Page 1
APPLICATION NOTE
Installing and Configuring the Management Interface Card
Introduction
This document describes how to install and configure the ANG-3000/7000 series
management interface card, an optional third Ethernet port (RJ-45) on the
ANG-3000/7000 series designed for a corporation’s management network
supporting SNMP, Telnet, Ping, HTTP(s) and ftp services. In large enterprises, the
management network is often reserved for the IT department’s discreet handling
of all corporate management functions. To understand how the ANG-3000/7000
series’s management interface can be used in your network, refer to the
illustration below.
NOTE
The management interface is configured through the Command Line
Interface (CLI) only.
Internet
Router
External
interface
HP OpenView
Management Network
Management
interface
Aurorean Network Gateway
Firewall
Web browser
Trus ted
interface
Corporate
network
Figure 1 Management Network Topology
AVN-AN-MGMT-R10 Page 1 of 14
Page 2
Installing the Management Interface Card Application Note
Installing and Configuringthe Management Interface Card
This application note provides step-by-step instructions to perform the following:
H Remove the ANG-3000/7000 series from the rack.
H Install the management interface card
H Replace the ANG-3000/7000 series in its rack and re-cable, including
connecting a cable from the management connector to the management
network.
H Configure the management interface by using the ircipaddr command
H Restrict access to selected IP services on the management interface by using
the ipsecSelector, ipsecRule, and ipsecSpd commands
NOTE
Refer to the application note: ANG Configuration Using the Command Line Interface
for more details about the irc and ipsec commands.
Installing the Management Interface Card
This section describes how to install the management interface card in the
ANG-3000/7000 series Network Gateway (shown in Figure 1 below).
Figure 2 ANG-3000/7000 series
Before You Begin
To start installation, you must access the inside of the ANG. If the ANG is mounted in
a relay-style rack, you can install the card, while the ANG is in the rack, if there is
enough space above the ANG (at least 12 inches of clearance) to open the ANG’s
cover. If there is not enough room you will have to remove the ANG from the rack.
ANG-7050
If the ANG is mounted with sliding rails, you can easily remove it from the rack.
Page 2 of 14 AVN-AN-MGMT-R10
Page 3
Application Note Installing the Management Interface Card
Installing and Configuring the Management Interface Card
Removing the ANG-3000/7000 series from the Rack
To remove the ANG-3000/7000 series from the rack, you must first gracefully shut it
down to avoid hard disk errors. Follow the instructions below:
1. On your desktop, click Start, select Programs and double-click Command
Prompt.
2. Telnet to your ANG. Type: telnet
press
ENTER.
3. Login (the default is
netadmin
4. Type your password (the default is
xxx.xxx.xxx.xxx
) and press ENTER.
netadmin
5. Login as superuser by typing su - and press
(your ANG IP address) and
) and press ENTER.
ENTER.
6. Type the default password welcome and press ENTER.
7. Save the ANG configuration and shut down all Enterasys services by typing
init 0 and press
ENTER.
8. Wait a couple minutes then power off the ANG by holding the power button in
for 4 seconds.
9. Remove the Ethernet cable connections.
10. Unfasten the two screws holding the ANG flanges to the rack as shown in
Figure 3.
11. Slide the ANG out of the rack as far as possible.
12. When the assembly locks, press the lock arm on both sides of the rails to
AVN-AN-MGMT-R10 Page 3 of 14
Remove screws
Figure 3 ANG Fastened to Rack
release the ANG as shown in Figure 4.
Page 4
Installing the Management Interface Card Application Note
Installing and Configuringthe Management Interface Card
Lock arm
Figure 4 Removing the ANG from the Rack
13. Remove the ANG from the rack.
Remove the Cover
Follow the instructions below to remove the cover, which is attached to the ANG by
one screw.
ANG-7000
Cover
mounting
screw
Power Status
Drive
Link
100Mbps
1
Link
100Mb
2
1. Remove the screw holding the cover to the ANG as shown in Figure 5.
Page 4 of 14 AVN-AN-MGMT-R10
Figure 5 Top Cover Mounting Screw Location
Page 5
Application Note Installing the Management Interface Card
Installing and Configuring the Management Interface Card
2. Slide the cover toward the rear of the ANG. It will move back about 1/2 inch.
Press your fingers in the three indents on the cover and apply pressure
toward the rear of the ANG. Refer to Figure 6.
Power Status
Drive
Link
100Mbps
1
Link
100Mb
2
Figure 6 Top Cover Screw Removed
3. From the rear of the ANG,lift the back edge ofthe cover.It will open as shown
in Figure 7.
Aurorean
Network Gateway
External Ethernet
Trusted Ethernet
AVN-AN-MGMT-R10 Page 5 of 14
Figure 7 Cover Removed
Page 6
Installing the Management Interface Card Application Note
Installing and Configuringthe Management Interface Card
Management Interface Card PCI Slot Location
The PCI slots, used to install upgrades, are located as shown in Figure 8.
Management card PCI slot
Card flange holding plate
mounting screws
Figure 8 Hardware PCI Slot Location
Removing the Card Holding Plate
To remove the card flange holding plate, remove the two screws as shown in Figure 8.
The blank inserts for both card locations are now accessible as shown in Figure 9.
Management card blank insert
Page 6 of 14 AVN-AN-MGMT-R10
Figure 9 Card Holding Plate Removed
Page 7
Application Note Installing the Management Interface Card
Installing and Configuring the Management Interface Card
Installing the Management Interface Card
Follow the steps below to install the management interface card (shown in Figure 10).
Figure 10 Management Card
1. Remove the Insert from the back of the ANG as shown in Figure 11.
NOTE
Note how this blank plate is mounted to the back of the ANG. The card flange
will be installed so that it replaces the blank insert.
Management PCI connector
Insert blank
Card flange holding plate
AVN-AN-MGMT-R10 Page 7 of 14
Figure 11 Management Card Insert Blank Removed
Page 8
Installing the Management Interface Card Application Note
Installing and Configuringthe Management Interface Card
2. Flipthemanagement card over so the component side of the card faces down
as show in Figure 12.
Figure 12 Orientation of Management Card for Installation
3. Remove the PCI riser from the unit.
4. Align the management card fingers with the connector as shown in Figure 13
and plug the card into the connector.
Figure 13 PCI Riser and Management Card
5. Align the PCI riser connector fingers with the PCI connector. Set the card
flange over the slots that will capture and hold it to the back of the ANG as
showninFigure14.
Page 8 of 14 AVN-AN-MGMT-R10
Page 9
Application Note Installing the Management Interface Card
Installing and Configuring the Management Interface Card
Figure 14 Aligning the Management Card flange with the PCI Connector
6. Insert the PCI riser into the PCI connector.
7. Replace the card flange holding plate with the two mounting screws.
This holding plate will capture the card flange and hold it securely against the
back of the ANG. Refer to Figure 15.
AVN-AN-MGMT-R10 Page 9 of 14
Figure 15 Management Card Installed
Page 10
Installing the Management Interface Card Application Note
Installing and Configuringthe Management Interface Card
Replace the Cover
In order to replace the cover, reverse the three steps in the section “Remove the
Cover” on page 4.
1. Setthe cover as shown inFigure 7. Placethe front of the cover about 1/2 inch
behind the front edge of the chassis.
2. Make sure the sides of the cover are inside the sides of the cabinet. The slots
on the cover fitover the mounting screw inserts on the side of the chassis and
allow the cover to seat itself on top of the chassis sides.
If the cover does not seat in the chassis sides, the slots are not aligned with the
screw inserts. Move the cover (back or forward) accordingly to allow the
cover to seat itself.
3. Push the cover forward until the screw holes align themselves. See Figure 5.
Re-install ANG-3000/7000 series In the Rack
Refer to the section “Removing the ANG-3000/7000 series from the Rack” on page 3,
and reverse the steps to re-install the ANG in the rack. Reconnect the Ethernet cables
to the back of the ANG.
The RJ-45 management interface connector location is show in Figure 16.
Management connector
Aurorean
Network Gateway
ExternalEthernet
Trusted Ethernet
Figure 16 Management Ethernet Connector Location
Page 10 of 14 AVN-AN-MGMT-R10
Page 11
Application Note Configuring the ANG-3000/7000 series Management Interface
Installing and Configuring the Management Interface Card
Configuring the ANG-3000/7000 series Management Interface
The management interface is configured on the Command Line Interface (CLI) using
the ircipaddr command. You set the IP address, subnet mask and default gateway
IP address just as you would set these parameters for the Trusted interface on the
ANG-3000/7000 series. To do so, perform the following steps:
1. On your desktop, click Start, select Programs and double-click Command
Prompt.
2. Telnet to your ANG. Type: telnet
press
ENTER.
xxx.xxx.xxx.xxx
(your ANG IP address) and
A Unix command prompt will display.
3. Login (the default is
4. Type your password (the default is
5. Change directory to the
netadmin
) and press ENTER.
netadmin
) and press ENTER.
irc directory. Type the followingand press ENTER:
cd /usr/indus/irc
6. Examine the ircipaddr command parameters below.
ircipaddr -n management -i <ANG IP address> -m
<ANG network mask> -g <ANG’s default gateway>
7. Issue the ircipaddr command by typing the following and pressing ENTER.
For example:
ircipaddr -n management -i 212.26.12.143 -m 255.255.255.0
-g 0.0.0.0
8. Enter the ircipaddr -L list command to verify the interface was set. Type
ircipaddr -L and press
ENTER.
Interface IP Address Subnet Mask Default Gateway
trusted 53.110.245.2 255.255.255.0 53.110.245.1
external 123.141.13.21 255.255.255.0 0.0.0.0
management 212.26.12.143 255.255.255.0 0.0.0.0
Configuring IP Security
To manage the IP traffic you will restrict access to, you must define the selector, rules,
and SPD. The SPD is the means by which the rules are bound to the management
interface.
For more detailed configuration information, refer to the Application Note: ANG
Configuration Using the Command Line Interface.
AVN-AN-MGMT-R10 Page 11 of 14
NOTE
Page 12
Configuring the ANG-3000/7000series Management Interface Application Note
Installing and Configuringthe Management Interface Card
To begin configuring IP services, change directory to: /usr/indus/ipsec
Defining the Selector
The following command applies rules to SNMP, TELNET, HTTPS and ICMP protocols
(and their associated port numbers) originating from a Class C, 192.168.100.0 network.
The HTTPS selector identifies the type of traffic that is used to manage the ANG with
the Web Config configuration utility. Note that the defined port number is 8080 rather
than the standard HTTPS port number of 443. This is an Enterasys ANG-specific
implementation; the underlying protocol and security remains standard SSL.
The configuration defines named selectors to reach the “local” interface from the
given “remote” network outside the interface. The combination of protocols and ports
define the IP service to which access is restricted. The specific “local” interface is
specified later when binding the corresponding rule to a particular physical interface
(that is, the management interface).
ipsecSelector -a -n SNMP -o physical -r 192.168.100.0/24 -p UDP -v 161 -w 0
ipsecSelector -a -n TELNET -o physical -r 192.168.100.0/24 -p TCP -v 23 -w 0
ipsecSelector -a -n HTTPS -o physical -r 192.168.100.0/24 -p TCP -v 8080 -w 0
ipsecSelector -a -n ICMP -o physical -r 192.168.100.0/24 -p ICMP
The command switches are defined as follows:
-a Adds a Selector
-n Defines the Selector name (SNMP, TELNET ,HTTP(S), ICMP, for example)
-o Sets the local address - virtual or physical (the address of the interface the selector is
applied to)
-r Specifies the remote address
-p Specifies the protocol (ANY, TCP, UDP, ICMP, GRE)
-v Sets the local port number (0 for any)
-w Sets the remote local port number (0 for any)
Defining the Rules
After the Selectors have been configured, you must define the rules the ANG will use
to perform a particular action on the selectors. The following command applies the
pass Rule to all selectors.
ipsecRule -a -n SNMP -s SNMP -w pass
ipsecRule -a -n TELNET -s TELNET -w pass
Page 12 of 14 AVN-AN-MGMT-R10
Page 13
Application Note Configuring the ANG-3000/7000 series Management Interface
Installing and Configuring the Management Interface Card
ipsecRule -a -n HTTPS -s HTTPS -w pass
ipsecRule -a -n ICMP -s ICMP -w pass
The command switches are defined as follows
-a Adds a Rule
-n Defines the Rule name
-s Specifies the Selector name
-w Defines the action taken on matchingpackets (Process, Drop or Pass)
:
Defining the SPD
After the Rules have been stipulated, you must bind the Rules to the management
interface of the ANG-3000/7000 series with a Security Policy Database (SPD).
The implicit rule is to drop all traffic and is applied at the end of the list of rules
defined in the SPD. The example below restricts SNMP, TELNET, HTTPS and ICMP
traffic to the Management Interface from the 192.168.100.0 network. Similar services
can be defined and applied to this or any other interface on the ANG.
The following command specifies the SPD:
ipsecSpd -a -n management -r 'SNMP;TELNET;HTTPS;ICMP'
The command switches are defined as follows
-a Adds an SPD entry
-n Specifies the Management Interfacename
-r Specifies the Rule name or a separated list of Rule names (with a semi-colon). Rules
are bracketed by quotations
:
Configuration is now complete.
AVN-AN-MGMT-R10 Page 13 of 14
Page 14
Technical Support Application Note
Installing and Configuringthe Management Interface Card
Technical Support
If you experience problems while installing the management interface card,
Enterasys Networks recommends that you first contact your network
administrator or corporate help desk. Using the diagnostic tools provided by
Aurorean equipment at the corporate site, they can help you isolate and resolve
most connection problems.
When you contact your network administrator or corporate help desk, please
have the following information available:
H The version of the Aurorean Network Gateway system software you are
running. Detailed information can be obtained by telnetting to the ANG,
changing directory to /usr/indus, typing version.txt and pressing
Enter. The current Aurorean Virtual Network release number and name,
patch and build numbers will display.
H Details about any recent configuration changes or new applications you
may have installed, if applicable.
Contacting Enterasys Networks
For more information about Enterasys Networks, consult the following table:
U.S. Office
Address 35 Industrial Way
Phone 1-877-641-7400
Fax (603) 337-2211
Internet http://www.enterasys.com
Sales 1-877-641-7400
Support Call the Enterasys GTAC at
Please include your name, title, company, and phone number in all correspondence.
Enterasys Networks offers 7x24 customer support by calling 1-800-872-8440 or by
sending E-mail to support@enterasys.com.
Aurorean Network Gateway ©2001 Enterasys Networks. All rights reserved. This publication contains
information that is the property of Enterasys Networks. Information in this publication is subject to change
without notice. Enterasys Networks assumes no responsibility for errors or omissions in this publication or
for the use of this material.
The Enterasys Networks logo is a trademark of Enterasys Networks.
Rochester, NH 03866
www.enterasys.com
1-800-872-8440 or email us at
support@enterasys.com
Microsoft, MS, and MS-DOS are registered trademarks and Windows, Windows 95, Windows 98, Windows
NT, Windows 2000 Professional and Windows Millennium are trademarks of Microsoft Corporation in the
USA and other countries.
Other trademarks, trade names, and copyrights used in this publication belong to their respective owners.
Page 14 of 14 AVN-AN-MGMT-R10
Loading...