X.25 over TCP Profiles
This feature was introduced.
This document describes the X.25 over TCP Profiles feature in Cisco IOS Release 12.2(8)T. It includes the following sections:
•Supported Standards and MIBs and RFCs
Cisco's X.25 over TCP (XOT) service was originally developed as an X.25 class of service that was only designed to switch X.25 traffic across an IP network. This functionality allowed network administrators to connect X.25 devices across the rich connectivity and media features available to IP traffic. XOT uses a set of default parameters to make this type of network easy to design.
When XOT's capabilities were enhanced to support packet assembler/disassembler (PAD) traffic on an XOT session, network designers saw a need to be able to configure parameters for increased flexibility. For instance, because XOT does not have any physical interfaces that an administrator can configure, PAD over XOT sessions cannot be configured with interface map or facility commands to establish a PAD connection using nondefault values.
The introduction of X.25 profiles for XOT allows the network designer the added flexibility to control the X.25 class services of XOT for PAD and XOT switching usage.
Another important aspect of this feature is that it allows you to associate access lists with XOT connections, enabling you to apply security on the basis of IP addresses and to have a unique X.25 configuration for specified IP addresses.
X.25 over TCP Profiles Functional Description
•XOT Access Groups
•X.25 Profiles for XOT
XOT Access Groups
The X.25 over TCP Profiles feature introduces the xot access-group command, which allows you to create XOT access groups by associating IP access lists with XOT. An access list provides a pass or fail indicator of whether a particular IP address is authorized.
Only standard IP access lists are supported. Standard IP access lists use the remote address, which can be either a source or destination address, depending on where a call originated. For outgoing XOT calls, the destination IP address is tested against the access lists. For incoming XOT calls, the source IP address is tested.
The XOT access groups are sorted by access-group number. When a new XOT connection is made, the IP address is tested against the access list of the first access group. If the IP address does not match the first list, the second list is tested, and so on.
Deleting an access list while it is still associated with XOT will cause the access list to be skipped when a new XOT connection is evaluated. If the access list has been deleted and is being recreated, any XOT access not yet permitted (because the commands have not been configured) will be denied.
A nonexistent access list will deny all access in the same way that an access list configured to "deny all" will. The result is that a call fails to match that access list and moves on to the next XOT access-group entry. If the deleted access list is the last one on the access-group list, then the call is rejected.
The xot access-group command disables the legacy XOT behavior and enables the new XOT access behavior. If you enter the xot access-group command after the legacy XOT context has been created, the message "Active connection(s) will terminate [confirm]" will be displayed if any XOT connections are active. If the message is confirmed, any active XOT connections using the legacy context will be detached and the legacy context will be deleted.
Deleting an XOT access group by entering the no xot access-group command will also cause the message "Active connection(s) will terminate [confirm]" to be displayed if any connections are active. Confirming the message will cause active connections using the access list to be detached and the associated XOT context to be deleted.
X.25 Profiles for XOT
XOT access groups can be associated with X.25 profiles. By this means, the IP addresses specified in the access list can have a unique X.25 configuration. An access group can be associated with one X.25 profile. If an access group is not associated with an X.25 profile, then the XOT connections associated with the access group will use the default X.25 configuration.
An X.25 profile must already have been created and must specify a data exchange equipment (DXE) station type before it can be associated with an XOT access group. An X.25 profile can be associated with multiple access groups.
The station type of a profile cannot be changed once the profile has been created.
An X.25 profile cannot be deleted as long as it is associated with one or more XOT access groups.
Application of X.25 Profiles on XOT Switched Virtual Circuits
The X.25 parameter settings will be applied to incoming or outgoing XOT switched virtual circuits (SVCs) according to the following rules:
1. If one or more access lists are applied to XOT, an XOT call will be rejected unless it matches at least one of the access lists.
2. The first access list that permits the XOT connection defines the X.25 settings that apply to the XOT connection. If an X.25 profile was associated with the first qualifying access list, the X.25 settings from that profile are used. If an X.25 profile was not associated with the qualifying access list, the default X.25 settings are used.
3. If no access lists are applied to XOT, the default X.25 settings are used.
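The evaluation order described above can be modeled offline to check which remote addresses are accepted and which X.25 settings they receive. The following Python sketch is an added example, not Cisco code; the function names and the access list contents are constructed for illustration, and the group numbers and profile names are borrowed from the sample output later in this document.

```python
import ipaddress

def acl_permits(entries, ip):
    """Standard IP ACL: the first matching entry decides; no match means deny."""
    addr = int(ipaddress.IPv4Address(ip))
    for action, network, wildcard in entries:
        care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
        if (addr & care) == (int(ipaddress.IPv4Address(network)) & care):
            return action == "permit"
    return False

def evaluate_xot_call(groups, acls, remote_ip):
    """Return (decision, x25_settings) for one XOT connection.

    groups:    {acl_number: profile_name or None}, one per xot access-group
    acls:      {acl_number: [(action, network, wildcard), ...]}; a number
               missing here models a list deleted while still referenced
    remote_ip: source of an incoming call, destination of an outgoing call
    """
    if not groups:
        return ("accept", "default")        # rule 3: no access lists applied
    for number in sorted(groups):           # tested in access-group order
        entries = acls.get(number)
        if entries is None:
            continue                        # nonexistent list matches nothing
        if acl_permits(entries, remote_ip):
            return ("accept", groups[number] or "default")   # rule 2
    return ("reject", None)                 # rule 1: no list permitted it

# Constructed sample data (documentation address ranges, not real hosts).
GROUPS = {55: "xot-sita", 10: "xot-cisco", 1: None}
ACLS = {
    1: [("deny", "192.0.2.99", "0.0.0.0"),
        ("permit", "192.0.2.0", "0.0.0.255")],
    10: [("permit", "192.0.2.99", "0.0.0.0"),
         ("permit", "192.0.2.10", "0.0.0.0"),
         ("permit", "198.51.100.0", "0.0.0.255")],
    # access list 55 is intentionally absent (deleted but still referenced)
}

if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.99", "198.51.100.7", "203.0.113.5"):
        print(ip, evaluate_xot_call(GROUPS, ACLS, ip))
```

In this sample, 192.0.2.10 receives the default settings because access group 1 permits it before group 10 is consulted, while 192.0.2.99 is denied by list 1 and falls through to group 10.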
Application of X.25 Profiles on Remote Switched XOT Permanent Virtual Circuits
The X.25 parameter settings will be applied to remote switched XOT permanent virtual circuits (PVCs) according to the following rules:
1. If the destination of the XOT PVC does not pass any of the access lists because the access lists have not been defined, the PVC setup will be retried every 20 seconds until the access list is defined.
2. The PVC setup retry will be canceled if the XOT PVC is deleted.
3. The first access list that includes the destination of the XOT PVC defines the X.25 settings that apply to the XOT PVC setup. If an X.25 profile was associated with the qualifying access list, the X.25 settings from that profile are used. If an X.25 profile was not associated with the qualifying access list, the default X.25 settings are used.
The X.25 over TCP Profiles feature
•Enables you to apply X.25 profiles to XOT connections so you can configure the X.25 parameters for use by the XOT service.
•Allows a Cisco router to have multiple X.25 configurations that can be used for XOT connections.
•Allows IP access lists to be associated with XOT, enabling you to apply security on the basis of IP addresses.
•Allows the IP addresses specified in the access list to have a unique X.25 configuration.
•An X.25 profile must already have been created and must specify a DXE station type before it can be referenced by the XOT command. To create an X.25 profile with a DXE station type, use the x25 profile command with the dxe keyword in global configuration mode.
•Closed user group (CUG) service cannot be configured for XOT. CUG behavior is defined to occur at the boundary between user and network. XOT connections are defined as internetwork connections. The CUG facility in a switched Call or Call Confirm packet can only be passed transparently over XOT.
•Named and extended access lists are not supported by XOT access groups.
•LAPB parameters do not apply to XOT and are ignored if configured under an X.25 profile applied to XOT connections. For information about why LAPB parameters do not apply to XOT, see RFC 1613, Cisco Systems X.25 over TCP (XOT).
•The x25 subscribe flow-control command with the never keyword should not be configured in an X.25 profile that will be used for XOT connections. The never keyword means that negotiation of flow-control parameters is disabled and that flow-control parameters will not be included with call setup packets and will not be permitted on inbound packets. Because XOT always sends window and packet size facilities in call setup packets, the application of the x25 subscribe flow-control never command to XOT services will cause calls to fail.
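The restrictions above can be checked against a saved configuration before it is deployed. The following Python sketch is an added example, not a Cisco tool; it assumes the usual running-configuration layout in which profile sub-commands are indented under the x25 profile line, and the sample configuration and the lapb t1 value are constructed for illustration.

```python
import re

def lint_xot_config(config_text):
    """Return (access_list_number, finding) tuples for xot access-group lines."""
    acls, profiles, groups, current = set(), {}, [], None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if raw[0].isspace() and current is not None:
            profiles[current]["body"].append(line)   # sub-command of a profile
            continue
        current = None
        if m := re.match(r"(?:ip access-list standard|access-list) (\d+)\b", line):
            acls.add(m.group(1))
        elif m := re.match(r"x25 profile (\S+) (\S+)", line):
            current = m.group(1)
            profiles[current] = {"station": m.group(2), "body": []}
        elif m := re.match(r"xot access-group (\d+)(?: profile (\S+))?$", line):
            groups.append((m.group(1), m.group(2)))
    findings = []
    for acl, name in groups:
        if acl not in acls:
            findings.append((acl, "access list not defined: group matches no address"))
        if name is None:
            continue                       # group uses the default X.25 settings
        profile = profiles.get(name)
        if profile is None:
            findings.append((acl, "profile not created"))
            continue
        if profile["station"] != "dxe":
            findings.append((acl, "profile station type is not dxe"))
        if "x25 subscribe flow-control never" in profile["body"]:
            findings.append((acl, "flow-control never: XOT calls will fail"))
        if any(cmd.startswith("lapb ") for cmd in profile["body"]):
            findings.append((acl, "LAPB parameters are ignored for XOT"))
    return findings

# Constructed configuration for illustration; addresses are documentation ranges.
SAMPLE_CONFIG = """\
access-list 10 permit any
ip access-list standard 22
 permit 198.51.100.0 0.0.0.255
x25 profile NEW-DEFAULT dxe
 x25 subscribe flow-control never
 lapb t1 3000
x25 profile TRANSPAC dce
xot access-group 10 profile NEW-DEFAULT
xot access-group 22 profile TRANSPAC
xot access-group 30
"""

if __name__ == "__main__":
    print(*lint_xot_config(SAMPLE_CONFIG), sep="\n")
```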
For more information about configuring X.25, see the following documents:
•The chapter "Configuring X.25" in the Cisco IOS Wide-Area Networking Configuration Guide, Release 12.2
•The chapter "X.25 Commands" in the Cisco IOS Wide-Area Networking Command Reference, Release 12.2
For information about configuring IP access lists, see the following documents:
•The chapter "Configuring IP Services" in the Cisco IOS IP Configuration Guide, Release 12.2.
•The chapter "IP Services Commands" in the Cisco IOS IP Command Reference, Volume 1 of 3: Addressing and Services, Release 12.2.
•Cisco 805 Serial Router
•Cisco 1400 series
•Cisco 1600 series
•Cisco 2600 series
•Cisco 3600 series
•Cisco 7100 series
•Cisco 7200 series
•Cisco 7500 series
XOT is available on any Cisco router that runs Cisco IOS software and supports X.25.
Determining Platform Support Through Feature Navigator
Cisco IOS software is packaged in feature sets that support specific platforms. To get updated information regarding platform support for this feature, access Feature Navigator. Feature Navigator dynamically updates the list of supported platforms as new platform support is added for the feature.
Feature Navigator is a web-based tool that enables you to quickly determine which Cisco IOS software images support a specific set of features and which features are supported in a specific Cisco IOS image.
To access Feature Navigator, you must have an account on Cisco.com. If you have forgotten or lost your account information, send a blank e-mail to firstname.lastname@example.org. An automatic check will verify that your e-mail address is registered with Cisco.com. If the check is successful, account details with a new random password will be e-mailed to you. Qualified users can establish an account on Cisco.com by following the directions at http://www.cisco.com/register.
Feature Navigator is updated regularly when major Cisco IOS software releases and technology releases occur. For the most current information, go to the Feature Navigator home page at the following URL:
Supported Standards and MIBs and RFCs
No new or modified standards are supported by this feature.
No new or modified MIBs are supported by this feature.
To obtain lists of supported MIBs by platform and Cisco IOS release, and to download MIB modules, go to the Cisco MIB website on Cisco.com at the following URL:
RFC 1613, Cisco Systems X.25 over TCP
The configuration tasks in the following sections assume you know how to configure IP access lists and X.25 profiles.
•Configuring an XOT Access Group (required)
•Verifying XOT Access Groups (optional)
Configuring an XOT Access Group
To configure an XOT access group and associate an X.25 profile with it, use the following command in global configuration mode:
Router(config)# xot access-group access-list-number [profile profile-name]
Creates an XOT access group.
Verifying XOT Access Groups
To verify XOT access group configuration and performance, perform the tasks in the following steps. For descriptions of the output fields, see the command pages later in this document.
Step 1 Use the show x25 xot command with the access-group keyword to find out which X.25 profiles are associated with each XOT access group.
Router# show x25 xot access-group
xot access-group 1 using built-in default configuration
xot access-group 10 using x.25 profile xot-cisco
xot access-group 55 using x.25 profile xot-sita
Step 2 Use the show x25 profile command to view the X.25 parameter settings that apply to XOT connections.
X.25 profile name: XOT-DEFAULT
PROFILE dxe/DTE, address 12345, state R/Inactive, modulo 128, timer 0
Defaults: idle VC timeout 0
input/output window sizes 20/20, packet sizes 256/256
Timers: T20 180, T21 200, T22 180, T23 180
Channels: Incoming-only none, Two-way 1-4095, Outgoing-only none
Step 3 Use the show x25 context command with the xot keyword to display information about the operational state of XOT links.
Router# show x25 context xot
PROFILE mod128 station DXE/DTE, address 2222, state R1, modulo 128, timer 0
Defaults: idle VC timeout 0
input/output window sizes 80/80, packet sizes 256/256
Timers: T20 180, T21 200, T22 180, T23 180
RESTARTs 0/0 CALLs 5+0/7+0/0+0 DIAGs 0/0
station DXE/DTE, address <none>, state R1, modulo 8, timer 0
Defaults: idle VC timeout 0
input/output window sizes 2/2, packet sizes 128/128
Timers: T20 180, T21 200, T22 180, T23 180
RESTARTs 0/0 CALLs 21+0/50+0/0+0 DIAGs 0/0 D
To troubleshoot XOT connections, use the following commands in EXEC mode:
Router# debug x25 events
Displays information about all X.25 traffic except data and resource record packets.
Router# show x25 services
Displays information pertaining to X.25 services.
•Unrestricted XOT Access with Defined X.25 Parameters for All XOT Connections Example
•Restricted XOT Access with Default X.25 Parameters for All XOT Connections Example
•Restricted XOT Access with Multiple X.25 Parameter Configurations Example
Unrestricted XOT Access with Defined X.25 Parameters for All XOT Connections Example
In the following example, an access list is defined to permit all XOT connections. All XOT connections will use the X.25 configuration defined in the X.25 profile called "NEW-DEFAULT".
! Create a DXE station type profile with any name and configure the X.25 parameters under
! the named profile
x25 profile NEW-DEFAULT dxe
! Define an IP standard access list to permit any XOT connection
access-list 10 permit any
! Apply the access list and X.25 profile to all XOT connections
xot access-group 10 profile NEW-DEFAULT
Restricted XOT Access with Default X.25 Parameters for All XOT Connections Example
In the following example, an X.25 profile is not associated with the access group, so the default X.25 configuration will be applied to all permitted XOT connections.
! Define an IP access list by specifying an IP access list number and access condition
access-list 12 permit 184.108.40.206 0.0.0.255
! Apply the access list to XOT connections
xot access-group 12
Restricted XOT Access with Multiple X.25 Parameter Configurations Example
In the following example, XOT connections permitted by access list 10 will use the default X.25 configuration. XOT connections permitted by access list 22 will use the X.25 configuration that is defined in the X.25 profile "TRANSPAC".
! Define the IP access lists by specifying an IP access list number and access condition
ip access-list standard 10
ip access-list standard 22
permit 220.127.116.11 0.0.255.255 log
! Apply the default X.25 configuration to XOT connections permitted by access list 10
xot access-group 10
! Configure an X.25 profile with station type DXE
x25 profile TRANSPAC dxe
! Apply the X.25 profile to XOT connections permitted by access list 22
xot access-group 22 profile TRANSPAC
access list—List kept by routers to control access to or from the router for a number of services (for example, to prevent packets with a certain IP address from leaving a particular interface on the router).
CMNS—Connection Mode Network Service. Extends local X.25 switching to a variety of media (Ethernet, FDDI, Token Ring).
CUG—closed user group. A collection of DTE devices for which the network controls access between members and between members and nonmembers. A DTE may subscribe to zero, one, or more CUGs. A DTE that does not subscribe to a CUG is referred to as being in the open part of the network.
DCE—data communications equipment. Devices and connections of a communications network that make up the network end of the user-to-network interface. The DCE provides a physical connection to the network, forwards traffic, and provides a clocking signal used to synchronize data transmission between DCE and DTE devices. Modems and interface cards are examples of DCE.
DTE—data terminal equipment. Device at the user end of a user-network interface that serves as a data source, destination, or both. DTE connects to a data network through a DCE device (for example, a modem) and typically uses clocking signals generated by the DCE. DTE includes such devices as computers, protocol translators, and multiplexers.
HDLC—high-level data link control. Bit-oriented synchronous data link layer protocol developed by ISO. HDLC specifies a data encapsulation method on synchronous serial links using frame characters and checksums.
LAPB—Link Access Procedure, Balanced. Data link layer protocol in the X.25 protocol stack. LAPB is a bit-oriented protocol derived from high-level data link control (HDLC).
PVC—permanent virtual circuit. Virtual circuit that is permanently established.
SVC—switched virtual circuit. Virtual circuit that is dynamically established on demand and is torn down when transmission is complete.
X.25—ITU-T standard that defines how connections between DTE and DCE are maintained for remote terminal access and computer communications in PDNs. X.25 specifies LAPB, a data-link-layer protocol, and PLP, a network-layer protocol.
X.25 profile—Bundled X.25 and LAPB commands that can be applied to specific connections.
XOT—X.25 over TCP.
Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.
© 2007 Cisco Systems, Inc. All rights reserved.