Retronetworking

1999/12/08 (revised 12/10)

		ComOS 3.9b26 Open Beta Release Note

			for the PortMaster 3

________________ Introduction

The new Lucent Technologies ComOS(R) 3.9b26 open beta software release

is now available for the PortMaster(R) 3 Integrated Access Server.

This open beta release is provided at no charge to all Lucent

customers, but is recommended only for customers who wish to test the

new functionality before the general availability (GA) release of 

ComOS 3.9.

Command syntax for new commands might change between this open beta

release and the general availability release of ComOS 3.9.

This release note documents commands and features added between ComOS

3.8.2 and ComOS 3.9b26 on the PortMaster 3.  This release note applies

only to the PortMaster 3.

The modem code in ComOS 3.9b26 is the same modem code included in 

ComOS 3.9b22 and ComOS 3.9b24 for the PortMaster 3.

Before upgrading, thoroughly read "ComOS 3.9b26 Limitations" and

"Upgrade Instructions."

WARNING! Due to the increased size of ComOS, the amount of nonvolatile

RAM (NVRAM) available for saving configurations has been reduced from

128KB to 64KB. PortMaster products with configurations greater than

64KB will lose some of their configuration. For this reason, be sure to

back up your PortMaster configuration before upgrading to this

release.  You can check the amount of memory used for your

configuration with the "show files" command. Ignore any files that also

include an uncompressed size.

WARNING! The PortMaster 3 must be running ComOS 3.5 or later to upgrade

to ComOS 3.9b26. If you are running an earlier release of ComOS,

upgrade to ComOS 3.5 first, reboot, then upgrade to ComOS 3.9b26.

NOTE: Any PortMaster running ComOS 3.9b26 requires 4MB of dynamic RAM

(DRAM). Use 16MB if you are running the Border Gateway Protocol (BGP).

_______________ Export Restrictions

This release of ComOS 3.9b26, available to any Lucent customer

worldwide, does not include support for the Data Encryption System

(DES) and Triple DES (3DES) encryption methods.

However, the Authentication Header (AH) RSA Data Security, Inc.  MD5

Message-Digest Algorithm (MD5) authentication feature of the IPSec

encryption ("coprocessor") card is available worldwide and is included

in ComOS 3.9b26.

Because of export restrictions, the DES and 3DES features for ComOS

3.9b26 will be handled on a case-by-case basis outside of the standard

release process. Any US-owned or Canadian-owned company wishing to

obtain this feature should call Cary Hayward at 1-925-730-2637. This

restricted release of ComOS 3.9b26enc168, which supports DES and 3DES,

is available to Lucent customers in the United States and Canada only.

To use DES or 3DES for encrypting data payloads, you must install the

IPSec encryption card (PM3-VPN).

Versions of ComOS 3.9b26 supporting DES and 3DES on the IPSec 

encryption card will be made available to customers in other countries 

as export licensing permits. Licensing approval is being sought at this 

time.

For more information, see the sections on "Virtual Private Network

(VPN) Tunneling" and "IPSec Encryption Card for the PortMaster 3".

_______________ Contents

Introduction

Export Restrictions

Bugs Fixed in ComOS 3.9b26

Reconfiguring NVRAM

New Features in ComOS 3.9b26

	RADIUS Authentication Failover

	RADIUS Accounting Retry Interval and Count

	Non-Facility Associated Signaling (NFAS)

	Layer 2 Tunneling Protocol (L2TP)

	Virtual Private Network (VPN) Tunneling

	IPSec Encryption Card for the PortMaster 3

	Network Address Translator (NAT)

	Assigned IP for Dial-Out Locations

	Port Required for Telnet Device Service

	Enhanced PMVision Support

Configuring NFAS

Configuring L2TP

Configuring VPN Tunneling

Configuring NAT

ComOS 3.9b26 Limitations

Troubleshooting Modems

Upgrade Instructions

Technical Support

_______________Bugs Fixed in ComOS 3.9b26

* The Point-to-Point Protocol (PPP) counters are now always reset when

a port is initialized. Previously, incorrectly set counters sometimes

caused the second link of a PPP multilink connection to fail.

* The PortMaster 3 no longer retains a remote router's Multichassis PPP

(MCPPP) master entry after the router disconnects.  Previously, under

certain conditions, the master entry remained after disconnection and

prevented the PortMaster from routing the packets of this remote router

when it dialed in again.

* Simple Network Management Protocol (SNMP) access to the serial table

for PortMaster user information now works properly. Earlier versions of

this release reported "No Response."

* A sporadic reboot problem has been fixed. The stack trace displayed

the message "Assertion failed: nbuf_p->bytes_left, file mdp_os.c, line

1586" when this problem occurred.

* Unauthorized Telnet connections are now timed out after 2 minutes.

* The "set maximum pmconsole" command now takes effect immediately.

Previously, active connections on port 1643 had to be reset before

changes were applied.

* Output for the "set debug ?" command has been enhanced.

* A RADIUS Login-User with the telnet login service no longer generates

a Framed-User start record erroneously.

* The AH and Encapsulating Security Payload (ESP) protocols now work

together.

* An administrative reset of a Layer 2 Tunneling Protocol (L2TP)

session now generates only one stop record instead of two.

* Accounting records for a RADIUS Administrative-User logging in to

port S0 now show the correct service type.

* Administrative logins logged to syslog no longer have the password

sent in clear text.

* The authentication packet sent for telnet logins now reports the

correct user type to the access log. Previously, the authentication

packet erroneously reported a user type of Outbound-User.

* Startup and shutdown accounting packets are now resent like other

accounting packets.

* When the PortMaster 3 receives an incoming V.110 setup request, it

now returns the message "Cause 88 Incompatible Destination."

Previously, the message "Release Complete with the Cause 17 User Busy"

was erroneously returned.

* The "show sessions" command no longer returns garbage characters at

the end of a 12-character location name.

* The "show table location" command now shows the full location name.

* The command "set user protocol ppp" no longer deletes the

Point-to-Point Protocol (PPP) asynchronous map.

* The attributes associated with the user are now deleted when the user

entry is deleted. For example, if a network user (netuser) named lee

configured with NAT is deleted, the old NAT configuration parameters

are no longer listed for any new user named lee.

* When the call-check feature has been enabled ("set call-check on"),

callback users specified through RADIUS are now authenticated.

* If a RADIUS menu user fails over a Telnet connection, an

administrative user is now allowed to telnet in. Previously, the

administrative user was rejected until the PortMaster 3 was rebooted.

* RADIUS accounting records for an L2TP access concentrator (LAC) now

include the Tunnel-Server-Endpoint information.  This information was

not provided in previous releases.

* When routing is disabled on a WAN port, the port status now reflects

this condition.

* BGP summarization settings that are configured with the "set bgp

summarization" command are now saved after you enter "save all" and

"reset bgp." Previously, only settings configured with the "add bgp

summarization" command were saved.

* Subnets included as part of an OSPF area range are now advertised as

internal OSPF routes. If not included as part of the range, they are

advertised as OSPF type 2 external (E2) routes. In previous releases,

the PortMaster 3 advertised routes in this way when they were part of

an assigned address pool, but not if they were subnets used to assign

static IP addresses.

* OSPF configuration information is now saved during an upgrade from

ComOS 3.7 to ComOS 3.9b26.

* Modem code fixes:

  - A downward spiraling upstream rate caused by an incorrect Link

    Access Procedure for Modems (LAPM) error check is fixed.

  - Rate reduction due to LAPM errors has been made less sensitive.

  - In the presence of LAPM retransmission errors, the modem code

    retrains to allow the link to adjust to a lower speed and improve

    throughput.

  - The number of disconnections from LAPM retrains within a retrain

    has been reduced.

  - The modem code now suspends LAPM transactions during any rate

    changes or retrains and thereby eliminates some connection

    failures, connections without error control, and some

    disconnections.

  - U.S. Robotics (USR) Telepath V.34 modems can now establish

    LAPM error correction. Previously under certain conditions, the 

    modem was choosing too high a connection rate and was unable 

    to establish LAPM error correction. The modem code now detects 

    these conditions and forces the connection speed down by one rate 

    to allow LAPM to be negotiated. 

  - For all modems, retrain detection has been improved to prevent some 

    client disconnections. 

  - For modems with Rockwell Semiconductor Systems (RSS) K56flex

    chipsets, fast rate changes now work properly. Previously, a retrain 

    was forced after a rate change. (RSS is now Conexant Systems Inc.) 

  - A NO EC (no error control) connection problem with Cirrus Logic 

    modems is fixed, and overall performance with Cirrus Logic 

    modems is improved. Cirrus Logic modems are now supported by

    Ambient Technologies.

  - The number of rate renegotiations with USR/3Com and Cirrus 

    Logic modems has been reduced because ComOS now allows 

    the client modem to specify spectral shaping. 

  - USR/3Com modem connections are now more reliable. 

  - Rate renegotiation and retrain problems with USR/3Com and Rockwell 

    HCF modems are fixed. 

  - Connectability with USR/3Com and Rockwell HCF modems and 

    LT Winmodems is improved. 

  - Motorola SM56 modems can now connect with V.90. 

  - A V.90-to-V.34 fallback problem, which can result in a disconnection,

    is fixed by earlier V.34 detection. 

  - A-law V.90 connectability is improved. 

  - K56flex connectability is improved by an increase in a K56flex timeout.

_______________ Reconfiguring NVRAM

After loading the new ComOS 3.9b26 and rebooting, look for messages

like the following on the console screen to verify that ComOS has

loaded successfully:

Testing System Memory.... 1024K

Checking Boot Rom....

Calibrating.... 33MHz

Starting FLASH Boot.....

Loading Image at 0fff0000

17110  flash copy complete

Verifying Load Module Checksum...

Starting Load Module ...

Loading kernel... 691260 bytes

Testing High Memory ... . 4096K

Loading kernel extensions... 125952 bytes

Async found in slot 1

Found 11 ports....

ether0 active ... 16K shared-RAM

Reconfiguring FLASH...

   Malloc size 65534 at 18a208

   Opened modules STD file

   Read 64506 bytes at 18a208

   read 1 buffers

   Call flash format

   Call freecntl

   Call save

   Call f_open

   Write 64506 bytes at 18a208

done - rebooting

_______________ New Features in ComOS 3.9b26

The following commands and features have been added in ComOS 3.9b26.

_______ RADIUS Authentication Failover

Authentication failover allows the PortMaster to dynamically switch 

primary and alternate RADIUS authentication servers according to 

their response. Use the following commands:

  set authentication interval Seconds

  set authentication failover on | off

The first command sets the response interval. The PortMaster sends a

RADIUS access-request packet every "interval" number of seconds. If no

response is received from the primary RADIUS server, the PortMaster

switches or "fails over" to the secondary authentication server. The

secondary RADIUS server then is treated as the primary, and is marked

with an asterisk (*) in "show global"output.

  set authentication interval Seconds

Seconds		A value between 1 and 255. The number of seconds that

		must elapse between RADIUS access-request

		retransmissions if the PortMaster receives no response.

		The default is 3 seconds, and 0 resets the value to the

		default. If the primary server does not respond,

		failover occurs after two times the Seconds value. For

		example, if "set authentication interval 6" is used,

		failover occurs in 12 seconds.

The second command enables the failover feature on the PortMaster 3:

  set authentication failover on | off

on	If the primary server fails to respond three times in a row,

	the PortMaster sends the packet to both the primary and

	secondary servers for the next seven retransmissions. If the

	secondary server replies before the primary server, the

	PortMaster switches the primary and secondary servers. 

	Then on the next login attempt, the PortMaster tries the 

	secondary server first.  If the secondary server fails to 

	respond three times in a row, the PortMaster sends the 

	packet to both servers and designates the server that replies 

	first as the new primary server.

off    	The PortMaster 3 always tries the primary server first, same as

	the current behavior. This is the default.

_____RADIUS Accounting Retry Interval and Count

The PortMaster attempts to send each RADIUS accounting packet every

"interval" seconds, and sends it the "count" number of times before

giving up. If an acknowledgement is received from the RADIUS 

accounting server, the PortMaster no longer tries to resend the 

accounting packet. If no acknowledgment is sent from the primary 

server in response to the first packet, the PortMaster sends the packet 

to both the primary and secondary RADIUS accounting servers.

   set accounting count Number

   set accounting interval Seconds

Number 		A decimal number between 1 and 99. The number of  

		times the PortMaster sends a RADIUS accounting  

		packet without acknowledgement from a RADIUS 

		server. 

Seconds		A decimal number between 1 and 255. The number of 

		seconds that must elapse between RADIUS accounting

		packet retransmissions if not acknowledged by the

		accounting server. The default is 30 seconds.

Use the "show global" command to view the Accounting Count and the

Accounting Interval settings.

Examples:

Command> set accounting count 45

Accounting retry count changed from 23 to 45

Command> set accounting interval 60

Accounting retry interval changed from 30 to 60 sec

_______ Non-Facility Associated Signaling (NFAS)

Non-facility associated signaling (NFAS) is a service offered by

telephone companies that permits a single D channel to provide the

signaling for a group of ISDN Primary Rate Interfaces PRIs. This 

service allows the channel that is normally used for signaling on the 

remaining PRIs to be used as a B channel.

Because combining the signaling onto a single D channel increases the

consequences if communication with that channel fails, some telephone

companies use the D channel backup (DCBU) system. DCBU requires two

D channels per NFAS group, one as a primary and one as a secondary.

The Lucent ComOS implementation of NFAS supports both standard NFAS 

and NFAS with DCBU across up to 20 PRIs.

See the section titled "Configuring NFAS" for NFAS configuration

information. For more information about NFAS commands, see the 

PortMaster Command Line Reference. For detailed configuration 

information, see the PortMaster Configuration Guide.

_______ Layer 2 Tunneling Protocol (L2TP)

ComOS 3.9b26 on the PortMaster 3 supports Layer 2 Tunneling Protocol

(L2TP). You can configure the PortMaster 3 as both an L2TP access

concentrator (LAC) and an L2TP network server (LNS).

See the section titled "Configuring L2TP" for L2TP configuration

information.

For more information about L2TP commands, see the 

PortMaster Command Line Reference. For detailed configuration 

information, see the PortMaster Configuration Guide.

_______ Virtual Private Network (VPN) Tunneling

ComOS 3.9b26 on the PortMaster 3 supports virtual private networks

(VPNs) and IP Security (IPSec). A properly configured PortMaster is

capable of tunneling using the IP Encapsulation within IP (IPIP) and

IPSec protocols and a Lucent proprietary Proxy Tunnel protocol.

Tunneling allows you to create custom network topologies that are

independent of the underlying physical topology of the network, with or

without additional security and authentication.

See the section titled "Configuring VPN Tunneling" for more 

information.

For more information about VPN tunneling commands, see the 

PortMaster Command Line Reference. For detailed configuration 

information, see the PortMaster Configuration Guide.

_______ IPSec Encryption Card for the PortMaster 3

ComOS 3.9b26 now supports the IPSec encryption ("coprocessor") card 

for the PortMaster 3 (PM3-VPN).  To use IPSec, you must install the 

IPSec encryption card in the PortMaster 3, into the same interface on 

the motherboard used by the Stac compression card (PM3-CMP).  The

PortMaster 3 can support either the Stac compression card or the

IPSec encryption card, not both.

The PortMaster 3 does not require the IPSec encryption card to run the 

IPIP or Proxy Tunnel protocols.

The following message is displayed on the console port at boot time if

the IPSec encryption card is installed correctly and operating:

  Found MIPS 4640 daughter board with 512Kb bytes of memory

The IPSec encryption card is booted from the file named "mipsboot" 

on the NVRAM file system. You can use the "show files" command to 

verify that this file exists. If it does not, you must upgrade your 

release of ComOS. To see which encryption algorithms and protocols 

are supported, use the "show ipsec modules" command.

_______ Network Address Translator (NAT)

ComOS 3.9b26 supports the network address translator (NAT) based on 

RFC 2663.

The basic network address translator (basic NAT) maps IP addresses from

one group to another, transparently to users and applications. The

network address port translator (NAPT) is an extension to basic NAT, in

which multiple network addresses and their TCP and UDP ports are mapped

to a single network address and its ports.

ComOS supports both basic NAT and NAPT for both outbound 

and inbound sessions. It also supports an "outsource" mode in 

which all NAT processing is done on the server side of the 

connection.

See the section titled "Configuring NAT" for more information.

For more information about NAT commands, see the PortMaster 

Command Line Reference. For detailed configuration information, 

see the PortMaster Configuration Guide.

_______ Assigned IP for Dial-Out Locations

Use the following command to configure a dial-out location on the

PortMaster 3 to receive a dynamically assigned address:

  set location Locname local-ip-address assigned  | Ipaddress

Locname		Name of a location table entry.

In previous releases of ComOS for the PortMaster 3, dial-out locations

could not receive a dynamic address.

_______ Port Required for Telnet Device Service

The "set S0 service_device telnet" command now requires a TCP port number. 

  set S0 service_device telnet Tport

Tport	Specifies the TCP port for the connection. The range is from 

	1 to 65535.

Previously, if the port number was omitted, the PortMaster listened on

port 23, the default Telnet port. This behavior caused problems for

users telnetting to the PortMaster.

_______ Enhanced PMVision support

Additional support has been added to ComOS 3.9b26 to allow PMVision(TM) 

to monitor and configure ComOS 3.9b26 features on the PortMaster. See 

the most recent PMVision release note for details.

_______________ Configuring NFAS

Non-facility associated signaling (NFAS) is a service offered by

telephone companies that permits a single D channel to provide the

signaling for a group of PRIs. This service allows the channel that is

normally used for signaling on the remaining PRIs to be used as a

B channel.

Because combining the signaling onto a single D channel increases the

consequences if communication with that channel fails, some telephone

companies use the D channel backup (DCBU) system. DCBU requires two

D channels per NFAS group, one as a primary and one as a secondary.

The Lucent ComOS implementation of NFAS supports both standard NFAS and

NFAS with DCBU across up to 20 PRIs.

See the "ComOS 3.9b26 Limitations" section before using NFAS.

_______ NFAS Configuration

To configure a line for NFAS operation, use the following command:

  set Line0 nfas primary | secondary | slave | disabled Identifier Group

Line0		line0 or line1.

primary		This PRI contains the primary D channel.

secondary	This PRI contains the secondary D channel.

slave		This PRI contains no D channel.

disabled	Clears this PRI's NFAS configuration.

Identifier     	Number between 0 and 19 that is unique among all PRI

		interfaces in the same NFAS group.

Group          	Number between 1 and 99 identifying which NFAS group

		this PRI belongs to.

Example:

The following example shows how to configure four PortMaster 3s on a

common Ethernet with two NFAS groups, one with DCBU and one without.

Each group contains two PortMaster 3s.

NFAS bundle #1 (with DCBU)

  PM3-1 (Line0 contains the primary D channel. Line1 is a slave line.):

    set line0 nfas primary 0 1

    set line1 nfas slave 1 1

    save all

    reboot

  PM3-2 (Line0 is a slave line, and Line1 contains the secondary

  D channel):

    set line0 nfas slave 2 1

    set line1 nfas secondary 3 1

    save all

    reboot

NFAS bundle #2 (without DCBU)

  PM3-3 (Line0 contains the primary D channel, and Line1 is a

  slave line):

    set line0 nfas primary 0 2

    set line1 nfas slave 1 2

    save all

    reboot

  PM3-4 (Line0 and Line1 are slave lines):

    set line0 nfas slave 2 2

    set line1 nfas slave 3 2

    save all

    reboot

_______ Displaying General NFAS Information

Several commands are available to display statistics and information

specific to NFAS operation.

  show nfas

The "show nfas" command displays neighboring PortMaster products 

in the same NFAS group as this one and shows in-service D channel 

information and slave status.

  show nfas history

The "show nfas history" command displays the last 40 significant

messages exchanged between this PortMaster and its neighbors.

  show nfas stat

The "show nfas stat" command displays the status of NFAS calls for

PortMaster products in the same group(s) as this one.

_______ Displaying NFAS Debugging Information

A new debug command has been added to aid in diagnosing problems that

might occur in testing.

set debug nfas on | off

This command enables or disables the logging of NFAS events to the

console. Remember to use "set console" before using this command, 

and "reset console" after turning off the debug process.

_______________ Configuring L2TP

ComOS 3.9b26 on the PortMaster 3 supports Layer 2 Tunneling Protocol

(L2TP). You can configure the PortMaster 3 as both an L2TP access

concentrator (LAC) and an L2TP network server (LNS).

The implementation of L2TP in ComOS 3.9b26 is based on the latest IETF

L2TP draft (revision 12 and 13 as of this writing). For specific

details of operation and protocol implementation of L2TP, refer to the

IETF Internet-Drafts.

L2TP allows PPP frames to be tunneled as follows from one PortMaster

that answers an incoming call (the LAC) to another PortMaster that

processes the PPP frames (the LNS):

End user--->incoming call--->LAC--->LNS--->network access

NOTE: None of the IP addresses or networks used in the examples in 

this section are intended to refer to any actual real-world company 

or network assignment.

_______ Description and Applications

The Layer 2 Tunneling Protocol (L2TP) provides tunneling of PPP

connections, to separate the functionality normally provided by a

single network access server (NAS) into two parts:

 * The L2TP access concentrator (LAC) provides the "physical"

   connection point between the telephone network (and therefore the

   dial-in user) and the host network.

 * The L2TP network server (LNS) terminates the PPP sessions and

   handles the "server-side" of the connection, such as authentication

   of the user, routing network traffic to and from the PPP user, and

   so forth. The LNS does not have any physical ports, only virtual 

   interfaces.

An outsourcer can use L2TP to provide dial-up ports to customers 

using a central, "shared" common physical dial-up pool. The pool 

resides in a shared access server (the LAC). The outsourcer's 

customers maintain a home gateway (the LNS) and some type of 

IP connectivity to the outsourcer. L2TP provides virtual dial-up 

ports to the outsourcer's customers. This use of L2TP is sometimes 

referred to as a virtual private dial-up network (VPDN).

The service is transparent to the customer because users still

terminate PPP sessions on the customer network via the LNS.  RADIUS

authentication and accounting and IP address assignment are all done by

the customer. The LAC does no PPP processing unless it is using partial

authentication for determining the tunnel end point. It only accepts

the call and establishes a tunnel to the LNS for that PPP session. The

tunnel can be established based upon Called-Station-Id or User-Name

(where partial authentication occurs on the LAC before tunnel

establishment).

For example, if you use Called-Station-Id and call-check with L2TP,

the session follows these steps:

1. The end user places a call.

2. The LAC detects the incoming call.

3. The LAC using call-check sends an authentication request to a 

   RADIUS server containing the Called-Station-Id and 

   Calling-Station-Id check items before answering the call.

4. If the RADIUS server accepts the user, an access-accept message

   is returned to the LAC along with information on how to create the

   L2TP tunnel for this session: the type of tunnel, IP address of the

   LNS, and so on.

5. The LAC then creates a tunnel to the LNS by encapsulating the PPP

   frames into IP packets and forwarding those packets to the LNS.

6. The LNS negotiates PPP normally with the end user.

_______ RADIUS Dictionary Updates for L2TP

Add the following lines to your RADIUS dictionary:

VALUE         Service-Type		Call-Check	10

VALUE         NAS-Port-Type		Virtual	5

ATTRIBUTE	Tunnel-Type		64      integer

ATTRIBUTE	Tunnel-Medium-Type	65      integer

ATTRIBUTE	Tunnel-Server-Endpoint	67      string

ATTRIBUTE	Tunnel-Password		69      string

VALUE		Tunnel-Type		L2TP	3

VALUE		Tunnel-Medium-Type 	IP	1

The RADIUS daemon must be stopped and restarted to read the new

dictionary.

_______ RADIUS User Profiles for L2TP

The user profiles for the LNS are the same as for your users who do 

not use L2TP.

For the LAC, some new user profiles are required. Exactly which 

additional user profiles you add depend on whether you are 

using call-check or partial username-based tunneling on the LAC. 

The following profiles can be used on the RADIUS server serving 

the LAC for either approach:

# Using Called-Station-Id with Call-Check to route callers who dial

# 555-1313 to the LNS "172.16.1.221".

# Note that the LNS address must be enclosed in double quotation 

# marks because it is sent as a string, not as a 32-bit integer.

DEFAULT Called-Station-Id = "5551313", Service-Type = Call-Check

        Service-Type = Framed-User,

        Framed-Protocol = PPP,

        Tunnel-Type = L2TP,

        Tunnel-Medium-Type = IP,

        Tunnel-Server-Endpoint = "172.16.1.221"

# Same as the previous profile, but with a shared secret to 

# authenticate the session to the LNS.

DEFAULT Called-Station-Id = "5551313", Service-Type = Call-Check

        Service-Type = Framed-User,

        Framed-Protocol = PPP,

        Tunnel-Type = L2TP,

        Tunnel-Medium-Type = IP,

        Tunnel-Password = "mrsparkle",

        Tunnel-Server-Endpoint = "172.16.1.221"

In both user profiles, the first line contains the RADIUS check item,

with the Called-Station-ID being used to match the entry before the

call is answered. The L2TP tunnel parameters from the matching entry

are then sent in the RADIUS access-accept message.

The Tunnel-Type specifies the tunneling protocol to be used. The

Tunnel-Medium-Type specifies the transport medium over which the tunnel

is created, IP for now. Tunnel-Server-Endpoint indicates the other end

of the tunnel, the LNS in the case of L2TP.

Note that the LNS address must be enclosed in double quotation marks

because it is sent as a string, not as a 32-bit integer.

If you are not using call-check and are instead providing partial

authentication based on User-Name, the following user profile works.

The user "bgerald" dials in to the LAC, which initiates an L2TP tunnel

on the user's behalf to LNS 172.16.1.55.

bgerald Password = "wackamole"

        Tunnel-Type = L2TP,

        Tunnel-Medium-Type = IP,

        Tunnel-Server-Endpoint = "172.16.1.55"

_______ L2TP and RADIUS Accounting

The LAC and LNS both log user sessions to RADIUS accounting, but

different accounting data is available from each.

If you are using call-check to establish the tunnel, the LAC's

accounting data shows the Calling-Station-Id, but not the user's name,

because that information has not yet been passed over the link. The LNS

accounting data shows both the Calling-Station-Id and the User-Name

along with the assigned IP address.

If partial authentication (instead of call-check) is taking place on

the LAC, then the username might be available to it. In that case, the

username appears in the RADIUS accounting logs for both the LNS and the

LAC.

In both cases, the LNS shows the NAS-Port-Type as "Virtual", while the

LAC shows the NAS-Port-Type set to the connection type of the physical

interface.

The LNS starts its NAS-Port numbering at 100.

_______ Redundant Tunnel Server End Points

To increase the robustness of L2TP, a user profile can be configured to

contain redundant tunnel server end points. If the primary LNS fails,

inbound L2TP tunnels can be redirected to other machines.

Up to three redundant tunnel server end points can be specified.  Any

more than three are ignored by the LAC.

The following example shows a RADIUS user profile with multiple

redundant tunnel server end points. Each tunnel server end point is

preceded by the tunnel medium type for that tunnel.

DEFAULT Service-Type = Call-Check, Called-Station-Id = "5551234"

        Service-Type = Framed-User,

        Framed-Protocol = PPP,

        Tunnel-Type = L2TP,

        Tunnel-Medium-Type = IP,

        Tunnel-Server-Endpoint = "192.168.11.2",

        Tunnel-Medium-Type = IP,

        Tunnel-Server-Endpoint = "192.168.11.17",

        Tunnel-Medium-Type = IP,

        Tunnel-Server-Endpoint = "192.168.230.97"

This feature provides redundant LNS backup, not load balancing.

_______ L2TP Command Summary

set l2tp noconfig | disable | enable lac | enable lns

set l2tp authenticate-remote on | off

set l2tp secret [ Password | none ]

show l2tp global | sessions | stats | tunnels

reset l2tp [ stats | tunnel Number]

create l2tp tunnel udp Ipaddress [ Password | none]

set l2tp choose-random-tunnel-endpoint on | off

set debug l2tp max | packets [Bytes] | setup | stats

Use the following command to have the PortMaster load the L2TP 

feature on startup:

  set l2tp noconfig | disable | enable lac | enable lns

noconfig	Sets the PortMaster to have no L2TP 

		configuration.

disable		Sets L2TP off. L2TP is not used.

enable lac	Sets the PortMaster to be a LAC.

enable lns	Sets the PortMaster to be an LNS.

When the PortMaster is configured to be an LNS, the line ports are

configured for T1 and cannot be used for dial-in. The virtual S0 ports

follow the W1 ports.

Example:

Command 0> set l2tp enable lns

L2TP LNS will be enabled after next reboot

After using the "set l2tp" command, you must use the "save all" command

to save the configuration and the "reboot" command for the L2TP module

to load.

_______ Configuring L2TP to Initiate Authentication

The following command configures L2TP to initiate tunnel authentication:

  set l2tp authenticate-remote on | off

on	The PortMaster initiates authentication with the other end point

	of the tunnel before a tunnel is established. This is the default.

off	The PortMaster does not initiate authentication.

This command determines only whether the PortMaster initiates the

authentication. It does not determine how the PortMaster responds to

an authentication request. The "set l2tp authenticate-remote" command

functions the same on both a LAC and an LNS.

_______ Configuring an L2TP Secret

The "set l2tp secret" global command configures the L2TP password that

the PortMaster uses to respond to all L2TP tunnel authentication

requests. The L2TP secret takes effect only after you issue a 

"reset l2tp command.

  set l2tp secret Password | none

Password	String of up to 15 characters that the PortMaster

		uses to respond to L2TP tunnel authentication 

		requests.

none		Removes the L2TP secret. This is the default.

The "set l2tp secret" command sets the L2TP secret for the entire

PortMaster.

If a PortMaster configured as a LAC receives a tunnel authentication

request, it uses the Tunnel-Password from the RADIUS access-accept

packet, if present, instead of the global L2TP secret.

_______ Displaying L2TP Information

The following command shows information on how L2TP is functioning:

  show l2tp global | sessions | stats | tunnels

Examples:

Command> show l2tp global

debug packets debug stats debug setup

Tunnel Authentication Enabled

Initiation of Authentication Remote Tunnel Disabled

Default Board Configuration

Command> show l2tp sessions

Id  Assign-Id	Tunnel-IdPortname	State

31  21         	75	S1		ESTABLISHED  fl=8045

Command> show l2tp stats

NEW_SESSION 			1

NEW_TUNNEL 			4

TUNNEL_CLOSED 			3

HANDLE_CLOSED 			3

L2TP_STATS_MEDIUM_HANDLE 	3

INTERNAL_ERROR 			14

CTL_SEND    			9

CTL_REXMIT  			1

CTL_RCV     			10

MSG_CHANGE_STATE   		4

WRONG_AVP_VALUE 		3

EVENT_CHANGE_STATE 		3

Command> show l2tp tunnels

Id  Assign-IdHnd State      		#Ses	Server-Endpoint	Client-Endpoint

75  65	14 	L2T_ESTABLISH	1	192.168.6.13	192.168.10.28

_______ Resetting L2TP

Use the "reset l2tp" command to reset an L2TP tunnel or the L2TP

statistics counters.

  reset l2tp [ stats | tunnel Number ]

stats		Resets the L2TP counters displayed by "show l2tp 

		stats" to zero.

tunnel		If no tunnel ID is specified, all L2TP tunnels are

		destroyed and all related PPP sessions are terminated.

Number		A tunnel ID from 1 to 100. If a tunnel ID is specified, 

		only that one tunnel is destroyed. The "show l2tp 

		tunnels" command displays a list of active tunnel IDs.

_______ Creating an L2TP Tunnel Manually

The following command manually brings up an L2TP tunnel for testing 

and troubleshooting:

  create l2tp tunnel udp Ipaddress [ Password | none ]

Ipaddress	IP address of the L2TP tunnel end point.

Password	Password that the PortMaster uses when 

		responding to a tunnel authentication request 

		from the tunnel end point. If no password 

		is specified, the global L2TP secret is used if

		configured.

none		Sets the PortMaster to use the L2TP secret

		configured for it with the "set l2tp secret"

		command. This is the default.

Example:

Command> create l2tp tunnel udp 149.198.110.19

OK

_______ Selecting a Tunnel End Point

The following command determines in what order to choose an end point

when multiple tunnel end points are returned in a RADIUS access-accept

packet.

  set l2tp choose-random-tunnel-end point on | off

on	Causes the tunnel end point to be chosen randomly from the list

	of tunnel end points returned by RADIUS.

off	Selects the first tunnel end point that can be reached.

Normally, when L2TP is configured with multiple tunnel end points, the

end points are chosen serially, always beginning with the first. If a

tunnel cannot be established with the first, then the second is tried,

and then the third. When this feature is enabled, a random tunnel end

point is selected from those returned in the RADIUS access-accept

packet.

_______ Debugging L2TP

The following command is used to troubleshoot L2TP problems:

  set debug l2tp max | packets Bytes | setup | stats

max		Provides the same debugging as setup, packets, 

		and stats combined.

packets		Shows a representation of the L2TP packets, similar to

		the "ptrace dump" command.

Bytes		0 to 1500, number of bytes to display.

setup		Shows L2TP control messages and errors.

stats		Displays information that appears in "show l2tp stats"

		in more detail.

Remember to use "set console" before using this command, and 

"reset console" after turning off the debug process.

_______________ Configuring VPN Tunneling 

ComOS 3.9b26 on the PortMaster 3 supports virtual private networks

(VPNs) and IP Security (IPSec). A properly configured PortMaster is

capable of tunneling using the IP Encapsulation within IP (IPIP) and

IPSec protocols and a Lucent proprietary Proxy Tunnel protocol.

Tunneling allows you to create custom network topologies that are

independent of the underlying physical topology of the network, with or

without additional security and authentication.

For example, you can use VPN and IPSec to do the following on a

PortMaster 3:

* Encapsulate, encrypt, and/or authenticate IP packets

* Outsource tunnels by user, location, or interface

* Redirect packets in the clear

* Perform UDP packet-forwarding services

IPSec tunneling encapsulates, encrypts, and/or authenticates IP

packets.

IPIP ("IP within IP") tunneling encapsulates IP packets inside IP

packets, with no encryption or authentication.

Proxy Tunnel is a Lucent proprietary tunneling protocol. Proxy 

Tunnel places IP packets into UDP packets with the RSA Data 

Security, Inc. MD5 Message-Digest Algorithm signature for 

authentication.

_______ Security Associations

The security of the communications between two nodes is described

manually by a security association (SA) table entry. This security

association describes the parameters necessary to accomplish the

desired security (security association bundle) between a pair of

gateway nodes. Multiple security associations can be created to match

different security policies for different peers or types of traffic.

The following files are created in the PortMaster nonvolatile RAM file

system:

vpn		Contains the saved security association table.

random		Contains random seed data for the next reboot.

mipsboot	Encryption card image.

_______ VPN Command Summary

Use the following commands to configure VPN security associations. 

The commands for configuring security profiles are listed in the section 

"Configuring Security Profiles."

show sa Saname

show table sa

show ipsec modules

add sa Saname

delete sa Saname

reset ipsec  [Ether0 | S0 | W1] 

set sa Saname ah-inb-key | ah-inbound-key Key/[Bits] | random 

set sa Saname ah-inb-spi | ah-inbound-spi SPI

set sa Saname ah-outb-key | ah-outbound-key Key/[Bits] | random

set sa Saname ah-outb-spi | ah-outbound-spi SPI

set sa Saname esp-inb-key | esp-inbound-key Key/[Bits] | random

set sa Saname esp-inb-spi | esp-inbound-spi SPI

set sa Saname esp-outb-key | esp-outbound-key Key/[Bits] | random

set sa Saname esp-outb-spi | esp-outbound-spi SPI

set sa Saname local-address @ether0 | @ipaddress

set sa Saname mode ipip-tunnel | proxy-tunnel | sec-ipip-tunnel | none

set sa Saname peer-identifier Ipaddress

set sa Saname proxy-destport Uport

set sa Saname proxy-localport Uport

set sa Saname proxy-secret Key/Bits

set sa Saname sec-proposal Method1  [Method2]

Saname		Security association name up to 15 characters long.

Key		A number in decimal, hexadecimal or binary. 

Bits            	The key length in bits optionally follows the key

		value, separated by a slash "/".

SPI		Number in decimal, hex or binary---a 32-bit value 256 or

		higher.

Ether0		Ethernet interface.

Ipaddress	IP address in dotted decimal format, or hostname up to 

		39 characters long.

Uport		UDP port between 1 and 65535.

Method1	Supported security method.

Method2	Supported security method.

_______ Displaying Security Association Information

The "show sa Saname" command shows the entire configuration 

for the security association called Saname. The output varies with 

the protocol used for that security association. The command also 

displays the status of the IPSec encryption card (PM3-VPN) if the 

card is not installed or not operating correctly.

The "show table sa" command displays all security associations in a

summary format.

The "show ipsec modules" command displays available Layer 3

VPN tunneling methods. See the section titled "IPSec Commands" 

for more information.

_______ Creating Security Associations

Use the following commands to create the security association and

define the mode (protocol) that it uses:

  add sa Saname

  set sa Saname mode ipip-tunnel | proxy-tunnel | sec-ipip-tunnel | none

The "set sa Saname mode" command can also be used to change 

the mode of an existing security association. Setting the security 

association mode erases any keys that were previously associated 

with this security association.

ipip-tunnel     	Encapsulates packets into other IP packets.

		No security is provided. See the "IPIP 

		Commands" section.

proxy-tunnel   	This is a Lucent proprietary tunneling protocol.

		Proxy Tunnel places IP packets into UDP packets 

		with an MD5 signature for authentication. See the 

		"Proxy Tunnel Commands" section.

sec-ipip-tunnel	Encapsulates packets using the IPSec protocols in

		tunnel mode.  See the "IPSec Commands" section.

none           	Null configuration mode. Packets received on

		this security association are dropped.

_______ Deleting Security Associations

The following command deletes a security association:

  delete sa Saname

_______ Common Security Association Configuration Commands

Each security association has a few common commands, and a few 

mode-specific commands. The common commands are listed in this 

section.

The following command sets the IP address of the peer at the other 

end of this tunnel.

  set sa Saname peer-identifier Ipaddress

The following command sets the IP address of this end of this tunnel.

The default is to use the address of the Ether0 interface.

  set sa local-address @ether0 | @ipaddress

_______ IPSec Commands

To set up a security association using IPSec, you must configure 

the following information. First, create the security association

and set the mode to "sec-ipip-tunnel" as follows:

  add sa Saname

  set sa Saname mode sec-ipip-tunnel

Security Parameter Index:

The security parameter index (SPI) is a 32-bit number. The first 256

values are reserved and cannot be entered by users. The inbound SPI

set on an IPSec gateway must match the outbound SPI set on the peer.

Be careful not to assign the same SPI to two security associations on

the same PortMaster.

  set sa Saname ah-inb-spi | ah-inbound-spi SPI

  set sa Saname ah-outb-spi | ah-outbound-spi SPI

  set sa Saname esp-inb-spi | esp-inbound-spi SPI

  set sa Saname esp-outb-spi | esp-outbound-spi SPI

Examples:

Command> set sa net172 esp-inbound-spi 11111111

Command> set sa net172 esp-outbound-spi 11110000

Command> set sa net172 ah-inbound-spi 11112222

Command> set sa net172 ah-outbound-spi 22220000

AH and ESP Protocols:

Configure the security association to define the methods used for 

the Authentication Header (AH) and Encapsulating Security Payload 

(ESP) protocols.

ESP is the method used to encrypt the actual data (the "payload")

contained in a packet.

AH is used to authenticate a packet. Authentication guarantees that

the packet comes from the node with which you share a security

association and was not tampered with during transit.

Use the "show ipsec module" command to see which methods are 

available.

To use both ESP and AH together, specify two methods. Otherwise, 

just specify one in the following command:

  set sa Saname sec-proposal Method [ Method2 ]

The following methods are supported in ComOS 3.9b26:

esp-des			Sets the ESP protocol for a security 

			association using the US Data Encryption

			Standard-cipher block chaining (DES-CBC)

			encryption algorithm defined in RFC 2405.

			The keys must be exactly 64 bits in length.

esp-des-rfc1827		Uses the DES-CBC encryption protocol 

			defined in RFC 1827 and RFC 1829. The 

			keys must be exactly 64 bits in length.

esp-3des		Sets the ESP protocol for a security 

			association using the Triple DES-CBC

			(3DES) encryption algorithm defined in

			RFC 2451. The keys must be exactly 

			192 bits in length.

esp-3des-rfc1827		Uses the 3DES encryption protocol.

			The keys must be exactly 192 bits in length.

ah-md5			Sets the AH protocol for a security 

			association using MD5 and authentication

			methods defined in RFC 2403. The keys 

			must be exactly 128 bits in length.

ah-md5-rfc1826         	Uses the MD5 hashing protocol

			defined in RFC 1826 and 1828. The keys 

			must be exactly 128 bits in length.

ah-sha			Sets the AH protocol for a security

			association using the Secure Hash

			Algorithm (SHA-1 defined in RFC 2404.

			The keys must be exactly 160 bits long.

Use the following commands to set inbound and outbound keys for the

chosen protocols:

  set sa Saname esp-inbound-key Key/[Bits] | random

  set sa Saname esp-outbound-key Key/[Bits] | random

  set sa Saname ah-inbound-key Key/[Bits] | random

  set sa Saname ah-outbound-key Key/[Bits] | random

Saname	Security association name up to 15 characters long.

Key		Decimal, hexadecimal, or binary key. The secret

		shared between the ends of a security association.

/Bits		The key length in bits optionally follows the key 

		value.

random		Applies a randomly generated key and key length that 

		match the requirements for the specified encryption

		method.

Example:  

Command> set sa net172 esp-inbound-key 0x0123456789abcd/64

Command> set sa net172 esp-outbound-key 0x0123456789abcd/64 

Command> set sa net172 ah-inbound-key 0x0123456789abcd/128 

Command> set sa net172 ah-outbound-key 0x0123456789abcd/128 

Although these examples use the same key for both inbound and 

outbound, and for both ESP and AH, Lucent recommends that you use 

different keys for each of these.

_______ Entering Static Keys

You can enter keys as the following types of numbers:

* Hexadecimal (hex)---base 16, starting with 0x

* Decimal (the default)---base 10

* Binary---base 2, starting with 0b

The key value is followed by a slash ("/") and the key length 

in bits.

For example:

* 0x12345678/32 is a 32-bit key in hexadecimal.

* 346345/64 is a 64-bit key in decimal.

* 0b1000001/64 is a 64-bit key in binary.

Keys must fall on 8-bit boundaries. Some protocols allow only 

specific key lengths, while others allow a range of lengths. ESP 

and AH protocols require specific key lengths. See the section 

"AH and ESP Protocols" for more information. 

Keys are displayed in hexadecimal format. High-order bits not 

specified are zero-filled. For example, 0x12/32 is the same as 

0x00000012/32. Once the key is entered, you cannot see it again.

The security of your network depends on picking appropriate keys. 

You can have the PortMaster generate a key by using the special key 

value "random".  For example:

  set sa Saname esp-inbound-key random

This command generates a random key of the correct length for the

protocol. You must then copy this key to the peer in a secure fashion.

NOTE: To configure secure keys and avoid unintended typing errors, 

Lucent recommends that you set a random value for each key on one 

node and then copy and paste it on the other node.

_______ IPIP Commands

To use the IPIP protocol, set the security association to IPIP mode

using the following command:

  set sa Saname mode ipip-tunnel

_______ Proxy Tunnel Commands

To use the Lucent proprietary Proxy Tunnel protocol, set the 

security association mode using the following command:

  set sa Saname mode proxy-tunnel

Each end of the tunnel chooses a UDP port between 1 and 65535 for

sending and receiving packets. Lucent strongly recommends using a 

port that does not conflict with well-known services. The same port 

number can be used at both ends, if desired.

  set sa Saname proxy-localport Uport

  set sa Saname proxy-destport Uport

Each end of the tunnel chooses a shared secret and configures it.

Lucent supports secrets from 32 to 128 bits long, and each secret

must be a multiple of 8 bits long.

  set sa Saname proxy-secret Key/Bits

Saname	Security association name up to 15 characters long.

Key		Number in decimal, hexadecimal, or binary. The secret

		shared between the ends of a security association.

/Bits		Key length in bits.

Uport		UDP Port between 1 and 65535.

Example:

Command> add sa lu77

Command> set sa lu77 proxy-tunnel

Command> set sa lu77 proxy-localport 1050

Command> set sa lu77 proxy-destport 1051

Command> set sa lu77 proxy-secret 0x123456789/64

_______ Configuring Security Profiles

A security profile defines the security association and policy 

filter used on a router interface. A profile can be attached directly to 

a network interface, user, or location, or can be assigned to a user  

with RADIUS. Security profiles use the security association and policy  

filters to transfer packets. Profile names can be up to 15 characters 

long.

Use the following commands to configure security profiles:

  show table sec-profile

  show sec-profile Profile

  show ipsec statistics

  add sec-profile Profile

  delete sec-profile Profile

  set Ether0 | S0 | W1 ipsec active-profile Profile

  set user Username ipsec active-profile Profile

  set location Locname ipsec active-profile Profile

  set sec-profile Profile blank

  set sec-profile Profile Profilerule pfilter | policy-filter Filtername |

none

  set sec-profile Profile Profilerule static-sa  Saname | none

  set Ether0 | S0 | W1 ipsec outsource-profile Profile

  set user Username ipsec outsource-profile Profile

  set location Locname ipsec outsource-profile Profile

  set Ether0 | S0 | W1 ipsec pda drop | icmp reject | passthrough

  set user Username ipsec pda drop | icmp reject | passthrough

  set location Locname ipsec pda drop | icmp reject | passthrough

Profile		Security profile name up to 15 characters long.

Profilerule	Rule number between 1 and 20.

Filtername	Policy filter name up to 15 characters long.

Saname		Security association name up to 15 characters long.

________ Displaying Security Profile Information

The "show table sec-profile" command displays a summary of 

all the security profiles.

The "show sec-profile Profile" command displays information about the

security profile named.

The "show ipsec statistics" command displays a summary of all the

security profiles and the traffic generated:

Router	Profile	Sec-AssocMode	In-pktsOut-pktsIn-BadOut-Dropped

PortType		Name				Pkts  	Pkts

--- ------------------------------------------------------------------

ether0	Active-pr	local	sec-ip	3678	4534	0	0

ptp0	Active-pr	remote	ipip	2987	3768	0	0

_______ Adding Security Profiles

Use the following command to add a security profile:

  add sec-profile Profile

Profile	Security profile name up to 15 characters long.

_______ Deleting Security Profiles

Use the following command to delete a security profile:

  delete sec-profile Profile

Profile	Security profile name.

_______ Setting Security Profiles

Use the following commands to configure a security profile after

adding it:

  set sec-profile Profile Profilerule policy-filter Filtername | none

  set sec-profile Profile Profilerule static-sa Saname | none

A profile can be an active profile, a passive profile, or an outsource

profile.

You assign an active profile to a user, location, or interface that is

configured as an end point of a tunnel. An active profile is applied to

outbound traffic and identifies a set of peers with which the

PortMaster knows how to communicate.

Passive profiles are not supported in this release.

You assign an outsource profile to a user, location, or interface that

is not configured as an end point of a tunnel. An outsource profile

refers to security associations established from any port of the

PortMaster, based on the inbound traffic on a port. The policies set

are based on the wire traffic, just as with the policies on other

profiles.

_______ Policy Filters

Policy filters determine which data the PortMaster sends through its

security profiles. Policy filtering takes place right before the

PortMaster routes a packet. The packet is compared against all the

defined policy filters in a security profile. If none apply, the packet

is routed as usual, without any VPN processing.

NOTE: You must be very careful to not create security filters that

might overlap each other in their coverage. For example, IP address

ranges in two filters might overlap. If two filters overlap, only one

security association is applied to the packet and you cannot determine

which one.

Policy filters are created like packet filters. For example, to process

all packets destined for the network 10.200.1.0/24, you can create the

following filter:

  add filter internal.sec

  set filter internal.sec 1 permit 0.0.0.0/0 10.200.1.0/24

Then you add and configure your security profile "examplespf":

  set sec-profile examplespf 1 policy-filter internal.sec

You can also selectively process only certain types of traffic and not

others using "deny" statements.  For example, you might use the 

following filter to encrypt all traffic except packets to TCP port 80 

for HTTP:

  add filter internal.sec

  set filter internal.sec 1 deny tcp dst eq 80

  set filter internal.sec 2 permit

A "deny" keyword in a policy filter does not block packets that meet 

its criteria. Instead, the "deny" keeps the security association from 

being applied to those packets and passes the IP traffic through, 

unprocessed. If you want to block the traffic entirely, you must place 

input or output packet filters on the appropriate interface(s).

_______ Policy Deny Action

Use the following commands to determine what to do with packets 

denied by policy filters.

  set Ether0 | S0 | W1 ipsec pda drop | icmp reject | passthrough

  set user Username ipsec pda drop | icmp reject | passthrough

  set location Locname ipsec pda drop | icmp reject | passthrough

drop		The PortMaster drops packets that do not fit the

		security profile. This is the default.

icmpreject	The PortMaster rejects packets that do not fit the 

		security profile and sends an ICMP reject message to 

		inform the remote end of the tunnel.

passthrough	The PortMaster transmits the packets with no VPN

		processing, even if they do not fit the security profile.

_______ Filter Extensions

The IPSec and IPIP protocols use their own protocols on top of IP,

instead of using UDP or TCP. You can filter these protocols in packet

filter rules, as in this example:

  add filter eg