IP300 Series Security Platform Installation Guide Part No. N450312006 Rev A Published September 2005


COPYRIGHT
©2005 Nokia. All rights reserved. Rights reserved under the copyright laws of the United States.

RESTRICTED RIGHTS LEGEND
Use, duplication, or disclosure by the United States Government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013.

Notwithstanding any other license agreement that may pertain to, or accompany the delivery of, this computer software, the rights of the United States Government regarding its use, reproduction, and disclosure are as set forth in the Commercial Computer Software-Restricted Rights clause at FAR 52.227-19.

IMPORTANT NOTE TO USERS
This software and hardware is provided by Nokia Inc. as is and any express or implied warranties, including, but not limited to, implied warranties of merchantability and fitness for a particular purpose are disclaimed. In no event shall Nokia, or its affiliates, subsidiaries or suppliers be liable for any direct, indirect, incidental, special, exemplary, or consequential damages (including, but not limited to, procurement of substitute goods or services; loss of use, data, or profits; or business interruption) however caused and on any theory of liability, whether in contract, strict liability, or tort (including negligence or otherwise) arising in any way out of the use of this software, even if advised of the possibility of such damage.

Nokia reserves the right to make changes without further notice to any products herein.

TRADEMARKS
Nokia is a registered trademark of Nokia Corporation. Other products mentioned in this document are trademarks or registered trademarks of their respective holders.


Nokia Contact Information

Corporate Headquarters

Web Site: http://www.nokia.com
Telephone: 1-888-477-4566 or 1-650-625-2000
Fax: 1-650-691-2170
Mail Address: Nokia Inc., 313 Fairchild Drive, Mountain View, California 94043-2215 USA

Regional Contact Information

Americas: Nokia Inc., 313 Fairchild Drive, Mountain View, CA 94043-2215 USA
Tel: 1-877-997-9199
Outside USA and Canada: +1 512-437-7089
email: [email protected]

Europe, Middle East, and Africa: Nokia House, Summit Avenue, Southwood, Farnborough, Hampshire GU14 ONG UK
Tel: UK: +44 161 601 8908
Tel: France: +33 170 708 166
email: [email protected]

Asia-Pacific: 438B Alexandra Road, #07-00 Alexandra Technopark, Singapore 119968
Tel: +65 6588 3364
email: [email protected]

Nokia Customer Support

Web Site: https://support.nokia.com/
Email: [email protected]

Americas
Voice: 1-888-361-5030 or 1-613-271-6721
Fax: 1-613-271-8782

Europe
Voice: +44 (0) 125-286-8900
Fax: +44 (0) 125-286-5666

Asia-Pacific
Voice: +65-67232999
Fax: +65-67232897


Contents

About this Guide
  In this Guide
  Conventions this Guide Uses
    Notices
    Command-Line Conventions
    Text Conventions
  Related Documentation

1 Overview
  About the Nokia IP300 Series Disk-Based Appliance
  About the Nokia IP300 Series Flash-Based Appliance
  Managing the IP300 Series Appliance
  About the IP300 Series Appliance
    Ethernet Management Ports
    Built-in Console Port
    Built-in AUX Port
    Status LEDs
  Site Requirements
  Product Disposal
  Software Requirements

2 Installing the Appliance
  Rack Mounting the Appliance
  Connecting Power and Turning the Power on
  Connecting Network Interfaces

3 Performing the Initial Configuration
  Using a Console Connection to Perform the Initial Configuration
  Accessing Nokia Network Voyager
    Accessing Network Voyager Reference Information
    Using Network Voyager to Monitor an IP300 Series Appliance
  Using Nokia Horizon Manager

4 Installing and Replacing Network Interface Cards
  Deactivating Configured Interfaces
  Removing, Installing, and Replacing NICs
    Before You Start
  Configuring and Activating Interfaces
  Monitoring Network Interface Cards

5 Connecting PMC Network Interface Cards
  Four-Port and Two-Port 10/100 Mbps Ethernet Interface, PMC
    Ethernet PMC NIC Features
    Connectors and Cables
  Two-Port V2 Gigabit Ethernet Card, PMC, Copper
    Connectors and Cables
  Two-Port Gigabit Ethernet Card, PMC, Fiber
    Connectors and Cables

6 Installing and Replacing Other Components
  Installing a PCMCIA Modem
    Before You Start
  Replacing a Hard-Disk Drive
    Before You Start
  Replacing or Upgrading Memory
    Before You Start
    Adding or Replacing DIMMs
  Installing an Encryption Accelerator Card
    Before You Start
    Installing the Card
    Configuring Software to Use Hardware Acceleration
  Replacing the Battery
    Before You Start

7 Installing PC Cards
  Before You Begin
  Installing a Flash-Memory PC Card
  Storing System Logs on the Flash-Memory PC Card
  Transferring Files with the Flash-Memory PC Card

8 Using the Boot Manager
  Variables
    Viewing the Variables and Other System Parameters
    Setting the Variables
    Other Commands
  Booting the System
  Using the Boot Manager to Install IPSO
  Protecting the Boot Manager with a Password
  Installing the Boot Manager
  Upgrading the Boot Manager

9 Troubleshooting
  General Troubleshooting Information
  Troubleshooting Routing Problems

A Technical Specifications
  Physical Dimensions
  Space Requirements
  NIC Interfaces

B Compliance Information
  Declaration of Conformity
  Compliance Statements
  FCC Notice (US)

Index


Figures

Figure 1 Component Locations Front View
Figure 2 Component Locations Rear View
Figure 3 Ethernet Management Ports Details
Figure 4 Pin Assignments for Console Connection
Figure 5 Pin Assignments for Modem Connection
Figure 6 Appliance Status LEDs
Figure 7 Mounting Screws Location
Figure 8 Adjustable Mounting Brackets
Figure 9 Back Panel Power Switch
Figure 10 Network Voyager Reference Access Points
Figure 11 Four-Port Ethernet NIC Front Panel Details
Figure 12 Two-Port Ethernet NIC Front Panel Details
Figure 13 Output Connector for the Ethernet Cable
Figure 14 Ethernet Crossover-Cable Pin Connections
Figure 15 Two-Port V2 Gigabit Ethernet NIC, Copper
Figure 16 Ethernet Cable Connector Output Pin Assignments
Figure 17 Gigabit Ethernet Crossover Cable Pin Connections
Figure 18 10/100 Ethernet Crossover Cable Pin Connections
Figure 19 Two-Port Gigabit Ethernet NIC, Fiber
Figure 20 Hard-Disk Drive Location
Figure 21 DIMM Socket Locations
Figure 22 Battery Location in the Nokia IP300 Series Appliance


About this Guide

This guide describes how to install and use the Nokia IP300 Series security platforms—Nokia IP350, Nokia IP355, Nokia IP380, and Nokia IP385. Installation and maintenance should be performed by experienced technicians or Nokia-approved service providers only. This preface provides the following information:

• In this Guide
• Conventions this Guide Uses
• Related Documentation

In this Guide

This guide is organized into the following chapters and appendixes:

• Chapter 1, “Overview” presents a general overview of the IP300 Series appliance.
• Chapter 2, “Installing the Appliance” describes how to rack-mount the appliance and how to physically connect it to a network and power.
• Chapter 3, “Performing the Initial Configuration” describes how to make the appliance available on the network.
• Chapter 4, “Installing and Replacing Network Interface Cards” describes how to install, monitor, and replace network interface cards (NICs).
• Chapter 5, “Connecting PMC Network Interface Cards” describes how to connect to and use each of the supported NICs.
• Chapter 6, “Installing and Replacing Other Components” describes how to install or replace PCMCIA modems, memory, the hard-disk drive, an encryption accelerator card, and the battery.
• Chapter 7, “Installing PC Cards” describes how to install the flash-memory PC cards.
• Chapter 8, “Using the Boot Manager” describes how to use the Nokia IPSO boot manager.
• Chapter 9, “Troubleshooting” discusses problems you might encounter and proposes solutions to these problems.
• Appendix A, “Technical Specifications” gives technical specifications such as interface characteristics.
• Appendix B, “Compliance Information” includes compliance and regulatory information.

Conventions this Guide Uses

The following sections describe the conventions this guide uses, including notices, text conventions, and command-line conventions.

Notices

Warning: Warnings advise the user that bodily injury might occur because of a physical hazard.

Caution: Cautions indicate potential equipment damage, equipment malfunction, loss of performance, loss of data, or interruption of service.

Note: Notes provide information of special interest or recommendations.

Command-Line Conventions

This section defines the elements of commands that are available in Nokia Network Security Solutions products. You might encounter one or more of the following elements on a command-line path.

Table 1 Command-Line Conventions

| Convention | Description |
| --- | --- |
| command | This required element is usually the product name or other short word that invokes the product or calls the compiler or preprocessor script for a compiled Nokia product. It might appear alone or precede one or more options. You must spell a command exactly as shown and use lowercase letters. |
| Italics | Indicates a variable in a command that you must supply. For example: delete interface if_name. Supply an interface name in place of the variable. For example: delete interface nic1 |
| angle brackets < > | Indicates arguments for which you must supply a value: retry-limit <1–100>. Supply a value. For example: retry-limit 60 |
| Square brackets [ ] | Indicates optional arguments: delete [slot slot_num]. For example: delete slot 3 |
| -flag | A flag is usually an abbreviation for a function, menu, or option name, or for a compiler or preprocessor argument. You must enter a flag exactly as shown, including the preceding hyphen. |
| .ext | A filename extension, such as .ext, might follow a variable that represents a filename. Type this extension exactly as shown, immediately after the name of the file. The extension might be optional in certain products. |
| ( . , ; + * - / ) | Punctuation and mathematical notations are literal symbols that you must enter exactly as shown. |
| ' ' | Single quotation marks are literal symbols that you must enter as shown. |

Text Conventions

Table 2 describes the text conventions this guide uses.

Table 2 Text Conventions

| Convention | Description |
| --- | --- |
| monospace font | Indicates command syntax, or represents computer or screen output, for example: Log error 12453 |
| bold monospace font | Indicates text you enter or type, for example: # configure nat |
| Key names | Keys that you press simultaneously are linked by a plus sign (+): Press Ctrl + Alt + Del. |
| Menu commands | Menu commands are separated by a greater than sign (>): Choose File > Open. |
| The words enter and type | Enter indicates you type something and then press the Return or Enter key. Do not press the Return or Enter key when an instruction says type. |
| Italics | Emphasizes a point or denotes new terms at the place where they are defined in the text; indicates an external book title reference; indicates a variable in a command: delete interface if_name |

Related Documentation

The documentation set for the Nokia IP300 Series security platform consists of:

• Getting Started Guide and Release Notes for the version of Nokia IPSO you are using
• Nokia IP300 Series Security Platform Installation Guide (this document)
• Nokia Network Voyager inline help feature, and Nokia Network Voyager Reference Guide (online)
• CLI Reference Guide for the version of Nokia IPSO you are using

You can find the Nokia IP300 Series Security Platform Installation Guide in PDF on the Nokia support site (https://support.nokia.com). You can access inline help and the Nokia Network Voyager Reference Guide from Nokia Network Voyager.

1 Overview

This guide describes the installation and use of the Nokia IP300 Series appliances–the IP350 and IP380 disk-based appliances and the IP355 and IP385 flash-based appliances. Most of the information for how to use these appliances is the same. Where differences exist between different IP300 platforms, they are noted in the documentation.

The Nokia IP300 Series appliance combines the power of Nokia IPSO software with your choice of firewall, VPN, and intrusion detection security applications. These appliances are ideally suited for growing companies and satellite offices that want high-performance IP routing combined with the industry-leading Check Point VPN-1/FireWall-1 enterprise security suite. The small size of the IP300 Series appliance makes it ideal for installations that need to conserve space.

As network devices, these appliances support a comprehensive suite of IP-routing functions and protocols, including RIPv1/RIPv2, IGRP, OSPF and BGP4 for unicast traffic, and DVMRP for multicast traffic. The integrated router functionality eliminates the need for separate intranet and access routers in security applications.

This chapter provides an overview of the IP300 Series appliance and the requirements for using it. The following topics are covered:

• About the Nokia IP300 Series Disk-Based Appliance
• About the Nokia IP300 Series Flash-Based Appliance
• Managing the IP300 Series Appliance
• About the IP300 Series Appliance
• Site Requirements
• Product Disposal
• Software Requirements

About the Nokia IP300 Series Disk-Based Appliance

Both the IP350 and the IP380 share the same one-rack unit (1 RU) size and support the same selection of network interface cards. The IP350 appliance supports a minimum memory configuration of 256 MB, and a maximum memory configuration of 512 MB. The IP380 appliance supports a minimum memory configuration of 256 MB, and a maximum memory configuration of 1 GB.

The Nokia IP300 Series appliance provides built-in hardware-based encryption acceleration. The IP380 appliance also supports an optional encryption accelerator card to further enhance VPN performance.

Table 3 Specifications for IP300 Series Disk-Based Appliances

| Feature | Nokia IP350 | Nokia IP380 |
| --- | --- | --- |
| Maximum memory size | 512 MB | 1 GB |
| Optional encryption accelerator card | No | Yes |
| Line cards | 2 two-port 10/100 NICs; 1 four-port 10/100 NIC; 2 two-port V2 Copper Gigabit Ethernet NICs; 2 two-port Fiber Gigabit Ethernet NICs | 2 two-port 10/100 NICs; 1 four-port 10/100 NIC; 2 two-port V2 Copper Gigabit Ethernet NICs; 2 two-port Fiber Gigabit Ethernet NICs |
| Nokia IPSO version | 3.9 | 3.9 |
| Check Point (Enforcement Module support only) | Check Point NGX R60 | Check Point NGX R60 |

About the Nokia IP300 Series Flash-Based Appliance

Both the IP355 and the IP385 share the same one-rack unit (1 RU) size. The Nokia IP355 and IP385 flash-based appliances support the same cards as IP350 and IP380 appliances. Both flash-based appliances have a maximum memory size of 1 GB.

Table 4 Specifications for IP300 Series Flash-Based Appliances

| Feature | Nokia IP355 | Nokia IP385 |
| --- | --- | --- |
| Maximum memory size | 1 GB | 1 GB |
| Compact Flash | 512 MB | 512 MB |
| Optional PC card flash for logging (PCMCIA slot) | 1 GB | 1 GB |
| Optional encryption accelerator card | No | Yes |
| Line cards | 2 two-port 10/100 NICs; 1 four-port 10/100 NIC; 2 two-port V2 Copper Gigabit Ethernet NICs; 1 two-port Fiber Gigabit Ethernet NICs | 2 two-port 10/100 NICs; 1 four-port 10/100 NIC; 2 two-port V2 Copper Gigabit Ethernet NICs; 1 two-port Fiber Gigabit Ethernet NICs |
| Optional disk | No | No |
| Nokia IPSO version | 3.9 | 3.9 |
| Check Point (Enforcement Module support only) | Check Point NGX R60 | Check Point NGX R60 |

Managing the IP300 Series Appliance

You can manage the IP300 Series appliance by using one of the following interfaces:

• Nokia Network Voyager—an SSL-secured, Web-based element management interface to Nokia IP security platforms. Network Voyager is preinstalled on the IP300 Series appliance and enabled through the IPSO operating system. With Network Voyager, you can manage, monitor, and configure the IP300 Series appliance from any authorized location within the network by using a standard Web browser.
  For information about how to access Network Voyager and the related reference materials, see “Accessing Nokia Network Voyager” on page 30.
• The IPSO command-line interface (CLI)—an SSHv2-secured interface that enables you to easily configure Nokia IP security platforms from the command line. Everything that you can accomplish with Network Voyager—manage, monitor, and configure the IP300 Series appliance—you can also accomplish with the CLI.
  For information about how to access the CLI, see the Nokia CLI Reference Guide for the version of Nokia IPSO you are using.
• Nokia Horizon Manager—a secure GUI-based software image management application. With Horizon Manager, you can securely install and upgrade the Nokia IPSO operating system, plus hardware and third-party applications such as Check Point FireWall-1 for Nokia. Horizon Manager can perform installations and upgrades on up to 2,500 Nokia IP security platforms, offering administrators the most rapid and dependable upgrade to Check Point NG.

About the IP300 Series Appliance

The following figures show component locations for the Nokia IP300 Series appliance.

Figure 1 Component Locations Front View (callouts: built-in Ethernet ports (10/100 Mbps), PMC interfaces, status LEDs, modem (AUX) port, PCMCIA slots, reset switch, console port)

Figure 2 Component Locations Rear View (callouts: power plug, power switch)

Ethernet Management Ports

The Ethernet management ports are located on the front of the appliance. Figure 3 shows the layout of the Ethernet management ports and link LEDs.

Note: The Ethernet management ports are intended for management purposes. These ports do not provide the same performance as Ethernet cards in the PMC slots.

Figure 3 Ethernet Management Ports Details (callouts: activity LED (yellow), link LED (green), RJ-45 connectors)

Caution: Cables that connect to the Ethernet ports must be IEEE 802.3 compliant to prevent potential data loss.

Note: Nokia recommends the use of shielded twisted-pair cables and connectors for best Electromagnetic Interference and Immunity performance.

The IP300 Series appliance includes two PMC (PCI mezzanine card) expansion slots for Nokia supported network interface cards. For more information, see “Four-Port and Two-Port 10/100 Mbps Ethernet Interface, PMC” on page 46.

The IP300 Series appliance also includes a PCMCIA slot that supports PCMCIA modems. See “Installing a PCMCIA Modem” on page 56.

Note: Nokia products only support NICs purchased from Nokia Corporation or Nokia-approved resellers. The Nokia Global Support Services group can only provide support for Nokia products that use Nokia-approved accessories. For sales or reseller information, contact a Nokia service provider listed in the “Nokia Contact Information” on page 3.

Built-in Console Port

Use the built-in console port, shown in Figure 1, to supply the information that makes the appliance available on the network. Figure 4 provides pin assignment information for console connections.

Figure 4 Pin Assignments for Console Connection

| Pin# | Assignment | Input/Output |
| --- | --- | --- |
| 1 | DCD | Input |
| 2 | RXD | Input |
| 3 | TXD | Output |
| 4 | DTR | Output |
| 5 | GND | |
| 6 | DSR | Input |
| 7 | RTS | Output |
| 8 | CTS | Input |
| 9 | DTR | Output |

Built-in AUX Port

You can use the AUX port, shown in Figure 1, to establish a modem connection for managing the appliance. Figure 5 provides pin assignment information for modem connections.

Figure 5 Pin Assignments for Modem Connection

| Pin | Input/Output | To DB25 Cable Out | To DB9 Cable Out |
| --- | --- | --- | --- |
| 1 (DCD) | Input | 8 (DCD) | 7 (RTS), 8 (CTS) |
| 2 (RXD) | Input | 2 (TXD) | 3 (TXD) |
| 3 (TXD) | Output | 3 (RXD) | 2 (RXD) |
| 4 (DTR) | Output | 20 (DTR) | 6 (DSR), 9 (RI) |
| 5 (GND) | | 7 (GND) | 5 (GND) |
| 6 (DSR) | Input | 6 (DSR) | 4 (DTR) |
| 7 (RTS) | Output | 4 (RTS) | 1 (DCD) |
| 8 (CTS) | Input | 5 (CTS) | 1 (DCD) |
| 9 (RI) | Output | 22 (RI) | 4 (DTR) |

Status LEDs

You can monitor the basic operation of the IP300 Series appliance and network interface cards (NICs) by checking their status LEDs. The system status LEDs are located on the front panel of the appliance, as Figure 6 shows.

Figure 6 Appliance Status LEDs (callouts: power-status, fan problem, voltage)

Table 5 Appliance Status LEDs

| Status LED Front Panel Symbol | Indication | Explanation |
| --- | --- | --- |
| | Solid | Power on |
| | Solid | Unit is experiencing an internal voltage problem |
| | Blinking | The unit is experiencing a temperature problem |
| | Solid red | One or more fans are not operating properly, or a 5V, 3.3V, or 12V fuse is blown |

The location and meaning of the status LEDs for network interface cards are explained in Chapter 5, “Connecting PMC Network Interface Cards.”

For information on the built-in Ethernet interface LEDs, see “Ethernet Management Ports” on page 14.For information on the two-port Ethernet card LEDs, see “Four-Port and Two-Port 10/100 Mbps Ethernet Interface, PMC” on page 46.

Site RequirementsBefore you install a Nokia IP300 Series appliance, ensure that your computer room or wiring closet conforms to the environmental specifications listed in Appendix A, “Technical Specifications.”

Product DisposalAt the end of its useful life, your appliance and all peripherals included with it, including power cords and cables, must be disposed of in accordance with all applicable national, state, and local laws and regulations. These devices contain materials and components that must be disposed of properly. Therefore, to help prevent damage to the environment, Nokia encourages you to dispose of these devices in an environmentally-friendly manner.The following resources are available to you to help with equipment-disposal decisions:

Many Nokia products are labeled with information about the materials used in their manufacture that can help those who will process equipment after you have disposed of it.The Nokia web site (http://www.nokia.com) provides information about our environmental programs and practices, which includes details about materials used in manufacturing and end-of-life practices. You can also find your product’s Eco Declaration, which provides basic information on the environmental attributes of the product covering material use, packaging, disassembly, and recycling.


Contact your local waste management agencies for guidelines specific to your area.

Warning
Hazardous radiation exposure can occur if you use controls, make performance adjustments, or follow procedures that are not described in this document.

Warning
An explosion can occur if the battery is incorrectly placed. Replace only with the same or equivalent type battery recommended by the manufacturer. Dispose of used batteries according to the manufacturer's instructions.

Warning
To reduce the risk of fire, electric shock, and injury when you use telephone equipment, follow basic safety precautions. Do not use the product near water.

Caution
Do not place objects over the ventilation holes on the IP350 or IP380 appliance. The components might overheat and become damaged.

The crossed-out wheeled bin means that within the European Union the product must be taken to separate collection at the product end-of-life. This applies to your device but also to any enhancements marked with this symbol. Do not dispose of these products as unsorted municipal waste.


Caution
For IP300 Series appliances intended for shipment outside of the United States, the cord might be optional. If a cord is not provided, use a power cord rated at 6A, 250V, maximum 15 feet long, made of HAR cordage and IEC fittings approved by the country of end use.

Software Requirements

The Nokia IP300 Series appliance supports the following operating system and applications:

Operating System Requirements—IPSO v3.5.1, v3.7 and later. Flash-based appliances require IPSO v3.9 or later.
Firewall and VPN Software Requirements—Check Point NG VPN-1/FW-1 FP2 or higher.

For information about changes to the software requirements or additional applications that have become available since this guide was published, contact your Nokia service provider, as listed in “Nokia Contact Information” on page 3.


2 Installing the Appliance

This chapter describes how to install the Nokia IP300 Series appliance. The following topics are covered:

Rack Mounting the Appliance
Connecting Power and Turning the Power on
Connecting Network Interfaces

Caution
Protect your IP300 Series appliance and other electronic equipment from static discharge by making sure you are properly grounded before you touch any electronic components.

Note
The operating temperature range for the Nokia IP300 Series appliance is 0° C to 45° C (32° F to 113° F).

Rack Mounting the Appliance

The IP300 Series appliance mounts in a standard 19-inch rack with four mounting screws as Figure 7 shows.


Note
To avoid damaging your equipment, Nokia recommends that you use all four rack-mounting bolts when you install your appliance on the rack.

Figure 7 Mounting Screws Location

You can relocate the mounting brackets as Figure 8 shows so that the unit is 2 inches forward of the rack.

Figure 8 Adjustable Mounting Brackets

Two mounting positions are available allowing you to mount the unit either flush with the rack, or two inches forward of the rack.


Caution
Blocking ventilation openings during installation may result in damage to the appliance.

Connecting Power and Turning the Power on

The power plug and power switch for the IP300 Series appliance are located on the back of the appliance, as Figure 9 shows.

Note
The IP300 Series appliance power supply automatically detects the input voltage (115VAC/60Hz [90 to 132] or 220VAC/50Hz [180 to 264]) and configures itself appropriately.

Figure 9 Back Panel Power Switch

To connect the power supply

1. Connect the power cord securely into the power socket on the back of the appliance.

2. Plug the other end of the cord into a three-wire grounded power strip or wall outlet.

3. Press the power switch to the “on” position to turn on power to the appliance.


The fan unit on the power supply turns on when you press the power switch. Verify that the fans are running after you press the switch.

Check the power LED on the front panel of the appliance (the Nokia logo) to ensure that the power supply is operating correctly. The power LED should be illuminated. For more information about the system status LEDs, see “Status LEDs” on page 18.

If the power supply fans are not running, or if the power LED is not illuminated:

Check the power supply cord to make sure it is properly connected.
Make sure the power switch is on.
Make sure the chassis assembly is pushed all the way in from the front of the appliance.
Make sure that power is turned on to the power strip or wall receptacle you plugged the appliance in to.

If the fans are still not running, or if the power LED does not illuminate, contact your Nokia service provider as listed in “Nokia Contact Information” on page 3 for technical support.

Connecting Network Interfaces

Connect at least one network interface to use as the Network Voyager system management interface. This interface is configured during the system startup procedure, as described in Chapter 3, “Performing the Initial Configuration.”

You can also connect the remaining LAN interface wires at this point, although you are not required to do so.

To connect Ethernet devices:

Use a straight-through RJ-45 cable to connect to a 10-Mbps or 100-Mbps hub.
Use a crossover RJ-45 cable to connect directly to a host.

For details, see “Connectors and Cables” on page 47.

After you connect the network interfaces, continue with Chapter 3, “Performing the Initial Configuration.”


3 Performing the Initial Configuration

The first time you turn power on to a Nokia IP300 Series appliance, the initial configuration process begins. This process enables you to configure the network settings and provides access to the admin account. You can perform the initial configuration in two ways.

You can configure a DHCP server to provide the initial configuration information the first time the appliance is started.
You can perform the initial configuration manually by using a console connection.

This chapter describes how to perform the initial configuration manually by using a console connection. It includes the following sections:

Using a Console Connection to Perform the Initial Configuration
Accessing Nokia Network Voyager
Using Nokia Horizon Manager

For information about how to use the DHCP client for initial configuration, see the Read Me First document.


Using a Console Connection to Perform the Initial Configuration

If you do not use DHCP to perform the initial configuration of your IP300 Series appliance, you must use a serial console connection (cable included). After you perform the initial configuration, the console connection is no longer required.

You can use any standard VT100-compatible terminal with an RS-232 data terminal equipment (DTE) interface or terminal-emulation program configured with the following settings for the console:

9600 bps
8 data bits
No parity
1 stop bit

To connect to the console

1. Connect the supplied null-modem cable (console cable) to the console port on the front panel of the IP300 Series appliance.

Use only the DB9 port on the front panel labeled Console; the serial (AUX) port is an auxiliary modem port.

If you connect the console port to a data communications equipment (DCE) device, use a straight-through cable.

For cable pin assignments for the console connection, see “Built-in Console Port” on page 15.


2. Connect the other end of the cable to the VT100 console or to a system running a terminal-emulation program.

To perform the initial configuration

1. Turn on the appliance.

At the console a series of startup messages appears, then the following prompt appears:

BOOTMGR[0]>

The prompt remains on the screen for about five seconds. If you type any character during this time, the appliance activates the Nokia IPSO boot manager.

Note
For information about using the boot manager, see Chapter 8, “Using the Boot Manager.”

After some miscellaneous output, the following prompt appears:

Hostname?

If the Hostname? prompt does not appear on the console, check the console port and console display connections to ensure that the serial cable is completely plugged in at both ends. If you verify the console connections and still do not see either the BOOTMGR> or Hostname? prompts, verify that the terminal or terminal emulator program settings are correct. If the settings are correct, contact your Nokia service provider as listed in “Nokia Contact Information” on page 3.

2. Respond to the Hostname? prompt within 30 seconds to prevent the DHCP client from starting.

If the DHCP client starts, it might configure the appliance with an incorrect host name and IP address (this could happen if a DHCP server on your network is configured to respond to any request). To reset the incorrect host name and IP address:

a. Establish a console connection to the appliance.

b. Enter the following:

rm /config/active

or

mv /config/active /config/active.old

c. Reboot the appliance.

d. Respond to the Hostname? prompt within 30 seconds to prevent the DHCP client from restarting.

3. At each subsequent prompt, type the requested configuration information and then press Enter.

For more information about how to respond to the prompts during the initial configuration process, see the release notes for the Nokia software release you are running.

4. After you complete the initial configuration, you can use Network Voyager to configure the remaining network ports.
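One way to check a logged first-boot console session against the two timing windows in this procedure, as an added example that is not part of the Nokia guide. The event tuple format, the issue codes and the sample captures are constructed for illustration; only the two prompt strings, the time windows and the reset steps come from the guide.

```python
from dataclasses import dataclass

# Prompt strings and time windows as stated in the guide.
BOOTMGR_PROMPT = "BOOTMGR[0]>"
HOSTNAME_PROMPT = "Hostname?"
BOOTMGR_WINDOW_S = 5.0    # "about five seconds": any key opens the boot manager
HOSTNAME_WINDOW_S = 30.0  # answer within 30 s or the DHCP client starts

# Constructed issue codes mapped to what the guide says to do about them.
REMEDY = {
    "bootmgr-keystroke": "A key was typed while BOOTMGR[0]> was shown; "
                         "the boot manager was activated instead of a normal boot.",
    "hostname-late": "Hostname? was answered after 30 s; the DHCP client may have set "
                     "the host name and IP address. Remove or rename /config/active, "
                     "reboot, and answer the prompt in time.",
    "hostname-unanswered": "Hostname? was never answered; treat the host name and IP "
                           "address as set by whichever DHCP server replied.",
    "no-hostname-prompt": "Hostname? never appeared; check the serial cable and the "
                          "terminal settings (9600 bps, 8 data bits, no parity, 1 stop bit).",
}


@dataclass(frozen=True)
class Finding:
    time: float  # seconds into the capture
    issue: str   # key into REMEDY


def audit_console(events):
    """Audit (seconds, direction, text) events ordered by time.

    direction is "rx" for appliance output and "tx" for operator keystrokes.
    Returns a list of Finding, empty when both windows were respected.
    """
    findings = []
    bootmgr_at = hostname_at = None
    answered = False
    last_t = 0.0

    def close_boot(now):
        # A boot cycle ends at the next boot banner or at the end of the capture.
        if hostname_at is not None and not answered \
                and now - hostname_at > HOSTNAME_WINDOW_S:
            findings.append(Finding(now, "hostname-unanswered"))

    for t, direction, text in events:
        last_t = t
        if direction == "rx" and BOOTMGR_PROMPT in text:
            close_boot(t)                      # previous boot, if any
            bootmgr_at, hostname_at, answered = t, None, False
        elif direction == "rx" and HOSTNAME_PROMPT in text:
            hostname_at, answered = t, False
        elif direction == "tx":
            if hostname_at is not None:
                if not answered:               # only the first reply is timed
                    answered = True
                    if t - hostname_at > HOSTNAME_WINDOW_S:
                        findings.append(Finding(t, "hostname-late"))
            elif bootmgr_at is not None and t - bootmgr_at <= BOOTMGR_WINDOW_S:
                findings.append(Finding(t, "bootmgr-keystroke"))

    close_boot(last_t)
    if hostname_at is None:
        findings.append(Finding(last_t, "no-hostname-prompt"))
    return findings


# Constructed sample captures (timestamps in seconds, host name is made up).
CLEAN = [(0.0, "rx", "startup messages"), (12.0, "rx", "BOOTMGR[0]>"),
         (41.0, "rx", "Hostname?"), (49.5, "tx", "fw-lab-1\r")]
RACED = [(0.0, "rx", "startup messages"), (10.0, "rx", "BOOTMGR[0]>"),
         (38.0, "rx", "Hostname?"), (75.0, "tx", "fw-lab-1\r")]
INTERRUPTED = [(0.0, "rx", "startup messages"), (10.0, "rx", "BOOTMGR[0]>"),
               (12.0, "tx", " ")]
UNATTENDED = [(10.0, "rx", "BOOTMGR[0]>"), (38.0, "rx", "Hostname?"),
              (90.0, "rx", "later console output")]

if __name__ == "__main__":
    for name, capture in [("clean", CLEAN), ("raced", RACED),
                          ("interrupted", INTERRUPTED), ("unattended", UNATTENDED)]:
        for f in audit_console(capture):
            print(f"{name} @ {f.time:.1f}s: {REMEDY[f.issue]}")
```

A "hostname-late" or "hostname-unanswered" finding means the appliance's first address may have come from any DHCP server that answered, so verify the host name and IP address before you put the unit on a production segment.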

Accessing Nokia Network Voyager

You can use Network Voyager to configure the remaining network ports on your IP300 Series appliance.

To open Network Voyager

1. Start Netscape Navigator or Microsoft Internet Explorer on the host you want to use to complete the configuration.

2. In the Location or Address field, enter the IP address of the initial interface you configured on the appliance.

You are prompted to enter the admin username and the password you entered when performing the initial configuration.


Note
If the username popup menu does not appear, you might not have a network connection between the host and your IP300 Series appliance. Confirm the information you entered during the initial configuration and check that all cables are firmly connected.

Accessing Network Voyager Reference Information

As you use Network Voyager, the Nokia Network Voyager Reference Guide and Network Voyager inline help are available for you to use.

You can access both information sources from the Network Voyager interface, as Figure 10 shows.

Figure 10 Network Voyager Reference Access Points


Network Voyager Reference Guide

The Nokia Network Voyager Reference Guide is the reference source for Voyager. To access this source, click Doc.

You can also access the Nokia Network Voyager Reference Guide at the Nokia support site (https://support.nokia.com) or on the CD that was delivered with your IP300 Series appliance.

Network Voyager Inline Help

You can access inline help when you use Network Voyager. Inline help is the context-sensitive information source for Network Voyager.

To enable inline help for a specific subject, click the Help icon next to the subject. You can also click Help at the top of the Network Voyager window to get inline help for the entire Network Voyager window. To turn off inline help, click Close.

Using Network Voyager to Monitor an IP300 Series Appliance

After you install and configure your IP300 Series appliance, you can use Network Voyager to monitor its operation. Click Monitor from the Network Voyager home page to access the monitoring functions.

After you finish configuring the network interfaces with Network Voyager, the appliance is ready for routing and application configuration.

Use Network Voyager to configure the routing performed by the appliance. For information about how to access Network Voyager, see “To open Network Voyager” on page 30.

Use the documentation provided with your security application to configure firewall, VPN, and intrusion detection software.


Using Nokia Horizon Manager

You can use Horizon Manager to install and upgrade the Nokia proprietary IPSO operating system. For information about how to obtain Horizon Manager, see “Nokia Contact Information” on page 3.


4 Installing and Replacing Network Interface Cards

Your IP300 Series appliance comes with any network interface cards (NICs) you ordered already installed. This chapter describes how to remove, add, or replace NICs later if it becomes necessary. The following topics are covered:

Deactivating Configured Interfaces
Removing, Installing, and Replacing NICs
Configuring and Activating Interfaces
Monitoring Network Interface Cards

For detailed information on specific network interface cards, see Chapter 5, “Connecting PMC Network Interface Cards.”

Caution
You should have a working knowledge of networking equipment before attempting to service an IP300 Series appliance. Limit service of the unit to the procedures described in this chapter.


Caution
Protect your IP300 Series appliance and other electronic equipment from electrostatic discharge (ESD) by making sure you are properly grounded before touching any electronic components.

Deactivating Configured Interfaces

If you are removing or replacing an installed network interface card, use Network Voyager to deactivate any configured ports on the NIC before removing it.

Deactivate all of the logical interfaces on the NIC.
Deactivate all of the physical interfaces on the NIC.

If you do not deactivate the interfaces before removing the NIC, you may have to reinstall the NIC to deactivate its logical and physical interfaces in Network Voyager.

For information about how to access Network Voyager, see “Accessing Nokia Network Voyager” on page 30.

Removing, Installing, and Replacing NICs

Note
Before removing a configured network interface card with these instructions, you must deactivate the NIC in Network Voyager. For additional information, see “Deactivating Configured Interfaces” on page 36.

Use these instructions to remove, install, or replace a NIC in the IP300 Series appliance. Some steps are not applicable to all procedures. The instructions point out steps appropriate to each procedure.


Before You Start

To remove, install, or replace a Nokia network interface card, you need the following:

A Phillips-head screwdriver
Physical access to the appliance
Access to the appliance by using Nokia Network Voyager or the CLI
Suitable, grounded work surface
Field replaceable unit kit, including the NIC

To remove, install, or replace a network interface card

Note
Because power to the IP300 Series appliance is automatically disconnected when the chassis assembly is opened, you do not need to manually disconnect the power for this procedure. Any servicing of the unit, however, should be completed with the chassis assembly fully removed from the appliance. Power is still active in the chassis body and care should be taken when working on the power supply or power supply wiring without disconnecting the power cord.

1. Use Network Voyager to shut the appliance down.

For information about how to access Network Voyager, see “Accessing Nokia Network Voyager” on page 30.


2. Use your fingers or a screwdriver to loosen the retaining screws that hold the chassis assembly.

3. Gently pull the chassis assembly forward to expose the NIC connectors. Remove the tray completely to avoid damaging components.


4. From underneath the chassis assembly, remove the bezel retaining screws.

If you are installing a NIC in an unoccupied slot, remove the blank bezel that occupies the space in the appliance front panel, retain it for future use, and proceed to step 7.

5. From above the chassis assembly, remove the NIC retaining screws from the back of the NIC.


6. Remove the NIC by lifting the back of the NIC away from the chassis assembly and pulling the NIC gently away from the front panel.

7. Insert the new NIC or blank bezel.

If you are removing a NIC without installing another NIC:

a. Insert a blank bezel into the front panel slot formerly occupied by the NIC and push it gently into place. Make sure that the bezel is completely seated into the front panel and that the screw holes on the bottom of the bezel align with those in the front panel.

Note
To reduce electromagnetic interference (EMI), a blank bezel needs to be installed in the place of any NIC you have removed.

b. Proceed to step 9.


If you are installing or replacing a NIC, insert the NIC.

a. Insert the NIC bezel into the front panel.

b. Gently push the back of the NIC down toward the chassis assembly. Make sure that the NIC edge is completely seated into the connectors on the chassis assembly.

8. From the top of the chassis assembly, screw the NIC retaining screws into the standoffs on the back of the NIC.


9. From beneath the chassis assembly, screw in the bezel retaining screws.

10. Insert and close the chassis assembly until it clicks into place.


11. Tighten the retaining screws that hold the chassis assembly.

The appliance automatically restarts when the chassis assembly clicks into place.

Configuring and Activating Interfaces

The IP300 Series appliance automatically detects any new NIC when the appliance is restarted. Use Network Voyager to configure and activate the logical and physical interfaces on the NIC.

For information about how to access Network Voyager and the related reference materials, see “To open Network Voyager” on page 30.

Monitoring Network Interface Cards

You can assess the general operating condition of the NICs in your appliance by looking at the LED status indicators on the NICs. The status indicators for each NIC are explained in the NIC reference chapter.

For the status indicator information for the built-in Ethernet ports or the two-port Ethernet NIC, see “Four-Port and Two-Port 10/100 Mbps Ethernet Interface, PMC” on page 46.

Use Network Voyager to access detailed port information. For information about accessing Network Voyager, see “Accessing Nokia Network Voyager” on page 30. You can also use the IPSO tcpdump command to examine the traffic on a specific port.


5 Connecting PMC Network Interface Cards

This chapter describes the PMC NICs available for the IP300 Series appliance and describes how to connect those NICs to your network. The following NICs are covered:

Four-Port and Two-Port 10/100 Mbps Ethernet Interface, PMC
Two-Port V2 Gigabit Ethernet Card, PMC, Copper
Two-Port Gigabit Ethernet Card, PMC, Fiber

For instructions on adding or replacing interface cards, see Chapter 4, “Installing and Replacing Network Interface Cards.”

Caution
Protect your IP300 Series appliance and other electronic equipment from electrostatic discharge (ESD) damage by making sure you are properly grounded before you touch any electronic component.


Four-Port and Two-Port 10/100 Mbps Ethernet Interface, PMC

Every IP300 Series appliance has four built-in dual-mode 10-Mbps and 100-Mbps ports. Additionally, the appliance supports Nokia-approved, two-port UTP5 dual-mode 10-Mbps and 100-Mbps Ethernet NICs.

When you purchase an Ethernet NIC with your IP300 Series appliance, the NIC is installed before the appliance is delivered to you. For information on how to add or replace a NIC later, see Chapter 4, “Installing and Replacing Network Interface Cards.”

Ethernet PMC NIC Features

The Ethernet PMC NIC supports tracing through tcpdump.

You can configure and monitor Ethernet interfaces with Network Voyager. Specifically, you set the port speed and full-duplex or half-duplex mode by using Network Voyager.

Figure 11 Four-Port Ethernet NIC Front Panel Details

Figure 11 callouts: Link LEDs (solid green), Activity LEDs (blinking green), Ports

Note
In the IP300 Series appliance, you cannot use two PMC four-port 10/100 Ethernet NICs in one appliance. However, you can use one PMC four-port 10/100 Ethernet NIC in combination with any other NIC that the IP300 Series appliance supports.

Figure 12 shows the front panel layout of the two-port Ethernet NIC.

Figure 12 Two-Port Ethernet NIC Front Panel Details

After the power is turned on, the Ethernet link LEDs on the appliance and on the remote equipment illuminate to indicate the connection. As data is transmitted, the activity LEDs on the appliance light up.

Connectors and Cables

The connectors on the Ethernet NIC are RJ-45 connectors:

To connect to a 10-Mbps or 100-Mbps hub, use a straight-through RJ-45 cable.
To connect directly to a host, use an RJ-45 crossover cable.

Use IEEE 802.3 10BASE-T, 100BASE-TX unshielded twisted-pair, full-duplex or half-duplex cable.

Figure 12 callouts: RJ-45 connectors, Link LEDs (green), Activity LEDs (yellow)

Caution
Cables that connect to the Ethernet card must be IEEE 802.3 compliant to prevent potential data loss.

You can order appropriate adapter cables separately. You can order additional cables from a cable vendor of your choice.

Figure 13 shows the pin assignments for the cable. The RJ-45 cable output connector is numbered from right to left, with the copper tabs facing up and toward you.

Figure 13 Output Connector for the Ethernet Cable

Figure 14 shows the pin assignments for the RJ-45 cross-over cable.

Pin#  Assignment
1     TX
2     TX
3     RX
4
5
6     RX
7
8

Figure 14 Ethernet Crossover-Cable Pin Connections

Two-Port V2 Gigabit Ethernet Card, PMC, Copper

All NICs installed in a Nokia IP300 Series platform are installed into slots on the appliance. Ethernet NICs can occupy any of the slots or subslots in an appliance that other I/O cards do not occupy.

Note
Copper Gigabit Ethernet NICs you use in IP300 Series appliances need to be the Version 2 type, as indicated on the right end of the NIC faceplate. These NICs are sold by Nokia under the order code NIF4425.

The V2 copper Gigabit Ethernet NIC supports packet tracing for analysis using the tcpdump program in the IPSO operating system.


Figure 15 shows the front panel details for the two-port V2 copper Gigabit Ethernet NIC you use in the Nokia IP300 Series appliance.

Figure 15 Two-Port V2 Gigabit Ethernet NIC, Copper

Connectors and Cables

The copper Gigabit Ethernet NIC receptacles are RJ45 connectors.

To connect to a 1 Gbps hub, switch, or router, use a straight-through RJ-45 cable (Category 5 type cable, or as required by your network configuration).

Note
Certain circumstances might require shielded Category 5 Ethernet cables to meet Class B emissions requirements.

Note
All Nokia copper Gigabit Ethernet NICs support cable auto-sensing. You can use a straight-through or crossover cable to connect the NIC to a Gigabit Ethernet hub or switch, or to connect directly to a host.

In Figure 16, the RJ-45 cable output connector is numbered from right to left, with the copper pins facing up and toward you.

Figure 15 callouts: Link LEDs (green or yellow), Activity LEDs (yellow), Ports

Figure 16 Ethernet Cable Connector Output Pin Assignments

To connect directly to a host, use an RJ-45 crossover cable wired as Figure 18 shows.

Pin#  Gigabit Ethernet Assignment  10/100 Mbps Assignment
1     BI_DA+                       TX
2     BI_DA-                       TX
3     BI_DB+                       RX
4     BI_DC+
5     BI_DC-
6     BI_DB-                       RX
7     BI_DD+
8     BI_DD-

Figure 17 Gigabit Ethernet Crossover Cable Pin Connections

Figure 18 10/100 Ethernet Crossover Cable Pin Connections

To connect the IP300 Series appliance to other network components, you can order appropriate adapter cables separately from a cable vendor of your choice.

Two-Port Gigabit Ethernet Card, PMC, Fiber

All NICs installed in the IP300 Series appliance are installed into slots on the appliance. Ethernet NICs can occupy any of the slots or subslots in an appliance that other I/O cards do not occupy.


The two-port Fiber Gigabit Ethernet Card provides the following features:

High bandwidth
Full-duplex mode operation up to 1 Gbps (no half-duplex support)
Link speed auto advertising
Tracing through tcpdump
Compliance with PCI Industrial Computer Manufacturers Group (PICMG) cPCI specification v2
Compliance with IEEE 802.3z Gigabit Ethernet specification

You can configure and monitor Ethernet interfaces with Nokia Network Voyager, the Web-based element management interface to Nokia IP security platforms. Specifically, you set the port speed and full-duplex mode with Network Voyager. Figure 19 shows the front panel details for the two-port fiber-optic Gigabit Ethernet NIC you use in the IP300 Series appliance.

Figure 19 Two-Port Gigabit Ethernet NIC, Fiber

Figure 19 callouts: Link LEDs (green or yellow), Activity LEDs (yellow), Ports

Connectors and Cables

To connect the two-port Gigabit Ethernet NIC to other network components, use a multimode, fiber-optic cable with an LC connector for each NIC interface. The destination end of the cable can be either LC or SC, depending on the type of connector required for the destination Gigabit Ethernet device. You can also use a half-duplex LC-to-LC cable to loop back the transmit port of an interface to the receiver port.

Two LC-to-SC cables are included with two-port fiber-optic Gigabit Ethernet NICs. You can order additional cables from a cable vendor of your choice.


6 Installing and Replacing Other Components

This chapter provides information on how to add or replace user serviceable items other than network interface cards in your IP300 Series appliance. The following topics are covered:

Installing a PCMCIA Modem
Replacing a Hard-Disk Drive
Replacing or Upgrading Memory
Installing an Encryption Accelerator Card
Replacing the Battery

For instructions on adding or replacing interface cards, see Chapter 4, “Installing and Replacing Network Interface Cards.”

Caution: You should have a working knowledge of networking equipment before attempting to service an IP300 Series appliance. Limit service of the appliance to the procedures described in this chapter.

Caution: Protect your IP300 Series appliance and other electronic equipment from electrostatic discharge (ESD) damage by making sure you are properly grounded before you touch any component.

Installing a PCMCIA Modem

The IP300 Series appliance supports a PCMCIA modem card that allows you to set the country code through Network Voyager. For information about the country codes, see the Nokia Network Voyager Reference Guide.

Note: The IP300 Series appliance supports PCMCIA modems. Nokia supports only Nokia-supplied modems. For further information, contact the appropriate Nokia customer support site listed in “Nokia Contact Information” on page 3.

Before You Start

To install the modem in your appliance, you need the following:

Physical access to the appliance
A Nokia-approved PCMCIA modem
Access to the appliance using Network Voyager or console access to the appliance
A telephone cable appropriate for the phone system where the unit is installed
An analog phone line

To use a modem with an IP300 Series appliance

1. If the modem is not already installed, insert the PCMCIA modem into either the top or bottom PCMCIA slot until the modem clicks into place.

The modem and the ejector tab on the left of the slot protrude from the unit. The appliance automatically recognizes the modem.

2. Connect the modem to a phone line. Use the appropriate cable for the modem and telephone system in the country in which the device is used.

To configure IPSO to allow logins through the modem, click Config on the Home page in Network Voyager and then click the Network Access and Services link in the Security and Access Configuration section. For information about accessing Network Voyager and the related reference materials, see “Accessing Nokia Network Voyager” on page 30.

Replacing a Hard-Disk Drive

The IP350 and IP380 appliances each include one hard-disk drive, which you can remove and replace. Figure 20 shows the location of the hard-disk drive on the motherboard.

Note: Back up your files to a remote system on a regular basis. For backup and restore procedures, see the IPSO release notes.

Figure 20 Hard-Disk Drive Location

Note: The hard-disk drive must contain the IPSO partitions and boot loader before installation. For further information, contact the appropriate Nokia customer support site as listed in “Nokia Contact Information” on page 3.

Before You Start

To install the hard-disk drive in your appliance, you need the following:

Physical access to the appliance
A Nokia-approved hard-disk drive
Access to the appliance through Network Voyager
A Phillips-head screwdriver
A torque screwdriver capable of a 69.4 ozf*in (5 kgf*cm) setting

To replace a hard-disk drive

1. Use Network Voyager to shut the appliance down.

For information about how to access Network Voyager, see “Accessing Nokia Network Voyager” on page 30.

2. Loosen the retaining screws that hold the chassis assembly.

3. Gently slide the chassis assembly forward to remove the tray from the appliance so you can access the hard-disk drive retaining screws from the bottom of the tray.

Note: Because power to an IP300 Series appliance is automatically disconnected when the chassis assembly is opened, you do not need to manually disconnect the power for this procedure. Any servicing of the unit, however, should be completed with the chassis assembly fully removed from the appliance. Power is still active in the chassis body and care should be taken when working on the power supply or power supply wiring without disconnecting the power cord.

4. From the bottom of the chassis assembly, remove the retaining screws that hold the hard-disk drive unit.

5. Gently remove the hard-disk drive from the motherboard, taking care not to damage the connector.

6. Insert the new hard-disk drive unit.

Note: Push the hard-disk drive gently into place. Take care to align the connectors correctly as the connectors are not keyed.

7. Tighten the retaining screws that hold the hard-disk drive in place.

8. Slide the chassis assembly back into the appliance until it clicks into place.

9. Tighten the retaining screws that hold the chassis assembly.

The appliance automatically restarts when the chassis assembly clicks into place.

Replacing or Upgrading Memory

The IP350 and IP380 appliances each have two dual inline memory-module (DIMM) sockets. This section explains how to upgrade or replace the memory for either appliance by using a Nokia-approved memory upgrade kit.

The IP350 and IP380 come with different memory configurations. Contact Nokia customer support for more information on the supported memory configurations.

Note: Nokia recommends that you obtain memory kits only from Nokia or authorized resellers. For further information, contact the appropriate Nokia customer support site listed in “Nokia Contact Information” on page 3.

The DIMM sockets are located at the right of the motherboard, as you look at the appliance from the front, as Figure 21 shows.

Figure 21 DIMM Socket Locations

Before You Start

To upgrade or replace the memory in your appliance, you need the following:

Physical access to the appliance
Nokia memory upgrade kit and accompanying documentation
Network or console access to the appliance

Caution: To protect the IP300 Series appliance and the memory modules from electrostatic discharge (ESD), make sure you are properly grounded before you touch these components.

Note: Because power to an IP300 Series appliance is automatically disconnected when the chassis assembly is opened, you do not need to manually disconnect the power for this procedure. Any servicing of the unit, however, should be completed with the chassis assembly fully removed from the appliance. Power is still active in the chassis body and care should be taken when working on the power supply or power supply wiring without disconnecting the power cord.

Adding or Replacing DIMMs

To add or replace DIMMs

1. Use Network Voyager, the CLI, or the IPSO shell to halt the IP350 or IP380 appliance. To use the CLI or IPSO shell, simply enter halt.

For information about accessing Network Voyager, see “Accessing Nokia Network Voyager” on page 30.

2. Loosen the two front panel retaining screws.

3. Slide the chassis assembly forward to expose the DIMM sockets. Remove the tray completely to avoid damaging components.

4. Remove any memory module necessary by pressing the two retaining clips outward and carefully pulling each DIMM upward as the following figure shows.

You might need to pull opposite ends of the DIMM alternately to gradually free it from the contact pins.

5. The memory DIMMs are keyed to prevent improper insertion. Press the new DIMM into the socket until it clicks into place.

The top of the DIMM is smooth. The bottom edge has three sets of contacts of different lengths, which mate with the slots on the socket. Be sure the contacts and slots are properly aligned before you insert the DIMM.

The retaining clips move into the lock position as you press the DIMM into place.

6. Slide the chassis assembly back into the appliance until it clicks into place.

7. Resecure the two retaining screws.

The appliance automatically recognizes the new memory configuration. You can verify this from Network Voyager, the CLI, or the IPSO shell.

To verify the memory from the CLI, enter:

show asset hardware

To verify the memory from the IPSO shell, enter:

dmesg | grep 'real memory'

Installing an Encryption Accelerator Card

Note: The IP350 and IP355 do not support the optional encryption accelerator card.

The encryption accelerator card provides high-speed cryptographic processing that enhances VPN performance in the IP380. The IP380 and IP385 appliances also support an optional encryption accelerator card to further enhance VPN performance. No hardware configuration is required for the encryption accelerators. The built-in hardware encryption accelerators are enabled by default on both appliances. Installing the optional encryption accelerator card on the IP380 and IP385 appliances automatically disables the built-in accelerator and enables the card. Removing the card reverses the process. When you order an encryption accelerator card with the appliance, the card is installed before the appliance is delivered. This section provides instructions for installing or replacing the card at a later time.

The IP380 and IP385 appliances use a PMC format encryption accelerator card. The accelerator card has no external connections and requires no cables.

The accelerator card software package is part of IPSO, so the appliance automatically detects and configures the card.

You must use Network Voyager to configure your software applications (IPSec or Check Point VPN) to make use of the available hardware accelerator. For details, see “Configuring Software to Use Hardware Acceleration” on page 72.

Before You Start

Before you install the encryption accelerator card, you need:

Physical access to the unit
A Phillips-head screwdriver
Four screws (included in packaging)
A disposable wrist strap (included in packaging)

Warning: To help guard against electrostatic discharge damage, follow the instructions on the wrist strap envelope before you handle the encryption accelerator card or open the appliance.

Installing the Card

1. Use Nokia Network Voyager, the CLI, or the IPSO shell to halt the appliance. To use the CLI or IPSO shell, simply enter halt.

2. Loosen the two front-panel retaining screws.

3. Slide the chassis assembly forward to expose the motherboard components, as the following figure shows.

4. Locate the PMC connectors on the rear of the motherboard.

Caution: Make sure you locate the correct connectors for the VPN acceleration card. Do not use the PMC connectors located at the front of the motherboard; those connectors are for NICs.

5. Position the male PMC connectors on the card over the female PMC connectors on the motherboard. The two sets of connectors should be aligned with each other. The four screw holes and four standoffs should also be aligned with one another.

6. Push down on the card until it is properly seated on the motherboard.

Figure (unnumbered): Insert the VPN card into connectors. Screw card into standoffs. (callouts: standoffs; PMC connectors for VPN card)

7. Place the screws through the standoff holes on the card and into the standoffs on the motherboard.

8. Turn each screw clockwise so that the card is attached to the standoffs. Do not tighten completely.

9. Make sure that all four standoff connections are properly aligned.

10. To secure the connections, tighten the screws firmly, but do not overtighten.

11. Slide the chassis assembly back into the appliance and resecure the two retaining screws.

Reseating the chassis assembly automatically restores power to the appliance.

12. Configure your software to use hardware acceleration. For more information, see “Configuring Software to Use Hardware Acceleration.”

Configuring Software to Use Hardware Acceleration

Use Network Voyager to configure virtual private network (VPN) tunnels to use hardware acceleration. This step is necessary for both the built-in hardware accelerators and for the optional encryption accelerator card on the IP380 appliance.

The way you enable the software depends on whether you create VPN tunnels with Network Voyager or with Check Point software. If you use Network Voyager to create a VPN tunnel, see “To configure IPsec” on page 72. If you use Check Point software to create a VPN tunnel, see “To configure Check Point VPN” on page 72.

To configure IPsec

1. Start Nokia Network Voyager for your appliance.

2. On the Network Voyager home page, click Config.

3. Under Interfaces, click IPSec.

4. Scroll down and click IPSec Advanced Configuration.

5. At Hardware Device Configuration, click On.

6. Click Apply to enable the card.

To configure Check Point VPN

1. Start Nokia Network Voyager for your appliance.

2. On the Network Voyager home page, click Config.

3. Scroll down to Security and Access Configuration and click Cryptographic Hardware Acceleration.

4. At Hardware Device Configuration, click On.

5. Click Apply to enable the card.

You can also monitor Nokia encryption accelerator card interfaces by using Nokia Network Voyager. For more information about accessing Nokia Network Voyager and locating relevant reference materials, see the Nokia Voyager Reference Guide.

Replacing the Battery

This section provides instructions for replacing the motherboard battery in a Nokia IP300 Series appliance.

Before You Start

To replace the battery, you need the following:

The appropriate Nokia battery replacement kit for your appliance
Physical access to the appliance
A Phillips-head screwdriver
A wrist grounding strap
(Optional) Safety glasses

Warning: An explosion might occur if the battery is incorrectly placed. Replace the battery only with the same or equivalent type that the manufacturer recommends. Dispose of used batteries according to the manufacturer’s instructions.

Warning: Make certain that you have removed the power cord from the appliance before you proceed with any of the following steps. Failure to do so could cause electric shock, resulting in burns or death.

Caution: Make certain that you are properly grounded when you handle components internal to the appliance to protect against electrostatic discharge damage to the appliance. Use the disposable grounding strap included in the battery replacement kit.

To install the battery, perform the following tasks:

1. Locate the battery on the motherboard. The battery is in a black battery holder secured with a battery retaining pin. Figure 22 shows the battery location in the IP300 Series appliance.

Figure 22 Battery Location in the Nokia IP300 Series Appliance

2. Remove the old battery. Use a small nonconductive device, such as a plastic probe, to slide the battery out of the battery holder through the cutout in the holder.

Caution: You must place the new battery into the battery holder observing the correct polarity. The positive terminal of the battery must be facing up.

3. With the positive side facing up, slide the new battery through the cutout in the battery holder.

4. Make sure that the battery is securely installed in the battery holder with the positive side of the battery facing up.

The appliance should start up normally with the new battery installed. If it does not, repeat this procedure. If the appliance does not start up normally after that, contact your Nokia service provider.

5. Reset the appliance date and time information using Network Voyager or the command-line interface. You need to do this because the battery is required to maintain the date and time whenever you shut down the appliance.

7 Installing PC Cards

This chapter includes information about how to install flash-memory PC cards in your IP300 Series appliance. You can use the flash-memory PC card to store local system logs, Nokia IPSO images, and configuration files. The IP300 Series appliance supports storage space of 512 MB or higher. The IP300 Series appliance has two PCMCIA slots that can support a flash-memory PC card having a capacity of 1 GB or higher.

Before You Begin

To install a PC card, you need:

Physical access to the appliance
Access to the appliance by using Nokia Network Voyager or the command-line interface (CLI)
Replacement PC card and accompanying documentation

Caution: To avoid potential equipment malfunction, Nokia recommends that you obtain PC cards only from Nokia or authorized resellers. For further information, contact the appropriate Nokia customer support site listed in “Nokia Contact Information” on page 3.

Installing a Flash-Memory PC Card

Caution: You risk damage to the appliance or loss of data if you do not use the following procedure when you replace the flash-memory PC card.

Note: The flash-memory PC card comes formatted from the factory.

To install the flash-memory PC card

1. Insert the flash-memory PC card into PC-card slot 1 or slot 2.

2. Press gently on the card until it is firmly seated in the slot.

The eject button to the left of the slot should be flush with the card.

Storing System Logs on the Flash-Memory PC Card

You can use the flash-memory PC card to store system log messages. Use Nokia Network Voyager to configure the flash-memory PC card as an optional disk. After you reboot the Nokia IP300 Series appliance, use Network Voyager to configure system logging options. For more information, see the Nokia Network Voyager Reference Guide.

You must disable the flash-memory PC card before you remove it. You can disable the flash-memory PC card by using Network Voyager or the CLI.

To use Nokia Network Voyager to disable a flash-memory PC card

1. Click System Logging under System Configuration and check the Unselect check box.

2. Click Apply.

3. Click Up.

4. Click Optional Disks under System Configuration and click the Off radio button under Local Logging.

5. Click Apply.

6. Click Save.

7. Click Up.

8. Click Reboot, Shut Down System to shut down or reboot the appliance.

You can now remove the flash-memory PC card.

To use the CLI to disable a flash-memory PC card

1. Enter the following command:

set syslog local-log off

2. Enter the following command, where the number 1 or 2 indicates the PC-card slot:

set optional-disk device-id <1 | 2> off

3. Enter the following command:

halt

or

reboot

You can now remove the flash-memory PC card.

Caution: When you remove the card, hold the flash-memory PC card while you push the eject button to prevent the card from ejecting too quickly.

Transferring Files with the Flash-Memory PC Card

You can copy configuration files between the internal compact flash memory and the flash-memory PC card. If you do not use Nokia Network Voyager to configure the flash-memory PC card as an optional disk, you must mount the flash-memory PC card when you insert it in the PC-card slot, and you must unmount the flash-memory PC card before you remove it. You do not need to reboot or shut down the system if you manually mount and unmount the flash-memory PC card.

To transfer Nokia IPSO images or configuration files to the flash-memory PC card:

1. Insert the flash-memory PC card into the IP300 Series appliance.

2. Connect to the IP300 Series appliance by using a console or terminal connection.

3. Mount the flash-memory PC card by using the following command:

mount /dev/wd1 /cdrom

The /cdrom directory is a default directory in IPSO for mounting media.

4. Use the cp command to transfer IPSO images or configuration files to and from the flash-memory PC card. For example, to copy the current IPSO image from the compact flash to the flash-memory PC card, use the following command:

cp /image/current/ipso.tgz /cdrom/

5. Use the following command to unmount the flash-memory PC card before you eject it:

umount /cdrom

6. To remove the card, slowly push the eject button located to the left of the card.

Caution: Hold the flash-memory PC card while you push the eject button to prevent the card from ejecting too quickly.

8 Using the Boot Manager

This chapter describes how to use the IPSO boot manager. The following topics are discussed in this chapter:

Variables
Booting the System
Using the Boot Manager to Install IPSO
Protecting the Boot Manager with a Password
Installing the Boot Manager
Upgrading the Boot Manager

The Nokia IP300 Series appliance incorporates a boot manager on disk to control the boot-up process. The boot manager allows you to perform a number of tasks, including the following:

Booting from alternate kernels, which might reside on nondefault devices or directories
Installing new versions of IPSO (the operating system)
Obtaining system information
Performing various housekeeping tasks

When you first receive your IP300 Series appliance, the boot manager uses factory-default parameters (kernel, boot device, and so on) for the boot process. The factory defaults cause the appliance to bypass the boot manager prompt after a five-second wait. You can change these defaults to reflect your own needs, or you can use different parameters in the command line at boot time. The boot manager maintains the default values of these parameters on the hard-disk drive. You can set these values by using boot manager commands.

This chapter describes the boot manager commands.

Variables

A number of variables are stored by the boot manager in nonvolatile memory. You can set and view most variables from the boot manager prompt. The following sections describe how to view and set the variables. The variables are:

Table 6 Boot manager variables

Variable: Description

boot manager revision: The version number of the boot manager. This variable cannot be set from the command line.

autoboot: If autoboot is set to no, the IP300 Series appliance stops at the boot manager command line during the boot process. If autoboot is set to yes, the IP300 Series appliance does not stop at the boot manager command line during a boot up. It does wait for the amount of time specified in bootwait for input from the keyboard. If input is received, the boot manager goes to the command line; otherwise, it proceeds with the boot up. Factory default: yes.

bootwait: The amount of time, in seconds, that the boot manager waits for input during a boot up when autoboot is set to yes. Factory default: five seconds.

boot-device: This is the device from which the boot-file loads. Factory default: wd0. Options: wd0 (hard disk).

boot-file: The name of the operating system kernel file. Factory default: /image/current/kernel.

boot-flags: The string of flags passed to the kernel. Factory default: -x.

The following table shows possible boot flags.

Flag: Meaning

-d: Debug Mode: Enters the kernel debugger as soon as possible in the kernel initialization.

-s: Single-User Mode: If the console is marked as insecure, you must enter the root password to access the manager.

-v: Verbose Mode: Verbose during device probing and thereafter.

Viewing the Variables and Other System Parameters

printenv

Use the printenv command to view the values of variables currently stored in the boot manager nonvolatile memory. The command has the following syntax:

printenv

For example:

BOOTMGR[93]> printenv

Bootmgr Revision: 3.3,base kernel=3.5.1- 06.12.2002-080000

autoboot: YES

testboot: NO

bootwait: 0

boot-file:

boot-flags:

boot-device:

vendor: Nokia

model: IP
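The following Python check is an added example, not part of the Nokia guide: it parses captured printenv console output and reports variables whose stored values are unset or differ from the factory defaults in Table 6, plus any stored boot flags listed in the boot flag table. The function names, the second (constructed) sample, and the treatment of an empty value as "unset" are assumptions of this example.

```python
# Added example (not from the Nokia guide): audit a captured boot manager
# `printenv` transcript against the factory defaults listed in Table 6.

# Factory defaults as stated in Table 6. Assumption: printenv reports
# bootwait as a bare number of seconds, as in the guide's sample output.
FACTORY_DEFAULTS = {
    "autoboot": "yes",
    "bootwait": "5",
    "boot-device": "wd0",
    "boot-file": "/image/current/kernel",
    "boot-flags": "-x",
}

# Flags described in the guide's boot flag table.
FLAG_MEANINGS = {
    "d": "debug mode (enters the kernel debugger early)",
    "s": "single-user mode",
    "v": "verbose mode",
}

# The guide's own printenv example, reproduced as input.
GUIDE_SAMPLE = """\
BOOTMGR[93]> printenv
Bootmgr Revision: 3.3,base kernel=3.5.1- 06.12.2002-080000
autoboot: YES
testboot: NO
bootwait: 0
boot-file:
boot-flags:
boot-device:
vendor: Nokia
model: IP
"""

# Constructed sample: values borrowed from the guide's `boot` example
# (mykernel, -vd), written as if they had been stored with setenv.
CONSTRUCTED_SAMPLE = """\
BOOTMGR[2]> printenv
autoboot: NO
bootwait: 5
boot-file: /image/current/mykernel
boot-flags: -vd
boot-device: wd0
"""


def parse_printenv(text):
    """Return {variable: value} from printenv output; empty value means unset."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("BOOTMGR["):
            continue  # skip blank lines and the echoed prompt
        name, sep, value = line.partition(":")
        if sep:
            env[name.strip().lower()] = value.strip()
    return env


def decode_flags(flag_string):
    """Split a flag string such as '-vd' into its single-letter flags."""
    letters = []
    for token in flag_string.split():
        if token.startswith("-"):
            letters.extend(token[1:])
    return letters


def audit(env):
    """Return (variable, status, detail) findings for values that differ from Table 6."""
    findings = []
    for name, default in FACTORY_DEFAULTS.items():
        stored = env.get(name, "")
        if not stored:
            findings.append((name, "unset", f"no stored value (factory default {default})"))
            continue
        # autoboot is shown in upper case by printenv; paths stay case-sensitive.
        comparable = stored.lower() if name == "autoboot" else stored
        if comparable != default:
            findings.append((name, "changed", f"{stored} (factory default {default})"))
    for letter in decode_flags(env.get("boot-flags", "")):
        if letter in FLAG_MEANINGS:
            findings.append(("boot-flags", "flag", f"-{letter}: {FLAG_MEANINGS[letter]}"))
    return findings


if __name__ == "__main__":
    for label, sample in (("guide", GUIDE_SAMPLE), ("constructed", CONSTRUCTED_SAMPLE)):
        print(label)
        for finding in audit(parse_printenv(sample)):
            print("  %-12s %-8s %s" % finding)
```

Run against a saved console capture, a non-default boot-file or a stored -d or -s flag is worth reconciling with the change record before the appliance is returned to service.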

sysinfo

Use the sysinfo command to view system information such as CPU speed, memory size, and so forth. The command has the following syntax:

sysinfo

For example:

CPU 0: 700 MHz Pentium-III w ATC

Memory: 268435456 (256M bytes)

Disk Devices:

IO port 0x1f0 wdc0: unit 0 (wd0): <IBM-DJSA-205> 5000MB (9767520 sectors), 608 cyls, 255 heads, 63 S/T, 512 B/S

Network Interfaces:

loop0: flags=10b<UP,LINK,LOOPBACK,PRESENT>

soverf0: flags=2923<UP,LINK,MULTICAST,PRESENT,IPV6ONLY>

stof0: flags=2903<UP,LINK,PRESENT,IPV6ONLY>

tun0: flags=107<UP,LINK,POINTOPOINT,PRESENT>

eth1: flags=131<LINK,BROADCAST,MULTICAST,PRESENT>

ether 0:20:30:0:11:4 speed 10M full duplex

eth2: flags=130<BROADCAST,MULTICAST,PRESENT>

ether 0:20:30:0:11:5 speed 10M full duplex

eth3: flags=130<BROADCAST,MULTICAST,PRESENT>

ether 0:20:30:0:11:6 speed 10M full duplex

eth4: flags=130<BROADCAST,MULTICAST,PRESENT>

ether 0:20:30:0:11:7 speed 10M full duplex

ls

Use the ls command to view the contents of directories on the devices in your IP300 Series appliance. The command has the following syntax:

ls device directory

where device is the device containing the directory you want to look at, and directory is the directory on that device. Both device and directory are optional. The default directory is /image on the wd0 device.

For example:

BOOTMGR[2]> ls wd0 /image/current

.description bootmgr etc kernel.debug usr

VERSION cdrom ipso.tgz mnt web

bin dev kernel sbin

Setting the Variables

setenv

Use the setenv command to set a particular variable. The command has the following syntax:

setenv name value

where name is the name of the variable, and value is the new value you want the variable to assume.

For example:

BOOTMGR[2]> setenv autoboot yes

sets the value of autoboot to be yes.

unsetenv

Use the unsetenv command to clear a particular variable. The command has the following syntax:

unsetenv name

where name is the name of the variable to be cleared.

For example, the following command clears the boot-file variable:

BOOTMGR[2]> unsetenv boot-file

Note: This command sets the autoboot variable to no, and the bootwait variable to zero.

set-defaults

Use the set-defaults command to set variables to their factory-default values. The command has the following syntax:

set-defaults name

where name is the name of the variable to be set to its factory default. If name is not specified, all variables are set to their factory defaults.

For example, the following command sets the value of autoboot to be yes, the factory default:

BOOTMGR[2]> set-defaults autoboot

setalias

Use the setalias command to set an alias. The command has the following syntax:

setalias name device

where name is the alias name, and device is the device for which name is the alias.


For example, the following command sets the alias disk to have the value of wd0:

BOOTMGR[2]> setalias disk wd0

You can have a maximum of eight aliases set at one time.

unsetalias

Use the unsetalias command to clear an alias. The command has the following syntax:

unsetalias name

where name is the name of the alias to be cleared.

For example, the following command deletes the disk alias from the list of aliases:

BOOTMGR[2]> unsetalias disk

Other Commands

halt

Use the halt command to halt the system. The command has the following syntax:

halt

help

Use the help command to display a list of the available commands. The command has the following syntax:

help or ?


Booting the System

The boot command lets you boot up the operating system (IPSO). It allows you to set the boot device, boot file, and boot flags from the command line.

The command has the following syntax:

boot boot-device boot-file boot-flags

where boot-device is the storage device from which the operating system loads at boot up, and boot-file is the operating system kernel. The boot-flags control the operation of the command. Refer to the boot flag table in “Variables” on page 82.

For example, at the boot manager command prompt enter the following:

BOOTMGR[0]> boot wd0 /image/current/mykernel -vd

This command boots mykernel from disk wd0 in verbose and debug mode.

You can supply all, any, or none of the arguments. If you do not supply an argument, the boot manager uses its default. It first searches its nonvolatile memory to see if the corresponding default argument is specified there. If so, it uses that value; if not, it defaults to the values in the following table:

Argument       Default
boot-device    wd0 (the hard-disk drive)
boot-file      /image/current/kernel
boot-flags     -x

Using the Boot Manager to Install IPSO

Use the install command to install IPSO. The syntax of the command is:

install

For complete installation procedures, refer to the appropriate version of release notes.


Note: A full installation using the install command deletes the existing IPSO image on the IP300 series appliance.

To install a new copy of the IPSO kernel

1. At the boot manager command prompt, enter:

BOOTMGR[0]> install

If you used the passwd command to protect this command with a password, the boot manager prompts you for your password before allowing you to execute the install command.

2. Enter the information the install command requests (your system IP address, the server IP address, and other information).

3. Reboot the IP300 Series appliance.

Protecting the Boot Manager with a Password

To prevent accidental or unauthorized access to your IP300 Series appliance hard disk, you can require that the user enter a password to access the boot manager install command. Use the passwd command to set the password.

Note: The password you enter gives you access to the install command in boot manager, not access to IPSO.

To set a password

1. At the boot manager command prompt enter:

BOOTMGR[0]> passwd

The passwd program prompts you for your current password.


2. If the appliance is protected by a password, enter your current password.
The program prompts you for the new password.

3. Enter the new password.
The program prompts you to reenter the new password for verification.

4. Enter the new password again.

Note: If you forget your install password, contact the appropriate Nokia Customer Support site as listed in “Nokia Contact Information” on page 3 for information on how to set a new one.

Installing the Boot Manager

The boot manager is installed at the factory; you should not need to reinstall it. If you should need to reinstall the boot manager, contact the appropriate Nokia customer support site listed in the “Nokia Contact Information” on page 3 for instructions and a new boot manager.

The command to install the boot manager has the following syntax:

install_bootmgr boot-device boot-file

where boot-device is the storage device to which you write the new boot manager image and from which boot manager image loads at boot up. Boot-file is the new boot manager. The new boot manager options are cpipflash, cpvpnflash, nkipflash, and nkvpnflash. Execute the install_bootmgr command from IPSO (the operating system), not from the boot manager.

Note: To install the new boot manager, you must be in single-user mode.


To install the new boot manager

1. Start the appliance in single-user mode.

2. At the IPSO command prompt, enter:

/etc/install_bootmgr wd0 /image/current/bootmgr/nkipflash

The command installs the new boot manager image (nkipflash) into the flash device (wd0). The installation takes some time to complete. Do not interrupt the installation process.

Upgrading the Boot Manager

The command to upgrade your boot manager has the following syntax:

upgrade_bootmgr boot-device boot-file

where boot-device is the storage device from which the boot manager loads at boot up and boot-file is the new boot manager image. The new boot manager options are cpipflash, cpvpnflash, nkipflash, and nkvpnflash. Execute the upgrade_bootmgr command from IPSO (the operating system), not from the boot manager.

For complete upgrade procedures, refer to the appropriate version of release notes.

Note: To install the new boot manager, you must be in single-user mode.

To upgrade the boot manager

1. Get the upgraded boot manager image from the appropriate Nokia customer support site as listed in the Nokia Contact Information section at the front of this guide.

2. Start the IP300 Series appliance in single-user mode.


3. At the IPSO command prompt, enter:

/etc/upgrade_bootmgr wd0 /etc/nkipflash

The command upgrades the boot manager with the new image (nkipflash), writing it into the hard-disk drive (wd0). The upgrade takes some time to complete. Do not interrupt the upgrade process.


9 Troubleshooting

This chapter provides troubleshooting tips, problems, and solutions related to IP300 Series appliance installations.

General Troubleshooting Information

The information in this section relates to non-routing problems. For information about how to troubleshoot routing problems, see “Troubleshooting Routing Problems” on page 105.

Unable to Log in to the Console Port—No Error Message

Two laptop computers (using terminal emulation programs) or terminals should be able to communicate back to back in the same way that the terminal communicates with the IP300 Series appliance. If this is not possible using your laptop computer or terminal, the problem is with the terminal or cable and not the appliance.

Problem: You do not have a console connection to the IP300 Series appliance.
Solution: For information about how to create a console connection, see “Using a Console Connection to Perform the Initial Configuration” on page 28.


Problem: Not connected with a null-modem cable.
Solution: Verify that you are using a null-modem cable. For pinout information, see “Using a Console Connection to Perform the Initial Configuration” on page 28.

Problem: Wrong terminal settings.
Solution: Verify terminal settings: 8 data, 1 stop, no parity, 9600 bps.

Problem: Terminal set for flow control.
Solution: The IP300 Series appliance does not use flow control. The terminal should be set for no flow control.

Problem: Defective IP300 Series appliance or file system.
Solution: Contact the Nokia customer support site listed in “Nokia Contact Information” on page 3.

Problem: Database is corrupt.
Solution: Return to default settings according to the instructions included in the instructions for resetting the default password, or contact the Nokia customer support site listed in “Nokia Contact Information” on page 3.

Login Prompt Appears, But Password Not Accepted

Problem: Entered wrong password.
Solution: Obtain a valid password or set the password to a default value.


To reset the admin password to a default value

Note: You must have local serial access to your appliance console to perform this procedure. With a keyboard and monitor directly connected to the appliance, the boot: prompt does not appear, and you cannot perform this procedure.

1. Boot up the appliance in single-user mode by restarting or power cycling the appliance.
When the boot: prompt appears, enter -s before the appliance goes into multiuser mode; you have about 10 seconds to do this.

2. After the appliance boots up, the following text appears:
Enter pathname of shell or RETURN for sh:
Press Enter.

3. Type /etc/overpw at the # prompt.
When the response asks if you want to continue, type y.

4. The admin password defaults to no password for admin.
Continue to boot to multiuser mode.

5. Reconfigure the password as you normally would.

Note: Blank passwords are not accepted in Network Voyager. In such cases, enter the following command to reset the password from the command line using a blank password:

dbpasswd admin newpassword ""

The two double quotation marks at the end of the command properly indicate a blank password. After you execute this command, the system reports that the password was not successfully changed. However, the password is changed and is now newpassword.


Finally, return the entire database to its default settings and bring up the new system-startup procedure. The new system-startup procedure is described in Chapter 3, “Performing the Initial Configuration”.

To reset the default database settings

1. Log in to the IP300 Series appliance as admin by using Network Voyager.

For information about how to access Network Voyager and the related reference materials, see “Accessing Nokia Network Voyager” on page 30.

2. Under Configuration Database Management (Config > System Configuration > Manage Configuration Sets), choose the option to create a new factory default configuration.

3. Create the new default configuration.

Do Not Get a Login Prompt—Error Messages Appear

Problem: The IP300 Series appliance is defective, or the file system on the IP300 Series appliance is defective.
Solution: Contact the Nokia customer support site listed in “Nokia Contact Information” on page 3.

Note: Use the full installation procedure to install a new system. The new system completely replaces the contents of the drive and might be needed to restore or reload an IP300 Series appliance. This procedure erases any configuration database on the appliance. For information about how to complete the full installation procedure, see the current release notes. The release notes are located on the Nokia customer support Web site as listed in the “Nokia Contact Information” on page 3.


Unable to Connect to Network Voyager Using the Ethernet Port, But Console Access Works

Problem: Using the wrong Ethernet cable.
Solution: Use a crossover Ethernet cable if you are connecting directly to the computer. Use a straight-through cable if you are connecting to a hub. For cabling information, see “Four-Port and Two-Port 10/100 Mbps Ethernet Interface, PMC” on page 46.

Problem: Port is not configured as active.
Solution: Use the CLI over the console connection to verify the interface configuration and fix it if necessary.

Problem: Host port configuration is incorrect.
Solution: Use the CLI over the console connection to verify the interface configuration and fix it if necessary.

Problem: Wrong link speed.
Solution: Use the CLI over the console connection to verify the interface configuration and fix it if necessary.

Do Not See Interfaces that Should be Present

Problem: Local IP300 Series appliance ports do not appear.
Solution: Your NIC might be defective. Contact the appropriate Nokia customer support site as listed in “Nokia Contact Information” on page 3.

Note: The problem could be with the slot on the PMC card carrier. Try installing the NIC in another slot.


Common Ethernet Problems—Connectivity with Attached Device

Problem: No link light.
Solution: You might have used the wrong cable. Use a crossover cable between an IP300 Series appliance and a host, and a straight-through cable between an appliance and a hub.

Problem: Solid data and activity LED.
Solution: You might have set the wrong speed. Verify that the speeds match on each end of the Ethernet connection (10 Mbps or 100 Mbps).

Problem: Port not enabled.
Solution: Verify from the Interface page in Network Voyager that the interface port is configured as active.

Problem: High collision rate on the hub.
Solution: Disconnect connections one at a time until the problem is localized to one computer and troubleshoot further.

Unable to Ping Through Appliance—No Connectivity Between Ports

This section covers connectivity issues that are isolated within an IP300 Series appliance or network.

Localize the problem by issuing pings to various network interfaces. Use tcpdump to help isolate the problem. Use tcpdump to verify that a packet is leaving or entering a port.

Problem: Interfaces not up.
Solution: Ensure that all interfaces are up and active, as described in Chapter 3, “Performing the Initial Configuration.”


Problem: No route to network.
Solution: Check the routing table to see if a route exists to the network where the interface is located. If no route exists, see “Troubleshooting Routing Problems” on page 105.

Problem: Attached device does not have proper default route or routing information.
Solution: If a local computer is unable to ping through an attached appliance, the computer might contain either an invalid default route or invalid routing information. If you are using default routes from a computer, ensure that the local interface is the default route for that computer.

Problem: The ARP table has old information.
Solution: If the ARP table has an old or invalid entry for the device associated with the IP address you are attempting to ping, use Network Voyager to delete the invalid entry. For information about how to access Network Voyager and the related reference materials, see “Accessing Nokia Network Voyager” on page 30.

To delete the invalid entry

1. Click Config.
2. Click ARP in the Interfaces section.
3. Click Display or Remove Dynamic ARP Entries.
4. Click Delete for the entry you want to delete.
5. Click Apply.

Problems with Multicast

Use tcpdump to view packets. To display packets for a specific interface, use the following command:

tcpdump -i interface proto igmp

For more information about how to use the tcpdump command, see the Nokia Network Voyager Reference Guide.

Under Routing Options in the Routing Configuration section in Network Voyager, you can also enable several types of trace options for DVMRP. These traces are logged into /var/tmp/ipsrd.log.

For information about how to access Network Voyager and the related reference materials, see “Accessing Nokia Network Voyager” on page 30.

Problem: No IP connectivity.
Solution: Verify that you have IP connectivity; ping various hosts on each network.

Problem: DVMRP is not enabled on the interfaces.
Solution: Verify that DVMRP is enabled on the interfaces in use.

Problem: Exceeding TTL on clients.
Solution: Verify that the client is set up for the proper TTL number. Many clients are set to receive local traffic only one hop away.

Problems Interfacing to 1483 Devices (Classical IP)

Problem: Remote and local devices are not configured for the same VC and VP value.
Solution: Set remote and local devices to the same VC and VP values. Consult your 1483 device documentation.

Problem: Remote and local devices are not in the supported VC range of the network interface card.
Solution: Use ipsctl to determine the VC range. Enter the following command:

ipsctl ifphys:logical interface:max_rxlabel


Problem: Encapsulation is not set to LLC/SNAP.
Solution: Set encapsulation to LLC/SNAP. Consult your 1483 device documentation.

Problem: The MTU size is not 1500.
Solution: The MTU size must be 1500. Nokia does not support larger MTU sizes.

Appliance Not Receiving Power

Problem: Power cord is not properly plugged in.
Solution: Check cord. Make sure it is properly seated at both ends.

Problem: Power supply not providing power.
Solution: Check power source. If there is no power at the source, take appropriate action such as inserting a new fuse or resetting circuit breaker.

Appliance Does Not Recognize New Memory Configuration

Problem: DIMMs are not properly seated in DIMM sockets.
Solution: Repeat memory installation procedures. Make sure DIMMs are fully seated in sockets. Be sure DIMMs click into place.


Appliance locks up after you upgrade Nokia IPSO with a console connection. No error messages appear, but the appliance stops responding to console and network.

Problem: During the upgrade process, some of the environment variables might not have updated correctly.
Solution: You can verify what the current boot manager settings are by issuing a printenv command at the boot manager prompt, as shown in this example:

Loading boot manager ..

BOOTMGR[0]> printenv

Bootmgr Revision: 3.3,base kernel=3.5.1-fcs1

02.12-2001-102644

autoboot: NO

bootwait: 5

boot-file:

boot-flags:

boot-device:

No referenced boot-file or boot-device appears.

Setting the boot manager to defaults causes the boot manager to determine that no environment variables are set, and it responds by importing the defaults from the binary file. To set the boot manager to defaults, issue the set-defaults command at the boot manager prompt as shown in this example:

BOOTMGR> set-defaults


If you issue the printenv command again, the boot-file and boot-device entries are present, as shown in this example:

BOOTMGR[2]> printenv

Bootmgr Revision: 3.3,base kernel=3.5.1-fcs1

02.12.2001-102644

autoboot: YES

bootwait: 5

boot-file: /image/current/kernel

boot-flags:

boot-device: wd0

Issue the halt command to restart your appliance.

BOOTMGR> halt
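The printenv check described above can be run over a saved console capture. The following Python script is an added example, not part of the Nokia guide: it parses printenv output and compares the stored boot variables with the defaults table in “Booting the System”. The function names, the status labels, and the rule that either missing variable counts as the lock-up condition are assumptions of this example.

```python
import re

# Fallback values from the guide's boot-argument table; the boot manager uses
# them when a variable is not stored in nonvolatile memory.
BOOT_DEFAULTS = {
    "boot-device": "wd0",
    "boot-file": "/image/current/kernel",
    "boot-flags": "-x",
}

# Constructed sample input: the two printenv listings shown in the guide.
CAPTURE_AFTER_UPGRADE = """\
Loading boot manager ..
BOOTMGR[0]> printenv
Bootmgr Revision: 3.3,base kernel=3.5.1-fcs1
02.12-2001-102644
autoboot: NO
bootwait: 5
boot-file:
boot-flags:
boot-device:
"""

CAPTURE_AFTER_SET_DEFAULTS = """\
BOOTMGR[2]> printenv
Bootmgr Revision: 3.3,base kernel=3.5.1-fcs1
02.12.2001-102644
autoboot: YES
bootwait: 5
boot-file: /image/current/kernel
boot-flags:
boot-device: wd0
"""

# Matches "name: value" where the name has no spaces, so the prompt line and
# the "Bootmgr Revision: ..." banner are skipped.
VAR_LINE = re.compile(r"^\s*([A-Za-z][\w-]*):[ \t]*(.*?)\s*$")


def parse_printenv(capture):
    """Return {variable: value} from a printenv console capture."""
    env = {}
    for line in capture.splitlines():  # also copes with CR/LF serial logs
        match = VAR_LINE.match(line)
        if match:
            env[match.group(1).lower()] = match.group(2)
    return env


def audit(env):
    """Classify each boot variable as 'unset', 'default' or 'non-default'."""
    report = {}
    for name, default in BOOT_DEFAULTS.items():
        value = env.get(name, "")
        if not value:
            report[name] = "unset"
        elif value == default:
            report[name] = "default"
        else:
            report[name] = "non-default"
    autoboot = env.get("autoboot", "").lower()
    if not autoboot:
        report["autoboot"] = "unset"
    else:
        # The guide gives "yes" as the factory default for autoboot.
        report["autoboot"] = "default" if autoboot == "yes" else "non-default"
    return report


def needs_set_defaults(report):
    """True when boot-file or boot-device is not stored (assumed rule: the
    guide's listing shows both empty; either one missing is flagged here)."""
    return report["boot-file"] == "unset" or report["boot-device"] == "unset"


if __name__ == "__main__":
    for label, capture in (("after upgrade", CAPTURE_AFTER_UPGRADE),
                           ("after set-defaults", CAPTURE_AFTER_SET_DEFAULTS)):
        report = audit(parse_printenv(capture))
        print(label, report, "run set-defaults:", needs_set_defaults(report))
```

A "non-default" status for boot-file or boot-flags is worth reviewing against your change records, because those variables decide which kernel the appliance loads and with which flags.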

Troubleshooting Routing Problems

Several useful tools are available to troubleshoot routing problems. The first tool is available from the Monitor page in Network Voyager, from which you display routing statistics and errors. You can access this information from the command-line interface using the ICLID (IPSRD command-line interface daemon) command. An example use of the ICLID command is shown below. For information about the ICLID command, see the Nokia Network Voyager Reference Guide. For information about how to access Network Voyager and the related reference materials, see “Accessing Nokia Network Voyager” on page 30.


Note: Adding a question mark (?) after any command provides additional command options. Typing a question mark (?) at a prompt provides a list of available commands.

hostname[admin]# iclid

hostname | IP address>

hostname | IP address> ?

exit get help quit show

hostname | IP address>

hostname | IP address> show ?

address bgp igmp iphelper mfc rip vrrp bootpgw igrp krt ospf route inbound-filter dvmrp interface memory resource version

hostname | IP address> show route ?

aggregate bgp igrp ospf static

all direct inactive rip summary

hostname | IP address> show route ospf

Codes: C - connected, S - static, I - IGRP, R - RIP,

B - BGP, O - OSPF, E - OSPF external, A - Aggregate,

K - Kernel Remnant, H - Hidden, S - Suppressed

The response to the preceding ICLID command is as follows:

0 172.16/16 via 10.1.1.225, eith-sp4p1c0,cost 3, age 3111

In addition, several trace options are available. You can enable these options under the routing options in Network Voyager. When a trace is enabled the output appears in /var/tmp/ipsrd.log.


Common Problems with OSPF

Use tcpdump to view routing information. Use the following command to display routing updates for a specific interface:

tcpdump -i interface proto ospf

For more information about how to use the tcpdump command, see the Nokia Network Voyager Reference Guide.

Under routing options in Network Voyager, you can also enable several types of trace options for OSPF. These traces are logged in /var/tmp/ipsrd.log.

For information about how to access Network Voyager and the related reference materials, see “Accessing Nokia Network Voyager” on page 30.

Problem: OSPF is not configured.
Solution: Verify that OSPF is properly configured for all interfaces that are involved in OSPF routing. For more information, see Configuring OSPF from the Configuring Routing document page in Network Voyager. You can access the document page by pressing Doc.

Problem: OSPF hello and dead timers are not the same on each interface for a given link.
Solution: Verify that the settings at the end of each link are identical.

Problem: Attached devices do not support OSPF.
Solution: Ensure that the attached IP300 Series appliance supports OSPF. If the attached appliance does not support OSPF, configure it with a protocol that the appliance supports and exchange routes with OSPF, or set a default or static route.

Note: You can also use ICLID to display OSPF details.


Common Problems with RIP

Use tcpdump to view routing information. Use the following command to display routing updates for a specific interface:

tcpdump -i interface proto rip

For more information about how to use the tcpdump command, see the Nokia Network Voyager Reference Guide.

Under routing options in Network Voyager, you can also enable several types of trace options for routing information protocol (RIP). These traces are logged in /var/tmp/ipsrd.log.

For information about how to access Network Voyager and the related reference materials, see “Accessing Nokia Network Voyager” on page 30.

Problem: Inconsistent subnet mask (netmask does not match the class of IP address for RIP v1).
Solution: RIP version 1 must use consistent subnet masks; change to RIP version 2 or OSPF to use inconsistent subnet masks.

Problem: Number of networks exceeds the RIP limit.
Solution: RIP can span up to 16 networks. Verify that your network topology does not exceed this limit.

Common Problems Exchanging Routes

Always enter a metric value if you are exporting routes from OSPF to RIP.

Problem: Exchanging routes are not configured correctly.
Solution: Exchanging routes involves several configuration steps. Follow the tasks in the Nokia Network Voyager Reference Guide (online documentation) to ensure that you follow all steps. For information about how to access Network Voyager and the related reference materials, see “Accessing Nokia Network Voyager” on page 30.


Problem: Routing protocol is not functioning properly.
Solution: To ensure that each routing protocol is functioning properly, see “Common Problems with OSPF” on page 107 and “Common Problems with RIP” on page 108.


A Technical Specifications

Physical Dimensions

Space Requirements

The IP300 Series appliance is designed for front-screw mounting in a 19-inch rack. Each IP300 Series appliance requires the following space in a rack:

1.75 inches (4.45 centimeters) of vertical space
18 inches (46 centimeters) behind the front-panel of the rack
6 inches (15 centimeters) behind the IP300 Series appliance to allow the back exit fan to move air through the appliances

Dimensions

Height: 1.75 in. (4.45 cm)
Width: 17 in. (44 cm); 19 in. (48 cm) rack mountable
Depth: 16.12 in. (40.94 cm)

Weight

17 lbs. (7.7 kg) base system


Caution: Do not place objects over the ventilation holes on the IP350 or IP380 appliance. The appliance might overheat and become damaged.

NIC Interfaces

NIC interface: Four-port and two-port Ethernet
Cable type: IEEE 802.3 10BASE-T, 100BASE-T, 1000BASE-T unshielded twisted pair, full-duplex or half-duplex
Cable output connector: RJ-45

NIC interface: Two-port Fiber Gigabit Ethernet
Cable type: IEEE 802.32 Gigabit Ethernet Multimode Fiber
Cable output connector: LC

NIC interface: Two-port V2 Copper Gigabit Ethernet
Cable type: Straight-through RJ-45 cable (Category 5 type) or crossover cable; in some cases, shielded Category 5 Ethernet cable to meet Class B emissions standards
Cable output connector: RJ-45


B Compliance Information

This appendix contains the following compliance information:

Declaration of Conformity
Compliance Statements
FCC Notice (US)

Declaration of Conformity

According to ISO/IEC Guide 22 and EN 45014:

Manufacturer’s Name: Nokia Inc.

Manufacturer’s Address: 313 Fairchild Drive, Mountain View, CA 94043-2215, USA


declares that the product:

Product Name: IP350, IP355, IP380, IP385, 100i, 100s
Model Number: IP0380
Product Options: All
Serial Number: 1 to 100,000
Date First Applied: 2002

conforms to the following standards:

Safety: EN60950-1:2001+A11; IEC60950-1:2001; UL60950, Third Edition:2000; CAN/CSA-C22.2 No.60950:2000.
EMC: EN55024 1998, EN55022A 1998, EN61000-3-2, EN61000-3-3

Supplementary information:

Pursuant to directive 1999/5/EC this product complies with the requirements of the Low Voltage Directive 73/23/EEC and the EMC Directive 89/336/EEC with Amendment 93/68/EEC.


Christopher Saleem
Compliance & Reliability Engineering Manager
Security & Mobile Connectivity, Enterprise Solutions
Mountain View, California
January 2005

Elie Habib
Senior Vice President
Security & Mobile Connectivity, Enterprise Solutions
Mountain View, CA

Compliance Statements

This hardware complies with the standards listed in this section.

Emissions Standards

FCC Part 15 Subpart B Class A    US/Canada
EN55022 (CISPR 22 Class A)       European Community (CE)


Immunity Standards

EN55024         European Community (CE)
EN61000-4-2
EN61000-4-3
EN61000-4-4
EN61000-4-5
EN61000-4-6
EN61000-4-11

Harmonics and Voltage Fluctuation

EN61000-3-2     European Community (CE)
EN61000-3-3     European Community (CE)

Safety Standards

UL60950/EN60950           US/European Community (CE)
CAN/CSA-C22.2 No.60950    Canada

FCC Notice (US)

This device has been tested and found to comply with the limits for a Class A digital device, pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference in a residential installation. This device generates, uses, and can radiate radio frequency energy and, if not installed and used in accordance with the instruction, may cause harmful interference to radio communications. However, there is no guarantee that interference will not occur in a particular installation. If this device does cause harmful interference to radio or television reception, the user is encouraged to try to correct the interference by one or more of the following measures:

Reorient or relocate the receiving antenna.
Increase the separation between the computer and receiver.
Connect the computer into an outlet on a circuit different from that to which the receiver is connected.
Consult the dealer or an experienced radio/TV technician for help.

Caution: Any changes or modifications not expressly approved by the grantee of this device could void the user’s authority to operate the equipment.


Index

A
accelerator card 67
accessing and removing DIMMs 64
appliance components 13
appliance status LEDs 18
arguments 89
attaching accelerator card to motherboard 71
autoboot variable 82
AUX port 17

B
battery, replacing 73
boot command 89
boot manager 81
    booting the system 89
    installing 91
    password protection for 90
    upgrading 92
    using to install IPSO 82, 89
    variables 82, 89
boot manager revision variable 82
boot-device variable 83
boot-file variable 83
boot-flags variable 83
bootwait variable 82
built-in console port 15

C
cable output connector 112
cable type 112
Check Point 11, 12
commands
    halt 88
    help 88
    ICLID 105
    install 89
    ls 86
    printenv 84
    setalias 87
    set-defaults 87
    setenv 86
    sysinfo 85
    unsetalias 88
    unsetenv 87
compact flash 11
compliance information 113
component locations 13
connections
    Ethernet network interface cards 47
    modem 17
    power 25
connector pin assignments
    Ethernet network interface cards 48
connectors for
    Gigabit Ethernet network interface cards 53
console cable 28
copper two-port V2 Gigabit Ethernet network interface card 50


D
data communications equipment device 28
deactivating, network interface cards 36
depth 111
DHCP server 27
DIMMs
    accessing and removing 64
    adding 64
    socket locations 63
disabling flash-memory PC card 78
disk-based appliances 10
DVMRP 9

E
EMC standards 114
encryption accelerator card 67
encryption accelerator card, optional 10, 11
end-of-life information 19
equipment disposal 19
Ethernet cable output connector 48
Ethernet crossover-cable pin connections 49
Ethernet management ports 14
Ethernet network interface cards
    cable pin assignments 48
    connecting to 47

F
fiber two-port Gigabit Ethernet network interface card 53
flash-based appliances 11
flash-memory card
    disabling 78
    transferring files 79
flash-memory PC cards 77
four-port Ethernet network interface card 46

G
Gigabit Ethernet network interface cards 50, 53
    connectors 53

H
halt command 88
hard-disk drive, replacing 57
height 111
help command 88

I
ICLID command 105
install command 89
installing
    network interface cards 36
    PCMCIA modem 56
interfaces
    specifications 112
IP routing 9
IP300 Series appliances, monitoring 18
IP355 appliances 11
IP385 appliances 11
IPsec 72
IPSO command-line interface 12
IPSO version 11
IPSO, booting 89

L
LC connector 53
LEDs 18
    secondary status 19
    status 18
line cards 10, 12
ls command 86


M
management ports 14
memory
    capacity 62
    upgrading 62
memory size 10, 11
model number 114
modems, PCMCIA 15
monitoring IP300 Series appliances 18
mounting 23
mounting bracket 24
mounting positions 24
mounting screws 24
multicast traffic 9
multimode, fiber-optic cable 53

N
network interface cards 10, 12
    cable output connector 112
    cable type 112
    deactivating 36
    four-port Ethernet 46
    front panel location 13
    installing 35, 36
    two-port Ethernet 47
    two-port Gigabit Ethernet, fiber 53
    two-port V2 Gigabit Ethernet, copper 50
    types supported 15
network interfaces, connecting 26
Network Voyager 12
    accessing 30
    configuring VPN tunnels 72
Nokia Horizon Manager 13
Nokia IPSO version 11, 12
null-modem cable 28

O
opening Network Voyager 30
operating temperature range 23
optional disk 12
optional PC card 11
output connector
    for the Ethernet cable 48

P
PCI mezzanine card 15
PCMCIA modem, installing 56
PCMCIA modems, slot for 15
physical dimensions 111
pin assignments for modem connections 16, 17
PMC expansion slots 15
power connections 25
power supply 25
power switch 25
printenv command 84

R
rack mounting 23
rack unit size 11
recycling retired equipment 19
replacing battery 73
replacing hard-disk drive 57
reset switch 13
RJ-45 connector 47, 48

S
safety standards 114
secondary status LEDs 19
serial number 114
setalias command 87
set-defaults command 87
setenv command 86


setting variables 86
space requirements 111
specifications
    interfaces 112
specifications for IP300 Series disk-based appliances 10
specifications for IP300 Series flash-based appliances 11
specifications, technical 111
static discharge 63
status LEDs 18
storing system log messages 78
sysinfo command 85
system log messages, storing 78

T
tcpdump 46
technical specifications 111
temperature range 23
transfer Nokia IPSO images 80
transferring files with flash-memory PC card 79
troubleshooting 95
two-port Ethernet network interface card 47
two-port Gigabit Ethernet network interface card, fiber 53
two-port V2 Gigabit Ethernet network interface card, copper 50

U
unsetalias command 88
unsetenv command 87
upgrading memory 62

V
variables 82
    autoboot 82
    boot flag 83
    boot manager 82
    boot-device 83
    boot-file 83
    bootwait 82
    setting 86
    viewing 84

W
weight 111
width 111
