NokiaメーカーIPSO 4.0の使用説明書/サービス説明書
ページ先へ移動 of 510
Nokia Network V oyager for IPSO 4.0 Reference Guide Part No. N451818001 Rev A Published October 2005.
2 Nokia Network Voyager for IPSO 4.0 Referenc e Gu ide COPYRIGHT ©2005 Nokia. All rights reserved. Rights reserved under the copyright laws of the United S tates.
Nokia N etwork Voyager fo r IPSO 4.0 Refer ence Guide 3 Regional Contact Information Nokia Customer Support Fax 1-650-691-2170 Mail Address Nokia Inc. 313 Fairchild Drive Mountain View , California 94043-2215 USA Americas Nokia Inc.
4 Nokia Network Voyager for IPSO 4.0 Referenc e Gu ide.
Nokia Networ k Voya ger IPSO 4.0 Referenc e Guide 5 Content s About the Nokia Network Voyager Reference Guide . . . . . . . . . 19 Conventions This Guide Uses . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21 Notices . . . . . . . . . . . . .
6 Nokia Network Voyager IPSO 4.0 Reference Guide Configuring Tunnel Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . 33 Ethernet Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34 Configuring Ethernet Interfaces.
Nokia Networ k Voya ger IPSO 4.0 Referenc e Guide 7 Configuring Unnumbered Interfaces . . . . . . . . . . . . . . . . . . . . . 107 Configuring OSPF over Unnumbered Interface . . . . . . . . . . . . 110 OSPF over Unnumbered In terfaces Using Virtual Links .
8 Nokia Network Voyager IPSO 4.0 Reference Guide Changing DHCP Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149 Adding DHCP Address Pools . . . . . . . . . . . . . . . . . . . . . . . . . . 149 Enabling or Disabling DHCP Address Pools .
Nokia Networ k Voya ger IPSO 4.0 Referenc e Guide 9 Downgrading Nokia IPSO Images. . . . . . . . . . . . . . . . . . . . . . . 176 Configuring Monitor Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177 Managing Packages . . . . . . . .
10 Nokia Network Voyager IPSO 4.0 Reference Gu id e Cluster Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 210 Clustering Modes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 212 Considerations for Clustering .
Nokia Networ k Voya ger IPSO 4.0 Referenc e Guide 11 6 Configuring SNMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249 SNMP Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249 SNMP Proxy Support for Check Point MIB .
12 Nokia Network Voyager IPSO 4.0 Reference Gu id e Using VRRPv3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 278 Creating a Virtual Router to Back Up Another VRRP Router Addresses Using VRRPv3 . . . . . . . . . . . . . . . .
Nokia Networ k Voya ger IPSO 4.0 Referenc e Guide 13 Configuring Secure Shell Authorized Keys . . . . . . . . . . . . . . . . 308 Changing Secure Sh ell Key Pairs . . . . . . . . . . . . . . . . . . . . . . . 309 Managing User RSA and DSA Identities .
14 Nokia Network Voyager IPSO 4.0 Reference Gu id e Routing Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 351 Route Maps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 353 OSPF . . . .
Nokia Networ k Voya ger IPSO 4.0 Referenc e Guide 15 Configuring IGRP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 388 DVMRP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 390 Configuring DVMRP .
16 Nokia Network Voyager IPSO 4.0 Reference Gu id e BGP Multi Exit Discriminator Example . . . . . . . . . . . . . . . . . . . 419 Changing the Local Preference Valu e Example . . . . . . . . . . . . 421 BGP Confederation Example . . . . . . . . . . .
Nokia Networ k Voya ger IPSO 4.0 Referenc e Guide 17 Configuring a COPS Client ID and Po licy Decision Point . . . . . 462 Configuring Security Parameters for a COPS Client ID . . . . . . 462 Assigning Roles to Specific Interfaces . . . . . . . . . . .
18 Nokia Network Voyager IPSO 4.0 Reference Gu id e Displaying Interface Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . 487 Hardware Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 487 Using the iclid Tool .
Nokia N etwork Voyager fo r IPSO 4.0 Refer ence Guide 19 About the Nokia Network V oyager Reference Guide This guide provides information about how to configure and monitor Nokia IPSO systems.
About the Nokia Network Voyager Reference Guide 20 Nokia Network Voy ager for IPSO 4.0 Reference Guide the hostname . It also describes how to save configuration sets, schedule jobs, backup and restore files, manage and upgrade system images, reboot the system, manage packages, and advanced system tuning.
Conventions This Guide Uses Nokia N etwork Voyager fo r IPSO 4.0 Refer ence Guide 21 Conventions This Guide Uses The following sections describe the co nventions this guide uses, including notices, text conventions, and command-line conventions.
About the Nokia Network Voyager Reference Guide 22 Nokia Network Voy ager for IPSO 4.0 Reference Guide Menu Items Menu items in procedures are sepa rated by the greater than sign.
Nokia Network Voyager for IPSO 4.0 Reference Guide 23 1 About Network V oyager This chapter provides an overview of Network V oyager , the W eb-based interface that you can use to manage Nokia IPSO systems. Nokia Network V o yager is a W eb-b ased interface that you can use to manage IPSO systems from any authorized location.
1 24 Nokia Network Voyager for IPSO 4.0 Reference Guide Logging In to Network V oyager When you log in to Network V oyager , the navigation tree you see depends on the role or ro les assigned to you. If the roles assigned to your us er account do not includ e access to a feature, you will not see a link to the feature in the tree.
Nokia Network Voyager for IPSO 4.0 Reference G uide 25 Obt aining a Configuration Lock When you log in with exclusive confi guration lock, no other user will be able to change the system configuration. Only users with read/wr ite access privileges are allowed to log in with exclusive configuration lock.
1 26 Nokia Network Voyager for IPSO 4.0 Reference Guide 4. Enter your user name and password. 5. Click Log In. Navigating in Network V oyager The following table explains the functions of th e buttons in Network V oyager . Other buttons are described in the inline help for each page.
Nokia Network Voyager for IPSO 4.0 Reference G uide 27 This guide, the Nokia Network V oyager Refer ence Guide for IPSO , is the comprehensive reference source for IPSO ad ministration and using the Netw ork V oyager interface.
1 28 Nokia Network Voyager for IPSO 4.0 Reference Guide V iewing Hardware and Software Information for Y our System The asset management summary pa ge provides a summary of all system resources, including hardware, software and the operating system .
Nokia Network Voyager for IPSO 4.0 Reference Guide 29 2 Configuring Interfaces This chapter describes configuring and monitoring the various types of interfaces supported by Nokia IP security platform.
2 30 Nokia Network Voyager for IPSO 4.0 Reference Guide IP2250 Management Port s The Ethernet management ports on IP2 250 system s are designed to be used for the following purposes: Managing the .
Nokia Network Voyager for IPSO 4.0 Reference G uide 31 The loopback interface also has a physical interfa ce name d loop0 . Use Network V oyager to set attributes of interfa ces. For example, line speed and duplex mode are attributes of an Ethernet physical inte rface.
2 32 Nokia Network Voyager for IPSO 4.0 Reference Guide For example, the logical inte rface of a physical interface eth-s2p1 is called eth-s2p1c0 . The logical interfaces for PVCs 17 and 24 on an A TM NIC in slot 3 are called atm-s3p1c17 and atm-s3p1c24 respectively .
Nokia Network Voyager for IPSO 4.0 Reference G uide 33 Events that can affect the status of interfaces: If you hot-insert a device (not power down the unit first), it appea rs in the lists of interfaces immediately (after a page refre sh) on the configuration pages.
2 34 Nokia Network Voyager for IPSO 4.0 Reference Guide Ethernet Interfaces Y ou can configure a number of parameters for ea ch Ethernet interface, including the following: Enable (make active) or disable the interface. Change the IP address for the interface.
Nokia Network Voyager for IPSO 4.0 Reference G uide 35 T o configure an Ethernet interface 1. Click Interfaces under Configuration > Inte rface Configuration in the tree view . 2. Click the name of the physical interface you want to co nfigure. Example: eth-s2p1 3.
2 36 Nokia Network Voyager for IPSO 4.0 Reference Guide balancing across the ports. For example, you can aggregate two 10/100 mbps ports so they function like a single port with a theoretical ba ndwidth of 200 mbps, and y ou can aggregate two Gigabit Ethernet ports so they function like a single port with a theoretical bandwidth of 2000 mbps.
Nokia Network Voyager for IPSO 4.0 Reference G uide 37 When you assign switch p orts to an EtherChannel group, set the channel mode to on to force the ports to form a ch annel without using the Link Aggregation Control Protocol (LACP) or Port Aggregation Protocol (P AgP).
2 38 Nokia Network Voyager for IPSO 4.0 Reference Guide Note Use Ethernet crossover cables to con nect the manage ment port s tha t you aggr egate. Using a switch or a hub can result in incomple te synchronization.
Nokia Network Voyager for IPSO 4.0 Reference G uide 39 Do not combine any o f the built-in 10/100 Ethernet managemen t ports with ports on an I/O card to form an aggregation grou p. Caution Do not use the management port s of an IP2250 for productio n traffic, regardless of whether the por ts are aggregated.
2 40 Nokia Network Voyager for IPSO 4.0 Reference Guide 4. Click Apply 5. Click Save to make the changes permane nt. 6. Perform step 2 through step 5 again to configure the other interfaces identically . Group Configuration Once the physical interfaces are configured, you need to create and configure link aggregation groups.
Nokia Network Voyager for IPSO 4.0 Reference G uide 41 Logical Configuration When you have completed the aggregation group, yo u must configure it wit h an IP address and so on. Navigate to the Interfaces Configuration page and cl ick the logical name of the gr oup.
2 42 Nokia Network Voyager for IPSO 4.0 Reference Guide Note Link speed is fixed an d duple x mo d e is set to full at all times for Gigabit Ethernet interfaces. T o configure a Gigabit Ethernet interface 1. Click Interfaces under Configuration > Inte rface Configuration in the tree view .
Nokia Network Voyager for IPSO 4.0 Reference G uide 43 Each IP addresses and mask length that you add are added to the table when you click Apply . The entry fields return to blank to allow you to add more IP addresses. Use the delete check box to dele te IP addresses from the table.
2 44 Nokia Network Voyager for IPSO 4.0 Reference Guide 5. In the Ethernet Interface drop-down box, select the Ethernet interface you wish to associate with the PPPoE logical interface in the. 6. In the Mode drop-do wn box, select a connection mode. 7.
Nokia Network Voyager for IPSO 4.0 Reference G uide 45 Note The PPPoE logical interface is on by default and the associated link trap is disabled by default. If you wish to change either setting , click the appropriate setting next to the feature you wish to enable or disable and click Apply .
2 46 Nokia Network Voyager for IPSO 4.0 Reference Guide 5. Click Delete. 6. Click Apply . Configuring MSS Clamping When end devices use path MTU discovery , it can cause connectivity problems when their connections pass through PPPoE interfaces.
Nokia Network Voyager for IPSO 4.0 Reference G uide 47 T o configure a VLAN Interface 1. Click Interfaces under Interface Co nfiguration in the tree view . 2. Click the link to the physical Ethernet interface for which you want to enable a VLAN interface.
2 48 Nokia Network Voyager for IPSO 4.0 Reference Guide 5. Click Save to make your change perman en t. The entry for the logical VLAN interface disappears from the Logical Interfaces table. T o define the maximum number of VLANs 1. Click Interfaces under Configuration > Inte rface Configuration in the tree view .
Nokia Network Voyager for IPSO 4.0 Reference G uide 49 FDDI Interfaces T o configure an FDDI Interface 1. Click Interfaces under Configuration > Inte rface Configuration in the tree view . 2. Click the physical interface link yo u want to configure in the Physical column.
2 50 Nokia Network Voyager for IPSO 4.0 Reference Guide T o change the duplex setting of an FDDI interface Note If the duplex setting of an FDDI interface is in correct, it might not rece ive data, or it might receive duplicates of the dat a it sends.
Nokia Network Voyager for IPSO 4.0 Reference G uide 51 ISDN Interfaces Integrated Services Digital Network (ISDN) is a sy stem of dig ital phone connections that allows voice, digital network services, and video data to be transmitte d simultaneously using end-to- end digital connectivity .
2 52 Nokia Network Voyager for IPSO 4.0 Reference Guide Example: isdn-s2p1 3. In the Switch T ype pull-down menu, in the Phys ical Configuration table, select the service provider-switch type that corresponds to the interface network co nnection.
Nokia Network Voyager for IPSO 4.0 Reference G uide 53 c. Use the Proxy interface pull-down menu to select the logical inte rface from which the address for this interface is taken. 7. Enter the IP address for the local end of the connection in the Local address text box in the Interface Information table.
2 54 Nokia Network Voyager for IPSO 4.0 Reference Guide 17. In the T o Remote Host section of the Authentication table, in the Password t ext box, enter the password to be returned to the remote host for P AP authentication, or the secret used to generate the challeng e respon se for CHAP authentication.
Nokia Network Voyager for IPSO 4.0 Reference G uide 55 A use period set to zero will cause the second B-channel to be brought into operation immediately; the utilization level has been exce eded. It will also caus e the second B-channel to be removed from operation; immediately the measured u tilization drops below the use level.
2 56 Nokia Network Voyager for IPSO 4.0 Reference Guide 12. In th e From Remote Host section of the Authen tication table select the authentication method used to authen ticate the remote host.
Nokia Network Voyager for IPSO 4.0 Reference G uide 57 In the Number text box, enter the t elephone number on wh ich to accept incoming cal ls. An x is used to repre sent a wild-card charac ter .
2 58 Nokia Network Voyager for IPSO 4.0 Reference Guide 9. Click Apply . Note Follow step s 8 through 21 i n “T o configure an ISDN logical interface to place calls” to set the information for outgoing calls. For more informati on about how to set up incoming numbers see “T o add an incoming number” .
Nokia Network Voyager for IPSO 4.0 Reference G uide 59 the packet is never sent over the ISDN interface. After the packet is checke d against the Access list, the DDR list applied to the interface (if any) is then checked. Note A DDR list, therefore, on ly affect s which p ackets will cause a connection to be established and maintained.
2 60 Nokia Network Voyager for IPSO 4.0 Reference Guide T o modify a rule 1. Click Dial on Demand Routin g under Configur ation > T raffic Management in the tr ee view .
Nokia Network Voyager for IPSO 4.0 Reference G uide 61 3. Click Apply . 4. Under the Existing rules for No tRIP table, click the Add New Rul e Before check box. 5. Click Apply . 6. Enter 520 in the Dest Port Range text box in the Existing rules for NotRIP table.
2 62 Nokia Network Voyager for IPSO 4.0 Reference Guide T o configure the IP330 to place an outgoing call 1. Click Interfaces under Configuration > Inte rface Configuration in the tree view . 2. Click isdn-s2p1 in the Phys ical column of the table.
Nokia Network Voyager for IPSO 4.0 Reference G uide 63 9. Click Incoming. 10. Select CHAP as the authentication method i n the Authentication table. 11 . Enter User in the Name text box unde r the Fr om Remote Host section in the Authentication table.
2 64 Nokia Network Voyager for IPSO 4.0 Reference Guide The trace for connecting a call from the Nokia IP330 is: 06:23:45.186511 O > PD=8 CR= 23(Orig) SETUP:Bc:88 90. CalledNb:80 33 38 34 30 32 3 0.SendComp: 06:23:45.255708 I < PD=8 CR= 23(Dest) CALL-PROC:ChanId:89.
Nokia Network Voyager for IPSO 4.0 Reference G uide 65 70bb91fa4688d417bf72a0bca572 c7e4e16, name=15:10:12.549898 I B1:response,value=dd379d2b5e 692b6afef2bee361e32bca, name=User 15:10:12.549968 O B1: succes s 15:10:12.550039 O B1: ppp-ip cp: conf_req (addr) 15:10:12.
2 66 Nokia Network Voyager for IPSO 4.0 Reference Guide The most recent system log messages appear . T racing Y ou can use the tcpdump utility to trace ISDN D-channel traf fic (Q.921 and Q.931 protocols) and B-channel traf fic (PPP/multilink PPP and TCP/IP protocols).
Nokia Network Voyager for IPSO 4.0 Reference G uide 67 ISDN Cause V alues Descriptions of the cause-value field of th e cause-information element are shown in the following ISDN cause value table. Cause-value numbers are not consecutive. z1 Class of cause value z2 V a lue of cause value a1 (Optional) Diagnostic field that is always 8.
2 68 Nokia Network Voyager for IPSO 4.0 Reference Guide 30 Response to ST A TUS ENQUIR Y 31 Normal, unspecified 34 No circuit or channel available Note 10 38 Network out of order 41 T emporary failure.
Nokia Network Voyager for IPSO 4.0 Reference G uide 69 Notes for Ta b l e 6 : Note 1 —The coding of facility identification is network dependent. Note 2 —Incompatible parameter is composed of incompatible in formation el ement identifier .
2 70 Nokia Network Voyager for IPSO 4.0 Reference Guide Note 6 —Locking and non-locki ng sh ift pro cedures described in the ITU-T Q.931 specification apply . In principle, information element identifiers are in the same order as the information elements in the received message.
Nokia Network Voyager for IPSO 4.0 Reference G uide 71 T oken Ring Interfaces T o configure a T oken Ring interface 1. Click Interfaces under Configuration > Inte rface Configuration in the tree view . 2. Click the physical interface link to configure in the Physical column.
2 72 Nokia Network Voyager for IPSO 4.0 Reference Guide 13. (Optional) Change th e interfaces logical name to a more meaningful name by typing the preferred name in the Logical na me text box. Click Apply . 14. (Optional) Add a comment to further define th e logical interfaces func tion in the Comments text box.
Nokia Network Voyager for IPSO 4.0 Reference G uide 73 If no change is desired, skip the step. a. T o change the IP address, enter the appropri ate IP address in the New IP address field,. There is no default. b. In the New mask length field, enter the approp riate value.
2 74 Nokia Network Voyager for IPSO 4.0 Reference Guide The following figu re shows the network config uration for this example. 1. Click Interfaces under Configuration > Inte rface Configuration in the tree view . 2. Select tok-s2p1 in the Physical column of the table.
Nokia Network Voyager for IPSO 4.0 Reference G uide 75 10. In the New IP Address field, enter the appropriate IP address. 11 . In the New Mask Length field, enter the appropriate value.
2 76 Nokia Network Voyager for IPSO 4.0 Reference Guide 7. Click Apply . A new logical interface appears in the Interface column. The new interfa ce is on by default.
Nokia Network Voyager for IPSO 4.0 Reference G uide 77 6. Select point-to-point in the T ype selection box in the Create a new LLC/SNokia Platform RFC1483 interface section. Enter the VPI/ VCI number in the VPI/VCI text box. 7. Click Apply . A new logical interface appears in the Interface column.
2 78 Nokia Network Voyager for IPSO 4.0 Reference Guide Note The maximum p acket size must match the MTU of the link partne r . Packets longer than the length you specif y are fragmented bef or e tran sm issio n . 4. Click Apply . 5. Click Save to make your changes pe rmanent.
Nokia Network Voyager for IPSO 4.0 Reference G uide 79 T o configure the A TM interface on Nokia Platform A 1. Click Interfaces under Configuration > Inte rface Configuration in the tree view . 2. Select atm-s2p1 in the Phys ical column of the table.
2 80 Nokia Network Voyager for IPSO 4.0 Reference Guide Loop timing derives the tran smit clock from the recovered receive clock. 5. Select the VPI/VCI range in the VP I/VCI Range Configuration list box.
Nokia Network Voyager for IPSO 4.0 Reference G uide 81 The Physical Interface page appears. 3. Select the VPI/VCI range in the VPI/VCI Range Configuration list box. 4. Find the A TM logical interface to re configure in the Logical Interfaces ta ble and enter a new set of VPI/VCIs in the VPI/VCI field.
2 82 Nokia Network Voyager for IPSO 4.0 Reference Guide IPoA Example This section describes how you might configure the in terfaces of your IP security platform in an example network, using Network V oyager . The following figu re shows the network config uration for this example.
Nokia Network Voyager for IPSO 4.0 Reference G uide 83 9. Click Apply . 10. (Optional) Change th e interfaces logical name to a more meaningful name by typin g the preferred name in the Logical na me text box. Click Apply . 11 . (Optional) Add a comment to further define th e logical interfaces func tion in the Comments text box.
2 84 Nokia Network Voyager for IPSO 4.0 Reference Guide 10. Click the logical interface name in the Inte rface column of the Logical interfaces table. The Interface page appears. 11 . Enter the IP address for the local end of the link in the Local address text box.
Nokia Network Voyager for IPSO 4.0 Reference G uide 85 9. Click Apply . 10. Enter a number in the Ke epa live maximum failures text box. This value sets the number of times a remote system can fail to send a keepalive protocol message within a keepalive interval befo re the systems c onside r s the link down.
2 86 Nokia Network Voyager for IPSO 4.0 Reference Guide 6. Click Full Duplex or L oopback radio in the Channel M ode field. Full duplex is the normal mode of operation. 7. Click the Frame relay radio button in the Encapsulation field. 8. Click Apply .
Nokia Network Voyager for IPSO 4.0 Reference G uide 87 19. Click the logical interface name in the Interface column of the Logical interfaces ta ble to go the Interface page. 20. Enter the IP address for the local end of the PVC in the Loca l address te xt box.
2 88 Nokia Network Voyager for IPSO 4.0 Reference Guide The branch of fic e co ntains Nok ia Platfo rm B, whic h routes traffic between a local Fast Ethernet network and A TM PVC 52. It provides access to the main office and the Internet. T o configure the serial interface on Nokia Pl atform A 1.
Nokia Network Voyager for IPSO 4.0 Reference G uide 89 4. Click Apply . 5. Click the Full Duplex or Loopback ra dio button in the Channel Mode field. Full duplex is the normal mode of operation. 6. Click AMI or B8ZS in th e T1 Encoding field to select the T1 encoding.
2 90 Nokia Network Voyager for IPSO 4.0 Reference Guide The T1 CSU/DSU Advanced Options page allows you to configure fractional T1 channels, line build-out values and other advanced settings for the T1 device. Th e values you enter on this page are dependent on the subs cription provided by your service provider .
Nokia Network Voyager for IPSO 4.0 Reference G uide 91 Use T1 framing to divide the data stream into 64 Kbps channels and to synchronize with the remote CSU/DSU. This setting must match the frame format used by the CSU/DSU at the other end of the point-to-point link.
2 92 Nokia Network Voyager for IPSO 4.0 Reference Guide 21. Click Y es or No in the Negotiate Magic Number field. Clicking Y es enables the interface to send a requ est to negotia te a magic number with a peer . 22. Click Y es or No in the Negotiate Maximum Receive Unit field.
Nokia Network Voyager for IPSO 4.0 Reference G uide 93 Use T1 framing to divide the data stream into 64Kb ps channels a nd to synchronize with the remote CSU/DSU. This setting must match the frame format used by the CSU/DSU at the other end of the point-to-point link.
2 94 Nokia Network Voyager for IPSO 4.0 Reference Guide The Frame Relay Ad vanced Options page allows you to configure frame relay protocol and LMI parameters for this device. Note The values you enter depend on the settin gs of the frame relay switch to which you are connected or to the subscription provided by your service provider .
Nokia Network Voyager for IPSO 4.0 Reference G uide 95 The following figu re shows the network config uration for this example. In a company’ s main office, Nokia Platform A te rminates a T1 line to an Internet service provider , running PPP with a keepal ive value of 10.
2 96 Nokia Network Voyager for IPSO 4.0 Reference Guide 10. Click Apply . 11 . Click ser -s1p1c0 in the l ogical interfaces table to go to the Interface page. 12. Enter 192.168.2.1 in the Local address text box. 13. Enter 192.168.2.93 in the Remote address text box.
Nokia Network Voyager for IPSO 4.0 Reference G uide 97 Use E1 framing to select whether timeslot-0 is used for exchanging signaling data. 7. Click On or Of f for th e E1 CRC-4 Framing field. Note This option appears only if you set the E1 Framing field to E1 (channel 0 framing).
2 98 Nokia Network Voyager for IPSO 4.0 Reference Guide 14. Enter the IP address for the local end of the link in the Local Address text box. 15. Enter the IP address of the remote end of the link in the Remote Address text box.
Nokia Network Voyager for IPSO 4.0 Reference G uide 99 Note This option appears only if you have set th e E1 Framing field to E1 (channel 0 framing). This button chooses the frami ng format for timeslot-0. On means that CRC-multiframe format is used; the informatio n is protected by CRC-4.
2 100 Nokia Network Voyager for IPSO 4.0 Refe rence Guide 14. From the Advanced E1 CSU/DSU Options page, click Up to return to the physical interface page. 15. Click the Advanced PPP Options link. The PPP Advanced Options page appears. 16. Click Y es or No in the Negotiate Magic Number field.
Nokia Network Voyager for IPSO 4.0 Reference G uide 101 4. Click Full Duplex or Loopback in the Channel Mode field. Full duplex is the normal mode of operation.
2 102 Nokia Network Voyager for IPSO 4.0 Refe rence Guide DTE is the usual operating mode when the device is connected to a frame re la y switch. 12. Click On or Of f in the Active Status Monitor field. Click Apply . This value sets the monitoring of the connection-active status in the LMI status message.
Nokia Network Voyager for IPSO 4.0 Reference G uide 103 Click Apply . 23. (Optional) Add a comment to further define th e logical interfaces func tion in the Comments text box. Click Apply . 24. Click Save to make y our changes permanent. Note T ry to ping the remote system from the comm and prompt.
2 104 Nokia Network Voyager for IPSO 4.0 Refe rence Guide 8. Click the logical interface name in the Interface column of the Logical interfaces table to go to the Interface page. 9. Enter the IP address for the local end of the link in the Local address text box.
Nokia Network Voyager for IPSO 4.0 Reference G uide 105 Note This value must be identical to the keep alive value configured on th e system at the other end of a point-to-point link, or the link state fluctuates. 8. Enter a number in the Keepaliv e maximum failures text box to configure the PPP keepalive maximum failures.
2 106 Nokia Network Voyager for IPSO 4.0 Refe rence Guide Set the internal clock to On when you are connecting to a device or system that does not provide a clock source. Otherwise, set the internal clock to Off. 4. If you turned the internal clock on, enter a value in the Internal clock speed text box.
Nokia Network Voyager for IPSO 4.0 Reference G uide 107 Click Apply . Each time you click Appl y after entering a DLCI, a new logical interface appears in the Interface column. The DLCI entry field remains blank to allow you to add more frame relay logical interfaces.
2 108 Nokia Network Voyager for IPSO 4.0 Refe rence Guide Note Only point-to-point interfaces can be co n figured as unnumbered interfaces. T unnels cannot be configured as unnum bered interfaces. 3. Click Y es in the Unnumb ered Interface field. 4. Click Apply .
Nokia Network Voyager for IPSO 4.0 Reference G uide 109 Note Only point-to-point interfaces can be conf ig ured as unnumbered interfaces. T u nnels cannot be configured as unnum bered interfaces. Note This interface must not be th e next hop of a st atic r oute.
2 110 Nokia Network Voyager for IPSO 4.0 Refe rence Guide Configuring OSPF over Unnumbered Interface The following graphic represents an exampl e configur ation for running OSPF over an unnumbered interface. 1. Configure the interfaces on Nokia Platfo rm A and Nokia Platform B as in “T o configure an unnumber ed interface.
Nokia Network Voyager for IPSO 4.0 Reference G uide 111 connected to the backbone area. Both Nokia Plat form B and Nokia Platform C are configured with IP addresses (10.10.10.2 and 101.10.10.1 respectively). The interfaces that comprise th e virtual link between Nokia Platfo rm A and Nokia Platform C are both configured as unnumber ed.
2 112 Nokia Network Voyager for IPSO 4.0 Refe rence Guide Click Apply . This value sets the interval, in seconds, between keepalive protocol message trans missions.
Nokia Network Voyager for IPSO 4.0 Reference G uide 113 Note This value must be identical to the keep alive value configured on th e system at the other end of a point-to-point link, or the link state fluctuates. 4. Click Save to make your changes permanent.
2 114 Nokia Network Voyager for IPSO 4.0 Refe rence Guide Frame Relay Protocol T o change the keep alive interval in frame re lay 1. Click Interfaces under Configuration > Inte rface Configuration in the tree view . 2. Click the physical interface link to conf igure in the Physical colu mn.
Nokia Network Voyager for IPSO 4.0 Reference G uide 115 9. (Optional) Change the interface’ s logical name to a mo re meaningful one by typi ng the preferred name in the Logical na me text box. Click Apply . 10. (Optional) Add a comment to further define th e logical interfaces func tion in the Comments text box.
2 116 Nokia Network Voyager for IPSO 4.0 Refe rence Guide T o change the active st atus monitor setting in frame relay When connected to a Frame Relay switch or networ k, the interface type is usually set to DTE. Y ou may need to change the interfa ce type to DCE if it is connect ed point-to-point with another router .
Nokia Network Voyager for IPSO 4.0 Reference G uide 117 Loopback Interfaces By default, the loopback interface has 127.0.0.1 co nfigured as its IP address.
2 118 Nokia Network Voyager for IPSO 4.0 Refe rence Guide GRE T unnels GRE tunnels encapsulate IP packets by using Generic Routing Encaps ulation (GRE) with no options. The encapsulated packets appear as uni cast IP pac kets. GRE tunnels provide redundant configuration between two sites for high availability .
Nokia Network Voyager for IPSO 4.0 Reference G uide 119 On means that all packets th at egress through the tunnel will exit through the outgoing interface (local endpoint). If the local endp oint link fails, traf fic does not egress through the tunnel.
2 120 Nokia Network Voyager for IPSO 4.0 Refe rence Guide 4. (Optional) Enter the IP address of the remote end of the GRE tunnel in the Remote address text box. The remote address cannot be one of the syst ems interface addresses and must be the local address configured for the GRE tunnel at the remote router .
Nokia Network Voyager for IPSO 4.0 Reference G uide 121 GRE T unnel Example The following steps pro vide directions on how to configure a sample GRE tunnel. Th e following figure below shows the network confi guration for this example. 1. Click Interfaces under Configuration > Inte rface Configuration in the tree view .
2 122 Nokia Network Voyager for IPSO 4.0 Refe rence Guide Click Apply . An entry field appears. 11 . (Optional) If you selected cu stom value fro m the T OS value drop-do wn window , enter a value in the range of 0 -255.
Nokia Network Voyager for IPSO 4.0 Reference G uide 123 of this reference guide, they ar e not individually repeated here . The following figure shows the network configuration for this example. Note Y ou must complete step 1 in th e following procedur e before you continue to o ther steps.
2 124 Nokia Network Voyager for IPSO 4.0 Refe rence Guide Enter 170.0.0.1 in the Local end point text box. Enter 171.0.0.1 in the Remote endpoin t text box. b. Configuring from IP Unit 2 to IP Unit 1: Enter 10.0.0.2 in the Local address text box. Enter 10.
Nokia Network Voyager for IPSO 4.0 Reference G uide 125 DVMRP T unnels DVMRP (Distance V ector Multicast Routing Protocol) tunnels encapsulate multicast packets IP unicast packets. This technique allows two multi cast routers to exchange multicast packets even when they are separated by routers that cannot forward multicast packets.
2 126 Nokia Network Voyager for IPSO 4.0 Refe rence Guide Note When the DVMRP tunnel inte rface is created, set all other DVMRP configuration parameter s from the DVMRP p age. T o change the local or remote addresses of a DVMRP t unnel 1. Click Interfaces under Configuration > Inte rface Configuration in the tree view .
Nokia Network Voyager for IPSO 4.0 Reference G uide 127 A router forwards Multicast traffic to an adjacent router only if that router has a client that accepts multicast traffic. Nokia IP security platforms require Distance V e ctor Multicast Routing Protocol (DVMRP) to be enabled on the inte rfaces to which you forward multicast traffic.
2 128 Nokia Network Voyager for IPSO 4.0 Refe rence Guide 9. Click Apply . 10. Click Save to make changes permanent. Note St ep s 17 through 21 requi re that yo u us e the Rout in g Co nfiguration page by firs t completing steps 13 throug h 16. 11 . Click DVMRP under Configuration > Routing in the tree view .
Nokia Network Voyager for IPSO 4.0 Reference G uide 129 The Retry Limit specifies the number of tim es to retry ARP requests until ho lding off requests for 20 seconds. Retry reques ts occur at a rate of up to once per seco nd. The range of retry limit is 1 to 100 and the defaul t value is 3.
2 130 Nokia Network Voyager for IPSO 4.0 Refe rence Guide Note In VRRP config urations, co nfiguring pro xy ARP using static NA T addresses an d interface MAC addresses is not supported. T o delete a st atic ARP entry 1. Click ARP under Configuration > Interfa ce Configuration in the tree view .
Nokia Network Voyager for IPSO 4.0 Reference G uide 131 Retry Limit specifies the number of times to retry InA TMARP requests after which the Holdoff T imer is started.
2 132 Nokia Network Voyager for IPSO 4.0 Refe rence Guide 3. Click the A TM ARP Entries link. Dynamic A TM ARP entries appear in a table at the bottom of the page. 4. Click the Delete check box next to the dynamic A TM ARP entry to delete. Click Apply .
Nokia Network Voyager for IPSO 4.0 Reference G uide 133 T ransp arent Mode Processing Det ails When you configure transparent mode, it is added to the IPSO kernel as a module situated between the layer 2 and the upper protocol layers.
2 134 Nokia Network Voyager for IPSO 4.0 Refe rence Guide Configuring T ransp arent Mode in VPN Environment s T o configure transparent mode in a virtual priva t e network environmen t, yo u must create a range or group of addresses that will be protected behi nd the IP address on the bridge.
Nokia Network Voyager for IPSO 4.0 Reference G uide 135 Note For information on how to create group s, objects, and rules on the firewall, see yo ur Check Point document ation that was included with your Nokia IPSO software package.
2 136 Nokia Network Voyager for IPSO 4.0 Refe rence Guide T o configure transpa rent mode in the preceding network configuration 1. Click T ransparent Mode under Configuration > Interface Configuration in the tree view . 2. Enter any positive integer (an integer greater than 0) in the edit box, for example 100 and click Apply .
Nokia Network Voyager for IPSO 4.0 Reference G uide 137 Note In the disabled m ode, the tran sp arent mode group drop s all p acket s received on or d estined to the interfaces in that gr oup.
2 138 Nokia Network Voyager for IPSO 4.0 Refe rence Guide T o add or remove an interface to/from a transp arent mode group 1. Click T ransparent Mode under Configuration > Interface Configuration in the tree view . 2. Click the link of the appropriate transparent mode group.
Nokia Network Voyager for IPSO 4.0 Reference G uide 139 Enabling or Disabling VRRP for a T ransparent Mode Group If you are enabling VRRP on a VRRP master , the node will perform transparent mode operations as describ ed in the s ection, “T ransparent Mode” on page 132.
2 140 Nokia Network Voyager for IPSO 4.0 Refe rence Guide T o add nodes configured for transp arent mode to a cluster using SmartDashboard 1. Create a gateway object for each of the VRRP nodes.
Nokia Network Voyager for IPSO 4.0 Reference G uide 141 VTIs appear in Nokia Network V oyager as unnumb ered interfaces and are given lo gical names in the form tun0c n . Y ou configure static or dy namic routes on VTIs the same way yo u configure them on other unnumbere d interfaces.
2 142 Nokia Network Voyager for IPSO 4.0 Refe rence Guide VRRP Support VRRP HA mode is supported fo r OSPFv2 over virtual tunnels. Only active-passive mode is supported: that is, only one gateway can have the master state. Because a VTI is an unnumbered interface, you ca nnot configure a virtual IP address on it.
Nokia Network Voyager for IPSO 4.0 Reference G uide 143 Note If both domain-based VPN and route- ba sed VPN are configured, then domai n-based VPN takes p riority . Configuring a VTI does not override the domain-based VPN. The only way to configure no VPN domain is to create an empty VPN domain group.
2 144 Nokia Network Voyager for IPSO 4.0 Refe rence Guide T o create the virtual tunnel interface 1. In Network V oya ger navigation tree , select Configuration > Interface Configuration > FWVPN tunnel. 2. Enter the name of the peer gateway in the Peer GW Object Name field.
Nokia Network Voyager for IPSO 4.0 Reference Guide 145 3 Configuring System Functions This chapter describes how to config ure many basic sys te m functions. Configuring DHCP Dynamic Host Configu ration Protocol (DHCP) fo r Nokia IPSO provides comple te DHCP client and DHCP server capabilities for you r Nokia appliance.
3 146 Nokia Network Voyager for IPSO 4.0 Refe rence Guide Configuring DHCP Client Interfaces T o configure the DHCP client interface 1. Click DHCP under Configuration > Syst em Configuration in the tree view . 2. Click the logical interface in the DHCP Inte rface Configuration table to be configured.
Nokia Network Voyager for IPSO 4.0 Reference G uide 147 6. Click Save to make your changes permanent. Configuring the DHCP Server T o configure the DHCP server process 1. Click DHCP under Configuration > Syst em Configuration in the tree view . 2. Click Server in the DHCP Service Selection box.
3 148 Nokia Network Voyager for IPSO 4.0 Refe rence Guide 12. (Optional) Enter a path for cli ents to get add itional configuration options in the Extensions Path text box. Note Y ou must configure the TFTP option to us e the Extension Path option since clients will use TFTP to tr ansfer the configuration options from the server .
Nokia Network Voyager for IPSO 4.0 Reference G uide 149 Note Y ou must configure an Ethernet inter face an d enter the subnet address and the subnet mask length on which the interface is listening befor e you enable the DHCP Server Process. See “Configuring the DHCP Se rver” on page 147, step s 5, 6, and 7.
3 150 Nokia Network Voyager for IPSO 4.0 Refe rence Guide Note Make sure that Enabled is se lected in the S tate field. Th is is the default selection. Note If you are configuring a lar ge numbe r of VLANs, you migh t experience a delay in having IP addresses a ssigned to VLAN interface s.
Nokia Network Voyager for IPSO 4.0 Reference G uide 151 7. (Optional) Enter the file name where diskless clie nts will find the boot file in the F ile Name text box. 8. (Optional) Enter a path for clients to get add itional configuration optio ns in the Extensions Path text box.
3 152 Nokia Network Voyager for IPSO 4.0 Refe rence Guide because you will only have to ente r IP address information when yo u configure subnets or fixed- ip entries. 1. Click DHCP under Configuration > Syst em Configuration in the tree view . 2. Click the T emplate for adding new client entries link.
Nokia Network Voyager for IPSO 4.0 Reference G uide 153 Configuring Dynamic Domain Name System Service DDNS gives you the ability to co nfigure your DHCP server to automatically update DNS servers on your network. T o configure Dynamic Domain Name System (DDNS) 1.
3 154 Nokia Network Voyager for IPSO 4.0 Refe rence Guide Configuring the Domain Name Service IPSO uses the Domain Name Service (DNS) to tran slate host names into IP addresses. T o ena ble DNS lookups, you must specify the primary DNS se rver for your system; you can also specify secondary and tertiary DNS servers.
Nokia Network Voyager for IPSO 4.0 Reference G uide 155 Note The source hard disk drive and the mirror ha rd disk drive should have identical geometries.
3 156 Nokia Network Voyager for IPSO 4.0 Refe rence Guide T o inst all and configure PC card flash memory 1. Insert the card into one of the PC ca rd slots in the front of the system. Make sure that the card is fully inserted. 2. Click Optional Disk under Config uration >System Configuration.
Nokia Network Voyager for IPSO 4.0 Reference G uide 157 Presence of a sendmail-like replacement that relays mail to a mail hub by using SMTP Ability to specify the defaul t recipient on the ma.
3 158 Nokia Network Voyager for IPSO 4.0 Refe rence Guide Sending Mail T o send mail from the firewall 1. Log in to the firewall as either the admin or monitor user . 2. At the prompt, type the mail command, follo wed by a space, and the username of the recipient: mail username@hostname 3.
Nokia Network Voyager for IPSO 4.0 Reference G uide 159 T o set system time once 1. Click T ime under Configuration > System Configuration in the tree view . 2. Select the appropriate time zone in the T ime Zone list box. By default, the time zone is set to GMT .
3 160 Nokia Network Voyager for IPSO 4.0 Refe rence Guide T o delete a st atic host 1. Click Host Address under Config uration > System Configuration in the tree view . 2. Select Off next to the host to delete. 3. Click Apply . 4. Click Save to make your changes pe rmanent.
Nokia Network Voyager for IPSO 4.0 Reference G uide 161 storage or to reduce the ri sk of losing lo g in formation if y ou run out of disk space on your IPSO appliance. Y ou might also choose to send all of the logs from multiple computers to one centralized log server , possibly on e that is configured for high availability .
3 162 Nokia Network Voyager for IPSO 4.0 Refe rence Guide Caution When you inse rt a PC card into a flash- based applian ce and select the card as an optional disk, any existing dat a on the card is erased.
Nokia Network Voyager for IPSO 4.0 Reference G uide 163 there are 256 messages in the buffer , the messag es are transferred to the remote server and the buf fer is cleared. 6. Use the Flush Frequency option as an ad ditional control for saving messages.
3 164 Nokia Network Voyager for IPSO 4.0 Refe rence Guide T o set logging of all Network V oyager Apply and Save actions 1. Click System Logging under Configuration > System Configuration in the tree view . 2. In the V oyager Audit Log field, select Ena bled or Disabled.
Nokia Network Voyager for IPSO 4.0 Reference G uide 165 click the Management Activity Log link in the System Logs section. For more information, see “Monitoring System Logs.” Remote Core Dump Server on Flash-Based Systems Application co re files are sto red in memory in the directory /var/t mp/.
3 166 Nokia Network Voyager for IPSO 4.0 Refe rence Guide 5. Click Apply . 6. Click Save to make your changes pe rmanent. Changing the Hostname Y ou set the hostname during in itial configuration. T o identify the hostname (system name) of your security platform, click Hos tname under Co nfiguration > System Configuration in the tree view .
Nokia Network Voyager for IPSO 4.0 Reference G uide 167 T o create a factory default configuration file 1. Click Configuration Sets unde r Configuration > System Conf iguration in the tree view . 2. Enter a name for the new file in t he Create a New Factory Default Config uration field.
3 168 Nokia Network Voyager for IPSO 4.0 Refe rence Guide 4. Select the T imezone under which yo u want to schedule the job, either Local or Universal, from the drop-down list. 5. Select the frequency (Daily , W eekly , or Monthl y) with which you want the job to execute from the Repeat drop -down list.
Nokia Network Voyager for IPSO 4.0 Reference G uide 169 Creating Backup Files Y ou can create a backup file manually at any time (see “T o create a backup file manually ,” below), or configure the system to ru n scheduled backups automatically (see “T o configure scheduled backups” on page 170).
3 170 Nokia Network Voyager for IPSO 4.0 Refe rence Guide T o configure scheduled backup s 1. Click Backup and Restore under Configuratio n > System Configuration in the tree view . 2. In the Scheduled Backup field, click the Freq uency drop-down list and select Daily , W eekly , or Monthly to configure ho w often to perform a regular backup .
Nokia Network Voyager for IPSO 4.0 Reference G uide 171 T o configure automatic transfers of archive files to a remote server 1. Click Backup and Restore under Configuration > System Configuration in the tree view . 2. Under Automatic T ransfer of Archive File, select a file transfer protocol, either TFTP or FTP .
3 172 Nokia Network Voyager for IPSO 4.0 Refe rence Guide Restoring Files from Locally S tored Backup Files T o restore files to the system, you must first create backup files as described in “Creating Backup Files” on page 169. Y ou can restore either from files stored locall y or from files stored on a remote machine.
Nokia Network Voyager for IPSO 4.0 Reference G uide 173 b. Click Apply . c. A list of available files in the directory you specify appears. Select the backup files you want to restore. 5. Click Apply . Repeat the previous two steps for each file you want to restore.
3 174 Nokia Network Voyager for IPSO 4.0 Refe rence Guide Note Flash-based systems can store a maximum of two Nokia IPSO images. T o delete an Nokia IPSO image 1. Click Manage Images under Configuration > Sy stem Configuration > Im ages in the tree view .
Nokia Network Voyager for IPSO 4.0 Reference G uide 175 b. (Optional) If the HTTP site on which the Nokia IPSO image is stored requires authentication, enter the HTTP realm to which authentication is needed. c. (Optional) If the server on which the Nokia IP SO image is stored requires authentication, enter the user name and password.
3 176 Nokia Network Voyager for IPSO 4.0 Refe rence Guide Note When you click T est Boot, the system tests th e new ima ge for five mi nutes. If you let the five-minute test period ex pire without co mmitting to the new ima ge, the system automatically reboot s and reverts to the previou s image.
Nokia Network Voyager for IPSO 4.0 Reference G uide 177 Only when you are downgrad ing to a version that was never o n your appliance is the connectivity information from the already installed IPSO version carried over to the less recent version that you are installin g.
3 178 Nokia Network Voyager for IPSO 4.0 Refe rence Guide Y ou can configure the options for monitor rep orts according to your networking and rep orting requirements.
Nokia Network Voyager for IPSO 4.0 Reference G uide 179 CheckPoint VPN-1 Pro/Express NGX R60 CheckPoint CPinfo If your platform runs NG with Application Inte lligence (R55) for IPSO 3.8, the only packages you can install are: Check Point VPN-1 NG with Application Intelligence (R55) for IPSO 3.
3 180 Nokia Network Voyager for IPSO 4.0 Refe rence Guide 12. (Optional) Click the button of the package from which you want to upgrade under Choose one of the following packages to upgrade fr om . 13. Click Apply . 14. Click Save to make your changes perman en t.
Nokia Network Voyager for IPSO 4.0 Reference G uide 181 Only the remote terminating node responds to the MSS value yo u set; that is, intermediate nodes do not respond.
3 182 Nokia Network Voyager for IPSO 4.0 Refe rence Guide.
Nokia Network Voyager for IPSO 4.0 Reference Guide 183 4 V irtual Router Redundancy Protocol (VRRP) This chapter describes the Nokia IPSO implemen tation of VRRP and how to configure it on your system.
4 184 Nokia Network Voyager for IPSO 4.0 Refe rence Guide Nokia provides support for OSPF , BGP , RIP , and PIM (both sparse and dense mode) to advertise the virtual IP address of the VRRP virtu al ro uter . Y ou must use monitored-circuit VRRP , not VRRPv2, to configure virtual IP support for a dyn amic routing protocol.
Nokia Network Voyager for IPSO 4.0 Reference G uide 185 Figure 2 VRRP Configuration with Internal and External VRIDs In this example, Platform A acts as the master for both VRID 1 and VRID 2 while Platform B acts as the backup for both VRID 1 and VRID 2.
4 186 Nokia Network Voyager for IPSO 4.0 Refe rence Guide Underst anding Monitored-Circuit VRRP The Nokia implementation of VRRP includes additional functiona lity called monitored circuit.
Nokia Network Voyager for IPSO 4.0 Reference G uide 187 Use this method only if y ou do not have an extra IP address to use for mon itored-circuit VRRP .
4 188 Nokia Network Voyager for IPSO 4.0 Refe rence Guide which to skew the Master _Down_Inte rval) is calcula ted as Skew_time = ( (256 - Priority) / 256) ) . Y ou can configure your VRID to specify one platform as the established master by assig ning it a higher priority , or you can assign equivalent priority to all platforms.
Nokia Network Voyager for IPSO 4.0 Reference G uide 189 Priority Delt a Choose a value for the priority delta that ensure s that the priority delta subtracted from the priority results in an effective priority that is lower than that of the backup routers (in case an interface fails).
4 190 Nokia Network Voyager for IPSO 4.0 Refe rence Guide VMAC Mode For each VRID, a virtual MAC (V MAC) address is assigned to the backup address. The VMAC address is included in all VRRP packet transmissions as the so urce MAC address; the physic al MAC address is not used.
Nokia Network Voyager for IPSO 4.0 Reference G uide 191 Before you Begin Before you begin, consider y our hardware and configuration. Are all backup routers able to handle the traf fic they will receive if the master fails? W ill you implement load-sharing? There are two global settings for VRRP as described in the following table.
4 192 Nokia Network Voyager for IPSO 4.0 Refe rence Guide Note Y ou set values for priority delta and backup add ress only when config uring moni tored-cir cuit VRRP . These parame te rs are not applicable to VRRPv2. Complete these additional step s before you configure VRRP .
Nokia Network Voyager for IPSO 4.0 Reference G uide 193 configuration. Y ou do not have to separately specify settings for eac h interface. For more information, see “Configuring Monitored-Circuit V RRP using the Simplified Method” .
4 194 Nokia Network Voyager for IPSO 4.0 Refe rence Guide 8. Click Apply . 9. Click Save to make your changes pe rmanent. 10. Log on to each backup appliance in turn and repeat step 2 through step 5. Make sure you use the same values for VRID , hello interval, auth entication method, and backup address for all no des in the VRID.
Nokia Network Voyager for IPSO 4.0 Reference G uide 195 Note Y ou cannot change the backup add ress from one interface to anoth er interface while a platform is in t he master state.
4 196 Nokia Network Voyager for IPSO 4.0 Refe rence Guide 5. Enter the value you want to use to iden tify the virtual router and click Apply . Additional fields appear .
Nokia Network Voyager for IPSO 4.0 Reference G uide 197 3. In the row for the interface yo u want to configure, select the VRRPv2 r adio button in the Mode column. 4. Click Submit. T ext boxes for Own VRID and Back up Router with VRID appear . 5. Configure the router as a master or a backup by doing one of the following.
4 198 Nokia Network Voyager for IPSO 4.0 Refe rence Guide When you use the Check Point cpconfig prog ram (at the command line or usi ng Network V oyager), follow these guidelines: Install Check Point NGX as an en forcement module only on each node.
Nokia Network Voyager for IPSO 4.0 Reference G uide 199 tunnels do not fail over cor re ctly . If the en cr ypt i on /a u then tica tio n alg o rith m is supp or ted in the master and not suppor te d by the backup and you do not use NA T , tunnels fail over correctly , but they are no t accelerated after failover .
4 200 Nokia Network Voyager for IPSO 4.0 Refe rence Guide Note The object for VRRP is not the same as the ga teway cluster object fo r HA. Accordingly , in this example, the gateway cl uster object is designated fwcluster-object . Where: cluster-all-ips is the W orkstation object you created with all IPs.
Nokia Network Voyager for IPSO 4.0 Reference G uide 201 Link Aggregation (IP2250 Systems Only) IP2250 appliances allow you to aggregate the built-in 10/100 mbps Ether net ports so that they function as one logical port with higher bandwi dth.
4 202 Nokia Network Voyager for IPSO 4.0 Refe rence Guide Master —Forwarding IP packets addressed to the virtual router . Backup —Eligible to become master and monito ring the state of the current master . Initialize —Inactive; waiting for startup event.
Nokia Network Voyager for IPSO 4.0 Reference G uide 203 Monitoring the Firewall St ate By default, IPSO monitors the state of the fire wall and responds appropriately . If a VRRP master detects that the firewall is not re ady to handle traffic or is not functioning properly , the master fails over to a backup system.
4 204 Nokia Network Voyager for IPSO 4.0 Refe rence Guide If you are testing monitored-ci rcuit VRRP by pulling an inte rface, and the other interfaces do not release their IP addresses, check that the priority delta is large enough that the effective priority is lower than the master router .
Nokia Network Voyager for IPSO 4.0 Reference G uide 205 Switched Environment s Monitored-Circuit VRRP in Switched Environment s When you use monito red-circuit VRRP , some Ethernet switches might not recogn ize the VRRP MAC address after a transition from the master to a backup.
4 206 Nokia Network Voyager for IPSO 4.0 Refe rence Guide.
Nokia Network Voyager for IPSO 4.0 Reference Guide 207 5 Configuring Clustering This chapter describes IPSO’ s clustering featur e and provides instruc tions for configuring clusters. It includes information about upgrading from IP SO 3.6 to IPS O 3.
5 208 Nokia Network Voyager for IPSO 4.0 Refe rence Guide Y ou can create IP clusters by combining flash-b ased platforms other than the IP2250 with disk- based or different flash-based models.
Nokia Network Voyager for IPSO 4.0 Reference G uide 209 The external router needs a static route to the internal networ k (192.168.1.0) with 192.168.2.10 as the gateway address. The internal ro uter needs a static route to the external network (192.
5 210 Nokia Network Voyager for IPSO 4.0 Refe rence Guide This diagram illustrates the dif ference. Any changes you make in V oyager or Clu ster V o yager are immediately reflected in the CLI and CCLI. The reverse is also true—settings made in the CLI or CCLI are immediately reflected in V oyager or Clus ter V oya ger .
Nokia Network Voyager for IPSO 4.0 Reference G uide 211 192.168.3.10 is the cluster IP addr ess of the primary cluster interface. 192.168.4.10 is the cluster IP addr ess of the secondary cluster interfa ce. Cluster MAC address: A MAC address that the cluster protoc ol installs on all nodes.
5 212 Nokia Network Voyager for IPSO 4.0 Refe rence Guide using different switches). This configuration is preferable to using separate VLANs on one switch to separate them an d is the configuratio n shown in the exampl e cluster .
Nokia Network Voyager for IPSO 4.0 Reference G uide 213 In multicast mode each cluster node receives every packet sent to the cluster and decides whether to process it based on information it receives from the master node. If the node decides not to process the pack et (beca use another node is pr ocessing it), it drops the packet.
5 214 Nokia Network Voyager for IPSO 4.0 Refe rence Guide Do not use this mode if you use PIM in the cluster . Caution Avoid changin g the cluster mode while a cluster is in service. If you change the cluste r mode of a single node, the nod e leaves the cluster .
Nokia Network Voyager for IPSO 4.0 Reference G uide 215 change ARP global parameters” in the information about configuring interfaces for instructions about how to configure a Nokia appliance to accept these replies.
5 216 Nokia Network Voyager for IPSO 4.0 Refe rence Guide between the nodes with different MTU values.T o prevent this problem, make sure that the MTU values are the same on all cluster n odes with Gigabit Ethernet interfaces.
Nokia Network Voyager for IPSO 4.0 Reference G uide 217 dropped in the event that th ere is a failover . The ADP I/ O ports should be used for production traffic. Y ou can aggregate the ports on ADP I/O cards and use the aggregated links for production traffic.
5 218 Nokia Network Voyager for IPSO 4.0 Refe rence Guide For All Upgrades When upgrading a cluster , make sure that all the nodes run the same versions of IPSO (and NGX, when appropriate). If you ar e upgrading bot h IPSO and NGX, you should first upgrade IPSO on all the nodes and then upgrade NGX.
Nokia Network Voyager for IPSO 4.0 Reference G uide 219 Note Y ou should upgrade the master last. 1. Upgrade node A and restart it. B and C continue to function as a 3.6 cluster . Node A (running the later version of IPSO) rejoins the cluster as a member .
5 220 Nokia Network Voyager for IPSO 4.0 Refe rence Guide 6. Repeat this procedure on each of the other nodes that you upgraded from IPSO 3.6. Y ou can now manage the cluster using Cluster V oyager or the CCL I. Creating and Configuring a Cluster Configuration Overview T o create and configure a cluster 1.
Nokia Network Voyager for IPSO 4.0 Reference G uide 221 4. Enter a pas sword for the user ca dmin. The password must have at least six characters. Note Y ou must use the same p asswor d on ea ch nod e tha t you add to th e cluster . This is also the password th at you use to log into Cluster V oyager or the CCLI.
5 222 Nokia Network Voyager for IPSO 4.0 Refe rence Guide Sequence V erifier . Wo r m C a t c h e r Delayed notification of connections Security servers IP pools (with non-Check Poin t gateways or clients). See “Supporting Non-Check Point Gateways and Clients” for related information.
Nokia Network Voyager for IPSO 4.0 Reference G uide 223 The secondary interfaces of all the cluster no des must belong to the same subnet. This subnet should not carry any other traffic unl ess you use it to carry firewall synchronization traffic.
5 224 Nokia Network Voyager for IPSO 4.0 Refe rence Guide Configuring VPN T unnels If you want the cluster to support VPN tunnels in which non-Check Point gateways participate, you must configure the tunnels in V oyager (on the Clustering Setup Configuration page) as well as in NGX.
Nokia Network Voyager for IPSO 4.0 Reference G uide 225 VPN but not want to route unencrypted traf fic through the cluster . For this purpose, you can use a configuration similar to the one shown in t.
5 226 Nokia Network Voyager for IPSO 4.0 Refe rence Guide cluster interfaces (192.168.1.2 and 192.168. 1.3) as gateway addre sses. In the example network, the internal router has the following static routes: route: 10.1.2.0/24, g ateway: 192.168.1.
Nokia Network Voyager for IPSO 4.0 Reference G uide 227 In addition to h elping you make sure that all cluster nodes are co nfigured consiste ntly , using this feature makes the configuration process easier and faster . The list of shared features should be specified only when you set up a cluster .
5 228 Nokia Network Voyager for IPSO 4.0 Refe rence Guide because of join-time sharing, you can reload the desired configuration on C from the saved configuration file. See “Managing Co nfig uration Sets” for information abou t saving and loading configuration files.
Nokia Network Voyager for IPSO 4.0 Reference G uide 229 After Y ou Create a Cluster Whenever you use Cluster V oyager (or the CCLI), you can rem ove features from the list of ones that are cluster sharable . Y ou can do this on any node. However , Nokia recommends that you avoid doing this.
5 230 Nokia Network Voyager for IPSO 4.0 Refe rence Guide Manual configuration. If you use th is method, you must supply more in formation so that the system can join the cluster .
Nokia Network Voyager for IPSO 4.0 Reference G uide 231 Joining a System to a Cluster T o join a system to a cluster , perform this simple procedure: 1. Display the Interface Configuration page. 2. Configure interfaces with IP addresses in each of the networks used by the cluster and activate the interfaces.
5 232 Nokia Network Voyager for IPSO 4.0 Refe rence Guide Y ou can make changes that are implemented on all the nodes simultaneou sly . T o make changes in this way , you use Clus ter V oyager or the CCLI. (See the IPSO CLI Refer ence Guide for information abou t using the CCLI.
Nokia Network Voyager for IPSO 4.0 Reference G uide 233 Someone else is logged into Cluster V oyager or the CCL I and has acquired an exclusive configuration lock If someone else has acquired an e.
5 234 Nokia Network Voyager for IPSO 4.0 Refe rence Guide Cluster V oyager or the CCLI are als o implemented on node B. (Y ou can log into all nodes as cadmin because this user is created automatically on each node.
Nokia Network Voyager for IPSO 4.0 Reference G uide 235 performance rating to force a particular node to be the master (which will also have the ef fect of giving that node a lar ger share of work). T o change the performance rating, enter a number in the Performance Rating field (the range of values is 0 throu gh 65535), then click Apply and Save.
5 236 Nokia Network Voyager for IPSO 4.0 Refe rence Guide Note Nokia recommends that you do not make change s to cluster settings or join-time shared features on individual nodes—use Clu ster V oyager or the CCLI to make these changes. This will help you ensure that all the nodes are configur ed consistently .
Nokia Network Voyager for IPSO 4.0 Reference G uide 237 If you specify an invalid FTP server or an invalid path to a valid server as the source of the image, Cluster V oyage r does not respond with an.
5 238 Nokia Network Voyager for IPSO 4.0 Refe rence Guide The following is an illust ration of this process in a three node cl uster with nodes A, B, and C, in which C is the originating node. 1. If the node A restarts successfully and rejoins the cluster , node B restarts.
Nokia Network Voyager for IPSO 4.0 Reference G uide 239 Changing Cluster Inte rface Configurations If you want to change the cluster interface config uration of a node—for ex ample, if y ou wan t to change the primary interface—you must log into the node as a system user .
5 240 Nokia Network Voyager for IPSO 4.0 Refe rence Guide Configuring NTP There are two approaches to c onfiguring NTP in a cluster: Using a device outside the cluster as the NTP server . In this case you use the IP address of the ser ver when configuring NTP on the cluster nodes.
Nokia Network Voyager for IPSO 4.0 Reference G uide 241 Using the Master Node as the NTP Server T o configure the cluster master as the NTP server, do the following steps on the NTP configuration page: 1. Log into Cluster V oyager . 2. Display the NTP Configuration page.
5 242 Nokia Network Voyager for IPSO 4.0 Refe rence Guide Configure state synchronization: Enable state synchronization and configure interfaces for it. The interfaces that you configure for state sync hronization shou ld not be part of a VLAN or have more than one IP address assigned to them.
Nokia Network Voyager for IPSO 4.0 Reference G uide 243 T o enable sequence validation in the Chec k Po int management appli cation and IPSO, follow these steps: a. On the main Configuration pa ge in Nokia Network V oyager , click Advanced System T uning (in the Sy stem Configuration section).
5 244 Nokia Network Voyager for IPSO 4.0 Refe rence Guide Configuring the Cluster in V oyager 1. Using V oyager , log into node A. 2. Display the Interface Configuration page. 3. Configure interfaces with IP addresses in each of the networks shown in the example and activate the interfaces.
Nokia Network Voyager for IPSO 4.0 Reference G uide 245 17. Click Save. 18. Configure static routes from this node to the internal and external networks using 192.168.1.5 and 192.168.2.5 as gateway addresses (next hops). 19. On nodes B and C, configure interfaces with real IP addresses in each of the four networks shown in the example.
5 246 Nokia Network Voyager for IPSO 4.0 Refe rence Guide Clustering Example With Non-Check Point VPN This section presents an example that shows how easy it is to configure an IPSO cluster to support a VPN with a non-Check Point gateway .
Nokia Network Voyager for IPSO 4.0 Reference G uide 247 4. In the Add New VPN T unnel section, enter 10.1.1.0 in the Network Addres s field. 5. In the Mask field, enter 24. 6. In the T unnel End Point field, enter 10.1.2.5. 7. Click Apply . 8. Click Save.
5 248 Nokia Network Voyager for IPSO 4.0 Refe rence Guide.
Nokia Network Voyager for IPSO 4.0 Reference Guide 249 6 Configuring SNMP This chapter describes the Nokia IPSO impl ementation of Simple Network Management Protocol (SNMP) and how to con figure it on your sy stem.
6 250 Nokia Network Voyager for IPSO 4.0 Refe rence Guide MIB Source Function Rate-Shape MIB propriet ary Moni toring rate-shaping stat istics and configuration. Monitoring system-specific parameters. IPSO System MIB prop rietary D efines the system MIB for IPSO.
Nokia Network Voyager for IPSO 4.0 Reference G uide 251 SNMPv2 TC RFC 854 Defines textual conventions for various value s reported in OIDs and Trap s. Dial-Control MIB RFC 2128 Describes peer information for demand access an d other kinds of interfaces.
6 252 Nokia Network Voyager for IPSO 4.0 Refe rence Guide Both the proprietary MI Bs and the public MIBs are supplied with the system. T o view more detailed information about the MIBs, see the /etc/snmp/mibs directory . Note The SNMPv2-CONF MIB resides in the /etc/sn mp/mibs/unsupported dir ecto ry .
Nokia Network Voyager for IPSO 4.0 Reference G uide 253 Using the Check Point MIB Y ou must use the Check Point version of the Ch eck Point MIB (CP-MIB) text file in $FWDIR/ lib/snmp of your network management tool. Do not use the CheckPoint-MIB.txt included in releases before Nokia IPSO 3.
6 254 Nokia Network Voyager for IPSO 4.0 Refe rence Guide SNMP query operations. In this case, you mig ht have to delete the FloodGat e package fro m your system. Enabling SNMP and Selecting the V ersion The SNMP daemon is enabled by default. If yo u choose to use SNMP , configure it according to your security requirements.
Nokia Network Voyager for IPSO 4.0 Reference G uide 255 Note If you select the Disable checkbo x all com munity string s ar e di sable d a nd SNMPv1 and v2 do not function. This has the same ef fect as selecting only SNMPv3 in the previous step. 6. (Optional).
6 256 Nokia Network Voyager for IPSO 4.0 Refe rence Guide Note If no agent addresses are specified, the SNMP protocol resp ond s to requests from all interfaces. Configuring T rap s Managed devices use t rap messages to report events to the network management station (NMS).
Nokia Network Voyager for IPSO 4.0 Reference G uide 257 lamemberActive Supplies notification when a port is ad ded to a link aggrega tion group. lamemberInactive Supplies notification w hen a port is re moved from a link aggregation gr oup. Authorization Supplies notif ication when an SNMP opera tion is not properly authenticated.
6 258 Nokia Network Voyager for IPSO 4.0 Refe rence Guide T o configure traps, specif y the following information: The location of the trap recei ver (manag ement station). See “Configuring T rap Receivers” on page 259. Which types of traps to enable.
Nokia Network Voyager for IPSO 4.0 Reference G uide 259 Configuring T rap Receivers Y ou must specify the management station that accepts traps from your appliance, and the community string used on your manageme nt station (receiver) to control access.
6 260 Nokia Network Voyager for IPSO 4.0 Refe rence Guide 4. Click Save to make your changes pe rmanent. Configuring Location an d Cont act Information The settings for location and cont act information provid e information to the management system about where your device is loca ted and who to contact about it.
Nokia Network Voyager for IPSO 4.0 Reference G uide 261 Note Y ou might not see the codes. The SNMP manager or utility interprets the codes and displays and logs th e appropr iate mess age.
6 262 Nokia Network Voyager for IPSO 4.0 Refe rence Guide GetNextRequest The only values that can be returned as the second element in the varia ble-bindings field to a GetNextReque st when an error -status code occurs are unSp ecified or endOfMib V iew .
Nokia Network Voyager for IPSO 4.0 Reference G uide 263 and encryption, but you ca n em ploy them independently by spec ifyin g one or the other with your SNMP manager requests. The I PSO system responds accordingly . Note Nokia system s do not prot ect traps wi th authentication or encryption.
6 264 Nokia Network Voyager for IPSO 4.0 Refe rence Guide T o view existing SNMP users, click SNMP under Configuration > System Configuration in the tree view and click Manage SNMP Users. Altern atively , you can click the Manage SNMP User Access link located on the Configuration > Security and Access > Users page.
Nokia Network Voyager for IPSO 4.0 Reference G uide 265 T o delete a USM user 1. Click SNMP under Configuration in the t ree view . 2. Click Manage USM Users at the bottom of the page. The Manage SNMP Users page appears. 3. Select the appropriate Delete check box.
6 266 Nokia Network Voyager for IPSO 4.0 Refe rence Guide.
Nokia Network Voyager for IPSO 4.0 Reference Guide 267 7 Configuring IPv6 This chapter describes the IPv6 features suppor ted by Nokia IPSO and how t o configure them on your system. IPv6 Overview IPv6 is the next generation IP proto co l and is expected to replace IPv4, th e current IP protocol.
7 268 Nokia Network Voyager for IPSO 4.0 Refe rence Guide IPv6 over IPv4 T unnel (RFC 2185) IPv6 over Ethernet (RFC 2464) IPv6 over FDDI (RFC 2467) IPv6 over PPP (RFC 2472) IPv6 ov.
Nokia Network Voyager for IPSO 4.0 Reference G uide 269 T o delete an IPv6 address 1. Click IPv6 Interfaces under Configuration > Sy stem Configuration > IPv6 Configuration in the tree view . 2. Click the logical interface link to configure in the Logical column for which you want to delete an IPv6 address.
7 270 Nokia Network Voyager for IPSO 4.0 Refe rence Guide represents the number of times to retry Dupl icate Address Detection Neighbor Discovery requests.
Nokia Network Voyager for IPSO 4.0 Reference G uide 271 Configuring IPv6 to IPv4 This feature allows you to co nnect an IPv6 domain throug h IPv4 clouds without configurin g a tunnel. T o configure IPv6 to IPv4 1. Click IPv6 to IPv4 und er Configuration > System Configuration > IPv6 Config uration in the tree view .
7 272 Nokia Network Voyager for IPSO 4.0 Refe rence Guide 6. Click Apply . 7. Click Save to make your changes pe rmanent. Configuring IPv4 in IPv6 T unnels This feature allows you to set up a point-to-point link to pe rmit traffic from IPv4 domains to travel through IPv6 do mains.
Nokia Network Voyager for IPSO 4.0 Reference G uide 273 6. T o specify the order in which next hops are se lected, enter a value from one to eight in the Preference text box. The lower the value the more preferred the link. The next preferred value is selected as the next hop onl y when an interface fails.
7 274 Nokia Network Voyager for IPSO 4.0 Refe rence Guide 5. Scroll through the New Contribu ting Protocol List click th e protocol y ou want to use for the new aggregate route. 6. Click Apply . 7. Click Save to make your changes pe rmanent. 8. Click On in the Contribute All Routes from <Protocol> field.
Nokia Network Voyager for IPSO 4.0 Reference G uide 275 6. T o redistribute a spec ific aggregate route or ro utes into RIPng, click On next to the IPv6 interface for the aggregate route to redistribute into RIP ng. 7. Enter a value in the Metric text box for the metric cost that the created RIPng route will have.
7 276 Nokia Network Voyager for IPSO 4.0 Refe rence Guide more information about configurin g VRRP for IPv6 interfaces, see “Configuring VRRP for IPv6.” 1. Click ICMPv6 Router Discovery u nder Configuration > System Configuration > IPv6 Configuration > Router Serv ices in the tree view .
Nokia Network Voyager for IPSO 4.0 Reference G uide 277 14. (Optional) T o specify that the IPv6 pref ix can be used for autonomous address configuration, click Y es in the Autonomous Fl ag field. 15. (Optional) Enter a value (in seconds) in the Pr efix V alid Lifetime text box for the prefix information options valid lifetime field.
7 278 Nokia Network Voyager for IPSO 4.0 Refe rence Guide the new master begins to sen d out router disc overy advertisements. For more information about configuring Router Discovery for IPv6 interfaces, see “Configuring ICMPv6 Ro uter Discovery .
Nokia Network Voyager for IPSO 4.0 Reference G uide 279 Use this procedure to configure virtual routers to back up the addresses of other routers on a shared media network. 1. Click VRRP for IPv6 under Configuration > System Configuration > IPv6 Configuration > Router Services in the tree view .
7 280 Nokia Network Voyager for IPSO 4.0 Refe rence Guide This option does not affect the functioning of your system if a firewall is not installed. 1. Click VRRP for IPv6 under Configur ation > System Configuration > IPv6 Configuration > Router Serv ices in the tree view .
Nokia Network Voyager for IPSO 4.0 Reference G uide 281 Enter the IP address you want to assign to the virtual router back up in the Backup Address edit box. Click Apply . Note The IP address(es) associated with the monito red circuit virtual router must not match the real IP address of any host or r outer on the network of the interface.
7 282 Nokia Network Voyager for IPSO 4.0 Refe rence Guide Failover of the default router no longer occurs. When you disab le a virtual router , you must first remove the VRRP configuratio n for that virtual router fro m all of the backup routers.
Nokia Network Voyager for IPSO 4.0 Reference G uide 283 configured. The default is 100 centisecon ds , that is, 1 second. 5. (Optional) Click Disabled n ext to Preempt Mode if you do not want virtual router with a higher priority to preempt the current master router and become the ne w mas ter .
7 284 Nokia Network Voyager for IPSO 4.0 Refe rence Guide resulting in the ef fective priority value. T his effective priority value of the virtual router is used to determine the election of th e VRRP master rout er . Note Y ou must enter a priority delt a value for each interface you select to monitor .
Nokia Network Voyager for IPSO 4.0 Reference G uide 285 Security and Access Configuration T o enable FTP , TFTP , or T elnet access 1. Click Network Access Services under Co nfiguration > System Configuration > IPv6 Configuration > Security and Access Configuration in the tree view .
7 286 Nokia Network Voyager for IPSO 4.0 Refe rence Guide.
Nokia Network Voyager for IPSO 4.0 Reference Guide 287 8 Managing Security and Access This chapter desribes how to manage passwords, user accounts, and groups, how to assign privileges using role-based administration, and ho w to configure network access, services, and Network V oyager session management.
8 288 Nokia Network Voyager for IPSO 4.0 Refe rence Guide T o change another user ’ s p assword 1. Log in as a user who has read/write permissions for the Users feature. Note Admin users or any user with the User feature assigned to them can change a user’s password without providin g th e ex isting password.
Nokia Network Voyager for IPSO 4.0 Reference G uide 289 After you create a new user , go to Role-Base d Ad ministrati on > Assign Role to Users to grant the user additional access privileges. For more information, see “Role-Based Administration” on page 293 .
8 290 Nokia Network Voyager for IPSO 4.0 Refe rence Guide T o add a user 1. Click Users under Configuration > Security and Access Configuration in the tree view . 2. In the Add New User section, en ter the name of the user , a unique user ID, and the home directory for the new user .
Nokia Network Voyager for IPSO 4.0 Reference G uide 291 T o configure S/Key 1. Click Users under Configuration > Security and Access Configuration in the tree view . 2. Enable the Admin S/Key or Monitor S/Key by selecting either the Allowed or Required radio buttons.
8 292 Nokia Network Voyager for IPSO 4.0 Refe rence Guide The server also returns a prompt for a password. 4. Copy the S/Key sequence number and seed into the S/Key calculator on your platfo rm. 5. Copy the S/Key challenge into the S/Key calculator on your local platform.
Nokia Network Voyager for IPSO 4.0 Reference G uide 293 Control who can log in through SSH. For most other functions that are generally associated with groups, use the role-based administration feature, described in “Role-Based Administration” on page 293.
8 294 Nokia Network Voyager for IPSO 4.0 Refe rence Guide Managing Roles T o view a list of existing roles on your system, click Manage Roles under Configuration > Security and Access >Role Based Administration in the tree view .
Nokia Network Voyager for IPSO 4.0 Reference G uide 295 4. Add features by moving them to the R W (Rea d/W rite) or RO (Read Only) columns, depending on the permission level yo u want to give to this role. Remove the features by moving them back to the A vailable column.
8 296 Nokia Network Voyager for IPSO 4.0 Refe rence Guide 3. Assign roles to or remove them for the user by selecting them and clicking Assign or Remove. Use Shift-click to select a range of roles, or Ctrl-click to select multiple roles at a time. Note Y ou cannot change the roles assigne d to the Admin, Cluster Admin, or Monitor users.
Nokia Network Voyager for IPSO 4.0 Reference G uide 297 Configuring Network Access and Services Ta b l e 1 5 lists the options that you can configure for network acc ess. Ta b l e 1 6 lists the service s you can enable on the appliance or for the cluster .
8 298 Nokia Network Voyager for IPSO 4.0 Refe rence Guide T o enable network access options and services 1. Click Network Access and Services under Configuration > Security and Access in the tree view . 2. Select the Y es radio button for the access op tions and services you want to enable.
Nokia Network Voyager for IPSO 4.0 Reference G uide 299 T o configure a modem on COM2, COM3, or COM4 1. Click Network Access and Services under Conf iguration > Se curity and Acc ess in the tree view . 2. Click Modem Configuration next to the appropriate serial port.
8 300 Nokia Network Voyager for IPSO 4.0 Refe rence Guide Ta b l e 1 9 lists the country codes that you sele ct from wh en entering the code for an Ositech Five of Clubs II or III card in step 7 of the preced ing procedure.
Nokia Network Voyager for IPSO 4.0 Reference G uide 301 Configuring Basic Nokia Network V oyager Options Y ou can configure the following options for Nokia Network V oya ger access: Allow Network .
8 302 Nokia Network Voyager for IPSO 4.0 Refe rence Guide Generating and Inst alling SSL/TLS Certificates IPSO uses the Secure Sockets Layer/T ranspor t Layer Security (SSL/TLS) protocol to secure connections over the Internet from the Nokia Ne twork V oyager client to the IPSO system.
Nokia Network Voyager for IPSO 4.0 Reference G uide 303 domain name (FQDN ) for your platform: fo r example, www .ship.wwwidgets.com. If you are generating a certificate signing request fo r a CA, that CA might impose a different standard.
8 304 Nokia Network Voyager for IPSO 4.0 Refe rence Guide 5. If you entered a passphrase when you generate d the certificate and private key , you must enter the passphrase in the Passphrase field.
Nokia Network Voyager for IPSO 4.0 Reference G uide 305 Y ou should use SSH, instead of utilities such as T elnet or rlogin that are not secure, to connect to the system . Y ou can also tunnel HTTP over SSH to use Network V oyage r to securely manage your platform.
8 306 Nokia Network Voyager for IPSO 4.0 Refe rence Guide can permit any combination of these methods. In all cases the default is Y es, except for rhost and rhost with RSA au thentication . The rhost authe ntication is insecure and Nokia does not recommended using it.
Nokia Network Voyager for IPSO 4.0 Reference G uide 307 3. Click Apply . 4. (Optional) In the Configur e Server Acce ss Contr o l table, enter the group and user nam es in the appropriate text boxes . Y ou can use wild card characters when you spec ify multiple group or user names separated by spaces.
8 308 Nokia Network Voyager for IPSO 4.0 Refe rence Guide 13. Click Apply . 14. (Optional) In the Configur e Service Details fie ld, click the choices and enter appropriate values in the text boxes.
Nokia Network Voyager for IPSO 4.0 Reference G uide 309 T o configure authorized keys 1. Click SSH Authorized Keys under Config uration > Security and Access > Secure Shell (SSH) in the tree view .
8 310 Nokia Network Voyager for IPSO 4.0 Refe rence Guide 4. (Optional) T o generate an RSA host key (to us e with SSHv2), select the key size , listed in bits, from the Generate New RS A v2 Host Key drop-down list.
Nokia Network Voyager for IPSO 4.0 Reference G uide 311 T unneling HTTP Over SSH T o tunnel HTTP over SSH 1. Generate a key . 2. Put authorized public keys on the system. 3. Log in and redirect a port on your platform to th e remote platfo rm. Depending on what type of terminal you are usin g complete the following.
8 312 Nokia Network Voyager for IPSO 4.0 Refe rence Guide Note Network V oyager uses cookies to keep track of HTTP sessions. Network V oyager cookie based session management does n ot store user names or passwords in any form in the cookies. Y ou should continue to access Network V oyager from a secu re worksta tion.
Nokia Network Voyager for IPSO 4.0 Reference G uide 313 Authentication, Authorization, and Accounting (AAA) Creating an AAA Configuration Use this procedure to crea te an AAA configuration for a new service.
8 314 Nokia Network Voyager for IPSO 4.0 Refe rence Guide Creating a Service Module Entry T o create a service module entry 1. Enter the name of the service in the New Service text bo x under the Service Module Configuration table.
Nokia Network Voyager for IPSO 4.0 Reference G uide 315 For a description of the authentication algor ithms that the list items represent, see “Authentication Pr ofile T ypes.” 3. Select the item in the Control drop-down list that matches the service requirements.
8 316 Nokia Network Voyager for IPSO 4.0 Refe rence Guide Creating an Accounting Pro file T o create an account profile 1. Enter the name of the accounting profile in th e New Acct. Profile text box under the Acct. Profile table; make sure that the name does not match any of the Nam es in the Acct.
Nokia Network Voyager for IPSO 4.0 Reference G uide 317 Accounting Profile T ypes The following table describes the account manageme nt algorithms that are represented by the values in the T ype drop-down lists unde r Acct. Profile. Note Modules in the Module column reside in the /usr/lib directory .
8 318 Nokia Network Voyager for IPSO 4.0 Refe rence Guide Note Modules in the Module column resid e in the /usr/lib directory . Profile Controls Control values determine how the results of multiple authentica t ion, ac counting, or session algorithms are handled and when additional algor ithms in a list are invoked.
Nokia Network Voyager for IPSO 4.0 Reference G uide 319 The screens following graphic shows an example of creating a new service. Configuring RADIUS RADIUS, or remote authentication dial-in us er service, is a client and server-based authentication software system th at supports remote-access appli cations.
8 320 Nokia Network Voyager for IPSO 4.0 Refe rence Guide 4. Click the Control drop-down list and select required, requisite, sufficient, optional or NOKIA-SER VER-AUTH-SUFFICIENT to determine the level of authentication to apply to a profile. For more information, see “Profile Controls.
Nokia Network Voyager for IPSO 4.0 Reference G uide 321 If all the attempts do not make a reliable conn ec tio n within t he timeout period, the client stops trying to contact the RADIUS server . The default is 3. Note The maximum tries value include s the first attempt.
8 322 Nokia Network Voyager for IPSO 4.0 Refe rence Guide 5. Click Apply , and then click Save to make your chan ges permanent. The name o f the T ACACS+ au thent ication profile appears in the Auth. Profile table. 6. Y ou must now config ure on e or more servers to use in a single authentication profile.
Nokia Network Voyager for IPSO 4.0 Reference G uide 323 This action takes you to the page for AAA RAD IUS or T ACACS+ A uthentication Servers Configuration. 3. In the RADIUS or T ACACS+ Servers For Auth. Profile table, check the Delete check box next to the row for the RADIUS or T ACACS+ server to disable.
8 324 Nokia Network Voyager for IPSO 4.0 Refe rence Guide Note The algorit hm is added t o the end of the list. The order of algorithms in the list is th e order that they a re invoked.
Nokia Network Voyager for IPSO 4.0 Reference G uide 325 T o add an accounting profile 1. Enter the name of the profile in the Service Profile text box; th e name is shown in the Profile Name column of the Service Profile table. 2. Enter an item from the Name column of the Acct.
8 326 Nokia Network Voyager for IPSO 4.0 Refe rence Guide Select a different item i n the T ype list that matches the new requirements of the service. For a description of the authentication algor ithms that the list items represent, see Authentication Profile T ypes.
Nokia Network Voyager for IPSO 4.0 Reference G uide 327 Deleting an Item in a Service Profile Entry Highlight one of the entries in the lists under the Auth Profile, Acct Profile or Session Profile column in the Service Profile ta ble for the entry you want to change.
8 328 Nokia Network Voyager for IPSO 4.0 Refe rence Guide Enabling Encryption Accelerator Cards If you do not intend to use SecureXL, y ou must ma nually enable the encryption accelerator card after you install it.
Nokia Network Voyager for IPSO 4.0 Reference G uide 329 An encapsulation security payload (ESP) that provides auth entication and confidentiality through symmetric encryption, and an optional anti-replay ser vice. ESP does not include the IP header in the auth entication/confidentiality .
8 330 Nokia Network Voyager for IPSO 4.0 Refe rence Guide In tunnel mode, the original IP datagram is placed inside a new datagram, and AH or ESP are inserted between the IP header of the new packet and the original IP datagram. The new header points to the tunnel en dpoint, and the original header poin ts to the final destination of t he datagram.
Nokia Network Voyager for IPSO 4.0 Reference G uide 331 way communication. T o secure bidirectional comm unication between two hosts or two security gateways, two SAs (one in eac h dire ction) are required. Processing the IPSec t raf fic is largely a questio n of local implementatio n on the IPSec system and is not a standardization subject.
8 332 Nokia Network Voyager for IPSO 4.0 Refe rence Guide exchange must take place during Quick Mode . Consequently , the two pe ers generate a new Diffie-Hellman key pair . Using PKI For Phase 1 negotiation of IKE, the IPSec systems can use X.509 certificat es for authentication.
Nokia Network Voyager for IPSO 4.0 Reference G uide 333 The IPSec configura tion in Network V oyager is based on three IPSec objects: proposals, filters, and policies.
8 334 Nokia Network Voyager for IPSO 4.0 Refe rence Guide Note Native IPSO IPSec tunnels cannot coexist in the same machine with Check Point IPSec software. Be fore you use IPSO IPSec softw are, ensure that no Check Point software is running. Likewise, before you use Check Point IPSec software, ensure that no IPSO IPSec software is runn ing .
Nokia Network Voyager for IPSO 4.0 Reference G uide 335 Some IPSec systems require that the SA lifetim es (seconds, as well as me gabytes) match on both devices. See “Putting It All T ogether” in “Creating an IPSec Policy” for more information.
8 336 Nokia Network Voyager for IPSO 4.0 Refe rence Guide Proposal and Filters 1. Under the Proposals table, enter a name for a new proposal in the New Proposal text box. Click either ESP or AH. Note If you click AH, the Encryption Alg (algorithm) must always be set to NONE.
Nokia Network Voyager for IPSO 4.0 Reference G uide 337 3. Click on the new link with the sa me name that you entered in Step 1. This action takes you to the IPSec Certificate Addition page for that specific certificate.
8 338 Nokia Network Voyager for IPSO 4.0 Refe rence Guide T o enroll and inst all a device certificate 1. Under the Device Certificates table, enter a name in the New Certificate text box, then click Apply . 2. An Apply Successful message appe ars and the name of the CA you just entered appears in the Device Certificates table.
Nokia Network Voyager for IPSO 4.0 Reference G uide 339 you can click on the link with the Ce rtif icat e name in the IPSec General Configuration page to install the certificate. 10. If you chose W ill do it later to make the cer tificate request, the link on the main IPSec General Configuration still points to the certificate request page.
8 340 Nokia Network Voyager for IPSO 4.0 Refe rence Guide Putting It All T ogether T o complete creating an IPSec policy 1. Under the Policies table, enter a name for a new policy in th e New Policy text box, then click Apply . An Apply Successful message appe ars and the policy name appears in the Policies table.
Nokia Network Voyager for IPSO 4.0 Reference G uide 341 below the policy section. The link to more p ages appears on ly after you create more th an 10 policies. Creating an IPSec T unnel Rule T o create an IPSec tunnel rule 1. Click IPSec under Configuration > Security and Access in the tree view .
8 342 Nokia Network Voyager for IPSO 4.0 Refe rence Guide The hello protocol determines the connectivity of an end-to-e nd logical tunnel. As a result, the hello protocol modifies the link status of the logical interface. If the connectivity of an unavailable tunnel is restored, the hello protocol brings up the link .
Nokia Network Voyager for IPSO 4.0 Reference G uide 343 The new entry appears in the IPSec T ransport Rules table. 4. (Optional) T o change the policy entry without ch anging the name of th e associated transport rule, perform the following steps: a. Click in the blank square next to the current policy entry .
8 344 Nokia Network Voyager for IPSO 4.0 Refe rence Guide IPSec T unnel Rule Example The following steps tell how to configure a samp le IPSec tunnel. The following figure below shows the network config ur ation for this example. T o configure Nokia Platform 1 1.
Nokia Network Voyager for IPSO 4.0 Reference G uide 345 8. (Optional) From the drop-down list in the Log Level field, select Info. Click Apply . 9. (Optional) Click Up. 10. In the Policies table, enter rule_1 as the name for a new policy in the New Policy text box.
8 346 Nokia Network Voyager for IPSO 4.0 Refe rence Guide Configure Nokia Platform 2 Now set up network application platform 2 (Nokia Platform 2). Perform the same steps that you performed to configure Nokia Platfo rm 1, with the following changes. 1.
Nokia Network Voyager for IPSO 4.0 Reference G uide 347 Note In this example, the authen tication me th od is a preshar ed secret, so you do not ne ed to select a certificate. 7. (Optional) Click the IPSec Ad vanced Configuration link. 8. (Optional) From the drop-down list in the Log Level field, select Info.
8 348 Nokia Network Voyager for IPSO 4.0 Refe rence Guide Configure PC1 Y ou now ne ed to set up PC1. Perform the sa me steps that you perform ed to configure Nokia Platform 1 (IPSO), with the following changes. 1. Step 6; for the local filter , enter 192.
Nokia Network Voyager for IPSO 4.0 Reference G uide 349 Miscellaneous Security Settings The Miscellaneous Security Settings page unde r Configuration > Secur ity and Access allows you to change the handling of TCP packets. Th e default b ehavior is for IPSO to drop TCP packets that have both SYN and FIN bits set.
8 350 Nokia Network Voyager for IPSO 4.0 Refe rence Guide.
Nokia Network Voyager for IPSO 4.0 Reference Guide 351 9 Configuring Routing This chapter describes the IPSO routing subs yste m, how to configure the various rou ting protocols that are supporte d, route aggregation, and route red i stribu tion.
9 352 Nokia Network Voyager for IPSO 4.0 Refe rence Guide RIP RIP is a commonly used IGP . RIP version 1 is described in RFC 1058, and RIP version 2 is described in RFC 1723. IPSRD supports these ve rsion, as well as RIPng, which supports IPv6 interfaces.
Nokia Network Voyager for IPSO 4.0 Reference G uide 353 BGP is also a path-vector routing protocol, which limits the distribution of a f irewall’ s reachability information to its peer or neighbor firewalls. BGP us es path attributes to provide more information about ea ch route.
9 354 Nokia Network Voyager for IPSO 4.0 Refe rence Guide IPSO supports OSPF v2, which supports IPv4 ad dressing, and OSPFv3, wh ich supports IPv6 addressing. T ypes of Areas Routers using OSPF send packets called Link Stat e Advertisements (LSA) to all routers in an area.
Nokia Network Voyager for IPSO 4.0 Reference G uide 355 Area Border Routers Routers called Ar ea Bor der Routers (ABR) have interfaces to multip le areas.
9 356 Nokia Network Voyager for IPSO 4.0 Refe rence Guide IPSO also supports OSPF over VPN tunnels that terminates at a VRRP group. Only active- passive VRRP configurations ar e su pported, active-active config uratio ns are not. Clustering IPSO supports OSPF in a cluster .
Nokia Network Voyager for IPSO 4.0 Reference G uide 357 Configuring OSPF Area s and Global Settings Ta b l e 2 1 lists the parameters for areas and global settings that you use when configuring OSPF on your system. As you add area s, each is displayed with its own configuration parame ters under the Areas section.
9 358 Nokia Network Voyager for IPSO 4.0 Refe rence Guide T o configure OSPF , use the following procedure . T able 23 NSSA (Not So Stubby Area) Pa rameters Parameter Description T ranslator Role Spec ifies whether this NSSA border rout er will unconditionally translate T ype-7 LSAs into T ype-5 LSAs.
Nokia Network Voyager for IPSO 4.0 Reference G uide 359 T o configure OSPF 1. Complete “Ethernet Interfaces” for the interface and assign an IP address to the interface. 2. Click OSPF under Config ur ation > Routing Configuration in the tree view .
9 360 Nokia Network Voyager for IPSO 4.0 Refe rence Guide Hello interval —Length of time, in seconds, between hello packets that the router sends on the interface. For a given link, this field must be the same on all routers or adjacencie s do not form.
Nokia Network Voyager for IPSO 4.0 Reference G uide 361 T able 24 Global Settings for OSPF Parameter Description RFC1583 Compatibility This implementation of OSPF is based on RFC2178, which fixed some looping problems in an earlier sp ecification of OSPF .
9 362 Nokia Network Voyager for IPSO 4.0 Refe rence Guide Configuring OSPF Interfaces Ta b l e 2 5 lists the parameters for interfaces that you use when configuring OS PF on your platform.
Nokia Network Voyager for IPSO 4.0 Reference G uide 363 T o configure an OSPF interface 1. Assign the appropriate area to each interface by selecting the OSPF area that this interface participates in from the Area drop-down lis t for the interface, then click Apply .
9 364 Nokia Network Voyager for IPSO 4.0 Refe rence Guide 2. (Optional) Change any con figuration parame ters for the interface , then cl ic k Apply . Note The hello interval, d ead interval, and authent ication method must be the same for all routers on the link.
Nokia Network Voyager for IPSO 4.0 Reference G uide 365 5. In the Add New OSPF Area text box, enter 1 ; then click Apply . 6. In the Add new ad dress rang e: p ref ix text box for th e backbon e area, enter 192.16 8.24.0. 7. In the Mask Length text box, enter 24 ; then click Apply .
9 366 Nokia Network Voyager for IPSO 4.0 Refe rence Guide Authentication RIP 2 packets also can contain one of two types of authentication methods that can be used to verify the validity of th e supplied routing data. The first method is a simple pass word in which an auth entication key of up to 16 characters is included in the packet.
Nokia Network Voyager for IPSO 4.0 Reference G uide 367 Note Nokia also provides support for BGP , OSPF , and PIM, both Sp arse-Mode an d Dense-Mode, to advertise the virtual IP address of th e VRRP virtual router , beginning with IPSO 3.
9 368 Nokia Network Voyager for IPSO 4.0 Refe rence Guide 5. (Optional) Enter a new cost in the Metric te xt box for each interface; then click Apply . 6. (Optional) T o configure the interface to not a ccept upda tes, click on the on radio button in the Accept updates fiel d; then click Apply .
Nokia Network Voyager for IPSO 4.0 Reference G uide 369 Note By default, t he update int erval is set to 3 0 seconds and the expir e interval is s et to 180 seconds.
9 370 Nokia Network Voyager for IPSO 4.0 Refe rence Guide Enabling RIP 2 on an Interface RIP 2 implements new capabilities to RIP 1: authentication—simple and MD5—and the ability to explicitly specify the network mask for e ach network in a packet.
Nokia Network Voyager for IPSO 4.0 Reference G uide 371 For Sparse-Mode PIM, see Protoc ol-Independen t Multicast —Sparse Mod e (PIM-SM) : Protocol Specification (Revised).
9 372 Nokia Network Voyager for IPSO 4.0 Refe rence Guide Note The generation ID included in all PIM hello messages does not change whe n IP clustering is used, regard le ss of wh et he r an d ho w ma n y time s PIM is re-e na b led .
Nokia Network Voyager for IPSO 4.0 Reference G uide 373 designated router , it does not generated such a join message, but it pro pagates these join messages when sent by anothe r router . Configuring Check Point VPN-1 Pro/Express T o configure Check Point VPN-1 Pro/Express with IP clustering and either PIM-SM or PIM- DM, make sure you: 1.
9 374 Nokia Network Voyager for IPSO 4.0 Refe rence Guide 4. (Optional) T o configure this interface to use the VRRP virtual IP address, in the V irtua l address field, click On. Note Y ou must use Monitored Ci rcuit mode when configuring virtual IP supp ort for dense- mode PIM.
Nokia Network Voyager for IPSO 4.0 Reference G uide 375 3. Click Apply; then click Save to make your change permanent. Setting Advanced Options for Dense-Mode PIM (Optional) 1. Click PIM under Configuration > Routin g Configuration in the tree view .
9 376 Nokia Network Voyager for IPSO 4.0 Refe rence Guide The value represents the number of times per se cond at which the designated router sends assert messages.
Nokia Network Voyager for IPSO 4.0 Reference G uide 377 6. (Optional) T o configure this interface to use the VRRP virtual IP address, in the V irtua l address field, click On. Note Y ou must use Monitored Circ uit mode when co nfiguring virtual IP support for sp arse- mode PIM.
9 378 Nokia Network Voyager for IPSO 4.0 Refe rence Guide all PIM-enabled interfaces become unavailable an d remain in that state until all interfaces are back up.
Nokia Network Voyager for IPSO 4.0 Reference G uide 379 Note T o verify whether a PIM neighbor supp orts DR Election Priority , use the following command, which you can executed from iclid and CLI: sh.
9 380 Nokia Network Voyager for IPSO 4.0 Refe rence Guide 7. In the Sparse Mode Rendezvou s Point (RP) Configuration section, to enable this router as a Candidate Rendezvous Point: a. Click On in the Candidate RP Router field. b. (Optional) Enter the local address of the Cand idate Rendezvous Point router in the Local Address field.
Nokia Network Voyager for IPSO 4.0 Reference G uide 381 Note S tatic Rendezvous Point configuration over rides rendezvous point (RP) infor mation received from other RP-dissemination mechanisms, such as boot strap routers. 7. Enter the IP address of the router to config ure as the static rendezvous point in the RP Address text box.
9 382 Nokia Network Voyager for IPSO 4.0 Refe rence Guide 9. In the Sparse Mode T imers sec tion, enter a value for the shortest path tree threshold (in kilobits per second) in the Threshold (kpbs) text box. Enter an IP address for the multicast group to which the SP T threshold applies in the Multicast Group ID text box.
Nokia Network Voyager for IPSO 4.0 Reference G uide 383 Note Assert rank values must be the same fo r all routers on a multiaccess LAN that are running the same protocol. 19. Click Apply . 20. (Optional) The checksum of the PIM register messages is calculated without including the multicast payload.
9 384 Nokia Network Voyager for IPSO 4.0 Refe rence Guide T o log information about errors and event s. 1. Click Routing Options under Config uration > Routing Configuration in the tree view . 2. In the T race Options section, click on the Ad d Option drop-down window in the PIM field.
Nokia Network Voyager for IPSO 4.0 Reference G uide 385 Graft —T races graft and graft acknowledgment packets IGRP The Inter-Gateway Routing Pr otocol ( IGRP ) is a widely us ed interior gateway protocol (IGP). Like RIP , IGRP is an implementation of a distan ce-vector , o r Bellman-Ford, routing prot ocol for local networks.
9 386 Nokia Network Voyager for IPSO 4.0 Refe rence Guide Request pack et Update packet IGRP dynamically builds its routing table from in formation received in IGRP update messages. On startup, IGRP issues a request on all IGRP-e nabled interfaces.
Nokia Network Voyager for IPSO 4.0 Reference G uide 387 V alid Neighbors— packets that have a source address from a non-local network are ignored.
9 388 Nokia Network Voyager for IPSO 4.0 Refe rence Guide Aliased Interfaces When an interface has multiple addresses config ured, e ach address is treated as a distinct interface since it represents a logical subnet. Such a configuration implies that an update is sent for each IGRP-configured address .
Nokia Network Voyager for IPSO 4.0 Reference G uide 389 8. (Optional) In the Protocol section, enter a new delay multiplier in th e K2 (delay multiplier) text box; then click Apply . K2 is used to globally influence delay over bandwidth. 9. (Optional) In the Proto col section, click No in the Holddo wn field; then click Apply .
9 390 Nokia Network Voyager for IPSO 4.0 Refe rence Guide The load metric is a fraction of 255. 8. (Required) Enter the MTU metric in the metric text box for each inte rfa ce; then click Apply . A lar ger MTU reduces th e IGRP cost. 9. Click on for eth-s1p1 c0; then click Apply .
Nokia Network Voyager for IPSO 4.0 Reference G uide 391 Monitoring template T racks the number of subordinate routers per route. Using Network V oyager , you can config ure the following optio.
9 392 Nokia Network Voyager for IPSO 4.0 Refe rence Guide 6. (Optional) Enter a value betwee n 20 and 4000 in t he Route expiration time text box to set the interval, in seconds, after wh ich a route that has not been re freshed is placed in the route hold-down queue.
Nokia Network Voyager for IPSO 4.0 Reference G uide 393 implemented within IP SRD conforms to the traceroute facility for IP multicast draft specification.
9 394 Nokia Network Voyager for IPSO 4.0 Refe rence Guide Note A router configured for IGMP ver s ion 2 can in te rope rate with host s running either IGMP version 1 or version 2. Nokia recommends that you use version 1 only on networks tha t include multicast routers that ar e not upgraded to IGMP version 2.
Nokia Network Voyager for IPSO 4.0 Reference G uide 395 Normal —A normal static route is one used to fo rward packets for a given destination in the direction indicated by the configured router . Black hole —A black hole static route is a route that uses the loopback address as the next hop.
9 396 Nokia Network Voyager for IPSO 4.0 Refe rence Guide 4. Click Apply , and then click Save to make your chan ges permanent. T o add and configure many st atic routes at the same time 1. Click Static Routes under Configuration > Routing Configuration in the tree view .
Nokia Network Voyager for IPSO 4.0 Reference G uide 397 Adding and Managing S t atic Routes Example The figure below shows the networ k configuration for the example. In this example, Nokia Platform A is connected to the Internet, with no routing occurring on the interface connected to the Internet (no OSPF or BGP).
9 398 Nokia Network Voyager for IPSO 4.0 Refe rence Guide 3. In the Mask Length text box enter 24. 4. In the Gateway text box enter 192.168 .26.70. 5. Click Apply . If you have configured OSPF o r RIP on your remote office network, you n ow have connectivity to the Internet.
Nokia Network Voyager for IPSO 4.0 Reference G uide 399 advertises. The aggregates are activate d by cont ributing routes. For e xample, if a router has many interface routes subnetted from a class C .
9 400 Nokia Network Voyager for IPSO 4.0 Refe rence Guide Route Aggregation Example The figure below shows the n etwor k configuration for the example. In the preceding figure Nokia Platform B, Noki a Platform C, and Nokia Platform D are running OSPF with the backbone area.
Nokia Network Voyager for IPSO 4.0 Reference G uide 401 Note If the backbone is running OSPF as well, yo u can enable aggregation only by co nfigu ring the 192.168.24.0 network in a d ifferent OSPF Are a. Route Rank The r oute rank is the value that the ro uting subsystem uses to o rder routes from different protocols to the same destination.
9 402 Nokia Network Voyager for IPSO 4.0 Refe rence Guide T o set route rank 1. Click Routing Options under Config uration > Routing Configuration in the tree view . 2. Enter the route rank for each proto col; then click Apply . These numbers do not generally need to be changed from their defau lts.
Nokia Network Voyager for IPSO 4.0 Reference G uide 403 T o configure the routing preferences 1. Click Routing Options under Configuration > Routing Conf iguration in the tree view . 2. Enter 10 in the OSPF edit box. 3. Enter 40 in the RIP edit box; then click Apply .
9 404 Nokia Network Voyager for IPSO 4.0 Refe rence Guide IPv4 unicast and IPv6 unicast For peering to be established, th e routers must share a capability . If your system is exchanging IPv4 routes over IP v6 or vice versa, use route map commands to set nexthop to match the family o f the routes bein g exchange d.
Nokia Network Voyager for IPSO 4.0 Reference G uide 405 loops in an arbitrary topology . Y ou can also us e path attributes to determine administrative preferences. BGP collapses routes with similar path attributes into a single update for advertise ment.
9 406 Nokia Network Voyager for IPSO 4.0 Refe rence Guide attachment or made a policy decisio n to prefer another route to a networ k destination. Route withdrawals are sent when a router makes a new local decision that a network is no longer reachable.
Nokia Network Voyager for IPSO 4.0 Reference G uide 407 Inbound BGP Route Filters BGP routes can be filtered, or redistributed by AS number or AS path regular expression, or both. BGP stores rejected routes in the routing table w ith a negative pref erence.
9 408 Nokia Network Voyager for IPSO 4.0 Refe rence Guide distributed to other neighbors. The following ta ble displays some spec ial community attributes that a BGP speaker ca n apply . For further details, refer to the commun ities documents, RFCs 1997 and 1998.
Nokia Network Voyager for IPSO 4.0 Reference G uide 409 No special configuration is requir ed on the route reflection clients. From a client perspective, a route reflector is a normal IBGP peer . Any BG P version 4 speaker should be able to be a reflector client.
9 410 Nokia Network Voyager for IPSO 4.0 Refe rence Guide For further details, refer to the confederations specification do cument (RFC 1965 as of this writing). AS1 has seven BGP-speaking routers grouped unde r different routing domains: RDI A, RDI B, and RDI C.
Nokia Network Voyager for IPSO 4.0 Reference G uide 411 Caution Enabling multihop BGP connections is dangerous because BGP speakers might establish a BGP co nnection through a third-p arty AS. This can violate policy considerations and introduce forward ing loops.
9 412 Nokia Network Voyager for IPSO 4.0 Refe rence Guide The TCP MD5 option allows BGP to protect its elf against the intro duction of spoofed TCP segments into the connection stream. T o spoo f a connection using MD5 signed sessions, the attacker not only has to guess TCP sequence numb ers, but also the passw ord included in the MD5 digest.
Nokia Network Voyager for IPSO 4.0 Reference G uide 413 6. For the specific external or ro uting group, enter an IP address in the Local address text box. Note Y ou must configure a local IP address for the sp ecific external or routing grou p for virtual IP for VRRP support to function.
9 414 Nokia Network Voyager for IPSO 4.0 Refe rence Guide Memory Size Base IPSRD is approximately 2 MB Route entry in the local route table is 76 bytes Inbound route entry in the BGP table.
Nokia Network Voyager for IPSO 4.0 Reference G uide 415 Note Make sure th at IPSRD is not swapping mem ory . Look at t he memory size s occupied by user-level daem on s like Ch ec k Poin t, ifm , xpand , et c.
9 416 Nokia Network Voyager for IPSO 4.0 Refe rence Guide 8. Enter 10.50.10.2 in the Add remote peer IP address edit box; then click Apply . 9. Configure an inbound route f ilter for AS 100 according to “BGP Route Inboun d Policy Example” on page 446 T o configure IBGP on Nokia Platform B 1.
Nokia Network Voyager for IPSO 4.0 Reference G uide 417 11 . Enter 10.50.10.1 in the Add remote peer IP address text box 12. Click Apply . T o configure Nokia Platform A as an IBGP peer to Nokia Platform C 1. Click Config on the home page. 2. Click the BGP link in the Ro uting Configuration section.
9 418 Nokia Network Voyager for IPSO 4.0 Refe rence Guide 6. Click External in the Peer g roup type drop -down window; then click Apply . 7. Enter 129.10.21.1 in the Add remote peer IP a ddress text box; then click Apply . 8. Configure route inboun d p olicy according to “BGP Route Inbound Policy Example.
Nokia Network Voyager for IPSO 4.0 Reference G uide 419 3. Follow the steps described in the “T o configure route inbou nd po licy on Nokia Platform D based on an autonomous system number” example. 4. Enter the community ID or the name of one of the spec ial a ttributes in the Community ID/ Special community text box, then click Apply .
9 420 Nokia Network Voyager for IPSO 4.0 Refe rence Guide T o configure MED V alues for all peers of AS200 1. Click BGP under Configuration > Routi ng Configuration in the tree view . 2. Configure EBGP peers in AS10 0 and AS200 according to the “BGP Neighbors Example.
Nokia Network Voyager for IPSO 4.0 Reference G uide 421 5. Enter 100 in MED edit bo x next to the Enable redistri bute bgp routes to AS100 field. 6. Enter necessary information for rout e redistribution according to the “BGP Multi Exit Discriminato r Example” ; then click Apply .
9 422 Nokia Network Voyager for IPSO 4.0 Refe rence Guide T o configure an IBGP peer for Nokia Platform B 1. Enter 100 in the Peer Autonomous Syst em Number text box. 2. Click Internal in the Peer Group ty pe drop-down list; then click Apply . 3. Enter 20.
Nokia Network Voyager for IPSO 4.0 Reference G uide 423 BGP Confederation Example In the above diagram, all the routers belong t o the same Confederation 65525.
9 424 Nokia Network Voyager for IPSO 4.0 Refe rence Guide f. Click On in the All Interfaces field; then click Apply . g. Enter 192.168.40.1 in the Add a new peer text bo x; then click Apply . 3. Create confederation group 6552 8. a. Click BGP under Configuration > Routi ng Configuration i n the tree view .
Nokia Network Voyager for IPSO 4.0 Reference G uide 425 2. Create confederation group 6552 4. a. Click BGP under Configuration > Routi ng Configuration i n the tree view . b. Click the Advanced BGP Options link. c. Enter 65524 in the Peer Autono mous System Number text bo x.
9 426 Nokia Network Voyager for IPSO 4.0 Refe rence Guide Route Reflector Example This example shows configuration for setting up route reflection for BGP .
Nokia Network Voyager for IPSO 4.0 Reference G uide 427 d. Select Internal in the Peer group type drop-down list; then click Apply . 5. Configure parameters for the group. a. Click BGP under Configuration > Routi ng Configuration i n the tree view .
9 428 Nokia Network Voyager for IPSO 4.0 Refe rence Guide 4. Enter 65526 in the Peer Autonomous System Number text box. 5. Click Internal in the Peer Group T y pe drop-down list; then click Apply . 6. Enter 192.168.30.1 in the Add remote peer IP address text box; then click Apply .
Nokia Network Voyager for IPSO 4.0 Reference G uide 429 Communities are used to simplify the BGP inbound and route redi stribution policies. Each community is identified by either an ID or one of the following special community names: no export, no advertise, no subconfed , or none.
9 430 Nokia Network Voyager for IPSO 4.0 Refe rence Guide EBGP Load Balancing Example: Scenario #1 Loopback interfaces are used to configure load balancing for EB GP between two ASes over two parallel links.
Nokia Network Voyager for IPSO 4.0 Reference G uide 431 4. Enter 129.10.2.2 in the Additional Gateway ed it box; then click Apply . 5. Enter 129.10.1.2 in the Additional Gateway edit box; then click Apply . Configuring a S t atic Ro ute on Platform B 1.
9 432 Nokia Network Voyager for IPSO 4.0 Refe rence Guide EBGP Load Balancing Example: Scenario #2 Configuring a Loopback Address on Platform A 1. Configure the interface as in “Ethernet Interfaces.” 2. Click Interfaces under Configuration > Inte rface Configuration in the tree view .
Nokia Network Voyager for IPSO 4.0 Reference G uide 433 5. In the Nexthop field, click on next to EBGP Multihop to enable th e multihop option; then click Apply . 6. (Optional) Enter a value in the TTL text box to set the number of ho ps over which the EBGP multihop session is established.
9 434 Nokia Network Voyager for IPSO 4.0 Refe rence Guide The default value is 60 sec onds. 5. T o make your changes permanent, clic k Save. TCP MD5 Authentication Example Configuring TCP MD5 Authentica tion on Nokia Platform A 1. Configure the interface as in “Ethernet Interfaces.
Nokia Network Voyager for IPSO 4.0 Reference G uide 435 6. Click External in the Peer group t ype drop-down list; then click Apply . The following steps co nfig ure an EB GP peer with MD5 authentication 7. Enter 10.10.10.1 in the Ad d remote peer ip address text box; t hen click Apply .
9 436 Nokia Network Voyager for IPSO 4.0 Refe rence Guide V erification T o verify that yo u h ave configured route da mpening correctly , run the following command in iclid.: s how route bgp suppressed For more information on this command, see “V iewing Routing Protocol Information.
Nokia Network Voyager for IPSO 4.0 Reference G uide 437 T o configure configure a BGP4 session over IPv6 transport 1. Determine whether Route r 1 and Router 2 are directly conn ected. a. If Router 1 and Router 2 are directly connected, use IPv6 addresses of the interface through which they are connected.
9 438 Nokia Network Voyager for IPSO 4.0 Refe rence Guide 4. On Router 1, use this route map by executing the following CLI comman d to send both IPv4 and IPv6 unicast route s to AS 2.
Nokia Network Voyager for IPSO 4.0 Reference G uide 439 Refines —Matches a route only if it is more specific than the given prefix. Range —Matches any route whose IP address equals the given prefix’ s IP address and whose mask length falls within the specified mask length range.
9 440 Nokia Network Voyager for IPSO 4.0 Refe rence Guide BGP Route Redistribution Example Route redistribu tion allows you to redistribute routes from one autonomous system into anot her autonomous system. T o configure BGP route redistribution on Nokia Platform D 1.
Nokia Network Voyager for IPSO 4.0 Reference G uide 441 Protocol Interface Gateway If more than one parameter is specified, they are processed from most genera l (protocol) to most specific (gateway). It is not possible to set metrics for redistributin g RIP routes into RIP or for redistributing IGRP routes into IGRP .
9 442 Nokia Network Voyager for IPSO 4.0 Refe rence Guide categorized as a stub network, mea ning that a particular subne t does not send RIP routing updates.
Nokia Network Voyager for IPSO 4.0 Reference G uide 443 5. T o prevent 192.168.22.0/24 an d other more specific routes from being redistribut ed into OSPF External, define a route filter to restrict only this route as follows: a. T o configure this filter , enter 192.
9 444 Nokia Network Voyager for IPSO 4.0 Refe rence Guide Nokia Platform E of AS 100 and Noki a Platform A of AS 4 are participating in an EBGP session. Nokia Platform F of AS 200 and Nokia Plat form D of AS 4 are also participating in an EBGP session.
Nokia Network Voyager for IPSO 4.0 Reference G uide 445 Inbound Route Filters Inbound route filters allow a network administrato r to restrict or constrain the set of routes accepted by a given routing protocol. The filters let an operator include or exclude ranges of prefixes from the routes that ar e accepted into RIP , IGRP , OS PF and BGP .
9 446 Nokia Network Voyager for IPSO 4.0 Refe rence Guide 5. Enter the appropriate IP addre ss and mask length in the Ne w Route to Fil ter and Mask Length fields; then click Apply . A new set of fields is displayed adjacent to the newly entered IP address and mask length.
Nokia Network Voyager for IPSO 4.0 Reference G uide 447 Note By default, all routes originating from the configur es ASes are accepted. Y ou can accept or reject all routes from a particul a r AS by enabling the accept or restrict option next to the All BGP routes from AS field.
9 448 Nokia Network Voyager for IPSO 4.0 Refe rence Guide 7. T o configure this filter , enter 10.0.0.0 in New IP prefix to impo rt edit box, and 8 in Mask length edit box; then click Apply . 8. Select Refines in the Match type drop-down list. This specifies routes that are stric tly more specific than 10.
Nokia Network Voyager for IPSO 4.0 Reference Guide 449 10 Configuring T raf fic Management This chapter describes traffic management fu nctionality , including a ccess control lists and aggregation classes. T raffic Management Overview T raf fic management functionality allows packet st reams to be filtered, sh aped, or prioritized.
10 450 Nokia Network Voyager for IPSO 4.0 Refe rence Guide by adding delay to packe ts th at must wait for more tokens to arrive in th e bucket. When more bursts arrive than can b e accommodate d by the shap ing queue, then that traf fic is drop ped. Both outgoing and inc oming traf fic streams can be shaped.
Nokia Network Voyager for IPSO 4.0 Reference G uide 451 T o create or delete an ACL 1. Depending on whether you are usin g IPv4 or IPv6, click the following link. a. For IPv4 ACLs, click Access List unde r Conf iguration > T raf fic Management in the tree view .
10 452 Nokia Network Voyager for IPSO 4.0 Refe rence Guide 4. T o remove an ACL from an interface: a. Select Delete for the appropriate inte rface in the Selected Interfaces table b. Click Apply . The interface disappears from th e Selected Interfaces section.
Nokia Network Voyager for IPSO 4.0 Reference G uide 453 Note The DSfield and QueueSpec field are used to mar k and select the priority level. Masks can be applied to most of these prop erties to allow wildca rding. The so urce and destination po rt properties can be edite d only when the IP protocol is UDP , TCP , or th e keyword "any .
10 454 Nokia Network Voyager for IPSO 4.0 Refe rence Guide T able 27 ACL Rule Attributes Attribute Description Action A rule action can be one of the following six actions: • Accept—Forward this traffic stream. • Drop—Silently drop all traffic belonging to this stream.
Nokia Network Voyager for IPSO 4.0 Reference G uide 455 Configuring Aggregation Classes An Aggregation Class (AGC) is used to determ ine whether the traffic stream meets certain throughput goals. T raffic that meets these goals is conformant; traf fic that does not meet these goals is non-conformant.
10 456 Nokia Network Voyager for IPSO 4.0 Refe rence Guide T o create an Aggregation Class 1. Depending on whether you are usin g IPv4 or IPv6, click the following link. a. For IPv4 ACLs, click Aggregation Class unde r Configuration > Traf fic Management in the tree view .
Nokia Network Voyager for IPSO 4.0 Reference G uide 457 Note A rule treats traffic as if it were configur ed for "skip, " if the traffic matches a rule whos e action has been set to "prioritize" or "sh ape " and no Aggregation Class is configured.
10 458 Nokia Network Voyager for IPSO 4.0 Refe rence Guide T o create or delete a queue class 1. Depending on whether you are usin g IPv4 or IPv6, click the following link. a. For IPv4 ACLs, click Queue Class under Configuration > T raffic Management in the tree view .
Nokia Network Voyager for IPSO 4.0 Reference G uide 459 T o associate a queue class with an interface 1. Depending on whether you are usin g IPv4 or IPv6, click the following link. a. For IPv4 ACLs, click Queue Class under Co nfiguration > T raffic Management in the tree view .
10 460 Nokia Network Voyager for IPSO 4.0 Refe rence Guide Note The default A TM QoS Descriptor is set to unspecified bit rate (UBR) and can not be modified. 3. Enter a value for the maximum ce ll rate to be used in the output direction on a CBR channel in the Peak Cell Rate edit box.
Nokia Network Voyager for IPSO 4.0 Reference G uide 461 6. Click the A T M QoS Descriptors link. 7. In the Existing A TM QoS Descriptors field, clic k the Delete check box next to the name of the A TM QoS Descriptor that you want to delete. 8. Click Apply .
10 462 Nokia Network Voyager for IPSO 4.0 Refe rence Guide (Policy Enforcement Points). Th e PDPs are network-based servers that decide which types of traffic (such as voice or video) receive priority treatment. The PEPs are routers that implement the decisions made by the PDPs.
Nokia Network Voyager for IPSO 4.0 Reference G uide 463 4. In the Sequence Number edit box, enter a valu e between 1 and 21474 83647 to define the sequence number us ed for the COPS protocol. Click App l y . 5. In the Key ID field, enter a va lue between 1 and 214748364 7 in the Send edit box to define the send key ID used for the CO PS protocol.
10 464 Nokia Network Voyager for IPSO 4.0 Refe rence Guide Activating and Deactivating the COPS Client Y ou must activate the COPS client to impl ement the COPS module you configure. Y o u can deactivate the COPS client to ha lt the COPS module implementation.
Nokia Network Voyager for IPSO 4.0 Reference G uide 465 4. In the COPS security configuration section, clic k the Delete check box next to the name of the client ID you want to delet e.
10 466 Nokia Network Voyager for IPSO 4.0 Refe rence Guide 5. Click Apply . 6. Click Save to make your changes pe rmanent. Example: Expedited Forwarding This example illustrates the combined use of the Access Control List, T raffic Conditioning, and Queuing features.
Nokia Network Voyager for IPSO 4.0 Reference G uide 467 Note The queue specifier associated with expe dited forwarding queu e is 6. 4. Associate the wan_1_ef queue clas s with the appropriate interface. a. Click Interfaces under Configuration > Inte rface Configuration in the tree view .
10 468 Nokia Network Voyager for IPSO 4.0 Refe rence Guide Note 0xB8 is the IETF dif ferentiated-services codepoint (in hexadecimal) for exped i ted forwarding tr affic. m. Click Apply , and then click Save to make your chan ges permanent. T o test the configuration 1.
Nokia Network Voyager for IPSO 4.0 Reference Guide 469 11 Configuring Router Services This chapter describes how to enable your system to forward broadcast traf fic by enabling the IP Broadcast Helper , forward BOOTP/DHCP traf fic by enabling BOOTP relay , how to enable router discovery , and how to config ure for Network T ime Protocol (NTP).
11 470 Nokia Network Voyager for IPSO 4.0 Refe rence Guide Configuring BOOTP/DHCP Relay Y ou can use Network V oyager to enable B OOTP Relay on each interface. If the interface is enabled for relay , you can set up a number of serve rs to which to forward BOOTP reques ts.
Nokia Network Voyager for IPSO 4.0 Reference G uide 471 T o disable BOOTP relay on an interface 1. Click BOOTP Relay under Configuration > Router Services in the tree view . 2. Select Off for the interface on which you want to disable BOOTP . 3. Click Apply to disable the interface.
11 472 Nokia Network Voyager for IPSO 4.0 Refe rence Guide T o configure the relaying of broadcast UDP packets on your system, use the following procedure. T o configure IP broadcast helper 1. Click IP Broadcast Helper under Configura tion > Route r Services in the tree view .
Nokia Network Voyager for IPSO 4.0 Reference G uide 473 Note Only the server portion of the Router Discove ry Protocol is supported. IPSO implements only the ICMP router discovery server portio n, whi.
11 474 Nokia Network Voyager for IPSO 4.0 Refe rence Guide T o configure the router discovery services on your system, use th e following proced ure . T o enable router discovery services 1. Click Router Discovery under Configuration > Router Services in the tree view .
Nokia Network Voyager for IPSO 4.0 Reference G uide 475 Advertisement Lifetime 5. (Optional) For each IP ad dress on the interfa ce, you can specify the following parameters, described in Ta b l e 3 0 . Advertise Address Preference 6. Click Apply .
11 476 Nokia Network Voyager for IPSO 4.0 Refe rence Guide Configuring NTP Y ou can enable or disable NTP on your syst em; when NTP is active the local clock is synchronized as configured and hosts will be able to set th eir time through this machine.
Nokia Network Voyager for IPSO 4.0 Reference G uide 477 10. (Optional) Enable the NTP reference clock by clicking Y es in the NTP Master field. Note Only enable the NTP reference clock if you cannot r each an NTP server . 11 . Click Apply . The Stratum and Clock source fields appear .
11 478 Nokia Network Voyager for IPSO 4.0 Refe rence Guide.
Nokia Network Voyager for IPSO 4.0 Reference Guide 479 12 Monitoring System Configuration and Hardware This chapter provides informatio n o n monitoring your system.Y ou can use Network V oyager to monitor many aspects of your IP security platfo rm in order to better maintain performance and security .
12 480 Nokia Network Voyager for IPSO 4.0 Refe rence Guide Disk and Swap Sp ace The Disk and Swap Space Utilization page shows sy stem resources use, in cluding disk and swap space use. This page retrieves the updated disk and swap space us e every 20 seconds.
Nokia Network Voyager for IPSO 4.0 Reference G uide 481 IPSO Process Management When you are troubleshoo ting any system, it is helpful to have an unde rstanding of the daemons, or system processes, that are operating in the background. The process monitor (PM) monitors critical No kia IPSO processes.
12 482 Nokia Network Voyager for IPSO 4.0 Refe rence Guide Generating Monitor Report s Y ou can generate reports of data collection even ts. T o generate a report , click the link for the appropriate report un de r Monitor > Reports in the tree view .
Nokia Network Voyager for IPSO 4.0 Reference G uide 483 T o display reports 1. Click the name of the report un der Monitor > Reports in the tree view . 2. Under Select Report T ype, select one of the following: Hourly —Hourly report with a 1-hour di splay up to a maximum of 7 interval day data.
12 484 Nokia Network Voyager for IPSO 4.0 Refe rence Guide Real Memory Used—The percentage of the real memory being used. Disk Capacity—The percentage of the disk space being used. Interface T raffic S tatistics —For each physical and logical interface, shows the current state, input and output bytes, input and output errors .
Nokia Network Voyager for IPSO 4.0 Reference G uide 485 W eb Server Access Log —Shows information about acces ses to the Network V oyager interface using HTTP or HTTPS. Messages incl ude IP Address from which the local host did an http access to the system, user , da te, time, and HTTP acces s command.
12 486 Nokia Network Voyager for IPSO 4.0 Refe rence Guide Time Since Join —T ime since node joined the cluster . W ork Assigned (%) —Percent age of work load assigned to this node.
Nokia Network Voyager for IPSO 4.0 Reference G uide 487 For IPv6, click IPv6 Route Monitor under Monitor > IPv6 Monitor . Displaying Interface Settings T o view the interface settings for your system, click Route under Monitor > Routing Protocols in the tree view .
12 488 Nokia Network Voyager for IPSO 4.0 Refe rence Guide Using the iclid T ool Obtain routing diagnostic inform ation by creating a telnet session on the IP security platform and running iclid (IPSRD command-line interface daemon). T o display routing daemon st atus using iclid 1.
Nokia Network Voyager for IPSO 4.0 Reference G uide 489 bgp Provides a BGP summary . errors A table of BGP errors. groups A table of p arameters and data for each BGP group. detailed Det ailed statistics on BGP groups. summary A summary of st atistics on BGP groups.
12 490 Nokia Network Voyager for IPSO 4.0 Refe rence Guide rep Sum mary of BOOTP relay replies made. Element Category S ubcategor y Description dvmrp Summary of DVMRP state. interface Interface-spe cific state of DVMRP for each DVMRP-enabled interface.
Nokia Network Voyager for IPSO 4.0 Reference G uide 491 Element Category Subcategory De scription memory T otal memory usage in kilobytes. detailed T o tal memory use as well as memory use by each routin g protocol. Element Category Subcategory De scription ospf border routers L ists OSPF border routers and associated codes.
12 492 Nokia Network Voyager for IPSO 4.0 Refe rence Guide stats A comprehensive list of OSPF interface statistics. neighbor Lists OSPF neighbors and associated parameters.
Nokia Network Voyager for IPSO 4.0 Reference G uide 493 igrp Data on IGRP routes. ospf Data on OSPF routes. rip Dat a on RIP routes. static Data on static routes. bgp S tatistics on BGP routes. aspath List of parameters and st atus of BGP AS path. communities S tatus of BGP communities.
12 494 Nokia Network Voyager for IPSO 4.0 Refe rence Guide The following table shows examples of the iclid show command. Preventing Full Log Buffers and Related Console Messages When a significant amo.
Nokia Network Voyager for IPSO 4.0 Reference G uide 495 Note T o perform the following proced ures, use the zap or modzap utility . Y ou can obtain these utilities from the Nokia T echnical Assistance Center (T AC)—refer to Resolution 1261. If you are using FireW all-1 4.
12 496 Nokia Network Voyager for IPSO 4.0 Refe rence Guide Note If the message indicates th at you have insuf f icient resources to accommodate a larger buffer size, take appro priate ac tions and try t his proced ure again. F or further information, cont act Nokia T echnical Assist ance Center (T AC).
Nokia Network Voyager for IPSO 4.0 Refere nce Guide Ind ex - 497 Index A AAA account profile 316 authentication profile 314 configuring new se rvice 313 service module entry 314 service profile 314 se.
Index - 49 8 Nok ia Networ k Voyage r for IPSO 4.0 Reference Guide backup files default contents 169 manually creating 169 restoring from loca l 172 transferrin g 170 backup state, VRRP 202 backups ca.
Nokia Network Voyager for IPSO 4.0 Reference Guide Index - 499 overview 207 PIM 214 static routes 214 three node example 243 transparent mod e 132, 215 upgrading images 217 clusters activating 229 add.
Index - 50 0 Nok ia Networ k Voyage r for IPSO 4.0 Reference Guide daytime service 298 DDNS 153 DDR lists 58 applying to interface 60 rules 60 default route configuring 395 deleting IP address, VRRP c.
Nokia Network Voyager for IPSO 4.0 Reference Guide Index - 501 fan sensors, monitoring 487 FDDI changing dupl ex setting 50 changing IP add ress 50 FIN bits 349 firewall monitoring configuring in clus.
Index - 50 2 Nok ia Networ k Voyage r for IPSO 4.0 Reference Guide tunneling over SSH 311 HTTP daemon error message log 304 HTTPD error log file 485 process 481 I IANAifType MIB 250 ICLID description .
Nokia Network Voyager for IPSO 4.0 Reference Guide Index - 503 IP pools 224 IP source routing 304 IP spoofing 304 IP2250 clustering guidelines 216 link aggregation 37, 201 management p orts 30 transpa.
Index - 50 4 Nok ia Networ k Voyage r for IPSO 4.0 Reference Guide overview 354 M MAC address VRRP 190 mail relay configuring 157 description 156 features 156 sending mail 158 management ports 30, 216.
Nokia Network Voyager for IPSO 4.0 Reference Guide Index - 505 not-so-stubby areas 354 NSSA configuration param eters 358 defined 354 NTP configuring 476 description 475 NTP MIB 252 on clusters 240 O .
Index - 50 6 Nok ia Networ k Voyage r for IPSO 4.0 Reference Guide process monitor 481 Q queue class 449, 450 queue classes associating with interfaces 459 configuring 457 creating 458 queue mode 34 Q.
Nokia Network Voyager for IPSO 4.0 Reference Guide Index - 507 viewing settings 486 routing configuring 351 configuring ranks 402 creating a defa ult route 395 DDR lists 58 default prot oc ol rank 401.
Index - 50 8 Nok ia Networ k Voyage r for IPSO 4.0 Reference Guide troubles hooting 304 viewing certificate and private key 304 states, virtu al router 201 static host deleting 160 static mode VMAC 19.
Nokia Network Voyager for IPSO 4.0 Reference Guide Index - 509 UDP packets forwarding 471 UDP ports IP Broadc ast Helper 472 unit types MIB 250 unnumbered inte rfaces 107 OSPF 110 users adding 290 att.
Index - 51 0 Nok ia Networ k Voyage r for IPSO 4.0 Reference Guide VSZ 480 VTI 140 W watchdog t imer 487 WCHAN (wait channel) 480 web servers access log 485 wheel group 292 X X.
デバイスNokia IPSO 4.0の購入後に(又は購入する前であっても)重要なポイントは、説明書をよく読むことです。その単純な理由はいくつかあります:
Nokia IPSO 4.0をまだ購入していないなら、この製品の基本情報を理解する良い機会です。まずは上にある説明書の最初のページをご覧ください。そこにはNokia IPSO 4.0の技術情報の概要が記載されているはずです。デバイスがあなたのニーズを満たすかどうかは、ここで確認しましょう。Nokia IPSO 4.0の取扱説明書の次のページをよく読むことにより、製品の全機能やその取り扱いに関する情報を知ることができます。Nokia IPSO 4.0で得られた情報は、きっとあなたの購入の決断を手助けしてくれることでしょう。
Nokia IPSO 4.0を既にお持ちだが、まだ読んでいない場合は、上記の理由によりそれを行うべきです。そうすることにより機能を適切に使用しているか、又はNokia IPSO 4.0の不適切な取り扱いによりその寿命を短くする危険を犯していないかどうかを知ることができます。
ですが、ユーザガイドが果たす重要な役割の一つは、Nokia IPSO 4.0に関する問題の解決を支援することです。そこにはほとんどの場合、トラブルシューティング、すなわちNokia IPSO 4.0デバイスで最もよく起こりうる故障・不良とそれらの対処法についてのアドバイスを見つけることができるはずです。たとえ問題を解決できなかった場合でも、説明書にはカスタマー・サービスセンター又は最寄りのサービスセンターへの問い合わせ先等、次の対処法についての指示があるはずです。