Installation guide: table of contents

Installation — Hardware Components (p. 1)
Contents (p. 11)
New in this release (p. 15)
Features (p. 15)
Optional interface modules (p. 15)
AC and DC power supplies (p. 15)
Introduction (p. 17)
Nortel Secure Router 4134 hardware components fundamentals (p. 19)
Power supply units (p. 19)
Fan tray (p. 21)
Interface modules for the Secure Router 4134 (p. 22)
T1/E1 Small Module (p. 23)
ISDN BRI S/T and ISDN BRI U Small Modules (p. 24)
Serial Small Module (p. 27)
T1/E1 Medium Module (p. 29)
HSSI Medium Module (p. 30)
CT3 Medium Module (p. 31)
DS3 Medium Module (p. 32)
GbE Medium Module (p. 34)
FE and FE/PoE Medium Module (p. 35)
GbE Large Module (p. 37)
Internal hardware components (p. 39)
DDR SO-DIMM (p. 40)
VPN/IPSec module (p. 41)
Internal system compact flash (p. 41)
Hot swapping hardware components (p. 41)
Installing Secure Router 4134 hardware components (p. 45)
Installing the interface modules (p. 45)
Installing a Small Module (p. 47)
Installing a Medium Module (p. 48)
Installing a Large Module (p. 48)
Hot swapping interface modules (p. 49)
Connecting power cables (p. 51)
Connecting AC power cables (p. 51)
Connecting DC power (p. 52)
Connecting the console port cable (p. 56)
Installing or replacing a power supply module (p. 57)
Replacing a fan tray module (p. 58)
Installing or removing the internal VPN/IPSec module (p. 59)
Installing the internal VPN/IPSec module (p. 60)
Removing the internal VPN/IPSec module (p. 61)
Replacing the DIMM (p. 63)
Replacing the internal Compact Flash (p. 65)
Environmental requirements (p. 69)
Interface connector pin assignments (p. 71)
Serial cable descriptions (p. 79)
DTE V.35 serial cable (p. 79)
DCE V.35 serial cable (p. 80)
DTE X.21 serial cable (p. 81)
DCE X.21 serial cable (p. 83)
DTE RS-449 serial cable (p. 84)
DCE RS-449 serial cable (p. 85)
DTE RS-232 serial cable (p. 87)
DCE RS-232 serial cable (p. 88)
DTE RS-530 serial cable (p. 89)
DTE RS-530A serial cable (p. 91)
Hardware reliability (p. 93)
Translations of safety messages (p. 95)
Class A device caution statement (p. 95)
Qualified service personnel warning statement (p. 96)
Overcurrent warning statement (p. 97)
Cover plate warning statement (p. 98)
Power cord warning statement (p. 99)

File size: 1.9 MB. Pages: 102. Language: English.
User guide: table of contents

Security — Configuration and Management (p. 1)
Contents (p. 3)
New in this release (p. 13)
Features (p. 13)
Firewall and NAT (p. 13)
Packet filter (p. 14)
IPsec VPN (p. 14)
GRE and IPIP tunneling (p. 15)
PPPoE client (p. 15)
Authentication, Authorization, and Accounting (p. 16)
SSH2 (p. 17)
Introduction (p. 19)
Navigation (p. 19)
Firewall and NAT Fundamentals (p. 21)
Firewall Overview (p. 21)
Stateful inspection elements (p. 22)
Virtual firewall zones (p. 22)
Transit policies on trusted zones only (p. 23)
No transit policies on internet untrusted zone (p. 23)
Default firewall (p. 24)
Three-legged firewall (p. 24)
Firewall network protection features (p. 25)
Application and URL filtering (p. 25)
Policy-based controls (p. 26)
Logging and statistics (p. 26)
ALG Overview (p. 27)
Supported ALGs (p. 27)
NAT Overview (p. 28)
Static NAT (p. 29)
Dynamic NAT (p. 29)
PAT (p. 29)
NAT failover for firewalls (p. 30)
Scalability (p. 30)
Interoperability with CS 1000 and MCS 5100 call servers (p. 30)
Cone NAT for CS 1000 (p. 30)
SIP ALG for MCS 5100 (p. 31)
NAT Hairpinning (p. 35)
Standards compliance (p. 36)
Packet filter fundamentals (p. 37)
Packet filters on WAN modules and chassis Ethernet ports (p. 37)
Packet filters on Ethernet modules (p. 37)
Maximum allowable filter rules on Ethernet modules (p. 38)
Available packet filters (p. 38)
IPv4 packet filters (p. 38)
IPv6 packet filters (p. 39)
MAC packet filters (p. 40)
Logging (p. 40)
Scalability (p. 40)
Ethernet module limits (p. 40)
Configuration considerations (p. 41)
Troubleshooting (p. 41)
IPsec VPN fundamentals (p. 43)
Site-to-Site VPN (p. 44)
Remote access VPN (p. 46)
Remote access VPN with L2TP server (p. 47)
Supported IPsec security protocols (p. 48)
IPsec modes (p. 48)
Shared key negotiation with IKE (p. 48)
IKE modes (p. 49)
Peer authentication methods for IKE (p. 50)
User authentication for remote access VPN (p. 51)
Digital Certificates in IKE (p. 51)
Internet X.509 PKI certificate and CRL profile (p. 52)
Certificate validation (p. 52)
Certificate enrollment using SCEP client (p. 53)
Manual certificate enrollment (p. 54)
Dead peer detection (p. 54)
NAT Traversal support (p. 54)
Multiple IKE proposals (p. 54)
Multiple IPsec proposals (p. 55)
Identifying traffic to be encrypted with VPN (p. 56)
Firewall considerations for trusted and untrusted VPN interfaces (p. 57)
Routing considerations for VPN (and firewall) (p. 57)
Perfect forward secrecy (p. 57)
Dead peer detection (p. 58)
Security Policy Database (p. 59)
PMTU support (p. 59)
Firewall considerations with VPN (p. 59)
QoS over VPN (p. 60)
Crypto QoS (CBQ) for IPsec VPN (p. 60)
Logging and Statistics (p. 62)
Standards compliance (p. 62)
GRE and IPIP tunneling fundamentals (p. 65)
GRE and IPIP tunneling for IPv4 (p. 65)
IPIP (p. 66)
GRE (p. 66)
Tunnel protection (p. 66)
IPv6 over IPv4 tunneling (p. 66)
IPv6 over manually-configured IPv4 tunnels (p. 66)
IPv6 over IPv4 GRE tunnels (p. 67)
Auto 6to4 tunneling (p. 67)
Standards compliance (p. 67)
PPPoE client fundamentals (p. 69)
Standards compliance (p. 70)
Authentication, Authorization, and Accounting fundamentals (p. 71)
Authentication (p. 71)
PAP authentication (p. 71)
CHAP authentication (p. 72)
RADIUS (p. 72)
TACACS (p. 72)
EAP IEEE 802.1X (p. 73)
Standards compliance (p. 73)
Authorization (p. 74)
Accounting (p. 74)
SSH2 fundamentals (p. 75)
SSH2 features (p. 75)
SSH ciphers (p. 76)
SSH MAC algorithms (p. 76)
SSH compression (p. 76)
SSH key exchange methods (p. 77)
SSH public key algorithms (p. 77)
SSH user authentication methods (p. 77)
SSH public key file formats (p. 78)
Standards compliance (p. 78)
Firewall and NAT configuration (p. 79)
Configuring global properties (p. 79)
Configuring global ALGs (p. 79)
Configuring global bypass trusted (p. 80)
Configuring global DOS protection (p. 81)
Configuring global NAT hairpinning (p. 83)
Configuring global IP reassembly (p. 84)
Configuring global logging (p. 87)
Configuring global maximum connection limits for the firewall (p. 89)
Configuring NAT failover (p. 90)
Configuring proxy NAT (p. 91)
Configuring global timeout (p. 91)
Configuring global URL key filters (p. 93)
Configuring port trigger records (p. 93)
Configuring policy-specific properties (p. 95)
Configuring firewall objects (p. 95)
Configuring connection reservations (p. 97)
Configuring reset of invalid ACK packets (p. 97)
Configuring stealth mode (p. 98)
Configuring firewall policies (p. 98)
Applying an object to a policy (p. 100)
Configuring bandwidth for the policy (p. 101)
Configuring the maximum connections for the policy within a configured timeframe (p. 102)
Configuring the maximum connections for the policy (p. 102)
Configuring policing for the policy (p. 103)
Enabling the policy (p. 104)
Adding interfaces to the firewall zone (p. 104)
Displaying firewall information (p. 105)
Clearing firewall connections (p. 106)
Clearing firewall statistics (p. 106)
Packet filter configuration (p. 107)
Configuring IPv4 packet filters (p. 107)
Configuring IPv6 packet filters (p. 110)
Configuring MAC packet filters (p. 112)
Applying a packet filter to an interface (p. 113)
Deleting rules from packet filters (p. 113)
Deleting a packet filter (p. 114)
Displaying packet filters (p. 114)
Displaying packet filters applied to an interface (p. 114)
IPsec VPN configuration (p. 117)
Configuring IKE for site-to-site VPN (p. 118)
Creating an IKE policy (p. 118)
Configuring the local address for IKE negotiations (p. 118)
Configuring the IKE policy local ID (p. 119)
Configuring the IKE policy remote ID (p. 120)
Configuring the IKE mode (p. 120)
Configuring the IKE exchange type (p. 121)
Configuring the pre-shared key for IKE (p. 122)
Enabling or disabling PFS (p. 123)
Configuring IKE proposal (p. 123)
Configuring OCSP for the IKE policy (p. 128)
Configuring IPsec for site-to-site VPN (p. 129)
Creating an IPsec policy (p. 129)
Configuring anti-replay (p. 129)
Enabling or disabling the IPsec policy entry (p. 130)
Specifying the IP stream on which to apply IPsec (p. 130)
Configuring DH prime modulus group for PFS (p. 131)
Configuring IPsec proposal (p. 132)
Configuring remote access IKE policies (p. 137)
Creating an IKE policy for remote access VPN (p. 137)
Configuring an IKE proposal for remote access VPN (p. 146)
Configuring remote access IPsec policies (p. 151)
Creating an IPsec policy for remote access VPN (p. 151)
Specifying the IP stream on which to apply IPsec for remote access VPN (p. 152)
Configuring DH prime modulus group for PFS (p. 153)
Configuring IPsec proposal template for remote access VPN (p. 154)
Enabling the dynamic IPsec policy (p. 158)
Configuring L2TP server for L2TP remote access (p. 159)
Creating the L2TP remote access interface (p. 159)
Configuring IP address for the L2TP access interface (p. 159)
Configuring IPsec protection for the L2TP access interface (p. 160)
Configuring client parameters for L2TP remote access (p. 161)
Configuring user parameters for L2TP remote access (p. 161)
Shutting down the L2TP access interface (p. 162)
Configuring dead peer detection keepalive (p. 162)
Enabling dead peer detection (p. 162)
Configuring the keepalive retry interval (p. 163)
Configuring the keepalive transmit-interval (p. 163)
Configuring PMTU (p. 163)
Configuring DF bit (p. 163)
Configuring the MTU threshold value (p. 164)
Configuring processing of unsecured ICMP messages (p. 164)
Configuring CA trustpoint (p. 165)
Configuring the certificate enrollment method (p. 165)
Configuring parameters for the certificate request (p. 166)
Configuring certificate password (p. 169)
Authenticating the CA and importing a CA certificate (p. 169)
Generating a certificate request for enrollment (p. 170)
Manually importing a self certificate (p. 171)
Manually importing an OCSP Responder certificate (p. 171)
Configuring LDAP parameters (p. 172)
Requesting a CRL from the CA (p. 173)
Configuring OCSP (p. 173)
Displaying IPsec VPN configurations (p. 174)
Displaying certificates (p. 174)
Displaying CRL (p. 174)
Displaying trustpoint (p. 174)
Displaying IKE policies (p. 175)
Displaying IKE SA (p. 175)
Displaying IPsec policies (p. 175)
Displaying IPsec SA (p. 175)
Displaying remote access IKE policies (p. 176)
Displaying remote access IPsec policies (p. 176)
Displaying remote access VPN clients (p. 176)
Displaying status of interfaces as trusted or untrusted (p. 176)
Displaying dead peer detection configuration (p. 177)
Displaying PMTU information (p. 177)
Displaying IPsec statistics (p. 177)
Displaying L2TP server configuration (p. 177)
Clearing IPsec configurations (p. 178)
Deleting certificates (p. 178)
Deleting CRL (p. 178)
Deleting CA private key (p. 178)
Clearing IKE SA information (p. 178)
Clearing IPsec SA information (p. 179)
Clearing IPsec statistics (p. 179)
GRE and IPIP tunnel configuration (p. 181)
Configuring a tunnel (p. 181)
Creating a tunnel (p. 181)
Configuring tunnel encapsulation mode (p. 182)
Configuring an IP address for the tunnel (p. 182)
Configuring tunnel source (p. 183)
Configuring tunnel destination (p. 183)
Configuring GRE tunnel parameters (p. 184)
Configuring keepalive for GRE tunnels (p. 184)
Configuring checksum for GRE tunnels (p. 185)
Configuring tunnel key for GRE tunnels (p. 185)
Configuring tunnel sequencing (p. 186)
Configuring tunnel parameters (p. 186)
Configuring path MTU discovery for tunnel packets (p. 186)
Configuring the tunnel as an untrusted interface for IPsec protection (p. 187)
Configuring tunnel protection with IPsec (p. 187)
Configuring tunnel ToS (p. 188)
Configuring tunnel TTL (p. 189)
Shutting down a tunnel (p. 189)
Displaying tunnel information (p. 190)
Clearing tunnel counters (p. 190)
PPPoE client configuration (p. 191)
Creating a PPPoE interface (p. 191)
Configuring IP address for PPPoE interface (p. 191)
Configuring PPPoE tunneling protocol (p. 192)
Configuring PPPoE Ethernet interface (p. 193)
Configuring PPP authentication method and parameters (p. 193)
Configuring PPPoE access concentrator (p. 194)
Configuring PPP keepalive (p. 194)
Displaying PPPoE client information (p. 195)
Authentication, Authorization, and Accounting configuration (p. 197)
Enabling AAA (p. 197)
Configuring AAA authentication (p. 197)
Configuring AAA authentication login (p. 197)
Configuring AAA authentication protocol (p. 198)
Applying AAA authentication to an interface (p. 199)
Configuring AAA authorization (p. 199)
Configuring AAA authorization (p. 199)
Applying AAA authorization to an interface (p. 200)
Configuring AAA accounting (p. 200)
Configuring AAA accounting (p. 200)
Configuring AAA accounting update (p. 201)
Applying AAA accounting to an interface (p. 202)
Configuring RADIUS primary and secondary servers (p. 202)
Configuring RADIUS server port for accounting (p. 202)
Configuring RADIUS server port for authentication (p. 203)
Configuring the RADIUS server IP address (p. 203)
Configuring RADIUS client retries (p. 204)
Configure RADIUS shared secret key (p. 205)
Configure RADIUS timeout (p. 205)
Configuring RADIUS client source address (p. 206)
Configuring TACACS+ primary or secondary server IP address (p. 206)
Configuring TACACS+ retries (p. 207)
Configuring TACACS+ server port (p. 207)
Configuring TACACS+ shared encryption key (p. 208)
Configuring TACACS+ timeout (p. 208)
Configuring 802.1x (p. 209)
Configuring 802.1x on an Ethernet interface (p. 209)
Enable 802.1x on the interface (p. 209)
Configuring the maximum failed requests (p. 210)
Configuring port control (p. 210)
Configuring quiet period (p. 211)
Enabling reauthentication (p. 211)
Configuring reauthorization period (p. 212)
Configuring authentication server response timeout (p. 212)
Configuring supplicant response timeout (p. 213)
Displaying AAA information (p. 214)
Displaying AAA accounting information (p. 214)
Displaying AAA authentication information (p. 214)
Displaying AAA authorization information (p. 214)
Displaying AAA interface information (p. 214)
Displaying AAA status (p. 215)
Displaying RADIUS information (p. 215)
Displaying TACACS+ information (p. 215)
Displaying 802.1x information (p. 215)
Clearing 802.1x statistics (p. 216)
SSH2 configuration (p. 217)
Configuring SSH2 server keys (p. 217)
Generating SSH2 server keys (p. 217)
Encrypting a private key file (p. 218)
Changing the passphrase used for encryption (p. 218)
Converting public key files to SSH format (p. 219)
Generating a public key digest of a key file (p. 220)
Configuring SSH2 server parameters (p. 221)
Configuring SSH2 authentication (p. 221)
Configuring SSH2 authentication retries (p. 221)
Configuring SSH encryption algorithms (p. 222)
Configuring SSH compression (p. 222)
Enabling and disabling SSH server (p. 223)
Specifying host key file for the SSH server (p. 223)
Enabling and disabling log events (p. 224)
Configuring MAC algorithms (p. 225)
Configuring SSH listen port (p. 225)
Restoring default SSH parameter values (p. 226)
Enabling and disabling SSH SFTP server (p. 226)
Configuring SSH session timeout (p. 227)
Displaying SSH server configuration (p. 227)
Displaying SSH server sessions (p. 228)
Clearing SSH sessions (p. 228)
Configuration examples (p. 229)
Configuring an IPv4 packet filter (p. 229)
Configuring an IPv6 packet filter (p. 229)
Configuring a MAC packet filter (p. 230)
Configuring a default firewall policy (p. 230)
Configuring a simple firewall policy with DMZ (p. 231)
Configuring a simple PAT policy (p. 233)
Configuring a PAT policy with an inbound forwarding policy (p. 234)
Configuring SIP ALG line-side (p. 235)
Configuring SIP ALG trunk-side (p. 236)
Configuring a Site-to-site IPsec VPN (p. 238)
Configuring SR4134 1 (p. 238)
Configuring SR4134 2 (p. 239)
Configuring a trust point for PKI (p. 240)
Configuring a remote access IPsec VPN (p. 241)
Configuring a remote access VPN with L2TP server (p. 242)
Configuring an IPv4 tunnel (p. 243)
SR4134 1 (p. 244)
SR4134 2 (p. 245)
Configuring an auto 6to4 tunnel (p. 246)
SR4134 1 (p. 247)
SR4134 2 (p. 248)
Configuring the firewall for NAT and IPsec tunnels (p. 248)
Firewall configuration for SR4134 1 (p. 249)
Firewall configuration for SR4134 2 (p. 250)
Configuring a PPPoE client (p. 251)
SR4134 1 (p. 251)
SR4134 2 (p. 252)
SR4134 configuration for dynamic route exchange over IPsec tunnel interoperability with VPN Router (p. 253)
Capabilities (p. 253)
Secure router configuration for BGP (p. 254)
Secure router configuration for OSPF (p. 255)
Secure router configuration for RIPv2 (p. 255)

Figures

Figure 1 Default firewall (p. 24)
Figure 2 Zones (p. 25)
Figure 3 SIP trunk side and line side (p. 32)
Figure 4 MCS PC client behind firewall/NAT (p. 32)
Figure 5 SIP trunk side configuration (p. 34)
Figure 6 One to one (p. 44)
Figure 7 One to Many Hub and spoke VPN (p. 45)
Figure 8 Mesh VPN (p. 45)
Figure 9 Remote access (p. 46)
Figure 10 Remote access VPN with L2TP server (p. 47)
Figure 11 IKE main mode (p. 49)
Figure 12 IKE aggressive mode (p. 50)
Figure 13 LLQ (p. 61)
Figure 14 Default firewall example (p. 231)
Figure 15 Simple firewall policy with DMZ (p. 232)
Figure 16 Simple PAT policy (p. 233)
Figure 17 PAT policy with inbound forwarding policy (p. 234)
Figure 18 SIP ALG line-side example (p. 236)
Figure 19 SIP ALG trunk-side (p. 237)
Figure 20 Site-to-site VPN example (p. 238)
Figure 21 Remote access VPN example (p. 241)
Figure 22 IPv4 tunnel example (p. 244)
Figure 23 Auto 6to4 tunnel (p. 247)
Figure 24 Firewall configuration for NAT and IPsec tunnel (p. 249)
Figure 25 PPPoE client configuration (p. 251)

Tables

Table 1 Supported elements in phase 1 IKE (p. 55)
Table 2 Supported elements in phase 2 IKE (p. 56)
Table 3 IKE standards (p. 62)
Table 4 PKI standards (p. 63)
Table 5 L2TP standards (p. 64)
Table 6 SSH ciphers (p. 76)
Table 7 SSH MAC algorithms (p. 76)
Table 8 SSH key exchange methods (p. 77)
Table 9 SSH public key algorithms (p. 77)
Table 10 SSH user authentication methods (p. 77)
Table 11 SSH public key file formats (p. 78)
Tables 12 to 130 are each titled "Variable definitions": Table 12 (p. 79); Table 13 (p. 81); Table 14 (p. 81); Table 15 (p. 84); Table 16 (p. 85); Table 17 (p. 86); Table 18 (p. 86); Table 19 (p. 87); Table 20 (p. 88); Table 21 (p. 88); Table 22 (p. 89); Table 23 (p. 90); Table 24 (p. 92); Table 25 (p. 93); Table 26 (p. 93); Table 27 (p. 94); Table 28 (p. 96); Table 29 (p. 97); Table 30 (p. 98); Table 31 (p. 98); Table 32 (p. 99); Table 33 (p. 101); Table 34 (p. 101); Table 35 (p. 102); Table 36 (p. 103); Table 37 (p. 104); Table 38 (p. 104); Table 39 (p. 105); Table 40 (p. 108); Table 41 (p. 110); Table 42 (p. 112); Table 43 (p. 118); Table 44 (p. 119); Table 45 (p. 120); Table 46 (p. 121); Table 47 (p. 122); Table 48 (p. 123); Table 49 (p. 124); Table 50 (p. 125); Table 51 (p. 125); Table 52 (p. 126); Table 53 (p. 127); Table 54 (p. 128); Table 55 (p. 129); Table 56 (p. 131); Table 57 (p. 132); Table 58 (p. 133); Table 59 (p. 134); Table 60 (p. 135); Table 61 (p. 136); Table 62 (p. 137); Table 63 (p. 138); Table 64 (p. 139); Table 65 (p. 140); Table 66 (p. 141); Table 67 (p. 142); Table 68 (p. 144); Table 69 (p. 144); Table 70 (p. 146); Table 71 (p. 147); Table 72 (p. 148); Table 73 (p. 149); Table 74 (p. 150); Table 75 (p. 151); Table 76 (p. 151); Table 77 (p. 152); Table 78 (p. 154); Table 79 (p. 154); Table 80 (p. 155); Table 81 (p. 156); Table 82 (p. 157); Table 83 (p. 158); Table 84 (p. 159); Table 85 (p. 160); Table 86 (p. 161); Table 87 (p. 166); Table 88 (p. 169); Table 89 (p. 172); Table 90 (p. 182); Table 91 (p. 183); Table 92 (p. 184); Table 93 (p. 186); Table 94 (p. 187); Table 95 (p. 188); Table 96 (p. 189); Table 97 (p. 192); Table 98 (p. 194); Table 99 (p. 194); Table 100 (p. 195); Table 101 (p. 197); Table 102 (p. 198); Table 103 (p. 199); Table 104 (p. 200); Table 105 (p. 201); Table 106 (p. 202); Table 107 (p. 203); Table 108 (p. 203); Table 109 (p. 204); Table 110 (p. 205); Table 111 (p. 205); Table 112 (p. 206); Table 113 (p. 207); Table 114 (p. 208); Table 115 (p. 208); Table 116 (p. 211); Table 117 (p. 217); Table 118 (p. 219); Table 119 (p. 220); Table 120 (p. 220); Table 121 (p. 221); Table 122 (p. 222); Table 123 (p. 222); Table 124 (p. 223); Table 125 (p. 224); Table 126 (p. 225); Table 127 (p. 225); Table 128 (p. 226); Table 129 (p. 227); Table 130 (p. 227).

File size: 3.4 MB. Pages: 260. Language: English.
Reference guide: table of contents

Documentation Roadmap (p. 1)
Contents (p. 3)
Introduction (p. 5)
Software license agreement (p. 7)
Applicability (p. 11)
Roadmap (p. 13)
Customer documentation packaging (p. 13)
Nortel Secure Router 4134 documentation packaging (p. 13)
Product Fundamentals (p. 14)
Installation and Commissioning (p. 15)
Upgrades and Patches (p. 15)
Administration and Security (p. 16)
Operations (p. 16)
Fault and Performance Management (p. 17)
Documentation file formats (p. 17)
Information quality (p. 19)
Draft (p. 19)
Preliminary (p. 19)
Standard (p. 19)
Text conventions (p. 21)
Text conventions (p. 21)
Modular, task-based information (p. 25)
Navigation (p. 25)
Task-based documentation (p. 25)
How is task-based documentation used? (p. 26)
Task flow overview (p. 26)
Work flows, task flows, and procedures (p. 27)
Purpose statements (p. 27)
Prerequisites (p. 27)
Work flows or task flows (p. 27)
Procedure steps (p. 28)
Example procedures (p. 28)
Variable definitions (p. 28)
Job aid (p. 28)
Task-based documentation terms (p. 28)
Customer service (p. 29)
Navigation (p. 29)
How to get help (p. 29)
Getting help from the Nortel Web site (p. 29)
Getting help over the phone from a Nortel Solutions Center (p. 29)
Getting help from a specialist by using an Express Routing Code (p. 30)
Getting help through a Nortel distributor or reseller (p. 30)
Finding the latest updates on the Nortel Web site (p. 30)

Figures

Figure 1 Nortel Secure Router 4134 documentation packaging (p. 14)
Figure 2 Work flows, task flows, and procedures in task-based documentation (p. 26)

Tables

Table 1 (p. 28)

File size: 389.0 KB. Pages: 32. Language: English.
Quick installation guide: table of contents

Quick Start (p. 1)
Contents (p. 13)
New in this release (p. 15)
Features (p. 15)
Secure Router 4134 chassis (p. 15)
Optional interface modules (p. 15)
AC and DC power supplies (p. 16)
Introduction (p. 17)
Secure Router 4134 installation and initial configuration (p. 19)
Secure Router 4134 installation and initial configuration tasks (p. 19)
Secure Router 4134 installation and initial configuration navigation (p. 20)
Installing the Secure Router 4134 chassis and hardware components (p. 23)
Unpacking and inspecting the Secure Router 4134 chassis (p. 23)
Installing a power supply module (p. 24)
Installing the mounting brackets on the chassis (p. 25)
Installing the chassis (p. 28)
Grounding the chassis (p. 29)
Installing the interface modules (p. 32)
Installing a Small Module (p. 34)
Installing a Medium Module (p. 34)
Installing a Large Module (p. 35)
Installing or removing an internal VPN/IPSec module (p. 36)
Installing the internal VPN/IPSec module (p. 36)
Removing the internal VPN/IPSec module (p. 38)
Connecting power cables (p. 40)
Connecting AC power cables (p. 41)
Connecting DC power (p. 42)
Powering up the router (p. 46)
Verifying a successful installation (p. 46)
Configuring the Secure Router 4134 for remote access (p. 49)
Connecting a terminal for local access (p. 49)
Establishing remote access (p. 50)
Using SSH for remote access (p. 51)
Changing the default administrator password (p. 52)
Environmental requirements (p. 55)
Translations of safety messages (p. 57)
Class A device caution statement (p. 57)
Qualified service personnel warning statement (p. 58)
Overcurrent warning statement (p. 59)
Cover plate warning statement (p. 60)
Power cord warning statement (p. 61)

File size: 1015.1 KB. Pages: 64. Language: English.