The default value is 0.0.0.0. You can specify multiple instances of this attribute. At present, the MAX does not use the list of radipad client units. If no Ascend-Assign-IP-
Client attribute is present, the list of client units defaults to those present in the RADIUS clients file.

The default value is 0.0.0.0. Only one instance of this attribute can appear in the profile. The default value is a place-holder only. You must specify a valid IP address for radipad to work.

Global-Pool-name Password="Ascend", User-Service=Dialout-Framed-User

The Ascend-IP-Pool-Definition attribute has this format:

Ascend-IP-Pool-Definition="num first_ipaddr max_entries"

For information on each Ascend-IP-Pool-Definition argument, see Table 6-2.

Specify the name of the pseudo-user profile containing the global IP pool definitions. The Ascend unit tries to allocate an address from the pools in order, and chooses an address from the pool with the first available IP address.

Do not set the Framed-Address attribute. If you do, the MAX will require the caller to use the static IP address the attribute specifies.

At startup, the MAX syslog notes RADIUS requests to release any RADIUS-allocated IP addresses. Some versions of the RADIUS server timeout the request, resulting in one of these log messages:

RADIUS release global-pool address

RADIUS release all global-pool addresses

• A pseudo-user profile containing the IP address of the host running radipad

• A pseudo-user profile contains the global IP pool definitions

• A user profile containing a pointer to the pseudo-user profile containing the pool definitions

Radipa-Hosts Password="Ascend", User-Service=Dialout-Framed-User

    Ascend-Assign-IP-Server=10.4.0.1

Global-Pool-CA Password="Ascend", User-Service=Dialout-Framed-User

    Ascend-IP-Pool-Definition="1 10.1.0.1 7",

    Ascend-IP-Pool-Definition="2 10.2.0.1 48"

    Ascend-IP-Pool-Definition="3 10.3.0.1 49"

In the user profile, the user requests an address from a pool specified in the Global-Pool-CA pseudo-user profile:

Emma Password="m2dan", User-Service=Framed-User

     Framed-Protocol=PPP,

     Ascend-Route-IP=Route-IP-Yes,

     Ascend-Metric=2, 

     Ascend-Assign-Global-IP-Pool=Global-Pool-CA

To set up IP redirection, follow these steps:

1. Specify the User-Name and Password attributes, authentication attributes, and WAN
   connection attributes.

   For details on setting the User-Name, Password, and authentication attributes, see Chapter 3, Setting Up RADIUS Authentication. For details on setting up WAN
   connection attributes, see Chapter 4, Setting Up WAN Connections in RADIUS.

2. To specify the caller's IP address, set the Framed-Address attribute (and, optionally, the Framed-Netmask attribute).

3. Set Ascend-Route-IP=Route-IP-Yes.

4. Set Ascend-Bridge=Bridge-No.

5. Set Ascend-IP-Direct to the IP address to which the MAX redirects packets from the user.

   For example, to specify that the MAX redirects packets to IP address 10.2.3.11, specify this setting:

   Ascend-IP-Direct=10.2.3.11

6. Set Framed-Routing=None.

   Ascend-IP-Direct connections typically turn off RIP. If you configure the connection to receive RIP, the MAX keeps all RIP packets from the remote end and forwards them to the IP address you specify.

7. Ensure that Framed-Protocol is not set to COMB or FR.

IP direct example

Figure 6-4. Directing incoming IP packets to one local host

In Figure 6-4, the MAX redirects incoming packets from site B to the host at IP address 10.2.3.11. The user profile looks like this one:

Emma Password="m2dan", User-Service=Framed-User

          Framed-Protocol=PPP,

          Framed-Address=10.8.9.10,

          Framed-Netmask=255.255.252.0,

          Ascend-Route-IP=Route-IP-Yes,

          Ascend-Bridge=Bridge-No,

          Ascend-IP-Direct=10.2.3.11,

          Ascend-Metric=2,

          Framed-Routing=None,

          ...

1. The MAX consults its routing table to find a next-hop address.

2. If the next hop is the default route for the system (destination 0.0.0.0), the Ascend unit uses the per-user default address as a next hop instead of the system-wide default route.

   The unit also uses the per-user default if the normal routing logic fails to find a route and there is no system-wide default route.

To configure a per-user route, follow these steps:

1. Configure the RADIUS user profile with a User-Name and Password on the first line.

2. On the second or succeeding lines, set the Ascend-Client-Gateway attribute to the IP address of the next hop router.

   Enter the IP address in dotted decimal notation. The default value is 0.0.0.0. If you accept this value, the Ascend unit routes packets as specified in the routing table, using the system-wide default route if it cannot find a more specific route.

   The Ascend unit must have a direct route to the address you specify. The direct route can take place via a profile or an Ethernet connection. If the Ascend unit does not have a direct route, it drops the packets on the connection. When you diagnose routing problems with a profile using this feature, an error in a per-user gateway address is not apparent from inspection of the global routing table.

Configuring static IP routes

A dynamic route can overwrite a static route to the same network if the dynamic route's metric is lower than that of the static route. However, dynamic routes age. If the MAX does not receive updates for a route, the route eventually expires. In this case, the hidden static route reappears in the routing table.

In RADIUS, you can create a static route in one of two ways:

• In a pseudo-user profile containing one or more explicit routes

• In a user profile specifying a WAN connection

For example, suppose a MAX has a static route to network 1.10.1.10 with a metric of 10. A user profile in RADIUS has a metric of 7 in a static route to the same network. When the route is not connected, the MAX routing table indicates that the route has a metric of 10. When the route is connected, the MAX routing table indicates that the route has a metric of 7, with an r in the flags column to indicate that the route came from RADIUS. Furthermore, the old route with a metric of 10 remains in the routing table, with an asterisk (*) in the flags column, indicating that it is a hidden route.

Specifying static IP routes in a pseudo-user profile

If you configure the MAX with a subnet address on a backbone network using the IP Adrs parameter in the Ethernet\>Mod Config\>Ether Options menu, you must set up a static route to the backbone router on the main network. If you do not, the MAX can only see the subnets to which it directly connects.

You cannot create static routes for dynamically assigned IP addresses, because the actual route to those addresses changes with each dynamic assignment.

To set up static IP routes in a RADIUS pseudo-user profile, follow these steps:

1. Create the first line of a pseudo-user profile using the User-Name, Password, and
   User-Service attributes.

   You create a pseudo-user profile to store information that the MAX can query-in this case, in order to store IP routing information. You can configure pseudo-users for both global and MAX-specific configuration control of IP dialout routes. The MAX adds the unit-specific dialout routes in addition to the global dialout routes.

   For a unit-specific IP dialout route, specify the first line of a pseudo-user profile in this format:

Route-unit_name-num Password="Ascend", User-Service=Dialout-Framed-
User

Route-num Password="Ascend", User-Service=Dialout-Framed-User

The Framed-Route attribute has this format:

Framed-Route="host_ipaddr[/subnet_mask] router_ipaddr 

metric [private] [profile_name][preference]"

Table 6-3 describes each Framed-Route argument.

Table 6-3. Framed-Route arguments

Syntax element	Description
host_ipaddr/subnet_mask	Indicates the IP address of the destination host or subnet reached by the route. The default value is 0.0.0.0/0. If the address includes a subnet mask, the remote router specified by router_ipaddr is a router to that subnet, rather than to a whole remote network. To specify the entire remote network, do not specify a subnet mask.
router_ipaddr	Specifies the IP address of the router at the remote end of the connection. The default value is 0.0.0.0. The 0.0.0.0 address is a wildcard entry the MAX replaces with the caller's IP address. When RADIUS authenticates a caller and sends the MAX an Access-Accept message with a value of 0.0.0.0 for router_ipaddr, the MAX updates its routing tables with the Framed-Route value, but substitutes the caller's IP address for the router. This setting is especially useful when RADIUS cannot know the IP address of the caller because the IP address comes from an address pool.
metric	Indicates the metric for the route. If the MAX has more than one possible route to a destination network, it chooses the one with the lower metric. The default value is 8.
private	Specifies y if the route is private, or n if it is not private. If you specify that the route is private, the MAX does not disclose the existence of the route when queried by RIP or another routing protocol. The default value is n.
profile_name	Indicates the name of the outgoing user profile that uses the route. The default value is null.
preference	Specifies the preference that the MAX gives the route.

Whenever you power on or reset the MAX, or when you select the Upd Rem Cfg command from the Sys Diag menu, RADIUS adds IP dialout routes to the routing table in this way:

1. RADIUS looks for profiles having the format Route-unit_name-1, where unit_name is the system name.

2. If at least one profile exists, RADIUS loads all existing profiles with the format
   Route-unit_name-num to initialize the IP routing table.

   The variable num is a number in a sequential series, starting with 1.

3. The MAX queries Route-unit_name-1, then Route-unit_name-2, and so on, until it receives an authentication reject from RADIUS.

4. RADIUS loads the global configuration profiles.

   These configurations have the format Route-num.

5. The MAX queries Route-1, then Route-2, and so on, until it receives an authentication reject from RADIUS.

Figure 6-5. A two-hop connection that requires a static route when RIP is off

In Figure 6-5, if RIP is disabled in the RADIUS user profile for site B, the MAX must have a static route like this one to route to site C:

Route-1 Password="Ascend", User-Service=Dialout-Framed-User

        Framed-Route="10.4.5.0/22 10.9.8.10 1 n inu-out"

In addition, you might wish to update the MAX unit's routing tables when connecting to a user whose profile specifies User-Service=Framed-User. In this case, you can set the Framed-Route attribute in an incoming user profile to specify the user's IP address and subnet mask with the host_ipaddr and /subnet_mask arguments. The route you specify in this manner exists only during the time the call is online. However, when you enter a nonzero router address for the router_ipaddr argument that is different from the caller's address, the static route of a dial-in framed-user persists even after the connection goes offline.

Summarizing host routes in an IP address pool

Before you begin

Configuring host route summaries in RADIUS

1. Using the Ascend-IP-Pool-Definition attribute, make sure that each and every address pool is network aligned.

   For an address pool to be network aligned, these conditions must apply:

   • The first address in the pool must be the first host address.
     The value first_ipaddr - 1 determines the network alignment-that is, the zero address on the subnet. first_ipaddr specifies the first IP address in the pool for the Ascend-IP-Pool-Definition attribute.

     The maximum number of entries you specify with the max_entries argument of Ascend-IP-Pool-Definition must be two less than the total number of addresses in the pool.

     The value max_entries + 2 determines the total number of addresses in the subnet. You can calculate the subnet mask based on this total.

   For example, suppose you have this specification for Ascend-IP-Pool-Definition:

   Ascend-IP-Pool-Definition="1 10.12.253.1 62"

   Because first_ipaddr=10.12.253.1, the network alignment address is 10.12.153.0 (first_ipaddr - 1).

   Because max_entries=62, you must specify a subnet mask for 64 addresses (max_entries + 2). The subnet mask for 64 addresses is 255.255.255.192. (Note that 256-64=192). The Ascend notation for a 255.255.255.192 subnet mask is /26.

   The resulting address pool network is 10.12.253.0/26. This address and subnet mask become the first values you specify for the Framed-Route attribute in step 3.

   For instructions on setting up address pools, see Defining a pool of IP addresses for dynamic assignment.

2. Create the first line of a pseudo-user profile containing static routes using the User-Name, Password, and User-Service attributes.

   You can configure pseudo-users for both global and MAX-specific configuration control of IP routes. The MAX adds the unit-specific routes in addition to the global routes.

   For a unit-specific IP route, specify the first line of a pseudo-user profile in this format:

   Route-unit_name-num Password="Ascend", User-Service=Dialout-Framed-User
   

   For a global IP route, specify the first line of a pseudo-user profile in this format:

   Route-num Password="Ascend", User-Service=Dialout-Framed-User
   

   unit_name is the system name of the MAX-that is, the name specified by the name parameter in the System profile. num is a number in a sequential series, starting at 1.

3. For each Framed-Route attribute, specify the host address and subnet mask for a summarized address pool.

   The Framed-Route attribute has this format:

   Framed-Route="host_ipaddr[/subnet_mask] router_ipaddr 
   metric [private] [profile_name][preference]"
   

   For the host_ipaddr argument, specify the address of the summarized network. For the subnet_mask argument, specify the associated subnet mask.

4. For the router_ipaddr argument, specify the router address for each summarized network.

   Because the MAX creates a host route for every address assigned from the pools, and because host routes override subnet routes, the MAX routes packets whose destination matches an assigned IP address from the pool. However, because the MAX advertises the entire pool as a route, and only privately knows which IP addresses in the pool are active, a remote network might improperly send the MAX a packet to an inactive IP address.

   The router address handles all IP addresses not assigned to users. When the MAX receives a packet whose IP address matches an unused IP address in a pool, it either returns the packet to the sender with an ICMP reject message, or simply discards the packet.

   To enable the router to handle packets with destinations to invalid hosts on the summarized network, you must specify one of these internal interfaces as the router_ipaddr argument.

   • The reject interface (rj0)
     The reject interface has an IP address of 127.0.0.2. When you specify this address as the router to the destination pool network, the MAX rejects packets to an invalid host on that network, appending an ICMP host unreachable message.

     The black-hole interface (bh0)

     The black-hole interface has an IP address of 127.0.0.3. When you specify this address as the router to the destination pool network, the MAX silently discards packets to an invalid host on that network.

5. Set the metric argument to 0.

6. Set the private argument to n for No.

7. Set the profile_name argument to the name of the pseudo-user profile.

8. If you want to specify a preference other than the default value of 120, set the preference.

Framed-Route="10.12.253.0/26 127.0.0.2 0 n Summary 130"

Setting up an interface-based IP routing connection

An alternative form of routing is called interface-based routing. With interface-based routing, each physical or logical interface on the unit has its own IP address. In some situations, it is useful to number some of the interfaces- in other words, to have the MAX operate partially as a system-based router and partially as an interface-based router. Reasons for using numbered interfaces include troubleshooting nailed-up point-to-point connections and forcing routing decisions between two links going to the same final destination. More generally, interface-based routing allows the MAX to operate more as a multi-homed Internet host behaves.

You can now configure each link in RADIUS as numbered (interface-based) or unnumbered (system-based). If no interfaces are numbered, the MAX operates as a purely system-based router.

If a MAX is using a numbered interface, you should be aware of these features:

• IP packets that the MAX generates and sends to the remote address have an IP source address corresponding to the numbered interface, not to the default (Ethernet) address of the MAX.

• During authentication of a call the MAX places using a numbered interface, the MAX reports the address of the interface as its IP address.

• The MAX adds all numbered interfaces listed in Connection profiles and RADIUS user profiles to its routing table.

• The MAX accepts IP packets whose destination is a numbered interface listed in a Connection profile or a RADIUS user profile, considering them to be destined for the MAX itself.

  The packet may actually arrive over any interface, and the numbered interface corresponding to the packet's destination address need not be in the active state.

Overview of RADIUS attributes for interface-based routing

Table 6-4. RADIUS attributes for interface-based routing

Configuring interface-based routing in RADIUS

If both the system and interface addresses are known

1. To specify the IP address of the MAX, set the Ascend-PPP-Address attribute.

2. To specify the subnet mask in use for the local interface, specify the Ascend-IF-Netmask attribute.

3. To specify the remote interface address, set the Ascend-Remote-Addr attribute.

1. The MAX generates host routes to both Framed-Address and Ascend-Remote-Addr.

   The Ascend-Remote-Addr appears in the routing table as the next hop to Framed-Address.

2. The MAX generates a route the remote system's subnet, showing the Ascend-Remote- Addr value as the next hop.

3. An incoming PPP, MP, or MP+ call must report its IP address as the Ascend-Remote-Addr attribute (rather than the Framed-Address attribute)-that is, the caller must be using a numbered interface, and its interface address must agree with the Ascend-Remote-Addr value on the receiving side.

If only the interface address is known

1. To specify the IP address of the MAX, set the Ascend-PPP-Address attribute.

2. To specify the subnet mask in use on the local interface, set the Ascend-IF-Netmask attribute.

3. Accept the default address of 0.0.0.0 for the Ascend-Remote-Addr attribute.

   Note that the Framed-Address attribute must always have a value, so if the only known address is the interface address, specify it using the Framed-Address attribute rather than the Ascend-Remote-Addr attribute.

1. The MAX creates a host route to Framed-Address.

2. The MAX creates a route to the subnet of the remote interface.

3. An incoming PPP, MP, or MP+ call must report its IP address as Framed-Address.

When a local interface is numbered but no corresponding remote interface address exists, the remote interface must have an address on the same subnet as the local, numbered interface. RADIUS rejects incoming PPP calls if the user profile numbers the local interface and the remote caller supplies an address not on the same subnet.

Setting up an IPX routing connection

• Before you begin

• Introducing IPX routing

• Overview of RADIUS attributes for IPX routing

• Specifying IPX routing

• Configuring static IPX routes

1. Set up the MAX as a router.

2. In the Ethernet > Answer > PPP Options menu, set the Recv Auth parameter to PAP, CHAP, MS-CHAP, or Either.

   Unlike an IP routing configuration, in which the MAX uniquely identifies the calling device by its IP address, an IPX routing configuration does not include a built-in way to uniquely identify callers. For this reason, you must use PAP, CHAP, or MS-CHAP password authentication, unless you configure IP routing in the same RADIUS user profile.

Introducing IPX routing

NetWare servers broadcast Service Advertising Protocol (SAP) packets every 60 seconds to make sure that routers (such as the MAX) know about their services. Each router builds a SAP table with an entry for each service advertised by each known server. The router uses the SAP table to respond to client queries.

When a NetWare client sends a SAP request to locate a service, the MAX consults its SAP table and replies with its own hardware address and the internal address of the requested server. The client can then transmit packets whose destination address is the internal address of the server. When the MAX receives those packets, it consults its IPX RIP table. If it finds an entry for that destination address, it brings up the connection or forwards the packet across the active connection.

For complete information on IPX routing, see the MAX ISP and Telecommuting Configuration Guide.

Overview of RADIUS attributes for IPX routing

Table 6-5. IPX routing attributes

Specifying IPX routing

1. In the RADIUS user profile, specify the User-Name and Password attributes and WAN connection attributes.

   For details on setting the User-Name and Password attributes, see Chapter 3, Setting Up RADIUS Authentication. For details on setting up WAN connection attributes, see Chapter 4, Setting Up WAN Connections in RADIUS.

2. To turn on IPX routing for the user profile, set Ascend-Route-IPX=Route-IPX-Yes.

3. If the MAX operates with a non-Ascend router that uses a numbered interface, set the Ascend-IPX-Alias attribute to specify a network number for the link.

4. To specify whether the caller is a dial-in PPP client or an Ethernet client with its own IPX network address, set the Ascend-IPX-Peer-Mode attribute.

   Dial-in clients do not belong to an IPX network, so you must assign them an IPX network number. When you do so, a dial-in client can establish a routing connection with the MAX. To provide an IPX network number, you must define a virtual IPX network using the IPX Pool# parameter in the MAX configuration interface. The MAX advertises the route to this virtual network and assigns it as the network address for dial-in clients.

   For the Ascend-IPX-Peer-Mode attribute, specify one of these settings:

   • IPX-Peer-Router (0) indicates that the calling device is on the Ethernet network and has its own IPX address.
     This setting is the default.

     IPX-Peer-Dialin (1) indicates that the caller is a dial-in NetWare client that incorporates PPP software and dial-out hardware, but has no Ethernet interface.

     This setting causes the MAX to assign the caller an IPX address using the value of the IPX Pool# parameter on the MAX. If the client does not supply its own unique node number, the MAX assigns a unique node number as well. The MAX does not send IPX RIP and SAP advertisements across the connection and ignores IPX RIP and SAP advertisements it receives from the remote end. However, it does respond to IPX RIP and SAP queries it receives from dial-in clients.

Figure 6-6. A dial-in NetWare client requiring dynamic IPX network assignment

In this example, the MAX is connected to a corporate NetWare LAN and the dial-in client has a modem, NetWare client software, and PPP dial-up software. This example assumes that the IPX Pool# attribute has been set in the Ethernet\>Mod Config\>Ether Options menu. To configure the MAX to accept a connection from the PC dial-in user, enter these specifications:

NetWareClient1 Password="m2dan", User-Service=Framed-User

          Framed-Protocol=PPP,

          Ascend-Route-IPX=Route-IPX-Yes,

          Ascend-IPX-Peer-Mode=IPX-Peer-Dialin,

          ...

Most sites configure only a few IPX routes and rely on IPX RIP for most other connections. If you have servers on both sides of the WAN connection, we recommend that you define a static route to the remote site even if your environment requires dynamic routes. If you have one static route to a remote site, it should specify a master NetWare server that knows about many other services. NetWare workstations can then learn about other remote services by connecting to that remote NetWare server. If the MAX does not receive IPX RIP broadcasts from a remote unit, you should configure a static route to at least one server on that network.

You must manually update static routes whenever the administrator at the remote end removes the specified server or updates its address. You do not need to create IPX routes to servers that reside on the local Ethernet network.

To set up static IPX routes in RADIUS, follow these steps:

1. Create the first line of a pseudo-user profile using the User-Name, Password, and
   User-Service attributes.

   You create a pseudo-user profile to store information that the MAX can query-in this case, in order to store IPX routing information. You can configure pseudo-users for both global and MAX-specific configuration control of IPX dialout routes. The MAX loads the unit-specific dialout routes in addition to the global dialout routes.

   For a unit-specific IPX dialout route, specify the first line of a pseudo-user profile in this format:

   IPXRoute-unit_name-num Password="Ascend", User-Service=Dialout-Framed-User
   

   For a global IPX dialout route, specify the first line of a pseudo-user profile in this format:

   IPXRoute-num Password="Ascend", User-Service=Dialout-Framed-User
   

   unit_name is the system name of the MAX-that is, the name specified by the Name parameter in the System profile. num is a number in a sequential series, starting at 1.

2. For each pseudo-user profile, specify one or more routes using the Ascend-IPX-Route attribute.

   When you define a static route to an internal network, the Ascend-IPX-Route attribute has the following format:

   Ascend-IPX-Route="profile_name network# [node#] [socket#] [server_type] [hop_count] [tick_count] [server_name]"
   

   Limit each profile to about 25 routes-that is, you should specify up to 25 settings for the Ascend-IPX-Route attribute. The MAX fetches information from each pseudo-user profile in order to gather routing information.

   Table 6-6 describes each Ascend-IPX-Route argument.

   Table 6-6. Ascend-IPX-Route arguments

   Argument	Description
   profile_name	Specifies the RADIUS user profile to use to reach the network. The default value is null.
   network#	Indicates the unique internal network number of the NetWare server. The default value is 00000000.
   node#	Specifies the node number of the NetWare server. The default value is 0000000000001-the typical node number for a NetWare file server.
   socket#	Indicates the socket number of the NetWare server. Typically, NetWare file servers use socket 0451. The default value is 0000. The number you specify must be a well-known socket number. Services that use dynamic socket numbers may use a different socket each time they load. To bring up a connection to a remote service that uses a dynamic socket number, specify a master server that uses a well-known socket number.
   server_type	Specifies the SAP service type of the NetWare server. NetWare file servers have SAP service type 0004. The default value is 0000.
   hop_count	Indicates the distance to the destination network in hops. The default value is 1.
   tick_count	Specifies the distance to the destination network in IBM PC clock ticks (one-eighteenth of a second). This value is for round-trip timer calculation and for determining the nearest server of a given type.The default value is 12.
   server_name	Indicates the name of an IPX server. The default value is null.

   When you define a static route to an internal network, the Ascend-IPX-Route attribute has the following format:

   Ascend-IPX-Route= "route-only network# transit_network#"
   

   Table 6-7 describes each Ascend-IPX-Route argument.

   Table 6-7. Ascend-IPX-Route arguments

   Argument	Description
   network #	Indicates the unique external network number. The default value is 00000000.
   transit_network #	Indicates an intermediate network: Between the MAX and the destination network. To which the MAX knows how to route.

1. RADIUS looks for profiles having the format IPXRoute-unit_name-1, where
   unit_name is the system name.

2. If at least one profile exists, RADIUS loads all existing profiles having the format
   IPXRoute-unit_name-num to initialize the IPX routing table.

   The variable num is a number in a sequential series, starting with 1.

3. The MAX queries IPXRoute-unit_name-1, then IPXRoute-unit_name-2, and so on, until it receives an authentication reject from RADIUS.

4. RADIUS loads the global configuration profiles.

   These configurations have the form IPXRoute-num.

5. The MAX queries IPXRoute-1, then IPXRoute-2, and so on, until it receives an authentication reject from RADIUS.

IPXRoute-CA-1 Password="Ascend", User-Service=Dialout-Framed-User

        Ascend-IPX-Route="def 6 7 8 9 10"

IPXRoute-1 Password="Ascend", User-Service=Dialout-Framed-User

        Ascend-IPX-Route="abc 1 2 3 4 5 "

Setting up a bridging connection

• Before you begin

• Introducing bridging

• Overview of special IPX bridging requirements

• Overview of RADIUS bridging attributes

• Specifying protocol-independent bridging

• Configuring bridge entries

Introducing bridging

When you configure the MAX for bridging, it accepts all packets on the Ethernet network and forwards only those that do not have a physical address on the local Ethernet segment, or that have a broadcast address. A physical address is a unique, hardware-level address associated with a specific network controller. A device's physical address is also called its Media Access Control (MAC) address. A broadcast address is recognized by multiple nodes on a network. All devices on the same network receive packets with the same address (FFFFFFFFFFFF on Ethernet).

The MAX is a transparent bridge (also called a learning bridge). As the MAX forwards a packet, it notes the packet's source address and creates a bridge table that associates node addresses with a particular interface. Figure 6-7 shows the physical addresses of some nodes on the local Ethernet and at a remote site. The MAX at site A acts as a bridge.

Figure 6-7. Bridging configuration

The MAX at site A gradually learns addresses on both networks by looking at each packet's source address, and it develops a bridge table like this one:

0000D801CFF2              SITEA

080045CFA123              SITEA

08002B25CC11              SITEA

08009FA2A3CA              SITEB

The MAX associates a Connection profile or RADIUS user profile with a bridging link either because the remote caller used the profile to dial the link, or because the profile matched an incoming call. You can also specify static bridge table entries in RADIUS pseudo-user profiles.

Overview of special IPX bridging requirements

For the Ascend-Handle-IPX attribute to have any effect, the IPX Frame parameter in the MAX configuration interface must specify the IPX frame type in use. Your setting for Ascend-Handle-IPX depends upon your bridging configuration. The following sections describe different types of bridging configurations.

Bridging when only the local network supports NetWare clients

Bridging when only the local network supports NetWare servers

Bridging when both sides of the link support NetWare servers

IPX routing and bridging on the same connection

If IPX Frame=802.3 on the MAX, the settings you make in RADIUS have the following effects:

• If Ascend-Route-IPX=Route-IPX-Yes and Ascend-Bridge=Bridge-No in the RADIUS user profile, the MAX routes only 802.3 IPX packets, and drops all other packets.

• If Ascend-Route-IPX=Route-IPX-Yes and Ascend-Bridge=Bridge-Yes in the RADIUS user profile, the MAX routes 802.3 IPX packets and bridges all other packets, including IPX packets in other frame types.

  For example, if the MAX receives an IPX packet in the 802.2 packet frame, it uses the physical address in that packet to bridge it across all active bridging sessions.

Table 6-8. Bridging attributes

Specifying protocol-independent bridging

1. Specify the User-Name and Password attributes, authentication attributes, and WAN
   connection attributes.

   The most common cause of trouble when setting up a bridging connection is specifying the wrong name for the MAX or the remote device. You must specify the name of the remote device or user exactly as it appears remotely, including case changes, dashes, and underscores.

   For details on setting the User-Name, Password, and authentication attributes, see Chapter 3, Setting Up RADIUS Authentication. For details on setting up WAN
   connection attributes, see Chapter 4, Setting Up WAN Connections in RADIUS.

2. To turn on bridging for the user profile, set Ascend-Bridge=Bridge-Yes.

3. To turn off IPX routing, set Ascend-Route-IPX=Route-IPX-No.

4. To specify special IPX bridging behavior, set the Ascend-Handle-IPX attribute.

   For details on the appropriate setting for your environment, see Overview of special IPX bridging requirements. Note that if Ascend-Route-IPX=Route-IPX-Yes in the RADIUS user profile, the Ascend-Handle-IPX attribute acts as though it is set to Handle-IPX-Server.

5. If you set Ascend-Handle-IPX=Handle-IPX-Server, set the Ascend-Netware-timeout attribute to indicate the maximum length of idle time during which the MAX performs watchdog spoofing for NetWare connections.

Figure 6-8. An example IPX client bridging connection

To configure the MAX in this example, you might use a profile like this one:

MAX1 Password="m2dan", User-Service=Framed-User

     Framed-Protocol=PPP,

     Ascend-Route-IPX=Route-IPX-No,

     Ascend-Bridge=Bridge-Yes,

     Ascend-Handle-IPX=Handle-IPX-Client,

     Ascend-Netware-timeout=30

Figure 6-9. An example IPX server bridging connection

To configure the MAX in this example, you might use a profile like this one:

MAX1 Password="m2dan", User-Service=Framed-User

     Framed-Protocol=PPP,

     Ascend-Route-IPX=Route-IPX-No,

     Ascend-Bridge=Bridge-Yes,

     Ascend-Handle-IPX=Handle-IPX-Server,

     Ascend-Netware-timeout=30

1. Create the first line of a pseudo-user profile using the User-Name, Password, and
   User-Service attributes.

   You create a pseudo-user profile to store information that the MAX can query-in this case, in order to store bridging information. For a unit-specific bridge profile, specify the first line of a pseudo-user profile in this format:

   Bridge-unit_name-num Password="Ascend", User-Service=
   Dialout-Framed-User
   

   unit_name is the system name of the MAX-that is, the name specified by the Name parameter in the System profile. num is a number in a sequential series, starting at 1.

2. For each pseudo-user profile, specify one or more bridge entries using the Ascend-Bridge- Address attribute.

   The Ascend-Bridge-Address attribute has this format:

   Ascend-Bridge-Address="MAC_address profile_name IP_address"

   Table 6-9 describes Ascend-Bridge-Address arguments.

   Table 6-9. Ascend-Bridge-Address arguments

   Argument	Description
   MAC_address	Specifies a MAC address in standard 12-digit hexadecimal format (yyyyyyyyyyyy) or in colon-separated format (yy:yy:yy:yy:yy:yy). If the leading digit of a colon-separated pair is 0 (zero), you do not need to enter it. That is, :y is the same as :0y. The default value is 000000000000.
   profile_name	Specifies the name of the dialout profile the MAX uses to bring up the connection. You can specify either a Connection profile or a RADIUS user profile. The MAX looks for a local profile first.
   IP_address	Specifies an IP address in dotted decimal notation. The default value is 0.0.0.0.

Whenever you power on or reset the MAX, or when you select the Upd Rem Cfg command from the Sys Diag menu, RADIUS adds bridging entries to the bridge table in this way:

1. RADIUS looks for profiles having the format Bridge-unit_name-num, where unit_name is the system name and num is a number in a sequential series, starting with 1.

2. RADIUS loads the data to create the bridging tables.

Bridge-Ascend-1 Password="Ascend", User-Service=Dialout-Framed-User

        Ascend-Bridge-Address="2:2:3:10:11:12 Prof1 1.2.3.4 1",

        Ascend-Bridge-Address="2:2:3:13:14:15 Prof2 5.6.7.8 2"

Setting up a DHCP connection

For example, if a group of DHCP clients reside on a LAN connected to a Pipeline, and the Pipeline connects to the MAX over a bridged PPP connection, the MAX can assign dynamic IP addresses to any of the DHCP clients on the remote LAN (Figure 6-10).

Figure 6-10. Pipeline connected to DHCP clients

The RADIUS server holds the configuration information the MAX uses to identify and authenticate each DHCP client.

When the DHCP client requests an address, the MAX allocates an IP address from one of its IP address pools and assigns it to the client for 30 minutes. The client must renew the IP address assignment after the 30-minute period expires. In its local memory, the MAX keeps track of all IP addresses it has assigned. Therefore, it loses the entries for current, unexpired IP address assignments when you reset it.

A client may hold an unexpired IP address assignment when you reset the MAX. After the reset, the MAX may assign that address to a new client. These duplicate IP addresses cause network problems until the first assignment expires or one of the clients reboots.

Overview of DHCP attributes

Table 6-10. DHCP attributes

Configuring a DHCP connection

1. Set up one or more IP address pools in a RADIUS pseudo-user profile.

   For details, see Defining a pool of IP addresses for dynamic assignment.

2. Configure a bridging connection in a RADIUS user profile.

   For details, see Setting up a bridging connection.

3. In the RADIUS user profile, set Ascend-DHCP-Reply=DHCP-Reply-Yes.

   This setting enables DHCP functionality.

4. In the RADIUS user profile, set the Ascend-DHCP-Pool-Number attribute.

   Specify the number of the IP address pool the MAX uses when allocating a dynamic IP address to this connection. You can specify a number between 1 and the number of IP pools defined on the MAX. The default value is 0 (zero). When you accept the default, the MAX uses the first defined IP address pool.

Setting up Network Address Translation (NAT) for LAN

Because the supply of addresses is rapidly diminishing, a company may not be able to get official addresses for its entire network. Other sites may already have unofficial addresses, but now need access to the Internet, where an official address is required. For these reasons, you need a facility to borrow an official address and dynamically translate between the local and official addresses.

NAT for LAN allows a Pipeline to connect a LAN to another network even if the devices on the LAN do not have valid addresses for the remote network. The Pipeline translates between the local network addresses and the remote network addresses.

When you enable NAT for LAN, the Pipeline attempts to perform IP address translation on all packets it receives. The Pipeline has no notion of what may or may not be official addresses on the LAN. The Pipeline acts as a DHCP client on behalf of all hosts on the LAN and relies on the MAX unit (acting as the DHCP server) to provide addresses suitable for the remote network from its IP address pool. On the local network, the Pipeline and the hosts all have local addresses on the same network, and use them only for local communication between the hosts and the Pipeline over the Ethernet.

Figure 6-11 illustrates a basic NAT for LAN setup.

Figure 6-11. NAT for LAN setup

In Figure 6-11, the Pipeline itself does not have an address on the remote network. Therefore, clients can gain access to the Pipeline only from the local network, not from the WAN.

When the first client on the LAN requests access to the remote network, the Pipeline gets the address through PPP negotiation. When subsequent clients request access to the remote network, the Pipeline asks for an IP address from the MAX using a DHCP request packet. In return, the MAX sends an address to the Pipeline from its IP address pool. The Pipeline uses the dynamic addresses it receives from the MAX to translate IP addresses on behalf of local clients.

As it receives packets on the LAN, the Pipeline determines whether the source IP address has a corresponding translated address. If so, the Pipeline translates the packet, and forwards it out the WAN. If the Pipeline has not assigned a translated address (and one is not pending), the Pipeline issues a new DHCP request for this IP address. While waiting for the MAX to offer an IP address, the Pipeline drops corresponding source packets. For packets it receives from the WAN, the Pipeline checks the destination address against its table of translated addresses. If the destination address exists and is active, the Pipeline forwards the packet. If the destination address does not exit, or is not active, the Pipeline drops the packet.

The MAX typically offers IP addresses for a limited duration, but the Pipeline automatically renews the lease on these addresses. If the connection to the remote server goes down, all leased addresses are considered revoked. Therefore, TCP connections do not persist across calls.

In some installations, the MAX handles both NAT for LAN DHCP requests and ordinary DHCP requests. In this situation, if the ordinary DHCP clients are connecting to the MAX over a non-bridged connection, you must have a separate DHCP server to handle these requests.

Before you begin

Configuring the Pipeline for NAT for LAN

Configuring the MAX for NAT for LAN

To configure NAT for LAN in RADIUS, you use the attributes listed in Table 6-11.

Table 6-11. NAT for LAN attributes

Attribute	Description	Possible values
Ascend-DHCP-Pool-Number (148)	Specifies the address pool to use for allocating an IP address to a NAT for LAN client on this connection.	Integer between 1 and the number of defined IP address pools. The default value is 0 (zero), which represents the first defined IP address pool.
Ascend-DHCP-Reply (147)	Specifies whether the MAX processes DHCP packets and acts as a DHCP server on this connection.	DHCP-Reply-No (0) DHCP-Reply-Yes (1) The default value is DHCP-Reply-No.
Ascend-DHCP-Maximum-Leases	Specifies the maximum number of dynamic addresses the MAX can assign to NAT for LAN clients using this connection	Integer between 1 and 254. The default value is 4.

To set up NAT for LAN for a MAX in a RADIUS user profile, follow these steps:

1. Set up one or more IP address pools in a RADIUS pseudo-user profile.

   For details, see Defining a pool of IP addresses for dynamic assignment.

2. Set up routing or bridging in RADIUS.

   For information on setting up routing, see Setting up a system-based IP routing connection. For information on setting up bridging, see Setting up a bridging connection.

3. To enable DHCP functionality, set Ascend-DHCP-Reply=DHCP-Reply-Yes.

   • For a bridged connection, the MAX responds to all DHCP requests.

   • For a non-bridged connection, the MAX responds only to NAT for LAN DHCP packets.

4. Set the Ascend-DHCP-Pool-Number attribute.

   Specify the number of the IP address pool the MAX uses when allocating a dynamic IP address to a NAT client on this connection. You can specify a number between 1 and number of IP pools defined on the MAX. The default value is 0 (zero). When you accept the default, the MAX uses the first defined IP address pool.

5. Set the Ascend-DHCP-Maximum-Leases attribute to specify the maximum number of addresses that the MAX can give to the Pipeline.

   You can specify a value between 1 and 254. The default value is 4.

Copyright © 1998, Ascend Communications, Inc. All rights reserved.