Nokia Network Voyager Reference Guide for IPSO 6.0 - Check Point

13.07.2015 Views
2 Configuring InterfacesYou can specify a minimum number of ports that must be active for the logical interface toremain active. If the number of active ports is less than this number, the logical interface isdeactivated. This option is particularly useful in VRRP configurations. For example, you mighthave a VRRP pair in which both the master and backup systems use two aggregated GigabitEthernet ports as their external connection. If one of the Gigabit Ethernet ports in the masterfails, you probably would prefer that the backup system becomes the master so that there is noloss of bandwidth in the external connection. In this case, you would set the minimum number ofactive ports to be two.You can aggregate as many as four ports in one aggregation group, and you can have as many aseight aggregation groups on one appliance.You can hot swap NICs that have ports participating in an aggregation group. If the group hasports on other NICs, the traffic is distributed to those ports and the aggregation group continuesto function when you remove a NIC in this manner. If you reinsert the NIC, the appropriate portsrejoin the aggregation group and resume forwarding traffic automatically.You can view statistical information about link aggregation groups and the individual interfacesin the groups by clicking Configuration > Monitor > System Health > Interface TrafficStatistics > Link Aggregation Statistics.Static Link AggregationThe IPSO implementation of link aggregation complies with the IEEE 802.3ad standard forstatic link aggregation. Nokia has also tested IPSO link aggregation with the following CiscoCatalyst switches:• 6500 Series• 3550 Series• 2950 SeriesIPSO 6.0 does not support LACP, which is used for dynamic link aggregation. IPSO 4.2 doessupport LACP.CautionMake sure that dynamic link aggregation (LACP) is disabled before you upgrade fromIPSO 4.2 to IPSO 6.0. If you do not, the ports in the aggregation group will loseconnectivity after the upgrade.Managing Link Aggregation Using SNMPNokia IPSO systems use a proprietary SNMP MIB to manage link aggregation. To incorporatelink aggregation into your SNMP-based management, perform the following tasks:• Copy the file NOKIA-IPSO-LINKAGGREGATION-MIB.txt to your management system.This file is located at /etc/snmp/mibs/.• In Network Voyager or the IPSO CLI, enable the following traps:32 Nokia Network Voyager Reference Guide for IPSO 6.0

Link Aggregation• Enable lamemberActive traps• Enable lamemberInactive trapsNoteIPSO does not use the standard IEEE8023-LAG-MIB to support link aggregation.Configuring Switches for Link AggregationObserve the following considerations when you configure a switch to support link aggregationin combination with a Nokia appliance:• You must configure the appropriate switch ports to use static link aggregation. (On Ciscoswitches, this means you must enable EtherChannel.) That is, if you aggregate four portsinto one group on your Nokia appliance, the four switch ports that they connect to muststatic link aggregation.• When you assign switch ports to an EtherChannel group, set the channel mode to on toforce the ports to form a channel without using the Link Aggregation Control Protocol(LACP) or Port Aggregation Protocol (PAgP).• If your switch supports it, configure the aggregated ports to distribute the traffic usingsource and destination IP addresses.• If your switch can only distribute traffic based on source or destination MAC addresses,configure it to use the source MAC addresses. If it uses the destination MAC address todistribute the load, all the traffic flowing from the switch to the IPSO system over theaggregated link is sent to the primary port of the aggregation group.• You must configure the switch ports to have the same physical characteristics (link speed,duplicity, autoadvertise/autonegotiation setting, and so on) as the corresponding aggregatedports on the Nokia system.• On Cisco switches, trunking must be enabled if you create more than one tagged VLAN onan aggregated link. (You can configure as many as 1015 VLANs for an IPSO system.).• If you use IOS on a Cisco switch, trunking is enabled automatically.• If you run CatOS on a Cisco switch, use the following command to configure VLANtrunking on the EtherChannel:set trunk ports nonegotiate dot1q vlansConfiguring Link AggregationTo set up link aggregation in Network Voyager1. Physically configure the interfaces.2. Create the aggregation group.3. Logically configure the aggregation group.These steps are explained in the following sections.Nokia Network Voyager Reference Guide for IPSO 6.0 33

Page 2 and 3: COPYRIGHT©2007 Nokia. All rights r

Page 4 and 5: 4 Nokia Network Voyager Reference G

Page 6 and 7: Deleting Aggregation Groups . . . .

Page 8 and 9: Choosing Global Settings. . . . . .

Page 11 and 12: Monitoring Cryptographic Accelerati

Page 13 and 14: Route Dampening . . . . . . . . . .

Page 15 and 16: iclid Commands. . . . . . . . . . .

Page 17 and 18: About the Nokia Network VoyagerRefe

Page 19 and 20: Related DocumentationTable 1 Text C

Page 21 and 22: 1 About Network VoyagerThis chapter

Page 23 and 24: Logging In to Network VoyagerObtain

Page 25 and 26: Navigating in Network Voyager• Ne

Page 27 and 28: 2 Configuring InterfacesThis chapte

Page 29 and 30: Ethernet InterfacesEvents that can

Page 31: Link AggregationExample: eth-s2p13.

Page 35 and 36: Link AggregationGroup Configuration

Page 37 and 38: Gigabit Ethernet InterfacesTable 4

Page 39 and 40: Gigabit Ethernet InterfacesThe Noki

Page 41 and 42: Loopback Interfacesa secure private

Page 43 and 44: GRE TunnelsEach time you select a t

Page 45 and 46: GRE Tunnels3. Select a value from t

Page 47 and 48: GRE Tunnelsof this reference guide,

Page 49 and 50: DVMRP TunnelsDVMRP TunnelsDVMRP (Di

Page 51 and 52: DVMRP TunnelsA router forwards Mult

Page 53 and 54: ARP Table EntriesThe Retry Limit sp

Page 55 and 56: Virtual Tunnel Interfaces (FWVPN) f

Page 57 and 58: Virtual Tunnel Interfaces (FWVPN) f

Page 59 and 60: 3 Configuring System FunctionsThis

Page 61 and 62: Configuring DHCPDHCP Client Configu

Page 63 and 64: Configuring DHCP22. If you configur

Page 65 and 66: Configuring DHCPAssigning a Fixed-I

Page 67 and 68: Configuring DHCP12. Enter the Simpl

Page 69 and 70: Configuring Disk MirroringThe sourc

Page 71 and 72: Configuring System TimeConfiguring

Page 73 and 74: Configuring System TimeNoteIPSO wil

Page 75 and 76: Using an Optional Disk (Flash-Based

Page 77 and 78: Configuring System LoggingTo remove

Page 79 and 80: Configuring System Logging4. Click

Page 81 and 82: Configuring System LoggingConfiguri

Page 83 and 84: Using a Core Dump Server with Flash

Page 85 and 86: Managing Configuration SetsTo save

Page 87 and 88: Backing Up and Restoring FilesYou c

Page 89 and 90: Backing Up and Restoring FilesTrans

Page 91 and 92: Backing Up and Restoring Files3. If

Page 93 and 94: Managing Nokia IPSO ImagesInstallin

Page 95 and 96: Managing Nokia IPSO ImagesIf perfor

Page 97 and 98: Managing PackagesTable 7 Monitor Re

Page 99 and 100: Advanced System TuningTo delete a p

Page 101 and 102: 4 High Availability SolutionsThis c

Page 103 and 104: How VRRP WorksFigure 2 VRRP Configu

Page 105 and 106: Configuring VRRPTable 8 Global VRRP

Page 107 and 108: Configuring VRRPSelecting Node Para

Page 109 and 110: Configuring VRRPSet the hello inter

Page 111 and 112: Configuring VRRPNoteIf you configur

Page 113 and 114: Configuring VRRP11. If you are usin

Page 115 and 116: Configuring VRRP5. Enter the value

Page 117 and 118: Configuring Check Point NGX for VRR

Page 119 and 120: Configuring Check Point NGX for VRR

Page 121 and 122: Monitoring VRRP• Master—Forward

Page 123 and 124: Troubleshooting VRRP• If you are

Page 125 and 126: 5 Configuring SNMPThis chapter desc

Page 127 and 128: SNMP OverviewMIB Source FunctionSNM

Page 129 and 130: Enabling SNMP and Selecting the Ver

Page 131 and 132: Configuring the System for SNMPSett

Page 133 and 134: Configuring the System for SNMPTabl

Page 135 and 136: Configuring the System for SNMPEnab

Page 137 and 138: Interpreting Error MessagesVariable

Page 139 and 140: Configuring SNMPv3Table 13 Security

Page 141 and 142: 6 Configuring IPv6This chapter desc

Page 143 and 144: InterfacesTo delete an IPv6 address

Page 145 and 146: IPv6 and IPv4 CompatibilityConfigur

Page 147 and 148: Routing Configuration6. To specify

Page 149 and 150: Router Discovery6. To redistribute

Page 151 and 152: VRRP for IPv614. (Optional) To spec

Page 153 and 154: VRRP for IPv6Use this procedure to

Page 155 and 156: VRRP for IPv6Enter the IP address y

Page 157 and 158: VRRP for IPv6configured.The default

Page 159 and 160: Security and Access ConfigurationNo

Page 161 and 162: 7 Managing Security and AccessThis

Page 163 and 164: Password and Account ManagementTabl

Page 165 and 166: Password and Account Management•



Page 171 and 172: Managing User Accounts3. In the tab

Page 173 and 174: Managing User AccountsTable 19 User

Page 175 and 176: Managing User AccountsNoteWhen you

Page 177 and 178: Managing GroupsManaging GroupsYou c

Page 179 and 180: Role-Based AdministrationTo add or

Page 181 and 182: Configuring Network Access and Serv

Page 183 and 184: Configuring Network Access and Serv

Page 185 and 186: Configuring Nokia Network Voyager A

Page 187 and 188: Configuring Nokia Network Voyager A

Page 189 and 190: Secure Shell (SSH)private key in th

Page 191 and 192: Secure Shell (SSH)13. (Optional) To

Page 193 and 194: Secure Shell (SSH)Max unauthenticat

Page 195 and 196: Secure Shell (SSH)Managing User RSA

Page 197 and 198: Authentication, Authorization, and






Page 209 and 210: 8 Configuring RoutingThis chapter d

Page 211 and 212: OSPFBGP is also a path-vector routi

Page 213 and 214: OSPFArea Border RoutersRouters call

Page 215 and 216: OSPFConfiguring OSPF Areas and Glob

Page 217 and 218: OSPFTo configure OSPF1. Complete

Page 219 and 220: OSPFTable 30 Global Settings for OS

Page 221 and 222: OSPFTable 31 Configuration Paramete

Page 223 and 224: RIP5. In the Add New OSPF Area text

Page 225 and 226: RIPNoteNokia also provides support

Page 227 and 228: RIPNoteBy default, the update inter

Page 229 and 230: PIMFor Sparse-Mode PIM, see Protoco

Page 231 and 232: PIMConfiguring Check Point VPN-1 Pr

Page 233 and 234: PIM4. (Optional) For each interface

Page 235 and 236: PIMNoteIf neighboring routers choos

Page 237 and 238: PIMin the summary:DRPriorityCapable

Page 239 and 240: PIMNoteIf you do not configure a mu

Page 241 and 242: PIMNokia appliance being accepted b

Page 243 and 244: IGRP• Graft—Traces graft and gr

Page 245 and 246: IGRP• Valid Neighbors— packets

Page 247 and 248: IGRP8. (Optional) In the Protocol s

Page 249 and 250: DVMRP• Monitoring template• Tra

Page 251 and 252: IGMPimplemented within IPSRD confor

Page 253 and 254: Static RoutesStatic routes can be o

Page 255 and 256: Static RoutesAdding and Managing St

Page 257 and 258: Route Aggregationadvertises. The ag

Page 259 and 260: Route RankNoteIf the backbone is ru

Page 261 and 262: BGPTo configure the routing prefere

Page 263 and 264: BGPthe ISP has the private AS numbe

Page 265 and 266: BGPand BGP). All interior gateways

Page 267 and 268: BGPWhen using route reflection, the

Page 269 and 270: BGPconnections between EBGP peers a

Page 271 and 272: BGPIf the peer autonomous system nu

Page 273 and 274: BGPNoteMake sure that IPSRD is not

Page 275 and 276: BGP11. Enter 10.50.10.1 in the Add

Page 277 and 278: BGP3. Follow the steps described in

Page 279 and 280: BGP5. Enter 100 in MED edit box nex

Page 281 and 282: BGPBGP Confederation ExampleNokiaPl

Page 283 and 284: BGP2. Create confederation group 65

Page 285 and 286: BGPd. Select Internal in the Peer g

Page 287 and 288: BGPCommunities are used to simplify

Page 289 and 290: BGP4. Enter 129.10.2.2 in the Addit

Page 291 and 292: BGP5. In the Nexthop field, click o

Page 293 and 294: BGP6. Click External in the Peer gr

Page 295 and 296: BGPTo configure configure a BGP4 se

Page 297 and 298: Route Redistribution• Refines—M

Page 299 and 300: Route Redistribution• Protocol•

Page 301 and 302: Route Redistribution5. To prevent 1

Page 303 and 304: Inbound Route FiltersInbound Route

Page 305 and 306: Inbound Route FiltersNoteBy default

Page 307 and 308: 9 Configuring Router ServicesThis c

Page 309 and 310: IP Broadcast HelperTo disable BOOTP

Page 311 and 312: Router DiscoveryNoteOnly the server

Page 313 and 314: Network Time Protocol (NTP)• Adve

Page 315 and 316: Network Time Protocol (NTP)NoteOnly

Page 317 and 318: 10 Monitoring System Configuration

Page 319 and 320: Viewing System Utilization Statisti

Page 321 and 322: Monitoring System Health• Monthly

Page 323 and 324: Viewing Cluster Status and MembersN

Page 325 and 326: Using the iclid Tool• Mode—i.e.

Page 327 and 328: Using the iclid TooldetailedProvide

Page 329 and 330: Using the iclid Tooldatabase summar

Page 331 and 332: Using the iclid Toolmetricssuppress

Page 333 and 334: Preventing Full Log Buffers and Rel

Page 335 and 336: IndexAABR (area border router) 213A

Page 337 and 338: ensuring correct time 71cron jobs,

Page 339 and 340: managing 92testing 94upgrading for

Page 341 and 342: network throughput report 320Networ

Page 343 and 344: displaying status 325help 326routin

Page 345 and 346: Vvirtual IP address, VRRP 109virtua

configuration

interface

ipso

configure

voyager

nokia

router

routes

reference

routing

Nokia Network Voyager Reference Guide for IPSO 6.0 - Check Point

Nokia Network Voyager Reference Guide for IPSO 6.0 - Check Point ... View more Nokia Network Voyager Reference Guide for IPSO 6.0 - Check Point

Delete template?

Save as template ?

Nokia Network Voyager Reference Guide for IPSO 6.0 - Check Point Nokia Network Voyager Reference Guide for IPSO 6.0 - Check Point