Cisco IOS Software Releases 12.2 T

Terminal Line Security for PAD Connections


Feature History

Release      Modification
12.2(13)T    This feature was introduced.


This document describes the Terminal Line Security for PAD Connections feature in Cisco IOS Release 12.2(13)T. It includes the following sections:

Feature Overview

Supported Platforms

Supported Standards, MIBs, and RFCs

Prerequisites

Configuration Tasks

Monitoring and Maintaining X.25 CUG Support on Terminal Lines

Configuration Examples

Command Reference

Glossary

Feature Overview

X.25 closed user group (CUG) service is a network service that allows subscribers to be segregated into private subnetworks with limited outgoing and incoming access. A data terminal equipment (DTE) device becomes a member of a CUG by subscription; the DTE must obtain membership from its network service for the set of CUGs to which it needs access.

The Terminal Line Security for PAD Connections feature allows a CUG service to be configured on terminal lines, enabling terminal lines to participate in X.25 CUG security for packet assembler/disassembler (PAD) connections. A CUG service can be applied to console lines, auxiliary lines, and tty and vty devices. Configuring a CUG service on terminal lines allows you to specify CUG protection for lines that are part of the point of presence (POP). Before the introduction of this feature, a CUG service could be configured only on X.25 synchronous data communications equipment (DCE) interfaces.

A line configured for CUG service will apply CUG security to PAD, X.28 mode, and protocol translation sessions. The Terminal Line Security for PAD Connections feature ensures that CUG protection is applied to incoming calls destined for the terminal line and call requests specified from the line. This feature also supports the signaling of the CUG selection facility in call requests that originated on the line and incoming calls received on an X.25 service that are terminated by the line.

Figure 1 shows a typical topology in which CUG service would be configured on asynchronous terminal lines.

Figure 1 Network Topology with Asynchronous Lines Configured for CUG Service

Security Considerations


Caution: X.25 CUG security relies on the correct, complementary configuration of CUG sets at all the boundaries between client premises equipment (CPE) and POPs. Any POP that is connected to a CPE device that is not configured for CUG security has compromised the X.25 network security because that CPE device will be considered a trusted host, even though it is not secure.

PAD Call Behavior When a Line Is Configured for CUG Subscription

This section describes the overall behavior of PAD-initiated calls when a terminal line or an X.25 interface is configured for CUG subscription.

The x25 map pad and x25 facility cug commands can be used to cause a CUG selection facility to be encoded in calls placed within the networks. The following rules describe which CUG selection facility is encoded in the call:

A call initiated using the pad command or in X.28 mode without a CUG subscription set encodes the interface CUG selection facility, if one was specified.

A call initiated using the pad command with the /use-map option encodes the CUG selection facility for the matching map entry, if one was specified.

A call initiated in X.28 mode with a specified CUG encodes the specified X.28 CUG.

The following sections provide examples that illustrate the behavior of PAD-initiated calls.

PAD Call Behavior When Only the Line is Configured for CUG Service

This section describes PAD call behavior when only the line is configured for CUG service.

Configuration A

In the following example, a line is configured for CUG subscription, and the interface on which the resulting call is to be placed is configured with the x25 facility cug and x25 map pad commands. CUG subscription is not configured on the interface.

interface Serial1
 encapsulation x25 dce
 x25 facility cug 99
 x25 map pad 1221 cug 10 no-outgoing
 x25 map pad 1222 cug 99
 x25 map pad 1234 cug 10
!
line tty 1
 x25 subscribe cug-service
 x25 subscribe local-cug 99 network-cug 9999 preferential
 x25 subscribe local-cug 10 network-cug 100
 x25 subscribe local-cug 20 network-cug 200
!
[...]
!
x25 route ^12..$ interface Serial1
[...]

When the line initiates an X.28 mode or PAD call without a CUG subscription set, the line will decode the interface's CUG selection facility, and the network will encode the line's signaled CUG selection facility. The x25 facility cug command implicitly identifies the local CUG to use for PAD-originated calls.

Table 1 shows the CUG value sent when a line initiates a PAD or an X.28 mode call without a CUG subscription set.

Table 1 CUG Value Sent for Line-Initiated Calls Without a CUG Subscription

User Command    Result
pad 1234        Call 1234, CUG 9999 sent on Serial 1.
*1234           Call 1234, CUG 9999 sent on Serial 1.


Using configuration A, if a call is initiated on a line using the pad command with the /use-map option, the line will decode the matching map entry's CUG, and the network will encode the line's signaled CUG selection facility. The map's CUG identifies the local CUG to use for PAD-originated calls and overrides the interface's CUG selection facility on a per-call basis.

If the pad command is used with the /use-map option, the interface on which the resulting call is to be placed must have a matching X.25 map statement for the PAD call and must permit outgoing calls. Any CUG specified in the map statement must identify the local CUG ID to be used for generating the call.

Table 2 shows the values sent when a line initiates a PAD call with the /use-map option.

Table 2 CUG Value Sent for Line-Initiated PAD Calls Initiated with the /use-map Option

User Command         Result
pad 1234 /use-map    Call 1234, CUG 100 sent on Serial 1.
pad 1221 /use-map    Call is cleared, outgoing calls are barred.
pad 1255 /use-map    Call is cleared (no matching map found on Serial 1).


Using configuration A, if an X.28 mode call specifies a CUG, the line will decode the specified CUG, and the network will encode the line's signaled CUG selection facility. The X.28 mode commands do not use X.25 map statements when originating calls.

Table 3 shows the CUG value sent when a line initiates a call using an X.28 interface with CUG specified.

Table 3 CUG Value Sent for Line-Initiated Calls Using an X.28 Mode with CUG Specified

User Command    Result
*g10-1234       Call 1234, CUG 100 sent on Serial 1.


PAD Call Behavior When Both a Line and an Interface Are Configured for CUG Service

This section describes PAD call behavior when a line and an interface are both configured for CUG service.

Configuration B

In the following example, a line and an interface are configured for CUG subscription:

interface Serial1
 encapsulation x25 dce
 x25 subscribe cug-service
 x25 subscribe local-cug 5599 network-cug 9999 preferential
 x25 subscribe local-cug 5510 network-cug 100
 x25 subscribe local-cug 5520 network-cug 200
 x25 facility cug 99
 x25 map pad 1234 cug 10
 x25 map pad 1221 cug 10 no-outgoing
 x25 map pad 1222 cug 99
!
line tty 1
 x25 subscribe cug-service
 x25 subscribe local-cug 10 network-cug 100
 x25 subscribe local-cug 20 network-cug 200
 x25 subscribe local-cug 99 network-cug 9999 preferential
!
[...]
!
x25 route ^12..$ interface Serial1
[...]

Table 4 shows examples of line-initiated PAD commands and the CUG values sent when the terminal line and the X.25 interface are both configured for CUG subscription.

Table 4 CUG Values Sent for Line-Initiated Calls When the Line and Interface Are Configured for CUG Subscription

User Command         Result
pad 1234             Call 1234, CUG 5599 sent on Serial 1.
pad 1221             Call 1221, CUG 5599 sent on Serial 1.
pad 1222             Call 1222, CUG 5599 sent on Serial 1.
pad 1234 /use-map    Call 1234, CUG 5510 sent on Serial 1.
pad 1221 /use-map    Call is cleared, outgoing calls are barred.
pad 1222 /use-map    Call 1222, CUG 5599 sent on Serial 1.
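
The translation chain that produces the values in Tables 1 through 4, as an added Python model (not Cisco IOS code and not part of the original document). The class and function names are hypothetical, and the two-step translation (line local CUG to network CUG, then network CUG to the interface's local CUG when the interface also subscribes) is inferred from the tables. Assumptions: x25 route matching is not modelled, and a call that selects a CUG missing from a subscription is treated as cleared.

```python
# Added example: a model of the CUG selection rules, not Cisco IOS code.
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple


@dataclass
class CugSubscription:
    """'x25 subscribe local-cug N network-cug M' entries of a line or interface."""
    local_to_network: Dict[int, int]
    no_outgoing: Set[int] = field(default_factory=set)  # local CUGs barring outgoing calls

    def network_for(self, local_cug: int) -> Optional[int]:
        return self.local_to_network.get(local_cug)

    def local_for(self, network_cug: int) -> Optional[int]:
        for local, network in self.local_to_network.items():
            if network == network_cug:
                return local
        return None


@dataclass
class X25Interface:
    facility_cug: Optional[int]                      # x25 facility cug N
    pad_maps: Dict[str, Tuple[Optional[int], bool]]  # address -> (cug, no-outgoing)
    subscription: Optional[CugSubscription] = None   # None: no CUG service on interface


def place_pad_call(line: CugSubscription, iface: X25Interface, address: str,
                   use_map: bool = False, x28_cug: Optional[int] = None):
    """Return ("sent", cug) or ("cleared", reason) for a call originated on the line."""
    # Step 1: which local CUG does the call select?
    if use_map:
        entry = iface.pad_maps.get(address)
        if entry is None:
            return ("cleared", "no matching map")
        local_cug, map_bars_outgoing = entry
        if map_bars_outgoing:
            return ("cleared", "outgoing calls are barred")
    elif x28_cug is not None:
        local_cug = x28_cug            # X.28 selection never consults the maps
    else:
        local_cug = iface.facility_cug
    if local_cug is None:
        raise ValueError("no CUG selected: case not covered by this model")

    # Step 2: the line's subscription translates local CUG -> network CUG.
    network_cug = line.network_for(local_cug)
    if network_cug is None:
        return ("cleared", "CUG not subscribed on line")          # assumption
    if local_cug in line.no_outgoing:
        return ("cleared", "selected CUG bars outgoing access")

    # Step 3: an interface with its own subscription translates the network
    # CUG back to that interface's local CUG before the call is sent.
    if iface.subscription is None:
        return ("sent", network_cug)
    iface_local = iface.subscription.local_for(network_cug)
    if iface_local is None:
        return ("cleared", "network CUG not subscribed on interface")  # assumption
    return ("sent", iface_local)


# Configurations A and B from the text, transcribed as data.
LINE_TTY1 = CugSubscription({99: 9999, 10: 100, 20: 200})
PAD_MAPS = {"1221": (10, True), "1222": (99, False), "1234": (10, False)}
CONFIG_A = X25Interface(facility_cug=99, pad_maps=PAD_MAPS)
CONFIG_B = X25Interface(
    facility_cug=99, pad_maps=PAD_MAPS,
    subscription=CugSubscription({5599: 9999, 5510: 100, 5520: 200}))

if __name__ == "__main__":
    for name, iface in (("A", CONFIG_A), ("B", CONFIG_B)):
        for address in ("1234", "1221", "1222", "1255"):
            for use_map in (False, True):
                result = place_pad_call(LINE_TTY1, iface, address, use_map=use_map)
                suffix = " /use-map" if use_map else ""
                print(f"config {name}: pad {address}{suffix} -> {result}")
```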


Benefits

Before the introduction of this feature, CUG functionality required all CPE devices to be attached to the router at an X.25 synchronous DCE interface. The Terminal Line Security for PAD Connections feature extends the existing X.25 CUG functionality to terminal lines, allowing PAD access devices (console lines, auxiliary lines, and tty and vty devices) to be configured for CUG security enforcement.

Restrictions

The CUG selection facility suppression options are not available for terminal lines because incoming PAD calls are terminated by the terminal line.

Related Documents

For information about X.25 CUGs, refer to the following documents:

"Configuring X.25 and LAPB" chapter, Cisco IOS Wide-Area Networking Configuration Guide, Release 12.2

"X.25 and LAPB Commands" chapter, Cisco IOS Wide-Area Networking Command Reference, Release 12.2

For information about PAD connections, refer to the following documents:

"Configuring the Cisco PAD Facility for X.25 Connections" chapter, Cisco IOS Terminal Services Configuration Guide, Release 12.2

Cisco IOS Terminal Services Command Reference, Release 12.2

Supported Platforms

Cisco 1400 series

Cisco 1600 series

Cisco 1700 series

Cisco 2500 series

Cisco 2600 series

Cisco 2600XM

Cisco 2691

Cisco 3600 series

Cisco 3725

Cisco 3745

Cisco 7100 series

Cisco 7200 series

Cisco 800 series

Cisco AS5300

Cisco AS5350

Cisco AS5400 series

Cisco AS5800

Cisco AS5850

Cisco IAD2400 series

Cisco MC3810

Cisco uBR7200 Series

Universal Router Module (URM) for Cisco IGX 8400

Determining Platform Support Through Cisco Feature Navigator

Cisco IOS software is packaged in feature sets that are supported on specific platforms. To get updated information regarding platform support for this feature, access Cisco Feature Navigator. Cisco Feature Navigator dynamically updates the list of supported platforms as new platform support is added for the feature.

Cisco Feature Navigator is a web-based tool that enables you to quickly determine which Cisco IOS software images support a specific set of features and which features are supported in a specific Cisco IOS image. You can search by feature or release. Under the release section, you can compare releases side by side to display both the features unique to each software release and the features in common.

To access Cisco Feature Navigator, you must have an account on Cisco.com. If you have forgotten or lost your account information, send a blank e-mail to cco-locksmith@cisco.com. An automatic check will verify that your e-mail address is registered with Cisco.com. If the check is successful, account details with a new random password will be e-mailed to you. Qualified users can establish an account on Cisco.com by following the directions found at this URL:

http://www.cisco.com/register

Cisco Feature Navigator is updated regularly when major Cisco IOS software releases and technology releases occur. For the most current information, go to the Cisco Feature Navigator home page at the following URL:

http://www.cisco.com/go/fn

Availability of Cisco IOS Software Images

Platform support for particular Cisco IOS software releases is dependent on the availability of the software images for those platforms. Software images for some platforms may be deferred, delayed, or changed without prior notice. For updated information about platform support and availability of software images for each Cisco IOS software release, refer to the online release notes or, if supported, Cisco Feature Navigator.

Supported Standards, MIBs, and RFCs

Standards

No new or modified standards are supported by this feature.

MIBs

No new or modified MIBs are supported by this feature.

To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL:

http://tools.cisco.com/ITDIT/MIBS/servlet/index

If Cisco MIB Locator does not support the MIB information that you need, you can also obtain a list of supported MIBs and download MIBs from the Cisco MIBs page at the following URL:

http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml

To access Cisco MIB Locator, you must have an account on Cisco.com. If you have forgotten or lost your account information, send a blank e-mail to cco-locksmith@cisco.com. An automatic check will verify that your e-mail address is registered with Cisco.com. If the check is successful, account details with a new random password will be e-mailed to you. Qualified users can establish an account on Cisco.com by following the directions found at this URL:

http://www.cisco.com/register

RFCs

No new or modified RFCs are supported by this feature.

Prerequisites

The tasks in this document assume a basic understanding of the X.25 CUG service and how it works.

Configuration Tasks

See the following sections for configuration tasks for the Terminal Line Security for PAD Connections feature. Each task in the list is identified as either required or optional.

Configuring X.25 CUG Support on Terminal Lines (required)

Verifying X.25 CUG Support on Terminal Lines (optional)

Configuring X.25 CUG Support on Terminal Lines

To configure X.25 CUG support on terminal lines, use the following commands beginning in global configuration mode:

 
Step 1  Command: Router(config)# line [aux | console | tty | vty] line-number [ending-line-number]
        Purpose: Identifies a specific line or range of lines for configuration and enters line configuration mode.

Step 2  Command: Router(config-line)# x25 subscribe cug-service [incoming-access | outgoing-access]
        Purpose: Enables and controls standard CUG behavior. CUG protection will be applied to PAD calls destined for and originated on the line.
        Note: The CUG selection facility suppression option is not available for terminal lines because incoming PAD calls are terminated by the line.

Step 3  Command: Router(config-line)# x25 subscribe local-cug number network-cug number [no-incoming | no-outgoing | preferential]
        Purpose: Configures subscription to a specific CUG and maps the desired local CUG number to its corresponding network CUG.
        This command can be entered as many times as needed to configure the access needs of a line.

Verifying X.25 CUG Support on Terminal Lines

To verify support for X.25 CUG service on terminal lines, perform the following steps:


Step 1 Enter the show running-config command to verify that the configuration is correct.

Step 2 Enter the show line command to display the configured CUG capability in the Capabilities field:

Router# show line vty 2

Tty Typ     Tx/Rx    A Modem  Roty AccO AccI   Uses   Noise  Overruns   Int
   132 VTY              -    -      -    -    -      0       0     0/0       -

Line 132, Location: "", Type: ""
Length: 24 lines, Width: 80 columns
Baud rate (TX/RX) is 9600/9600
Status: No Exit Banner
Capabilities: CUG Security Enabled
Modem state: Idle
Group codes:    0
Special Chars: Escape  Hold  Stop  Start  Disconnect  Activation
                ^^x    none   -     -       none         
Timeouts:      Idle EXEC    Idle Session   Modem Answer  Session   Dispatch
               00:10:00        never                        none    not set
                            Idle Session Disconnect Warning
                              never 
                            Login-sequence User Response
                             00:00:30
                            Autoselect Initial Wait
                              not set
Modem type is unknown.
Session limit is not set.
.
.
.

Step 3 Enter the show x25 cug command with the local-cug keyword to display information about all local CUGs configured on the router:

Router# show x25 cug local-cug

X.25 Serial1/1, 3 CUGs subscribed with no public access
  local-cug 99 <-> network-cug 9999, no-incoming, preferential
  local-cug 100 <-> network-cug 1000 
  local-cug 101 <-> network-cug 1001 
PROFILE cugs, 2 CUGs subscribed with with incoming public access
  local-cug 1 <-> network-cug 10, no-outgoing
  local-cug 2 <-> network-cug 20, no-incoming, preferential
Line: 129 aux 0  , 1 CUGs subscribed with outgoing public access
  local-cug 1 <-> network-cug 10 
Line: 130 vty 0  , 4 CUGs subscribed with incoming and outgoing public access
  local-cug 1 <-> network-cug 10 
  local-cug 50 <-> network-cug 5, preferential
  local-cug 60 <-> network-cug 6, no-incoming
  local-cug 70 <-> network-cug 7, no-outgoing
Line: 131 vty 1   , 1 CUGs subscribed with no public access
  local-cug 1 <-> network-cug 10 

Step 4 Enter the show x25 cug command with the network-cug keyword to display information about all network CUGs configured on the router. The following sample output displays the local CUGs associated with network CUG 10:

Router# show x25 cug network-cug 10

PROFILE cugs, 2 CUGs subscribed with no public access
  network-cug 10 <-> local-cug 1 , no-outgoing
Line: 129 aux 0   , 1 CUGs subscribed with no public access
  network-cug 10 <-> local-cug 1 
Line: 130 vty 0   , 4 CUGs subscribed with incoming and outgoing public access
  network-cug 10 <-> local-cug 1 
Line: 131 vty 1   , 1 CUGs subscribed with no public access
  network-cug 10 <-> local-cug 1
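
One way to review the Step 3 output for terminal lines that permit open-network access, and to cross-check CUG membership as in Step 4. This is an added Python example, not Cisco tooling; the function names are hypothetical and the parser assumes the output format shown in the sample above.

```python
# Added example (not Cisco code): audit 'show x25 cug local-cug' output.
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Sample output copied from Step 3 above.
SAMPLE = """\
X.25 Serial1/1, 3 CUGs subscribed with no public access
  local-cug 99 <-> network-cug 9999, no-incoming, preferential
  local-cug 100 <-> network-cug 1000
  local-cug 101 <-> network-cug 1001
PROFILE cugs, 2 CUGs subscribed with with incoming public access
  local-cug 1 <-> network-cug 10, no-outgoing
  local-cug 2 <-> network-cug 20, no-incoming, preferential
Line: 129 aux 0  , 1 CUGs subscribed with outgoing public access
  local-cug 1 <-> network-cug 10
Line: 130 vty 0  , 4 CUGs subscribed with incoming and outgoing public access
  local-cug 1 <-> network-cug 10
  local-cug 50 <-> network-cug 5, preferential
  local-cug 60 <-> network-cug 6, no-incoming
  local-cug 70 <-> network-cug 7, no-outgoing
Line: 131 vty 1   , 1 CUGs subscribed with no public access
  local-cug 1 <-> network-cug 10
"""

# Subscriber header, e.g. "Line: 130 vty 0  , 4 CUGs subscribed with ... public access".
HEADER = re.compile(
    r"^(?P<name>\S.*?)\s*,\s*\d+ CUGs subscribed (?:with )+(?P<access>.+?) public access\s*$")
# Indented mapping line, e.g. "  local-cug 99 <-> network-cug 9999, no-incoming, preferential".
ENTRY = re.compile(
    r"^\s+local-cug\s+(\d+)\s+<->\s+network-cug\s+(\d+)\s*(?:,\s*(.*\S))?\s*$")


@dataclass
class Cug:
    local: int
    network: int
    flags: Set[str]          # no-incoming, no-outgoing, preferential


@dataclass
class Subscriber:
    name: str                # interface, X.25 profile, or terminal line
    public_access: Set[str]  # subset of {"incoming", "outgoing"}
    cugs: List[Cug] = field(default_factory=list)


def parse_cug_report(text: str) -> List[Subscriber]:
    """Turn the command output into one Subscriber per header line."""
    subscribers: List[Subscriber] = []
    for raw in text.splitlines():
        header = HEADER.match(raw)
        if header:
            words = header.group("access").split()
            access = {w for w in words if w in ("incoming", "outgoing")}
            subscribers.append(Subscriber(header.group("name"), access))
            continue
        entry = ENTRY.match(raw)
        if entry and subscribers:
            flags = {f.strip() for f in (entry.group(3) or "").split(",") if f.strip()}
            subscribers[-1].cugs.append(
                Cug(int(entry.group(1)), int(entry.group(2)), flags))
        # Other indented lines (such as suppression notices) are ignored.
    return subscribers


def lines_with_public_access(subscribers: List[Subscriber]) -> Dict[str, List[str]]:
    """Terminal lines that accept or place calls outside their CUGs."""
    return {s.name: sorted(s.public_access)
            for s in subscribers
            if s.name.startswith("Line:") and s.public_access}


def members_of(subscribers: List[Subscriber], network_cug: int) -> List[str]:
    """Subscribers holding a mapping to the given network CUG."""
    return [s.name for s in subscribers
            if any(c.network == network_cug for c in s.cugs)]


if __name__ == "__main__":
    report = parse_cug_report(SAMPLE)
    for name, directions in lines_with_public_access(report).items():
        print(f"{name}: open-network access ({', '.join(directions)})")
    print("network-cug 10 members:", members_of(report, 10))
```

The default for x25 subscribe cug-service is no incoming and no outgoing access, so every line this reports was opened deliberately and should match the intended policy for that line.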

Monitoring and Maintaining X.25 CUG Support on Terminal Lines

To monitor and maintain X.25 CUG support on terminal lines, use the following command in privileged EXEC mode:

Command              Purpose
Router# debug pad    Displays debug messages for all PAD connections.


Configuration Examples

This section provides the following configuration example:

Configuring X.25 CUG Support on Terminal Lines

Configuring X.25 CUG Support on Terminal Lines Example

The following example shows the configuration of CUG behavior on asynchronous line 1 and virtual terminal lines 0 to 9. The user of async line 1 has only outgoing access to CPE that is subscribed to the corporate CUG designated for finance (CUG 1101) but can receive calls from those same CUG members or from the open network (that is, calls from a network X.25-class service that are destined for the line and have no CUG restriction).

The users of virtual terminal lines 0 to 9 have access only within the corporate CUGs designated for engineering (CUGs 1102 or 1103). Any call from a network X.25-class service destined for the line will be refused unless the inbound POP validates it as a member of one of those two CUGs.

line 1
 location Company A. Finance Connection
 x25 subscribe cug-service incoming-access
 x25 subscribe local-cug 1 network-cug 1101 preferential
!
line vty 0 9
 location Company A. Engineering Access
 x25 subscribe cug-service
 x25 subscribe local-cug 2 network-cug 1102 preferential
 x25 subscribe local-cug 3 network-cug 1103
!

Command Reference

This section documents modified commands. All other commands used with this feature are documented in the Cisco IOS Release 12.2 command reference publications.

debug pad

show line

show x25 cug

x25 subscribe cug-service

x25 subscribe local-cug

debug pad

To display debug messages for all packet assembler/disassembler (PAD) connections, use the debug pad command in privileged EXEC mode. To disable PAD debugging, use the no form of this command.

debug pad

no debug pad

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

Privileged EXEC

Command History

Release    Modification
12.0       This command was introduced in a release prior to Cisco IOS Release 12.0.


Examples

Use the debug pad command to gather information to forward to the Cisco Technical Assistance Center (TAC) to assist in troubleshooting a problem that involves packet assembler/disassembler (PAD) connections.

The following example shows output of the debug pad and debug x25 event commands for an incoming PAD call destined for a terminal line. The incoming PAD call is rejected by the terminal line because the selected network closed user group (CUG) has not been subscribed to by the caller:

Router# debug pad
Router# debug x25 event

Serial1/1:X.25 I R1 Call (16) 8 lci 8
  From (7):2001534 To (9):200261150
  Facilities:(2)
    Closed User Group (basic):99
  Call User Data (4):0x01000000 (pad)
pad_svc_announce:destination matched 1
PAD:incoming call to 200261150 on line 130 CUD length 4
!PAD130:Incoming Call packet, Closed User Group (CUG) service protection, selected network 
CUG not subscribed
PAD:CUG service protection Cause:11 Diag:65
Serial1/1:X.25 O R1 Clear (5) 8 lci 8
  Cause 0, Diag 65 (DTE originated/Facility code not allowed)
Serial1/1:X.25 I R1 Clear Confirm (3) 8 lci 8

The following example shows the output of the debug pad command for an outgoing PAD call initiated from a terminal line with a subscribed CUG that bars outgoing access:

!PAD130:Outgoing Call packet, Closed User Group - CUG service validation, selected CUG 
!bars outgoing access
PAD130:Closing connection to .  In 0/0, out 0/0

show line

To display parameters of a terminal line, use the show line command in EXEC mode.

show line [line-number]

Syntax Description

line-number

(Optional) Absolute line number of the line for which you want to list parameters.


Command Modes

EXEC

Command History

Release      Modification
10.0         This command was introduced.
12.1         Output from this command was modified to show the transport method configured.
12.2(13)T    This command was modified to indicate when support for CUG security is enabled on the line.


Usage Guidelines

If CUG security is configured on a line, the show line command used with the line-number argument will cause "CUG Security Enabled" to be displayed in the Capabilities field of the output.

Examples

The following sample output of the show line vty 4 command shows that virtual terminal line 4 has a send and receive rate of 9600 bits per second. Also shown are the terminal screen width and length, modem state, preferred transport method, and other characteristics.

Router# show line vty 4

    Tty Typ     Tx/Rx    A Modem  Roty AccO AccI   Uses   Noise  Overruns
     22 VTY              -    -      -    -    -      0       0     0/0 -
 Line 22, Location: "", Type: ""
 Length: 24 lines, Width: 80 columns
 Baud rate (TX/RX) is 9600/9600
 Status: No Exit Banner
 Capabilities: CUG Security Enabled
 Modem state: Idle
 Special Chars: Escape  Hold  Stop  Start  Disconnect  Activation
                 ^^x    none   -      -       none         
 Timeouts:      Idle EXEC    Idle Session   Modem Answer  Session
 Dispatch
                never         never         none          not set
                             Idle Session Disconnect Warning
                              never 
                             Login-sequence User Response
                              00:00:30
                             Autoselect Initial Wait
                              not set 
 Modem type is unknown.
 Session limit is not set.
 Time since activation: never
 Editing is enabled.
 History is enabled, history size is 10.
 DNS resolution in show commands is enabled
 Full user help is disabled
 Allowed input transports are none.
 Allowed output transports are pad v120 telnet rlogin udptn.
 Preferred transport is telnet.
 No output characters are padded
 No special data dispatching characters

Table 5 describes the significant fields shown in the show line output.

Table 5 show line Field Descriptions 

Field
Description

Tty

Line number.

Typ

Type of line. In this case, a virtual terminal line, which is active, in asynchronous mode denoted by the preceding "A." Other possible values follow:

CTY—console

AUX—auxiliary port

TTY—asynchronous terminal port

lpt—parallel printer

Tx/Rx

Transmit rate/receive rate of the line.

A

Indicates whether autobaud has been configured for the line. A value of F indicates that autobaud has been configured; a hyphen indicates that it has not been configured.

Modem

Types of modem signals that have been configured for the line. Possible values follow:

callin

callout

cts-req

DTR-Act

inout

RIisCD

Roty

Rotary group configured for the line, if set.

AccO, AccI

Output or input access list number configured for the line.

Uses

Number of connections established to or from the line since the system was restarted.

Noise

Number of times noise has been detected on the line since the system restarted.

Overruns

Hardware Universal Asynchronous Receiver/Transmitter (UART) overruns or software buffer overflows, both defined as the number of overruns or overflows that have occurred on the specified line since the system was restarted. Hardware overruns are buffer overruns; the UART chip has received bits from the software faster than it can process them. A software overflow occurs when the software has received bits from the hardware faster than it can process them.

A (or I or *)

An A at the upper left of the display indicates that the user is running an asynchronous interface; an I indicates that the line has an asynchronous interface available; an asterisk (*) indicates that the line is otherwise active (in character mode).

Line

Definition of the specified protocol and address of the line.

Location

Location of the current line.

Type

Type of line, as specified by the line global configuration command.

Length

Length of the terminal or screen display, in rows.

Width

Width of the terminal or screen display, in columns.

Baud rate (TX/RX)

Transmit rate/receive rate of the line, in bps.

Status

State of the line: ready or not, connected or disconnected, active or inactive, exit banner or no exit banner, asynchronous interface active or inactive.

Capabilities

Current terminal capabilities.

Modem state

Modem control state. This field should always say READY.

Special Chars

Current settings of special characters that were input by the user (or taken by default) from the following global configuration commands:

escape-character

hold-character

stop-character

start-character

disconnect-character

activation-character

Timeouts

Current settings that were input by the user (or taken by default) from the following global configuration commands:

exec-timeout

session-timeout

dispatch-timeout

modem answer-timeout

session-disconnect-warning

timeout login response

autoselect timeout

Session limit

Maximum number of sessions.

Time since activation

Last time start_process was run.

Editing

Whether command-line editing is enabled.

History

Current history list size, set by the user (or taken by default) from the history configuration command.

DNS resolution in show commands is

Whether Open Shortest Path First (OSPF) is configured to look up Domain Name System (DNS) names for use in show EXEC command displays.

Full user help

Whether full user help has been set by the user with the terminal full-help EXEC command or by the administrator with the full-help line configuration command.

Allowed input transports are

Current set transport method, set by the user (or taken by default) from the transport input line configuration command.

Allowed output transports are

Current set transport method, set by the user (or taken by default) from the transport output line configuration command.

Preferred transport is

Current set transport method, set by the user (or taken by default) from the transport preferred line configuration command.

...characters are padded

Current set padding, set by the user (or taken by default) from the padding line configuration command.

...data dispatching characters

Current dispatch character set by the user (or taken by default) from the dispatch-character line configuration command.


show x25 cug

To display information about all closed user groups (CUGs) or specific CUGs (defined by the local or network CUG number), use the show x25 cug command in EXEC mode.

show x25 cug {local-cug number | network-cug number}

Syntax Description

local-cug

Locally significant CUG identifier.

number

Local CUG number (0 to 9999).

network-cug

Network translated CUG identifier.

number

Network CUG number (0 to 9999).


Command Modes

EXEC

Command History

Release      Modification
12.0(7)T     This command was introduced.
12.1(5)T     This command was modified to show information about CUG selection facility suppression.
12.2(13)T    This command was modified to display information about all or specific CUGs configured on terminal lines.


Usage Guidelines

You must designate either the local CUG or the network CUG by the choice of keyword. Within that designation you can view all CUGs or a specific CUG defined by its local or network CUG identifier.

Examples

CUG Selection Facility Suppress Option Example

The following is sample output for the show x25 cug command when CUG selection facility is suppressed for all CUGs on serial interface 1/2 and for the preferential CUG on the X.25 profile named "cug".

Router# show x25 cug local-cug 

X.25 Serial1/2, 2 CUGs subscribed with no public access 
  CUG selection facility suppressed for all CUGs 
  local-cug 100 <-> network-cug 10 
  local-cug 1 <-> network-cug 11 
PROFILE cug, 2 CUGs subscribed with incoming public access 
  CUG selection facility suppressed for preferential CUG 
  local-cug 0 <-> network-cug 0 , preferential 
  local-cug 100 <-> network-cug 100 
  local-cug 200 <-> network-cug 200 

Local CUG Example

The following sample output from the show x25 cug local-cug command displays information about all local CUGs configured on the router.

Router# show x25 cug local-cug

X.25 Serial1/1, 3 CUGs subscribed with no public access
  local-cug 99 <-> network-cug 9999, no-incoming, preferential
  local-cug 100 <-> network-cug 1000 
  local-cug 101 <-> network-cug 1001 
PROFILE cugs, 2 CUGs subscribed with with incoming public access
  local-cug 1 <-> network-cug 10, no-outgoing
  local-cug 2 <-> network-cug 20, no-incoming, preferential
Line: 129 aux 0  , 1 CUGs subscribed with outgoing public access
  local-cug 1 <-> network-cug 10 
Line: 130 vty 0  , 4 CUGs subscribed with incoming and outgoing public access
  local-cug 1 <-> network-cug 10 
  local-cug 50 <-> network-cug 5, preferential
  local-cug 60 <-> network-cug 6, no-incoming
  local-cug 70 <-> network-cug 7, no-outgoing
Line: 131 vty 1   , 1 CUGs subscribed with no public access
  local-cug 1 <-> network-cug 10 

Network CUG Example

The following is sample output from the show x25 cug network-cug command specifically for network number 10 showing that local CUG 1 is associated with it.


Router# show x25 cug network-cug 10
X.25 Serial1/2, 5 CUGs subscribed with no public access
  network-cug 10 <-> local-cug 1
PROFILE cugs, 2 CUGs subscribed with no public access
  network-cug 10 <-> local-cug 1 , no-outgoing
Line: 129 aux 0   , 1 CUGs subscribed with no public access
  network-cug 10 <-> local-cug 1 
Line: 130 vty 0   , 4 CUGs subscribed with incoming and outgoing public access
  network-cug 10 <-> local-cug 1 
Line: 131 vty 1   , 1 CUGs subscribed with no public access
  network-cug 10 <-> local-cug 1

Table 6 describes the significant fields shown in the display for the show x25 cug command.

Table 6 show x25 cug Field Descriptions

Field          Description
X.25 Serial 0  DCE interface with X.25 CUG service subscription.
PROFILE        X.25 profile with X.25 CUG service subscription.
Line           Terminal line with X.25 CUG service subscription.
local-cug      Local CUG details.
network-cug    Network CUG details.
preferential   Identifies which CUG, if any, is preferred. A single CUG listed for an interface is assumed to be preferred.
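
The display format above lends itself to a scripted audit. The following Python example is added here and is not Cisco code: it parses show x25 cug output (the sample stanzas are copied from the local-cug display above) and reports each stanza that subscribes to public access, together with any no-incoming or no-outgoing option that sits alongside the matching public access. The names parse_show_x25_cug and audit are hypothetical.

```python
import re

# Sample input: three stanzas copied from the local-cug display above.
SAMPLE = """\
PROFILE cugs, 2 CUGs subscribed with with incoming public access
  local-cug 1 <-> network-cug 10, no-outgoing
  local-cug 2 <-> network-cug 20, no-incoming, preferential
Line: 130 vty 0  , 4 CUGs subscribed with incoming and outgoing public access
  local-cug 1 <-> network-cug 10
  local-cug 50 <-> network-cug 5, preferential
  local-cug 60 <-> network-cug 6, no-incoming
  local-cug 70 <-> network-cug 7, no-outgoing
Line: 131 vty 1   , 1 CUGs subscribed with no public access
  local-cug 1 <-> network-cug 10
"""

HEADER = re.compile(r"^(\S.*?)\s*,\s*(\d+) CUGs subscribed with (.*)public access\s*$")
ENTRY = re.compile(r"^\s+(local|network)-cug (\d+) <-> (local|network)-cug (\d+)\s*(?:,(.*))?$")

def parse_show_x25_cug(text):
    """Return one dict per interface, profile or line stanza."""
    stanzas = []
    for line in text.splitlines():
        if (h := HEADER.match(line)):
            stanzas.append({"name": h[1], "declared": int(h[2]), "cugs": [],
                            "incoming": "incoming" in h[3], "outgoing": "outgoing" in h[3]})
        elif (e := ENTRY.match(line)) and stanzas:
            nums = {e[1]: int(e[2]), e[3]: int(e[4])}  # handles either column order
            opts = {o.strip() for o in (e[5] or "").split(",")} - {""}
            stanzas[-1]["cugs"].append({**nums, "options": opts})
    return stanzas

def audit(stanzas):
    """List public access and the per-CUG bars that sit alongside it."""
    findings = []
    for s in stanzas:
        for direction in ("incoming", "outgoing"):
            if not s[direction]:
                continue  # default: no public access in this direction
            findings.append((s["name"], f"{direction} public access subscribed"))
            # Syntax description: the bar applies unless the matching public access is configured.
            for c in s["cugs"]:
                if f"no-{direction}" in c["options"]:
                    findings.append((s["name"], f"no-{direction} on local-cug {c['local']} "
                                                f"alongside {direction} public access"))
    return findings

if __name__ == "__main__":
    for name, issue in audit(parse_show_x25_cug(SAMPLE)):
        print(f"{name}: {issue}")
```

The parser also accepts the network-cug display, where the two columns are swapped; in that display the count in a stanza header can exceed the number of entries listed, because only the requested network CUG is shown.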


Related Commands

Command                    Description
x25 subscribe cug-service  Enables and controls standard CUG behavior on an X.25 DCE interface.
x25 subscribe local-cug    Configures a DCE X.25 interface for a specific CUG subscription.


x25 subscribe cug-service

To enable and control standard closed user group (CUG) service, use the x25 subscribe cug-service command in interface configuration mode. To disable standard CUG service, use the no form of this command.

x25 subscribe cug-service [incoming-access | outgoing-access] [suppress preferential | suppress all]

no x25 subscribe cug-service [incoming-access | outgoing-access] [suppress preferential | suppress all]

Syntax Description

incoming-access        (Optional) Allows incoming access from the open network to the data terminal equipment (DTE) device.
outgoing-access        (Optional) Allows outgoing access from the data terminal equipment (DTE) device to the open network.
suppress preferential  (Optional) Suppresses CUG selection facility for the preferred CUG. This option is not available when configuring terminal lines.
suppress all           (Optional) Suppresses CUG selection facility for all CUGs. This option is not available when configuring terminal lines.


Defaults

No incoming access and no outgoing access. (This is the most restrictive setting.)

CUG selection facilities are not suppressed.

Command Modes

Interface configuration
Line configuration
X.25 profile configuration

Command History

Release    Modification
12.0(7)T   This command was introduced.
12.1(5)T   The suppress preferential and suppress all keywords were added to enable CUG selection facility suppression.
12.2(13)T  This command was modified to configure support for X.25 CUG service on terminal lines.


Usage Guidelines

When entering this command, specify the incoming-access or the outgoing-access keyword or both, unless you intend to have neither incoming nor outgoing access on that interface.

This command assumes that an X.25 network connection is being implemented and observes rules defined by X.25 and X.301 for CUG access. This command is enabled on a per-interface or per-line basis. Use this command to modify existing specified options without otherwise affecting the CUGs already defined.

The x25 subscribe cug-service command can be used to configure CUG security on synchronous X.25 data communications equipment (DCE) interfaces or terminal lines. A CUG service can be applied to console lines, auxiliary lines, standard asynchronous lines, and virtual terminal lines. A line configured for CUG service will apply CUG security to packet assembler/disassembler (PAD), X.28 mode, and protocol translation sessions. CUG protection is applied to incoming calls destined for the terminal line and call requests specified from the line.

Use the x25 subscribe cug-service command with the suppress preferential or suppress all keywords to configure CUG selection facility suppression. The CUG selection facility suppression options are available on synchronous X.25 DCE interfaces only; they are not available on terminal lines because incoming PAD calls are terminated by the line.

The following restrictions apply to the x25 subscribe cug-service command:

Disabling this command deconfigures all the CUGs defined for the device and disables all CUG-related commands, but it does not terminate the associated CUG switched virtual circuit (SVC) connections.

The DTE cannot call the open part of the network unless the outgoing-access option is configured. Even if outgoing-access is permitted, the DCE will enforce any additional CUG requirements when handling an outgoing call (call request) from the DTE.

The DTE will not receive calls from the open part of the network unless the incoming-access option is configured. Even if incoming-access is permitted, the DCE will enforce any additional CUG requirements before presenting an incoming call to the DTE.

Examples

CUG Service on a Terminal Line Example

The following example shows the configuration of CUG behavior on asynchronous line 1 and virtual terminal lines 0 to 9. The users of virtual terminal lines 0 to 9 have access only within the corporate CUGs designated for engineering (CUG 1102 or 1103); any call from a network X.25-class service destined for the line will be refused unless the inbound point of presence (POP) has validated it as a member of one of those two CUGs.

line vty 0 9
 Location Company A. Engineering Access
 x25 subscribe cug-service
 x25 subscribe local-cug 2 network-cug 1102 preferential
 x25 subscribe local-cug 3 network-cug 1103

CUG Service with CUG Selection Facility Suppression and Incoming Access Example

In the following example, CUG selection facility suppression and incoming access are configured for all CUGs, including the preferred CUG on the X.25 profile:

x25 profile CUG-SUPRS-ALL dce 
 x25 subscribe cug-service incoming-access suppress all 
 x25 subscribe local-cug 0 network-cug 10 preferential 
 x25 subscribe local-cug 20 network-cug 202 
 x25 subscribe local-cug 40 network-cug 40 

CUG Service with Incoming and Outgoing Access Example

The following example shows subscribing to both incoming and outgoing CUG service on the interface:

interface serial0
 encapsulation x25 dce
 x25 subscribe cug-service incoming-access outgoing-access

Related Commands

Command                  Description
show x25 cug             Displays information about all CUGs or specific CUGs (defined by the local or network CUG number).
x25 facility             Forces facilities on a per-call basis for calls originated by the router (switched calls are not affected).
x25 map                  Sets the maximum number of virtual circuits that a protocol can have open simultaneously to one host.
x25 subscribe local-cug  Configures subscription to a specific CUG.


x25 subscribe local-cug

To configure subscription to a specific closed user group (CUG), use the x25 subscribe local-cug command in interface configuration or line configuration mode. To remove the CUG subscription, use the no form of this command.

x25 subscribe local-cug number network-cug number [no-incoming | no-outgoing | preferential]

no x25 subscribe local-cug number network-cug number [no-incoming | no-outgoing | preferential]

Syntax Description

number        Specific local CUG number (0 to 9999).
network-cug   Network translated CUG identifier.
number        Specific network CUG number (0 to 9999).
no-incoming   (Optional) Bars calls to data terminal equipment (DTE) within the specified CUG, unless x25 subscribe cug-service incoming-access is configured.
no-outgoing   (Optional) Bars calls from DTE within the specified CUG, unless x25 subscribe cug-service outgoing-access is configured.
preferential  (Optional) Marks this CUG as the preferred CUG, which is the assumed CUG when none is provided in call setup. Can be specified on only one CUG. (A single CUG listed at the interface is automatically considered a preferred CUG.)


Defaults

Incoming and outgoing access.

Preferential (if this is the only CUG specified).

Command Modes

Interface configuration
Line configuration

Command History

Release    Modification
12.0(7)T   This command was introduced.
12.2(13)T  This command was modified to configure X.25 CUG subscription on terminal lines.


Usage Guidelines

The first x25 subscribe local-cug command in a group of configurations will automatically enable CUG service behavior on the interface or line, if it is not already enabled, with the default setting of no public access.

The x25 subscribe cug-service command can be used to configure CUG subscription on X.25 synchronous data communications equipment (DCE) interfaces, console lines, auxiliary lines, standard asynchronous lines, and virtual terminal lines. A line configured for CUG service will apply CUG security to packet assembler/disassembler (PAD), X.28 mode, and protocol translation sessions. CUG protection is applied to incoming calls destined for the terminal line and call requests specified from the line.

A CUG number has only local significance. Because CUG service is a cooperative process between the network attachments (DCE devices), the local CUG number may have to be translated into a number that is significant to the network as a whole. For instance, two DTE devices may use CUG numbers 1 and 5 to refer to the global CUG number 1043 of the network. In this instance, both DCE devices would be configured to translate between the local CUG number of their DTE and the network CUG number. Duplicate network CUG identifiers are permitted for different local CUG identifiers.

A DTE subscription to a CUG that also includes the no-incoming option prevents incoming calls on that CUG (however, the DTE may still receive calls within other CUGs to which it is subscribed, or from the open network if incoming public access is subscribed).

CUG subscription of a DTE will not permit an outgoing call (call request) from the CUG if the no-outgoing option is configured.

The CUG will be assumed to be set to "preferential" (preferred) if there is only one CUG subscribed on that interface.

Examples

X.25 CUG Subscription on an Interface Example

The following example subscribes local CUGs 5000, 100, 200, and 300 to network CUGs 55, 11, 22, and 33, respectively, with local CUG 5000 being set as the preferred CUG:

Router(config)# interface serial0
Router(config-if)# encapsulation x25 dce
Router(config-if)# x25 subscribe cug-service incoming-access outgoing-access
Router(config-if)# x25 subscribe local-cug 5000 network-cug 55 preferential
Router(config-if)# x25 subscribe local-cug 100 network-cug 11
Router(config-if)# x25 subscribe local-cug 200 network-cug 22
Router(config-if)# x25 subscribe local-cug 300 network-cug 33

X.25 CUG Subscription on a Terminal Line Example

The following example shows the configuration of CUG behavior on asynchronous line 1 and virtual terminal lines 0 to 9. The users of virtual terminal lines 0 to 9 have access only within the corporate CUGs designated for engineering (CUG 1102 or 1103); any call from a network X.25-class service destined for the line will be refused unless the inbound POP has validated it as a member of one of those two CUGs.

Router(config)# line vty 0 9
Router(config-line)# Location Company A. Engineering Access
Router(config-line)# x25 subscribe cug-service
Router(config-line)# x25 subscribe local-cug 2 network-cug 1102 preferential
Router(config-line)# x25 subscribe local-cug 3 network-cug 1103
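
The constraints stated in the x25 subscribe cug-service and x25 subscribe local-cug descriptions, and in the glossary entry for the preferential closed user group, can be checked against a configuration before it is deployed. The following Python example is added here and is not Cisco code; lint_cug_config is a hypothetical name, and the sample configuration is constructed (the first stanza follows the terminal line example above, the other two are deliberately misconfigured).

```python
import re

# Constructed sample: the first stanza follows this page's vty example; the other
# two are deliberately misconfigured for illustration.
SAMPLE = """\
line vty 0 9
 x25 subscribe cug-service
 x25 subscribe local-cug 2 network-cug 1102 preferential
 x25 subscribe local-cug 3 network-cug 1103
line aux 0
 x25 subscribe cug-service incoming-access suppress all
 x25 subscribe local-cug 1 network-cug 10 preferential
 x25 subscribe local-cug 5 network-cug 50 preferential
interface serial0
 encapsulation x25 dce
 x25 subscribe local-cug 100 network-cug 11
 x25 subscribe local-cug 200 network-cug 22
"""

SUBSCRIBE = re.compile(r"x25 subscribe local-cug (\d+) network-cug (\d+)\s*(.*)$")

def lint_cug_config(config):
    """Return (stanza, message) findings for CUG rules stated in this document."""
    stanzas, current, findings = {}, None, []
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw[0].isspace():  # an unindented line opens a new stanza
            current = stanzas.setdefault(line, {"service": [], "cugs": []})
        elif current is not None and line.startswith("x25 subscribe cug-service"):
            current["service"] = line.split()[3:]
        elif current is not None and (m := SUBSCRIBE.match(line)):
            current["cugs"].append((int(m[1]), int(m[2]), m[3].split()))
    for name, s in stanzas.items():
        prefs = [c for c in s["cugs"] if "preferential" in c[2]]
        # No cug-service line means the default: CUG service with no public access.
        public = {"incoming-access", "outgoing-access"} & set(s["service"])
        if name.startswith("line ") and "suppress" in s["service"]:
            findings.append((name, "suppress options are not available on terminal lines"))
        if len(prefs) > 1:
            findings.append((name, "preferential is set on more than one CUG"))
        if len(s["cugs"]) > 1 and not public and not prefs:
            findings.append((name, "multiple CUGs, no public access, no preferred CUG"))
        for local, network, _ in s["cugs"]:
            if max(local, network) > 9999:
                findings.append((name, f"CUG number outside 0 to 9999: {local}/{network}"))
    return findings
```

Run against SAMPLE, the function returns two findings for line aux 0, one for interface serial0, and none for line vty 0 9.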

Related Commands

Command                    Description
show x25 cug               Displays information about all CUGs or specific CUGs (defined by the local or network CUG number).
x25 facility               Forces facilities on a per-call basis for calls originated by the router (switched calls are not affected).
x25 map                    Sets the maximum number of virtual circuits a protocol can have open simultaneously to one host.
x25 subscribe cug-service  Enables and controls standard CUG behavior on an X.25 DCE interface.


Glossary

call request—An X.25 call packet sent from a DTE to a DCE that initiates a connection to a destination DTE.

closed user group selection facility—A specific encoding element that can be presented in a call request or incoming call. A CUG selection facility in a call request allows the source DTE to identify the CUG within which it is placing the call. A CUG selection facility in an incoming call allows the destination DTE to identify the CUG to which both DTEs belong.

CPE—customer premises equipment. Terminating equipment, such as terminals, telephones, and modems, supplied by the telephone company, installed at customer sites, and connected to the telephone company network. This equipment is available for customer modification and is considered insecure by the network.

CUG—closed user group. A collection of DTE devices for which the network controls access among members and between members and nonmembers. A DTE may subscribe to zero, one, or more CUGs. A DTE that does not subscribe to a CUG is referred to as being in the open part of the network.

DCE—data communications equipment. A network connection where a subscriber can be attached. A DCE is configured with the operational details for which a given subscriber (DTE) has contracted.

DTE—data terminal equipment. A network subscriber that can be reached at a specific network attachment point. A network identifies each DTE device by assigning an X.121 address.

incoming call—An X.25 call packet sent from a DCE to a DTE that presents a connection requested by the source DTE.

PAD—packet assembler/disassembler. Device used to connect simple devices (like character-mode terminals) that do not support the full functionality of a particular protocol to a network. PADs buffer data and assemble and disassemble packets sent to such end devices.

POP—point of presence. In the context of a public data network, a POP is the part of the network to which CPE is attached. A POP is configured and controlled by the public network and serves as the boundary equipment between the trusted network and insecure client attachments.

preferential closed user group—The CUG that is assumed when a CUG is not specified in call setup. A DTE that subscribes to more than one CUG and does not have incoming or outgoing access must designate a preferred CUG.