Tripp Lite 0 Idades Manual

    Chapter 4: Serial Port, Device and User Configuration
    4.12 IP Passthrough
    IP Passthrough is used to make a modem connection (e.g. the Appliance’s internal cellular modem) appear like a regular Ethernet connection to a third-party downstream router, allowing the downstream router to use the Appliance’s modem connection as a primary or backup WAN interface.
    The Appliance provides the modem IP address and DNS details to the downstream device over DHCP and transparently passes network traffic to and from the modem and router.
    While IP Passthrough essentially turns an Appliance into a modem-to-Ethernet half bridge, some specific layer 4 services (HTTP/HTTPS/SSH) may still be terminated at the Appliance (Service Intercepts). Also, services running on the Appliance can initiate outbound cellular connections independent of the downstream router.
    This allows the Appliance to continue to be used for out-of-band management and alerting while in IP Passthrough mode.
    4.12.1  Downstream router setup 
    To use failover connectivity on the downstream router (aka Failover to Cellular or F2C), it must have two or more WAN interfaces.
    Note: Failover in IP Passthrough context is performed entirely by the downstream router, and the built-in out-of-band failover logic on the Appliance itself is not available while in IP Passthrough mode.
    Connect an Ethernet WAN interface on the downstream router to the Appliance’s Network Interface or Management LAN port with an Ethernet cable.
    Configure this interface on the downstream router to receive its network settings via DHCP. If failover is required, configure the downstream router for failover between its primary interface and the Ethernet port connected to the Appliance.
    4.12.2 IP Passthrough pre-configuration 
    Prerequisite steps to enable IP Passthrough are:
    • Configure the Network Interface and where applicable Management LAN interfaces with static network settings
    o Click Serial & Network: IP
    o For Network Interface and where applicable Management LAN, select Static for the Configuration Method and enter the network settings (see the section entitled Network Configuration for detailed instructions)
    o For the interface connected to the downstream router, you may choose any dedicated private network – this network will only exist between the Appliance and downstream router and will not normally be accessible
    o For the other interface, configure it as you would per normal on the local network
    o For both interfaces, leave Gateway blank
    • Configure the Appliance modem in Always On Out-of-band mode
    o For a cellular connection, click System: Dial: Internal Cellular Modem
    o Select Enable Dial-Out and enter carrier details such as APN (see the section entitled Cellular Modem Connection 
    for detailed instructions)  
    						
    4.12.3 IP Passthrough configuration 
    To configure IP Passthrough:
    • Click Serial & Network: IP Passthrough and check Enable
    • Select the Appliance Modem to use for upstream connectivity
    • Optionally, enter the MAC Address of downstream router’s connected interface
    Note: If the MAC address is not specified, the Appliance will pass through to the first downstream device requesting a DHCP address.
    • Select the Appliance Ethernet Interface to use for connectivity to the downstream router
    • Click Apply
    4.12.4  Service intercepts 
    These allow the Appliance to continue to provide services for out-of-band management when in IP Passthrough mode. Connections to the modem address on the specified intercept port(s) will be handled by the Appliance, rather than being passed through to the downstream router.
    • For the required service of HTTP, HTTPS or SSH, check Enable
    • Optionally, modify the Intercept Port to an alternate port (e.g. 8443 for HTTPS). This is useful if you want to continue to 
    allow the downstream router to remain accessible via its regular port
    4.12.5  IP Passthrough status 
    Refresh the page to view the Status section. It displays the modem’s External IP Address being passed through, the Internal MAC Address of the downstream router (only populated when the downstream router accepts the DHCP lease), and the overall running status of the IP Passthrough service.
    Additionally, you may be alerted to the failover status of the downstream router by configuring a Routed Data Usage Check under Alerts & Logging: Auto-Response.
    4.12.6 Caveats 
    Some downstream routers may be incompatible with the gateway route. This may happen when IP Passthrough is bridging a 3G cellular network where the gateway address is a point-to-point destination address and no subnet information is available. The Appliance sends a DHCP netmask of 255.255.255.255. Devices will normally correctly construe this as a “single host route” on the interface, but as this is an unusual setting for Ethernet, some older downstream devices may have issues.
    Intercepts for local services will not work if the Appliance is using a default route other than the modem. As per normal operation, they will also not work unless the service is enabled and access to the service is enabled (see System: Services: Service Access: Dialout/Cellular).
    Outbound connections originating from the Appliance to remote services are supported (e.g. sending SMTP email alerts, SNMP traps, getting NTP time, IPSec tunnels). However, there is a minuscule risk of connection failure should both the Appliance and the downstream device try to access the same UDP or TCP port on the same remote host at the same time where they have randomly chosen the same originating local port number.
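The 255.255.255.255 netmask caveat above, worked through as an added example (not from the manual): given a DHCP lease, it derives the routes a Linux-based downstream router needs, including the on-link host route required when the gateway lies outside the leased subnet. The lease values and the interface name eth1 are constructed.

```python
import ipaddress


def plan_routes(address, netmask, gateway, ifname):
    """Return (iproute2 commands, gateway_on_subnet) for a DHCP lease.

    Covers the case the manual warns about: with a 255.255.255.255
    netmask the leased "subnet" holds only the host itself, so the
    gateway must be declared directly reachable on the link before it
    can be used as the next hop of the default route.
    """
    iface = ipaddress.ip_interface(f"{address}/{netmask}")
    gw = ipaddress.ip_address(gateway)
    cmds = [f"ip addr add {iface.with_prefixlen} dev {ifname}"]

    gateway_on_subnet = gw in iface.network and gw != iface.ip
    if not gateway_on_subnet:
        # Single-host lease: add an explicit host route to the gateway.
        cmds.append(f"ip route add {gw}/32 dev {ifname} scope link")
    cmds.append(f"ip route add default via {gw} dev {ifname}")
    return cmds, gateway_on_subnet


# Constructed leases: one as handed out in IP Passthrough mode on a
# point-to-point cellular link, one from an ordinary Ethernet LAN.
PASSTHROUGH_LEASE = ("100.72.13.5", "255.255.255.255", "10.64.64.64")
ORDINARY_LEASE = ("192.168.1.50", "255.255.255.0", "192.168.1.1")

if __name__ == "__main__":
    for lease in (PASSTHROUGH_LEASE, ORDINARY_LEASE):
        cmds, on_subnet = plan_routes(*lease, ifname="eth1")
        print(f"lease {lease}: gateway inside subnet = {on_subnet}")
        for cmd in cmds:
            print("   ", cmd)
```

A downstream device that skips the host route rejects the default route as unreachable, which is the incompatibility the caveat describes.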
    						
    Chapter 5: Firewall, Failover and Out-of-Band
    The Console Server has a number of failover and out-of-band access capabilities to ensure availability in the event there are difficulties in accessing the Console Server through the principal network path. This chapter covers:
    • Out-of-band (OoB) access from a remote location using dial-up modem 
    • Out-dial failover
    • OoB access using an alternate broadband link 
    • Broadband failover 
    The Console Server can also provide basic routed firewall facilities with NAT (Network Address Translation), packet filtering and port forwarding support on all network interfaces.
    5.1  OoB Dial-In Access
    To enable OoB dial-in access, first set up the Console Server configuration for dial-in PPP access. Once the Console Server is so configured, it will wait for an incoming connection from a dial-in at a remote site.
    Then remote Administrators must be configured to dial in and must establish a network connection to the Console Server.
    Note: The B094-008-2E-M-F, B096-048/032/016 and BO095-003-M Console Servers have an internal modem for dial-up OoB access. The B092-016 Console Server needs an external modem to be attached via a serial cable to its DB9 port. With the B095-004 Console Server the four serial ports are by default all configured as RJ serial Console Server ports. However, Port 1 can be configured to be the Local Console/Modem port for an external modem to be attached.
    						
    5.1.1 Configure dial-in PPP
    To enable dial-in PPP access on the Console Server modem port/internal modem:
     
    • Select the System: Dial menu option and the port to be configured (Serial DB9 Port or Internal Modem Port)
    Note: The Console Server’s console/modem serial port is set by default to 115200 baud, No parity, 8 data bits and 1 stop bit, with software (Xon-Xoff) flow control enabled. You can modify the baud rate and flow control using the Management Console. You can further configure the console/modem port settings by editing /etc/mgetty.config files as described in Chapter 14.
    • Select the Baud Rate and Flow Control that will communicate with the modem 
    • Check the Enable Dial-In Access box
    • Enter the User name and Password to be used for the dial-in PPP link
    • In the Remote Address field, enter the IP address to be assigned to the dial-in client. You can select any address for the Remote IP Address. However, it and the Local IP Address must both be in the same network range (e.g. 200.100.1.12 and 200.100.1.67)
    • In the Local Address field, enter the IP address for the Dial-In PPP Server. This is the IP address that will be used by the remote client to access the Console Server once the modem connection is established. Again, you can select any address for the Local IP Address, but it must be in the same network range as the Remote IP Address
    • The Default Route option enables the dialed PPP connection to become the default route for the Console Server
    • The Custom Modem Initialization option allows a custom AT modem initialization string to be entered (e.g. AT&C1&D3&K3)
    • Then select the Authentication Type to be applied to the dial-in connection. The Console Server uses authentication to challenge Administrators who dial in to the Console Server. (For dial-in access, the username and password received from the dial-in client are verified against the local authentication database stored on the Console Server). The Administrator must also have their client computer configured to use the selected authentication scheme. Select PAP, CHAP, MSCHAPv2 or None and click Apply
    						
    None: With this selection, no username or password authentication is required for dial-in access. This is not recommended.
    PAP: Password Authentication Protocol (PAP) is the usual method of user authentication used on the internet: sending a username and password to a server where they are compared with a table of authorized users. Whilst most common, PAP is the least secure of the authentication options.
    CHAP: Challenge-Handshake Authentication Protocol (CHAP) is used to verify a user's name and password for PPP Internet connections. It is more secure than PAP, the other main authentication protocol.
    MSCHAPv2: Microsoft Challenge Handshake Authentication Protocol (MSCHAP) is authentication for PPP connections between a computer using a Microsoft Windows operating system and a network access server. It is more secure than PAP or CHAP, and is the only option that also supports data encryption
    • Console Servers all support dial-back for additional security. This is configured per-user in Serial & Network: Users & Groups  Edit. Check the Enable Dial-Back box and enter the phone number to be called to re-establish an OoB link once a dial-in connection has been logged
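What the PAP and CHAP options above put on the dial-in link, as an added example (not from the manual) that follows the packet layouts of RFC 1334 and RFC 1994 and includes the server-side CHAP check. The user name, secret and challenge are constructed values.

```python
import hashlib
import hmac
import os
import struct

PAP_AUTH_REQUEST = 1   # RFC 1334 Authenticate-Request
CHAP_RESPONSE = 2      # RFC 1994 Response


def pap_request(ident, user, password):
    """PAP: the password is carried in the packet exactly as typed."""
    body = bytes([len(user)]) + user + bytes([len(password)]) + password
    return struct.pack("!BBH", PAP_AUTH_REQUEST, ident, 4 + len(body)) + body


def chap_value(ident, secret, challenge):
    """CHAP response value: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def chap_response(ident, user, secret, challenge):
    """CHAP: only a hash bound to the server's challenge is sent."""
    value = chap_value(ident, secret, challenge)
    body = bytes([len(value)]) + value + user
    return struct.pack("!BBH", CHAP_RESPONSE, ident, 4 + len(body)) + body


def verify_chap(packet, challenge, user_db):
    """Server side: recompute the hash from the stored secret and compare."""
    if len(packet) < 5:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    size = packet[4]
    if code != CHAP_RESPONSE or length != len(packet) or 5 + size > length:
        return False
    value, name = packet[5:5 + size], packet[5 + size:length]
    secret = user_db.get(name)
    if secret is None:
        return False
    # Constant-time comparison of the received and expected hash.
    return hmac.compare_digest(value, chap_value(ident, secret, challenge))


# Constructed sample account, standing in for the local authentication database.
USER, SECRET = b"oobadmin", b"constructed-secret"
USERS = {USER: SECRET}

if __name__ == "__main__":
    challenge = os.urandom(16)          # fresh per authentication attempt
    pap = pap_request(1, USER, SECRET)
    chap = chap_response(1, USER, SECRET, challenge)
    print("secret visible in PAP packet: ", SECRET in pap)
    print("secret visible in CHAP packet:", SECRET in chap)
    print("CHAP response accepted:       ", verify_chap(chap, challenge, USERS))
```

Because the CHAP value depends on a fresh challenge, a response recorded from one dial-in attempt does not verify against the next challenge.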
    5.1.2  Using SDT Connector client for dial-in
    Administrators can use their SDT Connector client to set up secure OoB dial-in access to all their remote Console Servers. With a point and click you can initiate a dial-up connection. Refer to Chapter 6.5.
    5.1.3 Set up Windows XP/ 2003/Vista/7 client for dial-in
    • Open Network Connections in Control Panel and click the New Connection Wizard 
    • Select Connect to the Internet and click Next
    • On the Getting Ready screen select Set Up My Connection Manually and click Next
    • On the Internet Connection screen select Connect Using a Dial-Up Modem and click Next
    • Enter a Connection Name (any name you choose) and the dial-up Phone Number that will connect through to the Console Server modem
     
    • Enter the PPP User Name and Password you have set up for the Console Server
    5.1.4  Set up earlier Windows clients for dial-in
    • For Windows 2000, the PPP client set up procedure is the same as above, except you get to the Dial-Up Networking Folder by clicking the Start button and selecting Settings. Then click Network and Dial-up Connections and click Make New Connection
    • Similarly, for Windows 98, you double-click My Computer on the Desktop, then open Dial-Up Networking and double 
    click Make New Connection and proceed as above
    5.1.5  Set up Linux clients for dial-in
    The online tutorial http://www.yolinux.com/TUTORIALS/LinuxTutorialPPP.html presents a selection of methods for establishing a 
    dial up PPP connection: 
    • Command line PPP and manual configuration (which works with any Linux distribution)
    • Using the Linuxconf configuration tool (for Red Hat compatible distributions). This configures the scripts ifup/ifdown to start and stop a PPP connection
    • Using the Gnome control panel configuration tool
    • WVDIAL and the Redhat "Dialup configuration tool"
    • GUI dial program X-isp. Download/Installation/Configuration
    Note: For all PPP clients:
    • Set the PPP link up with TCP/IP as the only protocol enabled 
    • Specify that the Server will assign IP address and do DNS
    • Do not set up the Console Server PPP link as the default for Internet connection
    5.2 OoB Broadband Access 
    The B096-048/032/016 Console Server Management Switch has a second Ethernet network port that can be configured for alternate and OoB (out-of-band) broadband access. With two active broadband access paths to the Console Server, in the event you are unable to access through the primary management network, you may still have access through the alternate broadband path (e.g. a T1 link).
    • On the System: IP menu, select Management LAN Interface and configure the IP Address, Subnet Mask, Gateway and DNS with the access settings that relate to the alternate link
    • Ensure that when configuring the principal Network Interface connection, you set the Failover Interface to None
     
    5.3   Broadband Ethernet Failover 
    The second Ethernet port on the B096-048/032/016 Console Server Management Switch can also be configured for failover to ensure transparent high availability.
    • When configuring the principal network connection on the System: IP Network Interface menu, select Management LAN (eth1) as the Failover Interface to be used when a fault has been detected with main Network Interface (eth0)
    						
    • Specify the Probe Addresses of two sites (the Primary and Secondary) that the B096-048/032/016 is to ping to 
    determine if Network (eth0) is still operational 
    • Then configure Management LAN Interface (eth1) with the same IP setting that you used for the main Network Interface (eth0) to ensure transparent redundancy
    In this mode, Network 2 (eth1) is available as the transparent back-up port to Network 1 (eth0) for accessing the management network. Network 2 will automatically and transparently take over the work of Network 1, in the event Network 1 becomes unavailable for any reason.
    By default, the Console Server supports automatic failure-recovery back to the original state prior to failover. The Console Server continually pings probe addresses whilst in original and failover states. The original state will automatically be set as a priority and re-established following three successful pings of the probe addresses during failover. The failover state will be removed once the original state has been re-established.
    5.4 Dial-Out Access
    The internal or externally attached modem on the Console Servers can be set up either
     o in Failover mode, where a dial-out connection is only established in event of a ping failure, or 
     o with the dial-out connection always on 
    In both of the above cases, in the event of a disruption in the dial-out connection, the Console Server will endeavor to re-establish the connection.
    5.4.1  Always-on dial-out 
    The Console Server modem can be configured for out-dial to be always on, with a permanent external dial-up PPP connection.
    • Select the System: Dial menu option and check Enable Dial-Out to allow outgoing modem communications
    • Select the Baud Rate and Flow Control that will communicate with the modem 
    • In the Dial-Out Settings - Always On Out-of-Band field enter the access details for the remote PPP server to be called
    Override DNS is available for PPP Devices such as modems. Override DNS allows the use of alternate DNS servers from those provided by your ISP. For example, an alternative DNS may be required for OpenDNS used for content filtering.
    • To enable Override DNS, check the Override returned DNS Servers box. Enter the IP of the DNS servers into the spaces provided.
    						
    5.4.2 Dial-Out Failover
    The Console Servers can also be configured for dial-out failover, so a dial-out PPP connection is automatically set up in the event of a disruption in the principal management network:
    • When configuring the principal network connection in System: IP, specify Internal Modem (or the Dial Serial DB9 if 
    using an external modem on the Console port) as the Failover Interface to be used when a fault has been detected with 
    Network1 (eth0) 
    • Specify the Probe Addresses of two sites (the Primary and Secondary) that the Console Server is to ping to determine 
    if Network1 is still operational
    • Select the System: Dial menu option and the port to be configured (Serial DB9 Port or Internal Modem Port)
    • Select the Baud Rate and Flow Control that will communicate with the modem 
    Note: You can further configure the console/modem port (e.g. to include modem init strings) by editing /etc/mgetty.config 
    files as described in Chapter 13. 
    • Check the Enable Dial-Out Access box and enter the access details for the remote PPP server to be called
    Note: Both SSH and HTTPS access are enabled for dial-out failover, so the administrator can SSH (or HTTPS) connect to the console server (and its Managed Devices) and fix the problem
    Override DNS is available for PPP Devices such as modems. Override DNS allows the use of alternate DNS servers from those provided by your ISP. For example, an alternative DNS may be required for OpenDNS used for content filtering.
    • To enable Override DNS, check the Override returned DNS Servers box. Enter the IP of the DNS servers into the spaces provided
    Note: By default, the Console Server supports automatic failure-recovery back to the original state prior to failover. The Console Server continually pings probe addresses whilst in original and failover states. The original state will automatically be set as a priority and re-established following three successful pings of the probe addresses during failover. The failover state will be removed once the original state has been re-established.
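The failover and recovery behaviour described in 5.3 and in the note above, modelled as an added example (not the Console Server's own code) that replays probe results and reports the windows spent on the failover interface, which is when SSH and HTTPS are reachable over the dial-out link. The manual states only the three-ping recovery rule; the failure threshold, treating the link as up when either probe address answers, and requiring consecutive successes are assumptions.

```python
RECOVERY_SUCCESSES = 3   # from the manual: three successful pings restore the original state


class FailoverMonitor:
    """Tracks the original/failover state from periodic probe results."""

    def __init__(self, fail_threshold=3):
        self.fail_threshold = fail_threshold   # assumption: not given in the manual
        self.state = "original"
        self.fails = 0
        self.oks = 0
        self.transitions = []                  # [(tick, new_state), ...]

    def observe(self, tick, primary_ok, secondary_ok):
        # Assumption: the link is up if either probe address answers.
        up = primary_ok or secondary_ok
        if self.state == "original":
            self.fails = 0 if up else self.fails + 1
            if self.fails >= self.fail_threshold:
                self._switch(tick, "failover")
        else:
            # Probing continues during failover; assumption: the three
            # successful pings must be consecutive.
            self.oks = self.oks + 1 if up else 0
            if self.oks >= RECOVERY_SUCCESSES:
                self._switch(tick, "original")
        return self.state

    def _switch(self, tick, new_state):
        self.state = new_state
        self.fails = self.oks = 0
        self.transitions.append((tick, new_state))


def failover_windows(samples, fail_threshold=3):
    """Replay (tick, primary_ok, secondary_ok) samples and return the
    (start, end) ticks spent in failover; end is None if still failed over."""
    monitor = FailoverMonitor(fail_threshold)
    for tick, primary_ok, secondary_ok in samples:
        monitor.observe(tick, primary_ok, secondary_ok)
    windows, start = [], None
    for tick, state in monitor.transitions:
        if state == "failover":
            start = tick
        else:
            windows.append((start, tick))
            start = None
    if start is not None:
        windows.append((start, None))
    return windows


# Constructed probe history: (tick, primary probe ok, secondary probe ok).
T, F = True, False
SAMPLES = [(0, T, T), (1, F, T), (2, F, F), (3, F, F), (4, F, F), (5, F, F),
           (6, T, F), (7, F, F), (8, T, T), (9, T, T), (10, T, F), (11, T, T)]

if __name__ == "__main__":
    print(failover_windows(SAMPLES))
```

The returned windows can be lined up against access logs to confirm that logins arriving over the failover interface fall inside a period when failover was actually active.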
    5.5 Firewall & Forwarding 
    Console Servers provide basic firewalled routing, NAT (Network Address Translation), packet filtering and port forwarding 
    support on all network interfaces.
     
    5.5.1  Configuring network forwarding and IP masquerading
    To use a Console Server as an Internet or external network gateway requires establishing an external network connection and then setting up forwarding and masquerading.
    Note: Network forwarding allows the network packets on one network interface (i.e. LAN1/eth0) to be forwarded to another network interface (i.e. LAN2/eth1 or dial-out/cellular) so that locally networked devices can connect to IP through the Console Server to devices on remote networks. IP masquerading is used to allow all the devices on your local private network to hide behind and share the one public IP address when connecting to a public network. This type of translation is only used for connections originating within the private network destined for the outside public network, and each outbound connection is maintained by using a different source IP port number.
    By default, all Console Server models are configured so that they will not route traffic between networks. To use the Console Server as an Internet or external network gateway, forwarding must be enabled so that traffic can be routed from the internal network to the Internet/external network:
    • Navigate to the System: Firewall page, and then click on the Forwarding & Masquerading tab
    						