Page 1
Voyager Reference Guide
Part No. N450820002 Rev A
Published December 2003
Page 2
COPYRIGHT
©2003 Nokia. All rights reserved.
Rights reserved under the copyright laws of the United States.
RESTRICTED RIGHTS LEGEND
Use, duplication, or disclosure by the United States Government is subject to restrictions as set
forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at
DFARS 252.227-7013.
Notwithstanding any other license agreement that may pertain to, or accompany the delivery of,
this computer software, the rights of the United States Government regarding its use,
reproduction, and disclosure are as set forth in the Commercial Computer Software-Restricted
Rights clause at FAR 52.227-19.
IMPORTANT NOTE TO USERS
This software and hardware is provided by Nokia Inc. as is and any express or implied
warranties, including, but not limited to, implied warranties of merchantability and fitness for a
particular purpose are disclaimed. In no event shall Nokia, or its affiliates, subsidiaries or
suppliers be liable for any direct, indirect, incidental, special, exemplary, or consequential
damages (including, but not limited to, procurement of substitute goods or services; loss of use,
data, or profits; or business interruption) however caused and on any theory of liability, whether in
contract, strict liability, or tort (including negligence or otherwise) arising in any way out of the use
of this software, even if advised of the possibility of such damage.
Nokia reserves the right to make changes without further notice to any products herein.
TRADEMARKS
Nokia is a registered trademark of Nokia Corporation. Other products mentioned in this
document are trademarks or registered trademarks of their respective holders.
030114
2 Voyager Reference Guide
Page 3
Nokia Contact Information
Corporate Headquarters
Web Site http://www.nokia.com
Telephone 1-888-477-4566 or
1-650-625-2000
Fax 1-650-691-2170
Mail
Address
Regional Contact Information
Americas Nokia Inc.
Europe,
Middle East,
and Africa
Asia-Pacific 438B Alexandra Road
Nokia Customer Support
Web Site: https://support.nokia.com/
Email: tac.support@nokia.com
Nokia Inc.
313 Fairchild Drive
Mountain View, California
94043-2215 USA
313 Fairchild Drive
Mountain View, CA 94043-2215
USA
Nokia House, Summit Avenue
Southwood, Farnborough
Hampshire GU14 ONG UK
#07-00 Alexandra Technopark
Singapore 119968
Tel: 1-877-997-9199
Outside USA and Canada: +1 512-437-7089
email: ipsecurity.na@nokia.com
Tel: UK: +44 161 601 8908
Tel: France: +33 170 708 166
email: ipsecurity.emea@nokia.com
Tel: +65 6588 3364
email: ipsecurity.apac@nokia.com
Americas Europe
Voi ce: 1-888-361-5030 or
Fax: 1-613-271-8782 Fax: +44 (0) 125-286-5666
Asia-Pacific
Voi ce: +65-67232999
Fax: +65-67232897
Voyager Reference Guide 3
Voi ce: +44 (0) 125-286-8900
1-613-271-6721
031014
Page 4
4 Voyager Reference Guide
Page 5
Voyager Reference Guide 5
Contents
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .9
How to Use Voyager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .25
Command-Line Utility Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .31
Monitoring and Configuring System Resources . . . . . . . . . . . . . . . . . . .33
Dynamic Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .34
Static Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .48
Configuring Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .65
Ethernet Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .69
Gigabit Ethernet Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .75
Virtual LAN Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
FDDI Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .84
ISDN Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .89
Token Ring Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .121
Point-to-Point Link over ATM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .128
IP over ATM (IPoA) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .136
Serial (V.35 and X.21) Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .143
T1(with built-in CSU/DSU) Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .152
E1 (with built-in CSU/DSU) Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .164
HSSI Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .174
Unnumbered Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .180
Cisco HDLC Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .188
Point-to-Point Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .189
Frame Relay Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192
Loopback Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .197
GRE Tunnels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .198
DVMRP Tunnels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .209
ARP Table Entries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .214
Configuring ARP for the ATM Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .217
Page 6
6 Voyager Reference Guide
Configuring Routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221
OSPF (Open Shortest Path First) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 224
RIP (Routing Information Protocol) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 230
Protocol-Independent Multicast (PIM) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 237
IGRP (Inter-Gateway Routing Protocol) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 254
DVMRP (Distance Vector Multicast Routing Protocol) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 262
IGMP (Internet Group Management Protocol) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 264
Static Routes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 267
Backup Static Routes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 274
Route Aggregation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 275
Route Rank . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 278
BGP (Border Gateway Protocol) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 281
Route Redistribution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 325
Configuring Traffic Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 341
Configuring Clustering in IPSO . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 343
Configuring Access Control Lists (ACL) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 402
Configuring Access Control List Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 407
Configuring Aggregation Classes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 412
Configuring Queue Classes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 415
Configuring ATM QoS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 419
Configuring Common Open Policy Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 423
Configuring Transparent Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 435
Configuring Router Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .449
Bootp (Bootstrap Protocol) Relay . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 451
IP Broadcast Helper . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 453
Router Discovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 456
VRRP (Virtual Router Redundancy Protocol) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 459
NTP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 486
Configuring System Functions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 491
DNS Hostname Procedures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 493
Configuring Disk Mirroring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 494
Mail Relay . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 496
Failure Notification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 498
Time and Date Procedures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 499
Static Host Procedures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 499
System Logging Procedures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 500
Hostname Procedure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 504
Managing Configuration Sets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 505
Page 7
Voyager Reference Guide 7
Backing Up and Restoring Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .507
Scheduling Jobs Through the Crontab File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .5 14
Managing IPSO Images . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .515
Installing New IPSO Images . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .517
Managing Packages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .520
Advanced System Tuning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .523
Configuring Security and Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .525
Password Procedures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .528
Group Procedures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .532
Network Access Procedures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .533
Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .543
Secure Shell (SSH) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .545
Secure Socket Layer (SSL) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .555
Authentication, Authorization, and Accounting (AAA) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .560
Cryptographic Acceleration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .583
IPsec Tunnels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .587
Voyager Session Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6 16
Configuring Fault Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .621
Fault Management Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .622
Configuring SNMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .627
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .628
Configuring SNMP v1 and v2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .634
Interpreting SNMP Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .643
SNMP v3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .647
Configuring Asset Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .651
Asset Management Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .651
Configuring IPv6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .653
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .654
Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .656
IPv6 and IPv4 Compatibility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .657
Routing Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .662
Router Discovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .665
Traffic Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .667
Security and Access Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .668
Page 8
8 Voyager Reference Guide
IPSO Process Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 671
IPSO Process Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 671
Glossary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 675
Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 689
Page 9
1 Overview
Chapter Contents
! Software Overview
! Interface Overview
! Routing Overview
! Redistributing Routes Overview
Software Overview
This section gives you an overview of the Nokia software configured and
maintained by Nokia Voyager software.
Nokia firewalls function with the help of several software components:
! Operating System—Nokia firewalls run Nokia IPSO, a UNIX-like
operating system based on FreeBSD. IPSO is customized to support
Nokia’s enhanced routing capabilities and Check Point’s FireWall-1
firewall functionality, and to "harden" network security. Unnecessary
features have been removed to minimize the need for UNIX system
administration.
! Ipsilon Routing Daemon (IPSRD)—IPSRD is Nokia’s routing software.
The routing policy implemented by IPSRD resides in a database. Voyager
(see below) configures and maintains the routing software and database.
Voyager Reference Guide 9
Page 10
1 Overview
! Check Point Fir eW all-1—FireWall-1 consists of two major components:
(1) the Firewall module, which runs on the Nokia firewall and
implements the security policy, and (2) the Management module, which
runs either on the Nokia firewall or on another workstation. Use the
Management Module to define and maintain the security policy.
! Voyager—Voyager communicates with the routing software to configure
interfaces and routing protocols, to manage routing policy for the firewall,
and to monitor network traffic and protocol performance. Voyager also
provides online documentation. Voyager itself runs on a remote machine
as a client application of the Nokia routing software and is HTML based.
Interface Overview
This section describes how to configure network devices and assign IP
addresses to them using Voyager.
Interface Types
Nokia NAPs support the following interface types.
Note
Consult the appropriate hardware installation guide to find out what
interfaces your unit supports.
! Ethernet/Fast Ethernet
! FDDI
! ATM (RFC1483 PVCs only)
! Serial (V.35 and X.21) running PP P, point-to-point Frame Relay, or Cisco
HDLC
! T1/E1 running PPP, Frame Relay, or Cisco HDLC
! HSSI running PPP, point-to-point Frame Relay, or Cisco HDLC
! VPN Tunneling
10 Voyager Reference Guide
Page 11
! Token Ring
! Unnumbered Interface
! ISDN
You can configure these interfaces with IP addresses. You also can assign
additional IP addresses to the loopback, FDDI, and Ethernet interfaces. All
interface types support IP multicast.
Configuring Network Devices
Voyager displays network devices as physical interfaces. A physical interface
exists for each physical port on a network interface card (NIC) installed in the
unit. Physical interface names have the form:
<type>-s<slot>p<port>
where:
<type>
is a prefix indicating the device type. The interface-name prefixes for
each type are as follows:
Type Prefix
Ethernet
FDDI
ATM atm
Serial
T1/E1
HSSI
Token Ring tok
ISDN isdn
eth
fddi
ser
ser
ser
Voyager Reference Guide 11
Page 12
1 Overview
<slot>
<port>
is the number of the slot the device occupies in the unit.
is the port number of the card. The first port on a NIC is port one. Fo r
example, a two-port Ethernet NIC in slot 2 is represented by two physical
interfaces:
eth-s2p1
and
eth-s2p2
The loopback interface also has a physical interface named
Use Voyager to set the attributes of the device. For example, line speed and
duplex mode are attributes of an Ethernet physical interface. Each
communications port has exactly one physical interface.
Configuring IP Addresses
Logical interfaces are created for a device's physical interface. You assign an
IP address to logical interfaces and then route to the IP address. Ethernet,
FDDI, and Token Ring devices have one logical interface.
For ATM devices, you create a new logical interface each time you configure
an RFC1483 PVC for the device. Serial, T1/E1, and HSSI devices have one
logical interface when they are running PPP or Cisco HDLC. Serial, T1/E1
and HSSI devices running point-to-point Frame Relay have a logical interface
for each PVC configured on the port. You also have the option of configuring
an unnumbered interface for point-to-point interfaces. Tunnels, however,
cannot be configured as unnumbered interfaces.
.
loop0
.
Logical interfaces, by default, are named after the physical interface for which
they are created. If you wish, you can override this default name with a more
descriptive or familiar name. You can also associate a comment with the
logical interface as a further way to define its relationship in the network.
Default logical interface names have the form:
<type>-s<slot>p<port>c<chan>
where
<type>, <slot>
and
<port>
have the same values as the corresponding
physical interface
<chan>
is the channel number of the logical interface. For logical interfaces
created automatically, the channel number is always zero. For logical
12 Voyager Reference Guide
Page 13
interfaces created manually, the channel number is the identifier of the virtual
circuit (VC) for which the interface is created (for example, the ATM VCI or
the Frame Relay DLCI).
Logical Interface
Physical
Interface
Ethernet One (
FDDI One (c0)
ATM One per VCI (
Serial
(X.21 or V.35)
T1/E1 One (
HSSI One (
Default Cisco HDLC PPP Frame Relay
c0
)
c#
)
c0
One (
) One (c0) One per DLCI
(c#)
c0
) One (c0) One per DLCI
(c#)
c0
) One (c0) One per DLCI
(c#)
Token Ring One (c0)
c#
ISDN One (
For example, the logical interface of a physical interface
eth-s2p1c0
slot 3 are called
. The logical interfaces for PVCs 17 and 24 on an ATM NIC in
atm-s3p1c17
and
atm-s3p1c24
respectively.
)
eth-s2p1
is called
Once a logical interface exists for a device, you can assign an IP address to it.
For Ethernet, FDDI, and T oken Ring, you must specify the interface's local IP
address and the length (in bits) of the subnet mask for the subnet to which the
device connects.
If you are running multiple subnets on the same physical network, you can
configure additional addresses and subnet masks on the single logical
Voyager Reference Guide 13
Page 14
1 Overview
interface connected to that network. You do not need to create additional
logical interfaces to run multiple subnets on a single physical network.
For point-to-point media, such as ATM, serial, or HSSI, you can either assign
IP addresses or configure an unnumbered interface. When assigning IP
addresses you must specify the IP address of the local interface and the IP
address of the remote system's point-to-point interface.
You can add only one local/destination IP address pair to a point-to-point
logical interface. To assign IP addresses to multiple VCs, you must create a
logical interface for each VC. IP subnets are not supported on point-to-point
interfaces.
Whenever an unnumbered interface generates a packet, it uses the address of
the interface that the user has specified as the source address of the IP packet.
Thus, for a router to have an unnumbered interface, it must have at least one
IP address assigned to it. The Nokia implementation of unnumbered
interfaces does not support virtual links.
Indicators and Interface Status
The configuration and status of removable-interface devices are displayed.
Interfaces can be changed while they are offline. The events, their effects, and
indications are:
! If you hot-insert a device (not power down the unit first), it appears in the
lists of interfaces immediately (after a page refresh) on the configuration
pages.
! If you hot-pull a device, and no configuration exists for it, it disappears
from the lists of interfaces immediately.
! If you hot-pull a device, and it had a configuration, its configuration
details continue to be displayed and can be changed even after a reboot.
! Hotswapped interfaces that are fully seated in a router’s chassis are
represented in the ifTable (MIB-II), ipsoCardTable (IP440-IPSO-SystemMIB), and the hrNetworkTable
(Host-Resources-MIB).
14 Voyager Reference Guide
Page 15
! Unwanted configurations of absent devices can be deleted, which
removes the physical and logical interfaces from all interface lists.
! None: If no color indication is displayed, the physical interface is
disabled. To enable the interface, click on the physical interface name to
go to its configuration page.
! Blue: The device corresponding to this physical interface has been
removed from the system, but its configuration remains. To delete its
configuration, click on the physical interface name to go to its
configuration page.
! Red: The physical interface is enabled, but the device does not detect a
connection to the network.
! Green: The physical interface is ready for use. It is enabled and
connected to the network.
Address Resolution Protocol (ARP)
ARP allows a host to find the physical address of a target host on the same
physical network using only the target’s IP address. ARP is a low-level
protocol that hides the underlying network physical addressing and permits
assignment of an arbitrary IP address to every machine.ARP is considered
part of the physical network system and not as part of the internet protocols.
Using the Loopback Interface
By default, the loopback interface has 127.0.0.1 configured as its IP address.
Locally originated packets sent to this interface are sent back to the
originating process.
You might want to assign an address to the loopback interface that is the same
as the OSPF firewall ID, or is the termination point of a BGP session. This
allows firewall adjacencies to stay up even if the outbound interface is down.
Do not specify an IP subnet mask length when you add addresses to the
loopback interface.
Voyager Reference Guide 15
Page 16
1 Overview
Configuring Tunnel Interfaces
Tunnel interfaces are used to encapsulate protocols inside IP packets. Use
tunneling to:
! send network protocols over IP networks that don’t support them
! encapsulate and encrypt private data to send over a public IP network.
Create a tunnel logical interface by specifying an encapsulation type. Use
Voyager to set the encapsulation type. Voyager supp orts two encapsulation
types, DVMRP and VPN.
The tunnel logical interface name has the form:
tun0c<chan>
where <chan> (channel number) is an instantiation identifier.
DVMRP (Distance Vector Multicast Routing
Protocol) Tunnels
DVMRP tunnels encapsulate multicast packets using IP-in-IP encapsulation.
The encapsulated packets appear as unicast IP packets. This technique allows
two multicast routers to exchange multicast packets even when they are
separated by routers that cannot forward multicast packets. For each DVMRP
tunnel you create, you must provide the IP address of the interface that forms
the local endpoint of the tunnel and the IP address of the multicast router that
is at the remote end of the tunnel forming the remote endpoint of the tunnel.
Note
The remote multicast router must support IP-in-IP encapsulation and
must be configured with a tunnel interface to the local router.
When you have created the DVMRP tunnel interface, set all other DVMRP
multicast configuration parameters from the DVMRP configuration page.
16 Voyager Reference Guide
Page 17
VPN (Virtual Private Networking) Tunnels
VPN tunnels encapsulate IP packets using Generic Routing Encapsulation
(GRE) without options. The encapsulated packets appear as unicast IP
packets. For each VPN tunnel you create, you must assign a local and remote
IP address. You also must provide the local and remote endpoint addresses of
the interface to which this tunnel is bound. VPN tunnels provide redundant
configuration between two sites for high availability. The remote router must
also support VPN encapsulation and must be configured with a tunnel
interface to the local router.
Routing Overview
This section discusses the following topics:
! Nokia Routing Subsystem
! Routing Protocols
Nokia Routing Subsystem
The Nokia routing subsystem, Ipsilon Routing Daemon (IPSRD), is an
essential part of your firewall. IPSRD’s role is to dynamically compute paths
or routes to remote networks. Routes are calculated by a routing protocol.
Besides providing routing protocols, IPSRD also allows routes to be
converted or redistributed between routing protocols. Finally, when there are
multiple protocols with a route to a given destination, IPSRD allows you to
specify a ranking of protocols. Based on this ranking, a single route is
installed in the forwarding table for each destination.
You can configure each of the supported routing protocols, route
redistribution, and other routing options via the Configuring Routing section
in Voyager.
Routing monitoring is available by following links from the individual
protocol pages or by clicking on the Monitor button in Voyager. Another
Voyager Reference Guide 17
Page 18
1 Overview
monitoring tool is ICLID. This tool provides interactive, text-based
monitoring of the routing subsystem.
Routing Protocols
Routing protocols compute the best route to each destination. Routing
protocols also exchange information with adjacent firewalls. The best route is
determined by the cost or metric values.
Routing protocols can be broken up into two major categories: exterior
gateway protocols (EGPs) and interior gateway protocols (IGPs). Inte rior
gateway protocols exchange routing information inside an autonomous
system (AS). An AS is a routing domain, such as inside an organization, that
contacts its own routing. An EGP exchanges routing information between
ASes and provides for specialized policy-bound filtering and configuration.
Interior Routing Protocols
IPSRD supports three IGPs: RIP (Routing Information Protocol), IGRP
(Interior Gateway Routing Protocol), and OSPF (Open Shortest Path First).
Static routes and aggregate routes are also supported.
RIP
RIP is a commonly used IGP. There are two versions of RIP: RIP version 1,
and RIP version 2. Both versions are supported by IPSRD.
RIP uses a simple distance vector algorithm called Bellman Ford to calculate
routes. In RIP, each destination has a cost or metric value, which is based
solely on the number of hops between the calculating firewall and the given
destination.
The maximum metric value is 15 hops, which means that RIP is not suited to
networks within a diameter greater than 15 firewalls. The advantage of RIP
version 2 over RIP version 1 is that it supports non-classful routes. Classful
routes are old-style class A, B, C routes. You should use RIP version 2 instead
of RIP version 1 whenever possible.
18 Voyager Reference Guide
Page 19
Nokia also supports RIPng, the version of RIP that supports IPv6 interfaces.
Protocol Described in RFC
RIP version 1 RFC1058
RIP version 2 RFC1723
RIPng
IGRP
IGRP (Interior Gateway Routing Protocol) is a distance v ector protocol. IGRP
has a number of metrics for each destination. These metrics include link delay,
bandwidth, reliability, load, MTU, and hop count. A single composite metric
is formed by combining metrics with a particular weight.
Like RIP version 1, IGRP does not fully support non-classful routing.
OSPF
OSPF (Open Shortest Path First) is a modern link-state routing protocol. It
fully supports non-classful networks. OSPF has a single, 24-bit metric for
each destination. You can configure this metric to any desired value.
OSPF allows the AS to be broken up into areas. Areas allow you to increase
overall network stability and scalability. At area boundaries, routes can be
aggregated to reduce the number of routes each firewall in the AS must know
about. If there are multiple paths to a single destination with the same
computed metric, OSPF can install them into the forwarding table.
Protocol Described in RFC
OSPF RFC2328
Voyager Reference Guide 19
Page 20
1 Overview
DVMRP
DVMRP (Distance Vector Multicast Routing Protocol) is a multicast routing
protocol (RIP, OSPF, and IGRP are unicast routing protocols). Multicasting is
typically used for real-time audio and video when there is a single source of
data and multiple receivers. DVMRP uses a hop-based metric and, like RIP, a
distance-vector route calculation.
BGP
BGP (Border Gateway Protocol) is an exterior gateway protocol that is used
to exchange network reachability information between BGP-speaking
systems running in each AS. BGP is unlike interior gateway protocols (IGRP
or OSPF), which periodically flood an intra-domain network with all the
known routing table entries and build their own reliability on top of a
datagram service. Instead, BGP uses TCP as its underlying transport
mechanism.
BGP is also a path-vector routing protocol, which limits the distribution of a
firewall’ s reachability information to its peer or neighbor firewalls. BGP uses
path attributes to provide more information about each route. BGP maintains
an AS path, which includes the number of each AS that the route has
transited. Path attributes may also be used to distinguish between groups of
routes to determine administrative preferences. This allows greater flexibility
in determining route preference and achieves a variety of administrative ends.
BGP supports two basic types of sessions between neighbors: internal (IBGP)
and external (EBGP). Internal sessions run between firewalls in the same
autonomous systems, while external sessions run between firewalls in
different autonomous systems.
Aggregate Routes
Route aggregation allows you to take many small routes and aggregate them
into one large route. This reduces the number of routes advertised for a given
protocol. These aggregate routes are then redistributed into other protocols.
The aggregates are activated by contributing routes. For example, if a firewall
has many stub interface routes subnetted from a class C and is running RIPv2
20 Voyager Reference Guide
Page 21
on another interface, the interface routes may be used to create an aggregate
route (of the class C) that can then be redistributed into RIP. This reduces the
number of routes advertised via RIP. Care must be taken when aggregating if
there are "holes" in the route that is aggregated.
Create an aggregate route by first specifying the network address and mask
length. Second, provide a set of contributing routes. A contributing route is
defined by specifying a source (for example, a routing protocol, a static route,
an interface route) and a route filter, which is a prefix. You can also choose to
contribute all of the routes. An aggregate route can have many contributing
routes, but at least one of the routes must be present to generate an aggregate.
Aggregate routes are not actually used for packet forwarding by the originator
of the aggregate route, only by the receiver (if it wishes). A firewall receiving
a packet which does not match one of the component routes that led to the
generation of an aggregate route should respond with an ICMP network
unreachable message. This message prevents packets for unknown
component routes from following a default route into another network where
they would be forwarded back to the border firewall, continually, until their
TTL expires.
Static Routes
Static routes are routes that you manually configure in the routing table. Static
routes cause packets moving between a source and a destination to take a
specified next hop. Static routes allow you to add routes to destinations that
are not described by dynamic routing protocols. This can be useful if dynamic
protocols cannot be used. It can also be useful in providing a default route.
Static routes consist of the following:
! Destination
! Type
! Next hop gateway
There are three types of static routes:
! Normal
! Black Hole
Voyager Reference Guide 21
Page 22
1 Overview
! Reject
A normal static route is used to forward packets for a given destination in the
direction indicated by the configured firewall.
A black hole static route uses the loopback address as the next hop. This route
discards packets that match the route for a given destination.
A reject static route uses the loopback as the next hop, discards packets that
match the route for a given destination and sends an ICMP unreachable
message back to the sender of the packet.
Redistributing Routes Overview
Route redistribution controls which routes are advertised by IPSRD to other
systems, as well as which routes are redistributed between the protocols run
on the firewall.
A metric is set for any redistributed route. This metric is sent to the peer by
certain protocols and may be used by the peer to choose a better route to a
given destination. Some routing protocols can associate a metric with a route
when announcing the route.
A route filter can be used to explicitly list all the redistributed routes.
Redistributing Routes with BGP
Redistributing to BGP is controlled by an AS. The same policy is applied to
all firewalls in the AS. BGP metrics are 16-bit, unsigned quantities; that is,
they range from 0 to 65535 inclusive, with zero being the most attractive.
While BGP version 4 supports 32-bit unsigned quantities, IPSRD does not.
Note
If you do not specify a redistribution policy, only routes to attached
interfaces are redistributed. If you specify any policy, the defaults are
22 Voyager Reference Guide
Page 23
overridden. You must explicitly specify everything that should be
redistributed.
Redistributing Routes with RIP and IGRP
Redistributing to RIP and IGRP is controlled by any one of three parameters:
! Protocol
! Interface
! Gateway
If more than one parameter is specified, they are processed from most general
(protocol) to most specific (gateway).
It is not possible to set metrics for redistributing RIP routes into RIP or for
redistributing IGRP routes into IGRP. Attempts to do this are silently ignored.
It is also not possible to set the metrics for redistributing routes into IGRP.
Note
If no redistribution policy is specified, RIP and interface routes are
redistributed into RIP and IGRP, and interface routes are redistributed into
IGRP. If any policy is specified, the defaults are overridden. You must
explicitly specify everything that should be redistributed.
RIP version 1 assumes that all subnets of the shared network have the same
subnet mask, so they are able to propagate only subnets of that network. RIP
version 2 removes that restriction and is capable of propagating all routes
when not sending version 1-compatible updates.
Redistributing Routes with OSPF
It is not possible to create OSPF intra-area or inter-area routes by
redistributing routes from the IPSRD routing table into OSPF. It is possible to
redistribute from the IPSRD routing table only into OSPF ASE routes. In
Voyager Reference Guide 23
Page 24
1 Overview
addition, it is not possible to control the propagation of OSPF routes within
the OSPF protocol.
There are two types of OSPF ASE routes:
! Type 1
! Type 2
See the OSPF protocol configuration for a detailed explanation of the two
types.
Route Redistribution Between Protocols
The redistribute_list specifies the source of a set of routes based on
parameters like the protocol from which the source has been learned. The
redistribute_list indirectly controls the redistribution of routes between
protocols.
The syntax varies slightly per source protocol. BGP routes may be specified
by source AS. RIP and IGRP routes may be redistributed by protocol, source
interface, and/or source gateway. Both OSPF and OSPF ASE routes may be
redistributed into other protocols. All routes may be redistributed by AS path.
When BGP is configured, all routes are assigned an AS path when they are
added to the routing table. For all interior routes, this AS path specifies IGP as
the origin and no ASes in the AS path. The current AS is added when the
route is redistributed. For BGP routes, the AS path is stored as learned from
BGP.
24 Voyager Reference Guide
Page 25
2 How to Use Voyager
Chapter Contents
! Navigating in Voyager
! Viewing Online Help
! Viewing Inline Help for the Page
! Viewing Inline Help for a Section or Field
! Voyager Help Conventions
! Opening a Second Window to View Help
Navigating in Voyager
The following table explains the functions of the large blue buttons in
Voyager. Other buttons are described in the inline help for each page.
Note
You can press buttons to produce a result when they ha ve a dark shadow
behind them. Buttons without shadows, such as those found in the
Voyager Online Help instructions, do not function; they are only for
display.
Voyager Reference Guide 25
Page 26
2 How to Use Voyager
Button Description
Apply Applies the settings on the current page (and any deferred applies
Config Takes you to the configuration page main menu.
Contents Takes you to the online help table of contents.
Doc Takes you to the online help table of contents.
Feedback Takes you to the documentation or Technical Assistance Center
Help Turns on contextual inline help for all elements of the page.
H Turns on contextual inline help for a specific element of the page.
from other pages) to the current (running) configuration file in
memory.
(TAC) feedback page.
Home Takes you to the home page.
Monitor Takes you to the monitor page main menu.
Reset Routing Restarts the routing daemon.
Save Saves the current (running) configuration file to disk.
Support Takes you to contact information for the Technical Assistance
Center (TAC).
Top Takes you to the top-level configuration page.
Up Takes you one level up from the current page.
Note
Avoid using your b rowser’s Back and Forward buttons while in Voyager.
The browser caches the HTML page information; therefore, using
and
FORWARD may not display the latest configuration and diagnostic
BACK
26 Voyager Reference Guide
Page 27
information as you move from page to page. Use the CONFIG, MONITOR,
HOME, TOP, and UP buttons to get the most current data.
If the pages seem to have outdated information, you can use the RELOAD
button on the browser to update it. You can also clear memory and disk cache
with the following procedure:
1. Select Network Preferences from the Options menu in Netscape.
2. Select Cache in the Preferences window.
3. Click the C
LEAR MEMORY CACHE NOW button, then click the OK
button.
4. Click the C
LEAR DISK CACHE NOW button, then click the OK button.
5. Click the OK button or close the Preferences window.
Viewing Online Help
Online help consists of procedures for common tasks you can perform with
Voyager.
Note
Buttons without shadows, such as those found in the V oyager on line help
instructions, do not function; they are there only for illustration.
1. Click the DOC button on the top of any Voyag er page.
The online contextual help displays information that relates to your
specific task.
If you can not find help that pertains to your interest, return to the home
page and click on the D
which you want to view online help.
Voyager Reference Guide 27
OC button. Click the topic link for the category for
Page 28
2 How to Use Voyager
Viewing Inline Help for the Page
If you want to view inline help for all of the fields and sections of a page :
1. Click the H
ELP button on any Voyager page.
Text-only definitions and related information on fields, buttons, and
sections appear in a separate window.
2. Click the Close button on the Help window to close inline help.
Viewing Inline Help for a Section or Field
If you want to view inline help for a section or field:
1. Click the H button next to a field or section.
Text-only definitions and related information related to that specific field
or section appear in a separate window.
2. Click the Close button on the Help window to close inline help.
Voyager Help Conventions
Inline and online help use the following text conventions.
This Type of Text Means This
italic text Introduces a word or phrase, highlights an important term,
phrase, or hypertext link, indicates a field name, system
message, or document title.
typewriter text Indicates a UNIX command, program, file name, or path
name.
bold typewriter text Indicates text to be entered verbatim by you.
Represents the name of a key on the keyboard, of a button
displayed on your screen, or of a button or switch on the
hardware. For example, press the R
28 Voyager Reference Guide
ETURN key.
Page 29
This Type of Text Means This
<bracketed> Indicates an argument that you or the software replaces with
an appropriate value. For example, the command rm
<filename> indicates that you should type rm follo wed by
the filename of the file to be removed.
LinkTe xt Indicates a hypertext link.
- OR - Indicates an exclusive choice between two items.
Opening a Second Window to View Help
You can preserve the current page content in your browser and start another
browser window to display the inline or online help text.
1. Using the right button (middle button in UNIX) of your mouse, click the
D
OC button.
2. Click O
PEN LINK IN NEW BROWSER WINDOW.
Displays the online help in a new window.
3. Using the right button (middle button in UNIX) of your mouse, click the
H
ELP ON button.
4. Click O
PEN LINK IN NEW BROWSER WINDOW.
Displays the inline (text-only) help in a new window.
Voyager Reference Guide 29
Page 30
2 How to Use Voyager
30 Voyager Reference Guide
Page 31
3 Command-Line Utility Files
Chapter Contents
! CAMCONTROL
! FTP
! ID
! MAIL
! MTRACE
! NETSTAT
! PCCARDD
! PING
! SCP
! SSH
! SSHD
! SSH-ADD
! SSH-AGENT
! SSH-KEYGEN
! TCPDUMP
! TELNET
! TFTPD
! TRACEROUTE
Voyager Reference Guide 31
Page 32
3 Command-Line Utility Files
32 Voyager Reference Guide
Page 33
4 Monitoring and Configuring
System Resources
Chapter Contents
! Dynamic Monitoring
! Dynamic and Static Monitoring Described
! Displaying System Utilization Statistics
! Configuring Data Collection Events
! Displaying Rate Shaping Bandwidth Report
! Displaying Historical Rate Shaping Bandwidth Statistics
! Displaying Interface Throughput Statistics
! Displaying Historical Interface Throughput Statistics
! Displaying Interface Linkstate Statistics
! Displaying Historical Interface Linkstate Statistics
! Displaying CPU Utilization Statistics
! Displaying Historical CPU Utilization Statistics
! Displaying Memory Utilization Statistics
! Displaying Historical Memory Utilization Statistics
! Monitoring System Health
! Monitoring System Logs
! Static Monitoring
Voyager Reference Guide 33
Page 34
4 Monitoring and Configuring System Resources
! Displaying Cluster Status and Members
! Displaying Routing Protocol Information
! Displaying Resource Settings
! Displaying the Kernel Forwarding Table
! Displaying Route Settings
! Displaying Interface Settings
! Displaying System Status
! Displaying Slot Statistics
! Displaying Cryptographic Acceleration States
! Displaying IPv6 Running States
! Displaying Routing Daemon Status (iclid)
! iclid Commands
! Resolving and Preventing Full Log Buffers and Related Console
Messages
Dynamic Monitoring
Dynamic and Static Monitoring Described
The monitoring features in Voyager give you the ability to better maintain
system performance and security . You can also customize certain types of data
collection to better help you manage and maintain system availability. The
following are some of the key features available to you:
! Displaying rate-sh aping bandwidth, throughput and linkstate data for each
interface
! Ability to monitor core values associated with different protocols
! Easy access to system logs, forwarding tables, and other interface
information
34 Voyager Reference Guide
Page 35
Displaying System Utilization Statistics
These pages display statistical information for the following:
! CPU and Memory
! Disk and Swap Space
! Processes
To display the statistical information, follow these instructions:
1. Click M
ONITOR on the home page.
2. Click the Link under System Utilization for which you want to obtain
statistics.
Configuring Data Collection Events
To configure data collection events, follow these instructions:
1. Click M
2. Click Monitor Report Configuration link.
3. (Optional) Click the O
event. The default is set to on.
4. (Optional) Click the O
collection event.
5. (Optional) Enter the collection interval, in seconds, in the C
I
NTERVAL edit box for each data collection event. The default is 60
seconds.
6. Click A
ONITOR on the home page.
N radio button to enable a particular data collection
FF radio button to disable a particular data
PPLY .
OLLECTION
7. Click S
Voyager Reference Guide 35
AVE.
Page 36
4 Monitoring and Configuring System Resources
Displaying Rate Shaping Bandwidth Report
To display rate shaping bandwidth statistics, follow these instructions:
1. Click M
ONITOR on the home page.
2. Click the Rate Shaping Bandwidth link.
3. In the S
D
AILY, WEEKLY, or MONTHLY.
4. In the S
class for which you want to display a report or click on A
ELECT REPORT TYPE field, click the button next to HOURLY,
ELECT AGGREGATES field, click on the name of the Aggregation
LL AGGREGATES
to display data for all configured aggregation classes.
Note
You must configure an aggregation class and asso ciate it with an access
control list for the name to appear as a choice in the Aggregation Class
list. See Traffic Mana gement, "Creating an Aggregation Class" and
"Creating an Access Control List" in Voyager.
5. In the TYPE OF RATESHAPING DATA field, click the check box either
next to P
6. To select a format type for displaying the report, in the S
field, click the button next to G
you select D
and select either S
ACKETS DELAYED or BYTES DELAYED.
ELECT FORMAT
RAPHICAL VIEW or DELIMTED TEXT. If
ELIMITED TEXT, click on the Delimiter drop-down window
EMI-COLON(;) COMMA(,) or TAB.
Note
The Graphical View displays information at the bottom of the page in a
table. Delimited Text format displays the report in a new page from which
you can download the information.
7. Click VIEW REPORT or APPLY to view current rate shaping bandwidth
data.
36 Voyager Reference Guide
Page 37
Displaying Historical Rate Shaping Bandwidth
Statistics
To Display Rate Shaping Bandwidth for a specific period of time, follow
these instructions:
1. Click M
ONITOR On The Home Page.
2. Click The Rate Shaping Bandwidth link.
3. In the S
EARCH.
S
4. Enter a value for the date and time in the S
ELECT REPORT TYPE field, click the button next to DETAILED
TART DATE Edit Box. The date
defaults to the current date and time minus 10 minutes.
5. Enter a value for the date and time in the E
ND DATE Edit Box. The date
defaults to the current date and time.
Note
Data for the previous 7 days is available.
6. In the SELECT AGGREGATES field, click on the name of the Aggregation
class for which you want to display a report or click on A
LL AGGREGATES
to display data for all configured aggregation classes.
Note
You Must Configure An Aggregation Class And Associate It With An
Access List For The Name To Appear As A Choice In The Aggregation
Class Drop-down Menu. See Traffic Management, "Creating an
Aggregation Class" And "Creating an Access Control List" In Voyager.
7. In the TYPE OF RATESHAPING DATA field, click the check box either
next to P
8. To select a format type for displaying the report, in the S
field, click the button next to G
Voyager Reference Guide 37
ACKETS DELAYED or BYTES DELAYED.
ELECT FORMAT
RAPHICAL VIEW or DELIMTED TEXT. If
Page 38
4 Monitoring and Configuring System Resources
you select DELIMITED TEXT, click on the Delimiter drop-down window
and select either S
Note
The Graphical View displays information at the bottom of the page in a
table. Delimited Text format displays the report in a new page from which
you can download the information.
EMI-COLON(;) COMMA(,) or TAB.
9. Click VIEW REPORT or APPLY to view rate shaping bandwidth data for
the period of time selected.
Displaying Interface Throughput Statistics
To display interface throughput statistics, follow these instructions:
1. Click M
ONITOR on the home page.
2. Click the Interface Throughput link.
3. In the S
AILY, WEEKLY, or MONTHLY. The default is set to Daily.
D
4. Select an interface name from the S
OGICAL to display throughput data for all logical interfaces.
L
ELECT REPORT TYPE field, click the button next to HOURLY,
ELECT INTERFACE list or select ALL
5. In the Type of Throughput field, click the check box next to P
T
HROUGHPUT, BYTE THROUGHPUT, BROADCAST THROUGHPUT, or
ULTICAST THROUGHPUT to select the type of throughput data you want
M
to view.
6. To select a format type for displaying the report, in the S
field, click the button next to G
you select D
and select either S
ELIMITED TEXT, click on the Delimiter drop-down window
EMI-COLON(;) COMMA(,) or TAB.
RAPHICAL VIEW or DELIMTED TEXT. If
ELECT FORMAT
ACKET
38 Voyager Reference Guide
Page 39
Note
The Graphical View displays information at the bottom of the page in a
table and graph. Delimited Text format displays the report as text in a new
page from which you can download the information.
7. Click VIEW REPORT or APPLY to view current interface throughput data.
Displaying Historical Interface Throughput Statistics
To display interface throughput statistics for a specific period of time, follow
these instructions:
1. Click M
ONITOR on the home page.
2. Click the Interface Throughput link.
3. In the S
S
EARCH.
4. Enter a value for the date and time in the S
ELECT REPORT TYPE field, click the button next to DETAILED
TART DATE Edit Box. The date
defaults to the current date and time minus 10 minutes.
5. Enter a value for the date and time in the E
ND DATE Edit Box. The date
defaults to the current date and time.
Note
Data for the previous 7 days is available.
6. Select an interface name from the SELECT INTERFACE list or select ALL
L
OGICAL to display throughput data for all logical interfaces.
7. In the Type of Throughput field, click the check box next to P
T
HROUGHPUT, BYTE THROUGHPUT, BROADCAST THROUGHPUT, or
ULTICAST THROUGHPUT to select the type of throughput data you want
M
ACKET
to view.
Voyager Reference Guide 39
Page 40
4 Monitoring and Configuring System Resources
8. To select a format type for displaying the report, in the SELECT FORMAT
field, click the button next to G
you select D
and select either S
Note
The Graphical View displays information at the bottom of the page in a
table and graph. Delimited Text format displays the report as text in a new
page from which you can download the information.
ELIMITED TEXT, click on the Delimiter drop-down window
EMI-COLON(;) COMMA(,) or TAB.
RAPHICAL VIEW or DELIMTED TEXT. If
9. Click VIEW REPORT or APPLY to view interface throughput data for the
period of time selected.
Displaying Interface Linkstate Statistics
To display interface linkstate statistics, follow these instructions:
1. Click M
ONITOR on the home page.
2. Click the Interface Linkstate link.
3. In the S
D
AILY, WEEKLY, or MONTHLY. The default is set to Daily.
4. Select an interface name from the S
or select A
5. To select a format type for displaying the report, in the S
field, click the button next to G
you select D
and select either S
Note
The Graphical View displays information at the bottom of the page in a
table. Delimited Text format displays the report as text in a new page from
which you can download the information.
ELECT REPORT TYPE field, click the button next to HOURLY,
ELECT INTERFACES FOR QUERY list
LL LOGICAL to display linkstate data for all logical interfaces.
ELECT FORMAT
RAPHICAL VIEW or DELIMTED TEXT. If
ELIMITED TEXT, click on the Delimiter drop-down window
EMI-COLON(;) COMMA(,) or TAB.
40 Voyager Reference Guide
Page 41
6. Click VIEW REPORT or APPLY to view current interface linkstate data
Displaying Historical Interface Linkstate Statistics
To display interface linkstate statistics for a specific period of time, follow
these instructions:
1. Click M
ONITOR on the home page.
2. Click the Interface Linkstate link.
3. In the S
S
EARCH.
4. Enter a value for the date and time in the S
ELECT REPORT TYPE field, click the button next to DETAILED
TART DATE Edit Box. The date
defaults to the current date and time minus 10 minutes.
5. Enter a value for the date and time in the E
ND DATE Edit Box. The date
defaults to the current date and time.
Note
Data for the previous 7 days is available.
6. Select an interface name from the SELECT INTERFACES FOR QUERY list
or select A
7. To select a format type for displaying the report, in the S
field, click the button next to G
you select D
and select either S
LL LOGICAL to display linkstate data for all logical interfaces.
ELECT FORMAT
RAPHICAL VIEW or DELIMTED TEXT. If
ELIMITED TEXT, click on the Delimiter drop-down window
EMI-COLON(;) COMMA(,) or TAB.
Note
The Graphical View displays information at the bottom of the page in a
table. Delimited Text format displays the report as text in a new page from
which you can download the information.
Voyager Reference Guide 41
Page 42
4 Monitoring and Configuring System Resources
8. Click VIEW REPORT or APPLY to view interface linkstate data for the
period of time selected.
Displaying CPU Utilization Statistics
To display CPU Utilization statistics, follow these instructions:
1. Click M
ONITOR on the home page.
2. Click the CPU Utilization link.
3. In the S
D
AILY, WEEKLY, or MONTHLY. The default is set to Hourly.
4. To select a format type for displaying the report, in the S
field, click the button next to G
you select D
and select either S
Note
The Graphical View displays information at the bottom of the page in a
table and graph. Delimited Text format displays the report as text in a new
page from which you can download the information.
ELECT REPORT TYPE field, click the button next to HOURLY,
ELECT FORMAT
RAPHICAL VIEW or DELIMTED TEXT. If
ELIMITED TEXT, click on the Delimiter drop-down window
EMI-COLON(;) COMMA(,) or TAB.
5. Click VIEW REPORT or APPLY to view current CPU utilization data.
Displaying Historical CPU Utilization Statistics
To display cpu utilization statistics for a specific period of time, follow these
instructions:
1. Click M
ONITOR on the home page.
2. Click the CPU Utilization link.
3. In the S
S
EARCH.
42 Voyager Reference Guide
ELECT REPORT TYPE field, click the button next to DETAILED
Page 43
4. Enter a value for the date and time in the START DATE Edit Box. The date
defaults to the current date and time minus 10 minutes.
5. Enter a value for the date and time in the E
ND DATE Edit Box. The date
defaults to the current date and time.
Note
Data for the previous 7 days is available.
6. To select a format type for displaying the report, in the SELECT FORMAT
field, click the button next to G
you select D
and select either S
Note
The Graphical View displays information at the bottom of the page in a
table and graph. Delimited Text format displays the report as text in a new
page from which you can download the information.
ELIMITED TEXT, click on the Delimiter drop-down window
EMI-COLON(;) COMMA(,) or TAB.
RAPHICAL VIEW or DELIMTED TEXT. If
7. Click VIEW REPORT or APPLY to view interface throughput data for the
period of time selected.
Displaying Memory Utilization Statistics
To display memory utilization statistics, follow these instructions:
1. Click M
2. Click the Memory Utilization link.
3. In the S
AILY, WEEKLY, or MONTHLY. The default is set to Hourly.
D
4. To select a format type for displaying the report, in the S
field, click the button next to G
Voyager Reference Guide 43
ONITOR on the home page.
ELECT REPORT TYPE field, click the button next to HOURLY,
ELECT FORMAT
RAPHICAL VIEW or DELIMTED TEXT. If
Page 44
4 Monitoring and Configuring System Resources
you select DELIMITED TEXT, click on the Delimiter drop-down window
and select either S
Note
The Graphical View displays information at the bottom of the page in a
table and graph. Delimited Text format displays the report as text in a new
page from which you can download the information.
EMI-COLON(;) COMMA(,) or TAB.
5. Click VIEW REPORT or APPLY to view current memory utilization data.
Displaying Historical Memory Utilization Statistics
To display memory utilization statistics for a specific period of time, follow
these instructions:
1. Click M
ONITOR on the home page.
2. Click the Memory Utilization link.
3. In the S
EARCH.
S
4. Enter a value for the date and time in the S
ELECT REPORT TYPE field, click the button next to DETAILED
TART DATE Edit Box. The date
defaults to the current date and time minus 10 minutes.
5. Enter a value for the date and time in the E
ND DATE Edit Box. The date
defaults to the current date and time.
Note
Data for the previous 7 days is available.
6. To select a format type for displaying the report, in the SELECT FORMAT
field, click the button next to G
you select D
and select either S
ELIMITED TEXT, click on the Delimiter drop-down window
EMI-COLON(;) COMMA(,) or TAB.
RAPHICAL VIEW or DELIMTED TEXT. If
44 Voyager Reference Guide
Page 45
Note
The Graphical View displays information at the bottom of the page in a
table and graph. Delimited Text format displays the report as text in a new
page from which you can download the information.
7. Click VIEW REPORT or APPLY to view memory utilization data for the
period of time selected.
Monitoring System Health
The following pages allow you to display statistics to help you monitor the
health of your system.
! Useful System Statistics
! Interface Traffic Statistics
! Interface Queue Statistics
! VRRP Service Statistics
To display the statistical information, follow these instructions:
1. Click M
ONITOR on the home page.
2. Click the Link under System Health for which you want to obtain
statistics.
Monitoring System Logs
The following pages allow you to display updated system logs:
! System Message Log
! Web Server access Log
! Web Server error Log
! User Login/Logout Activity
Voyager Reference Guide 45
Page 46
4 Monitoring and Configuring System Resources
! Management Activity Log
To display the statistical information, follow these instructions:
1. Click M
ONITOR on the home page.
2. Click the Link under System Logs for which you want to obtain log
activity.
Note
You do not need to configure the Web Server Access log or the Web
Server Error log. For more information on configuring the System
Message Log, User Login/Logout Activity, and Management Activity Log,
see the appropriate section be low.
To refresh the information in a log, reload the web page.
System Message log
The system message log lets you view the message log file either in its
entirety or to select search criteria to view specific system log activity.
To view a particular type or types of log activity, click one or more items in
the Log Type list. On a management console running the Windows OS, hold
down the
messages. The default is to display all types of system messages.
Crtl key while selecting multiple items. Click APPLY to view
To select a a month for which display messages, click on the Select Month
drop-down list and select a particular month. Click A
display all messages available.
To select a particular date for which to display messages, click on the Select
Date drop-down list and select a particular date. You must also select a month
form the Select Month drop-down list to activate this option. Click A
You can also display system messages based on a keyword. Enter a keyword
to search for in the system messages in the Keyword edit box. To make the
46 Voyager Reference Guide
PPLY . The default is
PPLY.
Page 47
keyword search case-sensitive, click the Case Sensitive check box. Click
A
PPLY.
You can also include certain zipped files in your search. Click the appropriate
check box in the Include Zipped Files in Search section. Click A
PPLY .
The system log also displys messages generated by the Voyager AuditLog.
For more information on how to configure the Voyager AuditLog, see Setting
the Voyager AuditLog.
User Login/Logout Activity
The user login/logout activity log lets you view login and logout activity for
users. The default is to display activity for all users. To view activity for a
particular user only, click the L
OGIN/LOGOUT INFO FOR USER drop-down
window and select the user for whom you want to view login and logout
activity. Click A
PPLY .
Management Activity Log
The management activity log lets you view configuration changes. The log
includes a timestamp, which provides the date and time when a configuration
change occurred; the hostname or IP address from which the user logged in;
and the config entry, which displays the entry changed in the configuration
database.
To activate the management activity log feature, click the System Logging
link in the S
YSTEM CONFIGURATION section. For more information see
“Setting the System Configuration Auditlog.”
Voyager Reference Guide 47
Page 48
4 Monitoring and Configuring System Resources
Static Monitoring
Displaying Cluster Status and Members
This page provides information about a configured IPSO cluster, including
information about cluster status and load sharing among members of the
cluster. This page retrieves an information summary every 30 seconds.
The Cluster Status table contains the following information:
! Cluster ID: ID number of the cluster.
! Cluster Uptime: Ti me since the cluster was formed.
! Number of Members: Current number of members in the cluster.
! Number Of Interfaces: Number of interfaces on which clustering is
enabled.
! Network: Networks on which clustering is enabled.
! Cluster IP Address: Cluster IP Address on each network.
The Cluster Member table contains the following information:
! Member Id: Node ID in the cluster.
! IP Addr: Primary IP address of the member.
! Hostname: Hostname of the node.
! Platform: Type of platform.
! OS Release: Operating system version node is running.
! Rating: Node performance rating.
! Time since join: Time since node joined the cluster.
! Work Assigned(%): Percentage of work load assigned to this node.
To display the information, follow these instructions:
1. Click M
ONITOR on the home page.
2. Click the Cluster Monitor link to view cluster information.
48 Voyager Reference Guide
Page 49
Note
If your cluster is not initialized, the Cluster Monitor page co ntains a link to
the Cluster Configuration page, which enables you to configure cluster
parameters for this node.
Displaying Routing Protocol Information
This page displays statistical information on the following routing protocols:
! OSPF
! BGP
! RIP
! IGRP
! VRRP
! PIM
! DVMRP
! IGMP
It also presents the routing daemon’s information regarding the routing table
(via the Route link) and interfaces (via the Interfaces link).
To display routing information, follow these instructions.
1. Click M
ONITOR on the home page.
2. Click the Routing Protocol link for which you want to obtain statistics.
Displaying Resource Settings
This page displays system resource statistics.
1. Click M
2. Click the Resource Statistics link to display system resource statistics.
Voyager Reference Guide 49
ONITOR on the home page.
Page 50
4 Monitoring and Configuring System Resources
Displaying the Kernel Forwarding Table
This page displays the information contained in the kernel forwarding table.
1. Click M
2. Click the Forwarding Table link.
This displays the IP forwarding table that the kernel is using to make its
forwarding decisions.
ONITOR on the home page.
Displaying Route Settings
This page displays interface statistics.
1. Click M
Click the Route Settings link for the interface for which you want to obtain
statistics.
ONITOR on the home page.
Displaying Interface Settings
This page displays interface statistics.
1. Click M
2. Click the Interface Settings link for the interface for which you want to
obtain statistics.
ONITOR on the home page.
Displaying System Status
To display system status information, follow these instructions:
1. Click M
2. Click the System Status link.
50 Voyager Reference Guide
ONITOR on the home page.
Page 51
Displaying Slot Statistics
To display the statistical information, follow these instructions:
1. Click M
2. Click the Slot Status link.
ONITOR on the home page.
Displaying Cryptographic Acceleration States
Use this procedure to monitor the Nokia Cryptographic Acceleration Card.
1. Click M
2. Click the Cryptographic Accelerator Statistics link in the Hardware
Monitoring section.
ONITOR on the home page.
Displaying IPv6 Running States
Use this page to monitor the IPv6 running state.
1. Click Monitor on the home page.
2. Click the IPv6 Monitor link to display IPv6 running state.
Displaying Routing Daemon Status (iclid)
Obtain routing diagnostic information by creating a telnet session on the
network application platform (NAP) and running iclid (IPSRD CommandLine Interface Daemon).
To display routing daemon status using iclid, follow these instructions.
1. Create a telnet session and log into the firewall.
2. Type
The prompt will change (to <node-name>) to indicate that you can now enter
iclid commands.
Voyager Reference Guide 51
iclid
Page 52
4 Monitoring and Configuring System Resources
iclid Commands
Command Description
? or <tab> Shows all possible command completions.
help
quit or exit Quits iclid.
show
Displays help information.
Shows formatted, categorized system
information.
Some commands might produce more output than can fit on a single screen;
iclid will page the output of such commands for you, that is, stop the
output after one screen and indicate that there is more output with a MORE...
prompt. You can see the next screenful of output by selecting any key except
the
q key; you can abort the command and any further output by typing q at
the MORE... prompt. If you do not enter anything within about 30 seconds,
the system will automatically page to the next screenful of information. You
can temporarily defeat this automatic paging by typing ctl-S, although when
you resume scrolling (by selecting any key) you may lose a page of
information.
At any point in iclid, you can type
? to display possible command
completions. You can also abbreviate commands when there is no ambiguity.
The
help command takes as arguments iclid commands and top-level
iclid categories; it displays a brief summary of what the specified
command will display.
The
quit command returns control to the firewall shell. The exit command
is the same as the
The
show command provides many kinds of information, displayed in useful
quit command.
formats. The following table shows examples of the top-level iclid element
that may be displayed by the
52 Voyager Reference Guide
show command as applied to each parameter,
Page 53
along with any selected categories and subcategories, and a description of the
information the command will display.
Element Category Subcategory Description
bgp Provides a BGP summary.
errors A table of BGP errors.
groups A table of parameters and
data for each BGP group.
detailed Detailed statistics on BGP
groups.
summary A summary of statistics on
BGP groups.
memory Lists BGP memory
parameters and statistics.
neighbor <peerid> advertise Shows BGP neighbor
statistics.
detailed Provides detailed
information about BGP
neighbors and is organized
by neighbor address. In the
event of an excessively
long list, type q.
paths List of BGP paths; in the
event of an excessively
long list, type q.
peers Summary information
about peer firewalls.
Voyager Reference Guide 53
Page 54
4 Monitoring and Configuring System Resources
redistribution to AS <as number> Shows detailed
detailed Detailed information about
each peer firewall; in the
event of an excessively
long list, type q.
summary Summary table about peer
firewalls.
redistribution data from
BGP to the designated AS.
to AS <as number>
from <proto>
statistics A table of peer parameters
summary BGP summary.
bootpgw interface BOOTP relay state of
<interface> BOOTP relay state of
stats Summary of BOOTP relay
rec Summary of BOOTP relay
Shows detailed
redistribution data to the
designated AS from the
specified protocol.
and statistics.
interfaces enabled for
BOOT protocols.
specified interface.
requests, and replies
received and made.
requests received.
54 Voyager Reference Guide
req Summary of BOOTP relay
requests made.
rep Summary of BOOTP relay
replies made.
Page 55
dvmrp Summary of DVMRP state.
interface Interface-specific state of
DVMRP for each DVMRPenabled interface.
neighbor-routes State of DVMRP Neighbor
Route.
neighbors Interface state of DVMRP
neighbor parameters.
route Shows state of DVMRP
route parameters.
stats Statistical information
about DVMRP packets
sent and received,
including an error
summary.
receive A summary of statistical
information about received
DVMRP packets.
transmit A summary of statistical
information about
transmitted DVMRP
packets.
error A summary of DVMRP
packets with errors.
igmp State of IGMP.
groups State of the IGMP groups
maintained for each
network interface.
Voyager Reference Guide 55
Page 56
4 Monitoring and Configuring System Resources
if-stats Summary of information
interface IGMP settings for each
stats Statistical information
inbound-filter Lists inbound filters and
interface Status and addresses of all
about IGMP interface
packets transmitted and
received for each network
interface.
network interface.
about IGMP packets sent
and received as well as an
error summary.
data for all protocols.
configured interfaces.
krt Displays IPSRD core
information.
memory Total memory usage in
kbytes.
detailed Total memory usage as
well as memory usage by
each routing protocol.
ospf border-ro uters Lists OSPF border routers
and associated codes.
database area Provides statistical data on
OSPF database area.
database-summary A database summary of the
OSPF firewall.
56 Voyager Reference Guide
Page 57
router Statistical data on firewall
link states as well as link
connections.
asbr-summary A summary of the OSPF
firewall.
external Information on the OSPF
external database.
summary Summary of OSPF
database.
checksum Statistical data on the
OSPF checksum database.
network Data on OSPF database
network.
type Data on the state of firewall
link parameters.
errors brief Provides basic data on
OSPF errors.
dd OSPF dd errors.
hello OSPF hello errors.
ip OSPF interface protocol
errors.
lsack OSPF ls acknowledge
errors.
lsr OSPF lsr errors.
lsu A list of OSPF lsu errors.
proto OSPF protocol errors.
Voyager Reference Guide 57
Page 58
4 Monitoring and Configuring System Resources
events OSPF events and event
interface detail A comprehensive
neighbor Lists OSPF neighbors and
packets Lists received and
<proto> inbound-filter Lists inbound filter data for
redistribution Lists redistributions from all
occurrences.
presentation of detailed
OSPF interface data.
stats A comprehensive list of
OSPF interface statistics.
associated parameters.
transmitted OSPF packets.
the specified protocol.
sources to the designated
protocol.
redistribution
from <proto>
redistribution Shows a comprehensive
resource A comprehensive listing of
rip A summary of information
errors A list of various RIP errors.
Lists redistributions from a
specified protocol to
another specified protocol.
list of redistributions to
various protocols and
autonomous systems, and
includes detailed
distribution data.
resource statistics.
on the RIP routing process.
58 Voyager Reference Guide
Page 59
packets Statistics on various RIP
transmitted and received
packets.
route Lists data on static and
directly connected routes.
aggregate Data on aggregate routes
by code letter.
all List of all routes and status
data. In the event of a long
list, abort by typing q.
aggregate Data on all aggregate
routes by code letter.
bgp Data on BGP routes.
direct Data on direct routes.
igrp Data on IGRP routes.
ospf Data on OSPF routes.
rip Data on RIP routes.
static Dat a on st atic routes.
bgp Statistics on BGP routes.
aspath List of parameters and
status of BGP AS path.
communities Status of BGP
communities.
detailed Details of BGP routes.
metrics Status of BGP metrics.
Voyager Reference Guide 59
Page 60
4 Monitoring and Configuring System Resources
direct Directly connected routes
igrp Displays IGRP routes.
inactive Inactive routes.
suppressed List and status of
suppressed bgp routes.
and their status.
aggregate Inactive aggregate routes.
bgp Inactive BGP routes.
direct Inactive direct routes.
igrp Inactive IGRP routes.
ospf Inactive OSPF routes.
rip Inactive RIP routes.
static Inactive static routes.
ospf OSPF route data.
rip RIP route data.
static Static route data.
summary Dis plays the number of
routes for each protocol.
version Operating system version
information.
vrrp VRRP state information.
60 Voyager Reference Guide
Page 61
interface VRRP interfaces and
associated information.
stats VRRP transmission and
reception statistics.
The following table shows examples of the iclid show command.
iclid Show Command Results
show ospf
show ospf neighbor (s o n)
show route
show route bgp 127
show b?
Shows OSPF summary information.
Shows OSPF neighbor information.
Shows all routes.
Shows only BGP routes that start with 127.
Shows all possible command completions
show b.
for
Resolving and Preventing Full Log Buffers and
Related Console Messages
When a significant amount of your traffic is using fast path for delay-critical,
real-time routing through the firewall, the console might display one of the
following error messages:
[LOG-CRIT] kernel: FW-1: Log Buffer is full
[LOG-CRIT] kernel: FW-1: lost 500 log/trap messages
The kernel module maintains a buffer of waiting log messages that it forwards
through
logging volumes can cause buffer entries to be overwritten before they are
Voyager Reference Guide 61
fwd
to the management module. The buffer is circular, so that high
Page 62
4 Monitoring and Configuring System Resources
sent to
fwd
. When this happens, the system log displays the following
message:
log records lost
The lost records are those that should have been recorded in the FW-1 log
message file (typically located in the $FWDIR/log directory).
You can use one or both of the following solutions to resolve this issue:
! Reduce the number of rules that are logged by:
! Disa bling as many accounting rules as possible
! Changing as many long logging rules to short logging as possible
! Eliminating logging entirely if it is practical to do so
! Increase the size of the kernel module buffer
Note
To perform the following procedures, use the zap or modzap utility
(which you can obtain from the Nokia Technical Assistance Center
(TAC); refer to Resolution 1261).
If you are using FireWall-1 4.1, do the following:
1. Set the execute permissions by issuing an
fwstop command.
2. To confirm that you have sufficient resources to increase the buffer
size, issue the following command:
# ./modzap -n _fw_logalloc $FWDIR/boot/modules/
fwmod.o 0x20000
where
causes
0x20000
modzap
indicates a buffer size of 2MB, and the -n option
to check the value at the symbol reported.
3. A console message is displayed confirming the change that will take
place when you issue the modzap command in the next step. You can
safely ignore this message.
62 Voyager Reference Guide
Page 63
Note
If the message indicates there are insufficient resources to
accommodate a larger buffer size, take appro priate actions and try
this procedure again. For further information, cont act Nokia Technical
Assistance Center (TAC).
4. After you verify that the change is appropriate, issue the same
-n
command without the
# ./modzap _fw_logalloc $FWDIR/boot/modules/fwmod.o
0x20000
option:
A confirmation message is displayed, which you can safely ignore.
5. Reboot the system.
If you are using FireWall-1 NG, do the following:
1. Set the execute permissions by issuing a
cpstop command.
2. To confirm that you have sufficient resources to increase the buffer
size, issue the following command:
modzap -n _fw_log_bufsize $FWDIR/boot/modules/
fwmod.o 0x200000
where
causes
0x20000
modzap
indicates a buffer size of 2MB, and the -n option
to check the value at the symbol reported.
3. A console message is displayed confirming the change that will take
place when you issue the modzap command in the next step. You can
safely ignore this message.
Note
If the message indicates there are insufficient resources to
accommodate a larger buffer size, take appro priate actions and try
this procedure again. For further information, cont act Nokia Technical
Assistance Center (TAC).
Voyager Reference Guide 63
Page 64
4 Monitoring and Configuring System Resources
4. After verifying that the change is appropriate, issue the same
command without the
modzap _fw_log_bufsize $FWDIR/boot/modules/fwmod.o
0x200000
A confirmation message is displayed, which you can safely ignore.
5. Reboot the system.
Because these console messages are also written to the FW-1 log message
file, Nokia recommends that you do the following to prevent depleting the
disk space allocated for the FW-1 log message file:
1. Move your log file(s) from the system hard drive to a server.
2. Configure the relocated files using the Check Point management client
GUI (Smart Dashboard) as follows:
a. Select the Check Point gateway object you are configuring.
b. Under Gateway Object Configuration, select the Logs and
Masters.section and do the following:
-n
option:
! Spe cify the amount of free disk space required for local logging.
! Specify to stop logging when the free disk space drops below
x MBytes and to start logging to a new file.
Once a new file is being used, the previously used log files are deleted
until the required free disk space is restored.
64 Voyager Reference Guide
Page 65
5 Configuring Interfaces
Chapter Contents
! Ethernet Interfaces
! Configuring an Ethernet Interface
! Changing the Speed of an Ethernet Interface
! Changing the Duplex Setting of an Ethernet Interface
! Changing the Autoadvertise Setting of an Ethernet Interface
! Changing the IP Address of an Ethernet Interface
! Ethernet Example
! Gigabit Ethernet Interfaces
! Configuring a Gigabit Ethernet Interface
! Changing the IP Address of a Gigabit Ethernet Interface
! Gigabit Ethernet Example
! Virtual LAN Interface
! Virtual LAN Description
! Configuring a VLAN Interface
! Defining the Maximum number of VLANs
! VLAN Example Topology
! FDDI Interfaces
! Configuring an FDDI Interface
! Changing the Duplex Setting of an FDDI Interface
Voyager Reference Guide 65
Page 66
5 Configuring Interfaces
! Changing the IP Address of an FDDI Interface
! FDDI Example
! ISDN Interfaces
! Features
! Configuring a Physical Interface
! Creating a Logical Interface
! Dial-on-Demand Routing Lists
! ISDN Network Configuration Example
! ISDN Troubleshooting
! Token Ring Interfaces
! Configuring a Token Ring Interface
! Deactivating a Token Ring Interface
! Changing a Token Ring Interface
! Token Ring Example
! Point-to-Point Link over ATM
! Configuring an ATM Interface
! Changing the VPI/VCI of an ATM Interface
! Changing the IP Address of an ATM Interface
! Changing the IP MTU of an ATM Interface
! Removing an ATM Interface
! ATM Example
! Logical IP Subnets (LIS) over ATM
! Configuring an ATM Logical IP Subnet (LIS) Interface
! Changing the VPI/VCIs of an ATM LIS Interface
! Changing the IP Address of an ATM LIS Interface
! Changing the IP MTU of an ATM Interface
! Removing an ATM Interface
! Serial (V.35 and X.21) Interfaces
! Configuring a Serial Interface for Cisco HDLC
66 Voyager Reference Guide
Page 67
! Configuring a Serial Interface for PPP
! Configuring a Serial Interface for Frame Relay
! Serial Inte rface Example
! T1 (with built-in CSU/DSU) Interfaces
! Configuring a T1 Interface for Cisco HDLC
! Configuring a T1 Interface for PPP
! Configuring a T1 Interface for Frame Relay
! T1 Interface Example
! E1 (with built-in CSU/DSU) Interfaces
! Configuring an E1 Interface for Cisco HDLC
! Configuring an E1 Interface for PPP
! Configuring an E1 Interface for Frame Relay
! HSSI Interfaces
! Configuring an HSSI Interface for Cisco HDLC
! Configuring an HSSI Interface for PPP
! Configuring an HSSI Interface for Frame Relay
! Unnumbered Interfaces
! Unnumbered Interfa ces Description
! Configuring an Unnumbered Interface
! Changing an Unnumbered Interfac e to a Numbered Interface
! Configuring a Static Route over an Unnumbered Interface
! Configuring OSPF over an Unnumbered Interface
! Configuring OSPF over an Unnumbered Interface Using Virtual Links
! Cisco HDLC Protocol
! Changing the Keepalive Interval for Cisco HDLC
! Changing the IP Address in Cisco HDLC
! Point-to-Point Protocol
! Changing the Keepalive Interval in PPP
! Changing the Keepalive Maximum Failures in PPP
Voyager Reference Guide 67
Page 68
5 Configuring Interfaces
! Changing the IP Address in PPP
! Frame Relay Protocol
! Changing the Keepalive Interval in Frame Relay
! Changing the DLCI in Frame Relay
! Changing the LMI Parameters in Frame Relay
! Changing the Interface Type in Frame Relay
! Changing the Active Status Monitor Setting in Frame Relay
! Changing the IP Address in Frame Relay
! Removing a Frame Relay Interface
! Loopback Interfaces
! Adding an IP Address to a Loopback Interface
! Changing the IP Address of a Loopback Interface
! GRE Tunnels
! Creating a GRE Tunnel
! Changing the Local and/or Remote Address or Local/Remote
Endpoint of a GRE Tunnel
! Changing IP TOS Value of a GRE Tunnel
! Rem ov ing a GRE Tunnel
! GRE Tunnel Example
! HA GRE Tunnels Description
! HA GRE Tunnel Example
! DVMRP Tunnels
! Creating a DVMRP Tunnel
! Changing the Local or Remote Addresses of a DVMRP Tunnel
! Removing a DVMRP Tunnel
! DVMRP Tunnel Example
! ARP Table Entries
! Changing ARP Global Parameters
! Adding a Static ARP Entry
68 Voyager Reference Guide
Page 69
! Adding a Proxy ARP Entry
! Deleting a Static ARP Entry
! Viewing Dynamic ARP Entries
! Deleting Dynamic ARP Entries
! Flushing All Dynamic ARP Entries
! Configuring ARP for the ATM Interface
! Changing Global Parameters
! Adding a Static ATM ARP Entry
! Deleting a Static ATM ARP Entry
! Viewing and Deleting Dynamic ATM ARP Entries
Ethernet Interfaces
Configuring an Ethernet Interface
1. Click CONFIG on the home page.
2. Click the Interfaces link.
3. Click the physical interface link you want to configure in the P
HYSICAL
column.
Example—
eth-s2p1
4. Click the 10 MBIT/SEC or the 100 MBIT/SEC radio button in the
P
HYSICAL CONFIGURATION table LINK SPEED field to select the link
speed.
Note
This setting must be the same for all hosts on the network to which the
device connects.
Voyager Reference Guide 69
Page 70
5 Configuring Interfaces
5. Click the FULL or HALF radio button in the PHYSICAL CONFIGURATION
table DUPLEX field to select the duplex mode. Click APPLY.
Note
This setting must be the same for all hosts on the network to which the
device connects.
6. (Optional) Click ON or OFF radio button in the PHYSICAL
CONFIGURATION table AUTOADVERTISE field to enable or disable the
autoadvertise feature. If turned on, the device will advertise its
configuration speed and duplex status using Ethe rnet negotiation. Click
A
PPLY.
7. Click the logical interface name in the I
OGICAL INTERFACES table to go to the Interface page.
L
8. Enter the IP address for the device in the N
9. Enter the IP subnet mask length in the N
Click A
Each time you click A
PPLY .
PPLY, the configured IP address and mask length
NTERFACE column of the
EW IP ADDRESS edit box.
EW MASK LENGTH edit box.
are added to the table. The entry fields remain blank to allow you to add
more IP addresses.
To enter another IP address and IP subnet mask length, repeat steps 8-9.
10. (Optional) Change the interface’s logical name to a more meaningful one
by typing the preferred name in the L
A
PPLY.
OGICAL NAME edit box. Click
11. (Optional) Add a comment to further define the logical interfaces function
in the C
12. Click the U
13. Click the O
have configured, Click A
OMMENTS edit box. Click APPLY.
P button to go to the Interface Configuration page.
N radio button that corresponds to the logical interface you
PPLY.
The Ethernet interface is now available for IP traffic and routing.
To make your changes permanent, click S
70 Voyager Reference Guide
AVE.
Page 71
Changing the Speed of an Ethernet Interface
If the link speed of an Ethernet interface is incorrect, it will not send or
receive data. The following steps describe how to change the speed of an
Ethernet interface.
1. Click C
ONFIG on the home page.
2. Click the Interfaces link.
3. Click the physical interface link you want to change in the P
HYSICAL
column.
Example—
eth-s2p1
4. Click the 10 MBIT/SEC or the 100 MBIT/SEC radio button in the
HYSICAL CONFIGURATION table LINK SPEED field. Click APPLY.
P
Note
This setting must be the same for all hosts on the network to which the
device connects.
To make your changes permanent, click SAVE.
Changing the Duplex Setting of an Ethernet Interface
Note
If the duplex setting of an Ethernet interface is incorrect, it may not
receive data, or it may receive duplicates of the data it sends.
1. Click CONFIG on the home page.
2. Click the Interfaces link.
3. Click the physical interface link you want to change in the P
column.
Voyager Reference Guide 71
HYSICAL
Page 72
5 Configuring Interfaces
Example—
eth-s2p1
4. Click the FULL or HALF radio button in the PHYSICAL CONFIGURATION
table D
Note
This setting must be the same for all hosts on the network to which the
device connects.
UPLEX field. Click APPLY.
To make your changes permanent, click SAVE.
Changing the Autoadvertise Setting of an Ethernet
Interface
When Autoadvertise is enabled on an Ethernet interface, the device advertises
its configured speed and duplex setting using Ethernet negotiation.
1. Click C
ONFIG on the Voyager home page.
2. Click the Interfaces link.
3. Click the Physical interface that you want to change in the Physical
column.
Example—
eth-s2p1
4. Click the O
A
UTOADVERTISE field to enable or disable the autoadvertise feature.
Click
To make your changes permanent, click S
N or OFF radio button in the PHYSICAL CONFIGURATION table
APPLY.
AVE.
72 Voyager Reference Guide
Page 73
Changing the IP Address of an Ethernet Interface
Note
Do not change the IP address you use in your browser to access
Voyager. If you do, you can no longer access the network application
platform (unit) with your browser.
1. Click CONFIG on the home page.
2. Click the Interfaces link.
3. Click the logical interface link for which you want to change the IP
address in the L
Example—
eth-s2p1c0
4. To remove the old IP address, click the DELETE check box that
corresponds to the address you want to delete, then click A
OGICAL column.
PPLY.
5. T o add the new IP address, enter the IP address for the device in the N
ADDRESS edit box.
IP
6. Enter the IP subnet mask length in the N
Click A
PPLY .
Each time you click A
length are added to the table. The entry fields remain blank to allow you
to add more IP addresses.
To make your changes permanent, click S
Ethernet Example
This section describes how you might configure the interfaces of your
network application platform (unit) in an example network, using Voyager.
Before you can configure the unit using Voyager, you must configure an IP
address on one of the interfaces. You can do this through the unit console port
EW
EW MASK LENGTH edit box.
PPLY , the newly configured IP address and mask
AVE.
Voyager Reference Guide 73
Page 74
5 Configuring Interfaces
during installation or by using the Lynx browser. This allows a graphical
browser such as Microsoft Internet Explorer or Netscape Navigator to access
the unit through that interface. You can use any graphical web browse r to
configure the other interfaces on the unit by entering the IP address of the unit
in the location field of the browser.
The figure below shows the network configuration for this example.
Provider
(192.168.2.93)
ser-s1p1c0 (192.168.2.1)
Nokia Platform A
atm-s2p1c93 (192.168.3.2)
ATM
Switch
atm-s1p1c52 (192.168.3.1)
Nokia Platform B
eth-s2p1c0 (192.168.4.1/24)
192.168.4.xxx
00037
Server
FDDI
192.168.1.xxx
fddi-s3p1c0
(192.168.1.1/24)
Server Server
In a company's main office, Nokia Platform A terminates a serial line to an
Internet service provider, running PPP with a keepalive value of 10.
Nokia Platform A also provides internet access for a FDDI ring and a remote
branch office connec te d via ATM PVC 93.
74 Voyager Reference Guide
Page 75
The branch office contains Nokia Platform B, which routes traffic between a
local Fast Ethernet network and ATM PVC 52. It provides access to the main
office and the Internet. We are configuring the Ethernet interface on Nokia
Platform B.
1. Click C
ONFIG on the home page.
2. Click the Interfaces link.
3. Click
4. Click the 100 M
5. Click A
6. Click
eth-s2p1 in the PHYSICAL column of the table.
BIT/SEC radio button.
PPLY .
eth-s2p1c0 in the LOGICAL INTERFACES table to go to the Interface
page.
7. Enter 192.168.4.1 in the N
8. Enter 24 in the N
9. Click A
10. Click the U
11. Click the O
12. Click A
13. Click S
PPLY .
P button to go the Interfaces page.
N radio button for eth-s2p1c0.
PPLY .
AVE.
EW MASK LENGTH edit box.
EW IP ADDRESS edit box.
Gigabit Ethernet Interfaces
Configuring a Gigabit Ethernet Interface
1. Click CONFIG on the home page.
2. Click the Interfaces link.
3. Click the physical interface link you want to configure in the P
column of the Interface Configuration page.
Voyager Reference Guide 75
HYSICAL
Page 76
5 Configuring Interfaces
Example—
eth-s5p1
Note
The link speed appears in the PHYSICAL CONFIGURATION table in the
LINK SPEED field. The speed is fixed.
Note
The duplex mode, in the PHYSICAL CONFIGURATION table, is set to full at
all times.
4. (Optional) Click the ON or OFF radio button in the PHYSICAL
CONFIGURATION table’s FLOW CONTROL field to select the appropriate
choice. The default value is OFF. Click A
PPLY.
Click the logical interface name in the I
L
OGICAL INTERFACES table to go to the Interface page.
5. Enter the IP address for the device in the N
6. Enter the IP subnet mask length in the N
Click A
7. Each time you click A
PPLY .
PPLY, the configured IP address and mask length
NTERFACE column of the
EW IP ADDRESS edit box.
EW MASK LENGTH edit box.
are added to the table. The entry fields remain blank to allow you to add
more IP addresses.
To enter another IP address and IP subnet mask length, repeat steps 5-6.
8. (Optional) Change the interface’s logical name to a more meaningful one
by typing the preferred name in the L
PPLY.
A
OGICAL NAME edit box. Click
9. (Optional) Add a comment to further define the logical interfaces function
in the C
10. Click the U
OMMENTS edit box. Click APPLY.
P button to go to the Interface Configuration page.
76 Voyager Reference Guide
Page 77
11. Click the ON radio button that corresponds to the logical interface you
have configured. Click A
PPLY.
The Gigabit Ethernet interface is now available for IP traffic and routing.
To make your changes permanent, click S
AVE.
Changing the IP Address of a Gigabit Ethernet
Interface
Note
Do not change the IP address you use in your browser to access
Voyager. If you do, you can no longer access the network application
platform (unit) with your browser.
1. Click CONFIG on the home page.
2. Click the Interfaces link.
3. Click the logical interface link for which you want to change the IP
address in the L
Example—
eth-s5p1c0
OGICAL column of the Interface Configuration page.
4. To remove the old IP address, click the DELETE check box that
corresponds to the address you want to delete; then click A
5. T o add the new IP address, enter the IP address for the device in the N
ADDRESS edit box.
IP
6. Enter the IP subnet mask length in the N
Click A
Each time you click A
PPLY .
PPLY , the newly configured IP address and mask
EW MASK LENGTH edit box.
PPLY .
EW
length are added to the table. The entry fields remain blank to allow you
to add more IP addresses.
To make your changes permanent, click S
Voyager Reference Guide 77
AVE.
Page 78
5 Configuring Interfaces
Gigabit Ethernet Example
This section describes how you might configure the interfaces of your
network application platform (unit) in an example network, using Voyager.
Before you can configure the unit using Voyager, you must configure an IP
address on one of the interfaces. You can do this through the unit’s console
port during installation or by using the Lynx browser. This allows a graphical
browser such as Microsoft Internet Explorer or Netscape Navigator to access
the unit through that interface. You can use any graphical web browse r to
configure the other interfaces on the unit by entering the IP address of the unit
in the location field of the browser.
78 Voyager Reference Guide
Page 79
The figure below shows the network configuration for this example.
Provider
(192.168.2.93)
ser-s1p1c0 (192.168.2.1)
Nokia Platform A
atm-s2p1c93 (192.168.3.2)
ATM
Switch
atm-s1p1c52 (192.168.3.1)
Nokia Platform B
eth-s2p1c0 (192.168.4.1/24)
192.168.4.xxx
00037
Server
FDDI
192.168.1.xxx
fddi-s3p1c0
(192.168.1.1/24)
Server Server
In a company's main office, Nokia Platform A terminates a serial line to an
Internet service provider.
Nokia Platform A also provides internet access for a FDDI ring and a remote
branch office connec ted via ATM.
The branch office contains Nokia Platform B, which routes traffic between a
local Gigabit Ethernet network and ATM. It provides access to the main office
Voyager Reference Guide 79
Page 80
5 Configuring Interfaces
and the Internet. We are configuring the Gigabit Ethernet interface on Nokia
Platform B.
1. Click C
ONFIG on the home page.
2. Click the Interfaces link.
3. Click
4. Click the
P
5. Click A
6. Click
eth-s2p1 in the PHYSICAL column of the table.
ON or OFF radio button in the FLOW CONTROL field of the
HYSICAL CONFIGURATION table.
PPLY .
eth-s2p1c0 in the LOGICAL INTERFACES table to go to the Interface
page.
7. Enter 192.168.4.1 in the N
8. Enter 24 in the N
9. Click A
10. Click the U
11. Click the O
12. Click A
13. Click S
PPLY .
P button to go the Interface Configuration page.
N radio button for eth-s5p1c0.
PPLY .
AVE.
EW MASK LENGTH edit box.
EW IP ADDRESS edit box.
Virtual LAN Interfaces
Virtual LAN Description
Nokia supports Virtual LAN (VLAN) interfaces on all supported ethernet
interfaces. The use of VLAN interfaces lets you configure subnets with a
secure private link to Check Point FW-1/VPN-1 with the existing topology.
The use of VLAN enables the multiplexing of ethernet traffic into channels on
a single cable.
80 Voyager Reference Guide
Page 81
The Nokia implementation supports adding a logical interface with a VLAN
ID to a physical interface. In a VLAN packet, the OSI layer-two header, or
MAC header, contains four more bytes than the typical ethernet header for a
total of 18 bytes. When traffic arrives at the physical interface, the system
examines it for the VLAN layer-two header and accepts and forwards the
traffic if a VLAN logical interface is configured. If the traffic that arrives at
the physical interface does not have a VLAN header, it is directed to the
channel 0, or untagged, interface. In the Nokia implementation the untagged
channel 0 interface drops VLAN packets sent to the subnets on that interface.
Outgoing traffic from a VLAN interface is tagged with the VLAN header . The
Nokia appliance can receive and generate fully conformant IEEE 802.1Q
tags. The IEEE802.1Q standard defines the technology for virtual bridged
networks. The Nokia implementation is completely interoperable as a router,
not as a switch.
Configuring a VLAN Interface
1. Click CONFIG on the home page.
2. Click the Interfaces link.
3. Click the link to the physical ethernet interface for which you want to
enable a VLAN interface in the P
HYSICAL field. This action takes you to
the physical interface page for that interface.
4. Enter a value to identify the VLAN interface in the C
VLAN I
D edit box. The range is 2 to 4094. The values 0 and 4095 are
REATE A NEW
reserved by the IEEE standard. VLAN ID 1 is reserved by convention.
There is no default. Click A
5. The new logical interface for the VLAN appears in the L
I
NTERFACES field with the name eth-sXpYcZ, where X is the slot
PPLY.
OGICAL
number, Y is the physical port number and Z is the channel number. The
channel numbers increment starting with 1 with each VLAN ID that you
create.
6. Click S
Voyager Reference Guide 81
AVE to make your changes permanent.
Page 82
5 Configuring Interfaces
7. Repeat steps 4 through 6 for each VLAN interface you want to create.
8. To assign an IP address to the new logical VLAN interface, click the link
for the logical interface in the I
I
NTERFACES table. Enter the IP address in the NEW IP ADDRESS edit
box. Enter the mask length in the N
A
PPLY.
NTERFACE field of the LOGICAL
EW MASK LENGTH edit box. Click
9. Click S
AVE to make your changes permanent.
The new logical interface appears as active on the interface configuration
page. Click the U
P button to view that page.
(Optional) To disable the interface, click the
field in the row for the logical interface. Click A
S
AVE to make your change permanent.
Note
You can assign multiple IP addresses to each logical VLAN interface.
Repeat steps 8 and 9 for each IP address you want to assign to the same
VLAN logical interface.
Deleting a VLAN Interface
1. Click CONFIG on the home page.
2. Click the I
3. Click the link for the physical interface for which you want to delete a
VLAN interface in the P
physical interface page for the interface.
NTERFACES link.
OFF button in the ACTIVE
PPLY , and then click
HYSICAL field. This action takes you to the
4. In the L
OGICAL INTERFACE table, click the DELETE box in the row for the
logical VLAN interface you want to delete.
5. Click A
PPLY , and then click SAVE to make your change permanent.
The entry for the logical VLAN interface disappears from the L
NTERFACES table.
I
82 Voyager Reference Guide
OGICAL
Page 83
Defining the Maximum number of VLANs
1. Click CONFIG on the home page.
2. Click the I
NTERFACES link.
3. Enter a number in the M
The maximum value is 1015.
4. Click A
PPLY , and then click SAVE to make your change permanent.
VLAN Example Topology
The topology below represents a fully-redundant firewall with load sharing
and VLAN. Each Nokia appliance running Check Point FW-1 is configured
with the V irtual Router Redundancy Protocol (VRRP). This protocol provides
dynamic fail-over of IP addresses from one router to another in the event of
failure. See VRRP Description for more information. Each appliance is
configured with Gigabit Ethernet and supports multiple VLANs on a single
cable. The appliances receive and forward VLAN-tagged traffic to subnets
AXIMUM NUMBER OF VLANS ALLOWED edit-box.
Voyager Reference Guide 83
Page 84
5 Configuring Interfaces
configured for VLAN, creating a secure private network. In addition, the
appliances are configured to create VLAN-tagged messages for output.
Multiple VLANs on
single cable
GSR
GS
FDDI Interfaces
gigabit
switch
switch
Un tagged VLAN tagged Un tagged
Ethernet
gigabit
Ethernet
VRRP
pair
NOK/CP
FW-1
FW-1
sync
NOK/CP
FW-1
VRRP
pair
gigabit
Ethernet
gigabit
Ethernet
VLAN
switch
VLAN
switch
00203
Configuring an FDDI Interface
1. Click CONFIG on the home page.
2. Click the Interfaces link.
3. Click the physical interface link you want to configure in the P
column.
84 Voyager Reference Guide
HYSICAL
Page 85
Example—
fddi-s2p1
4. Click the FULL or HALF radio button in the PHYSICAL CONFIGURATION
table D
Note
A device attached to a ring topology should be set to half duplex. If the
device is running in point-to-point mode, the du ple x set tin g sh ou ld be set
to full. This setting must be the same for all hosts on the network to which
the device connects.
UPLEX field, then click APPLY.
5. Click the logical interface name in the INTERFACE column of the
OGICAL INTERFACES table to go to the Interface page.
L
6. Enter the IP address for the device in the N
7. Enter the subnet mask length in the N
click A
Each time you click A
PPLY.
PPLY , the configured IP address and mask length
EW IP ADDRESS edit box.
EW MASK LENGTH edit box, then
are added to the table. The entry fields remain blank to allow you to add
more IP addresses.
To enter another IP address and IP subnet mask length, repeat steps 6-7.
8. (Optional) Change the interface’s logical name to a more meaningful one
by typing the preferred name in the L
PPLY.
A
OGICAL NAME edit box, then click
9. (Optional) Add a comment to further define the logical interfaces function
in the C
10. Click the U
11. Click the O
have configured, then click A
OMMENTS edit box. Click APPLY.
P button to go the Interface Configuration page.
N radio button that corresponds to the logical interface you
PPLY.
The FDDI interface is now available for IP traffic and routing.
To make your changes permanent, click S
AVE.
Voyager Reference Guide 85
Page 86
5 Configuring Interfaces
Changing the Duplex Setting of an FDDI Interface
Note
If the duplex setting of an FDDI interface is incorrect, it may not receive
data, or it may receive duplicates of the data it sends.
1. Click CONFIG on the home page.
2. Click the Interfaces link.
3. Click the physical interface link you want to change in the P
HYSICAL
column.
Example—
fddi-s2p1
4. Click the FULL or HALF radio button in the PHYSICAL CONFIGURATION
table D
Note
A device attached to a ring topology should be set to half duplex. If the
device is running in point-to-point mode, the du ple x set tin g sh ou ld be set
to full. This setting must be the same for all hosts on the network to which
the device connects.
UPLEX field, then click APPLY.
To make your changes permanent, click SAVE.
86 Voyager Reference Guide
Page 87
Changing the IP Address of an FDDI Interface
Note
Do not change the IP address you use in your browser to access
Voyager. If you do, you can no longer access the network application
platform (unit) with your browser.
1. Click CONFIG on the home page.
2. Click the Interfaces link.
3. Click the logical interface link for which you want to change the IP
address in the L
Example—
fddi-s2p1c0
4. To remove the old IP address, click the DELETE check box that
corresponds to the address you want to delete,
OGICAL column.
then click APPLY.
5. T o add the new IP address, enter the IP address for the device in the N
IP
6. Enter the subnet mask length in the N
click A
Each time you click A
added to the table. The entry fields remain blank to allow you to add more
IP addresses.
To make your changes permanent, click S
FDDI Example
This section describes how you might configure the interfaces of your
network application platform (unit) in an example network, using Voyager.
Before you can configure the unit using Voyager, you must configure an IP
address on one of the interfaces. You can do this through the unit console port
EW
ADDRESS edit box.
EW MASK LENGTH edit box, then
PPLY.
PPLY , the new IP address and mask length are
AVE.
Voyager Reference Guide 87
Page 88
5 Configuring Interfaces
during installation or by using the Lynx browser. This allows a graphical
browser such as Internet Explorer or Netscape Navigator to access the unit
through that interface. You can use any graphical web browser to configure
the other interfaces on the unit by entering the IP address of the unit in the
location field of the browser.
The figure below shows the network configuration for this example.
Provider
(192.168.2.93)
ser-s1p1c0 (192.168.2.1)
Nokia Platform A
atm-s2p1c93 (192.168.3.2)
ATM
Switch
atm-s1p1c52 (192.168.3.1)
Nokia Platform B
eth-s2p1c0 (192.168.4.1/24)
192.168.4.xxx
00037
Server
FDDI
192.168.1.xxx
fddi-s3p1c0
(192.168.1.1/24)
Server Server
In a company's main office, Nokia Platform A terminates a serial line to an
Internet service provider, running PPP with a keepalive value of 10.
Nokia Platform A also provides internet access for a FDDI ring and a remote
branch office connec te d via ATM PVC 93.
88 Voyager Reference Guide
Page 89
The branch office contains Nokia Platform B, which routes traffic between a
local Fast Ethernet network and ATM PVC 52. It provides access to the main
office and the Internet. We are configuring the FDDI interface on Nokia
Platform A.
1. Click C
ONFIG on the home page.
2. Click the Interfaces link.
3. Click
4. Click the H
5. Click A
6. Click
fddi-s3p1 in the PHYSICAL column of the table.
ALF radio button to select the duplex setting.
PPLY .
fddi-s3p1c0 in the LOGICAL INTERFACES table to go to the
Interface page.
7. Enter
8. Enter 24 in the N
9. Click A
10. Click the U
11. Click the O
12. Click A
13. Click S
192.168.1.1 in the NEW IP ADDRESS edit box.
EW MASK LENGTH edit box.
PPLY .
P button to go the Interfaces page.
N radio button for fddi-s3p1c0.
PPLY .
AVE.
ISDN Interfaces
Integrated Services Digital Network is a system of digital phone connections
that allows voice, digital network services, and video data to be transmitted
simultaneously using end-to-end digital connectivity.
Nokia’s Network Application Platform (Nokia PlatformNokia Platform)
offers support for an ISDN Basic Rate Interface (BRI) physical interface. The
ISDN BRI comprises one 16 Kbps D-channel for signalling and control, and
two 64 Kbps B-channels for information transfer . Nokia’ s physical interface is
Voyager Reference Guide 89
Page 90
5 Configuring Interfaces
certified to conform to the European Telecommunications Standards Institute
(ETSI) ISDN standard.
The physical interface is the manageable representation of the physical
connection to ISDN. One physical interface will be visible in Voyager for
every ISDN BRI card in the Nokia Platform chassis. The physical interface
enables management of the parameters specific to each ISDN connection. It
permits enabling or disabling of the ISDN connection and is the entity under
which logical interfaces are created.
The logical interface is the logical communication end-point. It contains all
information used to set up and maintain the ISDN call. The logical interface
comprises:
! Data link encapsulation and addressing
! Call connection information such as call direction, data rate, and the
number to call
! Authentication information such as names, passwords, and authentication
method
Features
! Bandwidth allocation for Multilink PPP
After configuring the physical interface, then creating and configuring the
logical interfaces, the Nokia Platform will be ready to make and accept ISDN
calls. Detailed information on how to create and configure ISDN interfaces
begins in “Configuring a Physical Interface.”
The features supported by the ISDN interface are summarized below:
! Port—ISDN Basic Rate S/T interface with RJ45 connector
! ISDN signaling—ETSI EURO-ISDN (ETS 300 102)
! B-channel protocols—IETF PPP (RFC 1661 and 1662); IETF Multilink
PPP (RFC 1990)
! Security—PAP (RFC 1334), CHAP (RFC 1994), and ISDN Caller ID
90 Voyager Reference Guide
Page 91
! Dial-on-demand routing—The ISDN interface can be configured so that
only certain types of traffic establish and maintain an ISDN connection.
Circuits are automatically torn down if they are not required.
! Dynamic bandwidth allocation—The ISDN interface can be configured to
add or remove additional bandwidth as the traffic requires it.
! Multiple destination support—An ISDN interface can be configured to
connect to two different destinations simultaneously.
! Dial-in support—The ISDN interface can be configured to accept
incoming calls from remote sites.
Configuring a Physical Interface
1. Click CONFIG on the home page.
2. Click the Interfaces link.
3. Click the physical interface link you want to configure in the P
HYSICAL
column.
Example—
isdn-s2p1
4. From the pull-down menu in the SWITCH TYPE field in the PHYSICAL
C
ONFIGURATION table, select the service provider-switch type that
corresponds to the interface's network connection.
5. In the L
click the P
INE TOPOLOGY field in the PHYSICAL CONFIGURATION table,
OINT-TO-POINT or MULTIPOINT radio button to describe the
connection type of the interface.
6. Click the A
(terminal-endpoint identifier) field in the P
UTOMATIC or MANUAL radio button in the TEI OPTION
HYSICAL CONFIGURATION
table.
Generally, automatic TEIs are used with multipoint connections, while
fixed TEIs are used in point-to-point configurations.
7. Click A
PPLY .
Voyager Reference Guide 91
Page 92
5 Configuring Interfaces
8. (Optional) If you selected MANUAL as the TEI Option, enter the TEI
assigned to the ISDN interface in the TEI field.
9. In the P
P
OWERUP radio button in the TEI ASSIGN field to specify when you
HYSICAL CONFIGURATION table, click the FIRST-CALL or
want the ISDN Layer 2 (TEI) negotiation to occur.
! First-Call—ISDN TEI negotiation should occur when the first ISDN call
is placed or received.
The first-call option is mainly used in European ISDN switch types (for
example, ETSI).
! PowerUp—ISDN TEI negotiation should occur when the router is
powered on.
10. Click A
PPLY .
11. To make your changes permanent, click S
Creating a Logical Interface
To Configure an ISDN Logical Interface to Place
Calls
AVE.
1. Click CONFIG on the home page.
2. Click the Interfaces link.
3. In the P
HYSICAL column, click on the ISDN physical-name, interface link
you want to configure.
Example—
isdn-s2p1
4. Using the ENCAPSULATION edit box in the CREATE NEW LOGICAL
I
NTERFACE table, select whether to run PPP or multilink PPP on the
interface; then click A
A newly created logical interface appears in the I
L
OGICAL INTERFACES table.
92 Voyager Reference Guide
PPLY.
NTERFACE column of the
Page 93
5. Click the logical interface name in the INTERFACE column of the
L
OGICAL INTERFACES table to go to the Interface page.
6. If the interface should be unnumbered, perform steps a and b. If the
interface should be numbered, skip to step 7.
In unnumbered mode the interface does not have its own unique IP
address—the address of another interface is used.
a. Click Y
b. Use the P
ES next to UNNUMBERED INTERFACE, then click APPLY.
ROXY INTERFACE pull-down menu to select the logical
interface from which the address for this interface is taken.
7. Enter the IP address for the local end of the connection in the L
ADDRESS edit box in the INTERFACE INFORMATION table.
OCAL
You must enter a valid IP address. IPSO does not support dynamically
assigned IP addresses for ISDN interfaces. Do not enter 0.0.0.0.
8. Enter the IP address of the remote end of the connection in the R
ADDRESS edit box in the INTERFACE INFORMATION table.
9. (Optional) Enter a string comment in the D
ONNECTION INFORMATION table to describe the purpose of the logical
C
ESCRIPTION edit box in the
interface, for example, Connection to Sales Office.
10. Click the O
NFORMATION table.
I
11. (Optional) Enter the value for the idle time-out in the I
in the C
UTGOING Direction radio button in the CONNECTION
DLE TIME edit box
ONNECTION INFORMATION table.
This time entry defines the time in seconds that an active B-channel can
be idle before it is disconnected. A value of zero indicates that the active
B-channel will never disconnect. The range is 0-99999. The default value
is 120.
EMOTE
12. (Optional) Enter the value for the minimum call time in the M
C
ALL TIME edit box in the CONNECTION INFORMATION table.
This entry defines the minimum number of seconds a call must be
connected before it can be disconnected by an idle timeout. A value of 0
indicates that the call can be disconnected immediately upon expiration of
Voyager Reference Guide 93
INIMUM
Page 94
5 Configuring Interfaces
the idle timer . If the service provider has a minimum charge for each call,
it is recommended the minimum call time be set to this value. The range
is 0-99999. The default value is 120.
13. Click the 64 K
ONNECTION INFORMATION table to set the data rate for outgoing calls.
C
14. Enter values for a remote number and subaddress in the R
N
UMBER and (optional) REMOTE SUB NUMBER edit boxes in the
C
ONNECTION INFORMATION table.
BPS or 56 KBPS radio button in the RATE field in the
EMOTE
15. (Optional) Enter values for a calling number and subaddress in the
C
ALLING NUMBER and CALLING SUB NUMBER edit boxes in the
ONNECTION INFORMATION table.
C
The calling number and subaddress are inserted in a SETUP message
when an outgoing call is made.
Note
The AUTHENTICATION table entries, which follow, allow the user to
manage the parameters used to authenticate both ends of the
communication link.
16. In the TO REMOTE HOST section of the AUTHENTICATION table, in the
AME edit box, enter the name that needs to be returned to a remote host
N
when it attempts to authenticate this host.
17. In the T
P
ASSWORD edit box, enter the password to be returned to the remote host
O REMOTE HOST section of the AUTHENTICATION table, in the
for PAP authentication, or the secret used to generate the challenge
response for CHAP authentication.
Note
The TO REMOTE HOST information must be the same as the FROM
EMOTE HOST information (or its equivalent) at the remote end of the
R
link.
94 Voyager Reference Guide
Page 95
18. In the FROM REMOTE HOST section of the AUTHENTICATION table select
the authentication method used to authenticate the remote host.
19. In the F
N
ROM REMOTE HOST section of the AUTHENTICATION table, in the
AME edit box, enter the name that will be returned from the remote host
when this host attempts to authenticate the remote host.
20. In the F
P
ASSWORD edit box, enter a password to be returned by the remote host
ROM REMOTE HOST section of the AUTHENTICATION table, in the
for PAP authentication, or the secret used to validate the challenge
response for CHAP authentication.
Note
The FROM REMOTE HOST information must be the same as the TO
REMOTE HOST information (or its equivalent) at the remote end of the
link.
Note
The BANDWIDTH ALLOCATION table entries that follow allow the network
administrator to manage the p arameters th at are used to determine when
to add or remove an additional B-channel only when using Multilink PPP.
21. In the BANDWIDTH ALLOCATION table, in the UTILIZATION LEVEL edit
box, enter a percentage bandwidth utilization level at which the additional
B-channel will be added or removed. When the measured utilization of an
outgoing B-channel exceeds the utilization level threshold for a period of
time greater than the utilization period, the second B-channel will be
brought into operation. When the outgoing B-channel utilization falls
below the utilization level for a period of time greater than the value of
the utilization period, the second B-channel will be removed from
operation.
A utilization level of zero means that the second B-channel is never
brought into operation. To bring the second B-channel into operation
quickly, set the utilization level to a low number, such as one.
Voyager Reference Guide 95
Page 96
5 Configuring Interfaces
22. In the BANDWIDTH ALLOCATION table, in the UTILIZATION PERIOD edit
box, enter the utilization period. This value specifies the number of
seconds the outgoing B-channel utilization must remain above the
utilization level before a second channel is brought into operation. Once a
second B-channel has been added, this value specifies the nu mber of
seconds that the utilization of the outgoing B-channel must be below the
utilization level before the second B-channel is removed from operation.
A utilization period set to zero will cause the second B-channel to be
brought into operation immediately; the utilization level has been
exceeded. It will also cause the second B-channel to be removed from
operation; immediately the measured utilization drops below the
utilization level.
23. Click A
24. To make your changes permanent, click S
PPLY .
AVE.
For troubleshooting information, see “ISDN Troubl esho oting.”
To Configure an Interface to Receive Calls
1. Click CONFIG on the home page.
2. Click the Interfaces link.
3. Click the physical interface link you want to configure in the P
column.
Example—
isdn-s2p1
4. Select whether to run PPP or multilink PPP on the interface from the
E
NCAPSULATION edit box in the CREATE NEW LOGICAL INTERFACE
table; then click A
A new logical interface appears in the I
OGICAL INTERFACES table.
L
PPLY .
NTERFACE column of the
HYSICAL
5. Click the logical interface name in the I
L
OGICAL INTERFACES table to go to the Interface page.
96 Voyager Reference Guide
NTERFACE column of the
Page 97
6. Enter the IP address for the local end of the connection in the LOCAL
ADDRESS edit box in the INTERFACE INFORMATION table.
7. Enter the IP address of the remote end of the connection in the R
ADDRESS edit box in the INTERFACE INFORMATION table.
8. Click the I
NFORMATION table.
I
9. Click A
NCOMING Direction radio button in the CONNECTION
PPLY .
EMOTE
10. To configure the list of incoming numbers with permission to call into this
interface, click the Incoming Numbers link.
Note
If no incoming call numbers are configured, all incoming calls will be
accepted.
11. In the TO REMOTE HOST section of the AUTHENTICATION table, in the
N
AME edit box, enter the name that needs to be returned to a remote host
when it attempts to authenticate this host.
12. In the T
ASSWORD edit box, enter the password to be returned to the remote host
P
O REMOTE HOST section of the AUTHENTICATION table, in the
for PAP authentication, or the secret used to generate the challenge
response for CHAP authentication.
Note
The TO REMOTE HOST information must be the same as the FROM
EMOTE HOST information (or its equivalent) at the remote end of the
R
link.
13. In the FROM REMOTE HOST section of the AUTHENTICATION table select
the authentication method used to authenticate the remote host.
14. In the F
N
ROM REMOTE HOST section of the AUTHENTICATION table, in the
AME edit box, enter the name that will be returned from the remote host
when this host attempts to authenticate the remote host.
Voyager Reference Guide 97
Page 98
5 Configuring Interfaces
15. In the FROM REMOTE HOST section of the AUTHENTICATION table, in the
P
ASSWORD edit box, enter a password to be returned by the remote host
for PAP authentication, or the secret used to validate the challenge
response for CHAP authentication.
Note
The FROM REMOTE HOST information must be the same as the TO
REMOTE HOST information (or its equivalent) at the remote end of the
link.
16. To make your changes permanent, click SAVE
For troubleshooting information, see “ISDN Troubl esho oting.”
To configure Calling Line-Identification Screening
Incoming calls to the Nokia Platform can be filtered using the calling number
in the received SETUP message. Calling Line Identification (CLID) must be
supported by the network to filter calls using the calling number.
When an incoming call is received, the calling number in the received SETUP
message is checked against the incoming numbers configured on each logical
interface. The calling number is compared with each incoming call using the
“right-most-digits” algorithm. A number matches if the shortest string
between the received calling number and the incoming number is the same.
For example, if the calling number received was 345 and the logical interface
has an incoming number of 12345, then this is deemed a match.
The call is answered on the interface that is configured with the incoming
number with the highest number of matching digits. If no matching incoming
number is found, the call is rejected.
If no incoming numbers are configured on an interface then any incoming call
is deemed a match.
Information on how to add and delete incoming numbers to the logical
interface is detailed below.
98 Voyager Reference Guide
Page 99
To Add an Incoming Number
1. Click CONFIG on the home page.
2. Click the Interfaces link.
3. Click the physical interface link in the P
HYSICAL column.
Example—
isdn-s2p1
4. Click the logical interface link in the LOGICAL INTERFACES table.
5. Click the Incoming Numbers link.
6. In the N
to accept incoming calls; click A
An
7. Click the Y
UMBER edit box, enter the telephone number on which you want
PPLY.
x is used to represent a wild-card character.
ES radio button in the CALLBACK field if you want the
incoming call to be disconnected, and an outgoing call attempted;
otherwise, click the N
O radio button to have the incoming call answered.
If Callback is set to Yes, the Nokia Platform uses the number in the
R
EMOTE NUMBER field on the logical interface to make the outgoing call.
8. If Callback has been set to Yes, enter the value for the timeout in the
TIMEOUT field.
This is the amount of time (in seconds) the Nokia Platform will wait
before placing a call back to the remote system. The range is 0-999. The
default is 15.
9. Click A
10. To record your changes, click S
For troubleshooting information, see “ISDN Troubl esho oting.”
To Remove an Incoming Number
1. Click CONFIG on the home page.
2. Click the Interfaces link.
Voyager Reference Guide 99
PPLY .
AVE.
Page 100
5 Configuring Interfaces
3. Click the physical interface link in the PHYSICAL column.
Example—
isdn-s2p1
4. Click the logical interface link in the LOGICAL INTERFACES table.
5. Click the Incoming Numbers link.
6. Find the incoming number you want to remove in the N
click its corresponding D
7. To record your changes, click S
ELETE button, and then click APPLY.
AVE.
UMBERS table,
To Configure an Interface to Place and Receive
Calls
1. Click CONFIG on the home page.
2. Click the Interfaces link.
3. Click the physical interface link you want to configure in the P
column.
Example—
isdn-s2p1
4. Select whether to run PPP or multilink PPP on the interface from the
NCAPSULATION edit bo x in the Create New Logical Interface section;
E
then click A
A new logical interface appears in the I
PPLY.
NTERFACE column.
HYSICAL
5. Click the logical interface name in the I
L
OGICAL INTERFACES table to go to the Interface page.
6. Enter the IP address for the local end of the connection in the L
ADDRESS edit box.
7. Enter the IP address of the remote end of the connection in the R
ADDRESS edit box.
8. Click the B
100 Voyager Reference Guide
NTERFACE column of the
OCAL
EMOTE
OTH Direction radio button.
Loading...