manualshive.com logo in svg

Nokia Network Voyager, Reference Manual

Introducing Nokia Network Voyager, an advanced networking solution for seamless connectivity. Enhance your understanding of its powerful features with the comprehensive Reference Manual available for FREE download at manualshive.com. Unlock its potential through this user-friendly manual packed with valuable insights and instructions for optimal usage.

Share
Download
background image

8

  Configuring Router Services

462

Voyager Reference Guide

The Authentication Method selected must be the same for all routers running 
VRRP on the shared media network.

Monitored Circuit

Running VRRP in a static routed environment can lead to a “black hole" 
failure scenario. If a link on the VRRP master fails, it may accept packets 
from an end host but be unable to forward them to destinations reached via the 
failed link. This creates an unnecessary black hole for those destinations if 
there is an alternate path available via the VRRP backup.

The VRRP monitored circuit feature allows the virtual router master election 
priority to be made dependent on the current state of the access link. With 
proper selection of base priority and dynamic priority update based on 
interface status, the virtual router forwarding responsibility can be made to 
gracefully failover due to interface failure on the master router.

In order to utilize the monitored circuit feature, you must select a virtual 
router address that does not match an interface address or any IP address 
allocated to a host. The ICMP redirect messages must be disabled as well.

You can select either monitored circuit mode or VRRP v.2.

Configuring VRRP Rules for Check Point NG

When you are using Check Point NG FP1 and FP2, you must define an 
explicit VRRP rule in the rulebase to allow VRRP Multicast packets to be 
accepted by the gateway. It is also possible to block the VRRP traffic with an 
explicitly defined rule.

Caution

The VRRP rule constructions used in Check Point FireWall-1 4.1 and 
earlier does not work with Check Point NG, and using these 
constructions could result in VRRP packets being dropped by the 
cleanup rule.

Summary of Contents for Network Voyager

Page 1: ...Voyager Reference Guide Part No N450820002 Rev A Published December 2003 ...

Page 2: ... as is and any express or implied warranties including but not limited to implied warranties of merchantability and fitness for a particular purpose are disclaimed In no event shall Nokia or its affiliates subsidiaries or suppliers be liable for any direct indirect incidental special exemplary or consequential damages including but not limited to procurement of substitute goods or services loss of...

Page 3: ...SA and Canada 1 512 437 7089 email ipsecurity na nokia com Europe Middle East and Africa Nokia House Summit Avenue Southwood Farnborough Hampshire GU14 ONG UK Tel UK 44 161 601 8908 Tel France 33 170 708 166 email ipsecurity emea nokia com Asia Pacific 438B Alexandra Road 07 00 Alexandra Technopark Singapore 119968 Tel 65 6588 3364 email ipsecurity apac nokia com Web Site https support nokia com E...

Page 4: ...4 Voyager Reference Guide ...

Page 5: ...faces 80 FDDI Interfaces 84 ISDN Interfaces 89 Token Ring Interfaces 121 Point to Point Link over ATM 128 IP over ATM IPoA 136 Serial V 35 and X 21 Interfaces 143 T1 with built in CSU DSU Interfaces 152 E1 with built in CSU DSU Interfaces 164 HSSI Interfaces 174 Unnumbered Interfaces 180 Cisco HDLC Protocol 188 Point to Point Protocol 189 Frame Relay Protocol 192 Loopback Interfaces 197 GRE Tunnel...

Page 6: ...n IPSO 343 Configuring Access Control Lists ACL 402 Configuring Access Control List Rules 407 Configuring Aggregation Classes 412 Configuring Queue Classes 415 Configuring ATM QoS 419 Configuring Common Open Policy Server 423 Configuring Transparent Mode 435 Configuring Router Services 449 Bootp Bootstrap Protocol Relay 451 IP Broadcast Helper 453 Router Discovery 456 VRRP Virtual Router Redundanc...

Page 7: ...Layer SSL 555 Authentication Authorization and Accounting AAA 560 Cryptographic Acceleration 583 IPsec Tunnels 587 Voyager Session Management 616 Configuring Fault Management 621 Fault Management Configuration 622 Configuring SNMP 627 Overview 628 Configuring SNMP v1 and v2 634 Interpreting SNMP Messages 643 SNMP v3 647 Configuring Asset Management 651 Asset Management Summary 651 Configuring IPv6...

Page 8: ...8 Voyager Reference Guide IPSO Process Management 671 IPSO Process Management 671 Glossary 675 Index 689 ...

Page 9: ...Operating System Nokia firewalls run Nokia IPSO a UNIX like operating system based on FreeBSD IPSO is customized to support Nokia s enhanced routing capabilities and Check Point s FireWall 1 firewall functionality and to harden network security Unnecessary features have been removed to minimize the need for UNIX system administration Ipsilon Routing Daemon IPSRD IPSRD is Nokia s routing software T...

Page 10: ...ork traffic and protocol performance Voyager also provides online documentation Voyager itself runs on a remote machine as a client application of the Nokia routing software and is HTML based Interface Overview This section describes how to configure network devices and assign IP addresses to them using Voyager Interface Types Nokia NAPs support the following interface types Note Consult the appro...

Page 11: ...onfiguring Network Devices Voyager displays network devices as physical interfaces A physical interface exists for each physical port on a network interface card NIC installed in the unit Physical interface names have the form type s slot p port where type is a prefix indicating the device type The interface name prefixes for each type are as follows Type Prefix Ethernet eth FDDI fddi ATM atm Seri...

Page 12: ...h time you configure an RFC1483 PVC for the device Serial T1 E1 and HSSI devices have one logical interface when they are running PPP or Cisco HDLC Serial T1 E1 and HSSI devices running point to point Frame Relay have a logical interface for each PVC configured on the port You also have the option of configuring an unnumbered interface for point to point interfaces Tunnels however cannot be config...

Page 13: ... exists for a device you can assign an IP address to it For Ethernet FDDI and Token Ring you must specify the interface s local IP address and the length in bits of the subnet mask for the subnet to which the device connects If you are running multiple subnets on the same physical network you can configure additional addresses and subnet masks on the single logical Physical Interface Logical Inter...

Page 14: ...s the source address of the IP packet Thus for a router to have an unnumbered interface it must have at least one IP address assigned to it The Nokia implementation of unnumbered interfaces does not support virtual links Indicators and Interface Status The configuration and status of removable interface devices are displayed Interfaces can be changed while they are offline The events their effects...

Page 15: ...twork Address Resolution Protocol ARP ARP allows a host to find the physical address of a target host on the same physical network using only the target s IP address ARP is a low level protocol that hides the underlying network physical addressing and permits assignment of an arbitrary IP address to every machine ARP is considered part of the physical network system and not as part of the internet...

Page 16: ...ocol Tunnels DVMRP tunnels encapsulate multicast packets using IP in IP encapsulation The encapsulated packets appear as unicast IP packets This technique allows two multicast routers to exchange multicast packets even when they are separated by routers that cannot forward multicast packets For each DVMRP tunnel you create you must provide the IP address of the interface that forms the local endpo...

Page 17: ...uting Protocols Nokia Routing Subsystem The Nokia routing subsystem Ipsilon Routing Daemon IPSRD is an essential part of your firewall IPSRD s role is to dynamically compute paths or routes to remote networks Routes are calculated by a routing protocol Besides providing routing protocols IPSRD also allows routes to be converted or redistributed between routing protocols Finally when there are mult...

Page 18: ...ltering and configuration Interior Routing Protocols IPSRD supports three IGPs RIP Routing Information Protocol IGRP Interior Gateway Routing Protocol and OSPF Open Shortest Path First Static routes and aggregate routes are also supported RIP RIP is a commonly used IGP There are two versions of RIP RIP version 1 and RIP version 2 Both versions are supported by IPSRD RIP uses a simple distance vect...

Page 19: ...test Path First is a modern link state routing protocol It fully supports non classful networks OSPF has a single 24 bit metric for each destination You can configure this metric to any desired value OSPF allows the AS to be broken up into areas Areas allow you to increase overall network stability and scalability At area boundaries routes can be aggregated to reduce the number of routes each fire...

Page 20: ...ewall s reachability information to its peer or neighbor firewalls BGP uses path attributes to provide more information about each route BGP maintains an AS path which includes the number of each AS that the route has transited Path attributes may also be used to distinguish between groups of routes to determine administrative preferences This allows greater flexibility in determining route prefer...

Page 21: ...packet forwarding by the originator of the aggregate route only by the receiver if it wishes A firewall receiving a packet which does not match one of the component routes that led to the generation of an aggregate route should respond with an ICMP network unreachable message This message prevents packets for unknown component routes from following a default route into another network where they w...

Page 22: ...ibuted between the protocols run on the firewall A metric is set for any redistributed route This metric is sent to the peer by certain protocols and may be used by the peer to choose a better route to a given destination Some routing protocols can associate a metric with a route when announcing the route A route filter can be used to explicitly list all the redistributed routes Redistributing Rou...

Page 23: ...ote If no redistribution policy is specified RIP and interface routes are redistributed into RIP and IGRP and interface routes are redistributed into IGRP If any policy is specified the defaults are overridden You must explicitly specify everything that should be redistributed RIP version 1 assumes that all subnets of the shared network have the same subnet mask so they are able to propagate only ...

Page 24: ... indirectly controls the redistribution of routes between protocols The syntax varies slightly per source protocol BGP routes may be specified by source AS RIP and IGRP routes may be redistributed by protocol source interface and or source gateway Both OSPF and OSPF ASE routes may be redistributed into other protocols All routes may be redistributed by AS path When BGP is configured all routes are...

Page 25: ...ening a Second Window to View Help Navigating in Voyager The following table explains the functions of the large blue buttons in Voyager Other buttons are described in the inline help for each page Note You can press buttons to produce a result when they have a dark shadow behind them Buttons without shadows such as those found in the Voyager Online Help instructions do not function they are only ...

Page 26: ...Takes you to the online help table of contents Doc Takes you to the online help table of contents Feedback Takes you to the documentation or Technical Assistance Center TAC feedback page Help Turns on contextual inline help for all elements of the page H Turns on contextual inline help for a specific element of the page Home Takes you to the home page Monitor Takes you to the monitor page main men...

Page 27: ...tton 4 Click the CLEAR DISK CACHE NOW button then click the OK button 5 Click the OK button or close the Preferences window Viewing Online Help Online help consists of procedures for common tasks you can perform with Voyager Note Buttons without shadows such as those found in the Voyager online help instructions do not function they are there only for illustration 1 Click the DOC button on the top...

Page 28: ...y definitions and related information related to that specific field or section appear in a separate window 2 Click the Close button on the Help window to close inline help Voyager Help Conventions Inline and online help use the following text conventions This Type of Text Means This italic text Introduces a word or phrase highlights an important term phrase or hypertext link indicates a field nam...

Page 29: ...online help in a new window 3 Using the right button middle button in UNIX of your mouse click the HELP ON button 4 Click OPEN LINK IN NEW BROWSER WINDOW Displays the inline text only help in a new window bracketed Indicates an argument that you or the software replaces with an appropriate value For example the command rm filename indicates that you should type rm followed by the filename of the f...

Page 30: ...2 How to Use Voyager 30 Voyager Reference Guide ...

Page 31: ...Voyager Reference Guide 31 3 Command Line Utility Files Chapter Contents CAMCONTROL FTP ID MAIL MTRACE NETSTAT PCCARDD PING SCP SSH SSHD SSH ADD SSH AGENT SSH KEYGEN TCPDUMP TELNET TFTPD TRACEROUTE ...

Page 32: ...3 Command Line Utility Files 32 Voyager Reference Guide ...

Page 33: ...storical Rate Shaping Bandwidth Statistics Displaying Interface Throughput Statistics Displaying Historical Interface Throughput Statistics Displaying Interface Linkstate Statistics Displaying Historical Interface Linkstate Statistics Displaying CPU Utilization Statistics Displaying Historical CPU Utilization Statistics Displaying Memory Utilization Statistics Displaying Historical Memory Utilizat...

Page 34: ... Commands Resolving and Preventing Full Log Buffers and Related Console Messages Dynamic Monitoring Dynamic and Static Monitoring Described The monitoring features in Voyager give you the ability to better maintain system performance and security You can also customize certain types of data collection to better help you manage and maintain system availability The following are some of the key feat...

Page 35: ...statistics Configuring Data Collection Events To configure data collection events follow these instructions 1 Click MONITOR on the home page 2 Click Monitor Report Configuration link 3 Optional Click the ON radio button to enable a particular data collection event The default is set to on 4 Optional Click the OFF radio button to disable a particular data collection event 5 Optional Enter the colle...

Page 36: ...it with an access control list for the name to appear as a choice in the Aggregation Class list See Traffic Management Creating an Aggregation Class and Creating an Access Control List in Voyager 5 In the TYPE OF RATESHAPING DATA field click the check box either next to PACKETS DELAYED or BYTES DELAYED 6 To select a format type for displaying the report in the SELECT FORMAT field click the button ...

Page 37: ...d time Note Data for the previous 7 days is available 6 In the SELECT AGGREGATES field click on the name of the Aggregation class for which you want to display a report or click on ALL AGGREGATES to display data for all configured aggregation classes Note You Must Configure An Aggregation Class And Associate It With An Access List For The Name To Appear As A Choice In The Aggregation Class Drop do...

Page 38: ...ons 1 Click MONITOR on the home page 2 Click the Interface Throughput link 3 In the SELECT REPORT TYPE field click the button next to HOURLY DAILY WEEKLY or MONTHLY The default is set to Daily 4 Select an interface name from the SELECT INTERFACE list or select ALL LOGICAL to display throughput data for all logical interfaces 5 In the Type of Throughput field click the check box next to PACKET THRO...

Page 39: ... Throughput link 3 In the SELECT REPORT TYPE field click the button next to DETAILED SEARCH 4 Enter a value for the date and time in the START DATE Edit Box The date defaults to the current date and time minus 10 minutes 5 Enter a value for the date and time in the END DATE Edit Box The date defaults to the current date and time Note Data for the previous 7 days is available 6 Select an interface ...

Page 40: ...Statistics To display interface linkstate statistics follow these instructions 1 Click MONITOR on the home page 2 Click the Interface Linkstate link 3 In the SELECT REPORT TYPE field click the button next to HOURLY DAILY WEEKLY or MONTHLY The default is set to Daily 4 Select an interface name from the SELECT INTERFACES FOR QUERY list or select ALL LOGICAL to display linkstate data for all logical ...

Page 41: ... a value for the date and time in the END DATE Edit Box The date defaults to the current date and time Note Data for the previous 7 days is available 6 Select an interface name from the SELECT INTERFACES FOR QUERY list or select ALL LOGICAL to display linkstate data for all logical interfaces 7 To select a format type for displaying the report in the SELECT FORMAT field click the button next to GR...

Page 42: ...AT field click the button next to GRAPHICAL VIEW or DELIMTED TEXT If you select DELIMITED TEXT click on the Delimiter drop down window and select either SEMI COLON COMMA or TAB Note The Graphical View displays information at the bottom of the page in a table and graph Delimited Text format displays the report as text in a new page from which you can download the information 5 Click VIEW REPORT or ...

Page 43: ...ON COMMA or TAB Note The Graphical View displays information at the bottom of the page in a table and graph Delimited Text format displays the report as text in a new page from which you can download the information 7 Click VIEW REPORT or APPLY to view interface throughput data for the period of time selected Displaying Memory Utilization Statistics To display memory utilization statistics follow ...

Page 44: ...stics for a specific period of time follow these instructions 1 Click MONITOR on the home page 2 Click the Memory Utilization link 3 In the SELECT REPORT TYPE field click the button next to DETAILED SEARCH 4 Enter a value for the date and time in the START DATE Edit Box The date defaults to the current date and time minus 10 minutes 5 Enter a value for the date and time in the END DATE Edit Box Th...

Page 45: ...e following pages allow you to display statistics to help you monitor the health of your system Useful System Statistics Interface Traffic Statistics Interface Queue Statistics VRRP Service Statistics To display the statistical information follow these instructions 1 Click MONITOR on the home page 2 Click the Link under System Health for which you want to obtain statistics Monitoring System Logs T...

Page 46: ...arch criteria to view specific system log activity To view a particular type or types of log activity click one or more items in the Log Type list On a management console running the Windows OS hold down the Crtl key while selecting multiple items Click APPLY to view messages The default is to display all types of system messages To select a a month for which display messages click on the Select M...

Page 47: ...default is to display activity for all users To view activity for a particular user only click the LOGIN LOGOUT INFO FOR USER drop down window and select the user for whom you want to view login and logout activity Click APPLY Management Activity Log The management activity log lets you view configuration changes The log includes a timestamp which provides the date and time when a configuration ch...

Page 48: ...mbers in the cluster Number Of Interfaces Number of interfaces on which clustering is enabled Network Networks on which clustering is enabled Cluster IP Address Cluster IP Address on each network The Cluster Member table contains the following information Member Id Node ID in the cluster IP Addr Primary IP address of the member Hostname Hostname of the node Platform Type of platform OS Release Ope...

Page 49: ...ls OSPF BGP RIP IGRP VRRP PIM DVMRP IGMP It also presents the routing daemon s information regarding the routing table via the Route link and interfaces via the Interfaces link To display routing information follow these instructions 1 Click MONITOR on the home page 2 Click the Routing Protocol link for which you want to obtain statistics Displaying Resource Settings This page displays system reso...

Page 50: ...ecisions Displaying Route Settings This page displays interface statistics 1 Click MONITOR on the home page Click the Route Settings link for the interface for which you want to obtain statistics Displaying Interface Settings This page displays interface statistics 1 Click MONITOR on the home page 2 Click the Interface Settings link for the interface for which you want to obtain statistics Display...

Page 51: ...oring section Displaying IPv6 Running States Use this page to monitor the IPv6 running state 1 Click Monitor on the home page 2 Click the IPv6 Monitor link to display IPv6 running state Displaying Routing Daemon Status iclid Obtain routing diagnostic information by creating a telnet session on the network application platform NAP and running iclid IPSRD Command Line Interface Daemon To display rou...

Page 52: ...gh when you resume scrolling by selecting any key you may lose a page of information At any point in iclid you can type to display possible command completions You can also abbreviate commands when there is no ambiguity The help command takes as arguments iclid commands and top level iclid categories it displays a brief summary of what the specified command will display The quit command returns co...

Page 53: ... for each BGP group detailed Detailed statistics on BGP groups summary A summary of statistics on BGP groups memory Lists BGP memory parameters and statistics neighbor peerid advertise Shows BGP neighbor statistics detailed Provides detailed information about BGP neighbors and is organized by neighbor address In the event of an excessively long list type q paths List of BGP paths in the event of a...

Page 54: ...ed AS to AS as number from proto Shows detailed redistribution data to the designated AS from the specified protocol statistics A table of peer parameters and statistics summary BGP summary bootpgw interface BOOTP relay state of interfaces enabled for BOOT protocols interface BOOTP relay state of specified interface stats Summary of BOOTP relay requests and replies received and made rec Summary of...

Page 55: ...eters route Shows state of DVMRP route parameters stats Statistical information about DVMRP packets sent and received including an error summary receive A summary of statistical information about received DVMRP packets transmit A summary of statistical information about transmitted DVMRP packets error A summary of DVMRP packets with errors igmp State of IGMP groups State of the IGMP groups maintai...

Page 56: ... received as well as an error summary inbound filter Lists inbound filters and data for all protocols interface Status and addresses of all configured interfaces krt Displays IPSRD core information memory Total memory usage in kbytes detailed Total memory usage as well as memory usage by each routing protocol ospf border routers Lists OSPF border routers and associated codes database area Provides...

Page 57: ...y Summary of OSPF database checksum Statistical data on the OSPF checksum database network Data on OSPF database network type Data on the state of firewall link parameters errors brief Provides basic data on OSPF errors dd OSPF dd errors hello OSPF hello errors ip OSPF interface protocol errors lsack OSPF ls acknowledge errors lsr OSPF lsr errors lsu A list of OSPF lsu errors proto OSPF protocol e...

Page 58: ...ts proto inbound filter Lists inbound filter data for the specified protocol redistribution Lists redistributions from all sources to the designated protocol redistribution from proto Lists redistributions from a specified protocol to another specified protocol redistribution Shows a comprehensive list of redistributions to various protocols and autonomous systems and includes detailed distributio...

Page 59: ...ata In the event of a long list abort by typing q aggregate Data on all aggregate routes by code letter bgp Data on BGP routes direct Data on direct routes igrp Data on IGRP routes ospf Data on OSPF routes rip Data on RIP routes static Data on static routes bgp Statistics on BGP routes aspath List of parameters and status of BGP AS path communities Status of BGP communities detailed Details of BGP...

Page 60: ...ve Inactive routes aggregate Inactive aggregate routes bgp Inactive BGP routes direct Inactive direct routes igrp Inactive IGRP routes ospf Inactive OSPF routes rip Inactive RIP routes static Inactive static routes ospf OSPF route data rip RIP route data static Static route data summary Displays the number of routes for each protocol version Operating system version information vrrp VRRP state inf...

Page 61: ...g trap messages The kernel module maintains a buffer of waiting log messages that it forwards through fwd to the management module The buffer is circular so that high logging volumes can cause buffer entries to be overwritten before they are interface VRRP interfaces and associated information stats VRRP transmission and reception statistics iclid Show Command Results show ospf Shows OSPF summary ...

Page 62: ...tical to do so Increase the size of the kernel module buffer Note To perform the following procedures use the zap or modzap utility which you can obtain from the Nokia Technical Assistance Center TAC refer to Resolution 1261 If you are using FireWall 1 4 1 do the following 1 Set the execute permissions by issuing an fwstop command 2 To confirm that you have sufficient resources to increase the buf...

Page 63: ...ing 1 Set the execute permissions by issuing a cpstop command 2 To confirm that you have sufficient resources to increase the buffer size issue the following command modzap n _fw_log_bufsize FWDIR boot modules fwmod o 0x200000 where 0x20000 indicates a buffer size of 2MB and the n option causes modzap to check the value at the symbol reported 3 A console message is displayed confirming the change ...

Page 64: ...isk space allocated for the FW 1 log message file 1 Move your log file s from the system hard drive to a server 2 Configure the relocated files using the Check Point management client GUI Smart Dashboard as follows a Select the Check Point gateway object you are configuring b Under Gateway Object Configuration select the Logs and Masters section and do the following Specify the amount of free disk...

Page 65: ...Ethernet Interface Changing the IP Address of an Ethernet Interface Ethernet Example Gigabit Ethernet Interfaces Configuring a Gigabit Ethernet Interface Changing the IP Address of a Gigabit Ethernet Interface Gigabit Ethernet Example Virtual LAN Interface Virtual LAN Description Configuring a VLAN Interface Defining the Maximum number of VLANs VLAN Example Topology FDDI Interfaces Configuring an ...

Page 66: ... a Token Ring Interface Token Ring Example Point to Point Link over ATM Configuring an ATM Interface Changing the VPI VCI of an ATM Interface Changing the IP Address of an ATM Interface Changing the IP MTU of an ATM Interface Removing an ATM Interface ATM Example Logical IP Subnets LIS over ATM Configuring an ATM Logical IP Subnet LIS Interface Changing the VPI VCIs of an ATM LIS Interface Changin...

Page 67: ...HSSI Interfaces Configuring an HSSI Interface for Cisco HDLC Configuring an HSSI Interface for PPP Configuring an HSSI Interface for Frame Relay Unnumbered Interfaces Unnumbered Interfaces Description Configuring an Unnumbered Interface Changing an Unnumbered Interface to a Numbered Interface Configuring a Static Route over an Unnumbered Interface Configuring OSPF over an Unnumbered Interface Conf...

Page 68: ...elay Interface Loopback Interfaces Adding an IP Address to a Loopback Interface Changing the IP Address of a Loopback Interface GRE Tunnels Creating a GRE Tunnel Changing the Local and or Remote Address or Local Remote Endpoint of a GRE Tunnel Changing IP TOS Value of a GRE Tunnel Removing a GRE Tunnel GRE Tunnel Example HA GRE Tunnels Description HA GRE Tunnel Example DVMRP Tunnels Creating a DVM...

Page 69: ... Entry Viewing and Deleting Dynamic ATM ARP Entries Ethernet Interfaces Configuring an Ethernet Interface 1 Click CONFIG on the home page 2 Click the Interfaces link 3 Click the physical interface link you want to configure in the PHYSICAL column Example eth s2p1 4 Click the 10 MBIT SEC or the 100 MBIT SEC radio button in the PHYSICAL CONFIGURATION table LINK SPEED field to select the link speed N...

Page 70: ...he device in the NEW IP ADDRESS edit box 9 Enter the IP subnet mask length in the NEW MASK LENGTH edit box Click APPLY Each time you click APPLY the configured IP address and mask length are added to the table The entry fields remain blank to allow you to add more IP addresses To enter another IP address and IP subnet mask length repeat steps 8 9 10 Optional Change the interface s logical name to ...

Page 71: ...2p1 4 Click the 10 MBIT SEC or the 100 MBIT SEC radio button in the PHYSICAL CONFIGURATION table LINK SPEED field Click APPLY Note This setting must be the same for all hosts on the network to which the device connects To make your changes permanent click SAVE Changing the Duplex Setting of an Ethernet Interface Note If the duplex setting of an Ethernet interface is incorrect it may not receive da...

Page 72: ...Setting of an Ethernet Interface When Autoadvertise is enabled on an Ethernet interface the device advertises its configured speed and duplex setting using Ethernet negotiation 1 Click CONFIG on the Voyager home page 2 Click the Interfaces link 3 Click the Physical interface that you want to change in the Physical column Example eth s2p1 4 Click the ON or OFF radio button in the PHYSICAL CONFIGURA...

Page 73: ...ant to delete then click APPLY 5 To add the new IP address enter the IP address for the device in the NEW IP ADDRESS edit box 6 Enter the IP subnet mask length in the NEW MASK LENGTH edit box Click APPLY Each time you click APPLY the newly configured IP address and mask length are added to the table The entry fields remain blank to allow you to add more IP addresses To make your changes permanent ...

Page 74: ...he browser The figure below shows the network configuration for this example In a company s main office Nokia Platform A terminates a serial line to an Internet service provider running PPP with a keepalive value of 10 Nokia Platform A also provides internet access for a FDDI ring and a remote branch office connected via ATM PVC 93 Nokia Platform A Nokia Platform B atm s1p1c52 192 168 3 1 atm s2p1...

Page 75: ... MBIT SEC radio button 5 Click APPLY 6 Click eth s2p1c0 in the LOGICAL INTERFACES table to go to the Interface page 7 Enter 192 168 4 1 in the NEW IP ADDRESS edit box 8 Enter 24 in the NEW MASK LENGTH edit box 9 Click APPLY 10 Click the UP button to go the Interfaces page 11 Click the ON radio button for eth s2p1c0 12 Click APPLY 13 Click SAVE Gigabit Ethernet Interfaces Configuring a Gigabit Ethe...

Page 76: ...o go to the Interface page 5 Enter the IP address for the device in the NEW IP ADDRESS edit box 6 Enter the IP subnet mask length in the NEW MASK LENGTH edit box Click APPLY 7 Each time you click APPLY the configured IP address and mask length are added to the table The entry fields remain blank to allow you to add more IP addresses To enter another IP address and IP subnet mask length repeat step...

Page 77: ...e page 2 Click the Interfaces link 3 Click the logical interface link for which you want to change the IP address in the LOGICAL column of the Interface Configuration page Example eth s5p1c0 4 To remove the old IP address click the DELETE check box that corresponds to the address you want to delete then click APPLY 5 To add the new IP address enter the IP address for the device in the NEW IP ADDRE...

Page 78: ...g Voyager you must configure an IP address on one of the interfaces You can do this through the unit s console port during installation or by using the Lynx browser This allows a graphical browser such as Microsoft Internet Explorer or Netscape Navigator to access the unit through that interface You can use any graphical web browser to configure the other interfaces on the unit by entering the IP ...

Page 79: ... ring and a remote branch office connected via ATM The branch office contains Nokia Platform B which routes traffic between a local Gigabit Ethernet network and ATM It provides access to the main office Nokia Platform A Nokia Platform B atm s1p1c52 192 168 3 1 atm s2p1c93 192 168 3 2 ser s1p1c0 192 168 2 1 eth s2p1c0 192 168 4 1 24 192 168 4 xxx FDDI 192 168 1 xxx 192 168 1 1 24 fddi s3p1c0 192 16...

Page 80: ...o to the Interface page 7 Enter 192 168 4 1 in the NEW IP ADDRESS edit box 8 Enter 24 in the NEW MASK LENGTH edit box 9 Click APPLY 10 Click the UP button to go the Interface Configuration page 11 Click the ON radio button for eth s5p1c0 12 Click APPLY 13 Click SAVE Virtual LAN Interfaces Virtual LAN Description Nokia supports Virtual LAN VLAN interfaces on all supported ethernet interfaces The us...

Page 81: ...ully conformant IEEE 802 1Q tags The IEEE802 1Q standard defines the technology for virtual bridged networks The Nokia implementation is completely interoperable as a router not as a switch Configuring a VLAN Interface 1 Click CONFIG on the home page 2 Click the Interfaces link 3 Click the link to the physical ethernet interface for which you want to enable a VLAN interface in the PHYSICAL field T...

Page 82: ...the ACTIVE field in the row for the logical interface Click APPLY and then click SAVE to make your change permanent Note You can assign multiple IP addresses to each logical VLAN interface Repeat steps 8 and 9 for each IP address you want to assign to the same VLAN logical interface Deleting a VLAN Interface 1 Click CONFIG on the home page 2 Click the INTERFACES link 3 Click the link for the physi...

Page 83: ...he topology below represents a fully redundant firewall with load sharing and VLAN Each Nokia appliance running Check Point FW 1 is configured with the Virtual Router Redundancy Protocol VRRP This protocol provides dynamic fail over of IP addresses from one router to another in the event of failure See VRRP Description for more information Each appliance is configured with Gigabit Ethernet and sup...

Page 84: ... Configuring an FDDI Interface 1 Click CONFIG on the home page 2 Click the Interfaces link 3 Click the physical interface link you want to configure in the PHYSICAL column NOK CP FW 1 NOK CP FW 1 FW 1 sync switch switch Un tagged VLAN tagged Un tagged VLAN switch VLAN switch GSR GS Multiple VLANs on single cable gigabit Ethernet gigabit Ethernet gigabit Ethernet gigabit Ethernet VRRP pair VRRP pai...

Page 85: ...th in the NEW MASK LENGTH edit box then click APPLY Each time you click APPLY the configured IP address and mask length are added to the table The entry fields remain blank to allow you to add more IP addresses To enter another IP address and IP subnet mask length repeat steps 6 7 8 Optional Change the interface s logical name to a more meaningful one by typing the preferred name in the LOGICAL NA...

Page 86: ...ink 3 Click the physical interface link you want to change in the PHYSICAL column Example fddi s2p1 4 Click the FULL or HALF radio button in the PHYSICAL CONFIGURATION table DUPLEX field then click APPLY Note A device attached to a ring topology should be set to half duplex If the device is running in point to point mode the duplex setting should be set to full This setting must be the same for al...

Page 87: ... you want to delete then click APPLY 5 To add the new IP address enter the IP address for the device in the NEW IP ADDRESS edit box 6 Enter the subnet mask length in the NEW MASK LENGTH edit box then click APPLY Each time you click APPLY the new IP address and mask length are added to the table The entry fields remain blank to allow you to add more IP addresses To make your changes permanent click...

Page 88: ...owser The figure below shows the network configuration for this example In a company s main office Nokia Platform A terminates a serial line to an Internet service provider running PPP with a keepalive value of 10 Nokia Platform A also provides internet access for a FDDI ring and a remote branch office connected via ATM PVC 93 Nokia Platform A Nokia Platform B atm s1p1c52 192 168 3 1 atm s2p1c93 1...

Page 89: ...192 168 1 1 in the NEW IP ADDRESS edit box 8 Enter 24 in the NEW MASK LENGTH edit box 9 Click APPLY 10 Click the UP button to go the Interfaces page 11 Click the ON radio button for fddi s3p1c0 12 Click APPLY 13 Click SAVE ISDN Interfaces Integrated Services Digital Network is a system of digital phone connections that allows voice digital network services and video data to be transmitted simultan...

Page 90: ...aintain the ISDN call The logical interface comprises Data link encapsulation and addressing Call connection information such as call direction data rate and the number to call Authentication information such as names passwords and authentication method Bandwidth allocation for Multilink PPP After configuring the physical interface then creating and configuring the logical interfaces the Nokia Pla...

Page 91: ...hysical Interface 1 Click CONFIG on the home page 2 Click the Interfaces link 3 Click the physical interface link you want to configure in the PHYSICAL column Example isdn s2p1 4 From the pull down menu in the SWITCH TYPE field in the PHYSICAL CONFIGURATION table select the service provider switch type that corresponds to the interface s network connection 5 In the LINE TOPOLOGY field in the PHYSI...

Page 92: ...pean ISDN switch types for example ETSI PowerUp ISDN TEI negotiation should occur when the router is powered on 10 Click APPLY 11 To make your changes permanent click SAVE Creating a Logical Interface To Configure an ISDN Logical Interface to Place Calls 1 Click CONFIG on the home page 2 Click the Interfaces link 3 In the PHYSICAL column click on the ISDN physical name interface link you want to c...

Page 93: ...he remote end of the connection in the REMOTE ADDRESS edit box in the INTERFACE INFORMATION table 9 Optional Enter a string comment in the DESCRIPTION edit box in the CONNECTION INFORMATION table to describe the purpose of the logical interface for example Connection to Sales Office 10 Click the OUTGOING Direction radio button in the CONNECTION INFORMATION table 11 Optional Enter the value for the...

Page 94: ... in the CONNECTION INFORMATION table The calling number and subaddress are inserted in a SETUP message when an outgoing call is made Note The AUTHENTICATION table entries which follow allow the user to manage the parameters used to authenticate both ends of the communication link 16 In the TO REMOTE HOST section of the AUTHENTICATION table in the NAME edit box enter the name that needs to be retur...

Page 95: ...ON table entries that follow allow the network administrator to manage the parameters that are used to determine when to add or remove an additional B channel only when using Multilink PPP 21 In the BANDWIDTH ALLOCATION table in the UTILIZATION LEVEL edit box enter a percentage bandwidth utilization level at which the additional B channel will be added or removed When the measured utilization of a...

Page 96: ...tilization level has been exceeded It will also cause the second B channel to be removed from operation immediately the measured utilization drops below the utilization level 23 Click APPLY 24 To make your changes permanent click SAVE For troubleshooting information see ISDN Troubleshooting To Configure an Interface to Receive Calls 1 Click CONFIG on the home page 2 Click the Interfaces link 3 Cli...

Page 97: ...ble in the NAME edit box enter the name that needs to be returned to a remote host when it attempts to authenticate this host 12 In the TO REMOTE HOST section of the AUTHENTICATION table in the PASSWORD edit box enter the password to be returned to the remote host for PAP authentication or the secret used to generate the challenge response for CHAP authentication Note The TO REMOTE HOST informatio...

Page 98: ...ted by the network to filter calls using the calling number When an incoming call is received the calling number in the received SETUP message is checked against the incoming numbers configured on each logical interface The calling number is compared with each incoming call using the right most digits algorithm A number matches if the shortest string between the received calling number and the inc...

Page 99: ...he incoming call to be disconnected and an outgoing call attempted otherwise click the NO radio button to have the incoming call answered If Callback is set to Yes the Nokia Platform uses the number in the REMOTE NUMBER field on the logical interface to make the outgoing call 8 If Callback has been set to Yes enter the value for the timeout in the TIMEOUT field This is the amount of time in second...

Page 100: ...e 2 Click the Interfaces link 3 Click the physical interface link you want to configure in the PHYSICAL column Example isdn s2p1 4 Select whether to run PPP or multilink PPP on the interface from the ENCAPSULATION edit box in the Create New Logical Interface section then click APPLY A new logical interface appears in the INTERFACE column 5 Click the logical interface name in the INTERFACE column o...

Page 101: ...p1 4 Find the logical interface you want to remove in the LOGICAL INTERFACES table and click the corresponding DELETE button then click APPLY 5 To make your changes permanent click SAVE Dial on Demand Routing Lists As ISDN connections attract charges to establish and maintain connections it can be advantageous to have only certain types of packets cause the connection to be set up It is also usefu...

Page 102: ...include traffic which configured in the DDR list with an ignore action If no packets that match an accept rule in the DDR list are transmitted in the configured idle time the connection is automatically disconnected A DDR list is created with a default rule that matches all packets The associated action is accept This action can be set to skip so that all unmatched packets are deemed uninteresting...

Page 103: ...DDR list in the CREATE NEW DDR LIST edit box then click APPLY The DDR list name DELETE check box and Add Interfaces drop down window will appear Only the default rule will display in the DDR list until you create your own rule 4 To make your changes permanent click SAVE Deleting a DDR List 1 Click CONFIG on the home page 2 Click the Dial on Demand Routing Configuration link under the Traffic Manag...

Page 104: ...u have created more rules you can add rules before other rules For example if you have four rules rules 1 2 3 and 4 you can place a new rule between rules 2 and 3 by checking the ADD RULE BEFORE check box on rule 3 5 To make your changes permanent click SAVE Modifying a Rule 1 Click CONFIG on the home page 2 Click the Dial on Demand Routing Configuration link under the Traffic Management section 3...

Page 105: ...page 2 Click the Dial on Demand Routing Configuration link under the Traffic Management section 3 Locate the DDR list that contains the rule you want to delete 4 Click the DELETE check box next to the rule that you want to delete then click APPLY 5 To make your changes permanent click SAVE Applying a DDR List to an Interface 1 Click CONFIG on the home page 2 Click the Dial on Demand Routing Config...

Page 106: ... RIP packets do not cause an ISDN connection to be established nor keep an active connection running RIP packets can however be exchanged over an established ISDN connection The DDR list will be added to the ISDN interface isdn s2p2c1 1 Click CONFIG on the home page 2 Click the Dial on Demand Routing Configuration link under the Traffic Management section 3 Enter NotRIP in the CREATE NEW DDR LIST ...

Page 107: ...figure shows the network configuration for the example explained below 206 226 5 1 eth s1p1 192 168 24 65 eth s3p1 206 226 15 1 206 226 5 2 206 226 5 3 192 168 24 66 192 168 24 67 isdn s4p1 00067 ISDN Cloud ISDN phone number 384020 206 226 15 2 isdn s2p1 ISDN phone number 38400 ...

Page 108: ...N interface are acceptable Therefore no configuration of the physical interface is required Configuring the IP330 to Place an Outgoing Call 1 Click CONFIG on the home page 2 Click the Interfaces link 3 Click isdn s2p1 in the PHYSICAL column of the table 4 Select PPP from the ENCAPSULATION edit box in the CREATE NEW LOGICAL INTERFACE table then click APPLY A new logical interface appears in the INT...

Page 109: ...he AUTHENTICATION table 15 Click APPLY 16 Click SAVE Configuring the IP650 to Handle an Incoming Call 1 Click CONFIG on the home page 2 Click the Interfaces link 3 Click isdn s4p1 in the PHYSICAL column of the table 4 Select PPP from the ENCAPSULATION edit box in the CREATE NEW LOGICAL INTERFACE table then click APPLY A new logical interface appears in the INTERFACE column of the LOGICAL INTERFACE...

Page 110: ...HENTICATION table 13 Click APPLY 14 Click the Incoming Numbers link 15 Enter 384000 in the NUMBER edit box under the Add Incoming Call Information section 16 Click APPLY 17 Click SAVE Sample Call Traces Traces for call setup between the Nokia Platforms are shown below The traces were produced by issuing the command tcpdump i interface on each machine Traffic was generated by doing a ping 206 226 1...

Page 111: ...11bb3b42dec57d1108c728e575 ecc22ddf0a06b3d0b1fe46687c970bb91fa4688d417bf72a0bca572c7e4e1 6 name 06 23 49 085729 O B1 response value dd379d2b5e692b6afef2bee361e32bca name User 06 23 49 094922 I B1 success 06 23 49 094969 O B1 ppp ipcp conf_req addr 06 23 49 097161 I B1 ppp ipcp conf_req addr 06 23 49 097194 O B1 ppp ipcp conf_ack addr 06 23 49 102159 I B1 ppp ipcp conf_ack addr 06 23 49 102200 O B1...

Page 112: ...ppp lcp conf_req mru authtype magicnum 15 10 09 434996 I B1 ppp lcp conf_ack mru authtype magicnum 15 10 12 420103 O B1 ppp lcp conf_req mru authtype magicnum 15 10 12 429646 I B1 ppp lcp conf_ack mru authtype magicnum 15 10 12 532897 I B1 ppp lcp conf_req mru magicnum 15 10 12 532943 O B1 ppp lcp conf_ack mru magicnum 15 10 12 533133 O B1 challenge value 0311bb3b42dec57d1108c728e575ecc22ddf0a06b3...

Page 113: ...ing to a particular level means all messages of this severity and higher will be sent to the message log For example if you set logging to Error all error messages will be sent to the message log ISDN logs messages for the following informational events ISDN layer 1 protocol activated deactivated Expiration of layer 1 layer 2 and layer 3 timers An outgoing call being attempted An incoming call bei...

Page 114: ...otocols and B channel traffic PPP multilink PPP and TCP IP protocols When running tcpdump on an ISDN interface if no options are given on the command line the following messages are decoded and displayed Q 931 messages PPP messages and the fields inside them any IP traffic on the B channels If e option is specified on the command line in addition to the above messages all Q 921 messages will also ...

Page 115: ...Private network serving local user 2 Public network serving local user 3 Transit network 4 Public network serving remote user 5 Private network serving remote user 7 International network A Network beyond internetworking point z1 Class of cause value z2 Value of cause value a1 Optional Diagnostic field that is always 8 a2 Optional Diagnostic field that is one of the following values 0 is Unknown 1...

Page 116: ...ed unassigned number Note 12 2 No route to specified transit network Transit network identity Note 11 3 No route to destination Note 12 6 Channel unacceptable 7 Call awarded and being delivered in an established channel 16 Normal call clearing Note 12 17 User busy 18 No user responding 19 No answer from user user alerted 21 Call rejected User supplied diagnostic Notes 4 12 22 Number changed 26 Non...

Page 117: ...ion discarded Discarded information element identifier s Note 6 44 Requested circuit channel not available Note 10 47 Resources unavailable or unspecified 49 Quality of service unavailable See ISDN Cause Values table 50 Requested facility not subscribed Facility identification Note 1 57 Bearer capability not authorized Note 3 58 Bearer capability not presently available Note 3 63 Service or option...

Page 118: ...e 79 Service or option not available or specified 81 Invalid call reference value 82 Identified channel does not exist Channel identity 83 A suspended call exists but call identity does not exist 84 Call identity in use 85 No call suspended 86 Call having the requested call identity has been cleared Clearing cause 88 Incompatible destination Incompatible parameter Note 2 91 Invalid transit network...

Page 119: ...tifier s is missing 97 Message type non existent or not implemented Message type 98 Message not compatible with call state or message type or not implemented Message type non existent 99 Information element non existent or not implemented Information element identifier s not implemented Notes 6 8 100 Invalid information element Information element identifier s contents Note 6 101 Message not compa...

Page 120: ...tion elements in the received message 7 The following coding applies Bit 8 extension bit Bits 7 through 5 spare Bits 4 through 1 according to Table 4 15 Q 931 octet 3 2 channel type in ITU T Q 931 specification 8 When only the locking shift information element is included and no variable length information element identifier follows it means that the codeset in the locking shift itself is not impl...

Page 121: ...e home page 2 Click the Interfaces link 3 Click the physical interface link you want to configure in the PHYSICAL column Example tok s3p1 The physical interface setup page is displayed 4 In the RING SPEED column of the PHYSICAL CONFIGURATION table select the desired value 16 MBIT SEC or 4 MBIT SEC There is no default value Value Description 88 ITU T coding standard unrestricted digital information...

Page 122: ...gical interface name in the INTERFACE column of the LOGICAL INTERFACES table to go to the Interface page 9 Under the ACTIVE column of the Logical interfaces table select ON or OFF Default is ON This setting enables or disables the logical interface Use this switch to control access to the network or virtual circuit that corresponds to the logical interface 10 Click APPLY Click UP to return to the ...

Page 123: ...VE Deactivating a Token Ring Interface 1 Click CONFIG on the home page 2 Click the Interfaces link 3 In the ACTIVE column of the interface you want to deactivate select the OFF radio button 4 Click APPLY 5 Click SAVE Changing a Token Ring Interface 1 Click CONFIG on the home page 2 Click the Interfaces link 3 In the PHYSICAL column click the physical interface link you want to change If you want t...

Page 124: ...INSTEAD OF MULTICAST select ON or OFF Default is OFF e Under the ACTIVE column of the Logical interfaces table select ON or OFF Default is ON 5 Click APPLY Click UP to return to the interface configuration page 6 Optional If you want to change a logical interface link click the logical interface link you want to change in the LOGICAL column Example tok s3p1c0 The logical interface setup page appea...

Page 125: ...nx browser This allows a graphical browser such as Internet Explorer or Netscape Navigator to access the unit through that interface You can use any graphical web browser to configure the other interfaces on the unit by entering the IP address of the unit in the location field of the browser In a company s main office IP650 A terminates a serial line to an Internet service provider running PPP wit...

Page 126: ...he Interfaces link 3 Select tok s2p1 in the PHYSICAL column of the table Nokia Platform A Nokia Platform B tok s2p1c0 192 168 3 2 tok s1p1c0 192 168 3 1 ser s1p1c0 192 168 2 1 eth s2p1c0 192 168 4 1 24 192 168 4 xxx FDDI 192 168 1 xxx 192 168 1 1 24 192 168 3 4 192 168 3 5 fddi s3p1c0 192 168 2 93 Provider Server Server Optional Server Optional Token Ring MAU ...

Page 127: ...RING field select ON or OFF 7 In the SELECT USE BROADCAST INSTEAD OF MULTICAST select ON or OFF 8 Under the ACTIVE column of the Logical interfaces table select ON or OFF 9 Click APPLY Click UP to return to the interface configuration page 10 Click the logical interface link you want to configure in the LOGICAL column 11 In the NEW IP ADDRESS field enter the appropriate IP address 12 In the NEW MA...

Page 128: ...terface link you want to configure in the PHYSICAL column on the Interface Configuration page Example atm s2p1 This action takes you the Physical Interface page 4 Select SONET or SDH as the framing format in the PHYSICAL CONFIGURATION table Note SONET and SDH settings are available only if the ATM interface card supports them The setting should match the type of transmission network to which the i...

Page 129: ...the VPI VCI edit box Click APPLY A new logical interface appears in the INTERFACE column The new interface is turned on by default You can add more ATM logical interfaces by repeating this step 8 Click the logical interface name in the INTERFACE column of the LOGICAL INTERFACES table to go to the Logical Interface page 9 Enter the IP address for the local end of the PVC in the LOCAL ADDRESS edit b...

Page 130: ...hen create a new logical interface for the new PVC 1 Click CONFIG on the home page 2 Click the Interfaces link 3 Click the physical interface link you want to configure in the PHYSICAL column Example atm s2p1 4 Find the ATM logical interface you wish to remove in the LOGICAL INTERFACES table and click the corresponding DELETE button Click APPLY The logical interface disappears from the list Any IP...

Page 131: ...rface s logical name to a more meaningful one by typing the preferred name in the LOGICAL NAME edit box Click APPLY 12 To make your changes permanent click SAVE Changing the IP Address of an ATM Interface Note Do not change the IP address you use in your browser to access Voyager If you do you can no longer access the network application platform unit with your browser 1 Click CONFIG on the home p...

Page 132: ...ter a number in the IP MTU edit box to configure the device s maximum length in bytes of IP packets transmitted on this interface Click APPLY Note The maximum packet size must match the MTU of the link partner Packets longer than the length you specify will be fragmented before transmission 5 To make your changes permanent click SAVE Removing an ATM Interface 1 Click CONFIG on the home page 2 Clic...

Page 133: ...application platform unit in an example network using Voyager Before you can configure interfaces using Voyager you must first configure an IP address on one of the interfaces You can do this through the unit console port during installation or by using the Lynx browser This allows a graphical browser such as Internet Explorer or Netscape Navigator to access the unit through that interface You can...

Page 134: ...ides internet access for a FDDI ring and a remote branch office connected via ATM PVC 93 The branch office contains Nokia Platform B which routes traffic between a local Fast Ethernet network and ATM PVC 52 It provides access to the main Nokia Platform A Nokia Platform B atm s1p1c52 192 168 3 1 atm s2p1c93 192 168 3 2 ser s1p1c0 192 168 2 1 eth s2p1c0 192 168 4 1 24 192 168 4 xxx FDDI 192 168 1 xx...

Page 135: ...of the interface in step 6 is something that depends on what other logical ATM interfaces there are You should find the newly created interface from the table before continuing 5 Click APPLY 6 Click atm s2p1c93 in the LOGICAL INTERFACES table to go to the Interface page 7 Enter 192 168 3 2 in the LOCAL ADDRESS edit box 8 Enter 192 168 3 1 in the REMOTE ADDRESS edit box 9 Click APPLY 10 Enter 9180 ...

Page 136: ...LOOP TIMING as the transmit clock choice in the PHYSICAL CONFIGURATION table Freerun uses the internal clock If two ATM interfaces are directly connected at least one of them must use the internal clock Loop timing derives the transmit clock from the recovered receive clock 6 Select the VPI VCI range in the VPI VCI RANGE CONFIGURATION selection box 7 Create a logical interface using the Create a n...

Page 137: ...GTH edit box 12 Enter a number in the IP MTU edit box to configure the device s maximum length in bytes of IP packets transmitted in this interface The default value and range depend on the hardware configuration The standard value is 9180 Click APPLY Note All hosts in the same LIS must use the same IP MTU in their interface to the LIS 13 Optional Change the interface s logical name to a more mean...

Page 138: ...ick CONFIG on the home page 2 Click the Interfaces link 3 Click the physical interface link you want to configure in the PHYSICAL column Example atm s2p1 You are taken to the Physical Interface page 4 Select the VPI VCI range in the VPI VCI RANGE CONFIGURATION selection box 5 Find the ATM logical interface you wish to reconfigure in the LOGICAL INTERFACES table and enter a new set of VPI VCIs in t...

Page 139: ...ink for which you want to change the IP address in the LOGICAL column Example atm s2p1c8 You are taken to the Logical Interface page 4 Enter the IP address for the interface in the IP ADDRESS edit box 5 Enter the IP subnet mask length in the MASK LENGTH edit box Click APPLY 6 To make your changes permanent click SAVE Changing the IP MTU of an ATM Interface 1 Click CONFIG on the home page 2 Click t...

Page 140: ...ou specify will be fragmented before transmission 5 To make your changes permanent click SAVE Removing an ATM Interface 1 Click CONFIG on the home page 2 Click the Interfaces link 3 Click the physical interface link in the PHYSICAL column on the Interface Configuration page Example atm s2p1 4 Find the ATM logical interface you want to remove in the LOGICAL INTERFACES table and click the correspond...

Page 141: ...form through that interface You can use any graphical web browser to configure the other interfaces on the unit by entering the IP address of the unit in the location field of the browser The figure below shows the network configuration for this example A company has five ethernet networks in three separate locations The networks are connected to each other using three routers that belong to the s...

Page 142: ...l Interface page 4 Create a logical interface using the Create a new LLC SNokia Platform RFC1483 interface section by selecting LIS in the TYPE selection box 5 Enter 42 53 in the VCI S edit box 6 Click APPLY 7 Click the newly created interface atm s2p1c0 in the LOGICAL INTERFACES table to reach the Logical Interface page 8 Enter 10 0 0 1 in the IP ADDRESS edit box 9 Enter 24 in the MASK LENGTH edi...

Page 143: ... system that does not provide a clock source Otherwise set the internal clock to OFF 5 If you turned the internal clock on enter a value in the INTERNAL CLOCK SPEED edit box If the device can generate only certain line rates and the configured line rate is not one of these values the device selects the next highest available line rate 6 Click the FULL DUPLEX or LOOPBACK radio button in the CHANNEL...

Page 144: ...page 10 Enter the IP address for the local end of the link in the LOCAL ADDRESS edit box 11 Enter the IP address of the remote end of the link in the REMOTE ADDRESS edit box Click APPLY 12 Optional Change the interface s logical name to a more meaningful one by typing the preferred name in the LOGICAL NAME edit box Click APPLY 13 Optional Add a comment to further define the logical interfaces func...

Page 145: ... the CHANNEL MODE field Full duplex is the normal mode of operation 7 Click the PPP radio button in the ENCAPSULATION field Click APPLY A logical interface appears in the LOGICAL INTERFACES table 8 Enter a number in the KEEPALIVE edit box to configure the PPP keepalive interval Click APPLY This value sets the interval in seconds between keepalive protocol message transmissions These messages are u...

Page 146: ...TERFACE column of the LOGICAL INTERFACES table to go to the Interface page 17 Enter the IP address for the local end of the link in the LOCAL ADDRESS edit box 18 Enter the IP address of the remote end of the link in the REMOTE ADDRESS edit box Click APPLY 19 Optional Change the interface s logical name to a more meaningful one by typing the preferred name in the LOGICAL NAME edit box Click APPLY 2...

Page 147: ...hest available line rate 6 Click the FULL DUPLEX or LOOPBACK radio button in the CHANNEL MODE field Full duplex is the normal mode of operation 7 Click the FRAME RELAY radio button in the ENCAPSULATION field Click APPLY 8 Enter a number in the KEEPALIVE edit box to configure the frame relay keepalive interval Click APPLY This value sets the interval in seconds between keepalive protocol message tr...

Page 148: ... Physical Interface page 13 Enter the DLCI number in the CREATE A NEW INTERFACE DLCI edit box Click APPLY A new logical interface appears in the INTERFACE column The DLCI number appears as the channel number in the logical interface name The new interface is turned on by default 14 Optional Enter another DLCI number in the DLCI edit box to configure another frame relay PVC Click APPLY Each time yo...

Page 149: ...form unit in an example network using Voyager Before you can configure the unit using Voyager you must first configure an IP address on one of the interfaces You can do this through the unit console port during installation or by using the Lynx browser This allows a graphical browser such as Internet Explorer or Netscape Navigator to access the unit through that interface You can use any graphical...

Page 150: ...ides internet access for a FDDI ring and a remote branch office connected via ATM PVC 93 The branch office contains Nokia Platform B which routes traffic between a local Fast Ethernet network and ATM PVC 52 It provides access to the main Nokia Platform A Nokia Platform B atm s1p1c52 192 168 3 1 atm s2p1c93 192 168 3 2 ser s1p1c0 192 168 2 1 eth s2p1c0 192 168 4 1 24 192 168 4 xxx FDDI 192 168 1 xx...

Page 151: ...p1c0 in the LOGICAL INTERFACES table to go to the Interface page 9 Enter 192 168 2 1 in the LOCAL ADDRESS edit box 10 Enter 192 168 2 93 in the REMOTE ADDRESS edit box 11 Click APPLY 12 Optional Change the interface s logical name to a more meaningful one by typing the preferred name in the LOGICAL NAME edit box Click APPLY 13 Optional Add a comment to further define the logical interfaces functio...

Page 152: ...t 1 544Mbps To configure slower speeds you must configure fractional T1 on the Advanced T1 CSU DSU Options page 5 Click the FULL DUPLEX or LOOPBACK radio button in the CHANNEL MODE field Full duplex is the normal mode of operation 6 Click the AMI or B8ZS radio button in the T1 ENCODING field to select the T1 encoding then click APPLY This setting must match the line encoding of the CSU DSU at the ...

Page 153: ...mat click ANSI or NONE in the FDL TYPE field to select the FDL type 10 Click the CISCO HDLC radio button in the ENCAPSULATION field Click APPLY A logical interface appears in the LOGICAL INTERFACES table 11 Enter a number in the KEEPALIVE edit box to configure the Cisco HDLC keepalive interval Click APPLY This value sets the interval in seconds between keepalive protocol message transmissions Thes...

Page 154: ...e LOGICAL NAME edit box Click APPLY 18 Optional Add a comment to further define the logical interfaces function in the COMMENTS edit box Click APPLY To make your changes permanent click SAVE Configuring a T1 Interface for PPP 1 Click CONFIG on the home page 2 Click the Interfaces link 3 Click the physical interface link you want to configure in the PHYSICAL column Example ser s2p1 4 Optional Click...

Page 155: ... select the DS0 channel speed for the T1 line Some older trunk lines use the least significant bit of each DS0 channel in a T1 frame for switching equipment signaling T1 frames designed for data transfer can be set to not use the least significant bit of each DS0 channel This setting allows data to be sent over these trunk lines without corruption but at a reduced throughput This mode is called th...

Page 156: ...ptional Click the Advanced T1 CSU DSU Options link to select advanced T1 options The T1 CSU DSU Advanced Options page allows you to configure fractional T1 channels line build out values and other advanced settings for a T1 device The values you enter on this page depend on the subscription provided by your service provider 15 From the Advanced T1 CSU DSU Options page click the UP button to return...

Page 157: ...onal Add a comment to further define the logical interfaces function in the COMMENTS edit box Click APPLY To make your changes permanent click SAVE Configuring a T1 Interface for Frame Relay 1 Click CONFIG on the home page 2 Click the Interfaces link 3 Click the physical interface link you want to configure in the PHYSICAL column Example ser s2p1 4 Optional Click ON or OFF in the INTERNAL CLOCK fi...

Page 158: ...n in the T1 CHANNEL SPEED field to select the DS0 channel speed for the T1 line Some older trunk lines use the least significant bit of each DS0 channel in a T1 frame for switching equipment signaling T1 frames designed for data transfer can be set to not use the least significant bit of each DS0 channel This setting allows data to be sent over these trunk lines without corruption but at a reduced...

Page 159: ...ield Click APPLY Sets the monitoring of the connection active status in the LMI status message 14 Optional Click the Advanced T1 CSU DSU Options link to select advanced T1 options The T1 CSU DSU Advanced Options page allows you to configure fractional T1 channels line build out values and other advanced settings for the T1 device The values you enter on this page are dependent on the subscription ...

Page 160: ... to configure another frame relay PVC Click APPLY Each time you click APPLY after entering a DLCI a new logical interface appears in the INTERFACE column The DLCI entry field remains blank to allow you to add more frame relay logical interfaces 20 Click the logical interface name in the INTERFACE column of the LOGICAL INTERFACES table to go to the Interface page 21 Enter the IP address for the loc...

Page 161: ... must first configure an IP address on one of the interfaces You can do this through the console port during installation or by using the Lynx browser This procedure allows a graphical browser such as Internet Explorer or Netscape Navigator to access the unit through that interface You can use any graphical web browser to configure the other interfaces on the unit by entering the IP address of the...

Page 162: ...64 Kbps channels Nokia Platform A also provides internet access for a FDDI ring and a remote branch office connected via ATM PVC 93 The branch office contains Nokia Platform B which routes traffic between a local Fast Ethernet network and ATM PVC 52 It provides access to the main Nokia Platform A Nokia Platform B atm s1p1c52 192 168 3 1 atm s2p1c93 192 168 3 2 ser s1p1c0 192 168 2 1 eth s2p1c0 192...

Page 163: ...ON field 8 Click APPLY 9 Enter 10 in the KEEPALIVE edit box 10 Click APPLY 11 Click ser s1p1c0 in the LOGICAL INTERFACES table to go to the Interface page 12 Enter 192 168 2 1 in the LOCAL ADDRESS edit box 13 Enter 192 168 2 93 in the REMOTE ADDRESS edit box 14 Click APPLY 15 Optional Change the interface s logical name to a more meaningful one by typing the preferred name in the LOGICAL NAME edit...

Page 164: ...nal clocking for E1 is fixed at 2 048 Mbits sec To configure slower speeds you must configure fractional E1 on the Advanced E1 CSU DSU Options page 5 Click the FULL DUPLEX or LOOPBACK radio button in the CHANNEL MODE field Full duplex is the normal mode of operation 6 Click the AMI or HDB3 radio button in the E1 ENCODING field to select the E1 encoding then click APPLY This setting must match the ...

Page 165: ...he E1 FRAMING field to E1 CHANNEL 0 FRAMING This value controls whether timeslot 16 is used in channel associated signaling CAS Setting this value to ON means that timeslot 16 cannot be used as a data channel See fractional settings on the Advanced E1 CSU DSU Options page 10 Click the CISCO HDLC radio button in the ENCAPSULATION field Click APPLY A logical interface appears in the LOGICAL INTERFAC...

Page 166: ...return to the physical interface page 14 Click the logical interface name in the INTERFACE column of the LOGICAL INTERFACES table to go to the Interface page 15 Enter the IP address for the local end of the link in the LOCAL ADDRESS edit box 16 Enter the IP address of the remote end of the link in the REMOTE ADDRESS edit box Click APPLY 17 Optional Change the interface s logical name to a more mea...

Page 167: ...2 048 Mbits sec To configure slower speeds you must configure fractional E1 on the Advanced E1 CSU DSU Options page 5 Click the FULL DUPLEX or LOOPBACK radio button in the CHANNEL MODE field Full duplex is the normal mode of operation 6 Click the AMI or HDB3 radio button in the E1 ENCODING field to select the E1 encoding Click APPLY This setting must match the line encoding of the CSU DSU at the o...

Page 168: ...ly if you have set the E1 FRAMING field to E1 CHANNEL 0 FRAMING This value controls whether timeslot 16 is used in channel associated signaling CAS Setting this value to ON means that timeslot 16 cannot be used as a data channel See fractional settings on the Advanced E1 CSU DSU Options page 10 Click the PPP radio button in the ENCAPSULATION field Click APPLY A logical interface appears in the LOG...

Page 169: ...e E1 CSU DSU Advanced Options page allows you to configure fractional E1 channels and other advanced settings for an E1 device The values you enter on this page depend on the subscription provided by your service provider 15 From the Advanced E1 CSU DSU Options page click the UP button to return to the physical interface page 16 Click the Advanced PPP Options link The PPP Advanced Options page app...

Page 170: ...urther define the logical interfaces function in the COMMENTS edit box Click APPLY To make your changes permanent click SAVE Note Try and ping the remote system from the command prompt If the remote system does not work contact your service provider to confirm the configuration Configuring an E1 Interface for Frame Relay 1 Click CONFIG on the home page 2 Click the Interfaces link 3 Click the physi...

Page 171: ...NG radio button in the E1 FRAMING field to select the E1 Framing format Use E1 framing to select whether timeslot 0 is used for exchanging signaling data 8 Click the ON or OFF radio button for the E1 CRC 4 FRAMING field Note This option appears only if you have set the E1 FRAMING field to E1 CHANNEL 0 FRAMING This button chooses the framing format for timeslot 0 ON means that CRC multiframe format...

Page 172: ... range is 0 255 The default is 10 Note This value must be identical to the keepalive value configured on the system at the other end of a point to point link or the link state will fluctuate 12 Click the DTE or DCE radio button in the INTERFACE TYPE field DTE is the usual operating mode when the device is connected to a frame relay switch 13 Click the ON or OFF radio button in the ACTIVE STATUS MO...

Page 173: ... number in the CREATE A NEW INTERFACE DLCI edit box Click APPLY A new logical interface appears in the INTERFACE column The DLCI number appears as the channel number in the logical interface name The new interface is turned on by default 19 Optional Enter another DLCI number in the DLCI edit box to configure another frame relay PVC Click APPLY Each time you click APPLY after entering a DLCI a new ...

Page 174: ... remote system does not work contact your service provider to confirm the configuration HSSI Interfaces Configuring an HSSI Interface for Cisco HDLC 1 Click CONFIG on the home page 2 Click the Interfaces link 3 Click the physical interface link you want to configure in the PHYSICAL column Example ser s2p1 4 Optional Click the ON or OFF radio button in the PHYSICAL CONFIGURATION table INTERNAL CLOC...

Page 175: ...o HDLC keepalive interval Click APPLY This value sets the interval in seconds between keepalive protocol message transmissions These messages are used periodically to test for an active remote system Note This value must be identical to the keepalive value configured on the system at the other end of a point to point link or the link state will fluctuate 9 Click the logical interface name in the I...

Page 176: ...ck APPLY Set the internal clock to ON when you are connecting to a device or system that does not provide a clock source Otherwise set the internal clock to OFF 5 If you turned the internal clock on enter a value in the INTERNAL CLOCK SPEED edit box If the device can generate only certain line rates and the configured line rate is not one of these values the device selects the next highest availab...

Page 177: ... systems considers the link down 10 Click APPLY 11 Click the Advanced PPP Options link The PPP Advanced Options page appears 12 Click YES or NO in the NEGOTIATE MAGIC NUMBER field Clicking YES enables the interface to send a request to negotiate a magic number with a peer 13 Click YES or NO in the NEGOTIATE MAXIMUM RECEIVE UNIT field Clicking YES enables the interface to send a request to negotiat...

Page 178: ... the PHYSICAL column Example ser s2p1 4 Optional Click the ON or OFF radio button in the PHYSICAL CONFIGURATION table INTERNAL CLOCK field to set the internal clock on the HSSI device Click APPLY Set the internal clock to ON when you are connecting to a device or system that does not provide a clock source Otherwise set the internal clock to OFF 5 If you turned the internal clock on enter a value ...

Page 179: ...n in the INTERFACE TYPE field DTE is the usual operating mode when the device is connected to a Frame Relay switch 10 Click the ON or OFF radio button in the ACTIVE STATUS MONITOR field Sets the monitoring of the connection active status in the LMI status message 11 Optional Click the Advanced Frame Relay Options link to go to the Frame Relay Advanced Options page The Frame Relay Advanced Options ...

Page 180: ...in the INTERFACE column of the LOGICAL INTERFACES table to go to the Interface page 16 Enter the IP address for the local end of the PVC in the LOCAL ADDRESS edit box 17 Enter the IP address of the remote end of the PVC in the REMOTE ADDRESS edit box Click APPLY 18 Optional Change the interface s logical name to a more meaningful one by typing the preferred name in the LOGICAL NAME edit box Click ...

Page 181: ...umbered interface it must have at least one IP address assigned to it The Nokia implementation of Unnumbered Interfaces supports OSPF Open Shortest Path First and Static Routes only Virtual links are not supported Configuring an Unnumbered Interface 1 Click CONFIG on the home page 2 Click the Interfaces link 3 Click the logical interface link you want to configure in the LOGICAL column Example atm...

Page 182: ... The PROXY INTERFACE drop down window shows only those interfaces that have been assigned addresses 7 Click APPLY Note You must choose a proxy interface for the unnumbered interface to function Note You cannot delete the only IP address of the proxy interface First select another proxy interface and then delete the IP address of the original proxy interface If the proxy interface has multiple IP a...

Page 183: ... the LOGICAL column Example atm s3p1c1 Note Only point to point interfaces can be configured as unnumbered interfaces Tunnels cannot be configured as unnumbered interfaces Note This interface must not be the next hop of a static route 4 Click the NO radio button in the UNNUMBERED INTERFACE field 5 Click APPLY 6 To your change permanent click SAVE Note You must now configure a numbered logical inte...

Page 184: ...atic route will take from the NEXT HOP TYPE drop down window Your options are NORMAL REJECT and BLACK HOLE The default is NORMAL 7 Select GATEWAY LOGICAL to specify the next hop gateway type from the GATEWAY TYPE drop down window Note You select an unnumbered logical interface as the next hop gateway when you do not know the IP address of the next hop gateway 8 Click APPLY 9 Click on the GATEWAY L...

Page 185: ...ck on the AREA drop down window next to the configured unnumbered interface and select BACKBONE 4 Click APPLY and then click SAVE to make your change permanent Note Because the unnumbered interface uses the selected proxy interface s IP address whenever you change this proxy interface OSPF adjacencies are re established Note Whenever you change the unnumbered serial interface s underlying encapsul...

Page 186: ...bered serial link Nokia Platform A has two OSPF areas configured Area 1 and Area 3 but it is not physically connected to the Backbone area Thus a virtual link is configured between Nokia Platform A and Nokia Platform C A virtual link is also configured between Nokia Platform B and Nokia Platform C because Nokia Platform B also is not physically connected to the Backbone area Both Nokia Platform B ...

Page 187: ...bered This link will fail because OSPF does not support a virtual link that uses an unnumbered interface on either end of the link See RFC 2328 for more information Any virtual link that uses OSPF must have an IP address configured on both ends Nokia Platform A Nokia Platform B Nokia Platform C Backbone Area 1 Area 2 Area 3 00044 Virtual Link Virtual Link 10 10 10 1 10 10 10 2 Unnumbered Serial Li...

Page 188: ...you want to configure in the PHYSICAL column Example ser s2p1 4 Enter a number in the KEEPALIVE edit box of the PHYSICAL CONFIGURATION table to configure the Cisco HDLC keepalive interval Click APPLY This value sets the interval in seconds between keepalive protocol message transmissions These messages are used periodically to test for an active remote system Note This value must be identical to t...

Page 189: ...ress in the LOGICAL column Example ser s2p1c0 4 Delete the address from the LOCAL ADDRESS edit box and from the REMOTE ADDRESS edit box Click APPLY This removes the old IP address pair 5 Enter the IP address of the local end of the connection in the LOCAL ADDRESS edit box and the IP address of the remote end of the connection in the REMOTE ADDRESS edit box Click APPLY This adds the new IP address ...

Page 190: ... the system at the other end of a point to point link or the link state fluctuates To make your changes permanent click SAVE Changing the Keepalive Maximum Failures in PPP 1 Click CONFIG on the home page 2 Click the Interfaces link 3 Click the physical interface link you want to configure in the PHYSICAL column Example ser s2p1 4 Enter a number in the KEEPALIVE MAXIMUM FAILURES edit box of the PHY...

Page 191: ...link 3 Click the logical interface link for which you want to change the IP address in the LOGICAL column Example ser s2p1c0 4 Delete the address from the LOCAL ADDRESS edit box and from the REMOTE ADDRESS edit box Click APPLY This deletes the old IP address pair 5 Enter the IP address of the local end of the connection in the LOCAL ADDRESS edit box and the IP address of the remote end of the conn...

Page 192: ...ets the interval in seconds between keepalive protocol message transmissions These messages are used periodically to test for an active remote system Note This value must be identical to the keepalive value configured on the system at the other end of a point to point link or the link state fluctuates To make your changes permanent click SAVE Changing the DLCI in Frame Relay To move an IP address ...

Page 193: ...appears as the channel number in the logical interface name The new interface is turned on as default 7 Click the logical interface name to go the Interface page 8 Enter the IP address for the local end of the PVC in the LOCAL ADDRESS edit box 9 Enter the IP address of the remote end of the PVC in the REMOTE ADDRESS edit box Click APPLY 10 Optional Change the interface s logical name to a more mea...

Page 194: ...ay switch to which you are connected or to the subscription provided by your service provider 5 From the Frame Relay Advanced Options page click the UP button to return to the Physical Interface page To make your changes permanent click SAVE Changing the Interface Type in Frame Relay When connected to a Frame Relay switch or network the interface type is usually set to DTE You may need to change t...

Page 195: ...o point with another router 1 Click CONFIG on the home page 2 Click the Interfaces link 3 Click the physical interface link you want to change in the PHYSICAL column Example ser s2p2 4 Click the ON or OFF radio button in the ACTIVE STATUS MONITOR field Click APPLY To make your changes permanent click SAVE Changing the IP Address in Frame Relay Note Do not change the IP address you use in your brow...

Page 196: ...nd the IP address of the remote end of the connection in the REMOTE ADDRESS edit box Click APPLY This adds the new IP address pair To make your changes permanent click SAVE Removing a Frame Relay Interface 1 Click CONFIG on the home page 2 Click the Interfaces link 3 Click the physical interface link in the PHYSICAL column on the Interface Configuration page Example ser s2p1 4 Find the logical int...

Page 197: ... 1 Click CONFIG on the home page 2 Click the Interfaces link 3 Click the loopback logical interface link in the LOGICAL column loop0c0 4 To add an IP address enter the IP address for the device in the NEW IP ADDRESS edit box Click APPLY Each time you click APPLY the configured IP address appears in the table The entry fields remain blank to allow you to add more IP addresses To make your changes p...

Page 198: ...E tunnels encapsulate IP packets using Generic Routing Encapsulation GRE with no options The encapsulated packets appear as unicast IP packets GRE tunnels provide redundant configuration between two sites for high availability 1 Click CONFIG on the home page 2 Click the Interfaces link 3 Click Tunnels in the PHYSICAL column 4 Click the drop down window in the CREATE A NEW TUNNEL INTERFACE WITH ENC...

Page 199: ...oint must be one of the system s interface addresses and must be the remote endpoint configured for the GRE tunnel at the remote router 10 Enter the IP address of the remote interface the GRE tunnel is bound to in the REMOTE ENDPOINT edit box The remote endpoint must not be one of the system s interface addresses and must be the local endpoint configured for the GRE tunnel at the remote router 11 ...

Page 200: ...ur changes permanent click SAVE Changing the Local and or Remote Address or Local Remote Endpoint of a GRE Tunnel 1 Click CONFIG on the home page 2 Click the Interfaces link 3 In the LOGICAL column click the Logical Interface link for which you want to change the IP address Example tun0c1 4 Optional Enter the IP address of the local end of the GRE tunnel in the LOCAL ADDRESS edit box The local add...

Page 201: ...nent click SAVE Changing IP TOS Value of a GRE Tunnel 1 Click CONFIG on the home page 2 Click the Interfaces link 3 In the LOGICAL column click the Logical Interface link of the item for which you want to change the TOS Example tun0c1 4 Select a value from the TOS VALUE drop down window Click APPLY On GRE tunnels it is desirable to copy or specify the TOS bits when the router encapsulates the pack...

Page 202: ...changes permanent click SAVE Removing a GRE Tunnel 1 Click CONFIG on the home page 2 Click the Interfaces link 3 Click TUNNELS in the PHYSICAL column 4 Locate the tunnel logical interface you want to delete in the LOGICAL INTERFACES table and click the corresponding DELETE checkbox 5 Click APPLY The tunnel logical interface disappears from the list 6 To make your changes permanent click SAVE ...

Page 203: ... PHYSICAL column 4 Click the drop down window in the CREATE A NEW TUNNEL INTERFACE WITH ENCAPSULATION field and select GRE 5 Click APPLY 6 From the INTERFACE column on the Logical interfaces table select tun01 7 Enter 10 0 0 1 in the LOCAL ADDRESS edit box 8 Enter 10 0 0 2 in the REMOTE ADDRESS edit box Internet Remote PCs Site B Remote PCs Site A 192 68 23 0 24 10 0 0 2 10 0 0 1 VPN Tunnel 192 68...

Page 204: ...If the desired TOS value is not displayed in the drop down window select CUSTOM VALUE from the menu Click APPLY An entry field appears 12 Optional If you selected custom value from the TOS VALUE drop down window enter a value in the range of 0 255 Click APPLY 13 Optional Change the interface s logical name to a more meaningful one by typing the preferred name in the LOGICAL NAME edit box Click APP...

Page 205: ...nnel Example In our example we configure two way tunnels between IP Units 1 and 2 and IP Units 3 and 4 Since the steps required to configure a HA GRe tunnel are addressed in the appropriate sections of this reference guide they will not be ...

Page 206: ...iguration for this example Remote PCs Site A Remote PCs Site B VPN Tunnel VPN Tunnel 11 0 0 1 10 0 0 1 192 168 0 1 192 168 1 1 192 168 0 2 192 168 1 2 11 0 0 2 10 0 0 2 192 168 0 X 24 192 168 1 X 24 170 0 0 1 171 0 0 1 170 0 1 1 171 0 1 1 00002 Nokia Platform 1 Nokia Platform 2 Nokia Platform 3 Nokia Platform 4 Internet ...

Page 207: ...g from IP Unit 2 to IP Unit 1 Enter 10 0 0 2 in the LOCAL ADDRESS edit box Enter 10 0 0 1 in the REMOTE ADDRESS edit box Enter 171 0 0 1 in the LOCAL ENDPOINT edit box Enter 170 0 0 1 in the REMOTE ENDPOINT edit box c Configuring from IP Unit 3 to IP Unit 4 Enter 11 0 0 1 in the LOCAL ADDRESS edit box Enter 11 0 0 2 in the REMOTE ADDRESS edit box Enter 170 0 1 1 in the LOCAL ENDPOINT edit box Ente...

Page 208: ...as presented in the Creating a Virtual Router for an Interface s Addresses in VRRPv2 Use the following values to configure VRRP v2 IP Unit 1 Enable VRRP on 192 168 0 1 with 192 168 0 2 as a backup IP Unit 2 Enable VRRP on 192 168 1 1 with 192 168 1 2 as a backup IP Unit 3 Enable VRRP on 192 168 0 2 with 192 168 0 1 as a backup IP Unit 4 Enable VRRP on 192 168 1 2 with 192 168 1 1 as a backup 4 HA ...

Page 209: ...ITH ENCAPSULATION select DVMRP 5 Click APPLY Each time you select a tunnel encapsulation and click APPLY a new tunnel appears in the table 6 Click the logical interface name in the INTERFACE column of the Logical interfaces table this takes you to the interface page for the specified tunnel Example tun0c1 7 Enter the IP address of the local end of the DVMRP tunnel in the LOCAL ADDRESS edit box The...

Page 210: ...changes permanent click SAVE to make changes permanent Note Once the DVMRP tunnel interface has been created you should set all other DVMRP configuration parameters from the DVMRP page Changing the Local or Remote Addresses of a DVMRP Tunnel 1 Click CONFIG on the home page 2 Click the Interfaces link 3 In the LOGICAL column click the Logical Interface link on the tunnel that is to have the IP addr...

Page 211: ...ONFIG on the home page 2 Click the Interfaces link 3 Click TUNNELS in the PHYSICAL column 4 Locate the tunnel logical interface you want to delete in the LOGICAL INTERFACES table and click the corresponding DELETE radio button 5 Click APPLY The tunnel logical interface disappears from the list 6 To make your changes permanent click SAVE DVMRP Tunnel Example The example below contains one connectio...

Page 212: ...1 24 A DVMRP tunnel set up on Nokia Platform A points to 22 254 24 1 Initiate a voyager session to Nokia Platform A In this example we use Nokia Platform A as the starting point 2 Click CONFIG on the home page 3 Click the Interfaces link 4 Click TUNNELS in the PHYSICAL column 5 From the pulldown menu in the CREATE A NEW TUNNEL INTERFACE WITH ENCAPSULATION select DVMRP 00039 Nokia Platform B Nokia ...

Page 213: ...a more meaningful one by typing the preferred name in the LOGICAL NAME edit box 11 Click APPLY 12 To make your changes permanent click SAVE to make changes permanent Note Steps 17 through 21 require that you use the Routing Configuration page by first doing the following 13 Click CONFIG on the home page 14 Click the DVMRP link in the Routing configuration section 15 For each interface you want to ...

Page 214: ...on 3 Enter the keep time in seconds in the KEEP TIME field in the Global ARP Settings section Keep time specifies the time in seconds to keep resolved dynamic ARP entries If the entry is not referenced and not used by traffic after the given time elapses the entry is removed Otherwise a request is sent again to verify the MAC address The range of the Keep Time value is 1 to 86400 seconds with a de...

Page 215: ...P ADDRESS field in the Add a New Static ARP Entry section 4 In the same table enter the MAC address corresponding to the IP address in the MAC ADDRESS edit box 5 Click APPLY 6 To make your changes permanent click SAVE Adding a Proxy ARP Entry A proxy ARP entry makes this system respond to ARP requests for a given IP address received through any interface Proxy ARP entries will not be used by this ...

Page 216: ...the home page 2 Click the ARP link under the Interfaces section 3 Click the checkbox in the DELETE column next to the table entry you want to delete Click APPLY 4 To make your changes permanent click SAVE Viewing Dynamic ARP Entries 1 Click CONFIG on the home page 2 Click the ARP link under the Interfaces section 3 Click the Display or Remove Dynamic ARP Entries link Deleting Dynamic ARP Entries 1...

Page 217: ... GLOBAL INATMARP SETTINGS table Keep Time specifies time in seconds to keep resolved dynamic ATM ARP entries The range of Keep Time value is 1 900 seconds 15 minutes Timeout specifies an InATMARP request retransmission interval in seconds Voyager enforces that the timeout must be less than a third of Keep Time The Range of Timeout value is 1 300 with a default value of five seconds Retry Limit spe...

Page 218: ...entry section and enter the VPI VCI number of the corresponding PVC in the VPI VCI field The IP address has to belong to the subnet of the logical ATM interface and the VCI has to be one of those configured for the interface Note Whenever static ATM ARP entries are applied dynamic entries are no longer updated therefore new neighbors cannot be seen via a dynamic InATMARP mechanism 6 Click APPLY Th...

Page 219: ... ARP Entries 1 Click CONFIG on the home page 2 Click the Interfaces link 3 Click the logical ATM interface you want to configure in the LOGICAL column 4 Click the ATM ARP Entries link Dynamic ATM ARP entries appear in a table at the bottom of the page 5 Click the DELETE check box next to the dynamic ATM ARP entry you want to delete Click APPLY Note Deleting a dynamic entry triggers a transmission ...

Page 220: ...5 Configuring Interfaces 220 Voyager Reference Guide ...

Page 221: ...Description Configuring RIP Configuring RIP Timers Configuring Auto Summarization RIP Example PIM Protocol Independent Multicast PIM Description Configuring Dense Mode PIM PIM DM Disabling PIM Setting Advanced Options for Dense Mode PIM Optional Configuring Sparse Mode PIM PIM SM Configuring High Availability Mode Configuring this Router as a Candidate Bootstrap and Candidate Rendezvous Point ...

Page 222: ... Protocol DVMRP Description Configuring DVMRP IGMP Internet Group Management Protocol IGMP Description Configuring IGMP Static Routes Static Routes Description Configuring a Default Route Creating a Static Route Setting the Rank for Static Routes Configuring Multiple Static Routes Adding and Managing Static Routes Example Backup Static Routes Backup Static Routes Description Creating a Backup Stat...

Page 223: ...t Discriminator Example Changing the Local Preference Value Example BGP Confederation Example Route Reflector Example BGP Community Example EBGP Load Balancing Example Scenario 1 EBGP Load Balancing Example Scenario 2 Adjusting BGP Timers Example TCP MD5 Authentication Example BGP Route Dampening Example BGP Path Selection Redistributing Routes BGP Route Redistribution Example Redistributing RIP t...

Page 224: ...o areas Routing information passed between areas is summarized and allows significant potential reduction in routing traffic OSPF uses four different types of routes Intra area Inter area Type 1 external Type 2 external Intra area paths have destinations within the same area inter area paths have destinations in other OSPF areas and Autonomous System External ASE routes are routes to destinations ...

Page 225: ...s The currently supported authentication schemes are null simple password and MD5 Null authentication does not authenticate packets Simple password authentication uses a key of up to 8 characters MD5 authentication uses a key of up to 16 characters The simple password scheme provides little protection because the key is sent in the clear and it is possible to capture packets from the network and l...

Page 226: ...ace in that area that is not down Rather than redefine an ABR the the Nokia implementation includes in its routing calculation summary LSAs from all actively attached areas if the ABR does not have an active backbone connection means that the backbone is activley attached and includes at least one fully adjacent neighbor You do not need to configure this feature It functions automatically under ce...

Page 227: ...sallows the stub area entry point from advertising inter area routes and summaries 9 Optional For each summary you want to define a Enter the network prefix summary in the ADD NEW ADDRESS RANGE PREFIX edit box enter the length of the subnet mask in bits in the MASK LENGTH edit box b Click APPLY This is useful for decreasing the number of prefixes advertised into the backbone 10 Optional For each s...

Page 228: ... link for them to become adjacent c Enter a new cost metric in the OSPF COST edit box for each interface then click APPLY d Enter a new designated router priority 0 255 in the ELECTION PRIORITY edit box then click APPLY e Click the ON radio button to make the interface operate in PASSIVE mode then click APPLY f For simple authentication select SIMPLE with the pull down menu labeled AUTHTYPE then c...

Page 229: ...Platform B are on the backbone area Nokia Platform D is on the area 1 The routes in Area 0 are learned by Nokia Platform D when the area border router Nokia Platform C injects summary link state advertisements LSAs into Area 1 1 First configure the interfaces as in Configuring an Ethernet Interface 2 Initiate a Voyager session to Nokia Platform C 3 Click CONFIG on the home page Nokia Platform A No...

Page 230: ... then click APPLY 9 Click the 1 AREA in the drop down window for e2 then click APPLY 10 Click SAVE 11 Initiate a Voyager session to Nokia Platform D 12 Click CONFIG on the home page 13 Click the OSPF link in the Routing Configuration section 14 In the ADD NEW OSPF AREA edit box enter 1 then click APPLY 15 Click the 1 AREA in the drop down window for e3 then click APPLY 16 Click SAVE RIP Routing In...

Page 231: ... maximum number of hops in a RIP network is 15 as the protocol treats anything equal to or greater than 16 as unreachable RIP 2 RIP version 2 adds capabilities to RIP Some of the most notable RIP 2 enhancements follow Network Mask RIP 1assumes that all subnetworks of a given network have the same network mask It uses this assumption to calculate the network masks for all routes received This assum...

Page 232: ... 1 Network Mask RIP 1 derives the network mask of received networks and hosts from the network mask of the interface from which the packet was received If a received network or host is on the same natural network as the interface over which it was received and that network is subnetted the specified mask is more specific than the natural network mask then the subnet mask is applied to the destinat...

Page 233: ...me link and it is desired that they hear the routing updates Auto summarization You should set auto summarization in order to aggregate and redistribute non classful routes in RIP 1 Configuring RIP 1 Complete Configuring an Ethernet Interface for the interface 2 Click CONFIG on the home page 3 Click the RIP link in the Routing Configuration section 4 Click the ON radio button for each interface yo...

Page 234: ...HTYPE drop down window Enter the password in the PASSWORD edit box then click APPLY The password must be from 1 to 16 characters long For MD5 authentication select MD5 from the AUTHTYPE drop down window Enter the password in the MD5 KEY edit box then click APPLY 11 Optional If you have selected MD5 as your authentication type and want to ensure interoperability with Cisco routers running RIP MD5 a...

Page 235: ...e EXPIRE INTERVAL edit box then click APPLY 5 To make your changes permanent click SAVE Configuring Auto Summarization Auto summarization allows you to aggregate and redistribute non classful routes in RIP 1 Note Auto summarization applies only to RIP 1 1 Click CONFIG on the home page 2 Click the RIP link in the Routing Configuration section 3 To enable auto summarization click the ON radio button...

Page 236: ...onal Enter a new cost in the METRIC edit box for the eth s2p1c0 interface then click APPLY Enabling RIP 2 on an Interface RIP 2 implements new capabilities to RIP 1 authentication simple and MD5 and the ability to explicitly specify the network mask for each network in a packet Because of these new capabilities RIP 2 is recommended over RIP 1 1 First configure the interface as in Configuring an Et...

Page 237: ...m multicast forwarding It supports two different types of multipoint traffic distribution patterns dense and sparse Dense mode is most useful when Senders and receivers are in close proximity There are few senders and many receivers The volume of multicast traffic is high The stream of multicast traffic is constant Dense mode PIM resembles Distance Vector Multicast Routing Protocol DVMRP Like DVMR...

Page 238: ...ersion 2 Dense Mode Specification For Sparse Mode PIM see Protocol Independent Multicast Sparse Mode PIM SM Protocol Specification Configuring Dense Mode PIM PIM DM 1 Click CONFIG on the home page 2 Click on the PIM link in the Routing Configuration section 3 In the Interfaces section click the ON radio button s for each interface on which you want to run PIM Note There is no limit to the number o...

Page 239: ...ed on the basis of PIM Assert messages The router with the lowest cost based on unicast routing to reach the source of data traffic is elected as the router that forwards traffic In the case of a tie the router with the highest IP address is elected to forward traffic 7 Click APPLY and then click SAVE to make your change permanent Disabling PIM You can disable PIM on one or more interfaces you hav...

Page 240: ...hboring routers choose advertisement addresses that do not appear to be on a shared subnet all messages from the neighbor will be rejected A PIM router on a shared LAN must have at least one interface address with a subnet prefix shared by all neighboring PIM routers 6 Optional For each interface that is running PIM enter a new designated router priority in the DR ELECTION PRIORITY edit box The ro...

Page 241: ...e interval between sending join prune messages in the JOIN PRUNE INTERVAL edit box 13 In the General Timers section enter a value for the random delay join prune interval in seconds in the RANDOM DELAY JOIN PRUNE INTERVAL edit box This value represents the maximum interval between the time when the Reverse Path Forwarding neighbor changes and when a Join Prune message is sent 14 In the General Tim...

Page 242: ... 3 In the PIM INSTANCE MODE field click the ON radio button for sparse 4 Click APPLY 5 In the Interfaces section click the ON radio button s for each interface on which you want to run PIM Note There is no limit to the number of interfaces on which you can run PIM 6 Click APPLY 7 Optional For each interface that is running PIM enter the specified local address in the LOCAL ADDRESS edit box PIM wil...

Page 243: ... 1 Note To verify whether a PIM neighbor supports DR Election Priority use the following command which can be executed from iclid and cli show pim neighbor ip_address For neighbors that advertise a DR election priority value the following message appears in the summary DRPriorityCapable Yes 9 Click APPLY 10 To make your changes permanent click SAVE Configuring High Availability Mode Enable the Hig...

Page 244: ... s for each interface on which you want to run PIM Note There is no limit to the number of interfaces on which you can run PIM 8 Click APPLY 9 Optional For each interface that is running PIM enter the specified local address in the LOCAL ADDRESS edit box PIM will use this address to send advertisements on the interface This option is useful only when multiple addresses are configured on the interf...

Page 245: ...M neighbor supports DR Election Priority use the following command which can be executed from iclid and cli show pim neighbor ip_address For neighbors that advertise a DR election priority value the following message appears in the summary DRPriorityCapable Yes 11 Click APPLY 12 To make your changes permanent click SAVE Configuring this Router as a Candidate Bootstrap and Candidate Rendezvous Poin...

Page 246: ...default priority value is 0 Note The domain automatically elects a bootstrap router based on the assert rank preference values configured The Candidate bootstrap router with the highest preference value is elected the bootstrap router To break a tie the bootstrap candidate router with the highest IP address is elected the bootstrap router 8 In the Sparse Mode Rendezvous Point RP Configuration sect...

Page 247: ...mask length in the Mask length edit box Note If you do not configure a multicast address for the router it advertises as able to function as the rendezvous point for all multicast groups 224 4 10 Click APPLY 11 To make your changes permanent click SAVE Configuring a PIM SM Static Rendezvous Point 1 Click CONFIG on the home page 2 Click the PIM link in the Routing Configuration section 3 In the PIM...

Page 248: ...LY 9 Optional Enter the multicast group address and prefix length in the MULTICAST GROUP ADDRESS and MASK LENGTH EDIT boxes Click APPLY Note If you do not configure a multicast group address and prefix length for this Static Rendezvous Point it functions by default as the rendezvous point for all multicast groups 224 0 0 0 4 10 Click SAVE to make your changes permanent Setting Advanced Options for...

Page 249: ...ERTISEMENT INTERVAL edit box This value represents the interval between which Candidate Rendezvous Point routers send Candidate RP Advertisement messages 10 In the Sparse Mode Timers section enter a value for the shortest path tree threshold in kilobits per second in the THRESHOLD KPBS edit box Enter an IP address for the multicast group to which the SPT threshold applies in the MULTICAST GROUP ID...

Page 250: ...a value in seconds for the interval between sending join prune messages in the JOIN PRUNE INTERVAL edit box 17 Optional In the General Timers section enter a value for the random delay join prune interval in seconds in the RANDOM DELAY JOIN PRUNE INTERVAL edit box This value represents the maximum interval between the time when the Reverse Path Forwarding neighbor changes and when a Join Prune mes...

Page 251: ...ge 2 Click the PIM link in the Routing Configuration section 3 In the Sparse Mode Timers section to enable Cisco compatibility for register checksums click in the On radio button in the CISCO COMPATIBILITY REGISTER CHECKSUMS field Note You must enable this option if all the destination Candidate Rendezvous Point routers in your domain are Cisco routers 4 Click APPLY and then click SAVE to make you...

Page 252: ...de PIM PIM SM show pim bootstrap shows the IP address and state of the Bootstrap router show pim candidate rp shows the state of the Candidate Rendezvous Point state machine show pim joins shows PIM s view of the join prune G and S G state including RP for the group incoming and outgoing interface s interaction with the multicast forwarding cache and the presence of local members To view the equiv...

Page 253: ...ck SAVE to make your changes permanent The following trace options apply both to dense mode and sparse mode implementations Assert traces PIM assert messages Hello traces PIM router hello messages Join traces PIM join prune messages MFC traces calls to or from the multicast forwarding cache MRT traces PIM multicast routing table events Packets traces all PIM packets Trap Trace PIM trap messages Al...

Page 254: ...ng for load sharing Provides stability during topology changes due to new features This document provides background information and cites differences with other IGRP implementations A router running IGRP broadcasts routing updates at periodic intervals in addition to updates that are sent immediately in response to some type of topology change An update message includes the following information ...

Page 255: ... metrics attempt to physically characterize the path to a destination IGRP attempts to provide optimal routing IGRP has two packet types Request packet Update packet IGRP dynamically builds its routing table from information received in IGRP update messages On startup IGRP issues a request on all IGRP enabled interfaces If a system is configured to supply IGRP it hears the request and responds wit...

Page 256: ...uter is not heard from for 630 seconds all routes from that router are no longer announced that is after the initial 270 seconds such routes are advertised as unreachable This implementation of IGRP does not support all of the features listed in the specification The following is a list of non supported features Multiple type of service TOS routing Variance factor set only to a value of one Equal ...

Page 257: ...the route as unreachable In this latter case the route is actually not marked as unreachable until the next scheduled update cycle though this seems somewhat contradictory Specific Split Horizon This implementation does not implement specific split horizon Split horizon processing roughly means that routes learned from an interface are not advertised back out that same interface Specific split hor...

Page 258: ...rom the next hop interface is advertised in the appropriate IGRP update messages as exterior Note that a direct interface route is advertised only once Therefore a direct interface route that is marked exterior is not also advertised as interior or as system Aliased Interfaces When an interface has multiple addresses configured each address is treated as a distinct interface since it represents a ...

Page 259: ...oute should be advertised in an update Configuring IGRP Note IGRP configuration of an interface is available only if you are licensed for IGRP on your IP router See the Licenses link on the Configuration page 1 Complete Configuring an Ethernet Interface for the interface 2 Click CONFIG on the home page 3 Click the IGRP link in the Routing Configuration section 4 Enter the AS number in the AUTONOMO...

Page 260: ... section enter the new maximum hop count metric in the MAXIMUM HOP COUNT edit box then click APPLY This is used to prevent infinite looping 12 Optional In the Protocol section enter the new update interval metric in the UPDATE INTERVAL edit box then click APPLY This number determines how often route updates are sent out on all of the interfaces 13 Optional In the Protocol section enter the new inv...

Page 261: ...a bandwidth metric in the BANDWIDTH edit box for each interface then click APPLY 7 Required Enter a reliability metric in the RELIABILITY edit box for each interface then click APPLY 8 Required Enter the load metric in the LOAD edit box for each interface then click APPLY The load metric is a fraction of 255 9 Required Enter the MTU metric in the METRIC edit box for each interface then click APPLY...

Page 262: ...only saves packet transmissions on the leaf networks that do not contain group members Reverse Path Multicast RPM allows the leaf routers to prune the distribution tree to the minimum multicast distribution tree RPM minimizes packet transmissions by not forwarding datagrams along branches that do not lead to any group members Multicast capabilities are not always present in current Internet based ...

Page 263: ...ary addresses Supports ICLID wizards Supports the Monitoring template Correctly tracks the number of subordinate routers per route Voyager Interface Using Voyager you can configure the following options DVMRP interfaces New minimum time to live TTL threshold for each interface New cost metric for sending multicast packets for each interface Configuring DVMRP 1 Complete Configuring an Ethernet Inte...

Page 264: ...s information with other multicast routers The group membership reporting protocol includes two types of messages host membership query and host membership report IGMP messages are encapsulated in IP datagrams with an IP protocol number of 2 Protocol operation requires that a designated querier router be elected on each subnet and that it periodically multicast a host membership query to the all h...

Page 265: ...several seconds The unicast traceroute program allows the tracing of a path from one machine to another using mechanisms that already exist in IP Unfortunately no such mechanisms can be applied to IP multicast packets The key mechanism for unicast traceroute is the ICMP TTL exceeded message that is specifically precluded as a response to multicast packets The traceroute facility implemented within...

Page 266: ...GMP then click apply 5 Click the appropriate VERSION radio button to enable either version 1 or 2 then click APPLY 6 Optional Enter the loss robustness value in the LOSS ROBUSTNESS edit box then click APPLY 7 Optional Enter the query interval in the QUERY INTERVAL edit box then click APPLY 8 Optional Enter the query response interval in the QUERY RESPONSE INTERVAL edit box then click APPLY 9 Optio...

Page 267: ...t route Static routes consist of the following Destination Type Next hop gateway There are three types of static routes Normal A normal static route is one used to forward packets for a given destination in the direction indicated by the configured router Black Hole A black hole static route is a route that uses the loopback address as the next hop This route discards packets that match the route ...

Page 268: ...GATEWAY TYPE drop down window Note Gateway Address specifies the IP address of the gateway to which forwarding packets for each static route are sent This address must be that of a router that is directly connected to the system you are configuring Note Gateway Logical Name is valid only if the next hop gateway is an unnumbered interface and you do not know the IP address of the gateway 6 Click AP...

Page 269: ...t the gateway type of the next hop router from the GATEWAY TYPE drop down window Note Gateway Address specifies the IP address of the gateway to which forwarding packets for each static route are sent This address must be that of a router that is directly connected to the system you are configuring Note Gateway Logical Name is valid only if the next hop gateway is an unnumbered interface and you d...

Page 270: ... APPLY and then click SAVE to make your changes permanent Configuring Multiple Static Routes The implementation allows you to add and configure many static routes at the same time 1 Click CONFIG on the home page 2 Click the Static Routes link in the Routing Configuration section 3 In the QUICK ADD STATIC ROUTES field click the QUICK ADD NEXT HOP TYPE drop down window and select NORMAL REJECT or BL...

Page 271: ...ch entry you make for a static route Note You cannot configure a logical interface through the quick add static routes option 6 Click APPLY The newly configured additional static routes appear in the STATIC ROUTE field at the top of the Static Routes page Note The text box displays any entries that contain errors Error messages appear at the top of the page 7 Click SAVE to make your changes perman...

Page 272: ...ccess so we use static routes There are many areas where static routes apply such as in connections to the Internet across corporate WANs and creating routing boundaries between two routing domains Creating Removing Static Routes For the above example we create one static default route to the Internet through 192 168 22 1 22 and a static route across the Corporate WAN to the remote PC LAN across 1...

Page 273: ... Nokia Platform B has the default route with 192 168 22 1 as the nexthop in the routing tables Any packet not destined for the 192 168 22 0 22 net is directed towards 192 168 22 1 Creating a static route non default 1 Click CONFIG on the home page 2 Click the Static Routes link in the Routing Configuration section 3 In the NEW STATIC ROUTE edit box enter 192 168 24 0 4 In the MASK LENGTH edit box ...

Page 274: ...gateways that belong to the interface are deleted from the list of next hop selections Backup static routes are useful for default routes but they can be used for any static route Creating a Backup Static Route 1 Click CONFIG on the home page 2 Click the Static Routes link in the Routing Configuration section Note This example assumes that a static route has already been configured and the task is...

Page 275: ...P 2 on another interface the interface routes can be used to create an aggregate route of the class C that can then be redistributed into RIP This reduces the number of routes advertised using RIP Care must be taken when aggregating if there are holes in the route that is aggregated An aggregate route is created by first specifying the network address and mask length Second a set of contributing r...

Page 276: ... bits in the MASK LENGTH field then click APPLY The mask length is the prefix length that matches the IP address to form an aggregate to a single routing table entry 5 Scroll through the NEW CONTRIBUTING PROTOCOL list and click the protocol you want to use for the new aggregate route then click APPLY 6 Click the ON radio button in the CONTRIBUTE ALL ROUTES FROM protocol field 7 Optional If you wan...

Page 277: ...routing protocol as shown above Configure route aggregation of 192 168 24 0 24 from the OSPF side to the RIP side 1 Initiate a Voyager session to Nokia Platform A 2 Click CONFIG on the home page 3 Click the Route Aggregation link in the Routing Configuration section 4 Enter 192 168 24 0 in the PREFIX FOR NEW AGGREGATE edit box 5 Enter 24 in the MASK LENGTH edit box then click APPLY 00344 Nokia Pla...

Page 278: ...link in the Redistribute to RIP section 13 Click the ON radio button in the EXPORT ALL AGGREGATES INTO RIP field then click APPLY Note If the backbone is running OSPF as well aggregation can be done only by configuring the 192 168 24 0 network in a different OSPF Area Route Rank Route Rank Description The route rank is the value that the routing subsystem uses to order routes from different protoc...

Page 279: ... same route is contributed by more than one protocol the one with the lowest rank becomes the active route Some protocols BGP and aggregates allow for routes with the same rank To choose the active route in these cases a separate tie breaker is used This tie breaker is called LocalPref for BGP and weight for aggregates Rank Assignments A default rank is assigned to each protocol Rank values range ...

Page 280: ...ocol Rank Example When a destination network is learned from two different routing protocols for example RIP and OSPF a router must choose one protocol over another The figure below shows the network configuration for the example In the figure the top part of network is running OSPF and the bottom part of network is running RIP Nokia Platform D learns network 192 168 22 0 from 00337 Nokia Platform...

Page 281: ...r 40 in the RIP edit box then click APPLY This makes the OSPF route the preferred route If you wanted to have the RIP route be the preferred route type 40 for OSPF and 10 for RIP Setting Rank for Static Routes 1 Click CONFIG on the home page 2 Click the Static Routes link in the Routing Configuration section 3 Click on the Advanced Options link 4 Select the route for which you want to set the rank...

Page 282: ...sions Internal and External BGP supports two basic types of sessions between neighbors internal sometimes referred to as IBGP and external EBGP Internal sessions run between routers in the same autonomous systems while external sessions run between routers in different autonomous systems When sending routes to an external peer the local AS number is prepended to the AS path Routes received from an...

Page 283: ...appropriate adjustments to the next hop field to each peer This minimizes the computational load of running large numbers of peers in these types of groups BGP Path Attributes A path attribute is a list of AS numbers that a route has traversed in order to reach a destination BGP uses path attributes to provide more information about each route and to help prevent routing loops in an arbitrary topo...

Page 284: ...ple exit or entry points to the same neighboring autonomous system Used only on external links LOCAL_PREF Determines which external route should be taken and is included in all IBGP UPDATE messages The assigned BGP speaker sends this message to BGP speakers within its own autonomous system but not to neighboring autonomous systems Higher values of a LOCAL_PREF are preferred ATOMIC_AGGREGATE Specif...

Page 285: ...decision that a network is no longer reachable BGP Multi Exit Discriminator MED MED values are used to help external neighbors decide which of the available entry points into an AS are preferred A lower MED value is preferred over a higher MED value and breaks the tie between two or more preferred paths Note A BGP session does not accept MEDs from an external peer unless the Accept MED field is se...

Page 286: ... gateway B until all the interior gateways within the AS are ready to route traffic destined to these destinations using the correct exit border gateway B Interior routing should converge on the proper exit gateway before advertising routes that using the exit gateway to external peers If all routers in an AS are BGP speakers there is no need to have any interaction between BGP and an IGP In such ...

Page 287: ...etrics MED are 32 bit unsigned quantities they range from 0 to 4294967295 inclusive with 0 being the most desirable If the metric is specified as IGP any existing metric on the route is sent as the MED For example this allows OSPF costs to be redistributed as BGP MEDs If this capability is used any change in the metric causes the route to be re redistributed with the new MED or flap so it should b...

Page 288: ...to set append or modify the community of a route that controls which routing information is accepted preferred or distributed to other neighbors The following table displays some special community attributes that a BGP speaker can apply Refer to the communities documents RFCs 1997 and 1998 as of this writing for further details Community Attribute Description NO_EXPORT 0xFFFFFF01 Is not advertised...

Page 289: ...ters act as route reflectors for routers that are not part of the core group Two types of route reflection are supported By default all routes received by the route reflector come from a client are sent to all internal peers including the client s group but not the client If the no client reflect option is enabled routes received from a route reflection client are sent only to internal peers that ...

Page 290: ...typically a topologically close set of routers With confederations this is accomplished by subdividing the autonomous system into multiple smaller ASes that communicate among themselves The internal topology is hidden from the outside world this simply perceives the confederation to be one large AS Each distinct sub AS within a confederation is referred to as a routing domain RD Routing domains ar...

Page 291: ...ld is concerned the confederation ID is the AS number of the single large AS For this reason the confederation ID must be a globally unique normally assigned AS number Note Confederations should not be nested Please refer to the confederations specification document RFC 1965 as of this writing for further details AS1 has seven BGP speaking routers grouped under different routing domains RDI A RDI ...

Page 292: ...an EBGP peer session persists even in the event of an interface failure Using an address assigned to the loopback interface for the EBGP peering session ensures that the TCP connection stays up even if one of the links between them is down provided the peer s loopback address is reachable In addition EBGP multihop support can be used to balance the traffic among all links Caution Enabling multihop...

Page 293: ...te grows in proportion to each additional flap Once the threshold is reached the route is dampened or suppressed Suppressed routes are added back into the routing table once the penalty value is decreased and falls below the reuse threshold Route dampening can cause connectivity to appear to be lost to the outside world but maintained on your own network because route dampening is only applied to ...

Page 294: ... table is 76 bytes Inbound route entry in the BGP table is 20 bytes Outbound route entry in the BGP table is 24 bytes To calculate the amount of memory overhead on the routing daemon due to BGP peers calculate the memory required for all of the RIBs according to the following procedures Add this value to the base IPSRD size Inbound RIB Multiply the number of peers by the number of routes accepted ...

Page 295: ...r is 2 000 000 or 2MB 2 To calculate the local memory requirements multiply the number of routes accepted 50 000 by the size of each route entry in the local route table 76 bytes The answer is 4 000 000 or 4MB 3 To calculate the outbound memory requirements multiply the number of peers only one customer by the number routes advertised 2 000 Next multiply the resulting value by the size of each out...

Page 296: ...terface 2 Configure an internal routing protocol such as OSPF or configure a static route to connect the platforms within AS100 to each other For more information see Configuring OSPF or Creating a Static Route 3 Click CONFIG on the home page 4 Click the BGP link in the Routing Configuration section 5 Enter a router ID in the ROUTER ID edit box The default router ID is the address of the first int...

Page 297: ...e Configuring OSPF or Creating a Static Route 3 Click Config on the home page 4 Click the BGP link in the Routing Configuration section 5 Enter a router ID in the ROUTER ID edit box The defalt router ID is the address of the first interface An address on a loopback interface that is not the loopback address 127 0 0 1 is preferred 6 Enter 100 in the AS NUMBER edit box Note The steps below are optio...

Page 298: ...terface An address on a loopback interface that is not the loopback address 127 0 0 1 is preferred 6 Enter 100 in the AS NUMBER edit box 7 Enter 100 in the PEER AUTONOMOUS SYSTEM NUMBER edit box 8 Click INTERNAL in the PEER GROUP TYPE drop down window then click APPLY 9 Enter 172 17 10 1 in the ADD REMOTE PEER IP ADDRESS edit box then click APPLY Configuring Nokia Platform C as an IBGP Peer to Nok...

Page 299: ...in the PEER GROUP TYPE drop down window then click APPLY 5 Enter 170 17 10 2 in the ADD A NEW PEER edit box then click APPLY 6 Configure route redistribution policy as per example given Configuring EBGP on Nokia Platform D 1 Configure the interface as in Configuring an Ethernet Interface 2 Click CONFIG on the home page 3 Click the BGP link in the Routing Configuration section 4 Enter a router ID i...

Page 300: ... click APPLY 4 Enter 170 17 10 1 in the ADD A NEW PEER edit box then click APPLY 5 Configure route inbound policy according the BGP Route Inbound Policy Example 6 Configure route redistribution policy according to BGP Route Redistribution Example Verification To verify that you have configured BGP neighbors correctly run the following command in ICLID For more information on this command go to Dis...

Page 301: ...BLE COMMUNITIES field then click APPLY 3 Follow the steps described in the Configuring Route Inbound Policy on Nokia Platform D Based on an Autonomous System Number example 4 Enter the community ID or the name of one of the special attributes in the COMMUNITY ID SPECIAL COMMUNITY edit box then click APPLY 5 Click the ON button in the REDISTRIBUTE ALL ROUTES field or enter specific IP prefixes to r...

Page 302: ...uring Default MED for Nokia Platform D Configuring MED Values for all Peers of AS200 Configuring MED Values per External BGP for Nokia Platform D Configuring MED Values and Route Redistribution Policy on Nokia Platform D Configuring Default MED for Nokia Platform D 1 Click CONFIG on the home page 2 Click the BGP link in the Routing Configuration section 3 Configure EBGP peers in AS100 and AS200 ac...

Page 303: ...of AS4 with this MED value Note Setting an MED value for all peers under the local AS overwrites the default MED setting of the respective internal peers Configuring MED Values per External BGP for Nokia Platform D 1 Click CONFIG on the home page 2 Click the BGP link in the Routing Configuration section 3 Configure EBGP peers in AS100 and AS200 according to the BGP Neighbors Example 4 Click the pe...

Page 304: ...ing Configuration section 3 Configure EBGP peers in AS100 and AS200 according to the BGP Neighbors Example 4 Click the Route Redistribution link the Routing Configuration section 5 Click the BGP link in the Redistribute to BGP section 6 Enter 100 in MED edit box next to the ENABLE REDISTRIBUTE BGP ROUTES TO AS100 field 7 Enter necessary information for route redistribution according to the BGP MED...

Page 305: ...to set up two IBGP peers and how to configure routes learned using Nokia Platform A to have a higher local preference value over Nokia Platform B which has default local preference value of 100 1 Configure the interface as in Configuring an Ethernet Interface 2 Click the BGP link in the Routing Configuration section 3 Enter 100 in the AS NUMBER edit box then click APPLY Nokia Platform A Nokia Plat...

Page 306: ...nomous System Number link 5 Enter 512 or any unique number in the range of 512 1024 in the IMPORT ID edit box 6 Enter 100 in the AS edit box 7 Enter 200 in the LOCALPREF edit box 8 Click the ON radio button in the ENABLE IMPORT ALL ROUTES FROM BGP AS 200 field then click APPLY Configuring the Static Routes Required for an IBGP Session 9 Click the TOP button at the top of the configuration page 10 ...

Page 307: ...10 2 in the ROUTER ID edit box 4 Enter 100 in the AS NUMBER edit box 5 Enter 20 10 10 1 in the ADD REMOTE PEER IP ADDRESS edit box then click APPLY 6 Click the TOP button at the top of the configuration page 7 Click the Static Routes link in the Routing Configuration section 8 Enter 10 10 10 0 in the NEW STATIC ROUTE edit box 9 Enter 24 in the MASK LENGTH edit box 10 Enter 20 10 10 1 in the GATEWA...

Page 308: ...guration is done on Nokia Platform C 1 Set up the confederation and the routing domain identifier a Click CONFIG on the home page b Click the BGP link in the Routing Configuration section c Click the Advanced BGP Options link d Enter 65525 in the CONFEDERATION EDIT box e Enter 65528 in the ROUTING DOMAIN IDENTIFIER edit box then click APPLY Nokia Platform A Nokia Platform B Nokia Platform E 00333 ...

Page 309: ...t box then click APPLY 3 Create confederation group 65528 a Click CONFIG on the home page b Click the BGP link in the Routing Configuration section c Enter 65528 in the PEER AUTONOMOUS SYSTEM NUMBER edit box d Click CONFEDERATION in the PEER GROUP TYPE drop down window then click APPLY Define properties for the above group e Click the ON radio button in the ALL field f Click the ON radio button in...

Page 310: ...tribution a Click CONFIG on the home page b Click the Route Redistribution link in the Routing Configuration section c Click the BGP link in the Redistribute to BGP section d Click 65528 in the REDISTRIBUTE TO PEER AS drop down window e Click 65524 in the FROM AS drop down window then click APPLY f Click the ON radio button in the ENABLE REDISTRIBUTION OF ROUTES FROM AS 65524 INTO AS 65528 field t...

Page 311: ...a Platform D 1 Assign an AS number for this router a Click CONFIG on the home page b Click the BGP link in the Routing Configuration section c Enter 65526 in the AS NUMBER edit box then click APPLY 2 Create an external peer group a Click CONFIG on the home page b Click the BGP link in the Routing Configuration section c Click the Advanced BGP Options link d Enter 65525 in the PEER AUTONOMOUS SYSTE...

Page 312: ...the PEER AUTO AUTONOMOUS SYSTEM NUMBER edit box e Click INTERNAL in the PEER GROUP TYPE drop down window then click APPLY 5 Configure parameters for the group a Click CONFIG on the home page b Click the BGP link in the Routing Configuration section c Click the Advanced BGP Options link d Click the ON radio button in the ALL field This covers all IGP and static routes e Click the ON radio button in...

Page 313: ... the Routing Configuration section c Click the Based on Autonomous System Number link d Enter 512 in the IMPORT ID edit box and enter 65526 in the AS edit box then click APPLY e Click the ACCEPT radio button in the ALL BGP ROUTES FROM AS 65526 field then click APPLY f Enter 513 in the IMPORT ID edit box and enter 65525 in the AS edit box then click APPLY g Click the ACCEPT radio button in the ALL ...

Page 314: ...INTO AS 65525 field then click APPLY j Click SAVE to make your changes permanent BGP Community Example A BGP community is a group of destinations that share the same property However a community is not restricted to one network or AS Communities are used to simplify the BGP inbound and route redistribution policies Each community is identified by either an ID or one of these special community name...

Page 315: ...ing OSPF to BGP Example 2 Match the following ASes with the following community IDs AS 4 with community ID 1 4 1 AS 5 with community ID 2 5 2 AS with no export by entering the AS values in the AS edit box and the community IDs in the COMMUNITY ID SPECIAL COMMUNITY edit box then click APPLY Note Matching an AS with the no export option only matches those routes that have all of the above AS number ...

Page 316: ...nfigure load balancing for EBGP between two ASes over two parallel links This example consists of the following Enabling BGP function Configuring loopback addresses Adding static routes Configuring peers Configuring inbound and route redistribution policies In the following diagram Nokia Platform A is in autonomous system AS100 and Nokia Platform B is in autonomous system AS200 Nokia Platform A ha...

Page 317: ...5 6 7 8 in the NEW IP ADDRESS edit box and then click APPLY Platform A 1 Click the Static Routes link in the Routing Configuration section 2 Enter 5 6 7 8 in the NEW STATIC ROUTE edit box in order to reach the loopback address of Platform B 3 Enter 32 in the MASK LENGTH edit box then click APPLY 4 Enter 129 10 2 2 in the ADDITIONAL GATEWAY edit box then click APPLY 5 Enter 129 10 1 2 in the ADDITI...

Page 318: ...igure options for that peer 5 In the Nexthop field click the on button next to EBGP Multihop to enable the multihop option and then click APPLY 6 Optional Enter a value in the TTL edit box to set the number of hops over which the EBGP multihop session is established The default value is 64 and the range is 1 255 Click APPLY Platform B 1 Configure an EBGP peer on Platform B as in Configuring an Eth...

Page 319: ...EW IP ADDRESS edit box then click APPLY Platform B 1 Configure the interface as in Configuring an Ethernet Interface 2 Click the Interfaces link on the Configuration page 3 Click the logical address loopback link 4 Enter the 5 6 7 8 in the NEW IP ADDRESS edit box then click APPLY Platform A 1 Click the OSPF link in the Routing Configuration section 2 Click the backbone area in the drop down window...

Page 320: ...istribution policies 4 Click on the link for specific peer you configured in Step 1 This action takes you the page that lets you configure options for that peer 5 In the Nexthop field click the on button next to EBGP Multihop to enable the multihop option and then click APPLY 6 Optional Enter a value in the TTL edit box to set the number of hops over which the EBGP multihop session is established ...

Page 321: ...1 Configure a BGP neighbor as in the BGP Neighbors Example 2 Click the peer IP address link to configure peer specific parameters 3 Enter a value in seconds in the HOLDTIME edit box Holdtime indicates the maximum number of seconds that may elapse between the receipt of successive keepalive and or update messages by the sender before the peer is declared dead It must be either zero or at least 3 se...

Page 322: ...following 2 steps configure the EBGP peer for Nokia Platform B 6 Enter 200 in the PEER AUTONOMOUS SYSTEM NUMBER edit box 7 Click EXTERNAL in the PEER GROUP TYPE drop down window then click APPLY 8 The following steps configure an EBGP peer with MD5 authentication 9 Enter 10 10 10 2 in the ADD REMOTE PEER IP ADDRESS edit box then click APPLY 10 Click the 10 10 10 2 link to access the BGP peer confi...

Page 323: ...e following steps configure an EBGP peer with MD5 authentication 7 Enter 10 10 10 1 in the ADD REMOTE PEER IP ADDRESS edit box then click APPLY 8 Click the 10 10 10 1 link to access the BGP peer configuration page 9 Select MD5 as the authentication type from the AUTHTYPE drop down window then click APPLY 10 Enter the MD5 shared key test123 for example in the KEY edit box then click APPLY BGP Route...

Page 324: ...isplayed 5 Enter any changes in the edit boxes that correspond to the appropriate fields then click APPLY Verification To verify that you have configured route dampening correctly run the following command in ICLID For more information on this command go to Displaying Routing Protocol Information show route bgp suppressed Field Default Value Units of measurement Suppress above 3 Number of route fl...

Page 325: ...path with the largest local preference If the local preferences are the same prefer the route that has the shortest AS_path If all paths have the same AS_path length prefer the path with the lowest origin type Origin IGP EGP Incomplete If the origin codes are the same prefer the path with the lowest MED attribute If MED is not ignored If the paths have the same MED prefer the external path over th...

Page 326: ... prefix that is to be redistributed or excluded the prefix is matched against a filter The filter is composed of a single IP prefix and one of the following modifiers normal exact refines and range The default modifier is normal 1 Normal matches any route that is equal to or more specific than the given prefix 2 Exact matches a route only if it equals the IP address and mask length of the given pr...

Page 327: ...link in the Routing Configuration section 2 Click the BGP Routes based on AS link under the Redistribute to BGP section 3 Select 100 from the REDISTRIBUTE TO PEER AS drop down list 4 Select 4 from the FROM AS drop down list then click APPLY This enables route redistribution from AS 4 to AS 100 By default all routes that are excluded from being redistributed from AS 4 are redistributed to AS 100 No...

Page 328: ... the ACCEPT radio button next to ALL BGP AS 4 ROUTES INTO AS 100 field 2 Click APPLY Redistributing RIP to OSPF Example In this example Nokia Platform A is connected to a RIP network and is redistributing RIP routes to and from OSPF for the Nokia OSPF Backbone Nokia Platform D is connected to a subnet of Unix workstations that is running routed Note routed is a program that runs by default on most...

Page 329: ...ate Net RIP Router Routes are redistributed from the corporate RIP network to the Nokia OSPF network 00337 Nokia Platform B Nokia Platform A Nokia Platform D 26 69 30 26 66 30 Nokia Platform C 26 73 30 26 70 30 26 65 30 26 74 30 26 61 24 26 77 28 26 79 28 26 80 28 26 78 28 26 1 24 0 0 0 0 0 24 0 24 22 0 24 Nokia OSPF Backbone RIP to OSPF Border RIP Network UNIX Hosts with Routed Enabled Hub Corpor...

Page 330: ...u want to redistribute all routes click the ACCEPT radio button in the ALL RIP ROUTES INTO OSPF EXTERNAL field Optional To change the cost metric for RIP Routes into OSPF Externals Enter the new cost metric in the METRIC edit box then click APPLY 6 If you want to prevent 192 168 22 0 24 and other more specific routes from being redistributed into OSPF External define a route filter to restrict onl...

Page 331: ...to export all OSPF routes into RIP click the RESTRICT radio button and define a route filter to advertise only certain OSPF routes into RIP 7 Assume that Nokia Platform B has another interface not shown in the picture and that it has two additional OSPF routes 10 0 0 0 8 and 10 1 0 0 16 Assume that you want to exclude all routes that are strictly more specific than 10 0 0 0 8 that is we wish to pr...

Page 332: ...n link in the Routing Configuration section 3 Click the OSPF link in the Redistribute to BGP section 4 To redistribute OSPF routes into peer AS 100 select 100 from the REDISTRIBUTE TO PEER AS drop down window then click APPLY 5 Optional Enter the MED in the MED edit box then click APPLY 6 Optional Enter the local preference in the LOCALPREF edit box then click APPLY 00338 Nokia Platform B Nokia Pl...

Page 333: ... routing protocol with a specified rank or to exclude the prefix There are four different ways to specify the type of prefix matching that should be done for filter entries 1 Routes that exactly match the given prefix that is have the same network portion and prefix length 2 Routes that match more specific prefixes but do not include the given prefix For example if the filter is 10 8 then any netw...

Page 334: ...5 If you set ALL ROUTES to ACCEPT and click APPLY the RANK field is displayed In the RANK field you may specify the rank to a value all routes should have The range of values is 1 255 6 Enter the appropriate IP address and mask length in the NEW ROUTE TO FILTER and MASK LENGTH fields then click APPLY A NEW SET OF FIELDS IS DISPLAYED ADJACENT TO THE NEWLY ENTERED IP ADDRESS AND MASK LENGTH 7 Select...

Page 335: ...nd Policy on Nokia Platform D Based on an Autonomous System Number 1 Click CONFIG on the home page 2 Click the Inbound Route Filters link in the Routing Configuration section 3 Click the Based on Autonomous System Number link 4 Enter 512 in the IMPORT ID edit box Import ID specifies the order in which the import lists are applied to each route The range for filters based on AS numbers is from 512 ...

Page 336: ...ple of how to do this we assume we want to filter all routes that are strictly more specific than 10 0 0 0 8 In other words we allow all routes whose prefix is not 10 0 0 0 8 except for 10 0 0 0 8 itself but we exclude all routes that are more specific such as 10 0 0 0 9 and 10 128 0 0 9 2 To configure this filter we add 10 0 0 0 in NEW IP PREFIX TO IMPORT entry box and 8 in MASK LENGTH entry box ...

Page 337: ...ost likely complete An origin of EGP indicates the route was learned from an exterior routing protocol that does not support AS paths and the path is most likely incomplete When the path information is incomplete an origin of INCOMPLETE is used 7 Enter a new route filter In this example we assume we want to filter all routes that are strictly more specific than 10 0 0 0 8 In other words we allow a...

Page 338: ...xpression in the ASPATH REGULAR EXPRESSION edit box 3662 Select ANY from the ORIGIN pulldown window then click APPLY 2 To accept routes whose last autonomous system is 3662 enter this ASPATH regular expression in the ASPATH REGULAR EXPRESSION edit box 3662 Select ANY from the ORIGIN drop down window then click APPLY 3 To accept routes that originated from 2041 and whose last autonomous system is 7...

Page 339: ... a Cluster Managing a Cluster Synchronizing the Time on Cluster Nodes Configuring VPN 1 FireWall 1 for Clustering Clustering Example Three Nodes Clustering Example With a VPN Tunnel Redundant Topology Examples Configuring Access Control Lists Traffic Management Description Packet Filtering Description Traffic Shaping Description Traffic Queuing Description Creating an Access Control List Deleting ...

Page 340: ...n Aggregation Class Associating an Aggregation Class with a Rule Example Rate Shaping Configuring Queue Classes Queue Class Description Creating a New Queue Class Deleting a Queue Class Setting or Modifying Queue Class Configuration Values Associating a Queue Class with an Interface Example Expedited Forwarding Configuring ATM QoS ATM QoS Description Creating a New QoS Descriptor Deleting an ATM Q...

Page 341: ...ode Group Deleting an Interface from a Transparent Mode Group Enabling a Transparent Mode Group Disabling a Transparent Mode Group Enabling VRRP for a Transparent Mode Group Disabling VRRP for a Transparent Mode Group Monitoring Transparent Mode Groups Configuring Clustering in IPSO Overview This section describes IPSO s clustering feature and provides instructions for configuring clusters It incl...

Page 342: ...e of the remaining nodes IPSO clusters are also scalable with regard to VPN performance as you add nodes to a cluster the VPN throughput improves IPSO clusters support a variety of Check Point VPN 1 FireWall 1 NG features including Synchronizing state information between firewalls Firewall flows Network address translation VPN encryption Note All cluster nodes must run the same version of VPN 1 Fi...

Page 343: ...ernal network 192 168 1 0 with 192 168 2 10 as the gateway address The internal router needs a static route to the external network 192 168 2 0 with 192 168 1 10 as the gateway address Internet Firewall A Firewall B 192 168 1 0 192 168 2 0 Secondary Cluster Protocol Network 192 168 4 0 Cluster IP 192 168 4 10 Cluster ID 10 External Router Primary Cluster Protocol Network 192 168 3 0 Cluster IP 192...

Page 344: ...lets you easily set up automatic configuration of cluster nodes In this and similar diagrams switches and hubs are not shown for the sake of simplicity Cluster Management You can manage all the nodes of a cluster simultaneously by using Cluster Voyager This is a feature that lets you configure a cluster as a single virtual device You can make configuration changes once and have them take effect on...

Page 345: ...able it references the example cluster CCLI Cluster CLI A feature that lets you centrally manage all the nodes in a cluster as a single virtual system using one command line session Cluster administrator When you log into a Nokia appliance with the user name cadmin you log in as a cluster administrator If you are using a browser the system displays Cluster Voyager If you are using the command shel...

Page 346: ...Cluster MAC address A MAC address that the cluster protocol installs on all nodes Only the cluster master responds to ARP requests that routers send to cluster IP addresses The cluster MAC address makes the cluster appear as a single device at the OSI layer two level Cluster master The master node plays a central role in balancing the traffic among the cluster nodes The cluster determines which no...

Page 347: ...t interfaces can participate in a cluster Note These interfaces should be internal and Nokia also recommends that the cluster protocol networks be dedicated networks that is you should not use a network that carries production traffic to carry the cluster protocol traffic This is the configuration shown in the example cluster If you use VPN 1 FireWall 1 NG_AI the cluster protocol interfaces can al...

Page 348: ...rimary interface fails on the master all the other nodes must use the secondary protocol network to communicate with the master If the primary and secondary cluster protocol interface fails on a node the node is removed from the cluster If it is the master one of the remaining nodes becomes the new master Cluster Voyager A feature that lets you centrally manage all the nodes in a cluster as a sing...

Page 349: ...ers adjacent to the cluster either connected directly or through a switch or hub must be able to accept ARP replies that contain a multicast MAC address Switches connected directly to the cluster must be able to forward packets destined for a single multicast MAC address out multiple switch ports See Considerations for Clustering for more information about the requirements for routers and switches...

Page 350: ...ting that is no routing protocols can be enabled Devices that need to send traffic through a cluster must have a static route that uses the appropriate cluster IP address internal or external for the route s gateway address For example a router on the internal side of a cluster should use an internal cluster IP address as the gateway address If you use multicast mode adjacent devices either connec...

Page 351: ...okia recommends that you do not use hubs to connect a cluster to user data networks If possible use switches for these connections You can create multiple clusters in the same LAN or VLAN broadcast domain The clusters are distinguished by their cluster IDs For an example of how to create a fully redundant topology around an IPSO cluster see Redundant Topology Examples Other Considerations If a clu...

Page 352: ...are used only by IPSO cluster nodes You can prevent the cluster protocol messages from being spread across the production networks by connecting the networks with switches that use IGMP snooping IPSO sends out IGMP membership reports for the cluster protocol multicast group A switch using IGMP snooping will then forward cluster protocol messages only to group nodes that is the other cluster nodes ...

Page 353: ...O 3 7 but Nokia strongly recommends that you upgrade all the nodes of your IPSO 3 6 clusters to IPSO 3 7 IPSO supports a 3 6 master with 3 7 members to allow a cluster to remain in service during an upgrade To upgrade IPSO on cluster nodes and ensure that there is no interruption in service follow the steps below This procedure assumes that you are upgrading a three node cluster in which node C is...

Page 354: ...u cannot use Cluster Voyager or the CCLI until you create a password for the cadmin user on each of the cluster nodes After you upgrade IPSO on the cluster nodes perform the following procedure to create a password for the cadmin user on each of the nodes 1 Click CONFIG on the home page 2 Click Clustering Setup in the Traffic Management section The Clustering Setup Configuration page appears 3 Cli...

Page 355: ...N 1 FireWall 1 is not running on the node disable VPN 1 FireWall 1 monitoring before you make the cluster active so that the cluster can be initialized After the cluster is active enable the monitoring so that the cluster monitors the firewall and leaves the cluster if the firewall fails on the node 5 Specify whether SecuRemote clients will be able to access servers behind the cluster This step do...

Page 356: ...nd Configuring the Performance Rating for more information about these features You must also configure the VPN 1 FireWall 1 to work with the IPSO cluster Use the Check Point client application to add a gateway object for the Nokia appliance You also must create a gateway cluster object and add the gateway object to it Refer to the Check Point documentation and Configuring VPN 1 FireWall 1 for Clu...

Page 357: ...r protocol you must select at least two Ethernet interfaces One of the two must be an internal or external interface not a primary or secondary cluster interface The other interface must be the primary interface Note Nokia recommends that you select another interface as a secondary cluster protocol interface Remember that the primary and secondary cluster protocol networks should not carry any pro...

Page 358: ...y interfaces of all the cluster nodes must belong to the same network This network should not carry any other traffic 6 For the interface that will serve as the secondary cluster protocol interface for the node click the YES button in the Secondary Interface column The secondary interfaces of all the cluster nodes must belong to the same subnet This subnet should not carry any other traffic unless...

Page 359: ...uster that uses NAT observe the following guidelines when configuring the hash method on the cluster interfaces connected to the DMZ Web mail and authentication servers are often located in DMZs If you want to use NAT on the addresses in the DMZ set the hash method to NAT_INT If you do not want to use NAT on the addresses in the DMZ that is if you want to expose the real IP addresses used in the D...

Page 360: ... on the other cluster nodes before the rebooted node rejoins the cluster This prevents any issues that could result from the node attempting to handle traffic before VPN 1 FireWall 1 has synchronized The cold start interval is a time in seconds that the system waits before attempting to join the cluster so that VPN 1 FireWall 1 is able to synchronize first The system waits for this interval only i...

Page 361: ...Voyager To configure the cluster to support a tunnel perform the following procedure 1 In the NETWORK ADDRESS field under Add New VPN Tunnel enter the remote encryption domain IP address in dotted decimal format for example 192 168 50 0 2 In the MASK field enter the mask value as a number of bits The range is 8 to 32 3 In the TUNNEL END POINT field enter the IP unicast address of the remote encryp...

Page 362: ...hrough the cluster Traffic that passes through the cluster is NATed so that the source address of a packet is translated to one of the addresses in the IP pool of the cluster node that handles the connection To set up this configuration you would Configure the IP pools in VPN 1 FireWall 1 On the internal router VPN SecuRemote Traffic Firewall A IP Pool 10 1 2 0 24 Firewall B IP Pool 10 1 3 0 24 In...

Page 363: ...figuring IP Pools for more information For VPN 1 FireWall 1 NG with Application Intelligence and later Do not configure the IP pools in IPSO Configuring the pools in FireWall 1 is sufficient Configuring IP Pools To configure IP pools in Voyager follow this procedure 1 In the NETWORK ADDRESS field enter the network that the IP pool addresses will be assigned from If you were configuring firewall A ...

Page 364: ...red features from the master This occurs in either mode when the original master leaves the cluster for example if it is rebooted It can also occur in forwarding mode if you manually adjust the performance rating or if a system with a higher rating becomes joins the cluster See Configuring the Performance Rating for more information In addition to helping you make sure that all cluster nodes are c...

Page 365: ...y name com If a third node C joins the cluster and its domain name is foobar com before it joins foobar com is replaced by company name com during the joining process If you change the domain name on node C back to foobar com the domain name remains foobar com unless any of the following occurs node C leaves and rejoins the cluster node B becomes the master a cadmin user changes the domain name wh...

Page 366: ...ou have a two node cluster in which DNS is a shared feature but no domain name is configured on the master If a third system joins the cluster and its domain name is foobar com before it joins it retains that domain name after it joins Configuring Features for Sharing Follow these steps to ensure that the appropriate configuration settings are identical on each cluster node 1 After you create a cl...

Page 367: ... After You Create a Cluster Whenever you use Cluster Voyager or the CCLI you can remove features from the list of ones that are cluster sharable You can do this on any node However Nokia recommends that you avoid doing this You should set up the appropriate feature sharing when you create a cluster and then leave it unchanged If a feature is shared and you want to reconfigure it on all the cluster...

Page 368: ...e You receive error messages if the node does not meet these requirements Adding a Node to a Cluster It is very easy to add Nokia appliances to an existing cluster There are two methods you can use Joining automatic configuration This is the recommended method because The only tasks you must do on the joining systems are Configure interfaces with IP addresses in each of the networks the cluster wi...

Page 369: ...d manually add the system to the cluster by disabling its firewall monitoring Caution For security reasons you should never add a system that is not running VPN 1 FireWall 1 to a cluster that is in service This should only be done in a test environment Recommended Procedure Nokia recommends that you follow this general procedure when building a cluster 1 Fully configure the first cluster node and ...

Page 370: ...in each of the networks used by the cluster and activate the interfaces 3 Click TOP 4 Under Traffic Management Configuration click Clustering Setup to display the Clustering Setup Configuration page 5 Enter the ID of the existing cluster 6 Enter the password for the user cadmin in both password fields Note This must be the same password that you entered for cadmin when you created the cluster on t...

Page 371: ...sfully joins the cluster Voyager displays a number of new fields If the node does not successfully join the cluster you see a message indicating why Correct the problem and attempt the join again Managing a Cluster You can choose between two different approaches to making configuration changes on cluster nodes You can make changes that are implemented on all the nodes simultaneously To make change...

Page 372: ... Starting Cluster Voyager To start Cluster Voyager follow these steps 1 In your browser s address or URL field enter an IP address of a system that is participating in the cluster or the appropriate shared cluster IP address for example the internal cluster IP address If you enter a shared cluster IP address the master node responds 2 Enter the user name cadmin and the password for cadmin Note If ...

Page 373: ...ne of the cluster nodes ad admin using a command line session 2 Start the CLI by entering clish 3 Enter set user cadmin oldpass newpass new_password 4 Log out of the CLI by entering exit 5 Repeat step 1 through step 4 on the other cluster nodes 6 Log into Cluster Voyager using the new password Monitoring a cluster If you click MONITOR on the Cluster Voyager home page you see a number of links to p...

Page 374: ...ster receives all the packets for the cluster first so the performance of the master affects the performance of the whole cluster If a joining system has a higher rating than the other nodes it becomes the master If more than one system have the same performance rating the first system to join the cluster is the master In forwarding and multicast mode the cluster master takes the performance ratin...

Page 375: ...while logged in as admin or cadmin but the results are different When you log in as cadmin and use Cluster Voyager or the CCLI and change a setting of a shared feature the change is made on all the nodes For example if static routes are shared and you add a static route while logged in as cadmin the route is added to all the cluster nodes When you log in as admin and change a configuration setting...

Page 376: ...ter even if you did not share the feature when you created the cluster However systems that join the cluster later do not copy the configuration settings for that feature When you make changes to features that you removed from the list of join time shared features you see the following message This feature is not associated with cluster xxx Any changes made would be propagated to all the cluster n...

Page 377: ...r nodes in order It waits until each node has successfully rebooted and rejoined the cluster before rebooting the next node Once all the other nodes have rebooted and rejoined the originating node reboots itself Note The originating node is the node that you are logged into It might not be the cluster master The following is an illustration of this process in a three node cluster with nodes A B an...

Page 378: ... Safe Reboot Status Caution Do not log out of Cluster Voyager end your browser session or otherwise break your connection with the cluster while a cluster safe reboot is in progress Doing so causes the nodes that you are not logged into to leave the cluster If you logged into Cluster Voyager using a cluster IP address you are logged into the master If this occurs manually rejoin the systems to the...

Page 379: ...change the primary interface you must log into the node as admin You cannot use Cluster Voyager or the CCLI Note Any time you make a change to the cluster interface configuration the node leaves and attempts to rejoin the cluster 1 Log into the Voyager on the node as admin 2 Display the Clustering Setup Configuration page 3 To add an interface to the cluster click YES in the Select column Complete...

Page 380: ...g Setup Configuration page click DELETE Synchronizing the Time on Cluster Nodes You probably want to keep the times on the cluster nodes synchronized If you run Check Point s VPN 1 FireWall 1 be sure to do so to prevent problems with firewall synchronization To make sure that the time is synchronized on cluster nodes you must assign the same time zone to each node configure NTP so that each node g...

Page 381: ...c node to be the time server for the cluster If you configure NTP this way and the master node fails the other nodes will not get their time from another server This situation could lead to problems with firewall synchronization The most convenient way to set up NTP in a cluster is to use Cluster Voyager or the CCLI because you need to perform the configuration steps only one time instead of perfo...

Page 382: ...Make sure that the NTP MASTER choice is set to NO 6 Click APPLY All the cluster nodes will now learn their time from the time server you specified Using the master node as the NTP server To configure the cluster master as the NTP server do the following steps on the NTP configuration page 1 Log into Cluster Voyager 2 Under System Configuration click NTP 3 Enable NTP After you enable NTP you see yo...

Page 383: ...ds each node must have exactly the same set of packages as all the other nodes When you use Check Point s cpconfig program at the command line or through the Voyager interface to this program follow these guidelines You must install VPN 1 FireWall 1 as an enforcement module only on each node Do not install it as a management server and enforcement module After you choose to install VPN 1 FireWall ...

Page 384: ...rotocol network you can configure an accept all rule on the primary interfaces of the cluster nodes If you configure a rule on the cluster protocol network that does not accept all the traffic you must allow traffic to these interfaces on port 1111 This port is used for the cluster management traffic Create a Service object for TCP port 1111 If you are not using a dedicated network as the primary ...

Page 385: ...o occur on a dedicated network used only for this purpose avoid using a production network for firewall synchronization Do not use either of the cluster protocol networks for firewall synchronization traffic Note The firewall synchronization network should have bandwidth of at least 100 mbps If you are using VPN 1 FireWall 1 FP3 and are also using NAT Disable the automatic ARP option on the NAT ta...

Page 386: ...internal cluster interface and eth s2p1 is the external cluster interface 4 In the information about the internal and external cluster interfaces identify the cluster MAC addresses Look in that output for clustermac followed by a MAC address For example clustermac 1 50 5a a a 1 Firewall A eth s1p1 eth s2p1 Firewall B eth s2p1 eth s3p1 eth s3p1 Primary Cluster Protocol Network 192 168 1 0 192 168 2...

Page 387: ... shown in the example figure you would enter the cluster MAC address for interface eth s2p1 11 Click APPLY 12 To create a proxy ARP entry for the internal cluster IP address repeat steps step 8 through step 11 using the information for the internal cluster interface In the cluster shown in the example figure the internal cluster interface is eth s1p1 and its cluster IP address in 192 168 1 10 If Y...

Page 388: ...ization If you use a cluster protocol network for firewall synchronization Nokia recommends that you use the secondary cluster protocol network for this purpose Note The firewall synchronization network should have bandwidth of 100 mbps or greater Clustering Example Three Nodes This section presents an example that shows how easy it is to configure an IPSO cluster The following diagram illustrates...

Page 389: ...activate the interfaces 192 168 1 0 192 168 2 0 Secondary Cluster Protocol Network 192 168 4 0 Cluster IP 192 168 4 10 Cluster ID 10 External Router Primary Cluster Protocol Network 192 168 3 0 Cluster IP 192 168 3 10 1 1 1 1 Firewall B eth s1p1 eth s2p1 eth s3p1 eth s4p1 2 2 2 2 3 3 3 3 Firewall A eth s1p1 eth s3p1 eth s4p1 eth s2p1 Internal Cluster IP External Cluster IP 192 168 2 5 Internal Rou...

Page 390: ...ature 11 Configure the cluster interfaces a Click YES in the Select column of the Interfaces Configuration table for each appropriate interface b Enter each cluster IP address in the appropriate field For eth s1p1 enter 192 168 1 10 For eth s2p1 enter 192 168 2 10 For eth s3p1 enter 192 168 3 10 For eth s4p1 enter 192 168 4 10 Note The cluster IP address must be in the same subnet as the real IP a...

Page 391: ...ces with real IP addresses in each of the four networks shown in the example 22 Join nodes B and C to the cluster These nodes will copy the configuration information you entered on node A including the static routes to the internal and external networks Configuring the Internal and External Routers You would also need to perform the following tasks on the routers facing the cluster 1 Because the c...

Page 392: ...affic Management 394 Voyager Reference Guide On the external router configure a static route for 192 168 1 0 the internal network using the cluster IP 192 168 2 10 the external cluster IP address as the gateway address ...

Page 393: ...8 4 0 Cluster IP 192 168 4 10 Cluster ID 10 Primary Cluster Protocol Network 192 168 3 0 Cluster IP 192 168 3 10 1 1 1 1 Firewall B eth s1p1 eth s2p1 eth s3p1 eth s4p1 Firewall C eth s1p1 eth s2p1 eth s3p1 eth s4p1 2 2 2 2 3 3 3 3 Firewall A eth s1p1 eth s3p1 eth s4p1 eth s2p1 Internal Cluster IP 192 168 2 5 Internal Router 192 168 1 5 Remote Router VPN Tunnel Tunnel Endpoint External Cluster IP T...

Page 394: ...N Tunnel section of the Clustering Setup Configuration page enter 10 1 1 0 in the NETWORK ADDRESS field 4 In the MASK field enter 24 5 In the TUNNEL END POINT field enter 10 1 2 5 The end point that you configure here is the IP address on the remote router If the other end of the tunnel is also an IPSO cluster this address would be the external cluster IP address of the other cluster 6 Click APPLY...

Page 395: ...igure two of these networks If you do not configure a secondary cluster protocol network and the switch connecting the primary cluster protocol network fails the cluster dissolves To prevent this problem you can directly connect a cluster to at least two switches or hubs on each network that the cluster connects to excluding the Firewall A Firewall B Primary Cluster Protocol Network Internal Netwo...

Page 396: ...y address for this static route Depending on the specifics of this type of topology interface or system failures could lead to partial losses of connectivity For example if the internal cluster interface eth s1p1 of firewall A fails internal devices connected to the cluster to through switch 1 could lose their connection to the Firewall A Firewall B Switch 1 Switch 2 Internet DMZ eth s1p1 Cluster ...

Page 397: ...Voyager Reference Guide 399 cluster To avoid this possibility you could create a fully redundant topology similar the one shown in the following diagram ...

Page 398: ...0 Voyager Reference Guide Firewall A Firewall B Switch Switch DMZ Primary Cluster Protocol Network Secondary Cluster Protocol Network Switch Switch External Router Internal Router Internal Router Internal Network External Router Internet ...

Page 399: ... tools A queue class is used to implement an output scheduling discipline to prioritize traffic Logically the ACLs and the AGCs are placed inline to the forwarding path You can configure ACLs and AGCs to process all incoming traffic from one or more interfaces or to process all outgoing traffic from one or more interfaces IPSO supports ACLs for both IPv4 and IPv6 traffic Packet Filtering Descripti...

Page 400: ...rs You should associate the AGC with the shaping rule s of the ACL Traffic Queuing Description Traffic that is classified by an Access Control List ACL rule can be given preferential treatment according to RFC 2598 Higher priority traffic must be policed to prevent starvation of lower priority service traffic Traffic that conforms to the configured policing rate is marked with the Differentiated S...

Page 401: ...ntrol List to an Interface The Bypass option denotes that the entire packet stream flowing out of the selected interfaces should not be classified policied or marked Instead the output queue scheduler should use the supplied IP TOS as an output queue lookup Use the Bypass option to circumvent the classifier and policer for selected interfaces 1 Click CONFIG on the home page 2 IPSO supports both th...

Page 402: ...Y The Access Control List name disappears from the Access List Configuration page 4 To make your changes permanent click SAVE Applying an Access Control List to an Interface 1 Click CONFIG on the home page 2 IPSO supports both the IPv4 and IPv6 protocols a For IPv4 ACLs click the Access List Configuration link under the TRAFFIC MANAGEMENT section b For IPv6 ACLs click the IPv6 link This takes you ...

Page 403: ...ule whose action is set to prioritize is equivalent to setting the action to skip The new interface appears in the SELECTED INTERFACES section Note Only the default rule appears in the Access Control List until you create your own rule 6 To make your changes permanent click SAVE Removing an Access Control List from an Interface 1 Click CONFIG on the home page 2 IPSO supports both the IPv4 and IPv6...

Page 404: ...s separated into packet streams by the Access Control List The content and ordering of the rules is critical As packets are passed to an ACL the packet headers are compared against data in the rule in a top down fashion When a match is found the action associated with that rule is taken with no further scanning done for that packet The following actions can be associated with a rule that is config...

Page 405: ...fier QueueSpec Note The DSfield and QueueSpec field are used to mark and select the priority level Masks can be applied to most of these properties to allow wildcarding The source and destination port properties can be edited only when the IP protocol is UDP TCP or the keyword any All of these properties are used to match traffic The packets that match a rule whose action is set to prioritize are ...

Page 406: ...t 4 Click the ADD NEW RULE BEFORE check box Click APPLY This rule appears above the default rule After you create more rules you can add rules before other rules If you have four rules rules 1 2 3 and 4 you can place a new rule between rules 2 and 3 by checking the ADD RULE BEFORE check box on rule 3 To make your changes permanent click SAVE Modifying a Rule 1 Click CONFIG on the home page 2 IPSO ...

Page 407: ...rt Range only if the selected protocol is either any 6 TCP 17 or UDP Destination Port Range Note You can specify the Destination Port Range only if the selected protocol is either any 6 TCP 17 or UDP Protocol TCP Establishment flag When it is selected traffic matches this rule when it is part of the initial TCP handshake This option applies only to IPv4 ACLs Note You can specify the TCP Establishm...

Page 408: ...d only when the rule s action is set to prioritize To modify the Aggregation Class go to Associating an Aggregation Class with a Rule 4 Modify the values in one or more of the edit boxes or drop down window or de select a radio button Click APPLY 5 To make your changes permanent Click SAVE Deleting a Rule 1 Click CONFIG on the home page 2 IPSO supports both the IPv4 and IPv6 protocols a For IPv4 A...

Page 409: ...put You can configure an Aggregation Class with two parameters meanrate and burstsize The meanrate is the rate in kilobits per second kbps to which the traffic rate should be coerced when measured over a long interval The burstsize is the maximum number of bytes that can be transmitted over a short interval When you initially create an AGC a burst of traffic is conformant regardless of how quickly...

Page 410: ... Enter the burstsize in the BURSTSIZE BYTES edit box 6 Click APPLY The aggregation class you have just created appears in the EXISTING AGGREGATION CLASSES section 7 To make your changes permanent click SAVE Deleting an Aggregation Class 1 Click CONFIG on the home page 2 You can reach the Aggregation Class Configuration page in two ways Either click the Aggregation Class Configuration link under th...

Page 411: ...ppropriate Access Control List in the ACL NAME field This takes you to the page for that Access Control List 4 Select SHAPE or PRIORITIZE from the ACTION drop down window Click APPLY 5 Select an existing aggregation class from the AGGREGATION CLASS drop down window Click APPLY Note If there is no aggregation class listed you need to create an aggregation class Go to Creating an Aggregation Class N...

Page 412: ...warding EF and Best Effort BE queues The remaining queues can be assigned any name and QueueSpec you want The table below shows the values that correspond to these queue values When you configure an ACL rule to use the priority action you must configure an Aggregation Class AGC This AGC will function as a policer that is non conforming traffic will be dropped You should configure the AGCs so that ...

Page 413: ... CONFIG on the home page 2 You can reach the Queue Class Configuration page in two ways Either click the Queue Class Configuration link under the TRAFFIC MANAGEMENT section or click the IPv6 link and then click the Queue Class Configuration link under the TRAFFIC MANAGEMENT section 3 To create a new queue class enter its name in the CREATE A NEW QUEUE CLASS edit box The new queue class appears in ...

Page 414: ...TRAFFIC MANAGEMENT section 3 Enter a name for each queue you want to configure in the LOGICAL NAME edit box This name appears on the queue monitoring page 4 To modify an existing queue class in the EXISTING QUEUE CLASSES field click on the name of the queue class you want to edit Note Choose a name with no spaces that will allow you to identify the queue s purpose Note Each queue class can have up...

Page 415: ...an Interface 1 Click CONFIG on the home page 2 You can reach the Queue Class Configuration page in two ways Either click the Queue Class Configuration link under the TRAFFIC MANAGEMENT section or click the IPv6 link and then click the Queue Class Configuration link under the TRAFFIC MANAGEMENT section Click the Queue Class Configuration link under the TRAFFIC MANAGEMENT section 3 To associate a qu...

Page 416: ...r network applications with different requirements Unspecified Bit Rate UBR service does not make any traffic related guarantees It does not make any commitment regarding cell loss rate or cell transfer delay Constant Bit Rate CBR service provides continuously available bandwidth with guaranteed QoS The implementation supports CBR channels through a mechanism on an ATM network interface card NIC t...

Page 417: ...osed by the network Note The default ATM QoS Descriptor is set to unspecified bit rate this descriptor cannot be modified 4 Enter a value for the maximum cell rate to be used in the output direction on a CBR channel in the PEAK CELL RATE edit box The Peak Cell Rate is rounded down to a multiple of 64 kilobits sec One cell per second corresponds to 424 bits sec Note You can configure no more than 1...

Page 418: ...ptor disappears from the EXISTING QOS DESCRIPTORS field 6 Click SAVE to make your changes permanent If the ATM QoS Descriptor that you want to delete is associated with an existing PVC complete the steps below 1 Click CONFIG on the home page 2 Click Interfaces link 3 Click the appropriate ATM interface link in the PHYSICAL field 4 You are now in the physical interface page for the interface you se...

Page 419: ...in the physical interface page for the interface you selected Click the ATM QoS Configuration link You are now in the ATM QoS Configuration page for the physical interface you selected In the CONFIGURE A NEW PVC field enter the virtual path identifier virtual channel identifier VPI VCI of the permanent virtual channel PVC you want to configure in the VPI VCI edit box 5 In the CONFIGURE A NEW PVC f...

Page 420: ...to make your changes permanent Configuring Common Open Policy Server Common Open Policy Server Description The Common Open Policy Server COPS provides a standard for exchanging policy information in order to support dynamic Quality of Service QoS in an IP Internet Protocol network This information is exchanged between PDPs Policy Decision Points and PEPs Policy Enforcement Points The PDPs are netw...

Page 421: ...ction enter the name of the new client ID in the CREATE A NEW CLIENT ID edit box Click APPLY To view the new client ID click on the CLIENT ID drop down window The name of the new COPS client appears in a Client ID list in the COPS SECURITY CONFIGURATION section Note You can configure multiple client IDs Only one client ID can be active at a time 5 To configure a COPS client click on the CLIENT ID ...

Page 422: ...he COPS Security Configuration page for that client 5 In the SEQUENCE NUMBER edit box enter a value between 1 and 2147483647 to define the sequence number used for the COPS protocol Click APPLY 6 In the KEY ID field enter a value between 1 and 2147483647 in the SEND edit box to define the send key ID used for the COPS protocol 7 In the KEY field enter a string value of up to 64 characters in the e...

Page 423: ...t just to a single object 1 Click either CONFIG on the Voyager home page or the Traffic Management link on the home page 2 Click the COPS link in the Traffic Management section 3 In the INTERFACE ROLE COMBINATIONS section enter the name for a role in the edit box next to the appropriate logical interface name The role name can be up to 31 characters long Use alphanumeric characters the period hyph...

Page 424: ...nfiguration This configuration remains available if you reactivate the COPS client 1 Click either CONFIG on the Voyager home page or the Traffic Management link on the home page 2 Click the COPS link in the Traffic Management section 3 Click the STOP button in the COPS CLIENT field Click APPLY 4 Click SAVE to make your change permanent Changing the Client ID Associated with Specific Diffserv Confi...

Page 425: ...G on the Voyager home page or the Traffic Management link on the home page 2 Click the COPS link in the Traffic Management section 3 Click the Diffserv PIB link in the CONFIGURED COPS MODULE section This action takes you to the COPS Diffserv specific configuration page 4 Click the CLIENT ID drop down window in the DIFFSERV PIB SPECIFIC CONFIGURATION section and select either another existing clien...

Page 426: ...r the TRAFFIC MANAGEMENT section 3 To create the Access Control List enter its name in the CREATE A NEW ACCESS LIST edit box 4 Click APPLY 5 Click the ADD RULE BEFORE check box next to the last rule 6 Click APPLY 7 Enter tcp in the PROTOCOL edit box and enter 20 in both the SOURCE or DESTINATION PORT RANGE edit box 8 Click APPLY 9 Select SHAPE from the ACTION drop down window 10 Click APPLY Second...

Page 427: ...wn window 3 Click APPLY 4 Select ETH S2P1C0 from the ADD INTERFACES drop down window and select OUTPUT from the DIRECTION drop down window 5 Click APPLY 6 Click SAVE to make your changes permanent Example Expedited Forwarding This example illustrates the combined use of the Access Control List Traffic Conditioning and Queuing features This example demonstrates how to improve the response time to T...

Page 428: ...ts link under the SYSTEM CONFIGURATION section c Enter pre QoS in the SAVE CURRENT STATE TO NEW CONFIGURATION DATABASE edit box d Click APPLY and then click SAVE to make your change permanent 2 Create an Aggregation Class a Click CONFIG on the home page b Click on the Aggregation Class Configuration link under the TRAFFIC MANAGEMENT section c Enter wan_1_ef in the NAME edit box in the CREATE A NEW...

Page 429: ...rding queue is 6 4 Associate the wan_1_ef queue class with the appropriate interface a Click CONFIG on the home page b Click the Interfaces link c Click on SER S3P1 in the PHYSICAL column d In the QUEUE CONFIGURATION field select MAX THROUGHPUT from the QUEUE MODE drop down window e Click APPLY f In the QUEUE CONFIGURATION field select WAN_1_EF from the QUEUE CLASS drop down window g Click APPLY h...

Page 430: ...rom the ACTION drop down window and then click APPLY k Select WAN_1_EF from the AGGREGATION CLASS drop down window and then click APPLY l For Nokia Platform A enter 23 in the DESTINATION PORT RANGE edit box and for Nokia Platform B enter 23 in the SOURCE PORT RANGE edit box Note The telnet port number is 23 m Enter tcp in the Protocol edit box enter 0xB8 in the DSFIELD edit box and enter 6 in the ...

Page 431: ...sion to generate traffic and then check each Nokia Platform s interface statistics a Click CONFIG on the home page b Click on the Interfaces link c Click on the link for SER S3P1 in the PHYSICAL column d Click on the Interface Statistics link e Examine the statistics for input and output traffic and compare them to the statistics for Expedited Forwarding traffic 4 Start an ftp session to create he...

Page 432: ... a bridge The interfaces then forward traffic using layer 2 addressing Nokia s transparent mode supports only Ethernet 10 100 1000 Mbps For more information on configuring Ethernet see Configuring an Ethernet Interface Note Transparent mode support will not provide full fledged bridging functionality such as loop detection or spanning tree Note You cannot use transparent mode on a system that part...

Page 433: ...up on the same platform the groups must be visible to each other on the routing layer Layer 3 If you need routing then at least one interface in each group should have an IP address Receive Processing When a logical interface is configured for the transparent mode transparent mode address resolution protocols ARP and IP receive handlers replace the common ARP and IP receive handlers This enables t...

Page 434: ...irewall consists of ingress and egress processing This applies only to IP packets ARP packets are never delivered to the firewall Egress processing occurs when a packet returns from the firewall s ingress filtering the packet is delivered to the firewall again for egress filtering The packet is delivered with the interface index of the egress interface If it is a link multicast packet a copy of th...

Page 435: ...figuring of the VRRP virtual address As a VRRP master the node will perform transparent mode operations as previously described As a VRRP standby it will drop all packets except those with local destinations For more information on how to configure VRRP see VRRP Description Note Transport Mode Support is not supported in a cluster environment For more information on cluster configuration see Confi...

Page 436: ... done because addresses cannot be learned dynamically behind a firewall In the above example the network administrator of Network A wants Network B to have access to certain addresses behind the Nokia Platform with Network A Network B Internet Switch Switch 00327 Nokia Platform with Firewall X Y Z Firewall B Group M ISP ...

Page 437: ...ork B Encrypt The network administrator on Network B would also create a rule for encrypted traffic through Firewall B Note For information on how to create groups objects and rules on the firewall see your Check Point documentation that was included with your Nokia IPSO software package Example of Transparent Mode Functionality The following illustration shows a network connected to an internet s...

Page 438: ... to obtain new IP addresses or reconfigure addresses on the LAN Packet traffic continues to run at Layer 2 rather than at Layer 3 with a conventional firewall solution Example of Transparent Mode Configuration The following example illustrates a basic transparent mode configuration LAN Internet ISP Switch Switch 1 5 3 2 24 1 5 3 3 24 1 5 4 0 24 00294 LAN Internet ISP Switch Switch 1 5 3 2 24 1 5 3...

Page 439: ...e to associate with the transparent mode group In this case you would select the logical interfaces associated with IP address 1 5 3 3 24 Note A transparent mode group is disabled by default For that reason do not associate interfaces to a transparent mode group which are in use If you do you will lose connectivity to those interfaces Note An interface can be in at most one group Once you have ass...

Page 440: ...ou create a transparent mode group by first creating the group then adding the interfaces to the group See Adding an Interface to a Transparent Mode Group By default a transparent mode group stays disabled unless explicitly enabled In the disabled mode the transparent mode group will drop all packets received on or destined to the interfaces in that group See Enabling a Transparent Mode Group To c...

Page 441: ...ake your changes permanent Adding an Interface to a Transparent Mode Group This procedure describes how to add an interface to a transparent mode group Note When you make changes to a transparent mode group you must stop and restart the firewall 1 Click CONFIG on the home page 2 Click Transparent Mode in the Interface section 3 Click the link of the transparent mode group to which you would like t...

Page 442: ...ptional Repeat steps 4 and 5 if you would like to add other interfaces to the transparent mode group 7 Click SAVE to make your changes permanent Deleting an Interface from a Transparent Mode Group This procedure describes how to delete an interface from a transparent mode group Note When you make changes to a transparent mode group you must stop and restart the firewall 1 Click CONFIG on the home ...

Page 443: ...t enable the transparent mode group to start the operation of the group This procedure describes how to enable a transport mode group Note A transparent mode group must have at least one interface associated with it for you to enable the group 1 Click CONFIG on the home page 2 Click Transparent Mode in the Interface section 3 Click The YES radio button in the Enable column associated with the tran...

Page 444: ...tions as described in the section Transparent Mode Description As a VRRP standby it will drop all packets except those with local destinations For more information on configuring VRRP see VRRP Description Note Transparent Mode supports VRRP only with hubs or switches that support port mirroring This procedure describes how to enable VRRP for a transparent mode group 1 Click CONFIG on the home page...

Page 445: ...ransparent mode group to which you would like to disable VRRP 4 Click the NO radio button in the VRRP ENABLED table 5 Click APPLY 6 Click SAVE to make your changes permanent For more information on configuring VRRP see VRRP Description Monitoring Transparent Mode Groups This procedure describes how to monitor transparent mode groups 1 Click MONITOR on the home page 2 Click Transparent Mode Monitor...

Page 446: ...7 Configuring Traffic Management 448 Voyager Reference Guide ...

Page 447: ...lper IP Broadcast Helper Description Configuring IP Helper Services Enabling Forward Nonlocal Disabling IP Helper Services Router Discovery Router Discovery Overview Enabling Router Discovery Services Disabling Router Discovery Services VRRP Virtual Router Redundancy Protocol VRRP Description Configuring VRRP Rules for Check Point NG Sample Configurations Creating a Virtual Router for an Interface...

Page 448: ...uration Deleting Existing Monitored Circuit Configurations Simplified Configuration Deleting a Virtual Router in Monitored Circuit Mode Simplified Configuration Changing the Priority of a Virtual Router in Monitored Circuit Mode Simplified Configuration Changing the Hello Interval of a Virtual Router in Monitored Circuit Mode Simplified Configuration Changing the Priority Delta of All Backup Addre...

Page 449: ...l take its place It provides load balancing by allowing different servers to be configured for different interfaces instead of requiring all interfaces to be loaded from a single configuration server It allows more centralized management of the bootstrap loading of clients This becomes more important as the network becomes larger IPSO s implementation of Bootp Relay is compliant with RFC 951 RFC 1...

Page 450: ...enter an IP address in the PRIMARY IP edit box all Bootp requests received on the interface will be stamped with this gateway address This can be useful on interfaces with multiple IP addresses aliases Enabling Bootp Relay on an Interface 1 Click CONFIG on the home page 2 Click the Bootp Relay link in the Router Services section 3 Locate the interface on which you want to enable Bootp 4 Click the ...

Page 451: ...ed 4 Click the OFF radio button for the interface you want to disable 5 Click APPLY to disable the interface When you click the OFF button then the APPLY button the Bootp relay parameters no longer appear When you click the ON button in the BOOTP DHCP RELAY INTERFACES field then the APPLY button the Bootp relay parameters will appear again To make your changes permanent click SAVE IP Broadcast Hel...

Page 452: ...acket this is needed for the server to identify the network where the packet originated Note See RFC1542 section 4 for further information Configuring IP Helper Services 1 Click CONFIG on the home page 2 Click the IP Broadcast Helper link in the Router Services section 3 Click the ON radio button for each interface you want to support IP Helper service Click APPLY 4 Optional If you want to add a n...

Page 453: ...s that packets be generated by a source directly on the receiving interface to be eligible for relay 5 To disable the Forward Nonlocal feature if you have enabled it click the DISABLED radio button in the FORWARD NONLOCAL field 6 Click APPLY and then click SAVE to make your change permanent Disabling IP Helper Services 1 Click CONFIG on the home page 2 Click the IP Broadcast Helper link in the Rou...

Page 454: ...iscovery Server The Router Discovery Server runs on routers and announces their existence to hosts It does this by periodically multicasting or broadcasting a router advertisement to each interface on which it is enabled These advertisements contain a list of all the router addresses on a given interface and their preference for use as a default router Initially these router advertisements occur e...

Page 455: ...Discovery link in the Router Services section 3 Click the ON radio button for each interface you want to support router discovery service Click APPLY 4 Optional Enter the minimum advertisement interval for each enabled interface in the MINIMUM ADVERTISEMENT INTERVAL edit box Range Between 3 seconds and the value in the Maximum advertisement interval field Default 0 75 times the value in the Maximu...

Page 456: ...net You can also make an IP address ineligible as a default router address Click the INELIGIBLE radio button to remove an IP address as a possible default router address The default is ELIGIBLE Enter a value to indicate the level of preference for the IP address as a default router address in the edit box below the ELIGIBLE radio button The default is 0 Click APPLY Note This option applies to each...

Page 457: ...ult path without requiring configuration of dynamic routing or router discovery protocols on every end host Virtual Routers To back up a default router using VRRP a Virtual Router must be created for it A Virtual Router consists of a unique Virtual Router ID VRID and the default router s IP address es on the shared LAN The Virtual Router is created on the default router by specifying the router s ...

Page 458: ... reclaim responsibility for forwarding traffic sent to its own addresses But the failed router would assume responsibility for traffic sent to virtual addresses that are not its real interface addresses only if its priority is higher than the priority of the current master You specify priority when configuring a router to back up another Note The range of priority values you can specify is 1 254 W...

Page 459: ...ot authenticated This method should be used only in environments where there is minimal security risk and little chance for configuration errors e g two VRRP routers on a LAN Simple Text Password This authentication type means that VRRP protocol exchanges are authenticated by a simple clear text password This method is useful to protect against accidental misconfiguration of routers on a LAN It al...

Page 460: ... priority update based on interface status the virtual router forwarding responsibility can be made to gracefully failover due to interface failure on the master router In order to utilize the monitored circuit feature you must select a virtual router address that does not match an interface address or any IP address allocated to a host The ICMP redirect messages must be disabled as well You can s...

Page 461: ...he example below the gateway cluster object is designated fwcluster object Where cluster all ips is the Workstation object you created with all ips fwcluster object is the Gateway Cluster object mcast 224 0 0 18 is a Workstation object with the IP Address 224 0 0 18 and of the type Host Configuration Rules for Check Point NG FP2 and Later You can use either of the following methods to configure th...

Page 462: ... Simple Group object containing the firewall objects vrrp_ip_1 vrrp_ip_2 and vrrp_ip_3 are Node objects of type Host created for each internal and external VRRP IP address supported by the firewalls mcast 224 0 0 18 is a Node Host object with the IP address 224 0 0 18 Configuring Rules if You Are Using OSPF or DVMRP All of the solutions above are applicable for any multicast destination Source Des...

Page 463: ...each multicast destination IP address Alternatively you can create a Network object to represent all multicast network IP destinations using the following values Name MCAST NET IP 224 0 0 0 Netmask 240 0 0 0 Then you can use one rule for all multicast protocols you are willing to accept as shown below Source Destination Service Action cluster all ips fwcluster object MCAST NET vrrp igmp ospf dvmrp...

Page 464: ...tual Router 1 VRID 1 and the router on the right is the backup for Virtual Router 1 If the router on the left should fail the other router will take over Virtual Router 1 and its IP addresses and provide uninterrupted service for the hosts Note that in this example IP B is not backed up by the router on the left IP B is only used by the router on the right as its interface address In order to back...

Page 465: ...and its IP addresses In this example the router on the right will take over Virtual Router 1 as it has the higher priority If it should also fail at some later time the center router will take over Virtual Router 1 Default router service to the hosts is uninterrupted throughout Note that in this example IP B and IP C are not backed up by Virtual Router 1 These addresses are only used by the router...

Page 466: ... VRID 1 and the router on the right has its address configured as Virtual Router 2 Each router is also configured as a backup router of the other If either router should fail the other router will take over its virtual router and IP addresses and provide uninterrupted service to both default IP addresses for the hosts This has the effect of load balancing the outgoing traffic while also providing ...

Page 467: ...er a number for the VRID in the OWN VRID edit box Click APPLY Note This value is used by other routers on the LAN to back up this router s addresses It must not be used by any other routers on the LAN to configure VRRP for their own addresses 6 Optional Enter a number in the HELLO INTERVAL edit box Click APPLY 7 Click the NONE or SIMPLE radio button to select the authentication method to be used b...

Page 468: ... is still active with that IP address To configure the master router go to Creating a Virtual Router for an Interface s Addresses in VRRPv2 You can configure virtual routers to back up the addresses of other routers on a shared media network 1 Click CONFIG on the home page 2 Click the VRRP link in the Router Services section 3 Click the Advanced VRRP Configuration link 4 Click the VRRPV2 radio but...

Page 469: ... APPLY Note The IP address is the address of the default router this system will back up It must be in the same IP subnet as one of the addresses on this interface 9 Optional If the router you are backing up has more than one IP address repeat step 7 10 Optional Click the NONE or SIMPLE radio button to select the authentication method used by VRRP on this LAN Click APPLY Note The authentication ty...

Page 470: ...es section 3 Click the Advanced VRRP Configuration link 4 Enter a value in seconds in the COLDSTART DELAY edit box You can enter up to 3600 5 To disable Coldstart Delay enter 0 in the COLDSTART DELAY edit box This value is also the default 6 Click APPLY and then click SAVE to make your changes permanent Enabling Accept Connections to VRRP IPs This feature allows you to accept and respond to IP pac...

Page 471: ...lculates three bytes of the interface hardware MAC address to extend its range of uniqueness 1 Click CONFIG on the home page 2 Click the VRRP link in the Router Services section 3 Click the Advanced VRRP Configuration link 4 You can set the VMAC option for an interface on which you enable VRRP or Monitored Circuit a To enable VRRP click the VRRPV2 radio button next to the interface for which you w...

Page 472: ...rface s network 5 To set a VMAC address click the VMAC MODE drop down window and select either INTERFACE STATIC or EXTENDED VRRP is the default If you select STATIC you must enter the VMAC address that you want to use in the STATIC VMAC edit box Click APPLY and then click SAVE to make your changes permanent Note If you set the vmac mode to interface or static you will get syslog error messages whe...

Page 473: ... want to remove You can locate virtual router information by using the VRID value displayed in the ROUTER WITH VRID field a To locate a virtual router used to back up an interface s addresses find the matching VRID displayed in the OWN VRID field b To locate a virtual router used to back up another router s addresses find the matching VRID displayed in the ROUTER WITH VRID field 5 Click the OFF ra...

Page 474: ...ID field 5 To remove an IP address from the list click the OFF radio button that corresponds to the address Click APPLY 6 To add an IP address to the list enter the IP address in the BACK UP ADDRESS edit box Click APPLY Note The IP address is the address of the default router this system will back up It must be in the same IP subnet as one of the addresses on this interface To make your changes pe...

Page 475: ...outer The higher the number the higher the preference To make your changes permanent click SAVE Changing the Hello Interval of a Virtual Router in VRRPv2 1 Click CONFIG on the home page 2 Click the VRRP link in the Router Services section 3 Click the Advanced VRRP Configuration link 4 Locate the interface and virtual router with the hello interval you want to change a To locate a virtual router us...

Page 476: ...The value in this field must be the same for all routers running VRRP on this interface s LAN 6 If you selected SIMPLE enter the authentication password string in the PASSWORD edit box Click APPLY The value in this field must be the same for all routers running VRRP on this interface s LAN To make your changes permanent click SAVE Creating a Virtual Router in Monitored Circuit Mode Simplified Conf...

Page 477: ...o use the Lagacy Configuration method you must delete the existing monitored circuit configurations and then create new monitored circuit virtual routers with the Legacy Configuration For more information see Creating a Virtual Router in Monitored Circuit Mode Legacy Configuration 1 Click CONFIG on the home page 2 Click the VRRP link in the Router Services section 3 Enter the virtual router identi...

Page 478: ...ed starting with the base priority and subtracting the priority delta for each DOWN monitored interface This effective priority is the value actually used in the VRRP master election for the virtual router Because of the way effective priority is calculated the value of delta priority cannot exceed the value of Priority divided by the number of Backup Addresses configured for the virtual router If...

Page 479: ...nitored Circuit Mode Simplified Configuration 1 Click CONFIG on the home page 2 Click the VRRP link in the Router Services section 3 Locate the virtual router information using the VRID column Click the check box in the Delete column Click Apply To make your changes permanent click SAVE Changing the Priority of a Virtual Router in Monitored Circuit Mode Simplified Configuration The priority determ...

Page 480: ...er with the hello interval you want to change 4 Change the number in the HELLO INTERVAL edit box for the matching VRID Click APPLY The hello interval should be the same value on all systems with this virtual router configured To make your changes permanent click SAVE Changing the Priority Delta of All Backup Addresses in Monitored Circuit Mode Simplified Configuration 1 Click CONFIG on the home pa...

Page 481: ...s of the other routers change 1 Click CONFIG on the home page 2 Click the VRRP link in the Router Services section 3 Locate the backup address and virtual router with the IP address you want to change You can locate the virtual router information using the VRID column 4 To remove a backup address from the list click the Delete check box that corresponds to the address Click APPLY 5 To add an IP ad...

Page 482: ...cation method used by VRRP on this interface s LAN Click APPLY The value in this field must be the same for all routers running VRRP on this interface s LAN 5 If you selected SIMPLE enter the authentication password string in the PASSWORD edit box Click APPLY The value in this field must be the same for all routers running VRRP on this interface s LAN To make your changes permanent click SAVE Crea...

Page 483: ...ce of this router relative to the other routers configured to back up the virtual router The higher the number the higher the preference 8 Optional Enter a number in the HELLO INTERVAL edit box Click APPLY 9 Select the interface that you want to monitor from the MONITOR INTERFACE drop down window Click APPLY 10 Enter a number in the PRIORITY DELTA edit box Click APPLY Note You must select the inte...

Page 484: ...d statistics on all interfaces You can also view these statistics in ICLID Execute the following commands using ICLID For more information on these commands go to Displaying Routing Protocol Information show vrrp show vrrp interface show vrrp stat NTP NTP Description NTP is a protocol that allows you to synchronize to UTC time by querying a server with an accurate clock This is ideal for distribut...

Page 485: ...configured as a source of time information In this mode it is recommended that you keep the stratum value at its default 1 The stratum value tells how far away the NTP reference clock is from a valid time source Note The time server begins to provide time information 5 minutes after it is configured Features Setting the time manually Running NTP daemon in client mode using a specified set There sh...

Page 486: ...in the ADD NEW SERVER ADDRESS edit box Click APPLY The new server s IP address will now appear in the NTP SERVERS field By default this new server is enabled v3 is selected and the PREFER YES radio button is selected As you add other servers you may prefer them over the initial server you configured Note It is recommended that you use the default setting of v3 5 To add another new server repeat st...

Page 487: ...configured Note It is recommended that you use the default setting of v3 9 To add another new peer repeat step 8 The new peer s IP address will appear in the NTP PEERS field By default this new peer is enabled v3 is selected and the PREFER NO radio button is selected If you wish to prefer this peer over other peers click the PREFER YES radio button Click APPLY 10 To delete a peer click the corresp...

Page 488: ...8 Configuring Router Services 490 Voyager Reference Guide To make your changes permanent click SAVE ...

Page 489: ...ing Introduction to Disk Mirroring RAID Level 1 Creating a Mirror Set Deleting a Mirror Set Mail Relay Mail Relay Description Configuring Mail Relay Sending Mail System Failure Notification Setting System Failure Notification Time and Date Procedures Setting the System Time Static Host Procedures Adding a Static Host Deleting a Static Host System Logging System Logging ...

Page 490: ...a Configuration Set Deleting a Configuration Set Backing Up and Restoring Files Description of Creating Backup Files Creating a Backup File Manually Creating a Regularly Scheduled Backup File Transferring Backup Files to a Remote Server Restoring Files from Locally Stored Backup Files Restoring Files from Backup Files Stored on a Remote Server Deleting Locally Stored Backup Files Scheduling Jobs T...

Page 491: ...Click CONFIG on the home page 2 Click the DNS link in the System Configuration section 3 Enter the new domain name in the DOMAIN NAME edit box 4 Enter the IP address of the primary DNS in the PRIMARY NAME SERVER edit box then click APPLY 5 Optional Enter the IP address of the secondary DNS in the SECONDARY NAME SERVER edit box then click APPLY 6 Optional Enter the IP address of the tertiary DNS in...

Page 492: ...e hard disk drives are synchronized source hard disk drive is fully copied to the mirror hard disk drive all new data written to your source hard disk drive is also written to your mirror hard disk drive If your source hard disk drive fails your mirror hard disk drive will automatically replace your source hard disk drive without interrupting service on your appliance The source and mirror hard di...

Page 493: ...hich hard disk drive is the source and which hard disk drive is the mirror and that mirror syncing is in progress Note The sync percent value in the Mirror Set table indicates the percentage of sync zones that have been copied from the source disk to the mirror disk A sync zone is equivalent to contiguous disk sectors When all sync zones are copied to the mirror disk the sync percent value will re...

Page 494: ... sends the mail to the final recipient Mail relay can be used as an alerting mechanism when a Check Point FireWall 1 rule has been triggered It also can be used to e mail the system administrator the results of cron jobs Features Supported Presence of a mail client or Mail User Agent MUA that can be used interactively or from a script Presence of a sendmail like replacement that relays mail to a m...

Page 495: ...ername on the mail server to which mail addressed to admin or monitor is sent in the REMOTE USER edit box then click APPLY To make your changes permanent click SAVE Sending Mail This procedure describes how to send mail from the firewall 1 Log into the firewall using either your admin or monitor account 2 At the prompt type the mail command followed by a space and the username of the recipient mai...

Page 496: ...fication link in the System Configuration section 3 Click the ON radio button next to ENABLE FAILURE NOTIFICATION 4 Click APPLY 5 Enter the e mail address of the people who want to be notified in the event of a system failure and then click APPLY Examples of a system failure include crashing daemons snmpd ipsrd ifm xpand and a system reboot due to a fatal error In a system failure notification the...

Page 497: ...second s in the SECOND edit box the month in the MONTH edit box the day in the DAY edit box and the year in the YEAR edit box and then click APPLY To make your change permanent click SAVE Static Host Procedures Adding a Static Host This procedure describes how to add a static host entry 1 Click CONFIG on the home page 2 Click the Host Address Assignment link in the System Configuration section 3 E...

Page 498: ...ing This procedure describes how to set the system to accept unfiltered syslog messages from a remote machine 1 Click CONFIG on the home page 2 Click the System Logging link in the System Configuration section 3 Click the YES radio button to accept syslog messages To make your changes permanent click SAVE Remote System Logging This procedure describes how to send a syslog message to a remote machi...

Page 499: ...ne severity level Click APPLY The name of each severity level appears in LOG AT OR ABOVE SEVERITY field 5 To disable any of the severity levels click the NO radio button next to the name of the severity level you want to delete Click APPLY 6 To make your changes permanent click SAVE Setting the System Configuration Auditlog Use this feature to set the system to log transient and permanent configur...

Page 500: ...s the name of the file to which syslog messages for this feature are sent The default is var log messages To change the file enter the new file name in the DESTINATION LOG FILENAME edit box Note You must enter a destination file name to view log messages in the Management Activity Log The default destination file logs messages in the standard system log file To access the Management Activity Log p...

Page 501: ...boot button 1 Click CONFIG on the home page 2 Click the System Logging link in the System Configuration section 3 In the VOYAGER AUDITLOG field click the ENABLED button to have the system log all Apply and Save actions to Voyager 4 Click APPLY and then click SAVE to make your change permanent Note The Voyager AuditLog feature does not record any operations performed using the command line interfac...

Page 502: ...Apply and Save actions to Voyager 4 Click APPLY and then click SAVE to make your change permanent Hostname Procedure Changing the Hostname This procedure describes how to change the hostname system name of the firewall 1 Click CONFIG on the home page 2 Click the Change Hostname link in the System Configuration section 3 Enter the new hostname in the CHANGE IT TO field then click APPLY To make your...

Page 503: ...URATION DATABASE 4 Click APPLY The current configuration is saved in the new file and the file will appear in the list of database files on this page Subsequent configuration changes will be saved in the new file Creating a Factory Default Configuration Set This procedure describes how to create a new configuration database file that does not contain user configuration information 1 Click CONFIG o...

Page 504: ...figuration Set This procedure describes how to switch a currently active database 1 Click CONFIG on the home page 2 Click the Manage Configuration Sets link in the System Configuration section 3 Click the radio button in front of the database you want to use then click APPLY To make your changes permanent click SAVE Deleting a Configuration Set This procedure describes how to delete unwanted confi...

Page 505: ... can also choose to back up the home directories which are stored in the var admin and var monitor directories and the log files which are stored in the var logs directory Creating a Backup File Manually 1 Click CONFIG on the home page 2 Click the Configuration Backup and Restore link in the System Configuration section 3 In the MANUAL BACKUP field enter a file name for your backup file in the BAC...

Page 506: ...Y drop down window and select DAILY WEEKLY or MONTHLY to configure how often to perform a regular backup 4 Optional If you selected MONTHLY in the FREQUENCY drop down window click the DATE drop down window and select the date on which to schedule the monthly backup 5 Optional If you selected WEEKLY in the FREQUENCY drop down window click the DAY drop down window and select the day on which to sche...

Page 507: ...fields Note Nokia recommends that you back up GPLC config files 12 Click APPLY 13 To make your changes permanent click SAVE Transferring Backup Files to a Remote Server 1 Click CONFIG on the home page 2 Click the Configuration Backup and Restore link in the System Configuration section 3 In the REMOTE TRANSFER ARCHIVE FILE field enter the IP address of the FTP server in the FTP SITE edit box 4 In ...

Page 508: ...ackup file 8 Optional Click the YES button in the BACKUP LOG FILES field to include your log files in the backup file 9 Optional To include package files in your backup file Click the YES button next to the name of each package you want to back up in the BACKUP OPT field 10 Click either the MANUAL BACKUP FILE drop down window or the SCHEDULED BACKUP FILE drop down window to select the backup files...

Page 509: ...es as those of the backup file s from which you restore file s Warning Make sure that you have enough disk space available on your Nokia appliance before restoring files If you try to restore files and you do not have enough disk space you risk damaging the operating system 3 In the RESTORE FROM LOCAL field click either the Manual backup file drop down window or the Scheduled backup file window to...

Page 510: ...tem from backup files stored on a remote server You must first create backup files and then transfer the files to a remote server See Creating a Backup File Manually or Creating a Regularly Scheduled Backup File To store backup files on a remote server see Transferring Backup Files to a Remote Server 1 Click CONFIG on the home page 2 Click the Backup and Restore Configuration link in the System Co...

Page 511: ...RESTORE FROM REMOTE field enter the user name for connecting to the FTP server in the FTP USER edit box 6 In the RESTORE FROM REMOTE field enter the password for connecting to the FTP server in the FTP PASSWORD edit box 7 Click APPLY 8 A list of available files in the directory you specify appears Select the backup files you want to restore 9 Click APPLY and then click SAVE to make your changes pe...

Page 512: ...to execute in the JOB NAME edit box Use alphanumeric characters only and do not include spaces 4 Enter the name of the command you want the cron daemon to execute in the COMMAND name edit box The command can be any Unix command 5 To configure how often to execute the job click the REPEAT drop down window and select DAILY WEEKLY or MONTHLY Click APPLY 6 To configure the Timezone click the TIMEZONE ...

Page 513: ...peat steps 1 through 10 to add new scheduled jobs Deleting Scheduled Jobs 1 Click CONFIG on the home page 2 Click the Job Scheduler link in the SYSTEM CONFIGURATION section 3 In the SCHEDULED JOBS table click the DELETE button next to the name of each job you want to delete 4 Click APPLY and then click SAVE to make your changes permanent Managing IPSO Images TBD Add information about how Cluster V...

Page 514: ...adio button in front of the image you want to select 4 Click the TEST BOOT button activate the new image The system takes a few minutes to reboot Note The test image will run for five minutes and then revert to the original image if you do not complete this procedure 5 Click TOP 6 Click the Manage IPSO Images link in the System Configuration section 7 Optional Click the COMMIT TESTBOOT radio butto...

Page 515: ...o use Voyager to upgrade the IPSO image You can also upgrade the image from the command line See the latest version of IPSO Release Notes which is available on the Nokia customer support site https support nokia com for more information To upgrade the image from Voyager you must first install the image that is on the Nokia CD on an http server ftp server or file server 1 Click CONFIG on the home p...

Page 516: ...r the HTTP realm to which authentication is needed in the ENTER HTTP REALM FOR HTTP URLS ONLY edit box 5 Optional If the server on which the IPSO image is stored requires authentication enter the user name in the ENTER USER NAME edit box 6 Optional If the server on which the IPSO image is stored requires authentication enter the password in ENTER PASSWORD edit box 7 Specify whether you want the in...

Page 517: ...sts the new image for five minutes If you let the five minute test period expire without committing to the new image the system automatically reboots and reverts to the previous image A new page is displayed and you see a message telling you that the system will be rebooted Do not click anything on this page If you did not choose the test boot option the upgrade is complete after the appliance has...

Page 518: ...lick this link the cluster nodes are rebooted in a staggered manner The process is managed so that at least one node is always operational For example if you reboot a two node cluster one node restarts first The second node waits for the first node to restart successfully and rejoin the cluster before it reboots If the first node does not successfully rejoin the cluster the first node does not reb...

Page 519: ...ackage is downloaded to the local IPSO system After the download has completed the package appears in the UNPACK NEW PACKAGES field 9 Select the package in the UNPACK NEW PACKAGES field then click APPLY The package is unpacked into the local file system 10 Click the Click here to install upgrade file name link 11 Optional Click the YES radio button next to Display all packages then click APPLY if ...

Page 520: ...ckage you want to enable then click APPLY 4 Click SAVE Disabling Packages This procedure describes how to disable a package 1 Click CONFIG on the home page 2 Click the Manage Installed Packages link in the System Configuration section 3 Click the OFF radio button in front of the package you want to disable then click APPLY To make your changes permanent click SAVE Deleting Packages This procedure ...

Page 521: ...figuration is subject to the following It is only applicable to TCP It also sets the TCP MSS for packets generated by this system as well as packets it receives If a remote terminating node advertises an MSS higher than the MSS configured on this system this system will send packets that have the segment size configured with this feature For example if you set this value to 512 and a remote system...

Page 522: ...r and a 20 byte IP header which are included in the MTU To set the TCP MSS do the following 1 Click CONFIG on the home page 2 Click the Advanced System Tuning link in the System Configuration section 3 Enter the value you will use for your MSS The range for this value is 512 through 1500 and the default value is 1024 If you enter a value outside of this range an out of range error is generated 4 C...

Page 523: ...rd Procedures Changing Passwords Adding Users Removing a User Configuring S Key Using S Key Disabling S Key Changing the S Key Password Group Procedures Managing Groups Network Access Procedures Voyager Web Access FTP Access Telnet Access CLI Over HTTP CLI Over HTTPs Admin Network Login ...

Page 524: ...Secure Shell SSH Secure Shell Description Configuring SSH Configuring Advanced Secure Shell Server Options Configuring Secure Shell Authorized Keys Changing Secure Shell Key Pairs Managing User RSA and DSA Identities Tunneling HTTP Over SSH Secure Socket Layer SSL SSL Description Enabling SSL Voyager Web Access Generating a Certificate and Private Key Installing a Certificate and Private Key Troub...

Page 525: ...ion in IPSO IPsec Parameters Creating an IPsec Policy Creating an IPsec Tunnel Rule Transport Rule IPsec Tunnel Rule Example IPsec Transport Rule Example Changing the Local Remote Address or Local Remote Endpoint of an IPsec Tunnel Removing an IPsec Tunnel Voyager Session Management Voyager Session Management Description Enabling Voyager Session Management Disabling Voyager Session Management Logg...

Page 526: ...ick CONFIG on the home page 2 Click the Users link in the Security and Access Configuration section 3 In the ADD NEW USER USERNAME edit box enter name eight or fewer characters of the new user you want to add 4 In the ADD NEW USER UID edit box enter the numeric user s ID An admin account allows read write access privileges To create a new user with admin account privileges enter 0 for the Uid The ...

Page 527: ...he home page 2 Click the Users link in the Security and Access Configuration section 3 In the ADD NEW USER field click the OFF radio button next to the user s name to be removed 4 Click APPLY Note When a user is removed the user can no longer log in even though the user s home directory remains on the system If you want to remove the user s directory you must remove it by using the command line To...

Page 528: ...the CURRENT STANDARD password edit box 5 Pick a secret password for S Key that is between four and eight alphanumeric characters long and enter it in the S KEY SECRET PASSWORD edit box 6 Enter the S Key secret password again in the S KEY SECRET PASSWORD VERIFY edit box then click APPLY The sequence number and the seed appear The sequence number begins at 99 and goes backward after every subsequent...

Page 529: ...y calculator on your platform 5 Copy the S Key challenge into the S Key calculator on your local platform 6 Enter the S Key Secret Password The calculator returns the One Time Password for this session Note See the S Key calculator documentation for entering information 7 Copy the One Time Password into the telnet or ftp session Note The One Time Password is typically a string or strings containin...

Page 530: ...edit box then click APPLY 4 To enable the Monitor S Key click either the ALLOWED or REQUIRED radio button in the S KEY PASSWORD field then click APPLY To make your changes permanent click SAVE Group Procedures Managing Groups To manage a group 1 Click CONFIG on the home page 2 Click the Groups link in the Security and Access Configuration section 3 In the ADD NEW GROUP GROUP NAME edit box enter th...

Page 531: ...ess Procedures Voyager Web Access This procedure describes how to enable web access using Voyager 1 Click CONFIG on the home page 2 Click the Voyager Web Access link in the Security and Access Configuration section 3 The YES radio button in the ALLOW VOYAGER WEB ACCESS field is the default Note If you click the NO radio button you will have to use the Voyager command line utility to access your ne...

Page 532: ...in the ALLOW FTP ACCESS field then click APPLY 4 Enter the number of the port in which you want to receive FTP requests in the FTP PORT NUMBER edit box defaults to port 21 To make your changes permanent click SAVE Telnet Access This procedure describes enabling telnet access to the network application platform NAP 1 Click CONFIG on the home page 2 Click the Network Access and Services link in the ...

Page 533: ... CLI Over HTTPs This procedure describes enabling access to the command line interface over HTTPs 1 Click CONFIG on the home page 2 Click the Network Access and Services link in the Security and Access Configuration section 3 Click the YES radio button in the ALLOW CLI OVER HTTPS field then click APPLY To make your changes permanent click SAVE Admin Network Login This procedure describes enabling ...

Page 534: ... in the ALLOW COM2 LOGIN field then click APPLY To make your changes permanent click SAVE COM3 Login This procedure describes how to login from the COM3 port 1 Click CONFIG on the home page 2 Click the Network Access and Services link in the Security and Access Configuration section 3 Click the YES radio button in the ALLOW COM3 LOGIN field then click APPLY To make your changes permanent click SAV...

Page 535: ...ivity 7 Enter a value in minutes in the STATUS POLL INTERVAL field to configure the Modem Status monitor This value is the length of time in minutes between modem line status tests Once every interval the system tests that the modem is present and online If the modem is not detected or is offline a message is logged using syslog Setting the value to 0 disables the Modem Status monitor 8 Click the ...

Page 536: ... the length of time in minutes that a connected call on the modem can remain inactive that is no traffic is sent or received before the call is disconnected Setting the value to 0 disables the timer that is the call will never be disconnected due to inactivity 7 Enter a value in minutes in the STATUS POLL INTERVAL field to configure the Modem Status monitor This value is the length of time in minu...

Page 537: ...ALLOW COM4 PCMCIA LOGIN field Click Apply 4 Click the Modem Configuration link for the modem card The modem status field should read Modem Detected 5 In the INACTIVITY TIMEOUT edit box enter the time in minutes that an active call on the modem can remain inactive The default is 0 which disables the time and means that the call will never be disconnected because of inactivity 6 Optional To enable t...

Page 538: ... modem line status test 9 Enter the correct number in COUNTRY CODE edit box to select your country See the two tables below to determine the correct number The first table refers to the Ositech Five of Clubs PCMCIA modem card and the second table refers to the Ositech Five of Clubs II PCMCIA modem card Country Code for Ositech Five of Clubs Card Country 22 USA 20 Canada 1 Australia 2 Belgium 3 Den...

Page 539: ...nds 11 Norway 12 Portugal 13 Spain 14 Sweden 25 Switzerland 16 United Kingdom Country Code for Ositech Five of Clubs II Card Country B5 USA 20 Canada 09 Australia 0F Belgium 31 Denmark 3C Finland 3D France Country Code for Ositech Five of Clubs Card Country ...

Page 540: ...your changes permanent Note This feature is available on the IP500 series and IP700 series platforms only 42 Germany 46 Greece 57 Iceland 59 Italy 69 Luxembourg 7B The Netherlands 82 Norway B8 Portugal A0 Spain A5 Sweden A6 Switzerland B4 United Kingdom Country Code for Ositech Five of Clubs II Card Country ...

Page 541: ...E Discard Service Discard service discards any data it receives 1 Click CONFIG on the home page 2 Click the Network Access and Services link in the Security and Access Configuration section 3 Click the YES radio button in the ENABLE DISCARD SERVICE field then click APPLY To make your changes permanent click SAVE Chargen Service Chargen service sends data without regard to input The data sent is a ...

Page 542: ...es link in the Security and Access Configuration section 3 Click the YES radio button in the ENABLE DAYTIME SERVICE field then click APPLY To make your changes permanent click SAVE Time Service The time service sends back to the originating source a 32 bit number which is the time in seconds since midnight on January 1 1900 1 Click CONFIG on the home page 2 Click the Network Access and Services li...

Page 543: ...t of the packet the protocol encrypts and how each protocol authenticates SSHv1 authenticates with server and host keys while SSHv2 authenticates using only host keys Even though SSHv1 uses server and host key authentication SSHv2 is a more secure faster and more portable protocol In some cases SSHv1 may be more suitable because of your client software or your need to use the protocol s authentica...

Page 544: ...n the PERMIT ADMIN USER TO LOGIN field The default is Yes which allows the user to log in as admin using SSH 6 Click APPLY 7 Optional In the Configure Server Authentication of Users table click the YES radio button for each type of authentication you want to use Note You can authenticate SSH connections using public keys applies to RSA and DSA SSHv2 standard user password information rhosts files ...

Page 545: ... your changes permanent Note When you generate new keys you may need to change the configurations of each client or the clients may give you errors See your SSH client documentation for more information Configuring Advanced Secure Shell Server Options The advanced SSH Server Configuration page allows you to configure the Secure Shell SSH daemon settings access methods access filters and logging be...

Page 546: ...hose users and groups will be allowed or forbidden Group settings only apply to a user s primary group the Gid setting in the Voyager Password page For more information on configuring users and groups see Adding Users and Managing Groups Note You can use wild card characters when specifying multiple group or user names separated by spaces 7 Click APPLY 8 Click the radio button next to the choice y...

Page 547: ...APPLY 14 Optional In the Configure Server Protocol Details table select the method of encryption SSHv2 enter appropriate values in the edit boxes and click the radio button next to the choice you want to use in the SEND KEEPALIVES TO THE OTHER SIDE and PROTOCOL VERSION S fields The default settings are Yes and Both 1 and 2 in these fields respectively Note The default setting in the CIPHER TO USE ...

Page 548: ... Keys The Secure Shell SSH Authorized Keys feature gives you the ability to create clients that can access accounts on your system without using a password RSA v1 authentication and public key authentication To configure an authorized key you will need to have information about the clients keys For SSHv1 implementation you will need to enter the RSA key and such information as key size exponent an...

Page 549: ...orized Key RSA for protocol version 1 table Or If you are adding a RSA authorized key to be used in SSHv2 enter the RSA key in either OpenSSH format or SSHv2 format depending on your client and optional comment in the RSA for protocol version 2 table Or If you are adding a DSA authorized key to be used in SSHv2 enter the DSA key in either OpenSSH format or SSHv2 format depending on your client and...

Page 550: ... bits Values over 1024 bits will cause problems for some clients including those based on RSAREF 5 Click APPLY 6 Optional To generate an RSA host key to be used with SSHv2 select the key size listed in bits from the GENERATE NEW RSA V2 HOST KEY drop down list 7 Click APPLY 8 Optional To generate a DSA host key to be used with SSHv2 select the key size listed in bits from the GENERATE NEW DSA HOST ...

Page 551: ... field in the Generate New RSA v1 Identity for user name 6 Enter the passphrase in the ENTER PASSWORD field 7 Enter the password again to verify it 8 If you want to create an RSA identity to be used with SSHv2 select the key length in the GENERATE KEY OF SIZE field in the Generate New RSA v2 Identity for user name 9 Enter the passphrase in the ENTER PASSWORD field 10 Enter the password again to ve...

Page 552: ...L 8000 127 0 0 1 80 From a Windows terminal do the following Use the client to redirect port 8000 1 When opening a connection click on the Properties button 2 Select the Forward tab 3 Enter a new local port forwarding entry by clicking on new The source port should be 8000 The destination host should be 127 0 0 1 and the destination port should be 80 For security reasons the allow local connection...

Page 553: ...to do the following using Voyager Enable SSL Generate certificate and private key requests Install certificates and private keys Enabling SSL Voyager Web Access This procedure describes how to enable SSL web access and encryption using Voyager 1 Click CONFIG on the home page 2 Click the Voyager Web Access link in the Security and Access Configuration section 3 Click the YES radio button in the ALL...

Page 554: ...sl_server crt and var etc voyager_ssl_server key respectively The certificate and private key are for testing purposes only and do not provide a secure SSL connection You must generate a certificate and the private key associated with the certificate to create a secure connection using SSL See Generating a Certificate and Private Key later in this section Generating a Certificate and Private Key T...

Page 555: ... box 7 Optional Enter the name of your city in the LOCALITY NAME edit box 8 Enter the name of your state in the STATE OR PROVINCE NAME edit box 9 Enter the name of your organization in the ORGANIZATION NAME edit box If you are requesting a certificate from a certificate authority the certificate authority may require the official legal name of your organization 10 Optional Enter the name of your d...

Page 556: ... You will need to install the private key and the certificate you will receive from your certification authority See Installing a Certificate later in this section If you generated a self signed certificate a screen will appear containing a certificate New X 509 certificate and its associated private key New private key You must perform a cut and paste operation to move the certificate and the pri...

Page 557: ...essing Voyager if SSL is not configured correctly The following are some steps and suggestions on how to recover Voyager 1 Check that you are using the correct URL Once you have enabled SSL you must use https rather than http when connecting through your web browser 2 Use the Voyager command line utility if you want to turn off SSL and restart Voyager You can access this utility by logging onto yo...

Page 558: ...n Authorization and Accounting AAA Creating an AAA Configuration Use this procedure to create an AAA configuration for a new service A service is a name used by an application in invoking the Pluggable Authentication Module PAM Application Programming Interface API that is part of the AAA The PAM mechanism provides for authentication account management and session management algorithms that are co...

Page 559: ...permanent Creating a Service Module entry 1 Enter the name of the service in the NEW SERVICE edit box under the SERVICE MODULE CONFIGURATION table 2 In the PROFILE edit box under the SERVICE MODULE CONFIGURATION table enter either an existing PROFILE NAME from the SERVICE PROFILE table if the requirements of the service match one of the existing profiles or a unique profile name if the requirement...

Page 560: ...enter either an existing item from the SESSION PROFILE table if the service s requirements match one of the existing of the existing session profiles Leave the SESSION PROFILE edit box blank if the service s requirements do not include session services Creating an Authentication Profile 1 Enter the name of the authentication profile in the NEW AUTH PROFILE edit box under the AUTH PROFILE table mak...

Page 561: ... When the user requests a Voyager page this module is called to authenticate the user which in turn verifies the user name and password supplied during the Voyager login against the information in etc master passwd Then the module performs Lawful Interception Gateway processing to determine whether the user can access the indicated Voyager page PERMIT pam_permit so 1 0 This module does not do any ...

Page 562: ...The user provides the one time pass phrase which is used to authenticate the user using the password database SNMPD pam_snmpd_auth so 1 0 This module authenticates the SNMP packets from a user Management Station When a user is added in the system through Voyager a corresponding authentication and privacy key is created and kept in the usmUser database var ucd snmp snmpd conf When an SNMP packet is...

Page 563: ...en the service requires more than one Acct Profile For a description of the effect on result disposition and subsequent algorithm invocation represented by the list s items see Profile Controls TACPLUS pam_tacplus_auth so 1 0 This module is a client server authentication system that supports remote administrator login to Voyager and command line configuration and selected management functions The ...

Page 564: ...ble make sure that the name does not match any of the NAMES in the SESSION PROFILE table 2 Select the item in the TYPE drop down list that matches the service s requirements For a description of the session algorithms represented by the list s items see Session Profile Types Type Module Description PERMIT pam_permit so 1 0 This module returns PAM_SUCCESS when invoked UNIX pam_unix_acct so 1 0 This...

Page 565: ... SESSION PROFILE Note Modules in the MODULE column reside in the directory usr lib Profile Controls CONTROL values determine how the results of multiple authentication accounting or session algorithms are handled and when additional algorithms in a list are invoked Lists of algorithms are specified by defining multiple entries under the AUTH PROFILE ACCT PROFILE and SESSION PROFILE columns of a SE...

Page 566: ...nvoked sufficient If no previous algorithm has reported failure a result of success is reported immediately and no further algorithms are invoked a result of failure for this algorithm is discarded if a previous algorithm has reported failure or the result of this algorithm is failure the next algorithm is invoked optional A result of failure is ignored and a result of success is retained the next...

Page 567: ... authentication software system that supports remote access applications This service allows an organization to maintain user profiles in a centralized database that resides on an authentication server that can be shared by multiple remote access servers A host contacts a RADIUS server which Service Auth Mgmt Acct Mgmt Session Mgmt my_svc required PERMIT required PERMIT required PERMIT ip_source N...

Page 568: ...AL to determine the level of authentication to apply to a profile For more information see Profile Controls 6 Click APPLY and then click SAVE to make your changes permanent The name of the RADIUS authentication profile appears in the AUTH PROFILE table 7 You must now configure one or more servers to use in a single authentication profile In the AUTH PROFILE table click the Servers link in the row ...

Page 569: ...T edit box You must also configure this same value on your RADIUS server Enter a text string without a backslash See RFC 2865 for more information The RFC recommends that the shared secret be at least 16 characters long Some RADIUS servers limit the shared secret to 15 or 16 characters Consult the documentation for your RADIUS server 12 Optional Enter the number of seconds to wait for a response a...

Page 570: ...onfigure additional AAA RADIUS Authentication Servers only Configuring TACACS TACACS is an authentication mechanism by which a remote server that is not part of IPSO authenticates users checks passwords on behalf of the IPSO system TACACS encrypts transmitted passwords and other data for security In the IPSO 3 6 release TACACS is supported for authentication only and not for accounting Challenge r...

Page 571: ...ect TACPLUS as the type of service 5 Click the CONTROL drop down window and select REQUIRED REQUISITE SUFFICIENT or OPTIONAL to determine the level of authentication to apply to a profile For more information see Profile Controls 6 Click APPLY and then click SAVE to make your changes permanent The name of the TACACS authentication profile appears in the AUTH PROFILE table 7 You must now configure ...

Page 572: ... box You must also configure this same value on your TACACS server Enter a text string without a backslash 12 Optional Enter the number of seconds to wait for a response after contacting the server in the TIMEOUT edit box Depending on your client configuration if the client does not receive a response it retries the same server or attempts to contact another server The default value is 3 13 Click ...

Page 573: ...CS server you want to disable Note You must have at least one RADIUS or TACACS server configured to maintain RADIUS or TACACS service 5 Click APPLY and then click SAVE to make your changes permanent Changing an AAA Configuration Use this procedure to change an AAA configuration 1 Click CONFIG on the home page 2 Click the AAA link under Security and Access Configuration 3 Change one or more of the ...

Page 574: ...lumn of the SERVICE PROFILE table 2 Enter an authentication profile from the NAME column of the AUTH PROFILE table into the AUTH PROFILE edit box of the SERVICE PROFILE table If the requirements for the service do not match any of the entries in the AUTH PROFILE create a new Auth Profile using Creating an Authentication Profile and enter that name in the AUTH PROFILE edit box Note The algorithm is...

Page 575: ...screens below show an example of creating a service which has the requirement for multiple authentication algorithms Only the portion of the page that has changes is shown here Service Authentication Management my_svc requisite SKEY required SECURETTY ...

Page 576: ... which are out of order using Deleting an Item in a Service Profile Entry and add them in the desired order using this procedure To add a session profile 1 Enter the name of the profile in the SERVICE PROFILE edit box the name is shown in the PROFILE NAME column of the SERVICE PROFILE table 2 Enter an item from the NAME column of the SESSION PROFILE table into the SESSION PROFILE edit box of the S...

Page 577: ...e s Auth Profile name is in the NAME column make one or more of the following changes 1 Select a different item in the TYPE list that matches the service s new requirements For a description of the authentication algorithms represented by the list s items see Authentication Profile Types 2 Select a different item in the CONTROL list that matches the service s new requirements Values other than REQ...

Page 578: ...ect on result disposition and subsequent algorithm invocation represented by the list s items see Profile Controls Note The Server File field is unused Changing a Session Profile Configuration For the SESSION PROFILE table in the row where the service s Session Profile name is in the NAME column make one or more of the following changes 1 Select a different item in the TYPE list that matches the s...

Page 579: ...onfiguration 1 Click CONFIG on the home page 2 Click the AAA link under Security and Access Configuration 3 Delete one or more of the rows of a table by selecting the check box in the DELETE column of the table for that row Note An item may not be deleted if it is referenced by another item for example a SERVICE PROFILE may not be deleted if it is used in the PROFILE column of one of the rows in t...

Page 580: ...ion Phase 2 negotiates IPsec traffic parameters During phase 1 and phase 2 negotiations where public keys are validated and session keys are generated the central router processor CRP processes all of the packets Once IPsec finishes negotiating phase 2 the crypto acceleration card then encrypts and decrypts the packets secured by phase 2 negotiations giving you faster packet throughput in your ses...

Page 581: ...yption accelerator card remove the card while your network application platform is running and then reinsert it or insert another accelerator card on some appliances Under IPsec when you hot swap the card the ipsec policy manager daemon will continue to forward packets to the crypto acceleration card if phase 2 was not renegotiated If phase 2 was renegotiated then the CPU will handle the packets u...

Page 582: ...card manually when you enabling SecureXL the accelerator card is automatically enabled Note Do not manually enable the accelerator card if you intend to use SecureXL If you manually enable the card you cannot enable SecureXL until you disable the card Note You cannot enable the accelerator card before you install it The options in Voyager for enabling the card do not appear until it is installed T...

Page 583: ...to the configuration file saved on disk optional Enabling the accelerator card for an IPSO VPN 1 Start Nokia Network Voyager for your appliance 2 On the Voyager home page click Security and Access Configuration 3 Click IPSec 4 Scroll down and click IPSec Advanced Configuration 5 At Hardware Device Configuration click ON 6 Click APPLY to enable the card 7 Click SAVE to save this change to the confi...

Page 584: ...oes not offer encryption services For confidentiality purposes you need to use ESP An encapsulation security payload ESP that provides authentication and confidentiality through symmetric encryption and an optional anti replay service ESP does not include the IP header in the authentication confidentiality A protocol negotiation and key exchange protocol IKE for easier administration and automatic...

Page 585: ...re inserted between the IP header of the new packet and the original IP datagram The new header points to the tunnel endpoint and the original header points to the final destination of the datagram Tunnel mode offers the advantage of complete protection of the encapsulated datagram and the possibility to use private public address space Tunnel mode is meant to be used by routers gateways Hosts can...

Page 586: ...ault ESP providing the highest level of confidentiality is used in this release IP header ESP header Payload ESP trailer ESP auth New IP header AH Old IP header Payload New IP header ESP header Old IP header Payload ESP trailer ESP auth IP header ESP header Payload ESP trailer ESP auth Authenticated Encrypted 00127 New IP header AH Old IP header Authenticated Payload 00128 New IP header ESP header...

Page 587: ...hentication and encryption The gateway systems must authenticate themselves and choose session keys that will secure the traffic The exchange of this information leads to the creation of a Security Association SA An SA is a policy and set of keys used to protect a one way communication To secure bi directional communication between two hosts or two security gateways two SAs one in each direction a...

Page 588: ... identities The secure channel is called ISAKMP Security Association Unlike IPsec SAs ISAKMP SAs are bi directional and the same keys and algorithms protect inbound and outbound communications IKE parameters are negotiated as a unit and are termed a protection suite Mandatory IKE parameters are a Symmetric Encryption algorithm b Hash function c Authentication method pre shared key and X 509 certif...

Page 589: ...he above listed CA vendors for certificate signing services To use the X 509 certificates the IPsec system should follow these steps 1 Install the trusted CA certificates all including yours of all the peer IPsec systems 2 Make a certificate request with all the information required to identify the system such as your IP address a fully qualified domain name organization organization unit city sta...

Page 590: ...ation RFC 2407 The Internet IP Security Domain of Interpretation for ISAKMP RFC 2408 Internet Security Association and Key Management Protocol ISAKMP RFC 2409 The Internet Key Exchange IKE RFC 2411 IP Security Document Roadmap RFC 2412 The OAKLEY Key Determination Protocol RFC 2451 ESP CBC Mode Cipher Algorithms IPsec configuration in Voyager is based on three different IPsec objects proposals fil...

Page 591: ...shared Keys or X 509 Certificates and lifetime attributes Miscellaneous Tunnel Requirements IPsec tunnels are defined by local and remote tunnel addresses The tunnel will require a Policy to define what traffic will be encapsulated by the tunnel and what security to use in the encapsulation The traffic that matches filters associated to the policy will be encapsulated using tunnel addresses Polici...

Page 592: ...value depending on whether the device is working as a session initiator or responder If you create tunnels between an IPSO platform and non IPSO systems configure the non IPSO system so that the Phase 1 lifetime is five times the Phase 2 lifetime Set the encryption to 3DES and set the authentication so that it is the same as the Phase 2 algorithm Platforms IPsec is supported across all Nokia secur...

Page 593: ...oth devices See Putting It All Together in Creating an IPsec Policy IKE and PFS groups should match on both devices See Putting It All Together in Creating an IPsec Policy The IKE group is used by the Diffie Hellman key exchange during the establishment of Phase 1 ISAKMP SA Value options are 1 2 or 5 2 is the default value The PFS group is used by the Diffie Hellman key exchange in Phase 2 to cons...

Page 594: ...Next click on the IPsec link this takes you to the IPv6 IPsec General Configuration Page c If you are on the IPv4 General Configuration page and wish to move to the IPv6 General configuration page scroll down to the bottom of the page and click the IPv6 IPsec General Configuration link Note Application procedures are the same for both configuration page types The primary difference is the format o...

Page 595: ... that you want to control Enter the subnet address and the mask length in the ADDRESS and MASK LENGTH edit boxes Click APPLY Note Destination filters across multiple rules tunnel or transport should not overlap though source filters can overlap After clicking APPLY the new filter information is added to the Filters list If needed you can then define a protocol and or a port Defaults are assumed Re...

Page 596: ...cate 4 On the Certificate Addition page you have two choices If you have the PEM base64 encoded certificate select the PASTE THE PEM CERTIFICATE option If you know the URL to the certificate including the local file select the ENTER URL TO THE CERTIFICATE option 5 Click APPLY Note This action takes you to the next page asking for the PEM encoded certificate or the URL information of the certificat...

Page 597: ... trusted CA certificate that needs to be installed Note On successful completion you will see a green button under the CERTIFICATE FILE column The green button indicates the certificate file is present on the machine and it is also a link to view the installed certificate Device Certificates A device certificate will be used to identify a particular IPsec system Follow the steps below to enroll an...

Page 598: ...echanism to paste the PEM certificate request into the CA RA certificate enrollment page Note Some CAs do not expect the header BEGIN CERTIFICATE REQUEST and the footer END CERTIFICATE REQUEST lines in the text Alternatively you can copy the text in a file and send the file to the CA RA by FTP or some other file transfer mechanism that is supported Contact the CA for details 6 If you could success...

Page 599: ...ficate request the link on the main IPsec General Configuration still points to the certificate request page You can repeat steps 5 8 to install the certificate 10 If you ve finished all the steps you will see two green buttons You can click on the button under the CERTIFICATE column to view the certificate Advanced IPsec The following options are available through the IPsec Advanced Configuration...

Page 600: ...tion page Note Enabling this option may slow down forwarding of non IPsec packets LDAP servers IPSO IPsec implementation supports automatic CRL retrieval following the LDAPv2 3 protocol specification RFC 2251 To retrieve CRL automatically from the centralized directory enter the URL of the directory server Due to different implementations the internal configuration of the directory server may not ...

Page 601: ...t in the ENTER SHARED SECRET edit box Enter the secret again in the SHARED SECRET VERIFY edit box for verification Click APPLY If the secret has been entered correctly the red light of the SECRET STATUS field turns green after you click APPLY If you chose X 509 CERTIFICATES select the certificate name from the list of device certificates that identifies this machine 5 In the LIFETIME table if the ...

Page 602: ...RFACE option is displayed and you want to create a logical interface set the button to YES 5 Enter the IP address of the local end of the IPsec tunnel in the LOCAL ADDRESS edit box The local address must be one of the system s interface addresses and must be the remote endpoint configured for the IPsec tunnel at the remote gateway 6 Enter the IP address of the remote interface to which the IPsec t...

Page 603: ...ty of an end to end logical tunnel As a result the hello protocol modifies the link status of the logical interface If the connectivity of an unavailable tunnel is restored the hello protocol brings up the link 10 Optional If the hello protocol is active enter a value for the HELLO INTERVAL and DEAD INTERVAL edit boxes Click APPLY The HELLO INTERVAL edit box specifies the interval number of second...

Page 604: ...own menu in the DESTINATION FILTERS column select a filter name that corresponds to the destination of the traffic that will be protected by this policy Click APPLY Repeat this operation to add as many filters as necessary Click APPLY after each selection 15 Optional In the OPTIONS table select the option INCLUDE END POINTS IN THE FILTERS Click APPLY 16 To make your changes permanent click SAVE Tr...

Page 605: ...of the traffic that will be protected by this policy Click APPLY Repeat this operation to add as many filters as necessary Click APPLY after each selection Note Only filters that present a single host but no subnet should be selected as source filters Note If there are 40 or more source or destination filters they will not be displayed as a list on the Voyager page To view a filter that is not dis...

Page 606: ...ly below the rule section The link to more pages appears only after you create more than 10 transport rules IPsec Tunnel Rule Example The following steps provide directions on how to configure a sample IPsec tunnel The figure below shows the network configuration for this example Nokia Platform 1 Nokia Platform 2 192 68 22 0 24 192 68 23 0 24 192 68 26 74 30 192 68 26 65 30 00040 Internet IPsec Tu...

Page 607: ...H edit box Click APPLY The new entry appears in the Filters table 7 In the FILTERS table enter site_B as a new filter name in the NEW FILTER edit box Enter 192 68 23 0 in the ADDRESS edit box and 24 in the MASK LENGTH edit box Click APPLY Note In this example the authentication method will be a pre shared secret so no certificate needs to be selected 8 Optional Click the Ipsec Advanced Configurati...

Page 608: ...18 Enter 192 68 26 65 in the LOCAL ADDRESS edit box 19 Enter 192 68 26 74 in the REMOTE ADDRESS edit box Click APPLY 20 Click on the name in Tunnel Rules table The IPsec Tunnel ipsec_tunn page is displayed 21 Optional Activate HELLO PROTOCOL with the ON radio button Click APPLY The HELLO INTERVAL and DEAD INTERVAL edit boxes are displayed 22 Optional Enter 60 as a value in the HELLO INTERVAL edit ...

Page 609: ...tep 24 select SITE_B from the SOURCE FILTERS pulldown menu d Step 25 select SITE_A from the DESTINATION FILTERS pulldown menu IPsec Transport Rule Example The following steps provide directions on how to configure a sample IPsec authentication connection The figure below shows the network configuration for this example Configure Nokia Platform 1 IPSO 1 Click CONFIG on the home page of the Network ...

Page 610: ...R edit box Enter 192 68 26 74 in the ADDRESS edit box and 32 in the MASK LENGTH edit box Click APPLY Note In this example the authentication method will be a pre shared secret so no certificate needs to be selected 8 Optional Click the Ipsec Advanced Configuration link 9 Optional From the pulldown menu in the LOG LEVEL field select INFO Click APPLY 10 Optional Click the UP button 11 In the POLICIE...

Page 611: ... in the IPsec Transport Rules table 21 Select LOCAL from the SOURCE FILTERS pulldown menu 22 Select REMOTE from the DESTINATION FILTERS pulldown menu 23 Click APPLY 24 To make changes permanent click SAVE Configure PC1 You now need to set up PC1 Accomplish the same steps the were performed to configure Nokia Platform 1 IPSO with the following changes a Step 6 for the local filter enter 192 68 26 7...

Page 612: ...he remote end of the IPsec tunnel in the REMOTE ADDRESS edit box The remote address cannot be one of the system s interfaces and must be the same as the local address configured for the IPsec tunnel at the remote router 7 Click APPLY 8 To make your changes permanent click SAVE Removing an IPsec Tunnel Proposed New 1 Click CONFIG on the home page 2 Click the IPsec link The IPv4 IPsec General Config...

Page 613: ...creen You can view the history of logins and logouts in the system logs Session management is enabled by default You may disable this in which case you will be asked to login with a window that asks only for your user name and password To disable session management see Disabling Voyager Session Management Note Voyager uses cookies to keep track of HTTP sessions Voyager cookie based session managem...

Page 614: ... would like to enable the feature follow the procedure below 1 Click CONFIG on the home page 2 Click the Voyager Web Access link in the Security and Access Configuration section 3 Click YES in the ENABLE COOKIE BASED SESSION MANAGEMENT Field 4 Click APPLY A new login window will appear See Logging In with Exclusive Configuration Lock and Logging In without Exclusive Configuration Lock Disabling Vo...

Page 615: ... user will be able to change the system configuration Note Only users with read write access privileges are allowed to log in with exclusive configuration lock users with Uid 0 and Gid 0 1 At the login Enter your user name 2 Enter your user password 3 Click YES in the ACQUIRE EXCLUSIVE CONFIGURATION LOCK field This is the default 4 Click Login Note Enabling exclusive configuration lock in Voyager ...

Page 616: ...s are allowed to override an exclusive configuration lock users with Uid 0 and Gid 0 This procedure describes how to override a configuration lock 1 Click the Login with Advance Options link 2 Make sure that YES is selected in the Acquire Exclusive Configuration Lock field This is the default choice 3 Click YES in the OVERRIDE LOCKS ACQUIRED BY OTHER USERS field 4 Enter your user name 5 Enter your...

Page 617: ...interval expires To change the session timeouts follow the procedure below 1 Click CONFIG on the home page 2 Click the Voyager Web Access link in the Security and Access Configuration section 3 In the SESSION TIMEOUT IN MINUTES edit box enter the time in seconds The default is 20 minutes 4 Click APPLY ...

Page 618: ...10 Configuring Security and Access 620 Voyager Reference Guide ...

Page 619: ... Fault Management Description Enabling Fault Management Disabling Fault Management Configuring Alarm Log Enabling Automatic Shutdown Viewing Active Alarms Viewing Active Alarm Details Canceling an Active Alarm Viewing Logged Alarm Events Specifying Global Filtering Rules Enabling or Disabling Specific Alarms ...

Page 620: ...larms Alarms for the most part are features of third party applications that support alarm interfaces You will be able to do the following using Voyager Enable and disable alarm traps View configured and all permissible alarms Cancel and filter alarms Configure the alarm log Enabling Fault Management This procedure describes how to enable alarm traps and trap resends and set trap buffer configurat...

Page 621: ...e logged events 1 Click CONFIG 2 Click the General Configurations link under the Fault Management Configuration section 3 Optional If you want to stop logging alarms when the log is full select Halt in the LOG FULL ACTION drop down list The default is Wrap which erases the oldest alarm events to allow for new alarm events 4 Optional If you want to erase all events in the log and return Logging sel...

Page 622: ... default is Disabled 4 Click APPLY 5 Click SAVE to make your changes permanent Viewing Active Alarms This procedure describes how to view active alarms 1 Click CONFIG 2 Click the Current Alarm List link under the Fault Management Configuration section Viewing Active Alarm Details This procedure describes how to view the full details of a specific alarm 1 Click CONFIG 2 Click the Current Alarm List...

Page 623: ... trap will be listed under the Table of Active Alarms in the ALARM ID field 4 Click APPLY Viewing Logged Alarm Events This procedure describes how to view logged alarm events 1 Click CONFIG 2 Click the Alarm Log link under the Fault Management Configuration section Viewing Logged Alarm Event Details This procedure describes how to view logged alarm events 1 Click CONFIG 2 Click the Alarm Log link ...

Page 624: ... the IGNORE ALARMS AT OR BELOW drop down list Note Alarms with indeterminate severity will always be sent 4 Click APPLY 5 Click SAVE to make your changes permanent Enabling or Disabling Specific Alarms This procedure describes how to enable or disable specific alarms 1 Click CONFIG 2 Click the Alarm Filtering link under the Fault Management Configuration section 3 Under the List of Alarms click th...

Page 625: ... Strings Disabling Community Strings Sending SNMP Traps to a Network Management System Enabling SNMP Traps Setting the SNMP Trap Agent Address Entering SNMP Location and Contact Information Interpreting SNMP SNMP Error Messages Configuring SNMPv3 Adding a User based Security Model User Deleting a User based Security Model User Modifying a User based Security Model User Entry Changing a User based ...

Page 626: ...configure a read write community string to enable set SNMP v1 v2 and v3 For more information on SNMP v3 see Adding a User based Security Model User Note The Nokia implementation of SNMPv3 does not yet support SNMPv3 traps Other public and proprietary MIBs as follows MIB Source Function Rate Shape MIB proprietary Monitoring rate shaping statistics and configuration Monitoring system specific parame...

Page 627: ...information of TCP implementations EtherLike MIB RFC 1650 Generic objects for Ethernet like network interfaces Host Resources MIB RFC 1514 Provides information about the system such as hardware software processes CPU utilization disk utilization and so on IANAifType MIB Internet Assigned Numbers Authority Defines the IANAifType textual convention including the values of the ifType object defined i...

Page 628: ... trap is not supported by IPSO VRRP MIB RFC 2787 Provides dynamic fail over statistics RIP MIB RFC 1724 Describes RIP version 2 protocol SNMP Framework MIB RFC 2571 Outlines SNMP management architecture SNMP MPD MIB RFC 2572 Provides message processing and dispatching SNMP User based SM MIB RFC 2574 Provides management information definitions for SNMP User based Security Model SNMPv2 MIB RFC 1907 ...

Page 629: ...formati on and dialCtlPeerCallSetup traps are not supported by IPSO Entity MIB RFC 2737 Represents the multiple logical entities supported by a single SNMP agent The entConfigChange trap is not supported by IPSO Tunnel MIB RFC 2667 Provides statistics about IP tunnels UDP MIB RFC 2013 Provides statistics about UDP implementations Frame Relay DTE MIB RFC 2115 Keeps statistics and errors in one or m...

Page 630: ...LBCluster MIB proprietary Provides information about IPSO load balancing systems HWM MIB proprietary Contains hardware management information Note IPSO does not send the traps this MIB supports when the Nokia platform is used as an IP security device Nokia Common MIB OID Registration MIB proprietary Nokia Common NE Role MIB proprietary Nokia Enhanced SNMP Solution Suite Alarm IRP MIB proprietary N...

Page 631: ...an IP security device Nokia Enhanced SNMP Solution Suite PM Common Definition MIB proprietary Nokia Enhanced SNMP Solution Suite PM IRP MIB proprietary Note IPSO does not send traps supported by this MIB when the Nokia platform is used as an IP security device Nokia NE3S Registration MIB proprietary Nokia NTP MIB proprietary SNMPv2 CONF This MIB is not supported by IPSO by is included for those cu...

Page 632: ...ion Use Voyager to perform the following tasks Define and change one read only community string Define and change one read write community string Enable and disable the SNMP daemon Enable and disable USM users Modify USM user access privileges that is change permissions from read only to read write and vice versa Add or delete trap receivers Enable or disable the various traps Enter the location a...

Page 633: ...e necessary values 4 To disable the SNMP daemon click the NO radio button in the ENABLE SNMP DAEMON FIELD Click APPLY The configuration options disappear 5 To make your changes permanent click SAVE Setting an SNMP Agent Address 1 Click CONFIG on the home page 2 Click the SNMP link 3 To configure a specific IP address on which the agent responds to requests enter the valid IP address of a configure...

Page 634: ...he default 1 Click CONFIG on the home page 2 Click the SNMP VERSION drop down list and select either V1 V2 V3 or V3 ONLY Click APPLY The default is v1 v2 v3 Click SAVE to make your change permanent Note To enable specific SNMPv3 users click the Add USM Users link at the bottom of the SNMP voyager page which takes you to the voyager page that lets you configure users for SNMPv3 For more information...

Page 635: ...ONLY COMMUNITY STRINGS field Click APPLY 4 To disable a read write community string click the DISABLE box in the CURRENT READ WRITE COMMUNITY STRINGS field Click APPLY 5 Click SAVE to make your changes permanent Sending SNMP Traps to a Network Management System 1 Click CONFIG on the home page 2 Click the SNMP link 3 Enter the IP address or the hostname if DNS is set of a new receiver that will acc...

Page 636: ...apConfigurationFileChange and systemTrapConfigurationSaveChange traps are associated with the ipsoConfigGroup objects These objects include ipsoConfigIndex ipsoConfigFilePath ipsoConfigFileDateAndTime ipsoConfigLogSize ipsoConfigLogIndex and ipsoConfigLogDescr The systemTrapDiskMirrorSetCreate systemTrapDiskMirrorSetDelete systemTrapDiskMirrorSyncFailure and systemTrapDiskMirrorSyncSuccess traps a...

Page 637: ...ou want to enable the VRRPTrapNewMaster click the ON button next to the ENABLE VRRPTRAPNEWMASTER TRAPS field Click APPLY 7 Optional If you want to enable the VRRPTrapAuthFailure click the ON button next to the ENABLE VRRPTRAPAUTHFAILURE TRAPS field Click APPLY 8 Optional If you want to receive notification that a temporary change to the system configuration has occurred click the ON button next to...

Page 638: ...the ENABLE SYSTEMTRAPDISKFAILURE TRAPS field Click APPLY Note The systemTrapDiskFailure applies only the IP740 and IP530 Nokia platforms 14 Optional If you want to receive notification when a system disk mirror set is created click the ON button next to the ENABLE SYSTEMTRAPDISKMIRRORSETCREATE TRAPS field Click APPLY 15 Optional If you want to receive notification when a system disk mirror set is ...

Page 639: ...ptional If you want to receive notification when a fan fails click the ON button next to the ENABLE SYSTEMFANFAILURE traps Click APPLY This trap includes the fan index and is supported only on the IP530 and IP740 platforms 21 Optional If you want to receive notification when a power supply failure occurs because of high temperature click the ON button next to the ENABLE SYSTEMOVERTEMPERATURE traps...

Page 640: ...use the IP address of the first valid interface The Network Management System uses the agent address to identify the network element that generated the trap This address must belong to one of the interfaces 4 To make your changes permanent click SAVE Entering SNMP Location and Contact Information 1 Click CONFIG on the home page 2 Click the SNMP link 3 Optional In the SNMP LOCATION STRING field ent...

Page 641: ...fic problem The integer zero 0 means that no errors were detected When the error field is anything other than 0 the next field includes an error index value that identifies the variable or object in the variable bindings list that caused the error See the table below for the error status codes and their corresponding meanings Error Status Code Meaning 0 noError 1 tooBig 2 NoSuchName 3 BadValue 4 R...

Page 642: ... value identifies the variable or object in the variable bindings list that caused the error The first variable in the list has index 1 the second has index 2 and so on The next or fifth field is the variable bindings field It consists of a sequence of pairs the first is the identifier The second element is one the following five value unSpecified noSuchOjbect noSuchInstance and EndofMibView The t...

Page 643: ...t the object referred to by this object identifier noSuchInstance indicates that this object does not exist for this operation endOfMIBView indicates an attempt to reference an object identifier that is beyond the end of the MIB at the agent Value Field Set Description noSuchObject If a variable does not have an OBJECT IDENTIFIER prefix that exactly matches the prefix of any variable accessible by...

Page 644: ...returned The max repetitions field specifies the number of lexicographic successors to be returned for the remaining variables in the variable bindings list If at any point in the process a lexicographic successor does not exist the endofMibView value is returned with the name of the last lexicographic genErr If the processing of a variable fails for any other reason the responding entity returns ...

Page 645: ...ompatible with earlier versions of SNMP SNMPv3 defines a user based security mechanism that enables per message authentication and encryption See RFC 2574 for more information You must use Voyager to create USM user accounts SNMPv3 uses a default configuration to generate USM keys The Nokia implementation supports DES and MD5 authentication to automatically generate USM keys You only need to confi...

Page 646: ...ge is set to the home page 8 Optional To modify the shell enter the new shell path name in the SHELL edit box Consult the file etc shells for valid login shells 9 Optional To modify the default page enter the name of the new default page in the DEFAULT PAGE edit box 10 Enter the new user s password in the NEW PASSWORD edit box Leave the OLD PASSWORD edit box empty 11 Enter the same password that y...

Page 647: ...try change the user s password to one that has fewer than 8 characters but at least 6 characters long Enter the user s current password in the OLD PASSWORD edit box Enter a new password that is fewer than 8 characters long but at least 6 characters long in the NEW PASSWORD edit box Enter the same password that you entered in the NEW PASSWORD edit box in the NEW PASSWORD VERIFY edit box Click APPLY...

Page 648: ... the new value or name 4 Click APPLY and then click SAVE to make your changes permanent Changing a User based Security Model User Permissions This procedure describes how to change read and write permissions for a User based Security Model USM user 1 Click CONFIG on the home page 2 Click the SNMP link You are now on the SNMP page 3 Go the SNMPv3 USM USERS table Find the user for which you would li...

Page 649: ...es including hardware software and the operating system The hardware summary includes information about the CPU Disks Bios and motherboard including the serial number model number and capacity or date as appropriate The summary also displays the amount of memory on the appliance The Check Point FireWall summary lists information about the host and policy installed and the date on which the FireWal...

Page 650: ... on the system Viewing the Asset Management Summary 1 Click CONFIG on the home page 2 Click the Asset Management Summary link This action takes you to the asset management summary page 3 The page separates information into three tables Hardware FireWall Package Information and Operating System 4 Click the UP button to return to the main configuration page ...

Page 651: ...mpatibility Configuring IPv6 in IPv4 Tunnels Configuring IPv6 to IPv4 Configuring IPv6 over IPv4 Configuring IPv4 in IPv6 Tunnels Routing Configuration Configuring an IPv6 Default Route Creating an IPv6 Static Route Configuring RIPng Creating IPv6 Aggregate Routes Creating Redistributed Routes Redistributing Static Routes into RIPng Router Discovery Configuring ICMPv6 Router Discovery ...

Page 652: ...ities Simplified header format Improved support for extensions and options Flow labeling capability Plug and Play autoconfiguration The IPv6 implementation includes basic features specified in IPv6 RFCs and features that support IPv6 capable hosts in a network IPv6 includes a transition mechanism that allows users to adopt and deploy IPv6 in a highly diffuse way and provides direct interoperabilit...

Page 653: ...rt IPv6 TCP support IPv6 over IPv4 Tunnel RFC 2185 IPv6 over ethernet RFC 2464 IPv6 over FDDI RFC 2467 IPv6 over PPP RFC 2472 IPv6 over ATM RFC 2492 PVC only IPv6 over ARCNET RFC 2497 IPv6 over token ring RFC 2470 IPv6 over IPv4 RFC 2529 IPv6 to IPv4 Internet Draft Generic Packet Tunneling RFC 2473 IPv4 through IPv6 only RIPng for IPv6 Static Routes Route Aggregation Route Redistribution IPv6 inet...

Page 654: ...ick UP at the top of the page to take you back to the IPv6 Logical Interfaces page 7 To enable the IPv6 address click ON in the IPV6 ACTIVE field 8 Click APPLY and then click SAVE to make your change permanent Configuring Neighbor Discovery 1 Click CONFIG on the home page 2 Click the Neighbor Discovery link in the IPv6 section 3 In the GLOBAL NEIGHBOR DISCOVERY SETTINGS field enter the value for t...

Page 655: ...overy requests 7 In the PERMANENT NEIGHBOR DISCOVERY ENTRIES field enter the permanent IPv6 address for the permanent neighbor discovery destination in the NEW PERMANENT NEIGHBOR DISCOVERY ENTRY edit box 8 Click APPLY and then click SAVE to make your changes permanent 9 To flush current dynamic Neighbor Discovery entries click the FLUSH button in the DYNAMIC NEIGHBOR DISCOVERY ENTRIES field and th...

Page 656: ...or the Time to Live TTL for packets sent on the tunnel in the TIME TO LIVE edit box 8 Click APPLY and then click SAVE to make your changes permanent Configuring IPv6 to IPv4 This feature allows you to connect an IPv6 domain through IPv4 clouds without configuring a tunnel 1 Click CONFIG on the home page 2 Click the IPv6 to IPv4 link in the IPv6 section 3 In the ENABLE IPV6 TO IPV4 FIELD click the ...

Page 657: ...over IPv4 link in the IPv6 section 3 In the ENABLE IPV6 OVER IPV4 field click the YES Radio button 4 In the ACTIVE field just below the LOGICAL INTERFACE field click the ON radio button This value represents the pseudo interface that is associated with this feature It does not correspond to a specific physical device 5 Enter the IPv4 address of the local interface in the LOCAL IPV4 ADDRESS edit bo...

Page 658: ... sent on the tunnel can take to reach their destination in the HOP LIMIT edit box 6 Click APPLY and then click SAVE to make your changes permanent Configuring an IPv6 Default Route 1 Click CONFIG on the home page 1 Click the Static Routes link in the IPv6 section 2 To enable a default route click the ON radio button in the DEFAULT field and click APPLY 3 Enter the IPv6 address of the gateway route...

Page 659: ...te address for each packet to the destination is selected based on the nexthop algorithm that is configured 7 Click APPLY and then click SAVE to make your changes permanent Creating an IPv6 Static Route 1 Click CONFIG on the home page 2 Click the Static Routes link in the IPv6 section 3 Enter the IPv6 address prefix in the NEW STATIC ROUTE edit box 4 Enter the mask length number of bits in the MAS...

Page 660: ...gure as many as eight gateway addresses The nexthop gate address for each packet to the destination is selected based on the nexthop algorithm that is configured 10 Click APPLY and then click SAVE to make your changes permanent Routing Configuration Configuring RIPng 1 Click CONFIG on the home page 2 Click the RIPng link in the IPv6 section 3 To enable RIPng click the ON Radio button next to the l...

Page 661: ...he ON Radio Button in the CONTRIBUTE ALL ROUTES FROM PROTOCOL field 9 Optional If you want to specify an IPv6 prefix enter the IPv6 address and mask length in the edit boxes in the PREFIX FOR NEW CONTRIBUTING ROUTE FROM PROTOCOL field 10 Click APPLY and click SAVE to make your changes permanent Creating Redistributed Routes Redistributing Static Routes into RIPng 1 Click CONFIG on the home page 2 ...

Page 662: ...nk 4 To redistribute all currently valid aggregate routes into RIPng click the ON button in the REDISTRIBUTE ALL AGGREGATES INTO RIPNG field 5 Enter a value for the metric cost that the created RIPng routes will have in the METRIC edit box 6 Click APPLY and then click SAVE to make your changes permanent 7 To redistribute a specific aggregate route or routes into RIPng click the ON radio button nex...

Page 663: ...Discovery Configuring ICMPv6 Router Discovery The ICMPv6 Router Discovery Protocol allows hosts running an ICMPv6 router discovery client to locate neighboring routers dynamically as well as to learn prefixes and configuration parameters related to address autoconfiguration Nokia implements only the ICMPv6 router discovery server portion which means that the Nokia platform can advertise itself as ...

Page 664: ...ch unsolicited multicast ICMPv6 router advertisements are sent on the interface in the MAX ADV INTERVAL edit box Note Whenever an unsolicited advertisement is sent the timer is set to a value between the maximum advertisement interval and the minimum advertisement interval 10 Optional Enter a value in seconds for router advertisement packet s router lifetime field in the ROUTER LIFETIME edit box A...

Page 665: ...he length of time relative to the time the packet is sent that the prefix is valid for the purpose of on link determination 17 Optional Enter a value in seconds for the prefix information option s preferred lifetime field in the PREFIX PREFERRED LIFETIME edit box This value represents the length of time relative to the time the packet is sent that addresses generated by the prefix through stateles...

Page 666: ...ss Description Creating an Aggregation Class Deleting an Aggregation Class Associating an Aggregation Class with a Rule Queue Class Description Creating a New Queue Class Deleting a Queue Class Setting or Modifying Queue Class Configuration Values Associating a Queue Class with an Interface Security and Access Configuration Configuring IPv6 Network Access and Services Enabling FTP Access 1 To enab...

Page 667: ...er Reference Guide 669 Enabling Telnet Access 1 To enable Ipv6 Telnet Access click the YES radio button in the ALLOW IPV6 TELNET ACCESS field 2 Click APPLY and then click SAVE to make your changes permanent ...

Page 668: ...14 Configuring IPv6 670 Voyager Reference Guide ...

Page 669: ... IPSO Process Management Critical IPSO processes are monitored by the process monitor PM PM is responsible for Starting and stopping the processes under its control Automatically restarting the processes if they abnormally terminate The IPSO processes monitored by PM are listed in the following table In addition application package processes such as IFWD FWD CPRID might also be monitored by PM ...

Page 670: ... and implements the routing policy through a database ifm Interface management daemon This daemon sends and receives information to and from the kernel in order to verify the integrity of the interface configuration xntpd Network time protocol daemon This daemon sets and maintains a UNIX system time of day in compliance with Internet standard time servers monitord System monitor daemon This daemon...

Page 671: ...hen attempts to restart it If the process fails to start PM continues to try to restart it at regular intervals with each interval increasing by a factor of two for example 2 seconds 4 seconds 8 seconds 16 seconds and so on If PM fails to start the process after 900 seconds it stops trying Each unsuccessful attempt is logged in the system message log PM s process monitoring behavior is not user co...

Page 672: ...15 IPSO Process Management 674 Voyager Reference Guide ...

Page 673: ...ess of a node on the same network when it only knows the target s logical address ARP is used on a single network and is limited to hardware type broadcasting AS Autonomous System A group of networks and routers controlled by a single administrative authority An unique number identifying an Internet connected network that has routing policies distinct from upstream connections ATM Asynchronous Tra...

Page 674: ... of data flowing through a broader channel BGP Border Gateway Protocol An inter domain routing protocol for communications between a router in one autonomous system and routers in other autonomous systems CIDR Classless Inter domain Routing A routing technique that allows routers to group routes together to reduce the quantity of routing information carried by core routers CIDR uses a group of con...

Page 675: ...ion DES Data Encryption Standard A 56 bit U S National Bureau of Standard method of data encryption It s limited to 40 bits outside of U S DCE Data Communications Equipment Switching equipment that forms a packet switched network versus computers or terminals connected to the network See DTE DHCP Dynamic Host Configuration Protocol A protocol that is used to lessen the administrative burden of man...

Page 676: ...he IP addresses of networks in its autonomous systems to a router in another autonomous system Handles load balancing Firewall A system of hardware and software that enforces a boundary between two or more networks in accordance with a local security policy Nokia technology combines a firewall with a router FDDI Fiber Distributed Data Interface LAN technology for data transfer up to 100 Mbps on a ...

Page 677: ...al wireless transmission technique used in Europe and supported in North America for Personal Communication Service GSM uses 900 MHz and 1800 MHz in Europe In North America GSM uses 1900 MHz HDLC High level Data Link Control A popular ISO standard that is a bit oriented link layer protocol derived from Synchronous Data Link Control SDLC HDLC specifies a method of encapsulating data on synchronous ...

Page 678: ... Routing Information Protocol RIP is one IGP IGMP Internet Group Management Protocol Protocol that runs between hosts and their next hop multicast routers the mechanisms of the protocol allow a host to inform its local router that it wishes to receive transmissions addressed to a specific multicast group Based on group membership information learned from the IGMP a router is able to determine whic...

Page 679: ... by CCITT for private or public digital telephone networks where binary data such as graphics and digitized voice and data transmission pass over the same digital network that carries most telephone transmissions today ISDN provides 128 kbits bi directional data capacity LAPB Link Access Procedure Balanced Derived from HDLC a CCITT X 25 version of a bit oriented data link protocol LLC Logical Link...

Page 680: ... information about all resources managed by a network management system MIME Multipurpose Internet Mail Extensions An extension to Internet Email that provides the ability to transfer non textual data such as graphics audio video and fax images MTU Maximum Transfer Unit The largest frame length largest possible unit of data that may be sent on a given physical medium NAP Network Application Platfo...

Page 681: ...cover the broad range of enterprise network security technologies including authentication encryption content security networking infrastructure application software and managed service providers OSPF Open Shortest Path First Similar to RIP except that OSPF broadcasts when a new router is on the network or a route changes OSPF also considers factors such as line capacity delay and security restric...

Page 682: ...Internet Service Providers Allows dial up networks PPP is the successor to SLIP IP over Serial lines such as telephone circuits or RS 232 cables Protocol The rules of communication that describe how a computer responds when a message arrives and how a computer handles errors Protocols allow a computer communication discussion independent of the hardware PSN Packet switching Node Replaced Internet ...

Page 683: ...g tables by broadcasting their tables to their neighbors This makes RIP an insecure protocol inviting hackers to capture these frequent broadcasts Networks are then navigated using fewest hops possible RSA RSA is a public key or asymmetric encryption scheme invented by and named for 3 mathematicians Ron Rivest Adi Shamir and Len Adleman The theoretical background to RSA is that it s very difficult...

Page 684: ...hat transfers electronic mail from one machine to another SMTP specifies how two mail systems interact and the format of the messages they exchange SNMP Simple Network Management Protocol As a standard method of managing and monitoring network devices on a TCP IP based internet it allows network administrators to connect setup and maintain a network SSH Secure Shell A program to log into another c...

Page 685: ...s the IP datagram as the unit of information passed on a network IP includes the Internet Control Message Protocol TRPB Truncated Reverse Path Broadcasting An algorithm used by multicast routing protocols to determine the group memberships on each leaf of a subnetwork which avoids forwarding datagrams onto a leaf subnetwork that does not have a member of the destination group Prunes multicast dist...

Page 686: ...g Daemon IPSRD to configure interface hardware set routing protocols and routing policies and monitor routing traffic and protocol performance VPI VCI Virtual Path Identifier Virtual Circuit Identifier Two fields eight bit identifiers used in an Asynchronous Transfer Mode packet to distinguish a semi permanent connection destination VRRP Virtual Router Redundancy Protocol A means by which a router...

Page 687: ...ing a New Rule 409 Applying to an Interface 405 Creating 404 Deleting 405 Modifying a Rule 409 Removing 406 Rules 407 Access Control List Rules Configuring 407 Access Control Lists Configuring 402 Active Alarms 624 Canceling 625 Viewing Details 624 Aggregate Routes 20 Creating 276 Removing 276 Aggregation Class 412 Creating 413 Deleting 413 Aggregation Class Associating with a Rule 414 Aggregation...

Page 688: ...erface and a Virtual Channel 422 Auditlog Disabling 503 Authentication Methods 461 Profile Types 563 Authentication Profile Changing a Configuration 580 Creating 562 Authentication Authorization and Accounting AAA 560 Authentication MD5 293 Automatic Shutdown 624 B Backing Up and Restoring Files 507 Backup Files 507 513 Manually Creating 507 Regularly Scheduled 508 Restoring 510 511 512 Transferri...

Page 689: ...ce 174 Cisco Routers PIM SM Configuring Compatibility 251 CLI Over HTTP 535 CLI Over HTTPs 535 Cluster Management 346 Cluster Voyager 375 Clustering Active 370 Adding a node to a cluster 371 Changing Interface Configurations 382 Cluster Mode 359 Cluster Terminology 347 Cluster Voyager 375 Configuring 343 Configuring for NAT 386 Configuring in Voyager 392 Configuring VPN 1 FireWall 1 386 Creating a...

Page 690: ...14 Cryptographic Acceleration 583 Displaying States 51 Internet Key Exchange Protocol IKE 583 Monitoring 586 CSU DSU T1 Interfaces 152 D Data Collection Events Configuring 35 Date and Time 499 Daytime Service 544 DDR List Adding a New Rule 104 Applying to an Interface 105 Creating 103 Deleting 103 Removing from an Interface 106 Default Route Configuring 268 Deleting IPSO 517 Deleting Locally Store...

Page 691: ...elease 487 Not Supported 496 Supported 496 Files Backup and Restore 507 Files Restoring 510 511 Filtering Global 626 Filters Inbound Route 333 Forward Nonlocal IP Broadcast Helper 455 Frame Relay 192 Changing the Active Status Monitor Setting 195 Changing the DLCI 192 Changing the Interface Type 194 Changing the IP Address 195 Changing the Keepalive Interval 192 Changing the LMI Parameters in 193 ...

Page 692: ...rior Routes 258 IKE Cryptographic Acceleration 583 Images 517 Inbound Route Filters 333 Incoming Call Configuring the IP650 109 Indicators and Interface Status 14 Inline Help Viewing Dynamic for a Section or Field 28 Viewing for the Page 28 Interface Displaying Historical Linkstate Statistics 41 Displaying Historical Throughput Statistics 39 42 44 Displaying Linkstate Statistics 40 Unnumbered 181 ...

Page 693: ...e Upgrading 517 IPSO Images Deleting 517 Installing 517 Managing 515 Selecting 515 Testing 516 IPv4 in IPv6 Tunnels 660 IPv4 or IPv6 Choosing the General Configuration Page 597 IPv6 654 Configuring 653 Creating a Static Route 661 Creating an Aggregate Routes 663 Description 654 Displaying Running States 51 Interfaces 656 Logical Interfaces 656 Neighbor Discovery 656 Network Access and Services 668...

Page 694: ...g 497 Mail Sending 497 Management Activity Log 47 MED 302 Memory Size 294 Message Log Viewing 114 Mirror Set Creating 495 Deleting 495 Modem Configuration 536 538 539 Monitoring Dynamic and Static 34 Multi Exit Discrininator 302 Multiple Static Routes Configuring 270 N Network Access 533 Network Access Services 543 Network Devices Configuring 11 Notification System Failure 498 NTP 486 487 Configur...

Page 695: ...nterface 154 Configuring an E1 Interface 167 Configuring an HSSI Interface 176 Process Management 671 Protocol Independent Multicast 237 Q QoS Descriptor Creating 420 Queue Class 415 Configuration Values 417 Creating 416 Deleting 416 Queue Classes Configuring 415 R RADIUS Configuring 570 Rate Shaping Bandwidth Displaying 37 Report 36 Redistributed Routes 663 Redistributing Routes 22 BGP 22 OSPF 23...

Page 696: ...mation Protocol 230 Routing Protocol Displaying Information 49 Routing Protocols 18 Routing Subsystem 17 RSA and DSA Managing User Identities 553 Rule Deleting 105 411 Modifying 104 S S Key Configuring 529 Disabling 531 Using 530 S Key Password 532 Scheduled Jobs Configuring 514 Scheduled Jobs Deleting 515 Second Window Opening to View Help 29 Secure Shell 545 Authorized Keys 550 Changing Key Pair...

Page 697: ...BGP Session 306 Rank 270 281 Statistics Interface Linkstate 41 Interface Throughput 38 39 42 43 44 Subsystem Routing 17 System Displaying Status 50 System Configuration Auditlog Setting 501 System Configuration Auditlog Deleting 503 System Functions Configuring 491 System Health Monitoring 43 45 System Logging 500 Remote 500 System Logs Monitoring 45 System Resources Monitoring and Configuring 33 ...

Page 698: ...eting 649 Permissions 650 Users Adding 528 V V 35 143 Virtual LAN 80 Virtual Router Redundancy Protocol 459 VLAN 80 Configuring an Interface 81 Deleting an Interface 82 Example Topology 83 Maximum Number 83 Voyager Enabling Session Management 617 Help Conventions 28 How to Use 25 Navigating 25 Voyager Session Management 616 Disabling 617 Voyager Web Access 533 VPN Building on ESP 590 Configuring T...

Page 699: ...ity 460 Sample Configurations 466 Setting a Virtual MAC Address for a Virtual Router 473 Troubleshooting and Monitoring 486 Virtual Routers 459 VRRPv2 Configuration 475 476 477 478 VRRPv2 Creating a Virtual Router 469 470 VRRPv2 Removing a Virtual Router 474 X X 21 143 ...

Page 700: ...Index 702 Voyager Reference Guide ...

Reviews:

No comments

Related manuals for Network Voyager

NEC Versa 2730M Manual preview
Versa 2730M
Brand: NEC Pages: 4
National Instruments NI-DNET User Manual preview
NI-DNET
Brand: National Instruments Pages: 86
FARONICS INSIGHT - Manual preview
INSIGHT -
Brand: FARONICS Pages: 43
JVC GZ-MG77 - Camcorder - 2.2 MP Instructions Manual preview
GZ-MG77 - Camcorder - 2.2 MP
Brand: JVC Pages: 72
Acroprint TimeStation PC Quick Start Manual preview
TimeStation PC
Brand: Acroprint Pages: 2
Texas Instruments InterActive! Getting Started Manual preview
InterActive!
Brand: Texas Instruments Pages: 63
Intel 2521131 - Intel Wasp Motherboard Quick Start Manual preview
2521131 - Intel Wasp Motherboard
Brand: Intel Pages: 1
GRASS VALLEY AURORA PLAYOUT 7 Datasheet preview
AURORA PLAYOUT 7
Brand: GRASS VALLEY Pages: 4
GRASS VALLEY AURORA EDIT 7 Datasheet preview
AURORA EDIT 7
Brand: GRASS VALLEY Pages: 4
Tech Source RAPTOR 1000 - OPENWINDOWS FOR SOLARIS INSTALLATION-REFERENCE Installation And Reference Manual preview
RAPTOR 1000 - OPENWINDOWS FOR SOLARIS INSTALLATION-REFERENCE
Brand: Tech Source Pages: 68
ArcSoft SHOWBIZ 2 User Manual preview
SHOWBIZ 2
Brand: ArcSoft Pages: 99
Autodesk 057B1-41A111-1001 - AutoCAD LT 2010 User Manual preview
057B1-41A111-1001 - AutoCAD LT 2010
Brand: Autodesk Pages: 574
Key Curriculum Press Geometer's Sketchpad User Manual And Reference Manual preview
Geometer's Sketchpad
Brand: Key Curriculum Press Pages: 92
Sans Digital Web GUI RAID Management Tools Default Setting preview
Web GUI RAID Management Tools
Brand: Sans Digital Pages: 1
Adobe 65009626 - Soundbooth CS4 - PC Using Manual preview
65009626 - Soundbooth CS4 - PC
Brand: Adobe Pages: 102
Brother 1960C - IntelliFAX Color Inkjet Software User'S Manual preview
1960C - IntelliFAX Color Inkjet
Brand: Brother Pages: 155
Lenovo ThinkPad R61 Brochure preview
ThinkPad R61
Brand: Lenovo Pages: 4
Lenovo ThinkPad R61 Hardware Maintenance Manual preview
ThinkPad R61
Brand: Lenovo Pages: 254

Brands by name

Popular brands

Load more brands