Nokia IPSO 4.0 User Manual

Nokia Network Voyager
for IPSO 4.0
Reference Guide
Part No. N451818001 Rev A
Published October 2005
COPYRIGHT
©2005 Nokia. All rights reserved. Rights reserved under the copyright laws of the United States.
RESTRICTED RIGHTS LEGEND
Use, duplication, or disclosure by the United States Government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013.
Notwithstanding any other license agreement that may pertain to, or accompany the delivery of, this computer software, the rights of the United States Government regarding its use, reproduction, and disclosure are as set forth in the Commercial Computer Software-Restricted Rights clause at FAR52.227-19.
IMPORTANT NOTE TO USERS
This software and hardware is provided by Nokia Inc. as is and any express or implied warranties, including, but not limited to, implied warranties of merchantability and fitness for a particular purpose are disclaimed. In no event shall Nokia, or its affiliates, subsidiaries or suppliers be liable for any direct, indirect, incidental, special, exemplary, or consequential damages (including, but not limited to, procurement of substitute goods or services; loss of use, data, or profits; or business interruption) however caused and on any theory of liability, whether in contract, strict liability, or tort (including negligence or otherwise) arising in any way out of the use of this software, even if advised of the possibility of such damage.
Nokia reserves the right to make changes without further notice to any products herein.
TRADEMARKS
Nokia is a registered trademark of Nokia Corporation. Other products mentioned in this document are trademarks or registered trademarks of their respective holders.
Nokia Contact Information

Corporate Headquarters
Web Site: http://www.nokia.com
Telephone: 1-888-477-4566 or 1-650-625-2000
Fax: 1-650-691-2170
Mail Address: Nokia Inc. 313 Fairchild Drive Mountain View, California 94043-2215 USA

Regional Contact Information
Americas: Nokia Inc. 313 Fairchild Drive Mountain View, CA 94043-2215 USA. Tel: 1-877-997-9199 Outside USA and Canada: +1 512-437-7089 email: info.ipnetworking_americas@nokia.com
Europe, Middle East, and Africa: Nokia House, Summit Avenue Southwood, Farnborough Hampshire GU14 ONG UK. Tel: UK: +44 161 601 8908 Tel: France: +33 170 708 166 email: info.ipnetworking_emea@nokia.com
Asia-Pacific: 438B Alexandra Road #07-00 Alexandra Technopark Singapore 119968. Tel: +65 6588 3364 email: info.ipnetworking_apac@nokia.com

Nokia Customer Support
Web Site: https://support.nokia.com/
Email: tac.support@nokia.com
Americas: Voice: 1-888-361-5030 or 1-613-271-6721 Fax: 1-613-271-8782
Europe: Voice: +44 (0) 125-286-8900 Fax: +44 (0) 125-286-5666
Asia-Pacific: Voice: +65-67232999 Fax: +65-67232897

Contents

About the Nokia Network Voyager Reference Guide
Conventions This Guide Uses
Notices
Text Conventions
Menu Items
Related Documentation
1 About Network Voyager
Software Overview
Logging In to Network Voyager
Logging Off
Obtaining a Configuration Lock
Navigating in Network Voyager
Reloading Pages
Accessing Documentation and Help
Viewing Hardware and Software Information for Your System
2 Configuring Interfaces
Interface Overview
IP2250 Management Ports
Configuring Network Devices
Configuring IP Addresses
Interface Status
Configuring Tunnel Interfaces
Ethernet Interfaces
Configuring Ethernet Interfaces
Link Aggregation
Managing Link Aggregation Using SNMP
Configuring Switches for Link Aggregation
Static Link Aggregation
Link Aggregation on the IP2250
Configuring Link Aggregation
Gigabit Ethernet Interfaces
Point-to-Point Over Ethernet
Configuring PPPoE
Configuring MSS Clamping
Virtual LAN Interfaces
FDDI Interfaces
ISDN Interfaces
Configuring Calling Line-Identification Screening
Dial-on-Demand Routing (DDR) Lists
ISDN Network Configuration Example
ISDN Troubleshooting
Token Ring Interfaces
Token Ring Example
Point-to-Point Link over ATM
ATM Example
IP over ATM (IPoA)
IPoA Example
Serial (V.35 and X.21) Interfaces
Serial Interface Example
T1 (with Built-In CSU/DSU) Interfaces
T1 Interface Example
E1 (with Built-In CSU/DSU) Interfaces
HSSI Interfaces
Unnumbered Interfaces
Configuring Unnumbered Interfaces
Configuring OSPF over Unnumbered Interface
OSPF over Unnumbered Interfaces Using Virtual Links
Cisco HDLC Protocol
Point-to-Point Protocol
Frame Relay Protocol
Loopback Interfaces
GRE Tunnels
Configuring GRE Tunnels
GRE Tunnel Example
High Availability GRE Tunnels
HA GRE Tunnel Example
DVMRP Tunnels
DVMRP Tunnel Example
ARP Table Entries
Configuring ARP for ATM Interfaces
Transparent Mode
Limitations
Transparent Mode Processing Details
Configuring Transparent Mode in VPN Environments
Example of Transparent Mode
Configuring Transparent Mode
Monitoring Transparent Mode Groups
Transparent Mode and Check Point NGX
Virtual Tunnel Interfaces (FWVPN) for Route-Based VPN
Creating Virtual Tunnel Interfaces
3 Configuring System Functions
Configuring DHCP
Configuring DHCP Client Interfaces
DHCP Client Configuration
Configuring the DHCP Server
DHCP Server Configuration
Changing DHCP Service
Adding DHCP Address Pools
Enabling or Disabling DHCP Address Pools
Assigning a Fixed-IP Address to a Client
Creating DHCP Client Templates
Configuring Dynamic Domain Name System Service
Configuring the Domain Name Service
Configuring Disk Mirroring
Using an Optional Disk (Flash-Based Systems Only)
Mail Relay
System Failure Notification
Configuring Mail Relay
Sending Mail
Setting the System Time
Configuring Host Addresses
Configuring System Logging
Configuring Logging on Disk-Based Systems
Configuring Logging on Flash-Based Systems
Configuring Audit Logs
Remote Core Dump Server on Flash-Based Systems
Changing the Hostname
Managing Configuration Sets
Scheduling Jobs
Backing Up and Restoring Files
Creating Backup Files
Transferring Backup Files
Restoring Files from Locally Stored Backup Files
Managing Nokia IPSO Images
Changing Current Image
Deleting Images
Installing New Images
Testing a New Image
Upgrading Nokia IPSO Images for a Cluster
Downgrading Nokia IPSO Images
Configuring Monitor Reports
Managing Packages
Installing and Enabling Packages
Advanced System Tuning
Tuning the TCP/IP Stack
Router Alert IP Option
4 Virtual Router Redundancy Protocol (VRRP)
VRRP Overview
How VRRP Works
Understanding Monitored-Circuit VRRP
Configuring VRRP
Selecting Configuration Parameters
Before you Begin
Configuring Monitored-Circuit VRRP
Configuring VRRPv2
Configuring Check Point NGX for VRRP
Configuring VRRP Rules for Check Point NGX
Link Aggregation (IP2250 Systems Only)
Monitoring VRRP
Monitoring the Firewall State
Troubleshooting VRRP
General Configuration Considerations
Firewall Policies
Access Control Lists
Switched Environments
5 Configuring Clustering
IP Clustering Description
Using Flash-Based Platforms
Example Cluster
Cluster Management
Cluster Terminology
Clustering Modes
Considerations for Clustering
If You Do Not Use a Dedicated Primary Cluster Protocol Network
Upgrading IPSO in a Cluster
For All Upgrades
Upgrading from IPSO 3.7 or Later
Upgrading from IPSO 3.6
Creating and Configuring a Cluster
Configuration Overview
Creating a Cluster
Selecting the Cluster Mode
Configuring the Work Assignment Method
Configuring an Interface
Configuring Firewall Monitoring
Supporting Non-Check Point Gateways and Clients
Configuring Join-Time Shared Features
Making the Cluster Active
Adding a Node to a Cluster
Recommended Procedure
Joining a System to a Cluster
Managing a Cluster
Using Cluster Voyager
Synchronizing the Time on Cluster Nodes
Configuring NGX for Clustering
Clustering Example (Three Nodes)
Configuring the Cluster in Voyager
Configuring the Internal and External Routers
Clustering Example With Non-Check Point VPN
6 Configuring SNMP
SNMP Overview
SNMP Proxy Support for Check Point MIB
Using the Check Point MIB
Using cpsnmp_start
Enabling SNMP and Selecting the Version
Configuring the System for SNMP
Setting an Agent Address
Configuring Traps
Interpreting Error Messages
Configuring SNMPv3
Request Messages
Managing SNMP Users
7 Configuring IPv6
IPv6 Overview
Interfaces
IPv6 and IPv4 Compatibility
Configuring IPv6 in IPv4 Tunnels
Configuring IPv6 to IPv4
Configuring IPv6 over IPv4
Configuring IPv4 in IPv6 Tunnels
Configuring an IPv6 Default or Static Route
Routing Configuration
Configuring OSPFv3
Configuring RIPng
Creating IPv6 Aggregate Routes
Creating Redistributed Routes
Router Discovery
Configuring ICMPv6 Router Discovery
VRRP for IPv6
Configuring VRRP for IPv6
Creating a Virtual Router for an IPv6 Interface Using VRRPv3
Creating a Virtual Router to Back Up Another VRRP Router Addresses Using VRRPv3
Monitoring the Firewall State
Setting a Virtual MAC Address for a Virtual Router
Changing the IP Address List of a Virtual Router in VRRPv3
Removing a Virtual Router in VRRPv3
Creating a Virtual Router in Monitored Circuit Mode for IPv6
Setting Interface Dependencies for a Monitored Circuit Virtual Router for IPv6
Changing the List of Addresses in a Monitored Circuit Virtual Router for IPv6
Traffic Management
Security and Access Configuration
8 Managing Security and Access
Managing Passwords
Managing User Accounts
Adding and Deleting Users
Managing and Using S/Key
Managing Groups
Role-Based Administration
Managing Roles
Assigning Roles and Access Mechanisms to Users
Creating Cluster Administrator Users
Configuring Network Access and Services
Configuring a Modem on COM2, COM3, or COM4
Configuring Nokia Network Voyager Access
Configuring Basic Nokia Network Voyager Options
Generating and Installing SSL/TLS Certificates
Secure Shell (SSH)
Initial SSH Configuration
Configuring Advanced Options for SSH
Configuring Secure Shell Authorized Keys
Changing Secure Shell Key Pairs
Managing User RSA and DSA Identities
Tunneling HTTP Over SSH
Network Voyager Session Management
Enabling or Disabling Session Management
Configuring Session Timeouts
Authentication, Authorization, and Accounting (AAA)
Creating an AAA Configuration
Configuring RADIUS
Configuring TACACS+
Deleting an AAA Authentication Server Configuration
Changing an AAA Configuration
Deleting an AAA Configuration
Encryption Acceleration
Enabling Encryption Accelerator Cards
Monitoring Cryptographic Acceleration
IPSec Tunnels (IPSO Implementation)
Using PKI
IPSec Implementation in IPSO
IPSec Parameters
Creating an IPSec Policy
Creating an IPSec Tunnel Rule
Transport Rule
IPSec Tunnel Rule Example
IPSec Transport Rule Example
Changing the Local/Remote Address or Local/Remote Endpoint of an IPSec Tunnel
Removing an IPSec Tunnel
Miscellaneous Security Settings
9 Configuring Routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 351
Routing Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 351
Nokia Network Voyager IPSO 4.0 Refere nc e Guid e 1 3
Routing Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 351
Route Maps. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 353
OSPF . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 353
Types of Areas . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 354
Area Border Routers. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 355
High Availability Support for OSPF . . . . . . . . . . . . . . . . . . . . . . 355
Configuring OSPF. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 356
RIP. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 365
RIP 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 365
RIP 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 366
Virtual IP Address Support for VRRP . . . . . . . . . . . . . . . . . . . . 366
Configuring RIP. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 367
Configuring RIP Timers. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 368
Configuring Auto-Summarization . . . . . . . . . . . . . . . . . . . . . . . 369
RIP Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 369
PIM. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 370
Configuring Virtual IP Support for VRRP. . . . . . . . . . . . . . . . . . 371
PIM Support for IP Clustering . . . . . . . . . . . . . . . . . . . . . . . . . . 371
Configuring Dense-Mode PIM. . . . . . . . . . . . . . . . . . . . . . . . . . 373
Disabling PIM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 374
Setting Advanced Options for Dense-Mode PIM (Optional) . . . 375
Configuring Sparse-Mode PIM . . . . . . . . . . . . . . . . . . . . . . . . . 376
Configuring High-Availability Mode . . . . . . . . . . . . . . . . . . . . . . 377
Configuring this Router as a Candidate Bootstrap and
Candidate Rendezvous Point. . . . . . . . . . . . . . . . . . . . . . . . . 379
Configuring a PIM-SM Static Rendezvous Point. . . . . . . . . . . . 380
Setting Advanced Options for Sparse-Mode PIM (Optional). . . 381
Debugging PIM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 383
IGRP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 385
Generation of Exterior Routes. . . . . . . . . . . . . . . . . . . . . . . . . . 387
Aliased Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 388
IGRP Aggregation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 388
14 Nokia Network Voyager IPSO 4.0 Reference Guide
Configuring IGRP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 388
DVMRP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 390
Configuring DVMRP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 391
Configuring DVMRP Timers
IGMP
Configuring IGMP
Static Routes
Adding and Managing Static Routes Example
Backup Static Routes
Route Aggregation
Route Aggregation Example
Route Rank
Rank Assignments
Routing Protocol Rank Example
BGP
Support for BGP-4++
BGP Sessions (Internal and External)
BGP Path Attributes
BGP Multi-Exit Discriminator
BGP Interactions with IGPs
Inbound BGP Route Filters
Redistributing Routes to BGP
Communities
Route Reflection
Confederations
EBGP Multihop Support
Route Dampening
TCP MD5 Authentication
BGP Support for Virtual IP for VRRP
BGP Support for IP Clustering
BGP Memory Requirements
BGP Neighbors Example
Path Filtering Based on Communities Example
BGP Multi Exit Discriminator Example
Changing the Local Preference Value Example
BGP Confederation Example
Route Reflector Example
BGP Community Example
EBGP Load Balancing Example: Scenario #1
EBGP Load Balancing Example: Scenario #2
Adjusting BGP Timers Example
TCP MD5 Authentication Example
BGP Route Dampening Example
BGP Path Selection
BGP-4++ Example
Route Redistribution
Redistributing Routes to BGP
Redistributing Routes to RIP and IGRP
Redistributing OSPF to BGP Example
Redistributing Routes with OSPF
Inbound Route Filters
BGP Route Inbound Policy Example
BGP AS Path Filtering Example
10 Configuring Traffic Management
Traffic Management Overview
Packet Filtering Description
Traffic Shaping Description
Traffic Queuing Description
Configuring Access Control Lists
Configuring ACL Rules
Modifying a Rule
Configuring Aggregation Classes
Configuring Queue Classes
Configuring ATM QoS
Configuring Common Open Policy Server
Configuring a COPS Client ID and Policy Decision Point
Configuring Security Parameters for a COPS Client ID
Assigning Roles to Specific Interfaces
Activating and Deactivating the COPS Client
Changing the Client ID Associated with Specific Diffserv Configuration
Deleting a Client ID
Example: Rate Shaping
Example: Expedited Forwarding
11 Configuring Router Services
BOOTP/DHCP Relay
Configuring BOOTP/DHCP Relay
IP Broadcast Helper
Router Discovery
Router Discovery Overview
Configuring Router Discovery
Network Time Protocol (NTP)
Configuring NTP
12 Monitoring System Configuration and Hardware
Viewing System Utilization Statistics
CPU-Memory Live Utilization
Disk and Swap Space
Monitoring Process Utilization
IPSO Process Management
Generating Monitor Reports
Monitoring System Health
Monitoring System Logs
Viewing Cluster Status and Members
Viewing Routing Protocol Information
Displaying the Kernel Forwarding Table
Displaying Route Settings
Displaying Interface Settings
Hardware Monitoring
Using the iclid Tool
iclid Commands
Preventing Full Log Buffers and Related Console Messages
Index

About the Nokia Network Voyager Reference Guide

This guide provides information about how to configure and monitor Nokia IPSO systems. This guide provides conceptual information about system features and instructions on how to perform tasks using Nokia Network Voyager, the Web-based interface for IPSO. All of the tasks that you perform with Network Voyager you can also perform with the command-line interface (CLI), allowing you to choose the interface you are most comfortable with. For information specific to the CLI, see the CLI Reference Guide for Nokia IPSO.
This guide is intended for experienced network administrators who configure and manage Nokia IP security platforms. It assumes a working knowledge of networking and TCP/IP protocol principles and some experience with UNIX-based systems.
This guide is organized into the following chapters:
Chapter 1, “About Network Voyager” describes the IPSO operating system, Nokia Network Voyager, how to use Network Voyager, and how to access documentation and help pages.
Chapter 2, “Configuring Interfaces” describes how to configure and monitor interfaces.
Chapter 3, “Configuring System Functions” describes how to configure basic system functions such as DHCP, DNS, disk mirroring, mail relay, system failure notification, system time, host entries, system logging, and the hostname. It also describes how to save configuration sets, schedule jobs, back up and restore files, manage and upgrade system images, reboot the system, manage packages, and perform advanced system tuning.
Chapter 4, “Virtual Router Redundancy Protocol (VRRP)” describes how to provide dynamic failover of IP addresses using VRRP.
Chapter 5, “Configuring Clustering” describes how to provide fault tolerance and dynamic load balancing using clustering.
Chapter 6, “Configuring SNMP” describes how to configure Simple Network Management Protocol (SNMP), the protocol used to exchange management information between network devices.
Chapter 7, “Configuring IPv6” describes how to configure features that use the IPv6 protocol.
Chapter 8, “Managing Security and Access” describes how to manage passwords, user accounts and groups, assign privileges using role-based administration, and how to configure network access, services, and Network Voyager session management. It also describes how to configure AAA for a new service, encryption acceleration, and virtual tunnel interfaces (VTI), which support Check Point route-based VPN.
Chapter 9, “Configuring Routing” describes the IPSO routing subsystem, how to configure the various routing protocols that are supported, route aggregation, and route redistribution.
Chapter 10, “Configuring Traffic Management” describes traffic management functionality, including access control lists and aggregation classes.
Chapter 11, “Configuring Router Services” describes how to enable your system to forward broadcast traffic by enabling the IP Broadcast Helper, forward BOOTP/DHCP traffic by enabling BOOTP relay, how to enable router discovery, and how to configure Network Time Protocol (NTP).
Chapter 12, “Monitoring System Configuration and Hardware” provides information on monitoring your system.

Conventions This Guide Uses

The following sections describe the conventions this guide uses, including notices, text conventions, and command-line conventions.

Notices

Caution
Cautions indicate potential equipment damage, equipment malfunction, loss of performance, loss of data, or interruption of service.
Note
Notes provide information of special interest or recommendations.

Text Conventions

Table 1 describes the text conventions this guide uses.
Table 1 Text Conventions
Convention | Description
monospace font | Indicates command syntax, or represents computer or screen output, for example: Log error 12453
bold monospace font | Indicates text you enter or type, for example: # configure nat
Key names | Keys that you press simultaneously are linked by a plus sign (+): Press Ctrl + Alt + Del.
Menu commands | Menu commands are separated by a greater than sign (>): Choose File > Open.
Italics | Emphasizes a point or denotes new terms at the place where they are defined in the text. Indicates an external book title reference. Indicates a variable in a command: delete interface if_name

Menu Items

Menu items in procedures are separated by the greater than sign. For example, click Backup and Restore under Configuration > System Configuration indicates that you first click Configuration to expand the menu if necessary, then click System Configuration, and finally click the Backup and Restore link.

Related Documentation

In addition to this guide, documentation for this product includes the following:
CLI Reference Guide for Nokia IPSO, which is on the IPSO CD. This guide contains the commands that you can implement from the command-line interface (CLI) for IPSO.
Getting Started Guide and Release Notes for IPSO, which is included in the release pack. This document contains a list of new features for the current IPSO release, installation instructions, and known limitations.

1 About Network Voyager

This chapter provides an overview of Network Voyager, the Web-based interface that you can use to manage Nokia IPSO systems.
Nokia Network Voyager is a Web-based interface that you can use to manage IPSO systems from any authorized location. Network Voyager comes packaged with the IPSO operating system software and is accessed from a client using a browser.
You can also use the command-line interface (CLI) to perform all of the tasks that you can perform when you use Network Voyager, which allows you to choose the interface you are most comfortable with. For information about the CLI, see the CLI Reference Guide.

Software Overview

Nokia firewalls function with the help of several software components:
Operating System—Nokia IPSO is a UNIX-like operating system based on FreeBSD. IPSO is customized to support Nokia’s enhanced routing capabilities and Check Point’s FireWall-1 firewall functionality, and to "harden" network security. Unnecessary features have been removed to minimize the need for UNIX system administration.
Ipsilon Routing Daemon (IPSRD)—IPSRD is Nokia’s routing software. The routing policy implemented by IPSRD resides in a database. Network Voyager (see below) configures and maintains the routing software and database.
Check Point FireWall-1—FireWall-1 consists of two major components: (1) the Firewall module, which runs on the Nokia firewall and implements the security policy, and (2) the Management module, which runs either on the Nokia firewall or on another workstation. Use the Management Module to define and maintain the security policy.
Network Voyager—Network Voyager communicates with the routing software to configure interfaces and routing protocols, to manage routing policy for the firewall, and to monitor network traffic and protocol performance. Network Voyager also provides online documentation. Network Voyager itself runs on a remote machine as a client application of the Nokia routing software and is HTML based.

Logging In to Network Voyager

When you log in to Network Voyager, the navigation tree you see depends on the role or roles assigned to you. If the roles assigned to your user account do not include access to a feature, you will not see a link to the feature in the tree. If you have read-only access to a feature, you will see a link and be able to access the page, but all the controls will be disabled. For more information on role-based administration, see “Role-Based Administration” on page 293.
Note
The system logs messages about both successful and unsuccessful attempts by users to log in. These are stored in the /var/log/messages file.
To open Nokia Network Voyager
1. Open a Web browser on a computer with network connectivity to the IPSO system.
2. In the Location or Address text box, enter the IP address of the initial interface you configured for the appliance.
You are prompted to enter a username and password. If this is the first login, enter the Admin username and the password you entered when you performed the initial configuration.
For information about initial configuration, see the Getting Started Guide and Release Notes for IPSO.
Note
If the login screen does not appear, you might not have a physical network connection between the host and your appliance, or you might have a network routing problem. Confirm the information you entered during the initial configuration and check that all cables are firmly connected.

Logging Off

When you are finished with your Network Voyager session, or if you need to log in to a new session, log out by clicking Log Off at the top of the Network Voyager window.
Note
The Log Off link does not appear if you disabled session management. For information about session management, see “Network Voyager Session Management” on page 311.
You can choose to log in with or without an exclusive lock on configuration changes. For more information, see “Obtaining a Configuration Lock” on page 25.

Obtaining a Configuration Lock

When you log in with exclusive configuration lock, no other user will be able to change the system configuration. Only users with read/write access privileges are allowed to log in with exclusive configuration lock.
If you acquire a configuration lock and then close your browser without logging out, the lock remains in effect until the session time-out elapses or someone manually overrides the lock. For instructions about how to override a configuration lock, see “To override a configuration lock.”
Users who have one or more read/write access privileges (as defined by the administrator under role-based administration) acquire configuration locks unless they uncheck the Acquire Exclusive Configuration Lock check box when they log in. However, their read/write access is limited to the features assigned by the administrator even though the configuration lock is in effect for all features.
To log in with exclusive configuration lock
1. At the login, enter your user name.
2. Enter your password.
3. Check the Acquire Exclusive Configuration Lock check box. This is the default.
4. Click Log In.
Note
Enabling the exclusive configuration lock in Network Voyager prevents you or other users from using the CLI to configure the system while your browser session is active.
To log in without exclusive configuration lock
1. At the login, enter your user name.
2. Enter your password.
3. Uncheck the Acquire Exclusive Configuration Lock check box.
4. Click Log In.
To override a configuration lock
Note
Only users with read/write access privileges are allowed to override an exclusive configuration lock.
1. From the login page, click Log In with Advanced Options.
2. Verify that the Acquire Exclusive Configuration Lock check box is checked. This is the default choice.
3. Check the Override Locks Acquired by Other Users check box.
4. Enter your user name and password.
5. Click Log In.

Navigating in Network Voyager

The following table explains the functions of the buttons in Network Voyager. Other buttons are described in the inline help for each page.
Button | Description
Apply | Applies the settings on the current page (and any deferred applies from other pages) to the current (running) configuration file in memory.
Feedback | Takes you to the documentation or Technical Assistance Center (TAC) feedback page.
Help | Displays help for all elements of the page.
Reset Routing | Restarts the routing daemon.
Save | Saves the current (running) configuration file to disk.
Avoid using your browser’s Back and Forward buttons while in Network Voyager. The browser caches the HTML page information; therefore, using Back and Forward may not display the latest configuration and diagnostic information as you move from page to page.

Reloading Pages

If the pages seem to have outdated information, you can use the Reload button on the browser to update it. You can also clear memory and disk cache with the following procedure.
To clear the memory and disk cache
1. Select Network Preferences from the Options menu in Netscape.
2. Select Cache in the Preferences window.
3. Click the Clear Memory Cache Now button, then click OK.
4. Click Clear Disk Cache Now, then click OK.
5. Click OK or close the Preferences window.

Accessing Documentation and Help

You can access the Nokia Network Voyager Reference Guide for IPSO, the CLI Reference Guide, and Network Voyager online help from links within the Network Voyager interface.
This guide, the Nokia Network Voyager Reference Guide for IPSO, is the comprehensive reference source for IPSO administration and using the Network Voyager interface. You can access this guide and the CLI Reference Guide from the following locations:
Network Voyager interface—Click the Documentation link in the tree view.
Nokia support site (https://support.nokia.com).
On the software CD that might have been delivered with your appliance. If you have a CD, the documentation is located in the doc folder.
Inline help supplies context sensitive information for Network Voyager. To access inline help for a Network Voyager page, navigate to that page and click Help. Text-only definitions and related information on fields, buttons, and sections appear in a separate window.
Inline and online help use the following text conventions.
Type of Text | Description
italic text | Introduces a word or phrase, highlights an important term, phrase, or hypertext link, indicates a field name, system message, or document title.
typewriter text | Indicates a UNIX command, program, file name, or path name.
bold typewriter text | Indicates text to be entered verbatim by you.
 | Represents the name of a key on the keyboard, of a button displayed on your screen, or of a button or switch on the hardware. For example, press the RETURN key.
<bracketed> | Indicates an argument that you or the software replaces with an appropriate value. For example, the command rm <filename> indicates that you should type rm followed by the filename of the file to be removed.
- OR - | Indicates an exclusive choice between two items.
LinkText | Indicates a hypertext link.
You can preserve the current page content in your browser and start another browser window to display the inline or online help text by using the following procedure.
To open a new window to view help
1. Right-click the Doc button.
2. Click Open Link in New Browser Window.
Displays the online help in a new window.
3. Right-click the Help On button.
4. Click Open Link in New Browser Window.
Displays the inline (text-only) help in a new window.

Viewing Hardware and Software Information for Your System

The asset management summary page provides a summary of all system resources, including hardware, software and the operating system. The hardware summary includes information about the CPU, Disks, BIOS, and motherboard, including the serial number, model number, and capacity, or date, as appropriate. The summary also displays the amount of memory on the appliance.
The Check Point FireWall summary lists information about the host and policy installed and the date on which the FireWall policy was installed. The summary also describes which version of the FireWall is running and license information.
The operating system summary lists which software release and version of that release is running on the system.
To view the asset management summary
1. Click Asset Management under Configuration in the tree view.
The asset management summary page appears.
2. The page separates information into three tables: Hardware, FireWall Package Information, and Operating System.
3. Click the Up button to return to the main configuration page.

2 Configuring Interfaces

This chapter describes configuring and monitoring the various types of interfaces supported by Nokia IP security platforms, aggregating Ethernet ports, configuring GRE and DVMRP tunnels, using transparent mode to allow your IPSO appliance to behave like a Layer 2 device, and other topics related to physical and logical interfaces.

Interface Overview

Nokia IPSO supports the following interface types.
Ethernet/Fast Ethernet
Gigabit Ethernet
FDDI
ATM (RFC1483 PVCs only)
Serial (V.35 and X.21) running PPP, point-to-point Frame Relay, or Cisco HDLC
T1/E1 running PPP, Frame Relay, or Cisco HDLC
HSSI running PPP, point-to-point Frame Relay, or Cisco HDLC
VPN Tunneling
Token Ring
Unnumbered Interface
ISDN
Note
For information on what types of interfaces your appliance model supports, see your hardware installation guide.
You can configure these interfaces with IP addresses. You also can assign additional IP addresses to the loopback, FDDI, and Ethernet interfaces. All interface types support IP multicast.

IP2250 Management Ports

The Ethernet management ports on IP2250 systems are designed to be used for the following purposes:
Managing the appliance
Firewall synchronization traffic
IP cluster protocol traffic
Connection to a log server
Caution
The management ports are not suitable for forwarding production data traffic. Do not use them for this purpose.

Configuring Network Devices

Network Voyager displays network devices as physical interfaces. A physical interface exists for each physical port on a network interface card (NIC) installed in the appliance. Physical interface names have the form:
<type>-s<slot>p<port>
where:
<type> is a prefix indicating the device type.
<slot> is the number of the slot the device occupies in the appliance.
<port> is the port number of the NIC. The first port on a NIC is port one.
For example, a two-port Ethernet NIC in slot 2 is represented by two physical interfaces: eth-s2p1 and eth-s2p2.
The following table lists the interface-name prefixes for each type.
Type | Prefix
Ethernet | eth
FDDI | fddi
ATM | atm
Serial | ser
T1/E1 | ser
HSSI | ser
Token Ring | tok
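The naming scheme and prefix table above, as an added example (not part of the Nokia guide or of IPSO): a Python parser that validates physical interface names, for instance when checking a list of names gathered during a configuration review. The function names are hypothetical, and accepting any non-negative slot number is an assumption, since the guide only states that port numbering starts at one.

```python
import re

# Prefix table as listed in the guide. "ser" is shared by three device
# types, so the name alone cannot distinguish Serial, T1/E1 and HSSI.
PREFIX_TYPES = {
    "eth": ("Ethernet",),
    "fddi": ("FDDI",),
    "atm": ("ATM",),
    "ser": ("Serial", "T1/E1", "HSSI"),
    "tok": ("Token Ring",),
}

# <type>-s<slot>p<port>, with nothing before or after it.
_NAME_RE = re.compile(r"([a-z]+)-s([0-9]+)p([0-9]+)")


def parse_physical_interface(name):
    """Return prefix, slot, port and candidate device types for a name.

    Raises ValueError when the name does not follow the documented form.
    """
    match = _NAME_RE.fullmatch(name)
    if match is None:
        raise ValueError(f"{name!r}: not of the form <type>-s<slot>p<port>")
    prefix = match.group(1)
    slot, port = int(match.group(2)), int(match.group(3))
    if prefix not in PREFIX_TYPES:
        raise ValueError(f"{name!r}: unknown type prefix {prefix!r}")
    if port < 1:
        # The guide states that the first port on a NIC is port one.
        raise ValueError(f"{name!r}: port numbers start at 1")
    return {"prefix": prefix, "slot": slot, "port": port,
            "types": PREFIX_TYPES[prefix]}


def nic_interface_names(prefix, slot, port_count):
    """List the physical interface names for one NIC with port_count ports."""
    if prefix not in PREFIX_TYPES:
        raise ValueError(f"unknown type prefix {prefix!r}")
    if slot < 0 or port_count < 1:
        # Slot lower bound is an assumption; the guide does not state one.
        raise ValueError("slot must be >= 0 and port_count >= 1")
    return [f"{prefix}-s{slot}p{port}" for port in range(1, port_count + 1)]


def audit_names(names):
    """Split names into (parsed, rejected) without stopping at the first error."""
    parsed, rejected = {}, {}
    for name in names:
        try:
            parsed[name] = parse_physical_interface(name)
        except ValueError as err:
            rejected[name] = str(err)
    return parsed, rejected


if __name__ == "__main__":
    # Constructed sample input: two valid names and four malformed ones.
    sample = ["eth-s2p1", "ser-s3p1", "eth-s2p0", "eth-s2",
              "gig-s1p1", "eth-s2p1;x"]
    ok, bad = audit_names(sample)
    for name, info in ok.items():
        print(name, "->", "/".join(info["types"]),
              "slot", info["slot"], "port", info["port"])
    for reason in bad.values():
        print("rejected:", reason)
```

Because the ser prefix covers three device types, a consumer of the parsed result still has to consult the hardware inventory to learn which kind of serial device a name refers to.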