Nokia Network Voyager for IPSO 4.0 Reference Guide Part No. N451818001 Rev A Published October 2005...
Rights clause at FAR 52.227-19. IMPORTANT NOTE TO USERS This software and hardware is provided by Nokia Inc. as is and any express or implied warranties, including, but not limited to, implied warranties of merchantability and fitness for a particular purpose are disclaimed. In no event shall Nokia, or its affiliates, subsidiaries or suppliers be liable for any direct, indirect, incidental, special, exemplary, or consequential damages (including, but not limited to, procurement of substitute goods or services;...
Nokia Customer Support
1-650-691-2170
Nokia Inc.
313 Fairchild Drive
Mountain View, California 94043-2215 USA
Contents
About the Nokia Network Voyager Reference Guide
Conventions This Guide Uses
Notices
Unnumbered Interfaces
Configuring the DHCP Server
DHCP Server Configuration
Restoring Files from Locally Stored Backup Files
Managing Nokia IPSO Images
Changing Current Image
Downgrading Nokia IPSO Images
Configuring Monitor Reports
Managing Packages
Configuring the Internal and External Routers
Clustering Example With Non-Check Point VPN
Configuring VRRP for IPv6
Creating a Virtual Router for an IPv6 Interface
Configuring a Modem on COM2, COM3, or COM4
Configuring Nokia Network Voyager Access
Configuring Basic Nokia Network Voyager Options
Routing Overview
IGRP Aggregation
BGP Neighbors Example
Path Filtering Based on Communities Example
Configuring ATM QoS
Configuring Common Open Policy Server
Displaying Route Settings
Index
Network Voyager you can also perform with the command-line interface (CLI), allowing you to choose the interface you are most comfortable with. For information specific to the CLI, see the CLI Reference Guide for Nokia IPSO. This guide is intended for experienced network administrators who configure and manage Nokia IP security platforms.
Simple describes how to configure features that describes how to manage describes the IPSO routing subsystem, describes traffic describes how to enable your describes how provides...
Table 1 Text Conventions
Convention / Description
monospace font: Indicates command syntax, or represents computer or screen output, for example: Log error 12453
bold monospace font: Indicates text you enter or type, for example:
Key names: ...
In addition to this guide, documentation for this product includes the following: CLI Reference Guide for Nokia IPSO, which is on the IPSO CD. This guide contains the commands that you can implement from the command-line interface (CLI) for IPSO.
This chapter provides an overview of Network Voyager, the Web-based interface that you can use to manage Nokia IPSO systems. Nokia Network Voyager is a Web-based interface that you can use to manage IPSO systems from any authorized location. Network Voyager comes packaged with the IPSO operating system software and is accessed from a client using a browser.
The Log Off link does not appear if you disabled session management. For information about session management, see “Role-Based Administration” on page 293, “Obtaining a Configuration Lock” on page 25, and “Network Voyager Session Management” on page 311.
2. Verify that the Acquire Exclusive Configuration Lock check box is checked. This is the default choice. 3. Check the Override Locks Acquired by Other Users check box. “To override a configuration lock.”...
5. Click OK or close the Preferences window.
Accessing Documentation and Help
You can access the Nokia Network Voyager Reference Guide for IPSO, the CLI Reference Guide, and Network Voyager online help from links within the Network Voyager interface.
This guide, the Nokia Network Voyager Reference Guide for IPSO, is the comprehensive reference source for IPSO administration and using the Network Voyager interface. You can access this guide and the CLI Reference Guide from the following locations: Network Voyager interface—Click the Documentation link in the tree view.
The asset management summary page appears. 2. The page separates information into three tables: Hardware, FireWall Package Information, and Operating System. 3. Click the Up button to return to the main configuration page.
This chapter describes configuring and monitoring the various types of interfaces supported by Nokia IP security platforms, aggregating Ethernet ports, configuring GRE and DVMRP tunnels, using transparent mode to allow your IPSO appliance to behave like a Layer 2 device, and other topics related to physical and logical interfaces.
Ethernet NIC in slot 2 is represented by two physical interfaces: eth-s2p1 and eth-s2p2. The following table lists the interface-name prefixes for each type. Type Prefix Ethernet FDDI fddi Serial T1/E1 HSSI Token Ring...
(for example, the ATM VCI or the Frame Relay DLCI). Physical Interface Ethernet FDDI have the same values as the corresponding physical interface. <port> Logical Interface Default...
IP packet. Thus, for a router to have an unnumbered interface, it must have at least one IP address assigned to it. The Nokia implementation of unnumbered interfaces does not support virtual links.
Create a tunnel logical interface by specifying an encapsulation type. Use Network Voyager to set the encapsulation type. Network Voyager supports two encapsulation types, DVMRP and GRE. The tunnel logical interface name has the form: tun0c<chan> where <chan> (channel number) is an instantiation identifier.
Do not change the IP address you use in your browser to access Network Voyager. If you do, you can no longer access the IP security platform with your Network Voyager browser. on page 457.
13. To make your changes permanent, click Save. Link Aggregation Nokia IPSO appliances allow you to aggregate (combine) Ethernet ports so that they function as one logical port. You get the benefits of greater bandwidth per logical interface and load...
You must configure the appropriate switch ports to use static link aggregation. (On Cisco switches, this means you must enable EtherChannel.) That is, if you aggregate four ports into one group on your Nokia appliance, the four switch ports that they connect to must use static link aggregation.
Static Link Aggregation The IPSO implementation of link aggregation complies with the IEEE 802.3ad standard for static link aggregation. Nokia has also tested IPSO link aggregation with the following Cisco Catalyst switches: 6500 Series...
You can connect the aggregated ports using a switch, hub, or crossover cable. Do not include ports on different I/O cards in the same aggregation group. delete a port from the...
Be careful not to select a port that you are using for a management connection. 3. Configure the physical configuration to the settings you want. , in which is the group ID.
Note that Network Voyager’s display of the aggregated bandwidth does not reflect whether any of the ports are physically up or logically active. through step 5 again to configure the other interfaces identically.
Parameter Active Link Trap Flow Control Link Recognition Delay ae100c0 Table 4 for each Gigabit Ethernet interface. on page 35. Description Select On to enable the interface, select Off to disable the interface.
(Optional) This field is displayed on the main Interface Configuration and the Logical Interface pages. Use it to add a description that you might find useful in identifying the logical interface. eth-s5p1...
The PPPOE Profile Configuration page is displayed. Here you can create PPPoE profiles, change profiles, and view existing profiles on your system. 4. Enter a name for the profile and, optionally, a description.
PPPoE profile. If you select Dynamic, the Local Address should be the IP address of the logical interface. The Remote Address should be the name of the logical interface. “Configuring MSS...
1. Click Interfaces under Configuration > Interface Configuration in the tree view. 2. Click the Interfaces link. 3. Click the pppoe0 link. 4. Click the PPPoE Profile link. “To delete PPPoE logical interfaces.”...
VPN-1 with the existing topology. VLAN enables the multiplexing of Ethernet traffic into channels on a single cable. The Nokia implementation of VLAN supports adding a logical interface with a VLAN ID to a physical interface. In a VLAN packet, the OSI Layer 2 header, or MAC header, contains four more bytes than the typical Ethernet header for a total of 18 bytes.
This action takes you to the physical interface page for the interface. 3. In the Logical Interface table, click Delete in the row for the logical VLAN interface to delete. 4. Click Apply.
The following topology represents a fully redundant firewall with load sharing and VLAN. Each Nokia appliance running Check Point FW-1 is configured with the Virtual Router Redundancy Protocol (VRRP). This protocol provides dynamic failover of IP addresses from one router to another in the event of failure.
The FDDI interface is now available for IP traffic and routing. 13. Click Save to make your changes permanent. to a ring topology to half duplex. If the device is running in point-to-...
Each time you click Apply, the new IP address and mask length are added to the table. The entry fields remain blank to allow you to add more IP addresses. 8. Click Save to make your changes permanent.
Bandwidth allocation for Multilink PPP After configuring the physical interface, then creating and configuring the logical interfaces, the Nokia appliance is ready to make and accept ISDN calls. Detailed information on how to create and configure ISDN interfaces begins in The ISDN interface supports the following features.
In unnumbered mode the interface does not have its own unique IP address—the address of another interface is used. a. Click Yes next to Unnumbered interface. b. Click Apply. step...
If the service provider has a minimum charge for each call, Nokia recommends the minimum call time be set to this value. The range is 0 to 99999. The default value is 120.
B-channel must be below the use level before the second B-channel is removed from operation. ext box, enter...
CHAP authentication. Note The To Remote Host information must be the same as the From Remote Host information (or its equivalent) at the remote end of the link. “ISDN Troubleshooting.”...
For troubleshooting information, see
Configuring Calling Line-Identification Screening
You can filter incoming calls to the Nokia appliance by using the calling number in the received SETUP message. The network must support Calling Line Identification (CLID) to filter calls by using the calling number.
6. Click Yes in the Callback field for the incoming call to be disconnected, and an outgoing call attempted; otherwise, click No to have the incoming call answered. If Callback is set to Yes, the Nokia appliance uses the number in the Remote Number field on the logical interface to make the outgoing call.
Therefore, if the packet matched a rule in the Access list that had an associated action of drop, “To configure an ISDN logical interface to place calls” “ISDN Troubleshooting.” to set “To add an incoming...
1, 2, 3, and 4—you can place a new rule between rules 2 and 3 by checking the Add Rule Before check box on rule 3. 5. Click Save to make your changes permanent.
The DDR list is added to the isdn-s2p2c1 ISDN interface. 1. Click Dial on Demand Routing under Configuration > Traffic Management in the tree view. 2. Enter NotRIP in the Create New DDR List text box.
ISDN interface on the Nokia IP330 in this example has its minimum-call timer set to four minutes and its idle timer set to one minute. The Nokia IP330 is configured to send a username and password to the main office.
Remote Number text box in the Connection Information 384020 in the Local Address text box in the Interface Information table. in the Remote Address text box in the Interface Information table.
16. Click Apply. 17. Click Save. Sample Call Traces Sample traces for call setup between the Nokia IP Security platform follow. The traces were produced by issuing the following command on each device: “ Traffic was generated by doing a “...
The trace for connecting a call from the Nokia IP330 is: 06:23:45.186511 O > PD=8 CR=23(Orig) SETUP:Bc:88 90. CalledNb:80 33 38 34 30 32 30.SendComp: 06:23:45.255708 I < PD=8 CR=23(Dest) CALL-PROC:ChanId:89. 06:23:45.796351 I < PD=8 CR=23(Dest) ALERT: 06:23:45.832848 I < PD=8 CR=23(Dest) CONN:DateTime:60 06 0c 05 2d.
All messages of this level and below are sent to the message log. To view the message log 1. Click Monitor on the home page. 2. Click the View Message Log link under the System logs heading.
2 - Public network serving local user 3 - Transit network 4 - Public network serving remote user 5 - Private network serving remote user 7 - International network A - Network beyond Internetworking point
Number changed Non-selected user clearing Designation out of order Invalid number format Facility rejected Description Class of cause value Value of cause value (Optional) Diagnostic field that is always 8. (Optional) Diagnostic field that is one of the following values: 0 is...
Discarded information-element identifier(s) (Note 6) Note 10 See ISDN Cause Values table. Facility identification (Note 1) Note 3 Note 3 Note 3 Note 3 Channel Type (Note 7) Facility Identification (Note 1) Channel identity
Table B-2. Note 5—New destination is formatted as the called-party number information element, including information element identifier. Transit network selection might also be included. Diagnostics Clearing cause Incompatible parameter (Note 2)
0x8890 for 64 Kbps or 0x218F for 56 Kbps Value Description ITU-T coding standard; unrestricted digital information Circuit mode, 64 Kbps Layer 1, V.110 / X.30 Synchronous, no in-band negotiation, 56 Kbps
Each time you click Apply, the configured IP address and mask length are added to the table. The entry fields remain blank to allow you to add more IP addresses. ]. When the option is off, it maps a multicast IP address to an IEEE-...
6. (Optional) To change a logical interface link, click the logical interface link to change in the Logical column. Example: tok-s3p1c0 The Logical Interface setup page appears. 7. Perform the following procedures to make the desired changes. tok-s3p1.
The branch office contains IP650 B, which routes traffic between a local fast Ethernet network and a Token Ring. IP650 B provides access to the main office and the Internet. This example configures the Token Ring interface on IP650 A.
9. Click the logical interface link to configure in the Logical column. fddi-s3p1c0 FDDI 192.168.1.xxx (192.168.1.1/24) Token Ring 192.168.3.4 Server (Optional) Server Provider (192.168.2.93) ser-s1p1c0 (192.168.2.1) Nokia Platform A tok-s2p1c0 (192.168.3.2) 192.168.3.5 Server (Optional) tok-s1p1c0 (192.168.3.1) Nokia Platform B eth-s2p1c0 (192.168.4.1/24)
5. Select the VPI/VCI range in the VPI/VCI Range Configuration list box. 6. Select point-to-point in the Type list box in the Create a new LLC/SNAP RFC1483 interface section. Enter the VPI/VCI number in the VPI/VCI text box.
4. Click Apply. The logical interface disappears from the list. Any IP addresses configured on this interface are also removed. 5. Select the VPI/VCI range in the VPI/VCI Range Configuration selection box.
2. In the Logical column, click the Logical interfaces link for the item on which to change the IP address. Example: atm-s2p1 3. Enter a number in the IP MTU text box to configure the device’s maximum length (in bytes) of IP packets transmitted on this interface.
The following figure shows the network configuration for this example. In a company’s main office, Nokia Platform A terminates a serial line to an Internet service provider, running PPP with a keepalive value of 10. Nokia Platform A also provides Internet access for an FDDI ring and a remote branch office connected through ATM PVC 93.
11. Click Save. Note The steps for configuring the ATM interface on Nokia Platform B are the same except that you should set the to 52 when you create the logical interface and the IP addresses should be reversed.
IP security platform with your browser. 1. Click Interfaces under Configuration > Interface Configuration in the tree view. 2. Click the physical interface link to configure in the Physical column. Example: atm-s2p1
All hosts in the same LIS must use the same IP MTU in their interface to the LIS. Packets longer than the length you specify are fragmented before transmission. 4. Click Apply. 5. Click Save to make your changes permanent. atm-s2p1c8.
ATM interface on Nokia Platform A. The interface is connected to Nokia Platform B through ATM PVC 42 and to Nokia Platform C through ATM PVC 53. Nokia Platform B and Nokia Platform C are connected to each other through an ATM PVC; their ATM interfaces have already been configured.
These messages are used periodically to test for an active remote system. Note This value must be identical to the keepalive value configured on the system at the other end of a point-to-point link, or the link state fluctuates.
These messages are used periodically to test for an active remote system. Note This value must be identical to the keepalive value configured on the system at the other end of a point-to-point link, or the link state fluctuates. ser-s2p1.
5. If you turned the internal clock on, enter a value in the Internal clock speed text box. If the device can generate only certain line rates, and the configured line rate is not one of these values, the device selects the next highest available line rate. ser-s2p1.
Each time you click Apply after you enter a DLCI, a new logical interface appears in the Interface column. The DLCI entry field remains blank to allow you to add more frame relay logical interfaces.
The following figure shows the network configuration for this example. In a company’s main office, Nokia Platform A terminates a serial line to an Internet service provider, running PPP with a keepalive value of 10. Nokia Platform A also provides Internet access for an FDDI ring and a remote branch office connected through ATM PVC 93.
The branch office contains Nokia Platform B, which routes traffic between a local Fast Ethernet network and ATM PVC 52. It provides access to the main office and the Internet. To configure the serial interface on Nokia Platform A 1. Click Interfaces under Configuration > Interface Configuration in the tree view.
This value must be identical to the keepalive value configured on the system at the other end of a point-to-point link, or the link state fluctuates. 15. (Optional) Click the Advanced T1 CSU/DSU Options link to select advanced T1 options.
This setting must match the line encoding of the CSU/DSU at the other end of the point-to-point link. 7. Click Apply. 8. Click Superframe (D4) or Extended SF in the T1 Framing field to select the T1 Framing format. ser-s2p1.
19. From the Advanced T1 CSU/DSU Options page, click Up to return to the physical interface page. 20. Click the Advanced PPP Options link. The PPP Advanced Options page appears.
This setting must match the line encoding of the CSU/DSU at the other end of the point-to-point link. 7. Click Superframe (D4) or Extended SF radio button in the T1 Framing field to select the T1 Framing format. ser-s2p1.
19. From the Advanced T1 CSU/DSU Options page, click Up to return to the physical interface page. 20. (Optional) Click the Advanced Frame Relay Options link to go to the Frame Relay Advanced Options page.
34. Click Save to make your changes permanent. T1 Interface Example This section describes how you might use Network Voyager to configure the interfaces of your IP security platform in an example network.
The following figure shows the network configuration for this example. In a company’s main office, Nokia Platform A terminates a T1 line to an Internet service provider, running PPP with a keepalive value of 10. The T1 line uses B8ZS line encoding, Extended Super Frame, T1 framing, and 64 Kbps channels.
6. Click E1 (channel 0 framing) or No Framing in the E1 Framing field to select the E1 framing format. in the Local address text box. in the Remote address text box. ser-s2p1.
12. From the Advanced E1 CSU/DSU Options page, click Up to return to the physical interface page. 13. Click the logical interface name in the Interface column of the Logical Interfaces table to go to the Interface page.
6. Click E1 (channel 0 framing) or No Framing in the E1 Framing field to select the E1 Framing format. Use E1 framing to select whether timeslot-0 is used for exchanging signaling data. 7. Click On or Off for the E1 CRC-4 Framing field. ser-s2p1.
E1 device. The values you enter on this page depend on the subscription provided by your service provider. that timeslot-16 cannot be used as a data channel. See...
Clock to On; otherwise, set it to Off. Internal clocking for E1 is fixed at 2.048 Mbits/sec. To configure slower speeds, you must configure fractional E1 on the Advanced E1 CSU/DSU Options page. ser-s2p1.
This value must be identical to the keepalive value configured on the system at the other end of a point-to-point link, or the link state fluctuates. 11. Click DTE or DCE in the Interface Type field.
21. Enter the IP address of the remote end of the PVC in the Remote Address text box. Click Apply. 22. (Optional) Change the interface’s logical name to a more meaningful one by typing the preferred name in the Logical name text box.
These messages are used periodically to test for an active remote system. Note This value must be identical to the keepalive value configured on the system at the other end of a point-to-point link, or the link state fluctuates. ser-s2p1.
7. Enter a number in the Keepalive text box to configure the PPP keepalive interval. Click Apply. This value sets the interval, in seconds, between keepalive protocol message transmissions. These messages are used periodically to test for an active remote system. ser-s2p1.
2. Click the physical interface link to configure in the Physical column. Example: ser-s2p1 3. (Optional) Click On or Off in the Physical configuration table Internal Clock field to set the internal clock on the HSSI device. Click Apply.
A new logical interface appears in the Interface column. The DLCI number appears as the channel number in the logical interface name. The new interface is on by default. 13. (Optional) Enter another DLCI number in the DLCI text box to configure another frame relay PVC.
IP packet. Thus, for a router to have an unnumbered interface, it must have at least one IP address assigned to it. The Nokia implementation of Unnumbered Interfaces supports OSPF (Open Shortest Path First) and Static Routes only. Virtual links are not supported.
To change an unnumbered interface to a numbered interface 1. Click Interfaces under Configuration > Interface Configuration in the tree view. 2. Click the logical interface link to configure in the Logical column. Example: atm s3p1c1.
Select the unnumbered logical interface to use as a next-hop gateway to the destination network. 8. Click Apply, and then click Save to make your change permanent. for the interface.
The following graphic shows a network configuration that uses both virtual links and an unnumbered serial link. Nokia Platform A has two OSPF areas configured (Area 1 and Area 3), but it is not physically connected to the Backbone area. Thus, a virtual link is configured between Nokia Platform A and Nokia Platform C.
Both Nokia Platform B and Nokia Platform C are configured with IP addresses (10.10.10.2 and 101.10.10.1 respectively). The interfaces that comprise the virtual link between Nokia Platform A and Nokia Platform C are both configured as unnumbered. This link will fail because OSPF does not support a virtual link that uses an unnumbered interface on either end of the link.
3. Enter a number in the Keepalive text box to configure the PPP keepalive interval. Click Apply. This value sets the interval, in seconds, between keepalive protocol message transmissions. These messages are used periodically to test for an active remote system. ser-s2p1.
IP address of the remote end of the connection in the Remote address text box. Click Apply. This adds the new IP address pair. 5. Click Save to make your changes permanent. ser-s2p1.
7. Enter the IP address for the local end of the PVC in the Local address text box. 8. Enter the IP address of the remote end of the PVC in the Remote address text box. Click Apply. ser-s2p1. ser-s2p1.
2. Click the physical interface link to change in the Physical column. Example: 3. Change DTE or DCE in the Interface type field. Click Apply. 4. Click Save to make your changes permanent. ser-s2p1 ser-s2p2.
3. Find the logical interface you wish to remove and click the corresponding Delete button in the Logical Interfaces table. Click Apply. This removes the logical interface from the list. 4. To make your changes permanent, click Save. ser-s2p2...
Each time you click Apply, the configured IP address appears in the table. The entry fields remain blank to allow you to add more IP addresses. 5. Click Save to make your changes permanent.
The remote endpoint must not be one of the system’s interface addresses and must be the local endpoint configured for the GRE tunnel at the remote router. 10. Bind the tunnel to the outgoing interface: tun0c1.
3. (Optional) Enter the IP address of the local end of the GRE tunnel in the Local address text box. The local address cannot be one of the system’s interface addresses and must be the remote address configured for the GRE tunnel at the remote router.
4. (Optional) If you selected custom value from the TOS value drop-down window, enter a value in the range of 0-255. Click Apply. 5. Click Save to make your changes permanent. tun0c1.
By default, the TOS bits are copied from the inner IP header to the encapsulating IP header. If the desired TOS value is not displayed in the drop-down window, select Custom Value from the menu. Internet 192.68.26.65/30 10.0.0.1 VPN Tunnel 192.68.22.0/24...
In our example, we configure two-way tunnels between IP Units 1 and 2, and IP Units 3 and 4. Since the steps required to configure a HA GRE tunnel are addressed in the appropriate sections...
This example requires repeating steps 7 through 10 of the GRE Tunnel example four times as follows: a. Configuring from IP Unit 1 to IP Unit 2: Enter 10.0.0.1 Enter 10.0.0.2 Remote PCs Site A 192.168.0.1 Nokia 170.0.0.1 10.0.0.1...
186. Use the following values to configure with 192.168.0.1 with 192.168.1.1 with 192.168.0.2 with 192.168.1.2 “Configuring OSPF as a backup 192.168.0.2 as a backup 192.168.1.2 as a backup 192.168.0.1 as a backup...
Logical name text box. Click Apply. 9. (Optional) Add a comment to further define the logical interface's function in the Comments text box. Click Apply. 10. To make your changes permanent, click Save.
Provider (ISP). This ISP provides a multicast traffic tunnel. Multicast traffic uses the address space above 224.0.0.0 and below 238.0.0.0. Multicast traffic is different from unicast (point-to-point) traffic in that it is one-to-many traffic forwarded by routers.
22.1/24 In the preceding example, a DVMRP tunnel originates from the ISP at 22.254/24. This tunnel has a present endpoint of 22.1/24. A DVMRP tunnel set up on Nokia Platform A points to 22.254/24. 1. Initiate a Network Voyager session to Nokia Platform A. In this example, we use Nokia Platform A as the starting point.
The range of the Keep Time value is 60 to 86400 seconds with a default of 14400 seconds (4 hours). 3. Enter the retry limit in the Retry Limit field in the Global ARP Settings section. g Configuration page by first completing “Configuring DVMRP”).
4. (Optional) If User-Defined MAC Address was selected, enter the MAC address corresponding to the IP address in the MAC Address text box in the Proxy ARP Entries table. Click Apply. 5. Click Save to make your changes permanent.
Timeout specifies an InATMARP request retransmission interval in seconds. Network Voyager enforces that the timeout must be less than a third of Keep Time. The range of the Timeout value is 1 to 300 with a default value of five seconds.
To view and delete dynamic ATM ARP entries 1. Click Interfaces under Configuration > Interface Configuration in the tree view. 2. Click the logical ATM interface to configure in the Logical column.
Interfaces configured for transparent mode do not pass non-IP traffic. In fact, all non-IP traffic is simply dropped at the Ethernet input layer before it reaches the transparent mode layer which only registers to receive IP traffic.
IP address to determine whether the packet destination is local after the packet returns from the firewall’s ingress filtering. If the packet's destination is local, the packet is delivered to the IP layer for local processing.
In this example, the network administrator of Network A wants to provide Network B with access to certain addresses behind the Nokia Platform with Firewall, which is in transparent mode.
IP address from the ISP, IP 1.5.4.0/24. Nokia’s transparent mode solution provides firewall protection for the LAN without having to obtain new IP addresses or reconfigure addresses on the LAN. Packet traffic continues to run at Layer 2, rather than at Layer 3 with a conventional firewall solution.
You configure transparent mode by first creating a transparent mode group and then adding interfaces to the group. When interfaces are in the same transparent mode group, then they are logically in the same subnet. A transparent mode group is disabled until you enable it.
If you get the topology and your changes to interfaces are not shown, you can stop and restart the firewall to view your changes.
2. Select Yes or No in the Enable column associated with the transparent mode group you want to enable or disable. 3. Click Apply. 4. Click Save to make your changes permanent.
When you use the Check Point NGX SmartDashboard to configure the Gateway Cluster properties of a VRRP pair that uses IPSO transparent mode, you must follow this procedure.
Unnumbered VTIs Nokia IPSO supports only unnumbered VTIs. Local and remote IP addresses are not configured; instead, the interface is associated with a proxy interface from which it inherits an IP address. Traffic that is initiated by the gateway and routed through the VTI will have the proxy interface IP address as the source IP address.
VTIs appear in Nokia Network Voyager as unnumbered interfaces and are given logical names in the form tun0cn. You configure static or dynamic routes on VTIs the same way you configure them on other unnumbered interfaces. The dynamic routing protocols supported on VTIs are BGP4 and OSPFv2.
You must configure an empty VPN domain as described in the community” 2. Create the virtual tunnel interface on each gateway, using either Nokia Network Voyager or the Check Point vpn shell. The procedure how to do so using Nokia Network Voyager.
VPN domain is to create an empty VPN domain group. 3. Create a VPN community and add both gateways to that community. 4. Create a security policy rule and install the policy on both gateways.
Check Point software about the status of the VPN tunnel. Note Both the Description and Status fields are read-only fields. Do not edit them. Once created, a VTI is always up unless you administratively set it down.
Dynamic Host Configuration Protocol (DHCP) for Nokia IPSO provides complete DHCP client and DHCP server capabilities for your Nokia appliance. DHCP gives you the ability to provide network configuration parameters, through a server, to clients which need the parameters to operate on a network.
The Ethernet interface must be enabled before you enable the client. For more information on how to configure Ethernet interfaces see “Ethernet Interfaces”. 4. Enter a host name in the Host Name text box. 5. Click Apply.
TFTP text box. 11. (Optional) Enter the file name where diskless clients will find the boot file in the File Name text box.
DHCP Server Configuration To enable the DHCP server process 1. Click DHCP under Configuration > System Configuration in the tree view. 2. Click Server in the DHCP Service Selection box. 3. Click Apply.
3. Enter the range of IP addresses the server will assign to clients in the Start and End text boxes respectively in the New Pool field.
5. Enter the IP address you want to assign the client in the IP Address text box. 6. (Optional) Enter the Trivial File Transfer Protocol (TFTP) server clients will use in the TFTP text box.
This procedure describes how to create a template for subnet and fixed-ip entries. After creating a template, you will have the ability to configure server and clients quickly and with fewer errors
14. If you configure NetBIOS, enter the node type that the client will identify itself as in the Node Type text box. 15. If you configure NetBIOS, enter the scope for the client in the Scope text box. 16. Click Apply. 17. Click Save to make your changes permanent.
7. (Optional) Enter the IP address of the secondary DNS server in the Secondary text box. 8. Click Apply. 9. Click Save to make your changes permanent. To add more zones, complete steps 4 through 9 for each new zone.
7. Click Save to make your changes permanent. Configuring Disk Mirroring The Nokia disk mirroring feature (RAID Level 1) protects against downtime in the event of a hard-disk drive failure in your appliance (for platforms that support the feature). You must have a second hard disk drive installed on your appliance.
If you remove a PC card that contains log files and want to permanently store the data, insert the card into a PC or other computer and save the data to that system before reinserting the card into a Nokia flash-based platform. Note Use only PC card flash memory that is supported for your platform.
IPSO supports the following mail relay features: Presence of a mail client or Mail User Agent (MUA) that can be used interactively or from a script
3. Enter the username on the mail server to which mail addressed to admin or monitor is sent in the Remote User text box; then click Apply. 4. Click Save to make your changes permanent.
If you have not enabled NTP, you can set the system time once from a time server. For information on configuring NTP to update the time on a regular basis, see “Network Time Protocol (NTP)” on page 475.
The new hostname appears in the list of Current Host Address Assignments. 4. Enter the IP address of the new host in the IP address text box. 5. Click Apply. 6. Click Save to make your changes permanent.
Any log messages sent to remote devices are also stored in the local log directories. You can use this feature, for example, to send log messages to a device that is configured for more secure
If you decide to use PC card flash memory, you must install and configure it before you set up the system logging. (For information about installing a flash memory card, see “To install and configure PC card flash memory” on page 156.)
Flash-based systems can hold 512 log messages in a specific memory buffer. Use this configuration option to control when the messages are saved to the remote server and the buffer is cleared. For example, assume that the threshold percentage is 50 percent. When
For Network Voyager configuration pages that do not include Apply and Save buttons, such as image.tcl, the log records the relevant action, such as clicking Reboot.
You must enter a destination file name to view log messages in the Management Activity Log. The default destination file logs messages in the standard system log file. To access the Management Activity Log page, click Monitor on the Home page in Network Voyager and then
Note This feature does not apply to Nokia IPSO kernel core files. To transfer these files to a remote system, you must use the command savecore -r ftp://user:passwd@host-ip-address/directory/ Flash-based systems store kernel core files on the internal compact flash memory card and can store a maximum of two at a time.
The current configuration is saved in the new file, and the file appears in the list of database files on this page. Subsequent configuration changes are saved in the new file. To create a new configuration database file that contains only the factory default configuration settings, use the following procedure.
3. Enter the name of the command you want the cron daemon to execute in the Command name text box. The command can be any UNIX command.
You can perform manual backups of files or you can configure your system to run regularly scheduled backups, as described in You can also use Nokia Network Voyager to manage your backup files, including the following tasks: Restore from locally stored files. See Transfer backup files to, and restore them from, a remote server.
(/var/cron) etc (/var/etc) IPSec files (/var/etc/IPSec) Note Export versions of Nokia IPSO do not include IPSec files. You can also choose to include the following in your backup file: User home directories (stored in /var/emhome) Log files (stored in /var/logs) To create a backup file manually 1.
Network Voyager. When you transfer backup files to a remote server, they are removed from the system. Configuring Automatic Transfers To configure the system to automatically transfer backup files to a remote server on an hourly basis, use the following procedure.
Nokia recommends that you use FTP unless you are sure that your TFTP server accepts writes to files that do not already exist on the server.
Directory in which to save the backup file. Enter the name of the user account for connecting to the FTP server. Enter the name of the password to use when connecting to the FTP server.
To prevent this problem, delete old images before you install a new image so that you do not have more than three or so images on your system.
1. Click Upgrade Images under Configuration > System Configuration > Images in the tree view. 2. Enter the following information in the appropriate text boxes. a. URL or IP address of the FTP, HTTP, or file server on which the Nokia IPSO image is installed. Note If you enter a URL, the system must be configured to use a valid DNS server.
(Optional) If the HTTP site on which the Nokia IPSO image is stored requires authentication, enter the HTTP realm to which authentication is needed. c. (Optional) If the server on which the Nokia IPSO image is stored requires authentication, enter the user name and password.
Upgrading Nokia IPSO Images for a Cluster You can use Cluster Voyager to upgrade the Nokia IPSO image on all the cluster nodes. After you see that the new image is successfully installed on all of the nodes, you need to reboot them so that they will run the new image.
Rate Shaping Bandwidth, Interface Throughput, Interface Link State, CPU Utilization, Memory Utilization. For more information about these reports, see “Generating Monitor Reports” on page 482.
Range: 24 - 167 hours Default: 24 hours Note: On flash-based systems, Nokia recommends that you set this option to 24 hours (the default value) to avoid exhausting the available storage space.
5. Select a package to download from the Site Listing field. 6. Click Apply. The selected package is downloaded to the local Nokia IPSO system. After the download is complete, the package appears in the Unpack New Packages field. 7. Select the package in the Unpack New Packages field, then click Apply.
For example, if you set this value to 512 and a remote system advertises 1024, this system sends packets with a TCP segment size of 512. It is only relevant to Check Point security servers or similar products that require the Nokia appliance to terminate the connection.
You can use this feature to specify whether IPSO should strip the router alert IP option before passing packets to the firewall. (The router alert IP option is commonly enabled in IGMP packets.)
Virtual Router Redundancy Protocol (VRRP) provides dynamic failover of IP addresses from one router to another in the event of failure. VRRP is defined in RFC 3768. The Nokia implementation of VRRP includes all of the features described in RFC 3768, plus the additional feature of monitored circuit, described below.
Nokia provides support for OSPF, BGP, RIP, and PIM (both sparse and dense mode) to advertise the virtual IP address of the VRRP virtual router. You must use monitored-circuit VRRP, not VRRPv2, to configure virtual IP support for a dynamic routing protocol. You must also enable the Accept Connections to VRRP IPs option.
If one platform fails, the other takes over its VRID and IP addresses and provides uninterrupted service to both default IP addresses. This configuration provides both load balancing and full redundancy.
VRID. To release the priority, IPSO subtracts the priority delta, a Nokia-specific parameter that you configure when you set up the VRID, from the priority to calculate an effective priority. If you configured your system correctly, the effective priority is lower than that of the backup routers and, therefore, the VRRP election protocol is triggered to select a new master.
The range of values for priority is 1 to 254. The default setting is 100. Note In Nokia’s monitored-circuit VRRP, the master is defined as the router with the highest priority setting, although RFC 3768 specifies that the master must have a priority setting of 255.
VRRP packets on the LAN. However, when combined with the TTL check used by VRRP (TTL is set to 255 and is checked on receipt), simple authentication makes it unlikely that a VRRP packet from another LAN will disrupt VRRP operation.
The backup address parameter is added to standard VRRP for use with Nokia’s monitored-circuit VRRP. It does not apply to VRRPv2. The backup address must be in the same network as the interface you want to use for the VRID.
IP addresses for the master and backup. This is expected behavior since both the master and backup routers are temporarily using the same virtual IP address until they resolve into master and backup.
This option allows VRRP to monitor Firewall State. This replaces cold-start delay of previous releases. Nokia recommends that you do not disable the Monitor Firewall State option when running a firewall on a security platform. If you change the setting for Monitor Firewall State from enabled (the default) to disabled, VRRP negotiation for master state might start before the firewall is completely started.
Choose a value that will ensure that when an interface fails, the priority delta subtracted from the priority results in an effective priority that is lower than that of all of the backup routers. Nokia recommends you use a standard priority delta, such as 10, to simplify your configuration. For more information, see Hello Interval Range is 1 to 255;...
6. Click Apply. 7. Additional fields are displayed showing the configuration parameters. Enter values into these fields. For more information see
In addition to the configuration parameters used with the simplified configuration method (see Table 9 on page 191), Table 10 shows the additional parameters you can set when using the full configuration method.
3. In the row for the interface you want to configure, select the Monitored Circuit radio button. 4. Click Apply. The Create Virtual Router text box appears. Preempt mode is enabled by default.
4. Click Apply. 5. Click Save to make your changes permanent. Configuring VRRPv2 Use VRRPv2 rather than Nokia’s monitored-circuit VRRP only if you do not have an extra IP address to use for monitored-circuit VRRP. Note You must use monitored-circuit VRRP when configuring virtual IP support for any dynamic routing protocol.
That is, make sure each system is completely configured and the firewall has begun synchronization before putting the VRRP group in service. Following this process ensures that all connections are properly synchronized.
If you use different encryption accelerator cards in two appliances that are part of a VRRP group or an IP cluster (such as the Nokia Encrypt Card in one appliance and the older Nokia Encryption Accelerator Card in another appliance), you should select encryption/authentication algorithms that are supported on both cards.
For information about how to configure VRRP rules for Check Point FireWall-1 4.1, contact the Nokia Technical Assistance Center (TAC). Configuration Rule for Check Point NGX FP1 Locate the following rule above the Stealth Rule:
Node Host object with the IP address 224.0.0.18. “Configuration Rule for Check Point NGX FP1” are applicable for any multicast destination.
If you configure two IP2250 appliances in a VRRP pair and run VPN-1/FireWall-1 on them, Nokia recommends that you create a 200 mbps logical link between them and configure VPN-1 NGX to use this network for firewall synchronization traffic. If you use a single 100 mbps connection for synchronization, connection information might not be properly synchronized if the appliance is handling a large number of connections.
Bad Advertise Interval Received—Number of VRRP packets received and discarded due to misconfigured advertisement interval. Authentication Mismatch—Number of VRRP packets received and discarded due to misconfigured authentication type. Authentication Failure—Number of VRRP packets received and discarded due to authentication failure.
4. Click Save to make your changes permanent. Troubleshooting VRRP This section lists common problems with VRRP configurations. Please consult this section before contacting Customer Support. For information about contacting Nokia Customer Support, go to https://support.nokia.com/ You can log information about errors and events to troubleshoot VRRP by enabling traces for VRRP.
If you use different encryption accelerator cards in two appliances that are part of a VRRP group or an IP cluster, such as the Nokia Encrypt Card in one appliance and the older Nokia Encryption Accelerator Card in another appliance, you must select encryption algorithms for each card that are supported on both cards.
VRID that is the same as the other, the system can fail. Duplicate VRIDs create duplicate MAC addresses, which will probably confuse the switch.
Do not combine an IP2250 with any other model in an IP cluster. That is, the other platform must also be an IP2250. See “Clustering IP2250 Platforms” for more information about this and other details that are specific to the IP2250.
Note Nokia recommends that the primary cluster protocol network be dedicated to this purpose (as shown here). The ideal configuration is to physically separate the cluster protocol network from the production networks. This configuration is preferable to using separate VLANs on one switch to separate them.
Cluster administrator: When you log into a Nokia appliance as a user that has been assigned a cluster role, you log in as a cluster administrator. The default cluster administrator user name is cadmin. When you create a cluster you must specify a password, and that password is the
If it is the master, one of the remaining nodes becomes the new master. These interfaces should be internal, and Nokia also recommends that you use a dedicated network for the primary cluster protocol network. The ideal configuration is to physically separate the primary cluster protocol networks from the production networks (connect them
Clustering Modes IPSO clusters have three modes of operation. Nokia provides this choice so that IPSO clusters can work in any network environment. All cluster nodes must use the same mode. Note If you use PIM, you must use multicast mode or multicast mode with IGMP as the cluster mode.
Otherwise, the master processes the packet itself. Use forwarding mode if the routers and switches on either side of the cluster do not support multicast MAC addresses.
You must configure a cluster IP address as a local address. Nokia recommends that you configure BGP so that peer traffic does not run on the cluster protocol interfaces.
Do not directly connect the cluster protocol interfaces using a crossover cable. For performance purposes, Nokia recommends that you do not use hubs to connect a cluster to user data networks. If possible, use switches for these connections. (If you need to troubleshoot a cluster that uses a multicast mode, you might want to temporarily replace switches with hubs to simplify your configuration.)
You should not configure more than two IP2250 appliances in a cluster. Nokia recommends that you aggregate two of the built-in 10/100 Ethernet management ports to create a 200 mbps logical link and configure NGX to use this network for firewall synchronization traffic.
This section explains how to create and configure an IPSO cluster. It includes information about upgrading from IPSO 3.6 if you have created clusters with 3.6 and also explains how to add nodes to a cluster.
Upgrading from IPSO 3.7 or Later If you want to upgrade a cluster from IPSO 3.7 or later to a later version of IPSO, Nokia recommends that you use Cluster Voyager to upgrade the IPSO image on all the cluster nodes.
Cluster Voyager or the CCLI. 4. Enter the password for 5. Click Apply. The page displays fields for changing the change this password in the future. user on each of the nodes. cadmin password. cadmin cadmin again (for verification).
You must also configure the NGX to work with the IPSO cluster. Use the Check Point client application to add a gateway object for the Nokia appliance. You also must create a gateway cluster object and add the gateway object to it. Refer to the Check Point documentation and “Configuring NGX for Clustering”...
Setting the work assignment to static prevents the cluster from moving active connections between nodes. It does not ensure stickiness or connection symmetry. You must use static work assignment if you use any of the following NGX features: Floodgate-1.
(not a primary or secondary cluster interface). The other interface must be the primary interface. Note Nokia recommends that you select another interface as a secondary cluster protocol interface. Remember that the primary and secondary cluster protocol networks should not carry any production traffic.
2. If you want to support non-Check Point gateways, enter the appropriate tunnel and mask information, as explained in “Configuring VPN Tunnels.” 3. If you want to support IP pools, follow the instructions in Voyager.”
IPSO clusters support the use of IP pools (address ranges), which are useful for solving certain routing problems. For example, you might want to use an IPSO cluster (and NGX) to create a for an example of configuring a
IP pool networks with the internal cluster IP address (192.168.1.10) as the gateway address. Do not use the real IP addresses of the internal
(for example, if it is rebooted). It can also occur in forwarding mode if you manually adjust the performance rating or if a system with a higher rating joins the cluster. “Configuring the Performance Rating” for more information.
If the system that is joining the cluster already has static routes configured, they are retained. The routes copied as a result of the joining process are added to the list of static routes. Note Beginning with IPSO 4.0, Monitor Report Configuration and System Logging are no longer sharable features. What if Settings Conflict? If there is a conflict between configuration settings on the existing node and the joining system, the settings on the joining system are changed to those of the master node.
The changes may be overwritten by cluster configuration. This message alerts you that settings for this feature can be changed by a cluster administrator. “Managing Configuration Sets” for information about saving and loading you cannot conveniently make features sharable
You receive error messages if the node does not meet these requirements. Adding a Node to a Cluster It is very easy to add Nokia appliances to an existing cluster. There are two methods you can use: Joining (automatic configuration). This is the recommended method because:...
This should only be done in a test environment. Recommended Procedure Nokia recommends that you follow this general procedure when building a cluster: 1. Fully configure the first cluster node and make sure that all the appropriate features are cluster sharable.
If the node does not successfully join the cluster, you see a message indicating why. Correct the problem and attempt the join again. Managing a Cluster You can choose between two different approaches to making configuration changes on cluster nodes:
Using Cluster Voyager You can perform the tasks explained in this section using Cluster Voyager or Voyager. Nokia recommends that you use Cluster Voyager whenever possible. Doing so facilitates configuration tasks and helps ensure that your cluster is configured consistently and correctly.
That is, if you create a cluster administrator user on node A but not on node B, you cannot log into node B as this user. However, any changes that you make to node A using
The default performance rating for a system reflects its performance relative to that of other Nokia platforms. You can adjust the performance rating to change the amount of work a system is assigned relative to other members. If a cluster uses forwarding mode, you can adjust the on page 293 for more information about creating and
The original routes are unchanged.
If you want to upgrade a cluster from IPSO 3.7 or later to a later version of IPSO (or revert to the earlier version), Nokia recommends that you use Cluster Voyager to change the IPSO image on all the cluster nodes. To download and install an image in a cluster, follow these steps: 1.
Note: The originating node is the node that you are logged into. It might not be the cluster master.
“Rebooting a Cluster”). If you manually...
1. On the Clustering Setup Configuration page, change the cluster state to down.
2. Click Apply. The node leaves the cluster, but the cluster configuration information is saved.
3. To rejoin the node to the cluster, simply click Join.
1. Log into Cluster Voyager.
2. Under System Configuration, click Local Time Setup.
3. Select the appropriate time zone.
4. Click Apply. All the cluster nodes are now set to the time zone you specified.
The instructions provided in the following sections assume that you are using Cluster Voyager.
Note: Nokia recommends that you keep NTP as a cluster sharable feature (the default setting) so that if a node leaves and rejoins the cluster it will automatically obtain the proper NTP settings.
Set the gateway cluster object address to the external cluster IP address (that is, the cluster IP address of the interface facing the Internet). Add a gateway object for each Nokia appliance to the gateway cluster object. In the General Properties dialog box for the gateway cluster object, do not check ClusterXL.
(not recommended), or a dedicated network (avoid using a production network for firewall synchronization). If you use a cluster protocol network for firewall synchronization, Nokia recommends that you use the secondary cluster protocol network for this purpose.
To enable sequence validation in the Check Point management application and IPSO, follow these steps:
a. On the main Configuration page in Nokia Network Voyager, click Advanced System Tuning (in the System Configuration section).
b. On the Advanced System Tuning page, click the button to enable sequence validation.
This example assumes that you have not enabled Firewall-1 before configuring the cluster.
14. Make sure that are selected to be shared across the cluster.
15. Change the cluster state to On.
16. Click Apply.
“Clustering Modes” for more information about this feature.
192.168.1.10 (the internal cluster IP address) as the gateway address. On the external router, configure a static route for 192.168.1.0 (the internal network) using the cluster IP 192.168.2.10 (the external cluster IP address) as the gateway address.
[Figure: clustering example with a non-Check Point VPN gateway. Labels: synchronization network; router; VPN tunnel; Internet; tunnel endpoint 10.1.2.5; non-Check Point VPN gateway; primary cluster protocol network 192.168.3.0; cluster IP 192.168.3.10; 192.168.1.10; interfaces eth-s1p1, eth-s3p1, eth-s4p1; Firewall C.]
“Configuring the Cluster in Voyager.”
6. In the Tunnel End Point field, enter 10.1.2.5.
7. Click Apply.
8. Click Save.
9. Configure the same tunnel in NGX. For more information, see “Configuring NGX for Clustering” and the Check Point documentation.
Configuring SNMP
This chapter describes the Nokia IPSO implementation of Simple Network Management Protocol (SNMP) and how to configure it on your system.
SNMP Overview
The Simple Network Management Protocol (SNMP) is the Internet standard protocol used to exchange management information between network devices. SNMP works by sending messages, called protocol data units (PDUs), to different parts of a network.
RFC 2572: Provides message processing and dispatching.
RFC 2574: Provides management information definitions for SNMP User-based Security Model
RFC 1907: Defines SNMPv2 entities. Note: The warmStart trap is not supported.
RFC 2578
Contains hardware management information. Note: IPSO does not send the traps that this MIB supports when the Nokia platform is used as an IP security device.
proprietary
proprietary Note: IPSO does not send traps that this MIB supports when the Nokia platform is used as an IP security device.
MIBs, see the /etc/snmp/mibs directory.
Note: The SNMPv2-CONF MIB resides in the /etc/snmp/mibs/unsupported directory.
The SNMP agent implemented in Nokia IPSO enables an SNMP manager to monitor the device and to modify the sysName, sysContact and sysLocation objects only.
Note: You must configure an SNMP string first to configure sysContact and sysLocation.
You must run the cpsnmp_start script to make sure that CP-SNMPd is running on Check Point versions NG FP1, FP2, and FP3. You do this by first enabling the IPSO SNMPd from Nokia Network Voyager and then enabling the CP-SNMPd by using /bin/cpsnmp_start on the command line.
5. If you selected v1/v2/v3, enter a new read-only community string under Community Strings. This is a basic security precaution that you should always take.
You can use the IP address of any existing and valid interface.
3. Click Apply. The IP address and a corresponding Delete check box appear.
4. Click Save to make your change permanent.
“Setting an Agent Address” “Configuring Traps” on page 256.
The linkUp and linkDown traps are associated with the ifIndex, ifAdminStatus, and ifOperStatus objects. Table 12 lists the types of SNMPv1 and SNMPv2 traps which IPSO supports.
Note: The Nokia implementation of SNMPv3 does not yet support SNMPv3 traps.
Table 12 Types of SNMP Traps
Type of Trap: coldStart, linkUp/linkDown...
Description
Supplies notification when a port is added to a link aggregation group.
Supplies notification when a port is removed from a link aggregation group.
Supplies notification when an SNMP operation is not properly authenticated.
Supplies notification when the status of the SNMP daemon is changed, either turned off or turned on.
“Enabling or Disabling Trap Types” on page 260.
“Configuring Trap Receivers” on page 259.
“Setting the Trap PDU Agent...
If you do not configure an agent address for traps, the system identifies the trap agent address as 0.0.0.0 in SNMP traps (in accordance with RFC 2089). (For releases of Nokia IPSO previous to 3.7, the default was to use the IP address of the first valid interface.) To set the trap PDU agent address 1.
The following table lists the error status codes and their corresponding meanings.
Table columns: Error status code, Meaning.
Meanings listed: noError, tooBig, NoSuchName, BadValue, ReadOnly, genError, noAccess, wrongType, wrongLength, wrongValue, noCreation, inconsistentValue, resourceUnavailable, commitFailed, undoFailed, authorizationError, notWritable, inconsistentName...
The following table lists possible value field sets in the response PDU or error-status messages when performing a GetRequest.
Value Field Set: noSuchObject, noSuchInstance
Error status code: wrongEncoding
Description
Value associated with each object instance; specified in a PDU request.
SNMP message payloads). The system uses the MD5 hashing algorithm to provide authentication and integrity protection and DES to provide encryption (privacy). Nokia recommends that you use both authentication
Description
If the processing of a variable fails for any other reason, the responding entity returns genErr and a value in the error-index field that is the index of the problem object in the variable-bindings field.
SNMP manager requests. The IPSO system responds accordingly.
Note: Nokia systems do not protect traps with authentication or encryption.
Request Messages
You must configure your SNMP manager to specify the security you want. If you are using a...
Enter a pass phrase that is between 8 and 128 characters in length.
4. Click Apply. An entry for the new user appears in the SNMP USM Users table.
5. Click Save to make your changes permanent.
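The pass phrase entered above is not itself the key that protects SNMPv3 messages. The following sketch is an added example, not taken from the Nokia guide: it runs the password-to-key derivation defined for the User-based Security Model (RFC 2574, later replaced by RFC 3414) with MD5. That IPSO follows this standard derivation is an assumption, and the pass phrase and engine ID are the RFC's published test values, not IPSO values.

```python
import hashlib

MIN_LEN, MAX_LEN = 8, 128      # pass phrase limits stated in the procedure above
EXPANDED_LEN = 1_048_576       # USM stretches the pass phrase to 1 MiB before hashing


def usm_md5_master_key(passphrase: str) -> bytes:
    """Return Ku: MD5 over the pass phrase repeated out to exactly 1 MiB."""
    pw = passphrase.encode("utf-8")
    if not MIN_LEN <= len(pw) <= MAX_LEN:
        raise ValueError("pass phrase must be between 8 and 128 characters")
    repeats = EXPANDED_LEN // len(pw) + 1
    return hashlib.md5((pw * repeats)[:EXPANDED_LEN]).digest()


def usm_md5_localized_key(passphrase: str, engine_id: bytes) -> bytes:
    """Return Kul: the master key bound to one agent's snmpEngineID."""
    ku = usm_md5_master_key(passphrase)
    return hashlib.md5(ku + engine_id + ku).digest()


def split_des_privacy_key(localized_key: bytes):
    """Split a 16-byte localized key the way USM DES privacy uses it:
    the first 8 bytes are the DES key, the last 8 bytes are the pre-IV."""
    if len(localized_key) != 16:
        raise ValueError("expected a 16-byte localized key")
    return localized_key[:8], localized_key[8:]


# Test values published with the USM specification (not IPSO values).
RFC_PASSPHRASE = "maplesyrup"
RFC_ENGINE_ID = bytes.fromhex("000000000000000000000002")
# A second engine ID, constructed for this example.
OTHER_ENGINE_ID = bytes.fromhex("000000000000000000000003")

if __name__ == "__main__":
    for engine_id in (RFC_ENGINE_ID, OTHER_ENGINE_ID):
        key = usm_md5_localized_key(RFC_PASSPHRASE, engine_id)
        des_key, pre_iv = split_des_privacy_key(key)
        print(engine_id.hex(), key.hex(), des_key.hex(), pre_iv.hex())
```

Because the key is localized per engine ID, the same pass phrase yields a different key on each agent, so a key recovered from one device does not directly authenticate to another.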
2. Click Manage USM Users at the bottom of the page. The Manage SNMP Users page appears.
3. Select the appropriate Delete check box.
4. Click Apply.
5. Click Save to make your changes permanent.
Configuring IPv6
This chapter describes the IPv6 features supported by Nokia IPSO and how to configure them on your system.
IPv6 Overview
IPv6 is the next generation IP protocol and is expected to replace IPv4, the current IP protocol. The Internet Engineering Task Force (IETF) formally began to work on the new protocol in 1994.
6. Click Up at the top of the page to take you back to the IPv6 Logical Interfaces page.
7. To enable the IPv6 address, click On in the IPv6 Active field.
8. Click Apply.
9. Click Save to make your change permanent.
eth-s1p1c0...
This value represents the number of times to retry Multicast Neighbor Discovery requests.
5. In the Global Neighbor Discovery Settings field, enter the value for the duplicate address detection retry limit in the Duplicate Address Detection Retry Limit text box. This value
eth-s1p1c0...
6. (Optional) Enter a value in the Time to Live text box for the Time to Live (TTL) packets sent on the tunnel.
7. Click Apply.
8. Click Save to make your changes permanent.
4. Enter the IPv4 address of the local interface in the Local IPv4 Address text box.
Note: This address must be the address of another interface configured for the router.
5. (Optional) Enter a value in the for the Time to Live (TTL) packets sent.
5. Select the interface that the route will use to reach the gateway in the Interface field.
Note: This interface must be specified only if the gateway is a link local address.
2. Enter the IPv6 prefix for the new aggregate route in the Prefix for New Aggregate text box.
3. Enter the mask length (number of bits) in the Mask Length text box.
4. Click Apply.
“OSPF” on page 353.
Aggregates into RIPng field.
3. Enter a value in the Metric text box for the metric cost that the created RIPng routes will have.
4. Click Apply.
5. Click Save to make your changes permanent.
Nokia implements only the ICMPv6 router discovery server portion, which means that the Nokia platform can advertise itself as a candidate default router, but it will not adopt a default router using the router discovery protocol.
12. (Optional) Enter a value in the Cur Hop Limit text box for the router advertisement packets hop limit field.
13. (Optional) To specify that the IPv6 prefix can be used for on-link determination, click Yes in the Onlink Flag field.
“Configuring VRRP for...
VRRP for IPv6
Configuring VRRP for IPv6
Beginning with IPSO 3.8.1, Nokia supports VRRP configuration for IPv6 interfaces. Nokia supports VRRP version 3, which is based on VRRP version 2 as defined for IPv4 in RFC 3768, and Monitored Circuit.
VRRP backup router takes over the IP address while the master is still active with that IP address. To configure the master router, see “Creating a Virtual Router for an IPv6 Interface Using VRRPv3.”
“Configuring ICMPv6 Router Discovery.”
VRRP master detects that the firewall is not ready to handle traffic or is not functioning properly, the master fails over to a backup system. If all the firewalls on all the systems in the VRRP group are not ready to forward traffic, no traffic will be forwarded.
To specify the virtual router ID for the virtual router to be used to back up the local interface address(es), enter a value of from 1 to 255 in the Create Virtual Router text box. Click Apply.
Removing a Virtual Router in VRRPv3
When you disable a virtual router, the VRRP operation terminates, and the configuration information no longer appears on the VRRP for IPV6 Configuration page in Network Voyager.
1 one-hundredth of a second, between VRRP advertisement transmissions. This value should be the same on all the routers with this virtual router
“Setting Interface Dependencies for a...
When an interface goes down, the priority delta value for that interface is subtracted from the base priority value of the virtual router,
“Setting a...
5. To make your changes permanent, click Save.
Traffic Management
Configuring traffic management features for IPv6 is essentially the same as for IPv4. See Chapter 10, “Configuring Traffic Management” for more information.
Configuration > Security and Access Configuration in the tree view.
2. Select Yes next to the types of access you want to allow for IPv6—FTP, Telnet, and TFTP.
3. Click Apply.
4. Click Save to make your changes permanent.
2. Enter your old password in the Old Password text box.
3. Enter your new password and enter it again in the Confirm New Password text box.
4. Click Apply.
5. Click Save to make your changes permanent.
Managing User Accounts
You can use Nokia Network Voyager to add users to your IPSO system, and to edit the user ID, group ID, home directory, and default shell for a user. You can also enter a new password for the user.
Groups page. Files and directories owned by the user are assigned the permissions of that user’s primary group. Range: 0-65535. Nokia recommends that you reserve 0 to 100 for system use, although this is not enforced. Numbers 0 and 10 are reserved for the predefined Wheel and Other groups respectively.
S/Key program running on a secure machine. After you enter these arguments and your S/Key secret key, the key program produces a password that you use to log in only once.
not all fields are
“Managing SNMP...
2. At the prompt, enter either admin or monitor as a user name.
3. The server returns an S/Key challenge, which is comprised of the S/Key sequence number and seed, for example, 95 ma74213.
Use groups for the following purposes:
Specify UNIX file permissions. By default all users are assigned to the Other group.
Use the Wheel group to control which users have root access to the system.
6. Click Save to make your changes permanent.
Role-Based Administration
When you add a new user, the user is given read-only privileges to the Nokia Network Voyager home page and CLI prompt but cannot access other Network Voyager pages or execute commands from the CLI prompt.
3. If you are adding a role, enter a name in the Role Name text box. The role name can be any combination of letters and numbers, but it must start with a letter. You cannot edit the name of an existing role.
To give a user permissions for various features, assign the role or roles that contain the feature permissions to the user. You can also specify whether a user can use Nokia Network Voyager and the CLI by assigning access mechanisms to the user from the Assign Roles to User page.
Note: If you assign the Clustering feature to a user with the role type System, that user can configure clustering on individual nodes but cannot use Cluster Voyager or the CCLI.
The chargen service sends data without regard to the input. The data sent is a repeating sequence of printable characters.
Description
Enable or disable FTP access to this appliance. You can use FTP access to obtain configuration files from the appliance.
When set to Yes, an incoming call on the modem is dropped after you log in, and the modem automatically calls the Dialback Number and connects a login process to the line.
Click Save to make your changes permanent.
Note: When you dial into a Nokia appliance that has an Ositech Five of Clubs III modem installed, be sure to set the connection rate to 9600 BPS. If you do not, the text you receive from the appliance will be unreadable.
step 7 of the preceding procedure.
Table columns: Code, Country.
Countries listed: Greece, Iceland, Italy, Luxembourg, Netherlands, Norway, Portugal, Spain, Sweden, Switzerland, United Kingdom, United States...
Configuring Basic Nokia Network Voyager Options
You can configure the following options for Nokia Network Voyager access:
Allow Network Voyager access (enabled by default)
Enable session management (enabled by default)
Specify a Network Voyager SSL/TLS port number
Require encryption
Note: Changes to some of these settings might make Network Voyager unusable.
IPSO uses the Secure Sockets Layer/Transport Layer Security (SSL/TLS) protocol to secure connections over the Internet from the Nokia Network Voyager client to the IPSO system. SSL/TLS, the industry standard for secure Web connections, gives you a secure way to connect to Network Voyager.
4. Perform a cut-and-paste operation on your private key to move it to the Associated private key field in the Install Certificate for SSL page. Be sure to include the lines -----BEGIN RSA PRIVATE KEY----- and -----END RSA PRIVATE KEY-----.
6. Click Submit.
Troubleshooting SSL/TLS Configuration
You might have trouble accessing Nokia Network Voyager if SSL/TLS is not configured correctly. If you have trouble accessing Network Voyager, try the following remedies.
Check that you are using the correct URL. When you enable SSL/TLS, you must use https rather than http when you connect through your Web browser, unless the Redirect HTTP Requests to HTTPS option is enabled.
You can authenticate SSH connections by using public keys (for RSA and DSA SSHv2), standard user and password information, rhosts files, and RSA keys (for SSHv1). You
“Configuring Secure Shell Authorized Keys”...
In all cases the default is Yes, except for rhost and rhost with RSA authentication. The rhost authentication is insecure and Nokia does not recommend using it.
7. Click Apply.
8. (Optional) In the Configure Server Protocol Details field, click the version of SSH to be used.
RSA keys (for SSHv1), or any combination of these methods. In all cases the default is Yes, except for rhost and rhost with RSA authentication. The rhost utility is insecure and Nokia does not recommend using it.
RSA/DSA key. One commonly used file name on your SSH client that is used for storing this information is id_dsa.pub documentation. . For SSHv2 implementations, you need to enter the identity.pub . For more information, consult your SSH client software
Default Value: 3600 seconds, 600 seconds...
Generate New RSA v1 Host Key drop-down list.
Note: The most secure value is 1024 bits. Values over 1024 bits cause problems for some clients, including those based on RSAREF.
3. Click Apply.
Generate New DSA Identity for user name.
8. Enter the passphrase in the Enter password field and then again to verify it.
9. Click Apply.
10. Click Save to make your changes permanent.
IPSO session management lets administrators prevent multiple users from making simultaneous configuration changes, whether they are using Nokia Network Voyager or the CLI. When you log in, you can acquire an exclusive configuration lock so that other users cannot make configuration changes to an appliance while you are logged into it.
2. In the Session Timeout text box, enter the time in seconds. The default is 20 minutes.
3. Click Submit.
“Obtaining a Configuration Lock” on page 25.
The steps for configuring each of these elements are described in the following subsections.
Note: You can add an Authorization, Accounting, or Session profile without using any of them in a Service Profile.
4. Click Apply.
5. Click Save to make your changes permanent.
Auth. Profile table; make sure that the name does not match any of the Names in the Auth. Profile table.
2. Select the item in the Type drop-down list that matches the service requirements.
ROOTOK pam_rootok_auth.so.1.0
SECURETTY pam_securetty_auth.so.1.0 Allows root logins only if the user is logging in on a secure
“Profile Controls.”
Description
Uses the local password database to authenticate the user, using a special algorithm specifically for the Apache Web server.
When the user enters the user name and password, this module is called to authenticate the user, which, in turn, verifies the user name and password from /etc/passwd and /etc/master.passwd files.
“Profile Controls.”)
“Accounting...
PERMIT pam_permit.so.1.0
UNIX pam_unix_sess.so.1.0
Description
Returns PAM_SUCCESS when invoked.
password is still valid. If the password is expired for some reason, this module logs in appropriate messages. This module also prompts for a password change if the password is going to expire soon.
The result is reported immediately
optional: A result of success is reported.
Creating a Service Module Example
In creating a new service, there are unique requirements for authentication, accounting and session management, as follows:
A host contacts a RADIUS server, which determines who has access to that service. Beginning with IPSO 3.5, Nokia provides RADIUS client support only.
4. Click the Control drop-down list and select required, requisite, sufficient, optional or NOKIA-SERVER-AUTH-SUFFICIENT to determine the level of authentication to apply to a profile. For more information, see
5. Click Apply, and then click Save to make your changes permanent.
For more information, see
3. Click Type and select TACPLUS from the drop-down list as the type of service.
4. Click Control and select required, requisite, sufficient, optional or NOKIA-SERVER-AUTH-SUFFICIENT from the drop-down list to determine the level of authentication to apply to a profile.
1. Click AAA under Configuration > Security and Access in the tree view.
2. In the Auth. Profile table, click the Servers link in the row for the RADIUS or TACACS+ authentication profile.
If the requirements for the service do not match any of the entries in the Auth. Profile, create a new Auth. Profile using Creating an Authentication Profile and enter that name in the Auth. Profile text box.
The following screens show an example of how to create a service that requires multiple authentication algorithms. Only the portion of the page that has changes is shown here.
and add them in the desired order using
Changing an Authentication Profile Configuration
In the Auth. Profile table make one or more of the following changes to the Auth. Profile name is in the Name column:
and add them in the desired order using...
Values other than required are effective only when the service requires more than one Session Profile. For a description of the effect on result disposition and subsequent algorithm invocation that the list items represent, see Profile Controls.
(VPN) tunnels. By taking over cryptographic processing, the cards allow the appliance CPU to perform other tasks. These cards include the Nokia Encryption Accelerator Card and the Nokia Encrypt Card. For information on which security algorithms your encryption accelerator card supports, refer to the installation documentation for your card.
The IPSec protocol suite provides three new protocols for IP:
An authentication header (AH) that provides connectionless integrity and data origin authentication. The IP header is included in the authenticated data. It does not offer encryption services.
If ESP is used, no protection is offered to the IP header, but data payload is authenticated and can be encrypted.
[Figure: packet layouts showing the IP header, ESP header, payload, ESP trailer, and the authenticated portion.]
(SA). An SA is a policy and set of keys used to protect a one-
[Figure: packet layouts showing the old IP header, payload, ESP header, ESP trailer, ESP auth, and the authenticated and encrypted portions.]
One mode is defined for phase 2. This mode is called Quick Mode. Quick Mode uses three messages, two for proposal parameters and a third one to acquit the choice. With “perfect forward secrecy” enabled, the default value in Nokia’s configuration, a new Diffie-Hellman
The IPSO operating system provides a native IPSec implementation supporting ESP in tunnel mode. This implementation is compliant with the following RFCs:
Table 20 IPSec RFCs
RFC 2401: Security Architecture for the Internet Protocol
RFC 2402: IP authentication header
The traffic that matches filters associated to the policy is encapsulated by using tunnel addresses. Policies can also be reused in different tunnels. An IPSec tunnel cannot function without an associated policy.
Description
IP Encapsulating Security Payload (ESP)
Supports algorithms: 3DES, DES, and Blowfish for encryption and SHA-1 and MD5 for authentication.
See “Creating an IPSec Policy” for more information.
“Proposal and Filters” “Creating an IPSec Policy” “Trusted CA Certificates”
Selected range values might be different; consult the inline Help option for specifics. The following sections describe how to create an IPSec policy.
“Putting It All Together” “Creating an IPSec Policy”...
2. An Apply Successful message appears and the name of the CA you just entered appears in the Trusted CA Certificates table.
if you do not plan to use a X.509 certificate and want to use
Device Certificates
A device certificate is used to identify a particular IPSec system. Follow the steps below.
“Trusted CA Certificates.”
Note: Before you install the certificate, ensure that CA approved the certificate and that you know how to access the approved certificate. If you need to wait for the CA’s approval,
URL of the directory server. Because of different implementations, the internal configuration of the directory server might not be compatible with IPSO that has implemented LDAP query formats.
IPSec General Configuration...
Note: Each Network Voyager page displays a maximum of 10 policies. If you create more than 10 policies, they are continued on new pages. Access these pages by clicking the link directly
The IPSec Tunnel page appears.
9. (Optional) Activate Hello Protocol inside the tunnel, then click Apply.
Note: This and the following two steps are not applicable for tunnels without logical interface parameters.
IPv6.
3. Enter the name of the new rule in the New Transport Rule field. In the Select a policy field select the desired option from the drop-down list, then click Apply.
10 rules, they are continued on new pages. Access the new pages by clicking the link directly below the rule section. The link to more pages appears only after you create more than 10 transport rules.
New Filter text box. Enter site_B in the Address text box and 24 in the Mask Length text box. Click Apply.
192.68.26.74/30 192.68.23.0/24 Remote PCs...
24. Select site_B from the Destination Filters drop-down list.
25. Click Apply.
26. Click Save to make your changes permanent.
as the name for a new policy in the New Policy text box. rule_1 rule_1 from the Add a Proposal drop-down list.
Configure Nokia Platform 2
Now set up network application platform 2 (Nokia Platform 2). Perform the same steps that you performed to configure Nokia Platform 1, with the following changes.
1. Step 18; enter
2. Step 19; enter
3. Step 24; select
4.
21. Select remote from the Destination Filters drop-down list.
22. Click Apply.
23. Click Save to make your changes permanent.
as the name for a new policy in the New Policy text box. rule_2 5 from the Add a Proposal drop-down list.
Configure PC1
You now need to set up PC1. Perform the same steps that you performed to configure Nokia Platform 1 (IPSO), with the following changes.
1. Step 6; for the local filter, enter
2. Step 7; for the remote filter, enter...
SYN and FIN bits set. This behaviour addresses a CERT advisory. For more information on that advisory, go to http://www.kb.cert.org/vul/id/464133. You must change the default configuration if you want your Nokia platform to accept packets that have both the SYN and FIN bits set. Complete the following procedure to configure your platform to accept packets that have both SYN and FIN bits set.
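To confirm that traffic with this flag combination is actually reaching or leaving a segment before you relax the default, a packet capture can be checked for it. The following is an added example, not from the Nokia guide: it reads the TCP flags byte from raw IPv4 packets and reports those with both SYN and FIN set. The packets are constructed for illustration, use documentation addresses, and carry zero checksums because checksums are not validated here.

```python
import socket
import struct

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
FLAG_NAMES = [("SYN", SYN), ("FIN", FIN), ("RST", RST),
              ("PSH", PSH), ("ACK", ACK), ("URG", URG)]
IPPROTO_TCP = 6


def tcp_flags(packet: bytes):
    """Return the TCP flags byte of an IPv4 packet, or None if none can be read."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None                     # too short, or not IPv4
    ihl = (packet[0] & 0x0F) * 4        # IP header length in bytes, options included
    if ihl < 20 or packet[9] != IPPROTO_TCP:
        return None                     # malformed header, or not TCP
    if struct.unpack("!H", packet[6:8])[0] & 0x1FFF:
        return None                     # later fragment: payload is not a TCP header
    if len(packet) < ihl + 14:
        return None                     # truncated before the flags byte
    return packet[ihl + 13]


def has_syn_fin(packet: bytes) -> bool:
    """True when the packet is TCP and has both SYN and FIN set."""
    flags = tcp_flags(packet)
    return flags is not None and flags & (SYN | FIN) == (SYN | FIN)


def flag_names(flags: int) -> str:
    """Render a flags byte as text, for example 'SYN+FIN'."""
    return "+".join(name for name, bit in FLAG_NAMES if flags & bit)


def build_packet(flags: int, ip_options: bytes = b"", frag_offset: int = 0) -> bytes:
    """Build a constructed IPv4/TCP packet (test data only, checksums left at zero)."""
    ihl_words = 5 + len(ip_options) // 4
    ip = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl_words, 0, ihl_words * 4 + 20,
                     0x1234, frag_offset & 0x1FFF, 64, IPPROTO_TCP, 0,
                     socket.inet_aton("192.0.2.10"),
                     socket.inet_aton("198.51.100.20")) + ip_options
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1000, 0, 5 << 4, flags, 8192, 0, 0)
    return ip + tcp


# Constructed sample capture.
SAMPLES = [
    build_packet(SYN),                                    # 0: normal connection open
    build_packet(SYN | ACK),                              # 1: normal reply
    build_packet(SYN | FIN),                              # 2: the combination discussed above
    build_packet(FIN | ACK),                              # 3: normal close
    build_packet(SYN | FIN | PSH, ip_options=b"\x01" * 4),  # 4: same, behind IP options
    build_packet(SYN | FIN, frag_offset=64),              # 5: later fragment, no TCP header
    build_packet(SYN | FIN)[:30],                         # 6: truncated capture
]


def scan(packets):
    """Return the indexes of packets that have both SYN and FIN set."""
    return [i for i, p in enumerate(packets) if has_syn_fin(p)]


if __name__ == "__main__":
    for i in scan(SAMPLES):
        print(i, flag_names(tcp_flags(SAMPLES[i])))
```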
Page 350
Nokia Network Voyager for IPSO 4.0 Reference Guide...
Routing Overview The Nokia routing subsystem, Ipsilon Scalable Routing Daemon (IPSRD), is an essential part of your firewall. IPSRD’s role is to dynamically compute paths or routes to remote networks. Routes are calculated by a routing protocol. IPSRD provides routing protocols, allows routes to be converted or redistributed between routing protocols, and, when there are multiple protocols with a route to a given destination, allows you to specify a ranking of protocols.
Page 352
(IGRP or OSPF), which periodically flood an intra-domain network with all the known routing table entries and build their own reliability. Instead, BGP uses TCP as its underlying transport mechanism and sends updates only when necessary.
OSPF is suitable for complex networks with a large number of routers. It can coexist with RIP on a network.
The information is stored in the link-state database, which is identical on all routers in the AS.
Routers called Area Border Routers (ABR) have interfaces to multiple areas. ABRs compact the topological information for an area and transmit it to the backbone area. Nokia supports the implementation of ABR behavior as outlined in the Internet draft of the Internet Engineering Task Force (IETF).
“IP Clustering Description.” Note IPSO does not support OSPFv3 in an IP cluster. Nokia strongly recommends that you not configure OSPF or any other routing protocol on the primary or secondary cluster protocol interfaces of an IP cluster. Configuring OSPF To configure OSPF on your system, you must complete the following: 1.
Page 357
NSSA (Not So Stubby Area). For more information on NSSA, see RFC 3101. Description You can configure any area with any number of address ranges. Use these ranges to reduce the number of routing entries that a given area emits into the backbone and thus all areas.
Page 358
By definition, a Type-7 address range consists of a prefix and a mask length. Note: To prevent a specific prefix from being advertised, select On in the Restrict field next to the entry for that prefix.
Additional fields appear. 4. Configure the following parameters for the virtual link: for the interface and assign an IP address to the interface. Table 22 Table “Configuring Virtual Links”...
Table 24 shows the global settings that you can specify for OSPF. Configure these settings by clicking OSPF under Configuration > Routing Configuration in the tree view and scrolling down to these fields.
Page 361
Route Cost Default ASE Route Type Description This implementation of OSPF is based on RFC2178, which fixed some looping problems in an earlier specification of OSPF. If your implementation is running in an environment with OSPF implementations based on RFC1583 or earlier, enable RFC 1583 compatibility to ensure backwards compatibility.
OSPF route. For example, you can assign different relative costs to two interfaces to make one more preferred as a routing path. You can explicitly override this value in route redistribution. Range is 1-65535. Default is 1.
Page 363
The OSPF interface configuration parameters are displayed showing the default settings. If you want to accept the default settings for the interface, no further action is necessary. Description Specifies the priority for becoming the designated router (DR) on this link. When two routers attached to a network both attempt to become a designated router, the one with the highest priority wins.
Page 364
Nokia Platform A and Nokia Platform B are on the backbone area. Nokia Platform D is on Area 1. The routes in Area 0 are learned by Nokia Platform D when the ABR (Nokia Platform C) injects summary link state advertisements (LSAs) into Area 1.
8. Click 1 area in the drop-down list for e2; then click Apply. 9. Click Save. 10. Initiate a Network Voyager session to Nokia Platform D. 11. Click Config on the home page. 12. Click the OSPF link in the Routing Configuration section.
RIP 1. Virtual IP Address Support for VRRP Beginning with IPSO 3.8.1, Nokia supports the advertising of the virtual IP address of the VRRP virtual router. You can configure RIP to advertise the virtual IP address rather than the actual IP address of the interface.
Note Nokia also provides support for BGP, OSPF, and PIM, both Sparse-Mode and Dense-Mode, to advertise the virtual IP address of the VRRP virtual router, beginning with IPSO 3.8. Note You must use Monitored Circuit mode when configuring virtual IP support for any dynamic routing protocol, including RIP.
Apply. Note When you use RIP 2, always select the multicast option. Nokia recommends that you not operate RIP 1 and RIP 2 together. 9. (Optional) If you selected RIP 2 for an interface, select the type of authentication scheme to use from the AuthType drop-down list;...
2. Click RIP under Configuration > Routing Configuration in the tree view. 3. Click on for the eth-s2p1c0 interface; then click Apply. 4. (Optional) Enter a new cost in the Metric edit box for the eth-s2p1c0 interface; then click Apply. “Ethernet Interfaces.”...
PIM and DVMRP on the same appliance. For more information about PIM, read the following Internet Engineering Task Force (IETF) drafts. For Dense-Mode PIM, see Protocol-Independent Multicast—Dense Mode (PIM-DM): Protocol Specification (Revised). “Ethernet Interfaces.”
Do not use forwarding mode. For more information about IP clustering, see Clustering Description” Note Nokia strongly recommends that you not configure PIM or any other routing protocol on the primary or secondary cluster protocol interfaces of an IP cluster. PIM Dense-Mode...
SPT is created. Note For both PIM-SM and PIM-DM, the Nokia implementation of IP clustering does not forward traffic addressed to 244.0.1.144. IP clustering uses multicast to communicate synchronization messages and has reserved multicast group address 244.0.1.144 for this purpose.
DM is enabled with IP Clustering: a. For the availability mode of the gateway cluster object, select load sharing. b. In the third-party drop-down list, select Nokia IP clustering. c. Make sure that the check box next to Forward Cluster Members’ IP addresses is not checked.
8. Click Apply, and then click Save to make your change permanent. Disabling PIM You can disable PIM on one or more interfaces you configured on each Nokia platform. 1. Click PIM under Configuration > Routing Configuration in the tree view.
This value represents the interval between the last time an assert is received and when the assert is timed out. 10. In the General Timers section, enter a value for the assert rate limit in the Assert Rate Limit text box.
3. Click Apply. 4. In the Interfaces section, click On for each interface on which to run PIM. Note The number of interfaces on which you can run PIM is unlimited. 5. Click Apply.
PIM-enabled interfaces are available only if each interface is up and has a valid address assigned. If any PIM-enabled interface goes down or if all of its valid addresses are deleted, then...
Page 378
IP address is chosen. If even one router does not advertise a DR election priority value in its hello messages, DR election is based on the IP addresses. The default is 1, and the range is 0 to 4294967295 (2^32 - 1). “VRRP.”
The candidate bootstrap router with the highest preference value is elected the bootstrap router. To break a tie, the bootstrap candidate router with the highest IP address is elected the bootstrap router.
The number of interfaces on which you can run PIM is unlimited. 5. Click Apply. 6. In the Sparse Mode Rendezvous Point (RP) Configuration section, to enable a Static Rendezvous Point router, click On in the Static RP Router field.
8. In the Sparse Mode Timers section, enter a value for the candidate rendezvous point advertisement interval (in seconds) in the Candidate RP-Advertisement Interval text box. This value represents the interval between which Candidate Rendezvous Point routers send Candidate-RP-Advertisement messages.
Page 382
Assert Rank values are used to compare protocols and determine which router forwards multicast packets on a multiaccess LAN. Assert messages include these values when more than one router can forward the multicast packets.
If you experience difficulties having PIM register messages sent by the Nokia appliance being accepted by a Cisco router that is the elected rendezvous point (RP), configure this option. A Nokia appliance that is the elected RP accepts register messages that calculate the checksum with or without the multicast payload, that is, it accepts all register messages.
Page 384
The RP selected for a particular group based on information from the active RP-set. Error statistics for multicast forwarding cache (MFC); Bootstrap Router (BSR) messages; Candidate Rendezvous Point (CRP) advertisements; and the Internet Group Management Protocol (IGMP).
IGRP calculates a single composite metric from this vector to compare routes. Since the metrics attempt to physically characterize the path to a destination, IGRP attempts to provide optimal routing. IGRP has two packet types.
Page 386
This implementation has interoperated with other vendors’ implementations of IGRP, namely Cisco IOS version 10.3(6) and 11.0(7). Listed here for completeness are a few minor observable differences between the Nokia and the Cisco implementations (no interoperability problems have occurred to date because of these differences): Validity Checks—packets that are malformed (that is, those that have trailing data on a...
IGRP update messages as exterior. A direct interface route is advertised only once. Therefore, a direct interface route that is marked exterior is not also advertised as interior or as system.
7. (Optional) In the Protocol section, enter a new bandwidth multiplier in the K1 (bandwidth multiplier) text box; then click Apply. K1 is used to globally influence bandwidth over delay. link on the Configuration page.) for the interface.
Page 389
6. (Required) Enter a reliability metric in the Reliability text box for each interface; then click Apply. 7. (Required) Enter the load metric in the load text box for each interface; then click Apply. “Ethernet Interfaces.”...
The IPSO implementation of DVMRP supports the following features: DVMRP v.3; Prune and graft messages; Generation ID; Capability flags; Interface metric and threshold configuration; Interface administrative scoping on the 239.X.X.X addresses; Interfaces with secondary addresses; iclid wizards.
6. To make your changes permanent, click Save. Configuring DVMRP Timers You can configure values for DVMRP timers. Nokia recommends that if you have a core multicast network, you configure the timer values so that they are uniform throughout a network.
IP. Unfortunately, you cannot apply such mechanisms to IP multicast packets. The key mechanism for unicast traceroute is the ICMP TTL exceeded message that is specifically precluded as a response to multicast packets. The traceroute facility...
Additionally, you can enable and disable router alert. Nokia supports IGMP in an IP cluster as part of the new support for PIM, both dense-mode and sparse-mode, in an IP cluster. The support for IGMP in an IP cluster ensures synchronization of IGMP state from master to members when a new node running PIM joins the cluster.
A router configured for IGMP version 2 can interoperate with hosts running either IGMP version 1 or version 2. Nokia recommends that you use version 1 only on networks that include multicast routers that are not upgraded to IGMP version 2.
Page 395
For each route, the system uses the route from the protocol with the lowest rank number. The default for static routes is 60. The range you can enter is 0 to 255.
Page 396
Static Routes page. Note The text box displays any entries that contain errors. Error messages appear at the top of the page. 6. Click Save to make your changes permanent. “Static Routes”...
Internet (no OSPF or BGP). A corporate WAN is between Nokia platform B and Nokia platform C, and no routing occurs on this link. Use static routes so that the remote PC LAN can have Internet access.
4. To make your changes permanent, click Save. Route Aggregation Route aggregation allows you to take numerous specific routes and aggregate them into one encompassing route. Route aggregation can reduce the number of routes that a given protocol...
Page 399
1. Click Route Aggregation under Configuration > Routing Configuration in the tree view. 2. Click off for the aggregate route disable; then click Apply. 3. To make your changes permanent, click Save.
The figure below shows the network configuration for the example. In the preceding figure Nokia Platform B, Nokia Platform C, and Nokia Platform D are running OSPF with the backbone area. Nokia Platform A is running OSPF on one interface and RIP 1 on the backbone side interface.
A default rank is assigned to each protocol. Rank values range from 0 to 255, with the lowest number indicating the most preferred route. The table below summarizes the default rank values. Preference of Interface routes OSPF routes Static routes IGRP routes RIP routes Aggregate routes Default...
RIP from the bottom of the network, and OSPF from the top of the network. When other hosts want to go to 192.168.22.0 through Nokia Platform D, Nokia Platform D can select one protocol route, such as an OSPF route first, to reach the destination. If that route is broken, then Nokia Platform D uses another available route to reach the destination.
On each peer you configure the type of routes (capability) that should be exchanged between peers. Choose from the following selections: IPv4 unicast (the default) IPv6 unicast for OSPF and for RIP.
A path attribute is a list of AS numbers that a route has traversed to reach a destination. BGP uses path attributes to provide more information about each route and to help prevent routing...
Page 405
Routing information shared between peers in BGP has two formats: announcements and withdrawals. A route announcement indicates that a router either learned of a new network Definition Identifies the autonomous systems through which routing information carried in an UPDATE message passed.
The first lookup uses a BGP route to establish the exit router, while the second lookup determines the IGP path to the exit router.
The routers in the community can capture routes that match their community values. Use community attributes to configure your BGP speaker to set, append, or modify the community of a route that controls which routing information is accepted, preferred, or...
ID should be selected to identify all reflectors serving the cluster, using the cluster ID keyword. Note Nokia recommends that you not use multiple redundant reflectors unnecessarily as it increases the memory required to store routes on the peers of redundant reflectors.
ID is the AS number of the single, large AS. For this reason, the confederation ID must be a globally unique, normally assigned AS number. Note Do not nest confederations.
In addition, you can use EBGP multihop support to balance the traffic among all links.
RST packets. Internal sources, such as BGP speakers, can inject bogus routing information from any other legitimate BGP speaker. Bogus information from either external or internal sources can affect routing behavior over a wide area in the Internet.
BGP Support for Virtual IP for VRRP The Nokia IPSO implementation of BGP supports advertising the virtual IP address of the VRRP virtual router. You can force a route to use the virtual IP address as the local endpoint for TCP connections for a specified internal or external peer autonomous system.
BGP in clustered mode. For more information on IP Clustering, see “IP Clustering Description” Note Nokia recommends that you configure BGP in an IP cluster so that peer traffic does not run on the primary and secondary cluster protocol interfaces. Note BGP support for IP clustering is only available for IPv4 BGP sessions, not for IPv6.
The answer is 48,000 or 50 K. 4. Add all of the results together (2MB + 2MB + 4MB + 50K). The answer is 8.05MB, which means that IPSRD requires 8.05MB of memory for this example.
5. Enter 100 in the AS number text box. 6. Enter 100 in the Peer autonomous system number text box. 7. Click Internal in the Peer group type drop-down list; then click Apply.
Page 416
8. Enter 170.20.1.2 in the Add remote peer IP address text box; then click Apply. 9. Configure an inbound route policy for AS100 according in Example.” To configure Nokia Platform C as an IBGP peer to Nokia Platform A 10. Click BGP under Configuration > Routing Configuration in the tree view. “Configuring OSPF”...
Page 417
5. Configure route redistribution policy according to 407. 6. Configure an inbound route filter according to page 446 to allow Nokia Platform C to accept routes from its EBGP peer. To configure EBGP on Nokia Platform D 1. Configure the interface as in 2.
Note To filter BGP updates based on peer AS numbers, see Nokia Platform D based on an autonomous system number.” To filter BGP updates based on community ID or special community, specify an AS number along with the community ID or the name of one of the following possible special community attributes: no export, no advertise, no subconfed, or none.
Apply. 5. Click Save to make your changes permanent. This MED value is propagated with all of the BGP updates that are propagated by Nokia Platform D to all of its EBGP peers in AS100 and AS200. “To configure route inbound policy on Nokia Platform D...
Page 420
This configuration allows Nokia Platform D to prefer Nokia Platform A (with the lower MED value of 100) over Nokia Platform B (with the higher MED value of 200) as the entry point to AS100 while it propagates routes to AS100. Similarly, this configuration propagates routes with an MED value of 50 to AS200, although no multiple entry points exist to AS200.
This example shows how to set up two IBGP peers, and how to configure routes learned using Nokia Platform A to have a higher local preference value over Nokia Platform B (which has a default local preference value of 100).
Page 422
3. Enter in the Mask length text box. 4. Enter 20.10.10.2 To configure the static routes required for Nokia Platform B 1. Configure the interface as in 1. Click BGP under Configuration > Routing Configuration in the tree view. 2. Enter 20.10.10.2...
BGP Confederation Example In the above diagram, all the routers belong to the same Confederation 65525. Nokia platform A and Nokia platform B belong to routing domain ID 65527, Nokia platform C and Nokia platform D belong to routing domain ID 65528, and Nokia platform E belongs to routing domain ID 65524.
Page 424
Add a new peer text box; then click Apply. in the Confederation text box. in the Routing domain identifier text box; then click Apply. in the ASPATH Regular Expression text...
Page 425
Click On in the All BGP AS 65524 Routes Into AS 65528 field; then click Apply. g. Click Save to make your changes permanent. in the Peer Autonomous System Number text box.
Nokia platform C, and Nokia platform D are in AS 65526. This example shows how to configure Nokia platform B to act as a route reflector for clients Nokia platform C and Nokia platform D: You then configure platforms C and D and IBGP peers to platform D, as the example shows.
Page 427
(127.0.0.1) is preferred. 3. Enter 65526 in the Add remote peer ip address text box under the AS65526 in the Add remote peer ip address text box under the AS65526 in the AS Number text box.
AS. in the Peer Autonomous System Number text box. in the Add remote peer IP address text box; then click Apply. 65526 in the AS edit box; then click Apply.
Page 429
2. Thus, all of the routes with the community attributes set to 4:1, 5:2, and no export are redistributed with the appended community attributes 4:1, 5:2, no export, 6:23, and no advertise. “Redistributing OSPF to BGP Example.” “Path Filtering Based on...
Nokia Platform A is in autonomous system AS100, and Nokia Platform B is in autonomous system AS200. Nokia Platform A has a loopback address of 1.2.3.4, and Nokia Platform B has a loopback address of 5.6.7.8. Configuring a Loopback Address on Platform A 1.
Page 431
The default value is 64 and the range is 1 to 255. Click Apply. in the Additional Gateway edit box; then click Apply. in the Additional Gateway edit box; then click Apply.
Add a new stub host column, then click Apply. in the Add a New Stub Host column and then click Apply. “Ethernet Interfaces.” as the local address on the main BGP configuration page.
The default value is 64 and the range is 1 to 255. Click Apply. Configuring an EBGP Peer on Platform B 1. Configure an EBGP peer on Nokia Platform B as in 2. Enter 5.6.7.8 3. Configure the inbound and route redistribution policies.
4. Enter in the AS number text box, then click Apply. The following 2 steps configure the EBGP peer for Nokia Platform B. 5. Enter in the Peer autonomous system number text box. 6. Select External in the Peer group type drop-down list; then click Apply.
4. Enter any changes in the text boxes that correspond to the appropriate fields, then click Apply. in the Add remote peer ip address text box; then click Apply. Default value Units of measurement...
Note The Nokia implementation of weight value differs from that of other vendors. If the weights are the same, prefer the path with the largest local preference. If the local preferences are the same, prefer the route that has the shortest AS_path.
Page 437
3. On Router 1, create a route map named advertise_to_as2 to advertise the routes from Router 1 to Router 2. Note For information on creating and using route maps, see the CLI Reference Guide for Nokia IPSO. show IPv6 route...
Normal—Matches any route that is equal to or more specific than the given prefix. This is the default modifier. Exact—Matches a route only if it equals the IP address and mask length of the given prefix. “Route...
If you do not specify a redistribution policy, only routes to attached interfaces are redistributed. If you specify any policy, the defaults are overridden. You must explicitly specify everything that should be redistributed.
Route redistribution allows you to redistribute routes from one autonomous system into another autonomous system. To configure BGP route redistribution on Nokia Platform D 1. Click Route Redistribution under Configuration > Routing in the tree view. 2. Click BGP Routes Based on AS under the Redistribute to BGP section.
Page 441
In this example, Nokia Platform A is connected to a RIP network and is redistributing RIP routes to and from OSPF for the Nokia OSPF Backbone. Nokia Platform D is connected to a subnet of Unix workstations that is running routed.
Page 442
Make sure that the Corporate net RIP router is advertising RIP on the interface connected to the Nokia network. It must be receiving and transmitting RIP updates. Nokia does not currently support the notion of trusted hosts for authentication of RIP routes.
5. If you do not want to export all OSPF routes into RIP, click Restrict and define a route filter to advertise only certain OSPF routes into RIP. 6. Assume that Nokia Platform B has another interface not shown in the diagram and that it has two additional OSPF routes: 10.0.0.0/8 and 10.1.0.0/16 strictly more specific than 10.0.0.0/8...
Nokia Platform E of AS 100 and Nokia Platform A of AS 4 are participating in an EBGP session. Nokia Platform F of AS 200 and Nokia Platform D of AS 4 are also participating in an EBGP session. 26.65/30 26.61/24...
4. If you set All Routes to accept and click Apply, the Rank field is displayed. In the Rank field you can specify the rank to a value that all routes should have. The range of values is 1 to 255. “Route Maps” on page 353 and...
You can selectively accept routes from different BGP peers based on a peer autonomous system or an AS path regular expression. To configure route inbound policy on Nokia Platform D based on an autonomous system number 1. Click Inbound Route Filters under Configuration > Routing in the tree view.
Page 447
This specifies discard the routes that match this prefix. 5. Click Apply. The filter is fully configured. To configure route inbound policy on Nokia Platform D based on ASPATH regular expressions 1. Click Inbound Route Filters under Configuration > Routing in the tree view.
ASPATH regular expressions, neighbors (AS numbers), or community IDs. To filter BGP updates based on ASPATH regular expressions, see policy on Nokia Platform D based on ASPATH regular expressions.” however, give a more detailed description of how to create ASPATH regular expressions.
Measured over longer time intervals, the traffic will be coerced to the configured mean rate. Over shorter intervals, traffic is allowed to burst to higher rates. This coercion is accomplished “Configuring ACL Rules” on page...
“To create an Aggregation Class” “Configuring ACL Rules” on page 452 “To create an Aggregation Class” interface”. 452. Select shape as the action for on page 456 for information about for information about creating ACL for information about “To apply or...
Page 451
"skip." Note Only the default rule appears in the Access Control List until you create your own rule. c. Click Apply. The new interface appears in the Selected Interfaces section. Nokia Network Voyager for IPSO 4.0 Reference Guide...
TCP establishment flags—When selected, traffic matches this rule when it is part of the initial TCP handshake. Type of Service (TOS) for IPv4; Traffic Class for IPv6 The following values can be used to mark traffic: DiffServ codepoint (DSfield) Queue Specifier (QueueSpec)
ACL.” Table 27 describes the attributes of an ACL rule that you can modify. To delete a rule, select the delete check box for that rule and click Apply. “To add...
Page 454
Type of Service (TOS) Specifies the type of service to be used for matching this rule. Range: any or 0x0-0xff for IPv4 Default: Any Traffic Class for IPv6 o be used for matching this rule.
Traffic that arrives consistently at a rate less than or equal to the configured meanrate will always be marked conformant and will not be delayed or dropped in the respective shaper or policer stages. on page 456...
Page 456
5. Select an existing aggregation class from the Aggregation Class drop-down list. Note If there is no aggregation class listed, you need to create an aggregation class. Go to “To create an Aggregation Class.”
The QoS functionality is not achieved without a cost. The choice of QoS with minimal latency is the most costly in terms of forwarding performance, but it allows the least amount of head-of-line blocking for high priority traffic. Priority IETF DiffServ Codepoint Queue Specifier Value...
Page 458
Enter a value of zero (0) to disable a queue. Neither the Internetwork Control nor the Best Effort queue can be disabled. 4. Click Apply. 5. Click Save to make your changes permanent.
The category for any new ATM QoS Descriptor that you configure is set to constant bit rate (CBR). CBR limits the maximum cell output rate to adhere to the requirements on CBR traffic imposed by the network.
Page 460
In the QoS Configured PVCs field, click the QoS Descriptor drop-down window and select Default (UBR). 4. Click Apply. 5. Click Save to make your changes permanent.
Quality of Service (QoS) in an IP (Internet Protocol) network. This information is exchanged between PDPs (Policy Decision Points) and PEPs “To delete an ATM QoS descriptor”...
(Policy Enforcement Points). The PDPs are network-based servers that decide which types of traffic (such as voice or video) receive priority treatment. The PEPs are routers that implement the decisions made by the PDPs. In the Nokia implementation, the Nokia platform functions as a PEP.
10. Click Save to make your changes permanent. Assigning Roles to Specific Interfaces The Nokia COPS implementation lets you assign roles to specific interfaces. A role refers to a logical name assigned to a group of objects within a network. The role name lets you group objects to which you want to assign a particular policy.
The COPS Diffserv specific configuration page appears. 3. To disable the Client ID, click the Client ID drop-down list in the DiffServ PIB specific configuration section and select either another existing client ID name or none.
2. For the rule you set up when you created the Access Control List, select the aggregation class you created from the Aggregation Class drop-down window. 3. Click Apply. 4. Select eth-s2p1c0 from the Add Interfaces drop-down window, and select Output from the Direction drop-down window.
Nokia Platform A and Nokia Platform B. 1. Save the current configuration on each Nokia Platform before you set up QoS. Doing so allows you to compare the relative performance of the QoS and non-QoS configurations.
Page 467
Select wan_1_ef from the Aggregation Class drop-down window, and then click Apply. k. For Nokia Platform A, enter 23 in the Destination Port Range edit box, and for Nokia Platform B, enter 23 in the Source Port Range edit box.
Page 468
Click on the Interface Statistics link. d. Scroll down to view statistics for Queue Class wan_1_ef. You should see values other than zero on both Nokia Platform A and Nokia Platform B for the Packets Passed and Bytes Passed counters in the Expedited Forwarding row.
Broadcast Helper, forward BOOTP/DHCP traffic by enabling BOOTP relay, how to enable router discovery, and how to configure for Network Time Protocol (NTP). A Nokia appliance, like any routing device, does not forward broadcast traffic outside its broadcast domain as per Ethernet standards. To have your appliance forward broadcast traffic,...
New Server—Enter the IP address of the BOOTP/DHCP configuration server to which to relay BOOTP requests. 5. Click Apply. 6. Repeat to relay BOOTP requests to more than one server. 7. Click Save to make your changes permanent.
Forward Nonlocal IP Helper Interface On/Off Description Allows you to forward packets that are not originated by a source that is directly on the receiving interface. When you enable Forward Nonlocal, it applies to all interfaces that are running the IP Helper service.
UDP port number will be forwarded to the configured server(s). Specifies the servers defined for forwarding for the interface and UDP service. relaying of broadcast UDP packets on your system, use the following...
Note IPSO implements only the ICMP router discovery server portion, which means that a Nokia router can advertise itself as a candidate default router, but it will not adopt a default router using the router discovery protocol.
Page 474
The default is Eligible. Enter a value to indicate the level of preference for the IP address as a default router address in the text box below the Eligible button. The default is 0. router discovery services on your system, use the following procedure.
If an NTP server or peer is not available, you can turn on the NTP reference clock to have your server configured as a source of time information. In this mode, Nokia recommends that you keep the stratum value at its default (1). The stratum value tells how far away the NTP reference clock is from a valid time source.
Apply. The Stratum edit box and Clock source drop-down list appear. By default, the Stratum value is 1, and the Clock source is set to Local Clock. Nokia recommends that you keep these defaults. 8. To configure a new peer, enter the new peer IP address in the Add New Peer: Address: edit box.
Page 477
11. Click Apply. The Stratum and Clock source fields appear. By default, the Stratum value is 1, and the Clock source is set to Local Clock. Nokia recommends that you keep these defaults. 12. Click Save to make your changes permanent.
Page 478
+ cache pages. The remainder is active memory (memory the operating system is currently using). The free memory might differ (will mostly be lower) as compared to output of a vmstat command.
(R) that is a session leader (s). For more information, see the process status man page (man ps). STARTED—Time the command started. TIME—Accumulated CPU time: user plus system (alias cputime). COMMAND—Command and arguments.
• Starting and stopping the processes under its control
• Automatically restarting the processes if they terminate abnormally
The Nokia IPSO processes that the PM monitors are listed in the following table. In addition, the PM might also monitor application package processes, such as IFWD, FWD, CPRID.
Shows historical memory utilization, including: • Active Real Memory—Kilobytes of real memory being used in a given time interval. • Free Real Memory—Kilobytes of real memory free in a given time interval.
Useful System Statistics—Summarizes configuration information, including the following: Active Routes—The number of active routes configured. Packets Forwarded—The number of packets forwarded. VRRP Masters—The number of VRRP masters configured.
Include Zipped Files in Search section. Note The system log also displays messages generated by the system configuration audit log. For information on configuring the audit log, see “To set the system configuration audit log” on page 164.
IP Addr—Primary IP address of the member. Hostname—Hostname of the node. Platform—Type of platform. OS Release—Operating system version node is running. Rating—Node performance rating.
For IPv6, click IPv6 Forwarding Table under Monitor > IPv6 Monitor. Displaying Route Settings To view the route settings for your system, click Route under Monitor > Routing Protocols in the tree view.
Context: number of times that an invalid context was specified to process a data message. Packet Header: number of times that an mbuf did not have a valid header.
Displays help information. Quits iclid. Shows formatted, categorized system information. key; you can abort the command and any further output by typing to display possible command completions. You can also Subcategory Description at the...
Page 489
Element Category bootpgw interface stats Provides a BGP summary. A table of BGP errors. A table of parameters and data for each BGP group. detailed Detailed statistics on BGP groups.
Page 490
Subcategory Description Lists inbound filters and data for all protocols. Subcategory Description Status and addresses of all configured interfaces. Subcategory Description Displays IPSRD core information.
Page 491
Element Category ospf border routers database errors events interface Subcategory Description Total memory usage in kilobytes. Total memory use as well as memory use by each routing protocol. Subcategory Description Lists OSPF border routers and associated codes.
Page 492
List of all routes and status data. In the event of a long list type q. aggregate Data on all aggregate routes by code letter. Data on BGP routes. direct Data on direct routes.
Page 493
Element Category version Element Category igrp Data on IGRP routes. ospf Data on OSPF routes. Data on RIP routes. static Data on static routes. Statistics on BGP routes.
VRRP transmission and reception statistics. Shows OSPF summary information. OSPF neighbor information. All routes. Only BGP routes that start with 127. All possible command completions for . When this happens, the system log displays
show b...
Page 495
Note To perform the following procedures, use the zap or modzap utility. You can obtain these utilities from the Nokia Technical Assistance Center (TAC)—refer to Resolution 1261. If you are using FireWall-1 4.1 1. Set the execute permissions by issuing an 2.
Page 496
A confirmation message is displayed, which you can safely ignore. 5. Reboot the system. Because these console messages are also written to the FW-1 log message file, Nokia recommends that you do the following to prevent depleting the disk space allocated for the FW-1 log message file: 1.
398 IPv6 273 weight 401 aggregation class 454 aggregation classes associating with rules 456 configuring 455 Apply button 26 area border routers 355 areas OSPF, defined 354 changing global parameters 128...
Page 498
Cluster Voyager 209, 212 using 232 clusterAdminRole 233 clustering BGP 214 configuring NGX for 241 considerations 214 crossover cables 215 example 208 forwarding mode 213 modes 212 multicast mode 213 OSPF 214
Page 499
485 saving 166 traps 257 configuration file creating 167 configuration locks described 25 log in with 25 overriding 25 configuring Ethernet interfaces 34 IP addresses 31 mail relay 157 network devices 30...
Page 501
GetRequest error messages 261 Getting Started Guide and Release Notes 22 GRE tunnels 118 groups adding 293 described 292 editing 293 group ID 293 ID 289 other group 292 SSH privileges 307...
Page 502
FDDI 50 changing in Cisco HDLC 112 changing in PPP 113 configuring 31 IP Broadcast Helper configuring 472 description 471 IP forwarding MIB 250 IP MIB 250 IP over ATM (IPoA) 79
Page 503
Place and Receive Calls 57 Receive Calls 55 Removing an Incoming Number 57 troubleshooting 65 ISDN interfaces 51 ISDN MIB 250 jobs, scheduling 167 joining cluster 229 join-time shared features 212, 226, 235 keepalive...
Page 504
23 setting session timeout 312 troubleshooting access problems 301 Web access options 301 new password field 289 NEXT_HOP path attribute 405 configuring for clustering 241 NMS 256 notification configuring failure 157
Page 505
449 passwords changing 287 interception of 304 managing 287 path attributes BGP 404 path attributes (BGP) definitions 405 PC card installing 155 logging to 161 storing logs on 156 PCMCIA login 297...
Page 506
BGP 408 route-based VPN 140 router alert IP option 181 router discovery 472 configuring 473 disabling 475 IPv6 275 server 473 router services configuring 469 in clusters 215 routes flapping 411 redistributing 439
Page 507
311 enabling 301, 312 Log Off link 24 specifying timeout 301 session timeout configuring 312 setting time/date 158 shell, user’s 289 show mcvr 201 show vrrp 201 slots monitoring 487...
Page 508
VPN 134 traps sending 259 troubleshooting ISDN 65 SSL/TLS configuration 304 tunnels configuring IPv6 in IPv4 270 GRE 118 IPv4 in IPv6 272 tunnel MIB 251 tunnels DVMRP 125 UDP MIB 251
Page 509
VRID 183 selecting 191 VRRP active-active configuration 185 advertisements 183 authentication 192 authentication method 188 auto-deactivation 195 backup address 189, 192 changing backup address 195 Check Point configuration rules 199 Check Point NGX 197...
Page 510
485 wheel group 292 X.21 configuring for Cisco HDLC 83 configuring for frame relay 85 example 87 interfaces 83 xntpd process 481 xpand process 481