Terminal access features
Figure 2 shows a typical terminal access implementation.
Figure 2: Terminal access network
Source address binding
Source IP address binding configures an IP address on a stable interface (a loopback or dialer interface is recommended) and, through IP unnumbered configuration, uses that address as the source IP address of the router's upstream TCP connections.
An FEP typically authenticates the router by the source IP address of the incoming connection. When dial-up backup is used in a wide area network (WAN) and the primary link fails, the router starts to use the backup interface. Without source IP address binding, the source address of the TCP connection changes with the interface and FEP authentication fails. Configuring source IP address binding gives the router a fixed IP address for its TCP connection to the FEP regardless of which link is active.
For security or other reasons, you may also need to hide the IP address actually used for the upstream TCP connection and present a different address to the FEP. This too requires source IP address binding.
Make sure the bound IP address and the FEP are reachable from each other, including over the backup path; an address that is only routable over the primary link defeats the purpose.
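The following is an added example, not code from the original documentation or from the router product: it models the two halves of source address binding in plain Python sockets. The client pins its source address with bind() before connect(), and a loopback stand-in for the FEP accepts a connection only if the peer address is the one it expects. The helper names (connect_from, fep_accepts, run_demo), the use of 127.0.0.1 for both sides and the rejection reply are this example's own assumptions.

```python
"""Added example (not from the original documentation): source address
binding on the client side and source-address authentication on the FEP side.

Assumptions (hypothetical, for illustration only): the FEP is modelled as a
one-shot TCP listener on the loopback interface; helper names, addresses and
the OK/REJECT replies are made up for this example.
"""
import socket
import threading


def fep_accepts(peer_ip, allowed_sources):
    """FEP-side check: is the connecting router's source IP the expected one?"""
    return peer_ip in allowed_sources


def connect_from(source_ip, dest, timeout=2.0):
    """Open a TCP connection to ``dest`` with its source address pinned to
    ``source_ip`` (port 0 lets the kernel choose an ephemeral port).

    This is the client-side effect of source address binding: whichever
    interface the route to ``dest`` leaves through, the FEP sees
    ``source_ip`` as the peer address.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    sock.bind((source_ip, 0))   # pin the source address before connecting
    sock.connect(dest)
    return sock


def run_demo(source_ip, allowed_sources):
    """Start a one-shot loopback 'FEP', connect to it from ``source_ip`` and
    return (peer_ip_seen_by_fep, accepted, reply_text)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    seen = {}

    def serve():
        conn, (peer_ip, _) = srv.accept()
        with conn:
            ok = fep_accepts(peer_ip, allowed_sources)
            seen["peer_ip"], seen["accepted"] = peer_ip, ok
            # An FEP that authenticates by source address refuses the rest.
            conn.sendall(b"OK\r\n" if ok else b"REJECT\r\n")
        srv.close()

    t = threading.Thread(target=serve)
    t.start()
    with connect_from(source_ip, srv.getsockname()) as cli:
        reply = cli.recv(64).decode()
    t.join()
    return seen["peer_ip"], seen["accepted"], reply.strip()


if __name__ == "__main__":
    # Router presents the address the FEP expects: accepted.
    print(run_demo("127.0.0.1", {"127.0.0.1"}))
    # FEP expects a different (e.g. primary-link) address: rejected. This is
    # what happens after a failover to the backup link without binding.
    print(run_demo("127.0.0.1", {"192.0.2.10"}))
```

On a real router the bind happens in the forwarding plane via the binding configuration rather than in application code, but the observable effect is the same: the FEP's allowlist check sees one constant address. The second call shows the failure the text describes, where the address the FEP expects no longer matches what arrives.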
Terminal menu
The terminal menu allows you to bring up the menu interface by pressing the menu hotkey at the terminal. The menu interface displays the services provided by each VTY on the terminal. By entering a service option, you can switch to the corresponding service display. The menu interface displays:
TTY ACCESS SYSTEM VERSION 3.0
1. SELECT VTY(0):chuxu
2. SELECT VTY(1):duigong
0. QUIT
INPUT YOUR CHOICE:
Press any key to return
When the following events happen, this feature enables the terminal to display an error message, and you can press any key to return to the menu interface:
An invalid menu option is entered.
The FEP providing the service you select is unreachable.
A connection is terminated.
Fast VTY service switching
The characteristics of banking services require each bank branch to provide services such as deposit and corporate services. However, a terminal at an outlet can process only one type of service. To solve this problem, the terminal access feature of the router implements the VTY switching function, enabling a terminal to process multiple services at the same time and to dynamically switch between the services.
In terminal access, each terminal is logically divided into eight virtual type terminals (VTYs), each of which can be configured to correspond to a service (also known as an application). The operator can press the VTY switching menu hotkey to bring up the VTY switching menu and select a VTY to dynamically switch between different services. In addition, the VTY switching feature provides the screen saving function. When an operator switches from service 1 to service 2, the operating interface of service 1 is automatically saved. When the operator switches from service 2 back to service 1, the original operating interface is automatically restored. If the original operating interface is lost due to a fault, the operator can use the terminal redrawing function to recover it.
VTY redrawing
You can set the VTY redrawing hotkey on the router. When a terminal does not display the normal terminal interface for some reasons (for example, illegible characters appear after the terminal is turned off and then turned on), pressing the terminal redrawing hotkey can restore the normal terminal interface.
Idle connection timeout
If the idle connection timeout function is enabled and no data is transmitted between the initiator and receiver within the idle connection timeout period, the initiator and receiver are automatically disconnected from each other.
Terminal number fixing
As shown in Figure 2, the terminal access program running on the router connected to the terminal enables the terminals to access the FEPs. The terminals are connected to the router through asynchronous serial interfaces. The router numbers all the terminals. On the other side, the router connects to multiple FEPs over the network. Each FEP runs multiple applications. Terminal access universally numbers all the applications, regardless of whether these applications are running on the same FEP or on multiple FEPs. With the numbering of the terminals and the applications and the special processing through the router, the mappings between terminals and banking services are established to implement fixed terminal numbering.
Data encryption
Because terminal access is widely used in banking systems, its data security requirements are increasingly strict. The terminal access data encryption function encrypts the data transmitted between the router and the FEPs.
As shown in Figure 3, data between Router A and the FEP travels as ciphertext. Router A and the FEP program (ttyd, ccbtelnetd, or sshd) perform the encryption and decryption. The supported algorithms are:
TTY terminal access: AES.
ETelnet terminal access: AES and RC4. RC4 is a broken stream cipher (prohibited in TLS by RFC 7465 and deprecated for SSH by RFC 8758); select AES unless a legacy FEP leaves no other option.
SSH terminal access: RSA and DSA. These are public-key algorithms: in SSH they authenticate the peer and sign the key exchange, while the session data is protected by the symmetric cipher the SSH transport negotiates. Prefer RSA keys over DSA, which in SSH is limited to 1024-bit keys and is disabled by default in modern OpenSSH.
Figure 3: Data encryption procedure between router and FEP
Automatic link establishment
You can enable this function and configure the automatic link establishment time in terminal template view. When the terminal is in the "OK" state (meaning the physical connection is normal), the initiator automatically establishes a TCP connection to the receiver after the specified period. If the automatic link establishment function is disabled on the terminal, you must manually establish a link. In this mode, the initiator establishes a TCP connection to the receiver only when the operator enters a character on the terminal.
Automatic link teardown
You can enable the function and configure the automatic teardown time for the terminal in terminal template view. When the terminal device and the initiator are disconnected from each other, the terminal enters the "down" state. After a specified period of time, the initiator automatically tears down the TCP connection to the receiver. The TCP connection always remains active if the automatic link teardown function is disabled.
TTY one-to-one access
In TTY one-to-one access, each terminal has its own TCP connection to the FEP (TTY), which gives the best communication quality and throughput across varying link conditions. By tuning parameters you can obtain acceptable speed even on low-speed links, and the mode suits frequent, high-volume printing.
Terminal display language configuration
The initiator generally sends some unsolicited information, such as menus and link establishment information, to the terminal. To meet different language needs, the prompt information can be displayed in either English or Chinese (the default).
Screen saving
Screen saving is implemented in the following ways:
A terminal can display the saved screen contents after receiving specific control characters from a router.
A FEP can send the saved screen contents to a terminal when the screen is switched or redrawn on the terminal.
A router can send the saved screen contents to the terminal upon receiving control characters for switching or redrawing the screen from a terminal.
Screen saving behaves differently depending on whether the terminal, the FEP, or the router implements it. Router-side screen saving supports Telnet, ETelnet, and SSH. With it enabled, the router sends the saved screen contents to the terminal at startup, when you select a menu item, switch between VTYs, or press the terminal redrawing hotkey.
FEP-side screen saving is available only for TTY access.
Some types of terminals provide the screen saving function, enabling the terminals to switch to the corresponding screen upon receiving the specified screen code, such as \E!10Q. When you perform VTY service fast switching, the router sends a screen code to the terminal, which switches to the corresponding operation interface after saving the current operation interface. To save the screens of multiple VTYs, you must set different screen codes for these VTYs and make sure the number of screen codes supported by the terminal is greater than the number of configured VTYs. Note that this function needs terminal support. In addition, the screen codes that can be identified vary with terminal types and the number of supported screen codes may also be different.
Terminal screen display size
The terminal screen display size determines the maximum lines and columns of characters that the screen can display. By default, a terminal screen can display up to 24 lines (screen height) and up to 80 characters in each line (columns or screen width). You can set the terminal screen display size to meet different service requirements.
Read blocking
With terminal data read blocking, if the router holds data received from the terminal that it has not yet successfully sent to the FEP, it stops reading from the terminal until all of that data has been sent. Enable this function only when the router-to-FEP link is slower than the terminal-to-router link; otherwise it needlessly throttles the terminal.
Terminal reset
In case the terminal fails to communicate with the receiver, you can press the terminal reset hotkey on the terminal to cause the initiating router to disconnect and then re-establish the TCP connection with the receiver.
Connectivity test
You can configure the terminal test hotkey on the router. By pressing the test hotkey on the terminal, you can test the connectivity between the terminal and the router and the TCP connectivity between the terminal and the FEP.
Data send delay
When data send delay is configured, the router holds data received from the terminal for the specified period before sending it to the FEP, so that the characters collected in that period go out in one packet instead of many small ones. This improves bandwidth utilization at the cost of added latency for interactive input.
TCP buffer parameter configuration
Terminal access lets you configure two kinds of buffers: the TCP buffer, which holds data exchanged between the initiator and the receiver, and the terminal buffer, which holds data exchanged between the initiator and the terminal.
For the TCP connection you can set the receive buffer size, the send buffer size, the no-delay attribute (TCP_NODELAY), the keepalive interval, and the number of keepalive transmissions before the connection is declared dead.
Terminal buffer parameter configuration
You can set parameters for the terminal buffer, including whether to clear the buffer before receiving data, receive buffer size, send buffer threshold, and the maximum size of data to be sent to the terminal at one time.
Threshold for VTY switching failure times
When an RTC client needs to connect to an RTC server, it first tries the server that corresponds to the lowest-numbered VTY. Once the number of consecutive connection failures exceeds the configured threshold, the client moves on to the server of the next VTY in ascending order.
Receiver VTY switching rules
When the RTC server is configured to switch between VTYs by priority (the lower the VTY number, the higher the priority), a new connection request for a VTY numbered lower than that of the existing connection causes the server to tear down the existing connection and communicate over the new one. When priority-based switching is not configured, the server keeps the existing connection and ignores any new connection request while that connection exists.
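The two rules above (client-side threshold-driven VTY fallback and receiver-side priority pre-emption) are easier to reason about as a small state machine. The following is an added example written for this page, not the product's own code or CLI: the class names, the "accept/preempt/ignore" results, the server addresses and the simulated connect function are all this example's assumptions.

```python
"""Added example (not from the original documentation): the RTC client's VTY
fallback rule and the RTC server's priority switching rule, modelled in plain
Python so the behaviour can be traced step by step.

Assumptions (hypothetical): class/method names, the result strings and the
server addresses below are this example's own, not product identifiers.
"""


class RtcClient:
    """Client side: try the RTC server of the lowest-numbered VTY first and
    move to the next VTY only after more than ``threshold`` consecutive
    failures on the current one."""

    def __init__(self, vty_servers, threshold):
        # vty_servers: {vty_number: server_address}, tried in ascending order
        self.order = sorted(vty_servers)
        self.servers = vty_servers
        self.threshold = threshold

    def connect(self, try_connect):
        """``try_connect(address) -> bool`` stands in for the TCP connect.
        Returns (vty_number, total_attempts) for the first VTY whose server
        answers, or (None, total_attempts) if every VTY exhausted its threshold."""
        attempts = 0
        for vty in self.order:
            failures = 0
            # "exceeds the threshold": give up on this VTY at threshold + 1 failures
            while failures <= self.threshold:
                attempts += 1
                if try_connect(self.servers[vty]):
                    return vty, attempts
                failures += 1
        return None, attempts


class RtcServer:
    """Receiver side: one active connection at a time. With priority switching
    enabled, a request for a lower-numbered (higher-priority) VTY pre-empts the
    current connection; without it, new requests are ignored while connected."""

    def __init__(self, priority_switching):
        self.priority_switching = priority_switching
        self.active_vty = None

    def offer(self, vty):
        """Handle a new connection request for ``vty``.
        Returns 'accept', 'preempt' or 'ignore' and updates the active VTY."""
        if self.active_vty is None:
            self.active_vty = vty
            return "accept"
        if self.priority_switching and vty < self.active_vty:
            self.active_vty = vty      # tear down the old connection, use the new
            return "preempt"
        return "ignore"


def simulate(down_servers, threshold=2):
    """Constructed scenario: three VTYs mapped to three FEP addresses, some of
    which are unreachable. Returns (chosen_vty, attempts_made)."""
    servers = {0: "fep-a:9000", 1: "fep-b:9000", 2: "fep-c:9000"}
    client = RtcClient(servers, threshold)
    return client.connect(lambda addr: addr not in down_servers)


if __name__ == "__main__":
    print(simulate(set()))                 # (0, 1): lowest VTY reachable
    print(simulate({"fep-a:9000"}))        # (1, 4): 3 failures on VTY 0, then VTY 1
    srv = RtcServer(priority_switching=True)
    print(srv.offer(2), srv.offer(1), srv.offer(3))   # accept preempt ignore
```

Note the off-by-one the wording implies: with a threshold of 2, the client makes three attempts on a VTY before moving on, because it switches only when failures exceed the threshold. When sizing the threshold, multiply by the TCP connect timeout to get the worst-case delay before the client reaches a working FEP.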
RTC terminal authentication
The RTC server can perform password authentication on RTC clients to enhance security. Authentication succeeds only when the passwords configured on the RTC server and the RTC client match.
Terminal access VPNs
Terminal access supports VPNs. That is, some of the terminals connected to the router can be grouped in one VPN domain and some other in another VPN domain. This allows a terminal to access the FEP or remote router that is in the same VPN domain as the terminal.
Server connection authentication
Some deployments require the FEP to authenticate the router that connects to it. Two modes are supported: character string-based authentication and MAC-based authentication.
Character string-based authentication is similar to password authentication: the same authentication string is configured on the FEP and on the router. When the router establishes a connection, it sends the string to the FEP, which compares it with its own. If they match, authentication succeeds; otherwise authentication fails and the connection attempt is rejected.
MAC-based authentication works the same way, except that the shared value is a MAC address: the MAC address of one of the router's interfaces is configured on the FEP (the router can also be told which MAC address to present with a command). Note that a MAC address is neither secret nor hard to set, so treat this mode as identification of the expected router rather than strong authentication, and use data encryption where the path to the FEP is not trusted.
TCP RTC many-to-one transparent transmission
Some terminal devices, such as radars, need to share data between each other. RTC terminal access provides many-to-one relay forwarding based on TCP. Routers connecting these terminals are connected to one relay server, which copies and forwards data between routers.
UDP RTC one-to-one transparent transmission
This mode is mainly used for voice transmission. TCP RTC transparent transmission introduces forwarding delay and is not suited to voice. Because voice tolerates occasional packet loss but not delay, voice data can be carried over UDP. This mode provides one-to-one transmission in synchronous mode only; asynchronous mode is not supported.
Filtering of flow control characters
Access devices forward the flow control characters they receive from terminals to the FEP. If a single packet delivered to the FEP contains both XOFF (0x13, DC3), which enables flow control, and XON (0x11, DC1), which disables it, the FEP enables flow control but does not disable it. The FEP then stops sending data to that terminal and the display pauses until you disable flow control by pressing the shortcut key. To prevent this, configure the device to filter flow control characters out of the data received from terminals and to perform flow control itself.
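The filter the passage recommends is short enough to show in full. The following is an added example, not the router's own implementation: it strips XON/XOFF from a chunk of terminal data before forwarding and tracks the pause state itself, in order, so a packet that carries both characters leaves the filter in the correct final state. The class and function names and the sample byte strings are constructed for this example.

```python
"""Added example (not from the original documentation): XON/XOFF filtering
of terminal data, as recommended above, next to a model of the FEP behaviour
that causes the stuck-paused display.

Assumptions (hypothetical): names and sample data are this example's own.
"""

XOFF = 0x13   # DC3: terminal asks the sender to pause (enable flow control)
XON = 0x11    # DC1: terminal asks the sender to resume (disable flow control)


class FlowControlFilter:
    """Access-device side: remove flow control characters from data bound for
    the FEP and keep the pause/resume state locally."""

    def __init__(self):
        self.paused = False

    def process(self, chunk: bytes) -> bytes:
        """Return ``chunk`` with XON/XOFF removed. ``paused`` is updated in the
        order the characters occur, so "...XOFF...XON..." ends unpaused."""
        out = bytearray()
        for b in chunk:
            if b == XOFF:
                self.paused = True
            elif b == XON:
                self.paused = False
            else:
                out.append(b)
        return bytes(out)


def naive_fep_paused(chunk: bytes) -> bool:
    """Model of the FEP behaviour described in the text: an XOFF anywhere in
    the packet pauses output, and an XON in the same packet does not clear it.
    Returns True if the FEP would be left paused after this packet."""
    return XOFF in chunk


if __name__ == "__main__":
    # Constructed sample: a terminal pauses and resumes within one packet.
    packet = b"ab\x13cd\x11ef"
    print("unfiltered FEP paused:", naive_fep_paused(packet))   # True (stuck)
    f = FlowControlFilter()
    print("forwarded:", f.process(packet), "paused:", f.paused)  # b'abcdef' False
```

Because the filter consumes the characters, the device must now honour `paused` itself (stop writing to the terminal's serial line while it is True) rather than relying on the FEP to do so; the two halves go together.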
TCP_NODELAY
In TCP RTC many-to-one and TCP one-to-one transparent transmission mode, the RTC server follows RFC 896 and uses the Nagle algorithm, which coalesces small segments to avoid congesting the network with many tiny TCP packets. The algorithm also delays delivery of application data, which is most noticeable for interactive programs such as terminal sessions. The RTC server lets you disable the Nagle algorithm by setting the TCP_NODELAY option.
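The TCP parameters listed under "TCP buffer parameter configuration" above and the TCP_NODELAY option described here map directly onto standard socket options. The following is an added example written for this page, not the product's code: it applies the receive and send buffer sizes, TCP_NODELAY and the keepalive interval and count to a socket and reads back what the kernel recorded. The keepalive option names are the Linux ones and are guarded because other platforms differ; the function names and the example values are this example's assumptions.

```python
"""Added example (not from the original documentation): applying the TCP
connection parameters named on this page (receive/send buffer sizes, no-delay,
keepalive interval and transmission count) with standard socket options.

Assumptions (hypothetical): function names and the numeric values are this
example's own. TCP_KEEPIDLE/TCP_KEEPINTVL/TCP_KEEPCNT are Linux names and are
guarded with hasattr() because macOS, BSD and Windows expose them differently.
"""
import socket


def tune_tcp(sock, *, rcvbuf=None, sndbuf=None, nodelay=True,
             keepalive_idle=None, keepalive_interval=None, keepalive_count=None):
    """Apply buffer, no-delay and keepalive settings to ``sock``."""
    if rcvbuf is not None:
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_RCVBUF, rcvbuf)
    if sndbuf is not None:
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_SNDBUF, sndbuf)
    # TCP_NODELAY=1 disables Nagle (RFC 896) so each keystroke-sized write
    # is sent at once; leave it 0 for bulk transfers where coalescing helps.
    sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_NODELAY, 1 if nodelay else 0)
    if keepalive_idle is not None or keepalive_interval is not None \
            or keepalive_count is not None:
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
        if keepalive_idle is not None and hasattr(socket, "TCP_KEEPIDLE"):
            # seconds of idleness before the first probe
            sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPIDLE, keepalive_idle)
        if keepalive_interval is not None and hasattr(socket, "TCP_KEEPINTVL"):
            # seconds between probes ("keepalive interval")
            sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPINTVL, keepalive_interval)
        if keepalive_count is not None and hasattr(socket, "TCP_KEEPCNT"):
            # unanswered probes before the connection is declared dead
            sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPCNT, keepalive_count)


def read_tcp_options(sock):
    """Return the kernel's view of the options set above. Note that Linux
    reports SO_RCVBUF/SO_SNDBUF doubled relative to the requested value."""
    return {
        "nodelay": sock.getsockopt(socket.IPPROTO_TCP, socket.TCP_NODELAY),
        "keepalive": sock.getsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE),
        "rcvbuf": sock.getsockopt(socket.SOL_SOCKET, socket.SO_RCVBUF),
        "sndbuf": sock.getsockopt(socket.SOL_SOCKET, socket.SO_SNDBUF),
    }


def demo():
    """Create an (unconnected) TCP socket, apply settings suited to an
    interactive terminal session and return what the kernel recorded."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        tune_tcp(sock, rcvbuf=64 * 1024, sndbuf=64 * 1024, nodelay=True,
                 keepalive_idle=60, keepalive_interval=10, keepalive_count=3)
        return read_tcp_options(sock)
    finally:
        sock.close()


if __name__ == "__main__":
    print(demo())
```

Disabling Nagle trades latency for packet count: with TCP_NODELAY set, every single-character write from a terminal becomes its own segment, which is exactly the traffic the "data send delay" feature exists to batch. Use one or the other deliberately rather than both.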