Enterasys Aurorean ang-3000 Installation and operating instructions

AVN-AN-MGMT-R10 Page 1 of 14

APPLICATION NOTE

Installing and Configuring the Management Interface Card

Introduction

This document describes how to install and configure the ANG-3000/7000 series

management interface card, an optional third Ethernet port (RJ-45) on the

ANG-3000/7000 series designed for a corporation’s management network

supporting SNMP, Telnet, Ping, HTTP(s) and ftp services. In large enterprises, the

management network is often reserved for the IT department’s discreet handling

of all corporate management functions. To understand how the ANG-3000/7000

series’s management interface can be used in your network, refer to the

illustration below.

NOTE

The management interface is configured through the Command Line

Interface (CLI) only.

Figure 1 Management Network Topology

Aurorean Network Gateway

Internet

Router

Firewall

Corporate

Management Network

External

interface

Management

interface Trusted

interface

network

HP OpenView Web browser

Page 2 of 14 AVN-AN-MGMT-R10

Installing the Management Interface Card Application Note

Installing and Configuring the Management Interface Card

This application note provides step-by-step instructions to perform the following:

HRemove the ANG-3000/7000 series from the rack.

HInstall the management interface card

HReplace the ANG-3000/7000 series in its rack and re-cable, including

connecting a cable from the management connector to the management

network.

HConfigure the management interface by using the ircipaddr command

HRestrict access to selected IP services on the management interface by using

the ipsecSelector,ipsecRule, and ipsecSpd commands

NOTE

Refer to the application note: ANG Configuration Using the Command Line Interface

for more details about the irc and ipsec commands.

Installing the Management Interface Card

This section describes how to install the management interface card in the

ANG-3000/7000 series Network Gateway (shown in Figure 1 below).

Figure 2 ANG-3000/7000 series

Before You Begin

To start installation, you must access the inside of the ANG. If the ANG is mounted in

a relay-style rack, you can install the card, while the ANG is in the rack, if there is

enough space above the ANG (at least 12 inches of clearance) to open the ANG’s

cover. If there is not enough room you will have to remove the ANG from the rack.

If the ANG is mounted with sliding rails, you can easily remove it from the rack.

ANG-7050

Application Note Installing the Management Interface Card

Installing and Configuring the Management Interface Card

AVN-AN-MGMT-R10 Page 3 of 14

Removing the ANG-3000/7000 series from the Rack

To remove the ANG-3000/7000 series from the rack, you must first gracefully shut it

down to avoid hard disk errors. Follow the instructions below:

1. On your desktop, click Start, select Programs and double-click Command

Prompt.

2. Telnet to your ANG. Type: telnet

xxx.xxx.xxx.xxx

(your ANG IP address) and

press ENTER.

3. Login (the default is

netadmin

) and press ENTER.

4. Type your password (the default is

netadmin

) and press ENTER.

5. Login as superuser by typing su - and press ENTER.

6. Type the default password welcome and press ENTER.

7. Save the ANG configuration and shut down all Enterasys services by typing

init 0 and press ENTER.

8. Wait a couple minutes then power off the ANG by holding the power button in

for 4 seconds.

9. Remove the Ethernet cable connections.

10. Unfasten the two screws holding the ANG flanges to the rack as shown in

Figure 3.

Figure 3 ANG Fastened to Rack

11. Slide the ANG out of the rack as far as possible.

12. When the assembly locks, press the lock arm on both sides of the rails to

release the ANG as shown in Figure 4.

Remove screws

Page 4 of 14 AVN-AN-MGMT-R10

Installing the Management Interface Card Application Note

Installing and Configuring the Management Interface Card

Figure 4 Removing the ANG from the Rack

13. Remove the ANG from the rack.

Remove the Cover

Follow the instructions below to remove the cover, which is attached to the ANG by

one screw.

Figure 5 Top Cover Mounting Screw Location

1. Remove the screw holding the cover to the ANG as shown in Figure 5.

Lock arm

ANG-7000

Power Status Drive Link 100Mbps

Link 100Mb

Cover

mounting

screw

Application Note Installing the Management Interface Card

Installing and Configuring the Management Interface Card

AVN-AN-MGMT-R10 Page 5 of 14

2. Slide the cover toward the rear of the ANG. It will move back about 1/2 inch.

Press your fingers in the three indents on the cover and apply pressure

toward the rear of the ANG. Refer to Figure 6.

Figure 6 Top Cover Screw Removed

3. From the rear of the ANG, lift the back edge of the cover. It will open as shown

in Figure 7.

Figure 7 Cover Removed

Power Status Drive Link 100Mbps

Link 100Mb

Aurorean

Network Gateway

External Ethernet

Trusted Ethernet

Page 6 of 14 AVN-AN-MGMT-R10

Installing the Management Interface Card Application Note

Installing and Configuring the Management Interface Card

Management Interface Card PCI Slot Location

The PCI slots, used to install upgrades, are located as shown in Figure 8.

Figure 8 Hardware PCI Slot Location

Removing the Card Holding Plate

To remove the card flange holding plate, remove the two screws as shown in Figure 8.

The blank inserts for both card locations are now accessible as shown in Figure 9.

Figure 9 Card Holding Plate Removed

Management card PCI slot

Card flange holding plate

mounting screws

Management card blank insert

Application Note Installing the Management Interface Card

Installing and Configuring the Management Interface Card

AVN-AN-MGMT-R10 Page 7 of 14

Installing the Management Interface Card

Follow the steps below to install the management interface card (shown in Figure 10).

Figure 10 Management Card

1. Remove the Insert from the back of the ANG as shown in Figure 11.

NOTE

Note how this blank plate is mounted to the back of the ANG. The card flange

will be installed so that it replaces the blank insert.

Figure 11 Management Card Insert Blank Removed

Management PCI connector

Insert blank

Card flange holding plate

Page 8 of 14 AVN-AN-MGMT-R10

Installing the Management Interface Card Application Note

Installing and Configuring the Management Interface Card

2. Flip the management card over so the component side of the card faces down

as show in Figure 12.

Figure 12 Orientation of Management Card for Installation

3. Remove the PCI riser from the unit.

4. Align the management card fingers with the connector as shown in Figure 13

and plug the card into the connector.

Figure 13 PCI Riser and Management Card

5. Align the PCI riser connector fingers with the PCI connector. Set the card

flange over the slots that will capture and hold it to the back of the ANG as

showninFigure14.

Application Note Installing the Management Interface Card

Installing and Configuring the Management Interface Card

AVN-AN-MGMT-R10 Page 9 of 14

Figure 14 Aligning the Management Card flange with the PCI Connector

6. Insert the PCI riser into the PCI connector.

7. Replace the card flange holding plate with the two mounting screws.

This holding plate will capture the card flange and hold it securely against the

back of the ANG. Refer to Figure 15.

Figure 15 Management Card Installed

Page 10 of 14 AVN-AN-MGMT-R10

Installing the Management Interface Card Application Note

Installing and Configuring the Management Interface Card

Replace the Cover

In order to replace the cover, reverse the three steps in the section “Remove the

Cover” on page 4.

1. Set the cover as shown in Figure 7. Place the front of the cover about 1/2 inch

behind the front edge of the chassis.

2. Make sure the sides of the cover are inside the sides of the cabinet. The slots

on the cover fit over the mounting screw inserts on the side of the chassis and

allow the cover to seat itself on top of the chassis sides.

If the cover does not seat in the chassis sides, the slots are not aligned with the

screw inserts. Move the cover (back or forward) accordingly to allow the

cover to seat itself.

3. Push the cover forward until the screw holes align themselves. See Figure 5.

Re-install ANG-3000/7000 series In the Rack

Refer to the section “Removing the ANG-3000/7000 series from the Rack” on page 3,

and reverse the steps to re-install the ANG in the rack. Reconnect the Ethernet cables

to the back of the ANG.

The RJ-45 management interface connector location is show in Figure 16.

Figure 16 Management Ethernet Connector Location

Management connector

Aurorean

Network Gateway

External Ethernet

Trusted Ethernet

Application Note Configuring the ANG-3000/7000 series Management Interface

Installing and Configuring the Management Interface Card

AVN-AN-MGMT-R10 Page 11 of 14

Configuring the ANG-3000/7000 series Management Interface

The management interface is configured on the Command Line Interface (CLI) using

the ircipaddr command. You set the IP address, subnet mask and default gateway

IP address just as you would set these parameters for the Trusted interface on the

ANG-3000/7000 series. To do so, perform the following steps:

1. On your desktop, click Start, select Programs and double-click Command

Prompt.

2. Telnet to your ANG. Type: telnet

xxx.xxx.xxx.xxx

(your ANG IP address) and

press ENTER.

A Unix command prompt will display.

3. Login (the default is

netadmin

) and press ENTER.

4. Type your password (the default is

netadmin

) and press ENTER.

5. Change directory to the irc directory. Type the following and press ENTER:

cd /usr/indus/irc

6. Examine the ircipaddr command parameters below.

ircipaddr -n management -i <ANG IP address> -m

7. Issue the ircipaddr command by typing the following and pressing ENTER.

For example:

ircipaddr -n management -i 212.26.12.143 -m 255.255.255.0

-g 0.0.0.0

8. Enter the ircipaddr -L list command to verify the interface was set. Type

ircipaddr -L and press ENTER.

Interface IP Address Subnet Mask Default Gateway

trusted 53.110.245.2 255.255.255.0 53.110.245.1

external 123.141.13.21 255.255.255.0 0.0.0.0

management 212.26.12.143 255.255.255.0 0.0.0.0

Configuring IP Security

To manage the IP traffic you will restrict access to, you must define the selector, rules,

and SPD. The SPD is the means by which the rules are bound to the management

interface.

NOTE

For more detailed configuration information, refer to the Application Note: ANG

Configuration Using the Command Line Interface.

Page 12 of 14 AVN-AN-MGMT-R10

Configuring the ANG-3000/7000 series Management Interface Application Note

Installing and Configuring the Management Interface Card

To begin configuring IP services, change directory to: /usr/indus/ipsec

Defining the Selector

The following command applies rules to SNMP, TELNET, HTTPS and ICMP protocols

(and their associated port numbers) originating from a Class C, 192.168.100.0 network.

The HTTPS selector identifies the type of traffic that is used to manage the ANG with

the Web Config configuration utility. Note that the defined port number is 8080 rather

than the standard HTTPS port number of 443. This is an Enterasys ANG-specific

implementation; the underlying protocol and security remains standard SSL.

The configuration defines named selectors to reach the “local” interface from the

given “remote” network outside the interface. The combination of protocols and ports

define the IP service to which access is restricted. The specific “local” interface is

specified later when binding the corresponding rule to a particular physical interface

(that is, the management interface).

ipsecSelector -a -n SNMP -o physical -r 192.168.100.0/24 -p UDP -v 161 -w 0

ipsecSelector -a -n TELNET -o physical -r 192.168.100.0/24 -p TCP -v 23 -w 0

ipsecSelector -a -n HTTPS -o physical -r 192.168.100.0/24 -p TCP -v 8080 -w 0

ipsecSelector -a -n ICMP -o physical -r 192.168.100.0/24 -p ICMP

The command switches are defined as follows:

Defining the Rules

After the Selectors have been configured, you must define the rules the ANG will use

to perform a particular action on the selectors. The following command applies the

pass Rule to all selectors.

ipsecRule -a -n SNMP -s SNMP -w pass

ipsecRule -a -n TELNET -s TELNET -w pass

-a Adds a Selector

-n Defines the Selector name (SNMP, TELNET, HTTP(S), ICMP, for example)

-o Sets the local address - virtual or physical (the address of the interface the selector is

applied to)

-r Specifies the remote address

-p Specifies the protocol (ANY, TCP, UDP, ICMP, GRE)

-v Sets the local port number (0 for any)

-w Sets the remote local port number (0 for any)

Application Note Configuring the ANG-3000/7000 series Management Interface

Installing and Configuring the Management Interface Card

AVN-AN-MGMT-R10 Page 13 of 14

ipsecRule -a -n HTTPS -s HTTPS -w pass

ipsecRule -a -n ICMP -s ICMP -w pass

The command switches are defined as follows:

Defining the SPD

After the Rules have been stipulated, you must bind the Rules to the management

interface of the ANG-3000/7000 series with a Security Policy Database (SPD).

The implicit rule is to drop all traffic and is applied at the end of the list of rules

defined in the SPD. The example below restricts SNMP, TELNET, HTTPS and ICMP

traffic to the Management Interface from the 192.168.100.0 network. Similar services

can be defined and applied to this or any other interface on the ANG.

The following command specifies the SPD:

ipsecSpd -a -n management -r 'SNMP;TELNET;HTTPS;ICMP'

The command switches are defined as follows:

Configuration is now complete.

-a Adds a Rule

-n Defines the Rule name

-s Specifies the Selector name

-w Defines the action taken on matching packets (Process, Drop or Pass)

-a Adds an SPD entry

-n Specifies the Management Interface name

-r Specifies the Rule name or a separated list of Rule names (with a semi-colon). Rules

are bracketed by quotations

Page 14 of 14 AVN-AN-MGMT-R10

Technical Support Application Note

Installing and Configuring the Management Interface Card

Technical Support

If you experience problems while installing the management interface card,

Enterasys Networks recommends that you first contact your network

administrator or corporate help desk. Using the diagnostic tools provided by

Aurorean equipment at the corporate site, they can help you isolate and resolve

most connection problems.

When you contact your network administrator or corporate help desk, please

have the following information available:

HThe version of the Aurorean Network Gateway system software you are

running. Detailed information can be obtained by telnetting to the ANG,

changing directory to /usr/indus, typing version.txt and pressing

Enter. The current Aurorean Virtual Network release number and name,

patch and build numbers will display.

HDetails about any recent configuration changes or new applications you

may have installed, if applicable.

Contacting Enterasys Networks

For more information about Enterasys Networks, consult the following table:

Please include your name, title, company, and phone number in all correspondence.

Enterasys Networks offers 7x24 customer support by calling 1-800-872-8440 or by

sending E-mail to [email protected].

information that is the property of Enterasys Networks. Information in this publication is subject to change

without notice. Enterasys Networks assumes no responsibility for errors or omissions in this publication or

for the use of this material.

The Enterasys Networks logo is a trademark of Enterasys Networks.

Microsoft, MS, and MS-DOS are registered trademarks and Windows, Windows 95, Windows 98, Windows

NT, Windows 2000 Professional and Windows Millennium are trademarks of Microsoft Corporation in the

USA and other countries.

Other trademarks, trade names, and copyrights used in this publication belong to their respective owners.

U.S. Office

Address 35 Industrial Way

Rochester, NH 03866

Phone 1-877-641-7400

Fax (603) 337-2211

Internet http://www.enterasys.com

Sales 1-877-641-7400

www.enterasys.com

Support Call the Enterasys GTAC at

1-800-872-8440 or email us at

support@enterasys.com

Other manuals for Aurorean ANG-3000

This manual suits for next models

Table of contents

Other Enterasys Gateway manuals

Enterasys

Enterasys Aurorean ANG-3000 How to use

Enterasys

Enterasys ANG-1000 User manual

Enterasys

Enterasys SNS-TAG-HPA User manual

Enterasys

Enterasys ANG-1100 Series How to use

Enterasys

Enterasys Aurorean ANG-3000 Installation and operating instructions

Enterasys

Enterasys ANG-1100 Series User manual

Enterasys

Enterasys ANG-1000 User manual

Enterasys

Enterasys ANG-1100 Series User manual

Enterasys

Enterasys Aurorean ANG-7000 Series Installation and operating instructions

Popular Gateway manuals by other brands

Avaya

Avaya W310 Command reference guide

RTA

RTA 460ETCBC-NNA1 Product user guide

T-Mobile

T-Mobile TMO-G4AR user guide

H3C

H3C SecPath M9000-AI manual

TCS

TCS FBI6119-0400 Product information

Allnet

Allnet ALL7008 user manual

Motorola

Motorola RG2200 user guide

ICP DAS USA

ICP DAS USA UA-5200 Series quick start

Miboxer

Miboxer Zigbee 3.0 manual

SSV

SSV IGW/100 Hardware reference

Westell

Westell RMC-7XX-G installation guide

Entone

Entone Hydra HD B-Series user guide

Polycom

Polycom MGC-25 Release notes

Casa Systems

Casa Systems NetComm CloudMesh NF18MESH quick start guide

RTA

RTA 460MSBS-NNA4 Product user guide

Coalesenses

Coalesenses iSense user guide

Fortinet

Fortinet FortiGate 30B install guide

SAGEMCOM

SAGEMCOM FAST 5295 Installation