Nokia IPSO 4.0 User Manual

Download

Page 1

Nokia Network Voyager

for IPSO 4.0

Reference Guide

Part No. N451818001 Rev A

Published October 2005

Page 2

RESTRICTED RIGHTS LEGEND

Use, duplication, or disclosure by the United States Government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013.

Notwithstanding any other license agreement that may pertain to, or accompany the delivery of, this computer software, the rights of the United States Government regarding its use, reproduction, and disclosure are as set forth in the Commercial Computer Software-Restricted Rights clause at FAR52.227-19.

IMPORTANT NOTE TO USERS

This software and hardware is provided by Nokia Inc. as is and any express or implied warranties, including, but not limited to, implied warranties of merchantability and fitness for a particular purpose are disclaimed. In no event shall Nokia, or its affiliates, subsidiaries or suppliers be liable for any direct, indirect, incidental, special, exemplary, or consequential damages (including, but not limited to, procurement of substitute goods or services; loss of use, data, or profits; or business interruption) however caused and on any theory of liability, whether in contract, strict liability, or tort (including negligence or otherwise) arising in any way out of the use of this software, even if advised of the possibility of such damage.

Nokia reserves the right to make changes without further notice to any products herein.

TRADEMARKS

Nokia is a registered trademark of Nokia Corporation. Other products mentioned in this document are trademarks or registered trademarks of their respective holders.

050110

Nokia Contact Information Corporate Headquarters

Web Site http://www.nokia.com Telephone 1-888-477-4566 or

1-650-625-2000

2 Nokia Network Voyager for IPSO 4.0 Reference Guide

Page 3

Fax 1-650-691-2170 Mail

Address

Regional Contact Information

Nokia Inc. 313 Fairchild Drive Mountain View, California 94043-2215 USA

Americas Nokia Inc.

Europe, Middle East, and Africa

Asia-Pacific 438B Alexandra Road

Nokia Customer Support

Web Site: https://support.nokia.com/ Email: tac.support@nokia.com Americas Europe Voice: 1-888-361-5030 or

Fax: 1-613-271-8782 Fax: +44 (0) 125-286-5666 Asia-Pacific Voice: +65-67232999 Fax: +65-67232897

313 Fairchild Drive Mountain View, CA 94043-2215 USA

Nokia House, Summit Avenue Southwood, Farnborough Hampshire GU14 ONG UK

#07-00 Alexandra Technopark Singapore 119968

1-613-271-6721

Te l: 1-877-997-9199 Outside USA and Canada: +1 512-437-7089 email: info.ipnetworking_americas@nokia.com

Tel: UK: +44 161 601 8908 Tel: France: +33 170 708 166 email: info.ipnetworking_emea@nokia.com

Tel: +65 6588 3364 email: info.ipnetworking_apac@nokia.com

Voice: +44 (0) 125-286-8900

050602

Nokia Network Voyager for IPSO 4.0 Reference Guide 3

Page 4

4 Nokia Network Voyager for IPSO 4.0 Reference Guide

Page 5

About the Nokia Network Voyager Reference Guide . . . . . . . . .19

Conventions This Guide Uses . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21

Notices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21

Text Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21

Menu Items . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22

Related Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22

1 About Network Voyager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

Software Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

Logging In to Network Voyager . . . . . . . . . . . . . . . . . . . . . . . . . . . 24

Logging Off . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24

Obtaining a Configuration Lock. . . . . . . . . . . . . . . . . . . . . . . . . . 25

Navigating in Network Voyager . . . . . . . . . . . . . . . . . . . . . . . . . . . 26

Reloading Pages. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26

Accessing Documentation and Help . . . . . . . . . . . . . . . . . . . . . . 26

Viewing Hardware and Software Information for Your System . . . 28

2 Configuring Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29

Interface Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29

IP2250 Management Ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30

Configuring Network Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . 30

Configuring IP Addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31

Interface Status. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32

Nokia Network Voyager IPSO 4.0 Refere nc e Guid e 5

Page 6

Configuring Tunnel Interfaces. . . . . . . . . . . . . . . . . . . . . . . . . . . 33

Ethernet Interfaces. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34

Configuring Ethernet Interfaces. . . . . . . . . . . . . . . . . . . . . . . . . . 34

Link Aggregation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35

Managing Link Aggregation Using SNMP. . . . . . . . . . . . . . . . . . 36

Configuring Switches for Link Aggregation . . . . . . . . . . . . . . . . . 36

Static Link Aggregation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37

Link Aggregation on the IP2250 . . . . . . . . . . . . . . . . . . . . . . . . . 37

Configuring Link Aggregation . . . . . . . . . . . . . . . . . . . . . . . . . . . 39

Gigabit Ethernet Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41

Point-to-Point Over Ethernet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43

Configuring PPPoE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43

Configuring MSS Clamping . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46

Virtual LAN Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46

FDDI Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49

ISDN Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51

Configuring Calling Line-Identification Screening . . . . . . . . . . . . 56

Dial-on-Demand Routing (DDR) Lists. . . . . . . . . . . . . . . . . . . . . 58

ISDN Network Configuration Example . . . . . . . . . . . . . . . . . . . . 61

ISDN Troubleshooting. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65

Token Ring Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71

Token Ring Example. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73

Point-to-Point Link over ATM. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75

ATM Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78

IP over ATM (IPoA) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79

IPoA Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82

Serial (V.35 and X.21) Interfaces. . . . . . . . . . . . . . . . . . . . . . . . . . 83

Serial Interface Example. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87

T1(with Built-In CSU/DSU) Interfaces . . . . . . . . . . . . . . . . . . . . . . 88

T1 Interface Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94

E1 (with Built-In CSU/DSU) Interfaces. . . . . . . . . . . . . . . . . . . . . . 96

HSSI Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103

Unnumbered Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107

6 No kia Network Voyager IPSO 4.0 Reference Guide

Page 7

Configuring Unnumbered Interfaces . . . . . . . . . . . . . . . . . . . . . 107

Configuring OSPF over Unnumbered Interface . . . . . . . . . . . . 110

OSPF over Unnumbered Interfaces Using Virtual Links. . . . . . 110

Cisco HDLC Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111

Point-to-Point Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112

Frame Relay Protocol. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114

Loopback Interfaces. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117

GRE Tunnels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118

Configuring GRE Tunnels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118

GRE Tunnel Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121

High Availability GRE Tunnels . . . . . . . . . . . . . . . . . . . . . . . . . 122

HA GRE Tunnel Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122

DVMRP Tunnels. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125

DVMRP Tunnel Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126

ARP Table Entries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128

Configuring ARP for ATM Interfaces . . . . . . . . . . . . . . . . . . . . . . 130

Transparent Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132

Limitations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132

Transparent Mode Processing Details . . . . . . . . . . . . . . . . . . . 133

Configuring Transparent Mode in VPN Environments . . . . . . . 134

Example of Transparent Mode . . . . . . . . . . . . . . . . . . . . . . . . . 135

Configuring Transparent Mode . . . . . . . . . . . . . . . . . . . . . . . . . 136

Monitoring Transparent Mode Groups . . . . . . . . . . . . . . . . . . . 139

Transparent Mode and Check Point NGX . . . . . . . . . . . . . . . . 139

Virtual Tunnel Interfaces (FWVPN) for Route-Based VPN . . . . . 140

Creating Virtual Tunnel Interfaces. . . . . . . . . . . . . . . . . . . . . . . 142

3 Configuring System Functions . . . . . . . . . . . . . . . . . . . . . . . . 145

Configuring DHCP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145

Configuring DHCP Client Interfaces . . . . . . . . . . . . . . . . . . . . . 146

DHCP Client Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . 146

Configuring the DHCP Server. . . . . . . . . . . . . . . . . . . . . . . . . . 147

DHCP Server Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . 148

Nokia Network Voyager IPSO 4.0 Refere nc e Guid e 7

Page 8

Changing DHCP Service. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149

Adding DHCP Address Pools . . . . . . . . . . . . . . . . . . . . . . . . . . 149

Enabling or Disabling DHCP Address Pools. . . . . . . . . . . . . . . 150

Assigning a Fixed-IP Address to a Client . . . . . . . . . . . . . . . . . 150

Creating DHCP Client Templates . . . . . . . . . . . . . . . . . . . . . . . 151

Configuring Dynamic Domain Name System Service. . . . . . . . 153

Configuring the Domain Name Service . . . . . . . . . . . . . . . . . . . . 154

Configuring Disk Mirroring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154

Using an Optional Disk (Flash-Based Systems Only) . . . . . . . . . 155

Mail Relay . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156

System Failure Notification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157

Configuring Mail Relay . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157

Sending Mail . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158

Setting the System Time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158

Configuring Host Addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159

Configuring System Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160

Configuring Logging on Disk-Based Systems. . . . . . . . . . . . . . 160

Configuring Logging on Flash-Based Systems. . . . . . . . . . . . . 161

Configuring Audit Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163

Remote Core Dump Server on Flash-Based Systems. . . . . . . . . 165

Changing the Hostname . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166

Managing Configuration Sets. . . . . . . . . . . . . . . . . . . . . . . . . . . . 166

Scheduling Jobs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167

Backing Up and Restoring Files. . . . . . . . . . . . . . . . . . . . . . . . . . 168

Creating Backup Files. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169

Transferring Backup Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170

Restoring Files from Locally Stored Backup Files. . . . . . . . . . . 172

Managing Nokia IPSO Images. . . . . . . . . . . . . . . . . . . . . . . . . . . 173

Changing Current Image. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173

Deleting Images . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173

Installing New Images. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174

Testing a New Image . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175

Upgrading Nokia IPSO Images for a Cluster. . . . . . . . . . . . . . . 176

8 No kia Network Voyager IPSO 4.0 Reference Guide

Page 9

Downgrading Nokia IPSO Images. . . . . . . . . . . . . . . . . . . . . . . 176

Configuring Monitor Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177

Managing Packages. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178

Installing and Enabling Packages . . . . . . . . . . . . . . . . . . . . . . . 178

Advanced System Tuning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180

Tuning the TCP/IP Stack. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180

Router Alert IP Option . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181

4 Virtual Router Redundancy Protocol (VRRP) . . . . . . . . . . . . . 183

VRRP Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183

How VRRP Works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183

Understanding Monitored-Circuit VRRP. . . . . . . . . . . . . . . . . . . . 186

Configuring VRRP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186

Selecting Configuration Parameters . . . . . . . . . . . . . . . . . . . . . 187

Before you Begin. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 191

Configuring Monitored-Circuit VRRP. . . . . . . . . . . . . . . . . . . . . 192

Configuring VRRPv2. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196

Configuring Check Point NGX for VRRP . . . . . . . . . . . . . . . . . . . 197

Configuring VRRP Rules for Check Point NGX . . . . . . . . . . . . 199

Link Aggregation (IP2250 Systems Only) . . . . . . . . . . . . . . . . . 201

Monitoring VRRP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201

Monitoring the Firewall State. . . . . . . . . . . . . . . . . . . . . . . . . . . 203

Troubleshooting VRRP. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203

General Configuration Considerations . . . . . . . . . . . . . . . . . . . 203

Firewall Policies. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204

Access Control Lists . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204

Switched Environments. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205

5 Configuring Clustering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207

IP Clustering Description . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207

Using Flash-Based Platforms . . . . . . . . . . . . . . . . . . . . . . . . . . 207

Example Cluster . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 208

Cluster Management. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 209

Nokia Network Voyager IPSO 4.0 Refere nc e Guid e 9

Page 10

Cluster Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 210

Clustering Modes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 212

Considerations for Clustering . . . . . . . . . . . . . . . . . . . . . . . . . . 214

If You Do Not Use a Dedicated Primary Cluster

Protocol Network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 217

Upgrading IPSO in a Cluster . . . . . . . . . . . . . . . . . . . . . . . . . . . . 217

For All Upgrades . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 218

Upgrading from IPSO 3.7 or Later. . . . . . . . . . . . . . . . . . . . . . . 218

Upgrading from IPSO 3.6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 218

Creating and Configuring a Cluster . . . . . . . . . . . . . . . . . . . . . . . 220

Configuration Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 220

Creating a Cluster . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 220

Selecting the Cluster Mode. . . . . . . . . . . . . . . . . . . . . . . . . . . . 221

Configuring the Work Assignment Method . . . . . . . . . . . . . . . . 221

Configuring an Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 222

Configuring Firewall Monitoring. . . . . . . . . . . . . . . . . . . . . . . . . 223

Supporting Non-Check Point Gateways and Clients. . . . . . . . . 223

Configuring Join-Time Shared Features . . . . . . . . . . . . . . . . . . 226

Making the Cluster Active . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 229

Adding a Node to a Cluster . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 229

Recommended Procedure . . . . . . . . . . . . . . . . . . . . . . . . . . . . 230

Joining a System to a Cluster . . . . . . . . . . . . . . . . . . . . . . . . . . 231

Managing a Cluster . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 231

Using Cluster Voyager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 232

Synchronizing the Time on Cluster Nodes . . . . . . . . . . . . . . . . 239

Configuring NGX for Clustering . . . . . . . . . . . . . . . . . . . . . . . . . . 241

Clustering Example (Three Nodes) . . . . . . . . . . . . . . . . . . . . . . . 243

Configuring the Cluster in Voyager . . . . . . . . . . . . . . . . . . . . . . 244

Configuring the Internal and External Routers . . . . . . . . . . . . . 245

Clustering Example With Non-Check Point VPN . . . . . . . . . . . 246

10 Nokia Network Voyager IPSO 4.0 Reference Guide

Page 11

6 Configuring SNMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249

SNMP Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249

SNMP Proxy Support for Check Point MIB . . . . . . . . . . . . . . . . . 252

Using the Check Point MIB . . . . . . . . . . . . . . . . . . . . . . . . . . . . 253

Using cpsnmp_start. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 253

Enabling SNMP and Selecting the Version . . . . . . . . . . . . . . . . . 254

Configuring the System for SNMP . . . . . . . . . . . . . . . . . . . . . . . . 255

Setting an Agent Address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 255

Configuring Traps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 256

Interpreting Error Messages. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 260

Configuring SNMPv3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 262

Request Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 263

Managing SNMP Users. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 263

7 Configuring IPv6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 267

IPv6 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 267

Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 268

IPv6 and IPv4 Compatibility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 270

Configuring IPv6 in IPv4 Tunnels . . . . . . . . . . . . . . . . . . . . . . . 270

Configuring IPv6 to IPv4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 271

Configuring IPv6 over IPv4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . 271

Configuring IPv4 in IPv6 Tunnels . . . . . . . . . . . . . . . . . . . . . . . 272

Configuring an IPv6 Default or Static Route . . . . . . . . . . . . . . . 272

Routing Configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 273

Configuring OSPFv3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 273

Configuring RIPng. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 273

Creating IPv6 Aggregate Routes. . . . . . . . . . . . . . . . . . . . . . . . 273

Creating Redistributed Routes . . . . . . . . . . . . . . . . . . . . . . . . . 274

Router Discovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 275

Configuring ICMPv6 Router Discovery . . . . . . . . . . . . . . . . . . . 275

VRRP for IPv6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 277

Configuring VRRP for IPv6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . 277

Creating a Virtual Router for an IPv6 Interface

Nokia Network Voyager IPSO 4.0 Refere nc e Guid e 1 1

Page 12

Using VRRPv3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 278

Creating a Virtual Router to Back Up Another VRRP

Router Addresses Using VRRPv3 . . . . . . . . . . . . . . . . . . . . . 278

Monitoring the Firewall State. . . . . . . . . . . . . . . . . . . . . . . . . . . 279

Setting a Virtual MAC Address for a Virtual Router. . . . . . . . . . 280

Changing the IP Address List of a Virtual Router in VRRPv3. . 281

Removing a Virtual Router in VRRPv3 . . . . . . . . . . . . . . . . . . . 281

Creating a Virtual Router in Monitored Circuit Mode for IPv6. . 282 Setting Interface Dependencies for a Monitored Circuit

Virtual Router for IPv6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 283

Changing the List of Addresses in a Monitored Circuit

Virtual Router for IPv6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 284

Traffic Management. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 284

Security and Access Configuration . . . . . . . . . . . . . . . . . . . . . . . 285

8 Managing Security and Access . . . . . . . . . . . . . . . . . . . . . . . . 287

Managing Passwords. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 287

Managing User Accounts. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 288

Adding and Deleting Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . 289

Managing and Using S/Key. . . . . . . . . . . . . . . . . . . . . . . . . . . . 290

Managing Groups. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 292

Role-Based Administration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 293

Managing Roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 294

Assigning Roles and Access Mechanisms to Users. . . . . . . . . 295

Creating Cluster Administrator Users . . . . . . . . . . . . . . . . . . . . 296

Configuring Network Access and Services . . . . . . . . . . . . . . . . . 297

Configuring a Modem on COM2, COM3, or COM4. . . . . . . . . . 298

Configuring Nokia Network Voyager Access . . . . . . . . . . . . . . . . 300

Configuring Basic Nokia Network Voyager Options . . . . . . . . . 301

Generating and Installing SSL/TLS Certificates . . . . . . . . . . . . 302

Secure Shell (SSH) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 304

Initial SSH Configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 305

Configuring Advanced Options for SSH . . . . . . . . . . . . . . . . . . 306

12 Nokia Network Voyager IPSO 4.0 Reference Guide

Page 13

Configuring Secure Shell Authorized Keys . . . . . . . . . . . . . . . . 308

Changing Secure Shell Key Pairs. . . . . . . . . . . . . . . . . . . . . . . 309

Managing User RSA and DSA Identities. . . . . . . . . . . . . . . . . . 310

Tunneling HTTP Over SSH. . . . . . . . . . . . . . . . . . . . . . . . . . . . 311

Network Voyager Session Management . . . . . . . . . . . . . . . . . . . 311

Enabling Enabling or Disabling Session Management . . . . . . . 312

Configuring Session Timeouts . . . . . . . . . . . . . . . . . . . . . . . . . 312

Authentication, Authorization, and Accounting (AAA) . . . . . . . . . 313

Creating an AAA Configuration. . . . . . . . . . . . . . . . . . . . . . . . . 313

Configuring RADIUS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 319

Configuring TACACS+ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 321

Deleting an AAA Authentication Server Configuration . . . . . . . 322

Changing an AAA Configuration . . . . . . . . . . . . . . . . . . . . . . . . 323

Deleting an AAA Configuration . . . . . . . . . . . . . . . . . . . . . . . . . 327

Encryption Acceleration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 327

Enabling Encryption Accelerator Cards. . . . . . . . . . . . . . . . . . . 328

Monitoring Cryptographic Acceleration . . . . . . . . . . . . . . . . . . . 328

IPSec Tunnels (IPSO Implementation) . . . . . . . . . . . . . . . . . . . . 328

Using PKI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 332

IPSec Implementation in IPSO . . . . . . . . . . . . . . . . . . . . . . . . . 332

IPSec Parameters. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 334

Creating an IPSec Policy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 335

Creating an IPSec Tunnel Rule. . . . . . . . . . . . . . . . . . . . . . . . . 341

Transport Rule. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 342

IPSec Tunnel Rule Example . . . . . . . . . . . . . . . . . . . . . . . . . . . 344

IPSec Transport Rule Example. . . . . . . . . . . . . . . . . . . . . . . . . 346

Changing the Local/Remote Address or Local/Remote

Endpoint of an IPSec Tunnel . . . . . . . . . . . . . . . . . . . . . . . . . 348

Removing an IPSec Tunnel. . . . . . . . . . . . . . . . . . . . . . . . . . . . 348

Miscellaneous Security Settings. . . . . . . . . . . . . . . . . . . . . . . . . . 349

9 Configuring Routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 351

Routing Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 351

Nokia Network Voyager IPSO 4.0 Refere nc e Guid e 1 3

Page 14

Routing Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 351

Route Maps. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 353

OSPF . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 353

Types of Areas . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 354

Area Border Routers. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 355

High Availability Support for OSPF . . . . . . . . . . . . . . . . . . . . . . 355

Configuring OSPF. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 356

RIP. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 365

RIP 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 365

RIP 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 366

Virtual IP Address Support for VRRP . . . . . . . . . . . . . . . . . . . . 366

Configuring RIP. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 367

Configuring RIP Timers. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 368

Configuring Auto-Summarization . . . . . . . . . . . . . . . . . . . . . . . 369

RIP Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 369

PIM. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 370

Configuring Virtual IP Support for VRRP. . . . . . . . . . . . . . . . . . 371

PIM Support for IP Clustering . . . . . . . . . . . . . . . . . . . . . . . . . . 371

Configuring Dense-Mode PIM. . . . . . . . . . . . . . . . . . . . . . . . . . 373

Disabling PIM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 374

Setting Advanced Options for Dense-Mode PIM (Optional) . . . 375

Configuring Sparse-Mode PIM . . . . . . . . . . . . . . . . . . . . . . . . . 376

Configuring High-Availability Mode . . . . . . . . . . . . . . . . . . . . . . 377

Configuring this Router as a Candidate Bootstrap and

Candidate Rendezvous Point. . . . . . . . . . . . . . . . . . . . . . . . . 379

Configuring a PIM-SM Static Rendezvous Point. . . . . . . . . . . . 380

Setting Advanced Options for Sparse-Mode PIM (Optional). . . 381

Debugging PIM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 383

IGRP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 385

Generation of Exterior Routes. . . . . . . . . . . . . . . . . . . . . . . . . . 387

Aliased Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 388

IGRP Aggregation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 388

14 Nokia Network Voyager IPSO 4.0 Reference Guide

Page 15

Configuring IGRP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 388

DVMRP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 390

Configuring DVMRP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 391

Configuring DVMRP Timers . . . . . . . . . . . . . . . . . . . . . . . . . . . 391

IGMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 392

Configuring IGMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 393

Static Routes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 394

Adding and Managing Static Routes Example . . . . . . . . . . . . . 397

Backup Static Routes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 398

Route Aggregation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 398

Route Aggregation Example . . . . . . . . . . . . . . . . . . . . . . . . . . . 400

Route Rank . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 401

Rank Assignments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 401

Routing Protocol Rank Example . . . . . . . . . . . . . . . . . . . . . . . . 402

BGP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 403

Support for BGP-4++. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 403

BGP Sessions (Internal and External). . . . . . . . . . . . . . . . . . . . 404

BGP Path Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 404

BGP Multi-Exit Discriminator. . . . . . . . . . . . . . . . . . . . . . . . . . . 406

BGP Interactions with IGPs. . . . . . . . . . . . . . . . . . . . . . . . . . . . 406

Inbound BGP Route Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . 407

Redistributing Routes to BGP . . . . . . . . . . . . . . . . . . . . . . . . . . 407

Communities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 407

Route Reflection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 408

Confederations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 409

EBGP Multihop Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 410

Route Dampening . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 411

TCP MD5 Authentication. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 411

BGP Support for Virtual IP for VRRP . . . . . . . . . . . . . . . . . . . . 412

BGP Support for IP Clustering . . . . . . . . . . . . . . . . . . . . . . . . . 413

BGP Memory Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . 413

BGP Neighbors Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 415

Path Filtering Based on Communities Example . . . . . . . . . . . . 418

Nokia Network Voyager IPSO 4.0 Refere nc e Guid e 1 5

Page 16

BGP Multi Exit Discriminator Example . . . . . . . . . . . . . . . . . . . 419

Changing the Local Preference Value Example . . . . . . . . . . . . 421

BGP Confederation Example . . . . . . . . . . . . . . . . . . . . . . . . . . 423

Route Reflector Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 426

BGP Community Example. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 428

EBGP Load Balancing Example: Scenario #1 . . . . . . . . . . . . . 430

EBGP Load Balancing Example: Scenario #2 . . . . . . . . . . . . . 432

Adjusting BGP Timers Example . . . . . . . . . . . . . . . . . . . . . . . . 433

TCP MD5 Authentication Example . . . . . . . . . . . . . . . . . . . . . . 434

BGP Route Dampening Example . . . . . . . . . . . . . . . . . . . . . . . 435

BGP Path Selection. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 436

BGP-4++ Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 436

Route Redistribution. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 438

Redistributing Routes to BGP . . . . . . . . . . . . . . . . . . . . . . . . . . 439

Redistributing Routes to RIP and IGRP . . . . . . . . . . . . . . . . . . 440

Redistributing OSPF to BGP Example . . . . . . . . . . . . . . . . . . . 443

Redistributing Routes with OSPF . . . . . . . . . . . . . . . . . . . . . . . 444

Inbound Route Filters. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 445

BGP Route Inbound Policy Example. . . . . . . . . . . . . . . . . . . . . 446

BGP AS Path Filtering Example . . . . . . . . . . . . . . . . . . . . . . . . 448

10 Configuring Traffic Management . . . . . . . . . . . . . . . . . . . . . . . 449

Traffic Management Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . 449

Packet Filtering Description. . . . . . . . . . . . . . . . . . . . . . . . . . . . 449

Traffic Shaping Description. . . . . . . . . . . . . . . . . . . . . . . . . . . . 449

Traffic Queuing Description. . . . . . . . . . . . . . . . . . . . . . . . . . . . 450

Configuring Access Control Lists . . . . . . . . . . . . . . . . . . . . . . . . . 450

Configuring ACL Rules. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 452

Modifying a Rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 453

Configuring Aggregation Classes. . . . . . . . . . . . . . . . . . . . . . . . . 455

Configuring Queue Classes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 457

Configuring ATM QoS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 459

Configuring Common Open Policy Server. . . . . . . . . . . . . . . . . . 461

16 Nokia Network Voyager IPSO 4.0 Reference Guide

Page 17

Configuring a COPS Client ID and Policy Decision Point . . . . . 462

Configuring Security Parameters for a COPS Client ID . . . . . . 462

Assigning Roles to Specific Interfaces . . . . . . . . . . . . . . . . . . . 463

Activating and Deactivating the COPS Client . . . . . . . . . . . . . . 464

Changing the Client ID Associated with Specific Diffserv

Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 464

Deleting a Client ID . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 464

Example: Rate Shaping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 465

Example: Expedited Forwarding . . . . . . . . . . . . . . . . . . . . . . . . 466

11 Configuring Router Services . . . . . . . . . . . . . . . . . . . . . . . . . . 469

BOOTP/DHCP Relay . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 469

Configuring BOOTP/DHCP Relay. . . . . . . . . . . . . . . . . . . . . . . 470

IP Broadcast Helper. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 471

Router Discovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 472

Router Discovery Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . 473

Configuring Router Discovery . . . . . . . . . . . . . . . . . . . . . . . . . . 473

Network Time Protocol (NTP) . . . . . . . . . . . . . . . . . . . . . . . . . . . 475

Configuring NTP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 476

12 Monitoring System Configuration and Hardware . . . . . . . . . . 479

Viewing System Utilization Statistics . . . . . . . . . . . . . . . . . . . . . . 479

CPU-Memory Live Utilization . . . . . . . . . . . . . . . . . . . . . . . . . . 479

Disk and Swap Space. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 480

Monitoring Process Utilization. . . . . . . . . . . . . . . . . . . . . . . . . . 480

IPSO Process Management . . . . . . . . . . . . . . . . . . . . . . . . . . . 481

Generating Monitor Reports. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 482

Monitoring System Health . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 483

Monitoring System Logs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 484

Viewing Cluster Status and Members . . . . . . . . . . . . . . . . . . . . . 485

Viewing Routing Protocol Information . . . . . . . . . . . . . . . . . . . . . 486

Displaying the Kernel Forwarding Table . . . . . . . . . . . . . . . . . . 486

Displaying Route Settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 486

Nokia Network Voyager IPSO 4.0 Refere nc e Guid e 1 7

Page 18

Displaying Interface Settings. . . . . . . . . . . . . . . . . . . . . . . . . . . 487

Hardware Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 487

Using the iclid Tool. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 488

iclid Commands. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 488

Preventing Full Log Buffers and Related Console Messages . . . 494

Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 497

18 Nokia Network Voyager IPSO 4.0 Reference Guide

Page 19

About the Nokia Network Voyager Reference Guide

This guide provides information about how to configure and monitor Nokia IPSO systems. This guide provides conceptual information about system features and instructions on how to perform tasks using Nokia Network Voyager, the Web-based interface for IPSO. All of the tasks that you perform with Network Voyager you can also perform with the command-line interface (CLI), allowing you to choose the interface you are most comfortable with. For information specific to the CLI, see the CLI Reference Guide for Nokia IPSO.

This guide is intended for experienced network administrators who configure and manage Nokia IP security platforms. It assumes a working knowledge of networking and TCP/IP protocol principals and some experience with UNIX-based systems.

This guide is organized into the following chapters:

 Chapter 1, “About Network Voyager” describes the IPSO operating

system, Nokia Network Voyager, how to use Network Voyager, and how to access documentation and help pages.

 Chapter 2, “Configuring Interfaces” describes how to configure and

monitor interfaces.

 Chapter 3, “Configuring System Functions” describes how to configure

basic system functions such as DHCP, DNS, disk mirroring, mail relay, system failure notification, system time, host entries, system logging, and

Nokia Network Voyager for IPSO 4.0 Reference Guide 19

Page 20

About the Nokia Network Voyager Reference Guide

the hostname . It also describes how to save configuration sets, schedule jobs, backup and restore files, manage and upgrade system images, reboot the system, manage packages, and advanced system tuning.

 Chapter 4, “Virtual Router Redundancy Protocol (VRRP)” describes how

to provides dynamic failover of IP addresses using VRRP.

 Chapter 5, “Configuring Clustering” describes how to provide fault

tolerance and dynamic load balancing using clustering.

 Chapter 6, “Configuring SNMP” describes how to configure Simple

Network Management Protocol (SNMP), the protocol used to exchange management information between network devi ces.

 Chapter 7, “Configuring IPv6” describes how to configure features that

use the IPv6 protocol.

 Chapter 8, “Managing Security and Access” desribes how to manage

passwords, user accounts and groups, assign privileges using role-based administration, and how to configure network access, services, and Network Voyager session management. It also describes how to configure AAA for a new service, encryption acceleration, and virtual tunnel interfaces (VTI), which support Check Point route-based VPN..

 Chapter 9, “Configuring Routing” describes the IPSO routing subsystem,

how to configure the various routing protocols that are supporte d, route aggregation, and route redistribution.

 Chapter 10, “Configuring Traffic Management” describes traffic

management functionality, including access control lists and aggregation classes.

 Chapter 11, “Configuring Router Services” describes how to enable your

system to forward broadcast traffic by enabling the IP Broadcast Helper, forward BOOTP/DHCP traffic by enabling BOOTP relay, how to enable router discovery, and how to configure for Network Time Protocol (NTP).

 Chapter 12, “Monitoring System Configuration and Hardware” provides

information on monitoring your system.

20 Nokia Network Voyager for IPSO 4.0 Reference Guide

Page 21

Conventions This Guide Uses

The following sections describe the conventions this guide uses, including notices, text conventions, and command-line conventions.

Notices

Caution

Cautions indicate potential equipment damage, equipment malfunction, loss of performance, loss of data, or interruption of service.

Note

Notes provide information of special interest or recommendations.

Conventions This Guide Uses

Text Conventions

Table 1 describes the text conventions this guide uses.

Table 1 Text Conventions

Convention Description

monospace font

bold monospace font

Key names Keys that you press simultaneously are linked by a plus

Nokia Network Voyager for IPSO 4.0 Reference Guide 21

Indicates command syntax, or represents computer or screen output, for example:

Log error 12453

Indicates text you enter or type, for example:

# configure nat

sign (+): Press Ctrl + Alt + Del.

Page 22

About the Nokia Network Voyager Reference Guide

Table 1 Text Conventions (continued)

Convention Description

Menu commands Menu commands are separated by a greater than sign (>):

Choose File > Open.

Italics

• Emphasizes a point or denotes new terms at the place where they are defined in the text.

• Indicates an external book title reference.

• Indicates a variable in a command:

delete interface if_name

Menu Items

Menu items in procedures are separated by the greater than sign. For example, click Backup and Restore under Configuration > System

Configuration indicates that you first click Configuration to expand the menu if necessary, then click System Configuration, and finally click the Backup and Restore link.

1 About Network Voyager

This chapter provides an overview of Network Voyager, the Web-based interface that you can use to manage Nokia IPSO systems.

Nokia Network Voyager is a Web-based interface that you can use to manage IPSO systems from any authorized location. Network Voyager comes packaged with the IPSO operating system software and is accessed from a client using a browser.

You can also use the command-line interface (CLI) to perform all of the tasks that you can perform when you use Network Voyager, which allows you to choose the interface you are most comfortable with. For information about the CLI, see the CLI Reference Guide.

Software Overview

Nokia firewalls function with the help of several software components:

 Operating System—Nokia IPSO is a UNIX-like operating system based on FreeBSD.

IPSO is customized to support Nokia’s enhanced routing capabilities and Check Point’s FireWall-1 firewall functionality, and to "harden" network security. Unnecessary features have been removed to minimize the need for UNIX system administration.

 Ipsilon Routing Daemon (IPSRD)—IPSRD is Nokia’s routing software. The routing

policy implemented by IPSRD resides in a database. Network Voyager (see below) configures and maintains the routing software and database.

 Check Point FireWall-1—FireWall-1 consists of two major components: (1) the Firewall

module, which runs on the Nokia firewall and implements the security policy, and (2) the Management module, which runs either on the Nokia firewall or on another workstation. Use the Management Module to define and maintain the security policy.

 Network V oyager—Network Voyager communicates with the routing software to configure

interfaces and routing protocols, to manage routing policy for the firewall, and to monitor network traffic and protocol performance. Network Voyager also provides on line documentation. Network Voyager itself runs on a remote machine as a client application of the Nokia routing software and is HTML based.

Nokia Network Voyager for IPSO 4.0 Reference Guide 23

Page 24

Logging In to Network Voyager

When you log in to Network Voyager, the navigation tree you see depends on the role or roles assigned to you. If the roles assigned to your user account do not include access to a feature, you will not see a link to the feature in the tree. If they have read-only access to a feature, you will see a link and be able to access the page, but all the controls will be disabled. For more information on role-based administration, see “Role-Based Administration” on page 293.

Note

The system logs messages about both successful and unsuccessful attempts by users to log in. These are stored in the /var/log/messages file.

To open Nokia Network Voyager

1. Open a Web browser on a computer with network connectivity to the IPSO system.

2. In the Location or Address text box, enter the IP address of the initial interface you

configured for the appliance. You are prompted to enter a username and password. If this is the first login, enter the Admin

username and the password you entered when you performed the initial configuration.

For information about initial configuration, see the Getting S tarted Guide and Release Notes for IPSO.

Note

If the login screen does not appear, you might not have a physical network connection between the host and your appliance, or you might have a network routing pro blem. Confirm the information you entered during the initial configuration and check that all cables are firmly connected.

Logging Off

When you are finished with your Network Voyager session, or if you need to log in to a new session, log out by clicking Log Off at the top of the Network Voyager window.

Note

The Log Off link does not appear if you disabled session management. For information about session management, see “Network Voyager Session Management” on page 311.

You can select to log in with or without an exclusive lock on configuration changes. For more information, see “Obtaining a Configuration Lock” on page 25.

24 Nokia Network Voyager for IPSO 4.0 Reference Guide

Page 25

Obtaining a Configuration Lock

When you log in with exclusive configuration lock, no other user will be able to change the system configuration. Only users with read/write access privileges are allowed to log in with exclusive configuration lock.

If you acquire a configuration lock and then close your browser without logging out, the lock remains in effect until the session time-out elapses or someone manually overrides the lock. For instructions about how to override a configuration lock, see “To override a configuration lock.”

Users who have one or more read/write access privileges (as defined by the administrator under role-based administration) acquire configuration locks unless they uncheck the Acquire Exclusive Configuration Lock check box when they log in. However, their read/write access is limited to the features assigned by the administrator even though the configuration lock is in effect for all features.

To log in with exclusive configuration lock

1. At the login, enter your user name.

2. Enter your password.

3. Check the Acquire Exclusive Configuration Lock check box. This is the default.

4. Click Log In.

Note

Enabling the exclusive configuration lock in Network Voyager prevents you or other users from using the CLI to configure the system while your browser session is active.

To log in without exclusive configuration lock

1. At the login, enter your user name.

2. Enter your password.

3. Uncheck the Acquire Exclusive Configuration Lock check box.

4. Click Log In.

To override a configuration lock

Note

Only users with read/write access privileges are allowed to override an exclusive configuration lock.

1. From the login page, click Log In with Advanced Options.

2. Verify that the Acquire Exclusive Configuration Lock check box is checked. This is the

default choice.

3. Check the Override Locks Acquired by Other Users check box.

Nokia Network Voyager for IPSO 4.0 Reference Guide 25

Page 26

4. Enter your user name and password.

5. Click Log In.

Navigating in Network Voyager

The following table explains the functions of the buttons in Network Voyager. Other buttons are described in the inline help for each page.

Button Description

Apply Applies the settings on the current page (and any deferred applies from other pages) to

the current (running) configuration file in memory. Feedback Takes you to the documentation or Technical Assistance Center (TAC) feedback page. Help Displays help for all elements of the page. Reset Routing Restarts the routing daemon. Save Saves the current (running) configuration fi le to disk.

Avoid using your browser’s Back and Forward buttons while in Network Voyager. The browser caches the HTML page information; therefore, using Back and Forward may not display the latest configuration and diagnostic information as you move from page to page.

Reloading Pages

If the pages seem to have outdated information, you can use the Reload button on the browser to update it. You can also clear memory and disk cache with the following procedure.

To clear the memory and disk cache

1. Select Network Preferences from the Options menu in Netscape.

2. Select Cache in the Preferences window.

3. Click the Clear Memory Cache Now button, then click OK.

4. Click Clear Disk Cache Now, then click OK.

5. Click OK or close the Preferences window.

Accessing Documentation and Help

You can access the Nokia Network Voyager Reference Guide for IPSO, the CLI Reference Guide, and Network Voyager online help from links within the Network Voyager interface.

26 Nokia Network Voyager for IPSO 4.0 Reference Guide

Page 27

This guide, the Nokia Network Voyager Reference Guide for IPSO, is the comprehensive reference source for IPSO administration and using the Network Voyager interface. You can access this guide and the CLI Reference Guide from the following locations:

 Network Voyager interface—Click the Documentation link in the tree view.  Nokia support site (https://support.nokia.com).  On the software CD that might have been delivered with your appliance. If you have a CD,

the documentation is located in the doc folder.

Inline help supplies context sensitive information for Network Voyager. T o access inline help for a Network Voyager page, navigate to that page and click Help. Text-only definitions and related information on fields, buttons, and sections appear in a separate window.

Inline and online help use the following text conventions.

Type of Text Description

italic text Introduces a word or phrase, highlights an important term, phrase, or hypertext link,

indicates a field name, system message, or document title. typewriter text Indicates a UNIX command, program, file name, or path name. bold typewriter text Indicates text to be entered verbatim by you.

Represents the name of a key on the keyboard, of a button displayed on your

screen, or of a button or switch on the hardware. For example, press the R

key.

ETURN

<bracketed> Indicates an argument that you or the software replaces with an appropriate value.

For example, the command rm <filename> indicates that you should type rm

followed by the filename of the file to be removed.

LinkText

- OR - Indicates an exclusive choice between two items.

Indicates a hypertext link.

You can preserve the current page content in your browser and start another browser window to display the inline or online help text by using the following procedure.

To open a new window to view help

1. Right-click the Doc button.

2. Click Open Link in New Browser Window.

Displays the online help in a new window.

3. Right-click the Help On button.

4. Click Open Link in New Browser Window.

Displays the inline (text-only) help in a new window.

Nokia Network Voyager for IPSO 4.0 Reference Guide 27

Page 28

Viewing Hardware and Software Information for Your System

The asset management summary page provides a summary of all system resources, including hardware, software and the operating system. The hardware summary includes information about the CPU, Disks, BIOS, and motherboard, including the serial number, model number, and capacity, or date, as appropriate. The summary also displays the amount of memory on the appliance.

The Check Point FireWall summary lists information about the host and policy installed and the date on which the FireWall policy was installed. The summary also describes which version of the FireWall is running and license information.

The operating system summary lists which software release and version of that release is running on the system.

To view the asset management summary

1. Click Asset Management under Configuration in the tree view.

The asset management summary page appears.

2. The page separates information into three tables: Hardware, FireWall Package Informa tion,

and Operating System.

3. Click the Up button to return to the main configuration page.

28 Nokia Network Voyager for IPSO 4.0 Reference Guide

Page 29

2 Configuring Interfaces

This chapter describes configuring and monitoring the various types of interfaces supported by Nokia IP security platforms, aggregating Ethernet ports, configuring GRE and DVMRP tunnels, using transparent mode to allow your IPSO appliance to behave like a Layer 2 device, and other topics related to physical and logical interfaces.

Interface Overview

Nokia IPSO support the following interface types.

 Ethernet/Fast Ethernet  Gigabit Ethernet  FDDI  ATM (RFC1483 PVCs only)  Serial (V.35 and X.21) running PPP, point-to-point Frame Relay, or Cisco HDLC  T1/E1 running PPP, Frame Relay, or Cisco HDLC  HSSI running PPP, point-to-point Frame Relay, or Cisco HDLC  VPN Tunneling  Token Ring  Unnumbered Interface  ISDN

Note

For information on what types of interfaces your appliance model supports, see your hardware installation guide.

You can configure these interfaces with IP addresses. You also can assign additional IP addresses to the loopback, FDDI, and Ethernet interfaces. All interface types support IP multicast.

Nokia Network Voyager for IPSO 4.0 Reference Guide 29

Page 30

IP2250 Management Ports

The Ethernet management ports on IP2250 systems are designed to be used for the following purposes:

 Managing the appliance  Firewall synchronization traffic  IP cluster protocol traffic  Connection to a log server

Caution

The management ports are not suitable for forwarding production data traffic. Do not use them for this purpose.

Configuring Network Devices

Network Voyager displays network devices as physical interfaces. A physical interface exists for each physical port on a network interface card (NIC) installed in the appliance. Physical interface names have the form:

where:

is a prefix indicating the device type. is the number of the slot the device occupies in the appliance. is the port number of the NIC. The first port on a NIC is port one. For example, a

two-port Ethernet NIC in slot 2 is represented by two physical interfaces:

eth-s2p2

The following table lists the interface-name prefixes for each type.

Type Prefix

Ethernet FDDI ATM Serial

T1/E1

HSSI

eth

fddi

atm

ser

eth-s2p1

and

Token Ring

30 Nokia Network Voyager for IPSO 4.0 Reference Guide

tok

Page 31

Type Prefix

ISDN

isdn

The loopback interface also has a physical interface named Use Network Voyager to set attributes of interfaces. For example, line speed and duplex mode

are attributes of an Ethernet physical interface. Each communications port has exactly one physical interface.

Configuring IP Addresses

Logical interfaces are created for a device's physical interface. You assign an IP address to logical interfaces and then route to the IP address. Ethernet, FDDI, and Token Ring devices have one logical interface.

For ATM devices, you create a new logical interface each time you configure an RFC1483 PVC for the device. Serial, T1/E1, and HSSI devices have one logical interface when they are running PPP or Cisco HDLC. Serial, T1/E1, and HSSI devices running point-to-point Frame Relay have a logical interface for each PVC configured on the port. You also have the option of configuring an unnumbered interface for point-to-point interfaces. Tunnels, however, cannot be configured as unnumbered interfaces.

Logical interfaces, by default, are named after the physical interface for which they are created. If you wish, you can override this default name with a more descriptive or familiar name. You can also associate a comment with the logical interface as a further way to define its relationship in the network. Default logical interface names have the form:

loop0

where

is the channel number of the logical interface.

and

<port>

have the same values as the corresponding physical interface.

For logical interfaces created automatically, the channel number is always zero. For logical interfaces created manually, the channel number is the identifier of the virtual circuit (VC) for which the interface is created (for example, the ATM VCI or the Frame Relay DLCI).

Physical Interface Logical Interface

Default Cisco HDLC PPP Frame Relay

Ethernet One ( FDDI One (c0) ATM One per VCI (

)

Nokia Network Voyager for IPSO 4.0 Reference Guide 31

Page 32

Physical Interface Logical Interface

Default Cisco HDLC PPP Frame Relay

Serial (X.21 or V .35)

T1/E1 One ( HSSI One ( Token Ring One (c0) ISDN One (

For example, the logical interface of a physical interface logical interfaces for PVCs 17 and 24 on an ATM NIC in slot 3 are called

atm-s3p1c24

respectively.

One (c0)One (

)One (

eth-s2p1

) One per DLCI (c#)

)

is called

eth-s2p1c0

atm-s3p1c17

. The

and

Once a logical interface exists for a device, you can assign an IP address to it. For Ethernet, FDDI, and Token Ring, you must specify the interface's local IP address and the length (in bits) of the subnet mask for the subnet to which the device connects.

If you are running multiple subnets on the same physical network, you can configure additional addresses and subnet masks on the single logical interface connected to that network. Y ou do not need to create additional logical interfaces to run multiple subnets on a single physical network.

For point-to-point media, such as ATM, serial, or HSSI, you can either assign IP addresses or configure an unnumbered interface. When assigning IP addresses you must specify the IP address of the local interface and the IP address of the remote system's point-to-point interface.

You can add only one local/destination IP address pair to a point-to-point logical interface. To assign IP addresses to multiple VCs, you must create a logical interface for each VC. IP subnets are not supported on point-to-point interfaces.

Whenever an unnumbered interface generates a packet, it uses the address of the interface that the user has specified as the source address of the IP packet. Thus, for a router to have an unnumbered interface, it must have at least one IP address assigned to it. The Nokia implementation of unnumbered interfaces does not support virtual links.

Note

If you make changes to IP addresses or delete interfaces, the firewall sometimes does not learn of the changes when you get the topology . If you get the topo logy and your changes to interfaces are not shown, stop and restart the firewall.

Interface Status

The configuration and status of removable-interface devices are displayed. Interfaces can be changed while they are offline. Table 2 describes the interface status indicators.

32 Nokia Network Voyager for IPSO 4.0 Reference Guide

Page 33

Table 2 Interface Status Indicators

Indicator Description

None If no color indication is displayed, the physical interface is disabled. To enable the interface,

click on the physical interface name to go to its configuration page.

Blue The device corresponding to this physical interface has been removed from the system, but

its configuration remains. To delete its configuration, click on the physical interface name to go to its configuration page.

Red The physical interface is enabled, but the device does not detect a connection to the

network.

Green The physical interface is ready for use. It is enabled and connected to the network.

Events that can affect the status of interfaces:

 If you hot-insert a device (not power down the unit first), it appears in the lists of interfaces

immediately (after a page refresh) on the configuration pages.

 If you hot-pull a device, and no configuration exists for it, it disappears from the lists of

interfaces immediately.

 If you hot-pull a device, and it had a configuration, its configuration details continue to be

displayed and can be changed even after a reboot.

 Hotswapped interfaces that are fully seated in a router’s chassis are represented in the

ifTable (MIB-II), ipsoCardTable (IP440-IPSO-System-MIB), and the hrNetworkTable (Host-Resources-MIB).

 Unwanted configurations of absent devices can be deleted, which removes the physical and

logical interfaces from all interface lists.

Configuring Tunnel Interfaces

Tunnel interfaces are used to encapsulate protocols inside IP packets. Use tunneling to:

 Send network protocols over IP networks that don’t support them.  Encapsulate and encrypt private data to send over a public IP network.

Create a tunnel logical interface by specifying an encapsulation type. Use Network Voyager to set the encapsulation type. Network Voyager supports two encapsulation types, DVMRP and GRE.

The tunnel logical interface name has the form:

tun0c<chan>

where

<chan>

Nokia Network Voyager for IPSO 4.0 Reference Guide 33

(channel number) is an instantiation identifier.

Page 34

Ethernet Interfaces

You can configure a number of parameters for each Ethernet interface, including the following:

 Enable (make active) or disable the interface.  Change the IP address for the interface.  Change the speed and duplex mode.

Configuring Ethernet Interfaces

Table 3 describes the configuration settings for an Ethernet interface.

Table 3 Physical Interface Configuration Parameters

Parameter Description

Active Select On to enable the interface, select Off to disable the interface.

These selections appear on both the main Interface Configuration page and the pages for each individual interface.

Link Trap Click On or Off to enable or disable the linkup/linkdown traps for the interface.

Default is On for all physical interfaces.

Link Speed Select 100 Mbit/sec or 10 Mbit/sec.

This setting must be the same for all hosts on the network to which the device connects.

Duplex Mode Select Full or Half.

This setting must be the same for all hosts on the network to which the device connects.

Autoadvertise Click on or off to enable or disable autoadvertise.

If turned on, the device advertises its configured speed and duplicity by using Ethernet negotiation.

Link recognition delay

Queue mode For more information, see “Configuring Queue Classes” on page 457. IP address &

Mask length

Specify how many seconds a link must be stable before the interface is declared up. Default is 6; range is 1-255.

You can add multiple IP addresses.

Note

Do not change the IP address you use in your browser to access Network Voyager. If you do, you can no longer access the IP security platform with your Network Voyager browser.

34 Nokia Network Voyager for IPSO 4.0 Reference Guide

Page 35

Table 3 Physical Interface Configuration Parameters

Parameter Description

Logical name Use this to enter a more meaningful name for the interface. Comments (Optional) This field is displayed on the main Interface Configuration and the Logical

Interface pages. Use it to add a description that you might find useful in identifying

the logical interface.

To configure an Ethernet interface

1. Click Interfaces under Configuration > Interface Configuration in the tree view.

2. Click the name of the physical interface you want to configure.

Example:

eth-s2p1

3. Specify the configuration parameters for speed add duplex mode.

4. Click Apply.

5. Click the logical interface name in the Logical Interfaces table.

The Logical Interface page is displayed.

6. Enter the IP address and mask length.

7. Click Apply.

Each IP addresses and mask length that you add are added to the table when you click Apply. The entry fields return to blank to allow you to add more IP addresses.

Use the delete check box to delete IP addresses from the table.

8. (Optional) Change the interface logical name to a more meaningful name by typing the

preferred name in the Logical name text box.

9. Click Apply.

10. (Optional) Add a comment to further define the logical interfaces function in the Comments

text box. Click Apply.

11. Click Up to go to the Interface Configuration page.

12. Click On button that corresponds to the logical interface you configured.

Click Apply. The Ethernet interface is now available for IP traffic and routing.

13. To make your changes permanent, click Save.

Link Aggregation

Nokia IPSO appliances allow you to aggregate (combine) Ethernet ports so that they function as one logical port. You get the benefits of greater bandwidth per logical interface and load

Nokia Network Voyager for IPSO 4.0 Reference Guide 35

Page 36

balancing across the ports. For example, you can aggregate two 10/100 mbps ports so they function like a single port with a theoretical bandwidth of 200 mbps, and you can aggregate two Gigabit Ethernet ports so they function like a single port with a theoretical bandwidth of 2000 mbps. If you have only 10/100 interfaces and need a faster link but can’t or don’t want to use Gigabit Ethernet, you can use link aggregation to achieve faster throughput with the interfaces you already have.

Another benefit of link aggregation is redundancy—if one of the physical links in an aggregation group fails, the traffic is redistributed to the remaining physical links and the aggregation group continues to function. IPSO distributes the outbound IP traffic across the physical links using the source and destination IP addresses. It uses the source and destination MAC addresses to distribute non-IP traffic.

You can aggregate as many as four ports in one aggregation group, and you can have as many as eight aggregation groups on one appliance.

You can hot swap NICs that hav e ports participating in an aggregation group. If the group has ports on other NICs, the traffic is distributed to those ports and the aggregation group continues to function when you remove a NIC in this manner. If you reinsert the NIC, the appropriate ports rejoin the aggregation group and resume forwarding traffic automatically.

Managing Link Aggregation Using SNMP

Nokia IPSO systems use a proprietary SNMP MIB to manage link aggregation. To incorporate link aggregation into your SNMP-based management, perform the following tasks:

 Copy the file NOKIA-IPSO-LINKAGGREGATION-MIB .txt to your management system.

This file is located at /etc/snmp/mibs/.

 In Network Voyager or the IPSO CLI, enable the following traps:

 Enable lamemberActive traps  Enable lamemberInactive traps

Note

IPSO does not use the standard IEEE8023-LAG-MIB to support link aggregation.

Configuring Switches for Link Aggregation

Observe the following considerations when you configure a switch to support link aggregation in combination with a Nokia appliance:

 You must configure the appropriate switch ports to use static link aggregation. (On Cisco

switches, this means you must enable EtherChannel.) That is, if you aggregate four ports into one group on your Nokia appliance, the four switch ports that they con nect to must static link aggregation.

36 Nokia Network Voyager for IPSO 4.0 Reference Guide

Page 37

 When you assign switch ports to an EtherChannel group, set the channel mode to on to

force the ports to form a channel without using the Link Aggregation Control Protocol (LACP) or Port Aggregation Protocol (PAgP).

 If your switch supports it, configure the aggregated ports to distribute the traffic using

source and destination IP addresses.

 If your switch can only distribute traffic based on source or destination MAC addresses,

configure it to use the source MAC addresses. If it uses the destination MAC address to distribute the load, all the traffic flowing from the switch to the IPSO system over the aggregated link is sent to the primary port of the aggregation group.

 You must configure the switch ports to have the same physical characteristics (link speed,

duplicity, autoadvertise/autonegotiation setting, and so on) as the corresponding aggregated ports on the Nokia system.

 On Cisco switches, trunking must be enabled if you create more than one tagged VLAN on

an aggregated link. (You can configure as many as 1015 VLANs for an IPSO system.).

 If you use IOS on a Cisco switch, trunking is enabled automatically.  If you run CatOS on a Cisco switch, use the following command to configure VLAN

trunking on the EtherChannel:

set trunk ports nonegotiate dot1q vlans

Static Link Aggregation

The IPSO implementation of link aggregation complies with the IEEE 802.3ad standard for static link aggregation. Nokia has also tested IPSO link aggregation with the following Cisco Catalyst switches:

 6500 Series  3550 Series  2950 Series

IPSO does not support LACP, which is used for dynamic link aggregation.

Link Aggregation on the IP2250

This section describes aspects of link aggregation that are specific to the IP2250 appliance.

Firewall Synchronization Traffic

If you configure two IP2250 appliances in a VRRP pair or IP Cluster and run NGX on them, Nokia recommends that you aggregate two of the built-in 10/100 Ethernet management ports to create a 200 Mbps logical link and configure NGX to use this network for firewall synchronization traffic. If you use a single 100 Mbps connection for synchronization, connection information might not be properly synchronized when the appliance is handles a large number of connections.

Nokia Network Voyager for IPSO 4.0 Reference Guide 37

Page 38

Note

Use Ethernet crossover cables to connect the management port s that you aggr egate. Using a switch or a hub can result in incomplete synchronization.

Because you should use crossover cables for these connections, you should not configure more than two IP2250 appliances in a VRRP group or IP cluster.

If you use aggregated ports for firewall synchronization traffic a

nd delete a port from the

aggregation group but do not delete the group itself, be sure to delete the corres po nd i ng port on the other IP2250 system. If you delete a port on one system only and that port remains physically and logically enabled, the other system will continue to send traffic to the deleted port. This traffic will not be received, and firewall synchronization will therefore be incomplete.

Caution

Do not use ports on IP2250 ADP I/O cards for firewall synchronization traffic. Doing so can cause connections to be dropped in the event that there is a failover to a backup router.

Configuring the Remaining Management Ports

If you are using IP clustering, follow these guidelines when you configure the remaining built-in Ethernet management ports:

 Use one of the management ports exclusively for the primary cluster protocol network.  Use a separate management port for the following purposes, if necessary:

 management connection  log server connection  secondary cluster protocol network

 Use a switch or hub to connect these ports. Do not use crossover cables to connect any

interfaces other than those used for firewall synchronization.

Caution

The management ports are not suita ble for forwarding production data traffic—do not use them for this purpose.

Production Traffic (ADP I/O Ports Only)

You can aggregate the ports on ADP format IP2250 I/O cards and use the aggregated links for traffic other than firewall synchronization. If you aggregate ports on IP2250 I/O cards, observe the following guidelines:

 You can connect the aggregated ports using a switch, hu b, or crossover cable.  Do not include ports on different I/O cards in the same aggregation group.

38 Nokia Network Voyager for IPSO 4.0 Reference Guide

Page 39

 Do not combine any of the built-in 10/100 Ethernet management ports with ports on an I/O

card to form an aggregation group.

Caution

Do not use the management ports of an IP2250 for production traffic, regardless of whether the ports are aggregated.

Configuring Link Aggregation

To set up link aggregation in Network Voyager

1. Physically configure the interfaces.

2. Create the aggregation group.

3. Logically configure the aggregation group.

These steps are explained in the following sections.

Physical Interface Configuration

To set up link aggregation in Network Voyager, you first configure the physical interfaces that you will aggregate.

Note

Make sure that the physical configurations (link speed, duplicity, autoadvertise setting, and so on) are identical for all the interfaces that will participate in a given group. These settings must match the settings for the switch ports that the interfaces are connected to.

When you aggregate an interface, any logical configuration information is deleted. Be careful not to aggregate the interface that you use for your management connection because doing so breaks your HTTP connection to the appliance. Should this occur, you can restore HTTP connectivity by using one of the following approaches:

 Connect to another configured port and use Network Voyager to reconfigure the

management port.

 Use the IPSO CLI over a console connection to reconfigure the management port.

Because the management port is now part of an aggrega tio n group, Network Voyager and the CLI identify it using the format

aexxx

, in which

xxx

is the group ID.

To physically configure the interfaces you will aggregate

1. Click Interfaces under Configuration > Interface Configuration in the tree view.

2. Click a link for one of the physical interfaces that you will aggregate.

Be careful not to select a port that you are using for a management connection.

3. Configure the physical configuration to the settings you want.

Nokia Network Voyager for IPSO 4.0 Reference Guide 39

Page 40

4. Click Apply

5. Click Save to make the changes permanent.

6. Perform step 2 through step 5 again to configure the other interfaces identically.

Group Configuration

Once the physical interfaces are configured, you need to create and configure link aggregation groups.

On appliances other than the IP2250, you can put ports on different LAN interface cards in the same aggregation group. For example, you can include a port on a card in slot 1 and a port on a card in slot 2 in the same group. On the IP2250, do not include ports on different IO cards in the same aggregation group.

If you use VRRP and VPN-1 NG with appliances other than the IP2250, you can run firewall synchronization traffic over an aggregated link, regardless of which ports participate in the link. On the IP2250, do not run this traffic over an aggregated link that is made up of ports on an interface card.

To configure link aggregation groups

1. Click Link Aggregation under Configuration > Interface Configuration in the tree view.

2. In the New Group ID field, enter a numeric value that will identify the group of aggregrated

interfaces.

3. Click Apply.

An entry for the new group appears under Existing Link Aggregation Groups.

4. Use the Primary Port pull-down menu to select a port for the aggregation group.

The menu shows the physical names of the interfaces that correspond to the available Ethernet ports. For example, eth1 corresponds to the first built-in Ethernet port, and eth-s5p1 corresponds to port 1 on the NIC in slot 5. Be careful not to select a port that you are using for a management connection.

5. Click Apply.

The entry for the aggregation group indicates that the MAC address for the interface you selected is used as the MAC address for all the interfaces in the group.

6. Add a port to the group by selecting another interface from the Add Port menu.

Caution

Do not include ports on different IP2250 I/O cards in the same aggregation group. This configuration is not supported.

7. Click Apply. Note that Network Voyager’s display of the aggregated bandwidth does not reflect whether any

of the ports are physically up or logically active.

40 Nokia Network Voyager for IPSO 4.0 Reference Guide

Page 41

Logical Configuration

When you have completed the aggregation group, you must configure it with an IP address and so on. Navigate to the Interfaces Configuration page and click the logical name of the group. Network Voyager shows the logical name in the format of a group with the ID 100 is

ae100c0

If you create a link aggregation group but do not add any interfaces to it, the logical name of the group does not appear on the Interfaces Configuration page. You cannot configure an aggregation group with logical information until you have added an interface to the group.

Deleting Aggregation Groups

To delete an aggregation group, you must first remove all the ports from th e grou p. To remove a port from an aggregation group, click Delete next to the appropriate port and click Apply. Click Save to make the change permanent.

You cannot remove the primary port from an aggregation group unless the other ports have been removed, but you can remove all the ports simultaneously. You can simultaneously remove all the ports and delete the group by clicking all the Delete checkboxes and then clicking Apply. Click Save to make the change permanent.

Gigabit Ethernet Interfaces

aexxxc0

. For example, the logical name

You can configure the parameters listed in Table 4 for each Gigabit Ethernet interface. For information on how to complete the configuration of an Gigabit Ethernet interface, see “To

configure an Ethernet interface” on page 35.

Table 4 Gigabit Ethernet Interface Parameters

Parameter Description

Active Select On to enable the interface, select Off to disable the interface.

These selections appear on both the main Interface Configuration page and the pages for each individual interface.

Link Trap Click On or Off to enable or disable the linkup/linkdown traps for the interface.

Default is On for all physical interfaces.

Flow Control You can implement flow control to reduce receiving-buffer overflows, which can

cause received packets to be dropped, and to allow local control of network congestion levels. With the flow control On, the Gigabit Ethernet card can send flow-control packets and respond to received packets.

Default is Off.

Link Recognition Delay

Specify how many seconds a link must be stable before the interface is declared up.

Default is 6; range is 1-255.

Nokia Network Voyager for IPSO 4.0 Reference Guide 41

Page 42

Table 4 Gigabit Ethernet Interface Parameters

Parameter Description

MTU The maximum length of frames, in bytes, that can be transmitted over this device.

This value limits the MTU of any network protocols that use this device. This option appears only for NICs that have the capability of transmitting jumbo frames.

Default is 1500; range is 1500-16,000.

Note

On the IP2250, the range is 1500-9600.

IP Address & Mask Length

You can add multiple IP addresses.

Note

Do not change the IP address you use in your browser to access Network Voyager . If you do, you can no longer access the IP security platform with your Network browser.

Logical Name Use this to enter a more meaningful name for the interface. Comments (Optional) This field is displa yed on the main Interface Configuration and the

Logical Interface pages. Use it to add a description that you might find useful in identifying the logical interface.

Note

Link speed is fixed and duplex mode is set to full at all times for Gigabit Ethernet interfaces.

To configure a Gigabit Ethernet interface

1. Click Interfaces under Configuration > Interface Configuration in the tree view.

2. Click the physical interface link to configure. Example:

eth-s5p1.

3. Set flow control to On.

4. Click Apply.

5. Click the name of the logical interface in the logical interfaces table.

The Logical Interface page is displayed.

6. (Optional) T o increase the maximum length of frames, in bytes, that can be transmitted over

this device, enter a value for MTU. The default is 1500.

7. Enter the IP address and subnet mask length for the device in the appropriate text fields.

8. Enter the IP address and mask length.

Click Apply.

42 Nokia Network Voyager for IPSO 4.0 Reference Guide

Page 43

Each IP addresses and mask length that you add are added to the table when you click Apply. The entry fields return to blank to allow you to add more IP addresses.

Use the delete check box to delete IP addresses from the table.

9. (Optional) Change the interface logical name to a more meaningful name by typing the

preferred name in the Logical name text box. Click Apply.

10. (Optional) Add a comment to further define the logical interfaces function in the Comments

text box. Click Apply.

11. Click Up to go to the Interface Configuration page.

12. Click On button that corresponds to the logical interface you configured.

Click Apply. The Gigabit Ethernet interface is now available for IP traffic and routing.

13. To make your changes permanent, click Save.

Point-to-Point Over Ethernet

Point-to-Point Over Ethernet (PPPoE) for IPSO provides you with the ability to create multiple point-to-point connections from your Ethernet network to your ISP. Configuration is simple and your network can be connected over a bridging device such as a DSL modem.

Configuring PPPoE

To configure PPPoE

1. Click Interfaces under Interface Configuration in the tree view.

2. Click the pppoe0 link.

The PPPoE physical interface page is displayed.

Note

The PPPoE physical interface and the associated link trap is on by default. If you wish to change either setting, click the appropriate setting next to the feature you wish to enable or disable and click Apply.

3. Click PPPOE Profile Link.

The PPPOE Profile Configuration page is displayed. Here you can create PPPoE profiles, change profiles, and view existing profiles on your system.

4. Enter a name for the profile and, optionally, a description.

Nokia Network Voyager for IPSO 4.0 Reference Guide 43

Page 44

5. In the Ethernet Interface drop-down box, select the Ethernet interface you wish to associate

with the PPPoE logical interface in the.

6. In the Mode drop-down box, select a connection mode.

7. In the Timeout text-box, enter a time in seconds.

8. (Optional) In the Peername text-box, enter the name of the PPPoE server.

Note

If you use the Peername field, only the PPPoE server named in the field will be allowed to connect to the system.

9. In the MTU text-box, enter the maximum byte size to be transmitted. The default is 1492

bytes.

10. Enter a value in the MSS Clamping text box if end devices connected to this interface are

experiencing connectivity problems with specific destinations. See “Configuring MSS

Clamping” for more information.

11. In the Authentication Type drop-down box, select an authentication type. If you selected

PAP or CHAP, you must enter a user name in the Username text box and a password in the Password text box.

12. Click Apply

13. Click Save to make your changes permanent.

To create more configuration profiles, repeat these steps.

14. Display the Interface Configuration page.

15. Click the link for the physical PPPoE interface.

16. Chose a configuration profile you created in the preceding steps from the Create a new

interface with PPPoE profile drop-down box.

17. Click Apply.

18. Click the lin for the logical interface you wish to configure.

This takes you to the Logical interface page.

19. In the Interface type drop-down box, select an interface type.

 If you select Static Interface, you must provide the IP address of the logical interface in

the Local Address text box and the IP address of remote point-to-point interface in the Remote Address text box.

 If you select Unnumbered, the proxy interface should be a logical interface of the

physical interface that is associated the PPPoE profile.

 If you select Dynamic, the Local Address should be the IP address of the logical

interface. The Remote Address should be the name of the logical interface.

44 Nokia Network Voyager for IPSO 4.0 Reference Guide

Page 45

Note

The PPPoE logical interface is on by default and the associated link trap is disabled by default. If you wish to change either setting, click the appropriate setting next to the feature you wish to enable or disable and click Apply.

20. Click Apply.

21. Click Save to make your changes permanent.

To create PPPoE logical interfaces

1. Click Interfaces under Configuration > Interface Configuration in the tree view.

2. Click the pppoe0 link.

3. In the Create a new interface with PPPoE profile, select a profile name.

4. Click Apply.

5. Click Save to make your changes permanent.

To delete PPPoE logical interfaces

1. Click Interfaces under Configuration > Interface Configuration in the tree view.

2. Click the pppoe0 link.

3. Click Delete in the Logical interfaces box associated with the PPPoE profile to delete.

4. Click Apply.

5. Click Save to make your changes permanent.

To change configuration profiles

1. Click Interfaces under Configuration > Interface Configuration in the tree view.

2. Click the pppoe0 link.

3. Click the name of the PPPoE profile in the PPPoE Profile field.

4. Make changes to the profile as needed. See (link to Configuring PPPoE steps 8 through 15.)

5. Click Apply.

6. Click Save to make your changes permanent.

To delete configuration profiles

You must first delete the configuration profile interface before you can delete a configuration profile. For more information, see “To delete PPPoE logical interfaces.”

1. Click Interfaces under Configuration > Interface Configuration in the tree view.

2. Click the Interfaces link.

3. Click the pppoe0 link.

4. Click the PPPoE Profile link.

Nokia Network Voyager for IPSO 4.0 Reference Guide 45

Page 46

5. Click Delete.

6. Click Apply.

Configuring MSS Clamping

When end devices use path MTU discovery, it can cause connectivity problems when their connections pass through PPPoE interfaces. Use the MSS Clamping field to prevent these problems by reducing the maximum segment size (MSS) that is advertised across the outgoing link.

IPSO advertises the value in this field as the MSS for packets that transit this interface. If a connected device (such as a host system) advertises a greater MSS, IPSO advertises the value in this field instead of the value advertised by the device. There is no default value for the MSS Clamping field. If you do not enter a value, the MSS advertised by end devices is always advertised across the link.

If hosts connected to this interface experience connectivity problems with some destinations, use this field to restrict the MSS that they can advertise. Entering a value of 1452 will probably solve any such problems.

See RFC 2923 for more information about how path MTU discovery that can cause connectivity problems.

Virtual LAN Interfaces

Nokia IPSO supports virtual LAN (VLAN) interfaces on all supported Ethernet interfaces. VLAN interfaces lets you configure subnets with a secure private link to Check Point FW-1/ VPN-1 with the existing topology. VLAN enables the multiplexing of Ethernet traffic into channels on a single cable.

The Nokia implementation of VLAN supports adding a logical interface with a VLAN ID to a physical interface. In a VLAN packet, the OSI Layer 2 header, or MAC header, contains four more bytes than the typical Ethernet header for a total of 18 bytes. When traffic arrives at the physical interface, the system examines it for the VLAN layer-two header and accepts and forwards the traffic if a VLAN logical interface is configured. If the traffic that arrives at the physical interface does not have a VLAN header, it is directed to the channel 0, or untagged, interface. In the Nokia implementation, the untagged channel-0 interface drops VLAN packets that are sent to the subnets on that interface.

Outgoing traffic from a VLAN interface is tagged with the VLAN header. The Nokia appliance can receive and generate fully conformant IEEE 802.1Q tags. The IEEE802.1Q standard defines the technology for virtual bridged networks. The Nokia implementation is completely interoperable as a router, not as a switch.

IPSO supports a maximum of 1015 VLAN interfaces. However, if you do not explicitly configure the system to support this number (in the Maximum Number of VLANs Allowed text box), the default maximum is 950 VLAN interfaces.This is system limit and not limited to specific interface.

46 Nokia Network Voyager for IPSO 4.0 Reference Guide

Page 47

To configure a VLAN Interface

1. Click Interfaces under Interface Configuration in the tree view.

2. Click the link to the physical Ethernet interface for which you want to enable a VLAN

interface. The physical interface page for that interface is displayed.

3. Enter a value to identify the VLAN interface in the Create a new VLAN ID text box.

The range is 2 to 4094. The values 0 and 4095 are reserved by the IEEE standard. VLAN ID 1 is reserved by convention. There is no default.

4. Click Apply.

The new logical interface for the VLAN appears in the Logical Interfaces field with the name eth-sXpYcZ, where X is the slot number, Y is the physical port number and Z is the channel number. The channel numbers increment starting with 1 with each VLAN ID that you create.

5. Click Save to make your changes permanent.

Repeat steps 2 through 4 for each VLAN interface to create.

6. To assign an IP address to the new logical VLAN interface, click the link for the logical

interface in the Interface field of the Logical Interfaces table. Enter the IP address in the New IP address text box. Enter the mask length in the New mask length text box.

7. Click Apply.

8. Click Save to make your changes permanent.

The new logical interface appears as active on the interface configuration page. Click Up to view that page. (Optional) To disable the interface, click off in the Active field in the row for the logical interface.

9. Click Apply.

10. Click Save to make your change permanent.

Note

You can assign multiple IP addresses to each logical VLAN interface.

To delete a VLAN Interface

1. Click Interfaces under Configuration > Interface Configuration in the tree view.

2. Click the link for the physical interface for which to delete a VLAN interface in the Physical

field. This action takes you to the physical interface page for the interface.

3. In the Logical Interface table, click Delete in the row for the logical VLAN interface to

delete.

4. Click Apply.

Nokia Network Voyager for IPSO 4.0 Reference Guide 47

Page 48

5. Click Save to make your change permanent.

The entry for the logical VLAN interface disappears from the Logical Interfaces table.

To define the maximum number of VLANs

1. Click Interfaces under Configuration > Interface Configuration in the tree view.

2. Enter a number in the Maximum Number of VLANs Allowed text box.

The maximum value is 1015.

3. Click Apply.

4. Click Save to make your change permanent.

VLAN Example Topology

The following topology represents a fully redundant firewall with load sharing and VLAN. Each Nokia appliance running Check Point FW-1 is configured with the Virtual Router Redundancy Protocol (VRRP). This protocol provides dynamic failover of IP addresses from one router to another in the event of failure. For more information see VRRP Description. Each appliance is configured with Gigabit Ethernet and supports multiple VLANs on a single cable. The appliances receive and forward VLAN-tagged traffic to subnets configured for VLAN, creating a secure private network. In addition, the appliances are configured to create VLAN-tagged messages for output.

GSR

Multiple VLANs on

single cable

gigabit

switch

Ethernet

gigabit

Ethernet

Un tagged VLAN tagged Un tagged

VRRP

pair

NOK/CP

FW-1

sync

NOK/CP

FW-1

VRRP

pair

gigabit

Ethernet

gigabit

Ethernet

VLAN switch

00203

48 Nokia Network Voyager for IPSO 4.0 Reference Guide

Page 49

FDDI Interfaces

To configure an FDDI Interface

1. Click Interfaces under Configuration > Interface Configuration in the tree view.

2. Click the physical interface link you want to configure in the Physical column.

Example:

3. Click Full or Half in the Physical Configuration table Duplex field.

4. Click Apply.

Note

Set device attached to a ring topology to half duplex. If the device is running in point-to-

point mode, set the duplex setting to full. This setting must be the same for all hosts on the network to which the device connects.

5. Click the logical interface name in the Interface column of the Logical Interfaces table to go

to the Interface page.

6. Enter the IP address for the device in the New IP address text box.

7. Enter the subnet mask length in the New mask length text box.

Click Apply. Each time you click Apply, the configured IP address and mask length are added to the table.

The entry fields remain blank to allow you to add more IP addresses. To enter another IP address and IP subnet mask length, repeat steps 6 through 7.

8. (Optional) Change the interface’s logical name to a more meaningful one by typing the

preferred name in the Logical name text box.

fddi-s2p1

9. Click Apply.

10. (Optional) Add a comment to further define the logical interfaces function in the Comments

text box. Click Apply.

11. Click Up to go the Interface Configuration page.

12. Click On button that corresponds to the logical interface you configured.

Click Apply. The FDDI interface is now available for IP traffic and routing.

13. Click Save to make your changes permanent.

Nokia Network Voyager for IPSO 4.0 Reference Guide 49

Page 50

To change the duplex setting of an FDDI interface

Note

If the duplex setting of an FDDI interface is incorrect, it might not receive data, or it might receive duplicates of the data it sends.

1. Click Interfaces under Configuration > Interface Configuration in the tree view.

2. Click the physical interface link to change in the Physical column.

Example: fddi-s2p1

3. Click Full or Half in the Physical Configuration table Duplex field.

4. Click Apply.

Note

Set device attached to a ring topology to half duplex. If the device is running in point-topoint mode, set the duplex setting to full. This setting must be the same for all hosts on the network to which the device connects.

5. Click Save to make your changes permanent.

To change the IP address of an FDDI interface

Note

Do not change the IP address you use in your browser to access Network Voyager. If you do, you can no longer access the IP security platform device with your browser.

1. Click Interfaces under Configuration > Interface Configuration in the tree view.

2. Click the logical interface link for which to change the IP address in the Logical column.

Example: fddi-s2p1c0

3. To remove the old IP address, click the delete check box that corresponds to the address to

delete.

4. Click Apply.

5. To add the new IP address, enter the IP address for the device in the New IP address text

box.

6. Enter the subnet mask length in the New mask length text box.

7. Click Apply.

Each time you click Apply, the new IP address and mask length are added to the table. The entry fields remain blank to allow you to add more IP addresses.

8. Click Save to make your changes permanent.

50 Nokia Network Voyager for IPSO 4.0 Reference Guide

Page 51

ISDN Interfaces

Integrated Services Digital Network (ISDN) is a system of digital phone connections that allows voice, digital network services, and video data to be transmitted simultaneously using end-toend digital connectivity.

The Nokia IP security platform offers support for an ISDN Basic Rate Interface (BRI) physical interface. The ISDN BRI comprises one 16 Kbps D-channel for signalling and control, and two 64 Kbps B-channels for information transfer. Nokia’s physical interface is certified to conform to the European Telecommunications Standards Institute (ETSI) ISDN standard.

The physical interface is the manageable representation of the physical connection to ISDN. One physical interface is visible in Network Voyager for every ISDN BRI card in the Nokia appliance chassis. The physical interface enables management of the parameters specific to each ISDN connection. The physical interface permits enabling or disabling of the ISDN connection and is the entity under which logical interfaces are created.

The logical interface is the logical communication end point. It contains all information used to set up and maintain the ISDN call. The logical interface includes:

 Data link encapsulation and addressing  Call connection information such as call direction, data rate, and the number to call  Authentication information such as names, passwords, and authentication method  Bandwidth allocation for Multilink PPP

After configuring the physical interface, then creating and configuring the logical interfaces, the Nokia appliance is ready to make and accept ISDN calls. Detailed information on how to create and configure ISDN interfaces begins in “To configure an ISDN physical interface.”

The ISDN interface supports the following features.

 Port—ISDN Basic Rate S/T interface with RJ45 connector  ISDN signaling—ETSI EURO-ISDN (ETS 300 102)  B-channel protocols—IETF PPP (RFC 1661 and 1662); IETF Multilink PPP (RFC 1990)  Security—PAP (RFC 1334), CHAP (RFC 1994), and ISDN Caller ID  Dial-on-demand routing—you can configure the ISDN interface so that only certain types

of traffic establish and maintain an ISDN connection. Circuits are automatically removed if they are not required.

 Dynamic bandwidth allocation—you can configure the ISDN interface to add or remove

additional bandwidth as the traffic requires it.

 Multiple destination support—you can configure the ISDN interface to connect to two

different destinations simultaneously.

 Dial-in support—you can configure the ISDN interface to accept incoming calls from

remote sites.

To configure an ISDN physical interface

1. Click Interfaces under Configuration > Interface Configuration in the tree view.

2. Click the physical interface link to configure in the Physical column.

Nokia Network Voyager for IPSO 4.0 Reference Guide 51

Page 52

Example: isdn-s2p1

3. In the Switch Type pull-down menu, in the Physical Configuration table, select the service

provider-switch type that corresponds to the interface network conn ection.

4. In the Line Topology field in the Physical Configuration table, click Point-to-Point or

MultiPoint to describe the connection type of the interface.

5. Click Automatic or Manual in the TEI Option (terminal-endpoint identifier) field in the

Physical Configuration table. Generally, automatic TEIs are used with multipoint connections, while fixed TEIs are used

in point-to-point configurations.

6. Click Apply.

7. (Optional) If you selected Manual as the TEI option, enter the TEI assigned to the ISDN

interface in the TEI field.

8. In the Physical Configuration table, click First-Call or PowerUp in the TEI Assign field to

specify when the ISDN Layer 2 (TEI) negotiation to occur.

 First-Call—ISDN TEI negotiation should occur when the first ISDN call is placed or

received.

The first-call option is mainly used in European ISDN switch types (for example, ETSI).

 PowerUp—ISDN TEI negotiation should occur when the router is powered on.

9. Click Apply.

10. Click Save to make your changes permanent.

To configure an ISDN logical interface to place calls

1. Click Interfaces under Configuration > Interface Configuration in the tree view.

2. In the Physical column, click on the ISDN physical-name interface link to configure.

Example:

isdn-s2p1

3. In using the Encapsulation text box in the Create new Logical Interface table, select whether

to run PPP or multilink PPP on the interface.

4. Click Apply.

A newly created logical interface appears in the Interface column of the Logical Interfaces table.

5. Click the logical interface name in the Interface column of the Logical Interfaces table to go

to the Interface page.

6. If the interface should be unnumbered, perform steps a and b. If the interface should be

numbered, skip to step 7. In unnumbered mode the interface does not have its own unique IP address—the address of

another interface is used.

a. Click Yes next to Unnumbered interface. b. Click Apply.

52 Nokia Network Voyager for IPSO 4.0 Reference Guide

Page 53

c. Use the Proxy interface pull-down menu to select the logical interface from which the

address for this interface is taken.

7. Enter the IP address for the local end of the connection in the Local address text box in the

Interface Information table. You must enter a valid IP address. IPSO does not support dynamically assigned IP addresses

for ISDN interfaces. Do not enter 0.0.0.0.

8. Enter the IP address of the remote end of the connection in the Remote address text box in

the Interface Information table.

9. (Optional) Enter a string comment in the Description text box in the Connection Information

table to describe the purpose of the logical interface, for example, Connection to Sales Office.

10. Click Outgoing in the Connection Information table.

11. (Optional) Enter the value for the idle timeout in the Idle Time text box in the Connection

Information table. This time entry defines the time in seconds that an active B-channel can be idle before it is

disconnected. A value of zero indicates that the active B-channel will never disconnect. The range is 0 to 99999. The default value is 120.

12. (Optional) Enter the value for the minimum call time in the Minimum Call Time text box in

the Connection Information table. This entry defines the minimum number of seconds a call must be connected before it can be

disconnected by an idle timeout. A value of 0 indicates that the call can be disconnected immediately upon expiration of the idle timer. If the se rvice pro vider ha s a minim um charge for each call, Nokia recommends the minimum call time be set to this value. The range is 0 to 99999. The default value is 120.

13. Click the 64 Kbps or 56 Kbps radio button in the Rate field in the Connection Information

table to set the data rate for outgoing calls.

14. Enter values for a remote number and subaddress in the Remote Number and (optional)

Remote Sub Number text boxes in the Connection Information table.

15. (Optional) Enter values for a calling number and subaddress in the Calling Number and

Calling Sub Number text boxes in the Connection Information table. The calling number and subaddress are inserted in a SETUP message when an outgoing call

is made.

Note

The Authentication table entries, which follow, allow the user to manage the parameters used to authenticate both ends of the communication link.

16. In the To Remote Host section of the Authentication table, in the Name text box, enter the

name that needs to be returned to a remote host when it attempts to authenticate this host.

Nokia Network Voyager for IPSO 4.0 Reference Guide 53

Page 54

17. In the To Remote Host section of the Authentication table, in the Password text box, enter

the password to be returned to the remote host for PAP authentication, or the secret used to generate the challenge response for CHAP authentication.

Note

The To Remote Host information must be the same as the From Remote Host information (or its equivalent) at the remote end of the link.

18. In the From Remote Host section of the Authentication table select the authentication

method used to authenticate the remote host.

19. In the From Remote Host section of the Authentication table, in the Name text box, enter the

name that will be returned from the remote host when this host attempts to authenticate the remote host.

20. In the From Remote Host section of the Authentication table, in the Password text box, enter

a password to be returned by the remote host for PAP authentication, or the secret used to validate the challenge response for CHAP authentication.

Note

The From Remote Host information must be the same as the To Remote Host information (or its equivalent) at the remote end of the link.

Note

The Bandwidth Allocation table entries that follow allow the network administrator to manage the parameters that are used to determi ne when to add or remove a n additional B-channel only when using Multilink PPP.

21. In the Bandwidth Allocation table, in the Utilization Level text box, enter a percentage

bandwidth use level at which the additional B-channel is added or removed. When the measured use of an outgoing B-channel exceeds the utilization level threshold for

a period greater than the use period, the second B-channel is brought into operation. When the outgoing B-channel use falls below the use level for a period greater than the value of the use period, the second B-channel is removed from operation.

A use level of zero means that the second B-channel is never brought into operation. To bring the second B-channel into operation quickly , set the use level to a low number, such as one.

22. In the Bandwidth Allocation table, in the Utilization Period text box, enter the use period.

This value specifies the number of seconds the outgoing B-channel use must remain above the use level before a second channel is brought into operation. When a second B-channel has been added, this value specifies the number of seconds that the use of the outgoing Bchannel must be below the use level before the second B-channel is removed from operation.

54 Nokia Network Voyager for IPSO 4.0 Reference Guide

Page 55

A use period set to zero will cause the second B-channel to be brought into operation immediately; the utilization level has been exceeded. It will also cause the second B-channel to be removed from operation; immediately the measured utilization drops below the use level.

23. Click Apply.

24. Click Save to make your changes permanent.

For troubleshooting information, see “ISDN Troubleshooting.”

To configure an ISDN interface to receive calls

1. Click Interfaces under Configuration > Interface Configuration in the tree view.

2. Click the physical interface to configure in the Physical column.

Example: isdn-s2p1

3. Select whether to run PPP or multilink PPP on the interface from the Encapsulation text box

in the Create New Logical Interface table; then click Apply. A new logical interface appears in the Interface column of the Logical Interfaces table.

4. Click the logical interface name in the Interface column of the Logical Interfaces table to go

to the Interface page.

5. Enter the IP address for the local end of the connection in the Local address text box in the

Interface Information table.

6. Enter the IP address of the remote end of the connection in the Remote address text box in

the Interface Information table.

7. Click Incoming in the Connection Information table.

8. Click Apply.

9. To configure the list of incoming numbers with permission to call into this interface, click

the Incoming Numbers link.

Note

If no incoming call numbers are configured, all incoming calls will be accepted.

10. In the To Remote Host section of the Authentication table, in the Name text box, enter the

name to be returned to a remote host when it attempts to authenticate this host.

11. In the To Remote Host section of the Authentication table, in the Password text box, enter

the password to be returned to the remote host for PAP authentication, or the secret used to generate the challenge response for CHAP authentication.

Note

The To Remote Host information must be the same as the From Remote Host information (or its equivalent) at the remote end of the link .

Nokia Network Voyager for IPSO 4.0 Reference Guide 55

Page 56

12. In the From Remote Host section of the Authentication table select the authentication

method used to authenticate the remote host.

13. In the From Remote Host section of the Authentication table, in the Name text box, enter the

name that is returned from the remote host when this host attempts to authenticate the remote host.

14. In the From Remote Host section of the Authentication table, in the Password text box, enter

a password to be returned by the remote host for PAP authentication, or the secret used to validate the challenge response for CHAP authentication.

Note

The From Remote Host information must be the same as the To Remote Host information (or its equivalent) at the remote end of the link.

15. Click Save to make your changes permanent. For troubleshooting information, see “ISDN Troubleshooting.”

Configuring Calling Line-Identification Screening

You can filter incoming calls to the Nokia appliance by using the calling number in the received SETUP message. The network must support Calling Line Identification (CLID) to filter calls by using the calling number.

When an incoming call is received, the calling number in the received SETUP message is checked against the incoming numbers configured on each logical interface. The calling number is compared with each incoming call using the right-most-digits algorithm. A number matches if the shortest string between the received calling number and the incoming number is the same. For example, if the calling number received was 345 and the logical interface has an incoming number of 12345, then this is deemed a match.

The call is answered on the interface that is configured with the incoming number with the highest number of matching digits. If no matching incoming number is found, the call is rejected.

If no incoming numbers are configured on an interface, any incoming call is deemed a match. Detailed information on how to add and delete incoming numbers to the logical interface

follows.

To add an incoming number

1. Click Interfaces under Configuration > Interface Configuration in the tree view.

2. Click the physical interface link in the Physical column.

Example: isdn-s2p1

3. Click the logical interface link in the Logical Interfaces table.

4. Click the Incoming Numbers link.

56 Nokia Network Voyager for IPSO 4.0 Reference Guide

Page 57

In the Number text box, enter the telephone number on which to accep t incoming calls. An x is used to represent a wild-card character.

5. Click Apply.

6. Click Yes in the Callback field for the incoming call to be disconnected, and an outgoing call

attempted; otherwise, click No to have the incoming call answered. If Callback is set to Yes, the Nokia appliance uses the number in the Remote Number field

on the logical interface to make the outgoing call.

7. If Callback is set to Yes, enter the value for the timeout in the timeout field.

This is the amount of time (in seconds) that the Nokia appliance waits before placing a call back to the remote system. The range is 0 to 999. The default is 15.

8. Click Apply.

9. Click Save to make your changes permanent.

For troubleshooting information, see “ISDN Troubleshooting.”

To remove an incoming number

1. Click Interfaces under Configuration > Interface Configuration in the tree view.

2. Click the physical interface link in the Physical column.

Example: isdn-s2p1

3. Click the logical interface link in the Logical Interfaces table.

4. Click the Incoming Numbers link.

5. Find the incoming number to remove in the Numbers table, click its corresponding Delete

button, and then click Apply.

6. Click Save to make your changes permanent.

To configure an interface to place and receive calls

1. Click Interfaces under Configuration > Interface Configuration in the tree view.

2. Click the physical interface link to configure in the Physical column.

Example: isdn-s2p1

3. Select whether to run PPP or multilink PPP on the interface from the Encapsulation text box

in the Create New Logical Interface section.

4. Click Apply.

A new logical interface appears in the Interface column.

5. Click the logical interface name in the Interface column of the Logical interfaces table to go

to the Interface page.

6. Enter the IP address for the local end of the connection in the Local address text box.

7. Enter the IP address of the remote end of the connection in the Remote address text box.

8. Click Both Direction.

Nokia Network Voyager for IPSO 4.0 Reference Guide 57

Page 58

9. Click Apply.

Note

Follow steps 8 through 21 in “To configure an ISDN logical interface to place calls” to set the information for outgoing calls. For more information about how to set up incoming numbers see “To add an incoming

number”.

10. Click Save to make your changes permanent. For troubleshooting information, see “ISDN Troubleshooting.”

Dial-on-Demand Routing (DDR) Lists

As ISDN connections attract charges to establish and maintain connections, it is useful to have only certain types of packets cause the connection to be set up. It is also useful to have timers determine how long the connection should be maintained in the absence of these packets.

A Dial-on-Demand Routing (DDR) list is used to determine the packets that should bring up and maintain an ISDN connection. This section explains how to configure DDR lists for ISDN interfaces.

A DDR list is composed of one or more rules that are used to determine if a packet is interesting. Interesting packets are those that establish and maintain a connection. Each rule has a set of values used to match a packet and an action to take when a match occurs.

The following are the possible actions:

 Accept—this is an interesting packet.  Ignore—this is not an interesting packet.  Skip—this rule is ignored.

When a packet matches a rule in the DDR list with an accept action, that packet is regarded as interesting. An interesting packet causes the ISDN interface to set up a call by using the is passed over the interface. The traffic passed could include traffic, which configured in the DDR list, with an ignore action. If no packets that match an accept rule in the DDR list are transmitted in the configured idle time, the connection is automatically disconnected. A DDR list is created with a default rule that matches all packets. The associated action is accept. This action can be set to skip so that all unmatched packets are deemed uninteresting.

Note

Setting a rule to skip effectively turns the rule off.

It is important to understand the difference between Access lists and DDR lists and how the two interoperate. When a packet is sent over an interface, any Access list applied to that interface is checked first. If the packet matches any rule in the Access list, the associated action is taken. Therefore, if the packet matched a rule in the Access list that had an associated action of drop,

58 Nokia Network Voyager for IPSO 4.0 Reference Guide

Page 59

the packet is never sent over the ISDN interface. After the packet is checked against the Access list, the DDR list applied to the interface (if any) is then checked.

Note

A DDR list, therefore, only affects which packets will cause a connection to be established and maintained. If no DDR list is applied to an ISDN interface, all traffic received by the interface is deemed interesting.

To create a DDR list

1. Click Dial on Demand Routing under Configuration > Traffic Management in the tree view.

2. Enter a name for the DDR list in the Create New DDR List text box.

3. Click Apply.

The DDR list name, Delete check box, and Add Interfaces drop-down window will appear. Only the default rule will display in the DDR list until you create your own rule.

4. Click Save to make your changes permanent.

To delete a DDR list

1. Click Dial on Demand Routing under Configuration > Traffic Management in the tree view.

2. Click the Delete check box next to the DDR list name to delete; then click Apply.

The DDR list name disappears from the DDR List Configuration page.

3. To make your changes permanent, click Save.

To add a new rule to a DDR list

1. Click Dial on Demand Routing under Configuration > Traffic Management in the tree view.

2. Locate the DDR list to which you want to add the new rule.

3. Click the Add New Rule Before check box.

4. Click Apply.

The new rule appears above the default rule.

Note

When you create more rules, you can add rules before other rules. For example, if you have four rules—rules 1, 2, 3, and 4—you can place a new rule between rules 2 and 3 by checking the Add Rule Before check box on rule 3.

5. Click Save to make your changes permanent.

Nokia Network Voyager for IPSO 4.0 Reference Guide 59

Page 60

To modify a rule

1. Click Dial on Demand Routing under Configuration > Traffic Management in the tree view.

2. Locate the DDR list that contains the rule to modify.

You can modify the following items:

 Action  Source IP address  Source mask length  Destination IP address  Destination mask length  Source port range—you can specify the source port range only if the selected protocol is

either “any,” “6,” “TCP,” “17,” or “UDP.”

 Destination port range— you can specify the destination port range only if the selected

protocol is either “any,” “6,” “TCP,” “17,” or “UDP.”

 Protocol

3. Modify the values in one or more of the text boxes or drop-down window or deselect a

button. Click Apply.

4. Click Save to make your changes permanent.

To apply or remove a DDR list to/from an interface

1. Click Dial on Demand Routing under Configuration > Traffic Management in the tree view.

2. Locate the appropriate DDR list.

3. T o apply a DDR list to the interface, select the appropriate interface from the Add Interfaces

drop-down window and click Apply. The new interface appears in the Selected Interfaces section.

4. To remove a DDR list from an interface, click the Delete check box next to the interface

under the Selected Interfaces section and click Apply. The interface disappears from the Selected Interfaces section.

5. Click Save to make your changes permanent.

Example DDR List

The following example illustrates how to configure a DDR list so that RIP packets do not cause an ISDN connection to be established nor keep an active connection running. RIP packets can, however, be exchanged over an established ISDN connection.

The DDR list is added to the isdn-s2p2c1 ISDN interface.

1. Click Dial on Demand Routing under Configuration > Traffic Management in the tree view.

2. Enter NotRIP in the Create New DDR List text box.

60 Nokia Network Voyager for IPSO 4.0 Reference Guide

Page 61

3. Click Apply.

4. Under the Existing rules for NotRIP table, click the Add New Rule Before check box.

5. Click Apply.

6. Enter

520 in the Dest Port Range text box in the Existing rules for NotRIP table.

7. Select ignore from the Action drop-down window in the Existing rules for NotRIP table.

8. Select isdn-s2p1c1 from the Add Interfaces drop-down window.

9. Click Apply.

10. Click Save.

ISDN Network Configuration Example

The following figure shows the network configuration for the example described below.

eth-s1p1

206.226.5.1

ISDN phone

number 384020

isdn-s4p1

206.226.15.1

ISDN Cloud

206.226.5.2

206.226.5.3

ISDN phone

number 38400

206.226.15.2 isdn-s2p1

eth-s3p1

192.168.24.65

192.168.24.66

192.168.24.67

00067

A Nokia IP330 Security Platform at a remote branch office connects to a Nokia IP650 Security Platform in a company’s main office through ISDN by using PPP.

Considering the nature of the traffic being transmitted and the charging rates on an ISDN network, the ISDN interface on the Nokia IP330 in this example has its minimum-call timer set to four minutes and its idle timer set to one minute. The Nokia IP330 is configured to send a username and password to the main office.

The Nokia IP650 is configured so that only incoming calls that originate from the Nokia IP330 is answered. The PPP connection is in this example, the default values for the ISDN interface are acceptable. Therefore, no configuration of the physical interface is required.

Nokia Network Voyager for IPSO 4.0 Reference Guide 61

Page 62

To configure the IP330 to place an outgoing call

1. Click Interfaces under Configuration > Interface Configuration in the tree view.

2. Click isdn-s2p1 in the Physical column of the table.

3. Select PPP from the Encapsulation text box in the Create New Logical Interface table.

Click Apply. A new logical interface appears in the Interface column of the Logical Interfaces table.

4. Click the logical interface name in the Interface column of the Logical Interfaces table to go

to the Interface page.

5. Enter

6. Enter

206.226.15.2 in the Local Address text box in the Interface Information table.

206.226.15.1 in the Remote Address text box in the Interface Information table.

7. In the Connection Information table, enter Main Office in the Description text box so that

the connection is easily identified.

8. Check Outgoing.

9. Enter

10. Enter

11. Enter the number

60 in the Idle Time text box in the Connection Information table. 240 in the Minimum Call Time text box in the Connection Information table.

384020 in the Remote Number text box in the Connection Information

table.

12. Enter

User in the Name text box under the To Remote Host heading in the Authentication

table.

13. Enter Password in the Password text box under the To Remote Host heading in the

Authentication table.

14. Click Apply.

15. Click Save.

To configure the IP650 to handle an incoming call

1. Click Interfaces under Configuration > Interface Configuration in the tree view.

2. Click isdn-s4p1 in the Physical column of the table.

3. Select PPP from the Encapsulation text box in the Create New Logical Interface table.

4. Click Apply.

A new logical interface appears in the Interface column of the Logical Interfaces table.

5. Click the logical interface name in the Interface column of the Logical Interfaces table to go

to the Interface page.

6. Enter

7. Enter 2

206.226.15.1 in the Local Address text box in the Interface Information table.

06.226.15.2 in the Remote Address text box in the Interface Information table.

8. In the Connection Interface table, enter Remote Office in the Description text box so that the

connection is easily identified.

62 Nokia Network Voyager for IPSO 4.0 Reference Guide

Page 63

9. Click Incoming.

10. Select CHAP as the authentication method in the Authentication table.

11. Enter User in the Name text box under the From Remote Host section in the Authentication

table.

12. Enter Password in the Password text box under the From Remote Host section in the

Authentication table.

13. Click Apply.

14. Click the Incoming Numbers link.

15. Enter

384000 in the Number text box under the Add Incoming Call Information section.

16. Click Apply.

17. Click Save.

Sample Call Traces

Sample traces for call setup between the Nokia IP Security platform follow. The traces were produced by issuing the following command on each device: “ Traffic was generated by doing a “

Note

To display the negotiated PPP values, run the tcpdump command with the -v switch.

ping 206.226.15.1

” on the Nokia IP330.

tcpdump -i <interface>

.”

Nokia Network Voyager for IPSO 4.0 Reference Guide 63

Page 64

The trace for connecting a call from the Nokia IP330 is:

06:23:45.186511 O > PD=8 CR=23(Orig) SETUP:Bc:88 90. CalledNb:80 33 38 34 30 32 30.SendComp: 06:23:45.255708 I < PD=8 CR=23(Dest) CALL-PROC:ChanId:89. 06:23:45.796351 I < PD=8 CR=23(Dest) ALERT: 06:23:45.832848 I < PD=8 CR=23(Dest) CONN:DateTime:60 06 0c 05 2d. 06:23:45.833274 O B1: ppp-lcp: conf_req(mru, magicnum) 06:23:45.971476 I B1: ppp-lcp: conf_req(mru, authtype, magicnum) 06:23:45.971525 O B1: ppp-lcp: conf_ack(mru, authtype, magicnum) 06:23:48.966175 I B1: ppp-lcp: conf_req(mru, authtype, magicnum) 06:23:48.966217 O B1: ppp-lcp: conf_ack(mru, authtype, magicnum) 06:23:49.070050 O B1: ppp-lcp: conf_req(mru, magicnum) 06:23:49.078165 I B1: ppp-lcp: conf_ack(mru, magicnum) 06:23:49.085662 I B1: challenge, value=0311bb3b42dec57d1108c728e575 ecc22ddf0a06b3d0b1fe46687c970bb91fa4688d417bf72a0bca572c7e4e16, name= 06:23:49.085729 O B1: response, value=dd379d2b5e692b6afef2bee361e32bca, name=User 06:23:49.094922 I B1: success 06:23:49.094969 O B1: ppp-ipcp: conf_req (addr) 06:23:49.097161 I B1: ppp-ipcp: conf_req (addr) 06:23:49.097194 O B1: ppp-ipcp: conf_ack (addr) 06:23:49.102159 I B1: ppp-ipcp: conf_ack (addr) 06:23:49.102200 O B1: 206.226.15.2 > 206.226.15.1: icmp: echo request 06:23:49.102224 O B1: 206.226.15.2 > 206.226.15.1: icmp: echo request 06:23:49.102241 O B1: 206.226.15.2 > 206.226.15.1: icmp: echo request 06:23:49.102257 O B1: 206.226.15.2 > 206.226.15.1: icmp: echo request 06:23:49.128295 I B1: 206.226.15.1 > 206.226.15.2: icmp: echo reply 06:23:49.139918 I B1: 206.226.15.1 > 206.226.15.2: icmp: echo reply 06:23:49.151558 I B1: 206.226.15.1 > 206.226.15.2: icmp: echo reply 06:23:49.163297 I B1: 206.226.15.1 > 206.226.15.2: icmp: echo reply 06:23:49.220161 O B1: 206.226.15.2 > 206.226.15.1: icmp: echo request 06:23:49.246309 I B1: 206.226.15.1 > 206.226.15.2: icmp: echo reply

The trace for receiving an incoming on IP650 follows:

15:10:09.141877 I < PD=8 CR=36(Orig) SETUP:SendComp:Bc:88

90.ChanId:89.CallingNb:00 83 33 38 34 30 30 30.CalledNb:80 33 38 34 30 32

30. 15:10:09.186313 O > PD=8 CR=36(Dest) CONN: 15:10:09.250372 I < PD=8 CR=36(Orig) CONN ACK: 15:10:09.425571 O B1: ppp-lcp: conf_req(mru, authtype, magicnum) 15:10:09.434996 I B1: ppp-lcp: conf_ack(mru, authtype, magicnum) 15:10:12.420103 O B1: ppp-lcp: conf_req(mru, authtype, magicnum) 15:10:12.429646 I B1: ppp-lcp: conf_ack(mru, authtype, magicnum) 15:10:12.532897 I B1: ppp-lcp: conf_req(mru, magicnum) 15:10:12.532943 O B1: ppp-lcp: conf_ack(mru, magicnum) 15:10:12.533133 O B1:

challenge,value=0311bb3b42dec57d1108c728e575ecc22ddf0a06b3d0b1fe46687c9

64 Nokia Network Voyager for IPSO 4.0 Reference Guide

Page 65

70bb91fa4688d417bf72a0bca572c7e4e16, name=15:10:12.549898 I

B1:response,value=dd379d2b5e692b6afef2bee361e32bca, name=User 15:10:12.549968 O B1: success 15:10:12.550039 O B1: ppp-ipcp: conf_req (addr) 15:10:12.557258 I B1: ppp-ipcp: conf_req (addr) 15:10:12.557300 O B1: ppp-ipcp: conf_ack (addr) 15:10:12.559629 I B1: ppp-ipcp: conf_ack (addr) 15:10:12.573896 I B1: 206.226.15.2 > 206.226.15.1: icmp: echo request 15:10:12.574017 O B1: 206.226.15.1 > 206.226.15.2: icmp: echo reply

ISDN Troubleshooting

Logging

ISDN sends messages to the system message log. Whether a message is sent to the log or not depends on the logging setting of the ISDN interface. Log messages are of one of the following levels of severity.

 Error—an error condition occurred  Warning—a warning condition  Informational—a normal event of note

Setting a logging to a particular level means all messages of this severity and higher are sent to the message log. For example, if you set logging to Error, all error messages are sent to the message log.

ISDN logs messages for the following informational events:

 ISDN Layer 1 protocol activated or deactivated  Expiration of Layer 1, Layer 2, and Layer 3 timers  An attempted outgoing call  An incoming call being received  A call being connected  A call being disconnected

To set level of messages logged

1. Click Interfaces under Configuration > Interface Configuration in the tree view.

2. Click the physical interface link to configure in the Physical column.

Example: isdn-s2p1

3. From the pull-down menu in the Logging field, select the level of messages for ISDN to log.

All messages of this level and below are sent to the message log.

To view the message log

1. Click Monitor on the home page.

2. Click the View Message Log link under the System logs heading.

Nokia Network Voyager for IPSO 4.0 Reference Guide 65

Page 66

The most recent system log messages appear.

Tracing

You can use the tcpdump utility to trace ISDN D-channel traffic (Q.921 and Q.931 protocols) and B-channel traffic (PPP/multilink PPP and TCP/IP protocols).

When running tcpdump on an ISDN interface, if no options are given on the command line, the following messages are decoded and displayed:

 Q.931 messages  PPP messages and the fields inside them  Any IP traffic on the B-channels

If -e option is specified on the command line, in addition to the preceding messages, all Q.921 messages are also decoded and displayed.

If the -v option is used, Q.931 messages are displayed. Also the fields in all PPP messages and their values are displayed in an extended format.

To trace ISDN traffic using tcpdump

1. Create a telnet session and log in to the firewall.

2. Enter

tcpdump -i <isdn-interface>

Troubleshooting Cause Codes

Use the following debug commands to display the ISDN cause code fields in the following table: i=0xy1y2z1z2a1a2

Table 5 ISDN Cause Code Fields

Cause Code Description

y1 8 - ITU-T standard coding y2 0 - User

1 - Private network serving local user 2 - Public network serving local user 3 - Transit network 4 - Public network serving remote user 5 - Private network serving remote user 7 - International network A - Network beyond Internetworking point

66 Nokia Network Voyager for IPSO 4.0 Reference Guide

Page 67

Table 5 ISDN Cause Code Fields

Cause Code Description

z1 Class of cause value z2 Value of cause value a1 (Optional) Diagnostic field that is always 8. a2 (Optional) Diagnostic field that is one of the following values: 0 is

Unknown, 1 is Permanent, and 2 is Transient

ISDN Cause Values

Descriptions of the cause-value field of the cause-information element are shown in the following ISDN cause value table. Cause-value numbers are not consecutive.

Table 6 Cause Values

Cause Cause Description Diagnostics

1 Unallocated (unassigned) number Note 12 2 No route to specified transit network Transit-network identity (Note 11) 3 No route to destination Note 12 6 Channel unacceptable 7 Call awarded and being delivered in an

established channel 16 Normal call clearing Note 12 17 User busy 18 No user responding 19 No answer from user (user alerted) 21 Call rejected User-supplied diagnostic (Notes 4 & 12) 22 Number changed 26 Non-selected user clearing 27 Designation out of order 28 Invalid number format 29 Facility rejected Facility identification (Note 1)

Nokia Network Voyager for IPSO 4.0 Reference Guide 67

Page 68

Table 6 Cause Values

Cause Cause Description Diagnostics

30 Response to STATUS ENQUIRY 31 Normal, unspecified 34 No circuit or channel available Note 10 38 Network out of order 41 Temporary failure 42 Switching-equipment congestion 43 Access information discarded Discarded information-element identifier(s)

(Note 6) 44 Requested circuit / channel not available Note 10 47 Resources unavailable or unspecified 49 Quality of service unavailable. See ISDN Cause Values table. 50 Requested facility not subscribed Facility identification (Note 1) 57 Bearer capability not authorized Note 3 58 Bearer capability not presently available Note 3 63 Service or option not available or specified Note 3 65 Bearer capability not implemented Note 3 66 Channel type not implemented Channel Type (Note 7) 69 Requested facility not implemented Facility Identification (Note 1) 70 Only restricted digital-information bearer is

available 79 Service or option not available or specified 81 Invalid call-reference value 82 Identified channel does not exist Channel identity 83 A suspended call exists, but call identity does not

exist 84 Call identity in use 85 No call suspended

68 Nokia Network Voyager for IPSO 4.0 Reference Guide

Page 69

Table 6 Cause Values

Cause Cause Description Diagnostics

86 Call having the requested-call identity has been

cleared 88 Incompatible destination Incompatible parameter (Note 2) 91 Invalid transit-network selection 95 Invalid message, unspecified 96 Mandatory information element is missing

Information element identifiers 97 Message type non-existent or not implemented Message type 98 Message not compatible with call state or

message type or not implemented 99 Information-element non-existent or not

implemented 100 Invalid-information element Information-element identifiers contents

101 Message not compatible with call Message type state 102 Recovery on timer expires Timer number (Note 9)

Clearing cause

Information-element identifiers is missing

Message type non-existent

Information-element identifiers not implemented (Notes 6 & 8)

(Note 6)

111 Protocol error, unspecified 127 Internetworking, unspecified

Notes for Table 6:

 Note 1—The coding of facility identification is network dependent.  Note 2—Incompatible parameter is composed of incompatible information element

identifier.

 Note 3—The format of the diagnostic field for cause 57, 58, and 65 is shown in the ITU-T

Q.931 specification.

 Note 4—User-supplied diagnostic field is encoded according to the user specification,

subject to the maximum length of the cause-information element. The coding of usersupplied diagnostics should be made in such a way that it does not conflict with the coding described in Table B-2.

 Note 5—New destination is formatted as the called-party number information element,

including information element identifier. Transit network selection might also be included.

Nokia Network Voyager for IPSO 4.0 Reference Guide 69

Page 70

 Note 6—Locking and non-locking shift procedures described in the ITU-T Q.931

specification apply. In principle, information element identifiers are in the same order as the information elements in the received message.

 Note 7—The following coding applies:

Bit 8, extension bit Bits 7 through 5, spare Bits 4 through 1, according to Table 4-15/Q.931 octet 3.2, channel type in ITU-T Q.931

specification.

 Note 8—When only the locking shift-information element is included and no variable length

information-element identifier follows, it means that the codeset in the locking shift itself is not implemented.

 Note 9—The timer number is coded in IA5 characters.

The following coding is used in each octet: Bit 8, Spare “0” Bits 7 through 1, IA5 character

 Note 10—Examples of the cause values to be used for various busy or congested conditions

appear in Annex J of the ITU-T Q.931 specification.

 Note 11—The diagnostic field contains the entire transit network selection or network-

specific facilities information element, as applicable.

 Note 12—For the coding that is used, see ISDN Cause Codes table.

ISDN Bearer-Capable Values

The ISDN bearer-capability values that display in the SETUP packet using the tracing tcpdump command follows:

0x8890 for 64 Kbps or 0x218F for 56 Kbps

Value Description

88 ITU-T coding standard; unrestricted digital information 90 Circui t mode, 64 Kbps 21 Layer 1, V.110 / X.30 8F Synchronous, no in-band negotiation, 56 Kpbs

70 Nokia Network Voyager for IPSO 4.0 Reference Guide

Page 71

Token Ring Interfaces

To configure a Token Ring interface

1. Click Interfaces under Configuration > Interface Configuration in the tree view.

2. Click the physical interface link to configure in the Physical column.

Example:

tok-s3p1

The physical interface setup page appears.

3. In the Ring Speed column of the Physical configuration table, select the desired value: 16

Mbit/sec or 4 Mbit/sec. There is no default value.

4. In the MTU field, enter the desired value.

The minimum for both ring speeds is 560. The maximum MTU for 4 Mbs is 4442, and the maximum MTU for 16 Mbs is 17792.

5. In the Allow Source routes (Multi-Ring) field, select On or Off.

Default is On. This feature specifies whether or not to support source routes.

6. In the Select Use Broadcast instead of Multicast field, select On or Off.

Default is Off. This option specifies the mapping of an IP multicast address. When the option is on, it maps a multicast address to an all-ring broadcast address: [

ff:ff:ff:ff:ff:ff]. When the option is off, it maps a multicast IP address to an IEEE-

assigned IP multicast group address: [noncanonical form:

c0:00:00:04:00:00].

7. Click the logical interface name in the Interface column of the Logical interfaces table to go

to the Interface page.

8. In the Active column of the Logical interfaces table, select On or Off.

Default is On. This setting enables or disables the logical interface. Use this switch to control access to the network or virtual circuit that corresponds to the logical interface.

9. Click Apply.

Click Up to return to the interface configuration page.

10. Click the logical interface link to configure in the Logical column.

Example: tok-s3p1c0 The logical interface setup page appears.

11. Enter the IP address for the device in the New IP address text box.

12. Enter the IP subnet mask length in the New Mask Length text box.

Click Apply. Each time you click Apply, the configured IP address and mask length are added to the table.

The entry fields remain blank to allow you to add more IP addresses.

Nokia Network Voyager for IPSO 4.0 Reference Guide 71

Page 72

13. (Optional) Change the interfaces logical name to a more meaningful name by typing the

preferred name in the Logical name text box. Click Apply.

14. (Optional) Add a comment to further define the logical interfaces function in the Comments

text box. Click Apply.

15. Click Save to make your changes permanent.

To deactivate a Token Ring interface

1. Click Interfaces under Configuration > Interface Configuration in the tree view.

2. In the Active column of the interface to deactivate, click off.

3. Click Apply.

4. Click Save to make your changes permanent.

To change a Token Ring interface

1. Click Interfaces under Configuration > Interface Configuration in the tree view.

2. In the Physical column, click the physical interface link to change. Example:

tok-s3p1.

To change only the properties of a logical interface, proceed to Step 6. The Physical Interface Setup page appears.

3. Perform the following procedures to make the desired changes.

If no change is desired, skip this step. a. In the Ring Speed column of the Physical configuration table, select the desired value: 16

Mbit/sec or 4 Mbit/sec. There is no default value.

b. In the MTU field, enter the desired value. The minimum for both ring speeds is 560. The

maximum MTU for 4 Mbs is 4442, and the maximum MTU for 16 Mbs is 17792.

c. In the Allow Source routes (Multi-Ring) field, select On or Off. Default is On. d. In the Select Use Broadcast instead of Multicast, select On or Off. Default is Off. e. In the Active column of the Logical interfaces table, select On or Off. Default is On.

4. Click Apply.

5. Click Up to return to the interface configuration page.

6. (Optional) To change a logical interface link, click the logical interface link to change in the

Logical column. Example:

tok-s3p1c0

The Logical Interface setup page appears.

7. Perform the following procedures to make the desired changes.

72 Nokia Network Voyager for IPSO 4.0 Reference Guide

Page 73

If no change is desired, skip the step. a. To change the IP address, enter the appropriate IP address in the New IP address field,.

There is no default.

b. In the New mask length field, enter the appropriate value. The range is 8 to 30, and there

is no default.

c. To delete an IP address, click the Delete box.

Note

Changing an IP address and deleting an IP address at the same time prevents multiple addresses from being assigned to a single interface.

8. Click Apply.

9. Click Save.

Token Ring Example

This section describes how you might use Network Voyager to configure the interfaces of your IP security platform in an example network.

In a company’s main office, IP650 A terminates a serial line to an Internet service provider, running PPP with a keepalive value of 10.

IP650 A also provides Internet access for an FDDI ring and a remote branch office connected a with Token Ring.

The branch office contains IP650 B, which routes traffic between a local fast Ethernet network and a Token Ring. IP650 B provides access to the main office and the Internet. This example configures the Token Ring interface on IP650 A.

Nokia Network Voyager for IPSO 4.0 Reference Guide 73

Page 74

The following figure shows the network configuration for this example.

Provider

(192.168.2.93)

ser-s1p1c0 (192.168.2.1)

Nokia Platform A

tok-s2p1c0 (192.168.3.2)

Token Ring

MAU

Server

(Optional)

tok-s1p1c0 (192.168.3.1)

Nokia Platform B

eth-s2p1c0 (192.168.4.1/24)

192.168.4.xxx

Server

00038

Server

FDDI

192.168.1.xxx

fddi-s3p1c0

(192.168.1.1/24)

192.168.3.4 192.168.3.5

Server

(Optional)

Server

1. Click Interfaces under Configuration > Interface Configuration in the tree view.

2. Select tok-s2p1 in the Physical column of the table.

3. Set the desired value in the Ring Speed column of the Physical configuration table.

Note

This setting must be the same for all hosts on the network to which the device co nnects.

4. Enter the desired MTU value.

5. In the Allow Source routes (Multi-Ring) field, select On or Off.

6. In the Select Use Broadcast instead of Multicast, select On or Off.

7. Under the Active column of the Logical interfaces table, select On or Off.

8. Click Apply.

Click Up to return to the interface configuration page.

9. Click the logical interface link to configure in the Logical column.

74 Nokia Network Voyager for IPSO 4.0 Reference Guide

Page 75

10. In the New IP Address field, enter the appropriate IP address.

11. In the New Mask Length field, enter the appropriate value.

12. Click Apply.

13. Click Save.

Point-to-Point Link over ATM

To configure an ATM interface

Note

You cannot configure an ATM interface with an IP address until a t least one log ical inter face is created for the interface.

1. Click Interfaces under Configuration > Interface Configuration in the tree view.

2. Click the physical interface link to configure in the Physical column on the Interface

Configuration page. Example:

atm-s2p1

The Physical Interface page is displayed.

3. Select SONET or SDH as the framing format in the Physical Configuration table.

Note

SONET and SDH settings are available only if the ATM interface card supports them.

The setting should match the type of transmission network to which the interface is connected.

4. Select Freerun or Loop Timing as the transmit clock choice in the Physical Configuration

table.

Note

The Transmit Clock settings are available only if the ATM interface card supports them.

Freerun uses the internal clock. If two ATM interfaces are directly connected, at least one of them must use the internal clock.

Loop timing derives the transmit clock from the recovered receive clock

5. Select the VPI/VCI range in the VPI/VCI Range Configuration list box.

6. Select point-to-point in the Type list box in the Create a new LLC/SNokia Platform

RFC1483 interface section. Enter the VPI/VCI number in the VPI/VCI text box.

Nokia Network Voyager for IPSO 4.0 Reference Guide 75

Page 76

7. Click Apply.

A new logical interface appears in the Interface column. The new interface is on by default. You can add more ATM logical interfaces by repeating this action.

8. Click the logical interface name in the Interface column of the Logical Interfaces table to go

to the Logical Interface page.

9. Enter the IP address for the local end of the PVC in the Local Address text box.

10. Enter the IP address of the remote end of the PVC in the Remote Address text box.

Click Apply.

11. Enter a number in the IP MTU text box to configure the device’ s maximum length (in bytes)

of IP packets transmitted in this interface. Click Apply. The default value is 1500.

Note

The maximum packet size must match the MTU of the link partner.

12. (Optional) Change the interfaces logical name to a more meaningful name by typing the

preferred name in the Logical Name text box.

13. Click Apply.

14. (Optional) Add a comment to further define the logical interfaces function in the Comments

text box.

15. Click Apply.

16. Click Save to make your changes permanent.

To change the VPI/VCI of an ATM interface

Note

To move an IP address from one PVC to another, you must first delete the logical interface for the old PVC, then create a new logical interface for the new PVC.

1. Click Interfaces under Configuration > Interface Configuration in the tree view.

2. Click the physical interface link to configure in the Physical column.

Example:

atm-s2p1

3. Find the ATM logical interface you wish to remove in the Logical Interfaces table and click

the corresponding Delete button.

4. Click Apply.

The logical interface disappears from the list. Any IP addresses configured on this interface are also removed.

5. Select the VPI/VCI range in the VPI/VCI Range Configuration selection box.

76 Nokia Network Voyager for IPSO 4.0 Reference Guide

Page 77

6. Select point-to-point in the Type selection box in the Create a new LLC/SNokia Platform

RFC1483 interface section. Enter the VPI/VCI number in the VPI/VCI text box.

7. Click Apply.

A new logical interface appears in the Interface column. The new interface is turned on by default.

8. Click the logical interface name in the Interface column of the Logical Interfaces table to go

the Interface page.

9. Enter the IP address for the local end of the PVC in the Local Address text box.

10. Enter the IP address of the remote end of the PVC in the Remote Address text box.

11. Click Apply.

12. (Optional) Enter the desired value in the IP MTU text box.

13. Click Apply.

14. (Optional) Change the interface’s logical name to a more meaningful one by typing the

preferred name in the Logical Name text box.

15. Click Apply.

16. Click Save to make your changes permanent.

To change the IP Address of an ATM interface

Note

Do not change the IP address you use in your browser to access Network Voyager. If you do, you can no longer access the IP security platform (unit) with your browser.

1. Click Interfaces under Configuration > Interface Configuration in the tree view.

2. Click the logical interface link for which to change the IP address in the Logical column.

Example:

atm-s2p1c8

3. Delete the current addresses from the Local Address and Remote Address text boxes, and

replace with new address entries. Click Apply. The original MTU value is retained.

4. Click Save to make your changes permanent

To change the IP MTU of an ATM interface

1. Click Interfaces under Configuration > Interface Configuration in the tree view.

2. In the Logical column, click the Logical interfaces link for the item on which to change the

IP address. Example:

atm-s2p1

3. Enter a number in the IP MTU text box to configure the device’s maximum length (in bytes)

of IP packets transmitted on this interface.

Nokia Network Voyager for IPSO 4.0 Reference Guide 77

Page 78

Note

The maximum packet size must match the MTU of the link partner. Packets longer than the length you specify are fragmented before tr an sm issio n .

4. Click Apply.

5. Click Save to make your changes permanent.

ATM Example

This section describes how you might configure the interfaces of your IP security platform in an example network, using Network Voyager.

The following figure shows the network configuration for this example.

Provider

(192.168.2.93)

ser-s1p1c0 (192.168.2.1)

Nokia Platform A

atm-s2p1c93 (192.168.3.2)

ATM

Switch

atm-s1p1c52 (192.168.3.1)

Nokia Platform B

eth-s2p1c0 (192.168.4.1/24)

192.168.4.xxx

00037

Server

FDDI

192.168.1.xxx

fddi-s3p1c0

(192.168.1.1/24)

Server Server

In a company’s main office, Nokia Platform A terminates a serial line to an Internet service provider, running PPP with a keepalive value of 10.

Nokia Platform A also provides Internet access for an FDDI ring and a remote branch office connected through ATM PVC 93.

The branch office contains Nokia Platform B, which routes traffic between a local fast Ethernet network and ATM PVC 52. It provides access to the main office and the Internet.

78 Nokia Network Voyager for IPSO 4.0 Reference Guide

Page 79

To configure the ATM interface on Nokia Platform A

1. Click Interfaces under Configuration > Interface Configuration in the tree view.

2. Select atm-s2p1 in the Physical column of the table.

3. Enter 93 in the VCI text box in the Create a new LLC/SNokia Platform RFC1483 interface

section. The channel number of the interface is no longer the VCI number but an automatically

allocated number. Therefore, the logical name of the interface in step 6 is something that depends on what other logical ATM interfaces there are. Find the newly created interface from the table before you continue.

4. Click Apply.

5. Click atm-s2p1c93 in the Logical Interfaces table. The Interface page is displayed.

6. Enter

7. Enter

192.168.3.2 in the Local Address text box.

192.168.3.1 in the Remote Address text box.

8. Click Apply

9. Enter

9180 in the IP MTU text box.

10. Click Apply.

11. Click Save.

Note

The steps for configuring the ATM interface on Nokia Platform B are the same except that you should set the to 52 when you create the logical interface and reverse the IP addresses should be reversed.

IP over ATM (IPoA)

To configure an ATM logical IP subnet (LIS) interface

1. Click Interfaces under Configuration > Interface Configuration in the tree view.

2. Click the physical interface link to configure in the Physical column. Example:

atm-s2p1

The Physical Interface page is displayed.

3. Select SONET or SDH as the framing format in the Physical Configuration table.

The setting should match the type of transmission network to which the interface is connected.

4. Select Freerun or Loop Timing as the transmit clock choice in the Physical Configuration

table. Freerun uses the internal clock. If two ATM interfaces are directly connected, at least one of

them must use the internal clock.

Nokia Network Voyager for IPSO 4.0 Reference Guide 79

Page 80

Loop timing derives the transmit clock from the recovered receive clock.

5. Select the VPI/VCI range in the VPI/VCI Range Configuration list box.

6. Create a logical interface with the Create a new LLC/SNokia Platform RFC1483 interface

section by selecting LIS in the Type list box and entering the set of VPI/VCI numbers that the interface in the VPI/VCI text box will use.

The set of VPI/VCIs can be given as a comma-separated list of VPI/VCIs or VPI/VCI ranges such as 1/42, 1/48, 1/50 to 60.

7. Click Apply.

A new logical interface appears in the Interface column. The new interface is on by default. You can create multiple logical interfaces by repeating steps 6 through 7.

8. Click the logical interface name in the Interface column of the Logical Interfaces table to

reach the Logical Interface page.

9. Enter the IP address of the interface in the IP Address text box.

10. Enter the IP subnet mask length in the Mask Length text box.

11. Enter a number in the IP MTU text box to configure the device’ s maximum length (in bytes)

of IP packets transmitted in this interface. The default value and range depend on the hardware configuration. The standard value is

9180. Click Apply.

Note

All hosts in the same LIS must use the same IP MTU in their interface to the LIS.

12. (Optional) Change the interfaces logical name to a more meaningful one by typing the

preferred name in the Logical name text box. Click Apply.

13. (Optional) Add a comment to further define the logical interfaces function in the Comments

text box.

14. Click Apply.

15. Click Save to make your changes permanent.

To change the VPI/VCIs of an ATM LIS Interface

Note

Do not change the VCI address of the connection you are using. If you do, you can no longer access the IP security platform with your browser.

1. Click Interfaces under Configuration > Interface Configuration in the tree view.

2. Click the physical interface link to configure in the Physical column. Example:

80 Nokia Network Voyager for IPSO 4.0 Reference Guide

atm-s2p1.

Page 81

The Physical Interface page appears.

3. Select the VPI/VCI range in the VPI/VCI Range Configuration list box.

4. Find the ATM logical interface to reconfigure in the Logical Interfaces table and enter a new

set of VPI/VCIs in the VPI/VCI field.

5. Click Apply.

6. Click Save to make your changes permanent.

To change the IP Address of an ATM LIS interface

Note

Do not change the IP address you use in your browser to access Network Voyager. If you do, you can no longer access the IP security platform with your browser.

1. Click Interfaces under Configuration > Interface Configuration in the tree view.

2. Click the logical interface link for which to change the IP address in the Logical column.

Example:

atm-s2p1c8

The Logical Interface page appears.

3. Enter the IP address for the interface in the IP Address text box.

4. Enter the IP subnet mask length in the Mask Length text box.

5. Click Apply.

6. Click Save to make your changes permanent.

To change the IP MTU of an ATM interface

1. Click Interfaces under Configuration > Interface Configuration in the tree view.

2. In the Logical column, click the Logical interface link for the item on which to change the IP

MTU. Example:

atm-s2p1c8.

3. Enter a number in the IP MTU text box to configure the devices maximum length (in bytes)

of IP packets transmitted on this interface.

Note

All hosts in the same LIS must use the same IP MTU in their interface to the LIS.

Packets longer than the length you specify are fragmented before transmission.

4. Click Apply.

5. Click Save to make your changes permanent.

Nokia Network Voyager for IPSO 4.0 Reference Guide 81

Page 82

IPoA Example

This section describes how you might configure the interfaces of your IP security platform in an example network, using Network Voyager.

The following figure shows the network configuration for this example.

eth-s1p1c0

Nokia Platform A

atm-s2p1c0 (10.0.0.1/24)

PVC 42 to Nokia Platform B PVC 53 to Nokia Platform C

ATM

Switch

atm-s3p1c0 (10.0.0.3/24)atm-s3p1c0 (10.0.0.2/24)

Nokia Platform CNokia Platform B

eth-s1p1c0 eth-s2p2c0 eth-s1p1c0 eth-s2p2c0

00125

A company has five Ethernet networks in three separate locations. The networks are connecte d to each other with three routers that belong to the same logical IP subnet over ATM. This example configures the A TM interface on Nokia Platform A. The interface is connected to Nokia Platform B through ATM PVC 42 and to Nokia Platform C through ATM PNC 53. Nokia Platform B and Nokia Platform C are connected to each other through an A TM PVC; their ATM interfaces have already configured.

To configure the ATM interface on Nokia Platform A

1. Click Interfaces under Configuration > Interface Configuration in the tree view.

2. Click the physical interface link to configure in the Physical column. Example:

atm-s2p1.

The Physical Interface page appears.

3. Create a logical interface in the Create a new LLC/SNokia Platform RFC1483 interface

section by selecting LIS in the Type list box.

4. Enter

42,53 in the VCI(s) text box.

5. Click Apply.

6. Click the newly created interface (atm-s2p1c0) in the Logical Interfaces table to reach the

Logical Interface page.

7. Enter

10.0.0.1 in the IP Address text box.

8. Enter

82 Nokia Network Voyager for IPSO 4.0 Reference Guide

24 in the Mask Length text box.

Page 83

9. Click Apply.

10. (Optional) Change the interfaces logical name to a more meaningful name by typing the

preferred name in the Logical name text box. Click Apply.

11. (Optional) Add a comment to further define the logical interfaces function in the Comments

text box.

12. Click Apply.

13. Click Save.

Serial (V.35 and X.21) Interfaces

To configure a serial interface for Cisco HDLC

1. Click Interfaces under Configuration > Interface Configuration in the tree view.

2. Click the physical interface link to configure in the Physical column.

Example:

3. (Optional) Click On or Off in the Physical configuration table Internal Clock field to set the

internal clock on the serial device. Set the internal clock to On when you are connecting to a device or system that does not

provide a clock source. Otherwise, set the internal clock to Off.

4. Click Apply.

5. If you turned the internal clock on, enter a value in the Internal clock speed text box.

If the device can generate only certain line rates, and the configured line rate is not one of these values, the device selects the next highest available line rate.

6. Click Full Duplex or Loopback in the Channel Mode field.

Full duplex is the normal mode of operation.

7. Click Cisco HDLC in the Encapsulation field.

8. Click Apply.

A logical interface appears in the Logical Interfaces table.

9. Enter a number in the Keepalive text box to configure the Cisco HDLC keepalive interval.

Click Apply. This value sets the interval, in seconds, between keepalive protocol message transmissions.

These messages are used periodically to test for an active remote system.

ser-s2p1

Note

This value must be identical to the keepalive value configured on the system at the other end of a point-to-point link, or the link state fluctuates.

Nokia Network Voyager for IPSO 4.0 Reference Guide 83

Page 84

10. Click the logical interface name in the Interface column of the Logical interfaces table.

The Interface page appears.

11. Enter the IP address for the local end of the link in the Local address text box.

12. Enter the IP address of the remote end of the link in the Remote address text box.

Click Apply.

13. (Optional) Change the interfaces logical name to a more meaningful name by typing the

preferred name in the Logical name text box. Click Apply.

14. (Optional) Add a comment to further define the logical interfaces function in the Comments

text box. Click Apply.

15. Click Save to make your changes permanent.

To configure a Serial Interface for PPP

1. Click Interfaces under Configuration > Interface Configuration in the tree view.

2. Click the physical interface link to configure in the Physical column. Example:

ser-s2p1.

3. (Optional) Click On or Off in the Physical configuration table Internal Clock field to set the

internal clock on the serial device. Click Apply. Set the internal clock to On when you are connecting to a device or system that does not

provide a clock source. Otherwise, set the internal clock to Off.

4. If you turned the internal clock on, enter a value in the Internal clock speed text box.

If the device can generate only certain line rates, and the configured line rate is not one of these values, the device selects the next highest available line rate.

5. Click Full Duplex or Loopback in the Channel Mode field.

Full duplex is the normal mode of operation.

6. Click the PPP radio button in the Encapsulation field.

7. Click Apply.

A logical interface appears in the Logical Interfaces table.

8. Enter a number in the Keepalive text box to configure the PPP keepalive interval.

This value sets the interval, in seconds, between keepalive protocol message transmissions. These messages are used periodically to test for an active remote system.

Note

This value must be identical to the keepalive valu e configured on the system at the o ther end of a point-to-point link, or the link state fluctuates.

84 Nokia Network Voyager for IPSO 4.0 Reference Guide

Page 85

9. Click Apply.

10. Enter a number in the Keepalive maximum failures text box.

This value sets the number of times a remote system can fail to send a keepalive protocol message within a keepalive interval before the systems considers the link down.

11. Click Apply.

12. Click the Advanced PPP Options link.

The PPP Advanced Options page appears.

13. Click Yes or No in the Negotiate Magic Number field.

Clicking Yes enables the interface to send a request to negotiate a magic number with a peer.

14. Click Yes or No in the Negotiate Maximum Receive Unit field.

Clicking Yes enables the interface to send a request to negotiate an MRU with a peer.

15. Click Apply.

16. Click Up to return to the Physical Interface page.

17. Click the logical interface name in the Interface column of the Logical Interfaces table to go

to the Interface page.

18. Enter the IP address for the local end of the link in the Local address text box.

19. Enter the IP address of the remote end of the link in the Remote address text box. Click

Apply.

20. (Optional) Change the interfaces logical name to a more meaningful name by typing the

preferred name in the Logical name text box. Click Apply.

21. (Optional) Add a comment to further define the logical interfaces function in the Comments

text box. Click Apply.

22. To make your changes permanent, click Save.

To configure a serial interface for frame relay

1. Click Interfaces under Configuration > Interface Configuration in the tree view.

2. Click the physical interface link to configure in the Physical column. Example:

ser-s2p1.

3. (Optional) Click On or Off in the Physical configuration table Internal Clock field to set the

internal clock on the serial device. Set the internal clock to On when you are connecting to a device or system that does not

provide a clock source. Otherwise, set the internal clock to Off.

4. Click Apply.

5. If you turned the internal clock on, enter a value in the Internal clock speed text box.

If the device can generate only certain line rates, and the configured line rate is not one of these values, the device selects the next highest available line rate.

Nokia Network Voyager for IPSO 4.0 Reference Guide 85

Page 86

6. Click Full Duplex or Loopback radio in the Channel Mode field.

Full duplex is the normal mode of operation.

7. Click the Frame relay radio button in the Encapsulation field.

8. Click Apply.

9. Enter a number in the Keepalive text box to configure the frame relay keepalive interval.

This value sets the interval, in seconds, between keepalive protocol message transmissions. These messages are used periodically to test for an active remote system.

Note

This value must be identical to the keepalive valu e configured on the system at the o ther end of a point-to-point link, or the link state fluctuates.

10. Click Apply.

11. Click DTE or DCE in the Interface Type field.

DTE is the usual operating mode when the device is connected to a Frame Relay switch.

12. Click On or Off in the Active Status Monitor field.

This actions sets the monitoring of the connection-active status in the LMI status message.

13. (Optional) Click the Advanced Frame Relay Options link to go to the Frame Relay

Advanced Options page.

The Frame Relay Advanced Options page allows you to configure frame relay protocol and LMI parameters for this device.

Note

The values you enter depend on the settings of the frame relay switch to which you are connected or to the subscription provided by your service provider.

14. From the Frame Relay Advanced Options page, click Up to return to the Physical Interface

page.

15. Enter the DLCI number in the Create a new interface DLCI text box.

16. Click Apply.

A new logical interface appears in the Interface column. The DLCI number appears as the channel number in the logical interface name. The new interface is on by default.

17. (Optional) Enter another DLCI number in the DLCI text box to configure another frame

relay PVC.

18. Click Apply.

Each time you click Apply after you enter a DLCI, a new logical interface appears in the Interface column. The DLCI entry field remains blank to allow you to add more frame relay logical interfaces.

86 Nokia Network Voyager for IPSO 4.0 Reference Guide

Page 87

19. Click the logical interface name in the Interface column of the Logical interfaces table to go

the Interface page.

20. Enter the IP address for the local end of the PVC in the Local address text box.

21. Enter the IP address of the remote end of the PVC in the Remote address text box.

Click Apply.

22. (Optional) Change the interfaces logical name to a more meaningful name by typing the

preferred name in the Logical name text box.

23. Click Apply.

24. Click Save to make your changes permanent.

Serial Interface Example

This section describes how you might configure the interfaces of your IP security platform in an example network, using Network Voyager.

The following figure shows the network configuration for this example.

Provider

(192.168.2.93)

ser-s1p1c0 (192.168.2.1)

Nokia Platform A

atm-s2p1c93 (192.168.3.2)

ATM

Switch

atm-s1p1c52 (192.168.3.1)

Nokia Platform B

eth-s2p1c0 (192.168.4.1/24)

192.168.4.xxx

00037

Server

FDDI

192.168.1.xxx

fddi-s3p1c0

(192.168.1.1/24)

Server Server

In a company’s main office, Nokia Platform A terminates a serial line to an Internet service provider, running PPP with a keepalive value of 10.

Nokia Platform A also provides Internet access for a FDDI ring and a remote branch office connected through ATM PVC 93.

Nokia Network Voyager for IPSO 4.0 Reference Guide 87

Page 88

The branch office contains Nok ia Platfo rm B, which routes traffic between a local Fast Ethernet network and ATM PVC 52. It provides access to the main office and the Internet.

To configure the serial interface on Nokia Platform A

1. Click Interfaces under Configuration > Interface Configuration in the tree view.

2. Select ser-s1p1 in the Physical column of the table.

3. Click PPP in the Encapsulation field.

4. Click Apply.

5. Enter

6. Click Apply.

7. Click ser-s1p1c0 in the logical interfaces table to go to the Interface page.

8. Enter

9. Enter

10. Click Apply.

11. (Optional) Change the interfaces logical name to a more meaningful name by typing the

12. Click Apply.

13. (Optional) Add a comment to further define the logical interfaces function in the Comments

14. Click Apply.

15. Click the Up button to go to the Interfaces page.

16. Click the On radio button for ser-s1p1c0.

17. Click Apply.

18. Click Save.

10 in the Keepalive text box.

192.168.2.1 in the Local address text box.

192.168.2.93 in the Remote address text box.

preferred name in the Logical name text box.

text box.

T1(with Built-In CSU/DSU) Interfaces

To configure a T1 Interface for Cisco HDLC

1. Click Interfaces under Configuration > Interface Configuration in the tree view.

2. Click the interface link to configure in the Physical column. Example:

3. (Optional) Click On or Off in the Internal Clock field to set the internal clock on the T1

device. If you are connecting to a device or system that does not provide a clock source, set Internal

Clock to On; otherwise, set it to Off. Internal clocking for T1 is fixed at 1.544 Mbps. To configure slower speeds, you must configure fractional T1 on the Advanced T1 CSU/DSU Options page.

88 Nokia Network Voyager for IPSO 4.0 Reference Guide

ser-s2p1.

Page 89

4. Click Apply.

5. Click the Full Duplex or Loopback radio button in the Channel Mode field.

Full duplex is the normal mode of operation.

6. Click AMI or B8ZS in the T1 Encoding field to select the T1 encoding.

This setting must match the line encoding of the CSU/DSU at the other end of the point-topoint link.

7. Click Apply.

8. Click Superframe (D4) or Extended SF in the T1 Framing field to select the T1 Framing

format. Use T1 framing to divide the data stream into 64 Kbps channels and to synchronize with the

remote CSU/DSU. This setting must match the frame format that the CSU/DSU uses at the other end of the point-to-point link.

9. Click Apply.

10. Click 64bps or 56bps in the T1 Channel Speed field to select the DS0 channel speed for the

T1 line. Some older trunk lines use the least-significant bit of each DS0 channel in a T1 frame for

switching-equipment signaling. T1 frames designed for data transfer can be set to not use the least-significant bit of each DS0 channel. This setting allows data to be sent over these trunk lines without corruption but at a reduced throughput. This mode is called the 56 Kbps mode because each DS0 channel now has an effective throughput of 56 Kbps instead of 64 Kbps. All T1 functions still work in the 56 Kbps mode, including all framing modes and fractional T1 configurations.

11. If you selected Extended SF as the T1 Framing format, click ANSI or None in the FDL Type

field to select the FDL type.

12. Click Cisco HDLC in the Encapsulation field.

13. Click Apply.

A logical interface appears in the Logical interfaces table.

14. Enter a number in the Keepalive text box to configure the Cisco HDLC keepalive interval.

Click Apply. This value sets the interval, in seconds, between keepalive protocol message transmissions.

These messages are used periodically to test for an active remote system.

Note

This value must be identical to the keepalive value configured on the system at the other end of a point-to-point link, or the link state fluctuates.

15. (Optional) Click the Advanced T1 CSU/DSU Options link to select advanced T1 options.

Nokia Network Voyager for IPSO 4.0 Reference Guide 89

Page 90

The T1 CSU/DSU Advanced Options page allows you to configure fractional T1 channels, line build-out values and other advanced settings for the T1 device. The values you enter on this page are dependent on the subscription provided by your service provider.

16. From the Advanced T1 CSU/DSU Options page, click Up to return to the physical interface

page.

17. Click the logical interface name in the Interface column of the Logical interfaces table to go

to the Interface page.

18. Enter the IP address for the local end of the link in the Local address text box.

19. Enter the IP address of the remote end of the link in the Remote address text box.

Click Apply.

20. (Optional) Change the interfaces logical name to a more meaningful name by typing the

preferred name in the Logical name text box. Click Apply.

21. (Optional) Add a comment to further define the logical interfaces function in the Comments

text box.

22. Click Apply.

23. Click Save to make your changes permanent.

To configure a T1 Interface for PPP

1. Click Interfaces under Configuration > Interface Configuration in the tree view.

2. Click the interface link to configure in the Physical column. Example:

ser-s2p1.

3. (Optional) Click On or Off in the Internal Clock field to set the internal clock on the T1

device. When you connect to a device or system that does not provide a clock source, set Internal

Clock to On; otherwise, set it to Off. Internal clocking for T1 is fixed at 1.544 Mbps. To configure slower speeds, you must configure fractional T1 on the Advanced T1 CSU/DSU Options page.

4. Click Apply.

5. Click Full Duplex or Loopback in the Channel Mode field.

Full duplex is the normal mode of operation.

6. Click AMI or B8ZS in the T1 Encoding field to select the T1 encoding.

This setting must match the line encoding of the CSU/DSU at the other end of the point-topoint link.

7. Click Apply.

8. Click Superframe (D4) or Extended SF in the T1 Framing field to select the T1 Framing

format.

90 Nokia Network Voyager for IPSO 4.0 Reference Guide

Page 91

Use T1 framing to divide the data stream into 64 Kbps channels and to synchronize with the remote CSU/DSU. This setting must match the frame format used by the CSU/DSU at the other end of the point-to-point link.

9. Click Apply.

10. Click 64bps or 56bps in the T1 Channel Speed field to select the DS0 channel speed for the

T1 line. Some older trunk lines use the least-significant bit of each DS0 channel in a T1 frame for

11. If you selected Extended SF as the T1 Framing format, click ANSI or None in the FDL Type

field to select the FDL type.

12. Click the PPP in the Encapsulation field.

13. Click Apply.

A logical interface appears in the Logical Interfaces table.

14. Enter a number in the Keepalive text box to configure the PPP keepalive interval.

This value sets the interval, in seconds, between keepalive protocol message transmissions. These messages are used periodically to test for an active remote system.

Note

This value must be identical to the keepalive value configured on the system at the other end of a point-to-point link, or the link state fluctuates.

15. Click Apply.

16. Enter a number in the Keepalive maximum failures text box.

This value sets the number of times a remote system may fail to send a keepalive protocol message within a keepalive interval before the systems considers the link down.

17. Click Apply.

18. (Optional) Click the Advanced T1 CSU/DSU Options link to select advanced T1 options.

The T1 CSU/DSU Advanced Options page allows you to configure fractional T1 channels, line build-out values, and other advanced settings for a T1 device. The values you enter on this page depend on the subscription provided by your service provider.

19. From the Advanced T1 CSU/DSU Options page, click Up to return to the physical interface

page.

20. Click the Advanced PPP Options link.

The PPP Advanced Options page appears.

Nokia Network Voyager for IPSO 4.0 Reference Guide 91

Page 92

21. Click Yes or No in the Negotiate Magic Number field.

Clicking Yes enables the interface to send a request to negotiate a magic number with a peer.

22. Click Yes or No in the Negotiate Maximum Receive Unit field.

Clicking Yes enables the interface to send a request to negotiate an MRU with a peer.

23. Click Apply.

24. Click Up to return to the Physical Interface page.

25. Click the logical interface name in the Interface column of the Logical Interfaces table to go

to the Interface page.

26. Enter the IP address for the local end of the link in the Local address text box.

27. Enter the IP address of the remote end of the link in the Remote address box.

Click Apply.

28. (Optional) Change the interfaces logical name to a more meaningful name by typing the

preferred name in the Logical name text box.

29. Click Apply.

30. (Optional) Add a comment to further define the logical interfaces function in the Comments

text box.

31. Click Apply.

32. Click Save to make your changes permanent.

To configure a T1 interface for frame relay

1. Click Interfaces under Configuration > Interface Configuration in the tree view.

2. Click the physical interface link to configure in the Physical column. Example:

ser-s2p1.

3. (Optional) Click On or Off in the Internal Clock field to set the internal clock on the T1

device. If you’re connecting to a device or system that does not provide a clock source, set Internal

Clock to On; otherwise, set it to Off. Internal clocking for T1 is fixed at 1.544 Mbps. To configure slower speeds, you must configure fractional T1 on the Advanced T1 CSU/DSU Options page.

4. Click Apply.

5. Click Full Duplex or Loopback in the Channel Mode field.

Full duplex is the normal mode of operation.

6. Click the AMI or B8ZS radio button in the T1 Encoding field to select the T1 encoding.

Click Apply. This setting must match the line encoding of the CSU/DSU at the other end of the point-to-

point link.

7. Click Superframe (D4) or Extended SF radio button in the T1 Framing field to select the T1

Framing format.

92 Nokia Network Voyager for IPSO 4.0 Reference Guide

Page 93

Use T1 framing to divide the data stream into 64Kbps channels and to synchronize with the remote CSU/DSU. This setting must match the frame format used by the CSU/DSU at the other end of the point-to-point link.

8. Click Apply.

9. Click 64bps or 56bps in the T1 Channel Speed field to select the DS0 channel speed for the

T1 line. Some older trunk lines use the least-significant bit of each DS0 channel in a T1 frame for

10. If you selected Extended SF as the T1 Framing format, click ANSI or None in the FDL T ype

field to select the FDL type.

11. Click Frame relay in the Encapsulation field.

12. Click Apply.

13. Enter a number in the Keepalive text box to configure the frame relay keepalive interval.

This value sets the interval, in seconds, between keepalive protocol message transmissions. These messages are used periodically to test for an active remote system.

Note

This value must be identical to the keepalive value configured on the system at the other end of a point-to-point link, or the link state fluctuates.

14. Click Apply.

15. Click DTE or DCE in the Interface Type field.

DTE is the usual operating mode when the device is connected to a Frame Relay switch.

16. Click On or Off in the Active Status Monitor field.

Sets the monitoring of the connection-active status in the LMI status message.

17. Click Apply.

18. (Optional) Click Advanced T1 CSU/DSU Options link to select advanced T1 options.

The T1 CSU/DSU Advanced Options page allows you to configure fractional T1 channels, line build-out values and other advanced settings for the T1 device. The values you enter on this page depend the subscription provided by your service provider.

19. From the Advanced T1 CSU/DSU Options page, click Up to return to the physical interface

page.

20. (Optional) Click the Advanced Frame Relay Options link to go to the Frame Relay

Advanced Options page.

Nokia Network Voyager for IPSO 4.0 Reference Guide 93

Page 94

The Frame Relay Advanced Options page allows you to configure frame relay protocol and LMI parameters for this device.

Note

The values you enter depend on the settings of the frame relay switch to which you are connected or to the subscription provided by your service provider.

21. From the Frame Relay Advanced Options page, click Up to return to the Physical Interface

page.

22. Enter the DLCI number in the Create a new interface DLCI text box.

23. Click Apply.

A new logical interface appears in the Interface column. The DLCI number appears as the channel number in the logical interface name. The new interface is on by default.

24. (Optional) Enter another DLCI number in the DLCI text box to configure another frame

relay PVC.

25. Click Apply.

Each time you click Apply after entering a DLCI, a new logical interface appears in the Interface column. The DLCI entry field remains blank to allow you to add more frame relay logical interfaces.

26. Click the logical interface name in the Interface column of the Logical Interfaces table to go

to the Interface page.

27. Enter the IP address for the local end of the PVC in the Local address text box.

28. Enter the IP address of the remote end of the PVC in the Remote address text box.

29. Click Apply.

30. (Optional) Change the interface’s logical name to a more meaningful one by typing the

preferred name in the Logical name text box.

31. Click Apply.

32. (Optional) Add a comment to further define the logical interfaces function in the Comments

text box.

33. Click Apply.

34. Click Save to make your changes permanent.

T1 Interface Example

This section describes how you might use Network Voyage r to configure the interfaces of your IP security platform in an example network.

94 Nokia Network Voyager for IPSO 4.0 Reference Guide

Page 95

The following figure shows the network configuration for this example.

Provider

(192.168.2.93)

ser-s1p1c0 (192.168.2.1)

Nokia Platform A

atm-s2p1c93 (192.168.3.2)

ATM

Switch

atm-s1p1c52 (192.168.3.1)

Nokia Platform B

eth-s2p1c0 (192.168.4.1/24)

192.168.4.xxx

00037

Server

FDDI

192.168.1.xxx

fddi-s3p1c0

(192.168.1.1/24)

Server Server

In a company’s main office, Nokia Platform A terminates a T1 line to an Internet service provider, running PPP with a keepalive value of 10. The T1 line uses B8ZS line encoding, Extended Super Frame, T1 framing, and 64 Kbps channels.

Nokia Platform A also provides Internet access for an FDDI ring and a remote branch office connected through ATM PVC 93.

The branch office contains Nokia Platform B, which routes traffic between a local fast Ethernet network and ATM PVC 52. It provides access to the main office and the Internet.

To configure the serial interface on Nokia Platform A

1. Click Interfaces under Configuration > Interface Configuration in the tree view.

2. Click the link.

3. Select ser-s1p1 in the Physical column of the table.

4. Click B8ZS in the T1 Encoding field.

5. Click Extended SF in the T1 Framing field.

6. Click 64 Kbps in the T1 Channel Speed field.

7. Click PPP in the Encapsulation field.

8. Click Apply.

9. Enter

Nokia Network Voyager for IPSO 4.0 Reference Guide 95

10 in the Keepalive text box.

Page 96

10. Click Apply.

11. Click ser-s1p1c0 in the logical interfaces table to go to the Interface page.

12. Enter

13. Enter

14. Click Apply.

15. (Optional) Change the interfaces logical name to a more meaningful name by typing the

16. (Optional) Add a comment to further define the logical interfaces function in the Comments

17. Click Up to go to the Interfaces page.

18. Click On for ser-s1p1c0.

19. Click Apply.

20. Click Save.

192.168.2.1 in the Local address text box.

192.168.2.93 in the Remote address text box.

preferred name in the Logical name text box. Click Apply.

text box. Click Apply.

E1 (with Built-In CSU/DSU) Interfaces

To configure an E1 interface for Cisco HDLC

1. Click Interfaces under Configuration > Interface Configuration in the tree view.

2. Click the physical interface link to configure in the Physical column. Example:

3. (Optional) Click On or Off in the Internal Clock field to set the internal clock on the E1

device. Click Apply. If you are connecting to a device or system that does not provide a clock source, set Internal

Clock to On; otherwise, set it to Off. Internal clocking for E1 is fixed at 2.048 Mbps/sec. To configure slower speeds, you must configure fractional E1 on the Advanced E1 CSU/DSU Options page.

4. Click Full Duplex or Loopback in the Channel Mode field.

Full duplex is the normal mode of operation.

5. Click AMI or HDB3 in the E1 Encoding field to select the E1 encoding.

Click Apply. This setting must match the line encoding of the CSU/DSU at the other end of the point-to-

point link.

6. Click E1 (channel 0 framing) or No Framing in the E1 Framing field to select the E1

framing format.

ser-s2p1.

96 Nokia Network Voyager for IPSO 4.0 Reference Guide

Page 97

Use E1 framing to select whether timeslot-0 is used for exchanging signaling data.

7. Click On or Off for the E1 CRC-4 Framing field.

Note

This option appears only if you set the E1 Framing field to E1 (channel 0 framing).

This option chooses the framing format for timeslot-0. On means that CRC-multiframe format is used; the information is protected by CRC-4. Off means that double-frame format is used. This setting must match the setting of the CSU/DSU at the other end of the link.

8. Click On or Off for the E1 Timeslot-16 Framing.

Click Apply.

Note

This option appears only if you set the E1 Framing field to E1 (channel 0 framing).

This option controls whether timeslot-16 is used in channel associated signaling (CAS). Setting this value to On means that timeslot-16 cannot be used as a data channel. See fractional settings on the Advanced E1 CSU/DSU Options page.

9. Click Cisco HDLC in the Encapsulation field.

Click Apply. A logical interface appears in the Logical Interfaces table.

10. Enter a number in the Keepalive text box to configure the Cisco HDLC keepalive interval.

Click Apply. This value sets the interval, in seconds, between keepalive protocol message transmissions.

These messages are used periodically to test for an active remote system. The range is 0-

255. The default is 10.

Note

This value must be identical to the keepalive value configured on the system at the other end of a point-to-point link, or the link state fluctuates.

11. (Optional) Click the Advanced E1 CSU/DSU Options link to select advanced E1 options.

The E1 CSU/DSU Advanced Options page allows you to configure fractional E1 channels and other advanced settings for the E1 device. The values you enter on this page depend on the subscription provided by your service provider.

12. From the Advanced E1 CSU/DSU Options page, click Up to return to the physical interface

page.

13. Click the logical interface name in the Interface column of the Logical Interfaces table to go

to the Interface page.

Nokia Network Voyager for IPSO 4.0 Reference Guide 97

Page 98

14. Enter the IP address for the local end of the link in the Local Address text box.

15. Enter the IP address of the remote end of the link in the Remote Address text box.

Click Apply.

16. (Optional) Change the interface’s logical name to a more meaningful one by typing the

preferred name in the Logical name text box. Click Apply.

17. (Optional) Add a comment to further define the logical interfaces function in the Comments

text box. Click Apply.

18. Click Save to make your changes permanent.

Note

Try to ping the remote system from the command prompt. If the remote system does not work, contact your service provider to confirm the configuration.

To configure an E1 interface for PPP

1. Click Interfaces under Configuration > Interface Configuration in the tree view.

2. Click the physical interface link to configure in the Physical column. Example:

ser-s2p1.

3. (Optional) Click On or Off in the Internal Clock field to set the internal clock on the E1

device. Click Apply. If you’re connecting to a device or system that does not provide a clock source, set Internal

Clock to On; otherwise, set it to Off. Internal clocking for E1 is fixed at 2.048 Mbits/sec. To configure slower speeds, you must configure fractional E1 on the Advanced E1 CSU/DSU Options page.

4. Click Full Duplex or Loopback in the Channel Mode field.

Full duplex is the normal mode of operation.

5. Click AMI or HDB3 in the E1 Encoding field to select the E1 encoding.

Click Apply. This setting must match the line encoding of the CSU/DSU at the other end of the point-to-

point link.

6. Click E1 (channel 0 framing) or No Framing in the E1 Framing field to select the E1

Framing format. Use E1 framing to select whether timeslot-0 is used for exchanging signaling data.

7. Click On or Off for the E1 CRC-4 Framing field.

98 Nokia Network Voyager for IPSO 4.0 Reference Guide

Page 99

Note

This option appears only if you have set the E1 Framing field to E1 (channel 0 framing).

This button chooses the framing format for timeslot-0. On means that CRC-multiframe format is used; the information is protected by CRC-4. Off means that double-frame format is used. This setting must match the setting of the CSU/DSU at the other end of the link.

8. Click On or Off for the E1 Timeslot-16 Framing.

Click Apply.

Note

This option appears only if you set the E1 Framing field to E1 (channel 0 framing).

This value controls whether timeslot-16 is used in channel associated signaling (CAS). Setting this value to On means

that timeslot-16 cannot be used as a data channel. See

fractional settings on the Advanced E1 CSU/DSU Options page.

9. Click PPP in the Encapsulation field.

Click Apply. A logical interface appears in the Logical Interfaces table.

10. Enter a number in the Keepalive text box to configure the PPP keepalive interval.

Click Apply. This value sets the interval, in seconds, between keepalive protocol message transmissions.

These messages are used periodically to test for an active remote system. The range is 0-

255. The default is 5.

Note

This value must be identical to the keepalive value configured on the system at the other end of a point-to-point link, or the link state fluctuates.

11. Enter a number in the Keepalive Maximum Failures text box.

This value sets the number of times a remote system may fail to send a keepalive protocol message within a keepalive interval before the systems consider the link down. The range is a positive integer. The default is 30.

12. Click Apply.

13. (Optional) Click the Advanced E1 CSU/DSU Options link to select advanced E1 options.

The E1 CSU/DSU Advanced Options page allows you to configure fractional E1 channels and other advanced settings for an E1 device. The values you enter on this page depend on the subscription provided by your service provider.

Nokia Network Voyager for IPSO 4.0 Reference Guide 99

Page 100

14. From the Advanced E1 CSU/DSU Options page, click Up to return to the physical interface

page.

15. Click the Advanced PPP Options link.

The PPP Advanced Options page appears.

16. Click Yes or No in the Negotiate Magic Number field.

Clicking Yes enables the interface to send a request to negotiate a magic number with a peer.

17. Click Yes or No in the Negotiate Maximum Receive Unit field.

Clicking Yes enables the interface to send a request to negotiate an MRU with a peer.

18. Click Apply.

19. Click Up to return to the Physical Interface page.

20. Click the logical interface name in the Interface column of the Logical Interfaces table to go

to the Interface page.

21. Enter the IP address for the local end of the link in the Local Address text box.

22. Enter the IP address of the remote end of the link in the Remote Address text box.

Click Apply.

23. (Optional) Change the interface’s logical name to a more meaningful one by typing the

preferred name in the Logical name text box. Click Apply.

24. (Optional) Add a comment to further define the logical interfaces function in the Comments

text box. Click Apply.

25. Click Save to make your changes permanent.

Note

Try to ping the remote system from the command prompt. If the remote system does not work, contact your service provider to confirm the configuration.

To configure an E1 interface for frame relay

1. Click Interfaces under Configuration > Interface Configuration in the tree view.

2. Click the interface link to configure in the Physical column. Example:

ser-s2p1.

3. (Optional) Click On or Off in the Internal Clock field to set the internal clock on the E1

device. Click Apply. If you’re connecting to a device or system that does not provide a clock source, set Internal

Clock to On; otherwise, set it to Off. Internal clocking for E1 is fixed at 2.048 Mbits/sec. To configure slower speeds, you must configure fractional E1 on the Advanced E1 CSU/DSU Options page.

100 Nokia Network Voyager for IPSO 4.0 Reference Guide

Nokia IPSO 4.0 User Manual

Specifications and Main Features

Frequently Asked Questions

User Manual

Contents

About the Nokia Network Voyager Reference Guide

Conventions This Guide Uses

Notices

Text Conventions

Menu Items

Related Documentation

1 About Network Voyager

Software Overview

Logging In to Network Voyager

Logging Off

Obtaining a Configuration Lock

Navigating in Network Voyager

Reloading Pages

Accessing Documentation and Help

Viewing Hardware and Software Information for Your System

2 Configuring Interfaces

Interface Overview

IP2250 Management Ports

Configuring Network Devices

Configuring IP Addresses

Interface Status

Configuring Tunnel Interfaces

Ethernet Interfaces

Configuring Ethernet Interfaces

Link Aggregation

Managing Link Aggregation Using SNMP

Configuring Switches for Link Aggregation

Static Link Aggregation

Link Aggregation on the IP2250

Configuring Link Aggregation

Gigabit Ethernet Interfaces

Point-to-Point Over Ethernet

Configuring PPPoE

Configuring MSS Clamping

Virtual LAN Interfaces

FDDI Interfaces

ISDN Interfaces

Configuring Calling Line-Identification Screening

Dial-on-Demand Routing (DDR) Lists

ISDN Network Configuration Example

ISDN Troubleshooting

Token Ring Interfaces

Token Ring Example

Point-to-Point Link over ATM

ATM Example

IP over ATM (IPoA)

IPoA Example

Serial (V.35 and X.21) Interfaces

Serial Interface Example

T1(with Built-In CSU/DSU) Interfaces

T1 Interface Example

E1 (with Built-In CSU/DSU) Interfaces