Security Switch 6200 Hardware and Software Users Guide
[Cover illustration: Security Switch 6200 front panel]
December 2003
Copyright © 2003, 3Com Corporation. All rights reserved. No part of this documentation may be reproduced in any form or by any means or used to make any derivative work (such as translation, transformation, or adaptation) without written permission from 3Com Corporation. 3Com Corporation reserves the right to revise this documentation and to make changes in content from time to time without obligation on the part of 3Com Corporation to provide notification of such revision or change.
Contents
About this Guide
Intended Audience ... v
Conventions ... v
Related Documentation ... vi
Customer Support ... vi
1 Introduction
System Components ...
Configuring the Security Switch 6200 System
Configuring System Parameters ... 4-2
Configuring User Accounts ... 4-5
Configuring the Network Time Protocol (NTP) ... 4-6
Configuring Domain Name Resolution ... 4-6
Configuring the Simple Network Management Protocol (SNMP) ...
B Connector Pin Assignments
C Regulatory Information
Regulatory Standards Compliance ...
CE marking for the EEA (European Economic Area) ...
Safety ...
Factory Approvals ...
EMI Compliance ...
About this Guide This guide describes how to install and configure the 3COM Security Switch 6200 hardware and system software. The Security Switch 6200 is based on the 3COM system software and may be referred to as the system. Intended Audience This guide is intended for system integrators and other qualified service personnel responsible for installing, configuring, and managing the system.
Related Documentation
The following guides provide additional installation and configuration information for the system:
Security Switch 6200 Product Release Notes
Install Server Installation and Configuration Guide
Security Switch 6200 Applications Guide
Customer Support
To obtain technical tips or support, refer to the Technical Support chapter of this guide.
Introduction
The Security Switch 6200 is a high-performance, turnkey security services switch that integrates best-in-class firewall, virtual private network, intrusion detection, and content security engines. The system offers high port density, high availability, and simplicity of management in a compact, expandable form factor. The system is a Network Processor-based security platform that provides exceptional performance while maintaining flexibility for security application support.
• One serial console port.
• Two redundant, hot-swappable power supplies.
• Five expansion slots for optional VPN or other security acceleration cards.
Chassis
The chassis is front rack mountable in a standard 19 inch rack. Figure 1-1 displays the 6200 system’s major components.
Management Options
The system provides two system management options:
• First time startup interview
• Configuration Tool
First Time Startup Interview
The system uses a built-in, easy to configure interview tool (cos_interview) that allows you to quickly configure your system for basic operations. For further information on the startup interview, refer to the Interface Connections and First Time Start-Up chapter of this guide.
Installation
This chapter describes the system installation, covering the following topics:
• Pre-installation considerations
• Chassis installation
• Interface connections
Before You Start
WARNING: To ensure power connectivity, if you are using more than one power supply, be sure to use separate power sources.
Before installing your system, be sure that the site’s environmental and space requirements allow optimal chassis access and operation.
Site Requirements
The system installation site should meet the following requirements:
Requirement            Description
Operating Temperature  0 to 40 degrees C
Relative Humidity      10% - 90%, non-condensing
Minimum Ventilation    6 inches (15.2 cm) to the front, back, and sides of the chassis
Service Clearance      30 inches (76.
Shipment Check
[Figure 2-1 illustration: Security Switch 6200 chassis front panel]
Figure 2-1 3COM Security Switch 6200 Shipping Contents
NOTE: 3COM recommends that you save the shipping containers in the event you need to send back one or more components.
Additional Equipment
• PC running RedHat Linux 6.2 or greater software. This software is used to support the Security Switch 6200 Graphical User Interface (GUI) and for hosting the Check Point™ FireWall-1® Management Server.
• PC running WinNT4/Win2K software. This software is used for launching the Check Point FireWall-1 GUI and the system’s embedded WEB GUI.
• Security applications licenses to activate installed software on the system.
Terminal or PC
A VT-100 terminal or a Personal Computer (PC) is required during installation. The terminal or PC is connected to the chassis’s craft port, allowing you to monitor start-up diagnostics and to configure the unit for remote management access.
Chassis Rack Installation
The chassis can be installed in the front or center of a standard 19” rack.
Front Rack Mounting
To install the chassis in the front of your rack:
1. Remove the center brackets (one on each side) from the system.
Tabletop Mounting
The system can be mounted on any desk or table top. To do this you first need to attach the four rubber feet, supplied with the system, to the bottom of the box. To do this, complete the following:
1. Turn the system over onto its top with the bottom facing up.
2. Locate the indented feet locators, as shown in the following figure.
[Figure: indented feet locators, labelled "Place rubber feet here."]
3. Peel the backing off of the rubber feet and press them down firmly on the indents.
Interface Connections and First Time Start-Up This chapter describes the procedure for powering up the system for the first time.
To connect to the serial connector use the DB9 serial connector located on the front panel of the system.
NOTE: If you are connecting to the system Management Console using a terminal or PC, the serial port on the terminal or PC must be configured for 9600 baud, 8 data bits, 1 stop bit, no parity, and no flow control.
Connecting a Terminal or PC to the System Front Serial Craft Port
To connect a terminal or PC to the system front serial craft port:
1.
Connecting Remotely
To access the system remotely:
1. Connect one end of an RJ45-to-RJ45 cable into a remote access device.
2. Connect the other end into the Management port. Figure 3-2 shows the Management port module connected to a hub.
[Figure 3-2 illustration: Management port connected to a hub]
Figure 3-2 Connecting to the System Remotely
3. Telnet to configure IP.
Power Connections
CAUTION: To ensure power connectivity, if you are using more than one power supply, be sure to use separate power sources.
2. Attach the male end of the power cable into an AC power source. The system is powered up when power is applied to the power supplies.
NOTE: If the system is powered up with one power supply or if one of the power supplies experiences a loss of power, an audible alarm sounds. To silence this sound, press the red button located on the left side of the primary power supply.
POST Error Beep Codes
The following tables list POST error beep codes. Before system video initialization, the BIOS and BMC use these beep codes to inform users of error conditions.
POST Memory Error 3-Beep Codes
Beep Code  Debug Port 80h Error Code  Diagnostic LED Decoder (G=Green, R=Red, A=Amber) Hi ... Low  Meaning
3          00h                        Off Off Off Off                                         No memory was found in the system.
3          01h                        Off Off Off G                                           Memory mixed type detected.
3          02h                        Off Off G Off                                           EDO is not supported.
3          03h                        Off Off G G                                             First row memory test failure.
3          04h                        Off G Off Off                                           Mismatched DIMMs in a row.
3          05h                        Off G Off G                                             Base memory test failure.
First Time Startup
The system uses a built-in, easy to configure interview script that allows you to quickly configure your system for basic operations. Once you have completed this interview, you can use the system Configuration Tool to set additional parameters. The interview script is launched from the UNIX root prompt. To launch the interview script, complete the following.
Please provide the date in "Mon DD YYYY" format, where
Mon : month in the form Jan, Feb, etc.
DD : day of month (1 - 31),
YYYY: for example 2002
Enter the Date :
3. Define the Time Zone. Select a time zone based on the location of your system.
The current Time Zone is “present-time-zone”
Would you like to Modify the Time Zone [N]: y
Select a continent or ocean.
4. Select a region.
SNMP Communities
================
Community  Address    Netmask          Access
middle     10.1.1.22  255.255.255.255  read-write
Add the SNMP Communities [N]:
7. Configure the individual user accounts.
Accounts Configuration
======================
This section allows you to change your “root” password. Additionally, you can set up accounts for users to log into once the Interview is complete.
Enter choice.
11. Configure NTP to achieve time synchronization. Synchronizing the system’s clock with an accurate source is important for proper correlation of security events. The system uses the Network Time Protocol (NTP) to achieve time synchronization. The IP address of an NTP server must be specified.
NTP Server
==========
Add NTP Server [Y]:
Enter NTP Server IP Address [0.0.0.
Configuring the Security Switch 6200 System
The system uses a menu-driven configuration interface (cos_config) for configuration purposes. This tool supports adding, modifying, or deleting any of the system configuration parameters. This configuration interface is launched from the UNIX admin prompt. To launch this tool, complete the following:
1. Log into your system as admin.
username: admin
password: admin
2.
Configuration
=============
1) System Parameters
2) User Accounts
3) Network Time Protocol (NTP)
4) Domain Name Service (DNS)
5) Simple Network Management Protocol (SNMP)
6) Physical Interfaces
7) Tap Interfaces
8) Network Interfaces
9) IP Aliases
10) Static Routes
11) Static ARP Entries
12) Virtual Router Redundancy Protocol (VRRP)
X) Exit
To begin your configuration, select the desired option from the main menu.
2. To change any of the system parameters enter y, or press the Return key to leave system parameters unchanged.
Enter the System Host Name [hostname]:
Enter the System Domain Name []:
Enter the Time [15:28:40]:
Enter the Date [Apr 07 2003]:
Would You Like to Modify the Time Zone [N]:
3. To change the time zone enter y or press the Return key to leave system parameters unchanged. Select a time zone based on the location of your system.
4. Select a region.
Configuring User Accounts
Each system user is defined by the user’s name, password, and access level. Collectively, these properties define each user’s profile. Login access allows the user to log in to the UNIX shell; setting it to disabled restricts the user to WEB access only. To configure individual user accounts:
1. Select Option 2 from the main menu.
Configuring the Network Time Protocol (NTP)
The Network Time Protocol (NTP) is used to synchronize the time of a computer client or server to another server or reference time source, such as a radio or satellite receiver or modem. It provides accuracies typically within a millisecond on LANs and up to a few tens of milliseconds on WANs relative to Coordinated Universal Time (UTC) through a Global Positioning Service (GPS) receiver, for example.
2) DNS Search Domains
X) Exit
Enter choice <1 - 2, X>[X]: 2
DNS Search Domains
==================
Modify the DNS Domain Search List [eXit]: a
Enter DNS Search Domain []: 3com.com
DNS Search Domains
==================
3com.com
Modify the DNS Domain Search List [eXit]:
Domain Name Resolution Configuration
====================================
1) DNS Servers
2) DNS Search Domains
X) Exit
Enter choice <1 - 2, X>[X]:
3.
etc/snmp/snmp.local.conf)]: srhen@crossbeamsys.com
Enter SNMP Location [Unknown (edit /etc/snmp/snmpd.conf)]: Lab
SNMP configuration
==================
1) SNMP Server
2) Communities
3) Trap Destinations
X) Exit
Enter choice <1 - 3, X>[X]: 1
SNMP Server
===========
Enabled   enabled
Contact   lab@3com.com
Location  The Lab
Would You Like to Modify the SNMP Configuration [n]:
3.
SNMP Communities
================
Community  Address    Netmask          Access
foobar     10.2.1.48  255.255.255.255  read-write
Change the SNMP Communities [eXit]: a
Enter Community Name []: public
Enter IP Source Addresses [0.0.0.0/32]: 10.0.0.0/8
Enter Access Mode [read-only]:
SNMP Communities
================
Community  Address    Netmask          Access
foobar     10.2.1.48  255.255.255.255  read-write
public     10.0.0.0   255.0.0.
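As an added example (not part of the original guide and not code from the cos_config tool), the following Python script parses an "SNMP Communities" table in the layout cos_config prints and flags the settings a reviewer would want to tighten: well-known default community names, read-write access, and a source range wider than a single host. The sample display and the finding rules are constructed for this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample of the cos_config "SNMP Communities" display (not captured
# from a real unit); the column layout follows the display shown in this guide.
SAMPLE_DISPLAY = """\
SNMP Communities
================
Community  Address    Netmask          Access
foobar     10.2.1.48  255.255.255.255  read-write
public     10.0.0.0   255.0.0.0        read-only
Change the SNMP Communities [eXit]:
"""

# Community strings that ship as defaults on many SNMP agents and are the
# first ones any network scanner tries.
WELL_KNOWN_COMMUNITIES = {"public", "private"}


@dataclass
class Community:
    name: str
    source: ipaddress.IPv4Network  # address + netmask the agent accepts queries from
    access: str                    # "read-only" or "read-write"


def parse_communities(display: str) -> List[Community]:
    """Parse the data rows of a 'SNMP Communities' table as printed by cos_config."""
    rows: List[Community] = []
    in_table = False
    for line in display.splitlines():
        parts = line.split()
        if parts[:1] == ["Community"] and parts[-1:] == ["Access"]:
            in_table = True          # header row; data rows follow
            continue
        if not in_table or len(parts) != 4:
            continue                 # title, underline, blank lines, prompts
        name, address, netmask, access = parts
        # IPv4Network accepts "address/netmask"; strict=False tolerates host bits.
        source = ipaddress.IPv4Network(f"{address}/{netmask}", strict=False)
        rows.append(Community(name, source, access))
    return rows


def audit_communities(communities: List[Community]) -> List[Tuple[str, str]]:
    """Return (community, finding) pairs for settings worth tightening."""
    findings: List[Tuple[str, str]] = []
    for c in communities:
        if c.name.lower() in WELL_KNOWN_COMMUNITIES:
            findings.append((c.name, "well-known default community name"))
        if c.access == "read-write":
            findings.append((c.name, "read-write access"))
        if c.source.prefixlen < 32:
            # The prompt default 0.0.0.0/32 is a single host; anything shorter
            # than /32 lets a whole range of sources use this community.
            findings.append((c.name, f"source range {c.source} wider than a single host"))
    return findings


if __name__ == "__main__":
    for name, finding in audit_communities(parse_communities(SAMPLE_DISPLAY)):
        print(f"{name}: {finding}")
```

Paste the table from an actual cos_config session into SAMPLE_DISPLAY to audit a real configuration; the trap destination shown later in this guide uses SNMPv1, so a community string also travels in cleartext with every trap.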
SNMP Traps
==========
Destination  Port  Type  Version  Community
10.2.1.48    162   trap  SNMPv1   foobar
Change the SNMP Trap Destinations [eXit]:
7. Enter the desired option or enter X to return to the SNMP Configuration Menu.
SNMP configuration
==================
1) SNMP Server
2) Communities
3) Trap Destinations
X) Exit
8. Enter the desired option or enter X to return to the main menu.
Configuring Physical Interfaces
Interface           MAC Address (Configured)  Auto neg  Duplex  Speed
fastethernet 14     (N)                       on        half    10
fastethernet 15     (N)                       on        half    10
fastethernet 16     (N)                       on        half    10
gigabitethernet 17  (N)                       on        half    10
gigabitethernet 18  (N)                       on        half    10
Modify Physical Interface Parameters [n]:
2. Enter y to modify a physical interface or n to return to the main menu.
Interface           MAC Address (Configured)  Auto neg  Duplex  Speed
gigabitethernet 18  (N)                       on        half    10
Modify Physical Interface Parameters [N]:
3. Enter y to modify additional physical interfaces or n to return to the main menu.
Configuring Tap Interfaces
Tap interfaces are used to copy the input and output packets from a physical interface prior to processing by the firewall acceleration process.
Configuring Network Interfaces
A network interface associates an IP address with a physical connection and optionally a VLAN id. To configure network interfaces:
1. Select Option 8 from the main menu.
IP Interfaces
=============
Interface     Address       Netmask        Broadcast       MTU   Enabled
management 1  192.168.10.6  255.255.255.0  192.168.10.255  1500  enabled
2. To add a network interface, select add from the main menu.
IP Interfaces
=============
Interface                Address       Netmask        Broadcast       MTU   Enabled
management 1             192.168.10.6  255.255.255.0  192.168.10.255  1500  enabled
fastethernet 1           128.205.1.23  255.255.255.0  128.205.1.255   1500  enabled
fastethernet 1 vlan 100  128.205.2.23  255.255.255.0  128.205.2.255   1500  enabled
Modify the IP Interfaces [eXit]:
4.
IP Aliases
==========
Interface       IP Address    Netmask      Broadcast
fastethernet 1  128.205.1.24  255.255.0.0  128.205.255.255
fastethernet 1  128.205.1.24  255.255.0.0  128.205.1.255
Modify the IP Aliases [eXit]: a
Enter Interface [fastethernet 1]:
VLAN Interface [N]: y
Enter VLAN ID <1 - 4095>: 100
Enter IP Address [0.0.0.0]: 128.205.2.24
Enter Network Mask [255.255.0.0]: 255.255.255.0
Enter Broadcast Address [128.205.2.
Configuring Static Routes
Static IP routes are user-defined routes that cause packets moving between a source and a destination to take a specific path. To configure Static Routes:
1. Select Option 10 from the main menu.
Static Routes
=============
Destination  Netmask  Gateway  Metric
2. Enter the desired option to add, delete, or modify a static route or enter x to return to the main menu.
Configuring Static ARP Entries
You define static Address Resolution Protocol (ARP) entries by relating an IP address to a MAC address. To configure static ARP entries:
1. Select Option 11 from the main menu.
Static ARP Entries
==================
IP Address  MAC Address
2. Enter the desired option to add, delete, or modify a static ARP entry or enter x to return to the main menu.
Configuring the Virtual Router Redundancy Protocol (VRRP)
The Virtual Router Redundancy Protocol (VRRP) dynamically assigns responsibility for one or more virtual routers to the VRRP routers on a LAN, allowing several routers on a multiaccess link to utilize the same virtual IP address. The system can be configured to run the VRRP protocol in conjunction with one or more other systems attached to a LAN.
VRRP Configurations
===================
VRRP ID                          : 1
Enabled                          : disabled
VRRP Interface                   : fastethernet 1
Enable VRRP MAC                  : disabled
Preemption                       : disabled
Priority                         : 100
Advertisement Interval (seconds) : 1
Group ID                         : 1
IP Addresses                     : 30.0.0.10
2. Enter the desired option to add, delete, or modify a VRRP entry or enter x to return to the main menu.
Enter VRRP ID [0]: 2
Enable [disabled]:
Enter Interface [management 0]: fastethernet 1
VLAN Interface [N]: y
Enter VLAN ID <1 - 4095>: 100
Enable VRRP MAC [disabled]: enabled
Enable Preemption [disabled]:
Enter Priority [0]: 100
Enter Advertisement Interval (seconds) [1]:
Enter Group ID [0]: 1
Enter IP Addresses Separated by Comma []: 30.0.0.
Exiting from the Configuration Tool
To exit from the system Configuration Tool, select Option X from the main menu.
Enter choice <1 - 12, X>[X]: X
Saving Your System Configuration
To save your configuration, at the admin prompt, use the following command:
[admin@xxxxx bin]# ./cos_show_system -f /directory/filename
Where the directory specifies the directory where the file is located, and the filename is the actual configuration file.
address="10.1.1.50" >
ip_addr="128.205.1.
Restoring the System to Factory Default Settings
To delete the current configuration and return the system to its factory defaults, use the following command at the admin prompt.
NOTE: The IP address of interface Management 1, telnet, and the default gateway are left intact.
Getting Help Within the Configuration Tool
To receive help from within the system Configuration Tool, use the following command at the admin prompt.
Upgrading the System Software This chapter describes how to update your 3COM Security Switch 6200 system software. Upgrading the System Software If you are upgrading your system from a previously configured release, you do not need to use the full system software. Instead, you can use the software upgrade patch. NOTE: "upgradepack-ocode-A*-1.0.0-11-2.1.4-17.shar.gz" is the upgrade pack that will enable you to upgrade from 2.1.x to 2.1.4 (x = 0,1,2). To do this, complete the following: 1.
7. Once the above command completes, enter the following command at the root prompt:
chmod 700 cos-upgradepack-ocode-AZZZ-Y.Y.Y-Y-X.X.XX.shar
8. Once the above command completes, enter the following command at the root prompt:
./cos-upgradepack-ocode-AZZZ-Y.Y.Y-Y-X.X.X-X.shar
Answer "Y" when this command prompts you.
NOTE: Once this action completes successfully, your system software is upgraded.
Using the Safe Upgrade and Rollback Features
Your system ships with two disk partitions: one partition is used for the current runtime (RP) version of software and the other for the upgraded (UP) version of software. Each partition provides 20 Gigabytes of disk space. This chapter describes how to update your system software and how to utilize these partitions.
Using Multiple Versions of Software (Safe Upgrade)
Upgrading from Version 2.
/dev/ataraid/d0p2    14    79   530145   82  Linux swap
/dev/ataraid/d0p5    80   882  6450097   83  Linux   # /
/dev/ataraid/d0p6   883  2070  9542609+  83  Linux   # /opt
/dev/ataraid/d0p7  2071  2435  2931862   83  Linux   # /var
4. Duplicate the above table for the dual boot by entering the letter “n” five times.
Upgrading from Version 2.1 and Greater
Version 2.1 and later releases allow you to do a full copy of the Running Partition (RP) to an Upgrade Partition (UP) before actually upgrading your system software. To do this:
1. Make sure you are connected to the console.
2. Reboot your system into single user mode. To do this, at the root prompt, enter:
init 1
3.
Upgrading from Software to a UP While an RP is Operational (Rollback)
Version 2.1 and later releases allow you to install the system software to a UP while an RP is operational. This is done using /usr/os/sbin/install-cos. install-cos can install to either partition 1 or 2 of the disk. You can run install-cos while the system is booted from the install server or while the system is running off the disk.
Technical Support 3Com provides easy access to technical support information through a variety of services. This chapter describes these services. Information contained in this chapter is correct at time of publication. For the most recent information, 3Com recommends that you access the 3Com Corporation World Wide Web site.
3Com Knowledgebase Web Services
The 3Com Knowledgebase is a database of technical information to help you install, upgrade, configure, or support 3Com products. The Knowledgebase is updated daily with technical information discovered by 3Com technical support engineers. This complimentary service, which is available 24 hours a day, 7 days a week to 3Com customers and partners, is located on the 3Com Corporation World Wide Web site at: http://www.knowledgebase_3com.
Support from 3Com
If you are unable to obtain assistance from the 3Com online technical resources or from your network supplier, 3Com offers email and telephone technical support services. To find out more about your support options, email or call the 3Com technical support services at the location nearest you.
Email Support
Some 3Com regions offer an email support service. To access this service for your region, use the appropriate URL or email address from the list below.
Telephone Support Numbers
Country
Asia, Pacific Rim: Australia, India, Indonesia, Malaysia, New Zealand, Pakistan, Philippines, Singapore, S.
Country / Telephone Number
Latin America
From the Caribbean, Central and South America, call: Antigua Argentina Aruba Bahamas Barbados Belize Bermuda Bonaire Brazil Cayman Chile Colombia Costa Rica Curacao Ecuador Dominican Republic Guatemala Haiti Honduras Jamaica Martinique Mexico Nicaragua Panama Paraguay Peru Puerto Rico Salvador Trinidad and Tobago Uruguay Venezuela Virgin Islands
North America
Country / Telephone Number 1 800 876 3266 1 800 988 2112 0 810 444 3COM 1 800 998 2112 1 8
Returning Products for Repair
Before you send a product directly to 3Com for repair, you must first obtain an authorization number. Products sent to 3Com without authorization numbers will be returned to the sender unopened, at the sender's expense. You can obtain an authorization number (called an RMA) by entering the following URL into your Internet browser: http://www.3com.
Country / Telephone Number / Fax Number
Latin America: Antigua Argentina Aruba Bahamas Barbados Belize Bermuda Bonaire Brazil Cayman Chile Colombia Costa Rica Curacao Ecuador Dominican Republic Guatemala Haiti Honduras Jamaica Martinique Mexico Nicaragua Panama Paraguay Peru Puerto Rico Salvador Trinidad and Tobago Uruguay Venezuela Virgin Islands 1-800-988-2112 0-810-444-3COM 1-800-998-2112 1-800-998-2112 1-800-998-2112 52-5-201-0010 1-800-998-2112 1-800-998-2112 0800-13-3COM 1-800-998-211
A Technical Specifications
This appendix lists the physical, environmental, and power characteristics of the 3COM Security Switch 6200.
Physical Characteristics
Size (Inches): 3.5 H x 17.5 W x 25.
B Connector Pin Assignments
This appendix describes the craft port pin assignments. The Craft port, located on the front of the system, uses a DB-9 connector with the following pin identifications and associated signals.
C Regulatory Information
This appendix provides the following compliance statements:
• Regulatory Standards Compliance
• Radio Frequency Interference
• VCCI Statement
Regulatory Standards Compliance
The following regulatory agencies have approved the 3COM Security Switch 6200 and have found it to be fully compliant with their environmental, safety, and emissions standards.
EMI Compliance
Radio Frequency Interference
NOTE: In accordance with FCC Part 15 Subpart B requirements, changes or modifications made to this equipment not expressly approved by 3COM Corporation could void the user’s authority to operate this equipment.
The 3COM Security Switch 6200 is designed for Class A use only. Do not attempt to use this equipment in a domestic environment, which requires Class B distinction. The system may cause interference with domestic products.