Ref: 99960063
Title: ESD Rel.Note:SW/200-TCP-NCS/2 Ver.3.0 Part#:86-0142-00 Rev.03
date: 05-04-89

Copyright 3Com Corporation, 1991.  All rights reserved.

3Com Corporation
Software Release
SW/200-TCP-NCS/2 Version 3.0
May 4, 1989

Part Number: 86-0142-00
             Revision 03

TO:  CS/200 and CS/210 Users
FROM: 3Com Corporation
SUBJECT: SW/200-TCP-NCS/2 Version 3.0
DATE: May 4, 1989

Enclosed is a distribution tape cartridge containing SW/200-TCP-NCS/2
Version 3.0 (Part Number: 83-0135-00) for use with CS/200s and CS/210s
that are booted from an NCS/2.

This release memo describes how to prepare your Series/200 server to
use SW/200-TCP-NCS/2 Version 3.0.  It also describes the new features,
bugs fixed, limitations, and known problems in this version of SW/200-
TCP-NCS/2.

** NOTE **

3Com changed its software version numbering scheme in early 1989.
Instead of using a five-digit number, such as 20060, 3Com now uses
two- or three-digit numbers, such as 2.2 and 2.21.  Higher version
numbers represent more recent releases.  For example, 2.21 is more
recent than 2.2, 2.2 is more recent than 20060, and 20060 is more
recent than 20000.

Compatibility

SW/200-TCP-NCS/2 Version 3.0 operates with the following products and
software releases:

 CS/1 running SW/1-TCP Version 20000 or later
 CS/1 running SW/20-TCP Version 3.0 or later
 CS/50 running SW/50-TCP Version 3.0 or later
 IB/3 running SW/20-IB Version 11000 or later
 NCS/2 running SW/2-NCS Version 2.0 or later
 NCS/AT running SW/AT-NCS Version 2.0 or later
 CS/210 running SW/200-TCP-CS/210 Version 3.0 or later
 CS/100 running SW/100-TCP Version 3.0 or later
 Personal computer running SW/1-PCS Version 20000 or later.

Table 1 illustrates the hardware and firmware compatibility
requirements of SW/200-TCP-NCS/2 Version 3.0.

 Table 1  Hardware/Firmware Compatibility

 Product   Software                       Firmware

 CS/210    SW/200-TCP-NCS/2 Version 3.0   F2 MMON 01D
           or later
 CS/200    SW/200-TCP-NCS/2 Version 3.0   C1 MMON 01C
           or later
 CS/200-B  SW/200-TCP-NCS/2 Version 3.0   D2 MMON 00B
           or later

** NOTE **

You must press the Return key after you type each command described
in this release memo.

Refer to Chapter 3 of the TCP/IP Connection Service User's Guide for
an explanation of the notation used in commands referenced in this
release memo.

Installation

If you want to make a backup copy of the software, use the tapecopy
utility on the NCS/2 to make the copy.

Because your Series/200 server is booted from an NCS/2, you must
install SW/200-TCP-NCS/2 Version 3.0 on the NCS/2.  Refer to the
section Installing Client Server Software in the NCS/2 Installation
Guide for this procedure.

The tape cartridge containing SW/200-TCP-NCS/2 Version 3.0 has the
following files:

 /usr/ncs/BIN/cs200t.3.0  - image
 /usr/ncs/BIN/cs200l - loader
 /usr/ncs/bin/sgn/sgncs200t12 - sysgen
 /usr/ncs/local/cmac_install
 /usr/ncs/local/cmac_uninstall
 /usr/ncs/local/cmac_src_unpac
 /usr/ncs/local/mac_src_inkinstall

The last four files on this list are conditional macros.

Binding the Series/200 Server to the NCS/2

Your Series/200 server must be bound to the NCS/2 before it can boot
from the NCS/2.  Follow these steps to bind your Series/200 server to
the NCS/2 using the new loaderfile option on the NCS/2.

If your server is already bound to the NCS/2, start at step 1.
Otherwise, continue on to step 3.

1. Enter the UNBind command on the NCS/2 by typing:

 unb <address>

 where address is the Internet address of your server.

This command removes your Series/200 server from the list of servers
bound to the NCS/2.

The system prompts you to indicate whether you wish to remove the
client server's global parameter, Internet address, and configuration
files from the NCS/2 disk.

2. Type "n" to save your configurations.

3. Enter the BInd command on the NCS/2 by typing:

 bi <Ethernet address> <Internet add.> -f cs200t.3.0 -l cs200l [<nports>]

This binds the Series/200 server to the NCS/2.  In this command, "l"
refers to the new loaderfile option and "cs200l" is the name of the
loaderfile.

If you do not specify the last argument, nports, the NCS/2 creates
port configurations for the maximum number of ports on your
Communications Server.

New Features

The following features, which were not available in SW/200-TCP-NCS/2
Version 20100, have been implemented in SW/200-TCP-NCS/2 Version 3.0.
Refer to the TCP/IP Connection Service User's Guide for more
information on these features.

Access control is available on all Communications Servers that are
booted from an internal diskette, an NCS/AT, or an NCS/2.  It is not
available on a Communications Server that is booted from an NCS/150.

Access control services are provided on the NCS and supported by your
Communications Server.  Access control is disabled by default but it
can be enabled from the Sysgen program on your NCS/2.

The Sysgen program now includes Access Control Parameters and Remote
Access Parameters to support access control on your Series/200
server.  Refer to the section Sysgen Changes in this release memo for
a complete description of these parameters.

The network manager maintains the access control database on the NCS.
Refer to the NCS/2 Operation Guide for information on maintaining the
database and on the new utilities that have been provided on the NCS
for this purpose.

In addition, the following access control parameters and commands
have been implemented in SW/200-TCP-NCS/2 Version 3.0.  Your privilege
level must be set to local or global network manager to use these
commands or set these parameters.

The DefaultLoginName parameter specifies the default user login name
assigned to a port.  This default user name should be defined along
with other user names in the access control database on the NCS.

Before you can set the DefaultLoginName parameter, you must set the
TermPortDefLogin parameter in Sysgen.

The SECurityServerAddress parameter specifies the Internet address of
the NCS, which provides user authentication during login and network
access control services.  If no address is assigned, the address of
the server's File Server is used.

The SHow InternetServers command also shows the address of the
Security Server on servers that use access control.

The SHow LOgins command shows the name of the user logged in to each
port on a Communications Server.  The user name is displayed whether
the login is done by a user or by automatic default login.

The access control service is transparent to network users except for
the following steps:

 - A user enters a user name and password before attempting to
 establish a connection to a resource.

The user name is entered at the "Network Login:" prompt, which
appears on the screen when the terminal is first powered on, and the
password at the "Password:" prompt.  The PassWord command allows a
user to change his password.

 - A user enters the LOgout command when disconnecting from the
 network.  This command disconnects all sessions and prevents
 unauthorized access to resources on the network.

If a user tries to connect to a resource to which he does not have
authorized access, the following message appears:

 access to resource denied

Both user names and passwords are maintained in the access control
database on the NCS.

A new parameter, # of keep alive packets, has been added to the TCP
Parameters Menu in Sysgen.  This parameter determines the number of
packets transmitted to maintain a connection before it is terminated.
The possible values of this parameter are from 0 through 10
(hexadecimal) and the default value is 0.

For example, if this parameter is set to 8, the connection is
terminated after eight keep alive packets have been sent.  When this
parameter is set to 0, the connection is maintained indefinitely.

The interval between the transmission of keep alive packets is from
45 to 60 seconds.

Another new parameter, maximum window size, has been added to the
TCP Parameters Menu in Sysgen.  The maximum window size parameter
enables you to change the window size for transmission and reception.
The default window size is 1,024 bytes (400 hexadecimal).  This
parameter can be set to hexadecimal values from 1 to 1000.

A new set of audit trail messages has been implemented for
Communications Servers that use access control.

The audit trail record codes, IX for ICMP transmitted and IR for ICMP
received, now display more information to aid in network fault
analysis.

Refer to the NCS/2 Operation Guide for a description of the revised
audit trail messages and record codes.

Additional features have been provided to support Hewlett Packard
devices.  These include default parameter settings, context-sensitive
flow control, and spare XON forwarding.

The SHow SESsion command has a new option, M.  This option displays
the Internet address and the TCP port number on the destination side
of a connection.  The new syntax for the SHow SESsion command is as
follows:

 SHow (!<port number>) SESsion M

For example, if you enter this command:

 sh (!1) ses m

the screen display generated is similar to the following:

 CONCTD from 192.9.205.071:099:006

This display shows that port 1 of the host server is connected from
port 6 of a Communications Server with the address of 192.9.205.071.
The number immediately following the Internet address ("099" in this
example) can be disregarded.

This feature only works if the destination server is a Communications
Server manufactured by 3Com.

In accordance with the latest updates in the TCP/IP implementation
of the Berkeley release 4.3 of the UNIX operating system, this
version has implemented retransmission and round-trip algorithms,
delayed acknowledgements, superior silly-window avoidance behavior,
and improved timer handling and disconnection procedures.

The effects of these implementations include higher data throughput
and a reliable connection procedure.

When entering commands in remote mode, the response timeout period
has been increased from 12 to 28 seconds.  This is particularly
useful for Communications Servers that are booted from an NCS/2,
which often requires a response time of more than 12 seconds.

The LongBReakAction parameter is now available for both host and
terminal ports.  Previously this parameter could not be set for host
ports.  For more information on this parameter, refer to the TCP/IP
Connection Service User's Guide.

Sysgen Changes

Two new options have been added to the Sysgen program to support
access control on your Series/200 server.

Invoke the sysgen utility on the NCS/2 by typing the following
command:

sysgen cs200t.3.0

The main sysgen menu is displayed.

The new options, Access Control Parameters and Remote Access
Parameters, have been added to the Module Select Menu in the Sysgen
program.  The following is the new module select menu:

Module Select Menu

1. Kernel Parameters

2. Data Link Parameters

3. IP Parameters

4. TCP Parameters

5. User Interface Parameters

6. Virtual Terminal Parameters

7. Statistics Monitoring Parameters

8. Service Listener Port List

9. Access Control Parameters

A. Remote Access Parameters

(ESC to return to main menu) Select module:

Access Control Parameters

Select 9 from the Module Select Menu to display the Access Control
Parameters menu.  The following menu is displayed:

Access Control Parameters

Parameter     Current Value

1. Acs Ctl Enable(0=Dis, 1=Ena)  0x0

2. TermPortDefLogin     *
  (`-` disabled, `*` enabled, <name> restricted)
  (ESC to return to previous menu)
  Enter selection:

Type "1" at the "Enter Selection:" prompt to enable access control.
Enabling access control restricts access to the resources on your
network and prevents unauthorized access to the network and network
resources.  Access control is disabled by default.

Type "2" at the "Enter Selection:" prompt to set the TermPortDefLogin
parameter.  This parameter allows automatic user default logins on
terminal ports of a Communications Server.  The TermPortDefLogin
parameter can be set to the following values:

Disabled is the default value.  When this parameter is disabled, no
default logins are allowed on terminal ports.  The user must type
in the password and the username.  If the SETDefault
DefaultLoginName command is entered on a terminal port after
this parameter has been disabled, the system responds with the
following message:

 Terminal Port Default Login disabled

Type "-" to set the TermPortDefLogin parameter to disabled.

The value enabled allows the global network manager to define any
name as an automatic login name for a terminal port with the
SETDefault DefaultLoginName command.  Once the default login name is
set for a terminal port, the user must either use the Listen command
on the port before the automatic login can take place or reboot the
server so that both host and terminal ports that have a default login
name defined automatically log in.

The network manager must ensure that for each default login name
defined for a terminal port there is an entry in the access control
database on the NCS.

Type "*" to set this parameter to enabled.

The value "<name> restricted" specifies a name in Sysgen that must
be used for automatic user default login for a terminal port.

For example, type "zzz" to specify that only the name zzz can be used
for automatic user default login.  After the name has been specified
in Sysgen, the global network manager must use the SETDefault
DefaultLoginName command to define this name, and only this name, as
the default user login name for that terminal port.

The sysgenned name must always be used when setting up automatic
default logins for terminal ports.  After you define the automatic
default login name for the specified port with the SETDefault
DefaultLoginName command, you must enter the Listen command or reboot
the server so that the login can take place.

If you try to set the DefaultLoginName parameter to any other value
besides the sysgenned name, the following message is displayed:

Terminal port default login restricted to name:  <sysgenned name>

** NOTE **

This option allows the user to have transparent logins by defining
just one username in the NCS database instead of defining individual
names.  This is useful on large networks.

You can display both host and terminal port default login names by
entering the SHow DefaultLoginName command.

Type "3" at the "Enter Selection:" prompt on the Access Control
Parameters menu to define or change the address of the security
server.

The Security Server Address parameter only appears on a Communications
Server that boots from an internal diskette.

Remote Access Parameters

The remote access parameters allow you to restrict the devices that
can access your Communications Server with the REMOTE command.

You can grant access to all devices, a group of devices, or individual
devices.

Select A from the Module Select Menu to display the Remote Access
Parameters Menu:

Remote Access Parameters

1. Access Level  (Any device)

2. Enter Device Addr here
   (ESC to return to previous menu)
    Enter selection:

The Access Level parameter can be set to the following values.  The
address list consists of individual device addresses defined by the
"Enter Device Addr here" option on the Remote Access Parameters menu.

 any device
 address list only
 address list plus subnetwork
 address list plus network

Select item 1 from the Remote Access Parameters menu to set this
parameter.  The screen prompts you as follows:

 (ESC to return to previous menu)
 Enter selection: 1
 Choose 0(any), 1(address list), 2(also subnet) or 3(also  network):

 - Select 0 to enable all devices on the network to access the
 Communications Server.  This is the default value.
 - Select 1 to allow only the devices listed in the address list to
 access the Communications Server.
 - Select 2 to allow all devices specified in the address list and all
 devices on the local subnetwork to access the Communications
 Server.
 - Select 3 to allow all devices specified in the address list and all
 devices on the local network to access the Communications Server.

Select item 2, Enter Device Addr here, to create the address list.
The system displays the following:

 Enter an Internet address:

If you enter a valid Internet address, the new address and the value
of the Access Level parameter appear on the screen and you are
prompted to add the next address.

For example, if you enter the valid Internet address 192.9.200.34,
the following is displayed:

 Remote Access Parameters

 1. Access Level   Address List

 2. Device IP addr 1  192.9.200.34

 3. Enter Device Addr here
    (ESC to return to previous menu)
    Enter selection:

The address list can contain up to three addresses.  The system
automatically numbers and lists the device addresses as you enter
them.

For example, if you define three addresses, the screen display will
be similar to the following:

 1.  Access Level   Specified Addresses

 2.  Device IP addr 1  192.9.200.45

 3.  Device IP addr 2  192.9.201.33

 4.  Device IP addr 3  192.9.201.22

In this example, the address list consists of the three addresses
listed above.  To delete a device address from the address field,
select option 2, 3, or 4 and then enter 0.0.0.0 or x in the address

If you wish to prevent all other devices from accessing your
Communications Server via the REMOTE command, set the Access Level
parameter to "address list," and check that there are no entries in
the address list.
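
The four Access Level values and the address list, modelled as an added
example that is not 3Com's code.  The subnet mask argument, the classful
reading of "local network," and the names remote_allowed and review are
assumptions; the sample addresses are constructed.

```python
import ipaddress

# Access Level values, numbered as at the Sysgen prompt.
ANY, LIST_ONLY, LIST_PLUS_SUBNET, LIST_PLUS_NETWORK = 0, 1, 2, 3
MAX_LIST_ENTRIES = 3  # the memo allows up to three addresses


def classful_prefix(addr):
    """Prefix length of the class A/B/C network containing addr.

    Assumption: "local network" means the server's classful network.
    """
    first_octet = int(ipaddress.IPv4Address(addr)) >> 24
    if first_octet < 128:
        return 8
    if first_octet < 192:
        return 16
    if first_octet < 224:
        return 24
    raise ValueError("class D/E addresses have no classful network")


def remote_allowed(source, level, address_list, server_ip, subnet_mask):
    """Decide whether `source` may reach the server with REMOTE."""
    if len(address_list) > MAX_LIST_ENTRIES:
        raise ValueError("address list holds at most three entries")
    if level not in (ANY, LIST_ONLY, LIST_PLUS_SUBNET, LIST_PLUS_NETWORK):
        raise ValueError("unknown access level")
    src = ipaddress.IPv4Address(source)
    if level == ANY:
        return True
    if src in {ipaddress.IPv4Address(a) for a in address_list}:
        return True
    if level == LIST_ONLY:
        return False  # with an empty list this denies every device
    # Levels 2 and 3 widen access beyond the list to a whole address range.
    if level == LIST_PLUS_SUBNET:
        mask = subnet_mask
    else:
        mask = classful_prefix(server_ip)
    local = ipaddress.IPv4Network(f"{server_ip}/{mask}", strict=False)
    return src in local


def review(level, address_list):
    """Flag settings a network manager should look at twice."""
    findings = []
    if level == ANY:
        findings.append("default level: any device may use REMOTE")
    if level in (LIST_PLUS_SUBNET, LIST_PLUS_NETWORK):
        findings.append("address list is not the only way in")
    if level == LIST_ONLY and not address_list:
        findings.append("REMOTE is closed to all devices")
    return findings


if __name__ == "__main__":
    # Constructed sample: a class B server with an assumed 24-bit subnet.
    server, mask = "129.213.1.1", "255.255.255.0"
    allowed = ["192.9.200.45"]
    for level in (ANY, LIST_ONLY, LIST_PLUS_SUBNET, LIST_PLUS_NETWORK):
        for src in ("192.9.200.45", "129.213.1.7", "129.213.2.7"):
            verdict = remote_allowed(src, level, allowed, server, mask)
            print(level, src, "allow" if verdict else "deny")
        print(level, review(level, allowed))
```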

Bugs Fixed

The following problems, which existed in previous versions of SW/200-
TCP-NCS/2, have been solved in SW/200-TCP-NCS/2 Version 3.0.  These
problems and their resolutions are described below.

If you attempt to save default port parameters in a non-numbered
file and you do not have global network manager privilege level, the
system now displays the error message "Insufficient privilege" after
you enter the SAve command.

Previously, this message or the system prompt was not displayed until
you pressed the Break key.

Only a global network manager can save default port parameters in a
non-numbered file.

The Domain name resolver no longer attempts to search infinitely for
a canonical name when two canonical names that are aliases for each
other have been defined by error in the Domain name server database,
and you specify one of these names with the Connect or SHow NAme
command.

Previously, you had to reboot the server to terminate this infinite
loop.
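
The alias loop described above, as an added example that is not 3Com's
resolver code: a canonical-name lookup that stops on a repeated name or
after a hop limit instead of searching forever, plus a check of the whole
name table.  The table contents, MAX_HOPS, and all function and class
names are assumptions constructed for illustration.

```python
MAX_HOPS = 8  # assumed limit on the length of an alias chain


class ResolveError(Exception):
    """Base class; `chain` lists the names visited, in order."""

    def __init__(self, chain):
        super().__init__(" -> ".join(chain))
        self.chain = chain


class NameNotFound(ResolveError):
    pass


class AliasLoop(ResolveError):
    pass


class AliasChainTooLong(ResolveError):
    pass


# Constructed name table: name -> ("CNAME", target) or ("A", address).
RECORDS = {
    "printer.example": ("CNAME", "lp1.example"),
    "lp1.example": ("A", "192.9.200.34"),
    # Two canonical names defined by error as aliases for each other.
    "hosta.example": ("CNAME", "hostb.example"),
    "hostb.example": ("CNAME", "hosta.example"),
}


def normalize(name):
    """Compare names case-insensitively and without a trailing dot."""
    return name.lower().rstrip(".")


def resolve(name, records=RECORDS, max_hops=MAX_HOPS):
    """Return (canonical_name, address) or raise a ResolveError."""
    chain = [normalize(name)]
    while True:
        record = records.get(chain[-1])
        if record is None:
            raise NameNotFound(chain)
        rtype, value = record
        if rtype == "A":
            return chain[-1], value
        target = normalize(value)
        if target in chain:
            # The next alias was already visited: stop instead of looping.
            raise AliasLoop(chain + [target])
        if len(chain) > max_hops:
            # No repeat yet, but the chain is longer than we will follow.
            raise AliasChainTooLong(chain + [target])
        chain.append(target)


def lint(records=RECORDS):
    """Map each name that never reaches an address to the reason why."""
    bad = {}
    for name in sorted(records):
        try:
            resolve(name, records)
        except ResolveError as exc:
            bad[name] = type(exc).__name__
    return bad


if __name__ == "__main__":
    print(resolve("printer.example"))
    print(lint())
```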

Previously, if you entered the command, SH NAmes or SH NAmes *, the
Domain name server failed to respond and the system crashed after the
timeout period had expired.

These commands are no longer valid so you must specify a name.  If
you attempt to issue these commands without specifying a name, the
following error message appears:

 can only show unique Domain names

You can now establish interconnections properly.  Previously, when
certain interconnections were requested, the system crashed.

You can now specify the local broadcast address when you enter the
global network manager form of the Broadcast command without
disrupting the network.  Previously, this command caused extremely
heavy traffic on the network.

The SHow LinePRotocol command now displays correct information.
Previously, it always showed the value of the LinePRotocol parameter
as BYTEsynchronous.

Also, you can no longer change the value of this parameter with the
SETD command.

You can now simultaneously execute three or more recursive macros
that contain Connect and DisConnect commands.  Previously, the system
crashed within three hours of invoking the macros.

Setting the NetAscii parameter of a port to UseNul no longer causes
spurious ^A characters to be inserted in the data stream sent to that
port.

Your Communications Server now consistently passes special
characters, for example, <CR>, as data.  Previously, it often failed
to do this in incoming connections, and processed them instead.

When the DataForward parameter is set as the result of an echo
negotiation by a destination server using the Telnet protocol, it no
longer automatically changes to None after the echo has been
negotiated.

An error, which caused the Domain name resolver to fail to respond
to inquiries under certain circumstances, has been corrected.

This version attempts to establish connections to permanent circuits
(PVCs) according to the order in which the connection requests are
received.  Previously, priority was always given to the attempt to
connect to the lowest numbered PVC.

Also, you can successfully establish more than one PVC.  Previously,
you could not reliably do this.

Domain name requests are sent to the NCS address specified by the
FileServerAddress parameter if both the PrimaryNS and SecondaryNS
parameters are not defined.

Previously, no alternative address was available to respond to these
requests.

Network errors are now recorded in the audit trail record with the
code "NE."  Previously, they were coded as "EE."

The boot time displayed by the SHow VERsion command now displays the
actual boot time.

Previously, the time was computed.

Previously, you could not perform certain file transfer tasks if,
after establishing a connection, you disabled the ECM character with
the following command:

 SET ECMchar = disabled

For example, if you attempted to transfer files from a personal
computer, setting this parameter sometimes caused data loss.  This
resulted in failure of the file transfer.

This problem has been fixed.

The session number field in the audit trail messages coded CD and DC
has been replaced by a four-digit field which indicates the TCP
protocol port number.

Previously the session number field always displayed 0, regardless of
the session number.

You can no longer assign an Internet address beginning with 127 to a
Communications Server or a port.  This number is reserved for loopback
according to the TCP/IP protocol specification.

If you attempt to assign an Internet address beginning with 127, the
following error message is displayed:

 Address cannot be broadcast at loopback.

Also, you must reassign existing Internet addresses beginning with
127.

When two Communications Servers on the network have the same
Internet address, you can now issue commands from a source server
that specify the source server as the destination.

Previously, for example, if ServerA and ServerB had the same Internet
address and you issued the PIng command from ServerA, ServerB was
pinged instead of ServerA.

A problem with the Domain name resolver, which arose on
Communications Servers on which the maximum number of sessions was
being held, has been corrected.

Previously, for example, if you entered the Name or Connect command
on a Series/200 server, on which the maximum number of sessions was
being held, the Domain name resolver did not respond and the
following error message was displayed:

 No memory resource

Even if the number of sessions was reduced, the Domain name resolver
still did not respond.

When forwarding data, the Telnet code now removes the ASCII control
character NUL when it follows the control character CR.  Previously,
it failed to do this, which caused data forwarding problems when
Telnet was used in conjunction with the Berkeley 4.3 release of the
UNIX operating system.

A problem that arose when users connected via a dial-in modem to a
CS/200 or CS/210 has been corrected.

Previously, for example, if user A failed to complete the
autobaud-autoparity sequence, that is, <Return . Return>, and user B
whose terminal had a different baud rate setting subsequently
attempted to connect to the same server, User B could not make a
successful connection.  This was because the server failed to properly
disconnect User A.

The CS/210 or CS/200 running Version 3.0 can now reinitialize itself
in such circumstances and successfully establish User B's connection.
However, in order for it to do this, the UseDTR parameter must be set
to AsDCD and the DCD option on the modem must be set to drop the DCD
signal on disconnection.

The CS/210 or CS/200 no longer crashes if you do the following:

 - Enter the Connect command
 - Enter the ECM character
 - Set the BReakAction parameter to IGnore and the BReakChar parameter
   to ^C
 - RESume the session
 - Press and hold down the Control key and the "c" key simultaneously.

Limitations

Version 3.0 has the following limitations:

You cannot execute port specific commands that specify the Internet
address of a destination server port number that is the same as the
address of the destination server itself.

For example, if the port number address 129.213.1.1 is defined on a
server with the same address and you enter the following command:

 Listen (129.213.1.1)

 the following error message is displayed:

 Invalid remote command

You can change the virtual port configurations with the SETDefault
command only on the first virtual port on your Communications
Server.  If you attempt to change other virtual port configurations
with this command, the following error message is displayed:

 Portid out of range

Also, if you change the configurations for the first virtual port,
you must enter the ReaD command before the changes can take effect.
These changes take effect on all virtual ports.

A CS/200 that uses access control normally performs a default login
on a host or terminal port.  However, if you add a port to a rotary,
you must use the Listen command on the rotary before it can accept
an incoming connection on the newly added port.

Known Problems

SW/200-TCP-NCS/2 Version 3.0 has the following known problems:

When using the IEN116 Name Server, the command SHow (<name>) VERSion
does not function correctly if <name> is defined on a secondary name
server but not on a primary name server.

If, when entering a macro, you press the Break key before the macro
input has been fully entered, the portion of the macro that has been
entered is executed.  Consequently, an error message is usually
displayed.

To prevent this, after you press the Break key while typing a macro,
press the Return key twice before entering the next command.

If the server has terminal port default login enabled, it may take
up to 10 seconds after the server has booted before those ports are
logged into the security server.  If a key is pressed during the 10
seconds after the server has booted, it is possible that the port's
default login has not yet completed, and the "Network Login:" prompt
will appear.  If this occurs, wait until that login times out and the
(@) is displayed.  At that point, default login will occur normally.
To avoid the problem, wait for 10 seconds after the boot state LED on
the server has gone off before using the keyboard on any terminal
ports with default login defined.

Documentation

The following manuals are shipped with SW/200-TCP-NCS/2 Version 3.0:

 TCP/IP Connection Service User's Guide (3/89)
 (Part Number: 09-0173-00)

 Network Management Guide (9/87)
 (Part Number: 09-0067-02)

 Getting Started Guide (2/87)
 (Part Number: 09-0043-01)

 Configuration Guide (2/88)
 (Part Number: 09-0093-01)

 TCP/IP Connection Service Quick Reference Guide (3/89)
 (Part Number: 09-0165-00)

For more information on the Series/200 server and network planning,
refer to the following:

 Series/200 Installation Guide (6/88)
 (Part Number: 09-0151-00)

 NCS/2 Installation Guide
 (Part Number: 09-0159-00)

 NCS/2 Operation Guide
 (Part Number: 09-0171-00)

 LAN Planning Guide (2/88)
 (Part Number: 09-0085-01)

If you have any questions, contact your network supplier or 3Com for
help.

Trademarks

UNIX is a registered trademark of AT&T Bell Laboratories.
