Nokia Network Voyager Reference Guide for IPSO 6.0 - Check Point

13.07.2015 Views
Choosing Global Settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104Choosing a VRRP Method . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105Understanding Monitored-Circuit VRRP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106Selecting Node Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107Priority . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108Hello Interval . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109Priority Delta . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109Backup Address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109VMAC Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110Configuring Monitored-Circuit VRRP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111Configuring Monitored-Circuit VRRP using the Simplified Method . . . . . . . . . 112Configuring Monitored-Circuit VRRP using the Full Method . . . . . . . . . . . . . . 113Configuring Monitored-Circuit VRRP using the Quick-Add Method . . . . . . . . 115Configuring VRRPv2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116Configuring Check Point NGX for VRRP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117Configuring VRRP Rules for Check Point NGX . . . . . . . . . . . . . . . . . . . . . . . . . 118Configuration Rule for Check Point NGX FP1. . . . . . . . . . . . . . . . . . . . . . . . . 119Configuration Rules for Check Point NGX FP2 and Later. . . . . . . . . . . . . . . . 119Configuring Rules if You Are Using OSPF or DVMRP . . . . . . . . . . . . . . . . . . 120Monitoring VRRP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120State . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120Location. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121Stats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121Monitoring the Firewall State . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122Troubleshooting VRRP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122General Configuration Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122Firewall Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123Switched Environments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123Monitored-Circuit VRRP in Switched Environments . . . . . . . . . . . . . . . . . . . . 123VRRPv2 in Switched Environments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1245 Configuring SNMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125SNMP Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125SNMP Proxy Support for Check Point MIB . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128Using the Check Point MIB . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129Enabling SNMP and Selecting the Version. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129Configuring the System for SNMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130Setting an Agent Address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131Configuring Traps. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131Configuring Trap Receivers. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134Enabling or Disabling Trap Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135Setting the Trap PDU Agent Address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1358 Nokia Network Voyager Reference Guide for IPSO 6.0

Configuring Location and Contact Information . . . . . . . . . . . . . . . . . . . . . . . . . 135Interpreting Error Messages. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136GetRequest . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137GetNextRequest. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137GetBulkRequest . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137Configuring SNMPv3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138Request Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138Managing SNMP Users. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1396 Configuring IPv6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141IPv6 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142IPv6 and IPv4 Compatibility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144Configuring IPv6 in IPv4 Tunnels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144Configuring IPv6 to IPv4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145Configuring IPv6 over IPv4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145Configuring IPv4 in IPv6 Tunnels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 146Configuring an IPv6 Default or Static Route . . . . . . . . . . . . . . . . . . . . . . . . . . . . 146Routing Configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147Configuring OSPFv3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147Configuring RIPng . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147Creating IPv6 Aggregate Routes. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147Creating Redistributed Routes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148Redistributing Static Routes into RIPng . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148Redistributing Aggregate Routes in RIPng. . . . . . . . . . . . . . . . . . . . . . . . . . . . 148Redistributing Interface Routes into RIPng . . . . . . . . . . . . . . . . . . . . . . . . . . . 149Router Discovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149Configuring ICMPv6 Router Discovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149VRRP for IPv6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151Configuring VRRP for IPv6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151Creating a Virtual Router for an IPv6 Interface Using VRRPv3 . . . . . . . . . . . . . 152Creating a Virtual Router to Back Up Another VRRP Router AddressesUsing VRRPv3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152Monitoring the Firewall State. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153Setting a Virtual MAC Address for a Virtual Router. . . . . . . . . . . . . . . . . . . . . . . 154Changing the IP Address List of a Virtual Router in VRRPv3 . . . . . . . . . . . . . . . 155Removing a Virtual Router in VRRPv3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155Creating a Virtual Router in Monitored Circuit Mode for IPv6 . . . . . . . . . . . . . . . 156Setting Interface Dependencies for a Monitored Circuit Virtual Router for IPv6 . . . . 157Changing the List of Addresses in a Monitored Circuit Virtual Router for IPv6 . . . . . 158Security and Access Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158Nokia Network Voyager Reference Guide for IPSO 6.0 9

Page 2 and 3: COPYRIGHT©2007 Nokia. All rights r

Page 4 and 5: 4 Nokia Network Voyager Reference G

Page 6 and 7: Deleting Aggregation Groups . . . .

Page 11 and 12: Monitoring Cryptographic Accelerati

Page 13 and 14: Route Dampening . . . . . . . . . .

Page 15 and 16: iclid Commands. . . . . . . . . . .

Page 17 and 18: About the Nokia Network VoyagerRefe

Page 19 and 20: Related DocumentationTable 1 Text C

Page 21 and 22: 1 About Network VoyagerThis chapter

Page 23 and 24: Logging In to Network VoyagerObtain

Page 25 and 26: Navigating in Network Voyager• Ne

Page 27 and 28: 2 Configuring InterfacesThis chapte

Page 29 and 30: Ethernet InterfacesEvents that can

Page 31 and 32: Link AggregationExample: eth-s2p13.

Page 33 and 34: Link Aggregation• Enable lamember

Page 35 and 36: Link AggregationGroup Configuration

Page 37 and 38: Gigabit Ethernet InterfacesTable 4

Page 39 and 40: Gigabit Ethernet InterfacesThe Noki

Page 41 and 42: Loopback Interfacesa secure private

Page 43 and 44: GRE TunnelsEach time you select a t

Page 45 and 46: GRE Tunnels3. Select a value from t

Page 47 and 48: GRE Tunnelsof this reference guide,

Page 49 and 50: DVMRP TunnelsDVMRP TunnelsDVMRP (Di

Page 51 and 52: DVMRP TunnelsA router forwards Mult

Page 53 and 54: ARP Table EntriesThe Retry Limit sp

Page 55 and 56: Virtual Tunnel Interfaces (FWVPN) f

Page 57 and 58: Virtual Tunnel Interfaces (FWVPN) f

Page 59 and 60: 3 Configuring System FunctionsThis

Page 61 and 62: Configuring DHCPDHCP Client Configu

Page 63 and 64: Configuring DHCP22. If you configur

Page 65 and 66: Configuring DHCPAssigning a Fixed-I

Page 67 and 68: Configuring DHCP12. Enter the Simpl

Page 69 and 70: Configuring Disk MirroringThe sourc

Page 71 and 72: Configuring System TimeConfiguring

Page 73 and 74: Configuring System TimeNoteIPSO wil

Page 75 and 76: Using an Optional Disk (Flash-Based

Page 77 and 78: Configuring System LoggingTo remove

Page 79 and 80: Configuring System Logging4. Click

Page 81 and 82: Configuring System LoggingConfiguri

Page 83 and 84: Using a Core Dump Server with Flash

Page 85 and 86: Managing Configuration SetsTo save

Page 87 and 88: Backing Up and Restoring FilesYou c

Page 89 and 90: Backing Up and Restoring FilesTrans

Page 91 and 92: Backing Up and Restoring Files3. If

Page 93 and 94: Managing Nokia IPSO ImagesInstallin

Page 95 and 96: Managing Nokia IPSO ImagesIf perfor

Page 97 and 98: Managing PackagesTable 7 Monitor Re

Page 99 and 100: Advanced System TuningTo delete a p

Page 101 and 102: 4 High Availability SolutionsThis c

Page 103 and 104: How VRRP WorksFigure 2 VRRP Configu

Page 105 and 106: Configuring VRRPTable 8 Global VRRP

Page 107 and 108: Configuring VRRPSelecting Node Para

Page 109 and 110: Configuring VRRPSet the hello inter

Page 111 and 112: Configuring VRRPNoteIf you configur

Page 113 and 114: Configuring VRRP11. If you are usin

Page 115 and 116: Configuring VRRP5. Enter the value

Page 117 and 118: Configuring Check Point NGX for VRR

Page 119 and 120: Configuring Check Point NGX for VRR

Page 121 and 122: Monitoring VRRP• Master—Forward

Page 123 and 124: Troubleshooting VRRP• If you are

Page 125 and 126: 5 Configuring SNMPThis chapter desc

Page 127 and 128: SNMP OverviewMIB Source FunctionSNM

Page 129 and 130: Enabling SNMP and Selecting the Ver

Page 131 and 132: Configuring the System for SNMPSett

Page 133 and 134: Configuring the System for SNMPTabl

Page 135 and 136: Configuring the System for SNMPEnab

Page 137 and 138: Interpreting Error MessagesVariable

Page 139 and 140: Configuring SNMPv3Table 13 Security

Page 141 and 142: 6 Configuring IPv6This chapter desc

Page 143 and 144: InterfacesTo delete an IPv6 address

Page 145 and 146: IPv6 and IPv4 CompatibilityConfigur

Page 147 and 148: Routing Configuration6. To specify

Page 149 and 150: Router Discovery6. To redistribute

Page 151 and 152: VRRP for IPv614. (Optional) To spec

Page 153 and 154: VRRP for IPv6Use this procedure to

Page 155 and 156: VRRP for IPv6Enter the IP address y

Page 157 and 158: VRRP for IPv6configured.The default

Page 159 and 160: Security and Access ConfigurationNo

Page 161 and 162: 7 Managing Security and AccessThis

Page 163 and 164: Password and Account ManagementTabl

Page 165 and 166: Password and Account Management•



Page 171 and 172: Managing User Accounts3. In the tab

Page 173 and 174: Managing User AccountsTable 19 User

Page 175 and 176: Managing User AccountsNoteWhen you

Page 177 and 178: Managing GroupsManaging GroupsYou c

Page 179 and 180: Role-Based AdministrationTo add or

Page 181 and 182: Configuring Network Access and Serv

Page 183 and 184: Configuring Network Access and Serv

Page 185 and 186: Configuring Nokia Network Voyager A

Page 187 and 188: Configuring Nokia Network Voyager A

Page 189 and 190: Secure Shell (SSH)private key in th

Page 191 and 192: Secure Shell (SSH)13. (Optional) To

Page 193 and 194: Secure Shell (SSH)Max unauthenticat

Page 195 and 196: Secure Shell (SSH)Managing User RSA

Page 197 and 198: Authentication, Authorization, and






Page 209 and 210: 8 Configuring RoutingThis chapter d

Page 211 and 212: OSPFBGP is also a path-vector routi

Page 213 and 214: OSPFArea Border RoutersRouters call

Page 215 and 216: OSPFConfiguring OSPF Areas and Glob

Page 217 and 218: OSPFTo configure OSPF1. Complete

Page 219 and 220: OSPFTable 30 Global Settings for OS

Page 221 and 222: OSPFTable 31 Configuration Paramete

Page 223 and 224: RIP5. In the Add New OSPF Area text

Page 225 and 226: RIPNoteNokia also provides support

Page 227 and 228: RIPNoteBy default, the update inter

Page 229 and 230: PIMFor Sparse-Mode PIM, see Protoco

Page 231 and 232: PIMConfiguring Check Point VPN-1 Pr

Page 233 and 234: PIM4. (Optional) For each interface

Page 235 and 236: PIMNoteIf neighboring routers choos

Page 237 and 238: PIMin the summary:DRPriorityCapable

Page 239 and 240: PIMNoteIf you do not configure a mu

Page 241 and 242: PIMNokia appliance being accepted b

Page 243 and 244: IGRP• Graft—Traces graft and gr

Page 245 and 246: IGRP• Valid Neighbors— packets

Page 247 and 248: IGRP8. (Optional) In the Protocol s

Page 249 and 250: DVMRP• Monitoring template• Tra

Page 251 and 252: IGMPimplemented within IPSRD confor

Page 253 and 254: Static RoutesStatic routes can be o

Page 255 and 256: Static RoutesAdding and Managing St

Page 257 and 258: Route Aggregationadvertises. The ag

Page 259 and 260: Route RankNoteIf the backbone is ru

Page 261 and 262: BGPTo configure the routing prefere

Page 263 and 264: BGPthe ISP has the private AS numbe

Page 265 and 266: BGPand BGP). All interior gateways

Page 267 and 268: BGPWhen using route reflection, the

Page 269 and 270: BGPconnections between EBGP peers a

Page 271 and 272: BGPIf the peer autonomous system nu

Page 273 and 274: BGPNoteMake sure that IPSRD is not

Page 275 and 276: BGP11. Enter 10.50.10.1 in the Add

Page 277 and 278: BGP3. Follow the steps described in

Page 279 and 280: BGP5. Enter 100 in MED edit box nex

Page 281 and 282: BGPBGP Confederation ExampleNokiaPl

Page 283 and 284: BGP2. Create confederation group 65

Page 285 and 286: BGPd. Select Internal in the Peer g

Page 287 and 288: BGPCommunities are used to simplify

Page 289 and 290: BGP4. Enter 129.10.2.2 in the Addit

Page 291 and 292: BGP5. In the Nexthop field, click o

Page 293 and 294: BGP6. Click External in the Peer gr

Page 295 and 296: BGPTo configure configure a BGP4 se

Page 297 and 298: Route Redistribution• Refines—M

Page 299 and 300: Route Redistribution• Protocol•

Page 301 and 302: Route Redistribution5. To prevent 1

Page 303 and 304: Inbound Route FiltersInbound Route

Page 305 and 306: Inbound Route FiltersNoteBy default

Page 307 and 308: 9 Configuring Router ServicesThis c

Page 309 and 310: IP Broadcast HelperTo disable BOOTP

Page 311 and 312: Router DiscoveryNoteOnly the server

Page 313 and 314: Network Time Protocol (NTP)• Adve

Page 315 and 316: Network Time Protocol (NTP)NoteOnly

Page 317 and 318: 10 Monitoring System Configuration

Page 319 and 320: Viewing System Utilization Statisti

Page 321 and 322: Monitoring System Health• Monthly

Page 323 and 324: Viewing Cluster Status and MembersN

Page 325 and 326: Using the iclid Tool• Mode—i.e.

Page 327 and 328: Using the iclid TooldetailedProvide

Page 329 and 330: Using the iclid Tooldatabase summar

Page 331 and 332: Using the iclid Toolmetricssuppress

Page 333 and 334: Preventing Full Log Buffers and Rel

Page 335 and 336: IndexAABR (area border router) 213A

Page 337 and 338: ensuring correct time 71cron jobs,

Page 339 and 340: managing 92testing 94upgrading for

Page 341 and 342: network throughput report 320Networ

Page 343 and 344: displaying status 325help 326routin

Page 345 and 346: Vvirtual IP address, VRRP 109virtua

configuration

interface

ipso

configure

voyager

nokia

router

routes

reference

routing

Nokia Network Voyager Reference Guide for IPSO 6.0 - Check Point

Nokia Network Voyager Reference Guide for IPSO 6.0 - Check Point ... View more Nokia Network Voyager Reference Guide for IPSO 6.0 - Check Point

Delete template?

Save as template ?

Nokia Network Voyager Reference Guide for IPSO 6.0 - Check Point Nokia Network Voyager Reference Guide for IPSO 6.0 - Check Point