164 lines
11 KiB
HTML
164 lines
11 KiB
HTML
<?xml version="1.0" encoding="UTF-8"?>
|
|
<!DOCTYPE html
|
|
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
|
|
<html lang="en-us" xml:lang="en-us">
|
|
<head>
|
|
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
|
|
<meta name="security" content="public" />
|
|
<meta name="Robots" content="index,follow" />
|
|
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
|
|
<meta name="DC.Type" content="reference" />
|
|
<meta name="DC.Title" content="IP address management strategy" />
|
|
<meta name="abstract" content="You should be familiar with your network IP address management strategy before configuring a PPP connection profile. This strategy will impact many of the decisions throughout the configuration process including your authentication strategy, security consideration and TCP/IP settings." />
|
|
<meta name="description" content="You should be familiar with your network IP address management strategy before configuring a PPP connection profile. This strategy will impact many of the decisions throughout the configuration process including your authentication strategy, security consideration and TCP/IP settings." />
|
|
<meta name="DC.Relation" scheme="URI" content="rzaiyipcons.htm" />
|
|
<meta name="copyright" content="(C) Copyright IBM Corporation 1998, 2006" />
|
|
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 1998, 2006" />
|
|
<meta name="DC.Format" content="XHTML" />
|
|
<meta name="DC.Identifier" content="rzaiyipmgmtstrategy" />
|
|
<meta name="DC.Language" content="en-us" />
|
|
<!-- All rights reserved. Licensed Materials Property of IBM -->
|
|
<!-- US Government Users Restricted Rights -->
|
|
<!-- Use, duplication or disclosure restricted by -->
|
|
<!-- GSA ADP Schedule Contract with IBM Corp. -->
|
|
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
|
|
<link rel="stylesheet" type="text/css" href="./ic.css" />
|
|
<title>IP address management strategy</title>
|
|
</head>
|
|
<body id="rzaiyipmgmtstrategy"><a name="rzaiyipmgmtstrategy"><!-- --></a>
|
|
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
|
|
<h1 class="topictitle1">IP address management strategy</h1>
|
|
<div><p>You should be familiar with your network IP address management
|
|
strategy before configuring a PPP connection profile. This strategy will impact
|
|
many of the decisions throughout the configuration process including your
|
|
authentication strategy, security consideration and TCP/IP settings.</p>
|
|
<div class="section"><h4 class="sectiontitle">Originator connection profiles:</h4><p>Typically, the local
|
|
and remote IP addresses defined for an originator profile will be defined
|
|
as <dfn class="term">Assigned by remote system</dfn>. This allows the administrators
|
|
on the remote system to have control over the IP addresses that will be used
|
|
for the connection. Most all connections to Internet service providers (ISP)
|
|
will be defined this way, although many ISPs can offer fixed IP addresses
|
|
for an additional fee.</p>
|
|
</div>
|
|
<div class="section"><p>If you define fixed IP addresses for either the local or remote
|
|
IP address then you must be sure that the remote system is defined to accept
|
|
the IP addresses you have defined. One typical application is to define your
|
|
local IP address as a fixed IP address and the remote to be assigned by the
|
|
remote system. The system you are connecting can be defined the same way so
|
|
when you connect, the two systems will exchange IP addresses with each other
|
|
as a way to learn the IP address of the remote system. This might be useful
|
|
for one office calling another office for temporary connectivity.</p>
|
|
</div>
|
|
<div class="section"><p>Another consideration is if you want to enable IP Address Masquerading.
|
|
For example, if the iSeries™ server connects to the Internet through an
|
|
ISP, then this can allow an attached network behind the iSeries server
|
|
to also access the Internet. Basically the iSeries server hides the IP addresses
|
|
of the systems on the network behind the local IP address assigned by the
|
|
ISP, thus making all IP traffic appear to be from the iSeries server. There are also additional
|
|
routing considerations for both the systems on the LAN (to ensure their Internet
|
|
traffic is sent to the iSeries server) as well as the iSeries server
|
|
where you will need to enable the 'add remote system as the default route'
|
|
box.</p>
|
|
</div>
|
|
<div class="section"><h4 class="sectiontitle">Receiver connection profiles:</h4><p>Receiver connection
|
|
profiles have many more IP address considerations and options than the Originator
|
|
connection profile does. How you configure the IP addresses depends on the
|
|
IP address management plan for your network, your specific performance and
|
|
functional requirements for this connection, and the security plan. </p>
|
|
</div>
|
|
<div class="section"><h4 class="sectiontitle">Local IP addresses</h4><p>For a single receiver profile
|
|
you can define a unique IP address or use an existing local IP address on
|
|
your iSeries server.
|
|
This will become the IP address that will identify the iSeries server end of the PPP connection.
|
|
For receiver profiles defined to support multiple connections at the same
|
|
time, you must use an existing local IP address. If no previously existing
|
|
local IP addresses are present then you can create a Virtual IP address for
|
|
this purpose.</p>
|
|
</div>
|
|
<div class="section"><h4 class="sectiontitle">Remote IP addresses</h4><p>There are many options for assigning
|
|
remote IP addresses to PPP clients. The following options can be specified
|
|
on the TCP/IP page of the receiver connection profile. </p>
|
|
</div>
|
|
<div class="section"><div class="note"><span class="notetitle">Note:</span> If you want the remote system to be considered part of the
|
|
LAN, you should configure IP address routing, specify an IP address within
|
|
the IP address range for LAN attached systems, and verify that IP forwarding
|
|
has been enabled for both this connection profile and the iSeries system.</div>
|
|
</div>
|
|
<div class="section">
|
|
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" frame="border" border="1" rules="all"><caption>Table 1. IP address assignment options for receiver profile
|
|
connections</caption><thead align="left"><tr><th valign="top" width="25.757575757575758%" id="d0e80">Option</th>
|
|
<th valign="top" width="74.24242424242425%" id="d0e82">Description</th>
|
|
</tr>
|
|
</thead>
|
|
<tbody><tr><td valign="top" width="25.757575757575758%" headers="d0e80 ">Fixed IP address</td>
|
|
<td valign="top" width="74.24242424242425%" headers="d0e82 ">You define the single IP address that is to be given
|
|
to remote users when they dial in. This is a host only IP address (Subnet
|
|
mask is 255.255.255.255) and is only for single connection receiver profiles.</td>
|
|
</tr>
|
|
<tr><td valign="top" width="25.757575757575758%" headers="d0e80 ">Address Pool</td>
|
|
<td valign="top" width="74.24242424242425%" headers="d0e82 ">You define the starting IP address and then a range
|
|
of how many additional IP addresses to define. Each user that connects will
|
|
then be given a unique IP address within the defined range. This is a host
|
|
only IP address (Subnet mask is 255.255.255.255) and is only for multiple
|
|
connection receiver profiles.</td>
|
|
</tr>
|
|
<tr><td valign="top" width="25.757575757575758%" headers="d0e80 ">RADIUS</td>
|
|
<td valign="top" width="74.24242424242425%" headers="d0e82 ">The remote IP address and it's subnet mask will be determined
|
|
by the Radius server. This is only if the following is defined: <ul><li>Radius support for authentication and IP addressing has been enabled from
|
|
the Remote Access Server services configuration.</li>
|
|
<li>Authentication is enabled for the receiver connection profile and is defined
|
|
to be authenticated remotely by Radius.</li>
|
|
</ul>
|
|
</td>
|
|
</tr>
|
|
<tr><td valign="top" width="25.757575757575758%" headers="d0e80 ">DHCP</td>
|
|
<td valign="top" width="74.24242424242425%" headers="d0e82 ">The remote IP address is determined by the DHCP server
|
|
directly or indirectly through DHCP relay. This is only if DHCP support
|
|
has been enabled from the Remote Access Server services configuration. This
|
|
is a host only IP address (Subnet mask is 255.255.255.255).</td>
|
|
</tr>
|
|
<tr><td valign="top" width="25.757575757575758%" headers="d0e80 ">Based on remote system's user ID</td>
|
|
<td valign="top" width="74.24242424242425%" headers="d0e82 ">The remote IP address is determined by the user ID defined
|
|
for the remote system when it is authenticated. This allows the administrator
|
|
to assign different remote IP addresses (and their associated subnet masks)
|
|
to the user that dials in. This also allows additional routes to be defined
|
|
for each of these user IDs so you can tailor the environment to the known
|
|
remote user. Authentication must be enabled for this function to work properly.</td>
|
|
</tr>
|
|
<tr><td valign="top" width="25.757575757575758%" headers="d0e80 ">Define additional IP addresses based on remote system's
|
|
user ID</td>
|
|
<td valign="top" width="74.24242424242425%" headers="d0e82 ">This option allows you to define IP addresses based
|
|
on the user ID of the remote system. This option is automatically selected
|
|
(and must be used) if the remote IP address assignment method is defined
|
|
as <strong>Based on remote system's user ID</strong>. This option is also allowed for
|
|
IP address assignment methods of Fixed IP address and Address Pool. When a
|
|
remote user connects to the iSeries server a search will be made to determine
|
|
if a remote IP address is defined specifically for this user. If it is then
|
|
that IP address, mask and set of possible routes will be used for the connection.
|
|
If the user is not defined then the IP address will default to the defined
|
|
Fixed IP address or the next Address Pool IP address.</td>
|
|
</tr>
|
|
<tr><td valign="top" width="25.757575757575758%" headers="d0e80 ">Allow remote system to define it's own IP address</td>
|
|
<td valign="top" width="74.24242424242425%" headers="d0e82 ">This option allows a remote user to define their own
|
|
IP address if they negotiate to do so. If they do not negotiate to use their
|
|
own IP address then the remote IP address will be determined by the defined
|
|
remote IP address assignment method. This option is initially disabled and
|
|
careful consideration should be used before enabling it.</td>
|
|
</tr>
|
|
<tr><td valign="top" width="25.757575757575758%" headers="d0e80 ">IP address routing</td>
|
|
<td valign="top" width="74.24242424242425%" headers="d0e82 ">The dial-up client and the iSeries must have IP address routing
|
|
properly configured if the client needs access to any IP addresses on the
|
|
LAN to which the iSeries belongs.</td>
|
|
</tr>
|
|
</tbody>
|
|
</table>
|
|
</div>
|
|
</div>
|
|
</div>
|
|
<div>
|
|
<div class="familylinks">
|
|
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzaiyipcons.htm" title="PPP connections allow several different sets of options for managing IP addresses depending on the type of connection profile.">IP address handling</a></div>
|
|
</div>
|
|
</div>
|
|
</body>
|
|
</html> |