Voyager Reference Guide

Part No. N450820002 Rev A
Published December 2003

Summary of Contents for Nokia Voyager

  • Page 1: Voyager Reference Guide

    Voyager Reference Guide Part No. N450820002 Rev A Published December 2003...
  • Page 2 Rights clause at FAR 52.227-19. IMPORTANT NOTE TO USERS This software and hardware is provided by Nokia Inc. as is and any express or implied warranties, including, but not limited to, implied warranties of merchantability and fitness for a particular purpose are disclaimed. In no event shall Nokia, or its affiliates, subsidiaries or suppliers be liable for any direct, indirect, incidental, special, exemplary, or consequential damages (including, but not limited to, procurement of substitute goods or services;...
  • Page 3 313 Fairchild Drive Outside USA and Canada: +1 512-437-7089 Mountain View, CA 94043-2215 email: ipsecurity.na@nokia.com Europe, Nokia House, Summit Avenue Tel: UK: +44 161 601 8908 Middle East, Southwood, Farnborough Tel: France: +33 170 708 166 and Africa Hampshire GU14 ONG UK email: ipsecurity.emea@nokia.com...
  • Page 4 Voyager Reference Guide...
  • Page 5: Table Of Contents

    ..........9 How to Use Voyager .
  • Page 6 ..........505 Voyager Reference Guide...
  • Page 7 ............. . .587 Voyager Session Management .
  • Page 8 ......... . 689 Voyager Reference Guide...
  • Page 9: Overview

    Routing Overview Redistributing Routes Overview Software Overview This section gives you an overview of the Nokia software configured and maintained by Nokia Voyager software. Nokia firewalls function with the help of several software components: Operating System—Nokia firewalls run Nokia IPSO, a UNIX-like operating system based on FreeBSD.
  • Page 10: Interface Overview

    Voyager also provides online documentation. Voyager itself runs on a remote machine as a client application of the Nokia routing software and is HTML based. Interface Overview This section describes how to configure network devices and assign IP addresses to them using Voyager.
  • Page 11: Configuring Network Devices

    IP addresses to the loopback, FDDI, and Ethernet interfaces. All interface types support IP multicast. Configuring Network Devices Voyager displays network devices as physical interfaces. A physical interface exists for each physical port on a network interface card (NIC) installed in the unit. Physical interface names have the form: <type>-s<slot>p<port>...
  • Page 12: Configuring Ip Addresses

    The loopback interface also has a physical interface named loop0. Use Voyager to set the attributes of the device. For example, line speed and duplex mode are attributes of an Ethernet physical interface. Each communications port has exactly one physical interface.
  • Page 13 (in bits) of the subnet mask for the subnet to which the device connects. If you are running multiple subnets on the same physical network, you can configure additional addresses and subnet masks on the single logical Voyager Reference Guide...
  • Page 14 IP packet. Thus, for a router to have an unnumbered interface, it must have at least one IP address assigned to it. The Nokia implementation of unnumbered interfaces does not support virtual links.
  • Page 15 OSPF firewall ID, or is the termination point of a BGP session. This allows firewall adjacencies to stay up even if the outbound interface is down. Do not specify an IP subnet mask length when you add addresses to the loopback interface. Voyager Reference Guide...
  • Page 16: Configuring Tunnel Interfaces

    IP network. Create a tunnel logical interface by specifying an encapsulation type. Use Voyager to set the encapsulation type. Voyager supports two encapsulation types, DVMRP and VPN. The tunnel logical interface name has the form: tun0c<chan>...
  • Page 17: Routing Overview

    You can configure each of the supported routing protocols, route redistribution, and other routing options via the Configuring Routing section in Voyager. Routing monitoring is available by following links from the individual protocol pages or by clicking on the Monitor button in Voyager. Another Voyager Reference Guide...
  • Page 18: Routing Protocols

    15 firewalls. The advantage of RIP version 2 over RIP version 1 is that it supports non-classful routes. Classful routes are old-style class A, B, C routes. You should use RIP version 2 instead of RIP version 1 whenever possible. Voyager Reference Guide...
  • Page 19 Nokia also supports RIPng, the version of RIP that supports IPv6 interfaces. Protocol Described in RFC RIP version 1 RFC1058 RIP version 2 RFC1723 RIPng IGRP IGRP (Interior Gateway Routing Protocol) is a distance vector protocol. IGRP has a number of metrics for each destination. These metrics include link delay, bandwidth, reliability, load, MTU, and hop count.
  • Page 20 This reduces the number of routes advertised for a given protocol. These aggregate routes are then redistributed into other protocols. The aggregates are activated by contributing routes. For example, if a firewall has many stub interface routes subnetted from a class C and is running RIPv2 Voyager Reference Guide...
  • Page 21 This can be useful if dynamic protocols cannot be used. It can also be useful in providing a default route. Static routes consist of the following: Destination Type Next hop gateway There are three types of static routes: Normal Black Hole Voyager Reference Guide...
  • Page 22 0 to 65535 inclusive, with zero being the most attractive. While BGP version 4 supports 32-bit unsigned quantities, IPSRD does not. Note If you do not specify a redistribution policy, only routes to attached interfaces are redistributed. If you specify any policy, the defaults are Voyager Reference Guide...
  • Page 23: Redistributing Routes With Ospf

    It is not possible to create OSPF intra-area or inter-area routes by redistributing routes from the IPSRD routing table into OSPF. It is possible to redistribute from the IPSRD routing table only into OSPF ASE routes. In Voyager Reference Guide...
  • Page 24 For all interior routes, this AS path specifies IGP as the origin and no ASes in the AS path. The current AS is added when the route is redistributed. For BGP routes, the AS path is stored as learned from BGP. Voyager Reference Guide...
  • Page 25: How To Use Voyager

    Navigating in Voyager The following table explains the functions of the large blue buttons in Voyager. Other buttons are described in the inline help for each page. Note You can press buttons to produce a result when they have a dark shadow behind them.
  • Page 26 How to Use Voyager Button Description Apply Applies the settings on the current page (and any deferred applies from other pages) to the current (running) configuration file in memory. Config Takes you to the configuration page main menu. Contents Takes you to the online help table of contents.
  • Page 27 Online help consists of procedures for common tasks you can perform with Voyager. Note Buttons without shadows, such as those found in the Voyager online help instructions, do not function; they are there only for illustration. 1. Click the D button on the top of any Voyager page.
  • Page 28 If you want to view inline help for all of the fields and sections of a page: 1. Click the H button on any Voyager page. Text-only definitions and related information on fields, buttons, and sections appear in a separate window.
  • Page 29 Displays the online help in a new window. 3. Using the right button (middle button in UNIX) of your mouse, click the button. 4. Click O INK IN ROWSER INDOW Displays the inline (text-only) help in a new window. Voyager Reference Guide...
  • Page 30 How to Use Voyager Voyager Reference Guide...
  • Page 31: Command-Line Utility Files

    Command-Line Utility Files Chapter Contents CAMCONTROL MAIL MTRACE NETSTAT PCCARDD PING SSHD SSH-ADD SSH-AGENT SSH-KEYGEN TCPDUMP TELNET TFTPD TRACEROUTE Voyager Reference Guide...
  • Page 32 Command-Line Utility Files Voyager Reference Guide...
  • Page 33: Monitoring And Configuring System Resources

    Displaying Historical Interface Throughput Statistics Displaying Interface Linkstate Statistics Displaying Historical Interface Linkstate Statistics Displaying CPU Utilization Statistics Displaying Historical CPU Utilization Statistics Displaying Memory Utilization Statistics Displaying Historical Memory Utilization Statistics Monitoring System Health Monitoring System Logs Static Monitoring Voyager Reference Guide...
  • Page 34: Dynamic Monitoring

    Dynamic Monitoring Dynamic and Static Monitoring Described The monitoring features in Voyager give you the ability to better maintain system performance and security. You can also customize certain types of data collection to better help you manage and maintain system availability. The...
  • Page 35 5. (Optional) Enter the collection interval, in seconds, in the COLLECTION INTERVAL edit box for each data collection event. The default is 60 seconds. 6. Click APPLY. 7. Click S...
  • Page 36 Aggregation Class list. See Traffic Management, "Creating an Aggregation Class" and "Creating an Access Control List" in Voyager. 5. In the T field, click the check box either...
  • Page 37 Access List For The Name To Appear As A Choice In The Aggregation Class Drop-down Menu. See Traffic Management, "Creating an Aggregation Class" And "Creating an Access Control List" In Voyager. 7. In the T field, click the check box either...
  • Page 38 ELECT ORMAT field, click the button next to G or D . If RAPHICAL ELIMTED you select D , click on the Delimiter drop-down window ELIMITED and select either S (;) C (,) or T OLON OMMA Voyager Reference Guide...
  • Page 39 OGICAL 7. In the Type of Throughput field, click the check box next to P ACKET , or HROUGHPUT HROUGHPUT ROADCAST HROUGHPUT to select the type of throughput data you want ULTICAST HROUGHPUT to view. Voyager Reference Guide...
  • Page 40 (,) or T OLON OMMA Note The Graphical View displays information at the bottom of the page in a table. Delimited Text format displays the report as text in a new page from which you can download the information. Voyager Reference Guide...
  • Page 41 (,) or T OLON OMMA Note The Graphical View displays information at the bottom of the page in a table. Delimited Text format displays the report as text in a new page from which you can download the information. Voyager Reference Guide...
  • Page 42 To display CPU utilization statistics for a specific period of time, follow these instructions: 1. Click MONITOR on the home page. 2. Click the CPU Utilization link. 3. In the SELECT REPORT field, click the button next to DETAILED SEARCH...
  • Page 43 . The default is set to Hourly. AILY EEKLY ONTHLY 4. To select a format type for displaying the report, in the S ELECT ORMAT field, click the button next to G or D . If RAPHICAL ELIMTED Voyager Reference Guide...
  • Page 44 ELECT ORMAT field, click the button next to G or D . If RAPHICAL ELIMTED you select D , click on the Delimiter drop-down window ELIMITED and select either S (;) C (,) or T OLON OMMA Voyager Reference Guide...
  • Page 45: Monitoring System Health

    2. Click the Link under System Health for which you want to obtain statistics. Monitoring System Logs The following pages allow you to display updated system logs: System Message Log Web Server access Log Web Server error Log User Login/Logout Activity Voyager Reference Guide...
  • Page 46 Select Month drop-down list to activate this option. Click APPLY. You can also display system messages based on a keyword. Enter a keyword to search for in the system messages in the Keyword edit box. To make the...
  • Page 47 You can also include certain zipped files in your search. Click the appropriate check box in the Include Zipped Files in Search section. Click APPLY. The system log also displays messages generated by the Voyager AuditLog. For more information on how to configure the Voyager AuditLog, see Setting the Voyager AuditLog.
  • Page 48: Static Monitoring

    Time since join: Time since node joined the cluster. Work Assigned(%): Percentage of work load assigned to this node. To display the information, follow these instructions: 1. Click MONITOR on the home page. 2. Click the Cluster Monitor link to view cluster information...
  • Page 49 2. Click the Routing Protocol link for which you want to obtain statistics. Displaying Resource Settings This page displays system resource statistics. 1. Click MONITOR on the home page. 2. Click the Resource Statistics link to display system resource statistics...
  • Page 50: Displaying The Kernel Forwarding Table

    2. Click the Interface Settings link for the interface for which you want to obtain statistics. Displaying System Status To display system status information, follow these instructions: 1. Click MONITOR on the home page. 2. Click the System Status link...
  • Page 51 ONITOR 2. Click the Slot Status link. Displaying Cryptographic Acceleration States Use this procedure to monitor the Nokia Cryptographic Acceleration Card. 1. Click MONITOR on the home page. 2. Click the Cryptographic Accelerator Statistics link in the Hardware Monitoring section.
  • Page 52: Iclid Commands

    The following table shows examples of the top-level iclid element that may be displayed by the command as applied to each parameter, show Voyager Reference Guide...
  • Page 53 In the event of an excessively long list, type q. paths List of BGP paths; in the event of an excessively long list, type q. peers Summary information about peer firewalls. Voyager Reference Guide...
  • Page 54 BOOT protocols. <interface> BOOTP relay state of specified interface. stats Summary of BOOTP relay requests, and replies received and made. Summary of BOOTP relay requests received. Summary of BOOTP relay requests made. Summary of BOOTP relay replies made. Voyager Reference Guide...
  • Page 55 DVMRP packets. transmit A summary of statistical information about transmitted DVMRP packets. error A summary of DVMRP packets with errors. igmp State of IGMP. groups State of the IGMP groups maintained for each network interface. Voyager Reference Guide...
  • Page 56 Total memory usage as well as memory usage by each routing protocol. ospf border-routers Lists OSPF border routers and associated codes. database area Provides statistical data on OSPF database area. database-summary A database summary of the OSPF firewall. Voyager Reference Guide...
  • Page 57 Provides basic data on OSPF errors. OSPF dd errors. hello OSPF hello errors. OSPF interface protocol errors. lsack OSPF ls acknowledge errors. OSPF lsr errors. A list of OSPF lsu errors. proto OSPF protocol errors. Voyager Reference Guide...
  • Page 58 A comprehensive listing of resource statistics. A summary of information on the RIP routing process. errors A list of various RIP errors. Voyager Reference Guide...
  • Page 59 Data on RIP routes. static Data on static routes. Statistics on BGP routes. aspath List of parameters and status of BGP AS path. communities Status of BGP communities. detailed Details of BGP routes. metrics Status of BGP metrics. Voyager Reference Guide...
  • Page 60 Inactive OSPF routes. Inactive RIP routes. static Inactive static routes. ospf OSPF route data. RIP route data. static Static route data. summary Displays the number of routes for each protocol. version Operating system version information. vrrp VRRP state information. Voyager Reference Guide...
  • Page 61 The kernel module maintains a buffer of waiting log messages that it forwards through to the management module. The buffer is circular, so that high logging volumes can cause buffer entries to be overwritten before they are Voyager Reference Guide...
  • Page 62 Increase the size of the kernel module buffer Note To perform the following procedures, use the zap or modzap utility (which you can obtain from the Nokia Technical Assistance Center (TAC); refer to Resolution 1261). If you are using FireWall-1 4.1, do the following: 1.
  • Page 63 If the message indicates there are insufficient resources to accommodate a larger buffer size, take appropriate actions and try this procedure again. For further information, contact Nokia Technical Assistance Center (TAC). 4. After you verify that the change is appropriate, issue the same...
  • Page 64 5. Reboot the system. Because these console messages are also written to the FW-1 log message file, Nokia recommends that you do the following to prevent depleting the disk space allocated for the FW-1 log message file: 1. Move your log file(s) from the system hard drive to a server.
  • Page 65: Configuring Interfaces

    Changing the IP Address of a Gigabit Ethernet Interface Gigabit Ethernet Example Virtual LAN Interface Virtual LAN Description Configuring a VLAN Interface Defining the Maximum number of VLANs VLAN Example Topology FDDI Interfaces Configuring an FDDI Interface Changing the Duplex Setting of an FDDI Interface Voyager Reference Guide...
  • Page 66 Changing the VPI/VCIs of an ATM LIS Interface Changing the IP Address of an ATM LIS Interface Changing the IP MTU of an ATM Interface Removing an ATM Interface Serial (V.35 and X.21) Interfaces Configuring a Serial Interface for Cisco HDLC Voyager Reference Guide...
  • Page 67 Configuring OSPF over an Unnumbered Interface Using Virtual Links Cisco HDLC Protocol Changing the Keepalive Interval for Cisco HDLC Changing the IP Address in Cisco HDLC Point-to-Point Protocol Changing the Keepalive Interval in PPP Changing the Keepalive Maximum Failures in PPP Voyager Reference Guide...
  • Page 68 HA GRE Tunnel Example DVMRP Tunnels Creating a DVMRP Tunnel Changing the Local or Remote Addresses of a DVMRP Tunnel Removing a DVMRP Tunnel DVMRP Tunnel Example ARP Table Entries Changing ARP Global Parameters Adding a Static ARP Entry Voyager Reference Guide...
  • Page 69: Ethernet Interfaces

    100 M radio button in the PHYSICAL CONFIGURATION table LINK SPEED field to select the link speed. Note This setting must be the same for all hosts on the network to which the device connects...
  • Page 70 Interface Configuration page. 13. Click the O radio button that corresponds to the logical interface you have configured. Click APPLY. The Ethernet interface is now available for IP traffic and routing. To make your changes permanent, click S...
  • Page 71 1. Click CONFIG on the home page. 2. Click the Interfaces link. 3. Click the physical interface link you want to change in the PHYSICAL column...
  • Page 72 When Autoadvertise is enabled on an Ethernet interface, the device advertises its configured speed and duplex setting using Ethernet negotiation. 1. Click CONFIG on the Voyager home page. 2. Click the Interfaces link. 3. Click the Physical interface that you want to change in the Physical column.
  • Page 73 This section describes how you might configure the interfaces of your network application platform (unit) in an example network, using Voyager. Before you can configure the unit using Voyager, you must configure an IP address on one of the interfaces. You can do this through the unit console port...
  • Page 74 Server 00037 In a company's main office, Nokia Platform A terminates a serial line to an Internet service provider, running PPP with a keepalive value of 10. Nokia Platform A also provides internet access for a FDDI ring and a remote branch office connected via ATM PVC 93.
  • Page 75: Gigabit Ethernet Interfaces

    The branch office contains Nokia Platform B, which routes traffic between a local Fast Ethernet network and ATM PVC 52. It provides access to the main office and the Internet. We are configuring the Ethernet interface on Nokia Platform B.
  • Page 76 Click OGICAL NAME PPLY 9. (Optional) Add a comment to further define the logical interface's function in the COMMENTS edit box. Click APPLY. 10. Click the U button to go to the Interface Configuration page...
  • Page 77 Changing the IP Address of a Gigabit Ethernet Interface Note Do not change the IP address you use in your browser to access Voyager. If you do, you can no longer access the network application platform (unit) with your browser. 1. Click C on the home page.
  • Page 78 This section describes how you might configure the interfaces of your network application platform (unit) in an example network, using Voyager. Before you can configure the unit using Voyager, you must configure an IP address on one of the interfaces. You can do this through the unit’s console port during installation or by using the Lynx browser.
  • Page 79 192.168.4.xxx Server Server 00037 In a company's main office, Nokia Platform A terminates a serial line to an Internet service provider. Nokia Platform A also provides internet access for a FDDI ring and a remote branch office connected via ATM.
  • Page 80: Virtual Lan Interfaces

    Configuring Interfaces and the Internet. We are configuring the Gigabit Ethernet interface on Nokia Platform B. 1. Click CONFIG on the home page. 2. Click the Interfaces link. 3. Click eth-s2p1 in the PHYSICAL column of the table. 4.
  • Page 81 The Nokia implementation supports adding a logical interface with a VLAN ID to a physical interface. In a VLAN packet, the OSI layer-two header, or MAC header, contains four more bytes than the typical ethernet header for a total of 18 bytes. When traffic arrives at the physical interface, the system examines it for the VLAN layer-two header and accepts and forwards the traffic if a VLAN logical interface is configured.
  • Page 82 NTERFACE ELETE logical VLAN interface you want to delete. 5. Click APPLY, and then click S to make your change permanent. The entry for the logical VLAN interface disappears from the LOGICAL INTERFACES table...
  • Page 83 VLAN Example Topology The topology below represents a fully-redundant firewall with load sharing and VLAN. Each Nokia appliance running Check Point FW-1 is configured with the Virtual Router Redundancy Protocol (VRRP). This protocol provides dynamic fail-over of IP addresses from one router to another in the event of failure.
  • Page 84: Fddi Interfaces

    Un tagged 00203 FDDI Interfaces Configuring an FDDI Interface 1. Click CONFIG on the home page. 2. Click the Interfaces link. 3. Click the physical interface link you want to configure in the PHYSICAL column...
  • Page 85 11. Click the O radio button that corresponds to the logical interface you have configured, then click APPLY. The FDDI interface is now available for IP traffic and routing. To make your changes permanent, click S...
  • Page 86 This setting must be the same for all hosts on the network to which the device connects. To make your changes permanent, click S Voyager Reference Guide...
  • Page 87 This section describes how you might configure the interfaces of your network application platform (unit) in an example network, using Voyager. Before you can configure the unit using Voyager, you must configure an IP address on one of the interfaces. You can do this through the unit console port...
  • Page 88 Server 00037 In a company's main office, Nokia Platform A terminates a serial line to an Internet service provider, running PPP with a keepalive value of 10. Nokia Platform A also provides internet access for a FDDI ring and a remote branch office connected via ATM PVC 93.
  • Page 89: Isdn Interfaces

    The branch office contains Nokia Platform B, which routes traffic between a local Fast Ethernet network and ATM PVC 52. It provides access to the main office and the Internet. We are configuring the FDDI interface on Nokia Platform A.
  • Page 90 (ETSI) ISDN standard. The physical interface is the manageable representation of the physical connection to ISDN. One physical interface will be visible in Voyager for every ISDN BRI card in the Nokia Platform chassis. The physical interface enables management of the parameters specific to each ISDN connection. It permits enabling or disabling of the ISDN connection and is the entity under which logical interfaces are created.
  • Page 91 TEI O UTOMATIC ANUAL PTION (terminal-endpoint identifier) field in the PHYSICAL CONFIGURATION table. Generally, automatic TEIs are used with multipoint connections, while fixed TEIs are used in point-to-point configurations. 7. Click APPLY...
  • Page 92 NCAPSULATION REATE NEW OGICAL NTERFACE table, select whether to run PPP or multilink PPP on the interface; then click APPLY. A newly created logical interface appears in the INTERFACE column of the LOGICAL INTERFACES table...
  • Page 93 This entry defines the minimum number of seconds a call must be connected before it can be disconnected by an idle timeout. A value of 0 indicates that the call can be disconnected immediately upon expiration of Voyager Reference Guide...
  • Page 94 ASSWORD for PAP authentication, or the secret used to generate the challenge response for CHAP authentication. Note information must be the same as the EMOTE information (or its equivalent) at the remote end of the EMOTE link. Voyager Reference Guide...
  • Page 95 B-channel will be removed from operation. A utilization level of zero means that the second B-channel is never brought into operation. To bring the second B-channel into operation quickly, set the utilization level to a low number, such as one. Voyager Reference Guide...
  • Page 96 A new logical interface appears in the INTERFACE column of the LOGICAL INTERFACES table. 5. Click the logical interface name in the INTERFACE column of the LOGICAL INTERFACES table to go to the Interface page...
  • Page 97 14. In the F section of the A table, in the EMOTE UTHENTICATION edit box, enter the name that will be returned from the remote host when this host attempts to authenticate the remote host. Voyager Reference Guide...
  • Page 98 “ISDN Troubleshooting.” To configure Calling Line-Identification Screening Incoming calls to the Nokia Platform can be filtered using the calling number in the received SETUP message. Calling Line Identification (CLID) must be supported by the network to filter calls using the calling number.
  • Page 99 N radio button to have the incoming call answered. If Callback is set to Yes, the Nokia Platform uses the number in the REMOTE NUMBER field on the logical interface to make the outgoing call. 8.
  • Page 100 6. Enter the IP address for the local end of the connection in the LOCAL ADDRESS edit box. 7. Enter the IP address of the remote end of the connection in the REMOTE ADDRESS edit box. 8. Click the B Direction radio button...
  • Page 101 A Dial-on-Demand Routing (DDR) List is used to ascertain the packets which should bring up and maintain an ISDN connection. This section explains how to configure DDR Lists for ISDN interfaces. To aid in the discussion of DDR Voyager Reference Guide...
  • Page 102 Access list that had an associated action of drop, the packet will never be sent over the ISDN interface. After the packet is checked against the Access list, the DDR list applied to the interface (if any) is then checked. Voyager Reference Guide...
  • Page 103 DDR list name that you want to ELETE delete; then click APPLY. The DDR list name will disappear from the DDR List Configuration page. 4. To make your changes permanent, click S...
  • Page 104: Modifying A Rule

    2. Click the Dial on Demand Routing Configuration link under the Traffic Management section. 3. Locate the DDR list that contains the rule you want to modify. The following items can be modified: Action Source IP address Source mask length Destination IP address Destination mask length Voyager Reference Guide...
  • Page 105 3. Locate the appropriate DDR list. 4. Select the appropriate interface from the Add Interfaces drop-down window; then click APPLY. The new interface will appear in the Selected Interfaces section. 5. To make your changes permanent, click S...
  • Page 106 ANGE XISTING RULES RIP table. 6. Select from the Action drop-down window in the E XISTING ignore RIP table. RULES FOR 7. Select from the Add Interfaces drop-down window; then isdn-s2p1c1 click A PPLY 8. Click S Voyager Reference Guide...
  • Page 107: Isdn Network Configuration Example

    ISDN Network Configuration Example The following figure shows the network configuration for the example explained below. eth-s1p1 206.226.5.2 206.226.5.1 ISDN phone isdn-s4p1 206.226.15.1 number 384020 206.226.5.3 ISDN Cloud ISDN phone 206.226.15.2 isdn-s2p1 number 38400 eth-s3p1 192.168.24.66 192.168.24.65 192.168.24.67 00067 Voyager Reference Guide...
  • Page 108 7. Enter 206.226.15.1 in the REMOTE ADDRESS edit box in the INTERFACE INFORMATION table. 8. In the CONNECTION INFORMATION table, enter Main Office in the DESCRIPTION edit box so that the connection is easily identified...
  • Page 109 Interface page. OGICAL NTERFACES 6. Enter 206.226.15.1 in the LOCAL ADDRESS edit box in the INTERFACE INFORMATION table. 7. Enter 206.226.15.2 in the REMOTE ADDRESS edit box in the INTERFACE INFORMATION table...
  • Page 110 17. Click S Sample Call Traces Traces for call setup between the Nokia Platforms are shown below. The traces were produced by issuing the command “tcpdump -i <interface>” on each machine. Traffic was generated by doing a “ping 206.226.15.1” on IP300.
  • Page 111 06:23:49.102224 O B1: 206.226.15.2 > 206.226.15.1: icmp: echo request 06:23:49.102241 O B1: 206.226.15.2 > 206.226.15.1: icmp: echo request 06:23:49.102257 O B1: 206.226.15.2 > 206.226.15.1: icmp: echo request 06:23:49.128295 I B1: 206.226.15.1 > 206.226.15.2: icmp: echo reply 06:23:49.139918 I B1: 206.226.15.1 > 206.226.15.2: icmp: echo reply Voyager Reference Guide...
  • Page 112 15:10:12.549968 O B1: success 15:10:12.550039 O B1: ppp-ipcp: conf_req (addr) 15:10:12.557258 I B1: ppp-ipcp: conf_req (addr) 15:10:12.557300 O B1: ppp-ipcp: conf_ack (addr) 15:10:12.559629 I B1: ppp-ipcp: conf_ack (addr) 15:10:12.573896 I B1: 206.226.15.2 > 206.226.15.1: icmp: echo request Voyager Reference Guide...
  • Page 113: Isdn Troubleshooting

    A call being disconnected Setting Level of Messages to be Logged 1. Click CONFIG on the home page. 2. Click the Interfaces link. 3. Click the physical interface link you want to configure in the PHYSICAL column...
  • Page 114 If the -v option is used, Q.931 messages will be displayed. Also the fields in all PPP messages and their values will be displayed in an extended format. Tracing ISDN Traffic Using tcpdump 1. Create a telnet session and log into the firewall. 2. Type tcpdump -i <isdn-interface>
  • Page 115 A - Network beyond internetworking point Class of cause value Value of cause value (Optional) Diagnostic field that is always 8. (Optional) Diagnostic field that is one of the following values: 0 is Unknown, 1 is Permanent, and 2 is Transient
  • Page 116 Normal call clearing Note 12 User busy No user responding No answer from user (user alerted) Call rejected User-supplied diagnostic (Notes 4 & 12) Number changed Non-selected user clearing Designation out of order Invalid number format
  • Page 117 Quality of service See ISDN Cause Values table unavailable Requested facility not Facility identification (Note 1) subscribed Bearer capability not Note 3 authorized Bearer capability not Note 3 presently available Service or option not Note 3 available or specified
  • Page 118 A suspended call exists, but call identity does not exist Call identity in use No call suspended Call having the requested- Clearing cause call identity has been cleared Incompatible destination Incompatible parameter (Note 2) Invalid transit-network selection Invalid message, unspecified
  • Page 119 1. The coding of facility identification is network dependent. 2. Incompatible parameter is composed of incompatible information element identifier. 3. The format of the diagnostic field for cause 57, 58, and 65 is shown in the ITU-T Q.931 specification.
  • Page 120 Annex J of the ITU-T Q.931 specification. 11. The diagnostic field contains the entire transit network selection or network-specific facilities information element, as applicable. 12. Refer to ISDN Cause Codes table for the coding that is used.
  • Page 121: Token Ring Interfaces

    Example— tok-s3p1 The physical interface setup page is displayed. 4. In the R PEED column of the PHYSICAL CONFIGURATION table, select the desired value: 16 M or 4 M. There is no default value.
  • Page 122 , the configured IP address and mask length PPLY are added to the table. The entry fields remain blank to allow you to add more IP addresses. To enter another IP address and IP subnet mask length, repeat steps 12-13.
  • Page 123 3. In the PHYSICAL column, click the physical interface link you want to change. If you want to change only the properties of a logical interface, proceed to Step 6. Example— tok-s3p1 The physical interface setup page appears.
  • Page 124 There is no default. ADDRESS b. In the NEW MASK LENGTH field, enter the appropriate value. The range is 8-30, and there is no default. c. To delete an IP address, click the DELETE box.
  • Page 125: Token Ring Example

    PPLY 9. Click S Token Ring Example This section describes how you might use Voyager to configure the interfaces of your network application platform (unit) in an example network. Before you can configure interfaces using Voyager, you must first configure an IP address on one of the interfaces.
  • Page 126 192.168.3.5 Server Server (Optional) (Optional) tok-s1p1c0 (192.168.3.1) Nokia Platform B eth-s2p1c0 (192.168.4.1/24) 192.168.4.xxx 1. Click CONFIG on the home page. 2. Click the Interfaces link. 3. Select tok-s2p1 in the PHYSICAL column of the table.
  • Page 127 10. Click the logical interface link you want to configure in the LOGICAL column. 11. In the N field, enter the appropriate IP address. ADDRESS 12. In the NEW MASK LENGTH field, enter the appropriate value. 13. Click APPLY. 14. Click S...
  • Page 128: Point-to-Point Link over ATM

    ATM interface card supports them. The setting should match the type of transmission network to which the interface is connected. 5. Select F or L as the transmit clock choice in the REERUN IMING table. HYSICAL ONFIGURATION
  • Page 129 11. Enter a number in the IP MTU edit box to configure the device’s maximum length (in bytes) of IP packets transmitted in this interface. Click APPLY. The default value is 1500. Note: The maximum packet size must match the MTU of the link partner.
  • Page 130 5. Select the VPI/VCI range in the VPI/VCI RANGE CONFIGURATION selection box. 6. Select in the T selection box in the Create a new POINT POINT LLC/SNAP RFC1483 interface section. Enter the VPI/VCI number in the VPI/VCI edit box. Click APPLY.
  • Page 131 Changing the IP Address of an ATM Interface Note Do not change the IP address you use in your browser to access Voyager. If you do, you can no longer access the network application platform (unit) with your browser. 1. Click C on the home page.
  • Page 132 5. To make your changes permanent, click S Removing an ATM Interface 1. Click CONFIG on the home page. 2. Click the Interfaces link. 3. Click the physical interface link in the PHYSICAL column on the Interface Configuration page. Example— atm-s2p1
  • Page 133: ATM Example

    This section describes how you might configure the interfaces of your network application platform (unit) in an example network, using Voyager. Before you can configure interfaces using Voyager, you must first configure an IP address on one of the interfaces. You can do this through the unit console port during installation or by using the Lynx browser.
  • Page 134 Server 00037 In a company's main office, Nokia Platform A terminates a serial line to an Internet service provider, running PPP with a keepalive value of 10. Nokia Platform A also provides internet access for a FDDI ring and a remote branch office connected via ATM PVC 93.
  • Page 135 12. Click S Note The steps for configuring the ATM interface on Nokia Platform B are the same except that the VCI should be set to 52 when you create the logical interface and the IP addresses should be reversed.
  • Page 136: IP over ATM (IPoA)

    VPI/VCI numbers that will be used by the interface in the VPI/VCI edit box. The set of VPI/VCIs can be given as a comma-separated list of VPI/VCIs or VPI/VCI ranges such as 1/42, 1/48, 1/50-60. 8. Click APPLY.
  • Page 137 LOGICAL NAME edit box. Click APPLY. 14. (Optional) Add a comment to further define the logical interface’s function in the COMMENTS edit box. Click APPLY. 15. To make your changes permanent, click S...
  • Page 138 Changing the VPI/VCIs of an ATM LIS Interface Note Do not change the VCI address of the connection you are using. If you do, you can no longer access the network application platform (Nokia Platform) with your browser. 1. Click C on the home page.
  • Page 139 Changing the IP Address of an ATM LIS Interface Note Do not change the IP address you use in your browser to access Voyager. If you do, you can no longer access the network application platform (Nokia Platform) with your browser. 1. Click C on the home page.
  • Page 140 4. Find the ATM logical interface you want to remove in the LOGICAL INTERFACES table and click the corresponding DELETE button. Click APPLY. The ATM logical interface disappears from the list. 5. To make your changes permanent, click S...
  • Page 141: IPoA Example

    Voyager. Before you can configure interfaces using Voyager, you must first configure an IP address on one of the interfaces. You can do this through the Nokia Platform console port during installation or by using the Lynx browser. This allows a graphical browser such as Internet Explorer or Netscape Navigator to access the Nokia Platform through that interface.
  • Page 142 Nokia Platform A. The interface is connected to Nokia Platform B via ATM PVC 42 and to Nokia Platform C via ATM PVC 53. Nokia Platform B and Nokia Platform C are connected to each other via an ATM PVC; their ATM interfaces have already been configured.
  • Page 143: Serial (V.35 and X.21) Interfaces

    CISCO HDLC radio button in the ENCAPSULATION field. Click APPLY. A logical interface appears in the LOGICAL INTERFACES table. 8. Enter a number in the KEEPALIVE edit box to configure the Cisco HDLC keepalive interval. Click APPLY.
  • Page 144 To make your changes permanent, click S Configuring a Serial Interface for PPP 1. Click CONFIG on the home page. 2. Click the Interfaces link. 3. Click the physical interface link you want to configure in the PHYSICAL column. Example— ser-s2p1
  • Page 145 EEPALIVE MAXIMUM FAILURES This value sets the number of times a remote system may fail to send a keepalive protocol message within a keepalive interval before the system considers the link down. 10. Click APPLY.
  • Page 146 To make your changes permanent, click S Configuring a Serial Interface for Frame Relay 1. Click CONFIG on the home page. 2. Click the Interfaces link. 3. Click the physical interface link you want to configure in the PHYSICAL column.
  • Page 147 9. Click the DTE or DCE radio button in the INTERFACE field. DTE is the usual operating mode when the device is connected to a Frame Relay switch.
  • Page 148 16. Enter the IP address for the local end of the PVC in the LOCAL ADDRESS edit box. 17. Enter the IP address of the remote end of the PVC in the REMOTE ADDRESS edit box. Click APPLY.
  • Page 149: Serial Interface Example

    This section describes how you might configure the interfaces of your network application platform (unit) in an example network, using Voyager. Before you can configure the unit using Voyager, you must first configure an IP address on one of the interfaces. You can do this through the unit console port during installation or by using the Lynx browser.
  • Page 150 Server 00037 In a company's main office, Nokia Platform A terminates a serial line to an Internet service provider, running PPP with a keepalive value of 10. Nokia Platform A also provides internet access for a FDDI ring and a remote branch office connected via ATM PVC 93.
  • Page 151 Internet. We are configuring the serial interface on Nokia Platform A. 1. Click CONFIG on the home page. 2. Click the Interfaces link. 3. Select ser-s1p1 in the PHYSICAL column of the table. 4. Click the PPP radio button in the E field.
  • Page 152: T1 (with Built-In CSU/DSU) Interfaces

    Use T1 framing to divide the data stream into 64Kbps channels and to synchronize with the remote CSU/DSU. This setting must match the frame format used by the CSU/DSU at the other end of the point-to-point link.
  • Page 153 The T1 CSU/DSU Advanced Options page allows you to configure fractional T1 channels, line build-out values and other advanced settings for the T1 device. The values you enter on this page are dependent on the subscription provided by your service provider.
  • Page 154 I to O ; otherwise, set it to O . Internal NTERNAL LOCK clocking for T1 is fixed at 1.544Mbps. To configure slower speeds, you must configure fractional T1 on the Advanced T1 CSU/DSU Options page.
  • Page 155 10. Click the PPP radio button in the ENCAPSULATION field. Click APPLY. A logical interface appears in the LOGICAL INTERFACES table. 11. Enter a number in the KEEPALIVE edit box to configure the PPP keepalive interval. Click APPLY.
  • Page 156 18. Click Y or N in the N field. EGOTIATE AXIMUM ECEIVE Clicking Y enables the interface to send a request to negotiate an MRU with a peer. 19. Click APPLY.
  • Page 157 I to O ; otherwise, set it to O . Internal NTERNAL LOCK clocking for T1 is fixed at 1.544Mbps. To configure slower speeds, you must configure fractional T1 on the Advanced T1 CSU/DSU Options page.
  • Page 158 FDL type. 10. Click the FRAME RELAY radio button in the ENCAPSULATION field. Click APPLY. 11. Enter a number in the KEEPALIVE edit box to configure the frame relay keepalive interval. Click APPLY.
  • Page 159 16. (Optional) Click the Advanced Frame Relay Options link to go to the Frame Relay Advanced Options page. The Frame Relay Advanced Options page allows you to configure frame relay protocol and LMI parameters for this device.
  • Page 160 LOGICAL NAME edit box. Click APPLY. 24. (Optional) Add a comment to further define the logical interface’s function in the COMMENTS edit box. Click APPLY. To make your changes permanent, click S...
  • Page 161: T1 Interface Example

    This section describes how you might use Voyager to configure the interfaces of your network application platform (unit) in an example network. Before you can configure the unit using Voyager, you must first configure an IP address on one of the interfaces. You can do this through the console port during installation or by using the Lynx browser.
  • Page 162 Server 00037 In a company's main office, Nokia Platform A terminates a T1 line to an Internet service provider, running PPP with a keepalive value of 10. The T1 line uses B8ZS line encoding, Extended Super Frame, T1 framing, and 64 Kbps channels.
  • Page 163 Internet. We are configuring the serial interface on Nokia Platform A. 1. Click CONFIG on the home page. 2. Click the Interfaces link. 3. Select ser-s1p1 in the PHYSICAL column of the table. 4. Click the B8ZS radio button in the T1 E field.
  • Page 164: E1 (with Built-In CSU/DSU) Interfaces

    RAMING field to select the E1 framing format. RAMING Use E1 framing to select whether timeslot-0 is used for exchanging signaling data. 8. Click the O or O radio button for the E1 CRC-4 FRAMING field.
  • Page 165 Click APPLY. This value sets the interval, in seconds, between keepalive protocol message transmissions. These messages are used periodically to test for an active remote system. The range is 0-255. The default is 10.
  • Page 166 Click A OMMENTS PPLY To make your changes permanent, click S Note Try and ping the remote system from the command prompt. If the remote system does not work, contact your service provider to confirm the configuration.
  • Page 167 RAMING field to select the E1 Framing format. RAMING Use E1 framing to select whether timeslot-0 is used for exchanging signaling data. 8. Click the O or O radio button for the E1 CRC-4 FRAMING field.
  • Page 168 EEPALIVE interval. Click APPLY. This value sets the interval, in seconds, between keepalive protocol message transmissions. These messages are used periodically to test for an active remote system. The range is 0-255. The default is 5.
  • Page 169 N field. EGOTIATE AXIMUM ECEIVE Clicking Y enables the interface to send a request to negotiate an MRU with a peer. 19. Click APPLY. 20. Click U to return to the Physical Interface page.
  • Page 170 E1 device. Click APPLY. If you’re connecting to a device or system that does not provide a clock source, set I to O ; otherwise, set it to O . Internal NTERNAL LOCK...
  • Page 171 CSU/DSU at the other end of the link. 9. Click the O or O radio button for the E1 TIMESLOT-16 FRAMING then click APPLY. Note: This option appears only if you have set the E1 FRAMING field to CHANNEL FRAMING
  • Page 172 The E1 CSU/DSU Advanced Options page allows you to configure fractional E1 channels and other advanced settings for the E1 device. The values you enter on this page are dependent on the subscription provided by your service provider.
  • Page 173 21. Enter the IP address for the local end of the PVC in the LOCAL ADDRESS edit box. 22. Enter the IP address of the remote end of the PVC in the REMOTE ADDRESS edit box. Click APPLY.
  • Page 174: HSSI Interfaces

    NTERNAL LOCK the serial device. Click APPLY. Set the internal clock to O when you are connecting to a device or system that does not provide a clock source. Otherwise, set the internal clock to O...
  • Page 175 11. Enter the IP address of the remote end of the link in the REMOTE ADDRESS edit box. Click APPLY. 12. (Optional) Change the interface’s logical name to a more meaningful one by typing the preferred name in the LOGICAL NAME edit box. Click APPLY.
  • Page 176 7. Click the PPP radio button in the ENCAPSULATION field. Click APPLY. A logical interface appears in the LOGICAL INTERFACES table. 8. Enter a number in the KEEPALIVE edit box to configure the PPP keepalive interval. Click APPLY.
  • Page 177 17. Enter the IP address for the local end of the link in the LOCAL ADDRESS edit box. 18. Enter the IP address of the remote end of the link in the REMOTE ADDRESS edit box. Click APPLY.
  • Page 178 6. Click the FULL DUPLEX or LOOPBACK radio button in the CHANNEL field. Full duplex is the normal mode of operation.
  • Page 179 The values you enter are dependent on the settings of the frame relay switch to which you are connected or to the subscription provided by your service provider. 12. From the Frame Relay Advanced Options page, click the U button to return to the Physical Interface page.
  • Page 180: Unnumbered Interfaces

    Traditionally, each network interface on an IP host or router has its own IP address. This situation can cause inefficient use of the scarce IP address space because every point-to-point link must be allocated an IP network prefix. To...
  • Page 181 IP packet. Thus, for a router to have an unnumbered interface, it must have at least one IP address assigned to it. The Nokia implementation of Unnumbered Interfaces supports OSPF (Open Shortest Path First) and Static Routes only. Virtual links are not supported.
  • Page 182 If the proxy interface has multiple IP addresses associated with it, you can delete or add addresses. A proxy interface must have at least one IP address associated with it. 8. To make your changes permanent, click S...
  • Page 183 This interface must not be the next hop of a static route. 4. Click the N radio button in the UNNUMBERED INTERFACE field. 5. Click APPLY. 6. To make your change permanent, click S Note You must now configure a numbered logical interface.
  • Page 184 OGICAL unnumbered interfaces that are configured. Select the unnumbered logical interface you want to use as a next-hop gateway to the destination network. 10. Click APPLY, and then click S to make your change permanent.
  • Page 185 Platform B Platform A Unnumbered Serial Link Backbone 00043 1. Configure the interfaces on Nokia Platform A and Nokia Platform B as in “Configuring an Unnumbered Interface.” 2. For each Nokia Platform, configure an OSPF area as in “Configuring OSPF.”...
  • Page 186 Backbone area. Thus, a virtual link is configured between Nokia Platform A and Nokia Platform C. A virtual link is also configured between Nokia Platform B and Nokia Platform C because Nokia Platform B also is not physically connected to the Backbone area. Both Nokia Platform B and Nokia...
  • Page 187 Host PC Area 2 00044 The interfaces that comprise the virtual link between Nokia Platform A and Nokia Platform C are both configured as unnumbered. This link will fail because OSPF does not support a virtual link that uses an unnumbered interface on either end of the link.
  • Page 188: Cisco HDLC Protocol

    Configuring Interfaces The virtual link between Nokia Platform B and Nokia Platform C will function because each Nokia Platform is configured with an IP address. Cisco HDLC Protocol Changing the Keepalive Interval for Cisco HDLC 1. Click C on the home page.
  • Page 189: Point-to-Point Protocol

    Changing the IP Address in Cisco HDLC Note Do not change the IP address you use in your browser to access Voyager. If you do, you can no longer access the network application platform (unit) with your browser. 1. Click C on the home page.
  • Page 190 Click APPLY. This value sets the number of times the remote system may fail to send a keepalive protocol message within the keepalive interval before this network application platform (unit) considers the link down.
  • Page 191 Changing the IP Address in PPP Note Do not change the IP address you use in your browser to access Voyager. If you do, you can no longer access the network application platform (unit) with your browser. 1. Click C on the home page.
  • Page 192: Frame Relay Protocol

    To move an IP address from one PVC to another, you must first delete the logical interface for the old PVC, then create a new logical interface for the new PVC. 1. Click CONFIG on the home page. 2. Click the Interfaces link.
  • Page 193 11. (Optional) Add a comment to further define the logical interface’s function in the COMMENTS edit box. Click APPLY. To make your changes permanent, click S Changing the LMI Parameters in Frame Relay 1. Click CONFIG on the home page. 2. Click the Interfaces link.
  • Page 194 DTE. You may need to change the interface type to DCE if it is connected point-to-point with another router. 1. Click CONFIG on the home page. 2. Click the Interfaces link. 3. Click the physical interface link you want to change in the PHYSICAL column. Example— ser-s2p2
  • Page 195 Changing the IP Address in Frame Relay Note Do not change the IP address you use in your browser to access Voyager. If you do, you can no longer access the network application platform (unit) with your browser. 1. Click C on the home page.
  • Page 196 4. Find the logical interface you wish to remove and click the corresponding DELETE button in the LOGICAL INTERFACES table. Click APPLY. This removes the logical interface from the list. To make your changes permanent, click S...
  • Page 197: Loopback Interfaces

    To make your changes permanent, click S Changing the IP Address of a Loopback Interface 1. Click CONFIG on the home page. 2. Click the Interfaces link. 3. Click the loopback logical interface link in the LOGICAL column loop0c0
  • Page 198: GRE Tunnels

    , the new PPLY tunnel appears in the logical interfaces table. 6. Click the logical interface name in the INTERFACE column of the Logical interfaces table to go to the Interface page for the specified tunnel.
  • Page 199 QoS features and possibly improve the routing of important packets. By default, the TOS bits are copied from the inner IP header to the encapsulating IP header.
  • Page 200 5. (Optional) Enter the IP address of the remote end of the GRE tunnel in the REMOTE ADDRESS edit box. The remote address cannot be one of the system’s interface addresses and must be the local address configured for the GRE tunnel at the remote router.
  • Page 201 By default, the TOS bits are copied from the inner IP header to the encapsulating IP header. If the desired TOS value is not displayed in the drop-down window, select CUSTOM VALUE from the menu. Click APPLY. An entry field appears.
  • Page 202 4. Locate the tunnel logical interface you want to delete in the LOGICAL INTERFACES table and click the corresponding DELETE checkbox. 5. Click APPLY. The tunnel logical interface disappears from the list. 6. To make your changes permanent, click S...
  • Page 203: GRE Tunnel Example

    5. Click APPLY. 6. From the INTERFACE column on the Logical interfaces table, select tun01. 7. Enter 10.0.0.1 in the LOCAL ADDRESS edit box. 8. Enter 10.0.0.2 in the REMOTE ADDRESS edit box.
  • Page 204 15. To make changes permanent, click S HA GRE Tunnels Description High Availability GRE Tunnels provide redundant encrypted communication among multiple hosts. They are created by performing the procedures associated with the configuration of GRE tunnels, OSPF, VRRP, and Check Point firewall.
  • Page 205: HA GRE Tunnel Example

    In our example, we configure two-way tunnels between IP Units 1 and 2, and IP Units 3 and 4. Since the steps required to configure a HA GRE tunnel are addressed in the appropriate sections of this reference guide, they will not be...
  • Page 206 Site A 192.168.0.X/24 192.168.0.1 192.168.0.2 Nokia Nokia Platform 1 170.0.0.1 Platform 3 170.0.1.1 10.0.0.1 11.0.0.1 Internet VPN Tunnel VPN Tunnel 10.0.0.2 11.0.0.2 171.0.0.1 171.0.1.1 Nokia Nokia Platform 2 Platform 4 192.168.1.1 192.168.1.2 192.168.1.X/24 Remote PCs Site B 00002
  • Page 207 2. OSPF provides redundancy in case a tunnel goes down. OSPF detects when the firewall at the other end of an HA GRE tunnel is no longer reachable and then obtains a new route using the backup HA GRE tunnel...
  • Page 208 IP addresses. The firewall needs to be configured to accept all packets with the original IP header so the encapsulation can take place. An encrypt rule is then defined to encrypt those packets matching the tunnel endpoints.
  • Page 209: DVMRP Tunnels

    The local address must be one of the system’s interface IP addresses and must also be the remote address configured on the DVMRP tunnel on the remote router. 8. Enter the IP address of the remote end of the DVMRP tunnel in the REMOTE ADDRESS edit box.
  • Page 210 4. (Optional) Enter the IP address of the local end of the DVMRP tunnel in the LOCAL ADDRESS edit box. The local address must be one of the system’s interface IP addresses and must also be the remote address configured on the DVMRP tunnel on the remote router.
  • Page 211: DVMRP Tunnel Example

    Internet Service Provider (ISP). This ISP provides a multicast traffic tunnel. Multicast traffic uses the address space above 224.0.0.0 and below 238.0.0.0. Multicast traffic is different from unicast (point-to-point) traffic in that it is one-to-many traffic forwarded by routers.
  • Page 212 This tunnel has a present endpoint of 22.1/24. A DVMRP tunnel set up on Nokia Platform A points to 22.254/24. 1. Initiate a Voyager session to Nokia Platform A. In this example, we use Nokia Platform A as the starting point.
  • Page 213 17. (Optional) Define the time-to-live (TTL) threshold for the multicast datagram. Enter it as follows in the THRESHOLD edit box: We use 128 for the purpose of broadcasting. A 128 TTL is defined as internet broadcast.
  • Page 214: ARP Table Entries

    The range of retry limit is 1 to 100 and the default value is 3. 5. If your network configuration requires it, click the button to enable the appliance to accept multicast ARP replies.
  • Page 215 Add a New Proxy DDRESS ARP Entry section. 4. In the INTERFACE field of the Add a new Proxy ARP Entry section, select the interface whose MAC address is returned in ARP replies.
  • Page 216 2. Click the ARP link under the Interfaces section. 3. Click the Display or Remove Dynamic ARP Entries link. 4. Click the check box in the DELETE column next to the ARP entry you want to delete. Click APPLY.
  • Page 217: Configuring ARP for the ATM Interface

    ARP entries. The range of Keep Time value is 1–900 seconds (15 minutes). Timeout specifies an InATMARP request retransmission interval in seconds. Voyager enforces that the timeout must be less than a third of Keep Time. The Range of Timeout value is 1-300 with a default value of five seconds.
  • Page 218 The newly created static ATM ARP entry appears in the STATIC ARP ENTRIES table. The IP datagrams destined to the IP address of the entry will be sent to the PVC specified in the entry. 7. To make your changes permanent, click S...
  • Page 219 Deleting a dynamic entry triggers a transmission of an InATMARP request on the PVC. If the remote end responds and its IP address has not changed, a new dynamic ATM ARP entry identical to the deleted one appears in the table immediately.
  • Page 220 Configuring Interfaces
  • Page 221: Configuring Routing

    RIP Example PIM (Protocol-Independent Multicast) PIM Description Configuring Dense-Mode PIM (PIM-DM) Disabling PIM Setting Advanced Options for Dense-Mode PIM (Optional) Configuring Sparse-Mode PIM (PIM-SM) Configuring High-Availability Mode Configuring this Router as a Candidate Bootstrap and Candidate Rendezvous Point
  • Page 222 Configuring Multiple Static Routes Adding and Managing Static Routes Example Backup Static Routes Backup Static Routes Description Creating a Backup Static Route Deleting a Backup Static Route Route Aggregation Route Aggregation Description Creating Aggregate Routes Removing Aggregate Routes
  • Page 223 Adjusting BGP Timers Example TCP MD5 Authentication Example BGP Route Dampening Example BGP Path Selection Redistributing Routes BGP Route Redistribution Example Redistributing RIP to OSPF Example Redistributing OSPF to BGP Example Inbound Route Filters Description Configuration of IGP Inbound Filters
  • Page 224: OSPF (Open Shortest Path First)

    Type 2 ASEs are used for routes whose metrics are not comparable to OSPF internal metrics. In this case, only the external OSPF cost is used. In the event of ties, the least cost to an AS border router is used.
  • Page 225 In addition, a sequence number is maintained to prevent the replay of older packets. This method provides stronger assurance that routing data originated from a router with a valid authentication key.
  • Page 226: Configuring Ospf

    Rather than redefine an ABR, the Nokia implementation includes in its routing calculation summary LSAs from all actively attached areas if the ABR does not have an active backbone connection, means that the backbone is actively attached and includes at least one fully adjacent neighbor.
  • Page 227 12. (Optional) To add a new stub network: a. Enter the prefix in the ADD NEW STUB NETWORK PREFIX box. b. Enter the mask length in the MASK LENGTH edit box. c. Click APPLY.
  • Page 228 MD5 password (in the MD5 SECRET edit box); then click APPLY. 15. To make your changes permanent, click S Configuring OSPF Example This example consists of the following: Enabling OSPF with backbone area (Area 0) on one interface
  • Page 229 Nokia Platform A and Nokia Platform B are on the backbone area. Nokia Platform D is on Area 1. The routes in Area 0 are learned by Nokia Platform D when the area border router (Nokia Platform C) injects summary link state advertisements (LSAs) into Area 1.
  • Page 230: RIP (Routing Information Protocol)

    A AREA PPLY 10. Click S 11. Initiate a Voyager session to Nokia Platform D. 12. Click C on the home page. ONFIG 13. Click the OSPF link in the Routing Configuration section.
  • Page 231 16 characters is included in the packet. If this does not match what is expected, the packet is discarded. This method provides very little security, as it is possible to learn the authentication key by watching RIP packets.
  • Page 232 Our implementation of RIP 1 supports auto summarization; this allows the router to aggregate and redistribute non-classful routes in RIP 1. Voyager Interface Using Voyager, you can configure the following options. Version: You can use either RIP 1 or RIP 2.
  • Page 233: Configuring RIP

    ETRIC then click APPLY. 7. (Optional) If you want to configure the interface to not accept updates, click on the radio button in the ACCEPT UPDATES field; then click APPLY.
  • Page 234: Configuring RIP Timers

    Cisco Interoperability field. The default is , which means that RIP MD5 is set to conform to Nokia platforms. Click A PPLY To make your changes permanent, click S Configuring RIP Timers Configuring RIP timers allows the user to vary the frequency with which updates are sent as well as when routes are expired.
  • Page 235 3. To enable auto-summarization click the radio button in the A field; then click A UMMARIZATION PPLY 4. To disable auto-summarization click the radio button in the A field; then click A UMMARIZATION PPLY 5. To make your changes permanent, click S Voyager Reference Guide...
  • Page 236: RIP Example

    3. Click the RIP link in the Routing Configuration section. 4. Click the radio button for the eth-s2p1c0 interface; then click APPLY. 5. Click the radio button in the VERSION 2 field for the eth-s2p1c0 interface; then click APPLY.
  • Page 237: Protocol-Independent Multicast (PIM)

    (DVMRP). Like DVMRP, dense-mode PIM uses Reverse Path Forwarding and the flood-and-prune model. Sparse mode is most useful when: There are few receivers in a group. Senders and receivers are separated by WAN links. The type of traffic is intermittent.
  • Page 238 LOCAL ADDRESS PIM will use this address to send advertisements on the interface. Note If neighboring routers choose advertisement addresses that do not appear to be on a shared subnet, all messages from the neighbor will be...
  • Page 239: Disabling PIM

    PIM. To disable PIM entirely, click the OFF radio button next to each interface that is currently running PIM. 4. Click APPLY, and then click SAVE to make your change permanent.
  • Page 240 8. Click on the Advanced PIM Options Link. In the General Timers section, enter a value for the hello interval (in seconds) in the HELLO INTERVAL edit box. The router uses this interval to send periodic Hello messages on the LAN.
  • Page 241 15. In the Assert Ranks section, enter a value for the routing protocol(s) you are using in the appropriate edit box. Assert Rank values are used to compare protocols and determine which router forwards multicast packets...
  • Page 242 This option is useful only when multiple addresses are configured on the interface. Note If neighboring routers choose advertisement addresses that do not appear to be on a shared subnet, then all messages from the neighbor...
  • Page 243 If any PIM-enabled interface goes down or all its valid addresses are deleted, then all PIM-enabled interfaces become unavailable and remain in that state until all interfaces are back up.
  • Page 244 A PIM router on a shared LAN must have at least one interface address with a subnet prefix shared by all neighboring PIM routers.
  • Page 245 4. Click APPLY. 5. In the Interfaces section, click the ON button(s) for each interface on which you want to run PIM. Note There is no limit to the number of interfaces on which you can run PIM.
  • Page 246 Configure an address for the Candidate Rendezvous Point to select the local address used in candidate-RP-advertisements sent to the elected bootstrap router. By default, the router chooses an address from one of the interfaces on which PIM is enabled.
  • Page 247 5. In the Interfaces section, click the ON radio button(s) for each interface on which you want to run PIM. Note There is no limit to the number of interfaces on which you can run PIM. 6. Click APPLY.
  • Page 248 3. In the PIM INSTANCE field, click the ON radio button for sparse. 4. Click APPLY. 5. In the Interfaces section, click the ON radio button(s) for each interface on which you want to run PIM.
  • Page 249 APPLY 12. (Optional) In the General Timers section, enter a value for the hello interval (in seconds) in the HELLO INTERVAL edit box. The router uses this interval to send periodic Hello messages on the LAN.
  • Page 250 19. (Optional) In the Assert Ranks section, enter a value for the routing protocol(s) you are using in the appropriate edit box. Assert Rank values are used to compare protocols and determine which router forwards...
  • Page 251: Debugging PIM

    APPLY Debugging PIM Below are some useful iclid commands to assist you in debugging PIM: show pim interface: shows which interfaces are running PIM, their status, and the mode they are running. This command also displays the...
  • Page 252 RP-set. show pim sparse-mode statistics: shows error statistics for multicast forwarding cache (MFC); Bootstrap Router (BSR) messages; Candidate Rendezvous Point (CRP) advertisements; and the Internet Group Management Protocol (IGMP).
  • Page 253 Bootstrap: traces bootstrap messages. CRP: traces candidate-RP-advertisements. RP: traces RP-specific events, including both RP set-specific and bootstrap-specific events. Register: traces register and register-stop packets. The following trace option applies to dense-mode implementations only: Graft: traces graft and graft acknowledgment packets
  • Page 254: IGRP (Inter-Gateway Routing Protocol)

    Current edition number of the routing table Checksum of the update message Count of the number of routes included List of route entries There are three types of route entries in an IGRP update packet: Interior System Exterior
  • Page 255 If all the following are true, the route is deleted and put into a holddown: Holddowns are enabled. Route entry comes from the originator of the route. Calculated composite metric is worse than the existing route’s composite metric by more than 10%.
  • Page 256 (that is, those that have trailing data on a request packet, have non-zero data in a field that must be zero, or have route counts in an update packet that do not agree with the actual packet size) are rejected. Other...
  • Page 257 In the absence of a default or more general route, packets destined for this address are dropped. Other implementations continue to forward packets to routes marked as unreachable until a route is flushed from the table.
  • Page 258: Generation Of Exterior Routes

    IGRP as opposed to the complete interface (all addresses of the interface). IGRP Aggregation Most routing aggregation occurs only if explicitly configured; therefore, it is worth noting some of the implicit aggregation that occurs in IGRP. By...
  • Page 259: Configuring IGRP

    (for example, 100 for 10Mbps Ethernet); then click APPLY. The delay is measured in units of 10 microseconds. 7. (Optional) Enter a new bandwidth metric in the BANDWIDTH edit box for each interface (for example, 1000 for 10Mbps Ethernet); then click APPLY.
  • Page 260 16. (Optional) In the Protocol section, click the Y radio button in the N HECK field; then click APPLY. Leave this field set to N to interoperate with Cisco equipment. 17. To make your changes permanent, click SAVE.
  • Page 261 A larger MTU will reduce the IGRP cost. 10. Click the radio button for eth-s1p1c0; then click APPLY. Note You must have an IGRP license and the option selected on the Licenses page to use this feature.
  • Page 262: DVMRP (Distance Vector Multicast Routing Protocol)

    DVMRP adds the encapsulation when a packet enters a tunnel and removes it when the packet exits from a tunnel. The packets are encapsulated using the IP-in-IP protocol (IP protocol number 4). This tunneling mechanism...
  • Page 263: Configuring DVMRP

    Supports the Monitoring template Correctly tracks the number of subordinate routers per route Voyager Interface Using Voyager, you can configure the following options: DVMRP interfaces New minimum time to live (TTL) threshold for each interface New cost metric for sending multicast packets for each interface Configuring DVMRP 1.
  • Page 264: IGMP (Internet Group Management Protocol)

    This exchange allows the multicast routers to maintain a database of all active host groups on each of their attached subnets. A group is declared inactive (expired) when no report has been received for several query intervals.
  • Page 265 Features Complete IGMPv.2 functionality Multicast traceroute Complete configurability of protocol timers Administratively-blocked groups Support for interfaces with secondary addresses ICLID wizards Monitoring template Voyager Interface Using Voyager, you can configure the following options. Version number Loss robustness
  • Page 266: Configuring IGMP

    9. (Optional) Enter the last member query interval in the LAST MEMBER QUERY INTERVAL edit box; then click APPLY. 10. (Optional) Click either the DISABLE ROUTER ALERT ON radio buttons; then click APPLY. 11. To make your changes permanent, click SAVE.
  • Page 267: Static Routes

    A reject static route is a route that uses the loopback address as the next hop. This route discards packets that match the route for a given destination and sends an ICMP unreachable message back to the sender of the packet.
  • Page 268 7. Enter the IP address of the default router in the GATEWAY edit box; then click APPLY. 8. To disable a default route, click the radio button in the DEFAULT field; then click APPLY. 9. To make your changes permanent, click SAVE.
  • Page 269 IP address of the gateway. 7. Click APPLY. 8. Enter the IP address of the next hop router in the GATEWAY edit box; then click APPLY. 9. To make your changes permanent, click SAVE.
  • Page 270 IP addresses for each static route you want to add. Use the following format: IP address/mask length next hop IP address The IP addresses must be specified in a dotted-quad format ([0-255].[0-255].[0-255].[0-255]). The range for the mask length is 1-32.
  • Page 271 Static Routes page. OUTE Note The text box displays any entries that contain errors. Error messages appear at the top of the page. 7. Click SAVE to make your changes permanent.
  • Page 272: Adding And Managing Static Routes Example

    Remote PCs 00345 In this example, Nokia Platform A is connected to the Internet, and there is no routing occurring on the interface connected to the Internet (no OSPF or BGP). Between Nokia Platform B and Nokia Platform C, there is a corporate WAN, and there is no routing occurring on this link.
  • Page 273 PPLY 192.168.22.1 You should now have one static default route in your routing tables on Nokia Platform A. In order for the rest of the network to know about this route, you must redistribute the static route to OSPF. After completing this task, any gateway connected to Nokia Platform B has the default route with 192.168.22.1 as the nexthop in the routing tables.
  • Page 274: Backup Static Routes

    The IP address of the additional gateway that you entered appears in the Gateway column, and new ADDITIONAL GATEWAY and PRIORITY edit boxes are displayed. To add more backup static routes, repeat steps 3 and 4.
  • Page 275: Route Aggregation

    Aggregate routes are not actually used for packet forwarding by the originator of the aggregate route, only by the receiver. A router receiving a packet that does not match one of the component routes that led to the generation of an...
  • Page 276 Removing Aggregate Routes 1. Click CONFIG on the home page. 2. Click the Aggregation link in the Routing Configuration section. 3. Click the radio button for the aggregate route you want to disable; then click APPLY.
  • Page 277: Route Aggregation Example

    00344 In the above example Nokia Platform B, Nokia Platform C, and Nokia Platform D are running OSPF with the backbone area. Nokia Platform A is running OSPF on one interface and RIP 1 on the backbone side interface. Assume that all the interfaces are configured with the addresses and the routing protocol as shown above.
  • Page 278: Route Rank

    (IGP); this is accomplished automatically by the protocol and is based on the protocol metric. You can use rank to select routes from the same external gateway protocol (EGP) learned from different peers or autonomous systems.
  • Page 279: Rank Assignments

    The table below summarizes the default rank values. Preference of Default Interface routes OSPF routes Static routes IGRP routes RIP routes Aggregate routes OSPF AS external routes BGP routes
  • Page 280: Routing Protocol Rank Example

    RIP Network Routed Enabled 22.0/24 Corporate Net 26.79/28 26.80/28 00337 In the figure, the top part of network is running OSPF and the bottom part of network is running RIP. Nokia Platform D learns network 192.168.22.0 from...
  • Page 281: BGP (Border Gateway Protocol)

    RIP from bottom of the network, and OSPF from top of the network. When other hosts want to go to 192.168.22.0 through Nokia Platform D, Nokia Platform D can select one protocol route, such as OSPF route first, to reach the destination. If that route is broken, then Nokia Platform D uses another available route to reach destination.
  • Page 282 Internal BGP sessions carry at least one metric in the path attributes that BGP calls the local preference. The size of the metric is identical to the MED. The use of these metrics is dependent on the type of internal protocol processing.
  • Page 283: BGP Path Attributes

    BGP does not read information formed by the kernel message by message. Instead, it fills the input buffer. BGP processes all complete messages in the buffer before reading again. BGP also performs multiple reads to clear all incoming data queued on the socket.
  • Page 284 BGP speakers. The BGP speaker that receives this route cannot remove the ATOMIC_AGGREGATE attribute or make any NLRI (Network Layer Reachability Information) of the route more specific. This is used only for debugging purposes.
  • Page 285: BGP Interactions With IGPs

    Interior Gateway Protocol (IGP) used by that particular AS. In general, traffic that originates outside of a given AS passes through both interior gateways (gateways that support the IGP only) and border gateways (gateways that support both the IGP and BGP). All interior gateways receive information...
  • Page 286: Inbound BGP Route Filters

    BGP stores rejected routes in the routing table with a negative preference. A negative preference prevents a route from becoming active and prevents it from being installed in the forwarding table or being redistributed to other...
  • Page 287 BGP sources are present in the redistribution list. Note If BGP routes are being redistributed into IBGP, the local preference cannot be overridden, and this parameter is ignored for IBGP sources. The same is true for confederation peers (CBGP).
  • Page 288 NO_EXPORT_SUBCONFED(0xFFFFFF03) Is not advertised to external BGP peers. This includes peers in other members’ autonomous systems inside a BGP confederation. Refer to the communities documents (RFCs 1997 and 1998 as of this writing) for further details.
  • Page 289: Route Reflection

    In this case, a cluster ID should be selected to identify all reflectors serving the cluster, using the cluster ID keyword. Note Unnecessary use of multiple redundant reflectors is not advised as it increases the memory required to store routes on the peers of redundant reflectors.
  • Page 290 (RDI). The RDI has the same syntax as an AS number, but as it is not visible outside of the confederation, it does not need to be globally unique, although it does need to be unique within the confederation. Many...
  • Page 291 AS1 has seven BGP-speaking routers grouped under different routing domains: RDI A, RDI B, and RDI C. Instead of having a full-mesh connection among all seven routers, you can have a full-meshed connection just within a routing domain.
  • Page 292: EBGP Multihop Support

    Address 00330 Router A and Router B are connected by two parallel serial links. We provide fault tolerance and enable load-balance by enabling EBGP multihop and using addresses on the loopback interface for the EBGP peering sessions.
  • Page 293: Route Dampening

    Internet. The TCP MD5 option allows BGP to protect itself against the introduction of spoofed TCP segments into the connection stream. To spoof a connection...
  • Page 294: BGP Memory Requirements

    Local RIB: Multiply the number of routes accepted by a local policy by the size of each local route entry. Outbound RIB: Multiply the number of peers by the number of routes advertised, then multiply this value by the size of each BGP outbound route entry.
  • Page 295 Check Point, xpand etc. To find out how much memory IPSRD occupies, run this command: ps -auxww | grep ipsrd The fourth column labeled %MEM displays the percentage of memory that IPSRD occupies.
  • Page 296: BGP Neighbors Example

    Platform E AS200 AS300 00331 Configuring IBGP on Nokia Platform A 1. Configure the interface as in “Configuring an Ethernet Interface” 2. Configure an internal routing protocol such as OSPF or configure a static route to connect the platforms within AS100 to each other. For more information see “Configuring OSPF”...
  • Page 297 10.50.10.2 click APPLY. Configuring IBGP on Nokia Platform B 1. Configure the interface as in “Configuring an Ethernet Interface”. 2. Configure an internal routing protocol such as OSPF or configure a static route to connect the platforms in AS100 to each other. For more information see “Configuring OSPF”...
  • Page 298 ADD REMOTE PEER ADDRESS 10.50.10.1 click APPLY. Configuring EBGP on Nokia Platform A 1. Configure the interface on Nokia Platform A as in “Configuring an Ethernet Interface” 2. Click CONFIG on the home page.
  • Page 299 ADD A NEW PEER APPLY 129.10.21.2 7. Configure route redistribution policy as per example given. Configuring EBGP on Nokia Platform C 1. Click CONFIG on the home page of Platform C. 2. Click the BGP link in the Routing Configuration section.
  • Page 300: Path Filtering Based On Communities Example

    “Displaying Routing Protocol Information.” show bgp neighbor Path Filtering Based on Communities Example Note To filter BGP updates based on peer AS numbers, go to “Configuring Route Inbound Policy on Nokia Platform D Based on an Autonomous System Number”
  • Page 301 R field or enter EDISTRIBUTE OUTES specific IP prefixes to redistribute as described in the “Configuring Route Inbound Policy on Nokia Platform D Based on an Autonomous System Number” example, then click APPLY.
  • Page 302 This diagram shows four different configurations. Configuring Default MED for Nokia Platform D Configuring MED Values for all Peers of AS200 Configuring MED Values per External BGP for Nokia Platform D Configuring MED Values and Route Redistribution Policy on Nokia Platform D Configuring Default MED for Nokia Platform D 1.
  • Page 303 This MED value is propagated with all of the BGP updates propagated by Nokia Platform D to all of its EBGP peers in AS100 and AS200. Configuring MED Values for all Peers of AS200 1. Click CONFIG on the home page.
  • Page 304 This configuration allows Nokia Platform D to prefer Nokia Platform A (with the lower MED value of 100) over Nokia Platform B (with the higher MED value of 200) as the entry point to AS100 while propagating routes to AS100. Similarly, this propagates routes with an MED value of 50 to AS200, although there are no multiple entry points to AS200.
  • Page 305: Changing The Local Preference Value Example

    00332 This example shows how to set up two IBGP peers, and how to configure routes learned using Nokia Platform A to have a higher local preference value over Nokia Platform B (which has default local preference value of 100).
  • Page 306 The following steps describe how to configure an IBGP peer for Nokia Platform B. 1. Enter in the PEER AUTONOMOUS SYSTEM NUMBER edit box. 2. Click INTERNAL in the PEER GROUP TYPE drop-down window; then click APPLY. 3.
  • Page 307 Configuring the Static Routes Required for Nokia Platform B 1. Configure the interface as in “Configuring an Ethernet Interface.” 2. Click the BGP link in the Routing Configuration section. 3. Enter 20.10.10.2 in the ROUTER ID edit box. 4. Enter in the AS edit box.
  • Page 308: BGP Confederation Example

    00333 In the above diagram, all the routers belong to same Confederation 65525. Nokia Platform A and Nokia Platform B belong to Routing domain ID 65527, Nokia Platform C and Nokia Platform D belong to routing domain ID 65528 and Nokia Platform E belongs to Routing domain ID 65524. The following configuration is done on Nokia Platform C.
  • Page 309 192.168.45.2 APPLY 4. Define BGP route inbound policy using regular expressions for any AS path and from any origin. a. Click CONFIG on the home page. b. Click the BGP link in the Routing Configuration section.
  • Page 310 ENABLE REDISTRIBUTION OF ROUTES FROM AS 65524 INTO AS 65528 field; then click APPLY. g. Click the BGP AS 65524 radio button in the ROUTES INTO AS 65528; then click APPLY. h. Click SAVE.
  • Page 311: Route Reflector Example

    Platform D 00334 In the above diagram, router Nokia Platform A is on AS 65525, and routers Nokia Platform B, Nokia Platform C, and Nokia Platform D are in AS 65526. This example shows how to configure Nokia Platform B to act as a route reflector for clients Nokia Platform C and Nokia Platform D.
  • Page 312 CONFIG b. Click the BGP link in the Routing Configuration section. c. Click the Advanced BGP Options link. d. Enter 192.168.20.2 in the ADD REMOTE PEER IP ADDRESS edit box under the AS65526 routing group.
  • Page 313 Click CONFIG on the home page. b. Click the Route Redistribution link in the Routing Configuration section. c. Click the BGP Routes Based on AS link in the Redistribute to BGP section.
  • Page 314: BGP Community Example

    If you want to restrict incoming routes based on their community values, go to Path Filtering Based on Communities Example. If you want to redistribute routes that match a specified community attribute, append a community attribute value to an existing community attribute value, or both, follow these examples.
  • Page 315 4. Match AS 6 with community ID 23 (6:23) by entering in the AS edit box and in the COMMUNITY ID/SPECIAL COMMUNITY edit box; then click APPLY. 5. Match AS with no advertise; then click APPLY.
  • Page 316 Configuring peers Configuring inbound and route redistribution policies In the following diagram: Nokia Platform A is in autonomous system AS100, and Nokia Platform B is in autonomous system AS200. Nokia Platform A has a loopback address of 1.2.3.4, and Nokia Platform B has a loopback address of 5.6.7.8.
  • Page 317 CONFIG 2. Click the Static Routes link in the Routing Configuration section. 3. Enter 1.2.3.4 in the NEW STATIC ROUTE edit box in order to reach the loopback address of Platform A.
  • Page 318 4. Click on the link for the specific peer you configured in Step 1. This action takes you to the page that lets you configure options for that peer. 5. In the Nexthop field, click the on button next to EBGP Multihop to enable the multihop option, and then click APPLY.
  • Page 319 3. Click the backbone area in the drop-down window for the interface whose IP address is 129.10.2; then click APPLY. 4. Enter 1.2.3.4 in the ADD A NEW STUB HOST column, then click APPLY.
  • Page 320 EBGP multihop session is established. The default value is 64 and the range is 1-255. Click APPLY. Platform A 1. Configure an EBGP peer on Nokia Platform B as in “Configuring an Ethernet Interface” 2. Enter as the local address on the BGP page.
  • Page 321: Adjusting BGP Timers Example

    BGP does not use any transport-protocol-based keepalive mechanism to determine if peers are reachable. Instead, keepalive messages are exchanged between peers to determine if the peer is still reachable. The default value is 60 seconds. To make your changes permanent, click SAVE.
  • Page 322: TCP MD5 Authentication Example

    ROUTER 4. Enter in the AS NUMBER edit box, then click APPLY. 5. The following 2 steps configure the EBGP peer for Nokia Platform B. 6. Enter in the PEER AUTONOMOUS SYSTEM NUMBER edit box. 7. Click E...
  • Page 323: BGP Route Dampening Example

    ROUTER 4. Enter in the AS NUMBER edit box; then click APPLY. The following 2 steps configure the EBGP peer for Nokia Platform B. 5. Enter in the PEER AUTONOMOUS SYSTEM NUMBER edit box. 6. Click E in the P drop-down window;...
  • Page 324 APPLY Verification To verify that you have configured route dampening correctly, run the following command in ICLID. For more information on this command, go to Displaying Routing Protocol Information. show route bgp suppressed
  • Page 325: BGP Path Selection

    Normally, the route with the highest set weight value would be the least preferred. Note The Nokia implementation of weight value differs from that of other vendors. If the weights are the same, prefer the path with the largest local preference.
  • Page 326 4. Range matches any route whose IP address equals the given prefix’s IP address and whose mask length falls within the specified mask length range. A small number of sample route redistribution examples follows. Note Under the Route Redistribution link, there are over thirty possible route redistribution options.
  • Page 327 Platform C EBGP EBGP Nokia Platform D 00339 Configuring BGP Route Redistribution on Nokia Platform D 1. Click CONFIG on the home page. 1. Click the Route Redistribution link in the Routing Configuration section. 2. Click the BGP Routes based on AS link under the Redistribute to BGP section.
  • Page 328 APPLY Redistributing RIP to OSPF Example In this example, Nokia Platform A is connected to a RIP network and is redistributing RIP routes to and from OSPF for the Nokia OSPF Backbone. Nokia Platform D is connected to a subnet of Unix workstations that is running routed.
  • Page 329 RIP Network Routed Enabled 22.0/24 Corporate Net 26.79/28 26.80/28 00337 Redistributing Routes from RIP to OSPF External Nokia Platform A from Corporate Net RIP Router Routes are redistributed from the corporate RIP network to the Nokia OSPF network.
  • Page 330 Note Make sure that the Corporate net RIP router is advertising RIP on the interface connected to the Nokia network. It must be receiving and transmitting RIP updates. Nokia does not currently support the notion of trusted hosts for authentication of RIP routes.
  • Page 331 Redistributing Routes from OSPF to RIP Routes are redistributed from the Nokia OSPF network to the Corporate RIP Network. 1. Use the Voyager connection to Nokia Platform A you have from the previous procedure. 2. Click CONFIG on the home page.
  • Page 332: Redistributing OSPF To BGP Example

    Nokia Platform A is running OSPF and BGP and its local AS is 4. Nokia Platform E of AS 100 and Nokia Platform F of AS are participating in an EBGP session. Nokia Platform F of AS 200 and Nokia Platform A are also participating in an EBGP session.
  • Page 333: Inbound Route Filters

    4. Routes that match a given prefix with a prefix length between a given range of prefix lengths. For example, the filter could specify that it match any route in network 10 with a prefix length between 8 and 16.
  • Page 334 10. In the Rank field, enter the appropriate value, and then click APPLY. 11. If this completes your actions for this route filtering option, click SAVE.
  • Page 335: BGP Route Inbound Policy Example

    Platform C EBGP EBGP Nokia Platform D 00339 Configuring Route Inbound Policy on Nokia Platform D Based on an Autonomous System Number 1. Click CONFIG on the home page. 2. Click the Inbound Route Filters link in the Routing Configuration section.
  • Page 336 5. Click APPLY. The filter is fully configured. Configuring Route Inbound Policy on Nokia Platform D Based on ASPATH Regular Expressions 1. Click CONFIG on the home page. 2.
  • Page 337 10.0.0.0/8 10. Finally, click on RESTRICT in the ACTION field. This specifies that we want to discard the routes that match this prefix. 11. Click APPLY. The filter is fully configured.
  • Page 338: BGP AS Path Filtering Example

    ASPATH regular expressions, neighbors (AS numbers), or community IDs. To filter BGP updates based on ASPATH regular expressions, go to “Configuring Route Inbound Policy on Nokia Platform D Based on ASPATH Regular Expressions”. The following examples, however, give a more detailed description of how to create ASPATH regular expressions.
  • Page 339: Configuring Traffic Management

    Clustering Example (Three Nodes) Clustering Example With a VPN Tunnel Redundant Topology Examples Configuring Access Control Lists Traffic Management Description Packet Filtering Description Traffic Shaping Description Traffic Queuing Description Creating an Access Control List Deleting an Access Control List
  • Page 340: Configuring Access Control List Rules

    Creating a New QoS Descriptor Deleting an ATM QoS Descriptor Associating an ATM QoS Descriptor with an Interface and a Virtual Channel Configuring Common Open Policy Server Common Open Policy Server Description Configuring a COPS Client ID and Policy Decision Point
  • Page 341: Configuring Clustering In IPSO

    It includes information about upgrading from IPSO 3.6 to IPSO 3.7 if you have a cluster configured with IPSO 3.6, and it also presents information about how to configure Check Point’s VPN-1/Firewall-1 to work with an IPSO cluster.
  • Page 342: Example Cluster

    B. The cluster balances inbound and outbound network traffic between the nodes. If an internal or external interface on one of the nodes fails, or if a node itself fails, the existing connections handled by the failed...
  • Page 343 In this example: The external router needs a static route to the internal network (192.168.1.0) with 192.168.2.10 as the gateway address. The internal router needs a static route to the external network (192.168.2.0) with 192.168.1.10 as the gateway address.
  • Page 344: Cluster Management

    You can manage all the nodes of a cluster simultaneously by using Cluster Voyager. This is a feature that lets you configure a cluster as a single virtual device. You can make configuration changes once and have them take effect on all the cluster nodes.
  • Page 345: Cluster Terminology

    Firewall B Individual Nodes are Managed by admin User Any changes you make in Voyager or Cluster Voyager are immediately reflected in the CLI and CCLI. The reverse is also true—settings made in the CLI or CCLI are immediately reflected in Voyager or Cluster Voyager.
  • Page 346 Nodes simply drop packets that they should not process. In this mode, the master is the node that joins the cluster first.
  • Page 347 You create these networks by connecting cluster protocol interfaces. You must create a primary cluster protocol network, and Nokia recommends that you also create a secondary cluster protocol network for redundancy. You specify which interfaces are cluster protocol interfaces by selecting from the configured Ethernet interfaces.
  • Page 348 If it is the master, one of the remaining nodes becomes the new master. Cluster Voyager: A feature that lets you centrally manage all the nodes in a cluster as a single virtual system using one browser session.
  • Page 349: Clustering Modes

    Clustering Modes IPSO clusters have two modes of operation. Nokia provides this choice so that IPSO clusters can work in any network environment: In multicast mode each cluster node receives every packet sent to the cluster and decides whether to process it based on information it receives from the master node.
  • Page 350: Considerations For Clustering

    Note All cluster nodes must use the same mode. You can change the cluster mode without interrupting traffic flow through the cluster. Use Cluster Voyager or the CCLI to change the mode on all the nodes simultaneously. Considerations for Clustering...
  • Page 351 Do not directly connect the cluster protocol interfaces using a crossover cable. For performance purposes, Nokia recommends that you do not use hubs to connect a cluster to user data networks. If possible, use switches for these connections.
  • Page 352 Note Nokia recommends that you use dedicated networks as the cluster protocol networks—that is, the cluster protocol networks should not carry production traffic. If you configure a cluster this way, the cluster protocol messages will not appear on your production networks even if the switches on the data networks do not support IGMP snooping.
  • Page 353 Though a cluster functions if its master runs IPSO 3.6 and one or more nodes run IPSO 3.7, Nokia strongly recommends that you upgrade all the nodes of your IPSO 3.6 clusters to IPSO 3.7. IPSO supports a 3.6 master with 3.7 members to allow a cluster to remain in service during an upgrade.
  • Page 354 The Cluster Management Configuration page appears. 4. Enter a password for the user cadmin. This is the password you will use to log into Cluster Voyager or the CCLI. 5. Enter the password for cadmin again (for verification). 6. Click APPLY. The page displays fields for changing the cadmin password.
  • Page 355: Configuration Overview

    7. Repeat this procedure on each of the other nodes that you upgraded from IPSO 3.6. You can now manage the cluster using Cluster Voyager or the CCLI. Creating and Configuring a New Cluster Configuration Overview To create and configure a cluster, follow these basic steps: 1.
  • Page 356: Creating A Cluster

    You must also configure the VPN-1/FireWall-1 to work with the IPSO cluster. Use the Check Point client application to add a gateway object for the Nokia appliance. You also must create a gateway cluster object and add the gateway object to it.
  • Page 357: Selecting The Cluster Mode

    The other interface must be the primary interface. Note Nokia recommends that you select another interface as a secondary cluster protocol interface. Remember that the primary and secondary cluster protocol networks should not carry any production traffic.
  • Page 358 VPN-1/FireWall-1 NG. When configuring cluster interfaces, you must choose the appropriate hash method. If the nodes in the cluster are configured to use NAT, do not use the Voyager Reference Guide...
  • Page 359: Configuring Firewall Monitoring

    (This is particularly relevant if a cluster node is rebooted while it is in service.) This option also specifies whether IPSO should monitor VPN-1/ FireWall-1 and remove the node from the cluster if the firewall stops functioning. Voyager Reference Guide...
  • Page 360 If you want SecuRemote clients to be able to access servers behind the cluster, click Y in the E field. NABLE EMOTE LIENTS This option is available only if you are using VPN-1/FireWall-1 NG FP3. VPN-1/FireWall-1 NG with Application Intelligence and later does not require this delay. Voyager Reference Guide...
  • Page 361 Clustering Setup Configuration page (as well as in VPN-1/ FireWall-1). If you are using VPN-1/FireWall-1 NG with Application Intelligence, you do not configure the tunnels in Voyager. You configure the tunnels only in VPN-1/FireWall-1. The configuration options for VPN tunnels do not appear in Voyager.
  • Page 362 IP pool of the cluster node that handles the connection. To set up this configuration, you would: Configure the IP pools in VPN-1/FireWall-1 On the internal router: Voyager Reference Guide...
  • Page 363 For VPN-1/FireWall-1 NG with Application Intelligence and later: Do not configure the IP pools in IPSO. Configuring the pools in FireWall-1 is sufficient. Configuring IP Pools To configure IP pools in Voyager, follow this procedure: 1. In the NETWORK ADDRESS field, enter the network that the IP pool addresses will be assigned from.
  • Page 364 Configuring Join-Time Shared Features You may want to have many configuration settings be identical on each cluster node. Voyager makes this easy for you by letting you specify which features will be configured the same on all cluster nodes. The features that are configured this way are called join-time shared features.
  • Page 365 C. If the active configuration changes because of join-time sharing, you can reload the desired configuration on C from the saved configuration file. See “Managing Configuration Sets” for information about saving and loading configuration files. Voyager Reference Guide...
  • Page 366 Caution After you click APPLY (the next step) you cannot conveniently make features sharable again if you make them unshared in this step. Make sure that the settings are correct before you proceed. 3. Click APPLY. Voyager Reference Guide...
  • Page 367: Making The Cluster Active

    If a feature is shared and you want to reconfigure it on all the cluster nodes, use Cluster Voyager or the CCLI. Any changes you make are implemented on all the nodes automatically. Making the Cluster Active Nokia recommends that you configure a firewall and/or VPN on the node before you activate the cluster.
  • Page 368: Adding A Node To A Cluster

    You receive error messages if the node does not meet these requirements. Adding a Node to a Cluster It is very easy to add Nokia appliances to an existing cluster. There are two methods you can use: Joining (automatic configuration). This is the recommended method...
  • Page 369: Recommended Procedure

    VPN-1/FireWall-1 to a cluster that is in service. This should only be done in a test environment. Recommended Procedure Nokia recommends that you follow this general procedure when building a cluster: 1. Fully configure the first cluster node and make sure that all the appropriate features are cluster sharable.
  • Page 370: Joining A System To A Cluster

    7. Click APPLY. 8. In the CLUSTER NODE ADDRESS field, enter an IP address that meets the following criteria: You should use an address of an interface on the cluster node that you configured first. Voyager Reference Guide...
  • Page 371: Managing A Cluster

    9. Click J If the node successfully joins the cluster, Voyager displays a number of new fields. If the node does not successfully join the cluster, you see a message indicating why.
  • Page 372: Using Cluster Voyager

    If either of the following conditions is true, you can log into Cluster Voyager, but you cannot make configuration changes unless you break the configuration lock: Someone else is logged into one of the cluster nodes as admin (using...
  • Page 373 If you forget the cadmin password If you forget the password for the cadmin user, you are not able to start Cluster Voyager. To recover from this situation, follow these steps: 1.
  • Page 374 The default performance rating for a system reflects its performance relative to that of other Nokia platforms. You can adjust the performance rating to change the amount of work a system is assigned relative to other members. If...
  • Page 375 When you log in as cadmin (and use Cluster Voyager or the CCLI) and change a setting of a shared feature, the change is made on all the nodes.
  • Page 376 Note Some settings of cluster shareable features cannot be configured as cadmin. For example, you cannot use Cluster Voyager to set SSH host and identity keys. To configure these settings, you must log into the individual cluster nodes as admin.
  • Page 377 Installing IPSO images You can use Cluster Voyager to upgrade the IPSO image on all the cluster nodes. After you see that the new image has been successfully installed on all the nodes, you need to reboot them so that they will run the new image.
  • Page 378 Safe Reboot Status. Caution Do not log out of Cluster Voyager, end your browser session, or otherwise break your connection with the cluster while a cluster safe reboot is in progress. Doing so causes the nodes that you are not logged into to leave the cluster.
  • Page 379 If you want to change the cluster interface configuration of a node—for example, if you want to change the primary interface—you must log into the node as admin. You cannot use Cluster Voyager or the CCLI. Note Any time you make a change to the cluster interface configuration, the node leaves and attempts to rejoin the cluster.
  • Page 380: Synchronizing The Time On Cluster Nodes

    NTP so that each node gets its time from the same time server Assigning the Time Zone To conveniently assign the same time zone to each node, follow these steps: 1. Log into Cluster Voyager 2. Under System Configuration, click Local Time Setup 3.
  • Page 381: Configuring Ntp

    This situation could lead to problems with firewall synchronization. The most convenient way to set up NTP in a cluster is to use Cluster Voyager (or the CCLI) because you need to perform the configuration steps only one time instead of performing them on each node individually.
  • Page 382 If you use a device outside the cluster as the NTP server, do the following steps on the NTP configuration page (you must enable NTP before you can access this page): 1. Log into Cluster Voyager. 2. Under System Configuration, click NTP. 3. Enable NTP.
  • Page 383 When you use Check Point’s cpconfig program (at the command line or through the Voyager interface to this program), follow these guidelines: You must install VPN-1/FireWall-1 as an enforcement module (only) on each node. Do not install it as a management server and enforcement module.
  • Page 384 Set the gateway cluster object address to the external cluster IP address (that is, the cluster IP address of the interface facing the Internet). Add a gateway object for each Nokia appliance to the gateway cluster object. In the General Properties dialog box for the gateway cluster object, do...
  • Page 385 Disable the automatic ARP option on the NAT tab in Global Properties in Check Point’s SmartDashboard management application. Using Cluster Voyager, create a proxy ARP entry for the internal and external cluster interfaces. To do this, follow the procedure in “Creating Proxy ARP Entries for NAT.”...
  • Page 386 4. In the information about the internal and external cluster interfaces, identify the cluster MAC addresses. Look in that output for “clustermac” followed by a MAC address. For example: clustermac 1:50:5a:a:a:1 Voyager Reference Guide...
  • Page 387 Mode of the gateway cluster object to Load Sharing. Do not set it to High Availability. In the pull-down menu, select Nokia IP Clustering. Check all the available check boxes. Enable automatic proxy ARP on the NAT Global Properties tab.
  • Page 388 (not recommended), or a dedicated network (avoid using a production network for firewall synchronization). If you use a cluster protocol network for firewall synchronization, Nokia recommends that you use the secondary cluster protocol network for this purpose. Note The firewall synchronization network should have bandwidth of 100 Mbps or greater.
  • Page 389: Configuring The Cluster In Voyager

    VPN-1/FireWall-1 192.168.2.5 Cluster IP: 192.168.4.10 Synchronization Network External Router Configuring the Cluster in Voyager 1. Using Voyager, log into node A. 2. Click CONFIG. 3. On the main configuration page, click Interfaces to display the Interface Configuration page. 4. Configure interfaces with IP addresses in each of the networks shown in the example and activate the interfaces.
  • Page 390 13. In the Primary Interface column, click Y for eth-s3p1 to make it the primary cluster protocol interface for the node. 14. In the Secondary Interface column, click Y for eth-s4p1 to make it the secondary cluster protocol interface for the node. Voyager Reference Guide...
  • Page 391: Configuring The Internal And External Routers

    (This is not necessary if you use forwarding mode.) 2. Configure static routes to the cluster: On the internal router, configure a static route for 192.168.2.0 (the external network) using 192.168.1.10 (the internal cluster IP address) as the gateway address. Voyager Reference Guide...
  • Page 392 Configuring Traffic Management On the external router, configure a static route for 192.168.1.0 (the internal network) using the cluster IP 192.168.2.10 (the external cluster IP address) as the gateway address. Voyager Reference Guide...
  • Page 393 Secondary Cluster Protocol Network: 192.168.4.0 192.168.2.5 192.168.2.5 Cluster IP: 192.168.4.10 VPN-1/FireWall-1 External Synchronization Network Router VPN Tunnel Internet Tunnel Endpoint: 10.1.2.5 10.1.1.0 Remote Router Network This example cluster is very similar to the previous example. The additional elements are: Voyager Reference Guide...
  • Page 394 Here are the steps you would perform to configure the tunnel: 1. Follow the steps under “Configuring the Cluster in Voyager.” 2. Log into the cluster using Cluster Voyager. 3. In the Add New VPN Tunnel section of the Clustering Setup Configuration page, enter 10.1.1.0 in the N field.
  • Page 395 To prevent this problem, you can directly connect a cluster to at least two switches (or hubs) on each network that the cluster connects to (excluding the Voyager Reference Guide...
  • Page 396 Depending on the specifics of this type of topology, interface or system failures could lead to partial losses of connectivity. For example, if the internal cluster interface (eth-s1p1) of firewall A fails, internal devices connected to the cluster through switch 1 could lose their connection to the Voyager Reference Guide...
  • Page 397 To avoid this possibility, you could create a fully redundant topology similar to the one shown in the following diagram. Voyager Reference Guide...
  • Page 398 Configuring Traffic Management Internal Network Internal Router Internal Router Primary Cluster Protocol Network Switch Switch Firewall A Firewall B Secondary Cluster Switch Switch Protocol Network External External Router Router Internet Voyager Reference Guide...
  • Page 399: Configuring Access Control Lists (Acl)

    Drop—The drop action drops the traffic without any notification. Reject—The reject action drops the traffic and sends an ICMP error message to the source. For information on how to configure a packet filter, see “Description of Access Control List Rules” Voyager Reference Guide...
  • Page 400: Traffic Shaping Description

    Prioritization is only relevant for outgoing traffic. Incoming traffic is never prioritized. Use the DSfield in the Access Control List (ACL) to set the value for marking traffic that matches a given ACL rule. The QueueSpec is used to map a flow with the output queue. Voyager Reference Guide...
  • Page 401 3. Enter a name for the ACL in the C edit box. REATE A CCESS Click A PPLY The Access Control List name, D check box, and B ELETE YPASS THIS field appear. CCESS 4. To make your changes permanent, click S Voyager Reference Guide...
  • Page 402 3. Click the link for the appropriate Access Control List in the ACL N field. This takes you to the page for that Access Control List. 4. Select the appropriate interface from the A drop-down NTERFACES window. Voyager Reference Guide...
  • Page 403 For IPv4 ACLs, click the Access List Configuration link under the TRAFFIC MANAGEMENT section. b. For IPv6 ACLs, click the IPv6 link. This takes you to the IPv6 page. Click the Access List Configuration link under the TRAFFIC MANAGEMENT section. Voyager Reference Guide...
  • Page 404: Configuring Access Control List Rules

    Skip—skip this rule and proceed to the next rule Prioritize—give this traffic stream preferential scheduling on output Shape—coerce this traffic’s throughput according to the set of parameters given by an aggregation class Rules can be set up to match any of these properties: Voyager Reference Guide...
  • Page 405 "prioritize" are marked with the corresponding DSfield and sent to the queue set by QueueSpec field. The DSfield and QueueSpec field can only be edited when the Action field is set to "prioritize." Voyager Reference Guide...
  • Page 406 For IPv6 ACLs, click the IPv6 link. This takes you to the IPv6 page. Click the Access List Configuration link under the TRAFFIC MANAGEMENT section. 3. Click the link for the appropriate Access Control List in the ACL N field. Voyager Reference Guide...
  • Page 407 TCP handshake. This option applies only to IPv4 ACLs. Note You can specify the TCP Establishment flag only if the selected protocol is TCP, 6, or "any." Type of Service (TOS) for IPv4; Traffic Class for IPv6 Voyager Reference Guide...
  • Page 408 For IPv6 ACLs, click the IPv6 link. This takes you to the IPv6 page. Click the Access List Configuration link under the TRAFFIC MANAGEMENT section. 3. Click the link for the appropriate Access Control List in the ACL N field. Voyager Reference Guide...
  • Page 409: Configuring Aggregation Classes

    Traffic that arrives consistently at a rate less than or equal to the configured meanrate will always be marked conformant and will not be delayed or dropped in the respective shaper or policer stages. Voyager Reference Guide...
  • Page 410 3. Click the DELETE check box next to the aggregation class that you want to delete. Click APPLY. This aggregation class disappears from the EXISTING AGGREGATION CLASSES section. 4. To make your changes permanent, click S Voyager Reference Guide...
  • Page 411 A rule treats traffic as if it were configured for "skip," if the traffic matches a rule whose action has been set to "prioritize" or "shape" and no Aggregation Class is configured. 6. To make your changes permanent, click S Voyager Reference Guide...
  • Page 412: Configuring Queue Classes

    AGCs so that the aggregate of the NC and EF flows consumes no more than 50% of the output link bandwidth. This action prevents lower-priority traffic from being starved. See RFC 2598 for more information. The other policers should also be configured to prevent the lower-priority queue from being starved. Voyager Reference Guide...
  • Page 413 IPv6 link and then click the Queue Class Configuration link under the TRAFFIC MANAGEMENT section. 3. Click the DELETE check box in the EXISTING QUEUE CLASSES field next to the name of the Queue class you want to delete. Voyager Reference Guide...
  • Page 414 Q edit box. UEUE PECIFIER 6. For each queue, enter a value for the maximum number of packets that can be queued before packets are dropped in the M UEUE ENGTH Voyager Reference Guide...
  • Page 415 4. You are now in the physical interface page for the interface you selected. To enable QoS queuing, select either M or M HROUGHPUT from the Q drop-down window in Q UEUE UEUE ATENCY field. ONFIGURATION 5. Click A PPLY Voyager Reference Guide...
  • Page 416: Configuring Atm Qos

    The CBR feature limits the peak cell rate for each CBR channel in the output direction only. Each ATM port supports up to 100 CBR channels with 64 kbits/sec of bandwidth resolution. See “Queue Class Description” for more information about queue classes. Voyager Reference Guide...
  • Page 417 Peak Cell Rate of all the CBR channels on an interface cannot exceed 146Mbs. 5. Click A PPLY The new ATM QoS Descriptor appears in the E ATM Q XISTING field. ESCRIPTORS 6. Click S to make your changes permanent. Voyager Reference Guide...
  • Page 418 Configuration page for the physical interface you selected. In the Q field, click the Q drop-down ONFIGURED ESCRIPTOR window and select D (UBR). EFAULT 5. Click A , and then click S to make your changes permanent. PPLY 6. Click the ATM QoS Descriptors link. Voyager Reference Guide...
  • Page 419 Note You cannot delete or modify a QoS Descriptor that has been associated with a permanent virtual channel (PVC). You must first disassociate the PVC from the QoS descriptor. See “Deleting an ATM QoS Descriptor” for more information. Voyager Reference Guide...
  • Page 420: Configuring Common Open Policy Server

    (such as voice or video) receive priority treatment. The PEPs are routers that implement the decisions made by the PDPs. In the Nokia implementation, the Nokia platform functions as a PEP.
  • Page 421: Configuring A Cops Client Id And Policy Decision Point

    You must configure at least one COPS Client ID and a corresponding policy decision point, that is, policy server, for the COPS Policy Module to function. 1. Click either CONFIG on the Voyager home page or click the Traffic Management link on the home page.
  • Page 422: Configuring Security Parameters For A Cops Client Id

    Configuring Traffic Management Configuring Security Parameters for a COPS Client ID The Nokia implementation lets you configure send and receive key IDs for each COPS Client ID to authenticate sessions with the PDP, or policy server. 1. Click either C...
  • Page 423: Assigning Roles To Specific Interfaces

    Assigning Roles to Specific Interfaces The Nokia COPS implementation lets you assign roles to specific interfaces. A role refers to a logical name assigned to a group of objects within a network. The role name lets you group objects to which you want to assign a particular policy.
  • Page 424: Activating And Deactivating The Cops Client

    You can deactivate the COPS client to halt the COPS module implementation. 1. Click either CONFIG on the Voyager home page or the Traffic Management link on the home page. 2. Click the COPS link in the Traffic Management section.
  • Page 425: Deleting A Client Id

    Before you delete a Client ID, make sure that it is not active. Perform the following steps to deactivate a client ID before you delete it. 1. Click either CONFIG on the Voyager home page or the Traffic Management link on the home page.
  • Page 426 2. Enter the name of the new Aggregation Class in the N edit box in the section. REATE A GGREGATION LASS 3. Click A , and then click S to make your change permanent. PPLY 4. Enter in the M ) edit box. EANRATE Voyager Reference Guide...
  • Page 427 WAN connection within a corporate intranet as shown in the diagram below. The WAN interfaces for Network Application Platform (Nokia Platform) A and for Network Application Platform (Nokia Platform) B are ser-s3p1. The...
  • Page 428 Nokia Platform A Platform B 00045 1. Save the current configuration on each Nokia Platform before you set up QoS. Doing so allows you to compare the relative performance of the QoS and non-QoS configurations. a. Click on C on the home page.
  • Page 429 5. Create a new Access Control List rule to classify, condition, and prioritize telnet traffic. a. Click CONFIG on the home page. b. Click on the Access List Configuration link under the TRAFFIC MANAGEMENT section. Voyager Reference Guide...
  • Page 430 LASS window, and then click A PPLY l. For Nokia Platform A, enter in the D ESTINATION ANGE edit box, and for Nokia Platform B, enter in the S OURCE edit box. ANGE Note The telnet port number is 23.
  • Page 431 HYSICAL d. Click on the Interface Statistics link. e. Scroll down to view statistics for Queue Class wan_1_ef. You should see values other than zero on both Nokia Platform A and Nokia Platform B for the P and B ACKETS...
  • Page 432: Configuring Transparent Mode

    ISP. Using transparent mode support, you configure interfaces on the firewall router to act as ports on a bridge. The interfaces then forward traffic using layer 2 addressing. Nokia’s transparent mode supports only Ethernet 10/100/1000 Mbps. For more information on configuring Ethernet, see “Configuring an Ethernet Interface.”...
  • Page 433 MAC addresses, the transparent mode module also transmits packets that originate locally or are forwarded based on routing. Locally originated ARP packets are broadcast on all interfaces of the transparent mode group. Locally originated IP packets are also broadcast on Voyager Reference Guide...
  • Page 434 IP address to a local IP address to deliver packets to the security server on the local protocol stack. It does this by performing a route lookup for the packet’s destination IP address to determine whether Voyager Reference Guide...
  • Page 435 Transport Mode Support is not supported in a cluster environment. For more information on cluster configuration, see “Configuring Clustering in IPSO.” VPN Support When you configure transparent mode in a virtual private network environment, you must create a range or group of addresses that will be Voyager Reference Guide...
  • Page 436 Group M Switch Nokia Platform with Firewall Switch Internet Firewall B Network B 00327 In the above example, the network administrator of Network A wants Network B to have access to certain addresses behind the Nokia Platform with Voyager Reference Guide...
  • Page 437 For information on how to create groups, objects, and rules on the firewall, see your Check Point documentation that was included with your Nokia IPSO software package. Example of Transparent Mode Functionality The following illustration shows a network connected to an internet service provider (ISP) through a switch.
  • Page 438 1.5.3.3/24 00294 Nokia’s transparent mode solution provides firewall protection for the LAN without having to obtain new IP addresses or reconfigure addresses on the LAN. Packet traffic continues to run at Layer 2, rather than at Layer 3 with a conventional firewall solution.
  • Page 439 To configure transparent mode in the preceding network configuration, you would do the following in Voyager. 1. Click CONFIG on the home page. 2. Click Transparent Mode in the Interface section. 3. Enter any positive integer (an integer greater than 0) in the edit box, for example 100.
  • Page 440 2. Click Transparent Mode in the Interface section. 3. Enter any positive integer (an integer greater than 0) in the edit box. 4. Click APPLY. Deleting a Transparent Mode Group This procedure describes how to delete a transparent mode group. Voyager Reference Guide...
  • Page 441 2. Click Transparent Mode in the Interface section 3. Click the link of the transparent mode group to which you would like to add an interface. 4. In the A drop-down box, select an interface to associate NTERFACE with the transparent mode group. Voyager Reference Guide...
  • Page 442 2. Click Transparent Mode in the Interface section. 3. Click the link of the transparent mode group from which you would like to delete an interface. 4. Click the REMOVE radio button associated with the interface you would like to delete. Voyager Reference Guide...
  • Page 443 Enable column associated with the transparent mode group you would like to enable. 4. Click APPLY. 5. Click S to make your changes permanent. Disabling a Transparent Mode Group This procedure describes how to disable a transparent mode group. Voyager Reference Guide...
  • Page 444 3. Click the link of the transparent mode group to which you would like to enable VRRP. 4. Click the Y radio button in the VRRP ENABLED table. 5. Click APPLY. 6. Click S to make your changes permanent. Voyager Reference Guide...
  • Page 445: Monitoring Transparent Mode Groups

    “VRRP Description.” Monitoring Transparent Mode Groups This procedure describes how to monitor transparent mode groups. 1. Click MONITOR on the home page. 2. Click Transparent Mode Monitor. 3. Click a transparent mode group under XMODE Group id. Voyager Reference Guide...
  • Page 446 Configuring Traffic Management Voyager Reference Guide...
  • Page 447: Configuring Router Services

    Router Discovery Overview Enabling Router Discovery Services Disabling Router Discovery Services VRRP (Virtual Router Redundancy Protocol) VRRP Description Configuring VRRP Rules for Check Point NG Sample Configurations Creating a Virtual Router for an Interface's Addresses in VRRPv2 Voyager Reference Guide...
  • Page 448 Changing the Backup Address List of a Virtual Router in Monitored Circuit Mode (Simplified Configuration) Changing Authentication Method and Password in Monitored Circuit Mode (Simplified Configuration) Creating a Virtual Router in Monitored Circuit Mode (Legacy Configuration) Troubleshooting and Monitoring VRRP NTP Description Voyager Reference Guide...
  • Page 449: Bootp (Bootstrap Protocol) Relay

    If a primary IP is specified, it stamps the request with that address, otherwise it stamps the request with the lowest numeric IP address specified for the interface. Voyager Reference Guide...
  • Page 450 Configuring Router Services You can use Voyager to enable Bootp Relay on each interface. If the interface is enabled for relay, you can set up a number of servers to which to forward Bootp requests. Enter a new IP address in the N...
  • Page 451: Ip Broadcast Helper

    To make your changes permanent, click S IP Broadcast Helper IP Broadcast Helper Description IP Broadcast Helper is a form of static addressing that uses directed broadcasts to forward local and all-nets broadcasts to desired destinations within the internetwork. Voyager Reference Guide...
  • Page 452 PPLY 6. Verify that each interface, UDP port, or server is enabled ( radio button checked) or disabled ( radio button checked) for IP helper support according to your needs. To make your changes permanent, click S Voyager Reference Guide...
  • Page 453 UDP port you want to disable for IP Helper service. Click APPLY. 5. Click the radio button for each server you want to disable for IP Helper service. Click APPLY. To make your changes permanent, click S Voyager Reference Guide...
  • Page 454: Router Discovery

    This lifetime is configured such that another router advertisement will be sent before the lifetime has expired. A lifetime of zero indicates that one or more addresses are no longer valid. Voyager Reference Guide...
  • Page 455 6. (Optional) Enter the lifetime of advertisement packets for each enabled interface in the Advertisement lifetime edit box. Click Apply. Range: Between the value in the Maximum advertisement interval field and 9000 seconds Default: 3 times the values in the Maximum advertisement interval field. Voyager Reference Guide...
  • Page 456 1. Click CONFIG on the home page. 2. Click the Router Discovery link in the Router Services section. 3. Click the radio button for each interface you want to disable support for router discovery service. Click APPLY. Voyager Reference Guide...
  • Page 457: Vrrp (Virtual Router Redundancy Protocol)

    This is done by configuring the default router's Virtual Router information (its VRID and IP addresses) on each of the backup routers. They will then use VRRP to take over the default router's addresses, should it fail. Voyager Reference Guide...
  • Page 458 Advertisements. It also determines the fail-over interval; that is, how long it takes a backup router to take over from a failed default router. VRRP Advertisements are broadcast on the LAN by the current master of each Virtual Router. Backup routers listen for these Advertisements and Voyager Reference Guide...
  • Page 459: Authentication Methods

    TTL check makes it difficult for a VRRP packet from another LAN to disrupt VRRP operation. This type of authentication is recommended when there is minimal risk of nodes on a LAN actively disrupting VRRP operation.
  • Page 460 Caution: The VRRP rule constructions used in Check Point FireWall-1 4.1 and earlier do not work with Check Point NG, and using these constructions could result in VRRP packets being dropped by the cleanup rule.
  • Page 461 For information about configuring VRRP rules for Check Point FireWall-1 4.1, contact the Nokia Technical Assistance Center (TAC). Configuration Rule for Check Point NG FP1: Locate the following rule above the Stealth Rule: Note: The object for VRRP is not the same as the gateway cluster object for HA.
  • Page 462 VRRP IP address supported by the firewalls is a Node Host object with the IP address 224.0.0.18 mcast-224.0.0.18 Configuring Rules if You Are Using OSPF or DVMRP All of the solutions above are applicable for any multicast destination. Voyager Reference Guide...
  • Page 463 IP destinations using the following values: Name: MCAST.NET 224.0.0.0 Netmask: 240.0.0.0 Then you can use one rule for all multicast protocols you are willing to accept, as shown below: Source Destination Service Action cluster-all-ips fwcluster-object vrrp Accept MCAST.NET igmp ospf dvmrp Voyager Reference Guide...
  • Page 464 Note that in this example, IP B is not backed up by the router on the left. IP B is only used by the router on the right as its interface address. In order to backup IP B, a second Virtual Router would have to be configured. This is shown in the third example. Voyager Reference Guide...
  • Page 465 Note that in this example, IP B and IP C are not backed up by Virtual Router #1. These addresses are only used by the routers as their interface addresses. In order to back up IP B and IP C, additional virtual routers would have to be configured. Voyager Reference Guide...
  • Page 466 IP addresses and provide uninterrupted service to both default IP addresses for the hosts. This has the effect of load balancing the outgoing traffic, while also providing full redundancy. Voyager Reference Guide...
  • Page 467 The value in this field must be the same for all routers running VRRP on this interface's LAN. 8. If you selected SIMPLE, enter the authentication password string in the PASSWORD edit box. Click APPLY.
  • Page 468 5. Enter the remote router's VRID in the BACK UP ROUTER WITH VRID edit box. Click APPLY. Note: This value must be the same VRID as that on the virtual router created on the remote router to back up its addresses.
  • Page 469 ...SIMPLE, enter the authentication password string in the PASSWORD edit box. Click APPLY. The value in this field must be the same for all routers running VRRP on this interface's LAN. To make your changes permanent, click SAVE.
  • Page 470 3. Click the Advanced VRRP Configuration link. 4. Click the ENABLED radio button to accept connections to VRRP IPs. 5. To disable this option, if you have enabled it, click the DISABLED radio button. The default is Disabled.
  • Page 471: Setting A Virtual Mac Address For A Virtual Router

    IP address(es), enter a value between 1 and 255 in the BACKUP ROUTER WITH VRID edit box. Click APPLY. A BACKUP ADDRESS edit box appears that allows you to add an IP address for this virtual router.
  • Page 472 IP address temporarily until they resolve into master and backup. Removing a Virtual Router in VRRPv2 When you disable a virtual router, the VRRP operation terminates, and the configuration information no longer displays in the browser. Fail-over of the Voyager Reference Guide...
  • Page 473 A virtual router that is configured for an interface contains the IP address of that interface. If IP addresses are added to or removed from the interface, they will automatically be added to or removed from the virtual router for the interface. Voyager Reference Guide...
  • Page 474 The priority determines which backup router takes over when the default router fails. Higher values equal higher priority. 1. Click CONFIG on the home page. 2. Click the VRRP link in the Router Services section. 3. Click the Advanced VRRP Configuration link.
  • Page 475 5. Change the number in the HELLO INTERVAL edit box for the matching VRID. Click APPLY. The hello interval should be the same value on all systems with this virtual router configured. To make your changes permanent, click SAVE.
  • Page 476 "black hole" failure scenarios. In high availability situations, where you have many routers acting as one virtual router and many interfaces on multiple systems, the configuration can be difficult and error prone. The simplified method, described in this section, helps eliminate configuration difficulties, Voyager Reference Guide...
  • Page 477 The Backup Address(es) associated with the monitored circuit virtual router must not match the real IP address of any host or router on the interface’s network. Repeat this step if you want to add additional Backup Addresses. Voyager Reference Guide...
  • Page 478 8. Enter the IP address you want to assign to the virtual router back up in the BACKUP ADDRESS edit box. Click APPLY. 9. (Optional) Repeat steps 3 through 8 to add additional virtual routers. 10. Click Save to make your changes permanent.
  • Page 479 ONFIG 2. Click the VRRP link in the Router Services section. 3. Locate the virtual router with the priority you want to change. You can locate the virtual router information using the VRID column. Voyager Reference Guide...
  • Page 480 4. Enter a number in the PRIORITY DELTA edit box. Click APPLY. Note: The Priority Delta must not be greater than the virtual router’s Priority divided by the number of Backup Addresses for that virtual router. If you...
  • Page 481 Voyager will display an error message. For best performance, you should set the Priority Delta to 80 percent of the Priority divided by the number of Backup Addresses. To make your changes permanent, click SAVE. Changing the Backup Address List of a Virtual Router in Monitored Circuit Mode (Simplified Configuration): Virtual routers are used to back up other routers’...
  • Page 482 4. Click the MONITORED CIRCUIT radio button next to the interface for which you want to enable Monitored Circuit. Click APPLY. 5. Enter the VRID in the CREATE VIRTUAL ROUTER edit box, and then click APPLY.
  • Page 483 You must select the interface you want to monitor and enter a priority delta value in order to monitor interfaces. Otherwise, an error message will display. 11. (Optional) Repeat steps 8 and 9 if you want to add more monitored interface dependencies. To make your changes permanent, click SAVE.
  • Page 484: Ntp

    Configuring Router Services. Troubleshooting and Monitoring VRRP: There are several tools you can use for monitoring. From Voyager, you can view VRRP status by performing the following steps. 1. Click MONITOR on the home page. 2. Click the VRRP link in the Routing Protocols section.
  • Page 485 Preferring NTP peers and/or servers over other NTP peers and/or servers. Enabling the NTP reference clock if an NTP peer or server is unavailable. Features not in this Release Authentication Kernel access lists can be used instead. Voyager Reference Guide...
  • Page 486 If you wish to prefer this server over other servers, click the PREFER radio button. Click APPLY. 6. To delete a server, click the corresponding radio button. Click APPLY. The new server’s IP address will disappear from the NTP SERVERS field.
  • Page 487 The STRATUM edit box and CLOCK SOURCE drop-down window will display. By default, the Stratum value is 1, and the Clock source is set to Local Clock. It is recommended that you keep these defaults.
  • Page 488 Configuring Router Services. To make your changes permanent, click SAVE.
  • Page 489: Configuring System Functions

    Mail Relay Description Configuring Mail Relay Sending Mail System Failure Notification Setting System-Failure Notification Time and Date Procedures Setting the System Time Static Host Procedures Adding a Static Host Deleting a Static Host System Logging System Logging Voyager Reference Guide...
  • Page 490 Configuring System Functions Remote System Logging Setting the System Configuration Auditlog Setting the Voyager AuditLog Disabling the System Configuration Auditlog Disabling the Voyager AuditLog Hostname Procedure Changing the Hostname Managing Configuration Sets Saving the Current Configuration as a New Configuration Set...
  • Page 491: Dns Hostname Procedures

    6. (Optional) Enter the IP address of the tertiary DNS in the TERTIARY NAME SERVER edit box; then click APPLY. 7. Click SAVE to make your changes permanent.
  • Page 492: Configuring Disk Mirroring

    Disk mirroring gives you the ability to configure a mirror set comprised of a source hard disk drive and a mirror hard disk drive using Voyager. The hard disk drive in which you have installed IPSO is your source hard disk drive.
  • Page 493 You can view hard disk drive geometry in the Drivers Information table. 4. Click APPLY. You will see text at the top of the Voyager window with a message indicating a mirror set was created, numbers indicating which hard disk drive is the source and which hard disk drive is the mirror, and that mirror syncing is in progress.
  • Page 494: Mail Relay

    Presence of a sendmail-like replacement that relays mail to a mail hub using SMTP; ability to specify the default recipient on the mail hub. Features not Supported: support for incoming mail; support for mail transfer protocols other than outbound SMTP...
  • Page 495: Configuring Mail Relay

    Ability to telnet to port 25; support for mail accounts other than admin or monitor. Configuring Mail Relay: In Voyager, follow these instructions to configure mail relay for your firewall. 1. Click CONFIG on the home page. 2. Click the Mail Relay link in the System Configuration section.
  • Page 496: Failure Notification

    Examples of a system failure include crashing daemons (snmpd, ipsrd, ifm, xpand) and a system reboot due to a fatal error. In a system failure notification, the following information appears: system information, image information, crash information, and crash trace. To make your changes permanent, click SAVE.
  • Page 497: Time And Date Procedures

    3. Enter the new hostname in the ADD NEW HOSTNAME edit box; then click APPLY. 4. Enter the IP address of the new host in the IP ADDRESS edit box; then click APPLY. To make your changes permanent, click SAVE.
  • Page 498: System Logging Procedures

    2. Click the System Logging link in the System Configuration section. 3. Enter the IP address of the host machine to which you are sending syslog messages, and then click APPLY.
  • Page 499 2. Click the System Logging link in the System Configuration section. 3. To log transient configuration changes only, click the LOGGING OF TRANSIENT CHANGES button in the SYSTEM CONFIGURATION AUDITLOG field. Transient changes refer to changes that apply only to the currently...
  • Page 500 To access the Management Activity Log page, click MONITOR on the Home page in Voyager and then click the Management Activity Log link in the System Logs section. For more information, see “Monitoring System Logs.” 8. Click APPLY, and then click SAVE to make your changes permanent.
  • Page 501 Voyager page, and the name of the button that was pressed. The log records these actions whether or not the operation succeeded. To view the log, click the Monitor button on the Voyager home page, and then click the System Message Log link to view system messages. For more...
  • Page 502: Hostname Procedure

    3. In the VOYAGER AUDITLOG field, click the DISABLED button to stop having the system log all Apply and Save actions to Voyager. 4. Click APPLY, and then click SAVE to make your change permanent. Hostname Procedure...
  • Page 503: Managing Configuration Sets

    2. Click the Manage Configuration Sets link in the System Configuration section. 3. Enter the name of the factory default configuration database file in the field labelled CREATE A NEW FACTORY DEFAULT CONFIGURATION. 4. Click APPLY.
  • Page 504 Loading this configuration set will cause all system configurations to be deleted from the system. You will not be able to configure the system through Voyager until you have configured an IP address through the system console. Loading a Configuration Set This procedure describes how to switch a currently active database.
  • Page 505: Backing Up And Restoring Files

    Backing Up and Restoring Files Description of Creating Backup Files You can configure your Nokia appliance to perform manual or regularly scheduled backups. By default, the backup file contains all the configuration (/config), cron (/var/cron), etc (/var/etc), and IPsec files (/var/etc/ipsec).
  • Page 506 Note: Nokia recommends that you back up GPLC config files. 7. Click APPLY. 8. To make your changes permanent, click SAVE. Creating a Regularly Scheduled Backup File 1.
  • Page 507 Note: Nokia recommends that you back up GPLC config files. 12. Click APPLY. 13. To make your changes permanent, click SAVE. Transferring Backup Files to a Remote Server 1.
  • Page 508: Restoring Files From Locally Stored Backup Files

    Restoring Files from Locally Stored Backup Files This procedure describes how to restore your files to the system from locally stored backup files. You must first create backup files. See “Creating a Backup File Manually” “Creating a Regularly Scheduled Backup File” Voyager Reference Guide...
  • Page 509 Warning Make sure that you have enough disk space available on your Nokia appliance before restoring files. If you try to restore files and you do not have enough disk space, you risk damaging the operating system.
  • Page 510 Restoring from a backup file overwrites your existing files. Note The system must be running the same version of the operating system and the same packages as those of the backup file(s) from which you restore file(s). Voyager Reference Guide...
  • Page 511 Warning Make sure that you have enough disk space available on your Nokia appliance before restoring files. If you try to restore files and you do not have enough disk space, you risk damaging the operating system. 3. In the R...
  • Page 512: Scheduling Jobs Through The Crontab File

    PPLY Scheduling Jobs Through the Crontab File Configuring Scheduled Jobs This procedure describes how to use Voyager to access the crontab file and schedule regular jobs. The cron daemon executes jobs at dates and times you specify through this procedure.
  • Page 513: Managing Ipso Images

    , and then click SAVE to make your changes permanent. Managing IPSO Images. Selecting IPSO Images: This procedure describes how to select an IPSO image: 1. Click CONFIG on the home page.
  • Page 514 OMMIT TESTBOOT you are testing. 8. (Optional) Click the REVERT TO PREVIOUS IMAGE AND REBOOT radio button to use the original image. 9. Click APPLY. To make your changes permanent, click SAVE.
  • Page 515: Installing New Ipso Images

    IPSO Release Notes, which is available on the Nokia customer support site: https://support.nokia.com for more information. To upgrade the image from Voyager, you must first install the image that is on the Nokia CD on an http server, ftp server, or file server.
  • Page 516 You see a message telling you that the upgrade process could take a long time if the network is slow. 9. Click APPLY again. The system downloads the specified image file. 10. To see messages about the status of the download and installation process, click New image installation status.
  • Page 517 If you do not perform these steps within five minutes, the system automatically reboots the previous image. 1. Log into the system. The IPSO Image Management page appears. 2. Click T . The new image is now the default image. ESTBOOT OMMIT Voyager Reference Guide...
  • Page 518: Managing Packages

    Configuring System Functions Upgrading IPSO Images for a Cluster You can use Cluster Voyager to upgrade the IPSO image on all the cluster nodes. After you see that the new image has been successfully installed on all the nodes, you need to reboot them so that they will run the new image. See “Managing a Cluster”...
  • Page 519 13. (Optional) Click the Yes radio button next to Upgrade. 14. (Optional) Click the radio button of the package from which you want to upgrade under Choose one of the following packages to upgrade from. Voyager Reference Guide...
  • Page 520 To make your changes permanent, click SAVE. Deleting Packages: This procedure describes how to delete a package: 1. Click CONFIG on the home page. 2. Click the Manage Installed Packages link in the System Configuration section.
  • Page 521: Advanced System Tuning

    TCP segment size of 512. It is only relevant to Check Point security servers or similar products that require the Nokia appliance to terminate the connection. Only the remote terminating node responds to the MSS value you set; that is, intermediate nodes do not.
  • Page 522 The range for this value is 512 through 1500, and the default value is 1024. If you enter a value outside of this range, an out-of-range error is generated. 4. Click APPLY. 5. Click SAVE to make your changes permanent.
  • Page 523: Configuring Security And Access

    Adding Users Removing a User Configuring S/Key Using S/Key Disabling S/Key Changing the S/Key Password Group Procedures Managing Groups Network Access Procedures Voyager Web Access FTP Access Telnet Access CLI Over HTTP CLI Over HTTPs Admin Network Login Voyager Reference Guide...
  • Page 524 Managing User RSA and DSA Identities Tunneling HTTP Over SSH Secure Socket Layer (SSL) SSL Description Enabling SSL Voyager Web Access Generating a Certificate and Private Key Installing a Certificate and Private Key Troubleshooting SSL Configuration Authentication, Authorization, and Accounting (AAA)
  • Page 525 Changing the Local/Remote Address or Local/Remote Endpoint of an IPsec Tunnel Removing an IPsec Tunnel Voyager Session Management Voyager Session Management Description Enabling Voyager Session Management Disabling Voyager Session Management Logging In with Exclusive Configuration Lock Logging In without Exclusive Configuration Lock...
  • Page 526: Password Procedures

    DD NEW USER OME DIRECTORY path name of a directory into which the user will log in. For example, if the name of the new user is tester, you could enter a path /var/tester for the home directory. Voyager Reference Guide...
  • Page 527 To make your changes permanent, click SAVE. Configuring S/Key: This procedure describes how to enable S/Key-based authentication for admin and monitor accounts. S/Key is a One-Time Password (OTP) system that can...
  • Page 528 To make your changes permanent, click SAVE. Using S/Key. Note: You will need an S/Key calculator on your platform to generate the S/Key One-Time Password. Many Unix-derived and Unix-like systems include the S/Key calculator command “key.” Many GUI calculators include...
  • Page 529 Disabling S/Key: 1. To disable S/Key, click the DISABLED radio button in the S/KEY PASSWORD field; then click APPLY. The sequence number and seed disappear.
  • Page 530: Group Procedures

    DD NEW GROUP ROUP NAME or fewer characters) of the new group you want to add. 4. In the G field, enter a numeric ID. The number must be unique. Note Suggested values are between 100 and 65000. Voyager Reference Guide...
  • Page 531: Network Access Procedures

    This procedure describes how to enable web access using Voyager. 1. Click CONFIG on the home page. 2. Click the Voyager Web Access link in the Security and Access Configuration section. 3. The radio button in the ALLOW VOYAGER WEB ACCESS field is the default.
  • Page 532 2. Click the Network Access and Services link in the Security and Access Configuration section. 3. Click the radio button in the ALLOW TELNET ACCESS field; then click APPLY. To make your changes permanent, click SAVE.
  • Page 533 Admin Network Login: This procedure describes enabling network login access using the admin account. 1. Click CONFIG on the home page. 2. Click the Network Access and Services link in the Security and Access Configuration section.
  • Page 534 Configuring a Modem on COM2: This procedure describes how to configure a modem on COM2: 1. Click CONFIG on the home page. 2. Click the Network Access and Services link in the Security and Access Configuration section.
  • Page 535 DIALBACK NUMBER field. The dialback feature uses this number to call back an authenticated user (for example, 408 555 0093). If dialback is disabled, ignore this value. 10. Click APPLY. To make your changes permanent, click SAVE.
  • Page 536 IALBACK LOGIN enable modem dialback. When set to Yes, an incoming call on the modem is dropped after you log in, and the modem automatically calls the D IALBACK UMBER connects a login process to the line. Voyager Reference Guide...
  • Page 537 7. (Optional) In the DIALBACK NUMBER edit box, enter the dialback number used by the Dialback feature when calling back an authenticated user.
  • Page 538 Ositech Five of Clubs PCMCIA modem card, and the second table refers to the Ositech Five of Clubs II PCMCIA modem card. Country Code for Ositech Five of Clubs Card Country Canada Australia Belgium Denmark Finland France Germany Greece Iceland Ireland Italy Voyager Reference Guide...
  • Page 539 Country Code for Ositech Five of Clubs Card Country Luxembourg The Netherlands Norway Portugal Spain Sweden Switzerland United Kingdom Country Code for Ositech Five of Clubs II Card Country Canada Australia Belgium Denmark Finland France Voyager Reference Guide...
  • Page 540 Luxembourg The Netherlands Norway Portugal Spain Sweden Switzerland United Kingdom. Click APPLY, and then click SAVE to make your changes permanent. Note: This feature is available on the IP500 series and IP700 series platforms only.
  • Page 541: Services

    Chargen service sends data without regard to input. The data sent is a repeating sequence of printable characters. 1. Click CONFIG on the home page. 2. Click the Network Access and Services link in the Security and Access Configuration section.
  • Page 542 2. Click the Network Access and Services link in the Security and Access Configuration section. 3. Click the radio button in the ENABLE ‘TIME’ SERVICE field; then click APPLY. To make your changes permanent, click SAVE.
  • Page 543: Secure Shell (Ssh)

    You can use SSH instead of utilities such as telnet or rlogin to securely manage your platform. You can also tunnel HTTP over SSH to use Voyager to securely manage your platform. This implementation supports both SSHv1 and SSHv2. Some of the...
  • Page 544 RSA authentication. The rhost authentication is insecure and is not recommended. 8. Click APPLY. 9. (Optional) In the CONFIGURE SERVER PROTOCOL DETAILS field, click the radio button next to the version of SSH you want to use. The default is Both 1 and 2.
  • Page 545 SSH S field, with no NABLE ISABLE ERVICE need to configure other options or advanced options. 1. Click C on the home page. ONFIG 2. Click the Secure Shell (SSH) link in the Security and Access Configuration section. Voyager Reference Guide...
  • Page 546 If you specify users or groups, only those users and groups will be allowed or forbidden. Group settings only apply to a user’s primary group—the Gid setting in the Voyager Password page. For more information on configuring users and groups see Adding Users and Managing Groups.
  • Page 547 Note: The default settings for the ALLOW REMOTE CONNECTIONS TO FORWARD PORTS and IGNORE USER’S OWN KNOWN HOSTS FILE fields are No. The default setting for the IGNORE RHOSTS AND SHOSTS FILES field is Yes. The...
  • Page 548: Configuring Secure Shell Authorized Keys

    ...id_dsa.pub. For more information, consult your SSH client software documentation. 1. Click CONFIG on the home page. 2. Click the Secure Shell (SSH) link in the Security and Access Configuration section. 3. Click the Go to the authorized keys page link.
  • Page 549: Changing Secure Shell Key Pairs

    7. Click SAVE to make your changes permanent. Changing Secure Shell Key Pairs: The following procedure describes how to generate new RSA and DSA keys. When you generate new keys, you may need to change configurations of each...
  • Page 550 Note Recreating keys might cause problems with some clients, because the server will be using a key different from the one it used before. You can reconfigure the client to accept the new key. Voyager Reference Guide...
  • Page 551: Managing User Rsa And Dsa Identities

    ENERATE KEY OF SIZE Identity for ‘user name’. 12. Enter the passphrase in the ENTER PASSWORD field. 13. Enter the password again to verify it. 14. Click APPLY. 15. Click SAVE to make your changes permanent.
  • Page 552: Tunneling Http Over Ssh

    Use the -L option to redirect a port to port 80 on the remote platform. The example below redirects port 8000. At the shell prompt, type: ssh -l admin Nokia Platform.corp.com -L 8000:127.0.0.1:80 From a Windows terminal do the following: Use the client to redirect port 8000.
  • Page 553: Secure Socket Layer (Ssl)

    This procedure describes how to enable SSL web access and encryption using Voyager. 1. Click C on the home page. ONFIG 2. Click the Voyager Web Access link in the Security and Access Configuration section. 3. Click the radio button in the A field.
  • Page 554 Generating a Certificate and Private Key This procedure describes how to generate a certificate and its associated private key using Voyager. To better ensure your security, you should generate the certificate and private key over a trusted connection. 1. Click C on the home page.
  • Page 555 12. (Optional) Enter your e-mail address in the EMAIL ADDRESS edit box. 13. Click the GENERATE AN X.509 CERTIFICATE SIGNING REQUEST (CSR) radio button if you are requesting a certificate from a certification authority.
  • Page 556 X.509 certificate—and its associated private key— New private key. You must perform a cut-and-paste operation to move the certificate and the private key to the Voyager SSL Certificate page. (See Installing a Certificate later in this section.) Installing a Certificate and Private Key This procedure describes how to install a certificate and its associated private key using Voyager.
  • Page 557 “https” rather than “http” when connecting through your web browser. 2. Use the Voyager command line utility if you want to turn off SSL and restart Voyager. You can access this utility by logging onto your network application platform (Nokia Platform) through your console terminal or the 'ssh' client.
  • Page 558: Authentication, Authorization, And Accounting (Aaa)

    Configuring Security and Access To change or reenter the certificate and private key, first use step 2 above to turn off SSL and restart Voyager. Then use Voyager to add the certificate and private key. (See Installing a Certificate and Private Key earlier in this section.)
  • Page 559 ROFILE the P in the S table. ROFILE AMES ERVICE ROFILE 2. In the A edit box under the S table, enter ROFILE ERVICE ROFILE either an existing item from the A table, if the service’s ROFILE Voyager Reference Guide...
  • Page 560 REQUIRED service requires more than one Auth. Profile. (For a description of the effect on result disposition and subsequent algorithm invocation represented by the list’s items, see “Profile Controls.”) Note The Server/File field is unused. Voyager Reference Guide...
  • Page 561 Apache web server. When the user requests a Voyager page, this module is called to authenticate the user, which, in turn, verifies the user name and password supplied during the Voyager login against the information in /etc/master.passwd.
  • Page 562 This module authenticates the SNMP packets from a user (Management Station). When a user is added in the system through Voyager, a corresponding authentication and privacy key is created and kept in the usmUser database, /var/ucd-snmp/snmpd.conf. When an SNMP...
  • Page 563 Type Module Description TACPLUS pam_tacplus_auth.so.1.0 This module is a client/server authentication system that supports remote administrator login to Voyager and command line configuration, and selected management functions. The implemented protocol is called TACACS+. UNIX pam_unix_auth.so.1.0 This module uses the local...
  • Page 564 S table. AMES ESSION ROFILE 2. Select the item in the T drop-down list that matches the service’s requirements. (For a description of the session algorithms represented by the list’s items, see “Session Profile Types.”) Voyager Reference Guide...
  • Page 565 Lists of algorithms are specified by defining multiple entries under the A , and S ROFILE ROFILE ESSION ROFILE columns of a S ERVICE ROFILE The following table describes these effects for algorithm invocation not at the end of the list. Voyager Reference Guide...
  • Page 566 The result is reported immediately. sufficient The result is reported immediately optional A result of success is reported. Creating a Service Module Example In creating a new service, there are unique requirements for authentication, accounting and session management, as follows: Voyager Reference Guide...
  • Page 567: Configuring Radius

    This service allows an organization to maintain user profiles in a centralized database that resides on an authentication server that can be shared by multiple remote access servers. A host contacts a RADIUS server, which Voyager Reference Guide...
  • Page 568 Configuring Security and Access determines who has access to that service. Beginning with IPSO 3.5, Nokia provides RADIUS client support only. This procedure shows you how to configure RADIUS servers for a single authentication profile. 1. Click C on the home page.
  • Page 569 13. (Optional) Enter the maximum number of times to attempt to contact the server in the M edit box. If all the attempts do not make a RIES reliable connection within the timeout period, the client stops trying to contact the RADIUS server. The default is 3. Voyager Reference Guide...
  • Page 570: Configuring Tacacs

    TACACS+ is not supported by IPSO at this time. TACACS+ support may be configured separately for various services. The Voyager service is one of those for which TACACS+ is supported and is configured as the “httpd” service. When TACACS+ is configured for use with a service, IPSO contacts the TACACS+ server each time it needs to check a user password.
  • Page 571 (every page view). If the server fails or is unreachable, the password is not recognized and you are not allowed access. In Voyager, this is effective immediately. Before you change the Voyager configuration, confirm any new configuration. This procedure shows you how to configure TACACS+ servers for a single authentication profile.
  • Page 572 TACACS+ authentication profile. Note Repeat steps 8 to 13 of this procedure to configure additional AAA TACACS+ Authentication Servers only. Voyager Reference Guide...
  • Page 573: Deleting An Aaa Authentication Server Configuration

    Changing the Service Profile b. Changing a Service Module Configuration c. Changing an Authentication Profile Configuration d. Changing an Accounting Profile Configuration e. Changing a Session Profile Configuration f. Deleting an Item in a Service Profile Entry Voyager Reference Guide...
  • Page 574 “Deleting an Item in a Service Profile Entry,” and add them in the desired order using this procedure. Creating a Stacked Service Module In creating a “service,” the requirement for multiple authentication algorithms is as follows: Voyager Reference Guide...
  • Page 575 SKEY required: SECURETTY The following graphic screens below show an example of creating a “service,” which has the requirement for multiple authentication algorithms. Only the portion of the page that has changes is shown here. Voyager Reference Guide...
  • Page 576 To change the order, delete the algorithms which are out-of-order, using “Deleting an Item in a Service Profile Entry,” and add them in the desired order using this procedure. Voyager Reference Guide...
  • Page 577 REQUIRED service requires more than one Auth. Profile. (For a description of the effect on result disposition and subsequent algorithm invocation represented by the list’s items, see Profile Controls.) Note The Server/File field is unused. Voyager Reference Guide...
  • Page 578 Values other than REQUIRED are effective only when the service requires more than one Session Profile. (For a description of the effect on result disposition and subsequent algorithm invocation represented by the list’s items, see Profile Controls.)
  • Page 579: Deleting An Aaa Configuration

    ROFILE ERVICE ODULE table. ONFIGURATION 4. Click APPLY. 5. Click S to make your changes permanent. The following services may not be deleted: httpd, snmpd, login, sshd, other
  • Page 580: Cryptographic Acceleration

    11,476 bytes. CRP forwarding slows packet throughput on your network application platform. If you have a Nokia encryption accelerator card installed, IPSO supports IKE acceleration for Check Point VPN-1/FireWall-1. The Nokia Encryption Accelerator I supports 1024 bit groups (keys)
  • Page 581: Ipsec Tunnels

    The Nokia Encryption Accelerator I supports 1524 bit groups (keys) The Voyager-based version of Check Point's cpconfig program makes it easier for you to enable IKE acceleration—you simply choose the option for registering the PKCS #11 module. If you want to use IKE acceleration, use the Voyager-based version of cpconfig (instead of running cpconfig at a command prompt) to perform the initial configuration of VPN-1/FireWall-1.
  • Page 582 Note You cannot enable the accelerator card before you install it. The options in Voyager for enabling the card do not appear until it is installed. The way you enable the card depends on whether you use Check Point software to create and manage VPN tunnels or use Nokia Network Voyager to create and manage tunnels (in IPSO).
  • Page 583: Monitoring Cryptographic Acceleration

    Enabling the accelerator card for a Check Point 1. Start Nokia Network Voyager for your appliance. 2. On the Voyager home page, click Security and Access Configuration. 3. Click Cryptographic Hardware Acceleration. If you don’t see this link, the VPN-1/FireWall-1 package is not installed.
  • Page 584: Ipsec Tunnels

    Transport and Tunnel Modes The basic building blocks of IPsec, AH and ESP, use symmetric cryptographic techniques for ensuring data confidentiality and data signatures for authenticating the data’s source. IPsec operates in two modes: Transport mode Tunnel mode Voyager Reference Guide...
  • Page 585 If AH is used, selected portions of the original IP header and the data payload are authenticated. [Figure: IP header and payload, with the authenticated portion marked.] If ESP is used, no protection is offered to the IP header, but data payload is authenticated and can be encrypted.
  • Page 586 IP header. By default, ESP, providing the highest level of confidentiality, is used in this release. [Figure: packet layout: New IP header, ESP header, Old IP header, Payload, ESP trailer, ESP auth; authenticated and encrypted portions marked.]
  • Page 587 IP packet going through a secure gateway The SA database that contains parameters associated with each active SA. Examples are the authentication algorithms, encryption algorithms, keys, lifetimes for each SA (by seconds and bytes) and modes to use Voyager Reference Guide...
  • Page 588 The one method to complete phase 1 is Main Mode. The Main Mode negotiation uses six messages, in a three two-way exchange. The messages containing the identity information are not authenticated nor encrypted. Voyager Reference Guide...
  • Page 589: Using Pki

    Mode uses three messages, two for proposal parameters and a third one to acquit the choice. With “perfect forward secrecy” enabled, the default value in Nokia’s configuration, a new Diffie-Hellman exchange must take place during Quick Mode. Consequently, the two peers generate a new Diffie-Hellman key pair.
  • Page 590: Ipsec Implementation In Ipso

    RFC 2411—IP Security Document Roadmap RFC 2412—The OAKLEY Key Determination Protocol RFC 2451—ESP CBC-Mode Cipher Algorithms IPsec configuration in Voyager is based on three different IPsec objects: proposals, filters and policies. Proposals define the combination of encryption and authentication algorithms that will secure phase 1 negotiation (Main Mode) as well as phase 2 negotiations (Quick Mode) and IPsec packets.
  • Page 591 IPSO platforms except the IP3000 series. For the IP3000 series platform, you must create a logical interface with each tunnel rule. You can create tunnel rules without logical interfaces if you require a large number of tunnels. However, creating IPsec tunnels without interfaces can slow down non-IPsec traffic. Voyager Reference Guide...
  • Page 592: Ipsec Parameters

    Phase 2 lifetime. Set the encryption to 3DES, and set the authentication so that it is the same as the Phase 2 algorithm. Platforms IPsec is supported across all Nokia security appliances. IPsec Parameters The two IPsec peers should agree on authentication and encryption methods, exchange keys, and be able to verify each other’s identities.
  • Page 593 IPsec SAs. The value options are 1, 2, 5, or none; 2 is the default. Setting the value to none disables PFS. Note When IPSO is acting as the responder of the Phase 2 negotiation, it always accepts the PFS group proposed by the initiator. Voyager Reference Guide...
  • Page 594: Creating An Ipsec Policy

    The primary difference is the format of the IP addresses. IPv4 uses dotted quad format and IPv6 uses canonical address format. There may be differences in selected range values; consult the inline Help option for specifics. The following sections describe how to create an IPsec policy: Voyager Reference Guide...
  • Page 595 Repeat this operation for as many networks as needed. Note Each Voyager page displays a maximum of 10 proposals and/or 10 filters. If you create more than 10, they are continued on new pages. Access these pages by clicking the link directly below the appropriate section.
  • Page 596 PASTE THE PEM ENCODED CERTIFICATE; click APPLY. This action should print a Success message. Click on the link titled IPsec General Configuration page to return to the main IPsec configuration page.
  • Page 597 Device Certificates table. 3. Click on the new link with the same name you entered in Step 1. This action takes you to the IPsec Certificate Enrollment page for that named item. Voyager Reference Guide...
  • Page 598 ILL DO IT LATER 7. Click APPLY. If you chose COMPLETED THE CERTIFICATE REQUEST AT THE SITE, proceed to step 8. If you chose the WILL DO IT LATER option, skip to step 9.
  • Page 599 Error (default value)—Only error messages or audit messages are logged. b. Info—provides minimum information about the successful connections to the system. Also includes error messages. c. Debug—Besides the informational messages, full details of the negotiations performed by the subsystem are given. Voyager Reference Guide...
  • Page 600 2. An Apply Successful message is displayed and the policy name is displayed in the POLICIES table. Click on the policy name in the POLICIES table. The IPsec Policy Configuration page for the name is displayed.
  • Page 601 If they are not set the same, IPSO IPsec may deny the negotiation. 6. In the Diffie-Hellman Groups table, if the default values in the IKE Group and PFS Group edit boxes are not appropriate, modify them. Then click APPLY.
  • Page 602: Creating An Ipsec Tunnel Rule

    Note Each Voyager page displays a maximum of 10 policies. If you create more than 10 policies, they are continued on new pages. Access these pages by clicking the link directly below the policy section. The link to more pages appears only after you create more than 10 policies.
  • Page 603 Note IPSO can support up to 1500 rules. However, each Voyager page displays a maximum of 10. If you create more than 10 rules, they are continued on new pages. Access these pages by clicking the link directly below the rule section. The link to more pages appears only after you create more than 10 rules.
  • Page 604: Transport Rule

    If there are 40 or more source or destination filters, they will not be displayed as a list on the Voyager page. To view a filter that is not displayed, type the name of the filter in the appropriate field.
  • Page 605 If there are 40 or more source or destination filters, they will not be displayed as a list on the Voyager page. To view a filter that is not displayed, type the name of the filter in the appropriate field.
  • Page 606: Ipsec Tunnel Rule Example

    Note Each Voyager page displays a maximum of 10 transport rules. If you create more than 10 rules, they are continued on new pages. Access these pages by clicking the link directly below the rule section. The link to more pages appears only after you create more than 10 transport rules.
  • Page 607 Configure Nokia Platform 1 1. Click CONFIG on the home page of the Network Application Platform 1 (Nokia Platform 1). 2. Click the IPsec link. 3. Under the PROPOSALS table, enter md5-des as a name for a new proposal in the N edit box.
  • Page 608 This action displays a new table, LINKED POLICY. 24. Select SITE_A from the SOURCE FILTERS pulldown menu. 25. Select SITE_B from the DESTINATION FILTERS pulldown menu. 26. Click APPLY. 27. To make changes permanent, click S
  • Page 609: Ipsec Transport Rule Example

    Configure Nokia Platform 2 You now need to set up Network Application Platform 2 (Nokia Platform 2). Accomplish the same steps that were performed to configure Nokia Platform 1 with the following changes. a. Step 18; enter in the L edit box.
  • Page 610 Policy page is displayed to complete the missing parameters of the policy. 13. Select 5 from the A pulldown menu. Enter DD A ROPOSAL the P edit box. RIORITY 14. If not default selected, select P in the HARED ECRET field. UTHENTICATION ETHOD Voyager Reference Guide...
  • Page 611 24. To make changes permanent, click S Configure PC1 You now need to set up PC1. Accomplish the same steps that were performed to configure Nokia Platform 1 (IPSO) with the following changes. a. Step 6; for the local filter, enter 192.68.26.74 in the A edit...
  • Page 612: Removing An Ipsec Tunnel

    IPv6 General Configuration page is desired, scroll to the bottom of the page and click on the IPv6 IPsec General Configuration link. 3. Under the IPsec Tunnel Rules heading, click in the Delete square of the tunnel name(s) you wish to delete. 4. Click APPLY.
  • Page 613: Voyager Session Management

    The lock does not expire until the session timeout elapses or someone manually overrides the lock. If you acquire a lock while using Voyager, CLI users are also prevented from making changes (as well as other Voyager users). The reverse is also true—a...
  • Page 614 lock acquired by a CLI user prevents Voyager users (and other CLI users) from making configuration changes on the appliance. For instructions about how to override a configuration lock, see “Overriding Configuration Locks.” Enabling Voyager Session Management Note Your browser must be configured to accept cookies.
  • Page 615 CQUIRE XCLUSIVE ONFIGURATION This is the default. 4. Click Login. Note Enabling exclusive configuration lock in Voyager prevents you from using the IPSO command line interface to configure the system while the session is in progress. Voyager Reference Guide...
  • Page 616: Configuring Session Timeouts

    5. Enter your user password. 6. Click Login. Configuring Session Timeouts You can adjust the time interval which Voyager will allow a user to be logged in without activity. If you close your browser without logging out, this Voyager Reference Guide...
  • Page 617 To change the session timeouts, follow the procedure below. 1. Click CONFIG on the home page. 2. Click the Voyager Web Access link in the Security and Access Configuration section. 3. In the S edit box, enter the time in seconds.
  • Page 618 Configuring Security and Access Voyager Reference Guide...
  • Page 619: Configuring Fault Management

    Fault Management Description Enabling Fault Management Disabling Fault Management Configuring Alarm Log Enabling Automatic Shutdown Viewing Active Alarms Viewing Active Alarm Details Canceling an Active Alarm Viewing Logged Alarm Events Specifying Global Filtering Rules Enabling or Disabling Specific Alarms Voyager Reference Guide...
  • Page 620: Fault Management Configuration

    IPSO fault management supports a basic set of alarms. Alarms, for the most part, are features of third party applications that support alarm interfaces. You will be able to do the following using Voyager: Enable and disable alarm traps View configured and all permissible alarms...
  • Page 621 The default is Logging. ONTROL 5. (Optional) If you do not want to log new events, select Suspend in the drop-down list. The default is Logging. ONTROL 6. Click APPLY. 7. Click S to make your changes permanent.
  • Page 622 1. Click CONFIG. 2. Click the Current Alarm List link under the Fault Management Configuration section. 3. In the Alarm ID field, click the number corresponding to the alarm for which you would like more detail.
  • Page 623 This procedure describes how to view logged alarm events. 1. Click CONFIG. 2. Click the Alarm Log link under the Fault Management Configuration section. 3. In the Notification ID field, click the number corresponding to the alarm for which you would like more detail.
  • Page 624 2. Click the Alarm Filtering link under the Fault Management Configuration section. 3. Under the List of Alarms, click the O or O radio button next to the alarm you want to enable or disable. 4. Click APPLY. 5. Click S to make your changes permanent.
  • Page 625: Configuring Snmp

    Entering SNMP Location and Contact Information Interpreting SNMP SNMP Error Messages Configuring SNMPv3 Adding a User-based Security Model User Deleting a User-based Security Model User Modifying a User-based Security Model User Entry Changing a User-based Security Model User Permissions Voyager Reference Guide...
  • Page 626: Overview

    Configuring SNMP Overview SNMP Description SNMP, as implemented on the Nokia platforms, supports the following: GetRequest, GetNextRequest, GetBulkRequest and a select number of traps. The Nokia implementation also supports SetRequest for three attributes only: sysContact, sysLocation, and sysName. See “Setting Community Strings.”...
  • Page 627 IANAifType MIB Internet Assigned Defines the IANAifType Numbers Authority textual convention, including the values of the ifType object defined in the MIB-II ifTable. IF MIB RFC 2233 Describes generic objects for network interface sub-layers Voyager Reference Guide...
  • Page 628 SNMP MPD MIB RFC 2572 Provides message processing and dispatching. SNMP User-based SM MIB RFC 2574 Provides management information definitions for SNMP User-based Security Model SNMPv2 MIB RFC 1907 Defines SNMPv2 entities. Note: the warmStart trap is not supported. Voyager Reference Guide...
  • Page 629 Tunnel-MIB RFC 2667 Provides statistics about IP tunnels UDP-MIB RFC 2013 Provides statistics about UDP implementations Frame Relay DTE MIB RFC 2115 Keeps statistics and errors in one or more circuits of a device implementing Frame Relay. Voyager Reference Guide...
  • Page 630 Nokia platform is used as an IP security device. Nokia Common MIB OID proprietary Registration MIB Nokia Common NE Role MIB proprietary Nokia Enhanced SNMP Solution proprietary Note: IPSO does not Suite Alarm IRP MIB send traps supported by...
  • Page 631 Nokia Enhanced SNMP Solution proprietary Note: IPSO does not Suite Common Definition MIB send traps supported by this MIB when the Nokia platform is used as an IP security device. Nokia Enhanced SNMP Solution proprietary Suite PM Common Definition MIB...
  • Page 632: Configuring Snmp V1 And V2

    Note You must configure an SNMP string first to configure sysContact and sysLocation. Use Voyager to perform the following tasks: Define and change one read-only community string. Define and change one read-write community string Enable and disable the SNMP daemon...
  • Page 633 Click A . The IP address and its current DDRESS PPLY status appears on the Voyager page. 4. Click S to make your change permanent. Note The default is for the protocol to respond to requests from all interfaces.
  • Page 634 Note To enable specific SNMPv3 users, click the Add USM Users link at the bottom of the SNMP voyager page, which takes you to the voyager page that lets you configure users for SNMPv3. For more information, see “Adding a User-based Security Model User.”...
  • Page 635 4. (Optional) Enter the community string, using alphanumeric characters (do not use spaces), for the specified receiver in the COMMUNITY STRING FOR NEW RECEIVER edit box. Click APPLY. The default community string for the trap receiver is public.
  • Page 636 The system traps are defined in the Nokia-IPSO-System-MIB. The ifLinkUpDown trap is defined in the IF-MIB. The clustering traps are defined in the Nokia-IPSO-LBCluster-MIB. The Disk Mirror traps are defined in the Nokia-IPSO-System-MIB. The text files that define the MIBs are located in the /etc/snmp/mibs directory.
  • Page 637 NABLE SYSTEM ONFIGURATION HANGE TRAPS Click A PPLY 11. (Optional) If you want to know when space on the system disk is low, button next to the E click the NABLE SYSTEM PACE Voyager Reference Guide...
  • Page 638 AILURE field. Click A TRAPS PPLY Note The systemTrapDiskFailure applies only the IP740 and IP530 Nokia platforms. 14. (Optional) If you want to receive notification when a system disk mirror button next to the E set is created, click the NABLE field.
  • Page 639 Click APPLY. 23. To make your changes permanent, click S Setting the SNMP Trap Agent Address 1. Click CONFIG on the home page. 2. Click the SNMP link.
  • Page 640 Click APPLY. 4. (Optional) In the SNMP CONTACT STRING field, enter the department or person who has administrative responsibility for the device. Click APPLY. 5. To make your changes permanent, click S
  • Page 641: Interpreting Snmp Messages

    See the table below for the error status codes and their corresponding meanings. Error Status Code Meaning noError tooBig NoSuchName BadValue ReadOnly genError noAccess wrongType wrongLength wrongEncoding wrongValue Voyager Reference Guide...
  • Page 642 The next, or fifth field, is the variable-bindings field. It consists of a sequence of pairs; the first is the identifier. The second element is one of the following five: value, unSpecified, noSuchObject, noSuchInstance, and EndofMibView. The table below describes each element.
  • Page 643 If the variable's name does not exactly match the name of a variable, then its value field is set to noSuchInstance. Voyager Reference Guide...
  • Page 644 If at any point in the process, a lexicographic successor does not exist, the endofMibView value is returned with the name of the last lexicographic Voyager Reference Guide...
  • Page 645: Snmp V3

    SNMP. SNMPv3 defines a user-based security mechanism that enables per-message authentication and encryption. See RFC 2574 for more information. You must use Voyager to create USM user accounts. SNMPv3 uses a default configuration to generate USM keys. The Nokia implementation supports DES and MD5 authentication to automatically generate USM keys.
  • Page 646 The password of an SNMP USM user must be at least 8 characters long. 12. Click APPLY, and then click S to make your changes permanent. Note A table appears on the SNMP page with the name of each user and his/her permissions.
  • Page 647 Password Setting page. To reach that page, click CONFIG on the home page and then click the Users link in the Security and Access Configuration section. Click APPLY. 4. Click S to make your changes permanent.
  • Page 648 Click the radio button corresponding to the type of permission you would like for that user in the Permission column. 4. Click APPLY, and then click S to make your changes permanent.
  • Page 649: Configuring Asset Management

    The Check Point FireWall summary lists information about the host and policy installed and the date on which the FireWall policy was installed. The summary also describes which version of the FireWall is running and license information. Voyager Reference Guide...
  • Page 650 2. Click the Asset Management Summary link. This action takes you to the asset management summary page. 3. The page separates information into three tables: Hardware, FireWall Package Information, and Operating System. 4. Click the U button to return to the main configuration page. Voyager Reference Guide...
  • Page 651: Configuring Ipv6

    Configuring IPv4 in IPv6 Tunnels Routing Configuration Configuring an IPv6 Default Route Creating an IPv6 Static Route Configuring RIPng Creating IPv6 Aggregate Routes Creating Redistributed Routes Redistributing Static Routes into RIPng Router Discovery Configuring ICMPv6 Router Discovery Voyager Reference Guide...
  • Page 652: Overview

    IPv6 includes a transition mechanism that allows users to adopt and deploy IPv6 in a highly diffuse way and provides direct interoperability between IPv4 and IPv6 hosts. The Nokia implementation supports the following features as specified in the corresponding RFCs: IPv6 Specification (RFC 2460)
  • Page 653 IPv6 to IPv4 (Internet Draft) Generic Packet Tunneling (RFC 2473, IPv4 through IPv6 only) RIPng for IPv6 Static Routes Route Aggregation Route Redistribution IPv6 inetd IPv6 telnet client and server IPv6 ftp client and server Utilities (ping, netstat, tcpdump, ndp) Voyager Reference Guide...
  • Page 654: Interfaces

    4. In the GLOBAL NEIGHBOR DISCOVERY SETTINGS field, enter the value for the unicast retry limit in the UNICAST RETRY LIMIT edit box. This...
  • Page 655: Ipv6 And Ipv4 Compatibility

    1. Click CONFIG on the home page. 2. Click the IPv6 in IPv4 Tunnels link in the IPv6 section. 3. Enter the IPv4 address of the local tunnel endpoint in the LOCAL ADDRESS edit box.
  • Page 656: Configuring Ipv6 To Ipv4

    This value represents the pseudo-interface that is associated with this feature. It does not correspond to a specific physical device. 5. Enter the IPv4 address of the local interface in the LOCAL ADDRESS edit box.
  • Page 657: Configuring Ipv6 Over Ipv4

    6. (Optional) Enter a value for the Time to Live (TTL) of the packets sent in the TIME TO LIVE edit box. 7. Click APPLY, and then click S to make your changes permanent.
  • Page 658: Configuring Ipv4 In Ipv6 Tunnels

    The options are normal, reject, and black hole. 5. Select the interface the static route will use to reach the gateway in the INTERFACE field. Note This interface must be specified only if the gateway is a link local address.
  • Page 659 6. Enter the IPv6 address of the gateway router in the N edit box. 7. Select the type of next hop the static route will take from the N drop-down window. 8. Select the interface the static route will take to reach the gateway in the INTERFACE field.
  • Page 660: Routing Configuration

    4. Enter a value for the RIPng metric to be added to routes that are sent by way of the specified interface in the METRIC edit box. 5. Click APPLY, and then click S to make your changes permanent.
  • Page 661: Creating Ipv6 Aggregate Routes

    4. To redistribute all currently valid static routes into RIPng, click the O button in the R field. EDISTRIBUTE ALL TATICS IN THE 5. Enter a value for the metric cost that the created RIPng routes will have in the METRIC edit box.
  • Page 662 Click APPLY, and then click S to make your changes permanent. Redistributing Interface Routes into RIPng 1. Click CONFIG on the home page. 2. Click the Route Redistribution link in the IPv6 section. 3. Click the Interface Routes link.
  • Page 663: Router Discovery

    Nokia implements only the ICMPv6 router discovery server portion, which means that the Nokia platform can advertise itself as a candidate default router, but it will not adopt a default router using the router discovery protocol.
  • Page 664 12. (Optional) Enter a value (in seconds) for the router advertisement packet’s retransmission timer field in the RETRANSMISSION TIMER edit box. This value represents the time between which neighbor solicitation messages are retransmitted if the node doesn’t receive a response.
  • Page 665: Traffic Management

    Traffic Management Traffic Management Overview and Configuration Click the links below to view documentation on Traffic Management features and how to configure them. “Configuring Clustering in IPSO” “Packet Filtering Description” “Traffic Shaping Description” “Traffic Queuing Description” Voyager Reference Guide...
  • Page 666: Security And Access Configuration

    Configuring IPv6 Network Access and Services Enabling FTP Access 1. To enable IPv6 FTP access, click the Y radio button in the ALLOW FTP ACCESS field. 2. Click APPLY, and then click S to make your changes permanent.
  • Page 667 Enabling Telnet Access 1. To enable IPv6 Telnet Access, click the Y radio button in the ALLOW TELNET ACCESS field. 2. Click APPLY, and then click S to make your changes permanent.
  • Page 668 Configuring IPv6 Voyager Reference Guide...
  • Page 669: Ipso Process Management

    Automatically restarting the processes if they abnormally terminate. The IPSO processes monitored by PM are listed in the following table. In addition, application package processes, such as IFWD, FWD, CPRID, might also be monitored by PM.
  • Page 670 Web server daemon. sshd Secure shell daemon. xpand Configuration daemon (also called configd). This daemon processes and validates all user configuration requests, updates the system configuration database, and calls other utilities to carry out the request. snmpd SNMP agent. Voyager Reference Guide...
  • Page 671 (for example, 2 seconds, 4 seconds, 8 seconds, 16 seconds, and so on). If PM fails to start the process after 900 seconds, it stops trying. Each unsuccessful attempt is logged in the system message log. PM’s process monitoring behavior is not user configurable. Voyager Reference Guide...
  • Page 672 IPSO Process Management Voyager Reference Guide...
  • Page 673: Glossary

    Asynchronous Transfer Mode. A technology that transmits all voice, video, and data in packets as small 53-bit cells (5-bit header, 48-bits data). ATM is capable of high-speed routing up to 622 Mbps and is not packet-switched. Voyager Reference Guide...
  • Page 674 All address information is contained in the message itself. Cyclic Redundancy Check. A method used to check the transmission accuracy of a communications link. A sending computer performs a calculation on the data and attaches the result, and the receiving computer Voyager Reference Guide...
  • Page 675 TCP/IP hosts on a network. DLCI Data Link Connection Identifier. A frame relay value that identifies a logical connection. Data Terminal Equipment. A terminal or computer that functions as a source or destination of network communication; end-user equipment. See DCE. Voyager Reference Guide...
  • Page 676 Firewall A system of hardware and software that enforces a boundary between two or more networks in accordance with a local security policy. Nokia technology combines a firewall with a router. FDDI Fiber Distributed Data Interface. LAN technology for data transfer (up to 100 Mbps) on a dual, counter-rotating, fiber-optic cable, token ring.
  • Page 677 IP (host). Cost is the number of routers encountered along a route (series of hops) to a destination IP. HSSI High-speed Serial Interface. A network standard for high-speed (up to 52 Mbps) serial communications over WAN links. Voyager Reference Guide...
  • Page 678 IGRP Interior Gateway Routing Protocol. A widely used interior gateway protocol that uses distance vectors. Like RIP, IGRP allows multiple paths to a single destination, thus providing load sharing and stability during topology changes.
  • Page 679 IPSRD Nokia (Ipsilon) Software Routing Daemon. Nokia software that computes routes using resident-database information, which is configured and maintained by Nokia's Voyager. A daemon is a dormant, background process (in a UNIX environment) that waits to perform tasks. ISDN Integrated Digital Service Network. The recommendation published by...
  • Page 680 Network Application Platform. A term describing the Nokia hardware chassis and software that routes network traffic and operates network applications. Nokia NAPs provide a full range of networking capabilities, including IP routing, combined with state-of-the-art security applications, virus detection, and intrusion detection.
  • Page 681 It calculates routes based on least hops, speed of transmission lines, and congestion delays. Open Systems Interconnection. A set of international, openly developed and accepted standards created by the ISO and CCITT (now ITU-T) for data networking.
  • Page 682 (packets), each chunk has the address of where it came from and where it is going. This enables packets of data from many different sources to co-mingle on the same lines, and be sorted (at nodes) and directed to different routes.
  • Page 683 2 prime numbers. RSA has been analyzed closely and is considered very secure provided a sufficiently long key is used. SDLC Synchronous Data Link Control. A bit-synchronous link-layer protocol that has spawned numerous similar protocols, including HDLC and LAPB.
  • Page 684 Secure Shell. A program to log into another computer over a network that allows execution of commands and movement of files. Intended as a replacement for rlogin, rsh, and rcp, it provides strong authentication and secure communications over channels that are not secure. Symbol A 4-bit unit.
  • Page 685 Now as a datagram is forwarded, its TTL is decremented by one. Thus, TTL actually represents the maximum number of hops that a datagram can make before being discarded.
  • Page 686 UDP contains an exact-port address. Voyager Nokia Voyager software. Nokia's Voyager software that communicates with its routing software element, Ipsilon Routing Daemon (IPSRD) to configure interface hardware, set routing protocols and routing policies, and monitor routing traffic and protocol performance.
  • Page 687: Index

    Configuring for the ATM Interface Adding a New Rule Deleting a Static Entry Applying to an Interface Deleting Dynamic Entries Creating Flushing All Dynamic Entries Deleting Proxy, Adding an Entry Modifying a Rule Static, Adding an Entry Removing
  • Page 688 ATM QoS Descriptor Redistribution Associating with an Interface and a Virtual Route Dampening Channel Route Dampening, Verification Auditlog, Disabling Route Inbound Policy Authentication Route Redistribution Methods Sessions (Internal and External) Profile Types Tables Authentication Profile
  • Page 689 Disabling on an Interface Cluster Voyager Enabling on an Interface Configuring Bootstrap Protocol Relay Configuring for NAT Border Gateway Protocol Configuring in Voyager Configuring VPN-1/FireWall-1 Creating a Cluster Deleting a Configuration CA Certificates Displaying Cluster Status and Members Call Traces, ISDN...
  • Page 690 DSA and RSA Expedited Forwarding Managing User Identities Rate Shaping DVMRP Crontab File, Scheduling Jobs DVMRP Tunnel Cryptographic Acceleration Configuring Displaying States Creating Internet Key Exchange Protocol (IKE) Removing Monitoring DVMRP Tunnels CSU/DSU, T1 Interfaces
  • Page 691 Configuring FDDI Creating FDDI Interface Removing Changing the Duplex Setting GRE Tunnels Changing the IP Address Example Configuring Group Procedures Features Groups Not in this Release Managing Not Supported Supported Files, Backup and Restore
  • Page 692 High Availability, PIM Viewing Dynamic for a Section or Field Hostname Viewing for the Page Changing Interface Hostnames, Resolving Displaying Historical Linkstate Statistics Hot Swapping Nokia Encryption Accelerator Displaying Historical Throughput Cards Statistics HSSI Interfaces Displaying Linkstate Statistics HTTP Unnumbered...
  • Page 693 IPsec Transport Rule Example IPsec Tunnel Incoming Number Configuring Interfaces IPSO Logical Interface IPSO Image Network Configuration Example Upgrading Place and Receive Calls IPSO Images Deleting Receive Calls Installing Managing Removing an Incoming Number Selecting
  • Page 694 Using OSPF Authentication Configuring Description Mail Relay Redistributing Routes Configuring Unnumbered Interface Mail, Sending Virtual Links Management Activity Log Outgoing Call Configuring the IP330 Memory Size Overriding Configuration Locks Message Log, Viewing Mirror Set
  • Page 695 Configuring an E1 Interface Configuring Timers Configuring an HSSI Interface RIP 1 Process, Management Enabling on an Interface Protocol-Independent Multicast RIP 1, Network Mask RIP 2 Authentication Enabling on an Interface QoS Descriptor Network Mask Creating
  • Page 696 Displaying Status Enabling Routing Information Protocol Session Profile Configuration Routing Protocol, Displaying Information Changing Routing Protocols Session Profile Types Routing Subsystem Session Timeouts RSA and DSA Configuring Managing User Identities Settings Rule Interface Deleting
  • Page 697 Software Configuring Sparse-Mode PIM System Time, Setting Configuring System Utilization, Displaying Statistics Setting Advanced Options System-Failure Notification, Setting Configuring T1 Interface Enabling Voyager Web Access TACACS+ Troubleshooting Configuring Static Host TCP MD5 Authentication Deleting TCP/IP stack Static Monitoring Tuning Static Route...
  • Page 698 VRRP Support Enabling Session Management Transparent Mode Group Help Conventions Adding an Interface How to Use Creating Navigating Deleting Voyager Session Management Deleting an Interface Disabling Disabling Voyager Web Access Disabling VRRP Enabling Building on ESP Enabling VRRP Configuring Tunnels...
  • Page 699 (Simplified Configuration), Priority Sample Configurations Setting a Virtual MAC Address for a Virtual Router Troubleshooting and Monitoring Virtual Routers VRRPv2 Configuration VRRPv2, Creating a Virtual Router VRRPv2, Removing a Virtual Router X.21