Unisys ClearPath Enterprise Servers TCP/IP Implementation and Operations Guide, ClearPath MCP 16.0, April 2014, 3787 7693 222

NO WARRANTIES OF ANY NATURE ARE EXTENDED BY THIS DOCUMENT. Any product or related information described herein is only furnished pursuant and subject to the terms and conditions of a duly executed agreement to purchase or lease equipment or to license software. The only warranties made by Unisys, if any, with respect to the products described in this document are set forth in such agreement. Unisys cannot accept any financial or other responsibility that may be the result of your use of the information in this document or software material, including direct, special, or consequential damages.

You should be very careful to ensure that the use of this information and/or software material complies with the laws, rules, and regulations of the jurisdictions with respect to which it is used.

The information contained herein is subject to change without notice. Revisions may be issued to advise of such changes and/or additions.

Notice to U.S. Government End Users: This is commercial computer software or hardware documentation developed at private expense. Use, reproduction, or disclosure by the Government is subject to the terms of Unisys standard commercial license for the products, and where applicable, the restricted/limited rights provisions of the contract data rights clauses.

Unisys and ClearPath are registered trademarks of Unisys Corporation in the United States and other countries. All other brands and products referenced in this document are acknowledged to be the trademarks or registered trademarks of their respective holders.

Contents

Section 1. Overview
Documentation Updates; What's New?; Notation Conventions; Terminology Conventions; TCP/IP Architecture; Internet Protocol Version 6 (IPv6); MCP Networking and IPv6; Summary of IPv6 Features; Migrating to IPv6; Key Differences Between IPv4 and IPv6; IPv6 Internet Standards (IETF RFCs); TCP/IP Distributed Systems Services

Section 2. Overview of TCP/IP Routing
TCP/IP Routing Commands; IPv4 Addressing; Understanding IPv4 Address Classes; Classful Addressing Limitations; Subnetting; IPv6 Addressing; IPv6 Address Representation; IPv6 Address Type Identification; Unicast Addresses; Global Unicast Addresses; IPv6 Address Prefix Representation; IPv6 Alternative Representations of Addresses; Variable-Length Subnet Masking (VLSM); Classless Interdomain Routing (CIDR); CIDR in IPv4 Networks; CIDR in IPv6 Networks; TCP/IP IPv4 Network; TCP/IP IPv6 Network; Routing Information Protocol Version 2 (RIPv2); IPv6 Neighbor Discovery; Support for Multiple Routes to a Destination; MCP Route States; Alternate Routes; Dead Gateway Detection (IPv4 Networks); Discovering Unreachable Neighbors (IPv6 Networks); Parallel Routes; Special Topologies; Multiple Assigned Default Routes; Multiple Local IP Addresses

Section 3. Configuring a TCP/IP Network Using the NAU
Overview of the Implementation Process; Applying NAU TCP/IP Profiles; Using Default Attribute Values; Traversing the NAU Screens; Configuring a Sample TCP/IP Network; What the Sample Network Contains; Adding TCP/IP to an Existing Network; Starting the NAU; Configuring TCP/IP on an Application Host; Defining the Network Interface as a TCP/IP Connection; Identifying IP Addresses, Subnet Mask, and Router Discovery Attributes for ICPs; Defining TCP/IP Network Parameters; Specifying the Enterprise Server TCP/IP Internet Host Name and ICMP Report Display Parameters; Updating LAN Lines and Connections to Include TCP/IP; Optional Enhancements to the TCP/IP Configuration; Defining Known Routes to TCP/IP Hosts Not Directly Connected to the LAN; Defining Unknown (Default) Routes to TCP/IP Hosts Not Directly Connected to the LAN; Defining the TCP/IP ARP Address List; Mapping a TCP/IP Host Name to IP Addresses; Configuring Dynamic Initiation of Specified Port Numbers; Configuring Port Filtering Using the FILTERFRAMES Command; Configuring TCP and UDP Port Event Monitoring; Configuring Default Policies for Selecting Source and Destination IPv6 Addresses; Configuring TCP/IP Timer Values; Configuration Procedure; Configuring TCP/IP Options; Configuration Procedure; Configuring TCP/IP Neighbor Address Parameters; Configuration Procedure; Editing the ICP LAN Line Connection and Specifying a Multicast Address List; Auto-Configuring BNA-over-IP (BIP) Connections; Adding an IPv6 BNA-over-IP (BIP) Neighbor; Configuring FC3-IOP Networking; Specifying VLANID Attribute Values; Specifying the VLANID Attribute in TCPIP Commands; Checking Network Consistency; Consistency Errors and Solutions; Generating Initialization Files; Printing the Network Description Reports; Ending an NAU Session; Initializing the TCP/IP Network

Section 4. Operating TCP/IP Software
Initializing the TCP/IP Network; U. S. Export Regulations Concerning IPv6 and IPsec; Dual Mode Initialization; IPv6 Initialization; Modifying the Autoconfiguration Setting; IP Security (IPsec) Initialization; Initialization File Names; SNMP Agent Initialization; Initializing TCP/IP; Terminating TCP/IP on the Enterprise Server Host; Inquiring on the Status of TCP/IP Software; Inquiring on the Status of IPsec; TCPIP Status Command Examples; Setting Timer Values; Setting the Routing Information Timer Value; Setting the LAN Resiliency Timer Value; Configuring Multiple Routes and Default Routes; Configuring Multiple Routes to a Remote Destination; Configuring Default IP Routes; Inquiring About Routing Problems; Clearing the Routing Table; Specifying Selection Criteria for Route Inquiries; Inquiring on the Routing Information Protocol (RIP); Setting the Routing Information Protocol Authentication Type; IPv6 Default Address Selection; TCPIP Address Selection Policy; Inquiring on the Route Used to Reach a Remote Node; Modifying TCP/IP Components Online; Identifying a Local TCP/IP Host to the Network; Assigning IP Addresses to a Network Interface; Assigning Multiple Local IP Addresses and Mask Pairs to a Network Interface; Detecting a Duplicate IP Address on Your Network; Reporting on Autoconfigured Interfaces; Creating a Mapping Between a TCP/IP Host and One or More IP Addresses; Inquiring on One or More Host Names; Reaching a Remote Host or Other Network Interface on the Same Logical Host; Verifying That Packets Are Received by a Remote Host; Filtering TCP/IP Traffic; Filtering Frames Based on Port Numbers; Enabling Dynamic Port Filtering; Enabling Static Port Filtering; Filtering Broadcast Traffic; IPv6 Protocol Filtering; Filtering RIP Frames; Deleting TCP/IP Components Online; Deleting an IP Route to a TCP/IP Host; Deleting Default IP Routes; Deleting a User-Specified Mapping (TCP/IP Host to IP Address); Deleting All Learned Mappings; Deleting an Enterprise Server IP Address from the Network; Deleting Local IP Address and Mask Pairs; Enabling a Host to Use the Address Mask Protocol; Using Router Discovery; Enabling a Host to Use the Router Discovery Protocol; Using Neighbor Discovery; Specifying Neighbor Discovery Options; Setting the IPADDRESSLIST Attribute; Controlling TCP/IP End System Security; Differentiating Rules for Inbound/Outbound Dialogs and for TCP/UDP Protocols; Initialized Security Environment; Determining the Current TCP/IP End System Security State; Enabling or Disabling TCP/IP End System Security; Loading a Rules File; Changing to Another Rules File; Reviewing Security Rule Violations; Authorizing the Use of Well-Known TCPIP Ports; Using TCP/IP Options; Enabling and Disabling IP Security (IPsec); Enabling and Disabling SSH; Enabling and Disabling SSL; Configuring LAN Resiliency; Inquiring on the LAN Resiliency Timer; TCPIP LAN Resiliency Report; Disabling Mapping of Learned Host Names and IP Addresses; Enabling Use of RFC 1122 MTU; Enabling the Windows Server to Force the MTU to Acknowledge Every Two MTUs; Protecting TCP/IP Dialogs Against ICMP Attacks; Setting Path MTU Verification Interval; Enabling and Disabling Session Warnings; Specifying Autoconfiguration for a Network Interface; Obtaining an Autoconfigured IP Address Using the MAC Address; Specifying ICMPv6 Error Report Values; Specifying the Default Maximum Hop Limit for a Router; Closing Sockets by Job Number; Specifying and Inquiring on IP Multicast Frames; Updating an Initialization File to Use Multicast Addresses; Deriving Ethernet Multicast Addresses from Multicast IP Addresses; Enabling Multicast Address Handling for IPv4 Addresses Only; Preventing a Done Report From Being Sent; Specifying the Unsolicited Report Options for Multicast Listener Discovery; Specifying the Window Scale Factor; Specifying the TCP Selective Acknowledgement Option; Disabling and Enabling the Dynamic Initiation of Specified Port Numbers; Disabling the Dynamic Initiation of an Application; Enabling the Dynamic Initiation of an Application; Inquiring on the Dynamic Initiation Status of an Application; Monitoring TCP and UDP Port Events; Implementing Time-Wait for TCP/IP on MCP Systems

Section 5. Troubleshooting TCP/IP Installation and Configuration Problems
Verifying That TCP/IP End System Security Is Operable; Verifying that IP Security (IPsec) Is Operable; Inquiring About the TCP/IP Environment; Displaying Enterprise Server TCP/IP Reports; Monitoring TCP/IP System Activity with TCPIP DEBUG; Using the Trace Option of the TCPIP DEBUG Command; Using the Dump Option of the TCPIP DEBUG Command; Using the TCPIP DISPLAY, TCPIP DISPLAY INTERVAL, and TCPIP DISPLAY OPTIONS Commands; Using the TCPIP DISPLAY TABLE Command; Understanding the TCP/IP CONNECTION RESET Report; Diagnostic Codes

Section 6. Running OSI Applications over a TCP/IP Network
Functional Overview; Overview of the Implementation Process; Initializing the OSI Software on the TCP/IP Host; Identifying OSI Application Endpoints; Associating OSI and TCP/IP Addresses; Defining an NSAP Address Which Contains an Embedded IP Address; Configuring OSI-TCP/IP Address Pairs; Using the NAU to Configure OSI-TCP/IP Address Pairs; Using the Operations Interface (OI) to Configure OSI-TCP/IP Address Pairs; Checking the OSI-TCP/IP Pairings Using Network Inquiries; Sample OSI Initialization Files; Configuring a More Complex Network; Operating OSI Applications

Appendix A. TCP/IP Commands and Inquiries

Appendix B. Initialization File for the Sample Network
CNS Initialization File; TCP/IP Initialization File

Appendix C. Using the NAU in a Web Browser
Preparing the Web Enabler for ClearPath MCP HTML Page; Using a Sample Page; Creating a Page with the Web Enabler Wizard; Running the NAU in Web Enabler for ClearPath MCP

Appendix D. TCP/IP Capabilities
TCP/IP Capabilities - Network Services; TCP/IP Capabilities - Host Services

Appendix E. TCP/IP Port Numbers

Index

Figures

2-1. Two-Level Addressing Hierarchy; Classful IP Addresses; Subnet Address; Extended-Network-Prefix; Subnet Masking; Subnetted Topology; Unicast Address with no Internal Structure; Unicast Address with Subnet Prefix; General Format for Global Unicast Address; VLSM Topology; CIDR Routing Advertisements; IPv6 CIDR Routing Advertisements; Mixed Classful and Classless IPv4 Topology; IPv6 Classless Topology; Alternate Route Topology; Parallel Route Topology; Parallel Routes Through the Same Subnet; Parallel Routes Through Alternate Networks; Weak-Model Multihoming Topology (IPv4 Only); Resilient Weak-Model Multihoming Topology (IPv4 Only); Multiple Default Routes Topology; Multiple Parallel Default Route Topology; Multiple Logical Networks Topology

Sample TCP/IP Network; WELCOME Screen; APPLICATION HOST LIST Screen; APPLICATION HOST MENU Screen; APPLICATION HOST ATTRIBUTES Screen; ICP ASSIGNMENTS Screen; SHARED ADAPTERS ICP CONFIGURATION Screen; SHARED ADAPTERS CONFIGURATION Screen; TCP/IP CONFIGURATION MENU Screen; TCP/IP IDENTITY ADDRESS LIST Screen; TCP/IP NETWORK ADDRESS PARAMETERS Screen; TCP/IP MULTIPLE IDENTITY ADDRESS LIST Screen; TCP/IP APPLICATION HOST PARAMETERS Screen; TCP/IP ICMP REPORT DISPLAY Screen; TCP/IP CONFIGURATION MENU Screen; TCP/IP ROUTE LIST Screen; TCP/IP ROUTE LIST Screen; TCP/IP DEFAULT ROUTE LIST Screen; TCP/IP ARP ADDRESS LIST Screen; TCP/IP HOST MAPPING LIST Screen; TCP/IP MAPPING IP ADDRESS LIST Screen; TCP/IP DYNAMICINIT COMMANDS Screen; TCP/IP DISABLE TCP PORT SPECIFICATION Screen; TCP/IP DISABLE UDP PORT SPECIFICATION Screen; TCP/IP FILTERFRAMES COMMANDS Screen; TCP/IP FILTERFRAMES ENABLE TCP PORTS Screen; TCP/IP MONITOREVENTS COMMANDS Screen; TCP/IP MONITOREVENTS PORT SPECIFICATION Screen; TCP/IP ADDRESS SELECTION POLICY Screen; TCP/IP OPTION Screen; TCP/IP OPTION (2/2) Screen; TCP/IP CONFIGURATION MENU Screen; TCP/IP NETWORK ADDRESS PARAMETERS Screen; LAN DEVICE LIST Screen; LAN TCP/IP DEVICE ATTRIBUTES Screen; TCP/IP MULTICAST ADDRESS LIST Screen; NEIGHBOR PAIRED IP ADDRESS LIST Screen; ICP ASSIGNMENTS Screen; DIRECT ATTACH ADAPTER CONFIGURATION Screen; DIRECT ATTACH LINE CONFIGURATION Screen; CONSISTENCY CHECK MENU Screen; GENERATE MENU Screen; Sample TCP/IP Information Summary Report for Enterprise Server; PRINT GENERATED NETWORK DESCRIPTION MENU Screen; PRINT SELECT INFORMATION Screen

Specifying IPADDRESSLIST Values; TCP/IP End System Security Phases

Sample TCP/IP Network Running OSI Applications; Hierarchy of NAU Screens to Enable TCP/IP Hosts to Run OSI Applications; OSI MENU Screen; SYSTEM LIST Screen; OSI SYSTEM MENU Screen; NSAPA ASSIGNMENT LIST Screen; NSAPA/IP ADDRESS PAIRING Screen; OSI DESTINATION NETWORK ADDRESS PAIRS Screen; OSI DESTINATION NETWORK ADDRESS PAIRS Screen; LOCAL IP ADDRESS ASSIGNMENT Screen; Sample OSI Network Address Pairing Summary Report; Initialization File for OSI in ES; Initialization File for the OSI Endpoints in ES; NSAPA/IP ADDRESS PAIRING Screen

B-1. CNS Initialization File; B-2. TCP/IP Initialization File

Tables

1-1. Key Differences Between IPv4 and IPv6; IPv6 RFCs; IPv4 CIDR Supernet/Subnet Table; TCP/IP ICMP REPORT DISPLAY Screen Field Summary; TCP/IP Options (OPTION Screen 1/2); TCP/IP Options (OPTION Screen 2/2); NAU TCP/IP Consistency Checker Error Messages; IPSEC Summary Response; IPMASKCONFIG Attribute Values; Trace Options; Dump Options; ICMP Message Options; Message and Table Options; Diagnostic Codes for TCP/IP CONNECTION RESET Report; Correcting Consistency Errors Found When Enabling TCP/IP Hosts to Use OSI Applications; OSI-TCP/IP Address Pair Inquiries

A-1. TCP/IP Commands and Inquiries; D-1. Network Services Capabilities; D-2. Host Services Capabilities; E-1. TCP/IP Well Known Ports; E-2. TCP/IP Registered Ports

Section 1
Overview

This guide describes the required software and hardware components of a TCP/IP network and provides procedures for configuring, operating, and troubleshooting TCP/IP software on ClearPath MCP servers.

This guide is intended for the network administrator who installs and configures TCP/IP and also for system operators.

This guide assumes you are familiar with the following:
- System operations
- CNS concepts and operations
- Network Administrative Utility (NAU) operations

Documentation Updates

This document contains all the information that was available at the time of publication. Changes identified after release of this document are included in problem list entry (PLE) To obtain a copy of the PLE, contact your Unisys representative or access the current PLE from the Unisys Product Support website:

Note: If you are not logged into the Product Support site, you will be asked to do so.

What's New?

The following table identifies new and revised information for this release.

New or Revised Information:
- Modified the examples for network interfaces.
- Removed "Domain Name Services (DNS)" and replaced it with "Domain Name System (DNS)".
- Removed the "IEA-IOP" interface and replaced it with "FC3-IOP".
- Removed the "CNP" interface and replaced it with "VNP" and "MAICP4".
- Modified the CIDR Network example for IPv6.
- Modified the value entered in the Total LAN/ATM LANE Lines field.
- Modified the TCP Window Scale Factor range.
- Removed "ClearPath Network Appliance (CNA)" and replaced it with VNP and "Network Services".
- Added a new RFC to the Secure Shell (SSH) feature.
- Added a new Mac Algorithm to the NW TCPIP STATUS SSH enabled/running command response.
- Added a new Versions Supported to the NW TCPIP STATUS SSL enabled/running command response.
- Added two new Ciphers Supported to the NW TCPIP STATUS SSL enabled/running command response.
- Added a new response to the NW TCPIP STATUS SSL command.
- Modified information regarding Telnet Station Names and Incoming Telnet Sessions.
- Modified information regarding port filtering and filtering RIP frames.

Location (in table order): Section 1, "Overview"; Section 3, "Configuring a TCP/IP Network Using the NAU"; Section 1, "Overview"; Appendix D, "TCP/IP Capabilities"; Section 1, "Overview"; Section 3, "Configuring a TCP/IP Network Using the NAU"; Section 4, "Operating TCP/IP Software"; Appendix A, "TCP/IP Commands and Inquiries"; Section 2, "Overview of TCP/IP Routing"; Section 3, "Configuring a TCP/IP Network Using the NAU"; Section 3, "Configuring a TCP/IP Network Using the NAU"; Section 3, "Configuring a TCP/IP Network Using the NAU"; Section 4, "Operating TCP/IP Software"; Section 3, "Configuring a TCP/IP Network Using the NAU"; Appendix D, "TCP/IP Capabilities"; Section 4, "Operating TCP/IP Software"; Section 4, "Operating TCP/IP Software"; Section 4, "Operating TCP/IP Software"; Section 4, "Operating TCP/IP Software"; Section 4, "Operating TCP/IP Software"; Section 4, "Operating TCP/IP Software"

New or Revised Information, with Location:
- Added a new subsection to Section 4, describing how to implement the Time-Wait feature on an MCP System. Location: Section 4, "Operating TCP/IP Software"
- Modified the description for the IPDESTADDR <IP address> command. Location: Section 5, "Troubleshooting TCP/IP Installation and Configuration Problems"
- Added a new RFC to the Secure Sockets Layer (SSL) feature. Location: Appendix D, "TCP/IP Capabilities"
- Added port number 22/tcp to the Secure Shell (SSH) service port. Location: Appendix E, "TCP/IP Port Numbers"
- Modified the 137/tcp and 138/tcp port numbers and port name/descriptions. Location: Appendix E, "TCP/IP Port Numbers"
- Modified the description for port number 139/tcp. Location: Appendix E, "TCP/IP Port Numbers"
- Added port number 445/tcp and port name/description. Location: Appendix E, "TCP/IP Port Numbers"
- Modified the port name/description for port number 56288/tcp. Location: Appendix E, "TCP/IP Port Numbers"
- Added port number 56298/tcp to the Locum RealTime Config (SSL based port). Location: Appendix E, "TCP/IP Port Numbers"

Notation Conventions

The following conventions are used in this guide:
- In text, data that you enter at the keyboard appear in bold.
- In text, system responses appear indented.
- Optional data that you enter at the keyboard, or that might appear in a message, appears throughout this guide enclosed in square brackets; for example, [data].
- For Operations Interface (OI) commands, this guide shows the full command name and often shows permitted command abbreviations in text or examples. For example, for the NW TCPIP [TCPIP]IDENTITY command, you can enter any of the following:
    NW TCPIP TCPIPIDENTITY
    NW TCPIP TCPIPID
    NW TCPIP ID
- Variables that you enter at the keyboard, and those that appear in messages or on NAU screens, appear throughout this guide enclosed in angle brackets; for example, <variable>.
- NAU screen names appear in uppercase letters.

Terminology Conventions

In this document, the term ClearPath MCP servers refers to ClearPath Libra Series, FS Series, CS Series, and LX7100 Enterprise Servers.

Application host refers to a ClearPath MCP host.

To simplify fully inclusive references, the term Windows is used throughout this guide to refer to supported versions of the Windows operating system.

The term network interface means the interface that provides TCP/IP networking from an enterprise server to a local area network (LAN). Some examples of network interfaces include Network Services (Shared Adapters or MCP Adapters), and FC3-IOPs.

The term EVLAN refers to an enhanced virtual LAN connection, a high performance network path for TCP/IP-based data transfers between the MCP and Windows servers of a ClearPath system. For more details on EVLAN, refer to the Network Services Implementation Guide.

TCP/IP Architecture

Enterprise servers connected to a TCP/IP network provide a wide range of connectivity and interoperability. Using TCP/IP, you can link Unisys ClearPath MCP enterprise server systems with each other or with other vendors' systems.

TCP/IP products provide the following:
- Support for dual IP layers, IPv4 and IPv6, enabling applications to operate over IPv4 and IPv6 simultaneously
- Flexible topologies over LANs and WANs
- LAN resiliency
- Integrated network management with the SNMP Agent
- Support of classless network topologies and route aggregation
- Support of multiple logical interfaces (local IP addresses) for a single network interface
- Multihoming of an enterprise server
- Network access control
- Support of sockets
- Secure sockets layer (SSL) implementation, which supports the SSL and TLS protocols
- Support for the RFC 1006 protocol standard (enables OSI communication over a TCP/IP network)
- TCP/IP distributed systems services (DSS), which are available to support your processing needs across a TCP/IP network
- Support for TCP/IP end system security, which enables the system administrator to monitor and control data traffic to and from networked MCP systems. The system administrator can set up a security firewall by defining a set of Deny and Allow rules in an active rules file to specify which network traffic to allow or deny respectively. The TCP/IP security firewall has been enhanced to recognize IPv6 addresses.
- Support for IP Security (IPsec), which secures network data at the IP layer. IPsec over IPv6 networks is supported; IPsec over IPv4 is not supported. IPsec uses policies to define the security protection that is to be applied.
- Support for Secure Shell (SSH) for ClearPath MCP, which secures data at the application layer. Secure File Transfer Protocol (SFTP) and a remote command utility (SSHCLIENT) are supported; SSH terminals are not supported.

Internet Protocol Version 6 (IPv6)

IPv6 is supported by MCP networking. This section provides an overview of IPv6.

IPv6 is the next generation of the Internet Protocol. It is intended to remedy the impending shortage of IP addresses caused by the rapid expansion of the Internet and the growth of devices that are "connected" such as cell phones, PDAs, and home appliances. IPv6 uses a 128-bit address field instead of the 32-bit addresses used by IPv4. As a result, IPv6 affects a large number of MCP products, mainly those making use of IP addresses or facilitating the use of IP addresses for other products.

The new IPv6 software architecture is based on the current MCP host-resident TCP/IP architecture implemented for IPv4. The IPv6 protocol stack coexists with the existing IPv4 host-resident TCP/IP protocol stack. This dual-stack IP architecture enables applications to operate over IPv4 and IPv6 simultaneously and provides the transition mechanism for migrating from IPv4 networks to IPv6 networks. This architecture also permits a ClearPath MCP host to participate in a mixed network topology of IPv4-only hosts, IPv6-only hosts, and hosts capable of supporting both IPv4 and IPv6.

MCP Networking and IPv6

Many products, including Networking software and Network Administrative Utility (NAU), have been updated to support IPv6. Both these products require at least MCP 12.0 (53.1) irrespective of IPv4 or IPv6 functionality.

Because IP Security (IPsec) is currently considered a mandatory component of IPv6, IPv6 is considered an encryption product and is restricted under U.S. federal export regulations. To use MCP IPv6 networking, you must order the IOE Encryption Option. The appropriate keys to enable IPv6 and IPsec are included as part of the Encryption Option package. MCP IPv4 networking remains available and orderable as in the past.

Summary of IPv6 Features

This guide describes IPv6 features that affect TCP/IP in areas such as address configuration and resolution, route discovery, and security.

Expanded Addressing Capabilities

IPv6 increases the IP address size from 32 bits to 128 bits to support more levels of addressing hierarchy, a much greater number of addressable nodes, and simpler autoconfiguration of addresses. The scalability of multicast routing is improved by adding a scope field to multicast addresses. A new type of address called anycast address is defined and used to send a packet to any one of a group of nodes. See Section 2, "Overview of TCP/IP Routing," for a detailed description of IPv6 addressing conventions.

Header Format Simplification

Some IPv4 header fields have been dropped or moved to optional extension headers to reduce the common-case processing cost of packet handling and to limit the added bandwidth cost of the IPv6 header (beyond the long addresses). Fragmentation and reassembly are limited to the source and destination nodes.

Improved Support for Extensions and Options

Optional Internet-layer information is encoded in separate headers, called extension headers, which can be placed between the IPv6 header and the upper-layer header in the packet. An IPv6 packet can carry zero, one, or more extension headers. Changes in the way IP header options are encoded allow for more efficient forwarding, less stringent limits on the length of options, and greater flexibility for introducing new options in the future. These headers increase and enhance the current capability of IP. For example, IPv6 has the ability to support datagrams (packets) larger than bytes, referred to as Jumbograms. This is accomplished through the use of the Jumbo Payload Hop-by-Hop option. IPv6 also provides greater network security through the use of the Authentication Headers (AH) and Encapsulating Security Payload (ESP) headers.

IP Security

IPv6 uses IP Security (IPsec) to enable the TCP/IP network provider to secure network traffic and communicate with other endpoints. IPsec provides security services by enabling a host to select required security protocols, determine the algorithms used for the service, and put in place any cryptographic keys required to provide the requested service. IPsec supports encrypted and authenticated datagrams through the use of ESP headers for the encryption and AH for the authentication.

IPsec and its policies are administered by Security Center. Status information can be retrieved using the following Operations Interface (OI) commands:

NW TCPIP OPTION IPSEC
    Enables and disables IPsec.
NW TCPIP STATUS IPSEC
    Displays detailed IPsec information.
NW TCPIP DEBUG
    The dump type option of this command dumps all entries in all IPsec tables. The trace type option of this command traces within the IPsec module.

For more information on the TCPIP OPTION and TCPIP STATUS commands, see Section 4, "Operating TCP/IP Software." For more information on the TCPIP DEBUG command, see Section 5, "Troubleshooting TCP/IP Installation and Configuration Problems."

ICMPv6 Messages

The IPv6 version of ICMP (ICMPv6) is supported and implemented by every IPv6 node. ICMPv6 messages are one of two types: error messages or informational messages. All ICMPv6 messages have three fields that are common to all messages (type, code, and checksum), and a variable-length field that varies based on the message type.

ICMPv6 supports the following error and information types:
- Destination Unreachable
- Packet Too Big
- Time Exceeded
- Parameter Problem

ICMPv6 supports the following new Multicast Listener Discovery (MLD) message types:
- Multicast Listener Query
- Multicast Listener Report
- Multicast Listener Done

ICMPv6 supports the following new Neighbor Discovery message types:
- Router Solicitation
- Router Advertisement
- Neighbor Solicitation
- Neighbor Advertisement
- Redirect
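The common ICMPv6 header described above (type, code, checksum, then a type-specific body) can be parsed and checked as in the following Python sketch. This is an added example, not code from the Unisys guide or from MCP. The numeric type values, the error/informational split at type 128, and the IPv6 pseudo-header used in the checksum come from RFC 4443, RFC 2710 and RFC 4861 rather than from this guide; the function names and the link-local sample addresses are constructed for illustration.

```python
import ipaddress
import struct

# Type numbers for the message kinds listed in this section
# (assumption: values taken from RFC 4443, RFC 2710 and RFC 4861).
ICMPV6_TYPES = {
    1: "Destination Unreachable",
    2: "Packet Too Big",
    3: "Time Exceeded",
    4: "Parameter Problem",
    130: "Multicast Listener Query",
    131: "Multicast Listener Report",
    132: "Multicast Listener Done",
    133: "Router Solicitation",
    134: "Router Advertisement",
    135: "Neighbor Solicitation",
    136: "Neighbor Advertisement",
    137: "Redirect",
}
NEXT_HEADER_ICMPV6 = 58


def internet_checksum(data: bytes) -> int:
    """One's-complement sum of 16-bit words, complemented."""
    if len(data) % 2:
        data += b"\x00"  # pad odd-length input with one zero byte
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def pseudo_header(src: str, dst: str, length: int) -> bytes:
    """IPv6 pseudo-header: source, destination, 32-bit length, next header."""
    return (ipaddress.IPv6Address(src).packed
            + ipaddress.IPv6Address(dst).packed
            + struct.pack("!I3xB", length, NEXT_HEADER_ICMPV6))


def build_message(src: str, dst: str, msg_type: int, code: int, body: bytes) -> bytes:
    """Build an ICMPv6 message with a correct checksum (used for sample data)."""
    unsummed = struct.pack("!BBH", msg_type, code, 0) + body
    csum = internet_checksum(pseudo_header(src, dst, len(unsummed)) + unsummed)
    return struct.pack("!BBH", msg_type, code, csum) + body


def parse_message(src: str, dst: str, message: bytes) -> dict:
    """Split the common header from the body and verify the checksum."""
    if len(message) < 4:
        raise ValueError("ICMPv6 message shorter than the 4-byte common header")
    msg_type, code, checksum = struct.unpack("!BBH", message[:4])
    # Summing the pseudo-header and the message with its checksum field in
    # place gives 0 after complementing when the message is intact.
    ok = internet_checksum(pseudo_header(src, dst, len(message)) + message) == 0
    return {
        "type": msg_type,
        "code": code,
        "checksum": checksum,
        "name": ICMPV6_TYPES.get(msg_type, "unknown"),
        "class": "error" if msg_type < 128 else "informational",
        "body": message[4:],
        "checksum_ok": ok,
    }


# Constructed sample data (not captured traffic).
SRC = "fe80::1"
DST = "ff02::1:ff00:2"  # solicited-node multicast address for fe80::2
# Neighbor Solicitation body: 4 reserved bytes, then the 16-byte target address.
SAMPLE_NS = build_message(SRC, DST, 135, 0,
                          b"\x00" * 4 + ipaddress.IPv6Address("fe80::2").packed)
# Packet Too Big body: 32-bit MTU, then a deliberately odd-length fragment of
# the offending packet so the padding path of the checksum is exercised.
SAMPLE_PTB = build_message(SRC, "fe80::2", 2, 0,
                           struct.pack("!I", 1280) + b"\x60\x00\x00")

if __name__ == "__main__":
    for label, dst, raw in (("NS", DST, SAMPLE_NS), ("PTB", "fe80::2", SAMPLE_PTB)):
        info = parse_message(SRC, dst, raw)
        print(label, info["name"], info["class"], "checksum_ok =", info["checksum_ok"])
```

Because the checksum covers the pseudo-header, a message replayed under a different source or destination address fails verification even when its bytes are unchanged.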

Automatic Stateless Address Configuration and Duplicate Address Detection

To simplify host configuration, IPv6 supports automatic stateless address configuration. This enables hosts on a link to automatically configure themselves with IPv6 addresses for the link and with addresses derived from prefixes advertised by local routers. Even in the absence of a router, hosts on the same link can automatically configure themselves with link-local addresses and communicate without manual configuration. This feature allows an IPv6-enabled node to be added to a network and, without any configuration, be able to communicate with other destinations in the network.

Before an address is permanently assigned to an interface, it is verified to ensure that it is not already in use by another interface on the link using duplicate address detection.

For information on specifying automatic stateless address configuration and duplicate address detection, see "Assigning IPv6 Addresses" and "Specifying Autoconfiguration for a Network Interface" in Section 4, "Operating TCP/IP Software."

IPv6 Neighbor Discovery

IPv6 discovers and records information about neighbor nodes on the local link. This enables nodes to determine which neighbors are reachable and to find routers that are able to forward packets for them. It is the primary means of discovering IPv6 routing information.

Neighbor Discovery provides the following as part of the base protocol set:
- Router Discovery
- Address Resolution
- Neighbor Unreachability Detection
- Redirection

These features are described in more detail in "IPv6 Neighbor Discovery" in Section 2, "Overview of TCP/IP Routing," and in "Using Neighbor Discovery" in Section 4, "Operating TCP/IP Software." For information on using Neighbor Discovery, see "Specifying Neighbor Discovery Options" in Section 4, "Operating TCP/IP Software."

Multicast Listener Discovery V1

Multicast listener discovery allows IPv6 routers to discover nodes on their links that want to receive multicast packets and to discover which multicast addresses are of interest to their neighboring nodes. This information is used by IPv6 routers to deliver multicast information to the links on which there are listening nodes.

To receive multicast input, an application must specify the multicast IP address for which it intends to receive multicast input, and the TCP/IP initialization file must be configured with the link-layer multicast address.

To specify multicast listener discovery report intervals and retry limits, see "Specifying the Unsolicited Report Options for Multicast Listener Discovery" in Section 4, "Operating TCP/IP Software."

Migrating to IPv6

In most cases, migrating hosts and networks in an enterprise to IPv6 is expected to be a gradual process. Compatibility with the existing IPv4 applications and hosts needs to be maintained during this transition period. It is also expected that
- Most or all remote hosts that are IPv6-capable are dual-stack.
- Edge routers (if not the complete network) are dual-stack in most cases, at least in the initial transition period.
- ClearPath MCP applications will be modified or newly written to be IPv6-capable as needed. These applications must be capable of operating on both IPv4 and IPv6 networks.

Given the preceding conditions
- IPv6-capable MCP applications communicate with remote IPv4 hosts using the IPv4 layer, with IPv6 hosts using the IPv6 layer, and with dual-stack hosts using either the IPv4 or IPv6 layer with preference given to IPv6 for active opens.
- All existing unchanged MCP applications communicate with remote IPv4 hosts using the IPv4 layer.
- Existing unchanged applications that are not IP address-aware communicate with IPv6 hosts using the IPv6 layer, and with dual-stack hosts using either the IPv4 or IPv6 layer with preference given to IPv6 for active opens.
- Existing unchanged applications that are IP address-aware communicate with dual-stack hosts using the IPv4 layer. If the remote host is IPv6-only, a network-based translation device can be used to facilitate the conversion between IPv4 and IPv6, transparently to hosts; the protocol used is NAT-PT.

All applications using the MCP Sockets API and those using the user datagram protocol (UDP) need to be modified for IPv6. Applications using the Logical I/O and Co-op APIs over TCP connections are affected if one of the following is true:
- The applications need to be capable of connecting to remote hosts using explicit IP addresses.
- The applications handle (store, parse, generate, or display) IP addresses.

Key Differences Between IPv4 and IPv6

Table 1-1 describes the key differences between IPv4 and IPv6.

Table 1-1. Key Differences Between IPv4 and IPv6

IPv4 | IPv6
Source and destination addresses are 32 bits (4 bytes) in length. | Source and destination addresses are 128 bits (16 bytes) in length.
IPsec support is optional. | IPsec support is required.
No identification of packet flow for quality of service (QoS) handling by routers is present within the IPv4 header. | Packet flow identification for QoS handling by routers is included in IPv6 header using the Flow Label field.
Fragmentation is done by both routers and the sending host. | Fragmentation is not done by routers, only by the sending host.
Header includes a checksum. | Header does not include a checksum.
Header includes options. | All optional data is moved to IPv6 extension headers.
Address Resolution Protocol (ARP) uses broadcast ARP Request frames to resolve an IPv4 address to a link-layer address. | ARP Request frames are replaced with Multicast Neighbor Solicitation messages.
Internet Group Management Protocol (IGMP) is used to manage local subnet group memberships. | IGMP is replaced with Multicast Listener Discovery (MLD) messages.
ICMP Router Discovery is used to determine the IPv4 address of the best default gateway and is optional. | ICMP Router Discovery is replaced with ICMPv6 Router Solicitation and Router Advertisement messages and is required.
Broadcast addresses are used to send traffic to all nodes on a subnet. | There are no IPv6 broadcast addresses. Instead, a link-local scope-all-nodes multicast address is used.
Must be configured either manually or through DHCP. | Does not require manual configuration or DHCP.
Uses host address (A) resource records in the Domain Name System (DNS) to map host names to IPv4 addresses. | Uses host address (AAAA) resource records in the Domain Name System (DNS) to map host names to IPv6 addresses.
Uses pointer (PTR) resource records in the IN-ADDR.ARPA DNS domain to map IPv4 addresses to host names. | Uses pointer (PTR) resource records in the IP6.INT DNS domain to map IPv6 addresses to host names.
Must support a 576-byte packet size (possibly fragmented). | Must support a 1280-byte packet size (without fragmentation).

IPv6 Internet Standards (IETF RFCs)

The following Requests for Comments (RFCs) identify functions provided by IPv6 that are implemented for all supported levels of MCP Networking.

Table 1-2. IPv6 RFCs

RFC Number | Title
2460 | Internet Protocol Version 6 (IPv6) Specification
2461 | Neighbor Discovery for IP Version 6 (IPv6)
2462 | IPv6 Stateless Address Autoconfiguration
2464 | Transmission of IPv6 Packets over Ethernet Networks
2710 | Multicast Listener Discovery (MLD) for IPv6
 | Format for Literal IPv6 Addresses in URL's
3484 | Default Address Selection for Internet Protocol Version 6 (IPv6)
3493 | Basic Socket Interface Extensions for IPv6
 | DNS Extensions to Support IP Version 6
 | Application Aspects of IPv6 Transition
4191 | Default Router Preferences and More-Specific Routes
4213 | Basic Transition Mechanisms for IPv6 Hosts and Routers
4291 | IP Version 6 Addressing Architecture
4294 | IPv6 Node Requirements
4301 | Security Architecture for the Internet Protocol
4302 | IP Authentication Header (AH)
4303 | IP Encapsulating Security Payload (ESP)
4308 | Cryptographic Suites for IPsec
4429 | Optimistic Duplicate Address Detection (DAD) for IPv6
 | Internet Control Message Protocol (ICMPv6) for the Internet Protocol Version 6 (IPv6) Specification
4835 | Cryptographic Algorithm Implementation Requirements for Encapsulating Security Payload (ESP) and Authentication Header (AH)

TCP/IP Distributed Systems Services

Unisys provides a variety of TCP/IP distributed systems services (DSS) for use on ClearPath MCP systems. TCP/IP DSS products include the following:

- FTP Services for ClearPath MCP. This product provides file transfer capabilities with two client interfaces, one server interface, and an operator/administrator interface. The capability for securing the control and/or the data streams through the use of the SSL protocol (called FTPS) or the use of the SSH protocol (called SFTP) is available.
- Telnet Services. This product provides station connection services from one remote host to another across a TCP/IP network. The capability for securing the Telnet session with SSL is available.
- TCP/IP Printing. This product provides printing services between the Print System or the Remote Print System and remote hosts and network printers by means of a TCP/IP network.
- Domain Name System (DNS). This product provides addressing services on a TCP/IP network.
- Time Synchronization. This product allows multiple computers in a network to perform transactions that are time sensitive. Different machines have the capability of operating on the same time reference.
- Remote SSH Command Utility. This product allows commands to be executed at remote Unix systems via the SSH protocol.

For more information on using TCP/IP DSS products, refer to the TCP/IP Distributed Systems Services Operations Guide.

Section 2 Overview of TCP/IP Routing

This section describes TCP/IP routing on ClearPath MCP servers. Beginning with MCP release 12.0, TCP/IP initializes in dual mode and can support both the IPv4 and IPv6 protocols running simultaneously on a ClearPath server. This section describes the basic routing concepts shared by IPv4 and IPv6 and explains the new features supported by IPv6 to enhance TCP/IP routing capabilities.

This section provides the following:

- An overview of TCP/IP IPv4 and IPv6 routing commands
- IPv4 addressing and subnetting concepts
- IPv6 addressing concepts
- Conceptual material explaining variable-length subnet masking (VLSM) and classless interdomain routing (CIDR) and how these routing technologies are implemented by IPv4 and IPv6
- Examples that illustrate various IPv4 and IPv6 routing topologies including the use of multiple routes to a common destination, multiple local IP addresses for a network interface, and multiple logical networks

Notes:

- The IP addresses shown in the sample topologies in this section are for reference only. Do not use these addresses.
- If a routing feature is supported on both IPv4 and IPv6 networks, the sample topologies that illustrate the feature assume dual-mode operation and show support for both IPv4 and IPv6 running simultaneously. Therefore, both IPv4 addresses and IPv6 addresses are shown in the topologies, but these addresses cannot be intermixed. That is, a node with an IPv4 address cannot communicate with another node that has an IPv6 address.

TCP/IP Routing Commands

The following commands support TCP/IP routing. See Section 4, Operating TCP/IP Software, for information on how to use these commands.

- NW TCPIP ROUTE command
- NW TCPIP [TCPIP]IDENTITY command
- NW TCPIP RIP command (IPv4 only)
- NW TCPIP RIP RIPAUTHENTICATION command (IPv4 only)

NW TCPIP ROUTE Command

The NW TCPIP ROUTE command configures networks reachable through known routers. It enables you to configure routes that are more flexible, support resilient network topologies, and support VLSM or CIDR addressing and routing.

Specific routes to remote hosts, subnets, networks, and supernets can be manually configured using the ROUTE ADD form of this command by supplying a destination and a next-hop router through which the destination can be reached.

For IPv4 networks, VLSM-addressed or CIDR-addressed routes can be configured by adding a destination with the optional mask or / (slash) notation followed by the network-prefix attribute.

For IPv6 networks, the IPv6 address autoconfiguration feature defaults to disabled. You can use the NW TCPIP ROUTE command to configure an IPv6 address on an interface. This initializes the IPv6 networking stacks and appropriate data structures for that interface. IPv6 networks do not support the mask attribute and use the / notation followed by the network-prefix attribute.

Destinations that are configured without the mask or / network-prefix attribute notation are treated as host-specific routes.

The ROUTE ADD form of the command can also be used to configure default routes. A default route is a route that is taken in the absence of a specific route (dynamically learned or manually configured) to a destination. Default routes can be assigned to specific VLSM or CIDR address aggregations (subnet/network/supernet) using the optional mask attribute (supported by IPv4 only) or / network-prefix attribute (supported by IPv4 and IPv6), and are referred to as assigned default routes. Default routes that are configured without the mask or / route-prefix attribute are treated as system default routes.

The ROUTE DELETE form of the ROUTE command enables you to manually delete specific static (manually configured) routes to remote hosts, subnets, networks, or supernets and default routes. Only inactive routes (those without open dialogs) can be deleted unless forced by using the optional "NOW" keyword.

NW TCPIP [TCPIP]IDENTITY Command

The NW TCPIP [TCPIP]IDENTITY (TCPIP ID) command enables an IPv4 network administrator to configure and delete multiple local IP addresses or address and mask pairs for each network interface. This extends MCP TCP/IP multihoming capabilities to support multiple logical networks. With IPv4 networks, you can also use this command to set the RIP Authentication type for each network interface.

For IPv6, the network administrator can use the NW TCPIP ID command to enable autoconfiguration and duplicate address detection. If autoconfiguration is enabled, IPv6 hosts are automatically configured when connected to a routed IPv6 network. This means that you can use the TCPIP ID command without specifying an IPv6 address.

If autoconfiguration is not enabled, IPv6 addresses must be assigned manually for communication to occur within an IPv6 network. Both a link-local address and any routed unicast addresses in which the interface will participate must be manually specified. If a link-local address is missing on an interface that is configured for IPv6, then a waiting entry is generated. For example:

2422/ :03 TCPIP/WARNING/TASK/ACCEPT/211/1/0 ACCEPT:No IPv6 link local address for interface on Network processor 211 Line 1 VLAN 0. *** ENTER: 'AX OK', OR DS

You can also specify the number of consecutive Neighbor Solicitation messages sent while performing duplicate address detection on a tentative address. This ensures that an address is not already in use by another interface before it is permanently assigned to an interface.

NW TCPIP RIP and NW TCPIP RIP RIPAUTHENTICATION Commands

The NW TCPIP RIP and NW TCPIP RIP RIPAUTHENTICATION (TCPIP RIP RIPAA) commands are supported only by IPv4.

The NW TCPIP RIP command provides current Routing Information Protocol (RIP) status and configuration information. The NW TCPIP RIP RIPAA command sets the type of RIPv2 authentication that is in effect for a specified network processor and line. Network administrators can also inquire on the current authentication types set on each device and line configured on the system.

IPv6 uses dynamic route discovery to perform the same functions as RIP in IPv4. Dynamic route discovery gathers information learned from router advertisements in order to build a list of routers to which packets can be sent. If autoconfiguration is enabled, local addresses are parsed and built from the prefixes in the router advertisements.

IPv4 Addressing

An Internet Protocol (IP) address is assigned to every host that uses the TCP/IP IPv4 protocol. This address is 32 bits in length, consisting of four octets or bytes. In decimal form, it is commonly represented as four fields, separated by dots, where each field contains a value in the range of 0 to 255. For example:

Each IP address consists of two parts as shown in Figure 2-1. The first part of the address is the network-number, which identifies the network on the Internet on which the host resides. The second part of the address is the host-number, which indicates a specific host within that network. Since the leading portion of an IP address provides the network-number, it is often referred to as the network-prefix. All hosts on any given network share the same network-prefix but must have a unique host-number.

[Figure 2-1. Two-Level Addressing Hierarchy: bits 0 through 31 divided into Network-Number/Network-Prefix and Host-Number]

Understanding IPv4 Address Classes

In order to support networks of different sizes, address space is divided into different address classes (Class A, B, and C), an arrangement known as classful addressing. Addresses within each class are self-identifying because the boundary between the network-prefix and the host-number is fixed depending on the class to which they belong. Given any classful IP address, its class can be determined from a self-encoding key at the beginning of the network-prefix as shown in Figure 2-2.

[Figure 2-2. Classful IP Addresses: Network-Prefix and Host-Number bit layout for Class A, Class B, and Class C]

- Class A (addresses that start with 1-126; 8-bit network prefix)
  Class A is reserved for 126 large public networks and very large corporate networks. All of these network numbers have already been assigned. Each Class A network can contain almost 17 million (2^24 - 2) hosts. Example: (for host on network number ).
- Class B (addresses that start with ; 16-bit network prefix)
  Class B can support 16,384 networks and is used by government agencies and very large corporations. Most of the 16,382 possible Class B addresses have already been assigned. Each Class B network can contain up to 65,534 (2^16 - 2) hosts. Example: (host 5.1 on network number ).
- Class C (addresses that start with ; 24-bit network prefix)
  Class C is intended for most users around the world. There are several million possible Class C networks. Each Class C network can contain up to 254 (2^8 - 2) hosts. Example: (host 1 on network number ).
- Class D (addresses that start with )
  Hosts can use Class D addresses to multicast messages to a specific group of nodes.
- Class E (addresses that start with )
  Class E is reserved for future use.

Special Address Considerations

There are several special IP addressing rules and considerations:

- Network 127.x.x.x is reserved for loopback testing and can be used by any host.
- When a host number of all 0s (in binary) is specified, a reference is made to the network (or subnetwork) itself. For example, refers to Class C network
- When a network number of all 0s (in binary) is specified, a reference is made to the network itself. For example, refers to host 22 on this network.
- A host number of all 1s (in binary) is used as a broadcast address within a given network or subnetwork.

Classful Addressing Limitations

There are several problems with classful addressing; the biggest results from not having a network class that can efficiently support a medium-sized domain. Generally, a Class C network supporting 254 hosts is too small, while a Class B network supporting 65,534 hosts is much too large. To prevent a negative impact on the Internet routing tables, a request for a network address block from medium domains is generally handled by assigning a Class B network address rather than multiple Class C network addresses, wasting several thousand potential host addresses.

Some of the problems created by two-level classful addressing can be overcome by subnetting.

Subnetting

Subnetting is used in IPv4 networks when an organization with a single logical IP network address has multiple physical networks. From an administrative perspective, each of these physical networks, or subnets, must be individually addressable, because this significantly reduces the complexity of managing the network topology.

Subnetting uses a three-level addressing hierarchy as shown in Figure 2-3. A subnetted domain further divides the host-number portion of the classful address into two parts, a subnet-number and a host-number on that subnet.

[Figure 2-3. Subnet Address: the two-level layout (Network-Number/Network-Prefix, Host-Number) shown above the three-level layout (Network-Number/Network-Prefix, Subnet-Number, Host-Number), bits 0 through 31]

With the three-level subnet addressing, routers within the subnetted domain now use an extended-network-prefix to route traffic between individual subnets. The extended-network-prefix (Figure 2-4) is composed of the classful network-prefix and the subnet-number.

[Figure 2-4. Extended-Network-Prefix: the Network-Number/Network-Prefix and Subnet-Number fields together form the Extended-Network-Prefix, followed by the Host-Number]

The extended-network-prefix is identified by a subnet mask. In classful topologies, the subnet mask (Figure 2-5) is a fixed attribute and must be the same value when assigned to all hosts and routers within the same network. The bits in the subnet mask have a one-to-one correspondence with the bits in the classful IP address. If a bit in the subnet mask has a value of 1, the system should treat the corresponding bit in the IP address as part of the extended-network-prefix. If the bits in the mask are set to 0 (zero), the corresponding bits in the IP address are part of the host-number.

[Figure 2-5. Subnet Masking: an IP address and its subnet mask aligned bit for bit, showing the Network-prefix, Subnet-number, and Host-number fields and the Extended-network-prefix]

The length of the extended-network-prefix is equivalent to the number of contiguous one-bits in the subnet mask. In Figure 2-5, the extended-network-prefix length would be 24, the number of contiguous one-bits. Slash notation is used to represent the IP address and subnet mask pair needed to perform routing. The example in Figure 2-5 would therefore represent the IP address and its corresponding mask as /24.

The subnetting of individual networks ensures that the subnet structure of a network is never visible outside of the private domain. The route from the Internet to any subnet of a given IP address is the same, regardless of the subnet on which the destination host resides. This is because all subnets of a given network number use that same network-prefix but different subnet numbers. To the Internet, all of the subnets of a given domain are collected into a single routing table entry, /16, as shown in Figure 2-6.

[Figure 2-6. Subnetted Topology: the subnets of the Private Domain reached from the Internet through a single /16 routing table entry]

IPv6 Addressing

An IPv6 address is a numerical designator that uniquely identifies a network or host within a component network of an IPv6 network. The numerical designator can have the following values.

Value: Varies depending on the address form, but could contain hexadecimals, decimals 0 through 255, and double colons (::). See "IPv6 Address Representation" later in this section for more information.

Description: A 128-bit (16-byte) number that includes a network prefix and an interface identifier. The interface identifier must be unique within the link. The nodes of an IPv6 address are separated by colons (:). The link-local identifier must be unique within the link. The nodes of an IPv6 address are separated by colons.

IPv6 addresses are 128-bit identifiers for interfaces and sets of interfaces. Fields in IPv6 addresses are given a specific name, for example, "subnet." When this name is used with the term "ID" after the name (for example, "subnet ID"), it refers to the contents of the named field. When this name is used with the term "prefix" (for example, "subnet prefix"), it refers to all of the address from the left up to and including this field.

In IPv6, 0 (zero) and 1 are legal values for any field, unless specifically excluded. Specifically, prefixes can contain or end with zero-valued fields.

IPv6 Address Representation

The two conventional forms for representing IPv6 addresses are as follows:

- The first and preferred form of IPv6 address is represented as

  x:x:x:x:x:x:x:x

  The variable <x> represents one to four hexadecimal digits of the eight 16-bit pieces of the address. For example

  ABCD:EF01:2345:6789:ABCD:EF01:2345:
  :DB8:0:0:8:800:200C:417A

  Note: It is not necessary to write the leading zeros in an individual field, but there must be at least one numeral in every field (except for the syntax described in the following case).

- A second form of IPv6 address uses a special syntax for compressing zeros. This form can be useful because some IPv6 addresses contain long strings of zero-bits. The syntax uses double colons (::) to indicate one or more sets of 16 bits of zeros. The double colons can be used only once to compress leading or trailing zeros in an address. For example

  The following addresses | Can be represented as
  :DB8:0:0:8:800:200C:417A (a unicast address) | :DB8::8:800:200C:417A
  FF01:0:0:0:0:0:0:101 (a multicast address) | FF01::101
  0:0:0:0:0:0:0:1 (the loopback address) | ::1
  0:0:0:0:0:0:0:0 (the unspecified address) | ::

IPv6 Address Type Identification

The type of an IPv6 address is identified by the high-order bits of the address, as follows.

Address Type | Binary Prefix | IPv6 Notation
unspecified | (128 bits) | ::/128
loopback | (128 bits) | ::1/128
multicast | | FF00::/8
link-local unicast | | FE80::/10
global unicast | (everything else) |

Anycast addresses are taken from the unicast address spaces (of any scope) and are not syntactically distinguishable from unicast addresses.

The general format of global unicast addresses is described in "Global Unicast Addresses" later in this section.

Future specifications might redefine one or more subranges of the global unicast space for other purposes, but for now, implementations must treat all addresses that do not start with any of the previously listed prefixes as global unicast addresses.

Unicast Addresses

IPv6 unicast addresses can be aggregated with prefixes of arbitrary bit length, similar to IPv4 addresses under CIDR.

There are several types of unicast addresses in IPv6, in particular, global unicast, site-local unicast (deprecated), and link-local unicast. There are also special-purpose subtypes of global unicast, such as IPv6 addresses with embedded IPv4 addresses.

IPv6 nodes can have considerable or no knowledge of the internal structure of the IPv6 address, depending on the role the node plays (for instance, host versus router). At a minimum, a node can assume that unicast addresses (including its own) have no internal structure (as shown in Figure 2-7).

[Figure 2-7. Unicast Address with no Internal Structure]

A slightly sophisticated host (but still rather simple) can also be aware of a subnet prefix for the link or links to which it is attached. The different addresses can have different values for n (as shown in Figure 2-8).

[Figure 2-8. Unicast Address with Subnet Prefix]

Though a very simple router might have no knowledge of the internal structure of IPv6 unicast addresses, routers typically have knowledge of one or more of the hierarchical boundaries for the operation of routing protocols. The known boundaries differ from router to router, depending on the positions the router holds in the routing hierarchy.

Except for the knowledge of the subnet boundary discussed in the previous paragraphs, nodes should not make any assumptions about the structure of an IPv6 address.

Global Unicast Addresses

The general format for IPv6 global unicast addresses is shown in Figure 2-9.

[Figure 2-9. General Format for Global Unicast Address]

The global routing prefix is a value assigned to a site (a cluster of subnets and links), the subnet ID is an identifier of a link within the site, and the interface ID is used to identify interfaces on a link. See RFC 4291 for a further description of these fields.

All global unicast addresses other than those that start with binary 000 have a 64-bit interface ID field (that is, n + m = 64). Global unicast addresses that start with binary 000 have no such constraint on the size or structure of the interface ID field.

Examples of global unicast addresses that start with binary 000 are the IPv6 addresses with embedded IPv4 addresses. An example of global addresses starting with a binary value other than 000 (and therefore having a 64-bit interface ID field) can be found in RFC

IPv6 Address Prefix Representation

IPv6 address prefixes are similar to IPv4 address prefixes in classless interdomain routing (CIDR) notation. An IPv6 address prefix is represented by the following notation:

ipv6-address/prefix-length

where

- The ipv6-address value represents an IPv6 address using either of the notation forms listed in "IPv6 Address Representation."
- The prefix-length represents a decimal value that specifies the number of leftmost contiguous address bits that form the prefix.

The following examples are valid representations of the 60-bit prefix 20010DB80000CD3 (hexadecimal):

2001:0DB8:0000:CD30:0000:0000:0000:0000/60
2001:0DB8::CD30:0:0:0:0/60
2001:0DB8:0:CD30::/60

The following examples are invalid representations of the 60-bit prefix 20010DB80000CD3 (hexadecimal).

Invalid Representation | Reason
2001:0DB8:0:CD3/60 | Might drop leading zeros, but not trailing zeros, within any 16-bit chunk of the address
2001:0DB8::CD30/60 | Address to left of / (slash) expands to 2001:0DB8:0000:0000:0000:0000:0000:CD30
2001:0DB8::CD3/60 | Address to left of / (slash) expands to 2001:0DB8:0000:0000:0000:0000:0000:0CD3

When writing both a node address and a prefix of that node address (that is, the subnet prefix of the node), the two can be combined. For example, the node address

2001:0DB8:0:CD30:123:4567:89AB:CDEF

and its subnet number

2001:0DB8:0:CD30::/60

can be abbreviated as follows:

2001:0DB8:0:CD30:123:4567:89AB:CDEF/60

IPv6 Alternative Representations of Addresses

You can enclose the address in square brackets as is done with URLs [see RFC2732]. This example shows the use of brackets:

If brackets are used, the prefix length must be inserted outside of the square brackets as follows:

Correct usage: [2001:db8::]/64
Do not use the following format: [2001:db8::/64]

The prefix/length notation is syntactically indistinguishable from a valid URL. For that reason, the prefix/length notation must be used only from within a context where it cannot be mistaken for something else, such as a URL.

In some specific cases, it might be necessary to give a zone identifier as part of the address, as is shown in the following example: fe80::1%eth0. In general, applications should not need to parse these identifiers.

Notes:

- Some applications might also represent IPv6 address literals differently; for example, SMTP [see RFC 2821] uses [IPv6:2001:db8::1].
- The use of address literals is strongly discouraged for general-purpose direct input to the applications. Host names and DNS should be used instead.
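The representation rules in this part of the section (the address type prefixes, the valid and invalid spellings of the 60-bit prefix, the bracket rule, and the zone identifier) can be checked mechanically by any program that accepts IPv6 address text. The following Python code is an added example and is not part of the Unisys guide or of MCP; the function names parse_prefix, address_type, and has_prefix are assumptions made for this illustration.

```python
import ipaddress

# Type table from "IPv6 Address Type Identification"; anything not listed
# here is treated as global unicast, as the text requires.
ADDRESS_TYPES = [
    ("unspecified", ipaddress.IPv6Network("::/128")),
    ("loopback", ipaddress.IPv6Network("::1/128")),
    ("multicast", ipaddress.IPv6Network("FF00::/8")),
    ("link-local unicast", ipaddress.IPv6Network("FE80::/10")),
]


def parse_prefix(text):
    """Parse 'ipv6-address', 'ipv6-address/prefix-length' or
    '[ipv6-address]/prefix-length', with an optional '%zone' on the address.

    Returns (IPv6Address, prefix_length, zone). prefix_length is 128 when no
    length is written; zone is None when no zone identifier is present.
    Raises ValueError for malformed input.
    """
    text = text.strip()
    if text.startswith("["):
        inner, bracket, rest = text[1:].partition("]")
        if not bracket:
            raise ValueError("missing closing bracket")
        if "/" in inner:
            raise ValueError("prefix length must be outside the brackets")
        if rest and not rest.startswith("/"):
            raise ValueError("unexpected text after closing bracket")
        addr_text, length_text = inner, (rest[1:] if rest else None)
    else:
        addr_text, slash, length_text = text.partition("/")
        if not slash:
            length_text = None
    addr_text, percent, zone = addr_text.partition("%")
    if percent and not zone:
        raise ValueError("empty zone identifier")
    # IPv6Address rejects text that does not expand to eight 16-bit pieces.
    address = ipaddress.IPv6Address(addr_text)
    if length_text is None:
        length = 128
    elif length_text.isascii() and length_text.isdigit() and int(length_text) <= 128:
        length = int(length_text)
    else:
        raise ValueError("prefix length must be a decimal value from 0 to 128")
    return address, length, (zone or None)


def address_type(address):
    """Name the address type from the high-order bits of the address."""
    for name, network in ADDRESS_TYPES:
        if address in network:
            return name
    return "global unicast"


def has_prefix(text, prefix_hex, prefix_length):
    """True when text is written with /prefix_length and its leftmost
    prefix_length bits equal prefix_hex (hexadecimal, as in the guide)."""
    try:
        address, length, _ = parse_prefix(text)
    except ValueError:
        return False
    if length != prefix_length:
        return False
    return int(address) >> (128 - prefix_length) == int(prefix_hex, 16)


if __name__ == "__main__":
    for candidate in ("2001:0DB8:0:CD30::/60", "2001:0DB8::CD30/60",
                      "2001:0DB8:0:CD3/60", "[2001:db8::/64]"):
        print(candidate, has_prefix(candidate, "20010DB80000CD3", 60))
```

The zone identifier is returned as untrusted text; a caller that passes it on to an interface lookup should compare it against the interfaces actually configured on the host.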

Variable-Length Subnet Masking (VLSM)

Both IPv4 classless interdomain routing and IPv6 routing use variable-length subnet masking (VLSM). IPv6 implements VLSM the same way as IPv4 except that it uses 128-bit addressing instead of 32-bit addressing. IPv6 can also have larger prefix lengths ranging from 0 to 128.

A private IP network employing more than one subnet mask within its hierarchy is called a network with variable-length subnet masking (VLSM) since the extended-network-prefixes have different lengths. This permits

- More efficient use of the assigned IP address space for the domain
- Route aggregation that significantly reduces the amount of routing information at the backbone level within the private routing domain

Allowing a subnetted network to use more than one subnet mask with its assigned network address space prevents the private domain from being locked into a limited set of subnets.

Suppose a private organization is assigned the address block belonging to Class B network ( /16). Further, the private domain intranet includes several campuses and has therefore been subnetted using a 3-bit subnet-number field creating a /19 extended-network-prefix that allows for up to eight total subnets within the domain. The subnet mask used would therefore be , and the private domain could support up to eight subnets, each capable of addressing 8,190 hosts.

Now, assume the administrator needs to add a ninth subnet. Under traditional methods, the administrator would either have to request another address block (since all possible subnet-numbers have been exhausted), or renumber the entire domain. As shown in Figure 2-10, VLSM eliminates this problem by allowing the administrator to create subnets with different extended-network prefixes.

Note: Figure 2-10 contains both IPv4 and IPv6 addresses to show how VLSM could be implemented in a network using either addressing convention. The addresses in this example are for reference only. Do not use these addresses.

Using this example, the administrator of an IPv4 network could configure the /16 domain (or the FEC0::/16 domain in an IPv6 network) to have both a /19 and a /26 extended-network-prefix. The /26 prefix permits 1024 subnets of 62 hosts, ideal for small subnets of 60 or fewer hosts, while the /19 prefix is appropriate for large subnets of up to 8100 hosts.

[Figure 2-10. VLSM Topology: a Private Domain advertised to the Internet as a single /16 (FEC0::/16 for IPv6) and divided internally into /19 and /26 subnets]

To limit the size of the intranet backbone routing table, VLSM also supports the recursive division of a domain address space so that it can be aggregated. This is equivalent to dividing a network into subnets, then further subdividing some of the subnets into sub-subnets, then subdividing some of the sub-subnets into sub-sub-subnets, and so on.

Aggregating addresses in this manner abstracts the routing information details of one subnet group from another subnet group. Through the use of VLSM aggregation, a router residing on the subnet boundary is able to summarize all of the subnets behind it into a single advertisement, which it injects into the routing table of the parent subnet, eventually advertising a single route into the Internet global routing table for the entire domain.

42 Overview of TCP/IP Routing Classless Interdomain Routing (CIDR) Classless interdomain routing (CIDR) is sometimes called supernetting. CIDR is a prefixbased standard for the interpretation of IP addresses. It facilitates routing by allowing blocks of addresses to be grouped together into single routing table entries. Both IPv4 and IPv6 networks use CIDR technology as explained in the following text. CIDR in IPv4 Networks As implemented by IPv4, CIDR Eliminates the traditional concept of classful addresses (that is, Class A, B, or C addresses) and replaces them with the generalized concept of a network-prefix Supports route aggregation of perhaps thousands of traditional classful routes. A single routing table entry can specify many individual network addresses. CIDR uses the network-prefix rather than the first 3 bits of the IP address to determine the division between the network-number and the host-number. It can support the deployment of arbitrarily sized networks rather than the fixed-size Class A (/8), B (/16), or C (/24) classful networks. CIDR advertises a bit mask with each piece of routing information. Routers that support CIDR do not make any assumptions based on the first 3 bits of a destination address, relying only on the prefix-length associated with the route. Network prefixes are viewed as bitwise contiguous blocks of the IP address space. Using CIDR, Table 2 1 can be developed. The table itemizes all the potential supernets/subnets available within the IPv4- addressing space. Additional information is provided for Hex and Decimal values, classful equivalents, and number of addresses available within the indicated block. All of the network-prefixes from 1 to 32 are provided. Table 2 1. IPv4 CIDR Supernet/Subnet Table Mask Value: Hex CIDR Prefix Dotted Decimal # of Addresses # of Classful / M 128 A C / M 64 A E / M 32 A F / M 16 A F / M 8 A FC / M 4 A FE / M 2 A FF / M 1 A FF / M 128 B FF.C / M 64 B FF.E / M 32 B

FF.F / K 16 B
FF.F / K 8 B
FF.FC / K 4 B
FF.FE / K 2 B
FF.FF / K 1 B
FF.FF / K 128 C
FF.FF.C0.00 / K 64 C
FF.FF.E0.00 / K 32 C
FF.FF.F0.00 / K 16 C
FF.FF.F8.00 / K 8 C
FF.FF.FC.00 / K 4 C
FF.FF.FE.00 / C
FF.FF.FF.00 / C
FF.FF.FF.80 / ½ C
FF.FF.FF.C0 / /4C
FF.FF.FF.E0 / /8 C
FF.FF.FF.F0 / /16 C
FF.FF.FF.F8 / /32 C
FF.FF.FF.FC / /64 C
FF.FF.FF.FE / /128 C
FF.FF.FF.FF / Single host Single host

Note: See RFC 1878, Variable Length Subnet Table for IPv4, for more information. This RFC includes a standard subnet table which provides subnetting values for Class A, B, and C networks as well as Network IDs, host ranges, and IP broadcast addresses with emphasis on Class C subnets.

Hosts that support CIDR permit supernetting, the configuration of a mask that identifies a prefix shorter than the natural mask associated with traditional classful addresses.

CIDR and VLSM are essentially the same thing: they both support the recursive division of the IP address space into subsequently smaller pieces. The difference is that with VLSM, the recursion takes place on the address space previously assigned to a domain (classful address block) and is invisible to the global Internet. CIDR instead supports the recursive allocation of the entire IP address space in a hierarchical manner (aggregation): from an Internet Registry to a high-level ISP, to a mid-level ISP, to a low-level ISP, and eventually to a private domain/network. Consider the following figure.

[Figure: CIDR Routing Advertisements]

Since all of the routes within Organization #1's domain are part of ISP #2's address block, the routes to Organization #1 are implicitly aggregated via ISP #2's aggregated route announcement to Internet Registry #1. Therefore, all of Organization #1's networks are hidden behind a single routing advertisement from ISP #2. In turn, all of the routes within ISP #2 are implicitly aggregated via Internet Registry #1's route announcement to the global Internet, hiding all of the routes behind and within Internet Registry #1. From this, it is clear how growth of the Internet's routing table can be controlled using CIDR.

As with VLSM, CIDR requires that interior routing protocols carry the network-prefix information for each advertised route, implement a forwarding algorithm based on the longest match paradigm, and, in order to provide route aggregation, assign addresses so that they are topologically significant.
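The three mechanisms described above (the mask arithmetic behind Table 2-1, aggregation of subnets into one advertisement, and longest-match forwarding) can be worked through in a few lines. This is an added example, not code from the guide or from MCP; the IPv4 prefixes and router names are constructed sample data, and the FEC0 prefixes are the ones that appear in the guide's figures.

```python
import ipaddress


def classful_equivalent(prefix_len):
    """Size of a prefix expressed in Class A/B/C networks (last column of the table)."""
    for name, natural in (("A", 8), ("B", 16), ("C", 24)):
        if prefix_len <= natural:
            return f"{2 ** (natural - prefix_len)} {name}"
    if prefix_len == 32:
        return "Single host"
    return f"1/{2 ** (prefix_len - 24)} C"


def cidr_row(prefix_len):
    """(hex mask, CIDR prefix, dotted-decimal mask, address count, classful size)."""
    net = ipaddress.ip_network(f"0.0.0.0/{prefix_len}")
    hex_mask = ".".join(f"{b:02X}" for b in net.netmask.packed)
    return (hex_mask, f"/{prefix_len}", str(net.netmask),
            net.num_addresses, classful_equivalent(prefix_len))


def aggregate(prefixes):
    """Summarize contiguous prefixes into the fewest possible advertisements."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


class RoutingTable:
    """Forwarding by longest match: the most specific covering prefix wins."""

    def __init__(self):
        self.routes = []

    def add(self, prefix, next_hop):
        self.routes.append((ipaddress.ip_network(prefix), next_hop))

    def lookup(self, destination):
        addr = ipaddress.ip_address(destination)
        best = None
        for net, hop in self.routes:
            if net.version == addr.version and addr in net:
                if best is None or net.prefixlen > best[0].prefixlen:
                    best = (net, hop)
        return None if best is None else (str(best[0]), best[1])


# Constructed VLSM layout: one /24 carved into unequal subnets.
ORG_SUBNETS_V4 = ["198.51.100.0/25", "198.51.100.128/26",
                  "198.51.100.192/27", "198.51.100.224/27"]
# The four /64 prefixes used in the guide's IPv6 figures.
ORG_SUBNETS_V6 = ["FEC0:0:0:42F0::/64", "FEC0:0:0:42F1::/64",
                  "FEC0:0:0:42F2::/64", "FEC0:0:0:42F3::/64"]


def build_table():
    """Constructed routing table with overlapping prefixes of different lengths."""
    table = RoutingTable()
    table.add("0.0.0.0/0", "default-router")
    table.add("198.51.100.0/24", "router-1")
    table.add("198.51.100.192/27", "router-2")
    table.add("FEC0:0:0:42F0::/62", "router-1")
    table.add("FEC0:0:0:42F3::/64", "router-2")
    return table


if __name__ == "__main__":
    for plen in (8, 18, 26, 32):
        print(cidr_row(plen))
    print(aggregate(ORG_SUBNETS_V4), aggregate(ORG_SUBNETS_V6))
    t = build_table()
    for dest in ("198.51.100.200", "198.51.100.10", "203.0.113.5", "fec0:0:0:42f3::2"):
        print(dest, "->", t.lookup(dest))
```

An address covered by no prefix, such as an IPv6 destination when only an IPv4 default route exists, returns None from lookup.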

CIDR in IPv6 Networks

IPv6 networks are written using CIDR notation and use the same CIDR technology as is employed by CIDR on IPv4. Under CIDR, IPv6 unicast addresses can be aggregated with prefixes of arbitrary bit length, similar to IPv4 addresses. See "Global Unicast Addresses" earlier in this section for more details on IPv6 unicast addresses.

An IPv6 network or subnet is a contiguous group of IPv6 addresses, the size of which must be a power of two. The initial bits of addresses, which are identical for all hosts in the network, are called the network prefix. A network is denoted by the first address in the network and the size in bits of the prefix (in decimal), separated with a slash. For example,

2001:0DB8:1234::/48

stands for the network with the addresses

2001:0DB8:1234:0000:0000:0000:0000:0000 through 2001:0DB8:1234:FFFF:FFFF:FFFF:FFFF:FFFF

Because a single host can be seen as a network with a 128-bit prefix, you sometimes see host addresses written followed with /128.

Figure 2-12 shows CIDR routing advertisements with IPv6 addresses added.

[Figure 2-12: IPv6 CIDR Routing Advertisements]

TCP/IP IPv4 Network

In IPv4 networks, VLSM addressing and CIDR routing enable a classful host/server to be configured within a classless network as shown in the following figure.

[Figure: Mixed Classful and Classless IPv4 Topology]

As illustrated, this topology shows a classful ClearPath server participating within a classless network topology. The ClearPath system is multihomed to two different Class C networks, using CA-1 and using CA-2, both using a classful mask of Router 1 and Router 2 see the ClearPath system as a member of a /24 CIDR aggregation. Since both Router 1 and Router 2 support VLSM and CIDR, they can easily be configured to match the classful addressing paradigm supported by the ClearPath system (that is, a Class C address with a 24-bit network-prefix can be represented as a /24 CIDR network-prefix) and be able to correctly route datagrams to it. Router 1 will advertise a route for /24 on its interface to Router 3 and Router 2 will advertise a route for /24 on its interface to Router 4.

The Router 1 interface to CA-1 is classful, as is the Router 2 interface to CA-2. On these interfaces, the routers must use RIPv1 to advertise routes. RIPv1 does not include mask information and therefore Router 1 advertises without a mask and Router 2 advertises without a mask

TCP/IP IPv6 Network

In IPv6 networks, VLSM addressing and CIDR routing enable a host/server to be configured within a network as shown in the following figure. Routing within an IPv6 network is similar to routing within an IPv4 network except for the difference in IPv6 address lengths.

[Figure: IPv6 Classless Topology]

Routing Information Protocol Version 2 (RIPv2)

RIPv2 is an extension of RIPv1 and is supported only on IPv4 networks. RIPv2 shares the same basic algorithms of RIPv1, along with the support of several new features that provide the additional capability to support subnet mask information, which is required for the implementation of classless addressing needed by VLSM and CIDR. These new features, as described in RFC 2453, include subnet masks, next hop addresses, authentication, and multicasting. All RIPv1 messages are still supported in addition to the new RIPv2 message types.

The MCP TCP/IP RIPv2 implementation uses the subnet masks, next hop addresses, authentication, and multicast features in order to fulfill the requirement of classless addressing. RIPv2 responses update IP routing tables with information based on the route referenced in the IP address/subnet mask pair supplied in the RIPv2 message. Information regarding the next hop address of that route will also be updated if that information is supplied in the message.

Finally, the RIP port is configured to listen for messages that are received on the IP multicast address Use of this multicast address reduces the load on those hosts not configured to listen for multicast RIPv2 messages and prevents RIPv1-only hosts from having to process RIPv2 messages. Since periodic RIPv2 broadcasts use this address, an explicit request must be issued to receive datagrams using that address. It is a requirement that the multicast address be assigned via the MulticastAddressList connection attribute in the connection definition of the TCP initialization file.

Previously only one route to a destination was maintained in the routing table. Note that with the support of multiple parallel routes, all of the routes discovered by RIP will be added to the routing tables with a preference value based on the route metric.

IPv6 Neighbor Discovery

MCP IPv6 uses Neighbor Discovery instead of RIPv2 to discover routing information. Neighbor Discovery enables nodes to determine neighbors that are reachable and to find routers that are able to forward packets for them. Nodes can also use Neighbor Discovery to determine the data link-layer addresses for neighbors on attached links and to detect when these addresses change.

Neighbor Discovery provides a means to resolve the following:

- Router Discovery
  Router Discovery enables nodes to locate routers residing on a link and to determine the appropriate next hop. On multicast-capable links, each router periodically multicasts a router advertisement packet announcing its availability. Receipt of router advertisements from all routers facilitates the building of a list of default routers (routers to which packets can be sent) and address prefixes.

- Address Resolution
  Address Resolution enables mapping from an IP address to a link-layer address. Neighbor address resolution, previously done through ARP in IPv4, is accomplished by multicasting a neighbor solicitation that asks the target node to return its link-layer address. When a node acknowledges that its link-layer address has changed, it multicasts a few unsolicited neighbor advertisement packets to all nodes to quickly update cached link-layer addresses that have become invalid.

- Neighbor Unreachability Detection
  Neighbor Unreachability Detection determines that a neighbor is no longer reachable on a link. Communication to or through a neighbor can fail for numerous reasons at any time. If it is the path that has failed, because of a router failure, link or half-link failure, or because of a change in the link-layer address of a node, recovery might be possible. Therefore, a node actively tracks the reachability "state" for the neighbors to which it is sending packets.

- Redirection
  Redirect messages are sent by routers to redirect a host to a better first-hop router for a specific destination or to inform hosts that a destination is in fact a neighbor (that is, on-link). Unlike IPv4, the recipient of an IPv6 redirect assumes that the new next-hop is on-link.

Neighbor Discovery is facilitated by five ICMPv6 message types:

- Router Solicitation (Type 133)
- Router Advertisement (Type 134)
- Neighbor Solicitation (Type 135)
- Neighbor Advertisement (Type 136)
- Redirect (Type 137)

These messages are described in detail in RFC 2461, Neighbor Discovery for IP Version 6 (IPv6).
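Because these five messages steer next-hop selection and link-layer address caches, a receiver is expected to discard any that fail the validity checks in RFC 2461. The following added example (not code from the guide or from MCP) classifies an ICMPv6 message by the types listed above and applies those checks: hop limit 255, code 0, minimum length, checksum, and a link-local source for Router Advertisements and Redirects. It goes beyond the guide's text by applying the RFC's rules; the addresses and message bodies are constructed.

```python
import ipaddress
import struct

# ICMPv6 type -> (name, minimum ICMPv6 length in octets required by RFC 2461)
ND_MESSAGES = {
    133: ("Router Solicitation", 8),
    134: ("Router Advertisement", 16),
    135: ("Neighbor Solicitation", 24),
    136: ("Neighbor Advertisement", 24),
    137: ("Redirect", 40),
}
ICMPV6_NEXT_HEADER = 58


def icmp6_checksum(src, dst, icmp6):
    """Internet checksum over the IPv6 pseudo-header plus the ICMPv6 message."""
    pseudo = (ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed
              + struct.pack("!I3xB", len(icmp6), ICMPV6_NEXT_HEADER))
    data = pseudo + icmp6
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_nd(msg_type, body, src, dst, code=0):
    """Assemble a constructed ICMPv6 message with a correct checksum (test helper)."""
    raw = struct.pack("!BBH", msg_type, code, 0) + body
    return raw[:2] + struct.pack("!H", icmp6_checksum(src, dst, raw)) + raw[4:]


def validate_nd(icmp6, hop_limit, src, dst):
    """Return (message name or None, list of reasons the message must be discarded)."""
    if len(icmp6) < 4:
        return None, ["truncated ICMPv6 header"]
    msg_type, code, _ = struct.unpack("!BBH", icmp6[:4])
    if msg_type not in ND_MESSAGES:
        return None, ["not a Neighbor Discovery message"]
    name, min_len = ND_MESSAGES[msg_type]
    problems = []
    if hop_limit != 255:
        # A hop limit below 255 means the packet was forwarded by a router,
        # so it cannot have originated on the local link.
        problems.append("hop limit is not 255")
    if code != 0:
        problems.append("ICMPv6 code is not 0")
    if len(icmp6) < min_len:
        problems.append(f"shorter than {min_len} octets")
    if icmp6_checksum(src, dst, icmp6) != 0:
        problems.append("bad ICMPv6 checksum")
    if msg_type in (134, 137) and not ipaddress.IPv6Address(src).is_link_local:
        problems.append("source address is not link-local")
    return name, problems


if __name__ == "__main__":
    # Constructed samples: a well-formed Router Advertisement seen on-link,
    # and one from a global source address that has crossed a router.
    good = build_nd(134, bytes(12), "fe80::1", "ff02::1")
    print(validate_nd(good, 255, "fe80::1", "ff02::1"))
    far = build_nd(134, bytes(12), "2001:db8::1", "ff02::1")
    print(validate_nd(far, 64, "2001:db8::1", "ff02::1"))
```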

Support for Multiple Routes to a Destination

In both IPv4 and IPv6 networks, you can configure multiple routes to a common destination and build a redundant (and resilient) network topology by assigning preference values to routes. To do this, set the preference value of one router to a higher preference level (using a lower value; for example, 1 indicates higher preference than 2), and thus create an alternate backup route should the route of lower preference value (the preferred router) become disabled.

Defining multiple routes with equal preference values allows the potential for balancing individual network dialogs across each of the next-hops. For example, if there are two equal preference next-hops within the same network prefix, a balancing algorithm is employed such that the first dialog would use Router-1 and the second dialog would use Router-2. As with alternate routes, in the event that one of these parallel routes experiences a failure, all dialogs can be re-assigned to the other route.

Multiple "assigned" default routes can also be configured and/or assigned to a specific network prefix. Default routes that are configured without a route mask are considered "system" default routes and will be selected in the absence of an assigned default route (one where the route mask has been defined).

Note that redundant configurations, such as those described here, do not always imply the capability for dialog resiliency. Redundancy and resiliency are not synonymous; nor does one imply the other. Achieving seamless dialog recovery (resiliency) in the event of a route failure requires that the networks within the topology eliminate every single point of failure. Accomplishing this requires a redundant topology that provides multiple routes to desired remote destinations from within the same network prefixes.

The following subsections show sample topologies you can configure with MCP TCP/IP that support multiple routes to a destination.

MCP Route States

When multiple routes are configured to a destination, all next-hop routes are maintained and it is necessary to keep track of the state of each route to determine which routes are preferred, offline, or alternate. There are four different route states as follows.

Route State: ACTIVE
Description: This route is currently being used for network communication and has open dialogs associated with it. For IPv4 networks, ACTIVE routes cannot be deleted or aged from the routing table unless forced with the NOW attribute.
Note: Use of the NOW attribute is a destructive operation and causes dialogs using the route to terminate if a network event (for example, ICMP redirect) occurs.
For IPv6 networks, the ACTIVE state only implies that the route is usable; the route can be deleted from the routing table without using the NOW attribute.

Route State: IDLE
Description: This route is currently available for use and provides access to the specified destination. There are no open dialogs associated with it at this time. IDLE routes can be deleted and, if not statically configured, aged from the routing table.

Route State: INACTIVE
Description: This route has been configured to be an alternate or backup route to the specified destination by having a higher preference value than another primary route to the same destination. Routes can also become INACTIVE when redirected by the network due to changes in the topology or inaccurate static configuration. INACTIVE routes have access to their destinations but are not generally the preferred path. INACTIVE routes can be deleted and, if not statically configured, aged from the routing table.

Route State: OFF-LINE
Description: This route cannot be used. Dynamic mechanisms within TCP/IP and the network have determined that the next-hop router is "off-line." The OFF-LINE status might only be temporary and can change as network topology conditions change. Depending on the configuration, another route might now be servicing the dialogs originally assigned to this route. OFF-LINE routes can be deleted and, if not statically configured, aged from the routing table.

Alternate Routes

You can use the ROUTE command in IPv4 or IPv6 networks to manually define multiple routes to a common destination such that access to the destination can be achieved through more than one next-hop router. By using a preference field, you can enable the routing software to bias some routes over others, creating primary routes and alternate or backup routes. This manual configuration (Figure 2-15) also gives you control over the network topology and its routing.

By manually defining a resilient topology, you can allow dialogs to the same destination to use additional routes to those that can be learned from the network through RIP or IRDP (IPv4 networks) or through Neighbor Discovery (IPv6 networks). Defined static routes are also persistent routes and do not disappear due to route aging and other dynamic mechanisms operating within the network.

[Figure 2-15: Alternate Route Topology]

As shown in Figure 2-15, there are two possible routes from the ClearPath host to Host-1: one route via Router-1 and a second route via Router-2. The first route requires two hops (Router-1 and Router-4) while the second route requires three hops (Router-2, Router-3, and Router-4). Router-1 is considered the "primary" route to Host-1 since it requires fewer hops.

In addition to allowing more than one route to the same destination, the ROUTE command provides you with the option to assign a route preference value to each route in order to specify the primary route and the alternate route. The route with the lowest preference value for a destination becomes the primary route (a value of 1 has a higher preference than a value of 2) and all routes with higher values (lower preference) become alternate routes according to their preference values.

In the topology example, Router-1 should be configured with a lower preference value (higher preference) in order to reflect the fewer number of hops to the destination, Host-1, while Router-2 should be assigned a higher preference value (lower preference) to represent the larger number of hops. This will make Router-2 the alternate router.

Since more than one route to a destination can now be configured, providing a preference with the route description enables the routing algorithm to determine the fact that one route is better than the other, thus biasing the first route over the second. Under these conditions, the second route would only be selected if the first route fails as detected by the Dead Gateway algorithm for IPv4 networks or by Neighbor Unreachability for IPv6 networks.

Dead Gateway Detection (IPv4 Networks)

In IPv4 networks, Dead Gateway Detection prevents a router from being marked offline under certain circumstances. Prior to the implementation of this feature, if PING commands were disabled on a router and a single destination became unavailable, the router was marked offline and was not used, even though it was in use by other dialogs to other hosts. The Dead Gateway Detection feature prevents this from happening as follows.

The TCPIPSUPPORT library sends a PING request, checks RIP input, and issues an ARP request to determine if a gateway is reachable.

- If an ARP reply is received and a PING reply is not received, the gateway is not marked as offline and Dead Gateway processing does not select a new gateway.
- If neither an ARP reply nor a PING reply is received, the gateway is marked as offline and a new gateway is selected, if available.
- If RIP messages are received from a gateway that is suspected of being offline, the status of the router remains active.

Discovering Unreachable Neighbors (IPv6 Networks)

In IPv6 networks, two features of Neighbor Discovery (Router Discovery and Neighbor Unreachability Detection) enable nodes to determine which neighbors are reachable and to find routers that are able to forward packets for them. These features are described in more detail earlier in this section in "IPv6 Neighbor Discovery."

Parallel Routes

In both IPv4 and IPv6 networks, you can assign the same preference value to more than one route and create parallel routes to a destination. Based on the actual values, there can be primary parallel routes and alternate parallel routes. Any combination of the two is also acceptable. Assume that two primary parallel routes have been configured as shown in the following figure.

[Figure: Parallel Route Topology]

As shown, there are two possible routes from the ClearPath host to Host-1: one route via Router-1 and a second route via Router-2. Regardless of which route is used in this example, the destination is always two hops away. Here, one route is not better than the other as the destination is the same distance from the local host. You can assign both routes the same preference value. This is what is referred to as having parallel routes: routes with equal preference values.

Since parallel routes are equal routes, this implementation utilizes a balancing algorithm to evenly distribute transport layer dialogs across all primary parallel routes to the same destination. If Router-1 fails, Router-2, which provides a redundant path, seamlessly picks up the dialog load originally assigned to Router-1. Upon the recovery of Router-1, its original dialogs are not moved back to avoid potential route flapping. New dialogs, however, are assigned to Router-1. In fact, Router-1 is assigned all new dialogs until a load equilibrium is reached.

Special Topologies

The following topics, Same Network/Subnet and Alternate Networks/Subnets, provide a description of solutions for handling multiple parallel routes by Network Services. These solutions are supported on IPv4 and IPv6 networks.

Figure 2-17 and Figure 2-18 demonstrate network topologies designed to be fully connected and to have built-in redundancy, but do not necessarily provide the elimination of single points of failure. Figure 2-17 demonstrates the elimination of single points of failure while Figure 2-18 does not.

Network redundancy, as demonstrated by both topologies, is achieved by providing more than one parallel path/route to and from common remote destinations. If one of these parallel routes fails, the alternate route is capable of handling the traffic for the network. Also note that when more than one parallel route is active, dialogs can effectively be balanced across the active routes such that no single next-hop router need handle the full traffic burden.

All redundant configurations, such as those described here, do not necessarily imply the capability for dialog resiliency. Redundancy and resiliency are not synonymous, nor does one imply the other. Achieving seamless dialog recovery (resiliency) in the event of a route failure requires that the networks within the topology eliminate any single point of failure.

Same Network/Subnet

Figure 2-17 demonstrates network redundancy in which there are multiple parallel routes using next-hop routers that are in the same network as the local host.

Note: Providing more than one route from the same network eliminates any single point of failure for that network. Such a topology also supports dialog resiliency on route failures.

[Figure 2-17: Parallel Routes Through the Same Subnet]

Route redundancy, as configured in Figure 2-17, is provided by next-hops Router-1 and Router-2. If both routers are configured to have equal preference, dialogs between a remote destination and the local host will be balanced across each route. Should one of the next-hop routers fail, the other is capable of handling the complete dialog load until the failure can be corrected.

Not only is this topology redundant, it also offers route resiliency if one of the routers fails. Route resiliency can be supported by this topology because there is no single point of failure for routes to external destinations from network /24. If either Router-1 or Router-2 fails, the other router still provides external routing capability.

For example, should next-hop Router-1 fail, dialogs using that next-hop will eventually report potential failure information to IP. Upon receiving this information, IP executes its Dead Gateway algorithm. When Dead Gateway determines that Router-1 has failed, an alternate route to the same destination, Router-2, is located and the dialogs are seamlessly rerouted through Router-2.

This operation has no effect on the local network interface servicing the dialogs. Only the dialog's route cache has been updated to reflect the new next hop. The same network interface, SA-2, is used since the alternate route, via Router-2, is in the same network as the route that failed.
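The behaviour described under Parallel Routes, Dead Gateway Detection and Same Network/Subnet can be modelled in a short simulation. This is an added example and not the MCP implementation: the guide does not specify its balancing algorithm, so least-loaded assignment is an assumption chosen because it reproduces the stated behaviour, and the router names, preference values and dialog identifiers are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class Route:
    next_hop: str
    preference: int                      # lower value = higher preference
    online: bool = True
    dialogs: set = field(default_factory=set)


def gateway_offline(arp_reply, ping_reply, rip_heard):
    """Dead Gateway decision: offline only when nothing is heard from the gateway."""
    if rip_heard:                        # RIP traffic keeps the router active
        return False
    return not (arp_reply or ping_reply)


class Destination:
    """All configured next-hop routes toward one destination."""

    def __init__(self, routes):
        self.routes = list(routes)

    def _route(self, next_hop):
        return next(r for r in self.routes if r.next_hop == next_hop)

    def usable(self):
        """Online routes that share the best (lowest) preference value."""
        online = [r for r in self.routes if r.online]
        if not online:
            return []
        best = min(r.preference for r in online)
        return [r for r in online if r.preference == best]

    def open_dialog(self, dialog_id):
        """Assign a dialog to the least-loaded usable route (assumed policy)."""
        candidates = self.usable()
        if not candidates:
            return None                  # no route left: the dialog cannot proceed
        route = min(candidates, key=lambda r: len(r.dialogs))
        route.dialogs.add(dialog_id)
        return route.next_hop

    def mark_offline(self, next_hop):
        """Fail a next hop and reroute its dialogs; returns {dialog: new next hop}."""
        failed = self._route(next_hop)
        failed.online = False
        orphans, failed.dialogs = sorted(failed.dialogs), set()
        return {d: self.open_dialog(d) for d in orphans}

    def mark_online(self, next_hop):
        """Recover a next hop. Existing dialogs stay where they are (no flapping)."""
        self._route(next_hop).online = True

    def state(self, next_hop):
        route = self._route(next_hop)
        if not route.online:
            return "OFF-LINE"
        if route.dialogs:
            return "ACTIVE"
        primary = min(r.preference for r in self.routes if r.online)
        return "INACTIVE" if route.preference > primary else "IDLE"

    def load(self):
        return {r.next_hop: len(r.dialogs) for r in self.routes}


def demo():
    """Two parallel primaries plus one alternate; fail and recover Router-1."""
    dest = Destination([Route("Router-1", 1), Route("Router-2", 1), Route("Router-3", 5)])
    first = [dest.open_dialog(f"d{i}") for i in range(1, 5)]
    if gateway_offline(arp_reply=False, ping_reply=False, rip_heard=False):
        moved = dest.mark_offline("Router-1")
    dest.mark_online("Router-1")
    later = [dest.open_dialog(f"d{i}") for i in range(5, 9)]
    return first, moved, later, dest.load()


if __name__ == "__main__":
    for part in demo():
        print(part)
```

After recovery, Router-1 receives every new dialog until its load matches Router-2's, while the dialogs rerouted to Router-2 stay there.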

Alternate Networks/Subnets

Figure 2-18 demonstrates another form of network redundancy by configuring a network where there are alternate routes using next-hop routers that are not in the same network or subnetwork as the local host. Unlike Figure 2-17, Figure 2-18 has single points of failure for routes to external destinations. While this topology is technically redundant and has more than a single route to external destinations, it does not provide dialog resiliency on route failures.

[Figure 2-18: Parallel Routes Through Alternate Networks]

As shown in Figure 2-18, route redundancy is provided by next-hops Router-1 and Router-2. Since each network only has a single route to external destinations (single point of failure), the loss of either Router-1 or Router-2 will force the termination of those dialogs using the route that failed. Dialog resiliency cannot be achieved in topologies where routes to external destinations are configured with a single point of failure.

In Figure 2-18, Router-2 cannot act as a backup router for Router-1. While there is a mechanism to internally forward datagrams between the two networks, a host has no means of informing the external routers that a route to (or FEC0:0:0:42F0::1/64 in an IPv6 network) still exists via Router-2 and subsequently via the local network interface at SA-2. External routers only know, and learn, routes that have been discovered through their router-to-router protocols. The best that can be expected is that Router-2 will eventually learn that Router-1 has failed and remove routes via Router-1 from its own routing tables, thus enabling it to inform a host that CA-1 is no longer reachable by returning destination unreachable ICMP messages.

Such a topology can be corrected to support dialog resiliency by configuring additional redundant routes for each network such that there is no longer any single point of failure. The handling of multiple parallel routes through alternate networks becomes the same as handling parallel routes in the topic, "Same Network/Subnet."

As the local host receives datagrams from a remote destination intended for logical network interface, (SA-2), (or FEC0:0:0:42F3::2/64 in an IPv6 network), Network Services will direct them to the MCP TCP/IP for processing. Since SA-2 is in a different network from CA-1, datagrams for will only arrive over Router-2 and datagrams for (CA-1) will only arrive over Router-1.

If Router-1 fails, dialogs using Router-1 will eventually terminate since they cannot be rerouted through a different network. Therefore, Network Services will not receive datagrams that are not for the local network interface owned by SA-2. New dialogs established to and from the local host will now only use the route via Router-2 and network interface SA-2.

Weak-Model Multihoming

Figure 2-19 illustrates a topology known as weak-model multihoming since traffic entering a server uses a different path than the traffic exiting. This topology is supported only on IPv4 networks. Although this topology might not apply to all traffic processed by a server, it is typical of most remote traffic (one or more hops away).

There are two physical paths between the ClearPath server and the remote host, Host-1: one via Router-1 and another via Router-2. Since multiple routes can be configured to a destination, both paths to Host-1 can be configured. Routes can be defined for both Router-1 and Router-2. Using preference values, one path using Router-1 could be designated as the primary route and the other using Router-2 as the alternate route. This would permit an organization to continue the use of a weak-model multihoming operation with one exception. If the primary route, Router-1, fails, there is now an alternate route, Router-2, available. While dialogs to and from the address assigned to CA-1 might no longer be possible (no viable path to network-prefix /24), in-progress dialogs to and from the address assigned to CA-2 can be rerouted and new dialogs with CA-2 can still be established.

[Figure 2-19: Weak-Model Multihoming Topology (IPv4 Only)]

Figure 2-19 illustrates a topology with single points of failure in network-prefix /24 and /24 as there is only one router that services each network. To eliminate the single points of failure, you can add additional routers within each network-prefix to increase resiliency, as shown in the following figure.

[Figure 2-20: Resilient Weak-Model Multihoming Topology (IPv4 Only)]

Unlike Figure 2-19, if Router-1 fails in Figure 2-20, there is still another router, Router-4, capable of servicing that network-prefix. Here, all dialogs are preserved and new dialogs can still be established with both CA-1 and CA-2.

Multiple Assigned Default Routes

Routing in both IPv4 and IPv6 networks enables you to configure a system default route that is selected if a specific route (direct or indirect) is not available. The system default route is system-wide and used regardless of actual destination reachability. It is assumed that the system default route provides access to the entire set of desired destinations. This might not always be true, preventing some destinations from being reached.

Though multiple system default routes can be configured, there is only one system default route in use at any one time. All of the other system defaults configured are backup routes, used if the current system default is detected to be offline by the Dead Gateway Protocol (IPv4 networks) or by the Neighbor Discovery Protocol (IPv6 networks). Under large dialog loads, this places a heavy routing burden on a single system default router when the server host might actually be multihomed to multiple networks, each being able to reach the desired destination.

By using VLSM and CIDR support, assigned default routes can be defined to address any remote destination from within a local aggregation rather than configuring multiple masked indirect routes. Figure 2-21 demonstrates the use of multiple assigned default routes.

[Figure 2-21: Multiple Default Routes Topology]

In Figure 2-21, both Router-1 and Router-4 have been configured as an assigned default route. Each has been assigned to a local address aggregation by providing a network-prefix when configured. Both of these default routes have physical access to all destinations within the Internet but reside within different address aggregations; Router-1 belongs to /24 and Router-4 belongs to /24 (assuming IPv4 networks in this example). Conversely, Host-1 can access either CA-1 via Router-1 or CA-2 via Router-4.

Incoming dialogs from Host-1 supply the desired destination address, either CA-1 or CA-2. Based on the dialog's destination address (a local IP address of the ClearPath host), the routing algorithm locates an assigned default route belonging to the same address aggregation as the destination of the dialog. Assume that Host-1 is establishing a dialog with CA-1, having an IP address of When the ClearPath host attempts to locate the return route and there are no direct or indirect routes defined for Host-1, the assigned default route, Router-1, belonging to the same address aggregation as CA-1, is used.

Outgoing dialogs are handled differently. If the IP address of the local socket is specified, the routing algorithm behaves similarly to incoming dialogs; however, if the IP address of the local socket is not specified, the routing algorithm must choose a network interface and assign the address. If there are no direct or indirect routes defined, the current configured system default route is used and the network interface is chosen based on that selected system default route. Therefore, configure system default routes carefully, ensuring that each default route has access to all desired destinations.

Since multiple assigned default routes can be configured, more than one route can be configured and assigned to the same address aggregation as shown in Figure 2-22.

[Figure 2-22: Multiple Parallel Default Route Topology]

Figure 2-22 is configured to provide a backup route for each local aggregation. As with configuring indirect routes, this is accomplished through the assignment of a preference value, producing "primary" and "alternate" assigned default routes. Only the primary assigned default routes will be selected unless a router failure has been detected, at which time all dialogs will be routed through the alternate router. Note that as with system default routes, no more than one assigned default route can be defined with the same preference value.

Multiple Local IP Addresses

In both IPv4 and IPv6 networks, a local network interface, legacy or offloaded, can be assigned up to 32 local IP addresses and can be configured to participate in more than one logical subnet or supernet, providing the underlying physical network is properly constructed. One-to-one mapping of local IP addresses to network interfaces is no longer necessary, which allows support for many local IP addresses mapped to a single, common network interface. Multiple IP addresses per network interface allow the mapping of many host names (non-aliased), each to a single IP address also within a single server, even though that server might only have one physical network interface.

Since multiple logical interfaces (IP addresses) can be mapped to a single physical network interface, the multihoming model can be extended to include support of multiple logical networks as shown in Figure 2-23.

[Figure 2-23. Multiple Logical Networks Topology]

The topology shown in Figure 2-23 is configured to have three aggregated addresses: /27, /24, and /27 (assuming an IPv4 network in this example). Both /27 and /24 share the same physical network, whereas /27 is a separate physical network.

To demonstrate multiple logical networks, the ClearPath server in Figure 2-23 has two logical interfaces, /27 and /27, that share a single physical interface, CA-1, and one logical interface, /27, that uses a separate physical interface, CA-2. Both physical interfaces connect to the same physical network. Thus, this ClearPath server is connected to a single physical network, configured to handle traffic for each of two different logical networks. As configured, there are three logical interfaces (local IP addresses) servicing the same physical network. Two of these logical interfaces share a single physical interface, CA-1, while the third logical interface uses a separate physical interface, CA

Section 3 Configuring a TCP/IP Network Using the NAU

This section describes how to configure TCP/IP into a sample basic network using the Network Administrative Utility (NAU). The NAU is a menu-driven interface that you can run from CANDE or from a Java-capable web browser as described in Appendix C, Using the NAU in a Web Browser.

Note: IPsec is not configured with the NAU because the IPsec policies are not placed in the NAU init files. Refer to the Security Administration Guide for details on configuring IPsec.

This section contains the following topics:

- Overview of the implementation process
- Traversing the NAU screens
- Configuring a sample TCP/IP network
- Adding TCP/IP to an existing network
- Optional enhancements to the TCP/IP configuration
- Configuring dynamic initiation of specified port numbers
- Configuring port filtering using the FILTERFRAMES command
- Configuring TCP and UDP port event monitoring
- Configuring default policies for selecting source and destination IPv6 addresses
- Configuring TCP/IP timer values
- Configuring TCP/IP options
- Configuring TCP/IP neighbor address parameters
- Editing the ICP LAN line connection and specifying a multicast address list
- Auto-configuring BNA-over-IP connections
- Configuring FC3-IOP networking
- Checking network consistency
- Generating initialization files
- Printing the network description reports
- Ending an NAU session
- Initializing the TCP/IP network

Overview of the Implementation Process

To configure a TCP/IP network, create either a BNA or a CNS initialization file and a TCP/IP initialization file for each ClearPath MCP host in the TCP/IP network. The initialization files contain the Operations Interface (OI) commands that identify the role each host will play in the network as well as

- The host name
- The machines it can communicate with
- The security rules
- The lines and devices attached to it

When each component is initialized, the initialization file is read, and the component is ready to communicate with other components in the network.

Unisys recommends that you use the NAU to create the initialization files to define the physical and logical characteristics of each host and communications host in the network. The NAU then uses this information to build the initialization files. This section assumes that you have used the NAU to configure your basic BNA/CNS network, and now want to add TCP/IP functionality to existing hosts.

The NAU performs the following functions:

- Creates the network configuration and status database (NCSDB)
- Verifies the network consistency of the entries
- Generates initialization files for hosts in the network
- Generates TCP/IP initialization files
- Generates network configuration reports

Applying NAU TCP/IP Profiles

A profile is a defined set of attributes that apply to one specific type of network component. The NAU provides sample profiles that contain commonly used attribute values. This saves effort when configuring a network and also ensures consistency in related components. When a profile is applied, the values it provides are preceded by an asterisk (*) on the NAU screen. If a sample profile is appropriate for your network, you can use it as is. If some of the values need to be changed, you can modify the sample profiles or create your own.

Refer to the BNA/CNS Network Implementation Guide, Volume 2: Configuration for more details on when and where to apply profiles.

Using Default Attribute Values

Many attributes have a default value. The NAU screens show each default value in the appropriate attribute field; unless you overwrite it with a different value, it is the value that is used when you transmit the screen. Refer to the Networking Attributes Data Dictionary Help for a description of each attribute and the values you can assign to it.

Traversing the NAU Screens

The NETWORK HOME MENU screen is the controlling screen for NAU operations. To return to this screen from any other screen, place the cursor on the ACTION line, enter HOme, and transmit the screen.

When using the NAU, keep the following in mind.

| To... | Do the following... |
|---|---|
| Move between fields | Press the Tab key. |
| Enter data | Fill in the appropriate fields on the screen. Data can be entered in uppercase or lowercase. |
| Move the cursor to the HOme position | Press the HOme key. |
| Advance from one NAU screen to the next | Transmit the screen unchanged or choose an ACTION line command and transmit. |
| Select an item on an NAU list screen | Place the cursor on the item you want to select and press the Specify key. In this guide, this is called specifying the item, which makes the related NAU screens appear. |
| Change data on an NAU list screen | Move the cursor to the data you want to change and type over it. Then, move the cursor to the HOme position and transmit the screen. |
| Transmit an altered NAU list screen | Transmit the screen. The screen redisplays with the new data. Transmit again to advance to the next screen. |
| Provide names to the NAU (such as host names, session names, and database version names) | Make them unique. |
| Duplicate a value on a list screen column | Enter a double quotation mark (") below the list screen value you want to duplicate. This will work for most columns on the list screen. |
| Restore the default value for a specific attribute using the hash symbol (#) | Move the cursor to the value of the attribute in the screen. Type a hash symbol (#) over the first character in the data field and then transmit. The default value of the attribute (if a default exists) is restored. |

As you traverse the NAU screens, keep the following field notation conventions in mind.

| If the field is... | It means... |
|---|---|
| Underlined | The field is required. You must enter a value in the field before you can move to the next screen. |
| Preceded by an angle bracket (>) | The field has been locally defined by the user. |
| Preceded by an asterisk (*) | The field has been changed by a profile. |

Configuring a Sample TCP/IP Network

To become familiar with using the NAU, configure the sample network before configuring TCP/IP into your own network. The sample used is shown in Figure 3-1.

When configuring TCP/IP, keep the following in mind:

Configure the following for each TCP/IP application host:

- Network interfaces designated to run TCP/IP. A network interface is the interface that provides TCP/IP networking from an enterprise server to a local area network (LAN). Some examples of network interfaces include Network Services (Shared Adapters or MCP Adapters), and FC3-IOPs.
- IP addresses for network identification
- Host parameters that relate to TCP/IP

The NAU enables you to create profiles that contain attribute values that can be applied when you configure your network.

The sample network uses both IPv4 and IPv6 addresses. This section shows NAU screens that have been modified to support operating in either IPv4 or IPv6 mode.

What the Sample Network Contains

The configuration procedures in this section define the sample network shown in Figure 3-1. This network illustrates a typical TCP/IP configuration and shows sample IPv4 and IPv6 addresses for the routers and the destination host in the configuration. The network contains the following:

- One ClearPath host, ES1, configured as a TCP/IP system. ES1 contains one network interface, NP210, which supports two lines, Line 1 and Line 2. Each line supports two local IP addresses. Line 1 supports IP addresses /24 and /24. Line 2 supports IP addresses /24 and /24.
- RIPv2 Authentication, set on Line 1 to use a password, and on Line 2 to use NoAuthentication (that is, to reject frames of type Password or MD5).
- Three possible routes from ClearPath host ES1 to Host-1 through Router-1, Router-2, and Router-3. Regardless of which route is used in this example, the destination is always two hops away. Router-1 and Router-2 have been assigned the same preference value (1) and are therefore parallel routes. Router-3 has a lower preference value (2) and is therefore an alternate route.
- One common hop, Router-4 to the destination Host-1.

Figure 3-1 illustrates the sample TCP/IP network.

[Figure 3-1. Sample TCP/IP Network (ClearPath host ES1 with network interface NP210, Line 1 and Line 2; RIP Authentication Password = v17gy5nqd on one line and No Authentication on the other; a "Primary" router and a "Parallel" Primary router with Preference = 1, an "Alternate" router with Preference = 2, a router with Preference = NA, and Host-1)]

The destination host and the routers in Figure 3-1 are labeled with their IPv4 and IPv6 Internet IP addresses. This network information is used later in this section as input for NAU screens as the network is configured. Appendix B identifies the NAU initialization files generated based on the sample in Figure 3-1.

Adding TCP/IP to an Existing Network

This section describes how to use the NAU to add TCP/IP to an existing network. If you have not yet configured your basic network using the NAU, refer to the BNA/CNS Network Implementation Guide, Volume 1: Planning, and Volume 2: Configuration, for specific configuration details.

Starting the NAU

To start the NAU, perform the following steps:

Note: Run the NAU in expert mode to configure TCP/IP. To determine which mode you are in, look at the lower right corner of any NAU screen. If the NAU is in novice mode, type US on the ACTION line to toggle to expert mode.

1. Enter the following from CANDE:

    RUN $SYSTEM/NAU

   The WELCOME screen displays.

    * NAU -- WELCOME * 0
    ACTION: _
    QUit TEach REfresh USer MOde
    *****************************************
    * UNISYS Network Administrative Utility *
    ********** Release ***********
    Welcome to the NAU (UNISYS Network Administrative Utility). You may choose one of two modes of NAU operation. If you are initially defining a network, choose the Network Generate mode (GNN). If you have already generated a network, choose the Edit Generated Network mode (EDG).
    Session Usercode/Password = MYUSERCODE /
    Working Database Version = TCPIPSAMPLE
    GNN Generate Network
    EDG Edit Generated Network
    VER Database Version Maintenance
    NCF Define NCF Global Attributes
    SES Show Session Recovery Names
    REC Check Recovery Information
    Choice: EDG

   Figure 3-2. WELCOME Screen

2. Fill in the following fields.

| Field Name | Description |
|---|---|
| Session Usercode/Password (Required) | If your site is using the NAU security feature, enter the usercode that was used to configure the network version to which you are adding TCP/IP. You must then enter a valid password in the Password field. If version security is not used, enter either your name or your usercode in the Usercode field and leave the Password field blank. |
| Working Database Version (Required) | Enter the name of the network version that you want to edit in this field. You might need to use the VER option to view the list of versions or create a new version before continuing. |

3. Enter EDG in the Choice field, as shown in Figure 3-2, to add TCP/IP to your existing network. Transmit the screen. The NETWORK HOME MENU screen displays, which is the first screen used in the process of configuring TCP/IP into your existing network.

In the subsections that follow, the NAU screen path is illustrated to guide you through the sequence of NAU screens as you configure your network.

Configuring TCP/IP on an Application Host

To generate a TCP/IP initialization file using the NAU, perform the following steps:

1. Enter ANH in the Choice field of the NETWORK HOME MENU screen and transmit the screen. The APPLICATION HOST LIST screen displays, as shown in Figure 3-3.

    * NAU -- APPLICATION HOST LIST * 65
    ACTION: HOme PArent PRevious FInd WElcome QUit TEach REfresh
    Total - Node Address - Total Inbuilt Updt Level Host Name SSS CCC NNNN Style ICPs Comm Hosts Stat ID ES CLEARPATH

   Figure 3-3. APPLICATION HOST LIST Screen

   Note: The Host Name field is displayed with ES1. All sample entries shown in this guide, including this one, are based on the sample configuration shown in Figure 3-1. The remaining screens for your network will list the name of the host that you are configuring.

2. Place the cursor on the name of the host to which you are adding TCP/IP (in this example, ES1) and press the Specify key. The APPLICATION HOST MENU screen displays, as shown in Figure 3-4.

    * NAU -- APPLICATION HOST MENU * 66
    ACTION: HOme PArent PRevious WElcome QUit TEach REfresh INstall
    Host: ES1
    Host Information Aux Network Product Information HST Host Attributes OST OSI Transport Characteristics Optional Host Profiles: 1 A_HOST_PROF TCP TCP/IP Configuration 2 SNM SNMP Agent Configuration ICP ICP LAN Assignments CFL ICP Code File List SNA SNA Configuration SET ICP Sets LIN Line List LFT Load/Merge File Titles
    Choice:

   Figure 3-4. APPLICATION HOST MENU Screen

3. Enter HST in the Choice field and transmit the screen. The APPLICATION HOST ATTRIBUTES screen displays, as shown in Figure 3-5.

    * NAU -- APPLICATION HOST ATTRIBUTES * 145
    ACTION: HOme HOSt PArent PRevious WElcome QUit TEach REfresh COpy ADd
    Host: ES1
    Generate explicit station objects? (Yes/No)
    BNA Mode (Independent/Dependent)
    Host Group Name (<Host Group Name>)
    Logging Local STA (BASic, STAndard, ALL, NONe)
    Logging Remote NON (BASic, STAndard, ALL, NONe)
    CNS Logging Type (Cns, Bnav2)
    Validate Host USE (STRict, USEr, NONe)
    Use BNA > ( )
    Use TCP/IP > + (+)
    Use SNA PUT5 (5)
    Use SNMP Agent (+)
    NP Heartbeat Timer 0 (0-60 minutes)
    Validate Neighbor - (+/-)
    Primary Host Name (<Primary Host Name>)
    Auto-configure BIP connections (+)
    Define other application host attributes? N (Y/N)

   Figure 3-5. APPLICATION HOST ATTRIBUTES Screen

4. Enter + in the Use TCP/IP field and transmit the screen. The APPLICATION HOST MENU screen redisplays. This step causes the NAU to generate a TCP/IP initialization file when you generate your network.

Repeat this procedure for each host listed on the APPLICATION HOST LIST screen that will run TCP/IP.

Defining the Network Interface as a TCP/IP Connection

Once you enter + in the Use TCP/IP field on the APPLICATION HOST ATTRIBUTES screen (indicating that you want a separate TCP/IP initialization file generated for that host), you must also define the network interface on the host that provides the TCP/IP interface for the enterprise server.

The following procedure enables the NAU to generate a TCP/IP connection for the specified ICP. To identify ICP assignments, perform the following steps:

1. Enter ICP in the Choice field of the APPLICATION HOST MENU screen (Figure 3-4), and transmit the screen. The ICP ASSIGNMENTS screen displays (Figure 3-6). This screen contains a list of ICPs for the system, and enables you to define the ICPs that will be used to connect to the TCP/IP network.

    * NAU -- ICP ASSIGNMENTS * 67
    ACTION: HOme HOSt PArent PRevious FInd WElcome QUit TEach REfresh
    Host: ES1
    *In EDG mode, specify on device number for configuration information
    Device Attachment Number ICP Type Type Attachment Identifier MAICP4

   Figure 3-6. ICP ASSIGNMENTS Screen

2. In the Device Number field, enter the number for the first ICP that is a LAN interface to the TCP/IP network, enter MAICP4 in the ICP Type field, and transmit the screen.

3. Then, specify on the ICP. The SHARED ADAPTERS ICP CONFIGURATION screen (Figure 3-7) displays.

    * NAU SHARED ADAPTERS ICP CONFIGURATION * 430
    ACTION: HOme HOSt PArent PRevious FInd WElcome QUit TEach REfresh
    Host: ES1 ICP Device: 210 ICP Type: MAICP4
    NOTE: The total of both fields cannot exceed 8
    Total Total LAN/ATM LANE ATM Lines Lines (0-8) (0-8)

   Figure 3-7. SHARED ADAPTERS ICP CONFIGURATION Screen

4. Enter 2 in the Total LAN/ATM LANE Lines field and transmit. The SHARED ADAPTERS CONFIGURATION screen (Figure 3-8) displays.

    * NAU SHARED ADAPTERS CONFIGURATION * 447
    ACTION: HOme HOSt PArent PRevious FInd WElcome QUit TEach REfresh
    Host: ES1 ICP Device: 155 ICP Type: MAICP4
    Total Number of ICP NT LAN LAN CPLAN TCP/IP SNA Static Line ID Line ID Name Local Address (+/-/S) (+/-/S) Endpt ATM ATM Endpts EVLAN B LAN DFF + 2 LAN DFE +

   Figure 3-8. SHARED ADAPTERS CONFIGURATION Screen

5. Enter + in the TCP/IP field as shown in Figure 3-8. This field enables the NAU to generate a LAN connection group and a TCP/IP component connection for each ICP. Transmit the screen. The ICP ASSIGNMENTS screen redisplays.

   The Local Address fields are filled with default values which you can change to the actual MAC addresses or the value *DEFAULT. For the VNP ICP type, you can also assign the *FACTORY value, which indicates that the original factory setting for the Local Address should be used.

   Repeat steps 3 through 5 for each individual ICP if more than one is used to connect to the TCP/IP network. If you change the number of ICPs on this screen, you must go to the NETWORK HOME MENU, enter UPD in the Choice field, and transmit. This resets the host update status.

6. When you are finished defining ICPs, transmit the screen. The APPLICATION HOST MENU screen redisplays.

Once the appropriate values are set for the NAU to generate a TCP/IP initialization file and the ICPs that will run TCP/IP are identified, you must define the Internet IP addresses for each ICP and some TCP/IP host parameters.

Note: Line ID 0 (EVLAN) is automatically created for CNP, VNP, and MAICP4 ICP types. If Line ID 0 is manually deleted, the corresponding ICP needs to be deleted on the ICP ASSIGNMENTS screen and re-created for it to have Line ID

Identifying IP Addresses, Subnet Mask, and Router Discovery Attributes for ICPs

TCP/IP routing supports classless addressing and multiple local IP addresses. For each TCP/IP line configured in your network, you can enter multiple IP addresses. The format of IP addresses is explained in Section 2, Overview of TCP/IP Routing, in the topics IPv4 Addressing and IPv6 Addressing.

The TCP/IP Internet is made up of individual networks that can be accessed based on the configuration of the network and local portions of the IP address. If the enterprise server TCP/IP host has more than one network path used for TCP/IP LAN connectivity, the host is known in the network by more than one IP address.

Subnetting is the addressing scheme used to support topologies that have a network identifiable by a single address, but span multiple physical networks (for example, multiple LANs with multiple hosts connected to each LAN). This collection of multiple physical networks can be thought of as a set of subnetworks (subnets). The subnet address mask enables the host to identify the bit (or bits) in the local portion of the IP address that indicates the subnet number. See Section 2, "Overview of TCP/IP Routing," for more information on subnetting.

To define IP addresses for a network path on a TCP/IP host, perform the following steps:

1. Enter TCP in the Choice field of the APPLICATION HOST MENU screen and transmit the screen. The TCP/IP CONFIGURATION MENU screen displays, as shown in Figure 3-9.

    * NAU -- TCP/IP CONFIGURATION MENU * 325
    Action: HOme HOSt PArent PRevious WElcome QUit TEach REfresh
    Host: ES1
    TIL Define TCP/IP Identity, Address Mask and Router Discovery Parameters
    THP Define TCP/IP Host Parameters
    TRL Define TCP/IP Routes
    TDL Define TCP/IP Default Routes
    TAP Define TCP/IP ARP Addresses
    MIL Define TCP/IP MACP100/150 IP Addresses
    MAP Define TCP Host/IP Address Mappings
    TDI Define TCP/IP DynamicInit Commands
    TFF Define TCP/IP FilterFrames Commands
    MEV Define TCP/IP MonitorEvents Commands
    TAS Define TCP/IP Address Selection Policy
    TNE Define TCP/IP Neighbor Address Parameters
    Choice: TIL

   Figure 3-9. TCP/IP CONFIGURATION MENU Screen

   This screen enables you to access other screens to modify TCP/IP host parameters; identify local IP addresses, address mask, and router discovery attributes; and define TCP/IP route addresses.

2. Enter TIL in the Choice field and transmit the screen. The TCP/IP IDENTITY ADDRESS LIST screen is displayed (Figure 3-10). Use this screen to assign IP addresses to the network paths used to connect to the TCP/IP network. See Classless Interdomain Routing (CIDR) in Section 2, "Overview of TCP/IP Routing," for an explanation of CIDR notation.

    * NAU -- TCP/IP IDENTITY ADDRESS LIST * 326
    ACTION: HOme HOSt PArent PRevious FInd WElcome QUit TEach REfresh
    Host: ES1
    NT NP Line Line-ID/ BIP Dev # -ID VLANID IP Address Config _ / / FEC0::1:04:23FF:FE09:2DFE/64

   Figure 3-10. TCP/IP IDENTITY ADDRESS LIST Screen

3. Fill in the following fields for each network path.

| Field Name | Description |
|---|---|
| IP Address (Required) | For IPv4 addresses, consists of a 32-bit (4-byte) number that includes a network number and a local address. This number must be unique within the IP network. Note: If you are defining an IP address for an ICP22 or ICP26, and are configuring both lines (or taps) as TCP/IP connections, you must enter a unique IP address for each ICP line (or tap) you are configuring as a TCP/IP connection. If both taps of the ICP22 or ICP26 are connected to the same LAN segment, all broadcasts on that segment are received on both taps and processed on both the channel adapter and host system which could result in performance degradation. For the sample network, you can enter IP addresses as shown in Figure For IPv6 addresses, consists of a 128-bit (16-byte) number that includes a network prefix and a link local identifier. The link local identifier must be unique within the link. The nodes of an IPv6 address are separated by colons (:). You can leave this field blank if IPv6 autoconfiguration is enabled (set to +) on the TCP/IP NETWORK ADDRESS PARAMETERS screen (Figure 3-11). |
| BIP Config | Used to configure BNA-over-IP connections. See Auto-Configuring BNA-over-IP (BIP) Connections later in this section for more information. |

   Entering a value in the IP Address field causes the NAU to generate the NW TCPIP TCPIPIDENTITY command in the TCP/IP initialization file.

4. Transmit the screen. The screen is refreshed. If you do not want to further define the host for optional TCP/IP configuration parameters, transmit the screen again to return to the TCP/IP CONFIGURATION MENU screen.

To continue configuring your network with required TCP/IP configuration parameters, see Specifying the Enterprise Server TCP/IP Internet Host Name and ICMP Report Display Parameters later in this section.

If you want to define the host for optional TCP/IP configuration parameters, see Optional Enhancements to the TCP/IP Configuration later in this section.

Defining TCP/IP Network Parameters

You can define TCP/IP network parameters to enable the host to do the following:

- Act as an authoritative agent to other hosts connected to the same subnet by exchanging subnet mask address information. This alleviates the need to configure an address mask for each host on the subnet.
- Discover its subnet mask address from the agent.
- Dynamically discover the existence of neighboring routers. For additional information on router discovery, see "Enabling a Host to Use the Router Discovery Protocol" in Section 4 of this guide.
- Use RIPv2 Authentication (IPv4 only). See Routing Information Protocol Version 2 (RIPv2) in Section 2 for more information. If you are using RIPv2, you must specify multicast addresses (see Editing the ICP LAN Line Connection and Specifying a Multicast Address List later in this section).
- Use address autoconfiguration to enable hosts on a link to automatically configure themselves with IPv6 addresses for the link and with addresses derived from prefixes advertised by local routers.
- Use duplicate address detection to verify autoconfigured IPv6 addresses to ensure they are not already in use by another interface on the link.
- Use multiple IP addresses on a single network interface. See Multiple Local IP Addresses in Section 2 for more information.

1. On the TCP/IP IDENTITY ADDRESS LIST screen (Figure 3-10), move the cursor to the IP address and press the Specify key. The TCP/IP NETWORK ADDRESS PARAMETERS screen is displayed (Figure 3-11).

    * NAU -- TCP/IP NETWORK ADDRESS PARAMETERS * 375
    ACTION: HOme HOSt PArent PRevious WElcome QUit TEach REfresh
    Host: ES1
    ICP Device-Line ID-VLANID:
    IP Address:
    ICMP Address Mask Attributes:
    Configuration ST (STatic, ENabled, AGent, Static Agent)
    Retry Limit 5 (1-255)
    ICMP Router Discovery Attributes:
    Perform (ENabled, DIsabled)
    Time to Live 1 (1-255)
    Solicitation Address...
    RIPv2 Authentication:
    Type (Ignore, None, Password, Md5)
    Password
    AutoConfiguration - (-/+)
    Duplicate Address Detection Transmits 1 (0-9)
    Visible + (-/+)

   Figure 3-11. TCP/IP NETWORK ADDRESS PARAMETERS Screen

2. Fill in the appropriate optional fields to specify the options you want to configure. Unless indicated otherwise, the following fields apply to both IPv4 and IPv6 operations.

| Field Name | Description |
|---|---|
| Configuration | Enables you to control the behavior of the host in regard to the exchange of subnet mask addressing information among other hosts in the subnet. Valid values: STatic, ENabled, AGent, Static Agent. Default = STatic; indicating that the host will ignore all requests/replies from other hosts in the subnet. If you want to modify this value, do so now. For additional information on how each value impacts the behavior of the host, refer to related information on subnetting in Section 2. |
| Retry Limit | Identifies the number of times the host will retransmit a request if no reply is received from the agent in the subnet. Valid values: Default = 5 |
| Perform | Enables or disables a host to dynamically discover the IP addresses of neighboring routers when routing IP traffic beyond their directly attached subnet. Valid values: ENabled or DIsabled. Default = None. For additional details on the use of the router discovery protocol, see "Enabling a Host to Use the Router Discovery Protocol," in Section 4 of this guide. |
| Time-To-Live | Identifies the number of hops an IP datagram can take before becoming invalid and discarded. This value is inserted in the Time To Live (TTL) field of the IP header. Valid values: 1 if the Solicitation Address field is set to However, if a broadcast address is used, you can set this value greater than or equal to 1. The maximum value for this attribute is 255. Default = 1 |
| Solicitation Address | Identifies the IP destination address used for sending router solicitations from the interface. Valid values: = multicast address = broadcast address For a link to be multicast-capable, the MULTICASTADDRLIST attribute must be set for the connection. The MULTICASTADDRLIST attribute is automatically generated by the NAU if you set the Solicitation Address field to If you are not using the NAU, and you want to statically configure a value for the MULTICASTADDRLIST attribute, you can issue either of the following OI commands: ADD CONNECTION, MODIFY CONNECTION |
| Type | For IPv4 operation: Sets the type of RIPv2 authentication used by each line on each NP device. If you specify a type, you must also specify a multicast address. The RIPv2 port is configured to listen for messages that are received on the IP multicast address ( ). See Editing the ICP LAN Line Connection and Specifying a Multicast Address List later in this section for information on how to specify multicast addresses with the NAU. The four types of authentication are: Ignore authentication, No authentication, Password, MD5. If you enter P (Password) or M (MD5), you must also enter a valid password in the Password field. |
| Password | For IPv4 operation: Enter a valid password (16 characters or less) if you enter P (Password) or M (MD5) in the Type field. Do not enter a password if you entered authentication type I or N. When the NAU generates the TCP/IP init file, each password is enclosed in quotes. |
| AutoConfiguration | Enter + in this field to specify that IPv6 autoconfiguration must occur for the interface. The default for this option is "-" (OFF). |
| Duplicate Address Detection Transmits | For IPv6 operation: Enables duplicate address detection on an IPv6 address. The number entered indicates the number of consecutive neighbor solicitation messages sent while performing duplicate address detection on a tentative address. The value 0 (zero) indicates that duplicate address detection is not performed on tentative addresses. The value 1 indicates a single transmission with no follow-up retransmissions. |
| Visible | Allows all the IP addresses associated with the network interface to be passed to other applications. The default value is "+" (ON). See Section 4, Operating TCP/IP Software. |

3. Transmit the screen. The TCP/IP MULTIPLE IDENTITY ADDRESS LIST screen is displayed for that line (Figure 3-12). Enter one or more IP addresses and masks for the line, in addition to the main IP address on the TCP/IP IDENTITY ADDRESS LIST screen. For IPv4 operations, a mask can be entered in traditional IP or CIDR slash notation. If you fill in all the rows on this screen and transmit, a continuation screen appears with more empty rows. Each IP address entered on this screen causes the NAU to generate a separate NW TCPIP [TCPIP]IDENTITY command in the TCP/IP initialization file.

   Note: On VNP and MAICP4 adapters, Line 0 is reserved for use by the EVLAN adapter. Do not define additional IP addresses for this line. The consistency checker will flag such assignments as errors.

    * NAU -- TCP/IP MULTIPLE IDENTITY ADDRESS LIST * 452
    ACTION: HOme HOSt PArent PRevious FInd WElcome QUit TEach Refresh
    Host: ES1
    ICP Device-Line ID:
    IP Address FEC0::1:04:23FF:FE09:2DFE/ / /24

   Figure 3-12. TCP/IP MULTIPLE IDENTITY ADDRESS LIST Screen

4. Transmit the screen. The TCP/IP IDENTITY ADDRESS LIST screen redisplays.

5. Transmit through the TCP/IP LINE ATTRIBUTES screen to return to the TCP/IP CONFIGURATION MENU screen.
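The field rules in step 2 interact with each other (authentication type, password and multicast address; Time-To-Live and the kind of solicitation address), so planned values can be checked before they are typed into the screen. The following is an added example, not part of the guide or of the NAU; the dictionary keys and function name are hypothetical, and the multicast groups in the sample data are constructed inputs rather than values taken from this page.

```python
import ipaddress

# Defaults and ranges as shown on the TCP/IP NETWORK ADDRESS PARAMETERS screen.
DEFAULTS = {"retry_limit": 5, "time_to_live": 1, "dad_transmits": 1}
RANGES = (("retry_limit", 1, 255), ("time_to_live", 1, 255), ("dad_transmits", 0, 9))
RIP_AUTH_TYPES = ("I", "N", "P", "M")  # Ignore, None, Password, Md5


def check_address_parameters(entry):
    """Return a list of problems for one planned line entry (hypothetical keys)."""
    p = {**DEFAULTS, **entry}
    problems = []

    for name, low, high in RANGES:
        value = p[name]
        if not isinstance(value, int) or not low <= value <= high:
            problems.append(f"{name}: {value!r} is outside {low}-{high}")

    # Time-To-Live must be 1 when router solicitations go to a multicast
    # address; with a broadcast address any value of 1 or more is allowed.
    sol = p.get("solicitation_address")
    if sol and ipaddress.ip_address(sol).is_multicast and p["time_to_live"] != 1:
        problems.append("time_to_live: must be 1 with a multicast solicitation address")

    groups = p.get("multicast_addresses", [])
    for group in groups:
        if not ipaddress.ip_address(group).is_multicast:
            problems.append(f"multicast_addresses: {group} is not a multicast address")

    auth = p.get("rip_auth_type")        # None means the Type field is left blank
    password = p.get("rip_password", "")
    if auth is None:
        if password:
            problems.append("rip_password: set without an authentication type")
    elif auth not in RIP_AUTH_TYPES:
        problems.append(f"rip_auth_type: {auth!r} is not one of I, N, P, M")
    else:
        if auth in ("P", "M"):
            if not password:
                problems.append("rip_password: required for type P or M")
            elif len(password) > 16:
                problems.append("rip_password: longer than 16 characters")
        elif password:
            problems.append("rip_password: do not enter a password with type I or N")
        if not groups:
            problems.append("rip_auth_type: a multicast address must also be specified")
    return problems


# Constructed sample entries modelled on the sample network: Line 1 uses a
# password (the sample password shown in Figure 3-1), Line 2 uses no
# authentication. 224.0.0.9 is the RIPv2 multicast group (constructed input).
SAMPLE_LINES = {
    "Line 1": {"rip_auth_type": "P", "rip_password": "v17gy5nqd",
               "multicast_addresses": ["224.0.0.9"]},
    "Line 2": {"rip_auth_type": "N", "multicast_addresses": ["224.0.0.9"]},
}

if __name__ == "__main__":
    for line, entry in SAMPLE_LINES.items():
        print(line, check_address_parameters(entry) or "OK")
```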

Specifying the Enterprise Server TCP/IP Internet Host Name and ICMP Report Display Parameters

This procedure enables you to specify certain host-specific parameters, define the Internet TCP/IP host name of the local host, and specify how various ICMP messages are to be reported. To define TCP/IP host parameters, perform the following steps:

1. Enter THP in the Choice field of the TCP/IP CONFIGURATION MENU screen (Figure 3-9) and transmit the screen. The TCP/IP APPLICATION HOST PARAMETERS screen displays (Figure 3-13).

* NAU -- TCP/IP APPLICATION HOST PARAMETERS * 327
ACTION: HOme HOSt PArent PRevious WElcome QUit TEach REfresh
Host: ES1
ICMP LimitedBroadCast E (Enabled, Disabled)
RIPEnabled + (+/-)
LANRESIL Timer 30 ( Sec)
Retry Limit 15 (0-50)
RIPRouteTimeout 180 ( Sec)
Maximum Connections 64 ( )
Tcp Inact Timer 8 (0-24 Hours)
Tcp ATM KeepAlive NO (Never, VCopen, NOrmal)
ATM Cache Timer 7 (1-7 Minutes)
MulticastDefaultAddress for IPv6
MulticastDefaultAddress for IPv4
Broadcast Filter Thresholds: Low High ( )
Disable TCP Security Support Library? N (Y/N)
TCP Security Support Library Rules File Name:
TCP/IP Internet Host Name ES1.TCP.HOST.NAME

Figure TCP/IP APPLICATION HOST PARAMETERS Screen

2. Fill in the fields described in the following table. All fields are optional except for TCP/IP Internet Host Name.

Field Name / Description

ICMP LimitedBroadCast
An enterprise server TCP/IP attribute that can be set to prevent possible flooding of the network when a link using router discovery is configured with a broadcast address.
Note: Some routers are known to disobey the Request for Comments (RFC) and retransmit limited broadcast onto other physical LANs. Setting the Limited Broadcast field to disabled will limit the retransmission to a particular network.
Valid values:
E (Limited broadcast enabled)
D (Directed broadcast - limited broadcast disabled)
Default = Enabled. If you want to modify this value, do so now.

RIPenabled
Enables or disables the RIP protocol.
Valid values:
+ (Enabled)
- (Disabled)
Default = +. If you accept the default to specify RIPenabled, you must specify a multicast address. If you want to modify this value, do so now.

LANRESIL Timer
Specifies the number of seconds used for checking for TCP/IP network interfaces that are unavailable.

Retry Limit
Specifies the number of minutes an unacknowledged TCP packet is retransmitted before the connection is terminated.
Valid values: 0 through 50 (minutes). Default = 15 (minutes). If you want to modify this value, do so now.

RIPRouteTimeout
Specifies the routing expiration timer in seconds.

Maximum Connections
Specifies the maximum number of connections to the TCP/IP host.
Valid values: 1 through
Default and maximum allowed value is based on the TCP/IP style purchased. If you want to modify this value, do so now.

TCP Inact Timer
Allows a user to set the length of time in hours that the TCP connections are considered available and in use when there is no activity on the associated ATM SVC connection.

TCP ATM KeepAlive
Allows a user to determine if a TCP KeepAlive frame should be sent from the system on an ATM SVC connection.
Note: If the TCP ATM KeepAlive field is set to Never and the TCP Inact Timer expires, TCP sessions are terminated.

Field Name / Description

ATM Cache Timer
Specifies the ATM Cache Timer used for aging entries in the ATMARP table.

MulticastDefaultAddress for IPv4
MulticastDefaultAddress for IPv6
Specifies the IP addresses of the default interfaces to be used for IP multicasting via IPv4 and IPv6, respectively.
Note: If the IPv4 Only Operation field on the TCP/IP OPTION (1/2) screen is set to "+", only IPv4 addresses are valid on this host.

Broadcast Filter Thresholds
Enables filtering of broadcast packets from the network. If the number of packets per second exceeds the high threshold, all broadcast packets are filtered until the rate drops below the low threshold. If either threshold is specified, both are required, and the low threshold must be less than the high threshold.

Disable TCP Security Support Library?
Allows you to disable TCP/IP end system security. Normally, the TCP/IP end system security feature is enabled by default and the *TCPIP/RULES/DEFAULT is loaded as the active rules file. If you want to disable TCP/IP end system security, enter Y. The default value is N.

TCP Security Support Library Rules File Name:
If TCP/IP end system security is enabled, it identifies a rules file that you want to reload over the *TCPIP/RULES/DEFAULT file. If this field is blank and TCP/IP end system security is enabled, the *TCPIP/RULES/DEFAULT file is loaded automatically.

TCP/IP Internet Host Name (Required)
Identifies the TCP/IP Internet Host Name that will be used to identify the local host. Identifying a value for this field causes the NAU to generate the NW TCPIP TCPIPHOSTNAME command in the initialization file.
Valid values: 1 through 255 characters

3. Transmit the screen. The TCP/IP ICMP REPORT DISPLAY screen displays, as shown in Figure This screen is used to optionally control or limit the ICMP reports displayed to the ODT and SUMLOG.

* NAU -- TCP/IP ICMP REPORT DISPLAY * 429
ACTION: HOme HOSt PArent PRevious WElcome QUit TEach REfresh
Host: ES1
For each report category, enter Always, Never, or First time only. Default value is Always.
All of the following except as individually specified:
Address Mask
Router Discovery
Destination Unreachable
Source Quench
Information Request/Reply
Time Exceeded
Parameter Problem
Timestamp Request/Reply
Redirect
ICMPV6 Router Information
ICMPV6 Packet Too Big
ICMPV6 Neighbor Discovery
Multicast Listener Discovery
ICMPV6 Redirect
TCP/IP Display Interval 2 (1-48 hours)

Figure TCP/IP ICMP REPORT DISPLAY Screen

4. Fill in the fields as described in Table Transmit through the TCP/IP OPTION (2/2) screen. The TCP/IP CONFIGURATION MENU is displayed.

Table 3-1. TCP/IP ICMP REPORT DISPLAY Screen Field Summary

Field Name / Description

All of the following except as individually specified
When a valid value is entered, the NAU enters the following command in the initialization file:
NW TCPIP DISPLAY ICMPRPTS option
where option is a value defined by the field entry:

Field Entry / Command Option / Meaning
A / ALWAYS / Always report the message at the ODT and write it to the SUMLOG. This is the default option.
N / NEVER / Never report the message.
F / FIRST / Report only the first unique message within the time interval specified at the bottom of this screen.

This command defines message reporting for all ICMP messages. You can use individual message category fields to override the specified option for one or more message types.

Message Categories (Address Mask through ICMPV6 Redirect)
When a valid value is entered (A, N, or F), the previously defined reporting option is overridden for the corresponding message category. For each non-blank field, the NAU enters the following command in the initialization file:
NW TCPIP DISPLAY <message> <option>
where message is a code that defines the message type:

Code / Message Type
ICMPADMSK / ICMP Address Mask
ICMPDSTUNR / ICMP Destination Unreachable
ICMPINF / ICMP Information Request/Reply
ICMPPRMPRB / ICMP Parameter Problem
ICMPRED / ICMP Redirect
ICMPRDISC / ICMP Router Discovery
ICMPSRCQ / ICMP Source Quench
ICMPTMEXC / ICMP Time Exceeded
ICMPTMSTP / ICMP Timestamp Request/Reply
ICMPV6PKTTOOBIG / ICMPV6 Packet Too Big
ICMPV6MLD / ICMPV6 Multicast Listener Discovery
ICMPV6RDISC / ICMPV6 Router Information
ICMPV6NDISC / ICMPV6 Neighbor Discovery
ICMPV6RED / ICMPV6 Redirect

option is a reporting option (ALWAYS, NEVER, or FIRST)

TCP/IP Display Interval
If this field contains an integer (allowable values are 1-48), a TCPIP DISPLAY INTERVAL command is entered in the initialization file. This command defines the ICMP message reporting time interval (in hours).
The command is in the form
NW TCPIP DISPLAY INTERVAL integer
The default interval is 2 hours.
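The three DISPLAY command forms in Table 3-1 can be checked offline before an init file is loaded. The following Python is an added example, not Unisys code: it parses those commands from init-file text, resolves the global ICMPRPTS option against the per-category overrides, and lists the ICMP categories that would never be written to the SUMLOG. The sample init text is constructed, and treating a per-category command as overriding ICMPRPTS regardless of line order is an assumption.

```python
# Message codes listed in Table 3-1 of the guide.
ICMP_CODES = (
    "ICMPADMSK", "ICMPDSTUNR", "ICMPINF", "ICMPPRMPRB", "ICMPRED",
    "ICMPRDISC", "ICMPSRCQ", "ICMPTMEXC", "ICMPTMSTP", "ICMPV6PKTTOOBIG",
    "ICMPV6MLD", "ICMPV6RDISC", "ICMPV6NDISC", "ICMPV6RED",
)
OPTIONS = ("ALWAYS", "NEVER", "FIRST")

# Constructed sample init-file text (not taken from a real system).
SAMPLE_INIT = """\
NW TCPIP FILTERFRAMES ENABLE TCP ALL
NW TCPIP DISPLAY ICMPRPTS FIRST
NW TCPIP DISPLAY ICMPRED ALWAYS
NW TCPIP DISPLAY ICMPV6RED ALWAYS
NW TCPIP DISPLAY ICMPSRCQ NEVER
NW TCPIP DISPLAY INTERVAL 72
"""


def effective_icmp_reporting(init_text):
    """Resolve the NW TCPIP DISPLAY commands in init_text.

    Returns (policy, interval_hours, errors): policy maps every message
    code to ALWAYS, NEVER or FIRST; errors is a list of (line, reason).
    """
    baseline, interval = "ALWAYS", 2          # defaults stated in the guide
    overrides, errors = {}, []
    for lineno, line in enumerate(init_text.splitlines(), 1):
        tokens = line.upper().split()
        if tokens[:3] != ["NW", "TCPIP", "DISPLAY"]:
            continue                          # some other init command
        if len(tokens) != 5:
            errors.append((lineno, "expected NW TCPIP DISPLAY <target> <value>"))
            continue
        target, value = tokens[3], tokens[4]
        if target == "INTERVAL":
            if value.isascii() and value.isdigit() and 1 <= int(value) <= 48:
                interval = int(value)
            else:
                errors.append((lineno, f"interval {value} is outside 1-48 hours"))
        elif value not in OPTIONS:
            errors.append((lineno, f"unknown reporting option {value}"))
        elif target == "ICMPRPTS":
            baseline = value                  # applies to all ICMP messages
        elif target in ICMP_CODES:
            overrides[target] = value         # per-category override
        else:
            errors.append((lineno, f"unknown message code {target}"))
    policy = {code: overrides.get(code, baseline) for code in ICMP_CODES}
    return policy, interval, errors


def unlogged_categories(policy):
    """Message codes whose reports never reach the ODT or the SUMLOG."""
    return sorted(code for code, option in policy.items() if option == "NEVER")


if __name__ == "__main__":
    policy, interval, errors = effective_icmp_reporting(SAMPLE_INIT)
    for code in ICMP_CODES:
        print(f"{code:<16} {policy[code]}")
    print("interval (hours):", interval)
    print("never logged:", unlogged_categories(policy))
    print("rejected lines:", errors)
```

A rejected INTERVAL line leaves the documented 2-hour default in place, so the FIRST option is evaluated against that default rather than the out-of-range value.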

Updating LAN Lines and Connections to Include TCP/IP

To generate the LAN lines and connections required for TCP/IP, perform the following steps:

1. Enter HOme on the ACTION line of the TCP/IP CONFIGURATION MENU screen and transmit the screen. The NETWORK HOME MENU screen displays.

2. Enter UPL in the Choice field and transmit the screen. This action updates the LAN to include TCP/IP. Upon completion, the following message displays:
SUCCESSFUL REGENERATION OF LAN NETWORK

At this point, all the required TCP/IP information has been entered to enable the enterprise server to function in a TCP/IP network. The following procedures describe additional options that are not required but are available on the TCP/IP CONFIGURATION MENU screen.

Optional Enhancements to the TCP/IP Configuration

The following subsections describe how to use additional options on the TCP/IP CONFIGURATION MENU screen. These options are not required but, if used, could make your TCP/IP configuration more efficient.

Use this option... / To define...
TRL / Known routes to TCP/IP hosts not directly connected to the LAN
TDL / Unknown routes to TCP/IP hosts not directly connected to the LAN
TAP / TCP/IP ARP address list
MAP / TCP/IP host name to IP address mapping
TDI / TCP/IP Dynamic Init commands
TFF / TCP/IP Filterframes commands
MEV / TCP/IP MonitorEvents commands
TAS / Default policies for selecting source and destination IPv6 addresses
TNE / Define TCP/IP Neighbor Address Parameters

Defining Known Routes to TCP/IP Hosts Not Directly Connected to the LAN

The following procedure enables you to define routes to other TCP/IP hosts that are not directly connected to the LAN. This procedure enables you to identify the networks or hosts that are reachable by way of known gateways. In performing the following steps, you are defining a static route (one that is not dynamically discovered) that will always be the route used to reach the specified destination. This list should identify TCP/IP hosts that are not directly connected to the local LAN.

To define known routes through the NAU, perform the following steps:

1. From the NETWORK HOME MENU screen, enter ANH in the Choice field and transmit the screen. The APPLICATION HOST LIST screen (Figure 3-3) displays.

2. Specify on the host for which you want to define the known route. The APPLICATION HOST MENU screen (Figure 3-4) displays.

3. Enter TCP in the Choice field and transmit the screen. The TCP/IP CONFIGURATION MENU screen displays, as shown in Figure 3-15 (it is also shown earlier in Figure 3-9).

* NAU -- TCP/IP CONFIGURATION MENU * 325
Action: HOme HOSt PArent PRevious WElcome QUit TEach REfresh
Host: ES1
TIL Define TCP/IP Identity, Address Mask and Router Discovery Parameters
THP Define TCP/IP Host Parameters
TRL Define TCP/IP Routes
TDL Define TCP/IP Default Routes
TAP Define TCP/IP ARP Addresses
MIL Define TCP/IP MACP100/150 IP Addresses
MAP Define TCP/IP Host/IP Address Mappings
TDI Define TCP/IP DynamicInit Commands
TFF Define TCP/IP FilterFrames Commands
MEV Define TCP/IP MonitorEvents Commands
TAS Define TCP/IP Address Selection Policy
TNE Define TCP/IP Neighbor Address Parameters
Choice: TRL

Figure TCP/IP CONFIGURATION MENU Screen

4. Enter TRL in the Choice field and transmit the screen. The TCP/IP ROUTE LIST screen displays. This screen enables you to define which networks can be reached by way of known gateways. For this example, Host-1 has been added and can be reached through Router-1, Router-2, or Router-3 based on the sample network defined in Figure 3-1.

You can enter a mask value to identify the subnet/network/supernet to which the destination belongs. The mask can be entered in the traditional four-node IP notation or in the CIDR slash notation. If you use the CIDR notation, it must be entered in the first of the four mask fields, and the other three fields must be left blank. CIDR notation can be entered either left- or right-justified. If you do not enter a mask, the destination address is considered to be classful and therefore self-identifies a network.

If you enter a preference value, it can indicate alternate routes to the destination (when values for the same destination are different) or parallel routes (when the values are the same). Valid values are 1 to 255 with a default of

5. Enter the IPv4 Destination address and the IPv4 Gateway addresses for Router-1, Router-2, and Router-3 as shown in Figure

* NAU -- TCP/IP ROUTE LIST * 328
ACTION: HOme HOSt PArent PRevious FInd WElcome QUit TEach REfresh
Host: ES1
Destination IP Address    Gateway IP Address    Pref
/ / /

Figure TCP/IP ROUTE LIST Screen

6. Transmit the screen. The screen is refreshed.

7. Enter the IPv6 Destination address and the IPv6 Gateway addresses for Router-1, Router-2, and Router-3 as shown in Figure

* NAU -- TCP/IP ROUTE LIST * 328
ACTION: HOme HOSt PArent PRevious FInd WElcome QUit TEach REfresh
Host: ES1
Destination IP Address    Gateway IP Address    Pref
/ / /
FEC0::3:2A0:C9FF:FED8:5E35/64    FEC0::1:215:C9FF:FE00:1    1
FEC0::3:2A0:C9FF:FED8:5E35/64    FEC0::1:215:C9FF:FE00:2    1
FEC0::3:2A0:C9FF:FED8:5E35/64    FEC0::1:215:C9FF:FE00:

Figure TCP/IP ROUTE LIST Screen

8. Transmit the screen. The screen is refreshed.

9. Transmit again. The TCP/IP CONFIGURATION MENU screen redisplays.

Defining Unknown (Default) Routes to TCP/IP Hosts Not Directly Connected to the LAN

This procedure enables you to identify a communications host to act as a default communications host to route IP traffic to TCP/IP destinations. There are two types of default routes:

System default routes (Do not have a mask)
Assigned default routes (Have a mask)

The route that is identified with the lowest preference number is tried first.

To define default routes within your network, perform the following steps:

1. Enter TDL in the Choice field of the TCP/IP CONFIGURATION MENU screen (Figure 3-15), and transmit the screen. The TCP/IP DEFAULT ROUTE LIST screen displays, as shown in Figure

* NAU -- TCP/IP DEFAULT ROUTE LIST * 329
ACTION: HOme HOSt PArent PRevious FInd WElcome QUit TEach REfresh
Host: ES1
Destination IP Address    Pref
FEC0::1:215:C6FF:FE00:1/64    4
FEC0::1:215:C6FF:FE00:2    3
FEC0::1:215:C6FF:FE00:
/

Figure TCP/IP DEFAULT ROUTE LIST Screen

2. Fill in the following fields.

Field Name / Description

Destination IP Address
Defines the default routes to be used to send messages to destinations whose explicit routes are not known. For the sample network identified in Figure 3-1, enter (IPv4 network) or FEC0::1:215:C6FF:FE00:1 (IPv6 network) for Router-1. If the destination IP addresses include a mask or network prefix length value, the default route is defined to be an assigned default route. If the mask is absent, the destination address is considered to be a system default route.

Preference
Identifies the order in which the routes will be used to send messages. For a given host, for routes with no mask, each preference value must be unique.
Valid values:

3. Transmit the screen. The screen is refreshed.

4. Transmit again. The default routes are defined and the TCP/IP CONFIGURATION MENU screen redisplays.

Defining the TCP/IP ARP Address List

The TCP/IP ARP Address List is a list (table) stored in memory that is used to translate IP addresses to physical addresses. This table is necessary because IP addresses and physical addresses are independently selected. The IP address is selected by the network manager based on the location of the computer in the Internet. The physical address is selected by the manufacturer based on the physical address space licensed by the manufacturer.

To identify an IP address and its corresponding physical address, perform the following steps:

Note: Permanent configurations do not get removed from the ARP tables. The default value is temporary if the Temporary or Permanent field is left blank.

1. Enter TAP in the Choice field of the TCP/IP CONFIGURATION MENU screen (Figure 3-15) and transmit the screen. The TCP/IP ARP ADDRESS LIST screen displays, as shown in Figure

* NAU -- TCP/IP ARP ADDRESS LIST * 330
ACTION: HOme HOSt PArent PRevious FInd WElcome QUit TEach REfresh
Host: ES1
Network Address    Physical Address    Temporary(T) / Permanent(P) / PUblic (U)

Figure TCP/IP ARP ADDRESS LIST Screen

2. Fill in the following fields.

Field Name / Description

Network Address
The IP address of the host that you want to add to the TCP/IP ARP address list. Consists of a 32-bit (4-byte) number that includes a network number and a local address. This number must be unique within the IP network.

Physical Address
The corresponding physical address for the IP address specified in the Network IP Address field. This is a unique address that is stamped on the LAN board.

Temporary (T), Permanent (P), Public (U)
Indicates status of the entry, as well as how long the entry will remain in the ARP table.
T = Entry is to be removed if not recently used
P = Entry is not to be removed
U = A proxy address definition is provided

3. Transmit the screen. The IP address and its corresponding physical address are identified and the TCP/IP CONFIGURATION MENU screen redisplays.

Mapping a TCP/IP Host Name to IP Addresses

You can create a mapping between a remote TCP/IP host name and domain name and one or more IP addresses on the enterprise server either by using the NW TCPIP MAPPING command, or by using the SYSTEM/RESOLVER.

If you use the NW TCPIP MAPPING command, follow the steps in this section to configure the TCP/IP Host/IP Address pairing and then enter the NW TCPIP MAPPING command as described in Creating a Mapping between a TCP/IP Host and One or More IP Addresses in Section 4.

If you use the SYSTEM/RESOLVER, see How the System Resolves a TCP Host Name in Section 4.

Configuring the TCP/IP Host/IP Address Pairing

1. Enter MAP in the Choice field of the TCP/IP CONFIGURATION MENU screen (Figure 3-15) and transmit the screen. The TCP/IP HOST MAPPING LIST screen displays, as shown in Figure

* NAU -- TCP/IP HOST MAPPING LIST * 422
ACTION: HOme HOSt PArent PRevious FInd WElcome QUit TEach Refresh COpy ADd
Host: ES1
TCP/IP Host Name
HOST-1.BIGCO.COM

Figure TCP/IP HOST MAPPING LIST Screen

2. In the TCP/IP Host Name field, enter the host name or domain name of the remote host, or hosts, that you want to map to the application host.

Field Name / Description

Domain Name or Host Name (Required)
Identifies the TCP/IP domain name that will be used to identify the remote host.
Valid values: 1 through 255 characters. Each node of the domain name cannot exceed 64 characters.
HOST-1.BIGCO.COM is shown as a sample value in Figure

3. Specify on a TCP/IP Host Name entry. The TCP/IP MAPPING IP ADDRESS LIST screen displays, as shown in Figure

* NAU -- TCP/IP MAPPING IP ADDRESS LIST * 441
ACTION: HOme Host PArent PRevious FInd WElcome QUit TEach Refresh
Host: ES1
TCP/IP Host: HOST-1.BIGCO.COM
IP Address
FEC0::3:2A0:C9FF:FED8:5E35

Figure TCP/IP MAPPING IP ADDRESS LIST Screen

4. In the IP Address field, enter the IP addresses that you want to map to the TCP/IP host.

Field Name / Description

IP Address (Required)
Made up of IPv4 addresses, IPv6 addresses, or both types of addresses that include a network number and a local address of the remote host. These numbers must be unique within the IP network and FEC0::3:2A0:C9FF:FED8:5E35 are shown as sample IPv4 and IPv6 address values in Figure
Each pairing of a TCP/IP host name with the IP address or IP addresses listed in the IP Address field causes the NAU to generate a TCPIP MAPPING command in the TCP/IP initialization file.

5. Transmit the screen. The screen is refreshed.

6. Transmit again to return to the TCP/IP HOST MAPPING LIST screen.

Configuring Dynamic Initiation of Specified Port Numbers

This section describes how to configure the NW TCPIP DYNAMICINIT command so that it is emitted to the TCP/IP initialization file for the specified application host. Use this command to enable and disable the dynamic initiation of specified port numbers for registered TCP and UDP applications, and to inquire on the current dynamic initiation status of all valid port numbers. For more information on this command, see Disabling and Enabling the Dynamic Initiation of Specified Port Numbers in Section 4.

Configuration Procedure

The following procedure shows a sample screen path used to configure the NW TCPIP DYNAMICINIT command on an application host:

1. Enter TDI in the Choice field of the TCP/IP CONFIGURATION MENU screen (Figure 3-15) and transmit the screen. The TCP/IP DYNAMICINIT COMMANDS screen (Figure 3-22) is displayed.

* NAU -- TCP/IP DYNAMICINIT COMMANDS * 448
Action: HOme HOSt PArent PRevious WElcome QUit TEach REfresh
Host: ES1
Select the desired TCPIP DYNAMICINIT command(s). Additional screens will follow for the entry of the port specification(s).
Disable TCP (Except, Port)
Disable UDP (Except, Port)

Figure TCP/IP DYNAMICINIT COMMANDS Screen

The NAU provides a subset of the TCP/IP DYNAMICINIT commands, so that selected ports can be disabled. Since all ports are enabled by default at initialization, including the ENABLE command is not necessary.

2. Enter E or P in either the Disable TCP or the Disable UDP field. If you enter a selection for Disable TCP, go to step 3. If you enter a selection for Disable UDP, go to step 4.

3. Enter the Beginning and Ending port numbers you want to disable or exclude from disabling in the appropriate columns and transmit. The TCP/IP DISABLE TCP PORT SPECIFICATION screen (Figure 3-23) is displayed. This screen contains a Command header which describes the command being configured, showing either DISABLE TCP EXCEPT or DISABLE TCP PORT depending on your selection on the TCP/IP DYNAMICINIT COMMANDS screen.

* NAU -- TCP/IP DISABLE TCP PORT SPECIFICATION * 450
Action: HOme HOSt PArent PRevious FInd WElcome QUit TEach REfresh
Host: ES1
Command: DISABLE TCP EXCEPT
Port Numbers ( )
Beginning - Ending

Figure TCP/IP DISABLE TCP PORT SPECIFICATION Screen

4. Enter the Beginning and Ending port numbers you want to either disable or exclude from disabling in the appropriate columns and transmit. The TCP/IP DISABLE UDP PORT SPECIFICATION screen (Figure 3-24) is displayed. This screen contains a Command header which describes the command being configured, showing either DISABLE UDP EXCEPT or DISABLE UDP PORT depending on your selection on the TCP/IP DYNAMICINIT COMMANDS screen.

* NAU -- TCP/IP DISABLE UDP PORT SPECIFICATION * 451
Action: HOme HOSt PArent PRevious FInd WElcome QUit TEach REfresh
Host: ES1
Command: DISABLE UDP PORT
Port Numbers ( )
Beginning - Ending

Figure TCP/IP DISABLE UDP PORT SPECIFICATION Screen

Configuring Port Filtering Using the FILTERFRAMES Command

Note: See "Configuring TCP/IP Options" later in this section for details on configuring the dynamic port filtering and the IPv6 filtering features.

The NW TCPIP FILTERFRAMES command enables port filtering of incoming frames (packets) on specific TCP or UDP port numbers. This prevents unwanted frames from reaching the MCP host while the host continues to receive other frames from the network. This command can also be used to disable filtering or to inquire on the filtering status of frames that are intended for specific port numbers.

Port filtering can be implemented for all 65,535 TCP and UDP port numbers and is only available for systems using the FC3-IOP, MAICP4, and VNP network interfaces. This command cannot be used with legacy interfaces such as ICP20.

The NAU supports the ENABLE action of the command, which starts the filtering of frames. The NAU does not support the DISABLE action of the command because disabled is the default status of filtering at initialization. Use the NW TCPIP FILTERFRAMES Operations Interface command to manually enter the DISABLE action.

Configuration Procedure

The following procedure shows a sample screen path used to configure the NW TCPIP FILTERFRAMES command on an application host. See "Filtering Frames Based on Port Numbers" in Section 4, "Operating TCP/IP Software" for additional information on using this command.

1. Enter TFF in the Choice field of the TCP/IP CONFIGURATION MENU screen (Figure 3-15) and transmit the screen. The TCP/IP FILTERFRAMES COMMANDS screen (Figure 3-25) is displayed.

* NAU -- TCP/IP FILTERFRAMES COMMANDS * 459
Action: HOme HOSt PArent PRevious WElcome QUit TEach REfresh
Host: ES1
Select the desired TCPIP FILTERFRAMES command(s). Additional screens will follow for the entry of the port specification(s)
Enable TCP (Except, Port, All)
Enable UDP (Except, Port, All)

Figure TCP/IP FILTERFRAMES COMMANDS Screen

2. Enable filtering for TCP and/or UDP ports as follows:

If A is entered in either or both Enable fields, the ENABLE command is emitted for TCP and/or UDP ports with the ALL option. This option enables filtering for all TCP and/or UDP ports. For example, if A is entered in the Enable TCP field, the following command is emitted:
NW TCPIP FILTERFRAMES ENABLE TCP ALL

If E or P is entered in either or both Enable fields, the corresponding TCP and/or UDP screen (or screens) is displayed. Use these screens to enter port numbers. The E option enables filtering for all ports except those which are specified. The P option enables filtering for the ports or range of ports specified.

The following screen (Figure 3-26) is displayed if the P option is entered in the Enable TCP field. Enter a single port number in the Beginning field, or the start and end of a range in the Beginning and Ending fields. Note that the Command field shows whether Except or Port and TCP or UDP was selected on the previous screen.

* NAU -- TCP/IP FILTERFRAMES ENABLE TCP PORTS * 454
Action: HOme HOSt PArent PRevious WElcome QUit TEach REfresh
Host: ES1
Command: ENABLE TCP PORT
Port Numbers ( )
Beginning - Ending

Figure TCP/IP FILTERFRAMES ENABLE TCP PORTS Screen

Configuring TCP and UDP Port Event Monitoring

This section describes how to configure the NW TCPIP MONITOREVENTS command so that it is emitted to the TCP/IP initialization file for the specified application host. Use this command to monitor events happening on a specific port or range of ports. For more information on this command, see Monitoring TCP and UDP Port Events in Section 4 of this guide.

Configuration Procedure

The following procedure shows a sample screen path used to configure the NW TCPIP MONITOREVENTS command on an application host:

1. Enter MEV in the Choice field of the TCP/IP CONFIGURATION MENU screen (Figure 3-15) and transmit the screen. The TCP/IP MONITOREVENTS COMMANDS screen (Figure 3-27) is displayed.

* NAU -- TCP/IP MONITOREVENTS COMMANDS * 460
Action: HOme HOSt PArent PRevious WElcome QUit TEach REfresh
Host: ES1
Select the desired TCPIP MONITOREVENTS command(s). Additional screens will follow for the entry of the port specification(s).
TCP ALL (+) (Except)
TCP OPEN
TCP LISTEN
TCP RESET
TCP CLOSE
UDP
Monitor interval 180 ( seconds)

Figure TCP/IP MONITOREVENTS COMMANDS Screen

2. Make the following entries on this screen:

For each of the TCP and UDP choices, enter + in the first field to enable monitoring of that event type. The syntax of the TCPIP MONITOREVENTS command allows using a minus sign (-) to disable monitoring. This choice is not needed in an init file because monitoring is off by default.

To include the EXCEPT keyword in the command, enter E in the second field. If you do not make an entry in the first field, an E in the second field is ignored.

If the Monitor interval field is left blank, the command in the init file does not include an interval and the default value is used.

Note: The TCP/IP provider treats a monitor interval of 0 seconds as disabling all monitoring. The NAU does not support this value in init files. Instead, to disable all monitoring, leave all the TCP and UDP fields blank so that there are no TCPIP MONITOREVENTS commands in the init file.

3. When finished making entries, transmit the screen. For each row on the TCP/IP MONITOREVENTS COMMANDS screen that contains an entry in the first field, the NAU presents a TCP/IP MONITOREVENTS PORT SPECIFICATION screen (Figure 3-28). Up to six different screens can be displayed.

* NAU -- TCP/IP MONITOREVENTS PORT SPECIFICATION * 461
Action: HOme HOSt PArent PRevious WElcome QUit TEach REfresh
Host: ES1
Command: MONITOREVENTS + TCP ALL EXCEPT
Port Numbers ( )
Beginning - Ending

Figure TCP/IP MONITOREVENTS PORT SPECIFICATION Screen

4. On this screen, the read-only Command field displays the portion of the command constructed from the entries on the preceding screen. Enter single numbers in the Beginning column, or enter ranges of port numbers in the Beginning and Ending columns of the same row. If you fill in all the rows on the screen, additional copies of the screen are presented to continue the list. If all the fields on this screen are blank, the command is not emitted to the init file.
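The DYNAMICINIT, FILTERFRAMES and MONITOREVENTS port specification screens described above all take the same input: an All, Port or Except choice plus rows of Beginning and Ending port numbers. The Python below is an added example, not part of the guide or of the NAU: it validates and merges such rows, computes the ports a command would cover, and reports which required service ports a FILTERFRAMES ENABLE entry would filter. The 1 to 65535 range (taken from the guide's "all 65,535" statement), the function names and the sample rows are assumptions.

```python
PORT_MIN, PORT_MAX = 1, 65535  # assumption: the guide says "all 65,535" ports

# Constructed sample rows as (Beginning, Ending); None means Ending is blank.
SAMPLE_ROWS = [(23, None), (1024, 2047), (2000, 3000)]


def normalize_rows(rows):
    """Validate (beginning, ending) screen rows and merge them.

    Returns sorted, non-overlapping (low, high) tuples.
    """
    checked = []
    for begin, end in rows:
        end = begin if end is None else end      # single port in Beginning
        if not (PORT_MIN <= begin <= end <= PORT_MAX):
            raise ValueError(f"invalid port row {begin}-{end}")
        checked.append((begin, end))
    merged = []
    for low, high in sorted(checked):
        if merged and low <= merged[-1][1] + 1:  # overlaps or touches previous
            merged[-1] = (merged[-1][0], max(merged[-1][1], high))
        else:
            merged.append((low, high))
    return merged


def complement(ranges):
    """Ports in PORT_MIN..PORT_MAX that are not inside the merged ranges."""
    gaps, next_free = [], PORT_MIN
    for low, high in ranges:
        if low > next_free:
            gaps.append((next_free, low - 1))
        next_free = high + 1
    if next_free <= PORT_MAX:
        gaps.append((next_free, PORT_MAX))
    return gaps


def covered_ports(mode, rows=()):
    """Ranges a command acts on: 'A' all, 'P' listed ports, 'E' all except listed."""
    mode = mode.upper()
    if mode == "A":
        return [(PORT_MIN, PORT_MAX)]
    if mode not in ("P", "E"):
        raise ValueError(f"unknown choice {mode!r}")
    listed = normalize_rows(rows)
    if not listed:
        # Blank screen: no command is emitted (stated in the guide for
        # MONITOREVENTS, assumed here for the other two commands).
        return []
    return listed if mode == "P" else complement(listed)


def filtered_required_ports(mode, rows, required_ports):
    """Required service ports that a FILTERFRAMES ENABLE entry would filter."""
    ranges = covered_ports(mode, rows)
    return sorted(p for p in required_ports
                  if any(low <= p <= high for low, high in ranges))


if __name__ == "__main__":
    print("merged rows:", normalize_rows(SAMPLE_ROWS))
    print("ENABLE ... EXCEPT covers:", covered_ports("E", SAMPLE_ROWS))
    print("required but filtered:",
          filtered_required_ports("E", SAMPLE_ROWS, {23, 443, 2500}))
```

With the Except choice the listed rows act as an allow-list, so a required port missing from the rows (443 in the constructed sample) is reported as filtered.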

Configuring Default Policies for Selecting Source and Destination IPv6 Addresses

You can configure address selection policies to override the default address selection behavior as specified by RFC These policies establish which addresses are preferred over other addresses.

The Precedence value on the TCP/IP ADDRESS SELECTION POLICY screen (Figure 3-29) is used for sorting destination addresses. If Precedence A is greater than Precedence B, address A has higher precedence than address B. The list of addresses on the screen is sorted alphanumerically on IP address only.

The Label value allows for policies that prefer a particular source address prefix for use with a destination address prefix. The address selection algorithms prefer to use a source address S with a destination address D if Label (S) is equal to Label (D).

For additional details on address selection, see TCPIP Address Selection Policy in Section 4, Operating TCP/IP Software.

Perform the following steps to configure policies for selecting source and destination addresses:

1. Enter TAS in the Choice field of the TCP/IP CONFIGURATION MENU screen (Figure 3-15) and transmit the screen. The TCP/IP ADDRESS SELECTION POLICY screen is displayed.

2. Enter the addresses and specify their associated precedence and label values on the screen as shown in Figure

* NAU -- TCP/IP ADDRESS SELECTION POLICY *
ACTION: HOme Host PArent PRevious WElcome QUit TEach Refresh
Host: ES1
IP Address    Precedence (1-100)    Label (1-10)
::/
::FFFF:0:0/
::1/

Figure TCP/IP ADDRESS SELECTION POLICY Screen

3. When finished making entries, transmit the screen. The TCP/IP CONFIGURATION MENU screen redisplays.

Configuring TCP/IP Timer Values

Specify a routing expiration time so that if a route becomes unreachable, the system can switch to alternate routing paths more quickly. The RIProutetimeout MIB object enables the value (in seconds) of the routing expiration timer to be set or inquired on. The LAN resiliency timer value, which is used to check for network interfaces that are unavailable, can also be set or inquired on.

The procedure in this section shows how to configure the RIProutetimeout object and the LANRESILTIMER object to specify a routing expiration time and/or a LAN resiliency time. If non-default expiration times are configured, the new setting or settings are emitted in the NW SNMP SET command.

Configuration Procedure

The following procedure shows a sample screen path used to configure the RIProutetimeout object and LANRESILTIMER values:

1. Enter THP in the Choice field of the TCP/IP CONFIGURATION MENU screen (Figure 3-15) and transmit the screen. The TCP/IP APPLICATION HOST PARAMETERS screen (Figure 3-13) is displayed.

2. Enter values in the RIPRouteTimeout field (permitted range is 30 to 300 seconds) and the LANRESIL Timer field (permitted range is 15 to 3600 seconds) and transmit the screen. The values you enter are the new timing values.

For information on how to set timer values, see Setting Timer Values in Section

Configuring TCP/IP Options

You can configure your system via the NAU TCP/IP OPTION screens to specify TCP/IP options that control various types of network behavior. These options are presented on two OPTION screens and are listed in Table 3-2 and Table 3-3 later in this section.

The options on the first OPTION screen (TCP/IP OPTION 1/2) can be enabled or disabled. You must enter a value for the options on the second OPTION screen (TCP/IP OPTION 2/2) to specify which options you want to use.

If you configure the non-default command settings for any of these options, the NW TCPIP OPTION command is emitted to the TCP/IP initialization file for the application host. This allows you to specify which of these options is enabled or disabled each time TCP/IP is initialized. This command is only supported on application hosts.

For details on specifying these options via the TCPIP OPTION OI command, see Using TCP/IP Options in Section 4.

Configuration Procedure

This procedure assumes that you have already used the NAU to generate a CNS network. If you have not yet configured your CNS network, refer to the BNA/CNS Network Implementation Guide, Volume 2: Configuration for detailed information on configuring the lines and devices that are part of the CNS functionality.

1. Enter THP in the Choice field of the TCP/IP CONFIGURATION MENU screen (Figure 3-15) and transmit the screen. The TCP/IP APPLICATION HOST PARAMETERS screen (Figure 3-13) is displayed.

2. Transmit the screen. The TCP/IP ICMP REPORT DISPLAY screen is displayed (Figure 3-14).

3. Transmit the screen. The TCP/IP OPTION (1/2) screen is displayed (Figure 3-30).

LANBW551 * NAU -- TCP/IP OPTION (1/2) * 449
ACTION: HOme HOSt PArent PRevious WElcome QUit TEach REfresh
Host: AH001
For each category, enter (+/-).
IPv4 Only Operation -
All of the following except as individually specified:
ATM Resiliency -
LAN Resiliency +
LAN Resiliency Timer -
Use RFC 1122 MTU +
80SESSWARN +
90SESSWARN +
95SESSWARN +
SESSWARN +
SSL -
WAITFORHN -
CACHELEARNEDMAP +
UPDATEYHBLEARNED +
USERFCACKSTRATEGY -
ISSUEICMPRESET +
DYNAMICPORTFILTER +
ACDEFAULT
No Auto Addr Update -
IPSEC
No Unnecessary Done Report -
TCP Selective Acknowledgment +
SSH -

Figure 3-30. TCP/IP OPTION Screen

4. Enable (+) or disable (-) these options as necessary for your configuration.

Note that the All of the following except as individually specified field is used to override the individual option defaults. Enter + in this field to enable all of these options. Enter - in this field to disable all of these options. You can specify a value in the All of the following except as individually specified field and then override it by entering a value for a specific option in one of the option fields.

Table 3-2 describes each of the options available on the TCP/IP OPTION (1/2) screen. See Using TCP/IP Options in Section 4 for information on entering these options as commands.

Table 3-2. TCP/IP Options (OPTION Screen 1/2)

Option: IPv4 Only Operation
Description: Provided as a safeguard for preventing the unintentional issuance of configuration commands that either explicitly configure IPv6 interfaces or enable IPv6 address autoconfiguration. In this mode, commands that attempt to configure IPv6 interfaces receive the Invalid operating mode or command processed with exceptions negative response, depending on the type of command and the TCPIP context at the time of processing. The default value is disabled (-). To enable this option, enter + in this field and transmit.

Option: ATM Resiliency
Description: No longer supported.

Option: LAN Resiliency / LAN Resiliency Timer
Description: LAN Resiliency provides high-availability services to LAN-based clients. These services can survive the failure of a network interface without interruption to the dialogs using that interface. They enable you to continue using resilient paths for a particular port across a halt/load if the path was in effect before the halt/load. The default value for LAN Resiliency is enabled (+). To disable this option, enter - in the LAN Resiliency field and transmit. The LAN Resiliency Timer provides the on-off switch for a timer used to check for TCP/IP network interfaces that are unavailable. The default value is disabled (-).

Option: Use RFC 1122 MTU
Description: To comply with RFC 1122, TCP/IP uses a maximum transmission unit (MTU) of 536. This is used to avoid fragmentation of a datagram by intermediate gateways along the path. The default value is enabled (+). To disable this option, enter - in this field and transmit.

Option: 80SESSWARN
Description: Sends a TCP/IP Session Warning waiting entry to the ODT when the number of in use connections reaches 80 percent of the allowable connection count. The default is enabled (+). To disable this option, enter - in this field and transmit.

Option: 90SESSWARN
Description: Sends a TCP/IP Session Warning waiting entry to the ODT when the number of in use connections reaches 90 percent of the allowable connection count. The default is enabled (+). To disable this option, enter - in this field and transmit.

Option: 95SESSWARN
Description: Sends a TCP/IP Session Warning waiting entry to the ODT when the number of in use connections reaches 95 percent of the allowable connection count. The default is enabled (+). To disable this option, enter - in this field and transmit.

Table 3-2. TCP/IP Options (OPTION Screen 1/2)

Option: SESSWARN
Description: Enables or disables all three session warning thresholds (80SESSWARN, 90SESSWARN, and 95SESSWARN). The default is enabled (+). To disable this option, enter - in this field and transmit.

Option: SSL
Description: Used to enable or disable the Secure Socket Layer (SSL) module. When the ClearPath Secure Transport CD is installed, this module supports the SSL protocol for secure transfer of information over the Internet. For more information on SSL, refer to the Security Administration Guide. Within the NAU, the default is disabled (-). To enable this option, enter + in this field and transmit.

Option: WAITFORHN
Description: Enables you to delay the incoming OPEN request to resolve the Hostname for updating the YourHost and YourDomainName attributes. The default is disabled (-); if enabled (+), it can cause incoming OPEN requests to be delayed.

Option: CACHELEARNEDMAP
Description: Allows you to disable the caching of learned Hostname IP address pairs in the TCPIP mapping table. The default is enabled (+); when disabled (-), TCPIP will not add learned entries to the mapping table. You can view the mapping table with the NW TCPIP MAP command.

Option: UPDATEYHBYLEARNED
Description: Enables you to disable the updates to the YourHost and YourDomain attributes by TCPIP if a connection specifies an IPAddress during open. The default is enabled (+); when disabled (-), TCPIP will not update the YourHost and YourDomain attributes for all connections. Exception: If the WaitForHN option is enabled, the UpdateYHByLearned option is ignored for incoming OPEN requests.

Option: USERFCACKSTRATEGY
Description: Enables you to direct the Windows server to force the MCP to acknowledge (ACK) every 2 maximum transmission units (MTUs). If this option is disabled, the Windows server will tune when the MCP needs to send an ACK. The default is disabled (-), which optimizes performance.

Option: ISSUEICMPRESET
Description: Allows you to enable and disable TCP dialog resets caused by Internet Control Message Protocol (ICMP) messages. The default state is enabled (+), which activates the RFC 1122 features. The disabled state (-) activates new security features that protect TCP dialogs against ICMP attacks.

Table 3-2. TCP/IP Options (OPTION Screen 1/2)

Option: DYNAMICPORTFILTER
Description: Enables you to configure FC3-IOP and Network Services networking devices to prevent unwanted transmission control protocol (TCP) and user datagram protocol (UDP) traffic from reaching the MCP host. This can help prevent a Denial of Service attack on the MCP host by ensuring that port scans do not cause excess overhead. If this option is enabled (+), an application on the MCP host that opens a socket will cause TCP or UDP to allow traffic for that socket. Incoming frames containing a destination port number that is not associated with an MCP application will be blocked by the networking device and will not be seen by the MCP host. The default for this option for MCP 12.0 is enabled (+).

Option: ACDEFAULT
Description: Specifies the autoconfiguration value that is assigned to a TCP/IP interface. When a TCP/IP interface is added, this value specifies the autoconfiguration property for the interface. If this value is modified, any newly added interface uses the new value. Specify this option at the beginning of the TCP/IP initialization file if one autoconfiguration value is to be used for every interface. To modify the autoconfiguration property of an already added interface, use the TCPIP [TCPIP]IDENTITY command. If not changed, the default value for this option is disabled.

Option: No Auto Addr Update
Description: Causes TCP/IP to allow only multicast address handling for IPv4 addresses specified in the multicast address list of the connection for that interface. The protocol for IPv6 multicast addresses is not operational and prevents applications from being able to join any IPv6 multicast group. Default = OFF

Option: IPSEC
Description: Enables or disables the IP Security module. When enabled, IPsec encrypts and filters data.

Option: No Unnecessary Done Report
Description: Prevents a done report from being sent. If a node receives another node's report for a multicast address while it has a pending action for that same address, a report for that address does not need to be sent, thus suppressing duplicate reports on the link. Default = OFF

Table 3-2. TCP/IP Options (OPTION Screen 1/2)

Option: TCP Selective Acknowledgment
Description: The TCPIP SACK feature enables MCP administrators to set the TCP Selective Acknowledgement option when the TCP dialog is established. You can use the SACK option to overcome TCP limitations when recovering from multiple lost packets within one window of data. SACK is described in RFC 2018 (TCP Selective Acknowledgement Options) and extended by RFCs 2883 and
Default = ON

Option: Secure Shell (SSH)
Description: SSH allows data to be exchanged using a secure channel between two networked devices. SSH can be used for secure file transfer or remote command execution. SSH is described in RFCs and
Default = OFF

5. Transmit the TCP/IP OPTION (1/2) screen to display the TCP/IP OPTION (2/2) screen (Figure 3-31).

Note: Options that are prefaced with ND are Neighbor Discovery options. Options that are prefaced with MLD are Multicast Listener Discovery options.

* NAU -- TCP/IP OPTION (2/2) *
ACTION: HOme HOSt PArent PRevious Find WElcome QUit TEach REfresh
Host: ES1
For each category, enter a numeric value
ICMPv6 Error Report Burst Rate [ 20]
ICMPv6 Error Report Rate [ 20]
IP Default Hop Limit [ 10]
MLD Unsolicited Report Interval [ 10]
MLD Unsolicited Report Retry [ 3]
ND First Probe Delay [ 5]
ND Max AnyCast Delay [ 1]
ND Max Multicast Solicitations [ 3]
ND Max Neighbor Advertisement [ 3]
ND Max Router Solicitation Delay [ 1]
ND Max Router Solicitations [ 3]
ND Max Random Factor [ 3]
ND Max Unicast Solicitations [ 3]
ND Min Random Factor [ 1]
ND Reachable Interval [30000]
ND Retrans Interval [ 1000]
ND Router Solicitation Interval[ 1]
PMTU Verification Level [ 10]
TCP Window Scale Factor (-1 to 14)[ ]

Figure 3-31. TCP/IP OPTION (2/2) Screen

Table 3-3 describes each of the options available on the TCP/IP OPTION (2/2) screen. See Using TCP/IP Options in Section 4 for information on entering the following options as OI commands.

Table 3-3. TCP/IP Options (OPTION Screen 2/2)

Option: ICMPv6 Error Report Burst Rate
Description: The maximum number of ICMPv6 error reports that are permitted to be sent in a burst. The amount is limited to prevent a node that is sending invalid frames and is ignoring the error reports from overloading the system with report processing. Default = 20

Option: ICMPv6 Error Report Rate
Description: The average number of ICMPv6 error reports permitted each second. The amount is limited to prevent a node that is sending invalid frames and is ignoring the error reports from overloading the system with report processing. Default = 20

Option: IP Default Hop Limit
Description: The default to be used if there is no hop count reported by a router from the network. Range Default = 10

Option: MLD Unsolicited Report Interval
Description: The time between repetitions of a node's initial report of interest in a specific multicast address. Default = 10 seconds

Option: MLD Unsolicited Report Retry
Description: The maximum number of times the system tries to deliver an unsolicited report. Default = 3

Option: ND First Probe Delay
Description: The delay before a node sends a probe packet to a neighbor on the network. Default = 5 seconds

Option: ND Max AnyCast Delay
Description: The time a node waits when sending a neighbor advertisement in response to a valid neighbor solicitation, targeting one of the assigned addresses of the node. The address is an anycast address. The node sends the address resolution response at a random time ranging from 0 to the defined number. Default = 1 second

Option: ND Max MultiCast Solicitations
Description: The maximum number of multicast solicitation retries when a node has a unicast packet to send to a neighbor but does not know the link-layer address of the neighbor. The node performs address resolution by retrying the neighbor solicitations up to the defined maximum. Default = 3 transmissions

Table 3-3. TCP/IP Options (OPTION Screen 2/2)

Option: ND Max Neighbor Advertisement
Description: The maximum number of neighbor advertisement retries. In some cases, a node might be able to determine that its link-layer address has changed and might want to quickly inform its neighbors of the new link-layer address by sending unsolicited neighbor advertisements to the all-nodes multicast address up to the defined maximum. Default = 3 transmissions

Option: ND Max Router Solicitation Delay
Description: The maximum delay before a host sends an initial solicitation. The delay is a random amount of time between 0 and the maximum. This serves to alleviate congestion when many hosts start up on a link in unison. Default = 1 second

Option: ND Max Router Solicitations
Description: The maximum number of router solicitation retries. When an interface is enabled, a host might be unwilling to wait for the next unsolicited router advertisement to locate default routers or learn prefixes. To obtain router advertisements quickly, a host transmits router solicitations up to the defined maximum. Default = 3 transmissions

Option: ND Max Random Factor
Description: The multiplier for maximum random base value, which is used in calculating a variable timeout value. The MaximumRandomBase value is .5. Default = 3

Option: ND Max UniCast Solicitations
Description: The maximum number of unicast solicitation retries. When a node enters the PROBE state, it sends a unicast neighbor solicitation message to the neighbor using the cached link-layer address. While in the PROBE state, a node retransmits neighbor solicitation messages up to the defined maximum. Default = 3 transmissions

Option: ND Min Random Factor
Description: The multiplier for minimum random base value, which is used in calculating a variable timeout value. The MinimumRandomBase value is .5. Default = 1

Option: ND Reachable Interval
Description: The base time used for computing the random reachable time value. Modifying this option through this command overrides any network information received to update this value. Default = 30,000 milliseconds

Table 3-3. TCP/IP Options (OPTION Screen 2/2)

Option: ND Retrans Interval
Description: The time between retransmissions of a message to a neighbor when resolving the address or when probing the reachability. Modifying this option through this command overrides any network information received to update this value. Default = 1,000 milliseconds

Option: ND Router Solicitation Interval
Description: The interval by which router solicitations are separated when requesting router information. Default = 1 second

Table 3-3. TCP/IP Options (OPTION Screen 2/2)

Option: TCP Window Scale Factor (-1 to 14)
Description: Enables the system administrator to set the window scale factor used by the TCP Window Scale option. This option is an extension to the TCP protocol that improves performance over large bandwidth paths by allowing larger blocks of data to be sent and received. This option is based on RFC

The TCP header uses a 16-bit window field to report the size of the receive window to the sender. Therefore, the largest window that can be used is 2^16 or 65,535 bytes, and the largest amount of data that can be sent or received is limited to 65,535 bytes. The window scale extension expands the definition of the TCP window to 32 bits and then uses a scale factor to carry this 32-bit value in the 16-bit window field of the TCP header. The scale factor sets the number of bits that the TCP window is to be adjusted (left-shifted). This TCP option allows the window to increase up to a maximum of 2^30 or 1 Gbyte.

The scale factor is carried in this option. The option is sent only in a SYN segment, so the window scale is fixed in each direction when a connection is opened. Both sides must send Window Scale options in their SYN segments to enable window scaling in either direction.

The scale factor is an integer between -1 (negative one) and 14. A scale factor of -1 means no scaling is performed and leaves the TCPIP window scale option unset in a SYN and SYN ACK frame. A scale factor of 0 indicates that the MCP TCP window is not scaled, but window scaling is performed to the remote system if the remote system sets the option in its SYN or SYN ACK frame.

Range = -1 to 14; enter a value only if you want to enable window scaling.
Default = -1 (no window scaling)

Table 3-3. TCP/IP Options (OPTION Screen 2/2)

Option: PMTU Verification Interval
Description: The time interval between attempts at path MTU verification. Nodes using Path MTU Discovery must detect decreases in PMTU as soon as possible. Nodes can detect increases in PMTU, but this detection must be done at infrequent intervals because it requires sending packets larger than the current estimated PMTU, and because it is unlikely that the PMTU has increased. An attempt to detect an increase (by sending a packet larger than the current estimate) must not be done less than five minutes after a Packet Too Big message has been received for the given path.
Range:
0, indicating no verification
5 - Operator defined maximum minutes
Default = 10 minutes

Configuring TCP/IP Neighbor Address Parameters

This section describes how to configure the NW TCPIP NEIGHBOR ADD command so that it is emitted to the TCP/IP initialization file for the specified application host. IPv6 discovers and records information concerning neighbor nodes on the local link. This command will work in conjunction with neighbor discovery to permit you to add, modify, and delete a neighbor. The IPv6 NEIGHBOR function is similar to the IPv4 ARP function.

Configuration Procedure

The following procedure shows a sample screen path used to configure the NW TCPIP NEIGHBOR ADD command on an application host:

1. Enter TNE in the Choice field of the TCP/IP CONFIGURATION MENU screen and transmit the screen.

* NAU -- TCP/IP CONFIGURATION MENU * 325
Action: HOme HOSt PArent PRevious WElcome QUit TEach REfresh
Host: ES1
TIL Define TCP/IP Identity, Address Mask and Router Discovery Parameters
THP Define TCP/IP Host Parameters
TRL Define TCP/IP Routes
TDL Define TCP/IP Default Routes
TAP Define TCP/IP ARP Addresses
MIL Define TCP/IP MACP100/150 IP Addresses
MAP Define TCP/IP Host/IP Address Mappings
TDI Define TCP/IP DynamicInit Commands
TFF Define TCP/IP FilterFrames Commands
MEV Define TCP/IP MonitorEvents Commands
TAS Define TCP/IP Address Selection Policy
TNE Define TCP/IP Neighbor Address Parameters
Choice: TNE

Figure TCP/IP CONFIGURATION MENU Screen

2. Make the following entries on this screen:

• Enter a Network Address in the field. Network Address can be IPv4 or IPv6 type.
• Enter the Physical Address in the field provided. This entry is optional.
• Enter the Network Processor (NP) ID.
• Enter the Line ID and the Virtual LAN (VLAN) ID in the respective fields. The Line ID field has a range of 0 to 255. The VLAN ID has a range of 1 to
• Enter P for Permanent and T for Temporary.

* NAU -- TCP/IP CONFIGURATION MENU * 100
Action: HOme HOSt PArent PRevious Find Welcome Quit Teach REfresh
Host: ES1
                             Physical   NP   Line   Vlan   P/T
Network Address              Address    ID   ID     ID
FECO::1:04:23FF:FE09:2DFE DFE 12 1 P

Figure TCP/IP NETWORK ADDRESS PARAMETERS Screen

3. When finished making entries, transmit the screen.

Editing the ICP LAN Line Connection and Specifying a Multicast Address List

To set line and/or device attributes to values other than the prefilled default values and specify a multicast address list, perform the following steps:

1. Enter ANH in the Choice field on the NETWORK HOME MENU screen and transmit the screen. The APPLICATION HOST LIST screen displays.

2. Specify on the host that has the ICP for which you want to edit the connection. The APPLICATION HOST MENU screen (Figure 3-4) displays.

3. Enter LIN in the Choice field and transmit the screen. The LINE LIST screen displays.

4. Specify on the Connection Group Name. The LAN LINE ATTRIBUTES screen displays for the specified LAN.

5. Edit any of the prefilled default values on this screen and transmit the screen. The LAN LINE COMMENTS screen displays.

6. Transmit the screen to display the LAN DEVICE LIST screen, as shown in Figure

* NAU -- LAN DEVICE LIST * 76
ACTION: HOme PArent PRevious FInd WElcome QUit TEach REfresh
LAN Name/Host: LAN001/ES1
Group: SG_ICP_155/CG_ICP_155
* Enpt: H=BNA Host, I=TCP/IP, T=Terminal, O=OSI, S=SNA
                                   Add     Enpt
Connection Name   Device Profile   Conn?   (*)    Remote Host   Remote Addr
_TCPIP_155 CMP_LAN_PROF + I TCPIPSYSTEM

Figure LAN DEVICE LIST Screen

Note: If Remote Address is set to all zeros, this implies that you are using a Proxy ARP-capable router.

7. Specify on the TCP/IP Connection Name (Enpt = I). The LAN TCP/IP DEVICE ATTRIBUTES screen displays, as shown in Figure

* NAU -- LAN TCP/IP DEVICE ATTRIBUTES * 335
ACTION: HOme PArent PRevious WElcome QUit TEach REfresh
Host: ES1
Group: SG_ICP_155 /CG_ICP_155
Endpoint: 155_TCPIP_155
NCF Utilization Threshold (0-99%): In = Out =
NCF Object Fault Filter = NON (NONe, CONnection)
Close on Deactivated = - (+/-)
Retry Limit Xid = * 10 (1-100)
Monitor Indicator = NO (NOne, SHort, LOng)
FrameTrace * - (+/-)
Max Message Size Limit ( ): Input 1496 Output 1496
Max Message Size ( ): Input 1496 Output 1496
Link Activity Monitor1 Timer = 10 ( seconds)
Fresponse1 Timer = 1. 0 ( seconds)
Auto Init = + (+/-)
Direction = OU (OUT, IN)
Class = ETH (CPL, XN8, XNB, ETH, CL1, CL2)
Do you want to modify the IP address list (Y/N)? N

Figure LAN TCP/IP DEVICE ATTRIBUTES Screen

8. If you want to specify an optional multicast address list for each TCP/IP device, enter Y as a response to the Do you want to modify the IP address list (Y/N)? question at the bottom of the screen and transmit through the LAN Device Comments screen and the IP Address List screen. The LAN TCP/IP MULTICAST ADDRESS LIST screen displays, as shown in Figure

Use this screen to specify multicast addresses for TCP/IP networks only (enter the addresses as 12-digit hexadecimal values). Note that the 23 low-order bits of the IP multicast address are placed in the low-order 23 bits of the Ethernet or IEEE 802 network multicast address 01:00:5E:00:00:00.

For example, the Ethernet multicast address for a multicast IP address of would be 01005E

This address is derived as follows:

• 01005E is the IEEE part
• is the 23 bits from the multicast IP address part
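The 23-bit mapping described above, worked through as an added example that is not part of the Unisys guide: it converts an IPv4 multicast group to the 12-digit hexadecimal value the screen expects, lists the 32 groups that share each Ethernet address, and checks a list of screen entries against the groups a host is meant to join. The group addresses, sample entries, and function names are constructed for illustration.

```python
import ipaddress
import re

ETHERNET_MULTICAST_BASE = 0x01005E000000  # 01:00:5E:00:00:00
LOW_23_BITS = 0x7FFFFF


def multicast_mac(group):
    """Return the 12-digit hex Ethernet multicast address for an IPv4 group."""
    addr = ipaddress.IPv4Address(group)
    if not addr.is_multicast:
        raise ValueError(f"{group} is not an IPv4 multicast address")
    return f"{ETHERNET_MULTICAST_BASE | (int(addr) & LOW_23_BITS):012X}"


def colliding_groups(group):
    """List every IPv4 group that maps to the same Ethernet address as group.

    A group address has 28 variable bits but only 23 are copied, so the 5
    dropped bits give 32 groups per Ethernet multicast address.
    """
    low = int(ipaddress.IPv4Address(group)) & LOW_23_BITS
    return [str(ipaddress.IPv4Address(0xE0000000 | (high << 23) | low))
            for high in range(32)]


def check_address_list(entries, groups):
    """Compare 12-digit screen entries with the groups the host should join."""
    report = {"malformed": [], "not_ip_multicast": [], "missing": []}
    entered = set()
    for entry in entries:
        if not re.fullmatch(r"[0-9A-Fa-f]{12}", entry):
            report["malformed"].append(entry)
            continue
        # Everything above the low 23 bits must equal the fixed 01005E prefix
        # with the 24th bit clear.
        if int(entry, 16) & ~LOW_23_BITS != ETHERNET_MULTICAST_BASE:
            report["not_ip_multicast"].append(entry)
            continue
        entered.add(entry.upper())
    report["missing"] = [g for g in groups if multicast_mac(g) not in entered]
    return report


if __name__ == "__main__":
    # Constructed sample data, not values from the guide.
    groups = ["224.0.0.9", "224.1.1.2", "224.0.1.1"]
    entries = ["01005E000009", "01005e010102", "01005E7F", "01005EFF0001"]
    for g in groups:
        print(g, "->", multicast_mac(g))
    print(check_address_list(entries, groups))
    print(len(colliding_groups("224.1.1.2")), "groups share", multicast_mac("224.1.1.2"))
```

Because 32 groups share each entry, an address on this list admits frames for groups the host never joined; the IP layer still has to discard those by group address.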

* NAU -- TCP/IP MULTICAST ADDRESS LIST * 453
ACTION: HOme PArent PRevious FInd WElcome QUit TEach Refresh
Host: ES1
Group: SG_ICP_155 /CG_ICP_155
Endpoint: 155_TCPIP_155
Multicast Address
E

Figure TCP/IP MULTICAST ADDRESS LIST Screen

Auto-Configuring BNA-over-IP (BIP) Connections

A network in which each ICP on each host has at least one BIP connection to each other ICP requires many entries in the Neighbor IP Address List for each host. To auto-configure these entries and maintain the lists as addresses change, use the Auto-Configure BIP Connections field on the APPLICATION HOST ATTRIBUTES screen (Figure 3-5). The automated BIP configuration feature is enabled only for application hosts for which this field is set to +.

The BIP Config field on the TCP/IP IDENTITY ADDRESS LIST screen (Figure 3-10) can then be used to specify autoconfiguration for a line. Enter + in the field to include the associated line in the automatic configuration algorithm; if the field is left blank or - is entered, the line is ignored by the algorithm. Automatic configuration occurs during LAN update processing (see Updating LAN Lines and Connections to Include TCP/IP earlier in this section).

In order to use automated BIP configuration, the application hosts must be on independent LAN names. Autoconfiguration does not occur between endpoints that are on the same LAN, as defined on the SHARED ADAPTERS CONFIGURATION screen (Figure 3-8) or on the DIRECT ATTACH LINE CONFIGURATION screen (Figure 3-39).

Adding an IPv6 BNA-over-IP (BIP) Neighbor

To add a BIP neighbor, you must specify a set of paired IPv6 addresses: a destination address and the source address, which is used to reach the destination. Use the NEIGHBOR PAIRED IP ADDRESS LIST screen to specify these addresses as follows:

1. From the NETWORK HOME MENU screen, enter ANH in the Choice field and transmit the screen. The APPLICATION HOST LIST screen is displayed.

2. Specify on the host for which you want to define a neighbor. The APPLICATION HOST MENU screen is displayed.

3. Enter HST in the Choice field and transmit the screen. The APPLICATION HOST ATTRIBUTES screen is displayed.

4. Enter Y as a response to the "Define other application host attributes?" question and transmit the screen. The APPLICATION HOST ATTRIBUTES MENU screen is displayed.

5. Enter VAL in the Choice field and transmit the screen. The VALIDATION LIST screen is displayed.

6. Enter the remote BNA host name in the Host Name field and enter + in the Add Neighbor field. Transmit the screen. The HOST/NEIGHBOR PASSWORDS screen is displayed.

7. Transmit past the HOST/NEIGHBOR PASSWORDS screen and the NEIGHBOR IP ADDRESS LIST screen to the NEIGHBOR PAIRED IP ADDRESS LIST screen (Figure 3-37).

* NAU -- NEIGHBOR PAIRED IP ADDRESS LIST * 422
ACTION: HOme PArent PRevious FInd WElcome QUit TEach REfresh
Host: ES1
Other Host: ASN001
Destination IP Address                     Source IP Address
FEDC:BA98:7654:3210:FEDC:BA12:3456:6890    FEC0::1:04:23FF:FE09:2DFE

Figure 3-37. NEIGHBOR PAIRED IP ADDRESS LIST Screen

8. Enter the IP address associated with your remote application host in the Destination IP Address field and the source IP address in the Source IP Address field.

When you specify source IP addresses, BNA over IP connections destined for the destination IP address are routed through the local host whose IP address is specified in the Source IP Address field.

Configuring FC3-IOP Networking

The FC3-IOP is a PCI-based network processor with one gigabit Ethernet port that is used to provide the interface to the network. The FC3-IOP offers networking capabilities that are functionally equivalent to a Network Services device and supports TCP/IP and BNA. It simplifies support for IEEE 802.1Q VLANs and enables the use of VLANs with a managed switch for a large number of remote LANs.

The FC3-IOP can have more than one connection group per line, but each connection group must have a different VLANID defined in the attribute list for that connection group. The NAU treats each LINEID and VLANID pair as the equivalent of a separate line.

Use the following procedure to assign VLANIDs to each of the two lines on the adapter and to specify values for each VLANID.

Specifying VLANID Attribute Values

1. Enter ICP in the Choice field of the APPLICATION HOST MENU screen (Figure 3-4), and transmit the screen. The ICP ASSIGNMENTS screen displays (Figure 3-38).

2. Enter NET1G in the ICP Type field and transmit.

* NAU -- ICP ASSIGNMENTS * 67
ACTION: HOme HOSt PArent PRevious FInd WElcome QUit TEach REfresh
Host: ES1
*In EDG mode, specify on Device Number for configuration information
Device               Attachment
Number    ICP Type   Type         Attachment Identifier
ICP CNP 8002 NET1G

Figure 3-38. ICP ASSIGNMENTS Screen

3. Specify on the row containing NET1G. The DIRECT ATTACH ADAPTER CONFIGURATION screen displays (Figure 3-39).

* NAU DIRECT ATTACH ADAPTER CONFIGURATION * 453
ACTION: HOme HOSt PArent PRevious WElcome QUit TEach REfresh
Host : ES1
Device # : 8002
Type : NET1G
Number of VLANIDs on Line 1 4 (0-32)
Number of VLANIDs on Line 2 3 (0-32)

Figure 3-39. DIRECT ATTACH ADAPTER CONFIGURATION Screen

4. Enter the number of VLANIDs you want for each of the two lines on this adapter and transmit the screen. Valid values range from 0 to 32; a blank field is interpreted as 0 (zero). The DIRECT ATTACH LINE CONFIGURATION screen displays (Figure 3-40). This screen contains one row for each VLANID requested on the DIRECT ATTACH ADAPTER CONFIGURATION screen. The index and line numbers are preassigned.

Note the following on this screen:

• The values must be unique within each line (for example, entering VLANID = 3 on Line 1 and VLANID = 3 on Line 2 is permitted, but entering two values of VLANID = 3 on Line 1 is not permitted).
• If a line has only one VLANID, assigning a number to its VLANID field is optional.
• If this screen is transmitted while an index field is blank, that row will be deleted and the number of VLANIDs on the screen will decrease.
• The Local Address fields are filled with default values which can be changed to the actual MAC addresses or the value *DEFAULT.

If the total number of VLANIDs exceeds 10, additional screens are presented until the list is exhausted.

5. Enter any VLANID values between 1 and 4094 inclusive in the VLANID field as shown in Figure 3-40 and transmit.

* NAU DIRECT ATTACH LINE CONFIGURATION * 454
ACTION: HOme HOSt PArent PRevious FInd WElcome QUit TEach REfresh
Host: ES1
ICP Device: 8002
ICP Type: NET1G
                 LAN    LAN                    CPLAN     TCP/IP
Index  Line ID   Name   Local Address   (+/-/S)   (+/-/S)   VLANID
LAN B0039B
LAN B0039B
LAN B0039B
LAN B0039B
LAN B0039B
LAN B0039B
LAN B0039B
All LAN Local Addresses will be made equal to the first one for that Line ID.

Figure 3-40. DIRECT ATTACH LINE CONFIGURATION Screen

Specifying the VLANID Attribute in TCPIP Commands

The VLANID attribute is an optional field on the following commands:

• NW TCPIP TCPIPIDENTITY
• NW TCPIP RIP RIPAUTHENTICATION

Use this attribute to specify to which VLAN, for a line on the FC3-IOP network processor, the command applies. Use the following procedure to include VLANID in these commands in the host TCPIP initialization file.

1. Enter TCP in the Choice field of the APPLICATION HOST MENU screen (Figure 3-4) and transmit the screen. The TCP/IP CONFIGURATION MENU screen displays (Figure 3-15).

2. Enter TIL in the Choice field and transmit the screen. The TCP/IP IDENTITY ADDRESS LIST screen displays (Figure 3-10). This screen includes a row for each LineID/VLANID pair that has a "+" in the TCP/IP column on the DIRECT ATTACH LINE CONFIGURATION screen (Figure 3-40), in addition to the TCP/IP lines from other processors attached to the same host. The VLANID shares a read-only column with the NT LineID attribute, which is not applicable to FC3-IOP processor lines.

3. Enter the IP address and mask for each row.

4. To enable RIPv2 Authentication for any of the lines, specify on one of the rows on this screen that contains a VLANID. The NETWORK ADDRESS PARAMETERS screen displays (Figure 3-11).

5. Enter the value + or - for the Visible field. It is used to mark all addresses on the associated interface as visible (Visible +) or invisible (Visible -). Interfaces marked as invisible are only invisible to the applications that make use of an internal API such as Client Access Services.

6. Enter values for the RIPv2 Authentication Type and Password or other fields as appropriate and transmit the screen. The TCP/IP MULTIPLE IDENTITY ADDRESS LIST screen displays (Figure 3-12).

7. Transmit the screen. The VLANID is included in the NW TCPIP TCPIPIDENTITY and the NW TCPIP RIP RIPAUTHENTICATION commands in the TCPIP initialization file for the host.

Checking Network Consistency

Note: For a detailed description of attributes that appear on NAU screens, refer to the Networking Attributes Data Dictionary Help.

To verify the consistency of your TCP/IP entries with the rest of your network, use the NAU Consistency Checker program. Perform the following steps:

1. Enter CHK in the Choice field of the NETWORK GENERATION ENDING MENU screen and transmit. The CONSISTENCY CHECK MENU screen displays, as shown in the following figure.

* NAU -- CONSISTENCY CHECK MENU * 247
ACTION: HOme PArent PRevious WElcome QUit TEach REfresh VIew
Specify Which Hosts:    (ALl Hosts plus NCF and Network Attributes, UPdated Hosts, NAme of Host =, NCf and Network Attributes only)
Suppress Warnings: Y (Yes/No)
Run Consistency Check in batch mode?: N (Yes/No)
EXPERT:EDIT

Figure CONSISTENCY CHECK MENU Screen

2. Enter NA in the Specify Which Hosts field, the host name (ES1 in this example) in the Name of Host field, and N in the Suppress Warnings field. Transmit the screen.

Messages are displayed as the NAU performs the consistency check. Any consistency errors that the NAU finds are reported in the NAU/CONSISTENCY file. This file has the following name format:

    NAU/CONSISTENCY/<date>/<time>

where <date>/<time> represent when the consistency check was run.

Once the consistency checks are complete, a message displays indicating the number of errors (if any) encountered. Record the name of the file so it can be printed later if necessary. If errors are detected, examine the NAU/CONSISTENCY file to determine what errors exist.

3. To display the NAU/CONSISTENCY file on the terminal screen, enter VI on the ACTION line and transmit the screen. Table 3-4 describes the TCP/IP consistency check errors.
4. After determining which errors need to be corrected, enter PA on the ACTION line and transmit the screen. The CONSISTENCY CHECK MENU redisplays.
5. Enter HO on the ACTION line and transmit the screen. The NETWORK HOME MENU screen displays. From this screen, you can redefine any incorrect attributes for the components in your network.
6. After correcting all errors that appear in the consistency report, rerun the consistency checker. Repeat this process until you have corrected all errors.

Consistency Errors and Solutions

Use Table 3-4 to help troubleshoot potential consistency check errors.

Table 3-4. NAU TCP/IP Consistency Checker Error Messages

Error Message: TCP/IP CONNECTION IS DEFINED AND USE TCP/IP IS NOT SET
Description: To use TCP/IP on any connection within an ICP, you must set the Use TCP/IP field to + on the Application Host Attributes screen. Check that the host name has been set (see the following message in this table).

Error Message: TCP/IP INTERNET HOST NAME IS BLANK AND REQUIRED
Description: The Internet host name is blank. When it is determined that TCP/IP is running on the application host, the host's TCP/IP host parameters record is checked for an Internet host name.

Error Message: IP ADDRESS BLANK & REQUIRED ON TCP/IP IDENTITY ADDRESS LIST ICP DEVICE <ICP device number>
Description: An ICP on the ICP ASSIGNMENT screen is designated to be used by TCP/IP. The required IP address on the TCP/IP Identity Address List for that ICP was not entered.

Error Message: DUPLICATE TCP/IP ADDRESS
Description: It is possible to enter equivalent IP addresses, one in traditional mask format and one in CIDR format. For example, the mask and the network prefix /24 are equivalent. This duplication is not detected during data entry, but is reported as a consistency error.
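Because the DUPLICATE TCP/IP ADDRESS condition is reported only by the consistency checker and not at data entry, a planned address list can be screened beforehand. The following is an added example, not part of the Unisys guide or the NAU: it normalizes each entry so that mask format and CIDR format compare equal, and it also treats different textual spellings of one IPv6 address as the same, which goes beyond the case the table describes. The row labels and addresses are constructed.

```python
import ipaddress
from collections import defaultdict

# Constructed sample rows: (row label, IP address, mask or prefix as typed).
SAMPLE_ENTRIES = [
    ("LINE 1 VLAN 10", "192.0.2.10", "255.255.255.0"),   # traditional mask format
    ("LINE 2 VLAN 20", "192.0.2.10", "/24"),             # same address, CIDR format
    ("LINE 3", "192.0.2.11", "24"),
    ("LINE 4", "2001:db8::1:0:0:1", "64"),
    ("LINE 5", "2001:0DB8:0:0:1:0:0:1", "/64"),          # same IPv6 address, expanded
    ("LINE 6", "198.51.100.1", "255.0.255.0"),           # non-contiguous mask
]


def normalize(address, mask_or_prefix):
    """Return one canonical interface object for an address and its mask.

    ipaddress.ip_interface accepts "192.0.2.10/24" as well as
    "192.0.2.10/255.255.255.0" and raises ValueError for a mask that is not
    a contiguous run of one bits.
    """
    suffix = str(mask_or_prefix).strip().lstrip("/")
    return ipaddress.ip_interface(f"{address.strip()}/{suffix}")


def find_duplicates(entries):
    """Group rows by normalized address.

    Returns (duplicates, invalid): duplicates maps the canonical address to
    the labels of every row that carries it, invalid lists rows whose address
    or mask could not be parsed.
    """
    seen = defaultdict(list)
    invalid = []
    for label, address, mask in entries:
        try:
            seen[normalize(address, mask)].append(label)
        except ValueError as exc:
            invalid.append((label, str(exc)))
    duplicates = {str(key): labels for key, labels in seen.items() if len(labels) > 1}
    return duplicates, invalid


if __name__ == "__main__":
    dups, bad = find_duplicates(SAMPLE_ENTRIES)
    for address, labels in dups.items():
        print("duplicate", address, "on", ", ".join(labels))
    for label, reason in bad:
        print("invalid", label, reason)
```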

Generating Initialization Files

The NAU creates initialization files, which contain networking OI commands generated by the entries you made on the NAU screens. These commands define the components and operating characteristics of the network.

Initialization files can be generated from either of the following screens:

- NETWORK HOME MENU screen
- NETWORK GENERATION ENDING MENU screen

To generate initialization and code files, perform the following steps:

1. On either screen, enter GEN in the Choice field to generate initialization and code files.
2. Transmit the screen. The GENERATION MENU screen displays, as shown in the following figure.

* NAU -- GENERATION MENU * 248
ACTION: HOme PArent PRevious WElcome QUit TEach REfresh
Set Mode AU (INteractive, AUtomatic, BAtch)
Specify Which Hosts AL (ALl Hosts, UPdated Hosts, NAme of Host =, LEvel ID = all hosts at the specified Level ID)
Generate Init File Only N (Yes/No)
Init File Security PU (PUblic, PRivate)
Configurator Priority 50 (0-99)
Send Output to BO (DIsk, PRinter, BOth printer and disk)
Generate Init/Code File Distribution WFLs? (Yes, No)
Generate Pre-encode CP Init File WFLs? N (Yes/No)
Files To Copy/Encode NE (NEw files only, ALl files)
Copy Media DI (DIsk, TApe, BOth)
Queue (0-1023)

Figure GENERATE MENU Screen

3. Fill in the appropriate values on the GENERATION MENU screen.

Field Name: Set Mode
Description: AU.

Field Name: Specify Which Hosts
Description: AL. If you would rather generate the initialization file for a specific host, enter NA in this field and the host name in the Host Name field.

Field Name: Generate Init File Only
Description: Y. If you enter N, the NAU will generate code files.

Field Name: Init File Security
Description: Your security selection.

Field Name: Configurator Priority
Description: A value from 0 to 99 to indicate the configurator priority when generating code files. The default is 50.

Field Name: Send Output To
Description: One of the following:
    DI. Stores the initialization files on disk.
    PR. Prints the initialization files. No initialization files are written to disk.
    BO. Prints the initialization files and stores the initialization files and code files on disk.

Field Name: Generate Init/Code File Distribution WFLs?
Description: Y. A distribution Work Flow Language (WFL) program is generated for each application host in your network. The WFL issues a file transfer command or a copy to tape command for each initialization file and code file needed to initialize a particular host. If you enter Y in this field, then you must also specify the copy media in the previous field.

Field Name: Generate Pre-encode CP Init File WFLs?
Description: N. A WFL program encodes the CP initialization files generated in the initialization file generation session. The set of CP initialization files to be processed in each WFL is determined by the value entered in the Files to Copy/Encode field.

Field Name: Files To Copy/Encode
Description: One of the following:
    NE. Includes the initialization and code files for all hosts processed in a single initialization file generator run. This includes code files for processed communication hosts which might not have to be regenerated.
    AL. Includes all files needed to initialize the application host.

Field Name: Copy Media
Description: One of the following:
    DI.
        For a control agent or backup control agent: If you select disk, the information on the CONTROL AGENT PARAMETERS (1) screen is used to copy the files to the proper disk and usercode on the remote or local system.
        For a host that is not a control agent or backup control agent: If you select disk, the information on the INITIALIZATION FILE LOCATION screen is used to copy the files to the proper disk and usercode on the remote or local system.
        For all hosts: If a location is not specified on the CONTROL AGENT PARAMETERS screen or the INITIALIZATION FILE LOCATION screen, the files are copied without a usercode to disk.
    TA. The initialization and code files are copied to tape. The tape has the same name as the destination host. Note that if you select tape, two WFLs are generated for the host on which you are running the NAU: one WFL copies the initialization and code files to disk and the other WFL copies the files to tape.
    BO. The NAU creates two WFLs for a host, one that it copies to disk, and one that it copies to tape.

Field Name: Queue
Description: A queue to be entered in the WFL. The queue must be within the range of 0 to 1023.

4. Transmit the screen. When the NAU finishes generating the files, the GENERATION MENU screen redisplays.

The TCP/IP default initialization file name has the following format:

    <initialization file prefix>/<host name>/<product name>

For example:

    TCPIPSAMPLE/ES1/TCPIP

The NAU automatically creates a diagnostic file on the NAU pack based on the network definitions you provided on the NAU screens. This file has the following name format:

    NAU/DIAGNOSTICS/<date><time>

where <date>/<time> represent when the NAU was opened.

The diagnostics file contains status and error reports created by the NAU. Check this file after generating the initialization file to ensure that no problems were encountered during the generating process.

Printing the Network Description Reports

The NAU can provide a printable listing that shows how the network is defined, component by component. The NAU generates a separate TCP/IP INFORMATION SUMMARY report for enterprise servers.

Figure 3-43 illustrates a sample TCP/IP Information Summary report for an application host.

NCS DB Version: TEST    Print Network Report    NAU Version    Page: 17
Date: 1/18/2010
Time: 2:35 AM    TCP/IP Information Summary
Host Name: AH001

Attribute Value
ATM Cache Timer (D) 7
ATM SVC Inactivity Timer (D) 8
ATM SVC Keep Alive (D) Normal
Broadcast Filter High (D)
Broadcast Filter Low (D)
ICMP Limited Broadcast (D) Enabled
Internet Host Name (U) ES1.TREDY.BIGCO.COM
LAN Resiliency Timer (D) 30
Maximum Connections (D) 64
MulticastDefaultAddress (D)
IPv4 MulticastDefaultAddress (D)
RIPEnabled (D) +
RIP Route Timeout (D) 180
Retry Limit (D) 15
Disable TCP Security Library (D) No
TCP Security Library Rules File (D)

TCP/IP ICMP REPORT OPTIONS
Attribute Value
All ICMP Reports (D)
ICMP Redirect (D)
ICMP Address Mask (D)
ICMP Router Discovery (D)
ICMP Destination Unreachable (D)
ICMP Source Quench (D)
ICMP Information Request/Reply (D)
ICMP Time Exceeded (D)
ICMP Parameter Problem (D)
ICMP Timestamp Request/Reply (D)
Display Interval (D) 2 hours

(continued)

NCS DB Version: TEST    Print Network Report    NAU Version    Page: 18
Date: 1/18/2010
Time: 2:35 AM    TCP/IP Information Summary

TCP/IP OPTIONS
Attribute Value
IPv4 Only Operation mode (D) -
DynPortFilt ReportInterval (D)
ATM Resiliency (D) -
ICMPv6 Error Report Burst Rate (D) 20
LAN Resiliency (D) +
ICMPv6 Error Report Rate (D) 20
LAN Resiliency Timer (D) -
Router Default Maximum Hop (D) 10
Use RFC MTU (D) +
MLD Unsolicited Report (D) 10
80Sesswarn (D) +
MLD Unsolicited Report Retry (D) 3
90Sesswarn (D) +
ND First Probe Delay (D) 5
95Sesswarn (D) +
ND Anycast Delay (D) 1
Sesswarn (D) +
ND Max Multicast Solicitations (D) 3
SSL (D) -
ND Max Neighbor Advts (D) 3
Cache Learned Map (D) +
ND Max Router Solicitation Delay (D) 1
Update YourHost by Learned (D) +
ND Max Router Solicitations (D) 3
Wait for Hostname (D) -
ND Max Random Factor (D) 3
Use RFC Ack Strategy (D) -
ND Max Unicast Solicitations (D) 3
Issue ICMP Reset (D) +
ND Min Random Factor (D) 1
Dynamic Port Filtering (D) -
ND Reachable Interval (D)
Autoconfiguration Default (D)
ND Retrans Interval (D) 1000
IPsec Functionality (D)
ND Router Solicitation Interval (D) 1
No Automatic Address List Update (D) -
Path MTU Verification Interval (D) 10
No Unnecessary Done Report (D) -
AC Interface Identifier Source (D)
TCP Selective Acknowledgement (D) +
Window Scaling Factor (D) 0

(continued)

NCS DB Version: TEST    Print Network Report    NAU Version    Page: 19
Date: 1/18/2010
Time: 2:35 AM    TCP/IP Information Summary
Host Name: AH001

TCP/IP LINE INFORMATION
ICP NT Device#: Line Internet Config Address Mask Attributes: Router Discovery Attributes:
Line ID ID IP Address BIP Mask IP Address Config Retry Limit Perform TimetoLive
: /24 STATIC 5 ENABLED 1
Solicitation Addr AutoConfiguration Duplicate Address Detection Transmits Visible
: /24 STATIC 5 ENABLED 1
RIPv2 Authentication Type Password Password v17gy5nqd3
AutoConfiguration Duplicate Address Detection Transmits Visible
: 2 FEC0::1:04:23FF:FE09:2DF /64 STATIC 5 ENABLED 1
AutoConfiguration Duplicate Address Detection Transmits Visible

TCP/IP ROUTE LIST
Destination IP Address    Gateway IP Address    Preference
FEC0::3:2A0:C9FF:FED8:5E35/64 FEC0::1:215:C9FF:FE00:1 1
FEC0::3:2A0:C9FF:FED8:5E35/64 FEC0::1:215:C9FF:FE00: / /

(continued)

NCS DB Version: TEST    Print Network Report    NAU Version    Page: 19
Date: 1/18/2010
Time: 2:35 AM    TCP/IP Information Summary
Host Name: AH001

TCP/IP DEFAULT ROUTE LIST
Destination IP Address    Preference
FEC0::1:215:C6FF:FE00:1/64 4
FEC0::1:215:C6FF:FE00: / /24 2

TCP/IP NEIGHBOR
Network Address    Physical Address    NP ID    Line ID    VLan ID    P/T
FEC0::1:04:23FF:FE09:2DFE 08000B0003B P B0011B T

TCP/IP HOST MAPPING LIST
Network Address    TCP Host Name
FEC0::3:2A0:C9FF:FED8:5E35 HOST-1.BIGCO.COM HOST-1.BIGCO.COM

TCP/IP DYNAMIC INIT COMMANDS
Command    Beginning    Ending
DISABLE UDP EXCEPT 1 5

Figure 3-43. Sample TCP/IP Information Summary Report for Enterprise Server

Notes:
(D) Indicates that an attribute setting is the default value.
(U) Indicates that an attribute setting is user defined.

Start the print function from either of the following screens:

- NETWORK HOME MENU screen
- NETWORK GENERATION ENDING MENU screen

To print the report, perform the following steps:

1. On either screen, enter PRT in the Choice field. Transmit the screen. The PRINT GENERATED NETWORK DESCRIPTION MENU screen displays.
2. Enter USERPRODEF in the Choice field, as shown in the following figure.

* NAU -- PRINT GENERATED NETWORK DESCRIPTION MENU * 231
ACTION: HOme PArent PRevious WElcome QUit TEach REfresh
Generate reports in batch mode?: N (Yes/No)
Print reports: I (Immediately, EOJ, Never)
Backup file directory (optional):
Select the level of detail:
    SUMMARY       Summary Information
    USER          User specified information
    USERPRO       User and profile specified information (all except defaults)
    USERPRODEF    User specified, profile specified, and default information
    ALL           Print all available types of information on the whole network
Choice: USERPRODEF

Figure PRINT GENERATED NETWORK DESCRIPTION MENU Screen

3. Transmit the screen. The PRINT SELECT INFORMATION screen displays.
4. Enter X next to any information to be printed. For the sample, enter X next to TCP/IP information, as shown in the following figure.

* NAU -- PRINT SELECT INFORMATION * 232
ACTION: HOme PArent PRevious WElcome QUit TEach REfresh
Enter one or more 'X's to select the type of information:
    All the information below
    NAU Global information
    Network information
    Control Agent information
    NCF information
    Host information
    Line information               Optional format
    Device information             Optional format
    Terminal summary information.. Optional format
    Profile information
  X TCP/IP information
    OSI information
    Terminal Gateway
    Localization

Figure PRINT SELECT INFORMATION Screen

5. Transmit the screen. The following message displays while the report is printing:

    The requested information is being printed. Please wait.

When the printing is complete, the PRINT GENERATED NETWORK DESCRIPTION MENU screen redisplays.

6. Once the network is generated, end the NAU session.

Ending an NAU Session

To end an NAU session, enter QU on the ACTION line of any NAU screen and transmit the screen. If you quit a session before completely defining your network, all the information that you entered on the screens is saved. If you quit before generating the basic network, use the generate (GNN) mode (not the EDG mode) on the WELCOME screen when you start a new session. The NAU automatically redisplays all the screens in order, rather than starting from the last screen on which information was entered.

Initializing the TCP/IP Network

Once the network has been created using the NAU, you can apply the enterprise server TCP/IP initialization file and bring up the TCP/IP software. For specific instructions on initializing the TCP/IP network, see Section 4, "Operating TCP/IP Software."


Section 4
Operating TCP/IP Software

This section describes the following TCP/IP network operations:

- Initializing the TCP/IP network
- Terminating TCP/IP on the enterprise server host
- Inquiring on the status of TCP/IP software
- Setting timer values
- Configuring multiple routes and default routes
- Inquiring about routing problems
- Modifying TCP/IP components online
- Filtering TCP/IP traffic
- Deleting TCP/IP components online
- Enabling a host to use the address mask protocol
- Using router discovery
- Using neighbor discovery
- Setting the IPADDRESSLIST attribute
- Controlling TCP/IP end system security
- Using TCP/IP options
- Specifying and inquiring on IP multicast frames
- Disabling and enabling the dynamic initiation of specified port numbers
- Monitoring TCP and UDP port events

Unisys recommends that you use the Network Administrative Utility (NAU) to create network component descriptions and to modify them. The NAU is the preferred way to make permanent changes to your network configuration and provides consistency checking to minimize configuration errors. See Section 3, Configuring a TCP/IP Network Using the NAU, for additional information on using the NAU.

You can also use Operations Interface (OI) commands to perform TCP/IP functions. If you use these commands to modify network components online, the modifications are temporary, lasting only until the next initialization of the network. Appendix A briefly describes TCP/IP OI commands and inquiries. For complete command descriptions, refer to the Networking Commands and Inquiries Help.

Initializing the TCP/IP Network

Initializing the TCP/IP network for ClearPath MCP servers means starting (or restarting) the following software on each enterprise server in the network:

- Core Network Services (CNS)
- Heritage Network Services (BNAv2), if installed
- TCP/IP
- SNMP, if installed

When TCP/IP is initialized on the enterprise server, the host automatically reads the initialization files, which contain the networking commands that define how the host operates in the network. Each time you change the initialization files and/or code files for a host through the NAU, you must initialize the network to enable it to read the new files.

U.S. Export Regulations Concerning IPv6 and IPsec

Use of IPv6 requires a run-time key which tracks IPv6 use (because IPv6 includes IPsec and its cryptography). The run-time keys for IPv6 and IPsec are included with the IOE Encryption Option, which is separately orderable at no charge. The MCP run-time keys should be installed during normal MCP software installation.

Dual Mode Initialization

If the IPv6 MCP run-time key is present, TCP/IP initializes in dual mode, where TCP/IP is IPv4 capable and IPv6 capable. If the IPv6 MCP run-time key is not present, TCP/IP initializes in IPv4 only operating mode and a waiting entry similar to the following warns the user that the key is not present and that the system is running in IPv4 only mode.

    4233/ :29 TCPIP/WARNING/TASK/ACCEPT/0
    ACCEPT: The IPv6 key is missing or expired. IPv6 Run-Time Key is required.
    Running in IPv4Only Mode. TCPIP will need to be restarted for IPv6 operation.
    *** ENTER: 'AX OK', OR DS.

If TCP/IP is IPv6 capable and you want to restrict TCP/IP operation and configuration to IPv4 only, set the IPV4OnlyOperation option of the TCPIP OPTION (TCPIP OPT) command as follows:

    NW TCPIP OPT + IPV4OnlyOperation

This command must be the first command processed by TCP/IP during initialization; it sets the operating mode context for processing subsequent configuration commands. This command is provided as a safeguard to prevent configuration commands that either explicitly configure IPv6 interfaces or enable IPv6 address autoconfiguration from being unintentionally issued.

In IPv4 only operating mode, commands that attempt to configure IPv6 interfaces receive the "Invalid operating mode" or "Command processed with exceptions" negative response, depending on the type of command and the TCPIP context at the time of processing. If the TCPIP OPT command is not the first command in the initialization file, the command is rejected as an invalid phase.

IPv6 Initialization

Although TCP/IP initializes in dual mode, the IPv6 address autoconfiguration feature defaults to disabled to prevent automatic IPv6 operation. The IPv6 networking stacks and appropriate data structures are initialized for a particular interface when either of the following occurs:

- The network administrator manually (statically) configures an IPv6 address on the interface using the TCPIP ROUTE command. See Configuring Multiple Routes to a Remote Destination for details on using this command.
- Address autoconfiguration is enabled for the interface and network connectivity is available. See Assigning IP Addresses to a Network Interface for details on using the TCPIP [TCPIP]IDENTITY command to enable IPv6 autoconfiguration for an interface.

Modifying the Autoconfiguration Setting

Use the ACDEFAULT (ACDEF) option of the TCPIP OPT command to modify the autoconfiguration setting. The autoconfiguration setting for each TCPIP interface defaults to the value of this option when the interface is added. Modifying this value changes the default for any newly added interface. Modify this option at the beginning of the TCPIP initialization file if the default value is to be used for every interface.

To enable autoconfiguration, enter the following:

    NW TCPIP OPT + ACDEF

To modify the autoconfiguration property of an already added interface, use the TCPIP [TCPIP]IDENTITY command. For more information on enabling autoconfiguration with the TCPIP OPTION command, see Specifying Autoconfiguration for a Network Interface later in this section.

IP Security (IPsec) Initialization

If the MCP run-time keys for IPv6 and IPsec are present, IPsec can be initialized by enabling the IPsec option of the TCPIP OPT command as follows:

    NW TCPIP OPT + IPSEC

During IPsec initialization, TCP/IP calls Security Center to retrieve IPsec policies. Security Center creates and manages the policies and saves them in the Security Center database. When IPsec is enabled, these policies are activated in TCP/IP. IPsec uses these policies to secure IPv6 network data at the IP level. For further information on Security Center and IPsec, refer to the Security Administration Guide.

Initialization File Names

An initialization file name created by the NAU has the following format:

    <initialization file prefix>/<host name>/<product name>

For example:

    SAMPLETCPIP/ES1/CNS
    SAMPLETCPIP/ES1/TCPIP
    SAMPLETCPIP/ES1/SNMP

SNMP Agent Initialization

If you are running SNMP, the SNMP Agent software is automatically initialized when you initialize TCP/IP. If you do not want to implement the MCP SNMP Object Manager functionality and you do not want the MCP SNMP Agent to interact with external SNMP agents, change the SL for SNMPAGENTSUPPORT to use *SYSTEM/TCPIPAGENT. This will enable SNMP OI commands to be used locally while not allowing interaction with external SNMP hosts. For additional details on initializing the SNMP Agent on a TCP/IP host, refer to the SNMP Agent Implementation and Operations Guide.

Initializing TCP/IP

Before bringing up the TCP/IP software, perform the following steps:

1. Load the MCP software using the Simple Installation program as described in the Simple Installation Operations Guide. CNS and all network providers on an application host must be at the same release level.
2. Install the networking software using the Simple Installation program.
3. Install the IPv6 and IPsec run-time keys from the IOE Encryption Option (if necessary).

After you install and configure the TCP/IP software, you are ready to apply the CNS and TCP/IP initialization files and bring up the TCP/IP software. To do so, enter the following command at the TCP/IP host:

    NW TCPIP + <TCP/IP initialization file name>

where <TCP/IP initialization file name> is the name of the TCP/IP initialization file for that TCP/IP host.

If you do not specify the <TCP/IP initialization file name>, the system looks for a previously specified initialization file or the default initialization file, *SYSTEM/NETINIT, on the pack where the TCPIPSUPPORT library resides.

If TCP/IP does not initialize, see Section 5, Troubleshooting TCP/IP Installation and Configuration Problems, for troubleshooting information.

Terminating TCP/IP on the Enterprise Server Host

To terminate the TCP/IP software, enter the following at the TCP/IP host:

    NW TCPIP -

Issuing the TCPIP - command does not terminate the following:

- CNS. CNS terminates automatically when no network providers are present.
- BNAv2 or any other network provider.
- SNMP Agent. For instructions on terminating the SNMP Agent on the TCP/IP host, refer to the SNMP Agent Implementation and Operations Guide.
- Socket Support. Socket support terminates when all sockets users delink. Socket Route is a sockets client that is often linked.

Inquiring on the Status of TCP/IP Software

To verify that the TCP/IP software and its auxiliary functions are active, issue the following command from the system console:

    NW TCPIP STATUS

Depending on its current operating state, the system responds to the inquiry with a summary of status information for the following modules:

- TCP/IP software
- Routing information protocol (RIP) module
- TCP/IP end system security module
- Secure sockets layer (SSL) module
- IP Security (IPsec) module
- SSH module

The basic response format is

    TCPIP IS CURRENTLY <phase>
    RIP IS CURRENTLY <rip-phase>
    TCPIP SECURITY IS CURRENTLY <security-phase>
    SSL IS CURRENTLY <ssl-phase>
    IPSEC IS CURRENTLY <ipsec-phase>
    SSH IS CURRENTLY <ssh-phase>

The TCPIP STATUS command now provides a summary of status information for IPsec, the module that secures and validates IPv6 network traffic. You can also display detailed status for IPsec; see Inquiring on the Status of IPsec for details.

The IPsec summary information (<ipsec-phase>) can be any of the following:

- IPSEC WAITING FOR SECURITY CENTER
- IPSEC WAITING FOR CRYPTOGRAPHY
- IPSEC ENABLED/RUNNING (IPv6 - ONLY)
- IPSEC DISABLED/NOT RUNNING
- IPSEC TERMINATING

The response to the TCPIP STATUS command is also modified so that the TCPIP <phase> expands the NETWORKING status as follows:

- NETWORKING (IPv4 - ONLY)
- NETWORKING (IPv6 - CAPABLE)
- NETWORKING (IPv6 - ENABLED)

For a detailed description of all the phase variables, refer to the Networking Commands and Inquiries Help.

Inquiring on the Status of IPsec

Enter the following TCPIP STATUS command to display the summary status for IPsec:

    NW TCPIP STATUS IPSEC

The following response format, referred to as the summary response, is displayed.

Table 4-1. IPSEC Summary Response

Response Format: IPSEC MODULE STATUS
Description: This is the same as the NW TCPIP STATUS summary response for the IPsec module.

Response Format: KEY EXCHANGE METHODS SUPPORTED
Description: MANUAL

Response Format: ENCRYPTION ALGORITHMS SUPPORTED
Description: 3DES_CBC AES_CBC

Response Format: INTEGRITY ALGORITHMS SUPPORTED
Description: AUTH_HMAC_SHA1_96

Response Format: NUMBER OF SECURITY POLICIES
Description: The number of security policies that have been defined by the security administrator.

Displaying Detailed Status for Security Policies

Enter the following to display more detailed IPsec status listing all security policies:

    NW TCPIP STATUS IPSEC ALL

The following response format is displayed.

Response Format: IPSEC SUMMARY RESPONSE
Description: The information in Table 4-1 is displayed.

Response Format: LIST ALL SECURITY POLICIES
Description: Detailed information describing each security policy is displayed.

Displaying Detailed Status for Security Policies Selected by IP Address

Enter the following to display each security policy selected by the specified remote IP address:

    NW TCPIP STATUS IPSEC IPADDRESS <IP address>

The following response format is displayed.

Response Format: IPSEC SUMMARY RESPONSE
Description: The information in Table 4-1 is displayed.

Response Format: LIST ALL SECURITY POLICIES SELECTED BY IP ADDRESS
Description: Detailed information describing each security policy is displayed.

TCPIP Status Command Examples

Enter the following command:

    NW TCPIP STATUS

The following response is displayed if IPsec is enabled/running:

    TCPIP IS CURRENTLY NETWORKING (IPV6 ENABLED),
    RIP IS CURRENTLY ENABLED/RUNNING,
    TCPIP SECURITY IS CURRENTLY RUNNING,
    SSL IS CURRENTLY RUNNING,
    IPSEC IS CURRENTLY ENABLED/RUNNING (IPV6 - ONLY),
    SSH IS CURRENTLY RUNNING

The following response is displayed if IPsec (and TCPIP in general) is initializing:

    TCPIP IS CURRENTLY INITIALIZING,
    RIP IS CURRENTLY ENABLED/RUNNING,
    TCPIP SECURITY IS CURRENTLY LOADING,
    SSL IS CURRENTLY WAITING,
    IPSEC IS CURRENTLY WAITING FOR SECURITY CENTER,
    SSH IS CURRENTLY WAITING FOR CRYPTOGRAPHY

The following response is displayed if IPsec (and TCPIP in general) is terminating:

    TCPIP IS CURRENTLY TERMINATING,
    RIP IS CURRENTLY DISABLED/NOT RUNNING,
    TCPIP SECURITY IS CURRENTLY DISABLED,
    SSL IS CURRENTLY TERMINATING,
    IPSEC IS CURRENTLY TERMINATING,
    SSH IS CURRENTLY TERMINATING

The following response is displayed if IPsec is disabled/not running:

    TCPIP IS CURRENTLY NETWORKING (IPv6 ENABLED),
    RIP IS CURRENTLY ENABLED/RUNNING,
    TCPIP SECURITY IS CURRENTLY RUNNING,
    SSL IS CURRENTLY TERMINATING,
    IPSEC IS CURRENTLY DISABLED/NOT RUNNING,
    SSH IS CURRENTLY DISABLED/NOT RUNNING
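A captured NW TCPIP STATUS response can be checked mechanically for security modules that are down or still in a transitional phase. The following is an added example, not part of the Unisys guide or of MCP: it parses the response format shown above into module and phase pairs and compares them with a baseline. The baseline (which modules must be up, and that IPv6 should not be enabled while IPsec is not running) is an assumed site policy; the two sample responses are the first and last examples above.

```python
import re

# Module names from the basic response format. The longest name comes first
# so that "TCPIP SECURITY" is not read as "TCPIP".
MODULES = ("TCPIP SECURITY", "TCPIP", "RIP", "SSL", "IPSEC", "SSH")
_HEAD = re.compile(r"\b(" + "|".join(MODULES) + r") IS CURRENTLY\s+")

# Assumed site baseline (not from the guide): these modules must be up.
REQUIRED_UP = ("TCPIP", "TCPIP SECURITY", "IPSEC", "SSH")

RESPONSE_IPSEC_RUNNING = """
TCPIP IS CURRENTLY NETWORKING (IPV6 ENABLED), RIP IS CURRENTLY ENABLED/RUNNING,
TCPIP SECURITY IS CURRENTLY RUNNING, SSL IS CURRENTLY RUNNING,
IPSEC IS CURRENTLY ENABLED/RUNNING (IPV6 - ONLY), SSH IS CURRENTLY RUNNING
"""

RESPONSE_IPSEC_DISABLED = """
TCPIP IS CURRENTLY NETWORKING (IPv6 ENABLED), RIP IS CURRENTLY ENABLED/RUNNING,
TCPIP SECURITY IS CURRENTLY RUNNING, SSL IS CURRENTLY TERMINATING,
IPSEC IS CURRENTLY DISABLED/NOT RUNNING, SSH IS CURRENTLY DISABLED/NOT RUNNING
"""


def parse_status(response):
    """Return {module: phase} for a comma- or line-separated status response."""
    text = " ".join(response.split()).upper()
    heads = list(_HEAD.finditer(text))
    phases = {}
    for i, head in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        phases[head.group(1)] = text[head.end():end].strip(" ,")
    return phases


def classify(phase):
    """Map a phase string to 'up', 'down', 'transitional' or 'unknown'."""
    if "NOT RUNNING" in phase or phase.startswith("DISABLED"):
        return "down"
    if phase.startswith(("INITIALIZING", "LOADING", "WAITING", "TERMINATING")):
        return "transitional"
    if "RUNNING" in phase or phase.startswith("NETWORKING"):
        return "up"
    return "unknown"


def audit(response, required=REQUIRED_UP):
    """Return a list of (module, detail) findings against the baseline."""
    phases = parse_status(response)
    findings = []
    for module in required:
        phase = phases.get(module)
        if phase is None:
            findings.append((module, "missing from response"))
        elif classify(phase) != "up":
            findings.append((module, phase))
    # The guide shows both "(IPV6 ENABLED)" and "(IPv6 - ENABLED)".
    ipv6_enabled = re.search(r"IPV6\s*-?\s*ENABLED", phases.get("TCPIP", ""))
    if ipv6_enabled and classify(phases.get("IPSEC", "")) != "up":
        findings.append(("IPV6", "enabled while IPsec is not running"))
    return findings


if __name__ == "__main__":
    for name, text in (("running", RESPONSE_IPSEC_RUNNING),
                       ("disabled", RESPONSE_IPSEC_DISABLED)):
        print(name, audit(text))
```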

Enter the following command:

    NW TCPIP STATUS IPSEC

The following response is displayed if IPsec is enabled/running:

    IPSEC IS CURRENTLY ENABLED/RUNNING (IPV6 - ONLY)
    KEY EXCHANGE METHODS SUPPORTED = MANUAL
    ENCRYPTION ALGORITHMS SUPPORTED = 3DES_CBC, AES_CBC
    INTEGRITY ALGORITHMS SUPPORTED = AUTH_HMAC_SHA1_96
    SECURITY POLICIES = 2

The following response is displayed if IPsec is initializing:

    IPSEC IS CURRENTLY WAITING FOR SECURITY CENTER

The following response is displayed if IPsec is terminating:

    IPSEC IS CURRENTLY TERMINATING

The following response is displayed if IPsec is disabled/not running:

    IPSEC IS CURRENTLY DISABLED/NOT RUNNING

Enter the following command:

    NW TCPIP STATUS IPSEC ALL

The following response is displayed if IPsec is enabled/running. The IPsec status is displayed followed by each security policy.

    IPSEC IS CURRENTLY ENABLED/RUNNING (IPV6 - ONLY)
    KEY EXCHANGE METHODS SUPPORTED = MANUAL
    ENCRYPTION ALGORITHMS SUPPORTED = 3DES_CBC, AES_CBC
    INTEGRITY ALGORITHMS SUPPORTED = AUTH_HMAC_SHA1_96
    SECURITY POLICIES = 1
    SECURITY POLICY #1 =
      Policy Name = TRPROGDOUT,
      Local IP Address = 2001:0db8::1428:57ab,
      Local Selector Name =,
      Remote IP Address = FE80::2A0:D2FF:FEA5:E9F5 TO FE80::2A0:D2FF:FEA5:EA00,
      Remote Selector Name =,
      Next Layer Protocol = TCP,
      Local Ports = TO 64500,
      Remote Ports = 23400,
      Direction = OUTBOUND,
      IPsec Action = PROTECT,
      Security Policy Index = 35,
      Protocol = AH,
      IPsec Mode = TRANSPORT,
      Integrity Algorithm Type = AUTH_HMAC_SHA1_96,
      Integrity Key Name = IPSECKEY

Enter the following command:

    NW TCPIP STATUS IPSEC IPADDRESS

The following response is displayed if IPsec is enabled/running. The IPsec status is displayed followed by each security policy selected by the specified REMOTE IP address.

    IPSEC IS CURRENTLY ENABLED/RUNNING (IPV6 - ONLY)
    KEY EXCHANGE METHODS SUPPORTED = MANUAL
    ENCRYPTION ALGORITHMS SUPPORTED = 3DES_CBC, AES_CBC
    INTEGRITY ALGORITHMS SUPPORTED = AUTH_HMAC_SHA1_96
    SECURITY POLICIES = 2
    SECURITY POLICY # 1 =
    Policy Name = TRPROGD,
    Local IP Address = ANY,
    Local Selector Name = NULL,
    Remote IP Address = FEC0::2A0:D2FF:FEA5:E9F5 TO FEC0::2A0:D2FF:FEA5:EA00,
    Remote Selector Name = NULL,
    Next Layer Protocol = TCP,
    Local Ports = TO 64500,
    Remote Ports = 23400,
    Direction = OUTBOUND,
    IPsec Action = DISCARD
    SECURITY POLICY # 2 =
    Policy Name = CORPORATE,
    Local IP Address = ANY,
    Local Selector Name = TRPROGD,
    Remote IP Address = FEC0::2A0:D2FF:FEA5:0000 TO FEC0::2A0:D2FF:FEA5:FFFF,
    Remote Selector Name = CORPLAN,
    Next Layer Protocol = ANY,
    Local Ports = ANY,
    Remote Ports = ANY,
    Direction = OUTBOUND,
    IPsec Action = PROTECT,
    Security Policy Index = 57,
    Protocol = ESP Confidentiality & ESP Integrity,
    IPsec Mode = TRANSPORT,
    Confidentiality Key Name = TRPROGDCONF,
    Confidentiality Algorithm = 3DES_CBC,
    Integrity Key Name = TRPROGDINT,
    Integrity Algorithm = AUTH_HMAC_SHA1_

Enter the following command:

    NW TCPIP STATUS SSH

The following response is displayed if SSH is waiting for cryptography:

    NW TCPIP STATUS SSH
    SSH IS CURRENTLY WAITING FOR CRYPTOGRAPHY

The following response is displayed if SSH is enabled/running:

    NW TCPIP STATUS SSH
    SSH IS CURRENTLY ENABLED/RUNNING
    KEY EXCHANGE ALGORITHMS SUPPORTED: DIFFIE-HELLMAN-GROUP1, DIFFIE-HELLMAN-GROUP14
    ENCRYPTION ALGORITHMS SUPPORTED: AES256-CBC, AES128-CBC, 3DES-CBC
    MAC ALGORITHMS SUPPORTED: HMAC-SHA1, HMAC-SHA2-256
    HOST KEY ALGORITHMS SUPPORTED: SSH-RSA
    USER AUTHENTICATION MECHANISMS SUPPORTED: PUBLIC KEY, PASSWORD

The following response is displayed if SSH is terminating:

    NW TCPIP STATUS SSH
    SSH IS CURRENTLY TERMINATING

The following response is displayed if SSH is disabled/not running:

    NW TCPIP STATUS SSH
    SSH IS CURRENTLY DISABLED/NOT RUNNING

Enter the following command:

    NW TCPIP STATUS SSL

The following response is displayed if SSL is waiting for cryptography:

    NW TCPIP STATUS SSL
    SSL IS CURRENTLY WAITING FOR CRYPTOGRAPHY

The following response is displayed if SSL is enabled/running:

    NW TCPIP STATUS SSL
    SSL IS CURRENTLY ENABLED/RUNNING
    VERSIONS SUPPORTED = SSL 3.0, TLS 1.0, TLS 1.2
    CIPHERS SUPPORTED = RSA_WITH_RC4_128_MD5, RSA_WITH_RC4_128_SHA, RSA_WITH_3DES_EDE_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA256

The following response is displayed if SSL is enabled/running, and if there is a condition which causes TLS 1.2 to not be offered:

    NW TCPIP STATUS SSL
    SSL IS CURRENTLY ENABLED/RUNNING
    VERSIONS SUPPORTED = SSL 3.0, TLS 1.0, TLS 1.2 NOT AVAILABLE DUE TO UNSUPPORTED HARDWARE (CCP)
    CIPHERS SUPPORTED = RSA_WITH_RC4_128_MD5, RSA_WITH_RC4_128_SHA, RSA_WITH_3DES_EDE_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA

The following response is displayed if SSL is terminating:

    NW TCPIP STATUS SSL
    SSL IS CURRENTLY TERMINATING

The following response is displayed if SSL is disabled/not running:

    NW TCPIP STATUS SSL
    SSL IS CURRENTLY DISABLED/NOT RUNNING
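The IPsec, SSH and SSL status responses above list every algorithm the host offers, so they can be checked against a hardening baseline. The following Python sketch is an added example, not Unisys code: it parses a captured response and reports entries that public guidance has deprecated. The sample text is constructed from the responses on these pages, and the rule list, the one-item-per-line layout and the comma-based handling of wrapped lines are assumptions.

```python
import re

# Constructed samples: the SSH response and the degraded (no TLS 1.2) SSL
# response shown above, laid out one item per console line (assumed layout).
SAMPLE_SSH = """\
SSH IS CURRENTLY ENABLED/RUNNING
KEY EXCHANGE ALGORITHMS SUPPORTED: DIFFIE-HELLMAN-GROUP1, DIFFIE-HELLMAN-GROUP14
ENCRYPTION ALGORITHMS SUPPORTED: AES256-CBC, AES128-CBC, 3DES-CBC
MAC ALGORITHMS SUPPORTED: HMAC-SHA1, HMAC-SHA2-256
HOST KEY ALGORITHMS SUPPORTED: SSH-RSA
USER AUTHENTICATION MECHANISMS SUPPORTED: PUBLIC KEY, PASSWORD
"""
SAMPLE_SSL_DEGRADED = """\
SSL IS CURRENTLY ENABLED/RUNNING
VERSIONS SUPPORTED = SSL 3.0, TLS 1.0,
  TLS 1.2 NOT AVAILABLE DUE TO UNSUPPORTED HARDWARE (CCP)
CIPHERS SUPPORTED = RSA_WITH_RC4_128_MD5, RSA_WITH_RC4_128_SHA,
  RSA_WITH_3DES_EDE_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA,
  TLS_RSA_WITH_AES_256_CBC_SHA
"""

# "<LABEL> SUPPORTED = a, b" (SSL, IPsec) or "<LABEL> SUPPORTED: a, b" (SSH).
LABEL = re.compile(r"^\s*([A-Z][A-Z ]*?) SUPPORTED\s*[:=]\s*(.*)$")

# Assumed review policy: (field label, regex applied to one value, reason).
RULES = [
    ("VERSIONS", r"^SSL 3\.0$", "SSL 3.0 is deprecated (RFC 7568)"),
    ("VERSIONS", r"^TLS 1\.0$", "TLS 1.0 is deprecated (RFC 8996)"),
    ("CIPHERS", r"RC4", "RC4 cipher suites are prohibited (RFC 7465)"),
    ("CIPHERS", r"MD5$", "MD5-based record MAC"),
    ("CIPHERS", r"3DES", "3DES has a 64-bit block size"),
    ("KEY EXCHANGE ALGORITHMS", r"GROUP1$", "1024-bit Diffie-Hellman group"),
    ("ENCRYPTION ALGORITHMS", r"3DES", "3DES has a 64-bit block size"),
    ("KEY EXCHANGE METHODS", r"^MANUAL$",
     "manually keyed IPsec: keys change only when an operator changes them"),
]


def parse_status(text):
    """Return (state line, {label: [values]}) for one status response."""
    state, raw, current = None, {}, None
    for line in text.splitlines():
        m = LABEL.match(line)
        if m:
            current = m.group(1)
            raw[current] = m.group(2)
        elif " IS CURRENTLY " in line:
            state, current = line.strip(), None
        elif current and raw[current].rstrip().endswith(","):
            raw[current] += " " + line.strip()   # wrapped continuation line
    fields = {}
    for label, joined in raw.items():
        fields[label] = [v.strip() for v in joined.split(",") if v.strip()]
    return state, fields


def audit(text):
    """Return a list of (field, value, reason) findings for one response."""
    state, fields = parse_status(text)
    if state is None or "ENABLED/RUNNING" not in state:
        return []            # WAITING / TERMINATING / DISABLED: nothing offered
    findings = []
    for label, values in fields.items():
        for value in values:
            if " NOT AVAILABLE" in value:
                name = value.split(" NOT AVAILABLE")[0]
                findings.append((label, name, "listed but not offered on this system"))
                continue
            for rule_label, pattern, reason in RULES:
                if rule_label == label and re.search(pattern, value):
                    findings.append((label, value, reason))
    return findings


if __name__ == "__main__":
    for sample in (SAMPLE_SSH, SAMPLE_SSL_DEGRADED):
        for finding in audit(sample):
            print("%-24s %-28s %s" % finding)
```

In the degraded SSL case the finding for TLS 1.2 matters most: with TLS 1.2 unavailable, every version the host still offers is a deprecated one.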

Setting Timer Values

Use the commands in this section to set the following timer values:

- Routing information timer value (IPv4 only)
- LAN resiliency timer value

Setting the Routing Information Timer Value

Note: This feature is supported only in the IPv4 operating mode.

You can set a routing expiration time by using the NW SNMP SET command to set a value for the RIProutetimeout MIB object. This MIB object enables you to inquire on and set the value (in seconds) of the routing expiration timer so that if a route becomes unreachable, your system can switch to alternate routing paths more quickly.

Background Information

IP routers send out routing updates on a regular basis, usually every 30 seconds as recommended in RFC These routings are used by neighboring systems for the time period specified by the RIProutetimeout attribute, after which they expire if not refreshed by another routing update. A routing expiration time of 180 seconds is recommended by RFC If a router fails, neighboring systems continue to attempt to use the router until its routings expire. If the system has multiple routings available, you might want to reduce the value of RIProutetimeout in order to switch to an alternate routing more quickly. The value of RIProutetimeout on your system should always be higher than the routing update times used by neighboring routers, to prevent routings from expiring unnecessarily due to timing differences or delays in sending/processing routing updates.

To set the value for the routing expiration timer, enter the following command:

    NW SNMP SET RIProutetimeout=<value>

The variable is described as follows.

Variable / Description

<value>
    The routing expiration timer value in seconds. Must be in the range of ; default value is

Setting the LAN Resiliency Timer Value

The LANRESILTIMER command enables a system administrator to inquire on or set a value for the LAN resiliency timer, which is used to check for network interfaces that are unavailable when TCP/IP initializes.

The format of the command is

    NW TCPIP LANRESILTIMER <timervalue>

The variable is described as follows.

Variable / Description

<timervalue>
    The valid range is 15 to 3600 seconds. The default value is 30 seconds.

For more information, see Inquiring on the LAN Resiliency Timer

Configuring Multiple Routes and Default Routes

You can use the TCP/IP ROUTE command to

- Configure networks reachable through known routers
- Configure multiple routes to a destination
- Configure multiple assigned default routes
- Configure variable-length subnet masking (VLSM) and classless interdomain routing (CIDR) routes

IPv4 Networks

In IPv4 networks, the TCP/IP ROUTE command provides an optional MASK attribute or / <network-prefix length> attribute that allows the configuration of VLSM and CIDR addressed routes. The presence of a mask identifies the subnet, network, or supernet to which the destination belongs. If the mask is absent, the destination address is considered to be classless and therefore identified as a network or subnet. The PREFERENCE option enables you to designate primary or alternate routes to a destination based on the <preference> value specified.

IPv6 Networks

In IPv6 networks, the TCP/IP ROUTE command uses the / <network-prefix length> attribute to enable the configuration of VLSM and CIDR addressed routes. The network-prefix length can range from 0 to 128; the MASK attribute is not supported. IPv6 is designed for fully classless routing. The PREFERENCE option is supported and, as with IPv4, enables you to designate primary or alternate routes to a destination based on the <preference> value specified.

Route States

Part of the route information returned with each route is the current <route state>, which can be used in conjunction with other tools to assist in the diagnosis of network problems. There are four different route states as follows:

- ACTIVE
- IDLE
- INACTIVE
- OFF-LINE

See MCP Route States in Section 2, Overview of TCP/IP Routing, for a description of each route state

Configuring Multiple Routes to a Remote Destination

Use the TCPIP ROUTE command with the ADD option to manually configure static routes (routes that are not dynamically discovered) between an intermediate system and remote destination hosts, subnets, networks, and supernets. This command enables you to add routes for specific remote destinations or as default paths to all remote destinations.

The ROUTE command requires the intermediate system and the remote destination to use the same networking protocol, either IPv4 or IPv6. That is, IPv4 hosts can communicate only with other IPv4 hosts and IPv6 hosts can communicate only with other IPv6 hosts. You cannot use mixed mode IPv4/IPv6 addressing with this command.

You can configure "specific" routes by supplying both the destination IP address and a next-hop IP address as the required attributes. The optional MASK attribute is supported only for IPv4 networks and can be specified to configure classless VLSM and CIDR routes to remote subnets, networks, or supernets. The network-prefix length attribute can be specified for IPv4 and IPv6 networks to configure classless VLSM and CIDR routes.

Specify the optional PREFERENCE attribute, supported by IPv4 and IPv6 networking, to configure alternate backup routes, or parallel routes, to a common destination. If parallel routes are configured, outgoing dialogs are balanced.

Enter the TCP/IP ROUTE command in one of the following formats:

Supported for IPv4 Only:

    NW TCPIP ROUTE ADD <ip address 1> MASK <ip address 2> VIA <ip address 3>[PREF]<preference>

Supported for IPv4 and IPv6:

    NW TCPIP ROUTE ADD <ip address 1>/<network-prefix length>via <ip address 3>[PREF]<preference>
    NW TCPIP ROUTE ADD <ip address 1> VIA <ip address 3>[PREF] <preference>

Variables

The variables are described as follows.
Variable / Description

<ip address 1>
    The IP address of the destination host/subnet/network/supernet that you want the intermediate system to route IP traffic to.

<ip address 2>
    (Optional; IPv4 only) Provides the mask associated with the remote subnet, network, or supernet.

<network-prefix length>
    (Optional) The length of the classless network-prefix that when applied to the ip address yields the destination subnet/network/supernet

Variable / Description

<ip address 3>
    The IP address of the next-hop router along the path to the destination.

<preference>
    (Optional) Used to configure alternate and/or parallel backup routes to the destination. When specifying alternate, backup routes, the preference identifies the backup order that will be used when a lower preference next-hop fails. A preference value can range from 1 to 255. A value of 1, the default when a preference attribute is not specified, identifies the primary next-hop router. Multiple routes of the same preference, to the same destination, can be configured as parallel routes for dialog load-balancing purposes.

IPv4 Examples

Add a route to destination host

    NW TCPIP ROUTE ADD VIA

Add a route to destination subnet /25.

    NW TCPIP ROUTE ADD /25 VIA
or
    NW TCPIP ROUTE ADD MASK VIA

Add a route to destination supernet /16.

    NW TCPIP ROUTE ADD /16 VIA
or
    NW TCPIP ROUTE ADD MASK VIA

Add a route to destination network

    NW TCPIP ROUTE ADD VIA
or
    NW TCPIP ROUTE ADD /24 VIA
or
    NW TCPIP ROUTE ADD MASK VIA

Add two parallel routes to destination host that load-balances dialogs to this destination.

    NW TCPIP ROUTE ADD VIA
    NW TCPIP ROUTE ADD VIA
or
    NW TCPIP ROUTE ADD VIA PREFERENCE 1
    NW TCPIP ROUTE ADD VIA PREFERENCE 1

Add two routes to destination where the first router is the primary router and the second router is an alternate, backup router to be used in case the primary router fails.

    NW TCPIP ROUTE ADD VIA PREFERENCE 1
    NW TCPIP ROUTE ADD VIA PREFERENCE 2

Add two routes to destination where the first router is the primary router and the second router is an alternate, backup router in another locally attached prefix. The backup router is to be used in case the primary router fails.

    NW TCPIP ROUTE ADD VIA PREFERENCE 1
    NW TCPIP ROUTE ADD VIA PREFERENCE 2

IPv6 Examples

Add a host-specific backup router.

    NW TCPIP ROUTE ADD 090F:0:0:0:9F:FF:89:98 VIA 090F:0:0:0:9F:FF:89:99 PREF 2

Add a route to the destination network.

    NW TCPIP ROUTE ADD 090F:0:0:0:9F:FF:: VIA 090F:0:0:0:9F:FF:89:99 PREF

Configuring Default IP Routes

Issue the TCP/IP ROUTE ADD command with the ADD and DEFAULT options to configure a default next-hop router for those TCP/IP destinations that do not have a

- Statically defined route
- Dynamically discovered route (IPv4 networks only)

Default routes are taken in the absence of a "specific" route to the destination. There are two types: assigned default routes and system default routes. When an assigned default route is configured, that route is used before searching for a "system" default route to the destination.

Configure default routes by supplying the next-hop router and a preference as required attributes. For IPv4 networks only, the optional MASK (network-prefix length) attribute provides a mechanism to configure an assigned default route. If the MASK (network-prefix length) attribute is not present, a "system" default route is configured.

You can configure multiple default routes associated with a common local subnet/network/supernet for resiliency purposes. While there can only be one primary default route at any time, multiple alternate default routes can be configured as long as each has a unique preference value. As with the assigned default routes, only one "system" default route can be active at a time. Multiple alternate system default routes can also be configured as long as each has a unique preference value. Alternate default routes (assigned and system) are ordered and used according to their preference values.

Enter the command in one of the following formats:

Supported for IPv4 Only:

    NW TCPIP ROUTE ADD DEFAULT <ip address 1> MASK <ip address 2> [PREF] <preference>

Supported for IPv4 and IPv6:

    NW TCPIP ROUTE ADD DEFAULT <ip address 1> / <network-prefix length> [PREF] <preference>
    NW TCPIP ROUTE ADD DEFAULT <ip address 1> [PREF] <preference>

Variables

The variables are described as follows.
Variable / Description

<ip address 1>
    The IP address of the default next-hop router for destinations for which there is no "specific" route.

<ip address 2>
    (Optional; IPv4 only) The mask that, when applied to the <ip address> attribute, yields the local subnet/network/supernet for which this is a default route.

<network-prefix length>
    (Optional) The length of the classless network-prefix that, when applied to the ip address, yields the subnet/network/supernet for which this is a default route

Variable / Description

<preference>
    Identifies the rank it has against other default routes identified. You must identify a unique value for <preference>. This value must be between 0 and 255. A value of 0 indicates the preferred path you want to use for routing IP traffic.

IPv4 Examples

Add a default route for locally attached network

    NW TCPIP ROUTE ADD DEFAULT MASK PREF 1
or
    NW TCPIP ROUTE ADD DEFAULT /24 PREF 1

Add a system default route.

    NW TCPIP ROUTE ADD DEFAULT PREF 1

IPv6 Example

Add a system default route.

    NW TCPIP ROUTE ADD DEFAULT 090F:0:0:0:9F:FF:89:98 PREF

Inquiring About Routing Problems

In order to debug routing related problems, you might want to clear the IP routing table and specify selection criteria for route inquiries. Debugging routing related problems can become quite cumbersome, especially if the routing table is large. Clearing the routing table enables you to start debugging from a smaller, more manageable base. You can then selectively allow new routes into the routing table and gradually build up a node's connectivity. This helps to establish a point where connectivity works and a point where it no longer works. That is, it eliminates a known set of routes that work and reduces the scope of the problem.

The following subsections discuss how to:

- Clear the routing table
- Specify selection criteria for route inquiries

Clearing the Routing Table

For IPv4 networks, use the CLEAR option on the TCP/IP ROUTE command to clear the routing table. This option enables you to clear (delete) all dynamically discovered and/or learned routes from the routing table including routes learned by the Routing Information Protocol (RIP), the Internet Control Message Protocol (ICMP), and the Neighbor Discovery Protocol. Routes that are statically (manually) configured and in-use routes with active dialogs are not cleared.

For both IPv4 and IPv6 networks, you can clear all routes in the routing table by entering the TCP/IP ROUTE command with the CLEAR and the NOW options. The NOW option clears dynamic and static routes (manually configured routes) including those that have active dialogs associated with them.

Examples

Clear all dynamic routes not in use (IPv4 routes only).

    NW TCPIP ROUTE CLEAR

If the preceding command is successful, you receive the following response:

    ROUTE TABLE CLEARED EXCEPT FOR IN-USE AND STATICALLY ADDED ROUTES

Clear all routes.

    NW TCPIP ROUTE CLEAR NOW

If the preceding command is successful, you receive the following response:

    ROUTE TABLE CLEARED EXCEPT FOR STATICALLY ADDED ROUTES

Specifying Selection Criteria for Route Inquiries

There are three different options for the ROUTE inquiry:

- Inquire on all routes (no attributes specified)
- Inquire on filtered routes (filter attributes are present)
- Inquire only on the default routes

If you do not enter ROUTE inquiry attributes, all known routes are returned. This includes indirect, direct, and default routes.

Inquiring on All Routes

Inquire on all routes in the current routing table by issuing the following inquiry at your system console:

    NW TCPIP ROUTE

The results of the inquiry report all known routes in the routing table.

Inquiring on Filtered Routes

The NW TCPIP ROUTE inquiry with the [IPADDRESS] <IP address> interrogate option specified performs either a host-specific or network-only inquiry, based on which IP address is specified. The results of the inquiry report all routes in the routing table associated with the destination or network ID specified in the inquiry.

The NW TCPIP ROUTE [IPADDRESS] <ipv4 address> MASK <ipv4 address> inquiry locates networks and subnets, in addition to specific hosts. The MASK is applied to the IP address specified to provide selection criteria for the target set of routes to be returned.

The NW TCPIP ROUTE [IPADDRESS] <ipv6 address> / <network-prefix length> inquiry locates networks and subnets in addition to specific hosts. The <network-prefix length> filter is applied to the IP address specified to provide selection criteria for the target set of routes to be returned.

The NW TCPIP ROUTE DEFAULT inquiry returns only the default routes.

The variables are described as follows.

Variable / Description

<ipv4 address>
    (IPv4 only) The classful host-specific destination IP address of a remote host or network. Made up of a 32-bit (4-byte) number that includes a network number and a local address

Variable / Description

<ipv6 address>
    (IPv6 only) A 128-bit (16-byte) number that includes a network prefix and an interface identifier. The interface identifier must be unique within the link. The nodes of an IPv6 address are separated by colons (:).

<network-prefix length>
    (Optional) The length of the classless network prefix that when applied to the IP address yields the filter criteria used for matching routes to display.

Inquiring on Default Routes

By using the DEFAULT option of the route inquiry in the following command, only the default routes are returned:

    NW TCPIP ROUTE DEFAULT

IPv4 Examples

Display all routes to destination

    NW TCPIP ROUTE
or
    NW TCPIP ROUTE IPADDRESS

Display all routes to network

    NW TCPIP ROUTE MASK
or
    NW TCPIP ROUTE /24

Display all routes to supernet /16.

    NW TCPIP ROUTE MASK
or
    NW TCPIP ROUTE /16

Display all default routes.

    NW TCPIP ROUTE DEFAULT

IPv6 Examples

Display all routes to network 090F:0:0:0:0:0:0:0.

    NW TCPIP ROUTE 090F:0:0:0:0:0:0:0/64
or
    NW TCPIP ROUTE 090F::/64

Display all default routes.

    NW TCPIP ROUTE DEFAULT

Inquiring on the Routing Information Protocol (RIP)

Note: This feature is supported only in the IPv4 operating mode.

You can inquire on the current Routing Information Protocol (RIP) status and obtain configuration information for your system using the TCPIP RIP inquiry. Issue the inquiry as follows:

    NW TCPIP RIP

Response Examples

RIP is enabled on the system with two active devices. Each device is listening to the RIPv2 multicast address.

    Rip is enabled.
    NP 254 Line 1 supports RIP Version 2
    NP 255 Line 2 supports RIP Version 2

RIP is enabled on the system with three active devices. Two of the devices are listening to the RIPv2 multicast address.

    Rip is enabled.
    NP 253 Line 1 supports RIP Version 2
    NP 254 Line 1 supports RIP Version 2
    NP 255 Line 1 supports RIP Version

Setting the Routing Information Protocol Authentication Type

Note: This feature is supported only in the IPv4 operating mode.

You can set the type of RIPv2 authentication for a specified device and line using the TCPIP RIP RIPAUTHENTICATION command. You can also use this command to inquire on the current authentication types set for each device and line configured on the system. Issue the command as follows:

    NW TCPIP RIP RIPAUTHENTICATION NP <np id> LINE <line id> <authentication type>

When you enter this command, the authentication type specified becomes the current authentication type.

Variables

The <np id> and <line id> variables are the network processor (device) ID and the Line ID respectively. The Authentication Type option allows you to set a level of authentication for RIPv2 message processing. If the specified device and line are present, the authentication type is set to the value supplied. There are four authentication types supported by this command.

Authentication Type / Description

Ignore Authentication
    All RIP messages are processed, regardless of the presence or lack of the authentication fields in the RIP message. This setting is used primarily so that systems can process all incoming RIP information received.

No Authentication
    Only those RIP messages that have the authentication field of the RIP message set to "NoAuthentication" are processed. RIP messages with no authentication field set or with a type other than "NoAuthentication" are ignored.

Password
    Only those RIP messages that have the authentication field of the RIP message set to "Password" and have a supplied password that matches one defined in the current configuration are processed. RIP messages with no authentication field set, with a type other than "Password", or that supply an invalid password are ignored.

MD5
    Only those RIP messages that have the authentication field of the RIP message set to "MD5" and have a supplied keychain that matches one defined in the current configuration are processed. RIP messages with no authentication field set, with a type other than "MD5" or that supply an invalid keychain are ignored
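The Password and Ignore Authentication rules above can be seen at the packet level. The following Python sketch is an added example, not Unisys code: it builds RIPv2 responses in the RFC 2453 wire format and applies those two acceptance rules. The function names, the sample route and the sample password are constructed; the No Authentication and MD5 types are not modelled. Under RFC 2453 the simple password is carried unencrypted in the first entry of every update, and Ignore Authentication accepts updates that carry no authentication at all.

```python
import hmac
import struct

AFI_AUTH = 0xFFFF          # RFC 2453: first entry with this AFI carries authentication
AUTH_SIMPLE_PASSWORD = 2   # RFC 2453 authentication type: plain-text password


def build_response(routes, password=None):
    """Build a RIPv2 response; routes are (ip, mask, next_hop, metric) integers."""
    pkt = struct.pack(">BBH", 2, 2, 0)            # command=response, version=2
    if password is not None:
        # 16-byte field, left-justified and padded with NULs by the "16s" format
        pkt += struct.pack(">HH16s", AFI_AUTH, AUTH_SIMPLE_PASSWORD, password)
    for ip, mask, next_hop, metric in routes:
        pkt += struct.pack(">HHIIII", 2, 0, ip, mask, next_hop, metric)
    return pkt


def auth_entry(packet):
    """Return (auth type, 16-byte data) if the first entry is authentication."""
    if len(packet) < 24:
        return None
    afi, auth_type, data = struct.unpack(">HH16s", packet[4:24])
    return (auth_type, data) if afi == AFI_AUTH else None


def accept(packet, mode, password=b""):
    """Apply the Ignore Authentication or Password rule to one RIP message."""
    if mode == "Ignore Authentication":
        return True                               # processed with or without auth
    if mode == "Password":
        if len(password) > 16:
            raise ValueError("the password is limited to 16 bytes")
        entry = auth_entry(packet)
        if entry is None or entry[0] != AUTH_SIMPLE_PASSWORD:
            return False                          # no auth field, or another type
        # constant-time comparison of the padded 16-byte fields
        return hmac.compare_digest(entry[1], password.ljust(16, b"\0"))
    raise ValueError("mode not modelled in this example")


if __name__ == "__main__":
    routes = [(0xC0000200, 0xFFFFFF00, 0, 1)]     # constructed: 192.0.2.0/24, metric 1
    signed = build_response(routes, b"constructed-pw")
    plain = build_response(routes)
    print(accept(signed, "Password", b"constructed-pw"))   # matching password
    print(accept(plain, "Password", b"constructed-pw"))    # no authentication entry
    print(accept(plain, "Ignore Authentication"))          # accepted regardless
```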

The Password and MD5 authentication types also have an additional option that allows for setting the authentication password or keychain associated with the device and line. In the current implementation, the authentication list can only have one item and is a maximum of 16 bytes in length.

IPv6 Default Address Selection

Multiple IP addresses can be assigned to a local network interface with each local IP address possibly belonging to multiple network aggregations. IPv6 unicast addresses can be assigned to local interfaces in addition to IPv4 addresses. Since local IPv6 addresses might have different prefix lengths, address scopes, or other address properties, IPv6 implementations have multiple possibilities for source address selection and destination address preference when initiating communication. RFC 3484, Default Address Selection for IPv6, defines a set of default algorithms for selecting source and destination addresses so that developers and administrators can predict the behavior of their systems.

You can specify that default address selection be based on a set of predefined default policies as defined by RFC 3484 by using the IPv6 Default Address Selection (IPv6DAS) option of the TCPIP OPTION (OPT) command. This option enables or disables the use of the IPv6 default address selection algorithms for source and destination address selection as follows.

To enable the IPv6DAS option so that default address selection is based on a set of predefined default policies as defined by RFC 3484, enter the following. These default policies can be changed using the TCPIP Address Selection Policy command as described in the following subsection.

    NW TCPIP OPT + IPv6DefaultAddressSelection

To disable IPv6DAS, enter the following:

    NW TCPIP OPT IPv6DefaultAddressSelection

When disabled, the default behavior is identical to that used in IPv4. In a multi-homed environment where there is more than one interface to the same network, local address selection is performed in a round-robin fashion. This distributes the TCPIP dialogs among the available interfaces. The IPv6 Default Address Selection option is disabled by default

TCPIP Address Selection Policy

The TCPIP ADDRESS SELECTION POLICY (TCPIP ASP) command enables an administrator to override the default selection behavior as specified by RFC The administrator can use this command to set up policies to establish which addresses are preferred over other addresses. For example, an administrator can specify a preferred prefix that can be used to select one source address from other potential candidates assigned to the same interface when communicating with a particular destination prefix. This command can also be used to select destination addresses with higher precedence values over addresses of lower precedence.

The command is not valid unless IPv6 has been enabled. The address selection policy does not override the explicit choice of a legal destination or source address.

This command updates the address selection policy table. However, default address selection using the defined policies does not occur unless the IPv6 default address selection feature has been enabled using the IPv6DAS option of the TCPIP OPT command. When enabled, default address selection is based on a set of predefined default policies as defined by RFC These default policies can be deleted, changed, or amended using the TCPIP ADDRESS SELECTION POLICY command. The default option deletes all entries in the table and restores the table to the RFC definition.

Examples: Setting Precedence and Label Values

When precedence values are set, they can be used for sorting destination addresses. An address with a higher precedence value can be preferred over an address with a lower precedence value. Label values can also be set to create policies that prefer a particular source address prefix for use with a destination address prefix. The algorithm uses a particular source address with a destination address if their labels match.

The ADDRESS SELECTION POLICY command uses precedence values and label values for sorting addresses as follows.

Variable / Description

precedence
    Used for sorting destination addresses. If precedence (A) is greater than precedence (B), address A has higher precedence than address B and destination address A is preferred over destination address B. Range: 1 to 100

label
    A value that allows for policies that prefer a particular source address prefix for use with a destination address prefix. If label (S) is equal to label (D), source address S is the preferred address to be used with destination address D. Range: 0 to
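How precedence and label values drive the result can be worked through against the RFC 3484 default policy table. The following Python sketch is an added example, not Unisys code: it implements only the longest-prefix policy lookup, the matching-label rule for source addresses, and the label and precedence rules for destination ordering. The class and method names, the sample addresses and the policy values set in the demo are constructed; the other RFC 3484 rules (scope, deprecated addresses and so on) are not modelled.

```python
import ipaddress

# RFC 3484 section 2.1 default policy table: (prefix, precedence, label).
DEFAULT_POLICY = [
    ("::1/128", 50, 0),
    ("::/0", 40, 1),
    ("2002::/16", 30, 2),
    ("::/96", 20, 3),
    ("::ffff:0:0/96", 10, 4),
]


def _v6(addr):
    """Parse an address; IPv4 is treated as IPv4-mapped IPv6, as in RFC 3484."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        ip = ipaddress.IPv6Address("::ffff:" + str(ip))
    return ip


class PolicyTable:
    def __init__(self, entries=DEFAULT_POLICY):
        self.entries = {}
        for prefix, precedence, label in entries:
            self.set(prefix, precedence, label)

    def set(self, prefix, precedence, label):
        """Add or modify one entry (precedence range 1 to 100, as stated above)."""
        if not 1 <= precedence <= 100:
            raise ValueError("precedence must be in the range 1 to 100")
        self.entries[ipaddress.IPv6Network(prefix)] = (precedence, label)

    def lookup(self, addr):
        """Longest-prefix match; returns (precedence, label)."""
        ip = _v6(addr)
        matches = [net for net in self.entries if ip in net]
        if not matches:
            raise LookupError("no policy entry covers %s" % addr)
        return self.entries[max(matches, key=lambda net: net.prefixlen)]

    def pick_source(self, dest, candidates):
        """Prefer the first candidate source whose label equals the destination's."""
        wanted = self.lookup(dest)[1]
        for src in candidates:
            if self.lookup(src)[1] == wanted:
                return src
        return candidates[0]      # assumption: remaining RFC 3484 rules not modelled

    def order_destinations(self, dests, candidates):
        """Matching source label first, then higher precedence."""
        def key(dest):
            precedence, label = self.lookup(dest)
            src_label = self.lookup(self.pick_source(dest, candidates))[1]
            return (src_label == label, precedence)
        return sorted(dests, key=key, reverse=True)


if __name__ == "__main__":
    # Constructed addresses (documentation prefixes and their 6to4 forms).
    sources = ["2001:db8::10", "2002:c000:204::1", "192.0.2.4"]
    dests = ["198.51.100.1", "2002:c633:6401::1", "2001:db8:1::1"]
    table = PolicyTable()
    print(table.order_destinations(dests, sources))   # native IPv6 first
    table.set("::ffff:0:0/96", 100, 4)                # raise IPv4 precedence
    print(table.order_destinations(dests, sources))   # IPv4 destination first
```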

Refer to the Networking Commands and Inquiries Help for additional information on the syntax and usage of the ADDRESS SELECTION POLICY command.

Examples

    NW TCPIP ASP
    NW TCPIP ASP 090F::9FFF:8998/128
    NW TCPIP ASP Add 090F::9FFF:8998/
    NW TCPIP ASP Add /
    NW TCPIP ASP Add / , 090F::9FFF:8998/
    NW TCPIP ASP Delete /29
    NW TCPIP ASP Modify /
    NW TCPIP ASP Modify 090F::9FFF:8998/

Inquiring on the Route Used to Reach a Remote Node

You can inquire on the route being used to reach a remote node in your TCP/IP network using the NW TCPIP TRACERT command. This command enables you to interrogate your TCP/IP network to determine whether the remote node is reachable, and the path used to try to reach it.

The TCPIP TRACERT command specifies a target system in the IP network, either by IP address or domain name. A sequence of ICMP Echo messages is sent to the target system with gradually increasing Time-To-Live values, starting at 1. This continues until a successful Echo response is received or the Time-To-Live value exceeds the MAXHOPS value you specify. When all Echoes are complete, one or more trace reports are returned containing the consolidated Echo results.

The success or failure of the TCPIP TRACERT command is reported in either the TCPIP TRACERT REPORT FOR NODE report (41010) or the TCPIP REPORT TRACERT NO TRACE TO report (41011). To redisplay these reports on the system console, enter MSG NW at the system console. In addition, if the TRACERT command was initiated from the system console, then the TRACERT report is also displayed in a manner similar to a response on the system console. Refer to the Networking Reports and Log Messages Help for complete syntax on these reports.

To inquire on a route, enter the following command:

    NW TCPIP TRACERT IPADDRESS <ip address> HOSTNAME <domain name> TIMEOUT <timeout value> MAXHOPS <hop limit> REPORTLINES <number of lines> RESOLVEADDRESS <+/->

The variables are described as follows.

Variable / Description

IPADDRESS <ip address>
    IP address of the target system; can be either an IPv4 address or an IPv6 address.

HOSTNAME <domain name>
    Domain name of the target system.

TIMEOUT <timeout value>
    Specifies how long TCP/IP will wait for a response to each Echo message or a time exceeded report before regarding the Echo as lost. The value is in the range of 1 to 2000 milliseconds, with a default value of 1 second (1000 milliseconds).

MAXHOPS <hop limit>
    The maximum Time-To-Live value for this trace execution. The value is in the range of 1 to 255 network hops, with a default value of 30.

REPORTLINES <number of lines>
    A formatting instruction for the TRACERT REPORT. One line in the report is used for all the results for a particular Time-To-Live value. This variable specifies the limit of the number of lines to be included in each TRACERT REPORT. If the actual length of the Echo sequence is larger than <number of lines>, the report is divided into one or more PARTIAL TRACERT REPORTs, followed by a FINAL TRACERT REPORT. The value is in the range of 1 to 255 lines, with a default value of 255.

RESOLVEADDRESS <+/->
    A formatting instruction for the TRACERT REPORT. If set, the report attempts to convert the IP addresses responding to the Echo commands to domain names. RESOLVEADDRESS is reset by default.

IPv4 Examples

    NW TCPIP TRACERT TIMEOUT 1000 MAXHOPS 20

This command interrogates for the path used to reach the system at IP address , with the limitation that it should be reached in no more than 1 second (1000 milliseconds) and in no more than 20 network hops.

    NW TCPIP TRACERT abc.def.ghi.net REPORTLINES 12 RESOLVEADDRESS +

This command interrogates for the path used to reach the system named abc.def.ghi.net, with the result broken into report segments of 12 routing hops each, and with available node names of all the nodes in the path listed in the reports

IPv6 Example

    NW TCPIP TRACERT 090F:0:0:0:9F:FF:89:98 TIMEOUT 1000 MAXHOPS 20

This command interrogates for the path used to reach the system at IP address 090F:0:0:0:9F:FF:89:98, with the limitation that it should be reached in no more than 1 second (1000 milliseconds) and in no more than 20 network hops.

Modifying TCP/IP Components Online

Notes:

- Changes made to your network using TCP/IP OI commands are in effect only until the next initialization of the network.
- To make permanent changes to your network, use the NAU or modify your TCP/IP initialization file with a text editor.

The following topics are covered in this subsection:

- Identifying a local TCP/IP host to the network
- Assigning IP address or addresses to a network interface
- Detecting a duplicate IP address on your network
- Creating a mapping between a TCP/IP host and one or more IP addresses
- Inquiring on one or more host names
- Reaching a remote host or other network interface on the same logical host
- Verifying that packets are received by a remote host

Identifying a Local TCP/IP Host to the Network

To identify your local TCP/IP host, you must assign a TCP/IP host name that will be used by the network administrator. To do so, enter the following at the system console:

    NW TCPIP TCPIPHOSTNAME = <tcpip hostname>

where <tcpip hostname> is the official host name, used by the network administrator, for this local TCP/IP host.

If the command is successful, you will receive the following response:

    TCPIPHOSTNAME = <tcpip hostname>

You can only assign a TCP/IP host name once for each enterprise server host in the network. If you configure your network using the NAU, the host name is automatically placed in the local host's TCP/IP initialization file. If you then issue this command to reset or change the host name assigned to the local host, you will receive the following error message:

    ERROR: SEMANTIC ERROR IN COMMAND: UNABLE TO PROCESS COMMAND

Assigning IP Addresses to a Network Interface

You must assign an IP address to each network interface (the network processor and Line ID) to uniquely identify the TCP/IP host to the rest of the connected networks. A TCP/IP host can have multiple IP addresses defined based on the number of network interfaces configured on the system.

To assign a unique IP address to each network interface, issue the TCPIP [TCPIP] IDENTITY (TCPIP ID) command at the TCP/IP host for which you are assigning an IP address. You can issue IPv4 and IPv6 TCPIP ID commands on the same network interface. The command provides different syntax and capabilities depending on whether you are configuring IPv4 address and mask pairs or IPv6 addresses.

IPv4 Usage

The TCPIP ID command enables an IPv4 network administrator to configure and delete multiple local IP addresses and/or address and mask pairs for each network interface. This extends MCP TCP/IP multihoming capabilities to support multiple logical networks. With IPv4 networks, you can also use this command to set the RIP Authentication type for each network interface.

IPv6 Usage

For IPv6, the network administrator can also use the TCPIP ID command to enable autoconfiguration and duplicate address detection. If address autoconfiguration is enabled, IPv6 hosts are automatically configured when connected to a routed IPv6 network. This means that you can use the TCPIP ID command without specifying an address.

You can also specify the number of consecutive Neighbor Solicitation messages sent while performing duplicate address detection on a tentative address. This ensures that an address is not already in use by another interface before it is permanently assigned to an interface.

Note: For a complete description of the syntax of the TCPIP ID command, refer to the Networking Commands and Inquiries Help.

Assigning IPv4 Addresses

Enter the TCPIP ID command in the following format to assign unique IPv4 addresses to each network interface:

NW TCPIP ID ADD NP <device id> Line <line id> [VLAN <vlan id>] <ipaddress>/<prefix>

The variables are described as follows.

Variable | Description
<device id> | An integer used to specify the network processor device.
<line id> | An integer used to specify the line.
<vlan id> | (Optional) Is used to match the definition of a CONNECTION GROUP on an FC3-IOP or SAS-IOP.
<ip address> | Specifies the local IPv4 address of the host/subnet/network.
<prefix> | An integer used in CIDR format that indicates the number of bits used in the mask. If subnet masks are used, all hosts in the same IP network must use the same subnet mask.

Example

Add a single local IP address on NP 6000, Line 1

NW TCPIP ID ADD NP 6000 LINE /27

Assigning IPv6 Addresses

Enter the TCPIP ID command in the following format to assign unique IPv6 addresses to each network interface:

NW TCPIP ID ADD NP <device id> Line <line id> [VLAN <vlan id>] <interface properties> <ip address>/<prefix-length>

The variables are described as follows.

Variable | Description
<device id> | An integer used to specify the network processor device.
<line id> | An integer used to specify the line.
<vlan id> | (Optional) Is used to match the definition of a CONNECTION GROUP on an FC3-IOP or SAS-IOP.

Variable | Description
<interface properties> | See the three properties listed below the table.
<ip address> | Specifies the local IP address of the host/subnet/network.
<prefix-length> | The number of bits from the beginning of the address that make up the prefix.

The <interface properties> are as follows:

AutoConfiguration: Indicates IPv6 autoconfiguration should occur for the interface. The default value is used if not specified in the command. To enable IPv6 autoconfiguration of the interface, modify this property through the add or modify options of this command.
Default: " " (OFF)
Note: You can specify the autoconfiguration property for any newly added device using the ACDEFault option of the TCPIP OPTION command. See Specifying Autoconfiguration for a Network Interface for details on using this option.

DAD Transmits type: Indicates the number of consecutive neighbor solicitation messages sent while performing duplicate address detection on a tentative address. The value 0 indicates that duplicate address detection is not performed on tentative addresses. The value 1 indicates a single transmission with no follow-up retransmissions.
Range: 0 through 10

Visible: Indicates that the IP addresses associated with the networking interface can be passed to other applications. Turning the Visible attribute off means that none of the IP addresses associated with the interface can be passed to other applications.
Default: "+" (ON)

For a complete description of the syntax of the TCPIP ID command, refer to the Networking Commands and Inquiries Help.

Example

Add a single local IP address FF0F:0:0:0:9F:FF:89:98/64 on NP 1, Line 0 with autoconfiguration turned off and duplicate address detection not performed on tentative addresses.

NW TCPIP ID ADD NP 1 LINE 0 FF0F:0:0:0:9F:FF:89:98/64 AC - DADT=

Assigning Multiple Local IP Addresses and Mask Pairs to a Network Interface

You can also configure multiple local IP addresses and mask pairs for each network interface using the TCPIP ID command. In addition, you can use this command to set the type of RIPv2 authentication.

To configure multiple local IP address and mask pairs, issue the following TCPIP ID command:

NW TCPIP ID ADD NP <device id> Line <line id> [VLAN <vlan id>] <ip address>/<prefix>, <ip address>/<prefix>

The variables are described in Assigning IP Addresses to a Network Interface.

To set the type of RIPv2 authentication, issue the following command:

NW TCPIP ID ADD NP <device id> Line <line id> [VLAN <vlan id>] RAA <authentication type> <ip address>/<prefix>

where <authentication type> is the authentication type assigned to the network processor and Line ID. The other variables are the same as described above.

Examples

Add a single local IP address on NP 2, Line 1.

NW TCPIP ID ADD NP 2 LINE /27

Add a single local IP address on NP 2 using specific mask.

NW TCPIP ID ADD NP 2 LINE /

Add a single local IP address using CIDR format and authentication.

NW TCPIP ID ADD NP 2 LINE 1 RAA = PASSWORD SET ABCDEFGHIJK /8

Add three local IP addresses to single NP using CIDR format.

NW TCPIP ID ADD NP 3 LINE /8, /8, /8

Add two local IP addresses to a VLAN NP.

NW TCPIP TCPIPID ADD NP 1 LINE 0 VLAN /8, /8

Add two local IPv6 IP addresses to a single NP Line 0 with autoconfiguration enabled and duplicate address detection performed twice on tentative addresses.

NW TCPIP ID ADD NP 1 LINE 0 FF0F:0:0:0:9F:FF:89:98/64, FF0F:0:0:0:9F:FF:88:98/64 AC + DADT=

Detecting a Duplicate IP Address on Your Network

The following TCPIP report alerts you that another host in the network has identified itself as having the same IP address as one belonging to the local ClearPath host:

DUPLICATE IP ADDRESS DETECTED ON NETWORK: <ipaddr> IN USE BY <physical addr> (41012)

The variables are described as follows.

Variable | Description
<ipaddr> | The IP address of the host that has the same address as the local ClearPath host.
<physical addr> | The physical address of the host that has the same address as the local ClearPath host. The physical address is selected by the manufacturer based on the physical address space licensed by the manufacturer.

Reporting on Autoconfigured Interfaces

The following TCPIP report provides information about autoconfigured interfaces:

TCPIP AUTOCONFIGURED INTERFACE FOR <identity info>

The variable is described as follows.

Variable | Description
<identity info> | Identifies local IP addresses that are autoconfigured and provides information about the addresses.

Refer to the Networking Reports and Log Messages Help for further details about this report.

Creating a Mapping Between a TCP/IP Host and One or More IP Addresses

Use the TCPIP MAPPING command to create a mapping between a TCP/IP host name or domain name and one or more IP addresses. If the mapping is host name to IP address, the host is assumed to be in the local domain. This command will not create a route on the host. If a specific route is required, the route must be added via the TCPIP ROUTE command.

Enter the following from your system console:

NW TCPIP MAPPING + <tcp/ip hostname> <ip address> [,<ip address>]

If the command is successful, you receive the following response:

<TCPIP hostname> MAPPED TO <ip address> [,<ip address>]

How the System Resolves a TCP Host Name

If no mapping is defined for a TCP host name in the TCP host name table, then SYSTEM/RESOLVER is called to resolve this TCP host name. SYSTEM/RESOLVER calls the TCPIPSUPPORT library to request rankings of all IP addresses configured with that TCP host name. Each IP address is given a rank value based on the criteria indicated in the following table. The value 0 is the highest rank.

Value | Criteria
0 | A local direct route.
  a. In the Local Subnet
     1. Learned by OI
     2. Learned by Resolver
  b. Not in the Local Subnet
     1. Learned by OI
     2. Learned by Resolver
1 | An indirect route added with an OI command.
n | An IP route metric associated with a learned route.
250 | No route specified; a default route exists.
256 | No route specified; no default route exists.

You should use the RESOLVER configuration file to assign the loopback host name to and ::1 if sockets applications are expected to resolve local host to one of these addresses.

Note: For information on how to configure hosts in the Resolver, refer to the TCP/IP Distributed Systems Services Operations Guide.

If a program opens a port file and one or more port subfiles with a certain description, including specific values for the MYNAME, YOURNAME, and YOURDOMAINNAME file attributes, TCPIPSUPPORT tries to find a matching IPAddress for the value assigned to the YOURDOMAINNAME attribute. If a Hostname/IPAddress pairing is not configured via the NW TCPIP MAPPING command, then TCPIPSUPPORT passes the value assigned to the YOURDOMAINNAME attribute to SYSTEM/RESOLVER to obtain the IPAddress associated with the specified YOURDOMAINNAME attribute.

If SYSTEM/RESOLVER does not find a match in its cached data for the YOURDOMAINNAME attribute value and there is a domain name server configured, SYSTEM/RESOLVER requests information from the domain name server. When the Hostname/IPAddress pairing is returned to SYSTEM/RESOLVER and caching is set, SYSTEM/RESOLVER caches the returned information and passes the corresponding IPAddress to TCPIPSUPPORT. If caching is not set, the corresponding IPAddress is passed to TCPIPSUPPORT, but the information is not stored by SYSTEM/RESOLVER.

The Hostname/IPAddress pairing is then stored in the mapping table of the TCPIPSUPPORT library. This information can be displayed via the NW TCPIP MAPPING inquiry command. Since the information is stored in the TCPIPSUPPORT library, the call to SYSTEM/RESOLVER is not necessary for any subsequent programs using this YOURDOMAINNAME value, unless the entry in the mapping table has been aged.

Note: For information on aging, see Aging of Learned Host Name/IP Address Pairings later in this section.

How the System Determines Reachability of Remote Multi-Homed Hosts

In a remote multi-homed environment, an internal PING request is sent to each IP address of the remote host. When a successful PING reply is received, a reachable flag associated with that IP address is set. The IP address that is chosen is the first IP address with the reachable flag set for that remote host name.

Example

Given the following entry in the mapping table:

HOST1.SOME.BIG.COM MAPPED TO , ,

An internal PING request is sent to all three IP addresses but only two of the addresses, and , return a positive response to the request. The IP address is chosen because it is the first address in the list of IP addresses with the reachable flag set. If all the PING requests fail, the host is marked unreachable.

Dynamic Association of Host Name/IP Address Information

The TCP/IP provider retains the host name/IP address information acquired from a domain name server when a connection is established. The acquired information is then assigned to the appropriate subport attributes associated with the connection. These attribute values can then be used by the application. For example, Telnet can create a specific station name.

The YourHost attribute is set to the leftmost element of the fully specified domain name provided; it is 17 characters or less. The YourDomainName attribute is assigned to the specified domain name.

Once a host name/IP address pairing is established, subsequent connectivity will use this pairing. You can use the following command to remove learned pairings:

NW TCPIP MAP - LEARNED

Example

Assume the following host name/IP address pairing is defined in the domain name server:

HOST1.SOME.BIG.COM

The following port file attributes are assigned when you initiate a Telnet session to , HOST1, or HOST1.SOME.BIG.COM.

- YourHost becomes HOST1. Note that YourHost is updated if it is 17 characters or less.
- YourDomainName becomes HOST1.SOME.BIG.COM. YourDomainName is always updated.
- YourIPAddress becomes

The host name/IP address pairing is stored in the mapping table. Use the NW TCPIP MAP inquiry to view these mappings. For this example, the following response would be returned:

HOST1.SOME.BIG.COM MAPPED TO [LEARNED]

Note: The information provided in this section explains how subport attributes are updated by the TCP/IP product. Note that existing port applications which do not explicitly set these attributes will not have them automatically reset when the subfile closes.

For example, an application defines a passive subport without setting the YOURHOST attribute to NULL. Prior to opening the connection, TCP/IP learns the hostname (for example, HOST1) from a Domain Name Server and updates the YOURHOST attribute with HOST1. When the connection closes, and because the attribute is not reset, the YOURHOST attribute is maintained as HOST1. Therefore, subsequent connections will only be successful from HOST1. To ensure that any host will be able to use this port, the applications should explicitly set the YOURHOST attribute to NULL in the port definition.

Using the TCP Host Names Defined in the Mapping Table as Telnet Station Names

The station name for incoming Telnet sessions defaults to the format IP1_2_3_4/<station #>. However, if the TCP Host is statically configured via the NW TCPIP MAPPING command, the station name will contain the TCP Hostname instead. Alternatively, if the TCP Host is dynamically learned from Resolver (or from a DNS), the format of the Telnet station name is controlled by the Telnet STATION_NAME CONVERTIPADDRESS option.

For example, the NW TCPIP MAPPING (TCPIP MAP) inquiry yields the following:

HOST1.SOME.BIG.COM MAPPED TO
HOST2.SOME.BIG.COM MAPPED TO [LEARNED]

Incoming Telnet sessions from will have the station name of HOST1/<station #>. Incoming Telnet sessions from will have the station name of IP192_10_1_6/<station #> or HOST2/<station #> depending on the setting of CONVERTIPADDRESS.

For more information on Telnet Station Naming or an example of an IPv6 conversion, refer to the Telnet STATION_NAME option in the TCP/IP Distributed Systems Services Operations Guide.

Aging of Learned Host Name/IP Address Pairings

A 60-minute timer is used to delete learned entries in the host name table. When the timer expires, the host name table is searched for learned entries not currently in use or used within the last 60 minutes. Existing dialogs are not interrupted by the aging algorithm. When a new dialog is initiated, reachability information is learned.

Inquiring on One or More Host Names

Use the TCPIP MAPPING (TCPIP MAP) command to inquire on a particular TCP/IP host name or all the TCP/IP host names. Enter one of the following from your system console:

NW TCPIP MAP
NW TCPIP MAP <tcp/ip hostname>
NW TCPIP MAP <ip address>

If you want to inquire on all host names, enter the command without any variables. To inquire on a particular host name, enter the following variables.

Variable | Description
<tcp/ip hostname> (optional) | The name of the host or a fully qualified domain name.
<ip address> (optional) | The IP address of the host.

If the inquiry is successful, you receive the following response:

<TCPIP hostname> MAPPED TO <IP address> [,<IP address>]

Reaching a Remote Host or Other Network Interface on the Same Logical Host

To determine whether a remote host or other network interface on the same logical host is reachable, you can issue a TCPIP PING command. This command serves as a diagnostic tool to test the connectivity within or between hosts. It enables you to determine if a problem originates at the local host or at a remote host somewhere in your network.

When you issue this command, an ICMP echo request is sent to a specific destination. This destination could be either of the following:

- A specific remote destination host or domain name
- Another network interface on the same logical host

When the destination receives the request, it responds by sending an ICMP echo reply back to you at the initiating source. When the initiating source receives the responding packet from the destination host, you will know that the network connection between the two hosts or two network interfaces on the same logical host is correctly configured.

The success or failure of the PING is reported in either the TCPIP PING REPORT FOR NODE report (41007) or the TCPIP PING REQUEST NOT SENT report (41009). To redisplay these reports on the system console, enter MSG NW at the system console. In addition, if the PING command was initiated from the system console, then the PING report is also displayed in a manner similar to a response on the system console.

Refer to the Networking Reports and Log Messages Help for complete syntax on these reports.

Determining Whether a Remote Host or Domain Name Is Reachable

To issue this command to determine if a specific remote host or domain name is reachable, enter one of the following from your system console:

NW TCPIP PING <destination ip address>
NW TCPIP PING <destination hostname>
NW TCPIP PING <destination domain name>

The variables are described as follows.

Variable | Description
<destination ip address> or <destination hostname> | The remote destination (ip address or hostname) to which you are sending the echo request. IP address can be either an IPv4 address or an IPv6 address.
<destination domain name> | The domain name on which the hostname is configured. This is a fully qualified domain name. For example: Some.Big.Company.Com; Host name = Some; Domain name = Some.Big.Company.Com. Note that there is no keyword token associated with this variable (see Note 2 below).

Determining Whether Another Network Interface Is Reachable

You can also issue the TCPIP PING command and include the FROM keyword token to specify a source for the echo request. This enables you to determine if another network interface on the same logical host is reachable.

To specify a source address for the echo request, enter the following from your system console:

NW TCPIP PING <destination ip address> FROM <source ip address>

The variables are described as follows.

Variable | Description
<destination ip address> | The destination IP address to which you are sending the echo request. This could be on the same logical host or it could be on a remote host. The IP address can be either an IPv4 address or an IPv6 address.
<source ip address> | The network interface from which the echo request is being sent.

If the TCPIP PING command is successful, you receive the following response:

TCPIP PING ENABLED TO: <TCPIP hostname>/<ip address> FROM: <IP address>

This response indicates that the TCP/IP PING command was successfully issued. You must then view the TCP/IP PING REPORT FOR NODE report to determine the success or failure of the PING. If the PING is successful, it is an indication that the network connection between the destination host that you sent a PING (echo request) to and your source host is correctly configured.

Notes:

- The TCPIP PING command has many options that are available to you when sending a PING request. To view all the options, refer to the full command syntax in the Networking Commands and Inquiries Help. For additional operational information on this command, see "Verifying That Packets Are Received by a Remote Host."
- You can use the TCPIP PING command to check on a destination domain name by issuing a TCPIP PING <domain name> command. The domain name can be either a host name or a fully qualified domain name. Note that there is no keyword token associated with <domain name>.

Verifying That Packets Are Received by a Remote Host

You can issue the TCPIP PING command to check that packets being sent to a remote host are being received by the remote host. To determine if packet loss is occurring between two hosts in your network, issue one of the following TCPIP PING commands from your system console:

NW TCPIP PING <destination ip address> COUNT = <count integer>
NW TCPIP PING <destination hostname> COUNT = <count integer>
NW TCPIP PING <destination ip address> SIZE = <size integer>
NW TCPIP PING <destination hostname> SIZE = <size integer>

Note: You can use the SIZE and COUNT options of the TCPIP PING command at the same time; for full command syntax capabilities, refer to the Networking Commands and Inquiries Help.

The variables are described as follows.

Variable | Description
<destination ip addr> or <destination hostname> | The remote destination (ip address or hostname) on which you are inquiring. The IP address can be either an IPv4 address or an IPv6 address.
<count integer> | The number of times you want the IP packet to be sent to the remote destination host. If the count is set to 0 (zero), each time a reply (echo) is sent back from the destination host, the initiating host will send another PING request. If you choose this option, you must issue the following command to discontinue echo requests from being sent to that destination host: NW TCPIP PING <TCPIP hostname>. Note: The <IP address> can be substituted for the <TCPIP hostname> in this command syntax. Range = 0 through ; Default = 1
<size integer> | The size of the packet you want to send to the destination host. Range = 0 through ; Default = 0

The result of this command is reported in the TCP/IP PING REPORT FOR NODE report. To redisplay this report, enter MSG at the system console. Complete syntax for this report can be found in the Networking Reports and Log Messages Help. This report identifies how many messages were sent, how many messages were received, and the percentage of packets that were lost.

Filtering TCP/IP Traffic

You can configure the networking devices of your ClearPath MCP complex to filter unwarranted traffic and prevent it from reaching the MCP environment. The types of filtering you can implement include the following:

- Filtering on transmission control protocol (TCP) or user datagram protocol (UDP) port numbers; see Filtering Frames Based on Port Numbers for details.
- Filtering out broadcast traffic; see Filtering Broadcast Traffic for details.
- IPv6 protocol filtering, which stops IPv6 networking traffic without affecting IPv4 networking traffic; see IPv6 Protocol Filtering for details.
- Filtering Routing Information Protocol (RIP) frames; see Filtering RIP Frames for details. This feature is supported only by IPv4 networking.

Filtering Frames Based on Port Numbers

You can filter incoming frames (packets) based on TCP and UDP port numbers in either of the following ways:

- Dynamically, using dynamic port filtering
- Statically, using the TCPIP FILTERFRAMES command.

If the FILTERFRAMES command is "enabled" for a port or range of ports, then those ports will always be closed and no traffic can reach the MCP environment. If the FILTERFRAMES command is "disabled" for a port or range of ports (the default), then dynamic port filtering can be used as described in the following subsection.

Enabling Dynamic Port Filtering

Dynamic port filtering (DPF) enables you to configure FC3-IOP, SAS-IOP, MAICP4, and VNP networking devices to prevent unwanted TCP and UDP traffic from reaching the MCP host. This can help prevent a Denial of Service attack on the MCP host by ensuring that port scans do not cause excess overhead.

To discard (filter) unwanted traffic, the MCP tells the networking devices which ports are accepting connections and data. The list of port numbers includes those associated with registered DSSs. The data on these ports is the only data forwarded to the MCP host. All other data is filtered and logged.

To use dynamic port filtering, enter the NW TCPIP OPTION command with the DYNAMICPORTFILTER (DPF) option enabled as follows:

NW TCPIP OPT + DPF

DPF is enabled by default. To disable DPF, enter the following:

NW TCPIP OPT - DPF

When you enable DPF, a one line ODT display and log report is generated advising the operator of the total number of frames filtered on a particular interface. In addition, a logonly port filtering report is created that indicates when TCP and UDP messages have been filtered and provides statistics for traffic that has been filtered. These statistics provide information including the source address, destination address, protocol number, and TCP control flags. If the frame is not a TCP frame (UDP), the status of the TCP control flags is set to false.

These reports are generated every 3 minutes or whenever the report buffer fills, whichever occurs first. A report is generated only when packets are filtered.

Note: If IPsec is enabled, DPF will not be able to filter frames.

You can use the NW TCPIP FILTERFRAMES command to interrogate the current status of all port numbers associated with port filtering by entering the following:

NW TCPIP FILTERFRAMES

The following response is displayed:

STATIC PORT FILTERING STATUS:
THE FILTERING OF FRAMES WITH THE FOLLOWING <protocol> PORT NUMBERS HAS BEEN <status>: [,...<list of port numbers>].
THE FILTERING OF FRAMES WITH THE FOLLOWING <protocol> PORT NUMBERS HAS BEEN <status>: [,...<list of port numbers>].

The variables are described as follows.

Variable | Description
<status> | Can be either enabled or disabled.
<list of port numbers> | Specifies a port number or range of port numbers.
<protocol> | Can be either TCP or UDP.

The following is a sample response:

STATIC PORT FILTERING STATUS:
THE FILTERING OF FRAMES WITH THE FOLLOWING TCP PORT NUMBERS HAS BEEN ENABLED: NONE.
THE FILTERING OF FRAMES WITH THE FOLLOWING UDP PORT NUMBERS HAS BEEN ENABLED: NONE.

Refer to the Networking Commands and Inquiries Help for additional details on the syntax and usage of this command. Check the Errata for any restrictions or guidelines concerning dynamic port filtering.

Enabling Static Port Filtering

The NW TCPIP FILTERFRAMES command allows you to set filters on incoming frames (packets) based on TCP and UDP port numbers. By enabling port filtering on specific TCP or UDP port numbers, you can prevent unwanted frames from reaching the MCP host while the host continues to receive other frames from the network. You can also use this command to disable filtering (the default) or to inquire on the filtering status of frames that are intended for specific port numbers.

Filtering can be implemented for all 65,535 TCP and UDP port numbers and is only available for systems using the FC3-IOP, SAS IOP, MAICP4, and VNP network interfaces. For example, if you do not want your MCP host to receive frames destined for specific TCP ports, you can use this command to enable filtering for TCP on the port numbers you specify.

Port filtering is implemented uniformly on an MCP host. It does not allow for specific settings for individual network processors. The port numbers you supply must be in the range of 1 through

Filtering of traffic across the EVLAN path applies only to MCP systems using VNP network interfaces. On VNP devices, TCP frames traversing the EVLAN path will be received by the local MCP host only if they meet the port filtering criteria. The port filtering criteria has no impact on delivery of TCP frames across the EVLAN path on MAICP4 or CNP network interfaces, and no EVLAN path exists on FC3-IOP or SAS-IOP network interfaces.

The NW TCPIP FILTERFRAMES command without an ENABLE/DISABLE selection serves as the inquiry command, returning the current configuration setup for frame filtering for all TCP and UDP ports. Refer to the Networking Commands and Inquiries Help for additional details on the syntax and usage of this command.

The following command enables filtering on the TCP port numbers or range of port numbers you specify:

NW TCPIP FILTERFRAMES ENABLE TCP [EXCEPT/ALL] [PORT] <port specification>

The following command disables filtering on the UDP port numbers or range of port numbers you specify:

NW TCPIP FILTERFRAMES DISABLE UDP [EXCEPT/ALL] [PORT] <port specification>

The variable is described as follows.

Variable | Description
<port specification> | The port numbers or range of port numbers for which filtering is enabled or disabled.
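The following added example (not Unisys code) models how the static and dynamic port filters described above combine on a networking device, and what a run of frames across many ports looks like with DPF active versus with IPsec enabled. The class and function names, the accepting ports, and the 192.0.2.x addresses are constructed for illustration; treating static filtering as unaffected by IPsec is an assumption, since the guide states the IPsec limitation only for DPF.

```python
from collections import Counter
from dataclasses import dataclass, field

TCP, UDP = 6, 17                                  # IP protocol numbers
TCP_FLAGS = ("URG", "ACK", "PSH", "RST", "SYN", "FIN")


@dataclass(frozen=True)
class Frame:
    src: str
    dst: str
    proto: int
    dport: int
    flags: frozenset = frozenset()                # TCP control flags that are set


@dataclass
class DeviceFilter:
    """Hypothetical model of the filtering done before frames reach the MCP host."""
    accepting: dict                               # proto -> ports the MCP reported as accepting
    static_closed: dict = field(default_factory=lambda: {TCP: set(), UDP: set()})
    dpf: bool = True                              # the guide says DPF is enabled by default
    ipsec: bool = False
    report: list = field(default_factory=list)    # stands in for the log-only DPF report

    def decide(self, f: Frame) -> str:
        # 1. FILTERFRAMES ENABLE: the port is always closed.
        if f.dport in self.static_closed.get(f.proto, ()):
            return "static-filtered"
        # 2. DPF: only ports accepting connections and data are forwarded.
        #    The guide notes DPF cannot filter frames when IPsec is enabled.
        if self.dpf and not self.ipsec and f.dport not in self.accepting.get(f.proto, ()):
            # Statistics named in the guide: source, destination, protocol number,
            # TCP control flags (all false when the frame is not TCP).
            self.report.append({
                "src": f.src, "dst": f.dst, "proto": f.proto,
                "flags": {n: (f.proto == TCP and n in f.flags) for n in TCP_FLAGS},
            })
            return "dpf-filtered"
        return "forwarded"


def sweep(dev, ports, proto=TCP, src="192.0.2.10", dst="192.0.2.1"):
    """Run one constructed frame per destination port through the model."""
    flags = frozenset({"SYN"}) if proto == TCP else frozenset()
    return Counter(dev.decide(Frame(src, dst, proto, p, flags)) for p in ports)


# Constructed configuration: which ports the MCP has reported as accepting.
ACCEPTING = {TCP: {23, 80}, UDP: {53}}

if __name__ == "__main__":
    ports = range(1, 1025)
    dpf_only = DeviceFilter(accepting=ACCEPTING)
    print("DPF on:           ", dict(sweep(dpf_only, ports)))
    print("frames in report: ", len(dpf_only.report))

    with_static = DeviceFilter(accepting=ACCEPTING, static_closed={TCP: {23}, UDP: set()})
    print("DPF + static 23:  ", dict(sweep(with_static, ports)))

    ipsec_on = DeviceFilter(accepting=ACCEPTING, static_closed={TCP: {23}, UDP: set()},
                            ipsec=True)
    print("IPsec enabled:    ", dict(sweep(ipsec_on, ports)))
```

In the IPsec case every frame that is not on a statically filtered port is forwarded to the host, which is why the status of FILTERFRAMES matters more on systems where IPsec is enabled.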

Filtering Broadcast Traffic

Broadcast filtering enables you to filter out broadcast traffic such as ARP storms or UDP broadcasts on attached FC3-IOP, SAS-IOP, MAICP4, and VNP networking devices. By eliminating excessive broadcast traffic at the network interface level rather than within the MCP host, you can free up the MCP processor for its normal workload and prevent a Denial of Service from being imposed on the MCP host.

Use the NW TCPIP BROADCASTFILTER command to enable, disable, and inquire about the configuration of broadcast filtering. You can specify high and low threshold values with this command so that if the number of broadcast packets received per second from the network is higher than the high threshold, all broadcast packets will be filtered (not processed) until the rate drops below the low threshold value.

Note: This command does not apply to IPv6 traffic because broadcasts are not supported in IPv6.

For example, suppose you use the command to set the high threshold at 800 and the low threshold at 400. If the rate of broadcast packets received per second rises to 801 (or any rate above 800), broadcast filtering is enabled. If the rate then decreases to 700, broadcast filtering remains enabled. If the rate drops further to 399 (or any rate below 400), broadcast filtering is disabled and remains so until the rate again rises above 800.

Enter the following command to enable broadcast filtering:

NW TCPIP BROADCASTFILTER ENABLE [HIGHTHRESHOLD <threshold> LOWTHRESHOLD <threshold>]

The variable is described as follows.

Variable | Description
<threshold> | The threshold values of packets received per second (high and low) for which broadcast filtering is enabled or disabled. You must specify both the high and low threshold values, or no values at all. If you enter this command without specifying thresholds, the default value is 1000 for high threshold and 500 for low threshold.

Enter the following command to disable broadcast filtering:

NW TCPIP BROADCASTFILTER DISABLE

If you enter the TCPIP BROADCASTFILTER command without an ENABLE or DISABLE selection, the command serves as an inquiry and returns the current configuration of the broadcast filtering feature. Refer to the Networking Commands and Inquiries Help for additional details on the syntax and usage of this command.
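The high/low threshold behaviour described above is a hysteresis rule. The following added example (not Unisys code) replays the guide's 800/400 walk-through, including the boundary rates of exactly 800 and 400, and compares it with a single-threshold filter on a rate that hovers around 800. The class and function names and both sample sequences are constructed; rejecting a low threshold that is not below the high threshold is an assumption of the model.

```python
from dataclasses import dataclass


@dataclass
class BroadcastFilter:
    """Two-threshold state described for NW TCPIP BROADCASTFILTER (model only)."""
    high: int = 1000            # default high threshold given in the guide
    low: int = 500              # default low threshold given in the guide
    filtering: bool = False

    def __post_init__(self):
        # Assumption: the guide does not say how the command treats low >= high,
        # but the described behaviour only makes sense when low < high.
        if not 0 <= self.low < self.high:
            raise ValueError("low threshold must be below high threshold")

    def observe(self, rate: int) -> bool:
        """Feed one packets-per-second sample; return True while filtering."""
        if not self.filtering and rate > self.high:      # "higher than the high threshold"
            self.filtering = True
        elif self.filtering and rate < self.low:         # "drops below the low threshold"
            self.filtering = False
        return self.filtering


def trace(rates, high, low):
    """Return (rate, filtering) pairs for a sequence of per-second rates."""
    f = BroadcastFilter(high, low)
    return [(r, f.observe(r)) for r in rates]


def single_threshold(rates, threshold):
    """Comparison case: filter whenever the current sample exceeds one threshold."""
    return [r > threshold for r in rates]


def transitions(states):
    """Count on/off changes, starting from the 'not filtering' state."""
    changes, prev = 0, False
    for s in states:
        if s != prev:
            changes += 1
        prev = s
    return changes


# Constructed samples: the walk-through from the guide plus the boundary values.
GUIDE_RATES = [300, 800, 801, 700, 400, 399, 800, 801]
# Constructed samples: a storm hovering around 800 packets per second.
HOVERING = [790, 810, 795, 805, 790, 820, 780, 810]


def demo():
    guide = [on for _, on in trace(GUIDE_RATES, 800, 400)]
    with_hysteresis = transitions(on for _, on in trace(HOVERING, 800, 400))
    naive = transitions(single_threshold(HOVERING, 800))
    return guide, with_hysteresis, naive


if __name__ == "__main__":
    for rate, on in trace(GUIDE_RATES, 800, 400):
        print(f"{rate:5d} pkt/s  filtering={'ON' if on else 'off'}")
    _, with_hysteresis, naive = demo()
    print("state changes on hovering traffic:",
          f"two thresholds={with_hysteresis}, single threshold={naive}")
```

The gap between the two thresholds is what keeps the filter from toggling every second during a sustained storm, so thresholds set close together give up most of that benefit.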

IPv6 Protocol Filtering

TCP/IP initializes in dual mode and is both IPv4-capable and IPv6-capable. This is the default operating mode. However, after TCP/IP initialization and IPv6 configuration has occurred, a network administrator can stop IPv6 network traffic without affecting the IPv4 network traffic. This capability is provided through the IPV6FILTERING option on the NW TCPIP OPTION command. This option

- Does not shut down IPv6 network operation.
- Is intended to be applied if the network administrator believes that IPv6 traffic is adversely affecting MCP operation.
- Stops any IPv6 message flow in either direction between the host and the network.
- Stops IPv6 network traffic until the TCPIP network is reinitialized.
- Reduces the likelihood of any repeat occurrence of events that cause filtering to be enabled.
- Does not log any information concerning IPv6 traffic that is stopped because this might increase the chance of repeat occurrence of events that cause filtering to be enabled.

If the network administrator wants to prevent the use of IPv6 for all future initiations of TCP/IP, the IPv4 only option should be applied as the first command in the TCP/IP initialization file.

To enable IPv6 filtering, enter the following command:

NW TCPIP OPT + IPV6FILTERING

The IPv6 Filtering option is initially disabled, which means that IPv6 traffic is allowed between the host and the network. Once the option is enabled, it cannot be disabled without stopping and then restarting TCP/IP (NW TCPIP-/+ command).

Filtering RIP Frames

Note: This feature is supported only in the IPv4 operating mode.

TCP/IP networking can include the internal broadcast of network routing information in Routing Information Protocol (RIP) frames. However, heavy RIP broadcast activity can cause a significant increase in MCP processor usage. While the processing of RIP frames by the MCP server can be disabled via the OI command, this does not eliminate the MCP overhead required to receive these frames. This overhead can be substantial in some configurations.

When a shared adapter is used as the network connection, you can prevent (filter) RIP frames from being forwarded to the host from a specific network processor, such as an MAICP4 device.

To filter RIP frames, disable (uncheck) the Forward RIP frames to MCP option on the Adapter Properties dialog box when you install the Network Services software. This option can be set for each shared adapter and is enabled by default. When this option is disabled, Network Services software filters all RIP frames received from the network via the shared adapter; that is, they are not forwarded to the MCP server. Note that this method of filtering RIP frames does not apply to VNP devices.

Note that the setting of the TCP/IP FILTERFRAMES command might impact how this feature works. For example, you might want to send RIP frames to the host but, if either the RIP frame filtering feature or the TCP/IP FILTERFRAMES feature is set to filter RIP frames away from the MCP host, the RIP frames will not be forwarded. Thus, if you decide to forward RIP frames when you install NNS (enable Forward RIP frames to MCP) but use the FILTERFRAMES command to filter out RIP frames, the host will not receive the frames. In addition, if you decide not to forward RIP frames when you install NNS, but you then enter the FILTERFRAMES command to forward RIP frames to the host, the host will not receive the frames.

For additional information, refer to the Network Services installation and setup procedures in the Network Services Implementation Guide.

Deleting TCP/IP Components Online

This subsection discusses how to delete the following TCP/IP components:

- Deleting an IP route to a TCP/IP host
- Deleting default IP routes
- Deleting a user-specified mapping between a TCP/IP host and an IP address
- Deleting all learned mappings
- Deleting an enterprise server IP address from the network

Deleting an IP Route to a TCP/IP Host

The DELETE option of the TCP/IP ROUTE command enables you to manually delete a route from the routing tables. By default, only inactive routes can be deleted. Inactive routes are those that currently have no dialogs associated with them. The NOW attribute can be used to delete a route that has open dialogs associated with it. Both specific and default routes can be deleted. All routes satisfying the specified criteria are deleted.

To delete a route, enter a command similar to one of the following:

NW TCPIP ROUTE DELETE <ip address 1> MASK <ip address 2> VIA <ip address 3> [PREF] <preference>
NW TCPIP ROUTE DELETE <ip address 1> / <network-prefix length> VIA <ip address 3> [PREF] <preference> NOW
NW TCPIP ROUTE DELETE <ip address 1> VIA <ip address 3> [PREF] <preference>

The variables are described as follows.

Variable: Description
<ip address 1>: The IP address of the destination host/subnet/network/supernet.
<ip address 2>: (Optional; used for IPv4 addressing only) The mask of the remote subnet/network/supernet.
<network-prefix length>: (Optional) The length of the classless network-prefix that when applied to the ip address yields the subnet/network/supernet.
<ip address 3>: The IP address of the next-hop router along the path to the destination.
<preference>: (Optional) Identifies alternate backup routes to the destination. The preference value identifies the backup order that is used when a lower preference next-hop fails. Multiple routes with the same preference value represent a parallel route that can be used for dialog load balancing. A preference value can range from 1 to 255.

IPv4 Examples

Delete the route to
NW TCPIP ROUTE DELETE VIA

Delete the route to even if it is in use.
NW TCPIP ROUTE DELETE VIA NOW

IPv6 Example

Delete the route to 090F:0:0:0:9F:FF:89:98.
NW TCPIP ROUTE DELETE 090F:0:0:0:9F:FF:89:98/128 VIA 090F:0:0:0:9F:89:

Deleting Default IP Routes

You can use the TCP/IP ROUTE command to delete default routes by supplying the DELETE DEFAULT options and all required default route attributes. In IPv4 networks, when an assigned default route is to be deleted, the MASK/network-prefix length attribute must also be provided. By default, only inactive default routes can be deleted. Inactive default routes are those that currently have no dialogs associated with them. Use the NOW attribute to delete a default route that has open dialogs associated with it.

To delete a default IP route, enter a command similar to one of the following:

NW TCPIP ROUTE DELETE DEFAULT <ip address 1> MASK <ip address 2> [PREF] <preference>
NW TCPIP ROUTE DELETE DEFAULT <ip address 1> / <network-prefix length> [PREF] <preference> NOW
NW TCPIP ROUTE DELETE DEFAULT <ip address 1> [PREF] <preference>

The variables are described as follows.

Variable: Description
<ip address 1>: The IP address of the default next-hop router for destinations for which there is no "specific" route.
<ip address 2>: (Optional; used for IPv4 addressing only) The mask that, when applied to the <ip address> attribute, yields the local subnet/network/supernet ID for which this is a default route.
<network-prefix length>: (Optional) The length of the classless network prefix that when applied to the ip address yields the local subnet/network/supernet ID for which this is a default route.
<preference>: Used to define the order of alternate, backup default routes. Each alternate default route must have a unique preference value. A preference value can range from 1 to 255.

Examples

Delete the default route for network
NW TCPIP ROUTE DELETE DEFAULT MASK PREF 1
or
NW TCPIP ROUTE DELETE DEFAULT /24 PREF 1

Delete the system default route.
NW TCPIP ROUTE DELETE DEFAULT PREF 1

Delete a previously defined static IPv6 route.
NW TCPIP ROUTE DELETE DEFAULT 090F:0:0:0:9F:FF:89:98 PREF

Deleting a User-Specified Mapping (TCP/IP Host to IP Address)

To remove a user-specified mapping between a TCP/IP host name or domain name and one or more IP addresses, issue either of the following commands at your system console:

NW TCPIP MAP <ip address>
NW TCPIP MAP <TCP/IP hostname>

Note that for the first command format, only one IP address can be specified. For the second command format, the command removes all IP address mappings to the specified host name.

If the command is successful, you receive the following response:

<TCPIP hostname> / <IP address> [, <IP address>] REMOVED FROM MAPPING TABLE

Deleting All Learned Mappings

The local name server caches IP address mappings that it learns through queries onto the Internet-based Domain Name System. You can use the TCP/IP MAPPING command to delete these learned mappings. To explicitly delete all learned mappings, issue the following command at your system console:

NW TCPIP MAP LEARNED

If the command is successful, you receive the following response:

ALL LEARNED MAPPINGS HAVE BEEN REMOVED

Deleting an Enterprise Server IP Address from the Network

To prevent a host from communicating (functioning) in a TCP/IP network, use the TCP/IP IDENTITY DELETE command to delete the local IP address from the network. To do so, enter the following at your system console:

NW TCPIP ID DELETE IPADDRESS = <ip address>

where <ip address> is the enterprise server address that you are deleting from the network.

Note: For the DELETE option to work properly, you must use the TCPIP OPTION command to turn off LAN resiliency (LANRESIL) before issuing this command with the DELETE option.

If the command is successful, you receive the following response:

TCPIPIDENTITY IPADDRESS = <ip address> DELETED

If the connection you are attempting to delete is in use, or if IPADDRESS is misspelled when you enter the command, the following message is displayed:

** ERROR: SEMANTIC ERROR IN TCPIP TCPIPIDENTITY DELETE COMMAND: IPADDRESS NOT FOUND OR IN USE: TCPIP TCPIPIDENTITY DELETE IPADDRESS =

If this message displays, close the connection, and reissue the TCP/IP IDENTITY DELETE command.

Deleting Local IP Address and Mask Pairs

To delete multiple local IP address and mask pairs, or all local IP address and mask pairs, use the TCPIP ID DELETE command. Enter one of the following commands at your system console:

NW TCPIP ID DELETE <ipaddress>/<ip address>
NW TCPIP ID DELETE <ipaddress>/<prefix>, <ipaddress>/<prefix>
NW TCPIP ID DELETE NP <device id> <line id> [VLAN <vlan id>]

The variables are described as follows.

Variable: Description
<ip address>: Specifies the local IP address of the host/subnet/network.
<prefix>: An integer used in CIDR format that indicates the number of bits used in the mask.
<device id>: An integer used to specify the network processor device.
<line id>: An integer used to specify the line.
<vlan id>: (Optional) Is used to match the definition of a CONNECTION GROUP on an FC3-IOP or SAS-IOP.

Examples

Delete a single local IP address with a "classical" mask
NW TCPIP ID DELETE /

Delete all IP address/mask pairs assigned to one line on one NP.
NW TCPIP ID DELETE NP 2 LINE

Delete all IP address/mask pairs assigned to one line on one NP with an invalid NP/Line ID.
NW TCPIP ID DELETE NP 32 LINE 1

Delete a single local IP address using specific mask.
NW TCPIP ID DELETE /

Delete a single local IP address using CIDR format
NW TCPIP ID DELETE /8

Delete three local IP addresses using CIDR format.
NW TCPIP ID DELETE /8, /8, /8

Delete IPv6 address FF0F:0:0:0:9F:FF:89:98
NW TCPIP ID DELETE FF0F:0:0:0:9F:FF:89:98/

Enabling a Host to Use the Address Mask Protocol

Note: This feature is supported only in the IPv4 operating mode.

The address mask protocol enables you to configure your network so that the hosts in a particular network can dynamically discover the mask, thus avoiding the need for each host to have a statically configured subnet mask.

To enable a host to use the address mask protocol, set one or more of the following address mask attributes.

Attribute: Description
IPMASKNETMASK: The 32-bit address mask for this network, used to find the subnet number. For additional information about address masks, see "Subnetting" in Section 2 of this guide.
IPMASKNETADDR: The network address for which the address mask information applies. For additional information about address masks, see "Subnetting" in Section 2 of this guide.
IPMASKCONFIG: Identifies how the host will behave in exchanging subnet mask addressing information among other hosts in the network.
IPMASKRETRYLIMIT: Identifies how many times an enabled host should retransmit a request when a reply is not received from the agent in the subnet.

The address mask attributes that you set will be stored in an Address Mask table, indexed by IPMASKNETADDR.

To enable the address mask protocol, you must set the IPMASKCONFIG attribute to configure a <state> for each host on the network. The <state> you assign enables you to control the behavior of the host in regard to the exchange of subnet mask addressing information among other hosts in the network.

Note: The TCPIP IDENTITY command automatically defaults the <state> of a host to static, until an SNMP SET command is issued to define a different value for the <state>.

Enabling a Host to Exchange Subnet Mask Address Information

To enable a host to exchange subnet mask address information, issue the following command from your system console:

NW SNMP SET IPMASKCONFIG <ip address> = <state>

The variables are described as follows.

Variable: Description
<IP address>: The local IP address of the host that you want to participate in dynamic address mask discovery.
<state>: Any one of the following values: Enabled, Static_Agent, Agent, Static (Default)

If this command is successful, you receive the following response:

SNMP OBJECTS REQUEST ID = 0 ERROR STATUS = 0 ERROR INDEX = 0 OBJECT ID = IPMASKCONFIG <IP address> OBJECT DESC = <1,2,3,or 4>

Note: Verify that the ERROR STATUS and ERROR INDEX fields shown in the system response are set to 0 (zero). If any other value is shown, it is an indication that the SNMP command has failed; for additional information, refer to the SNMP SET command responses listed in the Networking Commands and Inquiries Help.

The OBJECT DESC field indicates the setting of the IPMASKCONFIG attribute. The following table identifies the available configurations.

OBJECT DESC Values: When set to this value, the host will act as...
1: Enabled
2: Static_Agent
3: Agent
4: Static

The <state> that you assign to the IPMASKCONFIG attribute identifies how the host will behave in exchanging subnet mask addressing information among other hosts in the network.

Table 4-2 identifies the <states> that can be assigned to a subnet mask.

Table 4-2. IPMASKCONFIG Attribute Values

If you set the state to Enabled
And you issue a CLEAR CALL or ESTABLISH CALL command (with the AUTOINIT attribute set to TRUE), then the host will: Send address mask requests and receive address mask replies from the agent in the network. When address mask requests are being sent to another host in the network, the initiating host will send requests based on the retry limit set for that host. Requests will continue to be sent until one of the following occurs:
- The retry limit is exceeded.
- A reply is received from the agent in the network.
If while operating, you modify the state of that network, the host will: Receive address mask replies from the agent in the network, providing you have reinitialized the agent in your network.

If you set the state to Agent
And you issue a CLEAR CALL or ESTABLISH CALL command (with the AUTOINIT attribute set to TRUE), then the host will: Send unsolicited replies to other hosts in the network, and answer requests from other hosts in the network. However, the host will ignore all incoming replies received from other hosts in the network.
If while operating, you modify the state of that network, the host will: Respond to all incoming requests received from other hosts in the network.

If you set the state to Static_Agent
And you issue a CLEAR CALL or ESTABLISH CALL command (with the AUTOINIT attribute set to TRUE), then the host will: Have the same functionality as if the state was set to Agent except the host will only answer specific requests from other hosts; it will not send out unsolicited replies to other hosts in the network.
If while operating, you modify the state of that network, the host will: Respond to all incoming requests received from other hosts in the network.

If you set the state to Static
And you issue a CLEAR CALL or ESTABLISH CALL command (with the AUTOINIT attribute set to TRUE), then the host will: Ignore all requests/replies from other hosts in the network. In addition, the host will not send out any requests for information about other hosts in the network. A static host uses the address mask that was statically configured through the TCP/IP IDENTITY command or the SNMP SET command using the IPMASKNETMASK attribute.
If while operating, you modify the state of that network, the host will: Ignore all requests/replies from other hosts in the network. In addition, the host will not send out any requests for information about other hosts in the network. A static host uses the address mask that was statically configured through the TCP/IP IDENTITY command or the SNMP SET command using the IPMASKNETMASK attribute.

Tips on Identifying a Value for the IPMASKCONFIG Attribute

There are some things you should keep in mind when setting a value for the IPMASKCONFIG attribute.

When enabling a host to act as...

Agent

You must statically configure an address mask for the host that is to act as an agent by setting the IPMASKNETMASK attribute through the SNMP SET command. For specific details on how to statically configure an address mask for a host in your network, see "Subnetting" in Section 2, "Overview of TCP/IP Routing."

Set the IPMASKCONFIG attribute to Agent (through issuing the SNMP SET command).

Note: It is recommended that the host that is acting as an agent for the subnet is either the first or last host to be initialized in the network.

You can configure more than one host in the network to act as an agent to the rest of the hosts in the network; however, be advised that an enabled host will only accept the "first" reply received from an agent as its address mask.

Note: If you change the value of the IPMASKCONFIG attribute for a host from Agent to another state (Enabled, Static, or Static_Agent), you must identify another host in the network to act as the agent. For additional information on changing the value of the IPMASKCONFIG attribute, see "Changing the Setting of the IPMASKCONFIG Attribute" later in this section.

Static_Agent

If you set a host to Static_Agent, it will have the same functionality as that of a host set to Agent, except the host will only answer specific requests from other hosts in the network; it will not send out unsolicited replies to other hosts in the network upon initialization.

Enabled

A host must be set to Enabled to discover its subnet mask from the agent in the network. If you are setting the <state> of a host in the subnet to Enabled, you have an additional option to determine how many times the enabled host should retransmit a request when a reply is not received from the agent in the network.

To set the number of address mask requests issued by an enabled host, set the IP Mask Retry Limit attribute through the SNMP SET command. To do so, issue the following command from the system console:

NW SNMP SET IPMASKRETRYLIMIT <IP address> = <retry limit value>

where <retry limit value> is a range from 1 to 255.

For example, if you issue the following command from the system console, you are enabling the host to retransmit a request for address mask information ten times before the request is dropped:

NW SNMP SET IPMASKRETRYLIMIT <IP address> = 10

If you do not identify a value and no reply is received for this attribute, a default value of 5 will be used. If the number of retries expires, it is an indication that there might be a configuration problem in the subnet (for example, an agent is not defined).

To inquire on the current setting of the IPMASKRETRYLIMIT attribute for any enabled host on a network, issue the following command from the system console:

NW SNMP GET IPMASKRETRYLIMIT <IP address>

Static

If you do not want a host in the network to participate in the exchange of subnet mask addressing information among other hosts in the network, set the IPMASKCONFIG attribute for that host to Static. This enables the host to ignore all requests and replies from other hosts in the network. In addition, when set to static, the host will not request information from the agent in the network.

Static is the default configuration setting for the IPMASKCONFIG attribute. If you want the host to act as static, you do not need to issue the SNMP SET command. The TCPIP IDENTITY command will automatically default the IPMASKCONFIG attribute to Static until an SNMP SET command is issued to define a different value for the IPMASKCONFIG attribute.

If you change the <state> of a host's configuration from Enabled, Static_Agent, or Agent to Static, the host will maintain the same subnet mask from the previous <state>.

You can change the <state> of the IPMASKCONFIG attribute for any host in the network as often as you want; however, in doing so, you could potentially introduce network problems. Therefore, it is important that you understand the implications of modifying the <state> before you alter your initial configuration. For details, see "Changing the Setting of the IPMASKCONFIG Attribute" later in this section.

Changing the Setting of the IPMASKCONFIG Attribute

Changing the setting of the IPMASKCONFIG attribute is the same as initially setting this attribute for the host through the SNMP SET command. For example, to change the setting of the IPMASKCONFIG attribute from a value of Static to Enabled, issue the following command from your system console:

NW SNMP SET IPMASKCONFIG <IP address> = ENABLED

where <IP address> is the IP address of the host for which you want to change the setting of the IPMASKCONFIG attribute.

A change will take effect immediately; however, the behavior of the host for a particular <state> can be different depending on how the <state> is applied.

For example, if you change a host from Static to Enabled and do not issue a CLEAR CALL command (with the Auto Init attribute set to TRUE) or an ESTABLISH CALL command on the appropriate LAN connection, the host will accept replies from the agent in the network (provided the agent has been reinitialized), but will not send requests to the agent. The only way to get the newly enabled host to send a request to the agent is to issue one of the following commands from the system console:

- NW CLEAR CALL command (with the Auto Init attribute set to TRUE) on the appropriate LAN connection
- NW ESTABLISH CALL command on the appropriate LAN connection

For a complete description of each command, refer to the Networking Commands and Inquiries Help.

Selecting a New Agent for the Network

If you are selecting a new agent for your network, you must change the <state> of two hosts in the network. To select a new agent for the network, perform the following steps:

1. Change the value of the IPMASKCONFIG attribute of the host that you want to act as an agent in the network from its current setting to Agent, using the SNMP SET command.
2. Verify that the host that you want to act as the new agent has a statically configured address mask. If it does not, you can statically configure an address mask by issuing the SNMP SET command, using the IPMASKNETMASK attribute. For additional details, see "Subnetting" in Section 2, "Overview of TCP/IP Routing."
3. Change the setting of the old Agent's IPMASKCONFIG attribute from Agent to another value (for example, Enabled), using the SNMP SET command.

If you issue a CLEAR CALL command on the appropriate LAN connection of the host that is acting as the new agent, it will send out unsolicited replies with the new mask. Keep in mind however, that the first reply received from an agent is the one and only subnet mask that is accepted by the enabled host (as per RFC 1122).

To get an enabled host to accept a new subnet mask (for example, if the new agent in the network has a different subnet mask than the previous agent), you must do one of the following to each host in the network:

1. Reissue the SNMP SET command to set the IPMASKCONFIG attribute to Enabled on each host that you want to accept the new subnet mask, and issue a CLEAR CALL command or an ESTABLISH CALL command on the agent.
2. Issue a CLEAR CALL command (with the Auto Init attribute set to TRUE) or an ESTABLISH CALL command on the appropriate LAN connection of the host that you want to accept the new subnet mask.
3. Statically configure the new mask for the host by issuing the SNMP SET IPMASKNETMASK command.
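The agent-selection procedure and the first-reply rule above can be traced with a small model. This is an added example, not code from the guide or from MCP; the class and method names, the host names and the masks are constructed, and treating a mask learned from a reply as "not set by OI" is an assumption drawn from the address mask log message.

```python
"""Toy model of the IPMASKCONFIG states (added illustration, not MCP code)."""
from dataclasses import dataclass, field
from typing import List, Optional

NOT_SET_BY_OI = "MASK IN MASK TABLE NOT SET BY OI, CAN'T USE THIS MASK TO REPLY"


@dataclass
class Host:
    name: str
    state: str = "STATIC"          # TCPIP IDENTITY defaults a host to Static
    mask: Optional[str] = None
    mask_set_by_oi: bool = False   # True only after SNMP SET IPMASKNETMASK
    retry_limit: int = 5           # IPMASKRETRYLIMIT default
    accepting: bool = False        # an Enabled host takes only the first reply
    requests_sent: int = 0
    log: List[str] = field(default_factory=list)


class Segment:
    """One IPv4 subnet whose hosts hear each other's address mask messages."""

    def __init__(self, *hosts):
        self.hosts = list(hosts)

    def snmp_set_mask(self, host, mask):
        """NW SNMP SET IPMASKNETMASK: statically configure the mask."""
        host.mask, host.mask_set_by_oi = mask, True

    def snmp_set_config(self, host, state):
        """NW SNMP SET IPMASKCONFIG: immediate, but sends no request."""
        host.state = state
        host.accepting = state == "ENABLED"   # re-arms first-reply acceptance

    def clear_call(self, host):
        """CLEAR CALL (Auto Init TRUE) or ESTABLISH CALL on the LAN connection."""
        if host.state == "ENABLED":
            host.accepting, host.requests_sent = True, 0
            for _ in range(host.retry_limit):
                host.requests_sent += 1
                if self._request(host):
                    return
            host.log.append("retry limit exceeded, no address mask reply")
        elif host.state == "AGENT":           # unsolicited replies
            mask = self._agent_mask(host)
            for other in self.hosts:
                if mask is not None and other is not host:
                    self._deliver(other, mask)

    def _agent_mask(self, agent):
        # An agent answers only with a mask that was statically configured.
        if agent.mask_set_by_oi:
            return agent.mask
        agent.log.append(NOT_SET_BY_OI)
        return None

    def _request(self, requester):
        accepted = False
        for other in self.hosts:
            if other is not requester and other.state in ("AGENT", "STATIC_AGENT"):
                mask = self._agent_mask(other)
                if mask is not None:
                    accepted = self._deliver(requester, mask) or accepted
        return accepted

    def _deliver(self, host, mask):
        # Agents and static hosts ignore replies; Enabled hosts keep the first.
        if host.state != "ENABLED" or not host.accepting:
            return False
        # Assumption: a learned mask does not count as set by OI.
        host.mask, host.mask_set_by_oi, host.accepting = mask, False, False
        return True


def select_new_agent_demo():
    old, new, h = Host("OLD"), Host("NEW"), Host("H")
    seg = Segment(old, new, h)
    seg.snmp_set_mask(old, "255.255.255.0")
    seg.snmp_set_config(old, "AGENT")
    seg.snmp_set_config(h, "ENABLED")
    seg.clear_call(h)                         # H learns the old agent's mask
    learned = h.mask
    seg.snmp_set_mask(new, "255.255.254.0")   # step 2: static mask on new agent
    seg.snmp_set_config(new, "AGENT")         # step 1
    seg.snmp_set_config(old, "ENABLED")       # step 3
    seg.clear_call(new)                       # unsolicited replies, new mask
    after_switch = {x.name: x.mask for x in (old, h)}
    seg.clear_call(h)                         # remedy 2: H asks again
    return learned, after_switch, h.mask


def agent_without_static_mask_demo():
    agent = Host("A", state="AGENT", mask="255.255.255.0")  # mask not set by OI
    h = Host("H", state="ENABLED", retry_limit=3)
    Segment(agent, h).clear_call(h)
    return h.requests_sent, h.mask, agent.log.count(NOT_SET_BY_OI), h.log
```

In the first demo, host H keeps the old mask after the agent switch until a CLEAR CALL is issued on its own connection, while the former agent, re-armed by its SNMP SET to Enabled, takes the new mask at once.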

Address Mask Log Messages

The following address mask log messages might be displayed in your system log:

If you set a new address mask using an OI command, the log displays the following message:

MASK <subnet mask> PROVIDED IN SNMP SET COMMAND FOR IP ADDRESS HAS REPLACED MASK <subnet mask> FOR IP ADDRESS <IP address> IN IP_ADDR_TABLE

If a mask is set by an address mask reply, the log displays the following message:

MASK <subnet mask> PROVIDED IN ADDRESS MASK REPLY FOR NETWORK ADDRESS <IP address> HAS REPLACED MASK <subnet mask> IN IP_ADDR_TABLE

If a request is received by a host whose IPMASKCONFIG attribute is set to Agent, but the mask was not set through the SNMP SET command, no reply is sent and the log report displays the following error message:

ICMP ADDRESS MASK REQUEST RECEIVED ON NETWORK <IP address>; MASK IN MASK TABLE NOT SET BY OI, CAN'T USE THIS MASK TO REPLY

Using Router Discovery

IPv4 networks use the router discovery protocol to dynamically discover the IP addresses of their neighboring routers. The router discovery protocol is discussed in the following subsection.

IPv6 networks use Neighbor Discovery to enable nodes to determine the neighbors that can be reached and to find routers that are able to forward packets for them. In IPv6 networks, the only routes that are dynamically discovered are default routes. All other routes must be statically (manually) configured using the TCPIP ROUTE command. Neighbor discovery is discussed in the subsection Using Neighbor Discovery.

Enabling a Host to Use the Router Discovery Protocol

The router discovery protocol enables enterprise server TCP/IP hosts attached to multicast or broadcast IPv4 networks to dynamically discover the IP addresses of their neighboring routers. This is especially useful when an enterprise server TCP/IP host is attempting to route IP traffic to a host that is beyond its directly attached subnet. Use of the router discovery protocol eliminates the need for you to manually configure IP addresses of neighboring routers.

Note: RFC 1256 defines different actions to be taken by a system involved in router discovery depending on whether the system is a host or a router. The TCP/IP library checks the setting of the IPFORWARDING attribute to determine whether the system is capable of forwarding datagrams. If IPFORWARDING is enabled, the router discovery frames (along with data packets) will be forwarded to the appropriate destination.

When a system is a host, it can perform router discovery, receiving router advertisements and sending router solicitations. It cannot forward IP packets since the IPFORWARDING attribute is set to disabled.

RFC 1009 contains a list of functions which must all be performed for a system to be considered a router. RFC 1256 requires that to act as a router in router discovery, RFC 1009 must be followed. However, at this time, the enterprise server TCP/IP implementation does not fully support RFC 1009, and therefore the TCP/IP library cannot act as a router. This means that the system cannot send router advertisements or answer router solicitations, but this system can forward IP packets.

The IPFORWARDING attribute is settable through the SNMP SET command. Issue the SNMP GET command to inquire on a system's current setting of the IPFORWARDING attribute.

Router discovery is performed by issuing the following ICMP messages.

ICMP Message Types: Description

Advertisements: Periodically sent from neighboring routers to announce their IP address for the multicast interface. The enterprise server TCP/IP host, enabled for router discovery, will listen to the advertisements received from neighboring routers to discover their IP addresses. Current enterprise server TCP/IP implementation of router discovery enables the hosts to listen but not send advertisements to other neighboring routers on the network.

Solicitations: Issued by a host to request advertisements from neighboring routers in the network. When a host that is enabled for router discovery and attached to a multicast link is initialized (or reinitialized), it will multicast a router solicitation message to ask for immediate advertisements from neighboring routers. Issuing an SNMP SET command also causes the host to send an ICMP router discovery solicitation message. Current TCP/IP implementation of router discovery enables the hosts to solicit IP addresses of neighboring routers but not respond to solicitations received from other routers in the network. Solicitations received from neighboring routers are discarded by the TCP/IP host.

Enabling a Host to Dynamically Discover Neighboring Router's IP Addresses

To enable a host to use the router discovery protocol, set one or more of the following router discovery attributes:

Note: Setting any one of the following attributes causes the other three attributes to automatically be set to default values.

Attribute: Description
ICMPRDISCPERFORM: Enables a host to use the router discovery protocol.
ICMPRDISCNETADDR: The network for which the router discovery information applies.
ICMPRDISCSOLICITATIONADDR: The IP destination address used for sending router solicitations from the interface.
ICMPRDISCTTL: The number of hops an IP datagram can take before becoming invalid and discarded. This value is inserted in the Time To Live (TTL) field of the IP header of a router discovery message.

The router discovery attributes that you have set will be stored in the Router Discovery table, which is indexed by ICMPRDISCNETADDR.

Setting Router Discovery Attributes on a Per-Network Basis

To set a router discovery attribute, issue the following command from the system console:

NW SNMP SET <attribute name> <ip address> = <value>

where <ip address> is the IP address of the host that you want to perform router discovery.

The variables are described as follows.

<attribute name> = ICMPRDISCPERFORM
<value> = One of the following values:
1 = Enabled
2 = Disabled
Default = 1 (Enabled)
Note: Setting ICMPRDISCPERFORM to 1 will send an ICMP router discovery solicitation message.

<attribute name> = ICMPRDISCNETADDR
<value> = <ip address>

<attribute name> = ICMPRDISCSOLICITATIONADDR
<value> = One of the following:
= multicast address
= broadcast address
For a link to be multicast-capable, the MULTICASTADDRLIST attribute must be set for the connection. To statically configure a value for the MULTICASTADDRLIST attribute, you must issue either of the following OI commands:
ADD CONNECTION
MODIFY CONNECTION
Note: For command syntax, refer to the Networking Commands and Inquiries Help.
Default =

<attribute name> = ICMPRDISCTTL
<value> = 1 if the solicitation address is set to if a broadcast address is used.
Default = 1

Note: The SNMP SET command can also be issued to disable the router discovery protocol. To disable the router discovery protocol for a host, set the ICMPRDISCPERFORM attribute equal to 2 (Disabled).

For example, if you issue an SNMP SET command (using the ICMPRDISCPERFORM attribute), and the command is successful, the system returns the following response:

SNMP OBJECTS REQUEST ID = 0 ERROR STATUS = 0 ERROR INDEX = 0 OBJECT ID = ICMPRDISCPERFORM <IP address> OBJECT DESC = <1 or 2>

To verify that a router discovery attribute is correctly set, issue the SNMP GET inquiry. For example, to verify that the ICMPRDISCPERFORM attribute is set to enabled, issue the following inquiry from the system console:

NW SNMP GET ICMPRDISCPERFORM <ip address>

Setting an Additional Global Router Discovery Attribute

In addition to setting the router discovery attributes on a per-network basis, you have the option of setting an additional router discovery attribute on a global basis. The enterprise server TCP/IP ICMPLIMITEDBCAST attribute can be set for the entire system. It is recommended that you set this attribute to prevent possible flooding of the network when a link using router discovery is configured with a broadcast address and if you have one or more routers that retransmit limited broadcast messages.

To set the ICMPLIMITEDBCAST attribute, issue the following command from the system console:

NW SNMP SET ICMPLIMITEDBCAST = <value>

where <value> can be one of the following:

1 = Enabled (Limited broadcast)
2 = Disabled (Directed broadcast)
Default = 1

Note: Some routers are known to disobey the RFCs and retransmit limited broadcast onto other physical LANs. Setting the ICMPLIMITEDBCAST attribute to 2 (Disabled) will limit the retransmission to a particular network.

Router Discovery Log Message

The following message will appear in the SUMLOG if a router discovery advertisement message is received on a network for which there is no information in the Router Discovery table. This message will only appear in the SUMLOG if the tracing option of the TCP/IP DEBUG command is enabled for ICMP.

ROUTER DISCOVERY ERROR MESSAGE: AN ADVERTISEMENT WAS RECEIVED FROM THE SOURCE IP ADDRESS <IP address> BUT NO ENTRY EXISTS IN THE ROUTER DISCOVERY TABLE

If you want a host to participate in router discovery, see "Enabling a Host to Dynamically Discover Neighboring Router's IP Addresses" earlier in this section.

Using Neighbor Discovery

MCP IPv6 uses Neighbor Discovery in conjunction with the TCPIP NEIGHBOR command to discover routing information and manage neighbor nodes. Neighbor Discovery enables nodes to determine neighbors that are reachable and to find routers that are able to forward packets for them. Nodes can also use Neighbor Discovery to determine the data link-layer addresses for neighbors on attached links and to detect when these addresses change. The TCPIP NEIGHBOR command enables the administrator to add, modify, and delete a neighbor.

This section provides an overview of Neighbor Discovery and describes how to specify Neighbor Discovery options with the TCPIP OPTION command. For information on using the TCPIP NEIGHBOR command, refer to the Networking Commands and Inquiries Help.

Neighbor Discovery provides a means for resolving the following:

Router Discovery
Router Discovery enables nodes to locate routers residing on a link and to determine the appropriate next hop. On multicast-capable links, each router periodically multicasts a router advertisement packet announcing its availability. Receipt of router advertisements from all routers facilitates the building of a list of default routers (routers to which packets can be sent) and address prefixes.

Address Resolution
Address Resolution enables mapping from an IP address to a link-layer address. Neighbor address resolution, previously done through ARP in IPv4, is accomplished by multicasting a neighbor solicitation that asks the target node to return its link-layer address. When a node acknowledges that its link-layer address has changed, it multicasts a few unsolicited neighbor advertisement packets to all nodes to quickly update cached link-layer addresses that have become invalid.

Neighbor Unreachability Detection
Neighbor Unreachability Detection determines that a neighbor is no longer reachable on a link. Communication to or through a neighbor can fail for numerous reasons at any time. If it is the path that has failed, because of a router failure, link or half-link failure, or because of a change in the link-layer address of a node, recovery might be possible. Therefore, a node actively tracks the reachability "state" for the neighbors to which it is sending packets.

Redirection
Redirect messages are sent by routers to redirect a host to a better first-hop router for a specific destination or to inform hosts that a destination is in fact a neighbor (that is, on-link). Unlike IPv4, the recipient of an IPv6 redirect assumes that the new next-hop is on-link.

207

Neighbor Discovery is facilitated by the following five new ICMPv6 message types:

    Router Solicitation (Type 133)
    Router Advertisement (Type 134)
    Neighbor Solicitation (Type 135)
    Neighbor Advertisement (Type 136)
    Redirect (Type 137)

These messages are described in detail in RFC 2461, Neighbor Discovery for IP Version 6 (IPv6).

Specifying Neighbor Discovery Options

You can specify Neighbor Discovery options by entering the TCPIP OPTION command as follows:

    NW TCPIP OPT <neighbor discovery option> = <value>

The Neighbor Discovery options are described as follows.

Option: NDFirstProbeDelay
Description: The Neighbor Discovery First Probe Delay option is the delay before a node sends a probe packet to a neighbor on the network for the first time. Default = 5 seconds

Option: NDMAXAnyCastDelay
Description: The Neighbor Discovery Anycast Delay option indicates the amount of time a node waits before sending a neighbor advertisement in response to a valid neighbor solicitation, targeting one of the assigned addresses of the node. The address is an anycast address. The node sends the address resolution response at a random time ranging from 0 to the defined number. Default = 1 second

Option: NDMAXMultiCastSolicitations
Description: The Neighbor Discovery Maximum Multicast Solicitations option indicates the maximum number of multicast solicitation retries when a node has a unicast packet to send to a neighbor but does not know the link-layer address of the neighbor. The node performs address resolution by retrying the neighbor solicitations up to the defined maximum. Default = 3 transmissions

208

Option: NDMAXNeighborAdvertisement
Description: The Neighbor Discovery Maximum Neighbor Advertisement option indicates the maximum number of times the neighbor advertisement is retried. In some cases, a node might be able to determine that its link-layer address has changed and might want to quickly inform its neighbors of the new link-layer address by sending unsolicited neighbor advertisements to the all-nodes multicast address up to the defined maximum. Default = 3 transmissions

Option: NDMAXRtrSolicitationDelay
Description: The Neighbor Discovery Maximum Router Solicitation Delay option indicates the maximum delay before a host sends an initial solicitation. The delay is a random amount of time between 0 and the maximum. Using this option alleviates congestion when many hosts start up on a link in unison. Default = 1 second

Option: NDMAXRtrSolicitations
Description: The Neighbor Discovery Maximum Router Solicitations option indicates the maximum number of router solicitation retries. When an interface becomes enabled, a host might be unwilling to wait for the next unsolicited router advertisement to locate default routers or learn prefixes. To obtain router advertisements quickly, a host transmits router solicitations up to the defined maximum value. Default = 3 transmissions

Option: NDMAXRandomFactor
Description: The Neighbor Discovery Maximum Random Factor option indicates the multiplier for the maximum random base and is used in calculating a variable timeout value. The MaximumRandomBase value is .5. Default = 3

Option: NDMAXUniCastSolicitations
Description: The Neighbor Discovery Maximum Unicast Solicitations option indicates the maximum number of unicast solicitation retries. After entering the PROBE state, a node sends a unicast neighbor solicitation message to the neighbor using the cached link-layer address. While in the PROBE state, a node retransmits Neighbor Solicitation messages up to the defined maximum. Default = 3 transmissions

Option: NDMINRandomFactor
Description: The Neighbor Discovery Minimum Random Factor option indicates the multiplier for the minimum random base and is used in calculating a variable timeout value. The MinimumRandomBase value is .5. Default =

209

Option: NDREACHableInterval
Description: The Neighbor Discovery Reachable Interval option indicates the base time used for computing the random reachable time value. Modifying this option through this command overrides any network information received to update this value. Modifying the value to *DEFAULT updates the value to the default value and permits dynamic update through the network. Default = 30,000 milliseconds

Option: NDRETransInterval
Description: The Neighbor Discovery Retrans Interval option indicates the time between retransmissions of a message to a neighbor when resolving the address or when probing whether the neighbor can be reached. Modifying this option through this command overrides any network information received to update this value. Modifying the value to *DEFAULT updates the value to the default value and permits dynamic update through the network. Default = 1,000 milliseconds

Option: NDRtrSolicitationInterval
Description: The Neighbor Discovery Router Solicitation Interval option indicates the interval that separates router solicitations when requesting router information. Default = 1 second

210

Setting the IPADDRESSLIST Attribute

Note: This feature is supported only in the IPv4 operating mode.

When several ICPs are available to reach the same remote node and the MYIPADDRESS system attribute is not specified, the local IP address chosen is based on the memory utilization of the ICPs. When a connection is initiated and the MYIPADDRESS attribute is not specified, the ICP with the least utilization (including BNA and TCP traffic) is used for the duration of the connection.

If Specific ICPs Are Required

If specific ICPs are required for communication to certain IP addresses, you can use the IP Address List (IPADDRESSLIST) attribute to specify these IP addresses. This is a connection attribute that is set in the IP connection definition. This attribute will only be used when connections are initiated at the enterprise server. Passive connections will use the IP address specified with the incoming connection as the source IP address on all outgoing frames, regardless of the setting of the IPADDRESSLIST attribute. However, the path (route) of the outgoing frames is determined by the IPADDRESSLIST attribute. This functionality is the same for ICPs that are shared for BNA and TCP/IP traffic and does not depend on ICP type.

Specifying the IPADDRESS Value for Local and Remote Addresses

You can use the IPADDRESSLIST attribute to specify both local IP Addresses (on the same LAN segment), and remote IP Addresses (must traverse a router). If you are configuring a local IP Address, specify the destination IP Address for this attribute. If you are configuring a remote IP Address, specify the IP Address of the next-hop router for this attribute.

Example

For example, if Host A has two ICPs with the following IP addresses:

    (ICP1)
    (ICP2)

and you want Host A to use ICP1 for communicating with two local hosts, Host B ( ) or Host C ( ), the IP connections for ICP1 should be set as follows:

    IPADDRESSLIST=( , )

If you want Host A to use ICP2 for communicating with Host D ( ), which is reached through a router ( ), the IP connections for ICP2 should be set to specify the address of the next-hop router as follows:

    IPADDRESSLIST=( )

211

All connections initiated at Host A will use ICP1 to communicate with Host B and Host C, and ICP2 to communicate with Host D. However, if Host A receives a connection request from Host B or Host C for IP address , ICP2 will be used for the duration of this connection. (Figure 4-1 shows this network.)

Figure 4-1. Specifying IPADDRESSLIST Values

Configuring Connections with the NAU

To use the NAU to modify the IP Address List attribute, access the IP ADDRESS LIST screen using the following screen flow:

    APPLICATION HOST LIST APPLICATION HOST MENU LINE LIST LAN LINE ATTRIBUTES LAN DEVICE LIST LAN TCP/IP DEVICE ATTRIBUTES IP ADDRESS LIST

212

Controlling TCP/IP End System Security

An administrator can invoke a security facility to monitor and control TCP/IP traffic to and from ClearPath MCP servers. Such security is critical in today's Internet-oriented operating environment. Unrestricted access can result in compromised data, corrupted program or data files, and serious service disruptions.

TCP/IP end system security applies to the TCP, UDP, and ICMP protocols, with both IPv4 and IPv6 addresses.

When TCP/IP end system security is running, the TCPIPSECURITY library controls the TCP/IP security function. Essentially, security is maintained by evaluating every TCP/IP dialog establishment against a set of Deny and Allow rules provided in an active rules file.

If the TCPIPSECURITY library is SLed, end system security is enabled. Otherwise, it is disabled.

If TCP/IP end system security is enabled and there is no active rules file, complete security is assured and all TCP/IP dialog establishment requests will fail. If there is an active rules file, then

    A request fails if it matches a Deny rule.
    A request fails if it does not match any Deny or Allow rule.
    A request is allowed if it matches an Allow rule and did not match any previous Deny rule.

For every request failure, a TCP/IP SECURITY REPORT log entry is made in the SUMLOG.

The system security administrator must establish system-specific security rules, encode them in a rules file, provide ongoing maintenance of these rules, and regularly analyze the rule violations reported in the SUMLOG. For details about these security-related tasks, refer to the Security Administration Guide.

Note that any number of rules files can be defined; however, only one rules file can be in use at any time. You can add, delete, modify, and test rules files by using the MCP TCP/IP Filtering component of Security Center. Refer to the Security Administration Guide and the Security Center Help for information on using MCP TCP/IP Filtering.

213

Differentiating Rules for Inbound/Outbound Dialogs and for TCP/UDP Protocols

You can use Security Center to configure a security rules file to distinguish between inbound and outbound TCP dialogs and to differentiate access to ports on a TCP or UDP port basis.

Distinguishing between inbound and outbound dialogs makes it possible, for example, to allow all dialogs established by MCP applications to any IP address, but to prevent any dialog established from some IP addresses to MCP applications.

Differentiating between TCP and UDP ports is useful in the following type of situation. If access to ports 137 and 138 was previously restricted to some subsets of IP addresses, this would restrict access for both the TCP and UDP protocols. Access can now be restricted on a TCP or UDP port basis.

You can configure these features with the TCP Open (Active/Passive) and the Transport Protocol (TCP/UDP) attributes. These attributes have been added to the following screens:

    Add a Rule
    Modify a Rule
    Test a Rule Set

The TCPIP SECURITY REPORT (18126) has been modified to add two new fields, TCP Open and Transport Protocol.

For further details on the rules file, refer to the Security Administration Guide. For further details on the modified TCPIP SECURITY REPORT, refer to the Networking Commands and Inquiries Help.

Initialized Security Environment

By default, the TCP/IP network provider initializes with TCP/IP end system security

    Enabled (if TCPIPSECURITY has been correctly SLed)
    Disabled (if TCPIPSECURITY has not been SLed)

If TCP/IP end system security is enabled, the default rules file is *SYSTEM/TCPIPSECURITY/RULES.

You can enter commands in the TCP/IP initialization file to enable or disable TCP/IP end system security or to reload a specific (non-default) rules file. Use the NAU's TCP/IP APPLICATION HOST PARAMETERS screen to enter these commands.

214

As soon as TCP/IP end system security becomes enabled (at startup or by the OI command), a secure environment is established and no TCP/IP activity can occur unless explicitly allowed by a rule. Therefore, conditions such as an unloaded, invalid, or nonexistent rules file can completely, and unexpectedly, disable your TCP/IP environment. For additional information, see "Verifying That TCP/IP End System Security is Operable" in Section 5.

Note: The *SYSTEM/TCPIPSECURITY/RULES file is factory-configured to allow all TCP/IP requests. Therefore, the first TCP/IP default state is equivalent to running with security disabled. Unisys recommends that you update *SYSTEM/TCPIPSECURITY/RULES to include your primary set of security rules. This will enable a default initialization into your primary TCP/IP end system security environment.

Determining the Current TCP/IP End System Security State

The following command can be used to determine the current TCP/IP end system security state:

    NW TCPIP SECURITY

One of the following messages is returned:

    TCP/IP Security Disabled <filename>
    TCP/IP Security Enabled <filename>
    TCP/IP Security Running <filename>

Figure 4-2 illustrates how end system security is enabled or disabled and how rules files can be loaded, reloaded, or unloaded. The following table briefly describes each TCP/IP security phase.

Phase: Disabled
Description: The TCPIPSUPPORT library is running with TCP/IP end system security disabled. The TCPIPSECURITY library can be SLed or not SLed. TCP/IP requests are not subject to security validation.

Phase: Enabled
Description: The TCPIPSUPPORT library is running with the TCPIPSECURITY library SLed and with TCP/IP end system security enabled. End system security remains Enabled if no rules file is loaded or if an error occurs in the active rules file. It is important to note that no incoming or outgoing TCP/IP requests will be honored until TCP/IP end system security is either disabled or it enters the Running state.

Phase: Running
Description: The TCPIPSECURITY library is SLed and a rules file has successfully loaded. Every TCP/IP request is evaluated against the applicable set of rules.
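The following Python sketch is an added illustration, not Unisys code and not the MCP rules file syntax. It models the three security phases and the Deny/Allow evaluation described in this section, including rules that differ by TCP Open (Active/Passive) and Transport Protocol. The Rule and Request structures, the assumption that rules are checked in file order with the first match deciding, the use of the local port for matching, and the sample addresses are all constructed for the example; the two denial reason strings are the ones the guide lists for TCPIP security reports.

```python
from dataclasses import dataclass
from enum import Enum
from ipaddress import ip_address, ip_network
from typing import Optional, Sequence, Tuple

# Denial reasons as worded in the guide's description of the TCPIP security report.
DENIED_BY_RULE = "ACCESS DENIED BY DENY RULE"
DENIED_NO_ALLOW = "ACCESS DENIED BY NO MATCHING ALLOW RULE FOUND"


class Phase(Enum):
    DISABLED = "Disabled"   # requests are not subject to security validation
    ENABLED = "Enabled"     # library SLed, but no valid rules file is active
    RUNNING = "Running"     # rules file loaded, every request is evaluated


@dataclass(frozen=True)
class Request:
    remote: str                      # remote IPv4 or IPv6 address
    protocol: str                    # "TCP", "UDP" or "ICMP"
    port: int                        # local port (assumption; 0 for ICMP)
    tcp_open: Optional[str] = None   # "ACTIVE" (outbound) or "PASSIVE" (inbound), TCP only


@dataclass(frozen=True)
class Rule:
    # Hypothetical in-memory form of one rule; None means "any".
    action: str                              # "ALLOW" or "DENY"
    network: str                             # remote range in CIDR form
    protocol: Optional[str] = None
    tcp_open: Optional[str] = None
    ports: Optional[Tuple[int, int]] = None  # inclusive port range

    def matches(self, req: Request) -> bool:
        addr, net = ip_address(req.remote), ip_network(self.network)
        if addr.version != net.version or addr not in net:
            return False
        if self.protocol is not None and self.protocol != req.protocol:
            return False
        if self.tcp_open is not None and self.tcp_open != req.tcp_open:
            return False
        if self.ports is not None and not (self.ports[0] <= req.port <= self.ports[1]):
            return False
        return True


def evaluate(phase: Phase, rules: Sequence[Rule], req: Request) -> Tuple[bool, str]:
    """Return (allowed, reason) for one dialog establishment request."""
    if phase is Phase.DISABLED:
        return True, "security disabled, request not validated"
    if phase is Phase.ENABLED:
        # Enabled without an active rules file: every request fails.
        return False, "security enabled but no rules file is active"
    for rule in rules:                       # assumption: file order, first match decides
        if rule.matches(req):
            if rule.action == "DENY":
                return False, DENIED_BY_RULE
            return True, "matched ALLOW rule"
    return False, DENIED_NO_ALLOW            # default deny


# Constructed rule set (documentation address ranges), mirroring the guide's examples:
# block inbound dialogs from one range, allow all outbound TCP, and open ports
# 137-138 to one subnet for UDP only.
SAMPLE_RULES = [
    Rule("DENY", "203.0.113.0/24", protocol="TCP", tcp_open="PASSIVE"),
    Rule("ALLOW", "0.0.0.0/0", protocol="TCP", tcp_open="ACTIVE"),
    Rule("ALLOW", "::/0", protocol="TCP", tcp_open="ACTIVE"),
    Rule("ALLOW", "192.0.2.0/24", protocol="UDP", ports=(137, 138)),
]

if __name__ == "__main__":
    for r in [
        Request("203.0.113.5", "TCP", 23, "PASSIVE"),
        Request("203.0.113.5", "TCP", 80, "ACTIVE"),
        Request("192.0.2.10", "UDP", 137),
        Request("192.0.2.10", "TCP", 137, "PASSIVE"),
    ]:
        print(r, evaluate(Phase.RUNNING, SAMPLE_RULES, r))
```

The last sample request shows the default-deny behaviour: the UDP rule for ports 137 and 138 does not open the same ports for TCP.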

215

Figure 4-2. TCP/IP End System Security Phases

Enabling or Disabling TCP/IP End System Security

If the TCPIPSECURITY library is correctly SLed, you can use the following commands to change the current state of TCP/IP end system security:

    NW TCPIP SECURITY ENABLE
    NW TCPIP SECURITY DISABLE

Note: If TCPIPSECURITY is not SLed, TCP/IP end system security is disabled and it cannot be enabled. You must SL the TCPIPSECURITY library before you can enable TCP/IP end system security.

216

Loading a Rules File

When TCP/IP end system security is enabled, a security administrator or operator can use the following command to load a rules file:

    NW TCPIP SECURITY + [ <filename> ]

where <filename> is the quoted name of a sequence data file that contains a set of Deny and Allow rules. If no file is specified, the *SYSTEM/TCPIPSECURITY/RULES file (normally located on the pack where TCPIPSECURITY is SLed) is loaded.

Note that library initiation takes place asynchronously. An attempt is made to start the TCPIPSECURITY library immediately. No TCP/IP traffic will be allowed until the library is linked and a rules file is loaded. The following message is returned if the library is not linked:

    TCP/IP End System Security Library Not Linked

If the command is unsuccessful, one of the following messages might be logged:

    TCP/IP Security Linkage Failure. Link error = < # >.
    TCP/IP Security Rule File Missing
    TCP/IP Security Rule in Error

Changing to Another Rules File

If TCP/IP end system security is running, the security administrator or operator can use the following command to load another rules file. There is no need to disable TCP/IP end system security during this transition.

    NW TCPIP SECURITY RELOAD [ <filename> ]

where <filename> is the quoted name of a sequence data file that contains a set of Deny and Allow rules. If no file is specified, the last file used is loaded again.

When the command completes successfully, the following message is returned:

    TCP/IP Security Running <filename>

If the command is unsuccessful, one of the following messages might be returned:

    TCP/IP Security File Not Found
    TCP/IP Security Rule in Error

217

Reviewing Security Rule Violations

When TCP/IP end system security is enabled and running, all rule violations are securely logged; they are not reported on the system console. Each rule violation is logged with a TCPIP security report that contains a denial access report explaining why the request is denied. The denial access report lists the request parameters and the denial reasons. The denial reasons could be any of the following:

    ACCESS TO WELL KNOWN PORT RESTRICTED
    ACCESS DENIED BY NO MATCHING ALLOW RULE FOUND
    ACCESS DENIED BY DENY RULE <deny rules>

Refer to the Networking Reports and Log Messages Help for details on this log report syntax including a complete list of the <deny rules>.

The security administrator should review logged TCP/IP security reports on a regular basis. Refer to the Security Administration Guide for information on establishing an effective site security program.

Authorizing the Use of Well-Known TCPIP Ports

TCPIPSECURITY prevents the unauthorized use of well-known TCP/IP port numbers 1 through Sessions using well-known ports are not permitted for any program that is not properly authorized. Your security administrator can authorize programs that use well-known ports by using the MP (Mark Program) system command to mark the programs with a service attribute of TCPIP.

To mark programs with the TCPIP service attribute, enter the following:

    MP <program name> + SERVICE TCPIP

Programs supplied by Unisys are appropriately marked. A warning message is generated by TCP/IP for any program requesting a well-known port number that is not marked. Opening subports using well-known port numbers is not permitted for any program that is not authorized. User-written applications that provide well-known port numbers can be authorized by marking the code file with SERVICE=TCPIP by a security administrator.

See Appendix E, "TCP/IP Port Numbers," for more information on well-known ports.

218

Using TCP/IP Options

The TCPIP OPTION (OPT) command enables you to configure TCP/IP options to control various network features. This subsection describes the tasks you can perform using this command.

Some of these options can be turned on and off to enable or disable the option by entering the OPTION command in the following format:

    NW TCPIP OPT <+/-> <option>

where <+> turns on the specified option and <-> turns off the specified option.

For other options you must specify a value in the following format:

    NW TCPIP OPT <option> = <value>

Note: The default values for these options are set in accordance with related Internet specifications, and should not be changed unless directed by Unisys support engineers.

Options can be turned on or off all at once with the ALL option, or individually, separated by commas. If you specify an option without a trailing option string, an inquiry is initiated on the current setting of each option.

Note: The ALL option does not apply to the IPsec, SSL, IPDESTADDR, and RESTRICTOFFPORT options.

See "Configuring TCP/IP Options" in Section 3 for details about configuring these options via the NAU. Refer to the Networking Commands and Inquiries Help for information about command syntax.

Some options of this command are described in other subsections of this guide. For information on

    IPV4ONLYOPERATION, see "Initializing the TCP/IP Network" earlier in this section.
    SSL and SSH, see "Configuring TCP/IP Options" in Section 3, "Configuring a TCP/IP Network Using the NAU."
    DYNAMICPORTFILTER, see "Enabling Dynamic Port Filtering" earlier in this section.
    IPV6FILTERING, see "IPv6 Protocol Filtering" earlier in this section.
    Neighbor Discovery options, see "Using Neighbor Discovery" earlier in this section.

219

Enabling and Disabling IP Security (IPsec)

Use the TCPIP OPTION command to enable or disable IPsec.

To enable IPsec, enter the following:

    NW TCPIP OPT + IPSEC

To disable IPsec, enter the following:

    NW TCPIP OPT - IPSEC

The default state of IPsec is disabled.

Enabling and Disabling SSH

Use the TCPIP OPTION command to enable or disable SSH.

To enable SSH, enter the following:

    NW TCPIP OPT + SSH

To disable SSH, enter the following:

    NW TCPIP OPT - SSH

The default state of SSH is disabled.

Enabling and Disabling SSL

Use the TCPIP OPTION command to enable or disable SSL.

To enable SSL, enter the following:

    NW TCPIP OPT + SSL

To disable SSL, enter the following:

    NW TCPIP OPT - SSL

The default state of SSL is disabled.

Configuring LAN Resiliency

LAN Resiliency

LAN resiliency provides high-availability services to all network interfaces. High-availability services can survive the failure of a network interface without interruption to the dialogs using that interface.

220

LAN resiliency eliminates single points of failure for network interfaces by logically moving the IP address associated with a network interface that failed to another, alternate network interface that is in the same subnet as the interface that failed.

The default state for this option is enabled. To enable LAN resiliency, enter the following:

    NW TCPIP OPT + LANRESIL

In order for LAN resiliency to operate, the system must be configured in a fully redundant manner with more than one network interface providing the same physical connectivity. This eliminates all single points of failure. The MCP system should be configured as an edge node at the LAN switches. If you do not configure the MCP system as an edge node, messages associated with LAN resiliency might not reach their destination and LAN resiliency will fail. The system must have multiple network interface components and must be multihomed to the same subnet by two or more of those components.

Inquiring on the LAN Resiliency Timer

The LANRESILTIMER option enables a system administrator to inquire on or specify a value for the LAN resiliency timer, which is used to check for network interfaces that are unavailable (do not have an open IP connection). If there are any unavailable network interfaces, current TCP addresses are moved to a backup network interface, which subsequent TCP dialogs will use.

The value specified by the LAN resiliency timer determines when TCPIPSUPPORT checks for networking interfaces that have not been initialized for a variety of reasons. For example

    The EC BY CONN command failed.
    The LAN cable is unplugged.
    A problem exists with the physical hardware.

The LAN resiliency timer starts under the following conditions:

    TCPIP transitions into a NETWORKING phase.
    The user issues a NW TCPIP OPT + LANRESILTIMER command to turn on the timer.

221

The format of the command is

    NW TCPIP OPT +/- LANRESILTIMER <timervalue>

The variable is described as follows.

Variable: <timervalue>
Description: The valid range is 15 to 3600 seconds. The default value is 30 seconds.

Note: The TCPIP LANRESILTIMER command changes the LANRESILTIMER value whether the LANRESIL option of the NW TCPIP OPTION command is enabled or disabled.

When issued without a timer value specified, this command returns the current value setting of the timer. When issued with a timer value specified, this command sets the timer to the value specified.

TCPIP LAN Resiliency Report

The TCPIP LAN Resiliency Report is a log-only report that notifies the system administrator when an IP address is moved from one network interface to another, as a result of the TCPIP LAN Resiliency feature.

Examples

    IP ADDRESS HAS BEEN MOVED FROM [NP 210, LineID 2, VLAN 3] TO [NP 210, LineID 1, VLAN 3]
    IP ADDRESS FEC0:42F0:6:BFF:FE0E:A082 HAS BEEN MOVED FROM [NP 40, LineID 1] TO [NP 30, LineID 1]

Note: This report is issued only when an IP address is moved from its original interface to an alternate one. This report is not issued when the IP address moves back from the alternate interface to the original interface.

Disabling Mapping of Learned Host Names and IP Addresses

You can use the NW TCPIP OPTION command to enable and disable the mapping of learned host names and IP addresses, and prevent TCP/IP from updating the YourHost and YourDomainName attributes with information from a domain name server. See "Dynamic Association of Host Name/IP Address Information" earlier in this section for details on how TCP/IP updates these attributes.

The format of the command is

    NW TCPIP OPT +/- <mapping option>

222

The mapping options are described as follows.

Mapping Option: WaitForHN
Default: OFF
Description: Enables you to delay the incoming OPEN request to resolve the Hostname for updating the YourHost and YourDomainName attributes. The default is set to OFF; when turned ON, it can cause incoming OPEN requests to be delayed.

Mapping Option: CacheLearnedMap
Default: ON
Description: Enables you to disable the caching of learned Hostname IPAddress pairs in the TCPIP mapping table. The default is set to ON; when turned OFF, TCPIP will not add learned entries to the mapping table. You can view the mapping table with the NW TCPIP MAP command.

Mapping Option: UpdateYHByLearned
Default: ON
Description: Enables you to disable the updates to the YourHost and YourDomain attributes by TCPIP if a connection specifies an IPAddress during open. The default is set to ON; when turned OFF, TCPIP will not update the YourHost and YourDomain attributes for all connections. Exception: If the WaitForHN option is set to ON, the UpdateYHByLearned option is ignored for incoming OPEN requests.

If all these options are set to OFF, TCPIP will not call the Resolver for opens that specify an IPAddress.

You can also set these options with the NAU TCP/IP OPTION screen. See "Configuring TCP/IP Options" in Section 3 for details about configuring these options via the NAU.

Enabling Use of RFC 1122 MTU

Note: This option is supported only in the IPv4 operating mode.

To comply with RFC 1122, TCP/IP uses a maximum transmission unit (MTU) of 536. This is used to avoid fragmentation of a datagram by intermediate gateways along the path. The RFC-recommended MTU size is used by default. You can use the TCP/IP Option command with the USERFCMTU option to turn off the default. You can then specify a larger MTU size.

See "Configuring TCP/IP Options" in Section 3 for details about configuring this feature via the NAU.

223

Enabling the Windows Server to Force the MTU to Acknowledge Every Two MTUs

Note: This option applies to offloaded ports only.

You can use the USERFCACKSTRATEGY option of the NW TCPIP OPTION command to enable the Windows server to force the MCP to acknowledge (ACK) every 2 maximum transmission units (MTUs). If this option is disabled, the Windows server will tune when the MCP needs to send an ACK. The default is disabled, which is optimal for performance.

The format of the command is

    NW TCPIP OPT +/- USERFCACKSTRATEGY

You can also set this option with the NAU TCP/IP OPTION screen. See "Configuring TCP/IP Options" in Section 3 for details about configuring this option via the NAU.

Protecting TCP/IP Dialogs Against ICMP Attacks

The Internet Draft entitled "ICMP attacks against TCP," dated December 22, 2004, describes how a server can be attacked by using Internet Control Message Protocol (ICMP) messages to reset or slow down data transmission. Unisys has developed a security change to prevent these attacks. The change, which is not compliant with RFC 1122, addresses the following security issues:

    When an ICMP Destination Unreachable message with reason = Protocol_Unavailable is received, RFC 1122 states that the dialog should be reset. The security change does not reset the dialog.
    When an ICMP Destination Unreachable message with reason = Port_Unavailable is received, RFC 1122 states that the dialog should be reset. The security change does not reset the dialog.
    When an ICMP Source Quench message is received, RFC 1122 states that a slow start algorithm should be initiated. The security change ignores the ICMP message.

224

Since these security changes override RFC 1122 recommendations, an ISSUEICMPRESET option has been added to the TCPIP OPTION command. If the ISSUEICMPRESET option is enabled (the default), the RFC 1122 compliant actions are taken. However, if ISSUEICMPRESET is disabled, the RFC 1122 compliant actions are not taken and the security changes listed above are activated.

To enable TCP dialog resets caused by ICMP messages and activate RFC 1122 features, enter the following:

    NW TCPIP OPT + ISSUEICMPRESET

To disable TCP dialog resets caused by ICMP messages and activate security changes which protect TCP dialogs against ICMP attacks, enter the following:

    NW TCPIP OPT - ISSUEICMPRESET

Setting Path MTU Verification Interval

Path MTU Verification Interval is the time interval between attempts at Path MTU verification. Nodes using Path MTU Discovery must detect decreases in PMTU as soon as possible. Nodes can detect increases in PMTU, but this detection must be done at infrequent intervals because it requires sending packets larger than the current estimated PMTU, and because it is unlikely that the PMTU has increased.

The PMTU Verification Interval option is set on the TCP/IP OPTION (2/2) NAU screen. To change the PMTU Verification Interval option through the user Operations Interface, enter the following:

    NW TCPIP OPT PathMTUVerificationInterval = 15

The default value is 10.

Note: The default value for this option is set in accordance with related Internet specifications and must not be changed unless directed by Unisys support personnel.

225

Enabling and Disabling Session Warnings

The session warning options enable you to send a TCP/IP Session Warning waiting entry to the ODT, when the number of in use connections reaches a certain percentage of the allowable connection count. Session warnings are enabled by default. To disable session warnings, enter the TCPIP OPTION command in the following format:

    NW TCPIP OPT - <session warning option>

The session warning options are described as follows.

Session Warning Option: 80SESSWARN
Description: Sends a TCP/IP Session Warning waiting entry to the ODT when the number of in use connections reaches 80 percent of the allowable connection count. The default is enabled.

Session Warning Option: 90SESSWARN
Description: Sends a TCP/IP Session Warning waiting entry to the ODT when the number of in use connections reaches 90 percent of the allowable connection count. The default is enabled.

Session Warning Option: 95SESSWARN
Description: Sends a TCP/IP Session Warning waiting entry to the ODT when the number of in use connections reaches 95 percent of the allowable connection count. The default is enabled.

Session Warning Option: SESSWARN
Description: Enables or disables all three session warning thresholds. The default is enabled.

226

Specifying Autoconfiguration for a Network Interface

The ACDEFAULT option of the TCPIP OPTION command enables you to modify the autoconfiguration property for IPv6 interfaces. The autoconfiguration property for each TCPIP interface defaults to the value of this option when the interface is added. Modifying this value changes the default for any newly added interface. This option must be modified at the beginning of the TCP/IP initialization file if the default value is to be used for every interface. To modify the autoconfiguration property of an already added interface, use the TCPIP [TCPIP]IDENTITY command.

To enable autoconfiguration, enter the following:

    NW TCPIP OPT + ACDEFault

The default for this option is disabled.

Obtaining an Autoconfigured IP Address Using the MAC Address

You can specify that autoconfigured IP addresses are obtained using the interface MAC address to build the local interface identifier. To enable this option, enter the following:

    NW TCPIP OPT ACInterfaceIdentifierSource = ACIIS_MAC

The default is ACIIS_MAC.

Specifying ICMPv6 Error Report Values

You can specify the ICMPv6 error report burst rate and the ICMPv6 error report rate using the TCPIP OPTION command. To enable either of these options, enter the command in the following format:

    NW TCPIP OPT <error report option> = <value range>

The ICMPv6 error report options are as follows.

Error Report Option: Description
ICMPV6ErrorReportBurstRate: Specifies the maximum number of ICMPv6 error reports that are permitted to be sent in a burst. The amount is limited to prevent a node that is ignoring error reports from sending invalid frames that are overloading the system with report processing. Default = 20
ICMPV6ErrorReportRate: Specifies the average number of ICMPv6 error reports permitted each second. The amount is limited to prevent a node that is ignoring error reports from sending invalid frames that are overloading the system with report processing. Default = 20

Specifying the Default Maximum Hop Limit for a Router

Use the IPDEFAULTHOPLIMIT (IPDHL) option of the TCPIP OPTION command to specify the default value to be used for the maximum number of hops when not specified by a router (via a router advertisement message). Modifying this option through this command overrides any network information received to update this value. Modifying the value to *DEFAULT updates the value to the default value and permits dynamic update through the network. Enter the command as follows:

    NW TCPIP OPT IPDEFAULTHOPLIMIT = <range>

where <range> is an integer from 0 to 255. The default is
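The interaction of ICMPV6ErrorReportBurstRate and ICMPV6ErrorReportRate can be pictured as a token bucket, the model RFC 4443 suggests for ICMPv6 error rate limiting. The following is an added example, not code from the guide or from Unisys; that MCP uses a token bucket internally is an assumption, and the class and function names are hypothetical.

```python
"""Token-bucket model of ICMPv6 error-report limiting (added example)."""

MICRO = 1_000_000  # integer microseconds and micro-tokens avoid float drift


class ErrorReportLimiter:
    """Bucket holds at most burst_rate tokens and refills at report_rate/s."""

    def __init__(self, burst_rate=20, report_rate=20):
        # Defaults are the guide's defaults for ICMPV6ErrorReportBurstRate
        # and ICMPV6ErrorReportRate.
        self.burst_rate = burst_rate
        self.report_rate = report_rate
        self._tokens = burst_rate * MICRO  # start with a full bucket
        self._last_us = 0

    def allow(self, now_us):
        """Return True if an error report may be sent at time now_us."""
        elapsed = max(0, now_us - self._last_us)
        self._last_us = max(self._last_us, now_us)
        # elapsed microseconds * reports/second = micro-tokens earned
        refill = elapsed * self.report_rate
        self._tokens = min(self.burst_rate * MICRO, self._tokens + refill)
        if self._tokens >= MICRO:
            self._tokens -= MICRO
            return True
        return False


def simulate(invalid_frames_per_sec, seconds, limiter=None):
    """Feed a steady stream of invalid frames, one error report candidate
    per frame, and return (reports_sent, reports_suppressed)."""
    limiter = limiter or ErrorReportLimiter()
    total = invalid_frames_per_sec * seconds
    sent = 0
    for i in range(total):
        if limiter.allow(i * MICRO // invalid_frames_per_sec):
            sent += 1
    return sent, total - sent


if __name__ == "__main__":
    # Constructed scenario: a node ignores error reports and keeps sending
    # 1000 invalid frames per second for two seconds.
    sent, suppressed = simulate(1000, 2)
    print(f"flood:  {sent} reports sent, {suppressed} suppressed")
    # Constructed scenario: occasional errors stay under the limit.
    sent, suppressed = simulate(10, 2)
    print(f"normal: {sent} reports sent, {suppressed} suppressed")
```

With the defaults, a sustained flood costs the host one initial burst of 20 reports and then about 20 reports per second, regardless of how many invalid frames arrive.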

Closing Sockets by Job Number

To close sockets for an application by job number, enter the following:

    NW TCPIP OPT + SOCKDELBYJOB

When enabled, the system closes all sockets associated with the process identifier or job number for an application. This occurs when the application delinks from Socket Support. To disable this option, enter the following:

    NW TCPIP OPT - SOCKDELBYJOB

When disabled, the system closes only sockets associated with the process identifier of an application. This occurs when the application delinks from Socket Support. The default for this option is enabled.

Specifying and Inquiring on IP Multicast Frames

You can specify or inquire on the IP address of the network interface that is used, by default, for the sending and receiving of IP multicast frames. To specify the IP address of the local network device used for multicasting, enter the following command:

    NW TCPIP MDA <ip address>

This command assigns the device associated with the IP address to be the default interface to be used for IP multicasting. To inquire on the IP address of the local network device used for multicasting, enter the following command:

    NW TCPIP MDA

This command returns the local IP address associated with the network device assigned for IP multicasting.

Updating an Initialization File to Use Multicast Addresses

To update an initialization file to use multicast addresses, enter the following command in the initialization file:

    NW TCPIP MDA <ip address>

Add the following attribute to the TCPIP connection: MULTICASTADDRESSLIST

Deriving Ethernet Multicast Addresses from Multicast IP Addresses

For TCP/IP networks, the 23 low-order bits of the IP multicast address are placed in the low-order 23 bits of the Ethernet or IEEE 802 network multicast address 01:00:5E:00:00:00. For example, the Ethernet multicast address for a multicast IP address of would be 01005E This address is specified in your initialization file as shown in Mapping a TCP/IP Host Name to IP Addresses in Section 3. The address is derived as follows: 01005E is the IEEE part is the 23 bits from the multicast IP address part.

Enabling Multicast Address Handling for IPv4 Addresses Only

The MLDNoAutoAddrUpd (No Automatic Address List Update) option of the TCPIP OPTION command causes TCPIP to enable only multicast address handling for IPv4 addresses specified in the Multicast Address list of the connection for that interface. The protocol for IPv6 multicast addresses is not operational and prevents applications from being able to join any IPv6 multicast group. The default for this option is OFF. To enable this option, enter the following:

    NW TCPIP OPT + MLDNoAutoAddrUpd

Preventing a Done Report From Being Sent

The MLDNoUnnecDoneRpt (No Unnecessary Done Report) option of the TCPIP OPTION command prevents a done report from being sent. If a node receives another node's report for a multicast address while it has a pending action for that same address, a report for that address does not need to be sent, thus suppressing duplicate reports on the link. The default for this option is OFF. To enable this option, enter the following:

    NW TCPIP OPT + MLDNoUnnecDoneRpt
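The derivation of an Ethernet multicast address from an IPv4 multicast address described above, carried through in code. This is an added example, not part of the guide; the function names and the sample group addresses are constructed for illustration. It also goes one step beyond the text and shows the consequence of keeping only 23 bits: 32 different IPv4 groups share each Ethernet address, so link-layer filtering alone cannot separate them.

```python
"""IPv4 multicast group to Ethernet multicast address (added example)."""
import ipaddress
from collections import defaultdict

IEEE_MULTICAST_BASE = 0x01005E000000  # 01:00:5E:00:00:00, the IEEE part
LOW_23_BITS = 0x7FFFFF                # bits copied from the IP address


def ethernet_multicast_address(group):
    """Return the 12-hex-digit Ethernet address for an IPv4 multicast group."""
    addr = ipaddress.IPv4Address(group)
    if not addr.is_multicast:
        raise ValueError(f"{group} is not an IPv4 multicast address")
    mac = IEEE_MULTICAST_BASE | (int(addr) & LOW_23_BITS)
    return f"{mac:012X}"


def groups_sharing_mac(group):
    """List all 32 IPv4 groups that map to the same Ethernet address.

    An IPv4 multicast address has 28 significant bits (after the 1110
    prefix); only 23 are copied, so the upper 5 bits are lost.
    """
    addr = ipaddress.IPv4Address(group)
    if not addr.is_multicast:
        raise ValueError(f"{group} is not an IPv4 multicast address")
    low = int(addr) & LOW_23_BITS
    return [
        str(ipaddress.IPv4Address(0xE0000000 | (high << 23) | low))
        for high in range(32)
    ]


def shared_mac_conflicts(groups):
    """Return {ethernet_address: [groups]} for addresses used by more than
    one group in a configured list (for example a multicast address list)."""
    by_mac = defaultdict(list)
    for group in groups:
        by_mac[ethernet_multicast_address(group)].append(group)
    return {mac: members for mac, members in by_mac.items() if len(members) > 1}


if __name__ == "__main__":
    # Constructed sample list, not taken from the guide.
    configured = ["224.1.2.3", "239.129.2.3", "224.0.0.1"]
    for group in configured:
        print(group, "->", ethernet_multicast_address(group))
    print("conflicts:", shared_mac_conflicts(configured))
```

Because the interface accepts frames for every group that shares an Ethernet address, the decision about which groups an application actually receives has to be made at the IP layer.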

Specifying the Unsolicited Report Options for Multicast Listener Discovery

Note: This option is supported only in the IPv6 operating mode.

You can specify unsolicited report intervals and retry limits for multicast listener discovery. To enable either of these options, enter the following TCPIP OPTION command:

    NW TCPIP OPT <multicastlistener discovery option> = <value>

The report options are described as follows.

Multicastlistener Discovery Option: Description
MLDUnsolicitedReportInterval: Specifies the time between repetitions of a node's initial report of interest in a specific multicast address. Default = 10 seconds
MLDUnsolicitedReportRetry: Specifies the maximum number of retries to deliver an unsolicited report. Default = 3 retries

Specifying the Window Scale Factor

You can enable or disable the TCP/IP window scale factor by using the TCP Window Scale Factor (TWSF) option as follows:

    NW TCPIP OPT TWSF = <value>

where <value> is within the range -1 (negative one) to 14. Enter 0 (zero) or a positive value only if you want to enable window scaling.

The TCP Window Scale Factor option is an extension to the TCP protocol that improves performance over large bandwidth paths by allowing larger blocks of data to be sent and received. It is based on RFC

The TCP header uses a 16-bit window field to report the size of the receive window to the sender. Therefore, the largest window that can be used is 2^16 or 65,535 bytes, and the largest amount of data that can be sent or received is limited to 65,535 bytes. The window scale extension expands the definition of the TCP window to 32 bits and then uses a scale factor to carry this 32-bit value in the 16-bit window field of the TCP header. The scale factor sets the number of bits that the TCP window is to be adjusted (left-shifted). This TCP option allows the window to increase to a maximum of 2^30 or 1 Gbyte.

The scale factor is carried in the TCP Window Scale option. This option is sent only in a SYN segment, so the window scale is fixed in each direction when a connection is opened. Both sides must send Window Scale options in their SYN segments to enable window scaling in either direction. A scale factor of -1 means no scaling is performed and leaves the TCPIP window scale option unset in a SYN and SYN ACK frame. A scale factor of 0 indicates that the MCP TCP window will not be scaled, but window scaling will be performed to the remote system if the remote system sets the option in its SYN or SYN ACK frame. The default is -1 (no window scaling).

Specifying the TCP Selective Acknowledgement Option

You can enable or disable the TCP Selective Acknowledgement option by setting the TCPIP SACK option value to either + (ON) or - (OFF) on the TCP/IP OPTION (1/2) NAU screen. To change the TCP Selective Acknowledgement option through the user Operations Interface, enter the following:

    NW TCPIP OPT + SACK

Multiple packet loss from a window of data can cause TCP to lose its ACK-based clock, reducing overall throughput. TCP Selective Acknowledgment (SACK) provides a mechanism where the data receiver can inform the sender about all the segments that have successfully arrived. This provides the required information to allow the sender to retransmit only the segments that are lost. This reduces the overall number of retransmits that are generally made on multiple packet loss. SACK is described in RFC 2018 and extended by RFCs 2883 and

The default value is + (ON).

Disabling and Enabling the Dynamic Initiation of Specified Port Numbers

The NW TCPIP DYNAMICINIT command helps eliminate the overhead of determining if an application should be dynamically initiated as a result of an incoming request. You can use this command to enable and disable the dynamic initiation of specified port numbers for registered TCP and UDP applications, and to inquire on the current dynamic initiation status of all valid port numbers. The port numbers specified must be in the valid range of 1 to in order for the requested action to take effect.

Disabling the Dynamic Initiation of an Application

Use the NW TCPIP DYNAMICINIT DISABLE command to disable the dynamic initiation of an application based on the port number or numbers associated with the application. Port numbers can be entered as a list separated by commas or as a range, for example 2 to 4 or 800 to You can use the ALL keyword to disable all TCP or UDP ports, and the EXCEPT keyword to disable all port numbers except those specified.

Examples

The following command disables the dynamic initiation of applications with TCP port numbers 1 through 3, 400, and 800 through 1000:

    NW TCPIP DYNAMICINIT DISABLE TCP PORTS 1,2,3,400,800 TO 1000

The following example is another way to enter this command:

    NW TCPIP DYNAMICINIT DISABLE TCP PORTS 1 TO 3,400,800 TO 1000

The following command disables all UDP port numbers:

    NW TCPIP DYNAMICINIT DISABLE UDP ALL

The following command disables all TCP port numbers except for 4 through 399, 401 through 799, and 1001 through 65535:

    NW TCPIP DYNAMICINIT DISABLE TCP PORTS EXCEPT FOR 4 TO 399, 401 TO 799, 1001 TO

Enabling the Dynamic Initiation of an Application

Use the NW TCPIP DYNAMICINIT ENABLE command to enable the dynamic initiation of an application based on the port number or numbers associated with the application. Port numbers can be entered as a list separated by commas or as a range, for example 2 to 4 or 800 to You can use the ALL keyword to enable all TCP or UDP ports, and the EXCEPT keyword to enable all port numbers except those specified.

Examples

The following command enables the dynamic initiation of applications with TCP port numbers 1 through 3, 400, and 800 through 1000:

    NW TCPIP DYNAMICINIT ENABLE TCP PORTS 1,2,3,400,800 TO 1000

The following command enables all TCP port numbers:

    NW TCPIP DYNAMICINIT ENABLE TCP ALL

The following command enables all UDP port numbers except for 4 through 399, 401 through 799, and 1001 through 65535:

    NW TCPIP DYNAMICINIT ENABLE UDP PORTS EXCEPT FOR 4 TO 399, 401 TO 799, 1001 TO

Inquiring on the Dynamic Initiation Status of an Application

Use the NW TCPIP DYNAMICINIT command without an ENABLE/DISABLE selection to inquire on the current configuration setup for dynamic initiation of applications for all TCP and UDP ports.

Example

The following command inquires on the configuration status of all port numbers associated with dynamic initiation of an application:

    NW TCPIP DYNAMICINIT

See Configuring Dynamic Initiation of Specified Port Numbers in Section 3 for details about configuring these options via the NAU. Refer to the Networking Commands and Inquiries Help for information about command syntax.

Monitoring TCP and UDP Port Events

You can use the TCPIP MONITOREVENTS command to

- Monitor events happening on a specific port or range of ports. The port events monitored include OPEN, CLOSE, LISTEN, RESET (both LOCAL and REMOTE), UDP SEND, and UDP RECEIVE.
- Dynamically add and remove ports being monitored.
- Display the monitoring options that are currently being logged.
- Specify the interval for logging monitored events.
- Turn monitoring on and off.

The default for monitoring events is OFF. The default logging interval is 3 minutes (180 seconds). The valid range you can specify is from 1 to 1800 seconds.

The following is a sample MONITOREVENTS response:

    MONITORING UDP ON PORTS: NONE,
    MONITORING TCP OPEN ON PORTS: 1 TO 1099, 1201 TO 65535,
    MONITORING TCP LISTEN ON PORTS: 1 TO 1099, 1201 TO 65535,
    MONITORING TCP RESET ON PORTS: 1 TO 1099, 1201 TO 65535,
    MONITORING TCP CLOSE ON PORTS: 1 TO 1099, 1201 TO 65535,
    LOG INTERVAL 180

Refer to the Networking Commands and Inquiries Help for additional information on the syntax and usage of this command. See Configuring TCP and UDP Port Event Monitoring in Section 3 of this guide for information on adding this command to your init file.

Examples

Display the MONITOREVENTS status, which shows the ports that are being monitored for each of the monitored events. The log interval is also displayed.

    NW TCPIP MONITOREVENTS

Enable monitoring of all ports for TCP and UDP events.

    NW TCPIP MONEV + ALL

Disable monitoring of all ports for TCP and UDP events.

    NW TCPIP MONEV - ALL

Disable monitoring on the specified ports for the OPEN event.

    NW TCPIP MONEV - TCP OPEN 21, 100, 101, 1000 TO

Disable monitoring on all ports for the LISTEN event.

    NW TCPIP MONEV - TCP LISTEN

Disable monitoring on all ports except port 900 for the CLOSE and LISTEN events.

    NW TCPIP MONEV - TCP CLOSE EXCEPT 900, - TCP LISTEN EXCEPT 900

Enable monitoring for the OPEN event for ports 400 through 500.

    NW TCPIP MONEV + TCP OPEN 400 TO 500

Enable monitoring for the OPEN, LISTEN, RESET, and CLOSE events for ports 300 through 600.

    NW TCPIP MONEV + TCP ALL 300 TO 600

Enable monitoring for the OPEN, LISTEN, RESET, and CLOSE events for all ports except 1100 through

    NW TCPIP MONEV + TCP ALL EXCEPT 1100 TO 1200

Set the log interval to 180 seconds.

    NW TCPIP MONEV LOG INTERVAL
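A MONITOREVENTS response lists what is monitored; for an audit, the useful view is what is not. The following added example (not part of the guide or any Unisys tool) parses a response into port ranges per event and reports the unmonitored gaps. It assumes real responses follow the layout of the single sample response printed in this guide; the function names are hypothetical.

```python
"""Find unmonitored port ranges in a MONITOREVENTS response (added example)."""
import re

MAX_PORT = 65535

# The sample response printed in the guide, embedded for offline use.
SAMPLE_RESPONSE = (
    "MONITORING UDP ON PORTS: NONE, "
    "MONITORING TCP OPEN ON PORTS: 1 TO 1099, 1201 TO 65535, "
    "MONITORING TCP LISTEN ON PORTS: 1 TO 1099, 1201 TO 65535, "
    "MONITORING TCP RESET ON PORTS: 1 TO 1099, 1201 TO 65535, "
    "MONITORING TCP CLOSE ON PORTS: 1 TO 1099, 1201 TO 65535, "
    "LOG INTERVAL 180"
)

# One clause per event; the port list runs up to the next clause.
_CLAUSE = re.compile(
    r"MONITORING\s+(UDP|TCP\s+\w+)\s+ON\s+PORTS:\s*(.*?)"
    r"(?=,?\s*(?:MONITORING\b|LOG\s+INTERVAL\b|$))",
    re.S,
)


def parse_port_list(text):
    """Turn '1 TO 1099, 1201 TO 65535' or 'NONE' into merged (lo, hi) pairs."""
    text = text.strip().rstrip(",").strip()
    if text.upper() == "NONE":
        return []
    ranges = []
    for item in text.split(","):
        match = re.fullmatch(r"\s*(\d+)(?:\s+TO\s+(\d+))?\s*", item, re.I)
        if not match:
            raise ValueError(f"unrecognized port item: {item!r}")
        lo = int(match.group(1))
        hi = int(match.group(2) or lo)
        if not 1 <= lo <= hi <= MAX_PORT:
            raise ValueError(f"port range out of bounds: {item!r}")
        ranges.append((lo, hi))
    merged = []
    for lo, hi in sorted(ranges):
        if merged and lo <= merged[-1][1] + 1:  # overlapping or adjacent
            merged[-1] = (merged[-1][0], max(merged[-1][1], hi))
        else:
            merged.append((lo, hi))
    return merged


def parse_response(text):
    """Return ({event: [(lo, hi), ...]}, log_interval_seconds_or_None)."""
    events = {}
    for match in _CLAUSE.finditer(text):
        event = " ".join(match.group(1).upper().split())
        events[event] = parse_port_list(match.group(2))
    interval = re.search(r"LOG\s+INTERVAL\s+(\d+)", text)
    return events, int(interval.group(1)) if interval else None


def gaps(ranges):
    """Complement of merged ranges within 1..65535: the unmonitored ports."""
    out, next_port = [], 1
    for lo, hi in ranges:
        if lo > next_port:
            out.append((next_port, lo - 1))
        next_port = hi + 1
    if next_port <= MAX_PORT:
        out.append((next_port, MAX_PORT))
    return out


def blind_spots(events, watch_ports):
    """For each event, list the ports of interest that are not monitored."""
    report = {}
    for event, ranges in events.items():
        missing = [p for p in sorted(watch_ports)
                   if not any(lo <= p <= hi for lo, hi in ranges)]
        if missing:
            report[event] = missing
    return report


if __name__ == "__main__":
    events, interval = parse_response(SAMPLE_RESPONSE)
    print("log interval:", interval)
    for event, ranges in events.items():
        print(f"{event}: unmonitored {gaps(ranges)}")
    # Constructed watch list: ports an operator wants event records for.
    print(blind_spots(events, [23, 1150]))
```

Run against the guide's sample, this shows that no UDP port is monitored and that TCP ports 1100 through 1200 produce no OPEN, LISTEN, RESET, or CLOSE records.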

Implementing Time-Wait for TCP/IP on MCP Systems

When a TCP/IP connection is terminated with an orderly CLOSE (FIN, FIN-ACK, ACK), the application that initiated the CLOSE is not notified that the connection is CLOSED until the TIME-WAIT timeout expires. On an MCP system, prior to MCP Networking release 57.1 (16.0), this caused a 2 second delay before the application could proceed, which was a performance issue for programs that opened and closed many files. As of MCP Networking release 57.1 (16.0), the application is notified that the connection is closed when the TCP/IP state is changed to Time-Wait.

Note: An application cannot open a new connection with the identical addressing, that is, the same MyIPAddress/YourIPAddress and MyName/YourName pairing, until the Time-Wait state has ended. An attempt to open a connection before that time will result in an open error. The error code returned depends on the programming interface used (Error 246 = ConnectionInUse if using TCPIPNATIVESERVICE Port files or Error -56 EisConn if using BSD Sockets).

Section 5 Troubleshooting TCP/IP Installation and Configuration Problems

This section describes how to identify and correct problems specific to your enterprise server TCP/IP software when encountered during routine operations. It includes the following topics:

- Verifying that TCP/IP end system security is operable
- Verifying that IP Security (IPsec) is operable
- Inquiring about the TCP/IP environment
- Displaying enterprise server TCP/IP reports
- Monitoring TCP/IP system activity with TCPIP DEBUG
- Understanding the TCP/IP CONNECTION RESET report diagnostic codes

Refer to the section on troubleshooting in the BNA/CNS Network Operations Guide for additional information on identifying and resolving BNA network and CNS related problems. Refer to the section on troubleshooting in the Security Administration Guide for additional information on identifying and resolving IPsec and SSL related problems.

Electronic Service Request (ESR) Agreement

If you have an Electronic Service Request (ESR) agreement, your Customer Support Center (CSC) is automatically notified if certain networking products generate a system dump on the application host. These products include TCP/IP, SNMP Agent, CNS, BNA, and NAU. A Unisys service representative will contact you, but in the meantime, you should also report the problem to Unisys.

Verifying That TCP/IP End System Security Is Operable

You can use the TCP/IP end system security feature to control TCP/IP traffic to and from your host server. This feature is operable only when it is enabled, when the TCPIPSECURITY library is linked, and when a rules file is loaded. When TCP/IP end system security is enabled, all TCP/IP traffic is denied if the TCPIPSECURITY library cannot be linked or if a rules file cannot be loaded. If the TCPIPSECURITY library is correctly SLed, the default TCP/IP end system security state is enabled. If this library is not SLed, the default state is disabled.

To verify proper operation of the TCP/IP end system security feature, perform the following steps:

1. Enter NW TCPIP SECURITY at the system console.
2. Continue in accordance with the message response that is received.

Note: The TCPIP STATUS inquiry also provides TCP/IP end system security information. While TCPIP STATUS obtains the same end system security information as TCPIP SECURITY, its response format is significantly different.

If this message is returned... / Then...

TCP/IP Security Disabled...
    The TCP/IP end system security feature is not active and all TCP/IP messages will be allowed. See "Controlling TCP/IP End System Security" in Section 4 for information on enabling and running this feature. If the message TCP/IP End System Security Library Not Linked is logged, check that the TCPIPSECURITY library has been properly SLed with the LINKCLASS=1 attribute.

TCP/IP Security Enabled...
    The TCP/IP end system security feature is enabled but all TCP/IP requests are currently being denied. To correct this condition, enter the command NW TCPIP SECURITY + [ <filename> ] at the system console, where <filename> is the name of a rules file; if no name is specified, the *SYSTEM/TCPIPSECURITY/RULES file is used. If the message TCP/IP End System Security Rule File Missing is returned, check that the rules file is present, properly named, and located on the specified pack. If the message TCP/IP End System Security Rule in Error is returned, a syntactically incorrect rule has been detected in the rules file. You must correct this file before it can be used. The Security Administration Guide describes how to create and modify TCP/IP end system security rules.

TCP/IP Security Running <filename>
    The TCP/IP end system security feature is active and <filename> is running as the active rules file. All TCP/IP requests are being evaluated against the Deny and Allow rules provided in the file. If unexpected results occur, the rules file can contain one or more incorrectly coded (but syntactically correct) rules. Consult the system SUMLOG for information about each denied request.

Verifying that IP Security (IPsec) Is Operable

To verify that IPsec is operable, use the TCPIP STATUS command as described in "Inquiring on the Status of IPsec" in Section 4, Operating TCP/IP Software. Refer to the Security Administration Guide for information on troubleshooting IPsec.

Inquiring About the TCP/IP Environment

The Operations Interface (OI) provides inquiries to check network configuration and status. Appendix A lists and briefly describes these inquiries. Refer to the Networking Commands and Inquiries Help for complete syntax and details.

Displaying Enterprise Server TCP/IP Reports

An additional enumeration to the REPORTS command supports the TCP/IP report category. The TCP/IP option sends TCP/IP-related reports to a user program agent or to a remote enterprise server. To specify the TCP/IP option, enter the following at the system console:

    NW REPORTS + TCPIP

If the command is successful, you receive the following response:

    REPORTS + TCPIP

In addition to specifying TCP/IP reports, you can include or exclude specific reports by their decimal report numbers by using the following command:

    NW REPORTS <report operation>

where <report operation> is REQUEST, SUPPRESS, or *DEFAULT.

Examples

To include one or more specific TCP/IP reports, use the REQUEST option as shown in the following example:

    REPORTS REQUEST 40004,

To exclude one or more specific TCP/IP reports, use the SUPPRESS option as shown in the following example:

    REPORTS SUPPRESS 40004,

The *DEFAULT option defers to the report message categories to determine whether or not to forward reports for the specified report codes. For example, NW REPORTS *DEFAULT would only stop the flow of reports for as long as the TCP/IP report category is not set.

Refer to the Networking Commands and Inquiries Help for a detailed description of the REPORTS command. Refer to the Networking Reports and Log Messages Help for a list of TCP/IP-related reports.

Monitoring TCP/IP System Activity with TCPIP DEBUG

You can use the TCPIP DEBUG command to set specific debug options to monitor TCP/IP system activity. The DEBUG command has two options: TRACE, which traces the data flow through the TCP/IP software, or DUMP, which enables you to examine the contents of various data structures. These options are described in more detail in the following subsections.

The DEBUG command enables you to specify the environment (MCP server, Windows server, or both) you want to examine or trace. The environments you can specify when running DEBUG are as follows:

All: The command applies to the MCP server and all Windows servers. This is the default.
MCP: The command applies only to the MCP server.
NP<#>: The command applies only to the Windows server specified.

Note: The DEBUG command reports diagnostic messages to the SUMLOG for internal use only. Examples of some diagnostic error messages include procedure entrance and exit tracing, internal data structure contents, and detection of error conditions. These messages are subject to change or deletion at any time during the lifetime of the TCP/IP product. The sole purpose of the DEBUG command is to provide additional diagnostic capabilities if a problem occurs. The output from this command should be forwarded to the TCP/IP engineering group along with a UCF for further analysis. Be aware that setting options of the DEBUG command could have an adverse effect on network performance.

Table 5-1 and Table 5-2 identify the TCP/IP DEBUG command options that can be helpful when identifying the area preventing TCP/IP communication. For more information on this command, refer to the Networking Commands and Inquiries Help.

Using the Trace Option of the TCPIP DEBUG Command

Note: With the exception of the NPDATA, IPDESTADDR, and SECURITY trace options, you must be running the diagnostic version of the software to trace the data path.

Issue the NW TCPIP DEBUG command, using the TRACE option, to trace one or more of the options listed in Table 5-1. Note that using any trace option will have some effect on system performance.

Table 5-1. Trace Options

Trace Option: Action
AC: Traces within Auto-Address Configuration module.
ALL: Traces all of the options described in this table.
ALL MODULES: Traces the following modules: ARP, ATMARP, CIA, DP, ICMP, MSS, PIM, RIP, Security, TCP, TCPM, and UDP.
ARP: Traces within the ARP module.
ARPALL: Traces ARP in both LAN and ATM environments.
ATMARP: Traces ARP in an ATM environment.
BUFFERUTIL: Traces within the buffer utilities.
CIA: Traces within the CIA module (turns on CIADATA, MSSDATA).
DP: Traces routines that handle transferring TCP/IP frames to and from network devices (ICPs).
DTCM: Traces within the distributed TCP/IP communications management (DTCM) module. The DTCM module supports the enhanced VLAN performance feature on ClearPath systems.
ICMP: Traces within the ICMP module. Note: Use the NW TCPIP DISPLAY command to control reporting of ICMP messages.
IP: Traces within the IP and MSS modules.
IPDESTADDR <IP address>: Traces the IP header and Upper Layer Protocol (ULP) header information of all packets that are coming from or are being sent to the specified IP address. Note: Do not use the "NP x" option for this trace. This trace option can only be used in requests applicable to all server environments. Attempting to do otherwise results in a negative response to the request.
IPSEC: Traces within the IPsec module. The following response is displayed when enabling IPsec tracing: PROCESSED SUCCESSFULLY: TRACE+IPSEC The following response is displayed when disabling IPsec tracing: PROCESSED SUCCESSFULLY: TRACE-IPSEC
MCPCRYPTO*: Traces all frames that handle SSL MCPCRYPTO operations (see note at end of table).

Table 5-1. Trace Options

Trace Option: Action
MSS: Traces within the messaging subsystem (MSS) module. The MSS module supports the enhanced VLAN performance feature on ClearPath systems.
NEIGHBOR: Traces within the Neighbor Discovery module.
NEIGHBORALL: Traces Neighbor Discovery for all environments.
NPDATA: Logs TCP/IP frames to and from network devices (ICPs). Turns on CIADATA, MSSDATA.
PIM: Traces within the PIM module.
RIP: Tracing within the RIP module.
SSH*: Traces within the SSH module (see note at end of table).
SECURITY*: Traces within the TCP internal module, including the security logic (see note at end of table). Note: This option should only be used when instructed by Unisys support personnel.
SOCKETS: Traces within the SOCKETSUPPORT library.
SSL*: Traces within the SSL module (see note at end of table).
SSLHANDSHAKE*: Traces all frames that handle the SSL handshake (see note at end of table).
TCP: Traces with the TCP and DTCM modules.
TCPCONN <connection id>: Traces a specific connection.
TCPM: Traces with the TCPM module.
UDP: Traces with the UDP module.

Note: For the MCPCRYPTO, SSH, SECURITY, SSL, and SSLHANDSHAKE trace options, most of this tracing is written to the securitylog file.

Using the Dump Option of the TCPIP DEBUG Command

Issue the NW TCPIP DEBUG command, using the DUMP option, to dump information related to one or more of the options in Table 5-2 to the system log under the DIAG keyword.

Table 5-2. Dump Options

Dump Option: Action
ACTIVEDEFAULTROUTE: Dumps all active entries in the Default Route table.
ACTIVEDEVSPECROUTE: Dumps all active entries in the Device Specific Route table.
ARP: Dumps active ARP entries.
ARPALL: Dumps entries in both the ARP and ATM tables.
ATMARP: Dumps entries in the ATM tables.
CIA: Dumps all CIA tables (this turns on MSS tracing).
DEFAULTROUTE: Dumps all entries in the Default Route table.
DEVSPECROUTE: Dumps all entries in the Device Specific Route table.
DTCM: Dumps all DTCM tables. The DTCM modules support the enhanced VLAN performance feature.
HOSTNAMETBL: Dumps all entries in the Host Name table.
ICMP: Dumps the PING table and ICMP-specific information.
ICMPACTIVERDISC: Dumps all active entries in the Router Discovery table.
ICMPRDISCTABLE: Dumps all entries in the Router Discovery table.
IP: Dumps all entries in all IP tables.
IPACTIVE: Dumps all active entries in all IP tables.
IPACTIVEADDR: Dumps all active entries in the IP address table.
IPACTIVEMASK: Dumps all active entries in the IP Mask table.
IPACTIVEROUTES: Dumps all active entries in the IP address table.
IPADDRTBL: Dumps all entries in the IP address table.
IPDESTADDR <ip address>: Dumps all IP table entries for the specified address.
IPMASKTABLE: Dumps all entries in the IP Mask table.
IPROUTES: Dumps all entries in the IP route table.
IPSEC: Dumps all entries in all IPsec tables. The following response is displayed when requesting an IPsec dump: PROCESSED SUCCESSFULLY: DUMP IPSEC
MSS: Dumps all MSS tables. The MSS modules support the enhanced VLAN performance feature.
NEIGHBOR: Dumps entries in the neighbor table.
NEIGHBORALL: Dumps the neighbor table in all environments.

Table 5-2. Dump Options

Dump Option: Action
PIM: Dumps in-use entries in the PCB table.
RIP: Dumps RIP-specific information.
ROUTEHASHTBL: Dumps all entries in the Route Hash table.
SSH: Dumps the SSH information into the securitylog file.
SOCKETS: Dumps the tables in the SOCKETSUPPORT library.
SSL: Dumps the SSL information into the securitylog file.
TCP: Dumps all TCP tables.
TCPCONNTBL ALL/INUSE/<connection identifier>: Dumps the table entry, TCB, for the connection or connections.
UDP: Dumps the UDP connection (UCB) table.

Using the TCPIP DISPLAY, TCPIP DISPLAY INTERVAL, and TCPIP DISPLAY OPTIONS Commands

Note: If you enter both the TCPIP DEBUG and TCPIP DISPLAY commands, message reporting is based on the last command entered.

The TCPIP DISPLAY command controls when all (or specific) ICMP messages are reported to the system consoles and sent to the SUMLOG. The TCPIP DISPLAY command offers two advantages over the TCPIP DEBUG TRACE command:

- TCPIP DISPLAY can be defined in the initialization file with the NAU utility.
- TCPIP DISPLAY allows a specified message type to be reported just once within a specified time interval.

Three options are available to specify how messages are reported:

ALWAYS: The message is always reported. This is the default condition.
NEVER: The message is never reported.
FIRST: Only the first occurrence of a message within a specified time interval is reported. You can set this interval with the TCPIP DISPLAY INTERVAL command. The default interval is 2 hours.

If the NEVER or FIRST option is specified, the unreported ICMP message information can still be accessed using the TCPIP DISPLAY TABLE command. See Using the TCPIP DISPLAY TABLE command later in this section.

Table 5-3 identifies specific ICMP messages that can be controlled by issuing the TCPIP DISPLAY command.

Table 5-3. ICMP Message Options

To control the reporting of this message: Use this command option
ICMP Address Mask: ICMPADMSK
ICMP Destination Unreachable: ICMPDSTUNR
ICMP Information Request/Reply: ICMPINF
ICMP Parameter Problem: ICMPPRMPRB
ICMP Redirect: ICMPRED
ICMP Router Discovery: ICMPRDISC
ICMP Source Quench: ICMPSRCQ
ICMP Time Exceeded: ICMPTMEXC
ICMP Timestamp Request/Reply: ICMPTMSTP
ICMPV6 Packet Too Big: ICMPV6PKTTOOBIG
ICMPV6 Multicast Listener Discovery: ICMPV6MLD
ICMPV6 Router Information: ICMPV6RDISC
ICMPV6 Neighbor Discovery: ICMPV6NDISC
ICMPV6 Redirect: ICMPV6RED
All of the previous messages: ICMPRPTS

The enterprise server TCP/IP INFORMATION SUMMARY report displays the reporting option (ALWAYS, NEVER, or FIRST) for every message type. You can also use the TCPIP DISPLAY OPTIONS command to obtain the current reporting option for a specified ICMP message. Refer to the Networking Commands and Inquiries Help for a detailed description of the TCPIP DISPLAY, TCPIP DISPLAY INTERVAL, and TCPIP DISPLAY OPTIONS commands.

Note: The NAU TCP/IP ICMP REPORT DISPLAY screen provides a way of adding TCPIP DISPLAY and TCPIP DISPLAY INTERVAL command information to an application host initialization file. To access this screen, select the TCP option from the APPLICATION HOST MENU screen, select the THP option from the TCP/IP CONFIGURATION MENU screen, and then transmit the TCP/IP APPLICATION HOST PARAMETERS screen.

Examples

The following examples illustrate how you can use the TCPIP DISPLAY command to control when specific messages are reported. Typically, such command sequences are not necessary if you use the NAU to enter control information into the application host initialization file.

1. To enable all ICMP messages to always be reported, enter the following command at the system console:

    NW TCPIP DIS ICMPRPTS ALWAYS

After this command is entered, the following command:

    NW TCPIP DIS OPT ICMPRPTS

results in the following response:

    ICMPADMSK DISPLAY ALWAYS
    ICMPDSTUNR DISPLAY ALWAYS
    ICMPINF DISPLAY ALWAYS
    ICMPPRMPRB DISPLAY ALWAYS
    ICMPRED DISPLAY ALWAYS
    ICMPRDISC DISPLAY ALWAYS
    ICMPSRCQ DISPLAY ALWAYS
    ICMPTMEXC DISPLAY ALWAYS
    ICMPTMSTP DISPLAY ALWAYS
    ICMPV6PKTTOOBIG DISPLAY ALWAYS
    ICMPV6MLD DISPLAY ALWAYS
    ICMPV6RDISC DISPLAY ALWAYS
    ICMPV6NDISC DISPLAY ALWAYS
    ICMPV6REDP DISPLAY ALWAYS

2. To enable only the first occurrence of a unique ICMP Redirect message to be reported, enter the following command:

    NW TCPIP DIS ICMPRED FIRST

After this command is entered, the following command:

    NW TCPIP DIS OPT ICMPRED

results in the following response:

    ICMPRED DISPLAY FIRST

3. To disable all reporting of the ICMP Parameter Problem message, enter the following command:

   NW TCPIP DIS ICMPPRMPRB NEVER

   After this command is entered, the following command:

   NW TCPIP DIS OPT ICMPPRMPRB

   results in the following response:

   ICMPPRMPRB DISPLAY NEVER

Using the TCPIP DISPLAY TABLE Command

The TCP/IP library contains both TCP and ICMP report data. This information is maintained in the following three tables:

• Reset table
  This table contains information for TCP RESETS (RSTs) sent by and received at the enterprise server.
• Error table
  This table contains information about frames that contain checksum errors or invalid TCP header lengths.
• ICMP table
  This table contains ICMP message information that is not being reported to the ODT and SUMLOG because the FIRST or NEVER option is specified with the TCPIP DISPLAY command.

The TCP/IP ICMP Reports log message provides a summary of the information provided in these tables.

You can use the TCPIP DISPLAY TABLE command to access the information contained in any of these tables. This command can also access information about a specific ICMP message. See Table 5-4 for a list of valid TCPIP DISPLAY TABLE command options.

Table 5-4. Message and Table Options

To access information about the:             Use this command option:
ICMP Address Mask message                    ICMPADMSK
ICMP Destination Unreachable message         ICMPDSTUNR
ICMP Information Request/Reply message       ICMPINF
ICMP Parameter Problem message               ICMPPRMPRB
ICMP Redirect message                        ICMPRED
ICMP Router Discovery message                ICMPRDISC
ICMP Source Quench message                   ICMPSRCQ
ICMP Time Exceeded message                   ICMPTMEXC
ICMP Timestamp Request/Reply message         ICMPTMSTP
ICMPV6 Packet Too Big                        ICMPV6PKTTOOBIG
ICMPV6 Multicast Listener Discovery          ICMPV6MLD
ICMPV6 Router Information                    ICMPV6RDISC
ICMPV6 Neighbor Discovery                    ICMPV6NDISC
ICMPV6 Redirect                              ICMPV6RED
ICMP table                                   ICMPRPTS
Reset table                                  RESETRPTS
Error table                                  ERRORRPTS

Refer to the Networking Commands and Inquiries Help for a detailed description of the TCPIP DISPLAY TABLE command. Refer to the Networking Reports and Log Messages Help for a detailed description of the TCP/IP Display Reset, TCP/IP Display Error, and TCP/IP Display ICMP log messages.

Examples

1. To display the TCP/IP Display Reset table information, enter the following command at the system console:

   NW TCPIP DIS TAB RESETRPTS

   If applicable, one or more RESET entries are returned in the command response.

2. To display the TCP/IP Display Error table information, enter the following command at the system console:

   NW TCPIP DIS TAB ERRORRPTS

   If applicable, one or more ERROR entries are returned in the command response.

3. To display the TCP/IP Display ICMP table information, enter the following command at the system console:

   NW TCPIP DIS TAB ICMPRPTS

   If applicable, one or more ICMP entries are returned in the command response.

Understanding the TCP/IP CONNECTION RESET Report Diagnostic Codes

The TCP/IP CONNECTION RESET report is issued when a particular TCP/IP connection is reset. This report identifies one of the following as the reason the connection was reset:

   PACKET RESEND LIMIT EXCEEDED UNKNOWN DTCM FAILURE DIAGNOSTIC CODE: <diagnostic code>

Table 5-5 provides a brief description of the diagnostic codes.

Table 5-5. Diagnostic Codes for TCP/IP CONNECTION RESET Report

Code and Text: 0 Unknown
Description:   A reset was received from the remote system.

Code and Text: 1 Frame Received for Unknown Socket Pair
Description:   A TCP frame was received for a connection that does not currently exist.

Code and Text: 2 TCP ACK Indication Received in Invalid_State
Description:   A TCP layer detected an error in the TCP protocol. This implies that the remote side is not issuing the correct protocol.

Code and Text: 3 TCP SYN Indication Received in Invalid_State
Description:   A TCP layer detected an error in the TCP protocol. This implies that the remote side is not issuing the correct protocol.

Code and Text: 4 Security Precedence Failure
Description:   Reserved for future use.

Code and Text: 5 Update Subfile Failure
Description:   Indicates an internal software error. An attempt to update information for a subfile failed. This is considered as a fatal error for the connection.

Code and Text: 6 Application Abort
Description:   The local application issued a close (abort) and did a block exit where the port file was declared or DSed. All cases cause a reset to be sent.

Code and Text: 7 Logical I/O Interface Establishment Failed
Description:   Indicates an internal software error. The interface between the TCP layer and logical I/O failed to establish.

Code and Text: 8 Unexpected Connection Destroy Invoked
Description:   Indicates an internal software error. The logical I/O notified the TCP layer to remove the data structure for a connection, but the connection is not closed.

Code and Text: 9 Reset Due to ICMP Destination Unreachable Message
Description:   An ICMP destination unreachable message for the remote system was received.

Code and Text: 10 Reset Due to an Invalid State Transition
Description:   Indicates an internal software error. An attempt to change the file state failed.

Code and Text: 11 SYN Received for Unknown Port
Description:   A TCP SYN frame was received for a connection that does not currently exist.

Code and Text: 12 Subfile Open Attempt Failed
Description:   Indicates an internal software error. The file state cannot be set to OPEN.

Code and Text: 13 Reset Due to SNMP Request
Description:   The SNMP protocol allows a TCP connection to be deleted. The local system received the appropriate SNMP command for deleting a connection.

Code and Text: 14 Max Connections Exceeded
Description:   The maximum number of TCP/IP connections has been exceeded.

Code and Text: 15 No Response Received for SYN
Description:   The initial SYN frame timed out.

Code and Text: 16 Application Closed with Data to Read
Description:   The application issued a close while data was queued to be read.

Code and Text: 17 Keep Alive packet Limit Exceeded
Description:   Valid only for connections using the Keep Alive option. The keep alive packets were not responded to in the designated time limit.


Section 6
Running OSI Applications over a TCP/IP Network

Users can no longer configure OSI networks on a ClearPath MCP server. The only OSI product available is the RFC1006 standard, which allows communication over a TCP/IP network. OSI over TCP/IPv6 is not supported.

This section provides the information necessary to configure and operate OSI applications over a TCP/IP network. This section describes how to

• Determine software requirements
• Associate OSI and TCP/IP addresses in either of the following ways:
  • Specify an IP address inside of an OSI NSAP address, or
  • Map TCP/IP IP addresses to OSI NSAP addresses
• Check network consistency
• Print related NAU-generated reports
• Configure a more complex network

Functional Overview

The capability to run OSI applications over a TCP/IP network is made available in accordance with the following Request for Comments (RFC) document:

   RFC 1006
   ISO Transport Service on top of the TCP
   Version: 3, May 1987

This standard serves as a basis for providing the interface between the transport layer of the OSI stack and the transport layer of the TCP/IP stack.

You are provided with the capability to run OSI applications over TCP/IP as an additional enhancement to existing TCP/IP services offered, such as running TCP/IP applications over a TCP/IP network.

Overview of the Implementation Process

To enable TCP/IP hosts to run OSI applications, perform the following steps (which are described in detail in the subsections that follow):

1. Verify that the appropriate software is installed on your system. Refer to the ClearPath MCP Migration Guide for your software release details. Consult the release letter for specific software level requirements.

2. Make a conceptual drawing of your existing network.

   It is assumed that you have already configured your TCP/IP network through the NAU. If you have not yet done this, see Section 3, "Configuring a TCP/IP Network Using the NAU" before you continue with the next step.

   You must create two OSI initialization files for each TCP/IP host that you want to enable to run OSI applications. If you use the NAU to configure OSI, the NAU will create the appropriate OSI initialization files based on the input you enter as you traverse through the NAU screens.

   The OSI endpoint initialization file should contain a unique ADD OSI ENDPOINT NAME command for each OSI application (one endpoint for the local application and in some cases one endpoint for the remote application) that you want to run on the TCP/IP host. If you are an existing OSI user who has already created an OSI endpoint initialization file (to identify the location of the applications in your network), you do not have to make any further modifications to this file to run those applications over a TCP/IP network.

   Each ADD OSI ENDPOINT NAME command is made up of a combination of the following application endpoint attributes:

   • File Name
   • Host Name
   • Name
   • Application Group
   • NSAP Address **
   • Presentation Selector **
   • Session Selector **
   • Transport Selector **

   ** See Note for details.

   For a complete description of each of the preceding attributes, refer to the Networking Attributes Data Dictionary Help.

   Note: When configuring an application endpoint (other than the OSI TP application) on a non-ClearPath MCP system, you must provide values for those attributes that are shown with an asterisk (**).

   When configuring OSI TP, you are required to identify file names and endpoints for the local applications within your network. However, with the support of settable remote OSI addresses at the Port File Interface, you are not required to generate remote destination system network information.

   For additional information on identifying OSI application endpoints, refer to the OSI Software Implementation Guide, Volume 1: Planning.

   The OSI initialization file should contain the OSI + command to initialize the appropriate parts of the OSI software. The initialization file can also optionally contain ADD NETWORK ADDRESS PAIR commands that map application hosts' IP addresses to the hosts' OSI NSAP addresses. The ADD NETWORK ADDRESS PAIR command also allows a domain name to be substituted for or entered in addition to the IP address.

   The ADD NETWORK ADDRESS PAIR commands are now optional because starting with SSR 45.1, you can specify an IP address inside of an OSI NSAP address. This eliminates the need to configure Network Address Pairs. For details on specifying an IP address inside an OSI NSAP address, see "Associating OSI and TCP/IP Addresses" later in this section.

   For specific details on how to create the appropriate OSI initialization files, see "Configuring OSI-TCP/IP Address Pairs" later in this section.

3. Verify the consistency of the entries made on the NAU screens. View the error file created for you by the NAU Consistency Checker program and correct any errors.

4. Print the report that contains a description of the network OSI-TCP/IP network address pairing information.

5. Generate initialization files using the NAU. The network configuration and status database will be updated to reflect your network definition.

Sample OSI initialization files are provided at the end of this section.

Initializing the OSI Software on the TCP/IP Host

Before you can attempt to configure application endpoints or OSI-TCP/IP address pairs through the Operations Interface (OI), you must issue the following command at the system console to initialize the OSI software:

   NW OSI +

Note: If you are using the NAU to configure OSI application endpoints and OSI-TCP/IP address pairs in your network, the OSI + command is automatically placed in the appropriate OSI initialization file for you when the NAU generates the initialization files for your network.

Identifying OSI Application Endpoints

This subsection assumes that you have already performed the following steps:

• Installed the required software
• Configured your TCP/IP network

Note: If you are an existing OSI user, you do not have to make any changes to the application endpoints that are already configured for your network. Skip the rest of this subsection and continue with "Associating OSI and TCP/IP Addresses."

You must now create a network to identify the location of the OSI applications in your network. OSI provides the following application services:

• MHS 1984/MHS 1988 (Message Handling System)
• MHS MS (MHS Message Store)
• OSI DIR (OSI Directory Services)
• IPC (Interprocess Communication)

You can identify the location of each OSI application in your network in either of the following ways:

• By filling in the appropriate endpoint attributes as you traverse through the NAU screens. Using the NAU to generate your network will simplify your configuration in that the NAU generates the appropriate initialization files for you after you finish defining your network configuration.
• By issuing the appropriate ADD OSI ENDPOINT NAME commands through the OI.

In either case, a unique ADD OSI ENDPOINT NAME command is required for each local, and in some cases, remote OSI application.

For example, if you have two or more applications on the same host, you can see endpoints in your endpoint initialization file that have the same NSAP address. You can use the same NSAP address in more than one endpoint because multiple NSAP addresses can be associated to a single host.

Note: OSI file names and endpoints must be defined before applications can run over a TCP/IP network.

When configuring OSI, you might find it helpful to refer to the following OSI documentation:

• OSI Software Implementation Guide, Volume 1: Planning
• OSI Software Implementation Guide, Volume 2: Configuration
• OSI Software Operations Guide

Use the following table as a guide to locate the appropriate OSI reference materials.

Topic:             Available OSI applications
Document/Section:  Volume 1, Section 2
Subsection Title:  Services Provided by OSI

Topic:             Format of an NSAP address
Document/Section:  Volume 1, Section 3
Subsection Title:  The Structure of an NSAP Address

Topic:             Planning OSI file names and endpoints
Document/Section:  Volume 1, Section 6
Subsection Title:  Selecting OSI File Names and Endpoints

Topic:             Identifying the NSAP address through the NAU. The NSAP address is one of several attributes that make up an OSI application endpoint.
Document/Section:  Volume 2, Section 3
Subsection Title:  Selecting Network Service Access Point Addresses

Topic:             Identifying application endpoints through the NAU
Document/Section:  Volume 2, Section 3
Subsection Title:  Defining OSI Files and Endpoints

Topic:             Identifying application endpoints through the OI
Document/Section:  Operations Guide, Section 3
Subsection Title:  Adding an OSI Application Endpoint

Once you have configured the necessary OSI application endpoint information for the hosts in your network, you are ready to associate OSI and TCP/IP addresses.

Associating OSI and TCP/IP Addresses

There are two ways in which you can associate OSI addresses with the IP addresses used by TCP/IP:

• Specify (embed) an IP address inside of an OSI NSAP address.
  This feature is available to users of release 45.1 or later software and is described in "Defining an NSAP Address Which Contains an Embedded IP Address" later in this section.
• Pair an IP address with an OSI NSAP address.
  Users running on software levels prior to release 45.1 must use this method to associate OSI and TCP/IP addresses. You can configure OSI-TCP/IP address pairs using the NAU or by issuing the appropriate OI commands. Both ways of performing address pairing are described in "Configuring OSI-TCP/IP Address Pairs" later in this section.

Defining an NSAP Address Which Contains an Embedded IP Address

The ClearPath MCP OSI product has been enhanced for releases 45.1 and later to enable you to specify an IP address inside of an OSI NSAP address. This capability is made available in accordance with the following RFC document:

   RFC 1888
   OSI NSAPs and IPv6
   August 1996

The format of the RFC 1888 NSAP address is as follows:

   FFFF<IPv4 address>00

where <IPv4 address> is a hexadecimal representation of each of the four nodes of the IP address. For example, the IP address is encoded as C03BE229. The resulting NSAP address would be as follows:

   FFFFC03BE22900

If an NSAP address with RFC 1888 format is specified in a network address pair, the IP address contained in the network address pair always takes precedence over the IP address embedded in the NSAP address.

If you use NSAP addresses with RFC 1888 format in OSI endpoint definitions, you cannot specify a local IP address to use on outbound connection establishment unless you also configure a corresponding network address pair specifying the RFC 1888 format NSAP address as allowed by the ADD NETWORKADDRESSPAIR command. You also cannot specify a domain name if you use RFC 1888 format.
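Because a network address pair overrides the address visible inside an RFC 1888 format NSAP, a configuration review should compare the two. The following Python sketch is an added example, not Unisys code: it encodes and decodes the FFFF<IPv4 address>00 layout exactly as this page gives it, applies the precedence rule described above, and lists pairs that redirect an embedded address. The function names, the dictionary used as a stand-in for the configured pairs, and the 192.0.2.x addresses are assumptions made for illustration.

```python
import ipaddress
import re
from typing import NamedTuple, Optional

# Layout exactly as this page gives it: FFFF<IPv4 address>00, with the IPv4
# address written as eight hex digits (two per node of the dotted address).
_EMBEDDED = re.compile(r"FFFF([0-9A-F]{8})00")


class Resolution(NamedTuple):
    target: Optional[str]    # IP address or domain name the connection uses
    source: str              # "pair", "embedded" or "unresolved"
    local_ip: Optional[str]  # outbound local IP; only a pair can carry one


def embed_ipv4(ip: str) -> str:
    """Build the embedded-IP NSAP string for a dotted IPv4 address."""
    return "FFFF" + ipaddress.IPv4Address(ip).packed.hex().upper() + "00"


def extract_ipv4(nsap: str) -> Optional[str]:
    """Return the embedded IPv4 address, or None for any other NSAP layout."""
    match = _EMBEDDED.fullmatch(nsap.strip().upper())
    if match is None:
        return None
    return str(ipaddress.IPv4Address(bytes.fromhex(match.group(1))))


def resolve(nsap: str, pairs: dict) -> Resolution:
    """Apply the page's rule: a configured pair always wins over the embedded IP.

    `pairs` maps an upper-case NSAP string to a dict with optional "ip",
    "domain" and "local_ip" keys (a hypothetical stand-in for the pairs
    configured with ADD NETWORKADDRESSPAIR).
    """
    key = nsap.strip().upper()
    pair = pairs.get(key)
    if pair is not None:
        # Assumption: a pair holding only a domain name resolves to that name.
        return Resolution(pair.get("ip") or pair.get("domain"), "pair",
                          pair.get("local_ip"))
    embedded = extract_ipv4(key)
    if embedded is not None:
        # No pair: no local IP address and no domain name can be selected.
        return Resolution(embedded, "embedded", None)
    return Resolution(None, "unresolved", None)


def audit(pairs: dict) -> list:
    """List (nsap, embedded_ip, paired_ip) where a pair overrides the embedded IP."""
    findings = []
    for nsap, pair in sorted(pairs.items()):
        embedded = extract_ipv4(nsap)
        if embedded is not None and pair.get("ip") not in (None, embedded):
            findings.append((nsap, embedded, pair["ip"]))
    return findings


# Constructed sample data. The ES1 NSAP and its IP address come from the
# page's sample screens; the second entry is invented to show an override.
PAIRS = {
    "C1F1F0C9D6E2E301": {"ip": "192.39.0.20"},
    "FFFFC03BE22900": {"ip": "192.0.2.10", "local_ip": "192.0.2.1"},
}

if __name__ == "__main__":
    print(extract_ipv4("FFFFC03BE22900"))
    print(resolve("FFFFC03BE22900", {}))
    print(resolve("FFFFC03BE22900", PAIRS))
    for nsap, embedded, paired in audit(PAIRS):
        print(f"{nsap}: embedded {embedded} is overridden by pair IP {paired}")
```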

Configuring OSI-TCP/IP Address Pairs

This subsection assumes that you have already performed the following steps:

• Installed the required software
• Configured your TCP/IP network
• Configured the appropriate OSI application endpoints for the hosts in your network. If you want to use RFC 1888 format to specify an IP address inside of an OSI NSAP address, see "Defining an NSAP Address Which Contains an Embedded IP Address" earlier in this section.
• Generated the appropriate OSI endpoint initialization files for your network

The next step is to create a pairing between each application host's TCP/IP IP address and its OSI NSAP address. You must also create an OSI-TCP/IP address pair for each non-ClearPath MCP host in your network that will be running OSI applications. When configuring a destination host's OSI-TCP/IP address pair, a domain name can be substituted for the IP address.

You can create the pairing in either of the following ways:

• By filling in the appropriate OSI-TCP/IP address pairing attributes as you traverse through the NAU screens. Using the NAU to generate your OSI network will simplify your configuration in that the NAU generates the appropriate initialization files for you after you finish defining your network configuration.
• By issuing the appropriate ADD NETWORK ADDRESS PAIR commands through the OI.

Keep in mind that a host can have multiple NSAP addresses and/or multiple IP addresses. In this instance, one application host would require multiple ADD NETWORK ADDRESS PAIR commands in the host's OSI initialization file: one OI command for each OSI-TCP/IP address pair mapping.

Using the NAU to Configure OSI-TCP/IP Address Pairs

You can become familiar with pairing OSI-TCP/IP addresses by configuring the sample network before configuring this capability into your own network. The sample network shown in Figure 6-1 identifies OSI applications and OSI NSAP addresses for each TCP/IP host in the network.

Figure 6-1 illustrates the sample OSI-TCP/IP network, which is referenced throughout this section.

[Figure 6-1. Sample TCP/IP Network Running OSI Applications. Diagram labels: Enterprise Server 1 (ES1), TCP/IP Host 1, TCP/IP Host 2, TCP/IP Host 3, Gateway 1, CP 2000, LAN001, X.25, MHS, OLTP.]

Host                         IP Address    NSAP Address
Enterprise Server 1 (ES1)                  C1F1F0C9D6E2E301
TCPHOST                                    C3C8C9C3C7D6F101
TCPHOST                                    D7C8C9D3C1F101
TCPHOST                                    D1FE8C9D6E6F201

Hierarchy of NAU Screens to Enable a TCP/IP Host to Run OSI Applications

The following provides the hierarchy in which screens are presented when configuring OSI-TCP/IP address pairs.

[Figure 6-2. Hierarchy of NAU Screens to Enable TCP/IP Hosts to Run OSI Applications. Screens shown: NETWORK HOME MENU, OSI MENU, SYSTEM LIST, OSI SYSTEM MENU, NSAPA ASSIGNMENT LIST, OSI DESTINATION NETWORK ADDRESS PAIRS, NSAPA/IP ADDRESS PAIRING, LOCAL IP ADDRESS ASSIGNMENT.]

Starting the NAU

To start the NAU, perform the following steps:

1. Enter the following from a CANDE session:

   RUN $SYSTEM/NAU

   The NAU WELCOME screen displays.

2. Fill in the following fields.

   Field Name:   Session Usercode, Password
   Description:  If your site is using the NAU security feature, you must also enter a valid password in the Password field. If version security is not used, enter either your name or usercode in the Usercode field and leave the Password field blank.

   Field Name:   Working Database Version
   Description:  Enter the name of the OSI network version that defines your basic OSI network (endpoint descriptions and NSAP addresses). You might need to use the VER option to view the list of versions or create a new version before continuing.

3. Enter EDG in the Choice field. Transmit the screen.

   The NETWORK HOME MENU screen displays.

Note: All sample entries shown in this guide are based on the sample network as shown in Figure

Pairing a TCP/IP Host's IP Address to its OSI NSAP Address

To configure a TCP/IP host's IP address with its OSI NSAP address, perform the following steps:

1. Enter OSI in the Choice field of the NETWORK HOME MENU screen. Transmit the screen.

   The OSI MENU screen displays, as shown in Figure 6-3.

   OSISAMPLE * NAU -- OSI MENU * 125
   ACTION: [ ]
   HOme PArent PRevious WElcome QUit TEach REfresh

   NSA  Assign Host NSAPAs and Gateways
   OSF  OSI File List
   PDE  Pre-Defined Endpoints

   Choice: [NSA]
   EXPERT: EDIT

   Figure 6-3. OSI MENU Screen

2. Enter NSA in the Choice field and transmit the screen.

   The SYSTEM LIST screen displays, as shown in Figure

   OSISAMPLE * NAU -- SYSTEM LIST * 126
   ACTION: [ ]
   HOme OSi PArent PRevious FInd WElcome QUit TEach REfresh

   Application Host Only Generate Host Services OSI System Name Style OSI Level Endpoints (Y/N)
   [ES1 ]      [A11 ] [43].[2] [Y]
   [TCPHOST1 ] [ ]    [ ].[ ]  [ ]
   [TCPHOST2 ] [ ]    [ ].[ ]  [ ]
   [TCPHOST3 ] [ ]    [ ].[ ]  [ ]

   Figure 6-4. SYSTEM LIST Screen

3. Place the cursor on the name of the host that you want to enable to run OSI applications (in this example, ES1) and press the Specify key.

   The OSI SYSTEM MENU displays as shown in Figure 6-5.

   OSISAMPLE * NAU -- OSI SYSTEM MENU * 287
   ACTION: [ ]
   HOme OSi PArent PRevious WElcome QUit TEach REfresh INstall

   System: ES1

   NSA  Define System NSAP Addresses and NSAPA/IP Address Pairings
   GTY  System Gateways
   NAP  Add Destination System OSI-TCP Network Address Pairings

   Choice: [ ]
   EXPERT:EDIT

   Figure 6-5. OSI SYSTEM MENU Screen

4. Enter NSA in the Choice field and transmit the screen.

   The NSAPA ASSIGNMENT LIST screen displays with the Network Service Access Point Address field prefilled for the ES1 host, as shown in Figure 6-6.

   Note: If the ES1 host was configured with multiple NSAP addresses, multiple NSAP addresses would be displayed in the Network Service Access Point Address field. If this is the case in your network configuration, you must repeat this procedure for each NSAP address listed on the NSAPA ASSIGNMENT LIST screen.

   OSISAMPLE * NAU -- NSAPA ASSIGNMENT LIST * 288
   ACTION: [ ]
   HOme OSi PArent PRevious FInd WElcome QUit TEach REfresh

   System: ES1

   Network Service Access Point Address    Local Endpoint Reference
   [ C1F1F0C9D6E2E301 ]                    [ ]
   [ ]                                     [ ]
   [ ]                                     [ ]
   [ ]                                     [ ]
   [ ]                                     [ ]
   [ ]

   EXPERT:EDIT

   Figure 6-6. NSAPA ASSIGNMENT LIST Screen

5. Place the cursor on the Network Service Access Point Address field, and press the Specify key.

   The NSAPA/IP ADDRESS PAIRING screen displays.

6. Fill in the following fields.

   Field Name:   IP Address
   Description:  The IP address of the TCP/IP host that you are configuring to run OSI applications. If the TCP/IP host you are configuring has multiple IP addresses (or paths), and you want to enable each IP address to run OSI applications, enter each IP address separately on this screen. For the sample network, shown in Figure 6-1, enter

   Field Name:   Domain Name (Optional Field)
   Description:  The Internet TCP/IP host name of the local host. For the sample network leave this field blank. When configuring remote hosts, you can either identify a domain name (and leave the IP Address field blank), or you can identify both an IP address and domain name for the remote host. For an example of using the NAU to configure a remote host with a domain name, see "Configuring a More Complex Network" later in this section.

   The screen displays as shown in Figure 6-7. Transmit the screen. The OSI SYSTEM MENU screen redisplays.

   OSISAMPLE * NAU -- NSAPA/IP ADDRESS PAIRING * 393
   ACTION: [ ]
   HOme OSi PArent PRevious FInd WElcome QUit TEach REfresh

   System: ES1
   NSAPA: C1F1F0C9D6E2E301

   IP Address: [192].[039].[000].[020]
   Domain Name: [ ]
   IP Address: [ ].[ ].[ ].[ ]
   Domain Name: [ ]
   IP Address: [ ].[ ].[ ].[ ]
   Domain Name: [ ]

   EXPERT:EDIT

   Figure 6-7. NSAPA/IP ADDRESS PAIRING Screen

7. Repeat these steps (beginning at step 3) to pair the IP address and NSAP address for each non-enterprise server TCP/IP host that you want to configure to run OSI applications. For the sample network, enter each of the following IP addresses on the NSAPA/IP ADDRESS PAIRING screen for the respective host.

   Host       IP Address
   TCPHOST
   TCPHOST
   TCPHOST

Identifying Destination Hosts

To identify which destination hosts you want the application host to communicate with, perform the following steps:

1. Enter NSA in the Choice field of the OSI MENU screen, and transmit the screen.

   The SYSTEM LIST screen displays.

2. Place the cursor on the OSI system name that represents the host for which you are defining destination hosts, and press the Specify key. To continue configuring the sample, identified in Figure 6-1, specify on the ES1 host.

   The OSI SYSTEM MENU screen displays.

3. Enter NAP in the Choice field and transmit the screen.

   The OSI DESTINATION NETWORK ADDRESS PAIRS screen displays.

4. Enter the name of each destination host that will communicate with the local application host. For the sample network, enter TCPHOST1, TCPHOST2, and TCPHOST3, as shown in Figure 6-8.

   OSISAMPLE * NAU -- OSI DESTINATION NETWORK ADDRESS PAIRS * 392
   ACTION: [ ]
   HOme OSi PArent PRevious FInd WElcome QUit TEach REfresh

   System: ES1

   Use this screen to reference OSI Systems for which you want NSAPA/IP Address pairs specified in the system's initialization file.

   OSI System Name
   [TCPHOST1 ]
   [TCPHOST2 ]
   [TCPHOST3 ]
   [ ]
   [ ]

   EXPERT:EDIT

   Figure 6-8. OSI DESTINATION NETWORK ADDRESS PAIRS Screen

Identifying a Specific Network Path to Be Used When Communicating with Destination Hosts

If the local host in your network is configured with multiple IP addresses (network paths), you have the option of identifying which network path the local host should use as an outbound connection when communicating with the destination host.

Note: If the local TCP/IP host is configured with one IP address (or network path), you do not have to identify the path used to communicate with the destination hosts in the network. In this instance, skip the rest of this subsection and continue with "Checking Network Consistency."

To specify a specific local network path to be used for outbound communication with a destination host in your network, perform the following steps:

1. From the OSI MENU screen, enter NSA in the Choice field and transmit the screen.

   The SYSTEM LIST screen displays.

2. Place the cursor on the name of the local host in your network that you selected to specify a network path to be used for outbound communication to the destination host, and press the Specify key.

   The OSI SYSTEM MENU screen displays.

3. Enter NAP in the Choice field and transmit the screen.

   The OSI DESTINATION NETWORK ADDRESS PAIRS screen displays with the destination hosts prefilled, as shown in Figure 6-9.

   OSISAMPLE * NAU -- OSI DESTINATION NETWORK ADDRESS PAIRS * 392
   ACTION: [ ]
   HOme OSi PArent PRevious FInd WElcome QUit TEach REfresh

   System: ES1

   Use this screen to reference OSI Systems for which you want NSAPA/IP Address pairs specified in the system's initialization file.

   OSI System Name
   [TCPHOST1 ]
   [TCPHOST2 ]
   [TCPHOST3 ]
   [ ]
   [ ]

   EXPERT:EDIT

   Figure 6-9. OSI DESTINATION NETWORK ADDRESS PAIRS Screen

4. Place the cursor on the OSI system name of the destination host that you want the local host to communicate with over a specific network path, and press the Specify key.

   The LOCAL IP ADDRESS ASSIGNMENT screen displays. The Network Service Access Point Address field is prefilled with the destination host's (for this example, TCPHOST1) NSAP address, as shown in Figure

   OSISAMPLE * NAU -- LOCAL IP ADDRESS ASSIGNMENT * 391
   ACTION: [ ]
   HOme OSi PArent PRevious FInd WElcome QUit TEach REfresh

   System: ES1
   Destination System: TCPHOST1

   Network Service Access Point Address    Local IP Address
   [ D7C1F0C9D6E2E301 ]                    [ ].[ ].[ ].[ ]
   [ ]                                     [ ].[ ].[ ].[ ]
   [ ]                                     [ ].[ ].[ ].[ ]
   [ ]                                     [ ].[ ].[ ].[ ]
   [ ]                                     [ ].[ ].[ ].[ ]

   EXPERT:EDIT

   Figure LOCAL IP ADDRESS ASSIGNMENT Screen

5. Enter the IP address that represents the network path the local host should use as an outbound connection when communicating with the destination host. Transmit the screen.

   The screen is refreshed.

Checking Network Consistency

To verify the consistency of your recent entries with the rest of your network, run the NAU Consistency Checker program as described in Section 3. Table 6-1 identifies the related consistency errors that the NAU might find with your entries when enabling TCP/IP hosts in your network to use OSI applications.

Table 6-1. Correcting Consistency Errors Found When Enabling TCP/IP Hosts to Use OSI Applications

For this consistency error:  IP ADDRESS IN NSAPA/IPADDRESS LIST NOT DEFINED ON HOST
Go to this NAU screen:       TCP/IP IDENTITY LIST
And make this correction:    Enter the IP address associated with that TCP/IP host.

For this consistency error:  IP ADDRESS IS BLANK & REQUIRED ON NSAPA/IP ADDRESS LIST
Go to this NAU screen:       NSAPA/IP ADDRESS PAIRING
And make this correction:    Enter the IP address. It is not acceptable to enter only a domain name for an application host.

For this consistency error:  LOCAL SYSTEM NAME CANNOT BE A DESTINATION SYSTEM
Go to this NAU screen:       DESTINATION SYSTEM NETWORK ADDRESS PAIRS
And make this correction:    Remove the local system name from the OSI System Name field.

For this consistency error:  DESTINATION SYSTEM NOT DEFINED ON THE OSI SYSTEM LIST
Go to this NAU screen:       OSI SYSTEM LIST
And make this correction:    Verify that each destination host listed on the OSI DESTINATION NETWORK ADDRESS PAIRS screen is also listed on the OSI SYSTEM LIST screen.

Table 6-1. Correcting Consistency Errors Found When Enabling TCP/IP Hosts to Use OSI Applications

For this consistency error:  DESTINATION SYSTEM HAS NO NSAPA/IP ADDRESS PAIRINGS DEFINED
Go to this NAU screen:       NSAPA/IP ADDRESS PAIRING
And make this correction:    Enter the NSAPA/IP address pair for the destination host.

For this consistency error:  LOCAL IP ADDRESS NOT DEFINED ON HOST'S TCPIP IDENTITY LIST
Go to this NAU screen:       TCP/IP IDENTITY LIST
And make this correction:    Verify that the IP address of the local host is listed on the TCP/IP IDENTITY LIST.

For this consistency error:  NSAPA DOES NOT EXIST ON THE DESTINATION SYSTEM
Go to this NAU screen:       NSAPA ASSIGNMENT LIST
And make this correction:    Verify that each destination system listed on the LOCAL IP ADDRESS ASSIGNMENT screen has a defined NSAPA.

Printing OSI-TCP/IP Address Pairing Information

View the OSI NSAPA/Network Address Pairing Summary report to see a printed version of how you defined your network, component by component.

To generate the OSI NSAPA/Network Address Pairing Summary report, perform the following steps:

1. On either the NETWORK HOME MENU or the NETWORK GENERATION MENU screen, enter PRT in the Choice field and transmit the screen.

   The PRINT GENERATED NETWORK DESCRIPTION MENU screen displays.

2. Enter USERPRODEF in the Choice field and transmit.

   The PRINT SELECT INFORMATION screen displays.

3. Enter X next to OSI information and transmit.

Figure 6-11 displays a sample OSI NSAPA/Network Address Pairing Summary report.

****************************************************************************
* NCS DB Version: TEST   Print Network Report   NAU Version   Page:3       *
* Date: 3/24/96                                                            *
* Time: 11:18 AM   OSI NSAPA/Network Address Pairing Summary               *
****************************************************************************
* OSI System Name: ES1                                                     *
****************************************************************************
NSAPA                 IP Address        Domain Name
C1F1F0C9D6E2E
Destination System    NSAPA             Local IP Address
CHICAGO               C3C8C9C3C7D6F
****************************************************************************
* OSI System Name: CHICAGO1                                                *
****************************************************************************
NSAPA                 IP Address        Domain Name
C3C8C9C3C7D6F
****************************************************************************

Figure 6-11. Sample OSI Network Address Pairing Summary Report

Using the Operations Interface (OI) to Configure OSI-TCP/IP Address Pairs

The following commands enable you to configure, modify, and inquire on OSI-TCP/IP address pairs:

• ADD NETWORK ADDRESS PAIR
• DELETE NETWORK ADDRESS PAIR
• NETWORK ADDRESS PAIR
• OSITCP CONNECTION

For a complete description of each command, refer to the Networking Commands and Inquiries Help. For more information about basic OSI commands, refer to the OSI Software Operations Guide.

Notes:

• If you make any changes to your network using these commands, those changes are only in effect until the next initialization of your network.
• Use the NAU to make permanent changes to your network. The NAU is a menu-driven program that verifies your changes for consistency to minimize configuration errors.

Mapping a TCP/IP Host's IP Address to Its OSI NSAP Address

For a local or remote TCP/IP host to run OSI applications, you must identify a pairing between the host's IP address (when configuring a destination host you can use a domain name in place of, or with, the destination host's IP address) and its NSAP address. To do so, issue the following commands:

When configuring a local host, enter one of the following commands at the system console:

    NW ADD NETWORKADDRESSPAIR NSAPADDRESS = <NSAP address> TO IPADDRESS = <IP address>
    NW ADD NETWORKADDRESSPAIR NSAPADDRESS = <NSAP address> TO IPADDRESS = <IP address> DOMAINNAME = <domain name>

The variables are described as follows.

Variable: <NSAP address>
Description: The OSI NSAP address configured for the local host.

Variable: <IP address>
Description: The TCP/IP IP address configured for the local host.

Variable: <domain name> Optional
Description: The TCP/IP domain name configured for the local host. This value must be entered enclosed in double quotation marks (") when entered as part of the command syntax.

When configuring a remote host, enter one of the following commands at the system console:

    NW ADD NETWORKADDRESSPAIR NSAPADDRESS = <NSAP address> TO IPADDRESS = <IP address>
    NW ADD NETWORKADDRESSPAIR NSAPADDRESS = <NSAP address> TO IPADDRESS = <IP address> DOMAINNAME = <domain name>
    NW ADD NETWORKADDRESSPAIR NSAPADDRESS = <NSAP address> TO DOMAINNAME = <domain name>

Note: If the local TCP/IP host in your network is configured with multiple network paths (multiple IP addresses), you might want to issue one of the following commands as a means of controlling the specific outbound connection (network path) that will be used by the local host when communicating with the remote host:

    NW ADD NETWORKADDRESSPAIR NSAPADDRESS = <NSAP address> TO IPADDRESS = <IP address> DOMAINNAME = <domain name> LOCALIPADDRESS = <local IP address>
    NW ADD NETWORKADDRESSPAIR NSAPADDRESS = <NSAP address> TO DOMAINNAME = <domain name> LOCALIPADDRESS = <local IP address>

The variables are described as follows.

Variable: <NSAP address>
Description: The OSI NSAP address configured for the remote host.

Variable: <IP address>
Description: The TCP/IP IP address configured for the remote host.

Variable: <domain name>
Description: The TCP/IP domain name configured for the remote host. This value must be entered enclosed in double quotation marks (") when entered as part of the command syntax.

Variable: <local IP address>
Description: The TCP/IP IP address of the local host that identifies the outbound connection you want the local host to use in communication with the remote host.

If the command is successful, the system responds with the following response:

    NETWORK ADDRESS PAIRING ADDED

Deleting the Mapping Between an OSI-TCP/IP Address Pair

Use the DELETE NETWORK ADDRESS PAIR command to delete a previously configured OSI-TCP/IP address pair. To delete an OSI-TCP/IP address pair, issue one of the following commands at the system console:

To delete all the OSI-TCP/IP address pairs configured in your network, issue the following command at the system console:

    NW DELETE NETWORKADDRESSPAIR *ALL

There are many variations of the command syntax that are acceptable when you have a specific OSI-TCP/IP address pair that you want to delete from the network. For a complete syntax diagram illustrating all of your options, refer to the Networking Commands and Inquiries Help. The following table lists several command syntax options that are available for deleting a specific OSI-TCP/IP address pair.

To delete: All OSI-TCP/IP address pairings associated with a specific NSAP address
Issue this command at the system console: NW DELETE NETWORKADDRESSPAIR NSAPA = <NSAP address> TO *ALL

To delete: An OSI-TCP/IP address pair associated with a specific NSAP address and domain name
Issue this command at the system console: NW DELETE NETWORKADDRESSPAIR NSAPA = <NSAP address> TO DOMAINNAME = <domain name>

To delete: All OSI-TCP/IP address pairings associated with a specific IP address
Issue this command at the system console: NW DELETE NETWORKADDRESSPAIR IPADDRESS = <IP address> TO *ALL

To delete: An OSI-TCP/IP address pair associated with a specific domain name
Issue this command at the system console: NW DELETE NETWORKADDRESSPAIR DOMAINNAME = <domain name>

To delete: All OSI-TCP/IP address pairings associated with a local host's local IP address
Issue this command at the system console: NW DELETE NETWORKADDRESSPAIR LOCALIPADDRESS= <local IP address>

Checking the OSI-TCP/IP Pairings Using Network Inquiries

You can verify that you have mapped the OSI-TCP/IP addresses correctly using network inquiries. Table 6-2 lists the inquiries available for verifying the OSI-TCP/IP pairings.

Table 6-2. OSI-TCP/IP Address Pair Inquiries

To retrieve this information: All OSI-TCP/IP pairs configured for your network
Enter this inquiry: NW NETWORKADDRESSPAIR

To retrieve this information: OSI-TCP pairs associated with a specific NSAP address
Enter this inquiry: NW NETWORKADDRESSPAIR NSAPADDRESS <NSAP address> *

To retrieve this information: Current number of TCP subports in use
Enter this inquiry: NW OSITCP CONNECTION

To retrieve this information: You can also optionally specify an NSAP address with this syntax
Enter this inquiry: NW OSITCP CONNECTION NSAPADDRESS <NSAP address>

* You can optionally replace the NSAPADDRESS <NSAP address> syntax with IPADDRESS <IP address>, DOMAIN NAME <domain name>, or LOCALIPADDRESS <IP address> for this command.

Sample OSI Initialization Files

Figure 6-12 and Figure 6-13 identify the OSI initialization files that would be generated by the NAU based on the configuration in Figure 6-1. These OSI initialization files are required for each TCP/IP application host that you are enabling to run OSI applications.

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% NETWORK ADMINISTRATIVE UTILITY VERSION %
% HOST: ES1 %
% CNS RELEASE: 44.2(200) %
% DATE: August 20, 1997 %
% FILE TITLE: (NAU)OSISAMPLE/INIT/ES1/OSI ON NETINFO %
% NCS DB VERSION: OSISAMPLE %
% %
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
NW OSI+;%
%
%
%
%
NW ADD NETWORKADDRESSPAIR%
NSAPADDRESS = C1F1F0C9D6E2E301 TO%
IPADDRESS = %
;%
%
%
NW ADD NETWORKADDRESSPAIR%
NSAPADDRESS = C3C8C9C3C7D6F101 TO%
IPADDRESS = %
;%
%
%
NW ADD NETWORKADDRESSPAIR%
NSAPADDRESS = D7C8C9D3C1F101 TO%
IPADDRESS = %
;%
%
%
NW ADD NETWORKADDRESSPAIR%
NSAPADDRESS = D1FE8C9D6E6F201 TO%
IPADDRESS = %
;%

Figure Initialization File for OSI in ES1

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% %
% NETWORK ADMINISTRATIVE UTILITY VERSION %
% HOST: ES1 %
% CNS RELEASE: 44.2(200) %
% DATE: August 20, 1997 %
% FILE TITLE: (NAU)OSISAMPLE/INIT/ES1/OSI/ENDPOINTS ON NETINFO %
% NCS DB VERSION: OSISAMPLE %
% %
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%
%
NW ADD OSIENDPOINTNAME%
( %
FILENAME = TPOSI%
, HOSTNAME = ES1%
, NAME = "TP"%
, APPLICATIONGROUP = *BNA_HOST_SERV%
, PRESENTATIONSELECTOR = 5450%
, SESSIONSELECTOR = 4F %
, TRANSPORTSELECTOR = 01%
, NSAPADDRESS = C1F1F0C9D6E2E301%
);%
%
%
NW ADD OSIENDPOINTNAME%
( %
FILENAME = TPOSI%
, HOSTNAME = TCPHOST1%
, NAME = "TP"%
, APPLICATIONGROUP = *BNA_HOST_SERV%
, PRESENTATIONSELECTOR = 5450%
, SESSIONSELECTOR = 4F %
, TRANSPORTSELECTOR = 01%
, NSAP ADDRESS = C3C8C9C3C7D6F101%
);%
%
%
NW ADD OSIENDPOINTNAME%
( %
FILENAME = MHSOSI%
, HOSTNAME = ES1%
, NAME = "X400MHS"%
, APPLICATIONGROUP = *BNA_HOST_SERV%
, SESSIONSELECTOR = *NULL%
, TRANSPORTSELECTOR = 01%
, NSAPADDRESS = C1F1F0C9D6E2E301%
);%
%
%
NW ADD OSIENDPOINTNAME%
( %
FILENAME = MHSOSI%
, HOSTNAME = TCPHOST1%
, NAME = "X400MHS"%
, APPLICATIONGROUP = *BNA_HOST_SERV%
, SESSIONSELECTOR = *NULL%
, TRANSPORTSELECTOR = 01%
, NSAPADDRESS = C3C8C9C3C7D6F101%
);%
%
%
NW ADD OSIENDPOINTNAME%
( %
FILENAME = MHSOSI%
, HOSTNAME = TCPHOST2%
, NAME = "X400MHS"%
, APPLICATIONGROUP = *BNA_HOST_SERV%
, SESSIONSELECTOR = *NULL%
, TRANSPORTSELECTOR = 01%
, NSAP ADDRESS = D7C8C9D3C1F101%
);%
%
%
NW ADD OSIENDPOINTNAME%
( %
FILENAME = MHSOSI%
, HOSTNAME = TCPHOST3%
, NAME = "X400MHS"%
, APPLICATIONGROUP = *BNA_HOST_SERV%
, SESSIONSELECTOR = *NULL%
, TRANSPORTSELECTOR = 01%
, NSAPADDRESS = D1F8C9D6E6F201%
);%
%
%

Figure Initialization File for the OSI Endpoints in ES

Configuring a More Complex Network

Figure 6-1 (earlier in this section) illustrates a simple network configuration where each host in the network is configured with one OSI NSAP address and one TCP/IP IP address. However, in a more complex network configuration, a local or remote host in your network could be configured with multiple IP addresses (network paths) and/or multiple NSAP addresses. For example, you have the following options:

    Pairing one NSAP address to multiple IP addresses
    Pairing one domain name address to multiple NSAP addresses
    Identifying one IP address to pair with a specific NSAP address

Figure 6-1 illustrates a sample TCP/IP configuration consisting of one enterprise server host and three other hosts (TCPHOST1, TCPHOST2, and TCPHOST3). In this example, assume the sample network is configured with the following IP addresses, domain names, and NSAP addresses.

Host IP Address Domain Name NSAP Address
ES Not Identified
TCPHOST1 Not Identified TCPHOST1.TREDY.BIGCO.COM
TCPHOST Not Identified
TCPHOST TCPHOST3.TREDY.BIGCO.COM

It is recommended that you use the NAU to configure your network. The NAU will generate initialization files based on the input you enter as you traverse through the screens. The initialization files generated consist of a series of commands.

Generating the Appropriate OSI Endpoints

Based on the information provided, the following OSI endpoints should already be configured in the OSI endpoint initialization file for ES1.

Note: To enable OSI applications to run over a TCP/IP network, you do not have to make any changes to existing OSI endpoint definitions.

OSI Endpoint Needed to Enable: ES1 to run Open/OLTP applications
Command Generated by NAU: NW ADD OSIEPN (FN = TPOSI, HN = ES1, NAME = "TP", APPLGRP = *BNA_HOST_SERV, PSEL = 5450, SSEL = 4F , TSEL = 01, NSAPA = )

OSI Endpoint Needed to Enable: ES1 to run MHS applications
Command Generated by NAU: NW ADD OSIEPN (FN = MHSOSI, HN = ES1, NAME = "X400MHS", APPLGRP = *BNA_HOST_SERV, SSEL = *NULL, TSEL = 01, NSAPA = )

OSI Endpoint Needed to Enable: TCPHOST1 to run Open/OLTP applications
Command Generated by NAU: NW ADD OSIEPN (FN = TPOSI, HN = TCPHOST1, NAME = "TP", APPLGRP = *BNA_HOST_SERV, PSEL = 5450, SSEL = 4F , TSEL = 01, NSAPA = )

OSI Endpoint Needed to Enable: TCPHOST1 to run MHS applications
Command Generated by NAU: NW ADD OSIEPN (FN = MHSOSI, HN = TCPHOST1, NAME = "X400MHS", APPLGRP = *BNA_HOST_SERV, SSEL = *NULL, TSEL = 01, NSAPA = )

OSI Endpoint Needed to Enable: TCPHOST2 to run MHS applications
Command Generated by NAU: NW ADD OSIEPN (FN = MHSOSI, HN = TCPHOST2, NAME = "X400MHS", APPLGRP = *BNA_HOST_SERV, SSEL = *NULL, TSEL = 01, NSAPA = )

OSI Endpoint Needed to Enable: TCPHOST3 to run MHS applications
Command Generated by NAU: NW ADD OSIEPN (FN = MHSOSI, HN = TCPHOST3, NAME = "X400MHS", APPLGRP = *BNA_HOST_SERV, SSEL = *NULL, TSEL = 01, NSAPA = )

Pairing the Appropriate OSI-TCP/IP Addresses

If you do not care which network path ES1 selects as an outbound connection path when communicating with remote hosts TCPHOST1, TCPHOST2, and TCPHOST3 (and you configure the network using the NAU according to the instructions provided in the "Pairing a TCP/IP Host's IP Address to Its OSI NSAP Address", and "Identifying Destination Hosts" subsections of this section), the NAU will generate the following ADD NETWORK ADDRESS PAIR commands in your OSI initialization file.

Host: ES1
Commands Placed in the OSI Initialization File:
    NW ADD NETADDRPAIR NSAPA TO IPADDR
    NW ADD NETADDRPAIR NSAPA TO IPADDR
    NW ADD NETADDRPAIR NSAPA TO IPADDR
    NW ADD NETADDRPAIR NSAPA TO IPADDR

Host: TCPHOST1
Commands Placed in the OSI Initialization File:
    NW ADD NETADDRPAIR NSAPA TO DN "TCPHOST1.TREDY.BIGCO.COM"
    NW ADD NETADDRPAIR NSAPA TO DN "TCPHOST1.TREDY.BIGCO.COM"

Host: TCPHOST2
Commands Placed in the OSI Initialization File:
    NW ADD NETADDRPAIR NSAPA TO IPADDR

Host: TCPHOST3
Commands Placed in the OSI Initialization File:
    NW ADD NETADDRPAIR NSAPA TO IPADDR DN "TCPHOST3.TREDY.BIGCO.COM"

These commands enable the enterprise server to communicate with remote hosts TCPHOST1, TCPHOST2, and TCPHOST3 running OSI applications over either outbound connection path.

Identifying a Specific Outbound Path to Be Used for Communication

If you always want ES1 to use the same network path as an outbound connection when communicating with TCPHOST1 and TCPHOST3, you must configure your network a bit differently when entering input as you traverse through the NAU screens. Assuming you want ES1 to always use network path as an outbound connection path when communicating with TCPHOST1 and TCPHOST3, enter the following input on the NAU screens:

1. On the NETWORK HOME MENU screen, enter OSI in the Choice field and transmit the screen. The OSI MENU screen displays.
2. Enter NSA in the Choice field and transmit the screen. The SYSTEM LIST screen displays.
3. Place the cursor on the name of the host that you want to run OSI applications, and press the Specify key. For this example, specify on ES1. The OSI SYSTEM MENU screen displays.

4. Enter NSA in the Choice field and transmit the screen. The NSAPA ASSIGNMENT screen displays with the Network Service Access Point Address field prefilled with NSAP addresses and Specify on the first NSAP address. The NSAPA/IP ADDRESS PAIRING screen displays.
6. Enter IP address in the first IP Address field, and in the second IP Address field. The screen appears as displayed in Figure

OSISAMPLE * NAU -- NSAPA/IP ADDRESS PAIRING * 393
ACTION: [ ]
HOme OSi PArent PRevious FInd WElcome QUit TEach REfresh
System: ES1 NSAPA:
IP Address: [192].[029].[001].[111] Domain Name: [ ]
IP Address: [192].[030].[002].[112] Domain Name: [ ]
IP Address: [ ].[ ].[ ].[ ] Domain Name: [ ]
EXPERT:EDIT

Figure NSAPA/IP ADDRESS PAIRING Screen

7. Repeat the steps beginning with the SYSTEM LIST screen to specify on the other hosts in the network (for the sample network this includes TCPHOST1, TCPHOST2, and TCPHOST3) to define their OSI-TCP pairing information as identified in the following table.

Host IP Address Domain Name
TCPHOST1 Leave this field blank. TCPHOST1.TREDY.BIGCO.COM
TCPHOST Leave this field blank.
TCPHOST TCPHOST3.TREDY.BIGCO.COM

Identifying the Destination Systems

Once you have identified the pairing between the host's IP address and its OSI NSAP address, you must identify which destination hosts the local host can communicate with. This is done on the OSI DESTINATION NETWORK ADDRESS PAIRS screen. To define the appropriate destination hosts to the local host, perform the following steps using the NAU:

1. On the SYSTEM LIST screen, specify on local host ES1. The OSI SYSTEM MENU screen displays.
2. Enter NAP in the Choice field and transmit the screen. The OSI DESTINATION NETWORK ADDRESS PAIRS screen displays.
3. Enter the name of the destination hosts with which the local host will communicate. For the sample, enter TCPHOST1, TCPHOST2, and TCPHOST3, and transmit the screen. The screen is refreshed.
4. Specify on TCPHOST1 (to further define the configuration so that ES1 will always use the same network path when it communicates with TCPHOST1). The LOCAL IP ADDRESS ASSIGNMENT screen displays with the Network Service Access Point Address field prefilled with TCPHOST1's NSAP addresses.
5. Enter the IP address of ES1 that you want to use as an outbound connection path to TCPHOST1; for the sample, enter for both NSAP addresses.
6. Repeat these steps beginning with step 4 to define the same ES1 IP address to be used as an outbound connection path when communicating with TCPHOST

OI Commands Generated by the NAU

The NAU will place the following ADD NETWORK ADDRESS PAIR commands in the ES1 OSI initialization file:

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% %
% NETWORK ADMINISTRATIVE UTILITY VERSION %
% HOST: ES1 %
% CNS RELEASE: 44.2(200) %
% DATE: August 20, 1997 %
% FILE TITLE: (NAU)OSISAMPLE/INIT/ES1/OSI ON NETINFO %
% NCS DB VERSION: OSISAMPLE %
% %
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
NW OSI+;%
%
%
%
%
NW ADD NETWORKADDRESSPAIR%
NSAPADDRESS = TO%
IPADDRESS = %
;%
%
%
NW ADD NETWORKADDRESSPAIR%
NSAPADDRESS = TO%
IPADDRESS = %
;%
%
%
NW ADD NETWORKADDRESSPAIR%
NSAPADDRESS = TO%
IPADDRESS = %
;%
%
%
NW ADD NETWORKADDRESSPAIR%
NSAPADDRESS = TO%
IPADDRESS = %
;%
%
%
NW ADD NETWORKADDRESSPAIR%
NSAPADDRESS = TO%
DOMAINNAME = "TCPHOST1.TREDY.BIGCO.COM"%
LOCALIPADDRESS = %
;%
%
%
NW ADD NETWORKADDRESSPAIR%
NSAPADDRESS = TO%
DOMAINNAME = "TCPHOST1.TREDY.BIGCO.COM"%
LOCALIPADDRESS = %
;%
%
%
NW ADD NETWORKADDRESSPAIR%
NSAPADDRESS = TO%
IPADDRESS = %
;%
%
%
NW ADD NETWORKADDRESSPAIR%
NSAPADDRESS = TO%
IPADDRESS = %
DOMAINNAME = "TCPHOST3.TREDY.BIGCO.COM"%
LOCALIPADDRESS = %
;%

Operating OSI Applications

Once you have completed all the procedures described in this section, you are ready to begin operating OSI applications over a TCP/IP network. Refer to the OSI Message Handling System (OSI-MHS) Installation and Administration Guide for more information on related OSI applications.

Appendix A TCP/IP Commands and Inquiries

This appendix lists and briefly describes the OI commands and inquiries that you can use to perform TCP/IP operations. For a complete description of each OI command and inquiry, refer to the Networking Commands and Inquiries Help. To initialize, terminate, or inquire on the TCP/IP software, see Section 4, Operating TCP/IP Software.

Table A-1. TCP/IP Commands and Inquiries

Command: SNMP GET Inquiry
Description: Displays SNMP object values.

Command: SNMP GETNEXT Inquiry
Description: Displays the SNMP object values located at the hexagraphical MIB II location.

Command: SNMP GET TCPVERSION
Description: Enables SNMP agents to inquire about the TCPIP AND TCPIP Security version in use.

Command: SNMP RESET
Description: Resets or disables the SNMP objects and functions.

Command: SNMP SET
Description: Sets and enables SNMP objects and functions.

Command: SNMP SET RIProutetimeout
Description: Sets the value (in seconds) for the routing expiration timer.

Command: TCPIP ADDRESS SELECTION POLICY
Description: Enables an administrator to override the default address selection as specified by RFC 3484 and set up policies for selecting preferred source and destination addresses.

Command: TCPIP ARP
Description: Sets, deletes, adds, or displays the IP address, physical address, and status for all entries in the ARP table.

Command: TCPIP ARP ATM
Description: Used to add an ARP ATM entry for either a PVC or SVC connection, delete an ARP ATM entry, or inquire on an ARP ATM entry.

Command: TCPIP ARP SERVER
Description: Used to
    Add ARP servers with PVC or SVC connections
    Delete a specific ARP server entry, all entries to a specific ARP server, or all ARP server entries
    Inquire on ARP servers

Command: TCPIP ATMCACHETIMER
Description: Enables you to specify or inquire on the ATMCacheTimer used for aging entries in the ATMARP table.

Command: TCPIP BROADCASTFILTER
Description: Enables you to filter out broadcast traffic (packets) on attached MAICP4, FC3-IOP, SAS-IOP, or VNP networking devices. By eliminating excessive broadcast traffic at the network interface level rather than within the MCP host, you can free up the MCP processor for its normal workload and prevent a Denial of Service from being imposed on the MCP host.

Command: TCPIP CONNECTION
Description: Displays a list of TCP/IP connections to a specified IP host or IP network address. The inquiry details of this command allow the network administrator to inquire on the specific attributes identified by the following subport keys:
    FILENAME
    HOSTNAME
    IPADDRESS
    MYNAME
    SECURED
    SSH
    YOURNAME
    TCPSTATE
    RESUMABLE (SSL connections only)
    SSL
    SACK
    UNSECURED
This command, when issued without a subport key selection, returns all known connections from the connections table. When issued with a subport key, the response to this command defaults to connection details regarding the subport identifiers specified. The returned responses also include SSL connections if they exist. You can limit the returned responses only to SSH, SECURED, or UNSECURED connections by specifying the respective keyword. The optional VERBOSE keyword, when specified, expands the response details to include transmission statistics. When the SACK option is used with the VERBOSE keyword, the response details are expanded to display the current usage of a negotiated TCP option or connection attributes for a TCP dialog instance. If a TCP dialog has successfully negotiated any of the supported options, the new response indicates the option that has been negotiated. Supported options include Selective ACK (SACK), Window Scale Factor (WSF), and Timestamp (TS).

Command: TCPIP DEBUG
Description: Enables, disables, or interrogates the TCP/IP debug options. This command has two options: DUMP, which examines the contents of various data structures, and TRACE, which traces the data flow through the TCP/IP software. You can specify the environment you want to examine or trace. The environments you can specify are the MCP server only, a Windows server only, or the MCP server and all Windows servers.

Command: TCPIP DISPLAY
Description: Sets when all (or specified) ICMP messages are reported at the ODT and in the SUMLOG. There are three message reporting options: ALWAYS, NEVER, or only the FIRST message within a specified time interval.

Command: TCPIP DISPLAY INTERVAL
Description: Sets the interval (in hours) that ICMP, Reset, and Error table information is written to the SUMLOG. The default interval is 2 hours. If no interval value is specified, this command displays the currently-defined interval.

Command: TCPIP DISPLAY OPTIONS Inquiry
Description: Displays the current display setting (ALWAYS, NEVER, or FIRST) for a particular ICMP message type.

Command: TCPIP DISPLAY TABLE Inquiry
Description: Displays TCP and ICMP report information maintained in the TCP/IP library. You can display all information contained in the ICMP table, Error table, or Reset table. You can also display information about a specified ICMP message type.

Command: TCPIP DYNAMICINIT
Description: Enables and disables the dynamic initiation of specified port numbers for registered TCP and UDP applications, and inquires on the current dynamic initiation status of all valid port numbers.

Command: TCPIP FILTERFRAMES
Description: Enables and disables filtering on specific TCP or UDP port numbers. If the command is entered without an enable or disable selection, it serves as an inquiry command and returns the current configuration setup for frame filtering for all TCP and UDP ports.

Command: TCPIP [TCPIP]IDENTITY
Description: Sets the local IP address, the network processor used for a particular IP address, and the subnet Mask for an IP address. Sets the Visible attribute for a network interface. Enhancements to this command enable a network administrator to
    Configure multiple local IP address and mask pairs for each network interface
    Delete multiple local IP address and mask pairs for each network interface
    Delete all local IP address and mask pairs for a network interface without specifying individual pairs
    Set the RIP Authentication type for each network interface
    Set the IP addresses associated with the interface to be available instead of being passed to Client Access Services or other applications
For IPv6 interfaces, this command enables an administrator to specify whether autoconfiguration should occur for an interface and to specify the number of consecutive neighbor solicitation messages to be sent when performing duplicate address detection.

Command: TCPIP [TCPIP]IDENTITY Inquiry
Description: Displays the local IP address, the IP address mask or prefix-length, the network provider, backup network provider device ID, the backup network provider device Line ID, the VLAN ID, and the physical address. For IPv6 interfaces, can display VLAN ID, autoconfiguration, and duplicate address detection characteristics.

Command: TCPIP LANRESILTIMER
Description: Enables a system administrator to specify or inquire on the LAN Resiliency Timer, which is used to check for network interfaces that are unavailable.

Command: TCPIP MAPPING Inquiry
Description: Displays the host or domain name currently mapped to the specified IP address or the IP addresses currently mapped to the specified host or domain name.

Command: TCPIP MAPPING
Description: Creates or removes one or more user-specified mappings between a TCP/IP host or domain name and an IP address. If the LEARNED option is specified, it removes all names to IP address mappings that were learned during domain name resolver queries over the Internet.

Command: TCPIP MONITOREVENTS
Description: Enables a system administrator to monitor port events, which include OPEN, CLOSE, LISTEN, RESET (both LOCAL and REMOTE), UDP SEND, and UDP RECEIVE.

Command: TCPIP MULTICASTDEFAULTADDRESS (MDA)
Description: Enables a system administrator to specify or inquire on the IP address of the network interface that is to be used, by default, for sending and receiving IP multicast frames. There can be one IPv4 address and one IPv6 address defined for the system, with each address entered by a different command.

Command: TCPIP NEIGHBOR
Description: IPv6 discovers and records information concerning neighbor nodes on the local link. This command works in conjunction with Neighbor Discovery to permit the administrator to add, modify, and delete a neighbor. The IPv6 NEIGHBOR function is similar to the IPV4 ARP function.

Command: TCPIP OPTION
Description: Enables a system administrator to configure TCP/IP options to control network behavior. Some options are enabled or disabled; others require that a value be supplied. The IPV4OnlyOperation option of this command restricts operation and configuration to IPv4 only. This command is provided as a safeguard to prevent the unintentional issuance of configuration commands that either explicitly configure IPv6 interfaces or enable IPv6 address autoconfiguration. The IPV4OnlyOperation option must be the first command processed by TCPIP during initialization. This sets the operating mode context for processing subsequent configuration commands. If IPV4OnlyOperation is not the first command, it is rejected as an invalid phase. In IPv4 only operating mode, commands that attempt to configure IPv6 interfaces receive the Invalid operating mode or Command processed with exceptions negative response, depending on the type of command and the TCPIP context at the time of processing. See Using TCP/IP Options in Section 4 for details on using this command.

Command: TCPIP PING
Description: Initiates the IP PING function. Use this command to determine if a remote host or another network interface on the same logical host is reachable.

Command: TCPIP RIP
Description: Provides network administrators with current Routing Information Protocol Version 2 (RIPv2) status and configuration information. Supported only for IPv4 interfaces.

Command: TCPIP RIP RIPAUTHENTICATION
Description: Enables network administrators to set the type of RIPv2 authentication that is in effect for a specified network processor and line. Administrators can also inquire on the current authentication types set on each device and line configured on the system. Supported only for IPv4 interfaces.

Command: TCPIP ROUTE
Description: This command enables a network administrator to
    Set or interrogate which networks are reachable by way of known gateways
    Clear learned routes from the routing table
    Configure VLSM and CIDR routes
    Configure multiple routes to a destination
    Configure multiple default routes

Command: TCPIP SECURITY
Description: Instantiates the TCPIPSECURITY library and loads a rules file (with the + parameter), terminates the TCPIPSECURITY library (with the - parameter), or loads a different rules file (with the RELOAD parameter). Filename (in quotation marks) is optional for the + and RELOAD command forms. Filename is ignored for the - command form.

Command: TCPIP SECURITY STATE
Description: Enables or disables TCP/IP network security settings.

Command: TCPIP STATUS Inquiry
Description: Displays the current phase of the TCP/IP network provider. If a module is not specified, the summary response is returned. If a module is specified, then detailed status for that module is returned. The following modules can be specified:
    IPsec: Can be used to inquire the status of the IPsec module and detailed information about the policies in use.
    SSL: Can be used to inquire the status of the SSL module and the list of versions and ciphers supported.
    SSH: Can be used to inquire the status of the SSH module and which algorithms are available for use.

Command: TCPIP TCPIPHOSTNAME
Description: Defines the TCP/IP host name used by the network administrator.

Command: TCPIP TCPIPHOSTNAME Inquiry
Description: Displays the TCP/IP host name.

Command: TCPIP TRACERT
Description: Enables you to interrogate your TCPIP network to determine whether a remote node is reachable, and the path used to try to reach it.

Command: TCPIP UDP ENDPOINTS
Description: Enables the inquiry on all UDP endpoints or on a specific UDP endpoint identified by a subport key.

Command: VERSION
Description: This command has been modified to display the versions of TCPIPSUPPORT and TCPIPSECURITY.

Command: ADD NETWORK ADDRESS PAIR
Description: Maps a TCP/IP application host's IP address to its OSI NSAP address.

Command: DELETE NETWORK ADDRESS PAIR
Description: Deletes a previously configured OSI-TCP/IP address pair.

Command: NETWORK ADDRESS PAIR Inquiry
Description: Displays all OSI-TCP/IP address pairs configured for your network.

Command: OSITCP CONNECTION Inquiry
Description: Displays the current number of TCP subports in use.


Appendix B Initialization File for the Sample Network

This appendix contains the initialization files that were generated by the NAU for the sample TCP/IP network described in Section 3. Figure B-1 shows the CNS initialization file. Figure B-2 shows the TCP/IP initialization file.

CNS Initialization File

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% Init file generated by UNISYS' %
% Network Administrative Utility Version %
% Host: ES1 %
% CNS Release: 53.1(100) %
% Explicit station objects not generated %
% DATE: January 17, 2008 %
% File Title: (NAU)IPV6/ES1/CNS ON DISK %
% NCS DB Version: IPV6 %
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
NW NETWORK INITIALIZATION FILE VERSION = "TREDY";%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% Host Attributes %
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% Configuration Commands %
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
NW ADD CONNECTIONGROUP CG_ICP_2100%
% Connection Group Information %
( TYPE = LAN%
, ICPDEVICEID = 210%
, LINEMODULEID = 1%
, LINEID = 0%
, LOCALADDRESS = 08000B000210%
, MAXINPUTMESSAGESIZELIMIT = 4352%
, MAXOUTPUTMESSAGESIZELIMIT = 4352%
, MAXINPUTMESSAGESIZE = 4352%
, MAXOUTPUTMESSAGESIZE = 4352%
)%
;%
NW ADD CONNECTIONGROUP CG_ICP_2101%
% Connection Group Information %
( TYPE = LAN%
, ICPDEVICEID = 210%
, LINEMODULEID = 1%
, LINEID = 1%
, LOCALADDRESS = DFF%
, MAXINPUTMESSAGESIZELIMIT = 1500%
, MAXINPUTMESSAGESIZE = 1500%
, ADAPTERTYPE = GIGABIT%
)%
;%
NW ADD CONNECTIONGROUP CG_ICP_2102%
% Connection Group Information %
( TYPE = LAN%
, ICPDEVICEID = 210%
, LINEMODULEID = 1%
, LINEID = 2%
, LOCALADDRESS = DFE%
, MAXINPUTMESSAGESIZELIMIT = 1500%
, MAXINPUTMESSAGESIZE = 1500%
, ADAPTERTYPE = GIGABIT%
)%
;%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% End Initialization %
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
NW CNS ENDINIT;%

Figure B-1. CNS Initialization File

295 Initialization File for the Sample Network TCP/IP Initialization File %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% % % % Init file generated by UNISYS' % % Network Administrative Utility Version % % Host: AH001 % % CNS Release: 54.1(100) % % Explicit station objects not generated % % Date: January 18, 2010 % % File Title: (NAUDB4)TEST/AH001/TCPIP ON NETINFO % % NCS DB Version: TEST % % % %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% NW TCPIP TCPIPIDENTITY ADD NP 210 LINE 0% /24 % VISIBLE +% ;% % % NW TCPIP TCPIPIDENTITY ADD NP 210 LINE 1% /24 % VISIBLE +% ;% % % NW TCPIP RIP RIPAUTHENTICATION NP 210 LINE 1 PASSWORD SET "v17gy5nqd3";% NW TCPIP TCPIPIDENTITY ADD NP 210 LINE 2% FEC0::1:04:23FF:FE09:2DFE/64 % VISIBLE +% ;% % % NW TCPIP TCPIPHOSTNAME ES1.TREDY.BIGCO.COM;% % % NW TCPIP DYNAMICINIT DISABLE UDP EXCEPT PORT% 1 TO 5% ;% NW TCPIP NEIGHBOR ADD FECO::1:04:23FF:FE09:2DFE % 08000B0003B0 NP 12 LINE 1 VLAN 4 PERMANENT;% NW TCPIP NEIGHBOR ADD % 08000B0011B0 NP 22 LINE 5 VLAN 9 TEMPORARY;% NW TCPIP ROUTE ADD FEC0::3:2A0:C9FF:FED8:5E35/64 % VIA FEC0::1:215:C9FF:FE00:1 PREF 1;% NW TCPIP ROUTE ADD FEC0::3:2A0:C9FF:FED8:5E35/64 % VIA FEC0::1:215:C9FF:FE00:3 PREF 2;% NW TCPIP ROUTE ADD /16 % VIA PREF 2;% NW TCPIP ROUTE ADD /16 % VIA PREF 1;% NW TCPIP ROUTE ADD DEFAULT FEC0::1:215:C6FF:FE00:1/64 % PREF 4;% NW TCPIP ROUTE ADD DEFAULT FEC0::1:215:C6FF:FE00:2 % PREF 3;% B 3

NW TCPIP ROUTE ADD DEFAULT MASK %
 PREF 5;%
NW TCPIP ROUTE ADD DEFAULT /24 %
 PREF 2;%
% %
NW TCPIP MAPPING + HOST-1.BIGCO.COM%
 FEC0::3:2A0:C9FF:FED8:5E35 %
, %
;%
NW ADD CONNECTION TO CG_ICP_2100%
 2100_TCPIP_2100%
% Connection Information %
( NETWORKLAYERENTITY = IP%
, REMOTEADDRESS = %
, CLASS = CLASS_1%
, RETRYLIMITXID = 10%
, MAXINPUTMESSAGESIZELIMIT = 4470%
, MAXOUTPUTMESSAGESIZELIMIT = 4470%
, MAXINPUTMESSAGESIZE = 4470%
, MAXOUTPUTMESSAGESIZE = 4470%
)%
;%
NW ADD CONNECTION TO CG_ICP_2101%
 2101_TCPIP_2101%
% Connection Information %
( NETWORKLAYERENTITY = IP%
, REMOTEADDRESS = %
, CLASS = ETHIP%
, RETRYLIMITXID = 10%
)%
;%
NW ADD CONNECTION TO CG_ICP_2102%
 2102_TCPIP_2102%
% Connection Information %
( NETWORKLAYERENTITY = IP%
, REMOTEADDRESS = %
, CLASS = ETHIP%
, RETRYLIMITXID = 10%
)%
;%

Figure B-2. TCP/IP Initialization File
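Added example (not part of the Unisys guide and not Unisys code): a Python audit for a file laid out like the TCP/IP initialization file above. It reports any RIP authentication password kept in the file, without echoing the secret, and any address literal that does not parse. It assumes that "%" starts a comment running to the end of the line and that ";" ends a statement, as the figure's layout suggests; the sample file, its 192.0.2.10 address and its password are constructed.

```python
import ipaddress
import re

# Constructed sample in the layout of the TCP/IP initialization file figure.
# 192.0.2.10 (documentation range) and the password are made up; the FECO
# token (letter O, not zero) is a deliberate typo for the audit to catch.
SAMPLE_INIT = '''
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% Constructed sample; not a real host  %
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
NW TCPIP TCPIPIDENTITY ADD NP 210 LINE 1%
 192.0.2.10/24 %
 VISIBLE +%
;%
NW TCPIP RIP RIPAUTHENTICATION NP 210 LINE 1 PASSWORD SET "EXAMPLE;%secret";%
NW TCPIP TCPIPIDENTITY ADD NP 210 LINE 2%
 FEC0::1:04:23FF:FE09:2DFE/64 %
 VISIBLE +%
;%
NW TCPIP NEIGHBOR ADD FECO::1:04:23FF:FE09:2DFE %
 08000B0003B0 NP 12 LINE 1 VLAN 4 PERMANENT;%
NW TCPIP ROUTE ADD FEC0::3:2A0:C9FF:FED8:5E35/64 %
 VIA FEC0::1:215:C9FF:FE00:1 PREF 1;%
'''

RIP_SECRET = re.compile(
    r'^NW TCPIP RIP RIPAUTHENTICATION NP (\d+) LINE (\d+) PASSWORD SET "[^"]*"$')
QUOTED = re.compile(r'"[^"]*"')
IPV4_LIKE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}(/\d{1,2})?$")


def strip_comments(text):
    """Drop everything from an unquoted '%' to end of line (assumed comment rule)."""
    lines = []
    for line in text.splitlines():
        kept, in_quote = [], False
        for ch in line:
            if ch == '"':
                in_quote = not in_quote
            elif ch == "%" and not in_quote:
                break
            kept.append(ch)
        lines.append("".join(kept))
    return "\n".join(lines)


def split_statements(text):
    """Return statements split on unquoted ';', with whitespace collapsed."""
    statements, buf, in_quote = [], [], False

    def flush():
        stmt = " ".join("".join(buf).split())
        if stmt:
            statements.append(stmt)
        buf.clear()

    for ch in strip_comments(text):
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            flush()
        else:
            buf.append(ch)
    flush()  # keep an unterminated tail so it is not silently ignored
    return statements


def audit(text):
    """Return (kind, detail) findings; secrets are never copied into the result."""
    findings = []
    for stmt in split_statements(text):
        match = RIP_SECRET.match(stmt)
        if match:
            findings.append(
                ("secret-in-file", f"NP {match.group(1)} LINE {match.group(2)}"))
        # Validate every address-looking token outside quoted strings.
        for tok in re.split(r"[\s,()=]+", QUOTED.sub("", stmt)):
            if ":" in tok or IPV4_LIKE.match(tok):
                try:
                    ipaddress.ip_interface(tok)
                except ValueError:
                    findings.append(("invalid-address", tok))
    return findings


if __name__ == "__main__":
    for kind, detail in audit(SAMPLE_INIT):
        print(f"{kind:16} {detail}")
```

A "secret-in-file" finding means the initialization file itself holds the password, so read access to that file is worth reviewing.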

Appendix C
Using the NAU in a Web Browser

If you have a ClearPath MCP system with the Web Enablement Package, you can use Web Enabler for ClearPath MCP to run the Network Administrative Utility (NAU) within a Java-capable web browser. Web Enabler for ClearPath MCP web pages include an applet that is executed within the browser to emulate the MCP-based terminal screen.

Web Enabler for ClearPath MCP can be accessed from a variety of client environments. Refer to the Web Enabler for ClearPath MCP Implementation Guide for specific browser and platform compatibility requirements.

Web Enabler for ClearPath MCP is very flexible from a user's perspective. It can be configured to have the nostalgic look-and-feel of a traditional TD/MT/T27 style terminal or the more contemporary appearance of a typical form-based web page. It can also be configured to reflect a user's operational preferences.

This appendix describes how to
- Prepare the Web Enabler for ClearPath MCP HTML page
- Run the NAU in Web Enabler for ClearPath MCP

Preparing the Web Enabler for ClearPath MCP HTML Page

To use Web Enabler for ClearPath MCP, you must place an HTML page on the Web Transaction Server for ClearPath MCP of your ClearPath system. This page gives the Transaction Server the information it needs to display Web Enabler for ClearPath MCP in your browser. Depending on how you configure the page, it can give you general-purpose access to the MCP environment through a CANDE or MARC prompt, or it can take you directly to the NAU.

You can manually create a Web Enabler for ClearPath MCP HTML page by configuring the applet as described in the Web Enabler for ClearPath MCP Implementation Guide. However, this manual process is not recommended. Instead, Unisys recommends that you
- Use an existing Sample HTML page, or
- Use the Web Enabler Wizard to create an NAU-specific Web Enabler HTML page that meets your needs

Using a Sample Page

Web Enabler for ClearPath MCP sample HTML pages provide an easy way to get started. A number of fully operational pages are available from the Web Enabler for ClearPath MCP Welcome page. On a simple corporate intranet, the Welcome page should be located at and the Samples page should be located at

Each of the Sample pages provides the MARC log-on screen. From any sample, you should be able to access the NAU following normal operational procedures.

Creating a Page with the Web Enabler Wizard

The Web Enabler Wizard is an applet that provides users with a convenient way to create Web Enabler for ClearPath MCP HTML pages and publish them on the web server. Once published, these pages can be retrieved by anyone with access to their URL.

The Web Enabler Wizard includes an easy-to-use GUI that has been designed to guide a user through the applet configuration process. Context-sensitive help screens are available if required.

The Web Enabler Wizard is intended primarily for a system administrator; however, many end users will find it useful for creating their own custom web pages. Users can easily create applet-based Web Enabler for ClearPath MCP pages that include scripting, specific functional attributes, and appearance characteristics.

On a simple corporate intranet, the Web Enabler Wizard should be located at name>/nxwebstation/wizard/wizard.htm

Running the NAU in Web Enabler for ClearPath MCP

1. Open an Internet session with the applicable Web Enabler web page.

   Notes:
   - The Web Enabler for ClearPath MCP web page can be delivered in a digitally signed code file. Such files provide a security certificate to specify that the program is from a specified source and that it is genuine. If you accept a digitally signed code file, certain normally restricted applet features become enabled. These features include copying and pasting between native applications, printing, and the ability to connect to any host in the network.
   - The message "Warning: Applet Window" appears on the browser's status bar. This is a normal function of Java, intended to remind you that applets downloaded from unknown systems are not necessarily secure.

2. When the page is accessed, the Web Enabler for ClearPath MCP opens a MARC logon window with Usercode and Password fields. When you transmit a valid usercode and password, you are logged onto the system on which the web server is running. Depending on the definition of your station, you see the initial window.

3. If the NAU resides on a system other than the one at which the web server is running, perform a station transfer (CONNECT TO system_name) to the NAU's system and log on there with a valid usercode and password.

4. Run the NAU as you would through a terminal attached to the same system.


Appendix D
TCP/IP Capabilities

When making decisions on which TCP/IP features to implement for ClearPath and ClearPath Plus systems, one of the key factors is the TCP/IP strategy developed by the TCP/IP engineering staff and ClearPath Product Management. The ClearPath Enterprise Server is positioned as a host end-node within an IP network. The strategy is to implement RFCs that are relevant to this positioning and that have the greatest impact for the client base. From an Internet Engineering Task Force (IETF) model, this could preclude various network layer (routing) protocols and some transport layer protocols that are not relevant to the general ClearPath markets.

The TCP/IP engineering staff and ClearPath Product Management review functional requirements on an on-going basis as part of the software development cycle. Sources of these requirements come from our customers, usually via new feature suggestions (NFSs), our sales and marketing force (driven by target market requirements), as well as engineering research. The selection of the implementation approach is done on a feature by feature basis. Performance, ease-of-use, and time-to-market are all considered when determining an implementation.

Table D-1 and Table D-2 in this section divide TCP/IP capabilities into Network Services and Host Services. For each category, TCP/IP related features and attributes of the feature are listed, along with Support and Release stream indications, related Unisys Product Information, and the applicable industry RFCs, if any. If an RFC is not listed, you can assume that it has not been implemented.

See Network Services Related Documentation after Table D-1 for the list of documents associated with the numbers in the Related Documentation column of the table. See Host Services Related Documentation after Table D-2 for the list of documents associated with the numbers in the Related Documentation column of the table.

Unless otherwise noted, all features are available in the MCP environment of the ClearPath servers.

302 TCP/IP Capabilities TCP/IP Capabilities - Network Services Table D 1. Network Services Capabilities Feature Subfeature Support Release Related Documentation RFC Transmission Control Protocol (TCP) API Port File Sockets Yes Yes All Rel , 2, 3, 4, 5 793, 1122 User Datagram Protocol (UDP) API Port File Sockets No Yes N/A Rel , 5 768, 1122 Internet Protocol (IP) Programmatic Interface Yes No All N/A 4, 5 791, 919, 922, 950, 1112, 1122 Internet Control Message Protocol (ICMP) Yes All 5, 6 792, 1256 ICMP Router Discovery Messages Yes All Routing Information Protocol (RIP) Listening Mode Active Mode Yes No All N/A Routing Information Protocol Version 2 (RIPv2) Listening Mode Active Mode Yes No Rel. 8.0 N/A To be added 1722, 1723, 2453 Path MTU Discovery Address Resolution Protocol (ARP) No N/A N/A 1191 Yes All 5, IP over Ethernet Yes All IP over 802 No N/A N/A 1042 LAN Resiliency Yes Rel N/A PING Command Interface Yes All 5 N/A Programmatic Interface No N/A D

303 TCP/IP Capabilities Table D 1. Network Services Capabilities Feature Subfeature Support Release Related Documentation RFC TRACERT Yes Rel , 6, 7 N/A Classless Interdomain Routing (CIDR) Variable-Length Subnet Masking (VLSM) Yes Rel , Yes Rel Secure Sockets Layer (SSL) WEB Server Yes Rel. 6.0 (CS and LX) 3, 8, 9, (TLS 1.0) Application Sockets Yes Rel. 7.0 (CS and LX) 5246 (TLS 1.2) TCPIPNATIVES ERVICE Ports Yes Rel Secure Shell (SSH) Filtering Frames Based on TCP or UDP Ports Dead Gateway Detection Using ARP/RIP SFTP SSH Remote Command Yes Rel , Yes Rel , 6, 7 Yes Rel D 3

304 TCP/IP Capabilities Table D 1. Network Services Capabilities Feature Subfeature Support Release Related Documentation RFC IPv6 Internet Addressing Yes Rel , 2, 3, 4, 8, 13 See Section 1, IPv6 Internet Standards (IETF RFCs)" IPsec Yes Rel , 3, 4, , 4302, 4303, 4835 See Section 1, IPv6 Internet Standards (IETF RFCs)" Protecting TCP/IP Dialogs Yes Rel , 6, Broadcast Filtering Yes Rel , 6, 7 Monitoring TCP and UDP Port Events Yes Rel , 6, 7 D

305 TCP/IP Capabilities Table D 1. Network Services Capabilities Feature Subfeature Support Release Related Documentation RFC Dynamic Port Filtering TCP Window Scale Factor Note: Check the Errata for restrictions or guidelines concerning dynamic port filtering. Yes Rel , 6, 7 Yes Rel , Fast Retransmit Yes Rel IPv6: Path MTU Discovery TCP Selective Acknowledgement Yes Rel Yes Rel , 2883, D 5

Network Services Related Documentation

Refer to the following related documentation for information on network services:
- I/O Subsystem Programming Guide ( )
- File Attributes Programming Reference Manual ( )
- MCP Sockets Service Programming Guide ( )
- Networking Capabilities Overview ( )
- Networking Commands and Inquiries Help ( )
- Networking Reports and Log Messages Help ( )
- TCP/IP Implementation and Operations Guide ( )
- Web Transaction Server for ClearPath MCP Site Manager Help ( )
- Web Transaction Server for ClearPath MCP Administration and Programming Guide ( )
- Security Administration Guide ( )

307 TCP/IP Capabilities TCP/IP Capabilities - Host Services Table D 2. Host Services Capabilities Feature Subfeature Support Release Related Documentation RFC File Transfer Protocol (FTP) Server Clear Command Channel for FTPS Unprotected data Channel for FTPS Client: Batch Interactive Script Security: Implicit SSL Explicit SSL SSH Transfer Mode: Binary ASCII EBCDIC Initiate FTP from WEB browser Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes No All Rel. 9.0 All All All All Rel Rel Rel All All All N/A 7 959, 1123, 2228, 4217 Trivial File Transfer Protocol (TFTP) Server Client No No N/A N/A 783 TELNET Server Client Commands: Abort Output Interrupt Process Are You There Break Sync No Operation Erase Line Erase Character Options: Binary Suppress Goahead Timing Mark EXOPL Authenticate NAWS STATUS Echo Send Location End of Record Terminal Types: Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes No Yes Yes Yes All All All All All All All All All All All All All All All Rel. 5.0 N/A All All All (Telnet) 855 (Negotiations) 856 (Binary) 857 (Echo) 858 (Suppress GA) 859 (Status) 860 (Timing Mark) D 7

308 TCP/IP Capabilities Table D 2. Host Services Capabilities Feature Subfeature Support Release NVT DEC-VT100 DEC-VT102 DEC-VT200 DEC-VT220 ANSI IBM IBM E UNISYS-TD830 UNISYS-TD830- ASCII UNISYS-TD830- NDL UNISYS-TD830- INTL Kerberos Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes All All All All All All All All All All Rel. 4.0 All Related Documentation (EOR) RFC 1091 (Term Type) 1123 (IETF) 1411 (Authenticatio n) 1576 (TN3270) Simple Mail Transfer Protocol (SMTP) Server Client Yes Yes All All (Rel. 6.0 is last release) (not 100%) 1123 (all must ) Character Generator Protocol No N/A 864 ECHO No N/A 862 DISCARD No N/A 863 Quote of the Day Protocol (QUOTE) Daytime Protocol (DAYTIME) Dynamic Host Configuration Protocol (DHCP) WEB Server (ATLAS) No N/A 865 No N/A 867 No N/A 1541 Yes All 5, D

309 TCP/IP Capabilities Table D 2. Host Services Capabilities Feature Subfeature Support Release Related Documentation RFC Domain Name System (DNS) Server Resolver No Yes N/A All , 1035, 1123 (resolver must s) Line Printer Daemon Protocol (LPD) Server Client Yes Yes All All Simple Network Management Protocol (SNMP) Agent Manager Yes No All N/A 8, 9, ONC+RPC Client Server Sync Async TCP UDP RPCBIND Yes Yes Yes Yes Yes Yes Yes All All All All All All All 11 Built to SUN spec RFC WINRPC Client TCP/UDP Server TCP UDP Yes Yes No Rel. 5.0 (SSP1) 12 DCE RPC as modified by Microsoft D 9

Host Services Related Documentation

Refer to the following related documentation for information on host services:
- MCP Sockets Service Programming Guide ( )
- Networking Commands and Inquiries Help ( )
- Networking Reports and Log Messages Help ( )
- TCP/IP Implementation and Operations Guide ( )
- Web Transaction Server for ClearPath MCP Site Manager Help ( )
- Web Transaction Server for ClearPath MCP Administration and Programming Guide ( )
- TCP/IP Distributed Systems Services Operations Guide ( )
- SNMP Agent for ClearPath MCP Implementation and Operations Guide ( )
- SNMP Object Manager Programming Guide ( )
- SNMP Object Managers for ClearPath MCP Implementation Guide ( )
- WIN RPC Installation and Programming Guide ( )
- ONC+ Remote Procedure Call (RPC) for MCP/AS Installation and Programming Guide ( )
- Security Administration Guide ( )

Appendix E
TCP/IP Port Numbers

The TCP/IP port numbers used by Unisys software on a ClearPath system are divided into three groups:
- Well Known Ports (0 through 1023)
- Registered Ports (1024 through 49151)
- Dynamic and/or Private Ports (49152 through 65535)

The Well Known Ports and the Registered Ports are described further in Table E-1 and Table E-2. Note that Table E-1 does not list all of the TCP/IP Well Known Ports. Instead, it lists some of the Well Known Ports which are most commonly used by Unisys ClearPath applications. For a complete list of Well Known Ports, visit the following website for the Internet Assigned Numbers Authority:

Table E-1. TCP/IP Well Known Ports

Port Number   Port Name/Description
20/tcp        FTP (Data Port) - used by FTPSUPPORT
21/tcp        FTP (Control Port) - used by FTPSUPPORT
22/tcp        Secure Shell (SSH) service port
23/tcp        TELNET - used by TELNETSUPPORT for non-secure connections.
25/tcp        SMTP - used by Universal Messaging Solution (UMS)
53/tcp        DNS (queries only) - used by RESOLVERSUPPORT
80/tcp        Default HTTP port - used by the ATLASSUPPORT provider
102/tcp       OSI-TP applications such as: Transaction Integrator (WebTx), Open Transaction Integrator (OpenTi), BEA elink (OSI-TP); used by Enterprise Output Manager (DEPCON)
111/tcp       ONCRPC - used by ONCRPCSUPPORT
123/tcp       TIMESUPPORT
126/tcp       Used by NX/EDIT
135/tcp       Used by WIN/RPC
137/udp       NETBIOS Name Service - used by Client Access Services
138/udp       NETBIOS Datagram Service - used by Client Access Services
139/tcp       NETBIOS Session Service - used by Client Access Services
148/tcp       CRONUS - used by Reliable Session Services (RSS), part of Continuous Service Platform
161/tcp       SNMP
162/tcp       SNMPTRAP
279/tcp       DTP - used by Open/OLTP - Distributed Transaction Processing (DTP)
443/tcp       HTTP over SSL - used by the ATLASSUPPORT provider
445/tcp       Microsoft-DS CIFS - used by Client Access Services
515/tcp       Printer (spooler) - used by TCPPRT
520/udp       UDP - Local Routing Process - (RIP)
989/tcp       FTPS data port
990/tcp       FTP over SSL (explicit mode)
992/tcp       TELNET - used by TELNETSUPPORT for secure connections

Table E-2. TCP/IP Registered Ports

Port Number   Port Name/Description
1050/tcp      Voice/Fax Service Library Port - used by UMS
1051/tcp      Hand Set/ service port - used by UMS
1052/tcp      Subscriber Data Service Library Port - used by UMS
1054/tcp      Subscriber Data Service access port - used by UMS
1055/tcp      Debug trace port - used by UMS
1058/tcp      Shared Session Data Service port - used by UMS
1060/tcp      External Library port - used by UMS
1802/tcp      ODBC
1871/tcp      OLEDB
1897/tcp      DMSQL and JDBC Type
/tcp          CCF SAMPLE MARC WINDOW
2002/tcp      CCF SAMPLE CANDE WINDOW
2060/tcp      Application library port - used by UMS
2488/tcp      Web Transaction Server for ClearPath MCP Admin (non-ssl)
2489/tcp      Web Transaction Server for ClearPath MCP Admin (SSL)
3001/tcp      Web Enabler for ClearPath MCP
/tcp          WLM Perf Port - WLM performance port from Cloud MCP server to Customer PC
3984/tcp      MAPPER network node manager
3985/tcp      MAPPER TCP/IP server
3986/tcp      MAPPER workstation server
7001/tcp      Enterprise Portal for ClearPath MCP
7002/tcp      Enterprise Portal for ClearPath MCP
7003/tcp      Enterprise Portal for ClearPath MCP
7004/tcp      Enterprise Portal for ClearPath MCP
7005/tcp      Enterprise Portal for ClearPath MCP
8080/tcp      Custom Web Application allows Customer Site to access MCP Cloud Web Application
12564/tcp     Web Enabler for ClearPath MCP (with auto logon)
12596/tcp     Web Enabler for ClearPath MCP (without auto logon)
28348/tcp     Locum SafeSurvey (non-ssl based port)
28349/tcp     Locum SafeSurvey (SSL based port)
28350/tcp     Locum SecureAudit (non-ssl based port)
28351/tcp     Locum SecureAudit (SSL based port)
30101/tcp     MCPSERVER used for secure (SSL/TLS) connections
30102/tcp     MCPSERVER used for non-secure connections
56287/tcp     Locum RealTime Monitor
56288/tcp     Locum RealTime Config (non-ssl based port)
56298/tcp     Locum RealTime Config (SSL based port)
57371/tcp     Security Center (non-ssl based port)
57372/tcp     Security Center (SSL based port)

315 Index * *SYSTEM/TCPIPSECURITY/RULES file, 4-73 A address classes, 2-4 address mask protocol attributes IPMASKCONFIG, 4-55 IPMASKNETADDR, 4-55 IPMASKNETMASK, 4-55 IPMASKRETRYLIMIT, 4-55 log messages, 4-61 overview, 4-55 addresses deriving multicast addresses, 4-89 addressing IPv4, 2-4 IPv6, 2-9 IPv6 address representation, 2-9 IPv6 address types, 2-10 advertisement messages, overview, 4-62 alternate route topology, 2-26 alternate routes, 2-26 application host defined, 1-4 application services, OSI, 6-4 applications dynamic initiation, 4-92 applications, running OSI, 6-1 ARP address list, defining, 3-29 attacks protecting against ICMP attacks, 4-83 autoconfiguration specifying for a network interface, 4-86 autoconfigured interfaces, 4-35 auto-configured interfaces configuring with the NAU, 3-45 auto-configuring BNA-over-IP connections, 3-56 automatic stateless address configuration, 1-9 B BNA-over-IP, adding a neighbor, 3-57 BNA-over-IP, configuring, 3-56 broadcast filtering description, 4-47 TCPIP BROADCASTFILTER command, 4-47 C CIDR (classless interdomain routing, 2-16 CIDR Supernet/Subnet Table, 2-16 classful addressing, 2-4 limitations, 2-6 classless interdomain routing (CIDR), 2-16 ClearPath MCP servers defined, 1-4 CNS initialization file, B-1 code files generating, 3-65 commands (See also OI command) configuring a sample network, 3-1 configuring BNA-over-IP connections, 3-56 configuring BNA-over-IP paired IPv6 addresses, 3-57 configuring FC3-IOP devices, 3-59 configuring parameters NW TCPIP NEIGHBOR ADD command, 3-51 configuring routes TCPIP ROUTE command, 4-15 configuring TCP and UDP port event monitoring, 3-36 connections, generating LAN, 3-24 consistency checker, running, Index 1

316 Index D default address selection IPv6, 4-26 default IP routes, 2-24 deleting, 4-51 identifying, 4-19 multiple assigned, 2-34 defining host parameters, 3-19 ICMP log message reporting, 3-19 IP and mask TCP/IP addresses, 3-12 router discovery attributes, 3-12 TCP/IP ARP address list, 3-29 deleting a TCP/IP host name to IP address mapping, 4-52 deleting learned TCP/IP host name to IP address mappings, 4-52 detecting a duplicate IP address, 4-35 diagnostic codes, TCP/IP CONNECTION RESET report, (table), 5-14 dump option, TCPIP DEBUG command, 5-8 duplicate address detection, 1-9 duplicate IP address, 4-35 dynamic initiation of applications, 4-92 dynamic initiation of specified port numbers, 3-32, 4-92 dynamic port filtering using the DynamicPortFilter option, 4-44 dynamic port filtering configuring, 3-45 description, 4-44 DynamicPortFilter option, TCPIP OPTION command, 4-44 E ending an NAU session, 3-75 endpoints identifying OSI application, 6-4 error messages, consistency checker, (table), 3-64 EVLAN defined, 1-4 F FC3-IOP configuring, 3-59 networking capabilities, 3-59 FILTERFRAMES command, usage, 4-46 filtering based on port numbers, 4-44 dynamic port filtering, 4-44 filtering frames, 4-44 filtering IPv6 traffic, 4-44 filtering network traffic, 4-44 filtering RIP frames, 4-44, 4-48 H host names mapping, 4-81 Host Names Inquiring on, 4-39 hosts parameters, defining, 3-19 remote, determining reachability, 4-40 I ICMP attacks protecting against, 4-83 ICMP log message reporting, defining, 3-19 ICMP messages, controlling display of, 5-9 ICMP messages, determining current reporting option, 5-11 ICP LAN Line connections, editing, 3-54 ICPs IPADDRESSLIST attribute for, 4-70 initialization files creating, using the NAU, 3-1 default NAU naming conventions, TCP/IP, 3-67, 4-4 description, 3-65 generating, 3-65 overview, 3-2 sample, B-1 Initialized security environment, 4-72 initializing the network, 4-4 initializing, OSI software on a TCP/IP host, 6-4 inquiring about the 
TCP/IP environment, 5-4 inquiring on TCP/IP host name, 4-39 Internet Control Message Protocol (ICMP) address mask how the protocol works, 4-55 log messages, 4-61 router discovery how the protocol works, 4-61 log messages, 4-65 Index

317 Index IP address creating a mapping to a host, 4-36 defining, 3-12 deleting, 4-52, 4-53 deleting a mapping to a host, 4-52 deleting learned mappings to a host, 4-52 dynamically discovering an, 4-63 IP address classes, 2-4 IP multicast address , 2-22 IP multicast frames, 4-88 IP Security, See IPsec IP Security (IPsec) enabling and disabling, 4-79 features, 1-7 IPADDRESSLIST attribute, setting, 4-70 IPMASKCONFIG attribute changing the setting, 4-59 changing the setting of the, 4-59 identifying, 4-58 setting the, 4-58 valid values, 4-57 IPsec configuring, 3-45 determining status, 4-5 enabling and disabling, 4-79 features, 1-7 initialization, 4-3 IPv4 addressing overview, 2-4 configuring IPv4 only operation, 3-43 routing, 2-1 sample network, 3-5 subnetting, 2-6 IPv6 addressing overview, 2-9 autoconfiguration, 4-3 automatic stateless address configuration, 1-9 default address selection, 4-26 differences between IPv4 and IPv6, 1-11 duplicate address detection, 1-9 extended addressing, 1-7 extension headers, 1-7 features, 1-7 header format simplification, 1-7 ICMPv6 messages, 1-8 initialization, 4-3 IP Security (IPsec), 1-7 migrating to, 1-10 multicast listener discovery, 1-9 neighbor discovery, 1-9, 4-66 RFCs, 1-12 routing, 2-1 K sample network, 2-21, 3-5 selecting source and destination addresses, 3-39 specifying autoconfiguration, 4-86 specifying the Window Scale Factor, 4-90 supported in MCP release 12.0, 1-6 known routes, defining, 3-25 L LAN lines and connections, generating, 3-24 LAN Resiliency, 4-79 configuring, 3-43 LAN Resiliency Timer Inquiring on, 4-80 Setting with TCPIP OPTION command, 4-80 learned host names TCPIP OPTION command, 4-81 learned TCP/IP host name to IP address mappings, deleting, 4-52 Libra Model 585 and 595 FC3-IOP network processor, 3-59 local host, identifying, 4-30 log messages address mask, 4-61 router discovery, 4-65 M mapping of learned host names, 4-81 mapping TCP/IP host name to IP address, 4-36 mask TCP/IP addresses, defining, 3-12 
migrating TCP/IP NAU, using the, 3-1 migrating to IPv6, 1-10 migration, issues migrating TCP/IP NAU, using the, 3-1 mixed classful and classless topology, 2-20 monitoring events on ports, 4-94 monitoring events on specified port numbers, 3-36 multicast address , Index 3

318 Index multicast addresses, 4-89 multicast frames, 4-88 multicast listener discovery, 1-9 multihoming, 2-32 multiple assigned default routes, 2-24, 2-35 multiple logical networks, 2-37 N naming conventions TCP/IP initialization file, 3-67, 4-4 NAU checking network consistency, 3-63 configuring OSI-TCP/IP address pairs, 6-7 ending a session, 3-75 functions, 3-2 how to initialize the network, 4-4 initiating the, 3-6 traverse through the screens, how to, 3-3 using the, 3-1 neighbor discovery, 1-9 discovering IPv6 routing information, 2-23 IPv6, 4-66 network consistency, checking, 3-63 network integrity, verifying, 4-42 network interface defined, 1-4 networking FC3-IOP network processor, 3-59 O OBJECT DESC field, values, 4-56 OI command ADD NETWORK ADDRESS PAIR, 6-20 ADD OSI ENDPOINT NAME, 6-2 ADDRESS SELECTION POLICY, 4-27 DELETE NETWORK ADDRESS PAIR, 6-22 NETWORK ADDRESS PAIR, 6-22 NW REPORTS, 5-4 OSI +, 6-4 OSITCP CONNECTION, 6-22 SNMP GET, 4-59, 4-64 SNMP SET, 4-55, 4-59, 4-63 summary list, A-1 TCP/IP -, 4-5 TCP/IP MAPPING, 4-52 TCPIP [TCPIP]IDENTITY DELETE, 4-53 TCPIP +, 4-4 TCPIP DEBUG, 5-5, 5-8 TCPIP DISPLAY, 5-9 TCPIP DYNAMICINIT, 4-92 TCPIP FILTERFRAMES, 4-46 TCPIP INTERVAL, 5-9 TCPIP MAPPING, 4-36, 4-52 TCPIP MONITOREVENTS, 4-94 TCPIP OPTION, 4-44, 4-78 TCPIP PING, 4-41, 4-42 TCPIP RIP, 2-3 TCPIP RIP RIPAUTHENTICATION, 2-3 TCPIP ROUTE, 4-15 TCPIP ROUTE, 2-2 TCPIP ROUTE, 4-50 TCPIP ROUTE, 4-51 TCPIP SECURITY, 4-74 TCPIP SECURITY +, 4-76 TCPIP SECURITY DISABLE, 4-75 TCPIP SECURITY ENABLE, 4-75 TCPIP SECURITY RELOAD, 4-76 TCPIP STATUS, 4-5 TCPIP TABLE, 5-13 TCPIP TCPIPHOSTNAME, 4-30 TCPIP TCPIPIDentity, 4-31 TCPIP TCPIPIDENTITY, 2-3, 4-52 TCPIP TRACERT, 4-28 OI inquiry TCP/IP MAPPING, 4-39 operating TCP/IP, 4-1 options configuring TCP/IP options, 3-43 configuring with the TCP/IP OPTION command, 3-41 specifying with the TCPIP OPTION command, 4-78 OSI application services, 6-4 OSI applications, running over TCP/IP application endpoints, OSI, defining, 6-4 
checking network consistency, 6-17 identifying destination hosts, 6-15 implementation, overview, 6-2 overview, 6-1 pairing the OSI NSAP address to the hosts IP address, 6-11 reference material, OSI, (table), 6-5 sample network, 6-7 specifying a network path for communication, 6-16 OSI applications, running, overview, 6-1 OSI endpoints, identifying, 6-4 OSI software, initializing on TCP/IP, 6-4 OSI-TCP/IP address pairs configuring using the NAU, 6-7 Index

319 Index P using the OI, 6-19 parallel routes, 2-28 PathMTU Verification Interval, 4-84 port filtering, 4-44 TCPIP FILTERFRAMES command, 4-46 port numbers dynamic initiation, 4-92 monitoring events on specified port numbers, 3-36 preference value assigning to a route, 2-27 preference values used in configuring routes, 2-24 primary routes, 2-26 printing reports, 3-68 profiles, applying, 3-2 R redundancy, 2-29 redundant configuration necessary for LAN Resiliency, 4-80 remote hosts, determining reachability, 4-40 reports, displaying, 5-4, 5-13 reports, printing, 3-68 resiliency, 2-29 resolving a TCP hostname, 4-36 RFC 1006, overview, 6-1 RFC 1122 enabling use of, 4-82 RFC 1878 contains standard subnet table, 2-17 RFC 2453 RIPv2, 2-22 RFCs IPv6, 1-12 RIP determining status, 4-5 determining status of, 4-5 RIP command, 2-3 RIP frame broadcast overhead, reducing, 4-48 RIP RIPAUTHENTICATION command, 2-3 RIPv2 (routing information protocol version 2), 2-22 ROUTE command, 2-2 defining primary and alternate routes, 2-26 route preference value assigning, 2-27 route states descriptions, 2-25 route used to reach a remote node, 4-28 route, default IP, deleting an, 4-51 route, IP, deleting an, 4-50 router discovery protocol advertisement messages, 4-62 attributes ICMPRDISCNETADDR, 4-63 ICMPRDISCPERFORM, 4-63 ICMPRDISCSOLICITATIONADDR, 4-63 ICMPRDISCTTL, 4-63 attributes, setting through the NAU, 3-12 attributes, setting through the OI, 4-63 log messages, 4-65 solicitation messages, 4-62 routes, defining default IP, 4-19 known, 3-25 unknown, 3-27 routing IPv4, 2-1 IPv6, 2-1 routing expiration time, 3-40 setting, 4-13 routing information protocol, See RIP routing information protocol version 2 (RIPv2), 2-22 rules file loading, 4-76 reloading, 4-76 S sample network, 3-5 Secure sockets layer, See SSL security protecting against ICMP attacks, 4-83 security rules file distinguishing between inbound and outbound TCP dialogs, 4-73 services OSI application, 6-4 Session Warnings 
configuring, 3-43 set a routing expiration time, 4-13 SNMP SET, 4-55 solicitation messages, overview, 4-62 special topologies handling multiple parallel routes, Index 5

320 Index SSL determining status of, 4-5 enabling or disabling, 3-44 standard subnet table see RFC 1878, 2-17 status of TCP/IP software, 4-5 subnet mask, 2-7 subnet mask address information, exchange of, 4-55 subnet masks defining through the NAU, 3-12 subnetting example, 2-6 sample topology, 2-8 use in IPv4 networks, 2-6 SUMLOG, setting time interval for updating with Error, Reset, and ICMP table information, 5-9 Supernet/Subnet Table, 2-16 Supernetting, 2-16 system default route, 2-34 SYSTEM/NETINIT, default initialization file, 4-5 SYSTEM/RESOLVER, 4-36 T TCP hostname, resolving, 4-36 TCP/IP configuring a sample network, 3-1 determining status, 4-5 implementation, overview, 3-2 initialization file, B-1 network operations, 4-1 profiles, applying, 3-2 purpose on ClearPath servers, 1-5 reports, displaying, 5-4, 5-13 software, terminating, 4-5 TCP/IP CONNECTION RESET report diagnostic codes, (table), 5-14 TCP/IP end system security *SYSTEM/TCPIPSECURITY/RULES file, 4-73 changing rules files, 4-76 determining status, 4-5 determining status of, 4-74 disabling, 4-75 enabling, 4-75 general description, 4-72 initialized environment, 4-72 loading a rules file, 4-76 reloading a rules file, 4-76 reviewing security violations, 4-77 state (phase) descriptions, 4-74 state (phase) transitions (figure), 4-75 TCP/IP end system security status, 4-5 TCP/IP library tables Error], 5-12 Reset, 5-12 TCP/IP OPTION command, 3-41 TCP/IP security, See TCP/IP end system security TCP/IP SECURITY REPORT log entry, 4-72 TCP/IP traffic filtering, 4-44 TCPIP [TCPIP]IDENTITY DELETE, 4-53 TCPIP ADDRESS SELECTION POLICY command, 4-27 TCPIP BROADCASTFILTER command filtering broadcast traffic, 4-47 TCPIP DEBUG, 5-5 TCPIP DYNAMICINIT command, 3-32, 4-92 TCPIP MONITOREVENTS command configuring, 3-36 monitoring events on ports, 4-94 TCPIP OPTION command, 4-83 TCPIP options TCPIP OPTION command, 4-78 TCPIP RIP command, 2-3 TCPIP RIP RIPAUTHENTICATION command, 2-3 TCPIP ROUTE command, 2-2 TCPIP ROUTE OI 
command, 4-15 TCPIP SECURITY REPORT explanation, 4-77 TCPIP STATUS OI command, 4-5 TCPIP TCPIPIDentity, 4-31 TCPIP TCPIPIDENTITY Visible (See "Visible" TCPIP TCPIPIDENTITY command, 2-3 TCPIP TRACERT command, 4-28 TCPIPSECURITY library, 4-72 timer value specifying a routing expiration time, 3-40 topologies, sample subnetting, 2-6 trace option, TCP/IP DEBUG command, 5-6 traffic filtering, 4-44 transmission unit maximum of 536, 4-82 troubleshooting, 5-1 controlling display of ICMP messages, 5-9 displaying reports, 5-4, 5-13 Index

321 Index U inquiring about the TCP/IP environment, 5-4 monitoring system activity TCPIP DEBUG command, 5-5, 5-8 setting time interval for updating SUMLOG with Error, Reset, and ICMP table information, 5-9 unknown routes, defining, 3-27 upgrading TCP/IP using the NAU, 3-1 V variable length subnet masking (VLSM), 2-14 Visible, 3-17, 4-33 VLSM (variable length subnet masking), 2-14 VLSM aggregation, 2-15 W weak-model multihoming, 2-32 well-known TCP/IP port numbers, 4-77 Window Scale Factor, 4-90 Windows references to, Index 7


© 2014 Unisys Corporation. All rights reserved.


More information

Router Security Configuration Guide Supplement - Security for IPv6 Routers

Router Security Configuration Guide Supplement - Security for IPv6 Routers Report Number: I33-002R-06 Router Security Configuration Guide Supplement - Security for IPv6 Routers A supplement to the NSA Router Security Configuration Guide offering security principles and guidance

More information