HP MSR Router Series. Terminal Access Configuration Guide(V5) Part number: Software version: CMW520-R2509 Document version: 6PW

Transcription

1 HP MSR Router Series Terminal Access Configuration Guide(V5) Part number: Software version: CMW520-R2509 Document version: 6PW

2 Legal and notice information Copyright 2013 Hewlett-Packard Development Company, L.P. No part of this documentation may be reproduced or transmitted in any form or by any means without prior written consent of Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. HEWLETT-PACKARD COMPANY MAKES NO WARRANTY OF ANY KIND WITH REGARD TO THIS MATERIAL, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. Hewlett-Packard shall not be liable for errors contained herein or for incidental or consequential damages in connection with the furnishing, performance, or use of this material. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.

3 Contents Configuring terminal access 1 Overview 1 Terminal access types 1 Typical applications of terminal access 3 Terminal access feature list 4 Terminal access features 5 Terminal access specifications 11 Terminal access configuration task list 12 Configuring TTY terminal access 13 Configuring the TTY initiator 13 Configuring the TTY receiver 17 TTY terminal access configuration example 17 Configuring Telnet terminal access 19 Configuring the Telnet initiator 19 Configuring the Telnet receiver 23 Telnet terminal access configuration example 23 Configuring ETelnet terminal access 25 Configuring the ETelnet initiator 25 Configuring the ETelnet receiver 28 ETelnet terminal access configuration example 29 Configuring SSH terminal access 30 Configuring the SSH initiator 30 Configuring the SSH receiver 34 SSH terminal access configuration example 34 Configuring RTC terminal access 35 Configuring the asynchronous TCP RTC one-to-one initiator (TCP_11_Client) 35 Configuring the asynchronous TCP RTC one-to-one receiver (TCP_11_Server) 39 Configuring the TCP RTC many-to-one relay server (TCP_n1_Server) 42 Configuring the synchronous UDP RTC one-to-one initiator (UDP_11_Client) 43 Configuring the synchronous UDP RTC one-to-one receiver (UDP_11_Server) 44 Configuring the synchronous UDP RTC one-to-many receiver (UDP_1n_Server) 45 Asynchronous TCP RTC one-to-one configuration example 45 Asynchronous RTC VPNs configuration example 47 TCP RTC many-to-one relay configuration example 48 UDP RTC one-to-one configuration example 49 UDP RTC one-to-many configuration example 50 Displaying and maintaining terminal access configuration 51 Installing and configuring an FEP 52 Installing and configuring SCO OpenServer server 52 Installing device drivers 52 Configuration prerequisites 54 Editing the ttyd configuration file 55 Modifying the ccbtelnetd configuration file 57 Modifying route configuration file 57 Running and terminating ttyd on Unix server 58 Installing and using ttyd administration program ttyadm 59 Installing and configuring SCO UnixWare server 66 Installing device drivers 66 i

4 Configuration prerequisites 66 Modifying system configuration file ttydefs 67 Editing ttyd configuration file 67 Modifying route configuration file 68 Running and terminating ttyd on Unix server 68 Installing and using ttyd administration program ttyadm 68 Installing and configuring SUN OS server 68 Installing device drivers 68 Configuration prerequisites 68 Editing the ttyd configuration file 69 Modifying route configuration file 69 Running and terminating ttyd on the Unix server 69 Installing and using ttyd administration program ttyadm 69 Installing and configuring IBM AIX server 69 Installing device drivers 70 Configuration prerequisites 70 Editing the ttyd configuration file 70 Modifying route configuration file 70 Running and terminating ttyd on the Unix server 71 Installing and using ttyd administration program ttyadm 71 Installing and configuring HP-UX server 71 Installing device drivers 71 Configuration prerequisites 71 Editing ttyd configuration file 72 Modifying route configuration file 72 Running and terminating ttyd on Unix server 72 Installing and using ttyd administration program ttyadm 73 Installing and configuring redhat Linux server 73 Installing device drivers 73 Configuration prerequisites 73 Editing the ttyd configuration file 74 Modifying route configuration file 74 Running and terminating ttyd on Unix server 74 Installing and using ttyd administration program ttyadm 74 Troubleshooting terminal access 75 Prompts on terminals 75 Terminal access troubleshooting 76 Terminal access FAQs 82 Configuring IP terminal access 86 Overview 86 IP terminal access features 86 IP terminal access specifications 89 IP terminal access configuration task list 90 Configuring the initiator 92 Enabling IP terminal access 92 Creating an IP terminal access service 92 Creating an IP terminal 92 Specifying a terminal access type 92 Configuring receiver parameters 93 Configuring terminal address binding 93 Configuring server connection authentication 94 Setting the terminal timeout lock timer 94 Specifying terminal lock hotkeys 94 ii

5 Setting the terminal timeout disconnection timer 94 Configuring manual link disconnection 94 Enabling encryption 95 Configuring source address binding 95 Configure VPN binding 95 Configuring AAA authentication 96 Configuring the processing approach for special characters 97 Configuring link detection 97 Configuring TCP buffers 98 Enabling Telnet parameters negotiation 98 Enabling filtering of flow control characters 98 Enabling screen saving 99 Setting the terminal screen display size 99 Configuring the terminal type 99 Configuring the receiver 100 Displaying and maintaining IP terminal access 100 IP terminal access configuration example 100 Support and other resources 104 Contacting HP 104 Subscription service 104 Related information 104 Documents 104 Websites 104 Conventions 105 Index 107 iii

6 Configuring terminal access NOTE: The HP MSR 900 and MSR 93X (except the JG514A, JG515A and JG531A) routers do not support interface modules and thus cannot provide terminal access through an asynchronous serial port module. Overview Terminal access enables a terminal to use an asynchronous interface to access a front-end processor (FEP) or another terminal through a router. The following types of network devices are used in terminal access: Terminal A character device that is generally connected to another device through a serial interface cable. A user inputs characters by using the terminal keyboard. Then the characters are transferred to another device through the serial interface cable. After processing the characters, the device returns the result to the terminal, which displays the result on its screen. Initiator Sends a connection request and serves as the client of the connection. Generally, a router is used as an initiator Receiver Responds to a connection request and serves as the server of the connection. A receiver can be an FEP or a router. An FEP is a system installed with an application program for banking, postal service, taxation, customs, civil aviation, and so on. A FEP can be a Unix server or a Linux server. Relay server Provides similar functions as a receiver, except that the relay server is not directly connected to terminals. Instead, the relay server is connected to multiple initiators simultaneously and manages them in different forwarding groups according to the listening port number. Data received from an initiator is forwarded to other initiators in the same group. After a connection is established, the router, functioning as either the terminal access initiator or receiver, can transparently transmit the data from the terminal to the peer over the connection. Transparent means that no manual or extra operation is required. Connections between an initiator and a receiver can use either TCP or UDP. Terminal access types The following types of terminal access are used in different applications: True type terminal (TTY) access Telnet terminal access Enhanced Telnet (ETelnet) terminal access Secure Shell (SSH) terminal access Remote terminal connection (RTC) access TTY terminal access, Telnet terminal access, ETelnet terminal access, and SSH terminal access are used to help implement services between a terminal and an FEP, with a router as the initiator and the FEP as the receiver. The difference between them is their method of data encryption and their way of 1

7 establishing a connection between the initiator and the receiver. Each terminal supports up to eight virtual type terminals (VTYs) using these access types, and supports switchover between the VTYs. RTC terminal access is used to monitor terminal data. It is initiated by a router and received by another router. Only RTC terminal access supports UDP connections with synchronous terminals. Support for features depends on the terminal access type. For more information, see "Terminal access feature list" and "Terminal access features." TTY terminal access The initiator and receiver of TTY terminal access are a router and an FEP respectively. The service terminal is connected to the router through an asynchronous serial interface. The router is connected to the FEP through a network. Application services run on the FEP. The FEP interacts with the router through the ttyd program, and the router pushes the service display to the service terminal. The router transports data transparently between the connected service terminal and FEP to implement service interaction and processing. The initiator and receiver programs of TTY terminal access are developed by HP. TTY terminal access implements the fixed terminal number function and offers many enhanced functions such as dynamic multi-service switching, real-time screen saving, terminal reset, and data encryption. The FEP provides professional terminal management software. The combination of TTY terminal access and routers makes remote offices possible and implementation of IP telephony easier, offering a solution for establishing highly efficient networks with diverse functions. Telnet terminal access The initiator and receiver of Telnet terminal access are a router and an FEP respectively. A service terminal is connected to the router (Telnet client) through an asynchronous serial interface. The router is connected to the FEP (Telnet server) through a network. Application services run on the FEP. The FEP interacts with the router through standard Telnet, thereby implementing data exchange between the terminal and the FEP. ETelnet terminal access The initiator and receiver of ETelnet terminal access are a router and an FEP respectively. A service terminal is connected to the router (ETelnet client) through an asynchronous serial interface. The router is connected to the FEP (ETelnet server) through a network. Application services run on the FEP. The FEP interacts with the router through an encrypted Telnet connection to further exchange data with the terminal. In addition to the functions supported by Telnet terminal access, ETelnet terminal access implements data encryption and terminal number binding to improve security. SSH terminal access The initiator and receiver of SSH terminal access are a router and an FEP respectively. A service terminal is connected to the router (secure shell) through an asynchronous serial interface. The router is connected to the FEP (SSH server) through a network. Application services run on the FEP. The FEP interacts with the router through standard SSH. RTC terminal access The initiator and receiver of RTC terminal access are both routers. RTC terminal access is another typical application of terminal access. It interconnects a local terminal and a remote terminal through routers for data exchange and data monitoring. RTC terminal access supports synchronous mode and asynchronous mode. 2

8 The monitoring terminal at the data center and the monitored terminal are each connected to a different router through a serial interface, and the routers exchange data with each other through an IP network. Normally, the router connected to the monitoring device acts as the terminal access initiator (the RTC client). The monitoring device is always ready to initiate a connection request at any time to access the data on the monitored device. The router connected to the monitored terminal acts as the terminal access receiver (the RTC server) and is always ready to receive the connection requests from the monitoring device and send monitored data in response. RTC terminal access also supports TCP-based many-to-one transparent data transmission and UDP-based one-to-many transparent data transmission. RTC terminal access serves the following purposes: Enabling the monitoring device to manage and monitor remote terminals. Sharing data among multiple terminals such as radar devices. Collecting data from remote terminals. Fulfilling the functions of a multiplexing device and transmitting data over IP networks for easy network upgrade. Typical applications of terminal access Terminal access is widely used in networks where large numbers of FEPs are deployed, such as banking, postal service, taxation, customs, and civil aviation. This document uses a banking system as an example to describe terminal access functions, configuration, and applications. Figure 1 shows a typical terminal access application. Figure 1 Typical terminal access application As shown in Figure 1, the arrowhead of the dotted line indicates the direction of an established TCP connection, from the initiator to the receiver. The purple dotted line represents TTY/Telnet/ETelnet/SSH terminal access. The bank outlet is connected to the FEP of the branch through Router A, which is capable of terminal access, over an IP network. Banking services run on the FEP, and the information entered by an employee at the bank outlet is sent to the FEP through Router A. The FEP then sends the corresponding service display to the service terminal though Router A, thereby implementing data exchange between the outlet and the branch. 3

9 The orange dotted line represents RTC terminal access. Router B acts as an RTC client and Router A as the RTC server. Router B initiates monitoring requests and Router A, upon receiving a monitoring request, sends the data from the monitored terminal to the monitoring device through Router B, to implement terminal monitoring. Terminal access feature list The following table lists the features of terminal access. "All" in this table means that the feature is supported by all the terminal access types, including TTY, Telnet, ETelnet, SSH, and RTC, which is further classified into TCP_11_Client (RTC TCP one-to-one client), TCP_11_Server (RTC TCP one-to-one server), TCP_N1_Server (relay server), UDP_11_Client (RTC UDP one-to-one client), UDP_11_Server (RTC UDP one-to-one server), and UDP_1N_Server (RTC UDP one-to-many server). Feature Supported by Description Source address binding TTY, Telnet, TCP_11_Client, ETelnet, SSH N/A Terminal menu TTY, Telnet, ETelnet, SSH N/A Pressing any key to return TTY, Telnet, ETelnet, SSH N/A Fast VTY service switching TTY, Telnet, TCP_11_Client, ETelnet, SSH N/A VTY redrawing TTY, Telnet, SSH, ETelnet N/A Idle connection timeout TTY, Telnet, TCP_11_Client, TCP_11_Server, ETelnet, SSH N/A Terminal number fixing TTY N/A Data encryption TTY, ETelnet, SSH N/A Automatic link establishment Automatic link teardown TTY, Telnet, TCP_11_Client, ETelnet, SSH TTY, Telnet, TCP_11_Client, TCP_11_Server, ETelnet, SSH N/A N/A TTY one-to-one access TTY N/A Terminal display language configuration All N/A Screen saving Telnet, ETelnet, SSH N/A Terminal screen display size Telnet, ETelnet, SSH N/A Read blocking Terminal reset Connectivity test Data send delay TTY, Telnet, TCP_11_Client, TCP_11_Server, ETelnet, SSH TTY, Telnet, TCP_11_Client, ETelnet, SSH TTY, Telnet, ETelnet, SSH TTY, Telnet, TCP_11_Client, TCP_11_Server, ETelnet, SSH N/A N/A For Telnet terminal access, only the connectivity test between the terminal and the router is supported. N/A 4

10 Feature Supported by Description TCP buffer parameter configuration Terminal buffer parameter configuration Threshold for VTY switching failure times TTY, Telnet, TCP_11_Client, TCP_11_Server, TCP_N1_Server, ETelnet, SSH TTY, Telnet, TCP_11_Client, TCP_11_Server, TCP_N1_Server, ETelnet, SSH TCP_11_Client N/A N/A N/A Receiver VTY switching rules TCP_11_Server N/A RTC terminal authentication TCP_11_Client, TCP_11_Server N/A Terminal access TTY, Telnet, TCP_11_Client, TCP_11_Server, UDP_11_Client, UDP_11_Server, ETelnet, SSH N/A Server connection authentication TTY N/A TCP RTC many-to-one transparent transmission UDP RTC one-to-one transparent transmission TCP_11_Client, TCP_N1_Server UDP_11_Client, UDP_11_Server N/A N/A Filtering of flow control characters TTY, Telnet, ETelnet, SSH N/A TCP_NODELAY TCP_11_Server, TCP_N1_Server N/A Statistics support All For more information, see "Displaying and maintaining terminal access configuration." Terminal access features Figure 2 shows a typical terminal access implementation. 5

11 Figure 2 Terminal access network Source address binding Terminal menu The principle of source IP address binding is to configure an IP address on a stable interface (the loopback interface or dialer interface is recommended) and use this address as the source IP address of the upstream TCP connection from the router through IP unnumbered configuration. If an FEP runs, the IP address of the router connected to the FEP needs to be authenticated. Therefore, when the dial-up backup function is used in a wide area network (WAN), if the primary link fails, the router begins to use the backup interface. In that case, the IP address of the router is changed, and the authentication fails if source IP address binding is not implemented. To avoid such failures, configure source IP address binding on the router to use a fixed IP address to establish a TCP connection with the FEP. For security or some other reason, you may need to hide the actual IP address used in the upstream TCP connection on the router, and use another IP address. In that case, you must also configure source IP address binding. Make sure the FEP and the router s IP address are reachable to each other. The terminal menu allows you to bring up the menu interface by pressing the menu hotkey at the terminal. The menu interface displays the services provided by each VTY on the terminal. By entering a service option, you can switch to the corresponding service display. The menu interface displays: TTY ACCESS SYSTEM VERSION SELECT VTY(0): chuxu 2. SELECT VTY(1): duigong 0. QUIT 6

12 Pressing any key to return INPUT YOUR CHOICE: When the following events happen, this feature enables the terminal to display an error message, and you can press any key to return to the menu interface: An invalid menu option is entered. The FEP providing the service you select is unreachable. A connection is terminated. Fast VTY service switching VTY redrawing The characteristics of banking services require each bank branch to provide services such as deposit and corporate services. However, a terminal at an outlet can process only one type of service. To solve this problem, the terminal access feature of the router implements the VTY switching function, enabling a terminal to process multiple services at the same time and to dynamically switch between the services. In terminal access, each terminal is logically divided into eight virtual type terminals (VTYs), each of which can be configured to correspond to a service (also known as an application). The operator can press the VTY switching menu hotkey to bring up the VTY switching menu and select a VTY to dynamically switch between different services. In addition, the VTY switching feature provides the screen saving function. When an operator switches from service 1 to service 2, the operating interface of service 1 is automatically saved. When the operator switches from service 2 back to service 1, the original operating interface is automatically restored. If the original operating interface is lost due to a fault, the operator can use the terminal redrawing function to recover it. You can set the VTY redrawing hotkey on the router. When a terminal does not display the normal terminal interface for some reasons (for example, illegible characters appear after the terminal is turned off and then turned on), pressing the terminal redrawing hotkey can restore the normal terminal interface. Idle connection timeout If the idle connection timeout function is enabled and no data is transmitted between the initiator and receiver within the idle connection timeout period, the initiator and receiver are automatically disconnected from each other. Terminal number fixing Data encryption As shown in Figure 2, the terminal access program running on the router connected to the terminal enables the terminals to access the FEPs. The terminals are connected to the router through asynchronous serial interfaces. The router numbers all the terminals. On the other side, the router connects to multiple FEPs over the network. Each FEP runs multiple applications. Terminal access universally numbers all the applications, regardless of whether these applications are running on the same FEP or on multiple FEPs. With the numbering of the terminals and the applications and the special processing through the router, the mappings between terminals and banking services are established to implement fixed terminal numbering. Due to the extensive use of terminal access in banking systems, the requirements of data security become higher and higher. The terminal access data encryption function can be used to encrypt the data transmitted between the router and FEPs to improve data security. 7

13 As shown in Figure 3, data is transmitted in ciphertext between Router A and the FEP. Router A and the FEP that runs the program ttyd/ccbtelnetd/sshd are responsible for data encryption and decryption. At present, the supported encryption algorithms are as follows: Advanced encryption standard (AES) encryption is supported by TTY terminal access. AES and RC4 encryption are supported by ETelnet terminal access. RSA and DSA encryption are supported by SSH terminal access. Figure 3 Data encryption procedure between router and FEP Automatic link establishment You can enable this function and configure the automatic link establishment time in terminal template view. When the terminal is in the "OK" state (meaning the physical connection is normal), the initiator automatically establishes a TCP connection to the receiver after the specified period. If the automatic link establishment function is disabled on the terminal, you must manually establish a link. In this mode, the initiator establishes a TCP connection to the receiver only when the operator enters a character on the terminal. Automatic link teardown You can enable the function and configure the automatic teardown time for the terminal in terminal template view. When the terminal device and the initiator are disconnected from each other, the terminal enters the "down" state. After a specified period of time, the initiator automatically tears down the TCP connection to the receiver. The TCP connection always remains active if the automatic link teardown function is disabled. TTY one-to-one access In TTY one-to-one access, each terminal communicates with the FEP (TTY) through a TCP connection to achieve optimum communication quality and highest communication speed under various link states. You can use this mode to achieve high communication speed on low-speed links by adjusting parameters. This mode can also meet the need for frequent and massive printing. Terminal display language configuration Screen saving The initiator generally sends some unsolicited information, such as menus and link establishment information, to the terminal. To meet different language needs, the prompt information can be displayed in either English or Chinese (the default). Screen saving is implemented in the following ways: A terminal can display the saved screen contents after receiving specific control characters from a router. 8

14 A FEP can send the saved screen contents to a terminal when the screen is switched or redrawn on the terminal. A router can send the saved screen contents to the terminal upon receiving control characters for switching or redrawing the screen from a terminal. The screen saving function of a terminal, FEP, or router varies. The screen saving function of a router supports Telnet, ETelnet, and SSH. With this function enabled, a router sends the saved screen contents to a terminal at startup, or when you select an item of the menu, switch between VTYs, or press the terminal redrawing hotkey. Only TTY supports screen saving. Some types of terminals provide the screen saving function, enabling the terminals to switch to the corresponding screen upon receiving the specified screen code, such as \E!10Q. When you perform VTY service fast switching, the router sends a screen code to the terminal, which switches to the corresponding operation interface after saving the current operation interface. To save the screens of multiple VTYs, you must set different screen codes for these VTYs and make sure the number of screen codes supported by the terminal is greater than the number of configured VTYs. Note that this function needs terminal support. In addition, the screen codes that can be identified vary with terminal types and the number of supported screen codes may also be different. Terminal screen display size Read blocking Terminal reset Connectivity test Data send delay The terminal screen display size determines the maximum lines and columns of characters that the screen can display. By default, a terminal screen can display up to 24 lines (screen height) and up to 80 characters in each line (columns or screen width). You can set the terminal screen display size to meet different service requirements. Terminal data read blocking means that, if the router has not sent data received from the terminal successfully, the router stops receiving data from the terminal until all the data is successfully sent. Generally, enable this function only when the transmission rate between the router and the FEP is less than that between the router and the terminal. In case the terminal fails to communicate with the receiver, you can press the terminal reset hotkey on the terminal to cause the initiating router to disconnect and then re-establish the TCP connection with the receiver. You can configure the terminal test hotkey on the router. By pressing the test hotkey on the terminal, you can test the connectivity between the terminal and the router and the TCP connectivity between the terminal and the FEP. When data send delay is configured on the router, upon receiving data from the terminal, the router does not send the data to the FEP until the specified period elapses. This allows the information collected within the specified period to be sent together, which increases bandwidth utilization. TCP buffer parameter configuration Terminal access allows you to perform two types of buffer parameter configuration operations: TCP buffer and terminal buffer. TCP buffer is used to store the data exchanged between the sender and receiver. Terminal buffer is used to store the data exchanged between the sender and the terminal. 9

15 You can set some parameters of TCP connection, including the receive buffer size, send buffer size, non-delay attribute, keepalive interval and transmission times. Terminal buffer parameter configuration You can set parameters for the terminal buffer, including whether to clear the buffer before receiving data, receive buffer size, send buffer threshold, and the maximum size of data to be sent to the terminal at one time. Threshold for VTY switching failure times When an RTC client needs to initiate a connection to an RTC server, it first initiates a connection to the RTC server that corresponds to the VTY with the lowest number. If the number of connection failures exceeds the threshold, the RTC client initiates a connection to the RTC server that corresponds to the VTY with the second lowest number. Receiver VTY switching rules If the RTC server is configured to switch between VTYs based on priority (the lower the VTY number, the higher the priority) and the VTY number corresponding to a new connection request is less than the VTY number corresponding to the existing connection, the RTC server tears down the existing connection and begins to use the new connection for communication. If the RTC server is not configured to perform VTY switching based on priority and a connection is already established, the RTC server will ignore any new connection request. RTC terminal authentication The RTC server can perform password authentication on RTC clients to enhance security. Authentication succeeds only when the passwords configured on the RTC server and the RTC client match. Terminal access VPNs Terminal access supports VPNs. That is, some of the terminals connected to the router can be grouped in one VPN domain and some other in another VPN domain. This allows a terminal to access the FEP or remote router that is in the same VPN domain as the terminal. Server connection authentication In practice, some users need to use the FEP to perform necessary authentication on the connected router to enhance data security. Two authentication modes are supported: character string-based authentication and MAC-based authentication. In character string-based authentication, which is similar to password authentication, the same authentication character string is configured on the FEP and the router. To establish a connection with the FEP, the router sends the authentication character string to the FEP, and the FEP checks whether the authentication strings match. If yes, the authentication succeeds. If not, the authentication fails and the connection attempt fails. The difference between MAC-based authentication and character string-based authentication is that the MAC addresses configured on the FEP and the router are the same. This MAC address is the MAC address of an interface on the router (You can specify the MAC address with a command). TCP RTC many-to-one transparent transmission Some terminal devices, such as radars, need to share data between each other. RTC terminal access provides many-to-one relay forwarding based on TCP. Routers connecting these terminals are connected to one relay server, which copies and forwards data between routers. 10

16 UDP RTC one-to-one transparent transmission This mode is mainly applied to voice transmission. TCP RTC transparent transmission has a certain forwarding delay, and is not suitable for voice communications. Because the voice service does not require high reliability, voice data can be transmitted through UDP. This mode provides one-to-one transmission in synchronous mode, but does not support asynchronous mode. Filtering of flow control characters TCP_NODELAY Access devices send flow control character strings received from terminals to the FEP. If the FEP receives a packet that contains both the flow control characters 0x13 to enable flow control, and 0x11 to disable flow control, the FEP enables flow control but does not disable it. As a result, the FEP stops sending data to the corresponding terminal, and the display pauses until you disable flow control by pressing the shortcut key. To prevent this issue, configure the device to filter flow control characters out of the data received from terminals and to perform flow control by itself. In TCP RTC many-to-one or TCP one-to-one transparent transmission mode, the RTC server complies with RFC 896 to use the Nagle algorithm to prevent network congestions caused by a large number of TCP packets. However, this algorithm also causes time delay during TCP packet transmission for application programs, especially for interactive ones. The RTC server allows you to disable the Nagle algorithm by setting the TCP_NODELAY option. Terminal access specifications Terminal access initiator specifications Number Item Description 1 Maximum number of TTYs 255. This number is subject to the number of router interfaces available for terminal access. For TTY terminal access, this number is also subject to the number of FEPs that can be configured. 2 Maximum number of APPs Maximum number of VTYs supported by each TTY Types of interfaces supported by terminal access 8. Asynchronous serial interface on interface modules such as 8AS, 16AS, 8ASE, and 16ASE. 5 Terminal emulation type VT100 and VT Terminal baud rate Ranges from 300 bps to bps. 7 8 Access types supporting asynchronous terminals Access types supporting synchronous terminals TTY, Telnet, ETelnet, SSH, TCP_11_Client, TCP_11_Server, TCP_N1_Server. UDP_11_Client, UDP_11_Server, UDP_1N_Server, TCP_N1_Server. Terminal access receiving router specifications 11

17 Number Item Description 1 Maximum number of TTYs 255. This number is subject to the number of router interfaces available for terminal access. 2 Maximum number of APPs Maximum number of VTYs supported by each TTY Maximum number of peer terminals supported by UDP_1N_Server Terminal access receiving FEP specifications Number Item Description Maximum number of VTYs supported by a Unix FEP Maximum number of VTYs supported by a Linux FEP Maximum number of VTYs supported by an AIX FEP Supported Unix/Linux versions SCO OpenServer to SCO UnixWare 7.1 (only for the one-to-one mode) Sun OS 5.7 IBM AIX HP UX 10.20, 11.0 Red Hat Linux 9.0 Turbo Linux Redflag Linux Redhat Relay server specifications Number Item Description 1 Maximum number of forwarding groups supported by a TCP_N1_Server 64 2 Maximum number of TCP_11_Clients supported by each forwarding group of a TCP_N1_Server 10 Terminal access configuration task list Configure the initiator and the receiver as required. RTC terminal access is initiated and received by routers. TTY terminal access, Telnet terminal access, ETelnet terminal access, and SSH terminal access are initiated by a router and received by a FEP. Functionally, the configuration commands fall into these types: Basic configuration commands Used for normal operation of terminal access. 12

18 Advanced configuration commands Used for implementing the extended functions of terminal access. Display and maintenance commands Used for displaying and debugging terminal access. The configuration commands can be classified into the commands available in user view, system view, template view, and interface view. Most important configurations of the terminal access system are performed in templates. You can save a series of router parameter configurations into a template. When applying a template to an interface (an asynchronous interface, for example), the system creates a TTY according to the contents of the template and the specified terminal number, and sets up VTYs on the basis of the configuration information in the template. If you modify a template that has been applied to an interface, use the update changed-config command to update the configuration. For convenience, you can configure multiple templates at the same time and apply the templates on different interfaces. Note that only one template can be applied on each interface. Complete the following tasks to configure terminal access: Task Configuring TTY terminal access Configuring Telnet terminal access Configuring ETelnet terminal access Configuring SSH terminal access Configuring RTC terminal access Configuring the TTY initiator Configuring the TTY receiver Configuring the Telnet initiator Configuring the Telnet receiver Configuring the ETelnet initiator Configuring the ETelnet receiver Configuring the SSH initiator Configuring the SSH receiver Configuring the asynchronous TCP RTC one-to-one initiator (TCP_11_Client) Configuring the asynchronous TCP RTC one-to-one receiver (TCP_11_Server) Configuring the TCP RTC many-to-one relay server (TCP_n1_Server) Configuring the synchronous UDP RTC one-to-one initiator (UDP_11_Client) Configuring the synchronous UDP RTC one-to-one receiver (UDP_11_Server) Configuring the synchronous UDP RTC one-to-many receiver (UDP_1n_Server) Remarks Configuring TTY terminal access Configuring the TTY initiator Basic TTY initiator configuration 13

19 Step Command Remarks 1. Enter system view. system-view N/A 2. Enable terminal access on the router. 3. Create a terminal template and enter terminal template view. 4. Configure a TTY VTY. rta server enable rta template template-name vty vty-number tty remote ip-address port-number [ source source-ip ] Disabled by default. N/A After this configuration, Telnet VTYs can be configured in this template, but RTC client VTYs or RTC server VTYs cannot. 5. Exit terminal template view. quit N/A 6. Enter interface view. 7. Configure the asynchronous serial interface to operate in flow mode. 8. Apply the template to the interface. interface interface-type interface-number async mode flow rta terminal template-name terminal-number [ backup ] N/A By default, an asynchronous serial interface operates in the protocol mode and an AUX interface the flow mode. For more information about the async mode flow command, see the async mode command in Interface Command Reference. After you apply the template to the interface, you must set the flow control mode of the user interface corresponding to the interface to software flow control. To view associations between interfaces and user interfaces, use the display user-interface command. 9. Exit interface view. quit N/A 10. Enter TTY user interface view. 11. Enable software flow control of the data on the current user interface. user-interface { first-num1 [ last-num1 ] tty first-num2 [ last-num2 ] } flow-control software For more information about the user-interface command, see Fundamentals Command Reference. By default, the flow control mode is none. That is, no flow control is implemented. For more information about the flow-control software command, see the flow-control command in Fundamentals Command Reference. Advanced TTY initiator configuration When you configure advanced TTY initiator settings, follow these guidelines: If both the global source IP address and the source IP address for a VTY are configured, the source IP address for the VTY is used. 14

20 Configure TCP parameters before establishing a TCP connection. If you configure the parameters after a TCP connection is established, the TCP connection must be re-established for the parameters to take effect. You can press the reset hotkey on the terminal to re-establish the TCP connection. Configure the receive buffer size before applying the terminal template. If you configure the receive buffer size after a terminal template is applied, remove the application of the terminal template and apply the terminal template again for the receive buffer size to take effect. The ASCII value of the hotkey must be different from the ASCII value of any other hotkey configured on the device. Otherwise, hotkey conflicts will occur. For example, the hotkey value cannot be 17 or 19 because these two values are used for flow control. In addition, using the hotkey may not get a fast response when the terminal display is busy. With the idle timeout time configured, if no data is transmitted over the terminal access connection within the specified period of time, the connection is automatically torn down. To configure advanced TTY initiator settings: Step Command Remarks 1. Enter system view. system-view N/A 2. Configure the global source IP address of TCP connections. 3. Bind the MAC address of the interface for service connection authentication. 4. Bind the character string for service connection authentication. 5. Enable pressing any key to return. 6. Enter terminal template view. 7. Configure the automatic link teardown time. 8. Configure the automatic link establishment time. rta source-ip ip-address rta bind mac-address interface interface-type interface-number rta bind string string rta vty-style smart rta template template-name auto-close time auto-link time Not configured by default. Not configured by default. Not configured by default. Disabled by default. N/A 0 seconds by default. That is, no automatic link teardown is performed. 0 seconds by default. That is, no automatic link establishment is performed. 9. Bind a VPN instance. bind vpn-instance vpn-name 10. Enable data encryption. data protect router-unix Not configured by default. By default, data encryption is disabled between the router and the FEP. 11. Enable terminal data read blocking. 12. Configure the terminal data send delay. data read block data send delay milliseconds Disabled by default. 0 milliseconds by default. That is, there is no send delay. 15

21 Step Command Remarks 13. Configure the router to not clear the terminal receive buffer after the TCP connection is established. 14. Configure the terminal receive buffer size. 15. Enable filtering of flow control characters. 16. Configure the TCP connection idle timeout time. driverbuf save driverbuf size size filter flow-control character idle-timeout seconds By default, the router clears the terminal receive buffer after the TCP connection is established. 8 KB by default. Disabled by default. By default, the connection never times out. 17. Configure the menu hotkey. menu hotkey ascii-code&<1-3> Not configured by default. Use the print menu command before using this command. 18. Configure a screen code for the menu screen. 19. Configure the print language. 20. Enable the router to print information on the terminal. 21. Enable printing of terminal connection information on the terminal. 22. Enable printing of menu information on the terminal. 23. Configure the VTY redrawing hotkey. 24. Configure the terminal reset hotkey. 25. Configure the maximum size of data to be sent to a terminal at one time. 26. Configure the terminal send buffer threshold. menu screencode string print language { chinese english } print information print connection-info print menu redrawkey ascii-code&<1-3> resetkey ascii-code&<1-3> sendbuf bufsize size sendbuf threshold value Not configured by default. Use the print menu command before using this command. Chinese by default. Enabled by default. By default, terminal connection information is printed on the terminal. Use the print menu command before using this command. Enabled by default. Use the print information command before using this command. Not configured by default. Not configured by default. 500 bytes by default. Not configured by default. 16

22 Step Command Remarks 27. Configure the connectivity test hotkey. 28. Configure TCP parameters. 29. Configure a description for a VTY. 30. Configure the character string for triggering VTY screen saving. 31. Configure the VTY switching hotkey. testkey ascii-code&<1-3> tcp { keepalive time count nodelay recvbuf-size recvsize sendbuf-size sendsize } vty vty-number description string vty vty-number screencode string vty vty-number hotkey ascii-code&<1-3> Not configured by default. By default, the receive buffer size is 2048 bytes, the send buffer size is 2048 bytes, delay is enabled, the keepalive interval is 50 seconds, and the keepalive number is 3. Not configured by default. Not configured by default. Not configured by default. 32. Update the configuration. update changed-config If you modify the terminal template that has been applied to an interface, use this command to update the configuration. Executing this command will disconnect connections. Make sure critical services are not affected. Configuring the TTY receiver The receiver of TTY terminal access is an FEP. The main program of terminal access at an FEP is the program ttyd (ttyd executable), which implements the data exchange with the router-side programs. For information about how to configure your FEP, see "Installing and configuring an FEP." TTY terminal access configuration example Network requirements As shown in Figure 4, the deposit services run on the Unix server, whose IP address is /16. The listening port of the ttyd program on the Unix server is The router is connected to four terminals through its four asynchronous interfaces. The source IP address to be bound is /32. 17

23 Figure 4 Network diagram Configuring the initiator (router) Perform the following configuration in TTY one-to-one mode: # Enable terminal access. <Sysname> system-view [Sysname] rta server enable # Create a template and enter template view. [Sysname] rta template temp1 # Configure a VTY application. [Sysname-rta-template-temp1] vty 0 tty remote [Sysname-rta-template-temp1] quit # Configure the Ethernet interface. [Sysname] interface ethernet 0/0 [Sysname-Ethernet0/0] ip address [Sysname-Ethernet0/0] quit # Create a loopback interface and configure source IP address binding. [Sysname] interface loopback 0 [Sysname-loopback0] ip address [Sysname-loopback0] quit [Sysname] rta source-ip # Apply the template to the asynchronous serial interfaces. [Sysname] interface async 1/0 [Sysname-Async1/0] async mode flow [Sysname-Async1/0] rta terminal temp1 1 [Sysname-Async1/0] interface async 1/1 [Sysname-Async1/1] async mode flow [Sysname-Async1/1] rta terminal temp1 2 [Sysname-Async1/1] interface async 1/2 [Sysname-Async1/2] async mode flow [Sysname-Async1/2] rta terminal temp1 3 [Sysname-Async1/2] interface async 1/3 18

24 [Sysname-Async1/3] async mode flow [Sysname-Async1/3] rta terminal temp1 4 # Configure software flow control. [Sysname] user-interface tty [Sysname-ui-tty17-20] flow-control software Configuring the receiver (Unix server) Perform the following configuration by referring to "Installing and configuring an FEP." The following uses SCO OpenServer Unix as an example. 1. Edit the file /etc/ttyd.conf. serverport 9010 mode 1 ttyp ttyp ttyp ttyp Add a route on the FEP. # route add netmask Run ttyd. Start the ttyd program on the FEP. # /etc/ttyd /etc/ttyd.conf Or follow these steps to start automatically the ttyd program at system startup. a. Edit the file /etc/rc2.d/s99ttyd and type the following command to start the ttyd program. /etc/ttyd /etc/ttyd.conf b. Modify the execution mode of the file to executable mode. # chmod u+x /etc/rc2.d/s99ttyd After that, the ttyd program automatically starts at system startup. NOTE: The above examples are operated and configured based on Sco openserver Unix The operation and configuration differ between Unix platforms. For more information, see "Installing and configuring an FEP." Configuring Telnet terminal access Configuring the Telnet initiator Basic Telnet initiator configuration Step Command Remarks 1. Enter system view. system-view N/A 2. Enable terminal access on the router. rta server enable Disabled by default. 19

25 Step Command Remarks 3. Create a terminal template and enter terminal template view. rta template template-name N/A 4. Configure a Telnet VTY. vty vty-number telnet remote ip-address [ port-number ] [ source source-ip ] After this configuration, the template can be configured with Telnet VTYs, but not RTC client VTYs or RTC server VTYs. 5. Exit terminal template view. quit N/A 6. Enter interface view. 7. Configure the asynchronous serial interface to operate in flow mode. 8. Apply the template to an interface. interface interface-type interface-number async mode flow rta terminal template-name terminal-number [ backup ] The interface type must be supported by terminal access. By default, an asynchronous serial interface operates in the protocol mode and an AUX interface the flow mode. For more information about the async mode flow command, see the async mode command in Interface Command Reference. After you apply the template to the interface, you must set the flow control mode of the user interface corresponding to the interface to software flow control. To view associations between interfaces and user interfaces, use the display user-interface command. 9. Exit interface view. quit N/A 10. Enter TTY user interface view. 11. Enable software flow control of data on the current user interface. user-interface { first-num1 [ last-num1 ] tty first-num2 [ last-num2 ] } flow-control software For more information about the user-interface command, see the user-interface command in Fundamentals Command Reference. By default, the flow control mode is none. That is, no flow control is implemented. For more information about the flow-control software command, see the flow-control command in Fundamentals Command Reference. Advanced Telnet initiator configuration When you configure advanced Telnet initiator settings, follow these guidelines: If both the global source IP address and the source IP address of a VTY are configured, the source IP address of the VTY is used. Configure TCP parameters before establishing a TCP connection. If you configure parameters after a TCP connection is established, the TCP connection must be re-established for the parameters to take effect. You can press the reset hotkey on the terminal to re-establish the TCP connection. 20

26 Configure the receive buffer size before applying the terminal template. If you configure the receive buffer size after a terminal template is applied, you must remove the application of the terminal template and apply the terminal template again for the receive buffer size to take effect. The ASCII value of the hotkey must be different from the ASCII value of any other hotkey configured on the device. Otherwise, hotkey conflicts occur. For example, the hotkey value cannot be 17 or 19 because these two values are used for flow control. In addition, using the hotkey may not get a fast response when the terminal display is busy. Make sure that the terminal type configured is the actual type of the terminal. Otherwise, the screen becomes illegible when it is redrawn or the VTY is changed. If you modify the screen saving configuration after a terminal connection is established, use the update changed-config command to apply the latest configuration. To configure advanced Telnet initiator settings: Step Command Remarks 1. Enter system view. system-view N/A 2. Configure the global source IP address of TCP connections. 3. Enable pressing any key to return. 4. Enter terminal template view. 5. Configure the automatic link teardown time. 6. Configure the automatic link establishment time. rta source-ip ip-address rta vty-style smart rta template template-name auto-close time auto-link time Not configured by default. Disabled by default. N/A 0 seconds by default. That is, no automatic link teardown is performed. 0 seconds by default. That is, no automatic link establishment is performed. 7. Bind a VPN instance. bind vpn-instance vpn-name Not configured by default. 8. Enable terminal data read blocking. 9. Configure the terminal data send delay. 10. Configure the router to not clear the terminal receive buffer after a TCP connection is established. 11. Configure the terminal buffer size. 12. Enable filtering of flow control characters. data read block data send delay milliseconds driverbuf save driverbuf size number filter flow-control character Disabled by default. 0 milliseconds by default. That is, there is no send delay. By default, the router clears the terminal receive buffer after a TCP connection is established bytes by default. Disabled by default. 21