-
Cisco IOS Wide-Area Networking Configuration Guide, Release 12.4T
-
Part 1: Frame Relay
-
Configuring Frame Relay
-
Adaptive Frame Relay Traffic Shaping for Interface Congestion
-
Frame Relay 64-Bit Counters
-
Frame Relay MIB Enhancements
-
Frame Relay Point-Multipoint Wireless
-
Frame Relay Queueing and Fragmentation at the Interface
-
Frame Relay PVC Bundles with QoS Support for IP and MPLS
-
Frame Relay Voice-Adaptive Traffic Shaping and Fragmentation
-
Frame Relay IP RTP Priority
-
PPP over Frame Relay
-
MQC-Based Frame Relay Traffic Shaping
-
FRF.20 Support
-
Frame Relay PVC Interface Priority Queueing
-
Multilink Frame Relay (FRF.16.1)
-
Distributed Multilink Frame Relay (FRF.16)
-
RFC 3020 Multilink Frame Relay MIB Support
-
Frame Relay show Command and debug Command Enhancements
-
Configuring Frame Relay-ATM Interworking
-
-
Layer 2 Tunnel Protocol Version 3
-
Configuring SMDS
-
L2VPN Pseudowire Redundancy
-
L2VPN Interworking
-
Layer 2 Local Switching
-
Part 2: X.25 and LAPB
-
Configuring X.25 and LAPB
-
Terminal Line Security for PAD Connections
-
X.25 Annex G Session Status Change Reporting
-
X.25 Dual Serial Line Management
-
X.25 over TCP Profiles
-
X.25 Record Boundary Preservation for Data Communications Networks
-
X.25 Suppression of Security Signaling Facilities
-
X.25 Call Confirm Packet Address Control
-
X.25 Data Display Trace
-
X.25 Version Configuration
-
X.25 Station Type for ISDN D-channel Interface
-
- Appendixes
-
Part 1: Frame Relay
Table Of Contents
Terminal Line Security for PAD Connections
PAD Call Behavior When a Line Is Configured for CUG Subscription
PAD Call Behavior When Only the Line is Configured for CUG Service
PAD Call Behavior When Both a Line and an Interface Are Configured for CUG Service
Supported Standards, MIBs, and RFCs
Configuring X.25 CUG Support on Terminal Lines
Verifying X.25 CUG Support on Terminal Lines
Monitoring and Maintaining X.25 CUG Support on Terminal Lines
Configuring X.25 CUG Support on Terminal Lines Example
Terminal Line Security for PAD Connections
Feature History
This document describes the Terminal Line Security for PAD Connections feature in 12.2(13)T. It includes the following sections:
•
Supported Standards, MIBs, and RFCs
•
Feature Overview
X.25 closed user group (CUG) service is a network service that allows subscribers to be segregated into private subnetworks with limited outgoing and incoming access. A data terminal equipment (DTE) device becomes a member of a CUG by subscription; the DTE must obtain membership from its network service for the set of CUGs to which it needs access.
The Terminal Line Security for PAD Connections feature allows a CUG service to be configured on terminal lines, enabling terminal lines to participate in X.25 CUG security for packet assembler/disassembler (PAD) connections. A CUG service can be applied to console lines, auxiliary lines, and tty and vty devices. Configuring a CUG service on terminal lines allows you to specify CUG protection for lines that are part of the point of presence (POP). Before the introduction of this feature, a CUG service could be configured only on X.25 synchronous data communications equipment (DCE) interfaces.
A line configured for CUG service will apply CUG security to PAD, X.28 mode, and protocol translation sessions. The Terminal Line Security for PAD Connections feature ensures that CUG protection is applied to incoming calls destined for the terminal line and call requests specified from the line. This feature also supports the signaling of the CUG selection facility in call requests that originated on the line and incoming calls received on an X.25 service that are terminated by the line.
Figure 1 shows a typical topology in which CUG service would be configured on asynchronous terminal lines.
Figure 1 Network Topology with Asynchronous Lines Configured for CUG Service
Security Considerations
Caution
PAD Call Behavior When a Line Is Configured for CUG Subscription
This section describes the overall behavior of PAD-initiated calls when a terminal line or an X.25 interface is configured for CUG subscription.
The x25 map pad and x25 facility cug commands can be used to cause a CUG selection facility to be encoded in calls placed within the networks. The following rules describe which CUG selection facility is encoded in the call:
•
•
•
The following sections provide examples that illustrate the behavior of PAD-initiated calls.
PAD Call Behavior When Only the Line is Configured for CUG Service
This section describes PAD call behavior when only the line is configured for CUG service.
Configuration A
In the following example, a line is configured for CUG subscription, and the interface on which the resulting call is to be placed is configured with the x25 facility cug and x25 map pad commands. CUG subscription is not configured on the interface.
interface Serial1encapsulation x25 dcex25 facility cug 99x25 map pad 1221 cug 10 no-outgoingx25 map pad 1222 cug 99x25 map pad 1234 cug 10!line tty 1x25 subscribe cug-servicex25 subscribe local-cug 99 network-cug 9999 preferentialx25 subscribe local-cug 10 network-cug 100x25 subscribe local-cug 20 network-cug 200![...]!x25 route ^12..$ interface Serial1[...]When the line initiates an X.28 mode or PAD call without a CUG subscription set, the line will decode the interface's CUG selection facility, and the network will encode the line's signaled CUG selection facility. The x25 facility cug command implicitly identifies the local CUG to use for PAD-originated calls.
Table 1 shows the CUG value sent when a line initiates a PAD or an X.28 mode call without a CUG subscription set.
Table 1 CUG Value Sent for Line-Initiated Calls Without a CUG Subscription
pad 1234
Call 1234, CUG 9999 sent on Serial 1.
*1234
Call 1234, CUG 9999 sent on Serial 1.
Using configuration A, if a call is initiated on a line using the pad command with the /use-map option, the line will decode the matching map entry's CUG, and the network will encode the line's signaled CUG selection facility. The map's CUG identifies the local CUG to use for PAD-originated calls and overrides the interface's CUG selection facility on a per-call basis.
If the pad command is used with the /use-map option, the interface on which the resulting call is to be placed must have a matching X.25 map statement for the PAD call and must permit outgoing calls. Any CUG specified in the map statement must identify the local CUG ID to be used for generating the call.
Table 2 shows the values sent when a line initiates a PAD call with the /use-map option.
Using configuration A, if an X.28 mode call specifies a CUG, the line will decode the specified CUG, and the network will encode the line's signaled CUG selection facility. The X.28 mode commands do not use X.25 map statements when originating calls.
Table 3 shows the CUG value sent when a line initiates a call using an X.28 interface with CUG specified.
Table 3 CUG Value Sent for Line-Initiated Calls Using an X.28 Mode with CUG Specified
*g10-1234
Call 1234, CUG 100 sent on Serial 1.
PAD Call Behavior When Both a Line and an Interface Are Configured for CUG Service
This section describes PAD call behavior when a line and an interface are both configured for CUG service.
Configuration B
In the following example a line and an interface are configured for CUG subscription:
interface Serial1encapsulation x25 dcex25 subscribe cug-servicex25 subscribe local-cug 5599 network-cug 9999 preferentialx25 subscribe local-cug 5510 network-cug 100x25 subscribe local-cug 5520 network-cug 200x25 facility cug 99x25 map pad 1234 cug 10x25 map pad 1221 cug 10 no-outgoingx25 map pad 1222 cug 99!line tty 1x25 subscribe cug-servicex25 subscribe local-cug 10 network-cug 100x25 subscribe local-cug 20 network-cug 200x25 subscribe local-cug 99 network-cug 9999 preferential![...]!x25 route ^12..$ interface Serial1[...]Table 4 shows examples of line-initiated PAD commands and the CUG values sent when the terminal line and the X.25 interface are both configured for CUG subscription.
Benefits
Before the introduction of this feature, CUG functionality required all CPE devices to be attached to the router at an X.25 synchronous DCE interface. The Terminal Line Security for PAD Connections feature extends the existing X.25 CUG functionality to terminal lines, allowing PAD access devices (console lines, auxiliary lines, and tty and vty devices) to be configured for CUG security enforcement.
Restrictions
The CUG selection facility suppression options are not available for terminal lines because incoming PAD calls are terminated by the terminal line.
Related Documents
For information about X.25 CUGs, refer to the following documents:
•
•
For information about PAD connections, refer to the following documents:
•
•
Supported Platforms
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
Determining Platform Support Through Cisco Feature Navigator
Cisco IOS software is packaged in feature sets that are supported on specific platforms. To get updated information regarding platform support for this feature, access Cisco Feature Navigator. Cisco Feature Navigator dynamically updates the list of supported platforms as new platform support is added for the feature.
Cisco Feature Navigator is a web-based tool that enables you to quickly determine which Cisco IOS software images support a specific set of features and which features are supported in a specific Cisco IOS image. You can search by feature or release. Under the release section, you can compare releases side by side to display both the features unique to each software release and the features in common.
To access Cisco Feature Navigator, you must have an account on Cisco.com. If you have forgotten or lost your account information, send a blank e-mail to cco-locksmith@cisco.com. An automatic check will verify that your e-mail address is registered with Cisco.com. If the check is successful, account details with a new random password will be e-mailed to you. Qualified users can establish an account on Cisco.com by following the directions found at this URL:
Cisco Feature Navigator is updated regularly when major Cisco IOS software releases and technology releases occur. For the most current information, go to the Cisco Feature Navigator home page at the following URL:
Availability of Cisco IOS Software Images
Platform support for particular Cisco IOS software releases is dependent on the availability of the software images for those platforms. Software images for some platforms may be deferred, delayed, or changed without prior notice. For updated information about platform support and availability of software images for each Cisco IOS software release, refer to the online release notes or, if supported, Cisco Feature Navigator.
Supported Standards, MIBs, and RFCs
Standards
No new or modified standards are supported by this feature.
MIBs
No new or modified MIBs are supported by this feature.
To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL:
http://tools.cisco.com/ITDIT/MIBS/servlet/index
If Cisco MIB Locator does not support the MIB information that you need, you can also obtain a list of supported MIBs and download MIBs from the Cisco MIBs page at the following URL:
http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml
To access Cisco MIB Locator, you must have an account on Cisco.com. If you have forgotten or lost your account information, send a blank e-mail to cco-locksmith@cisco.com. An automatic check will verify that your e-mail address is registered with Cisco.com. If the check is successful, account details with a new random password will be e-mailed to you. Qualified users can establish an account on Cisco.com by following the directions found at this URL:
RFCs
No new or modified RFCs are supported by this feature.
Prerequisites
The tasks in this document assume a basic understanding of the X.25 CUG service and how it works.
Configuration Tasks
See the following sections for configuration tasks for the Terminal Line Security for PAD Connections feature. Each task in the list is identified as either required or optional.
•
•
Configuring X.25 CUG Support on Terminal Lines
To configure X.25 CUG support on terminal lines, use the following commands beginning in global configuration mode:
Verifying X.25 CUG Support on Terminal Lines
To verify support for X.25 CUG service on terminal lines, perform the following steps:
Step 1
Step 2
Router# show line vty 2Tty Typ Tx/Rx A Modem Roty AccO AccI Uses Noise Overruns Int132 VTY - - - - - 0 0 0/0 -Line 132, Location: "", Type: ""Length: 24 lines, Width: 80 columnsBaud rate (TX/RX) is 9600/9600Status: No Exit BannerCapabilities: CUG Security EnabledModem state: IdleGroup codes: 0Special Chars: Escape Hold Stop Start Disconnect Activation^^x none - - noneTimeouts: Idle EXEC Idle Session Modem Answer Session Dispatch00:10:00 never none not setIdle Session Disconnect WarningneverLogin-sequence User Response00:00:30Autoselect Initial Waitnot setModem type is unknown.Session limit is not set....Step 3
Router# show x25 cug local-cugX.25 Serial1/1, 3 CUGs subscribed with no public accesslocal-cug 99 <-> network-cug 9999, no-incoming, preferentiallocal-cug 100 <-> network-cug 1000local-cug 101 <-> network-cug 1001PROFILE cugs, 2 CUGs subscribed with with incoming public accesslocal-cug 1 <-> network-cug 10, no-outgoinglocal-cug 2 <-> network-cug 20, no-incoming, preferentialLine: 129 aux 0 , 1 CUGs subscribed with outgoing public accesslocal-cug 1 <-> network-cug 10Line: 130 vty 0 , 4 CUGs subscribed with incoming and outgoing public accesslocal-cug 1 <-> network-cug 10local-cug 50 <-> network-cug 5, preferentiallocal-cug 60 <-> network-cug 6, no-incominglocal-cug 70 <-> network-cug 7, no-outgoingLine: 131 vty 1 , 1 CUGs subscribed with no public accesslocal-cug 1 <-> network-cug 10Step 4
Router# show x25 cug network-cug 10PROFILE cugs, 2 CUGs subscribed with no public accessnetwork-cug 10 <-> local-cug 1 , no-outgoingLine: 129 aux 0 , 1 CUGs subscribed with no public accessnetwork-cug 10 <-> local-cug 1Line: 130 vty 0 , 4 CUGs subscribed with incoming and outgoing public accessnetwork-cug 10 <-> local-cug 1Line: 131 vty 1 , 1 CUGs subscribed with no public accessnetwork-cug 10 <-> local-cug 1
Monitoring and Maintaining X.25 CUG Support on Terminal Lines
To monitor and maintain X.25 CUG support on terminal lines, use the following command in privileged EXEC mode:
Configuration Examples
This section provides the following configuration example:
•
Configuring X.25 CUG Support on Terminal Lines Example
The following example shows the configuration of CUG behavior on asynchronous line 1 and virtual terminal lines 0 to 9. The user of async line 1 has only outgoing access to CPE that is subscribed to the corporate CUG designated for finance (CUG 1101) but can receive calls from those same CUG members or from the open network (that is, calls from a network X.25-class service that are destined for the line and have no CUG restriction).
The users of virtual terminal lines 0 to 9 have access only within the corporate CUGs designated for engineering (CUGs 1102 or 1103). Any call from a network X.25-class service destined for the line will be refused unless the inbound POP validates it as a member of one of those two CUGs.
Line 1Location Company A. Finance Connectionx25 subscribe cug-service incoming-accessx25 subscribe local-cug 1 network-cug 1101 preferential!line vty 0 9Location Company A. Engineering Accessx25 subscribe cug-servicex25 subscribe local-cug 2 network-cug 1102 preferentialx25 subscribe local-cug 3 network-cug 1103!Command Reference
The following commands are introduced or modified in the feature or features documented in this module. For information about these commands, see the Cisco IOS Wide-Area Networking Command Reference at http://www.cisco.com/en/US/docs/ios/wan/command/reference/wan_book.html. For information about all Cisco IOS commands, go to the Command Lookup Tool at http://tools.cisco.com/Support/CLILookup or to the Cisco IOS Master Commands List.
•
•
•
•
•
Glossary
call request—An X.25 call packet sent from a DTE to a DCE that initiates a connection to a destination DTE.
closed user group selection facility—A specific encoding element that can be presented in a call request or incoming call. A CUG selection facility in a call request allows the source DTE to identify the CUG within which it is placing the call. A CUG selection facility in an incoming call allows the destination DTE to identify the CUG to which both DTEs belong.
CPE—customer premises equipment. Terminating equipment, such as terminals, telephones, and modems, supplied by the telephone company, installed at customer sites, and connected to the telephone company network. This equipment is available for customer modification and is considered insecure by the network.
CUG—closed user group. A collection of DTE devices for which the network controls access among members and between members and nonmembers. A DTE may subscribe to zero, one, or more CUGs. A DTE that does not subscribe to a CUG is referred to as being in the open part of the network.
DCE—data communications equipment. A network connection where a subscriber can be attached. A DCE is configured with the operational details for which a given subscriber (DTE) has contracted.
DTE—data terminal equipment. A network subscriber that can be reached at a specific network attachment point. A network identifies each DTE device by assigning an X.121 address.
incoming call—An X.25 call packet sent from a DCE to a DTE that presents a connection requested by the source DTE.
PAD—packet assembler/disassembler. Device used to connect simple devices (like character-mode terminals) that do not support the full functionality of a particular protocol to a network. PADs buffer data and assemble and disassemble packets sent to such end devices.
POP—point of presence. In the context of a public data network, a POP is the part of the network to which CPE is attached. A POP is configured and controlled by the public network and serves as the boundary equipment between the trusted network and insecure client attachments.
preferential closed user group—The CUG that is assumed when a CUG is not specified in call setup. A DTE that subscribes to more than one CUG and does not have incoming or outgoing access must designate a preferred CUG.
Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.
© 2007 Cisco Systems, Inc. All rights reserved.
