2000/03/28

                ComOS 3.9 Release Note for the PortMaster 3


________________ Introduction

The new Lucent Technologies ComOS(R) 3.9 software release is now
available for general availability (GA) for the PortMaster(R) 3
Integrated Access Server. This release note applies only to the
PortMaster 3.

This release is provided at no charge to all Lucent customers.

This release note documents commands and features added between
ComOS 3.8.2 and ComOS 3.9 on the PortMaster 3.

Before upgrading, thoroughly read "ComOS 3.9 Limitations" and
"Upgrade Instructions."

_______ Modem Code Supported

ComOS 3.9 contains modem code version i12600e, the same modem code
included in the ComOS 3.9b28 release.

Support for the obsolete "True Digital V.34 Card" (MDM-PM3-8 and
MDM-PM3-10), including support for V.110, has been removed from this
release. The "True Digital 56K Card" (MDM-56K-8 and MDM-56K-10)
is still supported.

_______ Warnings and Important Notices

WARNING: PortMaster 3 units manufactured after June 1, 2000 contain a
motherboard that requires ComOS 3.9 or later. Do not load an earlier
ComOS version onto these units.  They will be shipped with a notice
warning not to downgrade them.

WARNING! Due to the increased size of ComOS, the amount of nonvolatile
RAM (NVRAM) available for saving configurations has been reduced from
128KB to 64KB. PortMaster products with configurations greater than
64KB will lose some of their configuration. For this reason, be sure
to back up your PortMaster configuration before upgrading to this
release. You can check the amount of memory used for your
configuration with the "show files" command. Ignore any files that
also include an uncompressed size.

WARNING! The PortMaster 3 must be running ComOS 3.5 or later to upgrade
to ComOS 3.9. If you are running an earlier release of ComOS, upgrade
to ComOS 3.5 first, reboot, then upgrade to ComOS 3.9.

IMPORTANT: Any PortMaster 3 running the Border Gateway Protocol (BGP)
requires 32MB of dynamic RAM (DRAM) so that it can store the more than
70,000 BGP paths in a full BGP feed.

IMPORTANT: Virtual private network (VPN) tunneling, including tunneling
based on the IP Security (IPSec) protocol, is not supported in this
release.

If you purchased an IPSec encryption ("coprocessor") card, contact
Lucent NetworkCare(R) for more information.


_______________ Contents

Introduction
Bugs Fixed in ComOS 3.9
Reconfiguring NVRAM
New Features in ComOS 3.9
        RADIUS Authentication Failover
        RADIUS Accounting Retry Interval and Count
        Non-Facility Associated Signaling (NFAS)
        Layer 2 Tunneling Protocol (L2TP)
        Network Address Translator (NAT)
        Assigned IP for Dial-Out Locations
        Port Required for Telnet Device Service
        Enhanced PMVision Support
Configuring NFAS
Configuring L2TP
Configuring NAT
ComOS 3.9 Limitations
Troubleshooting Modems
Upgrade Instructions
Technical Support


_______________ Bugs Fixed in ComOS 3.9

The ComOS 3.9 release fixes the following bug that was present in ComOS
3.9b28:

A constant was changed to increase non-facility associated signaling
(NFAS) support from 5 ISDN Primary Rate Interfaces (PRIs) to 28 PRIs.

The ComOS 3.9 release fixes the following bugs that were present in the
ComOS 3.8.2 release.

_______ General Bugs Fixed

* A sporadic reboot problem has been fixed. The stack trace displayed
the message "Assertion failed: nbuf_p->bytes_left, file mdp_os.c, line
1586" when this problem occurred.

* Unauthorized Telnet connections are now timed out after 2 minutes.

* The "set maximum pmconsole" command now takes effect immediately.
Previously, active connections on port 1643 had to be reset before
changes were applied.

* Output for the "set debug ?" command has been enhanced.

* Administrative logins logged to syslog no longer have the password
sent in clear text.

* The "show sessions" command no longer returns garbage characters at
the end of a 12-character location name.

* The "show table location" command now shows the full location name.

* Simple Network Management Protocol (SNMP) access to the serial table
for PortMaster user information now works properly. Earlier versions of
this release reported "No Response."

* The attributes associated with the user are now deleted when the user
entry is deleted. For example, if a network user (netuser) named lee
configured with NAT is deleted, the old NAT configuration parameters
are no longer listed for any new user named lee.

_______ RADIUS Bugs Fixed

* When a RADIUS server sends an improperly formatted vendor-specific
attribute (VSA) to the PortMaster, it is now handled properly.
Previously, improperly formatted VSAs caused the PortMaster to enter an
infinite loop. The watchdog timer would then reboot the PortMaster.

* A RADIUS Login-User with the telnet login service no longer generates
a Framed-User start record erroneously.

* Accounting records for a RADIUS Administrative-User logging in to
port S0 now show the correct service type.

* If a RADIUS menu user fails over a Telnet connection, an
administrative user is now allowed to telnet in. Previously, the
administrative user was rejected until the PortMaster 3 was rebooted.

* The authentication packet sent for telnet logins now reports the
correct user type to the access log. Previously, the authentication
packet erroneously reported a user type of Outbound-User.

* Startup and shutdown accounting packets are now resent like other
accounting packets.

_______ Routing and Tunneling Bugs Fixed

* When routing is disabled on a WAN port, the port status now reflects
this condition.

* The Point-to-Point Protocol (PPP) counters are now always reset when
a port is initialized. Previously, incorrectly set counters sometimes
caused the second link of a PPP multilink connection to fail.

* The PortMaster 3 no longer retains a remote router's Multichassis PPP
(MCPPP) master entry after the router disconnects. Previously, under
certain conditions, the master entry remained after disconnection and
prevented the PortMaster from routing the packets of this remote router
when it dialed in again.

* The command "set user protocol ppp" no longer deletes the
Point-to-Point Protocol (PPP) asynchronous map.

* BGP summarization settings that are configured with the "set bgp
summarization" command are now saved after you enter "save all" and
"reset bgp." Previously, only settings configured with the "add bgp
summarization" command were saved.

* Subnets included as part of an OSPF area range are now advertised as
internal OSPF routes. If not included as part of the range, they are
advertised as OSPF type 2 external (E2) routes. In previous releases,
the PortMaster 3 advertised routes in this way when they were part of
an assigned address pool, but not if they were subnets used to assign
static IP addresses.

* OSPF configuration information is now saved during an upgrade from
ComOS 3.7 to ComOS 3.9.

_______ Modem Code Bugs Fixed

* For all modems, retrain detection has been improved to prevent some
client disconnections.

* The aggressiveness of rates on calls coming into the PortMaster has
been reduced. The PortMaster now monitors cyclic redundancy check (CRC)
errors on inbound calls and instructs client modems to drop their rates
if necessary.

* K56flex connectability is improved by an increase in a K56flex timeout.

* The near-end echo canceller has been removed from K56flex-to-V.34
rate negotiation to improve operation.

* A V.90-to-V.34 fallback problem, which can result in a disconnection,
is fixed by earlier V.34 detection.

* A-law V.90 connectability is improved.

* The maximum digital modem transmission level for A-law V.90 has
been increased to -9dBm from -12dBm, to reduce the rate changes for
A-law modem clients in Europe.

* V.8 modem negotiation logic has been modified to check for the V.90
or V.34 data rate before falling back to V.32. Previously, some modems
completed V.8 negotiation and falsely triggered the PortMaster to use
V.32. By checking for V.90 or V.34 first, the PortMaster now ensures
that only V.32 modems connect at V.32 rates.

* Poor upstream connections, NO EC (no error control), and No Connect
problems on lines with more than one analog-to-digital conversion and
other lines that do not support V.90 have been fixed.

* Modems now detect loss of carrier for V.90 calls over T1 lines with
foreign exchange station (FXS) or foreign exchange office (FXO)
interfaces (loop-start lines).

* The PortMaster now supports selective reject to improve throughput
for modem clients that support this feature. Selective reject is an
important throughput adjustment that allows modems to retransmit only
frames that arrive with an error, to conserve precious bandwidth and
time.

For example, suppose that the PortMaster and a client modem agree on a
window size of five frames. The first frame from the client arrives
correctly, the second frame arrives in error, and subsequent frames
arrive without error. Modems without selective reject (most modems)
will retransmit frames 2 through 5, but a modem with selective reject
retransmits only frame 2 and then continues on to transmit frame 6 and
subsequent frames. The PortMaster now supports this feature.

* When the PortMaster 3 receives an incoming V.110 setup request, it
now returns the message "Cause 88 Incompatible Destination."
Previously, the message "Release Complete with the Cause 17 User Busy"
was erroneously returned.

LAPM Bugs Fixed:

* To reduce the number of disconnections, the PortMaster now suspends
all Link Access Procedure for Modems (LAPM) negotiations and data
transfers during rate changes and retrains, and also resets timers.
LAPM is the final and highest-layer phase of V.90 modem negotiation
that occurs during the process of connecting to a communications server:

     1. Packets received from the OSI data link layer of the
     transmitting device traverse the LAPM layer during modem V.90
     negotiation and undergo compression and error control.

     2. Once the packets are compressed, they are transferred down
     through the V.90 layers to the physical transport layer and
     received by the modem on the other end.

     3. The receiving modem then passes the packets back up to the V.90
     layer of LAPM on the receiving device.

     4. The LAPM layer checks the packet header for errors and
     decompresses the packet data before passing the packet to the OSI
     data link layer of the receiving device.

Packet transmission rate is determined at the lower V.90 layers.
Because no packets can be transferred from a higher layer while the
lower layers are busy determining the speed of transfers, the
PortMaster suspends LAPM activity during this time.

* The modem code now suspends LAPM transactions during any rate
changes or retrains and thereby eliminates some connection failures,
connections without error control, and some disconnections.

* A downward spiraling upstream rate caused by an incorrect LAPM
error check is fixed.

* Rate reduction due to LAPM errors has been made less sensitive.

* In the presence of LAPM retransmission errors, the modem code
retrains to allow the link to adjust to a lower speed and improve
throughput.

* The number of disconnections from LAPM retrains within a retrain
has been reduced.

* Disconnections due to LAPM errors on V.90 and K56flex connections are
now reported accurately. Previously, these were reported as call
Circuit Closed disconnections because the network detected the
disconnection before ComOS did.

* The PortMaster now informs certain modem clients of the proper LAPM
window size to use, fixing some LAPM timeout errors that occurred in
previous releases. Window size determines how many packets are sent
before the other LAPM partner can report that it received the bits and
frames sent correctly. The two modems must agree on this number.
Sending a single frame of 128 bytes to the client and waiting for the
client to acknowledge is less efficient than sending multiple frames
and waiting for a single acknowledgement.

For example, suppose the PortMaster is set for a window size of three
frames and the remote device expects a window size of four. When the
PortMaster sends three frames and waits, the remote modem waits for a
fourth frame before acknowledging. Disagreement about window size can
cause timer expiration or even disconnection. This problem has now been
corrected for certain clients.

Bugs Fixed for Particular Modems:

* U.S. Robotics (USR) Telepath V.34 modems can now establish LAPM error
correction. Previously under certain conditions, the modem was choosing
too high a connection rate and was unable to establish LAPM error
correction. The modem code now detects these conditions and forces the
connection speed down by one rate to allow LAPM to be negotiated.

* For modems with Rockwell Semiconductor Systems (RSS) K56flex
chipsets, fast rate changes now work properly. Previously, a retrain
was forced after a rate change. (RSS is now Conexant Systems Inc.)

* A NO EC (no error control) connection problem with Cirrus Logic
modems is fixed, and overall performance with Cirrus Logic modems is
improved. Cirrus Logic modems are now supported by Ambient
Technologies.

* The number of rate renegotiations with USR/3Com and Cirrus Logic
modems has been reduced because ComOS now allows the client modem to
specify spectral shaping.

* USR/3Com modem connections are now more reliable.

* Rate renegotiation and retrain problems with USR/3Com and Rockwell
HCF modems are improved.

* Connectability with USR/3Com and Rockwell HCF modems and LT Winmodems
is improved.

* Motorola SM56 modems can now connect with V.90.

* V.8bis logic has been improved to force PCTEL modems to V.90.  PCTEL
modems do not set the V.90 bit during V.8bis negotiations, but set a
proprietary bit instead. If the PortMaster detects that this
proprietary bit is set on a PCTEL client modem, it uses V.90 rates.
A disadvantage of this approach is that a PCTEL modem set for K56flex
will fail V.90 and fall back to V.34.

* K56flex code has been improved to better handle rate renegotiations
with Rockwell client modems.


_______________ Reconfiguring NVRAM

After loading the new ComOS 3.9 and rebooting, look for messages like
the following on the console screen to verify that ComOS has loaded
successfully:

Testing System Memory.... 1024K
Checking Boot Rom....
Calibrating.... 33MHz
Starting FLASH Boot.....
Loading Image at 0fff0000
17110  flash copy complete
Verifying Load Module Checksum...
Starting Load Module ...
Loading kernel... 691260 bytes
Testing High Memory ... . 4096K
Loading kernel extensions... 125952 bytes
Async found in slot 1
Found 11 ports....
ether0 active ... 16K shared-RAM
Reconfiguring FLASH...
   Malloc size 65534 at 18a208
   Opened modules STD file
   Read 64506 bytes at 18a208
   read 1 buffers
   Call flash format
   Call freecntl
   Call save
   Call f_open
   Write 64506 bytes at 18a208
done - rebooting


_______________ New Features in ComOS 3.9

The following commands and features have been added in ComOS 3.9.

_______ RADIUS Authentication Failover

Authentication failover allows the PortMaster to dynamically switch
primary and alternate RADIUS authentication servers according to their
response. Use the following commands:

  set authentication interval Seconds
  set authentication failover on | off

The first command sets the response interval. The PortMaster sends a
RADIUS access-request packet every "interval" number of seconds. If no
response is received from the primary RADIUS server, the PortMaster
switches or "fails over" to the secondary authentication server. The
secondary RADIUS server then is treated as the primary, and is marked
with an asterisk (*) in "show global" output.

  set authentication interval Seconds

Seconds         A value between 1 and 255. The number of seconds that
                must elapse between RADIUS access-request
                retransmissions if the PortMaster receives no
                response.  The default is 3 seconds, and 0 resets the
                value to the default. If the primary server does not
                respond, failover occurs after two times the Seconds
                value. For example, if "set authentication interval 6"
                is used, failover occurs in 12 seconds.

The second command enables the failover feature on the PortMaster 3:

  set authentication failover on | off

on      If the primary server fails to respond three times in a row,
        the PortMaster sends the packet to both the primary and
        secondary servers for the next seven retransmissions. If the
        secondary server replies before the primary server, the
        PortMaster switches the primary and secondary servers.
        Then on the next login attempt, the PortMaster tries the
        secondary server first. If the secondary server fails to
        respond three times in a row, the PortMaster sends the
        packet to both servers and designates the server that replies
        first as the new primary server.

off     The PortMaster 3 always tries the primary server first, same as
        the current behavior. This is the default.
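To see how the rules above translate into wall-clock delay before a login is
served by the secondary server, the following Python model walks through the
"failover on" behaviour: retransmission every "interval" seconds, three
consecutive primary failures, then up to seven dual-send retransmissions, and
a primary/secondary swap when the secondary answers first. It is an added
example, not ComOS code; the server names and latencies are constructed
input, and the max_attempts give-up cap is the model's own assumption (the
release note does not state when ComOS stops retransmitting).

```python
"""Model of ComOS 3.9 RADIUS authentication failover (added example,
not ComOS code). Server names, latencies and the give-up cap are
constructed assumptions; the counts 3 and 7 come from the release note."""


class AuthFailoverModel:
    FAILS_BEFORE_DUAL_SEND = 3   # "fails to respond three times in a row"
    DUAL_SEND_RETRIES = 7        # "for the next seven retransmissions"

    def __init__(self, primary, secondary, interval=3, failover=True,
                 max_attempts=12):
        # interval mirrors "set authentication interval Seconds" (1..255);
        # 3 seconds is the documented default.
        if not 1 <= interval <= 255:
            raise ValueError("interval must be between 1 and 255 seconds")
        self.primary, self.secondary = primary, secondary
        self.interval = interval
        self.failover = failover
        self.max_attempts = max_attempts  # assumption: the model's own give-up cap
        self.consecutive_primary_failures = 0

    def access_request(self, latencies):
        """Simulate one Access-Request.

        latencies maps server name -> reply latency in seconds, or None for
        a server that never answers. Returns (server_that_answered, schedule)
        where schedule is a list of (send_time, targets) for every
        (re)transmission. Raises TimeoutError if nobody answers in time.
        """
        schedule = []
        dual_sends_left = 0
        for attempt in range(self.max_attempts):
            send_time = attempt * self.interval
            if (self.failover and dual_sends_left == 0
                    and self.consecutive_primary_failures
                    >= self.FAILS_BEFORE_DUAL_SEND):
                dual_sends_left = self.DUAL_SEND_RETRIES
            if dual_sends_left:
                targets = [self.primary, self.secondary]
                dual_sends_left -= 1
            else:
                targets = [self.primary]
            schedule.append((send_time, targets))

            # A reply only counts if it lands before the next retransmission.
            replies = sorted((latencies[s], s) for s in targets
                             if latencies.get(s) is not None
                             and latencies[s] < self.interval)
            if not replies:
                self.consecutive_primary_failures += 1
                continue
            winner = replies[0][1]
            if winner != self.primary:
                # The secondary answered first: it becomes the primary, so the
                # next login tries it first (the "*" server in "show global").
                self.primary, self.secondary = self.secondary, self.primary
            self.consecutive_primary_failures = 0
            return winner, schedule
        raise TimeoutError("no RADIUS authentication server answered")


if __name__ == "__main__":
    model = AuthFailoverModel("radius-a", "radius-b", interval=3)
    answered, plan = model.access_request({"radius-a": None, "radius-b": 0.5})
    for t, targets in plan:
        print(f"t={t:>3}s -> {', '.join(targets)}")
    print(f"answered by {answered}; primary is now {model.primary}")
```

With a dead primary and the default 3-second interval the model sends to the
primary alone at 0, 3 and 6 seconds, sends to both servers at 9 seconds, and
swaps the servers when the secondary answers, so the next login goes to the
former secondary on its first try. With failover off it keeps retrying the
primary until the cap and gives up.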

_______ RADIUS Accounting Retry Interval and Count

The PortMaster attempts to send each RADIUS accounting packet every
"interval" seconds, and sends it the "count" number of times before
giving up. If an acknowledgement is received from the RADIUS accounting
server, the PortMaster no longer tries to resend the accounting packet.
If no acknowledgment is sent from the primary server in response to the
first packet, the PortMaster sends the packet to both the primary and
secondary RADIUS accounting servers.

   set accounting count Number
   set accounting interval Seconds

Number          A decimal number between 1 and 99. The number of
                times the PortMaster sends a RADIUS accounting
                packet without acknowledgement from a RADIUS
                server.

Seconds         A decimal number between 1 and 255. The number of
                seconds that must elapse between RADIUS accounting
                packet retransmissions if not acknowledged by the
                accounting server. The default is 30 seconds.

Use the "show global" command to view the Accounting Count
and Accounting Interval settings.

Examples:

Command> set accounting count 45
Accounting retry count changed from 23 to 45

Command> set accounting interval 60
Accounting retry interval changed from 30 to 60 sec

_______ Non-Facility Associated Signaling (NFAS)

Non-facility associated signaling (NFAS) is a service offered by
telephone companies that permits a single D channel to provide the
signaling for a group of ISDN Primary Rate Interfaces (PRIs). This
service allows the channel that is normally used for signaling on the
remaining PRIs to be used as a B channel.

Because combining the signaling onto a single D channel increases the
consequences if communication with that channel fails, some telephone
companies use the D channel backup (DCBU) system.  DCBU requires two
D channels per NFAS group, one as a primary and one as a secondary.

The Lucent ComOS implementation of NFAS supports both standard NFAS and
NFAS with DCBU across up to 20 PRIs.

See the section titled "Configuring NFAS" for NFAS configuration
information. For more information about NFAS commands, see the
PortMaster Command Line Reference. For detailed configuration
information, see the PortMaster Configuration Guide.

_______ Layer 2 Tunneling Protocol (L2TP)

ComOS 3.9 on the PortMaster 3 supports Layer 2 Tunneling Protocol
(L2TP). You can configure the PortMaster 3 as both an L2TP access
concentrator (LAC) and an L2TP network server (LNS).

See the section titled "Configuring L2TP" for L2TP configuration
information.

For more information about L2TP commands, see the PortMaster
Command Line Reference. For detailed configuration information,
see the PortMaster Configuration Guide.

_______ Network Address Translator (NAT)

ComOS 3.9 supports the network address translator (NAT) based on
RFC 2663.

The basic network address translator (basic NAT) maps IP addresses from
one group to another, transparently to users and applications. The
network address port translator (NAPT) is an extension to basic NAT in
which multiple network addresses and their TCP and UDP ports are mapped
to a single network address and its ports.

ComOS supports both basic NAT and NAPT for both outbound and inbound
sessions. It also supports an "outsource" mode in which all NAT
processing is done on the server side of the connection.

See the section titled "Configuring NAT" for more information.

For more information about NAT commands, see the PortMaster Command
Line Reference. For detailed configuration information, see the
PortMaster Configuration Guide.

_______ Assigned IP for Dial-Out Locations

Use the following command to configure a dial-out location on the
PortMaster 3 to receive a dynamically assigned address:

  set location Locname local-ip-address assigned | Ipaddress

Locname Name of a location table entry.

In previous releases of ComOS for the PortMaster 3, dial-out locations
could not receive a dynamic address.

_______ Port Required for Telnet Device Service

The "set S0 service_device telnet" command now requires a TCP port number.

  set S0 service_device telnet Tport

Tport   Specifies the TCP port for the connection. The range is
        from 1 to 65535.

Previously, if the port number was omitted, the PortMaster listened on
port 23, the default Telnet port. This behavior caused problems for
users telnetting to the PortMaster.

_______ Enhanced PMVision Support

Additional support has been added to ComOS 3.9 to allow PMVision(TM)
to monitor and configure ComOS 3.9 features on the PortMaster. See
the PMVision 1.10 Release Note for details.


_______________ Configuring NFAS

Non-facility associated signaling (NFAS) is a service offered by
telephone companies that permits a single D channel to provide the
signaling for a group of PRIs. This service allows the channel that is
normally used for signaling on the remaining PRIs to be used as a B
channel.

Because combining the signaling onto a single D channel increases the
consequences if communication with that channel fails, some telephone
companies use the D channel backup (DCBU) system. DCBU requires two
D channels per NFAS group, one as a primary and one as a secondary.

The Lucent ComOS implementation of NFAS supports both standard NFAS and
NFAS with DCBU across up to 20 PRIs.

See the "ComOS 3.9 Limitations" section before using NFAS.

_______ NFAS Configuration

To configure a line for NFAS operation, use the following command:

  set Line0 nfas primary | secondary | slave | disabled Identifier Group

Line0           line0 or line1.

primary         This PRI contains the primary D channel.

secondary       This PRI contains the secondary D channel.

slave           This PRI contains no D channel.

disabled        Clears this PRI's NFAS configuration.

Identifier      Number between 0 and 19 that is unique among all PRI
                interfaces in the same NFAS group.

Group           Number between 1 and 99 identifying which NFAS group
                this PRI belongs to.

Example:

The following example shows how to configure four PortMaster 3s on a
common Ethernet with two NFAS groups, one with DCBU and one without.
Each group contains two PortMaster 3s.

NFAS bundle #1 (with DCBU)
  PM3-1 (Line0 contains the primary D channel. Line1 is a slave line.):
    set line0 nfas primary 0 1
    set line1 nfas slave 1 1
    save all
    reboot

  PM3-2 (Line0 is a slave line, and Line1 contains the secondary
  D channel):
    set line0 nfas slave 2 1
    set line1 nfas secondary 3 1
    save all
    reboot

NFAS bundle #2 (without DCBU)
  PM3-3 (Line0 contains the primary D channel, and Line1 is a
  slave line):
    set line0 nfas primary 0 2
    set line1 nfas slave 1 2
    save all
    reboot

  PM3-4 (Line0 and Line1 are slave lines):
    set line0 nfas slave 2 2
    set line1 nfas slave 3 2
    save all
    reboot
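Because every unit in an NFAS group is configured separately, a mistake
such as two primary D channels or a reused identifier only shows up once
the units are rebooted. The following Python lint, an added example that is
not ComOS code, parses "set lineN nfas ..." commands for a set of units and
applies the rules stated above (Identifier 0 to 19 and unique within a
group, Group 1 to 99, exactly one primary and at most one secondary D
channel per group). The unit names and command lists are constructed sample
input that mirrors the four-unit example.

```python
"""Lint for ComOS 3.9 NFAS line configuration (added example, not ComOS
code). The unit names and commands in SAMPLE_CONFIGS are constructed."""
import re
from collections import defaultdict

NFAS_CMD = re.compile(
    r"^set\s+(line[01])\s+nfas\s+(primary|secondary|slave|disabled)"
    r"(?:\s+(\d+)\s+(\d+))?\s*$", re.IGNORECASE)


def parse_nfas_command(cmd):
    """Return (line, role, identifier, group) for one 'set lineN nfas' command."""
    m = NFAS_CMD.match(cmd.strip())
    if not m:
        raise ValueError(f"not a valid NFAS command: {cmd!r}")
    line, role, ident, group = m.groups()
    line, role = line.lower(), role.lower()
    if role == "disabled":
        return line, role, None, None  # clears the PRI's NFAS configuration
    if ident is None:
        raise ValueError(f"'{role}' needs Identifier and Group: {cmd!r}")
    ident, group = int(ident), int(group)
    if not 0 <= ident <= 19:
        raise ValueError(f"Identifier {ident} outside 0-19: {cmd!r}")
    if not 1 <= group <= 99:
        raise ValueError(f"Group {group} outside 1-99: {cmd!r}")
    return line, role, ident, group


def check_nfas_groups(configs):
    """configs: {unit_name: [command, ...]}. Returns a list of problems."""
    problems = []
    groups = defaultdict(list)  # group -> [(unit, line, role, identifier)]
    for unit, commands in configs.items():
        for cmd in commands:
            if not re.match(r"\s*set\s+line[01]\s+nfas\b", cmd, re.IGNORECASE):
                continue  # "save all", "reboot" and unrelated commands
            try:
                line, role, ident, group = parse_nfas_command(cmd)
            except ValueError as err:
                problems.append(f"{unit}: {err}")
                continue
            if role != "disabled":
                groups[group].append((unit, line, role, ident))
    for group, members in sorted(groups.items()):
        roles = [role for _, _, role, _ in members]
        if roles.count("primary") != 1:
            problems.append(f"group {group}: expected exactly one primary "
                            f"D channel, found {roles.count('primary')}")
        if roles.count("secondary") > 1:
            problems.append(f"group {group}: more than one secondary "
                            f"D channel (DCBU uses one)")
        owners = {}  # identifier -> first unit/line that claimed it
        for unit, line, _, ident in members:
            where = f"{unit}/{line}"
            if ident in owners:
                problems.append(f"group {group}: identifier {ident} used by "
                                f"both {owners[ident]} and {where}")
            owners.setdefault(ident, where)
    return problems


# Constructed sample: the four-unit layout of the example above.
SAMPLE_CONFIGS = {
    "PM3-1": ["set line0 nfas primary 0 1", "set line1 nfas slave 1 1",
              "save all", "reboot"],
    "PM3-2": ["set line0 nfas slave 2 1", "set line1 nfas secondary 3 1",
              "save all", "reboot"],
    "PM3-3": ["set line0 nfas primary 0 2", "set line1 nfas slave 1 2",
              "save all", "reboot"],
    "PM3-4": ["set line0 nfas slave 2 2", "set line1 nfas slave 3 2",
              "save all", "reboot"],
}

if __name__ == "__main__":
    for problem in check_nfas_groups(SAMPLE_CONFIGS) or ["NFAS groups OK"]:
        print(problem)
```

Run the lint over the command lists before issuing "save all" and "reboot";
a clean configuration returns an empty list, and each rule violation comes
back as one message naming the unit, line or group concerned.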

_______ Displaying General NFAS Information

Several commands are available to display statistics and information
specific to NFAS operation.

  show nfas

The "show nfas" command displays neighboring PortMaster products in the
same NFAS group as this one and shows in-service D channel information
and slave status.

  show nfas history

The "show nfas history" command displays the last 40 significant
messages exchanged between this PortMaster and its neighbors.

  show nfas stat

The "show nfas stat" command displays the status of NFAS calls for
PortMaster products in the same group(s) as this one.

_______ Displaying NFAS Debugging Information

A new debug command has been added to aid in diagnosing problems that
might occur in testing.

set debug nfas on | off

This command enables or disables the logging of NFAS events to the
console. Remember to use "set console" before using this command, and
"reset console" after turning off the debug process.


_______________ Configuring L2TP

ComOS 3.9 on the PortMaster 3 supports Layer 2 Tunneling Protocol
(L2TP). You can configure the PortMaster 3 as both an L2TP access
concentrator (LAC) and an L2TP network server (LNS).

The implementation of L2TP in ComOS 3.9 is based on the latest IETF
L2TP draft (revisions 12 and 13 as of this writing). For specific
details of operation and protocol implementation of L2TP, refer to the
IETF Internet-Drafts.

L2TP allows PPP frames to be tunneled as follows from one PortMaster
that answers an incoming call (the LAC) to another PortMaster that
processes the PPP frames (the LNS):

End user--->incoming call--->LAC--->LNS--->network access

NOTE: None of the IP addresses or networks used in the examples in
this section are intended to refer to any actual real-world company
or network assignment.

_______ Description and Applications

The Layer 2 Tunneling Protocol (L2TP) provides tunneling of PPP
connections, to separate the functionality normally provided by a
single network access server (NAS) into two parts:

 * The L2TP access concentrator (LAC) provides the "physical"
   connection point between the telephone network (and therefore the
   dial-in user) and the host network.

 * The L2TP network server (LNS) terminates the PPP sessions and
   handles the "server-side" of the connection, such as authentication
   of the user, routing network traffic to and from the PPP user, and
   so forth. The LNS does not have any physical ports, only virtual
   interfaces.

An outsourcer can use L2TP to provide dial-up ports to customers using
a central, "shared" common physical dial-up pool. The pool resides in a
shared access server (the LAC). The outsourcer's customers maintain a
home gateway (the LNS) and some type of IP connectivity to the
outsourcer. L2TP provides virtual dial-up ports to the outsourcer's
customers. This use of L2TP is sometimes referred to as a virtual
private dial-up network (VPDN).

The service is transparent to the customer because users still
terminate PPP sessions on the customer network via the LNS. RADIUS
authentication and accounting and IP address assignment are all done by
the customer. The LAC does no PPP processing unless it is using partial
authentication for determining the tunnel end point. It only accepts
the call and establishes a tunnel to the LNS for that PPP session. The
tunnel can be established based upon Called-Station-Id or User-Name
(where partial authentication occurs on the LAC before tunnel
establishment).

For example, if you use Called-Station-Id and call-check with L2TP,
the session follows these steps:

1. The end user places a call.

2. The LAC detects the incoming call.

3. The LAC using call-check sends an authentication request to a
   RADIUS server containing the Called-Station-Id and
   Calling-Station-Id check items before answering the call.

4. If the RADIUS server accepts the user, an access-accept message
   is returned to the LAC along with information on how to create the
   L2TP tunnel for this session: the type of tunnel, IP address of the
   LNS, and so on.

5. The LAC then creates a tunnel to the LNS by encapsulating the PPP
   frames into IP packets and forwarding those packets to the LNS.

6. The LNS negotiates PPP normally with the end user.

_______ RADIUS Dictionary Updates for L2TP

Add the following lines to your RADIUS dictionary:

VALUE           Service-Type    Call-Check      10
VALUE           NAS-Port-Type   Virtual         5

ATTRIBUTE       Tunnel-Type             64      integer
ATTRIBUTE       Tunnel-Medium-Type      65      integer
ATTRIBUTE       Tunnel-Server-Endpoint  67      string
ATTRIBUTE       Tunnel-Password         69      string

VALUE           Tunnel-Type             L2TP    3
VALUE           Tunnel-Medium-Type      IP      1

The RADIUS daemon must be stopped and restarted to read the new
dictionary.

_______ RADIUS User Profiles for L2TP

The user profiles for the LNS are the same as for your users who do not
use L2TP.

For the LAC, some new user profiles are required. Exactly which
additional user profiles you add depends on whether you are using
call-check or partial username-based tunneling on the LAC. The
following profiles can be used on the RADIUS server serving the LAC for
either approach:

# Using Called-Station-Id with Call-Check to route callers who dial
# 555-1313 to the LNS "172.16.1.221".
# Note that the LNS address must be enclosed in double quotation
# marks because it is sent as a string, not as a 32-bit integer.

DEFAULT Called-Station-Id = "5551313", Service-Type = Call-Check
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Tunnel-Type = L2TP,
        Tunnel-Medium-Type = IP,
        Tunnel-Server-Endpoint = "172.16.1.221"

# Same as the previous profile, but with a shared secret to
# authenticate the session to the LNS.

DEFAULT Called-Station-Id = "5551313", Service-Type = Call-Check
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Tunnel-Type = L2TP,
        Tunnel-Medium-Type = IP,
        Tunnel-Password = "mrsparkle",
        Tunnel-Server-Endpoint = "172.16.1.221"

In both user profiles, the first line contains the RADIUS check item,
with the Called-Station-ID being used to match the entry before the
call is answered. The L2TP tunnel parameters from the matching entry
are then sent in the RADIUS access-accept message.

The Tunnel-Type specifies the tunneling protocol to be used. The
Tunnel-Medium-Type specifies the transport medium over which the tunnel
is created, IP for now. Tunnel-Server-Endpoint indicates the other end
of the tunnel, the LNS in the case of L2TP.

Note that the LNS address must be enclosed in double quotation marks
because it is sent as a string, not as a 32-bit integer.

If you are not using call-check and are instead providing partial
authentication based on User-Name, the following user profile works.
The user "bgerald" dials in to the LAC, which initiates an L2TP tunnel
on the user's behalf to LNS 172.16.1.55.

bgerald Password = "wackamole"
        Tunnel-Type = L2TP,
        Tunnel-Medium-Type = IP,
        Tunnel-Server-Endpoint = "172.16.1.55"

_______ L2TP and RADIUS Accounting

The LAC and LNS both log user sessions to RADIUS accounting, but
different accounting data is available from each.

If you are using call-check to establish the tunnel, the LAC's
accounting data shows the Calling-Station-Id, but not the user's name,
because that information has not yet been passed over the link. The LNS
accounting data shows both the Calling-Station-Id and the User-Name
along with the assigned IP address.

If partial authentication (instead of call-check) is taking place on
the LAC, then the username might be available to it. In that case, the
username appears in the RADIUS accounting logs for both the LNS and the
LAC.

In both cases, the LNS shows the NAS-Port-Type as "Virtual", while the
LAC shows the NAS-Port-Type set to the connection type of the physical
interface.

The LNS starts its NAS-Port numbering at 100.

_______ Redundant Tunnel Server End Points

To increase the robustness of L2TP, a user profile can be configured to
contain redundant tunnel server end points. If the primary LNS fails,
inbound L2TP tunnels can be redirected to other machines.

Up to three redundant tunnel server end points can be specified. Any
more than three are ignored by the LAC.

The following example shows a RADIUS user profile with multiple
redundant tunnel server end points. Each tunnel server end point is
preceded by the tunnel medium type for that tunnel.

DEFAULT Service-Type = Call-Check, Called-Station-Id = "5551234"
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Tunnel-Type = L2TP,
        Tunnel-Medium-Type = IP,
        Tunnel-Server-Endpoint = "192.168.11.2",
        Tunnel-Medium-Type = IP,
        Tunnel-Server-Endpoint = "192.168.11.17",
        Tunnel-Medium-Type = IP,
        Tunnel-Server-Endpoint = "192.168.230.97"

This feature provides redundant LNS backup, not load balancing.

_______ L2TP Command Summary

set l2tp noconfig | disable | enable lac | enable lns
set l2tp authenticate-remote on | off
set l2tp secret [ Password | none ]
show l2tp global | sessions | stats | tunnels
reset l2tp [ stats | tunnel Number]
create l2tp tunnel udp Ipaddress [ Password | none]
set l2tp choose-random-tunnel-endpoint on | off
set debug l2tp max | packets [Bytes] | setup | stats

Use the following command to have the PortMaster load the L2TP
feature on startup:

  set l2tp noconfig | disable | enable lac | enable lns

noconfig        Sets the PortMaster to have no L2TP
                configuration.

disable         Sets L2TP off. L2TP is not used.

enable lac      Sets the PortMaster to be a LAC.

enable lns      Sets the PortMaster to be an LNS.

When the PortMaster is configured to be an LNS, the line ports are
configured for T1 and cannot be used for dial-in. The virtual S0 ports
follow the W1 ports.

Example:

Command 0> set l2tp enable lns
L2TP LNS will be enabled after next reboot

After using the "set l2tp" command, you must use the "save all" command
to save the configuration and the "reboot" command for the L2TP module
to load.

_______ Configuring L2TP to Initiate Authentication

The following command configures L2TP to initiate tunnel authentication:

  set l2tp authenticate-remote on | off

on      The PortMaster initiates authentication with the other end point
        of the tunnel before a tunnel is established. This is the default.

off     The PortMaster does not initiate authentication.

This command determines only whether the PortMaster initiates the
authentication. It does not determine how the PortMaster responds to
an authentication request. The "set l2tp authenticate-remote" command
functions the same on both a LAC and an LNS.

_______ Configuring an L2TP Secret

The "set l2tp secret" global command configures the L2TP password that
the PortMaster uses to respond to all L2TP tunnel authentication
requests. The L2TP secret takes effect only after you issue a
"reset l2tp" command.

  set l2tp secret Password | none

Password        String of up to 15 characters that the PortMaster
                uses to respond to L2TP tunnel authentication
                requests.

none            Removes the L2TP secret. This is the default.

The "set l2tp secret" command sets the L2TP secret for the entire
PortMaster.

If a PortMaster configured as a LAC receives a tunnel authentication
request, it uses the Tunnel-Password from the RADIUS access-accept
packet, if present, instead of the global L2TP secret.

_______ Displaying L2TP Information

The following command shows information on how L2TP is functioning:

  show l2tp global | sessions | stats | tunnels

Examples:

Command> show l2tp global
debug packets debug stats debug setup
Tunnel Authentication Enabled
Initiation of Authentication Remote Tunnel Disabled
Default Board Configuration

Command> show l2tp sessions
Id  Assign-Id   Tunnel-Id       Portname State
31  21          75              S1      ESTABLISHED  fl=8045

Command> show l2tp stats
NEW_SESSION                     1
NEW_TUNNEL                      4
TUNNEL_CLOSED                   3
HANDLE_CLOSED                   3
L2TP_STATS_MEDIUM_HANDLE        3
INTERNAL_ERROR                  14
CTL_SEND                        9
CTL_REXMIT                      1
CTL_RCV                         10
MSG_CHANGE_STATE                4
WRONG_AVP_VALUE                 3
EVENT_CHANGE_STATE              3

Command> show l2tp tunnels
Id  Assign-Id   Hnd     State           #Ses    Server-Endpoint Client-Endpoint
75  65          14      L2T_ESTABLISH   1       192.168.6.13    192.168.10.28

_______ Resetting L2TP

Use the "reset l2tp" command to reset an L2TP tunnel or the L2TP
statistics counters.

  reset l2tp [ stats | tunnel Number ]

stats   Resets the L2TP counters displayed by "show l2tp
        stats" to zero.

tunnel  If no tunnel ID is specified, all L2TP tunnels are
        destroyed and all related PPP sessions are terminated.

Number  A tunnel ID from 1 to 100. If a tunnel ID is specified,
        only that one tunnel is destroyed. The "show l2tp
        tunnels" command displays a list of active tunnel IDs.

_______ Creating an L2TP Tunnel Manually

The following command manually brings up an L2TP tunnel for testing
and troubleshooting:

  create l2tp tunnel udp Ipaddress [ Password | none ]

Ipaddress       IP address of the L2TP tunnel end point.

Password        Password that the PortMaster uses when
                responding to a tunnel authentication request
                from the tunnel end point. If no password
                is specified, the global L2TP secret is used if
                configured.

none            Sets the PortMaster to use the L2TP secret
                configured for it with the "set l2tp secret"
                command. This is the default.

Example:

Command> create l2tp tunnel udp 149.198.110.19
OK

_______ Selecting a Tunnel End Point

The following command determines in what order to choose an end point
when multiple tunnel end points are returned in a RADIUS access-accept
packet.

  set l2tp choose-random-tunnel-endpoint on | off

on      Causes the tunnel end point to be chosen randomly from the list
        of tunnel end points returned by RADIUS.

off     Selects the first tunnel end point that can be reached.

Normally, when L2TP is configured with multiple tunnel end points, the
end points are chosen serially, always beginning with the first. If a
tunnel cannot be established with the first, then the second is tried,
and then the third. When this feature is enabled, a random tunnel end
point is selected from those returned in the RADIUS access-accept
packet.
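The call-check match, the three-end-point limit, and the serial versus random end point selection described in this and the "Redundant Tunnel Server End Points" section, as an added example that is not ComOS or RADIUS server code. The users-file text is constructed from the profiles in this note; falling through to the remaining end points after a failed random pick is this example's assumption, as is the `reachable` callable standing in for the LAC's tunnel set-up attempt.

```python
import random
import re

# Constructed users-file text modelled on the profiles in this release note.
USERS_FILE = """\
DEFAULT Service-Type = Call-Check, Called-Station-Id = "5551234"
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Tunnel-Type = L2TP,
        Tunnel-Medium-Type = IP,
        Tunnel-Server-Endpoint = "192.168.11.2",
        Tunnel-Medium-Type = IP,
        Tunnel-Server-Endpoint = "192.168.11.17",
        Tunnel-Medium-Type = IP,
        Tunnel-Server-Endpoint = "192.168.230.97",
        Tunnel-Medium-Type = IP,
        Tunnel-Server-Endpoint = "192.168.240.5"

bgerald Password = "wackamole"
        Tunnel-Type = L2TP,
        Tunnel-Medium-Type = IP,
        Tunnel-Server-Endpoint = "172.16.1.55"
"""

MAX_ENDPOINTS = 3      # the LAC ignores any end points beyond the third

# attribute = value, where value is a quoted string or runs to the next comma
PAIR_RE = re.compile(r'([\w-]+)\s*=\s*("[^"]*"|[^,]+)')


def _pairs(text):
    """Yield (attribute, value) pairs from one attribute list, quotes removed."""
    for attr, val in PAIR_RE.findall(text):
        yield attr, val.strip().strip('"')


def parse_users(text):
    """Return [(name, check_items, reply_items)] for each profile. Check items
    (first line) become a dict; reply items stay an ordered list because
    Tunnel-Medium-Type / Tunnel-Server-Endpoint repeat once per end point."""
    profiles = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        name, _, check_text = lines[0].partition(" ")
        check = dict(_pairs(check_text))
        reply = [pair for line in lines[1:] for pair in _pairs(line)]
        profiles.append((name, check, reply))
    return profiles


def match_call_check(profiles, called_station_id):
    """First profile whose check items are Service-Type = Call-Check with a
    Called-Station-Id equal to the dialed number (matched before answering)."""
    for profile in profiles:
        check = profile[1]
        if (check.get("Service-Type") == "Call-Check"
                and check.get("Called-Station-Id") == called_station_id):
            return profile
    return None


def tunnel_endpoints(reply):
    """Ordered (medium, endpoint) pairs from the access-accept, each end point
    taking the Tunnel-Medium-Type that precedes it, capped at three."""
    eps, medium = [], None
    for attr, val in reply:
        if attr == "Tunnel-Medium-Type":
            medium = val
        elif attr == "Tunnel-Server-Endpoint":
            eps.append((medium, val))
    return eps[:MAX_ENDPOINTS]


def choose_endpoint(endpoints, reachable, random_choice=False, rng=random):
    """Serial mode (the default) tries end points in order and returns the
    first that can be reached. Random mode (choose-random-tunnel-endpoint on)
    starts from a randomly chosen end point; trying the others after a failed
    random pick is this example's assumption. `reachable` stands in for the
    LAC's tunnel set-up attempt (also an assumption)."""
    order = list(endpoints)
    if random_choice and order:
        start = rng.randrange(len(order))
        order = order[start:] + order[:start]
    for _medium, endpoint in order:
        if reachable(endpoint):
            return endpoint
    return None
```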

_______ Debugging L2TP

The following command is used to troubleshoot L2TP problems:

  set debug l2tp max | packets Bytes | setup | stats

max     Provides the same debugging as setup, packets,
        and stats combined.

packets Shows a representation of the L2TP packets, similar to
        the "ptrace dump" command.

Bytes   0 to 1500, number of bytes to display.

setup   Shows L2TP control messages and errors.

stats   Displays information that appears in "show l2tp stats"
        in more detail.

Remember to use "set console" before using this command, and
"reset console" after turning off the debug process.


_______________ Configuring NAT

ComOS 3.9 supports the network address translator (NAT) based
on RFC 2663.

The basic network address translator (basic NAT) capability maps IP
addresses from one group to another, transparently to users and
applications. The network address port translator (NAPT) capability is
an extension to basic NAT in which multiple network addresses and their
TCP and UDP ports are mapped to a single network address and its
ports.

ComOS supports both basic NAT and NAPT for both outbound and inbound
sessions. It also supports an "outsource" mode in which all NAT
processing is done on the server-side of the connection.

NOTE: While this release note covers only the PortMaster 3, other
PortMaster products support NAT and might be used in the examples in
this section. None of the IP addresses or networks used in the examples
are intended to refer to any actual real-world company or network
assignment.

_______ Quick Setup of Outbound NAPT ("Many-to-One")

Outbound NAPT is very common in a small office/home office (SOHO)
situation. To configure, use the following command---entered all on one
line:

    set Ether0 | S0 | W1 | location Locname | user Username
    nat outmap defaultnapt

The port, location, or user is your connection to the outside world.
For example, on a PortMaster dialing out to location "myisp" you enter
the following:

    set location myisp nat outmap defaultnapt

Then connect normally. You must reset the port if the connection
has already been established. If this is a dial-on-demand location,
then you must also reboot the PortMaster, or follow the instructions
listed in the section "Handling Changes to On-Demand Locations."

With the "defaultnapt" NAT configuration, all the hosts behind the
PortMaster will have their addresses translated to the IP address of
the interface that is assigned to the location.

_______ NAT Concepts

This section explains some of the NAT terminology and provides
hints to assist you in developing more complex NAT configurations.

For example, you might want to allow inbound connections---external
connections into a web server that resides behind the PortMaster
running NAT. Or you might need to renumber your network and want
to use basic NAT to avoid renumbering the entire network.

Private vs. Global IP Addresses:

Global IP addresses are accessible from anywhere on the Internet.
They are "external" to the PortMaster running NAT---at another branch
office, for example---because NAT is not limited to the Internet.
External hosts do not generally recognize any internal private IP
addresses that you might have assigned to your local hosts. Private IP
addresses are usually taken from one of the following ranges defined in
RFC 1918, which are reserved specifically for this purpose:

    10.0.0.0 - 10.255.255.255 (10.0.0.0/8)
    172.16.0.0 - 172.31.255.255 (172.16.0.0/12)
    192.168.0.0 - 192.168.255.255 (192.168.0.0/16)

Lucent strongly recommends numbering your private IP network(s)
with IP addresses from one of the reserved ranges rather than just
selecting IP addresses randomly.

Inbound vs. Outbound Sessions:

A "session" in NAT is considered either inbound or outbound:

* An inbound session is initiated to a client behind the NAT router by
a host external to a private IP network.

* An outbound session is initiated to an external host by a client
within the NAT-covered private IP network.

Basic NAT vs. NAPT:

Basic NAT does a one-to-one mapping of a private IP address to a
global IP address. You still must have a global IP address for every
host with a private IP address that needs to connect to an external
host at the same time.

With basic NAT, you can configure dynamic IP address pools from
which IP address allocations are made, allowing a number of private
hosts to use a (possibly) smaller pool of global IP addresses. Or you
can configure static IP address pools in which a static mapping exists
for each host, requiring the size of the pool to match the number of
hosts being translated.

If you configure a dynamic pool and have fewer global IP addresses
available than total private hosts, you will have a shortage of IP
addresses if all the hosts try to access the external network
simultaneously. This possibility needs to be accounted for in your
planning.

The network address port translator (NAPT) performs a many-to-one
"port translation." This capability allows any number of private
hosts to communicate globally while using only a single global IP
address.

Outsource Mode NAT:

Outsource mode NAT allows a PortMaster to handle NAT processing and
management for a connected network interface. If a remote router that
the PortMaster is connected to cannot run NAT locally, the PortMaster
can perform NAT services for that device.

All NAT configuration is handled on the PortMaster. A central site
administrator can maintain all NAT mappings for all sites on the
PortMaster without having to worry about the capabilities or management
of a number of entirely separate routers.

_______ Map Management

NAT maps define the mappings and translations between global and
private IP address space. The following map table commands are
supported:

   show table map       Shows all map files.

   show map Mapname     Displays a map's contents.

   add map Mapname      Creates a new map.

   delete map Mapname   Deletes a map.

   save map             Saves map contents into
                        nonvolatile RAM.

NOTE: In this release of NAT, inbound maps are restricted to static
address maps and/or static TCP/UDP port maps only. Outbound maps
do not have this limitation.

See the following section for map configuration commands.

_______ Configuring Map Contents

Entering NAT maps is very similar to configuring filters in ComOS.
The basic command "set map Mapname" has five versions that you can use
as follows---entered all on one line:

1.  To define a single dynamic pool IP address map entry or range or
    list of entries, use the following command:

    set map Mapname Rulenumber addressmap
        Ipaddrxfrom Ipaddrxto | @ipaddr [log]

2.  To define a single static pool IP address map entry or range
    or list of entries, use the following command:

    set map Mapname Rulenumber staticaddressmap
        Ipaddrxfrom Ipaddrxto | @ipaddr [log]

3.  To define a static or dynamic TCP or UDP port range map
    entry or list of entries, use the following command:

    set map Mapname Rulenumber static-tcp-udp-portmap
        Ipaddrxfrom:Tport1 | Uport1 | Portname
        Ipaddrxto:Tport2 | Uport2 | Portname [log]

4.  To remove rule Rulenumber in a map file, use the following
    command:

    set map Mapname Rulenumber

5.  To empty the contents of a map file, use the following command:

    set map Mapname blank

Mapname         Address map name of up to 15 characters.

Rulenumber      Integer between 1 and 20.

Ipaddrxfrom     IP address or range or list of IP addresses to be translated.

Ipaddrxto       IP address or range or list of IP addresses to translate to.

Tport           TCP number or range of numbers---between 1 and 65535.

Uport           UDP number or range of numbers---between 1 and 65535.

Portname        One of the following services:
                telnet  TCP port 23.
                ftp     TCP ports 20 and 21.
                tftp    UDP port 69.
                http    TCP port 80.
                dns     TCP/UDP port 53.
                smtp    TCP port 25.

@ipaddr         IP address of the port being configured as the
                destination address.

log             Selectively logs events for this map entry.

The following keywords have abbreviations for ease of entry:

    addressmap = am
    staticaddressmap = sam
    static-tcp-udp-portmap = stupm

Values for "Ipaddrxfrom" and "Ipaddrxto" can be one or more of the
following, separated by commas (,):

     IP address/mask
     IP address - IP address
     IP address1,Ipaddress2, ...
     IP address

The value for "Tport" or "Uport" can be a single port number or a range of
ports such as "6000-6010" (for an inbound X Server) that you want
statically mapped. This capability prevents your needing multiple map
rules to accomplish the same mapping.

Although you have NAT configured for a specified port, user, or
location, you are not required to translate the addresses of all the
hosts behind the PortMaster running NAT. You can choose the hosts for
which NAT processing is done by designing your maps around them.

Example 1 --  Basic NAT:

When an outbound NAT map is defined for a port, the translation
succeeds when the source IP address matches the "Ipaddrxfrom" address
in the outbound map.

Here is an outbound map that maps a single host with the private IP
address 10.5.3.6 to the global IP address 192.168.5.3. This is a basic
NAT configuration.

1. Configure a map for outbound NAT named myisp.out:

    set map myisp.out 1 addressmap 10.5.3.6 192.168.5.3

2. Configure location myisp:

     set location myisp nat outmap myisp.out

BEFORE Outbound NAT:
    Src: 10.5.3.6:12023  Dest: 192.168.2.4:80

AFTER NAT translation using the example outbound map:
    Src: 192.168.5.3:12023  Dest: 192.168.2.4:80

Example 2 --  @ipaddr Keyword:

As a special case, the "Ipaddrxto" value for an address map can be set
to "@ipaddr" when the address map is being used for outbound or
outbound outsource connections. The special macro "@ipaddr" uses the IP
address assigned to the port on which the address map is being used.

  set map myisp.outmap 1 addressmap 10.2.3.0/0 @ipaddr

Example 3 -- defaultnapt Map:

The reserved map "defaultnapt," described in the section "Using the
Default NAPT Map," is equivalent to the following map:

  set map myisp.outmap 1 addressmap 0.0.0.0/0 @ipaddr

Example 4 -- Basic NAT Pools:

Using the "Ipaddrxfrom" and "Ipaddrxto" values for an address map
allows you to configure one-to-one mappings of private IP addresses to
global IP addresses. Using lists of addresses for these values allows
the configuration of IP address allocation pools, from which global IP
addresses can be allocated for outbound sessions as they are required.

Here is a configuration using a global IP address pool range of
192.168.9.1 through 192.168.9.10 for hosts in the private network
10.9.9.0/24 for outbound NAT. This configuration allows only 10
concurrent outbound NAT sessions from the 10.9.9.0 subnet.

1. Configure rule 1 for outbound NAT map myisp.out:

    set map myisp.out 1 addressmap 10.9.9.0/24 192.168.9.1-192.168.9.10

2. Configure location myisp:

     set location myisp nat outmap myisp.out

Example 5 -- Basic NAT Static Maps:

If you require that private addresses always be mapped to the same
global addresses, use a static address map instead of a dynamic address
map. The following example creates a NAT mapping in which the private
IP address range 10.1.1.0/24 is translated to the global IP address
range 192.168.65.0/24 on the outbound transmission. Because this is a
static address map, it always translates 10.1.1.1 to 192.168.65.1,
10.1.1.55 to 192.168.65.55, and so on.

Configure a map for outbound NAT named myisp.out, and apply it
as an outmap to the location:

    set map myisp.out 1 staticaddressmap 10.1.1.0/24 192.168.65.0/24
    set location myisp nat outmap myisp.out

Alternatively, to allow inbound sessions to the same set of hosts,
create an inbound map named myisp.in and apply it as an inmap to the
location:

    set map myisp.in 1 staticaddressmap 192.168.65.0/24 10.1.1.0/24
    set location myisp nat inmap myisp.in

For a static address map, the total ranges on both sides must have the
same number of IP addresses; otherwise, a one-to-one static mapping is
not possible.

If you do not have sufficient global addresses to do one-to-one
mapping, use NAPT for all or part of the private hosts (see Example 6),
or reduce the number of IP addresses being translated.

Example 6 -- Mixing Static and Dynamic Address Maps:

This example uses a combination of static address maps for specific
hosts and NAPT for the remainder of the private hosts.

    set map myisp.out 1 staticaddressmap 192.168.65.1-192.168.65.10
        10.1.1.1-10.1.1.10
    set map myisp.out 2 staticaddressmap 192.168.65.73 10.1.1.73
    set map myisp.out 3 addressmap 192.168.65.0/24 10.1.1.11
    set location myisp nat inmap myisp.out

The order of the rules in a NAT map is important. In this example, a
private host with an address of 192.168.65.73 attempting outbound
access via the myisp location uses rule 2 and is translated to address
10.1.1.73. A private host with an address of 192.168.65.74 uses rule 3
and is translated to 10.1.1.11.

Example 7 -- Fully Specified Inbound Map:

When an inbound NAT map is defined for a port, the translation succeeds
when the destination IP address matches the "Ipaddrxfrom" address in
the inbound map.

Suppose you want to allow Internet access to your internal HTTP
server running on 10.4.2.9. To do so, configure the following as an
inbound map. You also have a global IP address 192.168.2.4 assigned to
your PortMaster as the global address for all hosts residing behind NAT:

1. Configure inbound NAT map myisp.in:

    set map myisp.in 1 static-tcp-udp-portmap 192.168.2.4:http 10.4.2.9

2. Configure the location:

    set location myisp nat inmap myisp.in

BEFORE Inbound NAT:
    Src: 130.65.2.3:12023  Dest: 192.168.2.4:80 (80 is http)

AFTER NAT translation using the example inbound map:
    Src: 130.65.2.3:12023  Dest: 10.4.2.9:80
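A small model of the map evaluation shown in Examples 1 through 7, added here as an illustration and not ComOS code: it parses "set map" commands (including the am/sam/stupm abbreviations and "@ipaddr"), keys outbound translations on the source address and inbound ones on the destination, walks rules in numeric order, pairs addresses by position for static maps, hands out dynamic pool addresses until the pool is exhausted, and rewrites one service port for a static-tcp-udp-portmap rule. NAPT port translation and TCP/UDP port ranges are not modelled, and the port address handed to NatMap (used for "@ipaddr") is an assumption.

```python
import ipaddress

PORTNAMES = {"telnet": 23, "ftp": 21, "tftp": 69, "http": 80, "dns": 53, "smtp": 25}
ABBREV = {"am": "addressmap", "sam": "staticaddressmap", "stupm": "static-tcp-udp-portmap"}

def parse_addrs(spec):
    """Ipaddrxfrom/Ipaddrxto value (CIDR, lo-hi range, comma list or single address)
    as ordered (first, last) integer ranges; that order is what a static map pairs on."""
    ranges = []
    for part in (p.strip() for p in spec.split(",")):
        if "/" in part:
            net = ipaddress.ip_network(part, strict=False)
            ranges.append((int(net.network_address), int(net.broadcast_address)))
        else:
            ends = [int(ipaddress.ip_address(p.strip())) for p in part.split("-")]
            ranges.append((ends[0], ends[-1]))
    return ranges

def size(ranges):
    return sum(hi - lo + 1 for lo, hi in ranges)

def offset_of(ranges, ip):
    """Position of integer ip within the ranges, or None when not covered."""
    pos = 0
    for lo, hi in ranges:
        if lo <= ip <= hi:
            return pos + ip - lo
        pos += hi - lo + 1
    return None

def nth(ranges, n):
    """Address at position n of the ranges (the inverse of offset_of)."""
    for lo, hi in ranges:
        if n <= hi - lo:
            return ipaddress.ip_address(lo + n)
        n -= hi - lo + 1
    return None

def parse_port(spec):
    """'http' -> 80, '25' -> 25 (port ranges such as 6000-6010 are not modelled)."""
    return PORTNAMES[spec] if spec in PORTNAMES else int(spec)


class NatMap:
    def __init__(self, name, port_ip):
        self.name = name
        self.port_ip = port_ip   # the port's own address, substituted for @ipaddr
        self.rules = {}          # Rulenumber -> rule, evaluated in numeric order
        self.bindings = {}       # dynamic pools: private address -> global address

    def set_rule(self, command):
        """Apply one 'set map Mapname Rulenumber Keyword From To [log]' command."""
        tok = command.split()
        num, kind = int(tok[3]), ABBREV.get(tok[4], tok[4])
        args = [a.replace("@ipaddr", self.port_ip) for a in tok[5:] if a != "log"]
        if kind == "static-tcp-udp-portmap":
            from_ip, from_port = args[0].split(":")
            to_ip, _, to_port = args[1].partition(":")   # to-port defaults to from-port
            rule = {"kind": kind, "from": int(ipaddress.ip_address(from_ip)),
                    "fport": parse_port(from_port), "to": to_ip,
                    "tport": parse_port(to_port or from_port)}
        else:
            rule = {"kind": kind, "from": parse_addrs(args[0]), "to": parse_addrs(args[1])}
            if kind == "staticaddressmap" and size(rule["from"]) != size(rule["to"]):
                raise ValueError("static map needs equal address counts on both sides")
        self.rules[num] = rule

    def _allocate(self, priv, pool):
        """Reuse the host's binding or take the first free pool address; None = pool exhausted."""
        if priv in self.bindings:
            return self.bindings[priv]
        in_use = set(self.bindings.values())
        free = next((nth(pool, n) for n in range(size(pool))
                     if nth(pool, n) not in in_use), None)
        if free is not None:
            self.bindings[priv] = free
        return free

    def translate(self, direction, src, dst):
        """src/dst are ('ip', port). An outbound map keys on the source, an inbound map
        on the destination. Returns the rewritten (src, dst), or None when no rule
        matches or a pool is empty (the case session-direction-fail-action decides)."""
        ip_text, port = src if direction == "out" else dst
        ip = int(ipaddress.ip_address(ip_text))
        for num in sorted(self.rules):
            rule = self.rules[num]
            if rule["kind"] == "static-tcp-udp-portmap":
                if ip != rule["from"] or port != rule["fport"]:
                    continue
                new = (rule["to"], rule["tport"])
            else:
                n = offset_of(rule["from"], ip)
                if n is None:
                    continue
                new_ip = (nth(rule["to"], n) if rule["kind"] == "staticaddressmap"
                          else self._allocate(ip, rule["to"]))
                if new_ip is None:
                    return None
                new = (str(new_ip), port)
            return (new, dst) if direction == "out" else (src, new)
        return None
```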

_______ Configuring Interfaces, Locations, and Users

The basic command "set Ether0 | S0 | W1 | location Locname | user
Username" has five NAT commands that you can use as follows---entered
all on one line---to configure NAT on a PortMaster.

You must reset an active port for changes in its NAT configuration to
take effect. For more information, see the section "Resetting NAT
Sessions."

1.  To configure a NAT map for outbound sessions and optionally
    enable the outsource function, use this command:

    set Ether0 | S0 | W1 | location Locname | user Username
        nat outmap Mapname [outsource]

2.  To configure a NAT map for inbound sessions and optionally
    enable the outsource function, use this command:

    set Ether0 | S0 | W1 | location Locname | user Username
        nat inmap Mapname  [outsource]

To remove the map entry from the specified interface, user, or
location, re-enter the command, minus the "outsource" keyword, with a
space after the Mapname value.

3.  To set logging options for a NAT session on an interface, use this
    command:

    set Ether0 | S0 | W1 | location Locname | user Username
        nat log sessionfail | sessionsuccess | syslog | console
        on | off

4.  To set the default action that the PortMaster takes if a request for
    a NAT session is refused because the mapping configuration is invalid
    or does not exist, use this command:

    set Ether0 | S0 | W1 | location Locname | user Username
        nat session-direction-fail-action drop | icmpreject | passthrough

5.  To set the maximum idle time for a NAT session, use this command:

    set Ether0 | S0 | W1 | location Locname | user Username
        nat sessiontimeout  tcp | other Number [minutes | seconds]

_______ Using the Default NAPT Map

You can assign the reserved map name "defaultnapt" to an outbound-only
NAPT configuration, with the following results:

* When "defaultnapt" is assigned as an outbound map, without the
"outsource" option, all outbound IP sessions through the given port are
subject to NAPT and use the IP address assigned to the port.

* When "defaultnapt" is assigned as an outbound map for the
port---using "outsource" in the command line---all inbound IP sessions
(with respect to the calling device) through the given port are subject
to outsource NAPT and use the IP address assigned to the port.

NOTE: Inbound maps are restricted to static address maps and/or static
TCP/UDP port maps only. Outbound maps do not have this limitation.

_______ Using RADIUS for NAT

Many NAT configuration parameters can also be configured via RADIUS on
a per-user basis. For RADIUS to support the new vendor-specific
attributes, you must be running the Lucent RADIUS 2.1 server or another
RADIUS server---such as the NavisRadius(TM) product---that supports
vendor-specific attributes.

Add the following attributes and values to your RADIUS dictionary if
they are not already there. Then stop and restart your RADIUS server.

RADIUS Dictionary Updates:

ATTRIBUTE       LE-NAT-TCP-Session-Timeout      14      integer Livingston
ATTRIBUTE       LE-NAT-Other-Session-Timeout    15      integer Livingston
ATTRIBUTE       LE-NAT-Log-Options              16      integer Livingston
ATTRIBUTE       LE-NAT-Sess-Dir-Fail-Action     17      integer Livingston
ATTRIBUTE       LE-NAT-Inmap                    18      string  Livingston
ATTRIBUTE       LE-NAT-Outmap                   19      string  Livingston
ATTRIBUTE       LE-NAT-Outsource-Inmap          20      string  Livingston
ATTRIBUTE       LE-NAT-Outsource-Outmap         21      string  Livingston

VALUE   LE-NAT-Sess-Dir-Fail-Action     Drop            1
VALUE   LE-NAT-Sess-Dir-Fail-Action     ICMP-Reject     2
VALUE   LE-NAT-Sess-Dir-Fail-Action     Pass-Through    3

VALUE   LE-NAT-Log-Options      Session-Success-On      1
VALUE   LE-NAT-Log-Options      Session-Failure-On      2
VALUE   LE-NAT-Log-Options      Console-On              3
VALUE   LE-NAT-Log-Options      Syslog-On               4
VALUE   LE-NAT-Log-Options      Success-Off             5
VALUE   LE-NAT-Log-Options      Failure-Off             6
VALUE   LE-NAT-Log-Options      Console-Off             7
VALUE   LE-NAT-Log-Options      Syslog-Off              8

Each RADIUS parameter corresponds to its command line equivalent. Refer
to the usage information on a particular NAT command in this release
note for more information.

When configuring a user profile, be sure to list any multiple
occurrences of the LE-NAT-Log-Options attribute, which sometimes
requires multiple values, in the order in which the values are listed
in the dictionary---the order shown above. For example:

joe     Auth-Type = System, Framed-Protocol = PPP
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-IP-Address = 255.255.255.254,
        LE-NAT-Outsource-Outmap = "defaultnapt",
        LE-NAT-Sess-Dir-Fail-Action = Drop,
        LE-NAT-Log-Options = Session-Failure-On,
        LE-NAT-Log-Options = Console-On

_______ NAT Session Management

NAT sessions can be managed, viewed, and reset in several ways.

You can display the currently active NAT sessions using the following
command:

  show nat sessions [tcp | udp | ftp | Sessionid]

Enter "show nat sessions" to display NAT session identification
numbers.

You can also limit the display to the sessions for a single port, user,
or location by appending a regular expression at the end of the command
line, as you can do with the "show routes" command.

You can view real-time statistics on NAT:

  show nat statistics

This command displays statistics on a per-port basis, including
successful translations, failures, address shortages when you are using
IP pools, and unsuccessful translations and/or lookups due to
timeouts.

Use the following command for debugging and to see resource usage:

  show nat mapusage

This command displays a list of active IP address and port bindings,
including a list of the remaining resources---TCP/UDP ports or IP
addresses---available for use.

_______ Resetting NAT Sessions

CAUTION! Resetting any or all interfaces while sessions are active
might cause active connections on clients and servers to be left open
or terminated abruptly. Lucent recommends NOT entering this command
while the interface is being used because doing so can leave
connections in an unknown state between the two communicating hosts.

You can reset the entire NAT subsystem with the following command:

    reset nat [Ether0 | S0 | W1]

The default resets all existing NAT sessions on the PortMaster---like
the "reset all" command. Specifying the name of an interface resets all
NAT sessions associated with the specified interface. Use the
"ifconfig" command to see a list of interfaces.

Resetting NAT affects active NAT sessions only. If you modify the NAT
configuration on an active port, you must reset the port directly and
also reset NAT on that interface.

_______ Deleting Individual NAT Sessions

You can delete individual NAT sessions by using the session ID. This
value is displayed in the first column of a "show nat sessions" output.
Determine the session ID and then enter the following command:

  delete nat sessions [Sessionid]

_______ NAT Administrative Concerns

Be aware that you might need to do the following when configuring your
network in the presence of a NAT.

Stopping the Advertisement of Routing Information:

NAT creates a private network that cannot be advertised outside the
private boundary delimited by the NAT router. As a result, you must be
sure to disable network advertisements on the NAT router's global
interface.

For example, if you are running NAT on a PortMaster IRX(TM) Router model
IRX-211, with Ether0 as your private interface and Ether1 as your
global interface with NAT enabled on it, you must disable RIP
broadcasts:

    set ether1 rip listen

Or use the "off" option if you do not need to listen to RIP routing
updates at all.

If you are using OSPF, you must specify the private IP address range as
"quiet":

  set ospf area 0.0.0.0 range 10.0.0.0/8 quiet

If you are using BGP, you must not advertise any private IP address
blocks to the outside world.

Rerouting Global IP Addresses Used by NAT to Static Routing:

Because NAT is not equipped to advertise routing, the global IP
addresses (or networks) used by NAT might require the addition of
static routes on the routers that are external peers of the
PortMaster.

Particularly, if you are using basic NAT to manage a pool of global
addresses, you must configure a static route for the pool of addresses
on the next-hop router of the PortMaster.

Avoiding Ethernet LANs:

NAT does not provide Ethernet ARP services for the global IP addresses
it uses. For this reason, Lucent recommends that NAT be configured on
WAN interfaces instead of Ethernet interfaces. If you choose to
configure basic NAT on a LAN interface, be sure to select for use with
NAT a global IP address block that does not fall within the same
network prefix of the LAN interface itself.

Determining If Additional Security, Privacy, and/or Firewalls Are
Needed:

Security is viewed differently in different environments. Many people
view NAT as a one-way (session) traffic filter, restricting sessions
from external hosts into their network. In that context, NAT provides a
certain degree of security that might not be acceptable for your
situation.

In addition, address assignment in NAT is often done dynamically.
Dynamically assigned addresses can often hinder an attacker from
pointing to any specific host in the NAT domain as a potential target
of attack. Partial privacy is gained because tracing an individual
connection to a particular user is more difficult. You can use
firewalls with NAT maps to provide other ways to filter unwanted
traffic.

However, NAT maps cannot by themselves transparently support all
applications and often must co-exist with application-level gateways
(ALGs)---for example, SOCKS. If you use NAT, you must determine the
application requirements first so that you can assess the extensions to
NAT and the security they provide.

NAT routers have a security limitation that allows NAT and/or its
application-level gateway extensions to read the packet data in the end
user traffic that passes through them. This limitation is a security
problem if the NAT routers are not in a trusted boundary.

Although you can encrypt NAT traffic, NAT must usually be the end point
to such an encryption-decryption setup. For example, you cannot
configure an end-to-end virtual private network (VPN) tunnel with NAT
routers in between. The end point(s) must be a router running NAT.

Lucent does not guarantee NAT as a complete security solution.
Although placing your private network behind NAT might make it seem
inaccessible to the outside, this is not the intention of NAT. You must
evaluate the particular configuration, network topology, and security
requirement of your organization to determine whether simply installing
NAT eliminates the need for further security measures such as a
firewall.

Mapping for DNS:

When configuring DNS on the hosts behind NAT, if you add a map similar
to the following on the internal interface---Ether0 in this
example---you can enter the IP address of your PortMaster as the DNS
server. This is a useful feature if you do not always have the same DNS
server, because of multiple providers, but do not want to reconfigure
all your private hosts.  Use the following commands, entering each
command all on one line:

    set map dns.inmap 1 static-tcp-udp-portmap
        @ipaddr:dns <Primary DNS IP address>
    set ether0 nat inmap dns.inmap 
    set location Locname nat outmap defaultnapt

Handling Changes to On-Demand Locations:

Because of the way that on-demand locations and their corresponding
interfaces are traditionally handled within ComOS, NAT configuration
changes might not take effect in the way you expect. To get around this
problem, you can either reboot immediately after changing the settings
for a location that is currently set to on-demand, or do the
following:

1. Enter "set location Locname maxports 0".

2. Enter "reset dialer".

3. Change whatever settings you need to.

4. Enter the following:

   set location Locname maxports <Original_maxports_value>

Manually dialed locations are unaffected.

_______ NAT Examples

1.  Dial-Out Location Using defaultnapt with a Dynamically Assigned
    PPP IP Address:

Your PortMaster is dialing in to a corporate network's remote access
server (192.168.2.5). The remote access server has one dynamically
assigned IP address for the PortMaster in a NAPT configuration.
Everything behind the PortMaster is subject to NAPT. You configure
the PortMaster as follows:

    add location corporate
    set location corporate phone 5558583
    set location corporate username joeuser
    set location corporate password secrets
    set location corporate destination 192.168.2.5
    set location corporate max 2
    set location corporate idle 15 minutes
    set location corporate on-demand
    set location corporate local-ip-address assigned
    set location corporate nat outmap defaultnapt

2. Preventing Address Renumbering with Basic NAT:

ABC, Inc. (198.34.4.0/24) has just merged with Big Company (25.0.0.0/8)
and must renumber its hosts to access Big Company's network. ABC has an
ISDN connection from its PortMaster to Big Company's network. Big
Company has just assigned ABC the IP range 25.9.1.0/24 to use. ABC
configures its PortMaster as follows:

    add map abc.outmap
    set map abc.outmap 1 addressmap 198.34.4.0/24 25.9.1.0/24
    add location bigcomp
    set location bigcomp phone 5558583
    set location bigcomp username abc
    set location bigcomp password bigsecret
    set location bigcomp destination 25.1.1.7
    set location bigcomp idle 15 minutes
    set location bigcomp on-demand
    set location bigcomp local-ip-address 25.9.1.254
    set location bigcomp nat outmap abc.outmap

The abc.outmap NAT map assigns IP addresses dynamically as needed.
If ABC wants to have static translations, abc.outmap on the PortMaster
must be changed as follows:

    set map abc.outmap 1 staticaddressmap 198.34.4.0/24 25.9.1.0/24

3. Address Redirection to a Backup IRX-211 to Perform Server
   Maintenance:

The following two servers on your Ether1 provide inbound FTP and Web
service:

* primary.web.com at 129.65.2.1

* backup.web.com at 129.65.2.2

The IP addresses of primary and backup are global IP addresses.
However, you need to take primary off-line to perform some maintenance
work. Just before shutting down primary, you configure an inbound map
on Ether0 that statically maps primary's address to backup. You use a
basic NAT setup as follows:

    add map ether0.inmap
    set map ether0.inmap 1 addressmap 129.65.2.1 129.65.2.2
    set ether0 nat inmap ether0.inmap
    reset nat

As part of this configuration, you might also want to set the NAT
session-direction-fail-action (SDFA) to passthrough:

    set ether0 nat sdfa passthrough

This setting prevents NAT from intercepting outbound packets from the
remapped host when primary returns to service and you want to run a
Telnet or FTP session from it.

4. T1 or Fractional T1 WAN Link Using defaultnapt for Outbound and
   Providing Inbound HTTP Service:

Line1 on your PortMaster 3 is a T1 WAN link with a private network
10.0.0.0/8 behind it. The T1 point-to-point interfaces are numbered
with global addresses (local: 192.168.44.99, dest: 192.168.44.254). The
HTTP server in the private network resides at 10.1.1.10. You configure
the PortMaster 3 as follows:

    set w24 address 192.168.44.99
    set w24 destination 192.168.44.254
    set w24 nat outmap defaultnapt
    add map w24.inmap
    set map w24.inmap 1 static-tcp-udp-portmap 192.168.44.99:http
      10.1.1.10:http
    set w24 nat inmap w24.inmap
    reset w24

5. Dial-In User Using defaultnapt in Outsource Mode:

You want to provide NAT service to a user (or incoming network) by
connecting the user (or network) in an outsource-mode NAPT
configuration using the defaultnapt map on a PortMaster. The global IP
address 192.168.129.130 is assigned to the dial-up router and will be
used as the global address by NAT. Because this configuration uses the
defaultnapt map, the IP addresses that the client's network is using
are not needed in the NAPT configuration. Configure the PortMaster as
follows:

    add netuser joeuser
    set user joeuser password mysecret
    set user joeuser destination 192.168.129.130
    set user joeuser nat outmap defaultnapt outsource

No NAT configuration is required on the dial-up router (client) side.
If the client also wants to run an FTP server with a private IP address
of 192.168.5.1 on his network and have it accessible globally, you can
configure further as follows:

    add map joeuser.in
    set map joeuser.in 1 stupm 192.168.129.130:ftp 192.168.5.1:ftp
    set user joeuser nat inmap joeuser.in outsource

When you configure the NAT map for a user with outsource NAT, you can
consider the map as being on the calling router's outbound interface.

6.  Dial-Out Location Using a Dynamic IP Address Basic NAT Map:

Your ISP gives you a small address block (192.168.129.129/29), but you
have more hosts than global IP addresses available. You do not want to
request more global IP addresses because of the added expense. In
addition, because not all workstations use the connection at the same
time, additional addresses would be wasteful. You want to use a dynamic
IP address pool map instead. You configure your PortMaster as follows:

    add map isp.outmap
    set map isp.outmap 1 addressmap 10.1.1.0/24 192.168.129.129/29
    add location isp
    set location isp phone 5558583
    set location isp username mycompany
    set location isp password bigsecret
    set location isp destination negotiated
    set location isp max 2
    set location isp continuous
    set location isp local-ip-address assigned
    set location isp nat outmap isp.outmap

7.  Dial-Out Location Using a Static IP Address Basic NAT Map:

Your ISP gives you an address block (192.168.130.0/24). You can use a
dynamic IP address pool for your workstation IP addresses because they
do not need Internet access at the same time. However, you must give
two of your trusted systems static IP addresses for security
reasons---to perform packet filtering, for example. You configure your
PortMaster as follows:

    add map isp.outmap
    set map isp.outmap 1 addressmap 10.1.1.1 192.168.130.1
    set map isp.outmap 2 addressmap 10.1.1.2 192.168.130.2
    set map isp.outmap 3 addressmap 10.1.0.0/16 192.168.130.3-192.168.130.254
    add location isp
    set location isp phone 5558583
    set location isp username mycompany
    set location isp password bigsecret
    set location isp destination negotiated
    set location isp max 2
    set location isp continuous
    set location isp local-ip-address assigned
    set location isp nat outmap isp.outmap
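
The following Python model is added here as an illustration and is not
ComOS code. It reads map entries written in the syntax of examples 2 and
7 above and shows how the two trusted hosts keep fixed global addresses
while every other 10.1.0.0/16 host draws from, and returns addresses to,
the dynamic pool. The entry-order, lowest-free-address, and
offset-preserving "staticaddressmap" semantics are assumptions for the
model, not documented ComOS behavior.

```python
import ipaddress

# Constructed model, not ComOS code, of an outbound basic-NAT map such as
# isp.outmap in example 7 or abc.outmap in example 2. Assumed semantics:
# entries are tried in numeric order, first match wins; "addressmap" leases the
# lowest free global address until the host's last session closes;
# "staticaddressmap" maps host k of the private prefix to global address k.

def expand(text):
    """'a-b' range, 'x/len' prefix or single address -> list of IPv4Address."""
    if "-" in text:
        lo, hi = (ipaddress.ip_address(p) for p in text.split("-"))
        return [ipaddress.ip_address(i) for i in range(int(lo), int(hi) + 1)]
    net = ipaddress.ip_network(text, strict=False)
    return [net.network_address] if net.prefixlen == 32 else list(net.hosts())

def parse_map(config_lines, name):
    """Collect 'set map <name> N addressmap|staticaddressmap PRIV GLOB' lines."""
    entries = []
    for line in config_lines:
        p = line.split()
        if len(p) == 7 and p[:3] == ["set", "map", name] and p[4].endswith("addressmap"):
            entries.append((int(p[3]), p[4], ipaddress.ip_network(p[5], strict=False), p[6]))
    return sorted(entries)

class OutboundMap:
    def __init__(self, entries):
        self.entries = entries
        self.pools = {n: expand(g) for n, kind, _, g in entries if kind == "addressmap"}
        self.leases = {}    # private host -> global address currently held
        self.sessions = {}  # private host -> number of open sessions

    def translate(self, src):
        """Global address for a new session from src, or None ('Xlation failed')."""
        src = ipaddress.ip_address(src)
        if src in self.leases:                 # host already holds an address
            self.sessions[src] += 1
            return self.leases[src]
        for num, kind, private, glob in self.entries:
            if src not in private:
                continue
            if kind == "staticaddressmap":     # offset-preserving, never exhausted
                gnet = ipaddress.ip_network(glob, strict=False)
                g = gnet.network_address + (int(src) - int(private.network_address))
            else:                              # dynamic pool: lowest free address
                held = set(self.leases.values())
                g = next((a for a in self.pools[num] if a not in held), None)
                if g is None:
                    return None                # pool exhausted
            self.leases[src], self.sessions[src] = g, 1
            return g
        return None                            # no entry covers src

    def close(self, src):
        """End one session from src; free its address when none remain."""
        src = ipaddress.ip_address(src)
        if src in self.sessions:
            self.sessions[src] -= 1
            if self.sessions[src] == 0:
                del self.sessions[src], self.leases[src]

EXAMPLE7 = """\
set map isp.outmap 1 addressmap 10.1.1.1 192.168.130.1
set map isp.outmap 2 addressmap 10.1.1.2 192.168.130.2
set map isp.outmap 3 addressmap 10.1.0.0/16 192.168.130.3-192.168.130.254
""".splitlines()

def demo():
    nat = OutboundMap(parse_map(EXAMPLE7, "isp.outmap"))
    trusted = nat.translate("10.1.1.1")   # fixed entry: always 192.168.130.1
    first = nat.translate("10.1.5.7")     # lowest free pool address: .3
    nat.close("10.1.5.7")                 # lease released, so ...
    reused = nat.translate("10.1.9.9")    # ... the next host gets .3 again
    outside = nat.translate("10.2.0.1")   # no entry covers 10.2/16: None
    return tuple(str(a) if a is not None else None for a in (trusted, first, reused, outside))
```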

_______ NAT-Unfriendly Applications

The following applications are considered unfriendly to NAT because
they embed the IP source and/or destination addresses in the packet
data, are multicast based or broadcast based, or rely on end-to-end
node security:

* Multicast-based applications
* Routing protocols RIP and OSPF
* DNS zone transfers
* End-to-end VPN tunnels
* Anything that embeds the IP source and/or destination address(es)
into the packet data.

_______ NAT Debugging and Troubleshooting Tips

* Verify obvious values like correct IP addresses in map entries.

* Make sure your maps match the flow of the session (inbound or
outbound). Check "show nat sessions" output to make sure the correct
translations are taking place.

* Watch "show nat statistics" output for failed translations that can
indicate incorrect session flow direction and possibly incomplete
maps.

* Watch the source and destination IP addresses of packets going
through the PortMaster. You can find a simple ptrace debug filter for
this purpose in the PortMaster Troubleshooting Guide. If you are
running NAT on your WAN link, look for private IP addresses that are
exiting the ptp0 interface untranslated. If translation is not taking
place, either your NAT maps are not configured properly or NAT is not
active on the port.

* Make sure that you reset the active network interface to make its NAT
configuration take effect. In the case of an Ethernet interface, enter
"reset nat ether0".

* If a location is set to dial-on-demand, you might need to reboot the
PortMaster for configuration changes to take effect.

* If a port loses its network connectivity---for example, if the modem
drops carrier---NAT maintains the state of any existing sessions ONLY
if the IP address assigned to the port remains the same.

* Because of the nature of NAT operation, some applications that work
under basic NAT might not work with NAPT. If you are using a particular
application under NAPT and it is not working, try using basic NAT and
see if the situation improves.

_______ NAT Logging Control

You can activate syslog and console logging on a per-port basis to
identify configuration errors and for auditing purposes. Enter the
following commands---all on one line---to configure logging to the
PortMaster console of all NAT sessions that fail for any reason:

set Ether0 | S0 | W1 | location Locname | user Username
        nat log sessionfail on

set Ether0 | S0 | W1 | location Locname | user Username
        nat log console on

To log to syslog instead, enter "syslog" instead of "console".

Syslog messages are logged at the priority level shown in "show syslog"
output. If you have not set the PortMaster global option for logging
NAT information to syslog, then no logging takes place, regardless of
the logging options configured on any particular port. Lucent
recommends that you log NAT activity at the same priority as packet
filters:

    set syslog nat auth.notice

You can also log more selectively for only certain map entries by
appending the "log" keyword at the end of a particular map entry you
want logged. For example:

    set map abc.outmap 1 addressmap 192.168.1.1 172.16.1.1 log

Whenever a session from 192.168.1.1 is successfully translated to the
global IP address 172.16.1.1 via this outbound map, a syslog message
is sent to your loghost.

Here is some sample syslog output:

Mar 24 17:28:11 nat-or NAT: ptp3: Out TCP (192.168.3.1:34172)->
 (192.168.247.6:80) Xlation failed: Session may have prematurely timed out.

Mar 24 17:28:40 nat-or NAT: ptp3: Out TCP (192.168.3.1:34172)->
 (192.168.247.6:80) Xlation failed: Session may have prematurely timed out.

Mar 24 17:28:57 nat-or NAT: ptp3: Out TCP (192.168.3.1:34177)->
 (192.168.247.6:80) translated to (192.168.129.129:20001)->(192.168.247.6:80)

Mar 24 17:29:23 nat-or NAT: ptp3: Out TCP (192.168.3.1:34178)->
 (192.168.247.6:80) translated to (192.168.129.129:20002)->(192.168.247.6:80)

Mar 24 17:29:36 nat-or NAT: ptp3: Out TCP (192.168.3.1:34172)->
 (192.168.247.6:80) Xlation failed: Session may have prematurely timed out.

Mar 24 17:30:22 nat-or NAT: ptp3: Out TCP (192.168.3.1:34179)->
 (192.168.247.6:80) translated to (192.168.129.129:20003)->(192.168.247.6:80)

Mar 24 17:34:18 nat-or NAT: ptp3: Out TCP (192.168.3.1:34172)->
 (192.168.247.6:80) Xlation failed: Session may have prematurely timed out.

Mar 25 11:02:03 nat-or NAT: ptp3: Out TCP (192.168.3.1:34185)->
 (192.168.65.50:23) translated to (255.255.255.254:20001)->(192.168.65.50:23)

Mar 25 11:02:40 nat-or NAT: ptp3: Out TCP (192.168.3.1:34185)->
 (192.168.65.50:23) translated to (192.168.129.129:20001)->(192.168.65.50:23)
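
As an added illustration that is not part of the release note, the
following Python script parses NAT session records in the format shown
above (the wrapped lines joined back onto one line each) and reports
failed translations, flows that fail repeatedly, and any translation to
a global address outside the block you expect. The 192.168.129.129/29
block is an assumption taken from NAT example 6.

```python
import ipaddress
import re
from collections import Counter

# Constructed example, not ComOS code: parse the per-session NAT syslog lines
# shown above and pull out what a reviewer looks for. The expected global
# block 192.168.129.129/29 is an assumption taken from NAT example 6; any
# translation to an address outside it is flagged.

GLOBAL_BLOCK = ipaddress.ip_network("192.168.129.129/29", strict=False)

LINE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) NAT: (?P<iface>\w+): "
    r"(?P<dir>In|Out) (?P<proto>\w+) "
    r"\((?P<src>[\d.]+):(?P<sport>\d+)\)-> ?\((?P<dst>[\d.]+):(?P<dport>\d+)\) "
    r"(?:translated to \((?P<gsrc>[\d.]+):(?P<gport>\d+)\)->\((?P<gdst>[\d.]+):(?P<gdport>\d+)\)"
    r"|Xlation failed: (?P<reason>.+))$"
)

def parse(text):
    """Yield one dict per well-formed NAT syslog line; other lines are skipped."""
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            yield m.groupdict()

def analyze(text):
    """Summarise failures, repeatedly failing flows and suspicious global addresses."""
    events = list(parse(text))
    failures = Counter()   # (iface, flow, reason) -> count
    bad_global = []        # translations to an address outside GLOBAL_BLOCK
    for e in events:
        flow = f"{e['src']}:{e['sport']}->{e['dst']}:{e['dport']}"
        if e["reason"]:
            failures[(e["iface"], flow, e["reason"])] += 1
        elif ipaddress.ip_address(e["gsrc"]) not in GLOBAL_BLOCK:
            bad_global.append((e["ts"], e["iface"], flow, e["gsrc"]))
    failed = sum(failures.values())
    return {
        "parsed": len(events),
        "failed": failed,
        "translated": len(events) - failed,
        # the same flow failing three or more times deserves a closer look
        "repeated_failures": sorted({k[1] for k, n in failures.items() if n >= 3}),
        "bad_global": bad_global,
    }

# Constructed sample: the syslog output shown above, one record per line.
SAMPLE = """\
Mar 24 17:28:11 nat-or NAT: ptp3: Out TCP (192.168.3.1:34172)-> (192.168.247.6:80) Xlation failed: Session may have prematurely timed out.
Mar 24 17:28:40 nat-or NAT: ptp3: Out TCP (192.168.3.1:34172)-> (192.168.247.6:80) Xlation failed: Session may have prematurely timed out.
Mar 24 17:28:57 nat-or NAT: ptp3: Out TCP (192.168.3.1:34177)-> (192.168.247.6:80) translated to (192.168.129.129:20001)->(192.168.247.6:80)
Mar 24 17:29:23 nat-or NAT: ptp3: Out TCP (192.168.3.1:34178)-> (192.168.247.6:80) translated to (192.168.129.129:20002)->(192.168.247.6:80)
Mar 24 17:29:36 nat-or NAT: ptp3: Out TCP (192.168.3.1:34172)-> (192.168.247.6:80) Xlation failed: Session may have prematurely timed out.
Mar 24 17:30:22 nat-or NAT: ptp3: Out TCP (192.168.3.1:34179)-> (192.168.247.6:80) translated to (192.168.129.129:20003)->(192.168.247.6:80)
Mar 24 17:34:18 nat-or NAT: ptp3: Out TCP (192.168.3.1:34172)-> (192.168.247.6:80) Xlation failed: Session may have prematurely timed out.
Mar 25 11:02:03 nat-or NAT: ptp3: Out TCP (192.168.3.1:34185)-> (192.168.65.50:23) translated to (255.255.255.254:20001)->(192.168.65.50:23)
Mar 25 11:02:40 nat-or NAT: ptp3: Out TCP (192.168.3.1:34185)-> (192.168.65.50:23) translated to (192.168.129.129:20001)->(192.168.65.50:23)
"""
```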

_______ Debugging NAT

The following commands set ComOS debugging options for NAT:

  set debug nat-ftp on | off            Displays FTP payload processing.

  set debug nat-icmp-err on | off       Displays ICMP error payload
                                processing.

  set debug nat-rt-interface on | off   Displays NAT parameters changes
                                during interface binding.

  set debug nat-max on | off            Enables full NAT debugging.

Remember to use "set console" before using these commands, and
"reset console" after turning off the debug process.

_______ Network Diagnostic Tools for NAT

Because NAT includes ICMP and UDP translation, the two most common
network diagnostic tools, ping and traceroute, can still be used---with
the following restrictions:

* When using NAPT, you will not be able to run traceroute or ping
inbound to the private hosts because you cannot reach them directly
from the outside. But you can use the tools in an outbound direction
without any problems.

* When using basic NAT, you can run traceroute and ping inbound but
only if you have an inbound map active. You still must include an entry
for the actual host you are trying to ping or trace routes to. As with
NAPT, you can do all network diagnostics in outbound mode.

_______ NAT References

* draft-ietf-nat-traditional-03.txt, Traditional IP Network Address
Translator (Traditional NAT)

* RFC 1918, Address Allocation for Private Internets

* RFC 2663, IP Network Address Translator (NAT) Terminology and
Considerations


_______________ ComOS 3.9 Limitations

The ComOS 3.9 release has the following limitations.

_______ Limitations on Upgrading and Downgrading

* The PortMaster must be running ComOS 3.5 or later to upgrade to
ComOS 3.9. If you are running an earlier release of ComOS, upgrade
to ComOS 3.5 first, reboot, then upgrade to ComOS 3.9.

* Downgrading a PortMaster 3 from ComOS 3.9 to a previous release
requires two successful downgrades. After the first successful
downgrade the PortMaster is operational, but without system messages.
The second downgrade applies the system messages.

* Downgrading from ComOS 3.9 to ComOS 3.5 might change the Ether0 IP
address.

_______ No Online Help File

A ComOS online help file is not included in this release; therefore,
the "help" command is not supported.

_______ Modem Limitations

* Support for the obsolete "True Digital V.34 Card" (MDM-PM3-8 and
MDM-PM3-10), including support for V.110, has been removed from this
release. The "True Digital 56K Card" (MDM-56K-8 and MDM-56K-10) is
still supported.

* Lucent is still fixing some problems with Rockwell HCF and Cirrus
Logic modems. If you experience any difficulties with modems, verify
that the client modem is running the latest firmware. Then refer to
http://www.livingston.com/tech/bulletin/comos-modem.html. If these
instructions do not help, contact Lucent NetworkCare technical support.

* A PCTEL modem set for K56flex in its proprietary bit will be
incorrectly identified as being set for V.90 by the PortMaster. As a
result, the modem will fail V.90 negotiations with the PortMaster and
will fall back to V.34 rates.

_______ Frame Relay Limitation

You cannot use Inverse Address Resolution Protocol (ARP) on a Frame
Relay interface with subinterfaces. The primary Frame Relay interface
does not automatically map IP addresses to data link connection
identifiers (DLCIs). When you enter a "show arp frm1" command, no ARP
tables appear, and the PortMaster cannot ping across the Frame Relay
cloud.

_______ NAT Limitations

* Inbound NAT maps are restricted to static address maps and/or static
TCP/UDP port maps only. Outbound NAT maps do not have this limitation.

* NAT translates only TCP, UDP, and ICMP packets. Point-to-Point
Tunneling Protocol (PPTP) traffic is not translated.

_______ L2TP Session Limitation

A Layer 2 Tunneling Protocol (L2TP) network server (LNS) can support
only 94 L2TP sessions in this release.

_______ NFAS Limitations

* This release does not support mixing NFAS and non-NFAS ISDN PRIs in
the same chassis. If one line is used for NFAS, the other line must be
used for NFAS or left empty.

* NFAS operates only on National ISDN (NI-2) switch types.

* Configuring NFAS settings on a line that is not configured for ISDN
or unable to perform ISDN functions makes the line behave strangely.

* When you are using NFAS and a problem occurs on the physical PRI line
with the D channel, the line sometimes does not return to service until
you reset the D channel.

* When a PortMaster running NFAS is rebooted, you must sometimes reset
the D channel to return the PRI line to service.

_______ OSPF Address Pool Limitation for Static Internal Routes

To advertise your address pools allocated for static users as internal
OSPF routes, you must add them to the OSPF area range as full class C
addresses. If these addresses are instead added as subnets of a class C
address, they are incorrectly advertised as OSPF type 2 external (E2)
routes.

An address pool on a PortMaster 3 is most commonly made up of 48
contiguous addresses, the first of which is a network address.  For
example, suppose you configure an address pool using subnets
192.168.110.16/28 and 192.168.110.32/27, with 192.168.110.16 as the
first address.

If you add the address pool to the OSPF area range as
*192.168.110.0/24, the address pool is correctly advertised as "ospf."
However, if you add the address pool to the OSPF area range as
*192.168.110.16/28 and *192.168.110.32/27, it is advertised as
"ospf/E2."


_______________ Troubleshooting Modems

As part of modem troubleshooting, confirm that the client modem is
running the latest firmware before submitting a modem trouble report.

When making a report of a new modem problem, send the following
information to Lucent NetworkCare technical support:

* ComOS version
* Client modem manufacturer
* Client modem model
* Results on the client modem of commands ATI0 through ATI11
* Whether the problem is reproducible

Lucent might want to monitor your PortMaster while the client modem
reproduces the problem.


_______________ Upgrade Instructions

You can upgrade your PortMaster 3 using PMVision 1.10, or pmupgrade
from PMTools 4.4. Alternatively, you can upgrade using the older
programs pminstall 3.5.3, PMconsole 3.5.3, or PMconsole for Windows
3.5.1.4. You can also upgrade using TFTP with the "tftp get comos"
command from the PortMaster command line interface.

See ftp://ftp.livingston.com/pub/le/software/java/pmvision110.txt for
installation instructions for PMVision 1.10.

*** CAUTION!  If the upgrade fails, do NOT reboot!  Contact Lucent
NetworkCare Technical Support without rebooting. ***

The upgrade process on the PortMaster 3 erases the configuration area
from nonvolatile memory and saves the current configuration into
nonvolatile memory. Never interrupt the upgrade process, or loss of
configuration information can result.

WARNING! Due to the increased size of ComOS, the amount of NVRAM
available for saving configurations has been reduced from 128KB to
64KB. PortMaster products with configurations greater than 64KB will
lose some of their configuration. For this reason, be sure to back up
your PortMaster configuration before upgrading to this release. You can
check the amount of memory used for your configuration with the "show
files" command. Ignore any files that also include an uncompressed
size.

WARNING! The PortMaster 3 must be running ComOS 3.5 or later to upgrade
to ComOS 3.9. If you are running an earlier release of ComOS, upgrade
to ComOS 3.5 first, reboot, then upgrade to ComOS 3.9.

IMPORTANT: Any PortMaster 3 running BGP requires 32MB of DRAM so that
it can store the more than 70,000 BGP paths in a full BGP feed.

The installation software can be retrieved by FTP from
ftp://ftp.livingston.com/pub/le/software/, and the upgrade image can be
found at ftp://ftp.livingston.com/pub/le/upgrades:

ComOS           Upgrade Image   Product
_________       _____________   ________________________
3.9             pm3_3.9         PortMaster 3


____________________________________________________________________

Copyright and Trademarks

Copyright 2000 Lucent Technologies. All rights reserved.

PortMaster, ComOS, ChoiceNet, and NetworkCare are registered trademarks of
Lucent Technologies. PMVision, IRX, PortAuthority, and NavisRadius are
trademarks of Lucent Technologies. All other marks are the property of
their respective owners.

        Notices

Lucent Technologies makes no representations or warranties with respect
to the contents or use of this publication, and specifically disclaims
any express or implied warranties of merchantability or fitness for any
particular purpose. Further, Lucent Technologies reserves the right to
revise this publication and to make changes to its content, any time,
without obligation to notify any person or entity of such revisions or
changes.

        Contacting Lucent NetworkCare Technical Support

Lucent NetworkCare Professional Services provides PortMaster technical
support via voice or electronic mail, or through the World Wide Web at
http://www.livingston.com/. Specify that you are running ComOS 3.9
when reporting problems with this release.

Internet service providers (ISPs) and other end users in Europe, the
Middle East, Africa, India, and Pakistan must contact their authorized
Lucent NetworkCare sales channel partner for technical support; see
http://www.livingston.com/International/EMEA/distributors.html.

For North America, the Caribbean and Latin America (CALA), and Asia
Pacific customers, technical support is available Monday through Friday
from 7 a.m. to 5 p.m. U.S. Pacific Time (GMT -8). Dial 1-800-458-9966
within the United States (including Alaska and Hawaii), Canada, and
CALA, or 1-925-737-2100 from elsewhere, for voice support. For email
support, send to support@livingston.com (asia-support@livingston.com
for Asia Pacific customers).
