Nokia Voyager Reference Manual

Voyager Reference Guide

Part No. N450820002 Rev A

Published December 2003

COPYRIGHT

©2003 Nokia. All rights reserved.
Rights reserved under the copyright laws of the United States.

RESTRICTED RIGHTS LEGEND

Use, duplication, or disclosure by the United States Government is subject to restrictions as set
forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at
DFARS 252.227-7013.

Notwithstanding any other license agreement that may pertain to, or accompany the delivery of,
this computer software, the rights of the United States Government regarding its use,
reproduction, and disclosure are as set forth in the Commercial Computer Software-Restricted
Rights clause at FAR 52.227-19.

IMPORTANT NOTE TO USERS

This software and hardware is provided by Nokia Inc. as is and any express or implied
warranties, including, but not limited to, implied warranties of merchantability and fitness for a
particular purpose are disclaimed. In no event shall Nokia, or its affiliates, subsidiaries or
suppliers be liable for any direct, indirect, incidental, special, exemplary, or consequential
damages (including, but not limited to, procurement of substitute goods or services; loss of use,
data, or profits; or business interruption) however caused and on any theory of liability, whether in
contract, strict liability, or tort (including negligence or otherwise) arising in any way out of the use
of this software, even if advised of the possibility of such damage.

Nokia reserves the right to make changes without further notice to any products herein.

TRADEMARKS

Nokia is a registered trademark of Nokia Corporation. Other products mentioned in this
document are trademarks or registered trademarks of their respective holders.

030114

2 Voyager Reference Guide

Nokia Contact Information

Corporate Headquarters

Web Site http://www.nokia.com

Telephone 1-888-477-4566 or

1-650-625-2000

Fax 1-650-691-2170

Mail
Address

Regional Contact Information

Americas Nokia Inc.

Europe,
Middle East,
and Africa

Asia-Pacific 438B Alexandra Road

Nokia Customer Support

Web Site: https://support.nokia.com/

Email: tac.support@nokia.com

Nokia Inc.
313 Fairchild Drive
Mountain View, California
94043-2215 USA

313 Fairchild Drive
Mountain View, CA 94043-2215
USA

Nokia House, Summit Avenue
Southwood, Farnborough
Hampshire GU14 ONG UK

#07-00 Alexandra Technopark
Singapore 119968

Tel: 1-877-997-9199
Outside USA and Canada: +1 512-437-7089
email: ipsecurity.na@nokia.com

Tel: UK: +44 161 601 8908
Tel: France: +33 170 708 166
email: ipsecurity.emea@nokia.com

Tel: +65 6588 3364
email: ipsecurity.apac@nokia.com

Americas Europe

Voi ce: 1-888-361-5030 or

Fax: 1-613-271-8782 Fax: +44 (0) 125-286-5666

Asia-Pacific

Voi ce: +65-67232999

Fax: +65-67232897

Voyager Reference Guide 3

Voi ce: +44 (0) 125-286-8900

1-613-271-6721

031014

4 Voyager Reference Guide

Voyager Reference Guide 5

Contents

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .9

How to Use Voyager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .25

Command-Line Utility Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .31

Monitoring and Configuring System Resources . . . . . . . . . . . . . . . . . . .33

Dynamic Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .34

Static Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .48

Configuring Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .65

Ethernet Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .69

Gigabit Ethernet Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .75

Virtual LAN Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80

FDDI Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .84

ISDN Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .89

Token Ring Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .121

Point-to-Point Link over ATM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .128

IP over ATM (IPoA) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .136

Serial (V.35 and X.21) Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .143

T1(with built-in CSU/DSU) Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .152

E1 (with built-in CSU/DSU) Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .164

HSSI Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .174

Unnumbered Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .180

Cisco HDLC Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .188

Point-to-Point Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .189

Frame Relay Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192

Loopback Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .197

GRE Tunnels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .198

DVMRP Tunnels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .209

ARP Table Entries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .214

Configuring ARP for the ATM Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .217

6 Voyager Reference Guide

Configuring Routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221

OSPF (Open Shortest Path First) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 224

RIP (Routing Information Protocol) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 230

Protocol-Independent Multicast (PIM) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 237

IGRP (Inter-Gateway Routing Protocol) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 254

DVMRP (Distance Vector Multicast Routing Protocol) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 262

IGMP (Internet Group Management Protocol) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 264

Static Routes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 267

Backup Static Routes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 274

Route Aggregation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 275

Route Rank . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 278

BGP (Border Gateway Protocol) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 281

Route Redistribution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 325

Configuring Traffic Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 341

Configuring Clustering in IPSO . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 343

Configuring Access Control Lists (ACL) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 402

Configuring Access Control List Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 407

Configuring Aggregation Classes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 412

Configuring Queue Classes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 415

Configuring ATM QoS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 419

Configuring Common Open Policy Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 423

Configuring Transparent Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 435

Configuring Router Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .449

Bootp (Bootstrap Protocol) Relay . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 451

IP Broadcast Helper . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 453

Router Discovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 456

VRRP (Virtual Router Redundancy Protocol) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 459

NTP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 486

Configuring System Functions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 491

DNS Hostname Procedures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 493

Configuring Disk Mirroring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 494

Mail Relay . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 496

Failure Notification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 498

Time and Date Procedures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 499

Static Host Procedures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 499

System Logging Procedures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 500

Hostname Procedure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 504

Managing Configuration Sets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 505

Voyager Reference Guide 7

Backing Up and Restoring Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .507

Scheduling Jobs Through the Crontab File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .5 14

Managing IPSO Images . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .515

Installing New IPSO Images . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .517

Managing Packages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .520

Advanced System Tuning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .523

Configuring Security and Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .525

Password Procedures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .528

Group Procedures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .532

Network Access Procedures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .533

Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .543

Secure Shell (SSH) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .545

Secure Socket Layer (SSL) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .555

Authentication, Authorization, and Accounting (AAA) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .560

Cryptographic Acceleration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .583

IPsec Tunnels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .587

Voyager Session Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6 16

Configuring Fault Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .621

Fault Management Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .622

Configuring SNMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .627

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .628

Configuring SNMP v1 and v2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .634

Interpreting SNMP Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .643

SNMP v3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .647

Configuring Asset Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .651

Asset Management Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .651

Configuring IPv6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .653

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .654

Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .656

IPv6 and IPv4 Compatibility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .657

Routing Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .662

Router Discovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .665

Traffic Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .667

Security and Access Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .668

8 Voyager Reference Guide

IPSO Process Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 671

IPSO Process Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 671

Glossary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 675

Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 689

1 Overview

Chapter Contents

! Software Overview
! Interface Overview
! Routing Overview
! Redistributing Routes Overview

Software Overview

This section gives you an overview of the Nokia software configured and
maintained by Nokia Voyager software.

Nokia firewalls function with the help of several software components:

! Operating System—Nokia firewalls run Nokia IPSO, a UNIX-like

operating system based on FreeBSD. IPSO is customized to support
Nokia’s enhanced routing capabilities and Check Point’s FireWall-1
firewall functionality, and to "harden" network security. Unnecessary
features have been removed to minimize the need for UNIX system
administration.

! Ipsilon Routing Daemon (IPSRD)—IPSRD is Nokia’s routing software.

The routing policy implemented by IPSRD resides in a database. Voyager
(see below) configures and maintains the routing software and database.

Voyager Reference Guide 9

1 Overview

! Check Point Fir eW all-1—FireWall-1 consists of two major components:

(1) the Firewall module, which runs on the Nokia firewall and
implements the security policy, and (2) the Management module, which
runs either on the Nokia firewall or on another workstation. Use the
Management Module to define and maintain the security policy.

! Voyager—Voyager communicates with the routing software to configure

interfaces and routing protocols, to manage routing policy for the firewall,
and to monitor network traffic and protocol performance. Voyager also
provides online documentation. Voyager itself runs on a remote machine
as a client application of the Nokia routing software and is HTML based.

Interface Overview

This section describes how to configure network devices and assign IP
addresses to them using Voyager.

Interface Types

Nokia NAPs support the following interface types.

Note

Consult the appropriate hardware installation guide to find out what
interfaces your unit supports.

! Ethernet/Fast Ethernet
! FDDI
! ATM (RFC1483 PVCs only)
! Serial (V.35 and X.21) running PP P, point-to-point Frame Relay, or Cisco

HDLC

! T1/E1 running PPP, Frame Relay, or Cisco HDLC
! HSSI running PPP, point-to-point Frame Relay, or Cisco HDLC
! VPN Tunneling

10 Voyager Reference Guide

! Token Ring
! Unnumbered Interface
! ISDN

You can configure these interfaces with IP addresses. You also can assign
additional IP addresses to the loopback, FDDI, and Ethernet interfaces. All
interface types support IP multicast.

Configuring Network Devices

Voyager displays network devices as physical interfaces. A physical interface
exists for each physical port on a network interface card (NIC) installed in the
unit. Physical interface names have the form:

<type>-s<slot>p<port>

where:

<type>

is a prefix indicating the device type. The interface-name prefixes for

each type are as follows:

Type Prefix

Ethernet

FDDI

ATM atm
Serial

T1/E1

HSSI

Token Ring tok
ISDN isdn

eth

fddi

ser

ser

ser

Voyager Reference Guide 11

1 Overview

<slot>
<port>

is the number of the slot the device occupies in the unit.

is the port number of the card. The first port on a NIC is port one. Fo r
example, a two-port Ethernet NIC in slot 2 is represented by two physical
interfaces:

eth-s2p1

and

eth-s2p2

The loopback interface also has a physical interface named
Use Voyager to set the attributes of the device. For example, line speed and

duplex mode are attributes of an Ethernet physical interface. Each
communications port has exactly one physical interface.

Configuring IP Addresses

Logical interfaces are created for a device's physical interface. You assign an
IP address to logical interfaces and then route to the IP address. Ethernet,
FDDI, and Token Ring devices have one logical interface.

For ATM devices, you create a new logical interface each time you configure
an RFC1483 PVC for the device. Serial, T1/E1, and HSSI devices have one
logical interface when they are running PPP or Cisco HDLC. Serial, T1/E1
and HSSI devices running point-to-point Frame Relay have a logical interface
for each PVC configured on the port. You also have the option of configuring
an unnumbered interface for point-to-point interfaces. Tunnels, however,
cannot be configured as unnumbered interfaces.

.

loop0

.

Logical interfaces, by default, are named after the physical interface for which
they are created. If you wish, you can override this default name with a more
descriptive or familiar name. You can also associate a comment with the
logical interface as a further way to define its relationship in the network.
Default logical interface names have the form:

<type>-s<slot>p<port>c<chan>

where

<type>, <slot>

and

<port>

have the same values as the corresponding

physical interface

<chan>

is the channel number of the logical interface. For logical interfaces
created automatically, the channel number is always zero. For logical

12 Voyager Reference Guide

interfaces created manually, the channel number is the identifier of the virtual
circuit (VC) for which the interface is created (for example, the ATM VCI or
the Frame Relay DLCI).

Logical Interface
Physical
Interface

Ethernet One (
FDDI One (c0)
ATM One per VCI (
Serial

(X.21 or V.35)
T1/E1 One (

HSSI One (

Default Cisco HDLC PPP Frame Relay

c0

)

c#

)

c0

One (

) One (c0) One per DLCI

(c#)

c0

) One (c0) One per DLCI

(c#)

c0

) One (c0) One per DLCI

(c#)

Token Ring One (c0)

c#

ISDN One (

For example, the logical interface of a physical interface

eth-s2p1c0

slot 3 are called

. The logical interfaces for PVCs 17 and 24 on an ATM NIC in

atm-s3p1c17

and

atm-s3p1c24

respectively.

)

eth-s2p1

is called

Once a logical interface exists for a device, you can assign an IP address to it.
For Ethernet, FDDI, and T oken Ring, you must specify the interface's local IP
address and the length (in bits) of the subnet mask for the subnet to which the
device connects.

If you are running multiple subnets on the same physical network, you can
configure additional addresses and subnet masks on the single logical

Voyager Reference Guide 13

1 Overview

interface connected to that network. You do not need to create additional
logical interfaces to run multiple subnets on a single physical network.

For point-to-point media, such as ATM, serial, or HSSI, you can either assign
IP addresses or configure an unnumbered interface. When assigning IP
addresses you must specify the IP address of the local interface and the IP
address of the remote system's point-to-point interface.

You can add only one local/destination IP address pair to a point-to-point
logical interface. To assign IP addresses to multiple VCs, you must create a
logical interface for each VC. IP subnets are not supported on point-to-point
interfaces.

Whenever an unnumbered interface generates a packet, it uses the address of
the interface that the user has specified as the source address of the IP packet.
Thus, for a router to have an unnumbered interface, it must have at least one
IP address assigned to it. The Nokia implementation of unnumbered
interfaces does not support virtual links.

Indicators and Interface Status

The configuration and status of removable-interface devices are displayed.
Interfaces can be changed while they are offline. The events, their effects, and
indications are:

! If you hot-insert a device (not power down the unit first), it appears in the

lists of interfaces immediately (after a page refresh) on the configuration
pages.

! If you hot-pull a device, and no configuration exists for it, it disappears

from the lists of interfaces immediately.

! If you hot-pull a device, and it had a configuration, its configuration

details continue to be displayed and can be changed even after a reboot.

! Hotswapped interfaces that are fully seated in a router’s chassis are

represented in the ifTable (MIB-II), ipsoCardTable (IP440-IPSO-System­MIB), and the hrNetworkTable
(Host-Resources-MIB).

14 Voyager Reference Guide

! Unwanted configurations of absent devices can be deleted, which

removes the physical and logical interfaces from all interface lists.

! None: If no color indication is displayed, the physical interface is

disabled. To enable the interface, click on the physical interface name to
go to its configuration page.

! Blue: The device corresponding to this physical interface has been

removed from the system, but its configuration remains. To delete its
configuration, click on the physical interface name to go to its
configuration page.

! Red: The physical interface is enabled, but the device does not detect a

connection to the network.

! Green: The physical interface is ready for use. It is enabled and

connected to the network.

Address Resolution Protocol (ARP)

ARP allows a host to find the physical address of a target host on the same
physical network using only the target’s IP address. ARP is a low-level
protocol that hides the underlying network physical addressing and permits
assignment of an arbitrary IP address to every machine.ARP is considered
part of the physical network system and not as part of the internet protocols.

Using the Loopback Interface

By default, the loopback interface has 127.0.0.1 configured as its IP address.
Locally originated packets sent to this interface are sent back to the
originating process.

You might want to assign an address to the loopback interface that is the same
as the OSPF firewall ID, or is the termination point of a BGP session. This
allows firewall adjacencies to stay up even if the outbound interface is down.
Do not specify an IP subnet mask length when you add addresses to the
loopback interface.

Voyager Reference Guide 15

1 Overview

Configuring Tunnel Interfaces

Tunnel interfaces are used to encapsulate protocols inside IP packets. Use
tunneling to:

! send network protocols over IP networks that don’t support them
! encapsulate and encrypt private data to send over a public IP network.

Create a tunnel logical interface by specifying an encapsulation type. Use
Voyager to set the encapsulation type. Voyager supp orts two encapsulation
types, DVMRP and VPN.

The tunnel logical interface name has the form:

tun0c<chan>

where <chan> (channel number) is an instantiation identifier.

DVMRP (Distance Vector Multicast Routing
Protocol) Tunnels

DVMRP tunnels encapsulate multicast packets using IP-in-IP encapsulation.
The encapsulated packets appear as unicast IP packets. This technique allows
two multicast routers to exchange multicast packets even when they are
separated by routers that cannot forward multicast packets. For each DVMRP
tunnel you create, you must provide the IP address of the interface that forms
the local endpoint of the tunnel and the IP address of the multicast router that
is at the remote end of the tunnel forming the remote endpoint of the tunnel.

Note

The remote multicast router must support IP-in-IP encapsulation and
must be configured with a tunnel interface to the local router.

When you have created the DVMRP tunnel interface, set all other DVMRP
multicast configuration parameters from the DVMRP configuration page.

16 Voyager Reference Guide

VPN (Virtual Private Networking) Tunnels

VPN tunnels encapsulate IP packets using Generic Routing Encapsulation
(GRE) without options. The encapsulated packets appear as unicast IP
packets. For each VPN tunnel you create, you must assign a local and remote
IP address. You also must provide the local and remote endpoint addresses of
the interface to which this tunnel is bound. VPN tunnels provide redundant
configuration between two sites for high availability. The remote router must
also support VPN encapsulation and must be configured with a tunnel
interface to the local router.

Routing Overview

This section discusses the following topics:

! Nokia Routing Subsystem
! Routing Protocols

Nokia Routing Subsystem

The Nokia routing subsystem, Ipsilon Routing Daemon (IPSRD), is an
essential part of your firewall. IPSRD’s role is to dynamically compute paths
or routes to remote networks. Routes are calculated by a routing protocol.
Besides providing routing protocols, IPSRD also allows routes to be
converted or redistributed between routing protocols. Finally, when there are
multiple protocols with a route to a given destination, IPSRD allows you to
specify a ranking of protocols. Based on this ranking, a single route is
installed in the forwarding table for each destination.

You can configure each of the supported routing protocols, route
redistribution, and other routing options via the Configuring Routing section
in Voyager.

Routing monitoring is available by following links from the individual
protocol pages or by clicking on the Monitor button in Voyager. Another

Voyager Reference Guide 17

1 Overview

monitoring tool is ICLID. This tool provides interactive, text-based
monitoring of the routing subsystem.

Routing Protocols

Routing protocols compute the best route to each destination. Routing
protocols also exchange information with adjacent firewalls. The best route is
determined by the cost or metric values.

Routing protocols can be broken up into two major categories: exterior
gateway protocols (EGPs) and interior gateway protocols (IGPs). Inte rior
gateway protocols exchange routing information inside an autonomous
system (AS). An AS is a routing domain, such as inside an organization, that
contacts its own routing. An EGP exchanges routing information between
ASes and provides for specialized policy-bound filtering and configuration.

Interior Routing Protocols

IPSRD supports three IGPs: RIP (Routing Information Protocol), IGRP
(Interior Gateway Routing Protocol), and OSPF (Open Shortest Path First).
Static routes and aggregate routes are also supported.

RIP

RIP is a commonly used IGP. There are two versions of RIP: RIP version 1,
and RIP version 2. Both versions are supported by IPSRD.

RIP uses a simple distance vector algorithm called Bellman Ford to calculate
routes. In RIP, each destination has a cost or metric value, which is based
solely on the number of hops between the calculating firewall and the given
destination.

The maximum metric value is 15 hops, which means that RIP is not suited to
networks within a diameter greater than 15 firewalls. The advantage of RIP
version 2 over RIP version 1 is that it supports non-classful routes. Classful
routes are old-style class A, B, C routes. You should use RIP version 2 instead
of RIP version 1 whenever possible.

18 Voyager Reference Guide

Nokia also supports RIPng, the version of RIP that supports IPv6 interfaces.

Protocol Described in RFC

RIP version 1 RFC1058
RIP version 2 RFC1723
RIPng

IGRP

IGRP (Interior Gateway Routing Protocol) is a distance v ector protocol. IGRP
has a number of metrics for each destination. These metrics include link delay,
bandwidth, reliability, load, MTU, and hop count. A single composite metric
is formed by combining metrics with a particular weight.

Like RIP version 1, IGRP does not fully support non-classful routing.

OSPF

OSPF (Open Shortest Path First) is a modern link-state routing protocol. It
fully supports non-classful networks. OSPF has a single, 24-bit metric for
each destination. You can configure this metric to any desired value.

OSPF allows the AS to be broken up into areas. Areas allow you to increase
overall network stability and scalability. At area boundaries, routes can be
aggregated to reduce the number of routes each firewall in the AS must know
about. If there are multiple paths to a single destination with the same
computed metric, OSPF can install them into the forwarding table.

Protocol Described in RFC

OSPF RFC2328

Voyager Reference Guide 19

1 Overview

DVMRP

DVMRP (Distance Vector Multicast Routing Protocol) is a multicast routing
protocol (RIP, OSPF, and IGRP are unicast routing protocols). Multicasting is
typically used for real-time audio and video when there is a single source of
data and multiple receivers. DVMRP uses a hop-based metric and, like RIP, a
distance-vector route calculation.

BGP

BGP (Border Gateway Protocol) is an exterior gateway protocol that is used
to exchange network reachability information between BGP-speaking
systems running in each AS. BGP is unlike interior gateway protocols (IGRP
or OSPF), which periodically flood an intra-domain network with all the
known routing table entries and build their own reliability on top of a
datagram service. Instead, BGP uses TCP as its underlying transport
mechanism.

BGP is also a path-vector routing protocol, which limits the distribution of a
firewall’ s reachability information to its peer or neighbor firewalls. BGP uses
path attributes to provide more information about each route. BGP maintains
an AS path, which includes the number of each AS that the route has
transited. Path attributes may also be used to distinguish between groups of
routes to determine administrative preferences. This allows greater flexibility
in determining route preference and achieves a variety of administrative ends.

BGP supports two basic types of sessions between neighbors: internal (IBGP)
and external (EBGP). Internal sessions run between firewalls in the same
autonomous systems, while external sessions run between firewalls in
different autonomous systems.

Aggregate Routes

Route aggregation allows you to take many small routes and aggregate them
into one large route. This reduces the number of routes advertised for a given
protocol. These aggregate routes are then redistributed into other protocols.
The aggregates are activated by contributing routes. For example, if a firewall
has many stub interface routes subnetted from a class C and is running RIPv2

20 Voyager Reference Guide

on another interface, the interface routes may be used to create an aggregate
route (of the class C) that can then be redistributed into RIP. This reduces the
number of routes advertised via RIP. Care must be taken when aggregating if
there are "holes" in the route that is aggregated.

Create an aggregate route by first specifying the network address and mask
length. Second, provide a set of contributing routes. A contributing route is
defined by specifying a source (for example, a routing protocol, a static route,
an interface route) and a route filter, which is a prefix. You can also choose to
contribute all of the routes. An aggregate route can have many contributing
routes, but at least one of the routes must be present to generate an aggregate.

Aggregate routes are not actually used for packet forwarding by the originator
of the aggregate route, only by the receiver (if it wishes). A firewall receiving
a packet which does not match one of the component routes that led to the
generation of an aggregate route should respond with an ICMP network
unreachable message. This message prevents packets for unknown
component routes from following a default route into another network where
they would be forwarded back to the border firewall, continually, until their
TTL expires.

Static Routes

Static routes are routes that you manually configure in the routing table. Static
routes cause packets moving between a source and a destination to take a
specified next hop. Static routes allow you to add routes to destinations that
are not described by dynamic routing protocols. This can be useful if dynamic
protocols cannot be used. It can also be useful in providing a default route.

Static routes consist of the following:

! Destination
! Type
! Next hop gateway

There are three types of static routes:

! Normal
! Black Hole

Voyager Reference Guide 21

1 Overview

! Reject

A normal static route is used to forward packets for a given destination in the
direction indicated by the configured firewall.

A black hole static route uses the loopback address as the next hop. This route
discards packets that match the route for a given destination.

A reject static route uses the loopback as the next hop, discards packets that
match the route for a given destination and sends an ICMP unreachable
message back to the sender of the packet.

Redistributing Routes Overview

Route redistribution controls which routes are advertised by IPSRD to other
systems, as well as which routes are redistributed between the protocols run
on the firewall.

A metric is set for any redistributed route. This metric is sent to the peer by
certain protocols and may be used by the peer to choose a better route to a
given destination. Some routing protocols can associate a metric with a route
when announcing the route.

A route filter can be used to explicitly list all the redistributed routes.

Redistributing Routes with BGP

Redistributing to BGP is controlled by an AS. The same policy is applied to
all firewalls in the AS. BGP metrics are 16-bit, unsigned quantities; that is,
they range from 0 to 65535 inclusive, with zero being the most attractive.
While BGP version 4 supports 32-bit unsigned quantities, IPSRD does not.

Note

If you do not specify a redistribution policy, only routes to attached
interfaces are redistributed. If you specify any policy, the defaults are

22 Voyager Reference Guide

overridden. You must explicitly specify everything that should be
redistributed.

Redistributing Routes with RIP and IGRP

Redistributing to RIP and IGRP is controlled by any one of three parameters:

! Protocol
! Interface
! Gateway

If more than one parameter is specified, they are processed from most general
(protocol) to most specific (gateway).

It is not possible to set metrics for redistributing RIP routes into RIP or for
redistributing IGRP routes into IGRP. Attempts to do this are silently ignored.
It is also not possible to set the metrics for redistributing routes into IGRP.

Note

If no redistribution policy is specified, RIP and interface routes are
redistributed into RIP and IGRP, and interface routes are redistributed into
IGRP. If any policy is specified, the defaults are overridden. You must
explicitly specify everything that should be redistributed.

RIP version 1 assumes that all subnets of the shared network have the same
subnet mask, so they are able to propagate only subnets of that network. RIP
version 2 removes that restriction and is capable of propagating all routes
when not sending version 1-compatible updates.

Redistributing Routes with OSPF

It is not possible to create OSPF intra-area or inter-area routes by
redistributing routes from the IPSRD routing table into OSPF. It is possible to
redistribute from the IPSRD routing table only into OSPF ASE routes. In

Voyager Reference Guide 23

1 Overview

addition, it is not possible to control the propagation of OSPF routes within
the OSPF protocol.

There are two types of OSPF ASE routes:

! Type 1
! Type 2

See the OSPF protocol configuration for a detailed explanation of the two
types.

Route Redistribution Between Protocols

The redistribute_list specifies the source of a set of routes based on
parameters like the protocol from which the source has been learned. The
redistribute_list indirectly controls the redistribution of routes between
protocols.

The syntax varies slightly per source protocol. BGP routes may be specified
by source AS. RIP and IGRP routes may be redistributed by protocol, source
interface, and/or source gateway. Both OSPF and OSPF ASE routes may be
redistributed into other protocols. All routes may be redistributed by AS path.

When BGP is configured, all routes are assigned an AS path when they are
added to the routing table. For all interior routes, this AS path specifies IGP as
the origin and no ASes in the AS path. The current AS is added when the
route is redistributed. For BGP routes, the AS path is stored as learned from
BGP.

24 Voyager Reference Guide

2 How to Use Voyager

Chapter Contents

! Navigating in Voyager
! Viewing Online Help
! Viewing Inline Help for the Page
! Viewing Inline Help for a Section or Field
! Voyager Help Conventions
! Opening a Second Window to View Help

Navigating in Voyager

The following table explains the functions of the large blue buttons in
Voyager. Other buttons are described in the inline help for each page.

Note

You can press buttons to produce a result when they ha ve a dark shadow
behind them. Buttons without shadows, such as those found in the
Voyager Online Help instructions, do not function; they are only for
display.

Voyager Reference Guide 25

2 How to Use Voyager

Button Description

Apply Applies the settings on the current page (and any deferred applies

Config Takes you to the configuration page main menu.
Contents Takes you to the online help table of contents.
Doc Takes you to the online help table of contents.
Feedback Takes you to the documentation or Technical Assistance Center

Help Turns on contextual inline help for all elements of the page.
H Turns on contextual inline help for a specific element of the page.

from other pages) to the current (running) configuration file in
memory.

(TAC) feedback page.

Home Takes you to the home page.
Monitor Takes you to the monitor page main menu.
Reset Routing Restarts the routing daemon.
Save Saves the current (running) configuration file to disk.
Support Takes you to contact information for the Technical Assistance

Center (TAC).
Top Takes you to the top-level configuration page.
Up Takes you one level up from the current page.

Note

Avoid using your b rowser’s Back and Forward buttons while in Voyager.
The browser caches the HTML page information; therefore, using
and

FORWARD may not display the latest configuration and diagnostic

BACK

26 Voyager Reference Guide

information as you move from page to page. Use the CONFIG, MONITOR,

HOME, TOP, and UP buttons to get the most current data.

If the pages seem to have outdated information, you can use the RELOAD
button on the browser to update it. You can also clear memory and disk cache
with the following procedure:

1. Select Network Preferences from the Options menu in Netscape.

2. Select Cache in the Preferences window.

3. Click the C

LEAR MEMORY CACHE NOW button, then click the OK

button.

4. Click the C

LEAR DISK CACHE NOW button, then click the OK button.

5. Click the OK button or close the Preferences window.

Viewing Online Help

Online help consists of procedures for common tasks you can perform with
Voyager.

Note

Buttons without shadows, such as those found in the V oyager on line help
instructions, do not function; they are there only for illustration.

1. Click the DOC button on the top of any Voyag er page.

The online contextual help displays information that relates to your
specific task.

If you can not find help that pertains to your interest, return to the home
page and click on the D
which you want to view online help.

Voyager Reference Guide 27

OC button. Click the topic link for the category for

2 How to Use Voyager

Viewing Inline Help for the Page

If you want to view inline help for all of the fields and sections of a page :

1. Click the H

ELP button on any Voyager page.

Text-only definitions and related information on fields, buttons, and
sections appear in a separate window.

2. Click the Close button on the Help window to close inline help.

Viewing Inline Help for a Section or Field

If you want to view inline help for a section or field:

1. Click the H button next to a field or section.

Text-only definitions and related information related to that specific field
or section appear in a separate window.

2. Click the Close button on the Help window to close inline help.

Voyager Help Conventions

Inline and online help use the following text conventions.

This Type of Text Means This

italic text Introduces a word or phrase, highlights an important term,

phrase, or hypertext link, indicates a field name, system
message, or document title.

typewriter text Indicates a UNIX command, program, file name, or path

name.

bold typewriter text Indicates text to be entered verbatim by you.

Represents the name of a key on the keyboard, of a button
displayed on your screen, or of a button or switch on the
hardware. For example, press the R

28 Voyager Reference Guide

ETURN key.

This Type of Text Means This

<bracketed> Indicates an argument that you or the software replaces with

an appropriate value. For example, the command rm
<filename> indicates that you should type rm follo wed by
the filename of the file to be removed.

LinkTe xt Indicates a hypertext link.

- OR - Indicates an exclusive choice between two items.

Opening a Second Window to View Help

You can preserve the current page content in your browser and start another
browser window to display the inline or online help text.

1. Using the right button (middle button in UNIX) of your mouse, click the

D

OC button.

2. Click O

PEN LINK IN NEW BROWSER WINDOW.

Displays the online help in a new window.

3. Using the right button (middle button in UNIX) of your mouse, click the
H

ELP ON button.

4. Click O

PEN LINK IN NEW BROWSER WINDOW.

Displays the inline (text-only) help in a new window.

Voyager Reference Guide 29

2 How to Use Voyager

30 Voyager Reference Guide