

Getting Acquainted with the MAX


This chapter covers the following topics:
Using the MAX as an ISP or telecommuting hub
Overview of MAX configuration
Management features
MAX profiles
Where to go next

Using the MAX as an ISP or telecommuting hub

The MAX is a high-performance WAN router that concentrates many incoming connections onto a corporate backbone or another network, such as the Internet or a Frame Relay network. The connections are usually switched, but the MAX also supports leased connections for those users whose connection times justify a permanent virtual connection to the backbone network.

A switched connection is a temporary link between devices, established only for the duration of a call. When you use bandwidth-on-demand, the MAX adds and subtracts bandwidth as necessary, keeping connection costs as low as possible.

The MAX most commonly serves as an Internet Service Provider (ISP) hub, managing many switched IP connections to the Internet, or as a telecommuting hub, providing high-speed connections between a corporate backbone and remote locations. MAX configuration options provide the flexibility you need to optimize your installation. Management features include a comprehensive set of control and monitoring functions and easy upgrades.

Using the MAX as an ISP hub

Individuals subscribe to an Internet Service Provider to get a TCP/IP connection to the Internet. Subscribers dial in to a local Point-of-Presence (POP), typically by means of an analog modem, or an ISDN router such as an Ascend Pipeline. If you use the MAX as an ISP hub, configure it as an IP router, because it establishes the dial-in WAN connection with subscribers and routes their data streams to other Internet routers.

Figure 1-1 shows a typical ISP configuration with three POPs. Each POP has at least one MAX on an Ethernet LAN that also includes another Internet router, which could be, for example, an Ascend GRF 400 router.

Figure 1-1. Using the MAX as an ISP hub

Typically, the MAX has BRI lines that use ISDN signaling to connect to the WAN and handle the incoming switched connections. To connect to Internet routers, the MAX most often uses the local Ethernet. Large ISPs often support redundant MAX units and Internet routers on each Ethernet segment.

Using the MAX as a telecommuting hub

Telecommuters are typically at branch offices, at home, at customer sites, at vendor sites, or on the road. The MAX enables these remote users to access the corporate backbone just as though they were connected locally. The backbone might be a NetWare LAN, an IP network, or a multiprotocol network. Figure 1-2 shows an example in which home users, remote offices, and customer sites can access the backbone network.

Figure 1-2. Using the MAX as a telecommuting hub

In this sample network, a telecommuter in a home office uses a Pipeline 25 and Frame Relay to log into the corporate LAN. Users on a remote office LAN access the backbone via a Pipeline 400 with a Switched-56 connection. A customer can access selected corporate network resources by means of a Pipeline 50 with an ISDN BRI connection. A mobile user with an analog modem can dial into the backbone, provided that the MAX has a digital modem card installed.

Notice that each user can access the MAX through a different type of line. While one user might access the MAX by using the switched services on an ISDN BRI or Switched-56 line, another might require a nailed 56K Frame Relay circuit.

Overview of MAX configuration

Before you configure the MAX, you should create a network diagram. Configuration tasks generally consist of:

Creating a network diagram

Ascend strongly recommends that, after you have read these introductory sections, you diagram your network and refer to the diagram while configuring the MAX. Creating a comprehensive network diagram helps prevent problems during installation and configuration, and can help in troubleshooting any problems later.

Configuring lines, slots, and ports for WAN access

You can add expansion modules to support additional bandwidth (BRI lines), and modems to support analog modem connections. The lines and ports on the modules (cards) have their own configuration requirements, including the assignment of phone numbers and information about routing calls.

Once you enable the lines, slots, and ports for WAN access, you need to configure the way in which outbound calls are routed to them (for dial-out access to the WAN) and the way in which inbound calls are routed from them to other destinations (such as the local network).

Configuring WAN connections and security

When the MAX receives packets that require establishment of a particular WAN connection, it automatically dials the connection. Software at both ends of the connection encapsulates each packet before sending it out over the phone lines. Each type of encapsulation supports its own set of options, which can be configured on a per-connection basis to enable the MAX to interact with a wide range of software and devices.

After a connection's link encapsulation method has been negotiated, the MAX typically uses a password to authenticate the call. For detailed information about authentication and authorization, see the MAX 6000 Series Security Supplement. Following are some of the connection security features the MAX supports:

Feature: Description

Authentication protocols: For PPP connections, the MAX supports both Password Authentication Protocol (PAP) and Challenge-Handshake Authentication Protocol (CHAP). CHAP is more secure than PAP, and is preferred if both sides of the connection support it.

Callback security: You can have the MAX call back any user dialing into it, thus ensuring that the connection is made with a known location.

Caller-ID and called-number authentication: You can restrict who can access the MAX by verifying the caller-ID before answering the call. You can also use the called number to authenticate and direct the call.

Authentication servers: You can offload the authentication responsibility to a RADIUS or TACACS server on the local network.

Security card authentication: The MAX supports hand-held personal security cards, such as those provided by Enigma Logic and Security Dynamics. These cards provide users with a password that changes frequently, usually many times a day. Support for dynamic passwords requires the use of a RADIUS server that has access to an authentication server, such as an Enigma Logic SafeWord AS or Security Dynamics ACE authentication server.

Terminal-server: After a dial-in user has passed the initial connection security, you can demand another password for access to the MAX terminal services. Within the terminal server, you can restrict commands that are accessible to users, or prevent them from executing any command other than Telnet.

Filters and firewalls: Packet-level security mechanisms can provide a very high level of network security.

Configuring routing and bridging across the WAN

Routing and bridging configurations enable the MAX to forward packets between the local network and the WAN and also between WAN connections.

Enabling protocol-independent packet bridging

The MAX can operate as a link-level bridge, forwarding packets from Ethernet to a WAN connection (and vice versa) on the basis of the destination hardware address in each packet. Unlike a router, a bridge does not examine packets at the network layer. It simply forwards packets to another network segment if the address does not reside on the local segment.

Using IPX routing (NetWare 3.11 or newer)

The MAX can operate as an IPX router, linking remote NetWare LANs with the local NetWare LAN on Ethernet. IPX routing has its own set of concerns related to the client-server model and user logins. For example, users should remain logged in for some period even if the connection has been brought down to save connection costs.

IP routing

IP routing is the most widespread use of the MAX, and it has a wide variety of configurable options. IP routing is the required protocol for Internet-related services such as IP multicast support, OSPF, and cross-Internet tunneling for virtual private networks. Most sites create static IP routes to enable the MAX to reliably bring up a connection to certain destinations or to change global metrics or preferences settings.

Virtual private networks

Many sites use the Internet to connect corporate sites or to enable mobile nodes to log into a corporate backbone. Such virtual private networks use cross-Internet tunneling to maintain security or to enable the Internet to transport protocols that it would otherwise drop, such as IPX. To implement virtual private networks, the MAX supports both ATMP, which is an Ascend proprietary tunneling mechanism, and Point-to-Point Tunneling Protocol (PPTP).

ATMP enables the MAX to create and tear down a tunnel to another Ascend unit. In effect, the tunnel collapses the Internet cloud and provides a direct access to a home network. Packets received through the tunnel must be routed, so ATMP applies only to IP or IPX networks at this time.

A PPTP session occurs between the MAX and a Windows NT server over a special TCP control channel. Either end might initiate a PPTP session and open the TCP control channel. Note that opening a PPTP session does not mean that a call is active; it simply means that a call can be placed and received.

Management features

The terminal-server command line provides access to management features that are not available through the menus. The VT100 window does, however, provide status information. The MAX supports SNMP, remote management, serial port software upgrades, and Call Detail Reporting (CDR).

The MAX provides up to nine security levels to control the management and configuration functions that are accessible to users. For detailed information about security profiles, see the Security Supplement for your MAX. For more information on management features, see the Administration Guide for your MAX.

Using the terminal-server command line

To invoke the terminal server command-line interface, you must have administrative privileges. Once you have activated a Security profile that enables these privileges, you can invoke the command line by selecting Term Serv in the Sys Diag menu. To close the command line, use the Quit command at the command-line prompt. The command-line interface closes and the cursor returns to the VT100 menus. For detailed information on the terminal-server, see Chapter 3, Configuring WAN Links.

Using status windows to track WAN or Ethernet activity

The VT100 interface displays eight status windows to the right of the configuration menus. The windows provide a great deal of read-only information about what is currently happening in the MAX. If you want to focus on the activity of a particular slot card, you can change the default contents of the windows to show what is currently occurring in that slot.

Managing the MAX using SNMP

Many sites use Simple Network Management Protocol (SNMP) applications to obtain information about the MAX and make use of it to enhance security, set alarms for certain conditions, and perform simple configuration tasks.

The MAX supports the Ascend Enterprise MIB, MIB II, and some ancillary SNMP features. The MAX can send management information to an SNMP manager without being polled. SNMP security uses a community name sent with each request. The MAX supports two community names, one with read-only access, and the other with read/write access to the MIB.

Using remote management to configure far-end Ascend units

When you have an MP+ connection to another Ascend unit, you can use the management subchannel established by those protocols to control, configure, and obtain statistical and diagnostic information about that Ascend unit. Multi-level password security ensures that unauthorized personnel do not have access to remote management functions.

Flash RAM and software updates

Flash RAM technology enables you to perform software upgrades in the field without opening the unit or changing memory chips. You can upgrade the MAX through its serial port by accessing it either locally or through a dial-in modem. You cannot perform remote software upgrades over the WAN interface because of a conflict between running the WAN and reprogramming the software.

Call Detail Reporting (CDR)

Call Detail Reporting (CDR) is a feature that provides a database of information about each call, including date, time, duration, called number, calling number, call direction, service type, associated inverse multiplexing session, and port. Because the network carrier bills for bandwidth on an as-used basis, and bills each connection in an inverse multiplexed call separately, you can use the CDR feature to understand and manage bandwidth usage and the cost of each inverse multiplexed session.

You can arrange the information to create a wide variety of reports that can be based on individual call costs, inverse multiplexed WAN session costs, costs on an application-by-application basis, bandwidth usage patterns over specified time periods, and so on. With the resulting better understanding of your bandwidth usage patterns, you can make any necessary adjustments to the ratio of switched to nailed bandwidth between network sites.

MAX profiles

A profile is a group of related settings that appear on the VT100 interface. To navigate the interface, use the arrow keys or Control-key combinations as described in the Hardware Installation Guide for your MAX. When you first telnet to the VT100 interface, the Main Edit Menu typically appears:

Main Edit Menu
>00-000 System
10-000 PC CARD Modem
20-000 PC CARD BRI
30-000 Empty
40-000 PC CARD BRI
50-000 Empty
60-000 PC CARD Modem
70-000 PC CARD Modem
80-000 Empty
90-000 Ethernet

The items in the Main Edit Menu open submenus, many of which have sub-menus. The 10-100 PC CARD Modem item, for example, represents the PCMCIA modem installed in slot 1 on the MAX. By selecting 10-100 PC CARD Modem, you open a submenu from which you can select modem configuration:

10-100 PC CARD Modem
>10-100 Mod Config

The Mod Config menu provides access to the parameters for configuring the modem installed in slot 1 on the MAX. For example, the following set of parameters appears:

10-100 Mod Config
>Name=USRobotics
Product=PCMCIA 28800 Data/F+
Speaker=On
Strings=Default
Init=N/A
Speaker=Off=N/A
Hangup=N/A
Dial=N/A
Dialout Init=N/A
Baud Rate=N/A

In this manual, an instruction to access a parameter in a modem profile is written as follows:

PC CARD Modem > Mod Config > parameter name

Obtaining privileges to use the menus

As explained in the Hardware Installation Guide for your MAX, privileges are often required for changing settings in the MAX menus. To activate a profile, for example, you need full privileges. Unless you have a personal profile that grants full privileges, activate the Full Access profile, as follows:

  1. At the Main Edit Menu, press Ctrl-D.

    The Main Edit Menu's DO menu appears.

  2. Select P (Password).

  3. Press Enter or the Right-Arrow key.

    The Security Profile menu appears.

  4. Select Full Access.

  5. Press Enter or the Right-Arrow key.

    A password entry field appears.

  6. Enter your password within the brackets.

  7. Press Enter or the Right-Arrow key.

    If your password is accepted, you have Full Access privileges.

  8. Press Enter.

    The Main Edit Menu reappears.

Activating a profile

After you have full privileges as described in the previous procedure, you can now make a profile active. Proceed as follows:

  1. Open the profile that you want to make current.

  2. Press Ctrl-D.

    The profile's DO menu appears.

  3. Select L (Load).

    The Load Profile menu appears.

  4. Select 1 to load the profile.

    The message "Profile loaded as current profile" appears.

    The profile reappears.

Where to go next

When you have planned your network, you are ready to configure the MAX. The flexibility of the MAX and its ever-increasing number of configurations means there is no set order for configuration. You can perform configuration tasks in any order you want. Table 1-1 shows where to look for the information you need.

Table 1-1. Where to go next

To do this: Go to this chapter or document

Configure slots, lines, and ports: Chapter 2, Configuring the MAX for WAN Access

Configure WAN connections: Chapter 3, Configuring WAN Links

Set up packet bridging: Chapter 6, Configuring Packet Bridging

Set up IPX routing: Chapter 7, Configuring IPX Routing

Set up IP routing: Chapter 8, Configuring IP Routing

Set up virtual private networks: Chapter 9, Setting Up Virtual Private Networks

Work with status windows: MAX Reference Guide

Write configuration scripts: MAX 800 Series Administration Guide

Set up security: MAX Security Supplement

Set up RADIUS: MAX RADIUS Configuration Guide




techpubs@ascend.com

Copyright © 1998, Ascend Communications, Inc. All rights reserved.