Nokia Network Voyager for IPSO 4.0 Reference Guide Part No.
COPYRIGHT ©2005 Nokia. All rights reserved. Rights reserved under the copyright laws of the United States. RESTRICTED RIGHTS LEGEND Use, duplication, or disclosure by the United States Government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013.
Fax 1-650-691-2170
Mail Address: Nokia Inc., 313 Fairchild Drive, Mountain View, California 94043-2215 USA
Regional Contact Information
Americas: Nokia Inc., 313 Fairchild Drive, Mountain View, CA 94043-2215 USA. Tel: 1-877-997-9199; outside USA and Canada: +1 512-437-7089; email: info.ipnetworking_americas@nokia.com
Europe, Middle East and Africa: Nokia House, Summit Avenue, Southwood, Farnborough, Hampshire GU14 0NG UK. Tel: UK: +44 161 601 8908; Tel: France: +33 170 708 166; email: info.ipnetworking_emea@nokia.
Contents
About the Nokia Network Voyager Reference Guide 19
Conventions This Guide Uses
Notices
Text Conventions
Menu Items
Related Documentation
Configuring Tunnel Interfaces 33
Ethernet Interfaces 34
Configuring Ethernet Interfaces 34
Link Aggregation 35
Managing Link Aggregation Using SNMP 36
Configuring Switches for Link Aggregation
Configuring Unnumbered Interfaces
Configuring OSPF over Unnumbered Interface
OSPF over Unnumbered Interfaces Using Virtual Links
Cisco HDLC Protocol
Point-to-Point Protocol
Frame Relay Protocol
Loopback Interfaces
Changing DHCP Service
Adding DHCP Address Pools
Enabling or Disabling DHCP Address Pools
Assigning a Fixed-IP Address to a Client
Creating DHCP Client Templates
Configuring Dynamic Domain Name System Service
Configuring the Domain Name Service
Downgrading Nokia IPSO Images
Configuring Monitor Reports
Managing Packages
Installing and Enabling Packages
Advanced System Tuning
Tuning the TCP/IP Stack
Cluster Terminology
Clustering Modes
Considerations for Clustering
If You Do Not Use a Dedicated Primary Cluster Protocol Network
Upgrading IPSO in a Cluster
For All Upgrades
6 Configuring SNMP 249
SNMP Overview
SNMP Proxy Support for Check Point MIB
Using the Check Point MIB
Using cpsnmp_start
Enabling SNMP and Selecting the Version
Using VRRPv3
Creating a Virtual Router to Back Up Another VRRP Router Addresses Using VRRPv3
Monitoring the Firewall State
Setting a Virtual MAC Address for a Virtual Router
Changing the IP Address List of a Virtual Router in VRRPv3
Removing a Virtual Router in VRRPv3
Configuring Secure Shell Authorized Keys
Changing Secure Shell Key Pairs
Managing User RSA and DSA Identities
Tunneling HTTP Over SSH
Network Voyager Session Management
Enabling or Disabling Session Management
Configuring Session Timeouts
Routing Protocols
Route Maps
OSPF
Types of Areas
Area Border Routers
High Availability Support for OSPF
Configuring IGRP
DVMRP
Configuring DVMRP
Configuring DVMRP Timers
IGMP
Configuring IGMP
BGP Multi Exit Discriminator Example
Changing the Local Preference Value Example
BGP Confederation Example
Route Reflector Example
BGP Community Example
EBGP Load Balancing Example: Scenario #1
EBGP Load Balancing Example: Scenario #2
Configuring a COPS Client ID and Policy Decision Point
Configuring Security Parameters for a COPS Client ID
Assigning Roles to Specific Interfaces
Activating and Deactivating the COPS Client
Changing the Client ID Associated with Specific Diffserv Configuration
Deleting a Client ID
Displaying Interface Settings
Hardware Monitoring 487
Using the iclid Tool 487
iclid Commands 488
Preventing Full Log Buffers and Related Console Messages 488
Index 494
About the Nokia Network Voyager Reference Guide This guide provides information about how to configure and monitor Nokia IPSO systems. This guide provides conceptual information about system features and instructions on how to perform tasks using Nokia Network Voyager, the Web-based interface for IPSO. All of the tasks that you perform with Network Voyager you can also perform with the command-line interface (CLI), allowing you to choose the interface you are most comfortable with.
the hostname. It also describes how to save configuration sets, schedule jobs, back up and restore files, manage and upgrade system images, reboot the system, manage packages, and perform advanced system tuning. Chapter 4, “Virtual Router Redundancy Protocol (VRRP)” describes how to provide dynamic failover of IP addresses using VRRP.
Conventions This Guide Uses
The following sections describe the conventions this guide uses, including notices, text conventions, and command-line conventions.
Notices
Caution: Cautions indicate potential equipment damage, equipment malfunction, loss of performance, loss of data, or interruption of service.
Note: Notes provide information of special interest or recommendations.
Text Conventions
Table 1 describes the text conventions this guide uses.
Table 1 Text Conventions (continued)
Convention | Description
Menu commands | Menu commands are separated by a greater than sign (>): Choose File > Open.
Italics | • Emphasizes a point or denotes new terms at the place where they are defined in the text.
• Indicates an external book title reference.
• Indicates a variable in a command: delete interface if_name
Menu Items
Menu items in procedures are separated by the greater than sign.
1 About Network Voyager This chapter provides an overview of Network Voyager, the Web-based interface that you can use to manage Nokia IPSO systems. Nokia Network Voyager is a Web-based interface that you can use to manage IPSO systems from any authorized location. Network Voyager comes packaged with the IPSO operating system software and is accessed from a client using a browser.
Logging In to Network Voyager When you log in to Network Voyager, the navigation tree you see depends on the role or roles assigned to you. If the roles assigned to your user account do not include access to a feature, you will not see a link to the feature in the tree. If your roles have read-only access to a feature, you will see a link and be able to access the page, but all the controls will be disabled. For more information on role-based administration, see “Role-Based Administration” on page 293.
Obtaining a Configuration Lock When you log in with exclusive configuration lock, no other user will be able to change the system configuration. Only users with read/write access privileges are allowed to log in with exclusive configuration lock. If you acquire a configuration lock and then close your browser without logging out, the lock remains in effect until the session time-out elapses or someone manually overrides the lock.
4. Enter your user name and password.
5. Click Log In.
Navigating in Network Voyager
The following table explains the functions of the buttons in Network Voyager. Other buttons are described in the inline help for each page.
Button | Description
Apply | Applies the settings on the current page (and any deferred applies from other pages) to the current (running) configuration file in memory.
Feedback | Takes you to the documentation or Technical Assistance Center (TAC) feedback page.
This guide, the Nokia Network Voyager Reference Guide for IPSO, is the comprehensive reference source for IPSO administration and using the Network Voyager interface. You can access this guide and the CLI Reference Guide from the following locations: Network Voyager interface—Click the Documentation link in the tree view. Nokia support site (https://support.nokia.com). On the software CD that might have been delivered with your appliance.
Viewing Hardware and Software Information for Your System The asset management summary page provides a summary of all system resources, including hardware, software and the operating system. The hardware summary includes information about the CPU, disks, BIOS, and motherboard, including the serial number, model number, and capacity, or date, as appropriate. The summary also displays the amount of memory on the appliance.
2 Configuring Interfaces This chapter describes configuring and monitoring the various types of interfaces supported by Nokia IP security platforms, aggregating Ethernet ports, configuring GRE and DVMRP tunnels, using transparent mode to allow your IPSO appliance to behave like a Layer 2 device, and other topics related to physical and logical interfaces. Interface Overview Nokia IPSO supports the following interface types.
IP2250 Management Ports
The Ethernet management ports on IP2250 systems are designed to be used for the following purposes:
Managing the appliance
Firewall synchronization traffic
IP cluster protocol traffic
Connection to a log server
Caution: The management ports are not suitable for forwarding production data traffic. Do not use them for this purpose.
Configuring Network Devices
Network Voyager displays network devices as physical interfaces.
Type | Prefix
ISDN | isdn
The loopback interface also has a physical interface named loop0. Use Network Voyager to set attributes of interfaces. For example, line speed and duplex mode are attributes of an Ethernet physical interface. Each communications port has exactly one physical interface.
Configuring IP Addresses
Logical interfaces are created for a device's physical interface. You assign an IP address to logical interfaces and then route to the IP address.
Physical Interface | Logical Interface: Default | Cisco HDLC | PPP | Frame Relay
Serial (X.21 or V.35) | One (c0) | One (c0) | One per DLCI (c#)
T1/E1 | One (c0) | One (c0) | One per DLCI (c#)
HSSI | One (c0) | One (c0) | One per DLCI (c#)
Token Ring | ISDN | One (c0) | One (c#)
For example, the logical interface of a physical interface eth-s2p1 is called eth-s2p1c0. The logical interfaces for PVCs 17 and 24 on an ATM NIC in slot 3 are called atm-s3p1c17 and atm-s3p1c24 respectively.
Table 2 Interface Status Indicators
Indicator | Description
None | If no color indication is displayed, the physical interface is disabled. To enable the interface, click the physical interface name to go to its configuration page.
Blue | The device corresponding to this physical interface has been removed from the system, but its configuration remains. To delete its configuration, click the physical interface name to go to its configuration page.
Ethernet Interfaces
You can configure a number of parameters for each Ethernet interface, including the following:
Enable (make active) or disable the interface.
Change the IP address for the interface.
Change the speed and duplex mode.
Configuring Ethernet Interfaces
Table 3 describes the configuration settings for an Ethernet interface.
Table 3 Physical Interface Configuration Parameters
Parameter | Description
Active | Select On to enable the interface, select Off to disable the interface.
Logical name | Use this to enter a more meaningful name for the interface.
Comments (Optional) | This field is displayed on the main Interface Configuration and the Logical Interface pages. Use it to add a description that you might find useful in identifying the logical interface.
To configure an Ethernet interface 1. Click Interfaces under Configuration > Interface Configuration in the tree view. 2.
balancing across the ports. For example, you can aggregate two 10/100 Mbps ports so they function like a single port with a theoretical bandwidth of 200 Mbps, and you can aggregate two Gigabit Ethernet ports so they function like a single port with a theoretical bandwidth of 2000 Mbps. If you have only 10/100 interfaces and need a faster link but can’t or don’t want to use Gigabit Ethernet, you can use link aggregation to achieve faster throughput with the interfaces you already have.
When you assign switch ports to an EtherChannel group, set the channel mode to on to force the ports to form a channel without using the Link Aggregation Control Protocol (LACP) or Port Aggregation Protocol (PAgP). If your switch supports it, configure the aggregated ports to distribute the traffic using source and destination IP addresses. If your switch can only distribute traffic based on source or destination MAC addresses, configure it to use the source MAC addresses.
Note: Use Ethernet crossover cables to connect the management ports that you aggregate. Using a switch or a hub can result in incomplete synchronization. Because you should use crossover cables for these connections, you should not configure more than two IP2250 appliances in a VRRP group or IP cluster.
Do not combine any of the built-in 10/100 Ethernet management ports with ports on an I/O card to form an aggregation group. Caution Do not use the management ports of an IP2250 for production traffic, regardless of whether the ports are aggregated. Configuring Link Aggregation To set up link aggregation in Network Voyager 1. Physically configure the interfaces. 2. Create the aggregation group. 3. Logically configure the aggregation group. These steps are explained in the following sections.
4. Click Apply. 5. Click Save to make the changes permanent. 6. Perform step 2 through step 5 again to configure the other interfaces identically. Group Configuration Once the physical interfaces are configured, you need to create and configure link aggregation groups. On appliances other than the IP2250, you can put ports on different LAN interface cards in the same aggregation group. For example, you can include a port on a card in slot 1 and a port on a card in slot 2 in the same group.
Logical Configuration When you have completed the aggregation group, you must configure it with an IP address and the other logical interface settings. Navigate to the Interfaces Configuration page and click the logical name of the group. Network Voyager shows the logical name in the format aexxxc0. For example, the logical name of a group with the ID 100 is ae100c0. If you create a link aggregation group but do not add any interfaces to it, the logical name of the group does not appear on the Interfaces Configuration page.
Table 4 Gigabit Ethernet Interface Parameters
Parameter | Description
MTU | The maximum length of frames, in bytes, that can be transmitted over this device. This value limits the MTU of any network protocols that use this device. This option appears only for NICs that have the capability of transmitting jumbo frames. Default is 1500; range is 1500-16,000. Note: On the IP2250, the range is 1500-9600.
IP Address & Mask Length | You can add multiple IP addresses. Each IP address and mask length that you add is added to the table when you click Apply. The entry fields return to blank to allow you to add more IP addresses. Use the Delete check box to delete IP addresses from the table.
9. (Optional) Change the interface logical name to a more meaningful name by typing the preferred name in the Logical name text box. Click Apply. 10. (Optional) Add a comment to further define the logical interface's function in the Comments text box. Click Apply. 11.
5. In the Ethernet Interface drop-down box, select the Ethernet interface you wish to associate with the PPPoE logical interface. 6. In the Mode drop-down box, select a connection mode. 7. In the Timeout text box, enter a time in seconds. 8. (Optional) In the Peername text box, enter the name of the PPPoE server. Note: If you use the Peername field, only the PPPoE server named in the field will be allowed to connect to the system. 9.
Note The PPPoE logical interface is on by default and the associated link trap is disabled by default. If you wish to change either setting, click the appropriate setting next to the feature you wish to enable or disable and click Apply. 20. Click Apply. 21. Click Save to make your changes permanent. To create PPPoE logical interfaces 1. Click Interfaces under Configuration > Interface Configuration in the tree view. 2. Click the pppoe0 link. 3.
5. Click Delete. 6. Click Apply. Configuring MSS Clamping When end devices rely on path MTU discovery, their connections can fail when they pass through PPPoE interfaces. Use the MSS Clamping field to prevent these problems by reducing the maximum segment size (MSS) that is advertised across the outgoing link. IPSO advertises the value in this field as the MSS for packets that transit this interface.
To configure a VLAN Interface 1. Click Interfaces under Interface Configuration in the tree view. 2. Click the link to the physical Ethernet interface for which you want to enable a VLAN interface. The physical interface page for that interface is displayed. 3. Enter a value to identify the VLAN interface in the Create a new VLAN ID text box. The range is 2 to 4094. The values 0 and 4095 are reserved by the IEEE standard. VLAN ID 1 is reserved by convention. There is no default. 4. Click Apply.
5. Click Save to make your change permanent. The entry for the logical VLAN interface disappears from the Logical Interfaces table. To define the maximum number of VLANs 1. Click Interfaces under Configuration > Interface Configuration in the tree view. 2. Enter a number in the Maximum Number of VLANs Allowed text box. The maximum value is 1015. 3. Click Apply. 4. Click Save to make your change permanent.
FDDI Interfaces To configure an FDDI Interface 1. Click Interfaces under Configuration > Interface Configuration in the tree view. 2. Click the physical interface link you want to configure in the Physical column. Example: fddi-s2p1 3. Click Full or Half in the Physical Configuration table Duplex field. 4. Click Apply. Note: Set a device attached to a ring topology to half duplex. If the device is running in point-to-point mode, set the duplex setting to full.
To change the duplex setting of an FDDI interface Note: If the duplex setting of an FDDI interface is incorrect, it might not receive data, or it might receive duplicates of the data it sends. 1. Click Interfaces under Configuration > Interface Configuration in the tree view. 2. Click the physical interface link to change in the Physical column. Example: fddi-s2p1 3. Click Full or Half in the Physical Configuration table Duplex field. 4. Click Apply.
ISDN Interfaces Integrated Services Digital Network (ISDN) is a system of digital phone connections that allows voice, digital network services, and video data to be transmitted simultaneously using end-to-end digital connectivity. The Nokia IP security platform offers support for an ISDN Basic Rate Interface (BRI) physical interface. The ISDN BRI comprises one 16 Kbps D-channel for signalling and control, and two 64 Kbps B-channels for information transfer.
Example: isdn-s2p1 3. In the Switch Type pull-down menu, in the Physical Configuration table, select the service provider's switch type that corresponds to the interface network connection. 4. In the Line Topology field in the Physical Configuration table, click Point-to-Point or MultiPoint to describe the connection type of the interface. 5. Click Automatic or Manual in the TEI Option (terminal-endpoint identifier) field in the Physical Configuration table.
c. Use the Proxy interface pull-down menu to select the logical interface from which the address for this interface is taken. 7. Enter the IP address for the local end of the connection in the Local address text box in the Interface Information table. You must enter a valid IP address. IPSO does not support dynamically assigned IP addresses for ISDN interfaces. Do not enter 0.0.0.0. 8. Enter the IP address of the remote end of the connection in the Remote address text box in the Interface Information table.
17. In the To Remote Host section of the Authentication table, in the Password text box, enter the password to be returned to the remote host for PAP authentication, or the secret used to generate the challenge response for CHAP authentication. Note: The To Remote Host information must be the same as the From Remote Host information (or its equivalent) at the remote end of the link. 18.
A use period set to zero causes the second B-channel to be brought into operation immediately when the utilization level is exceeded. It also causes the second B-channel to be removed from operation immediately when the measured utilization drops below the use level. 23. Click Apply. 24. Click Save to make your changes permanent. For troubleshooting information, see “ISDN Troubleshooting.” To configure an ISDN interface to receive calls 1.
12. In the From Remote Host section of the Authentication table, select the authentication method used to authenticate the remote host. 13. In the From Remote Host section of the Authentication table, in the Name text box, enter the name that is returned from the remote host when this host attempts to authenticate the remote host. 14.
In the Number text box, enter the telephone number on which to accept incoming calls. An x is used to represent a wild-card character. 5. Click Apply. 6. Click Yes in the Callback field for the incoming call to be disconnected, and an outgoing call attempted; otherwise, click No to have the incoming call answered. If Callback is set to Yes, the Nokia appliance uses the number in the Remote Number field on the logical interface to make the outgoing call. 7.
9. Click Apply. Note: Follow steps 8 through 21 in “To configure an ISDN logical interface to place calls” to set the information for outgoing calls. For more information about how to set up incoming numbers, see “To add an incoming number”. 10. Click Save to make your changes permanent. For troubleshooting information, see “ISDN Troubleshooting.”
the packet is never sent over the ISDN interface. After the packet is checked against the Access list, the DDR list applied to the interface (if any) is then checked. Note A DDR list, therefore, only affects which packets will cause a connection to be established and maintained. If no DDR list is applied to an ISDN interface, all traffic received by the interface is deemed interesting. To create a DDR list 1. Click Dial on Demand Routing under Configuration > Traffic Management in the tree view. 2.
To modify a rule 1. Click Dial on Demand Routing under Configuration > Traffic Management in the tree view. 2. Locate the DDR list that contains the rule to modify. You can modify the following items:
Action
Source IP address
Source mask length
Destination IP address
Destination mask length
Source port range: you can specify the source port range only if the selected protocol is either “any,” “6,” “TCP,” “17,” or “UDP.”
3. Click Apply. 4. Under the Existing rules for NotRIP table, click the Add New Rule Before check box. 5. Click Apply. 6. Enter 520 in the Dest Port Range text box in the Existing rules for NotRIP table. 7. Select ignore from the Action drop-down window in the Existing rules for NotRIP table. 8. Select isdn-s2p1c1 from the Add Interfaces drop-down window. 9. Click Apply. 10. Click Save.
ISDN Network Configuration Example
The following figure shows the network configuration for the example described below.
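The evaluation order described above (Access list first, then the DDR list, which only decides whether a packet is "interesting"), worked through with the NotRIP list from the procedure. This is an added illustration, not IPSO code; the action names accept/drop/ignore, first-match ordering, and the defaults for packets no rule matches are assumptions stated in the comments.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Protocol selectors the page allows with a port range: "any", "6"/"TCP", "17"/"UDP".
PROTO_NAMES = {"any": None, "tcp": 6, "udp": 17}


@dataclass
class Packet:
    src: str
    dst: str
    proto: int            # IP protocol number: 6 = TCP, 17 = UDP, 1 = ICMP
    sport: int = 0
    dport: int = 0


@dataclass
class Rule:
    """One rule of an Access list or a DDR list (fields as listed on the page)."""
    action: str                               # assumed names: "accept", "drop" (Access), "ignore" (DDR)
    src: str = "0.0.0.0/0"                    # source address / mask length
    dst: str = "0.0.0.0/0"                    # destination address / mask length
    proto: str = "any"                        # "any", "TCP", "UDP", "6", "17", or another number
    sport: Optional[Tuple[int, int]] = None   # inclusive port range
    dport: Optional[Tuple[int, int]] = None

    def proto_number(self) -> Optional[int]:
        p = self.proto.lower()
        return PROTO_NAMES[p] if p in PROTO_NAMES else int(p)

    def __post_init__(self) -> None:
        # Port ranges are only allowed when the protocol is any, 6/TCP or 17/UDP.
        if (self.sport or self.dport) and self.proto_number() not in (None, 6, 17):
            raise ValueError("port ranges are only valid for protocol any, TCP or UDP")

    def matches(self, pkt: Packet) -> bool:
        if ip_address(pkt.src) not in ip_network(self.src, strict=False):
            return False
        if ip_address(pkt.dst) not in ip_network(self.dst, strict=False):
            return False
        want = self.proto_number()
        if want is not None and pkt.proto != want:
            return False
        # A rule carrying a port range can only match TCP or UDP packets; other
        # protocols have no ports to compare against.
        if self.sport or self.dport:
            if pkt.proto not in (6, 17):
                return False
            if self.sport and not (self.sport[0] <= pkt.sport <= self.sport[1]):
                return False
            if self.dport and not (self.dport[0] <= pkt.dport <= self.dport[1]):
                return False
        return True


def first_match(rules: List[Rule], pkt: Packet) -> Optional[Rule]:
    """Rules are ordered (Voyager's Add New Rule Before); first match wins (assumed)."""
    for rule in rules:
        if rule.matches(pkt):
            return rule
    return None


def evaluate(pkt: Packet, access_list: List[Rule], ddr_list: Optional[List[Rule]]) -> str:
    """Classify a packet leaving the ISDN interface as 'dropped', 'interesting'
    or 'not interesting'. Order follows the page: Access list, then DDR list.
    Assumed defaults: a packet no Access rule matches is accepted; a packet no
    DDR rule matches is interesting, as when no DDR list is applied at all."""
    hit = first_match(access_list, pkt)
    if hit is not None and hit.action == "drop":
        return "dropped"            # never sent over the ISDN interface
    if ddr_list is None:
        return "interesting"        # no DDR list applied: all traffic is interesting
    hit = first_match(ddr_list, pkt)
    if hit is not None and hit.action == "ignore":
        return "not interesting"    # carried if a call is up, but does not raise or hold one
    return "interesting"


# The NotRIP list from the page: RIP updates (UDP destination port 520) are
# ignored so that periodic routing traffic does not keep the ISDN call up.
NOT_RIP = [Rule(action="ignore", proto="UDP", dport=(520, 520))]

if __name__ == "__main__":
    # Constructed sample packets using the addresses from the page's trace.
    rip = Packet("206.226.15.1", "206.226.15.2", 17, 520, 520)
    ping = Packet("206.226.15.1", "206.226.15.2", 1)
    print("RIP:", evaluate(rip, [], NOT_RIP))      # not interesting
    print("ICMP:", evaluate(ping, [], NOT_RIP))    # interesting
```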
To configure the IP330 to place an outgoing call 1. Click Interfaces under Configuration > Interface Configuration in the tree view. 2. Click isdn-s2p1 in the Physical column of the table. 3. Select PPP from the Encapsulation text box in the Create New Logical Interface table. Click Apply. A new logical interface appears in the Interface column of the Logical Interfaces table. 4. Click the logical interface name in the Interface column of the Logical Interfaces table to go to the Interface page. 5.
9. Click Incoming. 10. Select CHAP as the authentication method in the Authentication table. 11. Enter User in the Name text box under the From Remote Host section in the Authentication table. 12. Enter Password in the Password text box under the From Remote Host section in the Authentication table. 13. Click Apply. 14. Click the Incoming Numbers link. 15. Enter 384000 in the Number text box under the Add Incoming Call Information section. 16. Click Apply. 17. Click Save.
The trace for connecting a call from the Nokia IP330 is:
06:23:45.186511 O > PD=8 CR=23(Orig) SETUP:Bc:88 90. CalledNb:80 33 38 34 30 32 30.SendComp:
06:23:45.255708 I < PD=8 CR=23(Dest) CALL-PROC:ChanId:89.
06:23:45.796351 I < PD=8 CR=23(Dest) ALERT:
06:23:45.832848 I < PD=8 CR=23(Dest) CONN:DateTime:60 06 0c 05 2d.
06:23:45.833274 O B1: ppp-lcp: conf_req(mru, magicnum)
06:23:45.971476 I B1: ppp-lcp: conf_req(mru, authtype, magicnum)
06:23:45.
70bb91fa4688d417bf72a0bca572c7e4e16, name=
15:10:12.549898 I B1:response,value=dd379d2b5e692b6afef2bee361e32bca, name=User
15:10:12.549968 O B1: success
15:10:12.550039 O B1: ppp-ipcp: conf_req (addr)
15:10:12.557258 I B1: ppp-ipcp: conf_req (addr)
15:10:12.557300 O B1: ppp-ipcp: conf_ack (addr)
15:10:12.559629 I B1: ppp-ipcp: conf_ack (addr)
15:10:12.573896 I B1: 206.226.15.2 > 206.226.15.1: icmp: echo request
15:10:12.574017 O B1: 206.226.15.1 > 206.226.15.
The most recent system log messages appear. Tracing You can use the tcpdump utility to trace ISDN D-channel traffic (Q.921 and Q.931 protocols) and B-channel traffic (PPP/multilink PPP and TCP/IP protocols). When running tcpdump on an ISDN interface, if no options are given on the command line, the following messages are decoded and displayed: Q.
Table 5 ISDN Cause Code Fields
Cause Code | Description
z1 | Class of cause value
z2 | Value of cause value
a1 | (Optional) Diagnostic field that is always 8.
a2 | (Optional) Diagnostic field that is one of the following values: 0 is Unknown, 1 is Permanent, and 2 is Transient
ISDN Cause Values
Descriptions of the cause-value field of the cause-information element are shown in the following ISDN cause value table. Cause-value numbers are not consecutive.
Table 6 Cause Values
Cause | Cause Description | Diagnostics
30 | Response to STATUS ENQUIRY |
31 | Normal, unspecified |
34 | No circuit or channel available |
38 | Network out of order |
41 | Temporary failure |
42 | Switching-equipment congestion |
43 | Access information discarded | Discarded information-element identifier(s) (Note 6)
44 | Requested circuit / channel not available | Note 10
47 | Resources unavailable or unspecified |
49 | Quality of service unavailable |
See ISDN Cause Values table.
Table 6 Cause Values (continued)
Cause | Cause Description | Diagnostics
86 | Call having the requested-call identity has been cleared | Clearing cause
88 | Incompatible destination | Incompatible parameter (Note 2)
91 | Invalid transit-network selection |
95 | Invalid message, unspecified |
96 | Mandatory information element is missing | Information-element identifiers
97 | Message type non-existent or not implemented | Message type
98 | Message not compatible with call state or message
Note 6: Locking and non-locking shift procedures described in the ITU-T Q.931 specification apply. In principle, information element identifiers are in the same order as the information elements in the received message.
Note 7: The following coding applies:
Bit 8, extension bit
Bits 7 through 5, spare
Bits 4 through 1, according to Table 4-15/Q.931 octet 3.2, channel type in ITU-T Q.931 specification.
Token Ring Interfaces To configure a Token Ring interface 1. Click Interfaces under Configuration > Interface Configuration in the tree view. 2. Click the physical interface link to configure in the Physical column. Example: tok-s3p1 The physical interface setup page appears. 3. In the Ring Speed column of the Physical configuration table, select the desired value: 16 Mbit/sec or 4 Mbit/sec. There is no default value. 4. In the MTU field, enter the desired value. The minimum for both ring speeds is 560.
13. (Optional) Change the interface's logical name to a more meaningful name by typing the preferred name in the Logical name text box. Click Apply.
14. (Optional) Add a comment to further define the logical interface's function in the Comments text box. Click Apply.
15. Click Save to make your changes permanent.

To deactivate a Token Ring interface
1. Click Interfaces under Configuration > Interface Configuration in the tree view.
2. In the Active column of the interface to deactivate, click off.
3.
If no change is desired, skip the step.
a. To change the IP address, enter the appropriate IP address in the New IP address field. There is no default.
b. In the New mask length field, enter the appropriate value. The range is 8 to 30, and there is no default.
c. To delete an IP address, click the Delete box.
Note
Changing an IP address and deleting an IP address at the same time prevents multiple addresses from being assigned to a single interface.
8. Click Apply.
9. Click Save.
The following figure shows the network configuration for this example.

[Figure: network configuration for this example. Labels: Provider (192.168.2.93); ser-s1p1c0 (192.168.2.1); fddi-s3p1c0 on FDDI 192.168.1.xxx; Nokia Platform A (192.168.1.1/24); tok-s2p1c0 (192.168.3.2); Token Ring MAU with Server 192.168.3.4 and Server 192.168.3.5 (optional servers); tok-s1p1c0 (192.168.3.1); Nokia Platform B; eth-s2p1c0 (192.168.4.1/24) on 192.168.4.xxx with servers.]

1. Click Interfaces under Configuration > Interface Configuration in the tree view.
2.
10. In the New IP Address field, enter the appropriate IP address.
11. In the New Mask Length field, enter the appropriate value.
12. Click Apply.
13. Click Save.

Point-to-Point Link over ATM

To configure an ATM interface
Note
You cannot configure an ATM interface with an IP address until at least one logical interface is created for the interface.
1. Click Interfaces under Configuration > Interface Configuration in the tree view.
2.
7. Click Apply. A new logical interface appears in the Interface column. The new interface is on by default. You can add more ATM logical interfaces by repeating this action.
8. Click the logical interface name in the Interface column of the Logical Interfaces table to go to the Logical Interface page.
9. Enter the IP address for the local end of the PVC in the Local Address text box.
10. Enter the IP address of the remote end of the PVC in the Remote Address text box. Click Apply.
11.
6. Select point-to-point in the Type selection box in the Create a new LLC/SNAP RFC1483 interface section. Enter the VPI/VCI number in the VPI/VCI text box.
7. Click Apply. A new logical interface appears in the Interface column. The new interface is turned on by default.
8. Click the logical interface name in the Interface column of the Logical Interfaces table to go to the Interface page.
9. Enter the IP address for the local end of the PVC in the Local Address text box.
10.
Note
The maximum packet size must match the MTU of the link partner. Packets longer than the length you specify are fragmented before transmission.
4. Click Apply.
5. Click Save to make your changes permanent.

ATM Example

This section describes how you might configure the interfaces of your IP security platform in an example network, using Network Voyager. The following figure shows the network configuration for this example.

[Figure: network configuration for this example. Labels: Provider (192.168.2.93); FDDI 192.168.1.xxx; Server; ser-s1p1c0 (192.168.2.]
To configure the ATM interface on Nokia Platform A
1. Click Interfaces under Configuration > Interface Configuration in the tree view.
2. Select atm-s2p1 in the Physical column of the table.
3. Enter 93 in the VCI text box in the Create a new LLC/SNAP RFC1483 interface section. The channel number of the interface is no longer the VCI number but an automatically allocated number.
Loop timing derives the transmit clock from the recovered receive clock.
5. Select the VPI/VCI range in the VPI/VCI Range Configuration list box.
6. Create a logical interface in the Create a new LLC/SNAP RFC1483 interface section by selecting LIS in the Type list box and entering, in the VPI/VCI text box, the set of VPI/VCI numbers that the interface will use. The set of VPI/VCIs can be given as a comma-separated list of VPI/VCIs or VPI/VCI ranges, such as 1/42, 1/48, 1/50 to 60.
7.
The Physical Interface page appears.
3. Select the VPI/VCI range in the VPI/VCI Range Configuration list box.
4. Find the ATM logical interface to reconfigure in the Logical Interfaces table and enter a new set of VPI/VCIs in the VPI/VCI field.
5. Click Apply.
6. Click Save to make your changes permanent.

To change the IP Address of an ATM LIS interface
Note
Do not change the IP address you use in your browser to access Network Voyager.
IPoA Example

This section describes how you might configure the interfaces of your IP security platform in an example network, using Network Voyager. The following figure shows the network configuration for this example.

[Figure: network configuration for this example. Labels: Nokia Platform A with eth-s1p1c0 and atm-s2p1c0 (10.0.0.1/24), PVC 42 to Nokia Platform B and PVC 53 to Nokia Platform C through an ATM Switch; Nokia Platform B with atm-s3p1c0 (10.0.0.2/24), eth-s1p1c0 and eth-s2p2c0; eth-s1p1c0; atm-s3p1c0 (10.0.0.]
9. Click Apply.
10. (Optional) Change the interface's logical name to a more meaningful name by typing the preferred name in the Logical name text box. Click Apply.
11. (Optional) Add a comment to further define the logical interface's function in the Comments text box.
12. Click Apply.
13. Click Save.

Serial (V.35 and X.21) Interfaces

To configure a serial interface for Cisco HDLC
1. Click Interfaces under Configuration > Interface Configuration in the tree view.
2.
10. Click the logical interface name in the Interface column of the Logical interfaces table. The Interface page appears.
11. Enter the IP address for the local end of the link in the Local address text box.
12. Enter the IP address of the remote end of the link in the Remote address text box. Click Apply.
13. (Optional) Change the interface's logical name to a more meaningful name by typing the preferred name in the Logical name text box. Click Apply.
14.
9. Click Apply.
10. Enter a number in the Keepalive maximum failures text box. This value sets the number of times a remote system can fail to send a keepalive protocol message within a keepalive interval before the system considers the link down.
11. Click Apply.
12. Click the Advanced PPP Options link. The PPP Advanced Options page appears.
13. Click Yes or No in the Negotiate Magic Number field. Clicking Yes enables the interface to send a request to negotiate a magic number with a peer.
14.
6. Click the Full Duplex or Loopback radio button in the Channel Mode field. Full duplex is the normal mode of operation.
7. Click the Frame relay radio button in the Encapsulation field.
8. Click Apply.
9. Enter a number in the Keepalive text box to configure the frame relay keepalive interval. This value sets the interval, in seconds, between keepalive protocol message transmissions. These messages are used periodically to test for an active remote system.
19. Click the logical interface name in the Interface column of the Logical interfaces table to go to the Interface page.
20. Enter the IP address for the local end of the PVC in the Local address text box.
21. Enter the IP address of the remote end of the PVC in the Remote address text box. Click Apply.
22. (Optional) Change the interface's logical name to a more meaningful name by typing the preferred name in the Logical name text box.
23. Click Apply.
24. Click Save to make your changes permanent.
The branch office contains Nokia Platform B, which routes traffic between a local Fast Ethernet network and ATM PVC 52. It provides access to the main office and the Internet.

To configure the serial interface on Nokia Platform A
1. Click Interfaces under Configuration > Interface Configuration in the tree view.
2. Select ser-s1p1 in the Physical column of the table.
3. Click PPP in the Encapsulation field.
4. Click Apply.
5. Enter 10 in the Keepalive text box.
6. Click Apply.
7.
4. Click Apply.
5. Click the Full Duplex or Loopback radio button in the Channel Mode field. Full duplex is the normal mode of operation.
6. Click AMI or B8ZS in the T1 Encoding field to select the T1 encoding. This setting must match the line encoding of the CSU/DSU at the other end of the point-to-point link.
7. Click Apply.
8. Click Superframe (D4) or Extended SF in the T1 Framing field to select the T1 Framing format.
The T1 CSU/DSU Advanced Options page allows you to configure fractional T1 channels, line build-out values and other advanced settings for the T1 device. The values you enter on this page are dependent on the subscription provided by your service provider.
16. From the Advanced T1 CSU/DSU Options page, click Up to return to the physical interface page.
17. Click the logical interface name in the Interface column of the Logical interfaces table to go to the Interface page.
18.
Use T1 framing to divide the data stream into 64 Kbps channels and to synchronize with the remote CSU/DSU. This setting must match the frame format used by the CSU/DSU at the other end of the point-to-point link.
9. Click Apply.
10. Click 64bps or 56bps in the T1 Channel Speed field to select the DS0 channel speed for the T1 line. Some older trunk lines use the least-significant bit of each DS0 channel in a T1 frame for switching-equipment signaling.
21. Click Yes or No in the Negotiate Magic Number field. Clicking Yes enables the interface to send a request to negotiate a magic number with a peer.
22. Click Yes or No in the Negotiate Maximum Receive Unit field. Clicking Yes enables the interface to send a request to negotiate an MRU with a peer.
23. Click Apply.
24. Click Up to return to the Physical Interface page.
25. Click the logical interface name in the Interface column of the Logical Interfaces table to go to the Interface page.
26.
Use T1 framing to divide the data stream into 64 Kbps channels and to synchronize with the remote CSU/DSU. This setting must match the frame format used by the CSU/DSU at the other end of the point-to-point link.
8. Click Apply.
9. Click 64bps or 56bps in the T1 Channel Speed field to select the DS0 channel speed for the T1 line. Some older trunk lines use the least-significant bit of each DS0 channel in a T1 frame for switching-equipment signaling.
The Frame Relay Advanced Options page allows you to configure frame relay protocol and LMI parameters for this device.
Note
The values you enter depend on the settings of the frame relay switch to which you are connected or on the subscription provided by your service provider.
21. From the Frame Relay Advanced Options page, click Up to return to the Physical Interface page.
22. Enter the DLCI number in the Create a new interface DLCI text box.
23. Click Apply.
The following figure shows the network configuration for this example.

[Figure: network configuration for this example. Labels: Provider (192.168.2.93); FDDI 192.168.1.xxx; ser-s1p1c0 (192.168.2.1); fddi-s3p1c0; Nokia Platform A (192.168.1.1/24); atm-s2p1c93 (192.168.3.2); Server; ATM Switch; atm-s1p1c52 (192.168.3.1); Nokia Platform B; eth-s2p1c0 (192.168.4.1/24) on 192.168.4.xxx with servers.]

In a company's main office, Nokia Platform A terminates a T1 line to an Internet service provider, running PPP with a keepalive value of 10.
10. Click Apply.
11. Click ser-s1p1c0 in the logical interfaces table to go to the Interface page.
12. Enter 192.168.2.1 in the Local address text box.
13. Enter 192.168.2.93 in the Remote address text box.
14. Click Apply.
15. (Optional) Change the interface's logical name to a more meaningful name by typing the preferred name in the Logical name text box. Click Apply.
16. (Optional) Add a comment to further define the logical interface's function in the Comments text box. Click Apply.
17.
Use E1 framing to select whether timeslot-0 is used for exchanging signaling data.
7. Click On or Off for the E1 CRC-4 Framing field.
Note
This option appears only if you set the E1 Framing field to E1 (channel 0 framing). This option chooses the framing format for timeslot-0. On means that CRC-multiframe format is used; the information is protected by CRC-4. Off means that double-frame format is used. This setting must match the setting of the CSU/DSU at the other end of the link.
8.
14. Enter the IP address for the local end of the link in the Local Address text box.
15. Enter the IP address of the remote end of the link in the Remote Address text box. Click Apply.
16. (Optional) Change the interface's logical name to a more meaningful one by typing the preferred name in the Logical name text box. Click Apply.
17. (Optional) Add a comment to further define the logical interface's function in the Comments text box. Click Apply.
18. Click Save to make your changes permanent.
Note
This option appears only if you have set the E1 Framing field to E1 (channel 0 framing). This button chooses the framing format for timeslot-0. On means that CRC-multiframe format is used; the information is protected by CRC-4. Off means that double-frame format is used. This setting must match the setting of the CSU/DSU at the other end of the link.
8. Click On or Off for the E1 Timeslot-16 Framing. Click Apply.
Note
This option appears only if you set the E1 Framing field to E1 (channel 0 framing).
14. From the Advanced E1 CSU/DSU Options page, click Up to return to the physical interface page.
15. Click the Advanced PPP Options link. The PPP Advanced Options page appears.
16. Click Yes or No in the Negotiate Magic Number field. Clicking Yes enables the interface to send a request to negotiate a magic number with a peer.
17. Click Yes or No in the Negotiate Maximum Receive Unit field. Clicking Yes enables the interface to send a request to negotiate an MRU with a peer.
18. Click Apply.
19.
4. Click Full Duplex or Loopback in the Channel Mode field. Full duplex is the normal mode of operation.
5. Click AMI or HDB3 in the E1 Encoding field to select the E1 encoding. Click Apply. This setting must match the line encoding of the CSU/DSU at the other end of the point-to-point link.
6. Click E1 (channel 0 framing) or No Framing in the E1 Framing field to select the E1 Framing format. Use E1 framing to select whether timeslot-0 is used for exchanging signaling data.
7.
DTE is the usual operating mode when the device is connected to a frame relay switch.
12. Click On or Off in the Active Status Monitor field. Click Apply. This value sets the monitoring of the connection-active status in the LMI status message.
13. (Optional) Click the Advanced E1 CSU/DSU Options link to select advanced E1 options. The E1 CSU/DSU Advanced Options page allows you to configure fractional E1 channels and other advanced settings for the E1 device.
Click Apply.
23. (Optional) Add a comment to further define the logical interface's function in the Comments text box. Click Apply.
24. Click Save to make your changes permanent.
Note
Try to ping the remote system from the command prompt. If the remote system does not respond, contact your service provider to confirm the configuration.

HSSI Interfaces

To configure an HSSI interface for Cisco HDLC
1. Click Interfaces under Configuration > Interface Configuration in the tree view.
2.
8. Click the logical interface name in the Interface column of the Logical interfaces table to go to the Interface page.
9. Enter the IP address for the local end of the link in the Local address text box.
10. Enter the IP address of the remote end of the link in the Remote address text box. Click Apply.
11. (Optional) Change the interface's logical name to a more meaningful one by typing the preferred name in the Logical name text box. Click Apply.
12.
Note
This value must be identical to the keepalive value configured on the system at the other end of a point-to-point link, or the link state fluctuates.
8. Enter a number in the Keepalive maximum failures text box to configure the PPP keepalive maximum failures. This value sets the number of times a remote system may fail to send a keepalive protocol message within a keepalive interval before the system considers the link down. Click Apply.
9. Click the Advanced PPP Options link.
Set the internal clock to On when you are connecting to a device or system that does not provide a clock source. Otherwise, set the internal clock to Off.
4. If you turned the internal clock on, enter a value in the Internal clock speed text box. If the device can generate only certain line rates, and the configured line rate is not one of these values, the device selects the next highest available line rate.
5. Click Full Duplex or Loopback in the Channel Mode field.
Click Apply. Each time you click Apply after entering a DLCI, a new logical interface appears in the Interface column. The DLCI entry field remains blank to allow you to add more frame relay logical interfaces.
14. Click the logical interface name in the Interface column of the Logical Interfaces table to go to the Interface page.
15. Enter the IP address for the local end of the PVC in the Local address text box.
16. Enter the IP address of the remote end of the PVC in the Remote address text box.
Note
Only point-to-point interfaces can be configured as unnumbered interfaces. Tunnels cannot be configured as unnumbered interfaces.
3. Click Yes in the Unnumbered Interface field.
4. Click Apply.
Note
If that interface was associated with either a local or remote address or both, they are automatically deleted.
Note
You do not see local and remote address configuration fields for unnumbered interfaces. The proxy interface field replaces those fields.
Note
Only point-to-point interfaces can be configured as unnumbered interfaces. Tunnels cannot be configured as unnumbered interfaces.
Note
This interface must not be the next hop of a static route.
3. Click No in the Unnumbered Interface field. Click Apply.
4. Click Save to make your change permanent.
Note
You must now configure a numbered logical interface.

To configure a static route over an unnumbered interface
1. Complete “To configure an unnumbered interface” for the interface.
1.
Configuring OSPF over Unnumbered Interface

The following graphic represents an example configuration for running OSPF over an unnumbered interface.

[Figure: Nokia Platform A (Area 2) and Nokia Platform B (Area 1) connected over an unnumbered serial link in the backbone.]

1. Configure the interfaces on Nokia Platform A and Nokia Platform B as in “To configure an unnumbered interface.”
2. For each Nokia Platform, configure an OSPF area as in “Configuring OSPF.”
3.
connected to the backbone area. Both Nokia Platform B and Nokia Platform C are configured with IP addresses (10.10.10.2 and 101.10.10.1 respectively).

[Figure: Nokia Platform A (Area 1, with host PCs) and Nokia Platform C (Area 3, with host PCs) connected by an unnumbered serial link, with a virtual link through the backbone via Nokia Platform B (Area 2, 10.10.10.1 and 10.10.10.2).]

The interfaces that comprise the virtual link between Nokia Platform A and Nokia Platform C are both configured as unnumbered.
Click Apply. This value sets the interval, in seconds, between keepalive protocol message transmissions. These messages are used periodically to test for an active remote system.
Note
This value must be identical to the keepalive value configured on the system at the other end of a point-to-point link, or the link state fluctuates.
4. To make your changes permanent, click Save.

To change the IP address in Cisco HDLC
Note
Do not change the IP address you use in your browser to access Network Voyager.
Note
This value must be identical to the keepalive value configured on the system at the other end of a point-to-point link, or the link state fluctuates.
4. Click Save to make your changes permanent.

To change the keepalive maximum failures in PPP
1. Click Interfaces under Configuration > Interface Configuration in the tree view.
2. Click the physical interface link to configure in the Physical column. Example: ser-s2p1.
3.
Frame Relay Protocol

To change the keepalive interval in frame relay
1. Click Interfaces under Configuration > Interface Configuration in the tree view.
2. Click the physical interface link to configure in the Physical column. Example: ser-s2p1.
3. Enter a number in the Keepalive text box to configure the Frame Relay keepalive interval. Click Apply. This value sets the interval, in seconds, between keepalive protocol message transmissions.
9. (Optional) Change the interface's logical name to a more meaningful one by typing the preferred name in the Logical name text box. Click Apply.
10. (Optional) Add a comment to further define the logical interface's function in the Comments text box. Click Apply.
11. To make your changes permanent, click Save.

To change the LMI parameters in frame relay
1. Click Interfaces under Configuration > Interface Configuration in the tree view.
2.
To change the active status monitor setting in frame relay

When connected to a Frame Relay switch or network, the interface type is usually set to DTE. You may need to change the interface type to DCE if it is connected point-to-point with another router.
1. Click Interfaces under Configuration > Interface Configuration in the tree view.
2. Click the physical interface link to change in the Physical column. Example: ser-s2p2.
3. Click on or off in the Active Status Monitor field. Click Apply.
4.
Loopback Interfaces

By default, the loopback interface has 127.0.0.1 configured as its IP address. Locally originated packets sent to this interface are sent back to the originating process. You might want to assign an address to the loopback interface that is the same as the OSPF firewall ID, or is the termination point of a BGP session. This allows firewall adjacencies to stay up even if the outbound interface is down.
GRE Tunnels

GRE tunnels encapsulate IP packets by using Generic Routing Encapsulation (GRE) with no options. The encapsulated packets appear as unicast IP packets. GRE tunnels provide redundant configuration between two sites for high availability. For each GRE tunnel you create, you must assign a local and remote IP address. You also must provide the local and remote endpoint addresses of the interface to which this tunnel is bound.
On means that all packets that egress through the tunnel will exit through the outgoing interface (local endpoint). If the local endpoint link fails, traffic does not egress through the tunnel. You might use this setting to prevent possible routing loops. Off means that packets that egress through the tunnel can be routed through any interface. Use this setting to allow the system to use a different interface in case the local endpoint link fails.
4. (Optional) Enter the IP address of the remote end of the GRE tunnel in the Remote address text box. The remote address cannot be one of the system's interface addresses and must be the local address configured for the GRE tunnel at the remote router.
5. (Optional) Enter the IP address of the local interface the GRE tunnel is bound to in the Local endpoint text box.
GRE Tunnel Example

The following steps provide directions on how to configure a sample GRE tunnel. The following figure shows the network configuration for this example.

[Figure: Site A Nokia Platform (LAN 192.68.22.0/24, tunnel address 10.0.0.1, endpoint 192.68.26.65/30) and Site B Nokia Platform (LAN 192.68.23.0/24, tunnel address 10.0.0.2, endpoint 192.68.26.74/30) joined by a VPN Tunnel across the Internet, with Remote PCs at each site.]

1. Click Interfaces under Configuration > Interface Configuration in the tree view.
2. Click Tunnels in the Physical column.
3.
Click Apply. An entry field appears.
11. (Optional) If you selected custom value from the TOS value drop-down window, enter a value in the range of 0-255.
12. Click Apply.
13. (Optional) Change the interface's logical name to a more meaningful one by typing the preferred name in the Logical name text box. Click Apply.
14. (Optional) Add a comment to further define the logical interface's function in the Comments text box. Click Apply.
15. Click Save.
of this reference guide, they are not individually repeated here. The following figure shows the network configuration for this example.

[Figure: Site A Remote PCs (192.168.0.X/24, 192.168.0.2) behind Nokia Platform 1 (192.168.0.1, 170.0.0.1, 170.0.1.1) with VPN Tunnels 10.0.0.1/10.0.0.2 and 11.0.0.1/11.0.0.2 across the Internet to Nokia Platform 2 (171.0.0.1) and Nokia Platform 3 (171.0.1.1), and Nokia Platform 4 (192.168.1.1, 192.168.1.2, 192.168.1.]
Enter 170.0.0.1 in the Local endpoint text box. Enter 171.0.0.1 in the Remote endpoint text box.
b. Configuring from IP Unit 2 to IP Unit 1: Enter 10.0.0.2 in the Local address text box. Enter 10.0.0.1 in the Remote address text box. Enter 171.0.0.1 in the Local endpoint text box. Enter 170.0.0.1 in the Remote endpoint text box.
c. Configuring from IP Unit 3 to IP Unit 4: Enter 11.0.0.1 in the Local address text box. Enter 11.0.0.2 in the Remote address text box. Enter 170.0.1.
DVMRP Tunnels

DVMRP (Distance Vector Multicast Routing Protocol) tunnels encapsulate multicast packets in IP unicast packets. This technique allows two multicast routers to exchange multicast packets even when they are separated by routers that cannot forward multicast packets.
Note
When the DVMRP tunnel interface is created, set all other DVMRP configuration parameters from the DVMRP page.

To change the local or remote addresses of a DVMRP tunnel
1. Click Interfaces under Configuration > Interface Configuration in the tree view.
2. In the Logical column, click the Logical Interface link on the tunnel that is to have the IP address changed. Example: tun0c1.
3. (Optional) Enter the IP address of the local end of the DVMRP tunnel in the Local Address text box.
A router forwards multicast traffic to an adjacent router only if that router has a client that accepts multicast traffic. Nokia IP security platforms require Distance Vector Multicast Routing Protocol (DVMRP) to be enabled on the interfaces to which you forward multicast traffic.

[Figure: Nokia Platform A (26.65/30, 26.74/30, 22.1/24), Nokia Platform B (26.66/30, 26.69/30), Nokia Platform C (26.70/30, 26.73/30) and Nokia Platform D (24.0/24); DVMRP Tunnel endpoint from ISP 192.168.22.254/24 to 22.1/24 22.]
9. Click Apply.
10. Click Save to make changes permanent.
Note
Steps 17 through 21 require that you use the Routing Configuration page by first completing steps 13 through 16.
11. Click DVMRP under Configuration > Routing in the tree view.
12. For each interface to configure for DVMRP, click On for the interface.
13. Click Apply.
14. (Optional) Define the time-to-live (TTL) threshold for the multicast datagram.
The Retry Limit specifies the number of times to retry ARP requests until holding off requests for 20 seconds. Retry requests occur at a rate of up to once per second. The range of the retry limit is 1 to 100 and the default value is 3.
4. If your network configuration requires it, click the button to enable the appliance to accept multicast ARP replies. Enable this feature if this system is connected to an IPSO cluster.
Note
In VRRP configurations, configuring proxy ARP using static NAT addresses and interface MAC addresses is not supported.

To delete a static ARP entry
1. Click ARP under Configuration > Interface Configuration in the tree view.
2. Click the checkbox in the Delete column next to the table entry to delete. Click Apply.
3. Click Save to make your changes permanent.

To view dynamic ARP entries
1. Click ARP under Configuration > Interface Configuration in the tree view.
2.
Retry Limit specifies the number of times to retry InATMARP requests, after which the Holdoff Timer is started. The range of the Retry Limit value is 1 to 100, with a default value of 5. Holdoff Time specifies the time, in seconds, to hold off InATMARP requests after the maximum number of retries. The range of the Holdoff Time value is 1 to 900 seconds (15 minutes), with a default value of 60 seconds (one minute).
3. Click Apply.
4. Click Save to make your changes permanent.

To add a static ATM ARP entry
1.
3. Click the ATM ARP Entries link. Dynamic ATM ARP entries appear in a table at the bottom of the page.
4. Click the Delete check box next to the dynamic ATM ARP entry to delete. Click Apply.
Note
Deleting a dynamic entry triggers a transmission of an InATMARP request on the PVC. If the remote end responds and its IP address is not changed, a new dynamic ATM ARP entry identical to the deleted one appears in the table immediately.
Transparent Mode Processing Details

When you configure transparent mode, it is added to the IPSO kernel as a module situated between layer 2 and the upper protocol layers. When a logical interface is configured for transparent mode, the transparent mode Address Resolution Protocol (ARP) and IP receive handlers replace the common ARP and IP receive handlers.
Configuring Transparent Mode in VPN Environments

To configure transparent mode in a virtual private network environment, you must create a range or group of addresses that will be protected behind the IP address on the bridge. This must be done because addresses cannot be learned dynamically behind a firewall.
Note
For information on how to create groups, objects, and rules on the firewall, see the Check Point documentation that was included with your Nokia IPSO software package.

Example of Transparent Mode

The following illustration shows a network connected to an Internet service provider (ISP) through a switch. In this configuration, all addressing to the local area network (LAN) is done at Layer 2.

[Figure: ISP (1.5.3.2/24) and Internet connected through a switch to the LAN; LAN address 1.5.2.]
To configure transparent mode in the preceding network configuration
1. Click Transparent Mode under Configuration > Interface Configuration in the tree view.
2. Enter any positive integer (an integer greater than 0) in the edit box, for example 100, and click Apply.
3. Click the link of the transparent mode group you created. It appears as XMG with the number you entered in step 2, for example XMG 100.
4.
Note
In the disabled mode, the transparent mode group drops all packets received on or destined to the interfaces in that group. Because transparent mode groups are disabled by default, do not associate interfaces to a transparent mode group that is in use or you will lose connectivity to those interfaces. If you have more than one transparent mode group on the same platform, the groups must be visible to each other on the routing layer (Layer 3).
To add or remove an interface to/from a transparent mode group
1. Click Transparent Mode under Configuration > Interface Configuration in the tree view.
2. Click the link of the appropriate transparent mode group.
3. To add an interface to the transparent mode group, select it from the Add Interface dropdown box.
Note
Because transparent mode groups are disabled by default, do not associate interfaces to a transparent mode group that is in use. If you do, you will lose connectivity to those interfaces.
Enabling or Disabling VRRP for a Transparent Mode Group

If you are enabling VRRP on a VRRP master, the node will perform transparent mode operations as described in the section “Transparent Mode” on page 132. As a VRRP standby, it will drop all packets except those with local destinations. For more information on configuring VRRP, see “Configuring VRRP” on page 186.

To enable or disable VRRP for a transparent mode group
1.
To add nodes configured for transparent mode to a cluster using SmartDashboard
1. Create a gateway object for each of the VRRP nodes.
2. Define the topology for each gateway object. Make sure that transparent mode is properly configured with the address ranges to the external and internal networks correctly defined.
3. Create the cluster object.
4. Add each gateway to the cluster object using the Add Gateway to Cluster button.
VTIs appear in Nokia Network Voyager as unnumbered interfaces and are given logical names in the form tun0cn. You configure static or dynamic routes on VTIs the same way you configure them on other unnumbered interfaces. The dynamic routing protocols supported on VTIs are BGP4 and OSPFv2.
VRRP Support
VRRP HA mode is supported for OSPFv2 over virtual tunnels. Only active-passive mode is supported: that is, only one gateway can have the master state. Because a VTI is an unnumbered interface, you cannot configure a virtual IP address on it. To run in VRRP mode across the tunnel, OSPF instead detects the presence of one or more VRRP virtual IP addresses on the system.
Note If both domain-based VPN and route-based VPN are configured, then domain-based VPN takes priority. Configuring a VTI does not override the domain-based VPN. The only way to configure no VPN domain is to create an empty VPN domain group.
3. Create a VPN community and add both gateways to that community.
4. Create a security policy rule and install the policy on both gateways.
To create the virtual tunnel interface
1. In the Network Voyager navigation tree, select Configuration > Interface Configuration > FWVPN tunnel.
2. Enter the name of the peer gateway in the Peer GW Object Name field. Use the same name you assigned the gateway when you created it in the SmartDashboard.
3. From the drop-down list, select the proxy interface.
3 Configuring System Functions
This chapter describes how to configure many basic system functions.
Configuring DHCP
Dynamic Host Configuration Protocol (DHCP) for Nokia IPSO provides complete DHCP client and DHCP server capabilities for your Nokia appliance. DHCP gives you the ability to provide network configuration parameters, through a server, to clients which need the parameters to operate on a network.
Configuring DHCP Client Interfaces
To configure the DHCP client interface
1. Click DHCP under Configuration > System Configuration in the tree view.
2. Click the logical interface in the DHCP Interface Configuration table to be configured.
Note The logical interface must be enabled. It is enabled if the link-state indicator is green. For more information on how to configure Ethernet interfaces, see “Ethernet Interfaces” on page 34.
3. (Optional) Enter a unique name in the Client ID text box.
6. Click Save to make your changes permanent.
Configuring the DHCP Server
To configure the DHCP server process
1. Click DHCP under Configuration > System Configuration in the tree view.
2. Click Server in the DHCP Service Selection box.
3. Click Apply.
Note You must configure an Ethernet interface and enter the subnet address and the subnet mask length on which the interface is listening in the Subnet text box (see steps 6 and 7) before you enable the DHCP Server Process.
12. (Optional) Enter a path for clients to get additional configuration options in the Extensions Path text box.
Note You must configure the TFTP option to use the Extensions Path option, since clients will use TFTP to transfer the configuration options from the server.
13. (Optional) Enter the root path where diskless clients mount a network file system (NFS) in the Root Filename text box.
14. Enter the IP address of the default router clients will use in the Router text box.
15.
Note You must configure an Ethernet interface and enter the subnet address and the subnet mask length on which the interface is listening before you enable the DHCP Server Process. See “Configuring the DHCP Server” on page 147, steps 5, 6, and 7. For more information on how to configure Ethernet interfaces, see “Ethernet Interfaces” on page 34.
4. Click Enable in the DHCP Server Process box.
5. Click Apply.
6. Click Save to make your changes permanent.
To disable the DHCP server process
1.
Note Make sure that Enabled is selected in the State field. This is the default selection.
Note If you are configuring a large number of VLANs, you might experience a delay in having IP addresses assigned to VLAN interfaces.
4. Click Apply.
5. Click Save to make your changes permanent.
Enabling or Disabling DHCP Address Pools
To enable an existing IP address pool
1. Click DHCP under Configuration > System Configuration in the tree view.
2.
7. (Optional) Enter the file name where diskless clients will find the boot file in the File Name text box.
8. (Optional) Enter a path for clients to get additional configuration options in the Extensions Path text box.
Note You must configure the TFTP option to use the Extensions Path option, since clients will use TFTP to transfer the configuration options from the server.
9. (Optional) Enter the root path where diskless clients mount a network file system (NFS) in the Root Filename text box.
10.
because you will only have to enter IP address information when you configure subnets or fixed-IP entries.
1. Click DHCP under Configuration > System Configuration in the tree view.
2. Click the Template for adding new client entries link.
3. (Optional) Enter the Trivial File Transfer Protocol (TFTP) server clients will use in the TFTP text box.
4. (Optional) Enter a path for clients to get additional configuration options in the Extensions Path text box.
Configuring Dynamic Domain Name System Service
DDNS gives you the ability to configure your DHCP server to automatically update DNS servers on your network.
To configure Dynamic Domain Name System (DDNS)
1. Click DHCP under Configuration > System Configuration in the tree view.
2. Click the DDNS Configuration link.
3. Check that enable is selected.
4. Select a style in the Update Style box.
5. Enter a key name in the Key Name text box and click the enable button next to the name.
6.
Configuring the Domain Name Service
IPSO uses the Domain Name Service (DNS) to translate host names into IP addresses. To enable DNS lookups, you must specify the primary DNS server for your system; you can also specify secondary and tertiary DNS servers. When resolving hostnames, the system consults the primary name server first, followed by the secondary and tertiary name servers if a failure or time-out occurs.
To configure DNS
1. Click DNS under Configuration > System Configuration in the tree view.
Note The source hard disk drive and the mirror hard disk drive should have identical geometries. You can view hard-disk drive geometry in the Drivers Information table.
3. Click Apply. Text at the top of the Network Voyager window indicates that a mirror set was created, which hard disk drive (by number) is the source and which is the mirror, and that mirror synchronization is in progress.
To install and configure PC card flash memory
1. Insert the card into one of the PC card slots in the front of the system. Make sure that the card is fully inserted.
2. Click Optional Disk under Configuration > System Configuration. Network Voyager displays information about the card you inserted. If you do not see this information, verify that the card has at least one gigabyte of storage and is fully inserted into the slot.
3. Select the card in the Choose column.
4.
Presence of a sendmail-like replacement that relays mail to a mail hub by using SMTP
Ability to specify the default recipient on the mail hub
IPSO does not support the following mail relay features:
Support for incoming email
Support for mail transfer protocols other than outbound SMTP
Sending Mail
To send mail from the firewall
1. Log in to the firewall as either the admin or monitor user.
2. At the prompt, type the mail command, followed by a space, and the username of the recipient:
mail username@hostname
3. Type the subject of your message at the subject prompt; then press Enter.
4. Type your message; then press Enter.
5. When you finish typing your message, type a period on an empty line; then press Enter. Your message is sent.
To set system time once
1. Click Time under Configuration > System Configuration in the tree view.
2. Select the appropriate time zone in the Time Zone list box. By default, the time zone is set to GMT.
3. Either set the time manually or specify a time server:
a. To set the date and time manually, enter the time and date units to change. You do not need to fill in all fields; blank fields default to their existing values. Specify hours in 24-hour format.
b.
To delete a static host
1. Click Host Address under Configuration > System Configuration in the tree view.
2. Select Off next to the host to delete.
3. Click Apply.
4. Click Save to make your changes permanent.
Configuring System Logging
System logging is configured differently on flash-based (diskless) and disk-based systems.
Configuring Logging on Disk-Based Systems
This section describes how to configure system logging on disk-based appliances.
storage or to reduce the risk of losing log information if you run out of disk space on your IPSO appliance. You might also choose to send all of the logs from multiple computers to one centralized log server, possibly one that is configured for high availability. You can select the severity levels of messages to send to remote devices. To configure your system to send syslog messages to a remote system, use the following procedure.
To send syslog messages to a remote system
1.
Caution When you insert a PC card into a flash-based appliance and select the card as an optional disk, any existing data on the card is erased. If you remove a PC card that contains log files and want to permanently store the data, insert the card into a PC or other computer and save the data to that system before reinserting the card into a Nokia flash-based (diskless) appliance.
there are 256 messages in the buffer, the messages are transferred to the remote server and the buffer is cleared.
6. Use the Flush Frequency option as an additional control for saving messages. When the Flush Frequency interval expires, log messages are transferred to the remote server and the log buffer is cleared regardless of how many messages are in the buffer.
7. Click Apply.
8. Click Save to make your changes permanent.
To set logging of all Network Voyager Apply and Save actions
1. Click System Logging under Configuration > System Configuration in the tree view.
2. In the Voyager Audit Log field, select Enabled or Disabled.
3. Click Apply.
4. Click Save to make your change permanent.
The Voyager Audit Log feature does not record any operations performed using the command-line interface (CLI). To log configuration changes made using either Network Voyager or the CLI, enable the system configuration audit log.
click the Management Activity Log link in the System Logs section. For more information, see “Monitoring System Logs.”
Remote Core Dump Server on Flash-Based Systems
Application core files are stored in memory in the directory /var/tmp/. When the file system is 95% filled, flash-based (diskless) systems delete older core files to make room for newer ones. You can configure flash-based systems to transfer the core files to a remote server so that older files are retained.
5. Click Apply.
6. Click Save to make your changes permanent.
Changing the Hostname
You set the hostname during initial configuration. To identify the hostname (system name) of your security platform, click Hostname under Configuration > System Configuration in the tree view. The hostname is also displayed in each page header.
Note Host address assignments must match an IP address.
You can change the hostname at any time using the following procedure.
To change the hostname
1.
To create a factory default configuration file
1. Click Configuration Sets under Configuration > System Configuration in the tree view.
2. Enter a name for the new file in the Create a New Factory Default Configuration field.
3. Click Apply. The new file appears in the list of database files on this page, but it is not selected as the current configuration database. The factory default configuration has not been loaded.
4. Select the Timezone under which you want to schedule the job, either Local or Universal, from the drop-down list.
5. Select the frequency (Daily, Weekly, or Monthly) with which you want the job to execute from the Repeat drop-down list.
6. Click Apply.
7. Under Execution Detail, specify the time the job will execute.
8. To receive mail regarding your scheduled jobs, enter your email address in the Email Address text box.
Note Click Mail Relay to verify that a mail server is configured.
9. Click Apply.
Creating Backup Files
You can create a backup file manually at any time (see “To create a backup file manually,” below), or configure the system to run scheduled backups automatically (see “To configure scheduled backups” on page 170). By default, the backup file contains everything in the following directories:
configuration (/config)
cron (/var/cron)
etc (/var/etc)
IPSec files (/var/etc/IPSec)
Note Export versions of Nokia IPSO do not include IPSec files.
To configure scheduled backups
1. Click Backup and Restore under Configuration > System Configuration in the tree view.
2. In the Scheduled Backup field, click the Frequency drop-down list and select Daily, Weekly, or Monthly to configure how often to perform a regular backup. Additional text boxes appear in the Configure Scheduled Backup section.
3. Select times and dates for the scheduled backup from the drop-down lists. For a daily backup, select the hour and minute.
To configure automatic transfers of archive files to a remote server
1. Click Backup and Restore under Configuration > System Configuration in the tree view.
2. Under Automatic Transfer of Archive File, select a file transfer protocol, either TFTP or FTP. If you choose FTP, make sure that your server accepts anonymous FTP logins. You cannot use non-anonymous FTP logins to automatically transfer backup files.
Restoring Files from Locally Stored Backup Files
To restore files to the system, you must first create backup files as described in “Creating Backup Files” on page 169. You can restore either from files stored locally or from files stored on a remote machine.
Caution Restoring from a backup file overwrites your existing files.
To restore files
1. Verify that the following prerequisites are met:
Enough disk space is available on your platform.
b. Click Apply.
c. A list of available files in the directory you specify appears. Select the backup files you want to restore.
5. Click Apply. Repeat the previous two steps for each file you want to restore.
6. Do not click Save. Ignore any “Unsaved changes will be lost” messages.
7. Click Reboot and wait for the system to reboot.
Note You must reboot your system after restoring from backup files.
Managing Nokia IPSO Images
An IPSO image is the operating system kernel and binary files that run the system.
Note Flash-based systems can store a maximum of two Nokia IPSO images.
To delete a Nokia IPSO image
1. Click Manage Images under Configuration > System Configuration > Images in the tree view.
2. Click Delete IPSO Images.
3. Click the delete button next to the image you want to delete.
4. Click Apply.
5. To make your changes permanent, click Save.
Installing New Images
When you upgrade the image, the system configuration and installed packages are retained.
b. (Optional) If the HTTP site on which the Nokia IPSO image is stored requires authentication, enter the HTTP realm to which authentication is needed.
c. (Optional) If the server on which the Nokia IPSO image is stored requires authentication, enter the user name and password.
3. Specify whether to de-activate installed packages (such as VPN-1/FireWall-1 packages) after the system is rebooted with the new image.
4. Click Apply.
Note When you click Test Boot, the system tests the new image for five minutes. If you let the five-minute test period expire without committing to the new image, the system automatically reboots and reverts to the previous image.
A new page appears, and you see a message telling you that the system will be rebooted. Do not click anything on this page.
5. If you did not choose the test boot option, the upgrade is complete after the appliance reboots. You do not need to do anything else.
Only when you are downgrading to a version that was never on your appliance is the connectivity information from the already installed IPSO version carried over to the less recent version that you are installing.
You can configure the options for monitor reports according to your networking and reporting requirements. Table 7 shows the parameters that you can configure for monitor reports.
Table 7 Monitor Report Parameters
Parameter: Collection Interval
Description: Specifies, in seconds, how often the data is collected. Range: 60 - 2100000. Default: 60.
Parameter: On/Off
Description: You can enable or disable each data collection event. By default, all events are enabled.
Check Point VPN-1 Pro/Express NGX R60
Check Point CPinfo
If your platform runs NG with Application Intelligence (R55) for IPSO 3.8, the only packages you can install are:
Check Point VPN-1 NG with Application Intelligence (R55) for IPSO 3.8 (or later)
Check Point SVN Foundation NG with Application Intelligence (R55) for IPSO 3.8
Check Point Policy Server NG with Application Intelligence (R55) for IPSO 3.8
Check Point CPinfo NG with Application Intelligence (R55) for IPSO 3.
12. (Optional) Click the button of the package from which you want to upgrade under Choose one of the following packages to upgrade from.
13. Click Apply.
14. Click Save to make your changes permanent.
To enable or disable a package
1. Click Manage Packages under Configuration > System Configuration > Packages in the tree view.
2. Click On or Off next to the package you want to enable or disable.
3. Click Apply.
4. Click Save.
To delete a package
1.
Only the remote terminating node responds to the MSS value you set; that is, intermediate nodes do not respond. Generally, however, intermediate nodes can handle 1500-byte MTUs. Your system advertises the MSS value you set, and remote terminating nodes respond by sending segments in packets that do not exceed your advertised value. The segment size your system advertises should be 40 bytes less than the smallest MTU between your system and the outgoing interface.
4 Virtual Router Redundancy Protocol (VRRP)
This chapter describes the Nokia IPSO implementation of VRRP and how to configure it on your system.
VRRP Overview
Virtual Router Redundancy Protocol (VRRP) provides dynamic failover of IP addresses from one router to another in the event of failure. VRRP is defined in RFC 3768. The Nokia implementation of VRRP includes all of the features described in RFC 3768, plus the additional feature of monitored circuit, described below. Nokia supports VRRP for IPv6.
Nokia provides support for OSPF, BGP, RIP, and PIM (both sparse and dense mode) to advertise the virtual IP address of the VRRP virtual router. You must use monitored-circuit VRRP, not VRRPv2, to configure virtual IP support for a dynamic routing protocol. You must also enable the Accept Connections to VRRP IPs option.
Note IPSO also supports OSPF over VPN tunnels that terminate at a VRRP group. Only active-passive VRRP configurations are supported; active-active configurations are not.
Figure 2 VRRP Configuration with Internal and External VRIDs
[Figure: Platform A (200.10.10.1 on the public network, 192.168.2.1 on the internal network) and Platform B (200.10.10.2 / 192.168.2.2) share VRID 1 toward the Internet and VRID 2 toward the internal network; A is master and B is backup for both VRIDs.]
In this example, Platform A acts as the master for both VRID 1 and VRID 2 while Platform B acts as the backup for both VRID 1 and VRID 2. You can configure several platforms to be part of multiple VRIDs while they simultaneously back up each other, as shown in Figure 3.
Understanding Monitored-Circuit VRRP
The Nokia implementation of VRRP includes additional functionality called monitored circuit. Monitored-circuit VRRP eliminates the black holes caused by asymmetric routes that can be created if only one interface on the master fails (as opposed to the entire box failing). IPSO does this by releasing priority over all of the VRRP-configured interfaces to allow the backup to take over entirely.
Use this method only if you do not have an extra IP address to use for monitored-circuit VRRP. For more information, see “Configuring VRRPv2”.
Selecting Configuration Parameters
Before you begin, plan your implementation by deciding how you want to set the following configuration parameters.
which to skew the Master_Down_Interval) is calculated as Skew_time = (256 - Priority) / 256. You can configure your VRID to specify one platform as the established master by assigning it a higher priority, or you can assign equivalent priority to all platforms. If you specify an established master by assigning it a higher priority, the original master recovers control after a failover event and it takes back control of the VRID.
Priority Delta
Choose a value for the priority delta that ensures that the priority delta subtracted from the priority results in an effective priority that is lower than that of the backup routers (in case an interface fails). You might find it useful to use a standard priority delta throughout your VRRP configurations to keep your configurations simple and easy to understand. This parameter applies only to monitored-circuit VRRP, not to VRRPv2.
VMAC Mode
For each VRID, a virtual MAC (VMAC) address is assigned to the backup address. The VMAC address is included in all VRRP packet transmissions as the source MAC address; the physical MAC address is not used. When you configure a VRID, you specify which mode IPSO uses to select the VMAC address. You can use any of the modes for Virtual LAN deployments, which forward traffic based on the VLAN address and destination MAC address.
VRRP—The default mode.
Before you Begin
Before you begin, consider your hardware and configuration. Are all backup routers able to handle the traffic they will receive if the master fails? Will you implement load-sharing?
There are two global settings for VRRP as described in the following table.
Table 8 Global VRRP Settings
Parameter: Accept Connections to VRRP IPs
Description: The VRRP protocol specifies NOT to accept or respond to IP packets destined to an adopted VRRP IP address.
Table 9 VRRP Configuration Parameters
Parameter: Priority Delta
Description: Choose a value that will ensure that when an interface fails, the priority delta subtracted from the priority results in an effective priority that is lower than that of all of the backup routers. Nokia recommends you use a standard priority delta, such as 10, to simplify your configuration. For more information, see “Priority Delta”.
Parameter: Hello Interval
Description: Range is 1 to 255; default setting is 1 second.
configuration. You do not have to separately specify settings for each interface. For more information, see “Configuring Monitored-Circuit VRRP using the Simplified Method”.
Full method—Use this method if you are working with a system on which VRRP has already been configured using this method, or if you want control over the configuration of each individual interface.
8. Click Apply.
9. Click Save to make your changes permanent.
10. Log on to each backup appliance in turn and repeat step 2 through step 5. Make sure you use the same values for VRID, hello interval, authentication method, and backup address for all nodes in the VRID.
11. If you are using Check Point NGX, completely configure VRRP on each platform and make sure the firewall has begun synchronization before you put the VRRP group in service.
Table 10 Additional VRRP Parameters Used in Full Method
Parameter: Preempt mode
Description: Preempt mode is enabled by default. Check disabled to specify that this router will not fail over to a router with higher priority. Use this setting if you want to reduce the number of transitions. For example, if you disable preempt mode on a backup and the master fails over to it, then when the master becomes active again, the virtual router will not fail back to it.
5. Enter the value you want to use to identify the virtual router and click Apply. Additional fields appear.
6. Enter values for the configuration parameters for the virtual router. Most of these parameters are the same as those used in the simplified configuration method described in Table 9. The additional parameters displayed on this page are specific to the full configuration method—Preempt mode, Monitor interface, and Auto-deactivation—and are described in Table 10.
7. Click Apply.
8.
3. In the row for the interface you want to configure, select the VRRPv2 radio button in the Mode column.
4. Click Submit. Text boxes for Own VRID and Backup Router with VRID appear.
5. Configure the router as a master or a backup by doing one of the following.
If you want to configure this router as the master for a VRRP group, enter the VRID for the virtual router in the Own VRID text box.
When you use the Check Point cpconfig program (at the command line or using Network Voyager), follow these guidelines:
Install Check Point NGX as an enforcement module only on each node. Do not install Check Point NGX as a management server and enforcement module.
After you choose to install Check Point NGX as an enforcement module, you are asked if you want to install a Check Point clustering product.
tunnels do not fail over correctly. If the encryption/authentication algorithm is supported in the master and not supported by the backup and you do not use NAT, tunnels fail over correctly, but they are not accelerated after failover. If you use sequence validation in VPN-1 NGX, you should be aware that in the event of a failover, sequence validation is disabled for connections that are transferred to another node. Sequence validation is enabled for connections that are created after the failover.
Source: cluster-all-ips
Destination: fwcluster-object, mcast-224.0.0.18
Service: vrrp, igmp
Action: Accept
Note The object for VRRP is not the same as the gateway cluster object for HA. Accordingly, in this example, the gateway cluster object is designated fwcluster-object.
Where:
cluster-all-ips is the Workstation object you created with all IPs.
fwcluster-object is the Gateway Cluster object.
mcast-224.0.0.18 is a Workstation object with the IP address 224.0.0.18 and of the type host.
Source: cluster-all-ips
Destination: fwcluster-object, MCAST.NET
Service: vrrp, igmp, ospf, dvmrp
Action: Accept
Link Aggregation (IP2250 Systems Only)
IP2250 appliances allow you to aggregate the built-in 10/100 Mbps Ethernet ports so that they function as one logical port with higher bandwidth. These appliances offer link aggregation to accommodate firewall synchronization traffic in VRRP configurations.
Master—Forwarding IP packets addressed to the virtual router.
Backup—Eligible to become master and monitoring the state of the current master.
Initialize—Inactive; waiting for startup event.
Note If a virtual router is in initialize state for longer than 20 seconds, this typically indicates that you have a configuration problem, such as a virtual IP address that is not valid. Check your VRRP configuration.
Monitoring the Firewall State
By default, IPSO monitors the state of the firewall and responds appropriately. If a VRRP master detects that the firewall is not ready to handle traffic or is not functioning properly, the master fails over to a backup system. If all the firewalls on all the systems in the VRRP group are not ready to forward traffic, no traffic will be forwarded.
To enable or disable Monitor Firewall state
1. Click VRRP under Configuration > High Availability in the tree view.
2.
4 If you are testing monitored-circuit VRRP by pulling an interface, and the other interfaces do not release their IP addresses, check that the priority delta is large enough that the effective priority is lower than the master router.
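The priority, skew-time and priority-delta rules from “Selecting Configuration Parameters” and the interface-pull check just above, as an added Python example (not code from the Nokia guide). It assumes one priority delta is subtracted per failed monitored interface with the result floored at 0, and takes the Master_Down_Interval and VMAC format from RFC 3768.

```python
# Added example (not from the Nokia guide): sanity-check a planned
# monitored-circuit VRRP configuration against the rules in this chapter.
#
# From the guide:   Skew_time = (256 - Priority) / 256   (seconds)
#                   hello interval range 1..255, default 1 s
# From RFC 3768:    Master_Down_Interval = 3 * Advertisement_Interval + Skew_time
#                   VRRP-mode VMAC = 00-00-5E-00-01-<VRID>; priority 1..254
# Assumptions (not stated on the page): one priority delta is subtracted
# per failed monitored interface, and the effective priority is floored at 0.
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class VrrpRouter:
    name: str
    priority: int            # configured priority
    priority_delta: int      # subtracted when a monitored interface fails
    hello_interval: int = 1  # seconds (guide default)


def skew_time(priority: int) -> float:
    """Guide formula: the skew applied to the Master_Down_Interval."""
    return (256 - priority) / 256.0


def master_down_interval(priority: int, hello_interval: int = 1) -> float:
    """RFC 3768: how long a backup waits before declaring the master down."""
    return 3 * hello_interval + skew_time(priority)


def vmac_for_vrid(vrid: int) -> str:
    """VMAC used in the guide's default 'VRRP' VMAC mode (RFC 3768 format)."""
    if not 1 <= vrid <= 255:
        raise ValueError("VRID must be 1..255")
    return "00:00:5e:00:01:%02x" % vrid


def effective_priority(router: VrrpRouter, failed_interfaces: int = 0) -> int:
    """Priority after failed_interfaces monitored interfaces have gone down.
    Assumption: one delta per failed interface, floored at 0."""
    return max(0, router.priority - failed_interfaces * router.priority_delta)


def validate(router: VrrpRouter) -> List[str]:
    """Range checks: hello interval from Table 9, priority from RFC 3768."""
    problems = []
    if not 1 <= router.priority <= 254:
        problems.append(f"{router.name}: priority {router.priority} not in 1..254")
    if not 1 <= router.hello_interval <= 255:
        problems.append(f"{router.name}: hello interval not in 1..255")
    if router.priority_delta <= 0:
        problems.append(f"{router.name}: priority delta must be positive")
    return problems


def check_priority_delta(master: VrrpRouter, backups: List[VrrpRouter]) -> List[str]:
    """The troubleshooting check above: after ONE interface on the master
    fails, its effective priority must be lower than every backup's."""
    eff = effective_priority(master, failed_interfaces=1)
    problems = []
    for b in backups:
        if b.priority <= eff:
            problems.append(
                f"{b.name} priority {b.priority} does not exceed {master.name} "
                f"effective priority {eff}; delta must exceed "
                f"{master.priority - b.priority}")
    return problems


def elect_master(routers: List[VrrpRouter], failed: Dict[str, int]) -> Optional[str]:
    """Name of the router with the highest effective priority, or None on a
    tie (the chapter describes no tie-break, so none is invented here)."""
    scores = {r.name: effective_priority(r, failed.get(r.name, 0)) for r in routers}
    best = max(scores.values())
    winners = [n for n, s in scores.items() if s == best]
    return winners[0] if len(winners) == 1 else None


if __name__ == "__main__":
    # Constructed sample: master A at priority 100, backup B at 95, delta 10.
    a = VrrpRouter("A", 100, 10)
    b = VrrpRouter("B", 95, 10)
    print("delta problems:", check_priority_delta(a, [b]))
    print("A loses one interface, new master:", elect_master([a, b], {"A": 1}))
```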
Monitored-Circuit VRRP in Switched Environments
When you use monitored-circuit VRRP, some Ethernet switches might not recognize the VRRP MAC address after a transition from the master to a backup. This is because many switches cache the MAC address associated with the Ethernet device attached to a port and when the transition occurs to a backup router, the MAC address for the virtual router appears to shift to another port.
5 Configuring Clustering
This chapter describes IPSO’s clustering feature and provides instructions for configuring clusters. It includes information about upgrading from IPSO 3.6 to IPSO 3.7 or later if you have a cluster configured with IPSO 3.6, and it also presents information about how to configure Check Point’s NGX to work with an IPSO cluster.
IP Clustering Description
IPSO lets you create firewall/VPN clusters that provide fault tolerance and dynamic load balancing.
You can create IP clusters by combining flash-based platforms other than the IP2250 with disk-based or different flash-based models. For example, the following combinations are valid:
flash-based IP1260, disk-based IP1260, IP380
two flash-based IP1260 platforms
IP385, IP380, IP265
This list provides examples only. There are many other combinations that you can use to create clusters.
Example Cluster
The following diagram shows a cluster with two nodes, firewall A and firewall B.
The external router needs a static route to the internal network (192.168.1.0) with 192.168.2.10 as the gateway address. The internal router needs a static route to the external network (192.168.2.0) with 192.168.1.10 as the gateway address. The IP addresses shown in boldface are cluster IP addresses, addresses shared by multiple interfaces in the cluster. IPSO uses the cluster protocol networks shown in the diagram for cluster synchronization and cluster management traffic.
This diagram illustrates the difference.
[Figure: the cluster is managed as a single virtual device by the cadmin user; the individual nodes, Firewall A and Firewall B, are managed by the admin user.]
Any changes you make in Voyager or Cluster Voyager are immediately reflected in the CLI and CCLI. The reverse is also true—settings made in the CLI or CCLI are immediately reflected in Voyager or Cluster Voyager.
Cluster Terminology
This section explains the terms used in IPSO clustering. When applicable, it references the example cluster.
192.168.3.10 is the cluster IP address of the primary cluster interface. 192.168.4.10 is the cluster IP address of the secondary cluster interface. Cluster MAC address: A MAC address that the cluster protocol installs on all nodes. Only the cluster master responds to ARP requests that routers send to cluster IP addresses. The cluster MAC address makes the cluster appear as a single device at the OSI layer two level.
using different switches). This configuration is preferable to using separate VLANs on one switch to separate them and is the configuration shown in the example cluster. If you do not use a dedicated network as the primary network—that is, if the primary network also carries data traffic, see “If You Do Not Use a Dedicated Primary Cluster Protocol Network” and “Configuring NGX for Clustering” for configuration information.
In multicast mode each cluster node receives every packet sent to the cluster and decides whether to process it based on information it receives from the master node. If the node decides not to process the packet (because another node is processing it), it drops the packet. This mode usually offers better throughput because it uses the bandwidth of the production networks more efficiently. Multicast mode uses multicast MAC addresses for each of the nodes.
Do not use this mode if you use PIM in the cluster.
Caution Avoid changing the cluster mode while a cluster is in service. If you change the cluster mode of a single node, the node leaves the cluster. If you change the mode on all the nodes (using Cluster Voyager or the CCLI), the cluster dissolves and reforms and is out of service temporarily.
Considerations for Clustering
Note For information about the requirements for using NGX in an IPSO cluster, see “Configuring NGX for Clustering.”
change ARP global parameters” in the information about configuring interfaces for instructions about how to configure a Nokia appliance to accept these replies. Note If there is no router between the cluster and host systems (PCs or workstations), the hosts must be able to accept ARP replies with multicast MAC addresses. You can avoid this requirement by adding a static ARP entry to each host that includes the cluster IP address and multicast MAC address of the internal cluster interface.
between the nodes with different MTU values. To prevent this problem, make sure that the MTU values are the same on all cluster nodes with Gigabit Ethernet interfaces. Clustering IP2250 Platforms If you use IP2250 platforms to make a cluster, observe the following guidelines: Do not combine an IP2250 with any other model in a cluster. That is, every node in the cluster must be an IP2250.
dropped in the event that there is a failover. The ADP I/O ports should be used for production traffic. You can aggregate the ports on ADP I/O cards and use the aggregated links for production traffic. If you aggregate ports on ADP I/O cards, observe the following guidelines: You can connect the aggregated ports using a switch, hub, or crossover cable. Do not include ports on different ADP I/O cards in the same aggregation group.
For All Upgrades When upgrading a cluster, make sure that all the nodes run the same versions of IPSO (and NGX, when appropriate). If you are upgrading both IPSO and NGX, you should first upgrade IPSO on all the nodes and then upgrade NGX. This approach provides the best continuity of service during the upgrade process. Upgrading from IPSO 3.7 or Later If you want to upgrade a cluster from IPSO 3.
Note You should upgrade the master last. 1. Upgrade node A and restart it. B and C continue to function as a 3.6 cluster. Node A (running the later version of IPSO) rejoins the cluster as a member. 2. Upgrade node B and restart it. Node C continues to function as a 3.6 cluster. Node B (running the later version of IPSO) rejoins the cluster as a member. 3. Make sure that nodes A and B have successfully restarted and rejoined the cluster.
6. Repeat this procedure on each of the other nodes that you upgraded from IPSO 3.6. You can now manage the cluster using Cluster Voyager or the CCLI. Creating and Configuring a Cluster Configuration Overview To create and configure a cluster 1. Create a cluster on the first node. 2. Select the cluster mode. 3. Configure the cluster interfaces. 4. Enable or disable firewall monitoring, as appropriate: If NGX is running on the node, enable NGX monitoring before you make the cluster active.
4. Enter a password for the user cadmin. The password must have at least six characters. Note You must use the same password on each node that you add to the cluster. This is also the password that you use to log into Cluster Voyager or the CCLI. 5. Enter the password for cadmin again (for verification). 6. Click Apply. 7. Click Manually Configure IPSO Cluster. Configure the cluster as explained in the following sections.
Sequence Verifier. Worm Catcher Delayed notification of connections Security servers IP pools (with non-Check Point gateways or clients). See “Supporting Non-Check Point Gateways and Clients” for related information. If any of the requirements for static work assignment apply to your cluster, you should use this setting.
The secondary interfaces of all the cluster nodes must belong to the same subnet. This subnet should not carry any other traffic unless you use it to carry firewall synchronization traffic. (See “Configuring NGX for Clustering” for information about selecting the firewall synchronization network.) Secondary interfaces are optional. 6. If you are using multicast with IGMP mode and do not want to use the default IP multicast group address, enter a new address in the range 239.0.0.0 to 239.255.255.255. 7.
Configuring VPN Tunnels If you want the cluster to support VPN tunnels in which non-Check Point gateways participate, you must configure the tunnels in Voyager (on the Clustering Setup Configuration page) as well as in NGX. Perform the following procedure: 1. In the Network Address field under Add New VPN Tunnel, enter the remote encryption domain IP address in dotted-decimal format (for example, 192.168.50.0). 2. In the Mask field, enter the mask value as a number of bits. The range is 8 to 32. 3.
VPN but not want to route unencrypted traffic through the cluster. For this purpose, you can use a configuration similar to the one shown in the following diagram: [Diagram: an internal router on the internal network 192.168.1.0 (internal cluster IP address 192.168.1.10) in front of the cluster; the nodes share the primary cluster protocol network 192.168.3.0; Firewall A and the second node have real internal addresses 192.168.1.2 and 192.168.1.3, cluster protocol addresses 192.168.3.1 and 192.168.3.2, and IP pools 10.1.2.0/24 and 10.1.3.0/24 respectively.]
cluster interfaces (192.168.1.2 and 192.168.1.3) as gateway addresses. In the example network, the internal router has the following static routes: route: 10.1.2.0/24, gateway: 192.168.1.10 route: 10.1.3.0/24, gateway: 192.168.1.10 Configuring IP pools in Cluster Voyager If you want to use IP pools with a VPN in which a non-Check Point gateway participates, you must configure the pools in IPSO as well as in NGX.
In addition to helping you make sure that all cluster nodes are configured consistently, using this feature makes the configuration process easier and faster. The list of shared features should be specified only when you set up a cluster. Once the cluster is operational, you should avoid changing which features are cluster sharable. The basic approach to follow is: 1. Configure the first node. 2. Join the other systems to the first node so that they all copy the shared settings from the same source.
because of join-time sharing, you can reload the desired configuration on C from the saved configuration file. See “Managing Configuration Sets” for information about saving and loading configuration files. If node C becomes the master in the previous example, then its settings for join-time shared features are copied to the other nodes. For example, foobar.com would replace companyname.com on nodes A and B.
After You Create a Cluster Whenever you use Cluster Voyager (or the CCLI), you can remove features from the list of ones that are cluster sharable. You can do this on any node. However, Nokia recommends that you avoid doing this. You should set up the appropriate feature sharing when you create a cluster and then leave it unchanged. If a feature is shared and you want to reconfigure it on all the cluster nodes, use Cluster Voyager or the CCLI.
Manual configuration. If you use this method, you must supply more information so that the system can join the cluster. Manually adding nodes is very similar to the process of creating a cluster configuration on the first node, and you must make sure to enter the appropriate settings identically to how you entered them on the first node. If you add a node manually, do not make any changes under Join-Time Shared Feature Configuration.
Joining a System to a Cluster To join a system to a cluster, perform this simple procedure: 1. Display the Interface Configuration page. 2. Configure interfaces with IP addresses in each of the networks used by the cluster and activate the interfaces. 3. Click Top. 4. Under Traffic Management Configuration, click Clustering Setup to display the Clustering Setup Configuration page. 5. Enter the ID of the existing cluster. 6. Enter the password for the user cadmin in both password fields.
You can make changes that are implemented on all the nodes simultaneously. To make changes in this way, you use Cluster Voyager or the CCLI. (See the IPSO CLI Reference Guide for information about using the CCLI.) Note Nokia recommends that you use Cluster Voyager or the CCLI to change cluster settings or to make changes to join-time shared features. You can make configuration changes on individual nodes.
Someone else is logged into Cluster Voyager or the CCLI and has acquired an exclusive configuration lock If someone else has acquired an exclusive configuration lock when you attempt to log in and acquire a lock, Voyager will display a “permission denied” message and ask you to log in again. If you want to break the lock acquired by the other user, see “Obtaining a Configuration Lock” on page 25 for more information.
Cluster Voyager or the CCLI are also implemented on node B. (You can log into all nodes as cadmin because this user is created automatically on each node.) Note If you assign the Clustering feature to a user with the role type System, that user can configure clustering on individual nodes but cannot use Cluster Voyager or the CCLI. See “Role-Based Administration” on page 293 for more information about creating and assigning roles.
performance rating to force a particular node to be the master (which will also have the effect of giving that node a larger share of work). To change the performance rating, enter a number in the Performance Rating field (the range of values is 0 through 65535), then click Apply and Save.
Note Nokia recommends that you do not make changes to cluster settings or join-time shared features on individual nodes; use Cluster Voyager or the CCLI to make these changes. This will help you ensure that all the nodes are configured consistently. When you log in as a cluster administrator and change a setting of a join-time shared feature, the change is made across the cluster even if you did not share the feature when you created the cluster.
If you specify an invalid FTP server or an invalid path to a valid server as the source of the image, Cluster Voyager does not respond with an error message and displays the following messages instead: New Image installation in progress Please don't perform a cluster reboot until all nodes have finished the upgrade. If IPSO does not also display additional messages indicating that the download is proceeding (there might be a short delay), the FTP information might be incorrect.
The following is an illustration of this process in a three node cluster with nodes A, B, and C, in which C is the originating node. 1. If node A restarts successfully and rejoins the cluster, node B restarts. If node A does not reboot and rejoin the cluster successfully, the cluster reboot process is halted and the remaining two nodes continue functioning. You should investigate and resolve the problem that prevented node A from restarting and rejoining the cluster. 2.
Changing Cluster Interface Configurations If you want to change the cluster interface configuration of a node—for example, if you want to change the primary interface—you must log into the node as a system user. You cannot use Cluster Voyager or the CCLI. Note Any time you make a change to the cluster interface configuration, the node leaves and attempts to rejoin the cluster. 1. Log into the Voyager on the node as a system user. 2. Display the Clustering Setup Configuration page. 3.
Configuring NTP There are two approaches to configuring NTP in a cluster: Using a device outside the cluster as the NTP server. In this case you use the IP address of the server when configuring NTP on the cluster nodes. Using the cluster master node as the NTP server. In this case you use one of the cluster IP addresses when configuring NTP on the cluster nodes. If the master node fails and another node becomes the master, the new master becomes the time server.
Using the Master Node as the NTP Server To configure the cluster master as the NTP server, do the following steps on the NTP configuration page: 1. Log into Cluster Voyager. 2. Display the NTP Configuration page. 3. Enable NTP. After you enable NTP, you see additional options. 4. Enter one of the cluster IP addresses under NTP Servers. The cluster IP addresses are the addresses that are shared by the interfaces participating in the cluster. 5. Make sure that the NTP Master choice is set to Yes. 6.
Configure state synchronization: Enable state synchronization and configure interfaces for it. The interfaces that you configure for state synchronization should not be part of a VLAN or have more than one IP address assigned to them. Enable antispoofing on all the interfaces in the cluster, including those used for firewall synchronization and cluster synchronization.
To enable sequence validation in the Check Point management application and IPSO, follow these steps: a. On the main Configuration page in Nokia Network Voyager, click Advanced System Tuning (in the System Configuration section). b. On the Advanced System Tuning page, click the button to enable sequence validation. c. Enable sequence validation in the Check Point management application. d. Push the new policy to the IPSO appliance.
Configuring the Cluster in Voyager 1. Using Voyager, log into node A. 2. Display the Interface Configuration page. 3. Configure interfaces with IP addresses in each of the networks shown in the example and activate the interfaces. For example, the IP address for interface eth-s1p1 would be 192.168.1.1. 4. Click Top. 5. Under Traffic Management Configuration, click Clustering Setup to display the Clustering Setup Configuration page. 6. Enter ID 10 for the cluster. 7. Enter a password for cadmin twice. 8.
17. Click Save. 18. Configure static routes from this node to the internal and external networks using 192.168.1.5 and 192.168.2.5 as gateway addresses (next hops). 19. On nodes B and C, configure interfaces with real IP addresses in each of the four networks shown in the example. 20. Join nodes B and C to the cluster. These nodes will copy the configuration information you entered on node A, including the static routes to the internal and external networks.
Clustering Example With Non-Check Point VPN This section presents an example that shows how to configure an IPSO cluster to support a VPN with a non-Check Point gateway. The following diagram illustrates the example configuration: [Diagram: cluster ID 10 made up of Firewall A and a second node; an internal router at 192.168.1.5 on the internal network 192.168.1.0, on which the internal cluster IP is 192.168.1.10; the primary cluster protocol network 192.168.3.0 with cluster IP 192.168.3.10; the node interfaces eth-s1p1, eth-s2p1, and eth-s3p1 use host addresses .1 (Firewall A) and .2 on their respective networks.]
4. In the Add New VPN Tunnel section, enter 10.1.1.0 in the Network Address field. 5. In the Mask field, enter 24. 6. In the Tunnel End Point field, enter 10.1.2.5. 7. Click Apply. 8. Click Save. 9. Configure the same tunnel in NGX. For more information, see “Configuring NGX for Clustering” and the Check Point documentation.
6 Configuring SNMP This chapter describes the Nokia IPSO implementation of Simple Network Management Protocol (SNMP) and how to configure it on your system. SNMP Overview The Simple Network Management Protocol (SNMP) is the Internet standard protocol used to exchange management information between network devices. SNMP works by sending messages, called protocol data units (PDUs), to different parts of a network.
MIB (Source): Function
Rate-Shape MIB (proprietary): Monitoring rate-shaping statistics and configuration.
IPSO System MIB (proprietary): Monitoring system-specific parameters. Defines the system MIB for IPSO. The IPSO chassis temperature, fan group, and power-supply group function only on certain firewalls.
IPSO Registration MIB (proprietary): Defines the object ID (OID) prefixes.
OID Registration MIB (proprietary): Defines the object ID (OID) prefixes.
SNMPv2-TC (RFC 2579): Defines textual conventions for various values reported in OIDs and traps.
Dial-Control MIB (RFC 2128): Describes peer information for demand access and other kinds of interfaces. Note: The dialCtlPeerCallInformation and dialCtlPeerCallSetup traps are not supported by IPSO.
Entity MIB (RFC 2737): Represents the multiple logical entities that a single SNMP agent supports. Note: The entConfigChange trap is not supported by IPSO.
Nokia Enhanced SNMP Solution Suite PM IRP MIB (proprietary): Note: IPSO does not send traps that this MIB supports when the Nokia platform is used as an IP security device.
Nokia NE3S Registration MIB (proprietary)
Nokia Link Aggregation MIB (proprietary): Contains the traps required for managing link aggregation.
Nokia NTP MIB (proprietary)
SNMPv2-CONF: IPSO does not support this MIB, but it is included for those customers who need it to enable their management tools.
Using the Check Point MIB You must use the Check Point version of the Check Point MIB (CP-MIB) text file in $FWDIR/lib/snmp of your network management tool. Do not use the CheckPoint-MIB.txt included in releases before Nokia IPSO 3.7. Whenever IPSO SNMPd is started or restarted, it searches for the CheckPoint-MIB.txt.
SNMP query operations. In this case, you might have to delete the FloodGate package from your system. Enabling SNMP and Selecting the Version The SNMP daemon is enabled by default. If you choose to use SNMP, configure it according to your security requirements. At minimum, you must change the default community string to something other than public. You should also select SNMPv3, rather than the default v1/v2/v3, if your management station supports it.
Note If you select the Disable checkbox all community strings are disabled and SNMPv1 and v2 do not function. This has the same effect as selecting only SNMPv3 in the previous step. 6. (Optional). Set a read-write community string. Caution Set a read-write community string only if you have reason to enable set operations, only if you enabled SNMPv3 (not v1/v2/v3), and if your network is secure. 7. Click Apply. 8. Click Save to make your changes permanent.
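The two settings above (a non-default community string, and v1/v2 disabled in favour of SNMPv3) can be checked from the management network. The following Python script is an added example and is not part of this guide or of IPSO: it hand-encodes an SNMPv1 GetRequest for sysDescr.0 so that it runs with the standard library alone, decodes the GetResponse, names the error-status, and reports whether the community string public still yields a read. The target address 192.0.2.1 and the request ID are placeholders. An agent that rejects the community sends no reply (it may emit an authentication-failure trap instead), so a timeout is the expected result against a correctly configured appliance; a returned sysDescr means the default community is still accepted on that interface.

```python
"""SNMPv1/v2c GET probe for the default community string (added example, not IPSO code)."""
import socket

SYS_DESCR_OID = "1.3.6.1.2.1.1.1.0"          # SNMPv2-MIB::sysDescr.0
GET_REQUEST, GET_RESPONSE = 0xA0, 0xA2        # context-specific PDU tags

# error-status values of the SNMPv2 PDU (RFC 3416); v1 agents use only 0..5
ERROR_STATUS = {0: "noError", 1: "tooBig", 2: "noSuchName", 3: "badValue",
                4: "readOnly", 5: "genErr", 6: "noAccess", 7: "wrongType",
                8: "wrongLength", 9: "wrongEncoding", 10: "wrongValue",
                11: "noCreation", 12: "inconsistentValue", 13: "resourceUnavailable",
                14: "commitFailed", 15: "undoFailed", 16: "authorizationError",
                17: "notWritable", 18: "inconsistentName"}

def ber_len(n):
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, payload):
    return bytes([tag]) + ber_len(len(payload)) + payload

def ber_int(v):
    """Minimal two's-complement INTEGER for v >= 0 (keeps the sign bit clear)."""
    return tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))

def ber_oid(dotted):
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, the rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return tlv(0x06, bytes(out))

def build_message(pdu_tag, community, request_id, oid, value=None, error_status=0, version=0):
    """Message ::= SEQUENCE { version (0 = v1, 1 = v2c), community, PDU }.
    value=None encodes a NULL varbind (a request); bytes encode an OCTET STRING."""
    vb_value = tlv(0x05, b"") if value is None else tlv(0x04, value)
    varbinds = tlv(0x30, tlv(0x30, ber_oid(oid) + vb_value))
    pdu = tlv(pdu_tag, ber_int(request_id) + ber_int(error_status) + ber_int(0) + varbinds)
    return tlv(0x30, ber_int(version) + tlv(0x04, community.encode()) + pdu)

def _read_tlv(buf, pos):
    tag, ln = buf[pos], buf[pos + 1]
    pos += 2
    if ln & 0x80:                               # long-form length
        n = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + ln], pos + ln

def parse_message(data):
    """Decode a v1/v2c message; values is a list of (value tag, raw bytes)."""
    _, msg, _ = _read_tlv(data, 0)
    _, ver, p = _read_tlv(msg, 0)
    _, comm, p = _read_tlv(msg, p)
    pdu_tag, pdu, _ = _read_tlv(msg, p)
    _, rid, q = _read_tlv(pdu, 0)
    _, err, q = _read_tlv(pdu, q)
    _, _idx, q = _read_tlv(pdu, q)
    _, vbl, _ = _read_tlv(pdu, q)
    values, r = [], 0
    while r < len(vbl):
        _, vb, r = _read_tlv(vbl, r)
        _, _oid, s = _read_tlv(vb, 0)
        vtag, val, _ = _read_tlv(vb, s)
        values.append((vtag, val))
    status = int.from_bytes(err, "big", signed=True)
    return {"version": int.from_bytes(ver, "big", signed=True),
            "community": comm.decode("ascii", "replace"), "pdu_tag": pdu_tag,
            "request_id": int.from_bytes(rid, "big", signed=True),
            "error_status": status, "error_name": ERROR_STATUS.get(status, f"unknown({status})"),
            "values": values}

def leaked_sysdescr(response, expected_request_id):
    """sysDescr text if this is a clean GetResponse to our request, else None.
    A non-None result means the community string is accepted for reads."""
    if response["pdu_tag"] != GET_RESPONSE or response["request_id"] != expected_request_id:
        return None
    if response["error_status"] != 0 or not response["values"]:
        return None
    vtag, val = response["values"][0]
    return val.decode("ascii", "replace") if vtag == 0x04 else None

def probe(host, community="public", port=161, timeout=2.0, request_id=0x1A2B):
    """One GET against a live agent: sysDescr on success, None on timeout or refusal."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_message(GET_REQUEST, community, request_id, SYS_DESCR_OID), (host, port))
        data, _ = sock.recvfrom(4096)
    except socket.timeout:
        return None
    finally:
        sock.close()
    return leaked_sysdescr(parse_message(data), request_id)

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.1"   # placeholder address
    descr = probe(target)
    print("default community accepted:", repr(descr) if descr else "no (good)")
```

Run it once with the default community and once with the configured one; only the second should answer. If the read-write community from step 6 is set, repeat with that string too, since a leaked write community lets an attacker change the agent's own trap receivers and community strings.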
Note If no agent addresses are specified, the SNMP protocol responds to requests from all interfaces. Configuring Traps Managed devices use trap messages to report events to the network management station (NMS). When certain types of events occur, the platform sends a trap to the management station. Traps are defined in text files located in the /etc/snmp/mibs directory: System traps are defined in the Nokia-IPSO-System-MIB. The ifLinkUpDown trap is defined in the IF-MIB.
Table 12 Types of SNMP Traps
lamemberActive: Supplies notification when a port is added to a link aggregation group.
lamemberInactive: Supplies notification when a port is removed from a link aggregation group.
Authorization: Supplies notification when an SNMP operation is not properly authenticated. Although all implementations of SNMPv2 must be capable of generating this trap, the snmpEnableAuthenTraps object indicates whether this trap is generated.
Table 12 Types of SNMP Traps (continued)
systemTrapDiskMirrorSyncFailure: Supplies notification when a system disk mirror set fails during syncing. Note: The disk mirror traps are supported only on systems where disk mirroring is supported.
clusterMemberReject: Supplies notification when a member request to join a cluster is rejected.
clusterMemberJoin: Supplies notification when a member node joins the cluster.
Configuring Trap Receivers You must specify the management station that accepts traps from your appliance, and the community string used on your management station (receiver) to control access. To configure trap receivers 1. Choose SNMP under Configuration in the tree view. 2. Enter the IP address (or the hostname if DNS is set) of a receiver in the Add New Trap Receiver text field. 3. Enter the community string for the specified receiver in the Community String for new Trap Receiver field. 4.
4. Click Save to make your changes permanent. Configuring Location and Contact Information The settings for location and contact information provide information to the management system about where your device is located and who to contact about it. Set the location and contact strings when you perform the initial configuration for SNMP on your system. To configure location and contact information 1. Choose SNMP under Configuration in the tree view. 2.
Error status code 9: wrongEncoding. Note You might not see the codes. The SNMP manager or utility interprets the codes and displays and logs the appropriate message. The fourth field contains the error index; it is meaningful only when the error-status field is nonzero, which indicates that an error occurred.
Value: Description
genErr: If the processing of a variable fails for any other reason, the responding entity returns genErr and a value in the error-index field that is the index of the problem object in the variable-bindings field.
tooBig: If the size of the message that encapsulates the generated response PDU exceeds a local limitation or the maximum message size of the request’s source party, then the response PDU is discarded and a new response PDU is constructed.
and encryption, but you can employ them independently by specifying one or the other with your SNMP manager requests. The IPSO system responds accordingly. Note Nokia systems do not protect traps with authentication or encryption. Request Messages You must configure your SNMP manager to specify the security you want.
6 To view existing SNMP users, click SNMP under Configuration > System Configuration in the tree view and click Manage SNMP Users. Alternatively, you can click the Manage SNMP User Access link located on the Configuration > Security and Access > Users page. The admin user or a user with privileges for the SNMP feature can modify the security level, authentication pass phrase, and privacy pass phrase for existing SNMP users, and create or delete SNMP users.
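What the authentication and privacy pass phrases of an SNMP user become on the wire is defined by the USM key derivation of RFC 3414. The following Python code is an added example reproducing that derivation; it is not IPSO code. The pass phrase is stretched to 1 MiB and hashed (Ku), then localized with the agent's snmpEngineID (Kul), and Kul keys the HMAC that protects each request; the same functions applied to the privacy pass phrase yield the privacy key. The pass phrase and engine ID in the test values are the RFC 3414 Appendix A examples, not values from an IPSO system, and the message bytes fed to the HMAC are constructed. The practical consequence: Kul differs per engine ID, so a key dumped from one agent does not open another, but the pass phrase behind it still does, which is why a pass phrase shared across appliances remains a single shared secret.

```python
"""RFC 3414 USM key derivation and authentication (added example, not IPSO code)."""
import hashlib
import hmac

ONE_MIB = 1_048_576

def password_to_key(passphrase: str, hash_name: str = "md5") -> bytes:
    """Ku: the pass phrase repeated (and truncated) to exactly 1,048,576 bytes, hashed once.
    The expansion slows brute force of weak pass phrases a little; it does not prevent it."""
    pw = passphrase.encode()
    if not pw:
        raise ValueError("empty pass phrase")
    reps, rem = divmod(ONE_MIB, len(pw))
    return hashlib.new(hash_name, pw * reps + pw[:rem]).digest()

def localize_key(ku: bytes, engine_id: bytes, hash_name: str = "md5") -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku): agents with different engine IDs hold
    different Kul for the same pass phrase."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()

def usm_key(passphrase: str, engine_id: bytes, hash_name: str = "md5") -> bytes:
    """Authentication key (auth pass phrase) or privacy key (privacy pass phrase)."""
    return localize_key(password_to_key(passphrase, hash_name), engine_id, hash_name)

def auth_parameters(kul: bytes, whole_msg: bytes, hash_name: str = "md5") -> bytes:
    """msgAuthenticationParameters: HMAC over the serialized message (sender zeroes this
    field first), truncated to 96 bits as RFC 3414 section 6.3 specifies."""
    return hmac.new(kul, whole_msg, hash_name).digest()[:12]

def verify_auth(kul: bytes, whole_msg_with_zeroed_params: bytes, received: bytes,
                hash_name: str = "md5") -> bool:
    """Receiver recomputes the tag and compares in constant time."""
    return hmac.compare_digest(auth_parameters(kul, whole_msg_with_zeroed_params, hash_name), received)

if __name__ == "__main__":
    engine = bytes.fromhex("000000000000000000000002")   # RFC 3414 A.3 example engine ID
    kul = usm_key("maplesyrup", engine)                   # RFC 3414 A.3 example pass phrase
    msg = b"\x30\x00constructed message bytes"            # constructed, not a real PDU
    print("Kul:", kul.hex(), "tag:", auth_parameters(kul, msg).hex())
```

Because traps from this platform carry no USM protection (see the note below), the authentication above applies only to requests and responses; treat trap contents as unauthenticated input on the management station.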
To delete a USM user 1. Click SNMP under Configuration in the tree view. 2. Click Manage USM Users at the bottom of the page. The Manage SNMP Users page appears. 3. Select the appropriate Delete check box. 4. Click Apply. 5. Click Save to make your changes permanent.
7 Configuring IPv6 This chapter describes the IPv6 features supported by Nokia IPSO and how to configure them on your system. IPv6 Overview IPv6 is the next generation IP protocol and is expected to replace IPv4, the current IP protocol. The Internet Engineering Task Force (IETF) formally began to work on the new protocol in 1994.
IPv6 over IPv4 Tunnel (RFC 2185)
IPv6 over Ethernet (RFC 2464)
IPv6 over FDDI (RFC 2467)
IPv6 over PPP (RFC 2472)
IPv6 over ATM (RFC 2492, PVC only)
IPv6 over ARCNET (RFC 2497)
IPv6 over Token Ring (RFC 2470)
IPv6 over IPv4 (RFC 2529)
IPv6 to IPv4 (Internet Draft)
Generic Packet Tunneling (RFC 2473, IPv4 through IPv6 only)
RIPng for IPv6
Static Routes
Route Aggregation
Route Redistribution
IPv6 inetd
IPv6 telnet client and server
IPv6 FTP client and server
Utilities (p
To delete an IPv6 address 1. Click IPv6 Interfaces under Configuration > System Configuration > IPv6 Configuration in the tree view. 2. Click the logical interface link to configure in the Logical column for which you want to delete an IPv6 address. Example: eth-s1p1c0 3. Check the delete box next to the IPv6 address you want to delete. 4. Click Apply. 5. Click Save to make your changes permanent. To disable IPv6 on an interface 1.
represents the number of times to retry Duplicate Address Detection Neighbor Discovery requests. 6. In the Permanent Neighbor Discovery Entries field, enter the permanent IPv6 address for the permanent neighbor discovery destination in the New Permanent Neighbor Discovery Entry text box. 7. Click Apply. 8. Click Save to make your changes permanent. 9. To flush current dynamic Neighbor Discovery entries, click Flush in the Dynamic Neighbor Discovery Entries field. 10. Click Apply.
Configuring IPv6 to IPv4 This feature allows you to connect an IPv6 domain through IPv4 clouds without configuring a tunnel. To configure IPv6 to IPv4 1. Click IPv6 to IPv4 under Configuration > System Configuration > IPv6 Configuration in the tree view. 2. In the Enable IPv6 to IPv4 field, click Yes. 3. In the Active field, just below the Logical Interface field, click On to enable the logical interface. This value represents the pseudo-interface that is associated with this feature.
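No tunnel needs configuring because the IPv4 endpoint is carried inside the IPv6 address itself. The following Python code is an added example, not IPSO code: it derives the 2002::/48 prefix a site gets from its IPv4 address, recovers the IPv4 endpoint from any 6to4 destination (which is what the pseudo-interface does per packet), and applies the decapsulation check a 6to4 router should make (RFC 3964): an inner 2002:: source must match the outer IPv4 source, and native inner sources are accepted only from the configured relay. The IPv4 and IPv6 addresses used are documentation ranges; 192.88.99.1 is the RFC 3068 relay anycast address; accepting native sources only from the relay is this example's policy, not a statement about IPSO.

```python
"""6to4 (RFC 3056) address arithmetic and RFC 3964 ingress checks (added example, not IPSO code)."""
import ipaddress

SIX_TO_FOUR = ipaddress.IPv6Network("2002::/16")
RELAY_ANYCAST = ipaddress.IPv4Address("192.88.99.1")          # RFC 3068 6to4 relay anycast
_UNUSABLE_V4 = [ipaddress.IPv4Network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
                 "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4", "0.0.0.0/8")]

def six_to_four_prefix(ipv4: str) -> ipaddress.IPv6Network:
    """2002:VVVV:VVVV::/48 for a site whose public address is V.V.V.V.
    Private or non-unicast addresses cannot serve: other 6to4 routers would
    encapsulate packets to an IPv4 address they cannot reach."""
    v4 = ipaddress.IPv4Address(ipv4)
    if any(v4 in net for net in _UNUSABLE_V4):
        raise ValueError(f"{v4} is not usable as a 6to4 endpoint")
    return ipaddress.IPv6Network((int(SIX_TO_FOUR.network_address) | (int(v4) << 80), 48))

def embedded_ipv4(ipv6: str):
    """The IPv4 address in bits 16..47 of a 2002::/16 address, or None for native IPv6."""
    v6 = ipaddress.IPv6Address(ipv6)
    if v6 not in SIX_TO_FOUR:
        return None
    return ipaddress.IPv4Address((int(v6) >> 80) & 0xFFFFFFFF)

def next_hop_ipv4(dst_ipv6: str, relay=RELAY_ANYCAST) -> ipaddress.IPv4Address:
    """Outer IPv4 destination the pseudo-interface uses: the embedded address for
    6to4 destinations, the relay for native IPv6 destinations."""
    v4 = embedded_ipv4(dst_ipv6)
    return v4 if v4 is not None else relay

def accept_decapsulated(outer_src_ipv4: str, inner_src_ipv6: str, relay=RELAY_ANYCAST) -> bool:
    """Ingress check on a received IPv4-encapsulated packet. A forged inner 2002::
    source whose embedded IPv4 differs from the outer IPv4 source is dropped; a native
    inner source is accepted only from the configured relay (this example's policy)."""
    outer = ipaddress.IPv4Address(outer_src_ipv4)
    embedded = embedded_ipv4(inner_src_ipv6)
    if embedded is not None:
        return embedded == outer
    return outer == relay

if __name__ == "__main__":
    site = "192.0.2.1"                                    # documentation address
    print(site, "->", six_to_four_prefix(site))
    print("next hop for 2002:c000:201::1:", next_hop_ipv4("2002:c000:201::1"))
    print("spoofed inner source accepted:", accept_decapsulated("198.51.100.7", "2002:c000:201::1"))
```

The ingress check is the part worth carrying over to a firewall policy: without it, anyone who can send IPv4 to the appliance can inject IPv6 packets that appear to come from any 6to4 site.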
6. Click Apply. 7. Click Save to make your changes permanent. Configuring IPv4 in IPv6 Tunnels This feature allows you to set up a point-to-point link to permit traffic from IPv4 domains to travel through IPv6 domains. To configure IPv4 in IPv6 tunnels 1. Click IPv6 in IPv4 Tunnels under Configuration > System Configuration > IPv6 Configuration in the tree view. 2. Enter the IPv6 address of the local tunnel endpoint in the Local IPv6 Address text box. 3.
6. To specify the order in which next hops are selected, enter a value from one to eight in the Preference text box. The lower the value the more preferred the link. The next preferred value is selected as the next hop only when an interface fails. A nonreachable link is not selected as the next hop. The preference option also supports equal-cost multipath routing. For each preference value, you can configure as many as eight gateway addresses.
5. Scroll through the New Contributing Protocol List and click the protocol you want to use for the new aggregate route. 6. Click Apply. 7. Click Save to make your changes permanent. 8. Click On in the Contribute All Routes from field. 9. (Optional) To specify an IPv6 prefix, enter the IPv6 address and mask length in the text boxes in the Prefix for New Contributing Route from field. 10. Click Apply, and click Save to make your changes permanent.
6. To redistribute a specific aggregate route or routes into RIPng, click On next to the IPv6 interface for the aggregate route to redistribute into RIPng. 7. Enter a value in the Metric text box for the metric cost that the created RIPng route will have. 8. Click Apply. 9. Click Save to make your changes permanent. Redistributing Interface Routes into RIPng 1. Click IPv6 Route Redistribution under Configuration > System Configuration > IPv6 Configuration > Routing Configuration in the tree view. 2.
more information about configuring VRRP for IPv6 interfaces, see “Configuring VRRP for IPv6.” 1. Click ICMPv6 Router Discovery under Configuration > System Configuration > IPv6 Configuration > Router Services in the tree view. 2. To enable ICMPv6 router discovery, click On next to the interface on which you want to run the protocol. 3. Click Apply. 4. (Optional) To enable the managed address configuration flag in the router advertisement packet, click Yes in the Managed Config Flag field.
14. (Optional) To specify that the IPv6 prefix can be used for autonomous address configuration, click Yes in the Autonomous Flag field. 15. (Optional) Enter a value (in seconds) in the Prefix Valid Lifetime text box for the prefix information options valid lifetime field. This value represents the length of time—relative to the time the packet is sent—that the prefix is valid for the purpose of on-link determination. 16.
the new master begins to send out router discovery advertisements. For more information about configuring Router Discovery for IPv6 interfaces, see “Configuring ICMPv6 Router Discovery.” Creating a Virtual Router for an IPv6 Interface Using VRRPv3 You must configure a virtual router on an interface to enable other routers to back up its addresses. 1. Click VRRP for IPv6 under Configuration > System Configuration > IPv6 Configuration > Router Services in the tree view. 2.
Use this procedure to configure virtual routers to back up the addresses of other routers on a shared media network. 1. Click VRRP for IPv6 under Configuration > System Configuration > IPv6 Configuration > Router Services in the tree view. 2. Click the VRRPv3 button next to the interface for which to enable VRRP. 3. Click Apply. 4. In the Backup Router with VRID text box, enter a value from 1 to 255 to specify a virtual ID for the virtual router used to back up the IP addresses of another system.
This option does not affect the functioning of your system if a firewall is not installed. 1. Click VRRP for IPv6 under Configuration > System Configuration > IPv6 Configuration > Router Services in the tree view. 2. Click Enabled in the Monitor Firewall State field. 3. To disable this option, if you have enabled it, click Disabled. The default is Enabled. 4. Click Apply, and then click Save to make your changes permanent.
Enter the IP address you want to assign to the virtual router backup in the Backup Address edit box. Click Apply. Note The IP address(es) associated with the monitored circuit virtual router must not match the real IP address of any host or router on the network of the interface. 3. To set a VMAC address, click the VMAC Mode drop-down list and select VRRP, Interface, Static, or Extended. VRRP is the default.
Failover of the default router no longer occurs. When you disable a virtual router, you must first remove the VRRP configuration for that virtual router from all of the backup routers. You must not delete the virtual router on the default router first, as it stops sending VRRP advertisements. This results in the backup routers assuming that the default router has failed, and one of the backup routers automatically adopts the backup address of the default router.
configured. The default is 100 centiseconds, that is, 1 second. 5. (Optional) Click Disabled next to Preempt Mode if you do not want virtual router with a higher priority to preempt the current master router and become the new master. The default is Enabled, which means that a virtual router with a higher priority than the current master preempts the master and becomes the new master router. 6.
resulting in the effective priority value. This effective priority value of the virtual router is used to determine the election of the VRRP master router. Note You must enter a priority delta value for each interface you select to monitor. If you do not enter a priority delta value, Network Voyager displays an error message. 4. Click Apply. 5. Repeat steps 4 and 5 for each interface you want to monitor. 6.
Security and Access Configuration To enable FTP, TFTP, or Telnet access 1. Click Network Access Services under Configuration > System Configuration > IPv6 Configuration > Security and Access Configuration in the tree view. 2. Select Yes next to the types of access you want to allow for IPv6: FTP, Telnet, and TFTP. 3. Click Apply. 4. Click Save to make your changes permanent.
8 Managing Security and Access This chapter describes how to manage passwords, user accounts, and groups, how to assign privileges using role-based administration, and how to configure network access, services, and Network Voyager session management. It also describes how to configure AAA for a new service, encryption acceleration, and virtual tunnel interfaces (VTI) which support Check Point route-based VPN.
To change another user’s password 1. Log in as a user who has read/write permissions for the Users feature. Note Admin users or any user with the User feature assigned to them can change a user’s password without providing the existing password. 2. Click Manage User under Configuration > Security and Access > Users in the tree view. 3. In the table for the user whose password you want to change, enter the new password in the New Password and in the Confirm New Password text boxes. 4. Click Apply. 5.
After you create a new user, go to Role-Based Administration > Assign Role to Users to grant the user additional access privileges. For more information, see “Role-Based Administration” on page 293. Table 14 describes the attributes associated with each user account. Table 14 User Account Attributes Attribute Description Name Name used to identify the user. Range: 1-32 characters User ID Unique ID number for the user account. The system will not allow you to create a user with a duplicate User ID.
To add a user 1. Click Users under Configuration > Security and Access Configuration in the tree view. 2. In the Add New User section, enter the name of the user, a unique user ID, and the home directory for the new user. The home directory must be /var/emhome/. Note You must complete all fields (Username, UID, and Home Directory). If you do not complete these fields, an error message appears that says “not all fields are complete”. 3. Click Apply. An entry for the new user appears on the page.
To configure S/Key 1. Click Users under Configuration > Security and Access Configuration in the tree view. 2. Enable the Admin S/Key or Monitor S/Key by selecting either the Allowed or Required radio buttons. Disabled—S/Key passwords are turned off and cannot be used. Allowed—the user can use either a standard text password or an S/Key one-time password. Required—only S/Key one-time passwords are allowed for connecting through Telnet or FTP. 3. Click Apply.
The server also returns a prompt for a password. 4. Copy the S/Key sequence number and seed into the S/Key calculator on your platform. 5. Copy the S/Key challenge into the S/Key calculator on your local platform. 6. Enter the S/Key Secret Password. The calculator returns the OTP for this session. Note For more help on how to enter S/Key information, see your S/Key calculator documentation. 7. Copy the OTP into the Telnet or FTP session. Disabling S/Key To disable S/Key 1.
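The challenge/response exchange in the steps above, worked through as an added example (not Nokia's calculator or IPSO code): one end plays the S/Key calculator, the other the appliance's verifier. It assumes the RFC 1760 chain construction with MD5 folded to 64 bits (RFC 1760 specifies MD4, and this page does not say which hash IPSO uses), a hex-encoded OTP instead of the six-word form, and a constructed challenge string.

```python
import hashlib


def fold(digest: bytes) -> bytes:
    """Fold a 16-byte digest to 8 bytes by XORing its two halves (RFC 1760)."""
    return bytes(a ^ b for a, b in zip(digest[:8], digest[8:]))


def skey_step(value: bytes) -> bytes:
    """One link of the chain: hash the previous value and fold it to 64 bits.
    MD5 is an assumption of this example; the page does not name IPSO's hash."""
    return fold(hashlib.md5(value).digest())


def skey_otp(secret: str, seed: str, sequence: int) -> bytes:
    """OTP for a sequence number: the chain applied sequence+1 times to
    seed||secret.  The seed is lowercased before hashing, as OTP calculators
    treat it case-insensitively."""
    value = skey_step((seed.lower() + secret).encode())
    for _ in range(sequence):
        value = skey_step(value)
    return value


def skey_calculator(secret: str, challenge: str) -> str:
    """Steps 4-6 above: read the sequence number and seed out of the server's
    challenge, combine them with the secret password, return the OTP as hex."""
    _, sequence, seed = challenge.split()
    return skey_otp(secret, seed, int(sequence)).hex()


class SkeyServer:
    """Verifier side.  It keeps only the last accepted OTP and the current
    sequence number; the secret never needs to be stored on the appliance."""

    def __init__(self, secret: str, seed: str, start: int = 99):
        # In a real enrollment the user's calculator supplies this first
        # value; the secret is used here only to keep the example short.
        self.seed = seed
        self.sequence = start
        self.last_otp = skey_otp(secret, seed, start + 1)

    def challenge(self) -> str:
        """Constructed challenge format; the real banner text is not on this page."""
        return f"s/key {self.sequence} {self.seed}"

    def verify(self, candidate_hex: str) -> bool:
        """Accept only the OTP that hashes forward to the last accepted one,
        then move down the chain so the same OTP is never valid again."""
        try:
            candidate = bytes.fromhex(candidate_hex)
        except ValueError:
            return False
        if len(candidate) != 8 or skey_step(candidate) != self.last_otp:
            return False
        self.last_otp = candidate
        self.sequence -= 1
        return True
```

A captured OTP is useless to a replaying party: the verifier only accepts the value one step below the last one it saw, and that value changes on every successful login.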
Control who can log in through SSH. For most other functions that are generally associated with groups, use the role-based administration feature, described in “Role-Based Administration” on page 293. To add or edit a group 1. Click Groups under Configuration > Security and Access Configuration in the tree view. 2. Under Add Group Name, enter the name (eight or fewer characters) of the new group and a group ID number. The group ID must be unique. Suggested values are between 101 and 65000.
Managing Roles To view a list of existing roles on your system, click Manage Roles under Configuration > Security and Access > Role Based Administration in the tree view. The following roles are predefined on the system: adminRole—Gives the user read/write access to every feature on the system. monitorRole—Gives the user read-only access to every feature on the system.
4. Add features by moving them to the RW (Read/Write) or RO (Read Only) columns, depending on the permission level you want to give to this role. Remove the features by moving them back to the Available column. Press Shift-click to select a range of features, or Ctrl-click to select multiple features one at a time. Note If you assign the Clustering feature to a user with the role type System, that user can configure clustering on individual nodes but cannot use Cluster Voyager or the CCLI. 5. Click Apply.
3. Assign roles to or remove them for the user by selecting them and clicking Assign or Remove. Use Shift-click to select a range of roles, or Ctrl-click to select multiple roles at a time. Note You cannot change the roles assigned to the Admin, Cluster Admin, or Monitor users. 4. If you assign a cluster role to a user, you must also assign them the domain value that matches the appropriate cluster ID. 5. Click Apply. 6. Click Save to make your changes permanent.
Configuring Network Access and Services Table 15 lists the options that you can configure for network access.
Table 15 Network Access Configuration Options
Option       Description
FTP Access   Enable or disable FTP access to this appliance. You can use FTP access to obtain configuration files from the appliance. FTP access is disabled by default. Because of the security weaknesses inherent in FTP, enable it only when it is specifically required.
Table 16 Network Services
Service   Description
Daytime   The daytime service sends the current date and time as a character string without regard to the input.
Time      The time service sends back to the originating source the time, in seconds, since midnight January 1, 1900. This value is sent as a binary number, not a human-readable string.
To enable network access options and services 1. Click Network Access and Services under Configuration > Security and Access in the tree view. 2.
Table 17 Modem Configuration Parameters
Parameter         Description
Dialback Number   If you enabled modem dialback, enter a value in the Dialback Number field. The dialback feature uses this number to call back an authenticated user (for example, 408 555 0093). If dialback is disabled, ignore this value.
Country Code      Applies only to COM4. The country setting for the modem sets parameters in the modem to comply with standards of the specified country.
To configure a modem on COM2, COM3, or COM4 1.
Table 18 Country Codes for Ositech Five of Clubs Card
Code  Country          Code  Country       Code  Country
1     Australia        17    Greece        12    Portugal
2     Belgium          99    Iceland       13    Spain
20    Canada           7     Ireland       14    Sweden
3     Denmark          8     Italy         25    Switzerland
4     Finland          9     Luxembourg    16    United Kingdom
5     France           10    Netherlands   22    United States
6     Germany          11    Norway
Table 19 lists the country codes that you select from when entering the code for an Ositech Five of Clubs II or III card in step 7 of the pre
Configuring Basic Nokia Network Voyager Options You can configure the following options for Nokia Network Voyager access:
Allow Network Voyager access (enabled by default)
Enable session management (enabled by default)
Specify a Network Voyager SSL/TLS port number
Require encryption
Note Changes to some of these settings might make Network Voyager unusable. You can use the CLI set voyager commands to regain access. To configure Web access for Nokia Network Voyager 1.
Generating and Installing SSL/TLS Certificates IPSO uses the Secure Sockets Layer/Transport Layer Security (SSL/TLS) protocol to secure connections over the Internet from the Nokia Network Voyager client to the IPSO system. SSL/TLS, the industry standard for secure Web connections, gives you a secure way to connect to Network Voyager.
domain name (FQDN) for your platform: for example, www.ship.wwwidgets.com. If you are generating a certificate signing request for a CA, that CA might impose a different standard. g. (Optional) In the Email Address field, enter the email address to use to contact the person responsible for this system or for its certificate. 5. Select one of the following: Certificate Signing Request (CSR) Select this option if you are requesting a certificate from a certification authority. Self-Signed X.
5. If you entered a passphrase when you generated the certificate and private key, you must enter the passphrase in the Passphrase field. 6. Click Submit. Troubleshooting SSL/TLS Configuration You might have trouble accessing Nokia Network Voyager if SSL/TLS is not configured correctly. If you have trouble accessing Network Voyager, try the following remedies. Check that you are using the correct URL.
You should use SSH, instead of utilities such as Telnet or rlogin that are not secure, to connect to the system. You can also tunnel HTTP over SSH to use Network Voyager to securely manage your platform. To use SSH, you must obtain an SSH client for the other end of the connection. SSH clients are available for a number of platforms. Some are free while others are commercial.
can permit any combination of these methods. In all cases the default is Yes, except for rhost and rhost with RSA authentication. The rhost authentication is insecure and Nokia does not recommend using it. 7. Click Apply. 8. (Optional) In the Configure Server Protocol Details field, click the version of SSH to be used. The default is both 1 and 2. 9. (Optional) To generate an RSA v1 host key (use with SSHv1), select the key size, listed in bits, from the Generate New RSA v1 Host Key drop-down list. 10.
3. Click Apply. 4. (Optional) In the Configure Server Access Control table, enter the group and user names in the appropriate text boxes. You can use wildcard characters when you specify multiple group or user names separated by spaces. Note If you specify users or groups, only those users and groups are allowed or forbidden. Group settings only apply to a user’s primary group—the GID setting in the Voyager Password page.
13. Click Apply. 14. (Optional) In the Configure Service Details field, click the choices and enter appropriate values in the text boxes.
Field Name                                      Default Value
Allow remote connections to forward ports       No
Ignore user’s own known_hosts file              No
Ignore .rhosts and .shosts files                Yes
Time (seconds) before regenerating server key   3600 seconds
Login grace time (sec)                          600 seconds
Max unauthenticated connections                 10
15. Click Apply. 16.
To configure authorized keys 1. Click SSH Authorized Keys under Configuration > Security and Access > Secure Shell (SSH) in the tree view. Note If you previously configured authorized keys for user accounts, the information appears in the View/Delete Per-User Authorized Keys table. To delete the authorized key for a user, click the Delete check box in that user’s row. 2. Select the user name from the Username drop-down list. 3. Complete the following, depending on the authorized key you are adding.
4. (Optional) To generate an RSA host key (to use with SSHv2), select the key size, listed in bits, from the Generate New RSA v2 Host Key drop-down list. 5. Click Apply. 6. (Optional) To generate a DSA host key (to use with SSHv2), select the key size, listed in bits, from the Generate New DSA Host Key drop-down list. The recommended value is 1024 bits. 7. Click Apply. 8. Click Save to make your changes permanent.
Tunneling HTTP Over SSH To tunnel HTTP over SSH 1. Generate a key. 2. Put authorized public keys on the system. 3. Log in and redirect a port on your platform to the remote platform. Depending on what type of terminal you are using, complete the following. From a UNIX terminal—Use the -L option to redirect a port to port 80 on the remote platform. The following example redirects port 8000. At the shell prompt, type: ssh -l admin Nokia Platform.corp.com -L 8000:127.0.0.
Note Network Voyager uses cookies to keep track of HTTP sessions. Network Voyager cookie-based session management does not store user names or passwords in any form in the cookies. You should continue to access Network Voyager from a secure workstation. For information about configuration locks and instructions about how to override a configuration lock, see “Obtaining a Configuration Lock” on page 25.
Authentication, Authorization, and Accounting (AAA) Creating an AAA Configuration Use this procedure to create an AAA configuration for a new service. A service is the name an application uses when it invokes the Pluggable Authentication Module (PAM) Application Programming Interface (API), which is part of AAA. The PAM mechanism provides authentication, account management, and session management algorithms that are contained in shared modules.
Creating a Service Module Entry To create a service module entry 1. Enter the name of the service in the New Service text box under the Service Module Configuration table. 2. In the Profile text box under the Service Module Configuration table, enter either an existing Profile Name from the Service Profile table, if the requirements of the service match one of the existing profiles, or a unique profile name, if the requirements of the service do not match any of the existing profiles.
For a description of the authentication algorithms that the list items represent, see “Authentication Profile Types.” 3. Select the item in the Control drop-down list that matches the service requirements. Values other than required are effective only when the service requires more than one Auth. Profile. For a description of the effect on result disposition and subsequent algorithm invocation that the list items represent, see “Profile Controls.” Note The Server/File field is unused.
Type    Module                  Description
SKEY    pam_skey_auth.so.1.0    Implements the S/Key algorithm. The user provides the one-time pass phrase, which is used to authenticate the user by using the password database.
SNMPD   pam_snmpd_auth.so.1.0   Authenticates the SNMP packets from a user (Management Station). When an SNMP user is added in the system through Network Voyager, a corresponding authentication and privacy key is created and kept in the usmUser database, /var/ucd-snmp/snmpd.conf.
Accounting Profile Types The following table describes the account management algorithms that are represented by the values in the Type drop-down lists under Acct. Profile.
Type     Module                 Description
PERMIT   pam_permit.so.1.0      Returns PAM_SUCCESS when invoked.
UNIX     pam_unix_acct.so.1.0   Provides the basic UNIX accounting mechanism by checking if the password is still valid. If the password is expired for some reason, this module logs appropriate messages.
Note Modules in the Module column reside in the /usr/lib directory. Profile Controls Control values determine how the results of multiple authentication, accounting, or session algorithms are handled and when additional algorithms in a list are invoked. You specify a list of algorithms by defining multiple entries under the Auth. Profile, Acct. Profile, and Session Profile columns of a Service Profile. The following table describes these effects for algorithm invocation not at the end of the list.
Service   Auth. Mgmt.        Acct. Mgmt.        Session Mgmt.
my_svc    required: PERMIT   required: PERMIT   required: PERMIT
          ip_source: NONE
The following graphic shows an example of creating a new service. Configuring RADIUS RADIUS, or remote authentication dial-in user service, is a client/server-based authentication software system that supports remote-access applications.
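The control semantics from “Profile Controls”, applied to the my_svc profile above and to a stacked variant, as an added example that is not IPSO's PAM implementation: it models the standard PAM controls required, requisite, sufficient and optional (the NOKIA-SERVER-AUTH-SUFFICIENT control is not modelled), with `permit` and `unix_password` as constructed stand-ins for the PERMIT and UNIX modules and a constructed local password table.

```python
from typing import Callable, List, Optional, Tuple

# Constructed stand-ins.  `permit` behaves like the PERMIT module (always
# PAM_SUCCESS); `unix_password` checks a constructed table that stands in for
# the UNIX password database.  Neither is Nokia's module code.
_LOCAL_PASSWORDS = {"admin": "example-only-passphrase"}


def permit(user: str, password: str) -> bool:
    return True


def deny(user: str, password: str) -> bool:
    return False


def unix_password(user: str, password: str) -> bool:
    return _LOCAL_PASSWORDS.get(user) == password


Algorithm = Callable[[str, str], bool]
Entry = Tuple[str, Algorithm]          # (control, algorithm), in list order
Trace = List[Tuple[str, bool]]         # which algorithms ran and what they returned


def run_stack(stack: List[Entry], user: str, password: str) -> Tuple[bool, Trace]:
    """Evaluate one Auth./Acct./Session profile list top to bottom.

    required   : a failure is remembered but the rest of the list still runs,
                 so the caller cannot tell which algorithm rejected it.
    requisite  : a failure ends the list immediately with failure.
    sufficient : a success ends the list with success, unless an earlier
                 required algorithm already failed; a failure is ignored.
    optional   : its result counts only when no required or sufficient
                 algorithm decided the outcome.
    """
    required_failed = False
    required_passed = False
    saw_sufficient = False
    optional_result: Optional[bool] = None
    trace: Trace = []
    for control, algorithm in stack:
        ok = algorithm(user, password)
        trace.append((control, ok))
        if control == "required":
            if ok:
                required_passed = True
            else:
                required_failed = True
        elif control == "requisite":
            if ok:
                required_passed = True
            else:
                return False, trace
        elif control == "sufficient":
            saw_sufficient = True
            if ok and not required_failed:
                return True, trace
        elif control == "optional":
            optional_result = ok
        else:
            raise ValueError(f"unknown control {control!r}")
    # End of the list: settle the outcome in PAM's order of precedence.
    if required_failed:
        return False, trace
    if required_passed:
        return True, trace
    if saw_sufficient:
        return False, trace              # every sufficient algorithm failed
    if optional_result is not None:
        return optional_result, trace
    return False, trace                  # empty profile: nothing vouched for the user


# The my_svc profile from the table above (required: PERMIT) accepts anyone;
# stacking a requisite password check in front of it does not.
MY_SVC: List[Entry] = [("required", permit)]
PASSWORD_THEN_PERMIT: List[Entry] = [("requisite", unix_password), ("required", permit)]
```

The trace shows the order-dependence the note above warns about: the same algorithms in a different order give a different result.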
4. Click the Control drop-down list and select required, requisite, sufficient, optional or NOKIA-SERVER-AUTH-SUFFICIENT to determine the level of authentication to apply to a profile. For more information, see “Profile Controls.” 5. Click Apply, and then click Save to make your changes permanent. The name of the RADIUS authentication profile appears in the Auth. Profile table. 6. You must now configure one or more servers to use in a single authentication profile. In the Auth.
If none of the attempts makes a reliable connection within the timeout period, the client stops trying to contact the RADIUS server. The default is 3. Note The maximum tries value includes the first attempt. For example, a value of 3 means the client makes two additional attempts to contact the RADIUS server after the first attempt. 13. Click Apply, and then click Save to make your changes permanent. Repeat steps 1 through 14 to configure additional RADIUS authentication profiles.
5. Click Apply, and then click Save to make your changes permanent. The name of the TACACS+ authentication profile appears in the Auth. Profile table. 6. You must now configure one or more servers to use in a single authentication profile. In the Auth. Profile table, click the Servers link in the row for the TACACS+ authorization profile you configured. This action takes you to the AAA TACACS+ Authorization Servers Configuration page. 7. In the TACACS+ Servers for Auth.
This action takes you to the page for AAA RADIUS or TACACS+ Authentication Servers Configuration. 3. In the RADIUS or TACACS+ Servers For Auth. Profile table, check the Delete check box next to the row for the RADIUS or TACACS+ server to disable. Note You must have at least one RADIUS or TACACS+ server configured to maintain RADIUS or TACACS+ service. 4. Click Apply, and then click Save to make your changes permanent. Changing an AAA Configuration To change an AAA configuration 1.
Note The algorithm is added to the end of the list. The order of algorithms in the list is the order in which they are invoked. To change the order, delete the algorithms that are out of order by using “Deleting an Item in a Service Profile Entry,” and add them in the desired order using this procedure. Creating a Stacked Service Module When you create a service, the requirement for multiple authentication algorithms is as follows.
To add an accounting profile 1. Enter the name of the profile in the Service Profile text box; the name is shown in the Profile Name column of the Service Profile table. 2. Enter an item from the Name column of the Acct. Profile table into the Acct. Profile text box of the Service Profile table. If the requirements for the service do not match any of the entries in the Acct. Profile table, create a new Acct. Profile by using Creating an Accounting Profile and enter that new name in the Acct.
Select a different item in the Type list that matches the new requirements of the service. For a description of the authentication algorithms that the list items represent, see Authentication Profile Types. Select a different item in the Control list that matches the new requirements of the service. Values other than required are effective only when the service requires more than one Auth. Profile.
Deleting an Item in a Service Profile Entry Highlight one of the entries in the lists under the Auth Profile, Acct Profile or Session Profile column in the Service Profile table for the entry you want to change. Select the Delete check box of the same entry. Deleting an AAA Configuration To delete an AAA configuration 1. Click AAA under Configuration > Security and Access in the tree view. 2.
Enabling Encryption Accelerator Cards If you do not intend to use SecureXL, you must manually enable the encryption accelerator card after you install it. If you enable SecureXL, the encryption accelerator card is automatically enabled—you do not need to perform any other software task to activate the card. Note You cannot enable the card before you install it. The options in Network Voyager for enabling the card do not appear until it is installed.
An encapsulation security payload (ESP) that provides authentication and confidentiality through symmetric encryption, and an optional anti-replay service. ESP does not include the IP header in the authentication/confidentiality. A protocol negotiation and key exchange protocol (IKE) for easier administration and automatic secure connections. IKE introduces two negotiations. Phase 1 negotiation authenticates both peers and sets up the security for the Phase 2 negotiation.
In tunnel mode, the original IP datagram is placed inside a new datagram, and the AH or ESP header is inserted between the IP header of the new packet and the original IP datagram. The new header points to the tunnel endpoint, and the original header points to the final destination of the datagram. Tunnel mode offers the advantage of complete protection of the encapsulated datagram and the possibility to use private or public address space. Tunnel mode is meant to be used by routers—gateways.
way communication. To secure bidirectional communication between two hosts or two security gateways, two SAs (one in each direction) are required. Processing the IPSec traffic is largely a question of local implementation on the IPSec system and is not a standardization subject. However, some guidelines are defined to ensure interoperability between multivendor IPSec systems.
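The receiver-side anti-replay service that ESP and AH offer, together with the consequence of SAs being unidirectional (one replay window per inbound SA), as an added example that is illustrative code and not IPSO's IPSec implementation: it assumes 32-bit sequence numbers and the 64-packet sliding window described in RFC 2401, and the arrival orders it is run on are constructed.

```python
from typing import Dict, Iterable, List, Tuple

WINDOW_SIZE = 64                 # RFC 2401's recommended minimum window
MAX_SEQ = 0xFFFFFFFF             # 32-bit ESP/AH sequence number


class ReplayWindow:
    """Anti-replay state for one inbound SA: the highest sequence number
    accepted so far plus a bitmap of which packets just below it were seen."""

    def __init__(self, size: int = WINDOW_SIZE):
        self.size = size
        self.highest = 0         # highest sequence number accepted so far
        self.bitmap = 0          # bit i set means (highest - i) was accepted

    def check_and_update(self, seq: int) -> bool:
        """Return True and record seq if the packet is fresh, False to drop it.
        A real receiver updates the window only after the integrity check
        value verifies, so that a forged packet cannot advance it."""
        if seq <= 0 or seq > MAX_SEQ:
            # 0 is never transmitted; a sender must rekey before its counter wraps
            return False
        if seq > self.highest:
            shift = seq - self.highest
            if shift >= self.size:
                self.bitmap = 1                 # everything older drops out of the window
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.size:
            return False                        # older than the window: drop
        if self.bitmap & (1 << offset):
            return False                        # already accepted once: replay
        self.bitmap |= 1 << offset              # late but fresh: accept
        return True


def simulate(sequence_numbers: Iterable[int], size: int = WINDOW_SIZE) -> List[bool]:
    """Run a constructed arrival order through one window and return the verdicts."""
    window = ReplayWindow(size)
    return [window.check_and_update(s) for s in sequence_numbers]


def receive(windows: Dict[int, ReplayWindow], spi: int, seq: int) -> bool:
    """Dispatch by SPI: each inbound SA has its own window, so a sequence
    number that is a replay on one SA is unrelated to the other direction."""
    return windows.setdefault(spi, ReplayWindow()).check_and_update(seq)
```

Sequence numbers arriving out of order within the window are still accepted, so the check catches duplicates without requiring strict in-order delivery.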
exchange must take place during Quick Mode. Consequently, the two peers generate a new Diffie-Hellman key pair. Using PKI For Phase 1 negotiation of IKE, the IPSec systems can use X.509 certificates for authentication. X.509 certificates are issued by Certificate Authorities (CA). The IPSO IPSec implementation supports Entrust VPN connector and Verisign IPSec on site services. Contact any of the listed CA vendors for certificate signing services. To use the X.
Table 20 IPSec RFCs RFC Description RFC 2406 IP Encapsulating Security Payload (ESP) Supports algorithms: 3DES, DES, and Blowfish for encryption and SHA-1 and MD5 for authentication.
Note Native IPSO IPSec tunnels cannot coexist in the same machine with Check Point IPSec software. Before you use IPSO IPSec software, ensure that no Check Point software is running. Likewise, before you use Check Point IPSec software, ensure that no IPSO IPSec software is running. You can create IPSec tunnel rules with or without a logical interface for all IPSO platforms except the IP3000 series. For the IP3000 series platform, you must create a logical interface with each tunnel rule.
Some IPSec systems require that the SA lifetimes (seconds, as well as megabytes) match on both devices. See “Putting It All Together” in “Creating an IPSec Policy” for more information. IKE and PFS groups should match on both devices. See “Putting It All Together” in “Creating an IPSec Policy” for more information. The Diffie-Hellman key exchange uses the IKE group during the establishment of Phase 1 ISAKMP SA. Value options are 1, 2, or 5; 2 is the default value.
Proposal and Filters 1. Under the Proposals table, enter a name for a new proposal in the New Proposal text box. Click either ESP or AH. Note If you click AH, the Encryption Alg (algorithm) must always be set to NONE. If this is not done, an error message appears when you click Apply. 2. From the drop-down list in the Authentication Alg and Encryption Alg fields, select the necessary algorithms. Click Apply. 3.
3. Click on the new link with the same name that you entered in Step 1. This action takes you to the IPSec Certificate Addition page for that specific certificate. 4. On the Certificate Addition page, you have two choices: If you have the PEM (base64) encoded certificate, select the Paste the PEM Certificate option. If you know the URL to the certificate (including the local file), select the Enter URL to the Certificate option. 5. Click Apply.
To enroll and install a device certificate 1. Under the Device Certificates table, enter a name in the New Certificate text box, then click Apply. 2. An Apply Successful message appears and the name of the CA you just entered appears in the Device Certificates table. 3. Click on the new link with the same name that you entered in step 1. This action takes you to the IPSec Certificate Enrollment page for that named item. 4. Complete all the fields on the page that identify the IPSec system and click Apply.
you can click on the link with the Certificate name in the IPSec General Configuration page to install the certificate. 10. If you chose Will do it later to make the certificate request, the link on the main IPSec General Configuration still points to the certificate request page. You can repeat steps 5 through 8 to install the certificate. 11. If you finished all the steps, two green buttons appear. You can click on the button under the Certificate column to view the certificate.
Putting It All Together To complete creating an IPSec policy 1. Under the Policies table, enter a name for a new policy in the New Policy text box, then click Apply. An Apply Successful message appears and the policy name appears in the Policies table. 2. Click on the policy name in the Policies table. The IPSec Policy Configuration page for the name appears. 3. Under the Linked Proposals table, from the drop-down list in the Add a Proposal field, select the name of the proposal to use in this policy.
below the policy section. The link to more pages appears only after you create more than 10 policies. Creating an IPSec Tunnel Rule To create an IPSec tunnel rule 1. Click IPSec under Configuration > Security and Access in the tree view. 2. Click the IPSec link. 3. Under the IPSec Tunnel Rules heading, enter a name in the New Tunnel text box. 4. If the Create a logical interface option appears and you want to create a logical interface, set the button to Yes. 5.
The hello protocol determines the connectivity of an end-to-end logical tunnel. As a result, the hello protocol modifies the link status of the logical interface. If the connectivity of an unavailable tunnel is restored, the hello protocol brings up the link. 10. (Optional) If the hello protocol is active, enter a value for the Hello Interval and Dead Interval text boxes, then click Apply.
The new entry appears in the IPSec Transport Rules table. 4. (Optional) To change the policy entry without changing the name of the associated transport rule, perform the following steps: a. Click in the blank square next to the current policy entry. Click Apply. The policy name is removed. b. Under the Policy column, select a policy option from the drop-down list and click Apply. The new policy is entered without changing the associated transport rule. 5.
IPSec Tunnel Rule Example The following steps tell how to configure a sample IPSec tunnel. The figure below shows the network configuration for this example.
Figure: Remote PCs at Site A and Site B, on the networks 192.68.22.0/24 and 192.68.23.0/24, connected by an IPsec tunnel over the Internet between Nokia Platform 1 (192.68.26.65/30) and Nokia Platform 2 (192.68.26.74/30).
To configure Nokia Platform 1 1. Click IPSec under Configuration > Security and Access in the tree view. 2.
8. (Optional) From the drop-down list in the Log Level field, select Info. Click Apply. 9. (Optional) Click Up. 10. In the Policies table, enter rule_1 as the name for a new policy in the New Policy text box. Click Apply. 11. In the policies table, click on rule_1. The corresponding Configuring Policy page appears to complete the missing parameters of the policy. 12. Select MD5-DES from the Add a Proposal drop-down list. Enter 1 in the Priority text box. 13.
Configure Nokia Platform 2 Now set up network application platform 2 (Nokia Platform 2). Perform the same steps that you performed to configure Nokia Platform 1, with the following changes. 1. Step 18; enter 192.68.26.74 in the Local Address text box. 2. Step 19; enter 192.68.26.65 in the Remote Address text box. 3. Step 24; select SITE_B from the Source Filters drop-down list. 4. Step 25; select SITE_A from the Destination Filters drop-down list.
Note In this example, the authentication method is a preshared secret, so you do not need to select a certificate. 7. (Optional) Click the IPSec Advanced Configuration link. 8. (Optional) From the drop-down list in the Log Level field, select Info. Click Apply. 9. (Optional) Click Up. 10. In the Policies table, enter rule_2 as the name for a new policy in the New Policy text box. Click Apply. 11. In the policies table, click on rule_2.
Configure PC1 You now need to set up PC1. Perform the same steps that you performed to configure Nokia Platform 1 (IPSO), with the following changes. 1. Step 6; for the local filter, enter 192.68.26.74 in the Address text box. 2. Step 7; for the remote filter, enter 192.68.26.65 in the Address text box. Changing the Local/Remote Address or Local/Remote Endpoint of an IPSec Tunnel 1. Click IPSec under Configuration > Security and Access in the tree view. 2.
Miscellaneous Security Settings The Miscellaneous Security Settings page under Configuration > Security and Access allows you to change the handling of TCP packets. The default behavior is for IPSO to drop TCP packets that have both SYN and FIN bits set. This behavior addresses a CERT advisory. For more information on that advisory, go to http://www.kb.cert.org/vul/id/464133. You must change the default configuration if you want your Nokia platform to accept packets that have both the SYN and FIN bits set.
9 Configuring Routing This chapter describes the IPSO routing subsystem, how to configure the various routing protocols that are supported, route aggregation, and route redistribution. Routing Overview The Nokia routing subsystem, Ipsilon Scalable Routing Daemon (IPSRD), is an essential part of your firewall. IPSRD’s role is to dynamically compute paths or routes to remote networks. Routes are calculated by a routing protocol.
RIP RIP is a commonly used IGP. RIP version 1 is described in RFC 1058, and RIP version 2 is described in RFC 1723. IPSRD supports these versions, as well as RIPng, which supports IPv6 interfaces. RIP uses a simple distance vector algorithm called Bellman-Ford to calculate routes. In RIP, each destination has a cost or metric value, which is based solely on the number of hops between the calculating firewall and the given destination.
BGP is also a path-vector routing protocol, which limits the distribution of a firewall’s reachability information to its peer or neighbor firewalls. BGP uses path attributes to provide more information about each route. BGP maintains an AS path, which includes the number of each AS that the route has transited. Path attributes may also be used to distinguish between groups of routes to determine administrative preferences.
IPSO supports OSPFv2, which supports IPv4 addressing, and OSPFv3, which supports IPv6 addressing. Types of Areas Routers using OSPF send packets called Link State Advertisements (LSA) to all routers in an area. Areas are smaller groups within the AS that you can design to limit the flooding of an LSA to all routers. LSAs do not leave the area from which they originated, thus increasing efficiency and saving network bandwidth.
Area Border Routers Routers called Area Border Routers (ABR) have interfaces to multiple areas. ABRs compact the topological information for an area and transmit it to the backbone area. Nokia supports the implementation of ABR behavior as outlined in the Internet draft of the Internet Engineering Task Force (IETF). The definition of an ABR in the OSPF specification as outlined in RFC 2026 does not require a router with multiple attached areas to have a backbone connection.
IPSO also supports OSPF over VPN tunnels that terminate at a VRRP group. Only active-passive VRRP configurations are supported; active-active configurations are not. Clustering IPSO supports OSPF in a cluster. Each member of a cluster runs OSPF tasks, but only the master changes the state and sends OSPF messages to the external routers. For more information on IP Clustering, see “IP Clustering Description.” Note IPSO does not support OSPFv3 in an IP cluster.
Configuring OSPF Areas and Global Settings Table 21 lists the parameters for areas and global settings that you use when configuring OSPF on your system. As you add areas, each is displayed with its own configuration parameters under the Areas section.
Table 21 OSPF Area Configuration Parameters
Parameter               Description
Add New Address Range   You can configure any area with any number of address ranges.
Table 23 NSSA (Not So Stubby Area) Parameters
Parameter         Description
Translator Role   Specifies whether this NSSA border router will unconditionally translate Type-7 LSAs into Type-5 LSAs. When role is Always, Type-7 LSAs are translated into Type-5 LSAs regardless of the translator state of other NSSA border routers. When role is Candidate, this router participates in the translator election to determine if it will perform the translation duties.
To configure OSPF 1. Complete “Ethernet Interfaces” for the interface and assign an IP address to the interface. 2. Click OSPF under Configuration > Routing Configuration in the tree view. 3. Enter the router ID in the Router ID text box. 4. If you want to define additional OSPF areas besides the backbone area: a. Enter each name in the Add New OSPF Area text field and click Apply. b. Select an Area Type—Normal, Stub, or NSSA. For more information, see “Types of Areas” on page 354. c.
Hello interval—Length of time, in seconds, between hello packets that the router sends on the interface. For a given link, this field must be the same on all routers or adjacencies do not form. Default: 30. Dead interval—Number of seconds after the router stops receiving hello packets that it declares the neighbor is down. Typically, the value of this field should be four times that of the hello interval. For a given link, this value must be the same on all routers, or adjacencies do not form.
Table 24 Global Settings for OSPF
Parameter               Description
RFC1583 Compatibility   This implementation of OSPF is based on RFC 2178, which fixed some looping problems in an earlier specification of OSPF. If your implementation is running in an environment with OSPF implementations based on RFC 1583 or earlier, enable RFC 1583 compatibility to ensure backwards compatibility.
SPF Delay               Specifies the time in seconds the system will wait to recalculate the OSPF routing table after a change in topology.
Configuring OSPF Interfaces Table 25 lists the parameters for interfaces that you use when configuring OSPF on your platform.
Table 25 Configuration Parameters for OSPF Interfaces
Parameter   Description
Area        The drop-down list displays all of the areas configured and enabled on your platform. An entry for the backbone area is displayed even if it is disabled. An OSPF area defines a group of routers running OSPF that have the complete topology information of the given area.
Table 25 Configuration Parameters for OSPF Interfaces

Parameter: Election priority
Description: Specifies the priority for becoming the designated router (DR) on this link. When two routers attached to a network both attempt to become the designated router, the one with the highest priority wins. If there is a current DR on the link, it remains the DR regardless of the configured priority.
2. (Optional) Change any configuration parameters for the interface, then click Apply.

Note
The hello interval, dead interval, and authentication method must be the same for all routers on the link.

3. To make your changes permanent, click Save.

Configuring OSPF Example

This example consists of the following:
Enabling OSPF with backbone area (Area 0) on one interface
Enabling OSPF on Area 1 on another interface
Summarizing and aggregating the 192.168.24.
5. In the Add New OSPF Area text box, enter 1; then click Apply.
6. In the Add new address range: prefix text box for the backbone area, enter 192.168.24.0.
7. In the Mask Length text box, enter 24; then click Apply.
8. Click 1 area in the drop-down list for e2; then click Apply.
9. Click Save.
10. Initiate a Network Voyager session to Nokia Platform D.
11. Click Config on the home page.
12. Click the OSPF link in the Routing Configuration section.
13.
Authentication

RIP 2 packets can also contain one of two types of authentication methods that can be used to verify the validity of the supplied routing data. The first method is a simple password in which an authentication key of up to 16 characters is included in the packet. If this password does not match what is expected, the packet is discarded. This method provides very little security, as it is possible to learn the authentication key by watching RIP packets.
Note
Nokia also provides support for BGP, OSPF, and PIM, both Sparse-Mode and Dense-Mode, to advertise the virtual IP address of the VRRP virtual router, beginning with IPSO 3.8.

Note
You must use Monitored Circuit mode when configuring virtual IP support for any dynamic routing protocol, including RIP. Do not use VRRPv2 when configuring virtual IP support for any dynamic routing protocol.
5. (Optional) Enter a new cost in the Metric text box for each interface; then click Apply.
6. (Optional) To configure the interface to not accept updates, click on the on radio button in the Accept updates field; then click Apply.
7. (Optional) If you want to configure the interface to not send updates, click on in the Send updates field; then click Apply.
8. (Optional) If you selected RIP 2 for an interface, make sure that Multicast is turned on for that interface; then click Apply.
Note
By default, the update interval is set to 30 seconds and the expire interval is set to 180 seconds.

1. Click RIP under Configuration > Routing Configuration in the tree view.
2. To modify the update interval, enter the new update interval in the Update Interval text box; then click Apply.
3. To modify the expire interval, enter the new expire interval in the Expire Interval text box; then click Apply.
4. To make your changes permanent, click Save.
Enabling RIP 2 on an Interface

RIP 2 adds new capabilities to RIP 1: authentication—simple and MD5—and the ability to explicitly specify the network mask for each network in a packet. Because of these new capabilities, Nokia recommends RIP 2 over RIP 1.

1. First configure the interface as in “Ethernet Interfaces.”
2. Click RIP under Configuration > Routing Configuration in the tree view.
3. Click on for the eth-s2p1c0 interface; then click Apply.
4.
For Sparse-Mode PIM, see Protocol-Independent Multicast—Sparse Mode (PIM-SM): Protocol Specification (Revised).

Configuring Virtual IP Support for VRRP

The virtual IP option lets you configure either a PIM sparse-mode or PIM dense-mode interface to advertise the VRRP virtual IP address if the router transitions to become VRRP master after a failover.
Note
The generation ID included in all PIM hello messages does not change when IP clustering is used, regardless of whether and how many times PIM is re-enabled. When IP clustering is implemented, the generation ID is based on the cluster IP address so that all members advertise the same address. The generation ID included in PIM hello messages of all cluster nodes does not change unless the cluster IP address is changed.
designated router, it does not generate such a join message, but it propagates these join messages when they are sent by another router.

Configuring Check Point VPN-1 Pro/Express

To configure Check Point VPN-1 Pro/Express with IP clustering and either PIM-SM or PIM-DM, make sure you:
1. Use Check Point SmartDashboard to create and configure the cluster gateway object. For more information on how to configure the cluster gateway object, see “Configuring NGX for Clustering” on page 241.
2.
4. (Optional) To configure this interface to use the VRRP virtual IP address, in the Virtual address field, click On.

Note
You must use Monitored Circuit mode when configuring virtual IP support for dense-mode PIM. Do not use VRRPv2 when configuring virtual IP support for dense-mode PIM.

5. Click Apply.
6. (Optional) For each interface that is running PIM, enter the specified local address in the Local Address text box. PIM uses this address to send advertisements on the interface.
3. Click Apply; then click Save to make your change permanent.

Setting Advanced Options for Dense-Mode PIM (Optional)

1. Click PIM under Configuration > Routing Configuration in the tree view.
2. In the Interfaces section, click On for each interface on which to run PIM.

Note
The number of interfaces on which you can run PIM is unlimited.

3. Click Apply, and then click Save to make your changes permanent.
4.
The value represents the number of times per second at which the designated router sends assert messages. The upper limit is 10,000 assert messages per second.
11. In the General Timers section, enter a value (in seconds) for the interval between sending join or prune messages in the Join/Prune Interval text box.
12. In the General Timers section, enter a value for the random delay join or prune interval (in seconds) in the Random Delay Join/Prune Interval text box.
6. (Optional) To configure this interface to use the VRRP virtual IP address, in the Virtual address field, click On.

Note
You must use Monitored Circuit mode when configuring virtual IP support for sparse-mode PIM. Do not use VRRPv2 when configuring virtual IP support for sparse-mode PIM.

7. Click Apply.
8. (Optional) For each interface that is running PIM, enter the specified local address in the Local Address text box. PIM uses this address to send advertisements on the interface.
all PIM-enabled interfaces become unavailable and remain in that state until all interfaces are back up. Beginning with IPSO 3.8, you can configure either a PIM-SM or a PIM-DM interface to advertise the VRRP virtual IP address if the router transitions to become VRRP master after a failover. If you enable this option, you do not need to enable HA mode. For more information about the VRRP virtual IP address option, see “VRRP.”

Note
The HA mode applies only to sparse-mode PIM.
Note
To verify whether a PIM neighbor supports DR Election Priority, use the following command, which you can execute from iclid and the CLI:

show pim neighbor

For neighbors that advertise a DR election priority value, the following message appears in the summary: DRPriorityCapable Yes.

10. Click Apply.
11. To make your changes permanent, click Save.

Configuring this Router as a Candidate Bootstrap and Candidate Rendezvous Point

1.
7. In the Sparse Mode Rendezvous Point (RP) Configuration section, to enable this router as a Candidate Rendezvous Point:
   a. Click On in the Candidate RP Router field.
   b. (Optional) Enter the local address of the Candidate Rendezvous Point router in the Local Address field. This router sends Candidate Rendezvous Point messages. Configure an address for the Candidate Rendezvous Point to select the local address used in candidate-RP-advertisements sent to the elected bootstrap router.
Note
Static Rendezvous Point configuration overrides rendezvous point (RP) information received from other RP-dissemination mechanisms, such as bootstrap routers.

7. Enter the IP address of the router to configure as the static rendezvous point in the RP Address text box. Click Apply.
8. (Optional) Enter the multicast group address and prefix length in the Multicast group address and Mask length text boxes. Click Apply.
9. In the Sparse Mode Timers section, enter a value for the shortest path tree threshold (in kilobits per second) in the Threshold (kpbs) text box. Enter an IP address for the multicast group to which the SPT threshold applies in the Multicast Group ID text box. Enter the mask length for the group multicast address in the Mask Length edit box.
Note
Assert rank values must be the same for all routers on a multiaccess LAN that are running the same protocol.

19. Click Apply.
20. (Optional) The checksum of the PIM register messages is calculated without including the multicast payload. Earlier releases of Cisco IOS calculate the checksum by including the multicast payload.
Command: show pim joins
Shows: PIM’s view of the join-prune (*, G and S, G) state, including RP for the group, incoming and outgoing interface(s), interaction with the multicast forwarding cache, and the presence of local members. To view the equivalent information for dense-mode PIM, use the show mfc cache command.

Command: show pim rps
Shows: The active RP-set, including the RP addresses, their type (or source of information about them), and the groups for which they are configured to act as RP.
Graft—Traces graft and graft acknowledgment packets

IGRP

The Inter-Gateway Routing Protocol (IGRP) is a widely used interior gateway protocol (IGP). Like RIP, IGRP is an implementation of a distance-vector, or Bellman-Ford, routing protocol for local networks. As specified, IGRP modifies the basic Bellman-Ford algorithm in three ways:
Uses a vector of metrics.
Allows for multiple paths to a single destination, thus allowing for load sharing.
Request packet
Update packet

IGRP dynamically builds its routing table from information received in IGRP update messages. On startup, IGRP issues a request on all IGRP-enabled interfaces. If a system is configured to supply IGRP, it hears the request and responds with an update message based on the current routing database. IGRP processes update messages differently depending on whether or not holddowns are enabled.
Valid Neighbors—Packets that have a source address from a non-local network are ignored. You cannot disable this behavior.

Duplicate Entries in an Update—If an update message contains duplicate new paths, holddowns are enabled, and each of the duplicate composite metrics differs by more than 10 percent, the route is not put in holddown. The path with the best metric is installed. Other implementations treat each duplicate path as if it arrived in separate update messages.
Aliased Interfaces

When an interface has multiple addresses configured, each address is treated as a distinct interface, since it represents a logical subnet. Such a configuration implies that an update is sent for each IGRP-configured address. In the configuration syntax, you can specify a particular address of an interface on which to run IGRP, as opposed to the complete interface (all addresses of the interface).
8. (Optional) In the Protocol section, enter a new delay multiplier in the K2 (delay multiplier) text box; then click Apply. K2 is used to globally influence delay over bandwidth.
9. (Optional) In the Protocol section, click No in the Holddown field; then click Apply. This action disables the global route holddown parameter.
10. (Optional) In the Protocol section, enter the new maximum hop count metric in the Maximum hop count text box; then click Apply. This option is used to prevent infinite looping.
11.
The load metric is a fraction of 255.
8. (Required) Enter the MTU metric in the metric text box for each interface; then click Apply. A larger MTU reduces the IGRP cost.
9. Click on for eth-s1p1c0; then click Apply.

DVMRP

The Distance Vector Multicast Routing Protocol (DVMRP) is a distance vector protocol that calculates a source-rooted multicast distribution tree and provides routing of IP multicast datagrams over an IP internetwork.
Monitoring template: Tracks the number of subordinate routers per route.

Using Network Voyager, you can configure the following options:
DVMRP interfaces
New minimum time to live (TTL) threshold for each interface
New cost metric for sending multicast packets for each interface

Configuring DVMRP

1. Complete “Ethernet Interfaces” for the interface.
2. Click DVMRP under Configuration > Routing Configuration in the tree view.
3.
6. (Optional) Enter a value between 20 and 4000 in the Route expiration time text box to set the interval, in seconds, after which a route that has not been refreshed is placed in the route hold-down queue. The default is 140 seconds.
7. (Optional) Enter a value between 0 and 8000 in the Route hold-down period text box to set the interval, in seconds, for which an expired route is kept in the hold-down queue before it is deleted from the route database.
implemented within IPSRD conforms to the traceroute facility for IP multicast draft specification. The IPSO implementation of IGMP supports the following features.
Note
A router configured for IGMP version 2 can interoperate with hosts running either IGMP version 1 or version 2. Nokia recommends that you use version 1 only on networks that include multicast routers that are not upgraded to IGMP version 2.

6. (Optional) Enter the loss robustness value in the Loss robustness text box; then click Apply. The range is 1 to 255, and the default is 2.
7. (Optional) Enter the query interval in the Query interval text box; then click Apply.
Normal—A normal static route is one used to forward packets for a given destination in the direction indicated by the configured router.

Black hole—A black hole static route is a route that uses the loopback address as the next hop. This route discards packets that match the route for a given destination.

Reject—A reject static route is a route that uses the loopback address as the next hop.
4. Click Apply, and then click Save to make your changes permanent.

To add and configure many static routes at the same time

1. Click Static Routes under Configuration > Routing Configuration in the tree view.
2. In the Quick-add static routes field, click the Quick-add next hop type drop-down list, and select Normal, Reject, or Black hole. The default is Normal. For more information on static route types, see “Static Routes” on page 394.
3.
Adding and Managing Static Routes Example

The figure below shows the network configuration for the example.

[Figure: Nokia Platform A, Nokia Platform B, Nokia Platform C, and Nokia Platform D with a Corporate WAN; links labeled 26.66/30, 26.69/30, 26.70/30, 26.73/30, 26.74/30, 24.45/30, 24.0/24, 26.2/24, and 22.1/22; Static Routes, OSPF, and Default Static Routes are marked on the links. Network Prefix: 192.168.0.]
3. In the Mask Length text box, enter 24.
4. In the Gateway text box, enter 192.168.26.70.
5. Click Apply.

If you have configured OSPF or RIP on your remote office network, you now have connectivity to the Internet.

To disable a static route

1. Click Static Routes under Configuration > Routing Configuration in the tree view.
2. Click off for the route you want to disable.
3. Click Apply.
advertises. The aggregates are activated by contributing routes. For example, if a router has many interface routes subnetted from a class C and is running RIP 2 on another interface, the interface routes can be used to create an aggregate route (of the class C) that can then be redistributed into RIP. Creating an aggregate route reduces the number of routes advertised using RIP. You must take care when aggregating if the route that is aggregated contains holes.
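As an added example that is not part of the Nokia guide, the Python below checks an aggregate the way a practitioner would before advertising it: which more-specific routes contribute to (and so activate) it, and which part of the aggregate is a hole with no contributing route behind it. The aggregate 192.168.24.0/24 matches the Route Aggregation Example; the /26 interface routes are constructed.

```python
"""Added example (not part of the Nokia guide): inspect an aggregate route.

An aggregate is only advertised once at least one contributing route exists,
and every part of the aggregate that no contributing route covers is a hole:
the router attracts traffic for it while having no route to deliver it.
The /26 subnets below are constructed to fit the 192.168.24.0/24 aggregate of
the Route Aggregation Example; they are not taken from the guide.
"""
import ipaddress
from typing import Iterable, List

IPNet = ipaddress.IPv4Network


def contributing_routes(aggregate: str, routes: Iterable[str]) -> List[IPNet]:
    """Routes that fall inside the aggregate (these activate it)."""
    agg = ipaddress.ip_network(aggregate)
    nets = (ipaddress.ip_network(r) for r in routes)
    return sorted(n for n in nets if n.subnet_of(agg))


def aggregate_is_active(aggregate: str, routes: Iterable[str]) -> bool:
    """An aggregate with no contributing route is never advertised."""
    return bool(contributing_routes(aggregate, routes))


def aggregate_holes(aggregate: str, routes: Iterable[str]) -> List[IPNet]:
    """Address space inside the aggregate that no contributing route covers.

    CIDR prefixes are either nested or disjoint, so each contributing route
    is carved out of the block that contains it; what is left are the holes,
    collapsed to the fewest prefixes.
    """
    uncovered = [ipaddress.ip_network(aggregate)]
    for route in contributing_routes(aggregate, routes):
        remaining = []
        for block in uncovered:
            if route.subnet_of(block):
                # address_exclude yields nothing when route == block
                remaining.extend(block.address_exclude(route))
            elif not block.subnet_of(route):
                remaining.append(block)       # disjoint: keep as is
            # else: block lies entirely inside route, so it is covered
        uncovered = remaining
    return sorted(ipaddress.collapse_addresses(uncovered))


# Constructed interface routes of Nokia Platform A; one /26 is deliberately
# missing so that the aggregate has a hole.
INTERFACE_ROUTES = [
    "192.168.24.0/26",
    "192.168.24.64/26",
    "192.168.24.192/26",
    "192.168.26.0/24",       # outside the aggregate: not a contributor
]
AGGREGATE = "192.168.24.0/24"

if __name__ == "__main__":
    print("active:", aggregate_is_active(AGGREGATE, INTERFACE_ROUTES))
    for hole in aggregate_holes(AGGREGATE, INTERFACE_ROUTES):
        print("hole:", hole)
```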
Route Aggregation Example

The figure below shows the network configuration for the example.

[Figure: Nokia Platform B, Nokia Platform C, and Nokia Platform D form a Backbone Area in which all routers are running OSPF (Network Prefix: 192.168.0.0); links labeled 24.46/30, 24.49/30, 24.50/30, 24.53/30, 24.54/30, and 24.45/30. Nokia Platform A (26.2/24) advertises 192.168.24.0 toward a backbone running RIPv1 (26.1/24).]

In the preceding figure, Nokia Platform B, Nokia Platform C, and Nokia Platform D are running OSPF with the backbone area.
Note
If the backbone is running OSPF as well, you can enable aggregation only by configuring the 192.168.24.0 network in a different OSPF Area.

Route Rank

The route rank is the value that the routing subsystem uses to order routes from different protocols to the same destination. You cannot use rank to control the selection of routes within a dynamic interior gateway protocol (IGP); this is accomplished automatically by the protocol and is based on the protocol metric.
Preference of                Default
OSPF AS external routes      150
BGP routes                   170

To set route rank

1. Click Routing Options under Configuration > Routing Configuration in the tree view.
2. Enter the route rank for each protocol; then click Apply. These numbers do not generally need to be changed from their defaults. Be careful when you modify these numbers; strange routing behavior might occur as a result of arbitrary changes to these numbers.
3. To make your changes permanent, click Save.
To configure the routing preferences

1. Click Routing Options under Configuration > Routing Configuration in the tree view.
2. Enter 10 in the OSPF edit box.
3. Enter 40 in the RIP edit box; then click Apply.

This configuration makes the OSPF route the preferred route. To make the RIP route the preferred route, enter 40 for OSPF and 10 for RIP.

BGP

Border Gateway Protocol (BGP) is an inter-AS protocol, meaning that it can be deployed within and between autonomous systems (AS).
IPv4 unicast and IPv6 unicast

For peering to be established, the routers must share a capability. If your system is exchanging IPv4 routes over IPv6 or vice versa, use route map commands to set nexthop to match the family of the routes being exchanged. If they do not match, the routes will not be active.

Note
Do not use the route redistribution and inbound filter pages of Network Voyager to configure routing policies for BGP-4++. Instead, use the route map commands in the CLI.
loops in an arbitrary topology. You can also use path attributes to determine administrative preferences. BGP collapses routes with similar path attributes into a single update for advertisement. Routes that are received in a single update are readvertised in a single update. The churn caused by the loss of a neighbor is minimized, and the initial advertisement sent during peer establishment is maximally compressed. BGP does not read information that the kernel forms message by message.
attachment or made a policy decision to prefer another route to a network destination. Route withdrawals are sent when a router makes a new local decision that a network is no longer reachable.

BGP Multi-Exit Discriminator

Multi-exit Discriminator (MED) values are used to help external neighbors decide which of the available entry points into an AS are preferred. A lower MED value is preferred over a higher MED value and breaks the tie between two or more preferred paths.
Inbound BGP Route Filters

BGP routes can be filtered, or redistributed by AS number or AS path regular expression, or both. BGP stores rejected routes in the routing table with a negative preference. A negative preference prevents a route from becoming active and prevents it from being installed in the forwarding table or being redistributed to other protocols. This behavior eliminates the need to break and re-establish a session upon reconfiguration if importation policy is changed.
distributed to other neighbors. The following table displays some special community attributes that a BGP speaker can apply.

Community attribute: NO_EXPORT (0xFFFFFF01)
Description: Not advertised outside a BGP confederation boundary. A stand-alone autonomous system that is not part of a confederation should be considered a confederation itself.

Community attribute: NO_ADVERTISE (0xFFFFFF02)
Description: Not advertised to other BGP peers.

Community attribute: NO_EXPORT_SUBCONFED (0xFFFFFF03)
Description: Not advertised to external BGP peers.
No special configuration is required on the route reflection clients. From a client perspective, a route reflector is a normal IBGP peer. Any BGP version 4 speaker should be able to be a reflector client. For further details, refer to the route reflection specification document (RFC 2796 as of this writing).
For further details, refer to the confederations specification document (RFC 1965 as of this writing).

[Figure: AS1 contains routing domains RDI A, RDI B, and RDI C, connected by CBGP; AS2 connects to AS1 by EBGP.]

AS1 has seven BGP-speaking routers grouped under different routing domains: RDI A, RDI B, and RDI C. Instead of having a full-mesh connection among all seven routers, you can have a full-meshed connection within just one routing domain.

EBGP Multihop Support

Connections between BGP speakers of different ASes are referred to as EBGP connections.
Caution
Enabling multihop BGP connections is dangerous because BGP speakers might establish a BGP connection through a third-party AS. This can violate policy considerations and introduce forwarding loops.

[Figure: Nokia Platform A (Loopback Address) in AS1 and Nokia Platform B (Loopback Address) in AS2, connected by EBGP.]

Router A and Router B are connected by two parallel serial links.
The TCP MD5 option allows BGP to protect itself against the introduction of spoofed TCP segments into the connection stream. To spoof a connection using MD5-signed sessions, the attacker not only has to guess TCP sequence numbers, but also the password included in the MD5 digest.

Note
TCP MD5 authentication is not available for BGP sessions over IPv6.

BGP Support for Virtual IP for VRRP

The Nokia IPSO implementation of BGP supports advertising the virtual IP address of the VRRP virtual router.
6. For the specific external or routing group, enter an IP address in the Local address text box.

Note
You must configure a local IP address for the specific external or routing group for virtual IP for VRRP support to function.

7. Click On in the Virtual Address field to enable virtual IP for VRRP support.
8. Click Apply.
9. Click Save to make your changes permanent.

BGP Support for IP Clustering

Nokia IPSO supports BGP in IP clusters.
Memory Size
Base IPSRD is approximately 2 MB
Route entry in the local route table is 76 bytes
Inbound route entry in the BGP table is 20 bytes
Outbound route entry in the BGP table is 24 bytes

To calculate the amount of memory overhead on the routing daemon because of BGP peers, calculate the memory required for all of the RIBs according to the following procedures. Add the result to the base IPSRD size.

Inbound RIB: Multiply the number of peers by the number of routes accepted.
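As an added example (not from the guide), the Python below turns the per-entry sizes above into an estimate, applies the same peers x routes shape to the outbound RIB and the local table (an assumption; the guide states the rule only for the inbound RIB), and parses the %MEM column of ps -auxww | grep ipsrd output so the estimate can be checked against what IPSRD already occupies. The ps output and the 80 percent headroom threshold are constructed.

```python
"""Added example (not part of the Nokia guide): estimate the IPSRD memory
overhead of BGP peering from the per-entry sizes the guide lists, and read
IPSRD's actual %MEM out of 'ps -auxww | grep ipsrd' output.

The inbound-RIB rule (peers x routes accepted x 20 bytes) follows the guide;
applying the same shape to the outbound RIB (peers x routes advertised x 24
bytes) and to the local route table (unique routes x 76 bytes) is an
assumption of this example, as is the ps output, which is constructed.
"""
from typing import Dict, Optional

BASE_IPSRD_BYTES = 2 * 1024 * 1024   # "Base IPSRD is approximately 2 MB"
LOCAL_ROUTE_ENTRY_BYTES = 76         # route entry in the local route table
INBOUND_ENTRY_BYTES = 20             # inbound route entry in the BGP table
OUTBOUND_ENTRY_BYTES = 24            # outbound route entry in the BGP table


def bgp_memory_estimate(peers: int, routes_accepted: int,
                        routes_advertised: int, unique_routes: int) -> Dict[str, int]:
    """Return the estimated byte count per RIB and the total including base."""
    if min(peers, routes_accepted, routes_advertised, unique_routes) < 0:
        raise ValueError("counts must be non-negative")
    inbound = peers * routes_accepted * INBOUND_ENTRY_BYTES       # guide's rule
    outbound = peers * routes_advertised * OUTBOUND_ENTRY_BYTES   # assumption
    local = unique_routes * LOCAL_ROUTE_ENTRY_BYTES               # assumption
    return {"inbound_rib": inbound, "outbound_rib": outbound,
            "local_table": local,
            "total": BASE_IPSRD_BYTES + inbound + outbound + local}


def ipsrd_mem_percent(ps_output: str) -> Optional[float]:
    """Pick the %MEM column (4th) of the ipsrd line from 'ps -auxww' output,
    skipping the header and the 'grep ipsrd' process that matches itself."""
    for line in ps_output.splitlines():
        fields = line.split()
        if len(fields) < 11 or fields[0] == "USER":
            continue
        command = " ".join(fields[10:])
        if "ipsrd" in command and "grep" not in command:
            return float(fields[3])
    return None


def swap_risk(estimate_bytes: int, physical_bytes: int, mem_percent: float,
              headroom: float = 0.8) -> bool:
    """True when IPSRD's current use (measured before the new peers are added)
    plus the projected BGP overhead exceeds the headroom fraction of physical
    memory. The threshold is an assumption; the guide only says IPSRD must
    not swap."""
    current = physical_bytes * mem_percent / 100.0
    return (current + estimate_bytes) > headroom * physical_bytes


# Constructed 'ps -auxww | grep ipsrd' output (BSD column order, %MEM is 4th)
PS_SAMPLE = """\
USER   PID %CPU %MEM   VSZ   RSS  TT  STAT STARTED    TIME COMMAND
root   312  0.0  3.4 10240  7168  ??  Ss   10:00AM 0:01.23 /bin/ipsrd -N
admin  987  0.0  0.1  1024   512  p0  R+   10:05AM 0:00.01 grep ipsrd
"""

if __name__ == "__main__":
    est = bgp_memory_estimate(peers=4, routes_accepted=150000,
                              routes_advertised=150000, unique_routes=150000)
    print(est)
    print("ipsrd %MEM:", ipsrd_mem_percent(PS_SAMPLE))
    print("swap risk on 32 MB:", swap_risk(est["total"], 32 * 1024 * 1024, 3.4))
```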
Note
Make sure that IPSRD is not swapping memory. Look at the memory sizes occupied by user-level daemons like Check Point, ifm, xpand, etc. To find out how much memory IPSRD occupies, run the following command:

ps -auxww | grep ipsrd

The fourth column, labeled %MEM, displays the percentage of memory that IPSRD occupies.

BGP Neighbors Example

BGP has two types: internal and external.
8. Enter 10.50.10.2 in the Add remote peer IP address edit box; then click Apply.
9. Configure an inbound route filter for AS 100 according to “BGP Route Inbound Policy Example” on page 446.

To configure IBGP on Nokia Platform B

1. Configure the interface as in “Configuring an Ethernet Interface”.
2. Configure an internal routing protocol such as OSPF, or configure a static route to connect the platforms in AS100 to each other.
11. Enter 10.50.10.1 in the Add remote peer IP address text box.
12. Click Apply.

To configure Nokia Platform A as an IBGP peer to Nokia Platform C

1. Click Config on the home page.
2. Click the BGP link in the Routing Configuration section.
3. Enter 170.20.1.1 in the Add remote peer IP address text box.
4. Click Apply.

To configure EBGP on Nokia Platform A

1. Configure the interface on Nokia Platform A as in “Ethernet Interfaces.”
2. Click BGP under Configuration > Routing Configuration in the tree view.
3.
6. Click External in the Peer group type drop-down window; then click Apply.
7. Enter 129.10.21.1 in the Add remote peer IP address text box; then click Apply.
8. Configure route inbound policy according to “BGP Route Inbound Policy Example.”
9. Configure route redistribution policy according to “Redistributing Routes to BGP” on page 407.
10. Configure an inbound route filter according to “BGP Route Inbound Policy Example.”

To configure EBGP on Nokia Platform E

1.
3. Follow the steps described in the “To configure route inbound policy on Nokia Platform D based on an autonomous system number” example.
4. Enter the community ID or the name of one of the special attributes in the Community ID/Special community text box; then click Apply.
5.
To configure MED Values for all peers of AS200

1. Click BGP under Configuration > Routing Configuration in the tree view.
2. Configure EBGP peers in AS100 and AS200 according to the “BGP Neighbors Example.”
3. Click the Advanced BGP Options link on the main BGP page. This action takes you to the Advanced Options for BGP page.
4. Go to the configuration section for the AS4 routing group. Enter 100 in the MED text box for the AS4 routing group.
5. Enter 100 in the MED edit box next to the Enable redistribute bgp routes to AS100 field.
6. Enter the necessary information for route redistribution according to the “BGP Multi Exit Discriminator Example”; then click Apply.
7. Click Save to make your changes permanent.

Setting an MED value along with a route redistribution policy allows Nokia Platform D to redistribute all routes to AS100 with the MED value set to 100.
To configure an IBGP peer for Nokia Platform B

1. Enter 100 in the Peer Autonomous System Number text box.
2. Click Internal in the Peer Group type drop-down list; then click Apply.
3. Enter 20.10.10.2 in the Add Remote Peer IP Address text box; then click Apply.

To set the local preference value for an IBGP peer

1. Click Up to go back to the main Config page for Network Voyager. Click the Inbound Route Filters link in the Routing Configuration section.
2. Click Based on Autonomous System Number.
3.
BGP Confederation Example

[Figure: Nokia Platform A (AS65527, Confed 65525), Nokia Platform D (AS65528, Confed 65525), Nokia Platform B and Nokia Platform C (AS65525), and Nokia Platform E (AS65524, Confed 65525, with a link to an external AS); networks 192.168.45, 192.168.35, 192.168.40, and 192.168.30, with .1 and .2 host ends.]

In the above diagram, all the routers belong to the same Confederation 65525.
   f. Click On in the All Interfaces field; then click Apply.
   g. Enter 192.168.40.1 in the Add a new peer text box; then click Apply.
3. Create confederation group 65528.
   a. Click BGP under Configuration > Routing Configuration in the tree view.
   b. Enter 65528 in the Peer Autonomous System Number text box.
   c. Click Confederation in the Peer Group Type drop-down list; then click Apply. Define properties for the above group.
   d. Click on in the all field.
   e.
2. Create confederation group 65524.
   a. Click BGP under Configuration > Routing Configuration in the tree view.
   b. Click the Advanced BGP Options link.
   c. Enter 65524 in the Peer Autonomous System Number text box.
   d. Click Confederation in the Peer Group Type drop-down list; then click Apply. Define properties for the above group.
   e. Click On in the All field.
   f. Click On in the All Interfaces field; then click Apply.
   g. Enter 192.168.30.1 in the Add a new peer text box; then click Apply.
3.
Route Reflector Example

This example shows configuration for setting up route reflection for BGP. Route reflection is used with IBGP-speaking routers that are not fully meshed.

[Figure: Nokia Platform A (AS65525) and Nokia Platform B (AS65526, the route reflector) connected by EBGP over 192.168.10; Nokia Platform B connected by IBGP over 192.168.20 and 192.168.30 to its clients, Nokia Platform C and a second client (.1 and .2 host ends).]
   d. Select Internal in the Peer group type drop-down list; then click Apply.
5. Configure parameters for the group.
   a. Click BGP under Configuration > Routing Configuration in the tree view.
   b. Click Advanced BGP Options.
   c. Click On in the All field. This option covers all IGP and static routes.
   d. Click On in the All Interfaces field; then click Apply.
6. Enter the peer information.
   a. Click BGP under Configuration > Routing Configuration in the tree view.
   b. Click the Advanced BGP Options link.
   c.
4. Enter 65526 in the Peer Autonomous System Number text box.
5. Click Internal in the Peer Group Type drop-down list; then click Apply.
6. Enter 192.168.30.1 in the Add remote peer IP address text box; then click Apply.
7. Click Save to make your changes permanent.

Configuring BGP Route Inbound Policy on Platform B

1. Click Inbound Route Filters under Configuration > Routing in the tree view.
2. Click the Based on Autonomous System Number link.
3.
Communities are used to simplify the BGP inbound and route redistribution policies. Each community is identified by either an ID or one of the following special community names: no export, no advertise, no subconfed, or none.

Note
Specify the community ID and the AS number in order to generate a unique AS number-community ID combination.

To restrict incoming routes based on their community values, see “Path Filtering Based on Communities Example.”
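As an added example (not from the guide or IPSO), the Python below combines the AS number and community ID that Voyager asks for into one community value, names the special communities listed in the BGP communities table, and applies their advertisement rules per peer type. The 32-bit AS:ID layout and the treatment of confederation peers under NO_EXPORT_SUBCONFED follow RFC 1997 and are assumptions of this example.

```python
"""Added example (not part of the Nokia guide): encode and interpret BGP
community values, and decide whether a route carrying them may be
advertised to a given kind of peer.

Assumptions (from RFC 1997, not from the guide): a community is a 32-bit
value whose high 16 bits hold the AS number and low 16 bits the community
ID, which is why Voyager needs both to form a unique value; and
NO_EXPORT_SUBCONFED also blocks peers in other member ASes of a
confederation.
"""
from typing import Iterable, Tuple, Union

NO_EXPORT = 0xFFFFFF01            # not advertised outside a confederation
NO_ADVERTISE = 0xFFFFFF02         # not advertised to any BGP peer
NO_EXPORT_SUBCONFED = 0xFFFFFF03  # not advertised to external peers
WELL_KNOWN = {NO_EXPORT: "NO_EXPORT", NO_ADVERTISE: "NO_ADVERTISE",
              NO_EXPORT_SUBCONFED: "NO_EXPORT_SUBCONFED"}

PEER_TYPES = ("internal", "confederation", "external")


def encode_community(as_number: int, community_id: int) -> int:
    """Combine an AS number and a community ID into one 32-bit value."""
    if not 0 <= as_number <= 0xFFFF or not 0 <= community_id <= 0xFFFF:
        raise ValueError("AS number and community ID must fit in 16 bits")
    return (as_number << 16) | community_id


def decode_community(value: int) -> Union[str, Tuple[int, int]]:
    """Return a well-known name, or the (AS number, community ID) pair."""
    if value in WELL_KNOWN:
        return WELL_KNOWN[value]
    return value >> 16, value & 0xFFFF


def format_community(value: int) -> str:
    """Render as NAME or AS:ID, the usual operator notation."""
    decoded = decode_community(value)
    return decoded if isinstance(decoded, str) else "%d:%d" % decoded


def may_advertise(communities: Iterable[int], peer_type: str) -> bool:
    """Apply the well-known community semantics when exporting a route.

    internal      : IBGP peer in the same member AS
    confederation : peer in another member AS of the same confederation
    external      : peer outside the confederation (a stand-alone AS counts
                    as a confederation of one, as the guide's table says)
    """
    if peer_type not in PEER_TYPES:
        raise ValueError("unknown peer type: %s" % peer_type)
    comms = set(communities)
    if NO_ADVERTISE in comms:
        return False                      # no peer at all
    if NO_EXPORT_SUBCONFED in comms and peer_type != "internal":
        return False                      # only within the member AS
    if NO_EXPORT in comms and peer_type == "external":
        return False                      # stays inside the confederation
    return True


if __name__ == "__main__":
    route_comms = [encode_community(100, 70), NO_EXPORT]   # constructed
    print([format_community(c) for c in route_comms])
    for ptype in PEER_TYPES:
        print(ptype, may_advertise(route_comms, ptype))
```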
EBGP Load Balancing Example: Scenario #1

Loopback interfaces are used to configure load balancing for EBGP between two ASes over two parallel links. This example consists of the following:
Enabling BGP function
Configuring loopback addresses
Adding static routes
Configuring peers
Configuring inbound and route redistribution policies

In the following diagram, Nokia Platform A is in autonomous system AS100, and Nokia Platform B is in autonomous system AS200.
4. Enter 129.10.2.2 in the Additional Gateway edit box; then click Apply.
5. Enter 129.10.1.2 in the Additional Gateway edit box; then click Apply.

Configuring a Static Route on Platform B

1. Click Static Routes under Configuration > Routing in the tree view.
2. Enter 1.2.3.4 in the New static route text box to reach the loopback address of Platform A.
3. Enter 32 in the Mask length text box; then click Apply.
4. Enter 129.10.2.1 in the Additional Gateway edit box; then click Apply.
5. Enter 129.10.1.
EBGP Load Balancing Example: Scenario #2

Configuring a Loopback Address on Platform A

1. Configure the interface as in “Ethernet Interfaces.”
2. Click Interfaces under Configuration > Interface Configuration in the tree view.
3. Click the Logical Address Loopback link.
4. Enter 1.2.3.4 in the New IP Address text box; then click Apply.

Configuring a Loopback Address on Platform B

1. Configure the interface as in “Ethernet Interfaces.”
2.
5. In the Nexthop field, click on next to EBGP Multihop to enable the multihop option; then click Apply.
6. (Optional) Enter a value in the TTL text box to set the number of hops over which the EBGP multihop session is established. The default value is 64 and the range is 1 to 255. Click Apply.

Configuring an EBGP Peer on Platform B

1. Configure an EBGP peer on Nokia Platform B as in “Ethernet Interfaces.”
2. Enter 5.6.7.8 as the local address on the main BGP configuration page.
3.
The default value is 60 seconds.
5. To make your changes permanent, click Save.

TCP MD5 Authentication Example

[Figure: Nokia Platform A (AS100, 10.10.10.1/24) and Nokia Platform B (AS200, 10.10.10.2/24) connected by EBGP.]

Configuring TCP MD5 Authentication on Nokia Platform A

1. Configure the interface as in “Ethernet Interfaces.”
2. Click BGP under Configuration > Routing in the tree view. The following two steps enable BGP function on Nokia Platform A.
3. Enter 10.10.10.
6. Click External in the Peer group type drop-down list; then click Apply. The following steps configure an EBGP peer with MD5 authentication.
7. Enter 10.10.10.1 in the Add remote peer ip address text box; then click Apply.
8. Click the 10.10.10.1 link to access the BGP peer configuration page.
9. Select MD5 as the authentication type from the AuthType drop-down list; then click Apply.
10. Enter the MD5 shared key (test123 for example) in the Key edit box; then click Apply.
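The key entered in step 10 is what the TCP MD5 option described under BGP authentication signs each segment with; as an added example (not from the guide or IPSO), the Python below computes and verifies the RFC 2385 digest over a constructed segment between the two platforms of this example, and checks that a segment built with the right addresses and sequence numbers but without the key does not verify. Ports, sequence numbers, and the BGP payload are constructed.

```python
"""Added example (not part of the Nokia guide or IPSO): compute and verify
the TCP MD5 signature option of RFC 2385 that BGP MD5 authentication uses.

Per RFC 2385 the digest covers, in order: the TCP pseudo-header (source IP,
destination IP, zero byte, protocol 6, segment length), the fixed TCP header
with options excluded and checksum zeroed, the segment data, and the key.
Addresses follow the TCP MD5 Authentication Example; ports, sequence numbers
and the payload are constructed.
"""
import hashlib
import hmac
import socket
import struct

TCP_PROTO = 6
TCP_FIXED_HDR_LEN = 20


def tcp_md5_digest(src_ip: str, dst_ip: str, tcp_segment: bytes, key: bytes) -> bytes:
    """Return the 16-byte RFC 2385 digest for a TCP segment (header+options+data)."""
    if len(tcp_segment) < TCP_FIXED_HDR_LEN:
        raise ValueError("segment shorter than a TCP header")
    data_offset = (tcp_segment[12] >> 4) * 4         # header length incl. options
    pseudo = struct.pack("!4s4sBBH", socket.inet_aton(src_ip),
                         socket.inet_aton(dst_ip), 0, TCP_PROTO, len(tcp_segment))
    fixed = bytearray(tcp_segment[:TCP_FIXED_HDR_LEN])
    fixed[16:18] = b"\x00\x00"                        # checksum assumed zero
    payload = tcp_segment[data_offset:]              # options are skipped
    return hashlib.md5(pseudo + bytes(fixed) + payload + key).digest()


def tcp_md5_verify(src_ip: str, dst_ip: str, tcp_segment: bytes, key: bytes,
                   received_digest: bytes) -> bool:
    """Constant-time comparison, as a receiver does before accepting a segment."""
    expected = tcp_md5_digest(src_ip, dst_ip, tcp_segment, key)
    return hmac.compare_digest(expected, received_digest)


def build_tcp_segment(src_port: int, dst_port: int, seq: int, ack: int,
                      flags: int, payload: bytes, options: bytes = b"") -> bytes:
    """Assemble a TCP header (checksum left zero) plus options and data."""
    if len(options) % 4:
        raise ValueError("options must be padded to a 4-byte boundary")
    data_offset = (TCP_FIXED_HDR_LEN + len(options)) // 4
    header = struct.pack("!HHIIBBHHH", src_port, dst_port, seq, ack,
                         data_offset << 4, flags, 65535, 0, 0)
    return header + options + payload


# Constructed segment from Platform A (10.10.10.1) to Platform B (10.10.10.2)
SRC, DST = "10.10.10.1", "10.10.10.2"
KEY = b"test123"                                    # the guide's sample key
ACK_PSH = 0x18
KEEPALIVE = b"\xff" * 16 + b"\x00\x13\x04"          # BGP KEEPALIVE message
SEGMENT = build_tcp_segment(179, 40000, 0x11223344, 0x55667788, ACK_PSH, KEEPALIVE)
SIGNATURE = tcp_md5_digest(SRC, DST, SEGMENT, KEY)


def unkeyed_segment_is_rejected() -> bool:
    """A segment with correct addresses, ports and sequence numbers but a
    digest made with the wrong key fails verification: guessing the sequence
    numbers alone is not enough."""
    wrong = tcp_md5_digest(SRC, DST, SEGMENT, b"not-the-key")
    return not tcp_md5_verify(SRC, DST, SEGMENT, KEY, wrong)


if __name__ == "__main__":
    print("signature:", SIGNATURE.hex())
    print("unkeyed segment rejected:", unkeyed_segment_is_rejected())
```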
Verification

To verify that you have configured route dampening correctly, run the following command in iclid:

show route bgp suppressed

For more information on this command, see “Viewing Routing Protocol Information.”

BGP Path Selection

The following rules will help you understand how BGP selects paths:
If the path specifies a next hop that is inaccessible, drop the update.
Prefer the path with the lowest weight.
To configure a BGP4 session over IPv6 transport

1. Determine whether Router 1 and Router 2 are directly connected.
   a. If Router 1 and Router 2 are directly connected, use the IPv6 addresses of the interface through which they are connected. If they are directly connected, you can use their link-local addresses for BGP peering.
4. On Router 1, use this route map by executing the following CLI command to send both IPv4 and IPv6 unicast routes to AS 2.

set bgp external remote-as 2 export-routemap advertise_to_as2 preference 1 family inet-and-inet6

Note
The actual routes sent will be based on the match conditions of the route map.

5. On Router 2, configure a route map called accept_from_as2 to accept incoming IPv4 and IPv6 routes advertised by Router 1. (BGP by default does not accept incoming routes.)
6.
Refines—Matches a route only if it is more specific than the given prefix.
Range—Matches any route whose IP address equals the given prefix’s IP address and whose mask length falls within the specified mask length range.

Sample route redistribution examples follow.

Note
The Route Redistribution link contains over thirty possible route redistribution options.

The redistribute_list specifies the source of a set of routes based on parameters such as the protocol from which the source has been learned.
BGP Route Redistribution Example

Route redistribution allows you to redistribute routes from one autonomous system into another autonomous system.

[Figure: AS100 (Nokia Platform A), AS200 (Nokia Platform B) and AS4 (Nokia Platform C and Nokia Platform D) connected by EBGP sessions]

To configure BGP route redistribution on Nokia Platform D

1. Click Route Redistribution under Configuration > Routing in the tree view.
2. Click BGP Routes Based on AS under the Redistribute to BGP section.
3.
Protocol
Interface
Gateway

If more than one parameter is specified, they are processed from most general (protocol) to most specific (gateway).

It is not possible to set metrics for redistributing RIP routes into RIP or for redistributing IGRP routes into IGRP. Attempts to do this are silently ignored. It is also not possible to set the metrics for redistributing routes into IGRP.
categorized as a stub network, meaning that a particular subnet does not send RIP routing updates.

[Figure: RIP to OSPF border. Nokia Platforms A, B, C and D form the Nokia OSPF backbone (links 26.65/30, 26.66/30, 26.69/30, 26.70/30, 26.73/30, 26.74/30, 26.61/24, 26.77/28, 26.78/28, 26.79/28); a hub on 26.1/24 connects the RIP network (24.0/24, 22.0/24, default route 0.0.0.0/0) of UNIX hosts with routed enabled, and the corporate net]
5. To prevent 192.168.22.0/24 and other more specific routes from being redistributed into OSPF External, define a route filter to restrict only this route as follows:
   a. To configure this filter, enter 192.168.22.0 in the New IP prefix to redistribute text box, and 24 in the Mask length text box. Click Apply.
   b. Select Normal in the Match Type drop-down list. This matches routes that are equal to or more specific than 192.168.22.0/24.
   c. Click Apply. The filter is fully configured.
Nokia Platform E of AS 100 and Nokia Platform A of AS 4 are participating in an EBGP session. Nokia Platform F of AS 200 and Nokia Platform D of AS 4 are also participating in an EBGP session.

[Figure: AS4 Nokia OSPF backbone (Nokia Platforms A, B, C and D; links 26.65/30, 26.66/30, 26.69/30, 26.70/30, 26.73/30, 26.74/30, 26.61/24, 26.77/28) with EBGP sessions to Nokia Platform E in AS100 (26.77/28) and Nokia Platform F in AS200 (26.1/24)]

To redistribute OSPF to BGP through Nokia Platform A

1.
Inbound Route Filters

Inbound route filters allow a network administrator to restrict or constrain the set of routes accepted by a given routing protocol. The filters let an operator include or exclude ranges of prefixes from the routes that are accepted into RIP, IGRP, OSPF and BGP. These filters are configured in the same way as the filters for route redistribution.

Note
You can also use route maps to specify inbound route filters. You can define route maps only using CLI commands.
5. Enter the appropriate IP address and mask length in the New Route to Filter and Mask Length fields; then click Apply. A new set of fields is displayed adjacent to the newly entered IP address and mask length.
6. Click On or Off to enable or disable filtering of this route.
7. From the Match Type field drop-down list, select Normal, Exact, Refines, or Range.
8. In the Action field, click Accept or Restrict to determine what to do with the routes that match the given filter.
9.
Note
By default, all routes originating from the configured ASes are accepted. You can accept or reject all routes from a particular AS by enabling the accept or restrict option next to the All BGP routes from AS field.

You also can accept or reject particular routes from AS 100 by specifying a route filter. Route filters are specified as shown in the Route Redistribution section. Assume that you want to filter all routes that are strictly more specific than 10.0.0.0/8.
7. To configure this filter, enter 10.0.0.0 in the New IP prefix to import edit box, and 8 in the Mask length edit box; then click Apply.
8. Select Refines in the Match type drop-down list. This specifies routes that are strictly more specific than 10.0.0.0/8.
9. Finally, click Restrict in the Action field. This specifies to discard the routes that match this prefix.
10. Click Apply. The filter is fully configured.

BGP AS Path Filtering Example

BGP updates restrict the routes a router learns or advertises.
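As an added example (not Voyager code), the following Python implements the four match types (Normal, Exact, Refines, Range) as the page defines them and applies an ordered list of Accept/Restrict filters to a set of routes. It covers both the 10.0.0.0/8 Refines filter just configured and the Normal filter on 192.168.22.0/24 from the OSPF redistribution example. First-match-wins ordering and the accept-by-default fallback are assumptions drawn from the note above; the filter dictionary layout and the sample routes are the example's own.

```python
import ipaddress


def route_matches(filter_prefix, match_type, route, min_len=None, max_len=None):
    """Return True when `route` matches a filter entry of the given match type.

    normal  - route equal to or more specific than the prefix
    exact   - route exactly equal to the prefix
    refines - route strictly more specific than the prefix
    range   - route's network address equals the prefix's address and its
              mask length lies within [min_len, max_len]
    """
    f = ipaddress.ip_network(filter_prefix, strict=False)
    r = ipaddress.ip_network(route, strict=False)
    if f.version != r.version:
        return False
    if match_type == "exact":
        return r == f
    if match_type == "normal":
        return r.subnet_of(f)
    if match_type == "refines":
        return r.subnet_of(f) and r.prefixlen > f.prefixlen
    if match_type == "range":
        if min_len is None or max_len is None:
            raise ValueError("range match needs min_len and max_len")
        return r.network_address == f.network_address and min_len <= r.prefixlen <= max_len
    raise ValueError(f"unknown match type {match_type!r}")


def apply_inbound_filters(routes, filters, default="accept"):
    """The first enabled filter that matches decides; routes matching no filter
    fall through to `default` (assumed accept, per the page's note that BGP
    accepts routes from configured ASes by default). Each filter is a dict with
    keys prefix, match and action ("accept" or "restrict"), plus optional
    enabled, min_len and max_len."""
    decisions = {}
    for route in routes:
        decision = default
        for flt in filters:
            if not flt.get("enabled", True):          # the On/Off switch per filter
                continue
            if route_matches(flt["prefix"], flt["match"], route,
                             flt.get("min_len"), flt.get("max_len")):
                decision = flt["action"]
                break
        decisions[route] = decision
    return decisions


def demo():
    """The page's two filters applied to constructed sample routes."""
    filters = [
        {"prefix": "10.0.0.0/8", "match": "refines", "action": "restrict"},
        {"prefix": "192.168.22.0/24", "match": "normal", "action": "restrict"},
    ]
    routes = ["10.0.0.0/8", "10.1.0.0/16", "192.168.22.0/24",
              "192.168.22.128/25", "192.0.2.0/24"]
    return apply_inbound_filters(routes, filters)
```

Note the difference the match type makes: with Refines the aggregate 10.0.0.0/8 itself is still accepted and only its more-specifics are discarded, whereas Normal on 192.168.22.0/24 catches the prefix and everything beneath it.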
10 Configuring Traffic Management

This chapter describes traffic management functionality, including access control lists and aggregation classes.

Traffic Management Overview

Traffic management functionality allows packet streams to be filtered, shaped, or prioritized. The prioritization mechanisms conform to RFC 2598, the Expedited Forwarding specification of the IETF DiffServ Working Group. Traffic is separated into discrete streams, or classified, through an Access Control List (ACL).
by adding delay to packets that must wait for more tokens to arrive in the bucket. When more bursts arrive than can be accommodated by the shaping queue, that traffic is dropped. Both outgoing and incoming traffic streams can be shaped.

To configure a shaper, see “Configuring ACL Rules” on page 452. Select shape as the action for one or more rules. See “To create an Aggregation Class” on page 456 for information about creating AGC meters.
To create or delete an ACL

1. Depending on whether you are using IPv4 or IPv6, click the following link.
   a. For IPv4 ACLs, click Access List under Configuration > Traffic Management in the tree view.
   b. For IPv6 ACLs, click IPv6 Access List under Configuration > IPv6 Configuration > Traffic Management in the tree view.
2. To create an ACL, enter a name for the ACL in the Create a New Access List edit box and click Apply.
4. To remove an ACL from an interface:
   a. Select Delete for the appropriate interface in the Selected Interfaces table.
   b. Click Apply. The interface disappears from the Selected Interfaces section.
5. To make your changes permanent, click Save.

Configuring ACL Rules

An Access Control List (ACL) is a container for a set of rules, and traffic is separated into packet streams by the ACL. The content and ordering of the rules is critical.
Note
The DSfield and QueueSpec fields are used to mark and select the priority level.

Masks can be applied to most of these properties to allow wildcarding. The source and destination port properties can be edited only when the IP protocol is UDP, TCP, or the keyword "any." All of these properties are used to match traffic. The packets that match a rule whose action is set to "prioritize" are marked with the corresponding DSfield and sent to the queue set by the QueueSpec field.
Table 27 ACL Rule Attributes

Action
A rule action can be one of the following six actions:
• Accept—Forward this traffic stream.
• Drop—Silently drop all traffic belonging to this stream.
• Reject—Drop all traffic in this stream and attempt to deliver an ICMP error to the source.
• Skip—Skip this rule and proceed to the next.
• Shape—Coerce the throughput of this traffic according to a set of parameters given by an aggregation class.
Table 27 ACL Rule Attributes (continued)

DSfield
Specifies the DiffServ codepoint with which to mark traffic that matches this rule. RFC 791 states that the least significant two bits of the DiffServ codepoint are unused. Thus, the least significant two bits of any DSfield value that you enter in the ACL rule will be reset to 0. For example, if you enter 0xA3, it will be reset to 0xA0 and the corresponding packets will be marked as 0xA0 and not 0xA3.
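To make the rule attributes concrete, here is an added Python model (not IPSO's classifier) of how a packet is walked through an ACL: the first matching rule decides, skip moves on to the next rule, prioritize marks the DSfield after its low two bits are cleared and selects the QueueSpec queue, and, as the note in the Aggregation Class section states, a prioritize or shape rule with no aggregation class behaves as skip. The Rule and Packet structures, the no_match result for packets that match nothing, the aggregation class name and the addresses are all constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

ACTIONS = {"accept", "drop", "reject", "skip", "shape", "prioritize"}


def normalize_dsfield(value):
    """Voyager resets the two least significant bits of an entered DSfield
    (0xA3 becomes 0xA0), leaving only the 6-bit codepoint."""
    return value & 0xFC


@dataclass
class Rule:
    action: str
    src: Optional[str] = None        # source prefix, None = any
    dst: Optional[str] = None        # destination prefix, None = any
    proto: str = "any"               # "tcp", "udp", "icmp" or "any"
    sport: Optional[int] = None      # port properties only apply to tcp/udp
    dport: Optional[int] = None
    dsfield: Optional[int] = None    # marking applied by "prioritize"
    queue: Optional[int] = None      # QueueSpec selected by "prioritize"
    agc: Optional[str] = None        # aggregation class for shape/prioritize


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    sport: int = 0
    dport: int = 0
    dsfield: int = 0


def rule_matches(rule, pkt):
    """Property-by-property match; a rule with no value for a property matches anything."""
    if rule.action not in ACTIONS:
        raise ValueError(f"unknown action {rule.action!r}")
    if rule.src and ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(rule.src, strict=False):
        return False
    if rule.dst and ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(rule.dst, strict=False):
        return False
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    if rule.sport is not None or rule.dport is not None:
        if pkt.proto not in ("tcp", "udp"):
            return False               # ports are meaningless for other protocols
        if rule.sport is not None and rule.sport != pkt.sport:
            return False
        if rule.dport is not None and rule.dport != pkt.dport:
            return False
    return True


def classify(acl, pkt):
    """Walk the ACL in order and return the decision for one packet."""
    for rule in acl:
        if not rule_matches(rule, pkt):
            continue
        if rule.action == "skip":
            continue
        if rule.action in ("shape", "prioritize") and rule.agc is None:
            continue                   # no aggregation class: treated as skip
        if rule.action == "prioritize":
            return {"action": "prioritize", "dsfield": normalize_dsfield(rule.dsfield or 0),
                    "queue": rule.queue, "agc": rule.agc}
        if rule.action == "shape":
            return {"action": "shape", "agc": rule.agc}
        return {"action": rule.action}
    return {"action": "no_match"}      # fall-through result is this example's assumption


def demo():
    """Constructed ACL: prioritise telnet into the EF queue, a shape rule for
    ftp-data that was never given an aggregation class, then drop ftp-data,
    then accept everything else."""
    acl = [
        Rule("prioritize", proto="tcp", dport=23, dsfield=0xB8, queue=6, agc="ef_agc"),
        Rule("shape", proto="tcp", dport=20),               # no AGC: behaves as skip
        Rule("drop", proto="tcp", dport=20),
        Rule("accept"),
    ]
    packets = {
        "telnet": Packet("192.0.2.10", "198.51.100.5", "tcp", 40000, 23),
        "ftp_data": Packet("192.0.2.10", "198.51.100.5", "tcp", 40001, 20),
        "icmp": Packet("192.0.2.10", "198.51.100.5", "icmp"),
    }
    return {name: classify(acl, p) for name, p in packets.items()}
```

The ftp_data result is the one to watch: a shape rule that silently falls through because its aggregation class is missing lets the next rule decide, which is exactly the mis-configuration the page's note warns about.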
To create an Aggregation Class

1. Depending on whether you are using IPv4 or IPv6, click the following link.
   a. For IPv4 ACLs, click Aggregation Class under Configuration > Traffic Management in the tree view.
   b. For IPv6 ACLs, click IPv6 Aggregation Class under Configuration > IPv6 Configuration > Traffic Management in the tree view.
2. Enter the following in the Create a New Aggregation Class section:
   A name for the aggregation class in the Name edit box.
Note
A rule treats traffic as if it were configured for "skip" if the traffic matches a rule whose action has been set to "prioritize" or "shape" and no Aggregation Class is configured.

6. Click Apply.
7. Click Save to make your changes permanent.

Configuring Queue Classes

Queue classes are used to instantiate a framework, or template, for output queue schedulers. Like Access Control Lists (ACLs), they are created and configured and then associated with an interface.
To create or delete a queue class

1. Depending on whether you are using IPv4 or IPv6, click the following link.
   a. For IPv4 ACLs, click Queue Class under Configuration > Traffic Management in the tree view.
   b. For IPv6 ACLs, click IPv6 Queue Class under Configuration > IPv6 Configuration > Traffic Management in the tree view.
2. To create a new queue class, enter its name in the Create a New Queue Class edit box and click Apply. The new queue class appears in the Existing Queue Classes field.
3.
To associate a queue class with an interface

1. Depending on whether you are using IPv4 or IPv6, click the following link.
   a. For IPv4 ACLs, click Queue Class under Configuration > Traffic Management in the tree view.
   b. For IPv6 ACLs, click IPv6 Queue Class under Configuration > IPv6 Configuration > Traffic Management in the tree view.
2. In the List of Available Physical Interfaces table, click the name of the physical interface with which you wish to associate a queue class.
Note
The default ATM QoS Descriptor is set to unspecified bit rate (UBR) and cannot be modified.

3. Enter a value for the maximum cell rate to be used in the output direction on a CBR channel in the Peak Cell Rate edit box. The Peak Cell Rate is rounded down to a multiple of 64 kilobits/sec. One cell per second corresponds to 424 bits/sec.

Note
You can configure no more than 100 CBR channels per interface. The sum of the Peak Cell Rate of all the CBR channels on an interface cannot exceed 146 Mbps.

4.
6. Click the ATM QoS Descriptors link.
7. In the Existing ATM QoS Descriptors field, click the Delete check box next to the name of the ATM QoS Descriptor that you want to delete.
8. Click Apply. The ATM QoS Descriptor disappears from the Existing QoS Descriptors field.
9. Click Save to make your changes permanent.

To associate an ATM QoS Descriptor with an interface and a virtual channel

1. Click Interfaces under Configuration > Interface Configuration in the tree view.
2.
(Policy Enforcement Points). The PDPs are network-based servers that decide which types of traffic (such as voice or video) receive priority treatment. The PEPs are routers that implement the decisions made by the PDPs. In the Nokia implementation, the Nokia platform functions as a PEP.

Configuring a COPS Client ID and Policy Decision Point

You must configure at least one COPS Client ID and a corresponding policy decision point (that is, a policy server) for the COPS Policy Module to function.

1.
4. In the Sequence Number edit box, enter a value between 1 and 2147483647 to define the sequence number used for the COPS protocol. Click Apply.
5. In the Key ID field, enter a value between 1 and 2147483647 in the Send edit box to define the send key ID used for the COPS protocol.
6. In the Key field, enter a string value of up to 64 characters in the edit box next to the Send Key ID value. This value defines the key used for the COPS protocol. Use alphanumeric characters only. Click Apply.
7.
Activating and Deactivating the COPS Client

You must activate the COPS client to implement the COPS module you configure. You can deactivate the COPS client to halt the COPS module implementation.

1. Click COPS under Configuration > Traffic Management in the tree view.
2. Click the Start button in the COPS client field to activate the COPS client; click the Stop button to deactivate the COPS client.
3. Click Apply.
4. Click Save to make your change permanent.
4. In the COPS security configuration section, click the Delete check box next to the name of the client ID you want to delete.
5. Click Apply.
6. Click Save to make your change permanent.

Example: Rate Shaping

The following example shows you how to limit ftp data traffic to 100 kilobits per second (kbps) with a 5000 byte burst size on output interface eth-s2p1c0. First, you create an Access Control List.

1. Click Access List under Configuration > Traffic Management in the tree view.
2.
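The token bucket described in the Traffic Management Overview (tokens accumulate at the class rate up to the burst size, a packet that finds the bucket short waits in the shaping queue, and arrivals beyond what the shaping queue can hold are dropped) can be simulated to see what this rate-shaping example does to a burst of ftp data. The Python below is an added example, not IPSO's shaper, using this example's figures of 100 kbps and a 5000 byte burst; the 6000 byte shaping queue limit and the packet sizes are assumptions, since the page does not state the queue depth.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class TokenBucketShaper:
    """Constructed model of a shaping aggregation class (not IPSO's implementation)."""
    rate_bps: int                  # shaping rate in bits per second
    burst_bytes: int               # token bucket depth in bytes
    queue_limit_bytes: int         # assumed shaping queue capacity in bytes
    tokens: float = field(init=False)
    rate: float = field(init=False)                  # bytes per second
    clock: float = field(init=False, default=0.0)    # departure time of the last scheduled packet
    pending: List[Tuple[float, int]] = field(init=False, default_factory=list)

    def __post_init__(self):
        self.tokens = float(self.burst_bytes)        # the bucket starts full
        self.rate = self.rate_bps / 8.0

    def queued_bytes(self, now):
        """Bytes still waiting in the shaping queue at time `now`."""
        return sum(size for depart, size in self.pending if depart > now)

    def offer(self, arrival, size):
        """Schedule one packet; return its departure time, or None if it is dropped."""
        if self.queued_bytes(arrival) + size > self.queue_limit_bytes:
            return None                               # shaping queue overflow: drop
        start = max(arrival, self.clock)              # FIFO behind earlier packets
        available = min(self.burst_bytes, self.tokens + (start - self.clock) * self.rate)
        if available >= size:
            depart, remaining = start, available - size
        else:
            # not enough tokens: delay until the bucket has refilled by the shortfall
            depart, remaining = start + (size - available) / self.rate, 0.0
        self.clock, self.tokens = depart, remaining
        self.pending.append((depart, size))
        return depart


def shape_trace(packets, rate_bps, burst_bytes, queue_limit_bytes):
    """Run a list of (arrival_seconds, size_bytes) through one shaper."""
    shaper = TokenBucketShaper(rate_bps, burst_bytes, queue_limit_bytes)
    return [shaper.offer(arrival, size) for arrival, size in packets]


def demo():
    """Ten 1500-byte packets arriving at once against the 100 kbps / 5000 byte
    class, then one more packet a second later once the bucket has refilled."""
    burst = [(0.0, 1500)] * 10
    departures = shape_trace(burst + [(1.0, 1500)], 100_000, 5000, 6000)
    return {"burst": departures[:10], "later": departures[10]}
```

With a full bucket the first three packets (4500 bytes) leave immediately; the fourth waits for the 1000 missing tokens (80 ms at 12,500 bytes/s), each further packet waits a full 120 ms, and once four packets are queued the assumed 6000 byte queue is full, so the rest of the burst is dropped rather than delayed. A packet arriving a second later finds the bucket refilled and is not delayed at all.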
5. Click Apply.
6. Click Save to make your changes permanent.

Example: Expedited Forwarding

This example illustrates the combined use of the Access Control List, Traffic Conditioning, and Queuing features. It demonstrates how to improve the response time of Telnet sessions between client and server systems over a private WAN connection within a corporate intranet, as shown in the diagram below.
Note
The queue specifier associated with the expedited forwarding queue is 6.

4. Associate the wan_1_ef queue class with the appropriate interface.
   a. Click Interfaces under Configuration > Interface Configuration in the tree view.
   b. Click ser-s3p1 in the Physical column.
   c. In the Queue Configuration field, select Max Throughput from the Queue Mode drop-down window.
   d. Click Apply.
   e. In the Queue Configuration field, select wan_1_ef from the Queue Class drop-down window.
   f. Click Apply.
   g.
Note
0xB8 is the IETF differentiated-services codepoint (in hexadecimal) for expedited forwarding traffic.

   m. Click Apply, and then click Save to make your changes permanent.

To test the configuration

1. Start a telnet session between the client and server.
2. Check the statistics on Nokia Platform A and Nokia Platform B.
   a. Click Interfaces under Configuration > Interface Configuration in the tree view.
   b. Click the link for ser-s3p1 in the Physical column.
   c. Click the Interface Statistics link.
11 Configuring Router Services

This chapter describes how to enable your system to forward broadcast traffic by enabling the IP Broadcast Helper, forward BOOTP/DHCP traffic by enabling BOOTP relay, enable router discovery, and configure the Network Time Protocol (NTP).

A Nokia appliance, like any routing device, does not forward broadcast traffic outside its broadcast domain, as per Ethernet standards.
Configuring BOOTP/DHCP Relay

You can use Network Voyager to enable BOOTP Relay on each interface. If the interface is enabled for relay, you can set up a number of servers to which to forward BOOTP requests. Enter a new IP address in the New Server text box for each server. To delete a server, turn it off.
To disable BOOTP relay on an interface

1. Click BOOTP Relay under Configuration > Router Services in the tree view.
2. Select Off for the interface on which you want to disable BOOTP.
3. Click Apply to disable the interface. When you click Off and then Apply, the BOOTP relay parameters (primary IP, wait time, and new server) disappear; however, the parameters are still stored in the system. If you select On and then Apply, these parameters reappear.
4. Click Save to make your changes permanent.
Table 29 IP Broadcast helper configuration parameters

UDP Port
Specifies a new UDP service to be forwarded by an interface. Client UDP packets with the specified UDP port number will be forwarded to the configured server(s).

Server address
Specifies the servers defined for forwarding for the interface and UDP service.

To configure the relaying of broadcast UDP packets on your system, use the following procedure.

To configure IP broadcast helper

1.
Note
Only the server portion of the Router Discovery Protocol is supported. IPSO implements only the ICMP router discovery server portion, which means that a Nokia router can advertise itself as a candidate default router, but it will not adopt a default router using the router discovery protocol.

The ICMP Router Discovery Service provides a mechanism for hosts attached to a multicast or broadcast network to discover the IP addresses of their neighboring routers.
Table 30 Router discovery configuration parameters

Router Discovery Interface On/Off
Specifies whether ICMP router discovery is running on the interface. When you select On and click Apply, configuration options for the interface appear.

Min. Advertise Interval
Specifies the minimum time (in seconds) allowed between sending unsolicited broadcast or multicast ICMP Router Advertisements on the interface. Range: between 3 seconds and the value of Maximum Advertisement Interval.
   Advertisement Lifetime
5. (Optional) For each IP address on the interface, you can specify the following parameters, described in Table 30.
   Advertise
   Address Preference
6. Click Apply.
7. Click Save to make your changes permanent.

To disable router discovery services

1. Click Router Discovery under Configuration > Router Services in the tree view.
2. Click Off for each interface to disable support for the router discovery service.
3. Click Apply.
4. Click Save to make your changes permanent.
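The advertisements that an interface with router discovery enabled sends are ICMP Router Advertisements (RFC 1256), carrying the Advertisement Lifetime and one (address, preference) entry per advertised address. The Python below is an added example, not IPSO code: it builds such a message with a valid ICMP checksum, parses and validates a received one, and shows the host-side choice of default router that, as the note above says, IPSO itself does not perform. The addresses, lifetime and preference values are constructed; the rule that a preference of 0x80000000 marks an address that must never be used as a default router comes from RFC 1256.

```python
import socket
import struct

ICMP_ROUTER_ADVERTISEMENT = 9
NOT_A_DEFAULT_ROUTER = -0x80000000     # RFC 1256: preference 0x80000000 = never use as default
ADDR_ENTRY_SIZE = 2                    # 32-bit words per (address, preference) entry


def inet_checksum(data):
    """RFC 1071 one's-complement checksum as used by ICMP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_router_advertisement(lifetime, entries):
    """Encode an ICMP Router Advertisement (type 9, code 0) with its checksum filled in."""
    body = struct.pack("!BBHBBH", ICMP_ROUTER_ADVERTISEMENT, 0, 0,
                       len(entries), ADDR_ENTRY_SIZE, lifetime)
    for address, preference in entries:
        body += socket.inet_aton(address) + struct.pack("!i", preference)
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]


def parse_router_advertisement(message):
    """Validate and decode; returns (lifetime_seconds, [(router_address, preference), ...])."""
    if len(message) < 8:
        raise ValueError("truncated ICMP header")
    if inet_checksum(message) != 0:
        raise ValueError("bad ICMP checksum")
    mtype, code, _, num_addrs, entry_size, lifetime = struct.unpack("!BBHBBH", message[:8])
    if mtype != ICMP_ROUTER_ADVERTISEMENT or code != 0:
        raise ValueError("not a router advertisement")
    if entry_size < ADDR_ENTRY_SIZE:
        raise ValueError("address entry size too small")
    if len(message) < 8 + num_addrs * entry_size * 4:
        raise ValueError("advertisement shorter than Num Addrs claims")
    entries = []
    for i in range(num_addrs):
        off = 8 + i * entry_size * 4
        address = socket.inet_ntoa(message[off:off + 4])
        preference = struct.unpack("!i", message[off + 4:off + 8])[0]
        entries.append((address, preference))
    return lifetime, entries


def choose_default_router(entries):
    """Host behaviour: the highest preference wins; 0x80000000 entries are never chosen."""
    eligible = [(pref, addr) for addr, pref in entries if pref != NOT_A_DEFAULT_ROUTER]
    if not eligible:
        return None
    return max(eligible)[1]


def demo():
    """Constructed advertisement from a platform with two addresses on one interface,
    one of them marked as not usable as a default router."""
    adv = build_router_advertisement(1800, [("192.0.2.1", 100),
                                            ("192.0.2.2", NOT_A_DEFAULT_ROUTER)])
    lifetime, entries = parse_router_advertisement(adv)
    corrupted = adv[:8] + bytes([adv[8] ^ 0x01]) + adv[9:]   # one flipped bit in an address
    try:
        parse_router_advertisement(corrupted)
        corrupt_rejected = False
    except ValueError:
        corrupt_rejected = True
    return {"lifetime": lifetime, "entries": entries,
            "default": choose_default_router(entries), "corrupt_rejected": corrupt_rejected}
```

The lifetime is the number of seconds a host may keep using the advertised addresses, which is why the Advertisement Lifetime must outlast the advertising interval: if it does not, hosts will discard the router between advertisements.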
Configuring NTP

You can enable or disable NTP on your system; when NTP is active, the local clock is synchronized as configured and hosts will be able to set their time through this machine. To set the time manually, see “Setting the System Time” on page 158.

To configure NTP

1. Click NTP under Configuration > Router Services in the tree view.
2. Click Yes in the Enable NTP field.
3. Click Apply. The NTP configuration page appears.
4.
10. (Optional) Enable the NTP reference clock by clicking Yes in the NTP Master field.

Note
Only enable the NTP reference clock if you cannot reach an NTP server.

11. Click Apply. The Stratum and Clock source fields appear. By default, the Stratum value is 1, and the Clock source is set to Local Clock. Nokia recommends that you keep these defaults.
12. Click Save to make your changes permanent.
12 Monitoring System Configuration and Hardware

This chapter provides information on monitoring your system. You can use Network Voyager to monitor many aspects of your IP security platform in order to better maintain performance and security. You can, for example, monitor state information for each interface, view the contents of IP routing tables, and generate reports on events such as throughput, bandwidth utilization, and link states over specific periods of time.
Disk and Swap Space

The Disk and Swap Space Utilization page shows system resource use, including disk and swap space use. This page retrieves the updated disk and swap space use every 20 seconds. For each file system, you can monitor the number of kilobytes used and available, the percentage of disk space being used, the number of inodes used and free, and the location where it is mounted. The inode is the internal identifier for a file, and a limited number are available in a partition.
IPSO Process Management

When you are troubleshooting any system, it is helpful to have an understanding of the daemons, or system processes, that are operating in the background. The process monitor (PM) monitors critical Nokia IPSO processes. The PM is responsible for:
Starting and stopping the processes under its control
Automatically restarting the processes if they terminate abnormally
The Nokia IPSO processes that the PM monitors are listed in the following table.
Generating Monitor Reports

You can generate reports of data collection events. To generate a report, click the link for the appropriate report under Monitor > Reports in the tree view. For information on configuring monitor reports, see “Configuring Monitor Reports” on page 177. The administrator can configure how often the data is collected, whether each data collection event is enabled or disabled, and how many hours' worth of collected data are stored on the system.
To display reports

1. Click the name of the report under Monitor > Reports in the tree view.
2. Under Select Report Type, select one of the following:
   Hourly—Hourly report with a 1-hour display interval up to a maximum of 7 days of data.
   Daily—Daily report with a 1-day display interval up to a maximum of 35 days of data.
   Weekly—Weekly report with a 7-day display interval up to a maximum of 52 weeks.
   Monthly—Monthly report with a 1-month display interval up to a maximum of 60 months.
Real Memory Used—The percentage of the real memory being used.
Disk Capacity—The percentage of the disk space being used.
Interface Traffic Statistics—For each physical and logical interface, shows the current state, input and output bytes, and input and output errors. For logical interfaces, also shows the type of device or virtual circuit accessed through the logical interface (for example, Ethernet, ATM, FDDI).
Web Server Access Log—Shows information about accesses to the Network Voyager interface using HTTP or HTTPS. Messages include the IP address from which the local host did an HTTP access to the system, user, date, time, and HTTP access command.
Web Server Error Log—Shows error messages from the HTTPD Error Log File, including the date and time the error occurred, transaction (type of log message), location, and contents of the log message.
User Login/Logout Activity—Shows login and logout activity for users.
Time Since Join—Time since the node joined the cluster.
Work Assigned (%)—Percentage of the work load assigned to this node.

Note
If your cluster is not initialized, the Cluster Monitor page contains a link to the Cluster Configuration page, which enables you to configure cluster parameters for this node.

Viewing Routing Protocol Information

To view statistical information for routing protocols, click the appropriate link under Monitor > Routing Protocols.
For IPv6, click IPv6 Route Monitor under Monitor > IPv6 Monitor.

Displaying Interface Settings

To view the interface settings for your system, click Route under Monitor > Routing Protocols in the tree view.

Hardware Monitoring

You can use Network Voyager to monitor the following hardware elements.
Watchdog timer—Monitors the kernel to detect system hangs. If it detects a hang, it reboots the system.
Using the iclid Tool

Obtain routing diagnostic information by creating a telnet session on the IP security platform and running iclid (IPSRD command-line interface daemon).

To display routing daemon status using iclid

1. Create a Telnet session and log into the firewall.
2. Type iclid. The prompt changes (to ) to indicate that you can now enter iclid commands.

iclid Commands

? or: Shows all possible command completions.
help: Displays help information.
bgp: Provides a BGP summary.
  errors: A table of BGP errors.
  groups: A table of parameters and data for each BGP group.
    detailed: Detailed statistics on BGP groups.
    summary: A summary of statistics on BGP groups.
  memory: Lists BGP memory parameters and statistics.
  neighbor: Shows BGP neighbor statistics.
    advertise
    detailed: Provides detailed information about BGP neighbors and is organized by neighbor address. In the event of an excessively long list, type q.
  rep: Summary of BOOTP relay replies made.
dvmrp: Summary of DVMRP state.
  interface: Interface-specific state of DVMRP for each DVMRP-enabled interface.
  neighbor
    routes: State of DVMRP neighbor routes.
  neighbors: Interface state of DVMRP neighbor parameters.
  route: Shows state of DVMRP route parameters.
  stats: Statistical information about DVMRP packets sent and received, including an error summary.
memory: Total memory usage in kilobytes.
  detailed: Total memory use as well as memory use by each routing protocol.
ospf
  border routers: Lists OSPF border routers and associated codes.
  database
    area: Provides statistical data on the OSPF database area.
    summary: A database summary of the OSPF firewall.
    router: Statistical data on firewall link states as well as link connections.
  errors
    stats: A comprehensive list of OSPF interface statistics.
  neighbor: Lists OSPF neighbors and associated parameters.
  packets: Lists received and transmitted OSPF packets.
inbound filter: Lists inbound filter data for the specified protocol.
redistribution: Lists redistributions from all sources to the designated protocol.
  redistribution from: Lists redistributions from a specified protocol to another specified protocol.
  igrp: Data on IGRP routes.
  ospf: Data on OSPF routes.
  rip: Data on RIP routes.
  static: Data on static routes.
route
  bgp: Statistics on BGP routes.
    aspath: List of parameters and status of BGP AS path.
    communities: Status of BGP communities.
    detailed: Details of BGP routes.
    metrics: Status of BGP metrics.
    suppressed: List and status of suppressed BGP routes.
  direct: Directly connected routes and their status.
  igrp: Displays IGRP routes.
  inactive: Inactive routes.
vrrp: VRRP state information.
  interface: VRRP interfaces and associated information.
  stats: VRRP transmission and reception statistics.

The following table shows examples of the iclid show command.

show ospf: OSPF summary information.
show ospf neighbor (s o n): OSPF neighbor information.
show route: All routes.
show route bgp 127: Only BGP routes that start with 127.
show b?: All possible command completions for show b.
Note
To perform the following procedures, use the zap or modzap utility. You can obtain these utilities from the Nokia Technical Assistance Center (TAC); refer to Resolution 1261.

If you are using FireWall-1 4.1

1. Set the execute permissions by issuing an fwstop command.
2. To confirm that you have sufficient resources to increase the buffer size, issue the following command:

# ./modzap -n _fw_logalloc $FWDIR/boot/modules/fwmod.
Note
If the message indicates that you have insufficient resources to accommodate a larger buffer size, take appropriate actions and try this procedure again. For further information, contact the Nokia Technical Assistance Center (TAC).

4. After you verify that the change is appropriate, issue the same command without the -n option:

modzap _fw_log_bufsize $FWDIR/boot/modules/fwmod.o 0x200000

A confirmation message is displayed, which you can safely ignore.

5. Reboot the system.
Index A AAA account profile 316 authentication profile 314 configuring new service 313 service module entry 314 service profile 314 session profile 317 ABR (area border router) 355 Accept Connections to VRRP IPs option 191 access control list (ACL) 452 access control lists 449 adding rule to 453 configuring 450 configuring rules 452 DSfield 450 modifying rules 453 rule attributes 454 VRRP 204 access mechanisms assigning to users 295 described 293 account profile, AAA 316 active route 401 active status moni
backup files default contents 169 manually creating 169 restoring from local 172 transferring 170 backup state, VRRP 202 backups cancelling scheduled 170 scheduling 170 bandwidth utilization 482 Bellman Ford algorithm 352 Bellman-Ford algorithm 385 best effort queue level 457 BGP capability 403 communities 407 community example 428 confederation example 423 confederations 409 described 403 external session (EBGP) 404 importing 407 in clusters 214 interactions with IGPs 406 internal session (IBGP) 404 LocalP
overview 207 PIM 214 static routes 214 three node example 243 transparent mode 132, 215 upgrading images 217 clusters activating 229 adding nodes 229 administrator 210 administrators 233 configuring 220 configuring interfaces 222 configuring NTP 240 creating 220 deleting configurations 239 failure interval 234 firewall monitoring 223 installing IPSO Images 236 joining 229 managing 209, 231 managing interface configurations 239 monitoring 234 multiple 215 network types 215 performance rating 234 rebooting 23
daytime service 298 DDNS 153 DDR lists 58 applying to interface 60 rules 60 default route configuring 395 deleting IP address, VRRP considerations 193 dense mode described 370 in clusters 371 DES authentication 264 DHCP 469 address ranges 149 configuring 145 configuring client interfaces 146 configuring server 148 enabling client process 146 firewall rules 145 server process 147 dial-control MIB 251 dial-on-demand routing lists 58 disabling router discovery 475 static route 398 discard service 297 disk cach
fan sensors, monitoring 487 FDDI changing duplex setting 50 changing IP address 50 FIN bits 349 firewall monitoring configuring in cluster 223 firewall policies VRRP 204 firewall state, monitoring for VRRP 203 FireWall-1 23 Forward button 26 forwarding broadcast traffic 469 forwarding mode 213 forwarding table viewing 486 frame relay changing active status monitor setting 116 changing LMI parameters 115 changing the DLCI 114 changing the interface type 115 changing the keepalive interval 114 configuring E1
tunneling over SSH 311 HTTP daemon error message log 304 HTTPD error log file 485 process 481 I IANAifType MIB 250 ICLID description 351 iclid commands 488 displaying status 488 help 488 ICMP router discovery protocol 472 ICMPv6 router discovery 275 IF MIB 250 ifLinkUpDown trap 256 ifm process 481 IFWD process 481 IGMP cluster membership reports 217 described 392 multicast mode 213 IGP 365 IGRP configuring 388 overview 352, 385 redistributing routes to 440 iInterface throughput report 482 IKE 329 images ch
IP pools 224 IP source routing 304 IP spoofing 304 IP2250 clustering guidelines 216 link aggregation 37, 201 management ports 30 transparent mode 132 with clustering 207 IPoA 79 IPSec transport mode 329 tunnel mode 329 IPSec tunnels overview 328 requirements 333 Ipsilon Routing Daemon (IPSRD) description 351 overview 23 IPSO managing images managing 173 overview 23 registration MIB 250 system MIB 250 IPSO images installing in cluster 236 upgrading in clusters 217 IPSRD 351 described 23 ipsrd process 481 IPS
overview 354 M MAC address VRRP 190 mail relay configuring 157 description 156 features 156 sending mail 158 management ports 30, 216 master state, VRRP 202 MD5 authentication 264 MED 406 memory viewing 28 memory cache, clearing 26 memory utilization report 482 configuring 177 menu items, Voyager 22 message log 484 MIBs list of 249 mirror set 154 modem configuring 298 dialback 298 inactivity timeout 298 status 298 status poll interval 298 types 299 Monitor Firewall State option 191 monitor interface parame
not-so-stubby areas 354 NSSA configuration parameters 358 defined 354 NTP configuring 476 description 475 NTP MIB 252 on clusters 240 O OID registration MIB 250 Open Shortest Path First (OSPF) configuring 109 opening Voyager 24 operating system (IPSO) 23 optional disks configuring logging to 163 installing 155 logging to 156 removing 156 Ositech Five of Clubs 299 OSPF area configuration parameters 357 configuring interfaces 362 global settings 357, 361 in clusters 214 OSPFv3 273 over unnumbered interfaces
process monitor 481
Q
queue class 449, 450
queue classes
    associating with interfaces 459
    configuring 457
    creating 458
queue mode 34
QueueSpec 452, 455
R
RADIUS 319
RAID 154
rate shaping example 465
rate-shape MIB 250
rate-shaping bandwidth report 482
    configuring 177
RDI (routing domain identifier) 409
rebooting cluster 237
redistributing routes
    to IGRP 440
    to RIP 440
redistributing
    IGRP 440
    RIP 440
redistributing routes
    described 438
    inbound route filters 445
    to BGP 439
    to OSPF 444
refreshing pages 26
reje
    viewing settings 486
routing
    configuring 351
    configuring ranks 402
    creating a default route 395
    DDR lists 58
    default protocol rank 401
    disabling a static route 398
    features 390
    IGRP 388
    OSPF 109, 356
routing daemon (iclid)
    commands 488
    displaying status 488
    help 488
routing domain 409
routing information bases 413
Routing Information Protocol (RIP)
    redistributing 440
routing protocols
    displaying statistics 486
RPF algorithm 390
RSA user identities 310
RSA host keys
    generating 306
RSS (Resident Set Size) 480
    troubleshooting 304
    viewing certificate and private key 304
states, virtual router 201
static host
    deleting 160
static mode VMAC 190
static routes
    backup 398
    description 394
    disabling 398
    example 397
    in clusters 214
stub area
    defined 354
swap space utilization 479, 480
SYN bits 349
synchronization zone 155
sysContact
    configuring 252
sysLocation
    configuring 252
system logs
    monitoring 484
system message log 484
system processes
    list of 481
system resources
    monitoring 479
    viewing summary 28
system roles 295
sy
UDP packets
    forwarding 471
UDP ports
    IP Broadcast Helper 472
unit types MIB 250
unnumbered interfaces 107
    OSPF 110
users
    adding 290
    attributes of 289
    default 288
    default privileges for new 293
    group ID 289
    home directory 289
    ID 289
    managing accounts of 288
    name 289
    removing 290
    removing directories 290
    shell 289
    SSH privileges 307
    viewing list of 288
    viewing user activity 485
USM
    described 262
V
V.
VSZ 480
VTI 140
W
watchdog timer 487
WCHAN (wait channel) 480
web servers
    access log 485
wheel group 292
X
X.21
    configuring for Cisco HDLC 83
    configuring for frame relay 85
    example 87
    interfaces 83
xntpd process 481
xpand process 481
