Table Of Contents
X.25 Suppression of Security Signaling Facilities
Information About the X.25 Suppression of Security Signaling Facilities Feature
X.25 Security Facilities Suppression Scenarios
When Suppressing the Security Signaling Facilities Is Necessary
How to Suppress the X.25 Security Signaling Facilities
Disabling the X.25 Security Signaling Facilities
Configuration Example for Suppressing X.25 Security Signaling Facilities
X.25 Suppression of Security Signaling Facilities
The X.25 Suppression of Security Signaling Facilities feature allows the X.25 Call Redirection/Call Deflection Notification (CRCDN) and Called Line Address Modified Notification (CLAMN) security signaling facilities to be disabled (suppressed) in X.25 Call and Call Confirm packets (respectively) sent by an X.25-class service. This feature may be required when connecting to equipment that implements a proprietary or nonstandard X.25 service that does not accept X.25 security signaling facilities.
Feature Specifications for the X.25 Suppression of Security Signaling Facilities
Determining Platform Support Through Cisco Feature Navigator
Cisco IOS software is packaged in feature sets that are supported on specific platforms. To get updated information regarding platform support for this feature, access Cisco Feature Navigator. Cisco Feature Navigator dynamically updates the list of supported platforms as new platform support is added for the feature.
Cisco Feature Navigator is a web-based tool that enables you to quickly determine which Cisco IOS software images support a specific set of features and which features are supported in a specific Cisco IOS image. You can search by feature or release. Under the release section, you can compare releases side by side to display both the features unique to each software release and the features in common.
To access Cisco Feature Navigator, you must have an account on Cisco.com. If you have forgotten or lost your account information, send a blank e-mail to cco-locksmith@cisco.com. An automatic check will verify that your e-mail address is registered with Cisco.com. If the check is successful, account details with a new random password will be e-mailed to you. Qualified users can establish an account on Cisco.com by following the directions found at this URL:
Cisco Feature Navigator is updated regularly when major Cisco IOS software releases and technology releases occur. For the most current information, go to the Cisco Feature Navigator home page at the following URL:
Availability of Cisco IOS Software Images
Platform support for particular Cisco IOS software releases is dependent on the availability of the software images for those platforms. Software images for some platforms may be deferred, delayed, or changed without prior notice. For updated information about platform support and availability of software images for each Cisco IOS software release, refer to the online release notes or Cisco Feature Navigator.
Contents
•
Information About the X.25 Suppression of Security Signaling Facilities Feature
•
•
Information About the X.25 Suppression of Security Signaling Facilities Feature
To configure the X.25 Suppression of Security Signaling Facilities feature, you need to understand the concepts described in the following sections:
•
•
X.25 Security Facilities Suppression Scenarios
X.25 networks encode security facilities in X.25 Call, Call Confirm, and Clear packets to notify both stations participating in the setup of a switched virtual circuit (SVC) of events that may result in a station connecting to an unexpected partner.
Note
The packets are encoded identically and, in many cases, the processing that X.25 does is identical; however, there are cases where the behavior is predicated on the station type receiving or sending the packet.For example, when an X.25 Call is redistributed by a network through a hunt group, a standard implementation will encode a CRCDN facility in the forwarded call. Thus, the receiver is notified that the Call packet was redistributed by a hunt group and is notified of the original destination address. A standard network will also, if such a Call is accepted by a returned Call Confirm packet, encode a CLAMN facility when forwarding the Call Confirm packet. This encoding notifies the originator that the accepting destination was reached by distribution through a hunt group, and may also encode the destination address of the accepting station. Both stations receive notification of what happened so each can decide to either proceed with the SVC, if the resulting connection is permissible, or to clear the channel if not.
When Suppressing the Security Signaling Facilities Is Necessary
Warning
There are many X.25 implementations that will not operate as intended if presented with X.25 features or facilities beyond a narrow set of those that occur most commonly. The security signaling facilities are less common, and there are a significant number of X.25 implementations that will not proceed with an SVC that encodes them during Call setup. This can cause connection failures when Cisco equipment is used to implement an X.25 hunt group. There are two security facilities that the Cisco hunt group feature encodes: An X.25 Call packet forwarded out from a hunt group has the CRCDN facility encoded in the packet and, when accepted, the returning X.25 Call Confirm packet has the CLAMN facility encoded in the packet.
Both the originator of the Call packet and the destination it reaches should be notified of the hunt group event, thus allowing each side to clear the SVC if communication is not permitted by the station's security policy. For this reason, the Cisco implementation of hunt groups is designed to signal both stations participating in the Call setup using the X.25-designated CRCDN and CLAMN facilities. The X.25 Suppression of Security Signaling Facilities feature allows this signaling to be suppressed by the CRCDN facility in a Call packet. The no x25 security crcdn command introduced in this feature provides this function, and there are no implications for correct protocol behavior by using it.
X.25 operation can also be modified to suppress a CLAMN facility in X.25 Call Confirm packets when the no x25 security clamn command is configured to disable that signaling. Configuring suppression of the CLAMN security signaling facility has an implication for correct protocol behavior: The X.25 Recommendations specify that the CLAMN facility must be present in a Call Confirm packet if that packet encodes a destination address that is not the null address and that differs from the address encoded in the Call packet. When X.25 is configured to suppress the encoding of a CLAMN facility, it will also suppress the encoding of the destination address. That is, when the address block is encoded in the Call Confirm packet, the destination address will be encoded as the null address (zero digits) because no representation should be made as to what destination was reached.
An X.25 profile may also be configured to suppress the X.25 security signaling facilities. This profile can be useful if the network administrator wants to localize the suppression of these facilities. For example, a hunt group that switches a connection using X.25 over TCP/IP (XOT) may be configured so that the security signaling facilities are not transmitted to either hop participating in the Call setup.
As another example, some telephone company data communications networks (telco DCNs) use a nonstandard X.25 implementation that blends elements of the 1980 and 1984 International Telecommunication Union Telecommunication Standardization Sector (ITU-T) Recommendations. Figure 1 shows a portion of a telco DCN network where X.25 devices, also called CPE, are connected to Cisco routers and the IP backbone network using serial links.
Figure 1 DCN Network Devices Connected to a Cisco IP Backbone Network
Early equipment in the telco DCN conformed to the ITU-T 1980 X.25 Recommendation, and Cisco provides support for this standard. However, substantial ITU-T 1984 X.25 Recommendation elements, such as maximum packet sizes of 2048 and 4096 and X.25 Annex G operation, have since been incorporated into the DCN. This mix of ITU-T 1980 and 1984 X.25 Recommendations in the telco DCN has resulted in a design requirement that would allow the CPE to operate according to the ITU-T 1984 X.25 Recommendation, but with a modification that would allow suppressing security signaling facilities encoded by the Cisco hunt group feature. Because the ITU-T 1980 X.25 Recommendation does not define these security signaling facilities, the Cisco X.25 implementation can now be configured to suppress them in the packets where they would otherwise be encoded.
How to Suppress the X.25 Security Signaling Facilities
This section contains the following optional procedure:
•
Disabling the X.25 Security Signaling Facilities
To disable the X.25 CLAMN and CRCDN signaling facilities, perform the following steps:
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
DETAILED STEPS
Troubleshooting Tips
Use the debug x25 EXEC command to determine when the X.25 facilities are present and when they are suppressed by the configured feature.
Configuration Example for Suppressing X.25 Security Signaling Facilities
The following example shows how to suppress both the CRCDN and CLAMN security signaling facilities:
interface serial 0no ip addressencapsulation x25no x25 security crcdnno x25 security clamnAdditional References
For additional information related to the X.25 Suppression of Security Signaling Facilities feature, refer to the following references:
Related Documents
X.25 commands
Cisco IOS Wide-Area Networking Command Reference, Release 12.2
X.25 configuration tasks
Cisco IOS Wide-Area Networking Configuration Guide, Release 12.2
Standards
ITU-T X.25
•
•
•
•
1 Not all supported standards are listed.
MIBs
To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL:
http://tools.cisco.com/ITDIT/MIBS/servlet/index
If Cisco MIB Locator does not support the MIB information that you need, you can also obtain a list of supported MIBs and download MIBs from the Cisco MIBs page at the following URL:
http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml
To access Cisco MIB Locator, you must have an account on Cisco.com. If you have forgotten or lost your account information, send a blank e-mail to cco-locksmith@cisco.com. An automatic check will verify that your e-mail address is registered with Cisco.com. If the check is successful, account details with a new random password will be e-mailed to you. Qualified users can establish an account on Cisco.com by following the directions found at this URL:
RFCs
Technical Assistance
Command Reference
This section documents new commands. All other commands used with this feature are documented in the Cisco IOS Release 12.2 command reference publications.
x25 security clamn
To disable the Called Line Address Modified Notification (CLAMN) security signaling facility in X.25 Call Confirm packets, use the no x25 security clamn command in interface configuration mode. To reenable the CLAMN security signaling facility, use the x25 security clamn command.
no x25 security clamn
x25 security clamn
Syntax Description
This command has no arguments or keywords.
Defaults
The X.25 CLAMN security signaling facility is enabled.
Command Modes
Interface configuration
Command History
Usage Guidelines
The X.25-class services use the CLAMN security signaling facility in X.25 Call Confirm packets to notify the originator of the Call that a security event occurred during X.25 Call setup. The encoding of this facility specifies the reason for the signal, and the X.25 Recommendation also permits the Call Confirm packet to encode a different destination address when it encodes this facility. There are a number of reasons that can be encoded by the CLAMN facility. The Cisco X.25 hunt group implementation will cause the router to signal the hunt group event back to the X.25 Call originator using the CLAMN facility.
Warning
If no X.25 security issues apply, a network administrator may configure an X.25-class service to suppress the signaling of the CLAMN facility in Call Confirm packets using the no x25 security clamn command on an interface or x25 profile. This configuration may be necessary if the attached device or eventual recipient of the Call Confirm will not participate in a connection when the CLAMN security facility is encoded.
The X.25 Recommendations specify that the CLAMN facility must be present in the X.25 Call Confirm packet if that packet encodes a destination address which is not the null address and which differs from the address encoded in the Call packet. Therefore, when the no x25 security clamn command is used to suppress the encoding of the CLAMN facility, it will also suppress the encoding of the destination address; that is, if the address block is encoded in the Call Confirm packet, the destination address will be encoded as the null address (zero digits).
This command can be configured with the International Telecommunication Union Telecommunication Standardization Sector (ITU-T) 1980 X.25 Recommendation mode with no error, although the 1980 mode does not define the CLAMN facility.
Examples
The following example shows how to suppress the CLAMN security signaling facility:
interface serial 0no ip addressencapsulation x25no x25 security clamnRelated Commands
no x25 security crcdn
Disables the CRCDN security signaling facility in X.25 Call packets transmitted.
x25 security crcdn
To disable the Call Redirection/Call Deflection Notification (CRCDN) security signaling facility in X.25 Call packets, use the no x25 security crcdn command in interface configuration mode. To reenable the CRCDN security signaling facility, use the x25 security crcdn command.
no x25 security crcdn
x25 security crcdn
Syntax Description
This command has no arguments or keywords.
Defaults
The CRCDN security signaling facility is enabled.
Command Modes
Interface configuration
Command History
Usage Guidelines
The X.25-class services use the CRCDN security signaling facility in X.25 Call packets to notify the destination of the Call that a security event occurred during Call processing. The encoding of this facility specifies the reason for the signal and the destination address that originally occurred in the call. There are a number of reasons that can be encoded by the CRCDN facility. The Cisco X.25 hunt group implementation will cause the router to signal the hunt group event to the X.25 Call destination using the CRCDN facility.
Warning
If no X.25 security issues apply, a network administrator may configure an X.25-class service to suppress the signaling of the CRCN facility in Call packets using the no x25 security crcdn command on an interface or X.25 profile. This configuration may be necessary if the attached device or eventual recipient of the X.25 Call will not participate in a connection when the CRCDN security facility is encoded.
This command can be configured with the International Telecommunication Union Telecommunication Standardization Sector (ITU-T) 1980 X.25 Recommendation mode with no error, although the 1980 mode will always suppress the CRCDN facility.
Examples
The following example shows how to suppress the CRCDN security signaling facility:
interface serial 0no ip addressencapsulation x25no x25 security crcdnRelated Commands
no x25 security clamn
Disables the CLAMN security signaling facility in X.25 Call Confirm packets and suppresses any destination address.
Guest
