Ref: 99960053
Title: ESD Release Note:SW/20-TCP ver.3.0 Part#:86-0136-00 Rev.02
date: 05-04-89

Copyright 3Com Corporation, 1991.  All rights reserved.

3Com Corporation
Software Release
SW/20-TCP Version 3.0
May 4, 1989

Part Number: 86-0136-00
Revision: 02

TO:  CS/1 Users
FROM: 3Com Corporation
SUBJECT: SW/20-TCP Version 3.0
DATE: May 4, 1989

Enclosed is a distribution diskette containing SW/20-TCP Version 3.0
(Part Number: 86-0161-00).  This software runs on a CS/1 with an
MCPU20 board.

This release memo describes the compatibility requirements of
SW/20-TCP Version 3.0 and the procedures for upgrading from SW/20-TCP
Version 20000 and for making a copy of the distribution diskette.  It
also describes the new features, bugs fixed, limitations, and known
problems in this version of SW/20-TCP.

** NOTE **

3Com changed its software version numbering scheme in early 1989.
Instead of using a five-digit number, such as 20060, 3Com now uses
two- or three-digit numbers, such as 2.2 and 2.21.  Higher version
numbers represent more recent releases.  For example, 2.21 is more
recent than 2.2, 2.2 is more recent than 20060, and 20060 is more
recent than 20000.

Compatibility

SW/20-TCP Version 3.0 operates with the following products and
software releases:

 CS/1 running SW/1-TCP Version 20000 or later
 CS/50 running SW/50-TCP Version 3.0 or later
 IB/3 running SW/20-IB Version 11000 or later
 NCS/2 running SW/2-NCS Version 2.0 or later
 NCS/AT running SW/AT-NCS Version 2.0 or later
 CS/200 running SW/200-TCP Version 20000 or later
 CS/210 running SW/200-TCP-CS/210 Version 3.0 or later
 CS/100 running SW/100-TCP Version 3.0 or later
 Personal computer running SW/1-PCS Version 20000 or later

Table 1 illustrates the hardware and firmware compatibility
requirements of SW/20-TCP Version 3.0.

Table 1  Hardware/Firmware Compatibility For SW/20-TCP Version 3.0

 Product Firmware
 ================
 SIO-8  MCPU20  EC/2  IBC/M  TRC/M

 CS/1 M0 ASYN 15A M3 MMON 00D M0 EDL2 00A N/A  N/A
 M1 SYNC 01C M1 IECM 01F

 CS/1-B M0 ASYN 15A M3 MMON 00D N/A M2 IBCM 00E N/A
 M1 SYNC 01C

 CS/1-TR  M0 ASYN 15A M3 MMON 00D N/A N/A No PROMs
 M1 SYNC 01C

If an Ethernet controller is used with the MCPU20-based CS/1, it must
be an EC/2 board with 512 kilobytes of RAM.  Also, an MCPU20 must
operate with a 96 TPI disk drive.

Hardware and Firmware Requirements of SIO-16 Boards

The following requirements must be met if your CS/1 running
SW/1-TCP-NCS/AT Version 3.0 is equipped with one or more SIO-16 boards:

The M1 MMON PROM Rev. 01G or later is required on the MCPU board.

An EC/2 with 512K memory, TRC/M, or IBC/M board must be installed on
the CS/1.

If the CS/1 is equipped with three or four SIO-16 boards, the MCPU
board must be upgraded to 12 MHz.  If it is equipped with one or two
SIO-16 boards, a 10 MHz MCPU board can be used.

SIO-16 software must be version 11070 or later.

** NOTE **

You must press the Return key after you type each command described in
this release memo.

Refer to Chapter 3 of the TCP/IP Connection Service User's Guide for
an explanation of the notation used in commands referenced in this
release memo.

Upgrading your Software to SW/20-TCP Version 3.0

If your CS/1 is currently running SW/20-TCP Version 20100, use the
following procedure to upgrade your software to SW/20-TCP Version 3.0:

1.  Attach a terminal to the console port of the CS/1.

2.  Insert the diskette containing SW/20-TCP Version 20100 in the disk
drive.

3.  Press the Reset switch.

4.  Type the following command at the monitor prompt (>):

 r 216 4004000 ba00

This copies the macros, globals, and configurations files from the
Version 20100 diskette to memory.  When the monitor prompt appears,
remove the diskette and store it in a safe place.

5. Insert the distribution diskette containing SW/20-TCP Version 3.0
in the disk drive.

6. Type the following command:

 w 429 4004000 3200

 and then type:

 w 442 4008000 7200

These commands restore the data copied from the diskette containing
SW/20-TCP Version 20100 to the distribution diskette containing
SW/20-TCP Version 3.0.

7. When the monitor prompt appears, remove the newly updated diskette.

8. For each system being upgraded, repeat steps 1 through 7.

** NOTE **

3Com recommends that you make a backup copy of SW/20-TCP Version 3.0.
Use the procedure described below to copy either the distribution
diskette or your working copy of SW/20-TCP Version 3.0.

Copying a Diskette

The following is the procedure for copying a diskette.  The source
diskette refers to the diskette to be copied.

1. Attach a terminal to the console port of the CS/1.

2. Press the Reset switch on the CS/1.

3. Type the following command at the monitor prompt (>):
 co <n>

where n is the number of copies to be made.  The following message
appears on the screen:

 insert master and hit return key

4. Insert the source diskette in the disk drive.  Then press the
Return key.

The following messages appear on the screen if the read completes
successfully:

 reading ... OK
 insert copy 1 and hit return key

In the actual display, the number in the message varies according to
the number of copies you have made.  If the message "read error"
appears instead of the message "OK," contact your network supplier or
3Com for help.

5. Remove the source diskette from the disk drive and store it in a
safe place.

6. Insert a blank, 96-TPI, double-sided, double-density diskette in
the disk drive.  Then press the Return key.

If an error message appears, remove and replace the diskette.  If
errors continue to occur, contact your network supplier or 3Com for
help.

The following messages appear on the screen if the copy completes
successfully.

 formatting ... writing ... verifying ... OK
 copy completed

7. Remove the diskette from the disk drive and label it appropriately.

New Features

The following features, which were not available in SW/20-TCP Version
20100, have been implemented in SW/20-TCP Version 3.0:

Access control is available on the CS/1, but an NCS must be present to
provide access control services.  This NCS is called the security
server.

To use access control, you must specify the address of the security
server on the CS/1, so that when a user attempts to log in, the
appropriate NCS is used to determine whether this user is allowed to
access the network.

The Sysgen program now includes Access Control Parameters and Remote
Access Parameters to support access control on your CS/1.  Refer to
"Sysgen Changes" in this release memo for a description of these
parameters.

Before you boot the CS/1 with Version 3.0 for the first time, use the
Sysgen program to open the Access Control Menu.  Set the Security
Server Address parameter to the address of the NCS acting as the
security server.  Then boot the CS/1.

If you later want to change the security server address, you can
either run the Sysgen program again, or use the SETDefault command to
modify the SECurityServerAddress parameter.  When the CS/1 is
rebooted, the CS/1 uses the NCS specified by the parameter as the
security server.  If the SECurityServerAddress parameter is different
from the Security Server Address parameter in Sysgen, the one that was
changed last before rebooting is used.

The network manager maintains the access control database on the NCS.
Refer to the appropriate NCS operation guide for information on
maintaining the database and on the new utilities that have been
provided on the NCS for this purpose.  In addition, the following
access control parameters and commands have been implemented at local
network manager privilege level in SW/1-TCP-NCS/2 Version 3.0:

The DefaultLoginName parameter specifies the default user login name
assigned to a port.  This default user name should be defined along
with other users in the access control database on the NCS.  Before
you can set the DefaultLoginName parameter, you must set the
TermPortDefLogin parameter in Sysgen.

The SECurityServerAddress parameter specifies the Internet address of
the NCS, which provides user authentication during login, and network
access control services.  If no address is assigned, the address of
the server's file server is used.

The SHow InternetServers command also shows the address of the
Security Server on servers that use access control.

The SHow LOgins command shows the name of the user logged in to each
port on a Communications Server.  The user name is displayed whether
the login is done by a user or by automatic default login.  The
access control service is transparent to network users except for the
following steps:

 - A user enters a user name and password before attempting to
 establish a connection to a resource.  The user name is entered at
 the "NetworkLogin:" prompt, which appears on the screen when the
 terminal is first powered on, and the password at the "Password:"
 prompt.  The PassWord command allows a user to change his or her
 password.

 - A user enters the LOgout command when disconnecting from the
 network.  This command disconnects all sessions and prevents
 unauthorized access to resources on the network.  Both user names and
 passwords are maintained in the access control database on the NCS.

If a user tries to connect to a resource to which he does not have
authorized access, the following error message is displayed:

 Access to Resource denied

A new parameter, # of keep alive packets, has been added to the TCP
Parameters Menu in Sysgen.  This parameter determines the number of
keep alive packets transmitted before a connection is terminated.
The possible values of this parameter are from 0 through 10
(hexadecimal) and the default value is 0.

The interval between transmission of keep alive packets is from 45 to
60 seconds.

For example, if this parameter is set to 8, the connection is
terminated after eight keep alive packets have been sent.  When this
parameter is set to 0, the connection is maintained indefinitely.

Another new parameter, maximum window size, has been added to the TCP
Parameters Menu in Sysgen.  The maximum window size parameter enables
you to change the window size for transmission and reception.  The
default window size is 1,024 bytes.  This parameter can be set to
hexadecimal values from 1 to 400.

A new set of audit trail messages has been implemented for
Communications Servers that use access control.

The audit trail record codes, IX for ICMP transmitted and IR for ICMP
received, now display more information to aid in network fault
analysis.

Refer to the manual appropriate for your NCS for a description of the
revised audit trail messages and record codes.

Additional features have been provided to support Hewlett Packard
devices.  These include default parameter settings, context-sensitive
flow-control and spare XON forwarding.

The SHow SESsion command has a new option, M.  This option displays
the Internet address and the TCP port number on the destination side
of a connection.  The new syntax for the SHow SESsion command is as
follows:

 SHow (!<port number>) SESsion M

 For example, if you enter this command:

 sh (!1) ses m

 the screen display generated is similar to the following:

 CONCTD from 192.9.205.071:099:006

This display shows that the host server is connected from port 6 of a
Communications Server with the address of 192.9.205.071.  The number
immediately following the Internet address ("099" in this example) may
be disregarded.

This feature only works if the destination server is a Communications
Server manufactured by 3Com.

In accordance with the latest updates in the TCP/IP implementation of
the Berkeley release 4.3 of the UNIX operating system, this version
has implemented retransmission and round-trip algorithms, delayed
acknowledgements, superior silly-window avoidance behavior, and
improved timer handling and disconnection procedures.

The effects of these implementations include higher data throughput
and more reliable connections.

When entering commands in remote mode, the response timeout period has
been increased from 12 to 28 seconds.  This is particularly useful
for Communications Servers that are booted from an NCS/2, which often
requires a response time of more than 12 seconds.

The LongBReakAction parameter is now available for both host and
terminal ports.  Previously this parameter could not be set for host
ports.  For more information on this parameter, refer to the TCP/IP
Connection Service User's Guide.

Sysgen Changes

Two new options, Access Control Parameters and Remote Access
Parameters, have been added to the Module Select Menu in Sysgen.  The
following is the new Module Select Menu:

Module Select Menu

1. Kernel Parameters

2. Data Link Parameters

3. IP Parameters

4. TCP Parameters

5. User Interface Parameters

6. Virtual Terminal Parameters

7. Statistics Monitoring Parameters

8. Service Listener Port List

9. Access Control Parameters

A. Remote Access Parameters

(ESC to return to main menu) Select module:

Access Control Parameters

Select 9 from the Module Select Menu to display the Access Control
Parameters Menu.  The following menu is displayed:

Access Control Parameters

Parameter    Current Value

1. Acs Ctl Enable(0=Dis, 1=Ena)  0x0

2.TermPortDefLogin
   (`-` disabled, `*` enabled, <name> restricted)

3. Security Server Address    0.0.0.0
  (ESC to return to previous menu)
  Enter selection:

Type "1" at the "Enter Selection:" prompt to enable access control.
Enabling access control restricts access to the resources on your
network and prevents unauthorized access to the network and network
resources.  Access control is disabled by default.

Type "2" at the "Enter Selection:" prompt to set the TermPortDefLogin
parameter.  This parameter allows automatic user default logins on
terminal ports of a Communications Server.

If this parameter is set to disabled ("-"), which is the default
value, no default logins are allowed on terminal ports.  The user
must type in the password and the username.  If the SETD
DefaultLoginName command is entered on a terminal port after this
parameter has been disabled, the system responds with the following
message:

Terminal Port Default Login disabled

If the TermPortDefLogin parameter is set to enabled ("*"), the global
network manager can define any name as an automatic default login name
for a terminal port with the SETDefault DefaultLoginName command.
Once the default login name is defined for a terminal port, the user
must either use the Listen command on the port before the automatic
login can take place or reboot the server so that both host and
terminal ports that have a default login name defined automatically
log in.

The network manager must ensure that for each default login name there
is an entry in the access control database on the NCS.

The value "<name> restricted" specifies a name in Sysgen that must be
used for automatic user default login on terminal ports.  For
example, type "ZZZ" to specify the name "ZZZ" as the default user
login name.  After the name has been specified in Sysgen, the global
network manager must use the SETDefault DefaultLoginName command to
define this name, and only this name, as the default user login name
for that terminal port.

The sysgenned name must always be used when setting up automatic
default logins for terminal ports.  After you define the automatic
default login name for the specified port, you must enter the Listen
command or reboot the server so that the login can take place.

If you try to set the DefaultLoginName parameter to any other value
besides the sysgenned name, the following message is displayed:

Terminal port default login restricted to name:  <sysgenned name>

** NOTE **

This option allows the user to have transparent logins by defining
just one username in the NCS database as opposed to defining
individual names.  This is useful on large networks.

Use the SHow DefaultLoginName command to display both host and
terminal default login names.

Type "3" at the "Enter Selection:" prompt on the Access Control
Parameters menu to define or change the address of the CS/20's
security server.

The Security Server Address parameter only appears on a Communications
Server that boots from an internal diskette.

Remote Access Parameters

The remote access parameters allow you to specify the addresses of
devices that can access your Communications Server with the REMOTE
command.

You can allow all devices, a group of devices, or individual devices
to have remote access. Select A from the Module Select Menu to display
the Remote Access Parameters Menu:

Remote Access Parameters

 1. Access Level   (Any device)

 2. Enter Device Addr here

    Enter selection:

The Access Level parameter allows you to choose from the following
groups of devices that may have remote access to your Communications
Server.  The address list consists of individual device addresses
defined by the Enter Device Addr Here option on the Remote Access
Parameters Menu.

 any device
 address list only
 address list plus subnetwork
 address list plus network

Select item 1 from the Remote Access parameters to set this parameter.
The screen prompts:

 (ESC to return to previous menu)
 Enter selection: 1
 Choose 0(any), 1(address list), 2(also subnet) or 3(also  network):

 - Select 0 to enable any devices on the network to access the
 Communications Server. This is the default value.
 - Select 1 to allow only those hosts listed in the address list of
 the Remote Access Parameters menu to access the Communications
 Server.
 - Select 2 to allow all devices specified in the address list and all
 devices on the local subnetwork to remote into the Communications
 Server.
 - Select 3 to allow all devices specified in the address list and all
 devices on the local network to access the Communications Server.

Select item 2, Enter Device Addr here, to create the address list.
The system displays the following:

 Enter an IP address:

If you enter a valid Internet address, the new address and the value
of the access level parameter appear on the screen and you are
prompted to add the next address.

For example, if you enter the valid Internet address 192.9.200.34, the
following is displayed:

 Remote Access Parameters
 1. Access Level   Address List
 2. Device IP addr 1   192.9.200.34
 3. Enter Device Addr here
 (ESC to return to previous menu)
 Enter selection:

The address list can contain up to three addresses.  The system
automatically numbers and lists the device addresses as you enter
addresses.

For example, if you define three addresses, the screen display will be
similar to the following:

 1.  Access Level Specified Addresses
 2.  Device IP addr 1  192.9.200.45
 3.  Device IP addr 2  192.9.201.33
 4.  Device IP addr 3   192.9.201.22

In this example, the address list consists of the three addresses
listed above.  To delete a device address from the address field,
select option 2, 3, or 4 and then enter 0.0.0.0 or x in the address
field.

To deny access to all devices on the network, set the access level
parameter to "address list" and check that there are no entries in
the address list.
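
The access-level decision described in this section, written out as an
added Python example (it is not 3Com code).  The subnet mask argument,
the class A/B/C reading of "local network", all function and class
names, and the sample addresses are assumptions made for illustration.

```python
import ipaddress

# Access Level choices as numbered at the Sysgen prompt quoted above.
ANY, LIST_ONLY, LIST_PLUS_SUBNET, LIST_PLUS_NETWORK = 0, 1, 2, 3
MAX_ENTRIES = 3  # "The address list can contain up to three addresses."


def classful_network(addr):
    """Class A/B/C network containing addr (assumed meaning of "local network")."""
    first_octet = int(addr) >> 24
    if first_octet < 128:
        prefix = 8
    elif first_octet < 192:
        prefix = 16
    elif first_octet < 224:
        prefix = 24
    else:
        raise ValueError("class D/E addresses have no classful network")
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)


class RemoteAccessPolicy:
    """Hypothetical model of the Remote Access Parameters menu."""

    def __init__(self, server_addr, subnet_mask, level=ANY):
        self.server = ipaddress.IPv4Address(server_addr)
        # The subnet mask is an assumed input; the memo does not say
        # where the server takes its subnetwork definition from.
        self.subnet = ipaddress.ip_network(
            f"{server_addr}/{subnet_mask}", strict=False)
        self.network = classful_network(self.server)
        self.level = level          # 0 (any device) is the default value
        self.addresses = []

    def add_address(self, text):
        if len(self.addresses) >= MAX_ENTRIES:
            raise ValueError("address list already holds three entries")
        self.addresses.append(ipaddress.IPv4Address(text))

    def permits(self, source):
        """True if a REMOTE request from source would be accepted."""
        src = ipaddress.IPv4Address(source)
        if self.level == ANY or src in self.addresses:
            return True
        if self.level == LIST_PLUS_SUBNET:
            return src in self.subnet
        if self.level == LIST_PLUS_NETWORK:
            return src in self.network
        return False  # list only: an empty list therefore denies everyone

    def admitted_count(self):
        """How many source addresses the current setting lets in."""
        if self.level == ANY:
            return 2 ** 32
        scope = {LIST_PLUS_SUBNET: self.subnet,
                 LIST_PLUS_NETWORK: self.network}.get(self.level)
        if scope is None:
            return len(set(self.addresses))
        outside = {a for a in self.addresses if a not in scope}
        return scope.num_addresses + len(outside)


def demo():
    # Constructed sample: server 192.9.200.10 with mask 255.255.255.192
    # and one listed management station on another network.
    policy = RemoteAccessPolicy("192.9.200.10", "255.255.255.192")
    policy.add_address("192.9.201.33")
    report = {}
    for level in (ANY, LIST_ONLY, LIST_PLUS_SUBNET, LIST_PLUS_NETWORK):
        policy.level = level
        report[level] = (policy.permits("192.9.200.100"),
                         policy.admitted_count())
    return report


if __name__ == "__main__":
    for level, (allowed, count) in demo().items():
        print(level, allowed, count)
```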

Bugs Fixed

Certain problems, which existed in previous versions of SW/20-TCP,
have been solved in SW/20-TCP Version 3.0.  These problems and their
resolutions are described below.

If you attempt to save default port parameters in a non-numbered file
and you do not have global network manager privilege level, the system
now displays the error message "Insufficient privilege" after you
enter the SAve command.

Previously, this message or the system prompt was not displayed until
you pressed the Break key.

Only a global network manager can save default port parameters in a
non-numbered file.

The Domain name resolver no longer attempts to search infinitely for a
canonical name when two canonical names that are aliases for each
other have been defined by error in the Domain name server database,
and you specify one of these names with the Connect or SHow NAme
command.

Previously, you had to reboot the server to terminate this infinite
loop.

Previously, if you entered the command, SH NAmes or SH NAmes *, the
Domain name server failed to respond and the system crashed after the
timeout period had expired.

These commands are no longer valid so you must specify a name.  If you
attempt to issue these commands without specifying a name, the
following error message appears:

 can only show unique Domain names

You can now establish interconnections properly.  Previously, when
certain interconnections were requested, the system crashed.

You can now specify the local broadcast address when you enter the
global network manager form of the Broadcast command without
disrupting the network.  Previously, this command caused extremely
heavy traffic on the network.

The SHow LinePRotocol command now displays correct information.
Previously, it always showed the value of the LinePRotocol parameter
as BYTEsynchronous.  Also, you can no longer change the value of this
parameter with the SETD command.

You can now simultaneously run three or more recursive macros that
contain Connect or DisConnect commands.  Previously, the system
crashed within three hours of invoking the macros.

Setting the NetAscii parameter of a port to UseNul no longer causes
spurious ^A characters to be inserted in the data stream sent to that
port.

The CS/1 now consistently passes special characters, for example,
<CR>, as data.  Previously, it often failed to do this in incoming
connections, and processed them instead.

When the DataForward parameter is set as the result of an echo
negotiation by a destination server using the Telnet protocol, it no
longer automatically changes to None after the echo has been
negotiated.

An error, which caused the Domain name resolver to fail to respond to
inquiries under certain circumstances, has been corrected.

This version attempts to establish connections to permanent circuits
(PVCs) according to the order in which the connection requests are
received.  Previously, priority was always given to the attempt to
connect to the lowest numbered PVC.

Also, you can successfully establish more than one PVC.  Previously,
you could not reliably do this.

Domain name requests are sent to the NCS/AT address specified by the
FileServerAddress parameter if both the PrimaryNS and SecondaryNS
parameters are not defined.

Previously, no alternate address was available to respond to these
requests.

Network errors are now recorded in the audit trail record with the
code "NE."  Previously, they were coded as "EE."

The boot time displayed by the SHow VERsion command now displays the
actual boot time.

Previously, the time was computed.

Previously, you could not perform certain file transfer tasks if,
after establishing the connection, you disabled the ECM character
with the following command:

 SET ECMchar = disabled

For example, if you attempted to transfer files from a personal
computer, setting this parameter sometimes caused data loss.  This
resulted in failure of the file transfer.

This problem has been corrected.

The session number field in the audit trail messages coded CD and DC
has been replaced by a four-digit field which indicates the TCP port
number.

Previously the session number field always displayed 0, regardless of
the session number.

You can no longer assign an Internet address beginning with 127 to a
Communications Server or a port.  This number is reserved for loopback
according to the TCP/IP protocol implementation.  Existing addresses
which start with 127 must be reassigned.

If you attempt to assign an Internet address beginning with 127, the
following error message is displayed:

 Address cannot be broadcast at loopback.

When forwarding data, the Telnet code now removes the ASCII control
character NUL when it follows the control character CR.  Previously,
it failed to do this, which caused problems when Telnet was used in
conjunction with the Berkeley 4.3 release of the UNIX operating
system.

When two Communications Servers on the network have the same Internet
address, you can now issue commands from a source server that specify
the source server as the destination.

Previously, for example, if ServerA and ServerB had the same Internet
address and you issued the PIng command from ServerA, ServerB was
pinged instead of ServerA.

A problem with the Domain name resolver, which arose on Communications
Servers on which the maximum number of sessions was being held, has
been corrected.

Previously, for example, if a CS/20 had the maximum number of
sessions, and you entered the Name or Connect command, the Domain
name resolver did not respond and the following error message was
displayed:

 No memory resource

Even if the number of sessions was reduced, the Domain name resolver
still did not respond.

The system no longer crashes if you perform the following sequence of
steps:

 - Enter the Connect command
 - Enter the ECM character to escape to command mode
 - Set the BreakAction parameter to Ignore and the BreakChar parameter
   to ^C
 - Resume the session
 - Hold the Control and C keys down simultaneously

Limitations

Version 3.0 has the following limitations:

You can change the virtual port configurations with the SETDefault
command only on the first virtual port on your Communications Server.
If you attempt to change other virtual port configurations with this
command, the following error message is displayed:

 Portid out of range

Also, if you change the configurations for the first virtual port, you
must enter the ReaD command before the changes can take effect.
These changes take effect on all virtual ports.

You cannot execute commands that specify the Internet address of a
destination server port number that is the same as the address of the
destination server itself.

For example, if the port number address 129.213.1.1 is defined on a
server with the same address and you enter the following command:

 Listen 129.213.1.1

the following error message is displayed:

 Invalid remote command

Known Problems

SW/20-TCP Version 3.0 has the following known problems:

When using the IEN116 Name Server, the command SHow (<name>) VERSion
does not function correctly if <name> is defined on a secondary name
server but not on a primary name server.

A CS/1 that uses access control normally performs a default login on a
host port.  However, if you add a host port to a rotary, you must use
the Listen command on the rotary for it to be able to accept an
incoming connection on the newly added port.

If, when entering a macro, you press the Break key before the macro
input has been fully entered, the portion of the macro that has been
entered is executed.  Consequently, an error message is usually
displayed.

To prevent this, after you press the Break key while typing a macro,
press the Return key twice before entering the next command.

If the server has terminal port default login enabled, it may take up
to 10 seconds after the server has booted before those ports are
logged into the security server.  If a key is pressed during the 10
seconds after the server has booted, it is possible that the port's
default login has not yet completed, and the "Network Login:" prompt
will appear.  If this occurs, wait until that login times out and the
(@) is displayed.  At that point, default login will occur normally.
To avoid the problem, wait for 10 seconds after the boot state LED on
the server has gone off before using the keyboard on any terminal
ports with default login defined.

Documentation

The following manuals are shipped with SW/20-TCP Version 3.0:

 TCP/IP Connection Service User's Guide (3/89)
 (Part Number: 09-0173-00)

 Network Management Guide (9/87)
 (Part Number: 09-0067-02)

 Getting Started Guide (2/87)
 (Part Number: 09-0043-01)

 Configuration Guide (2/88)
 (Part Number: 09-0093-01)

 TCP/IP Connection Service Quick Reference Guide (3/89)
 (Part Number: 09-0165-00)

For more information on network planning, refer to the following:

 CS/1 Installation Guide (10/87)
 (Part Number: 09-0117-00)

 LAN Planning Guide (2/88)
 (Part Number: 09-0085-01)

If you have any questions, contact your network supplier or 3Com for
help.

Trademarks

UNIX is a registered trademark of AT&T Bell Laboratories.
