Nortel Contivity VPN Switches (5126) - CA...

Nortel Contivity VPN SwitchesManagement Module Guide

Document 5126


Document 5126

NoticeCopyright Notice Copyright © 2002-present by Aprisma Management Technologies, Inc. All rights reserved worldwide. Use, duplication, or disclosure by the United States government is subject to the restrictions set forth in DFARS 252.227-7013(c)(1)(ii) and FAR 52.227-19.

Liability Disclaimer Aprisma Management Technologies, Inc. (“Aprisma”) reserves the right to make changes in specifications and other information contained in this document without prior notice. In all cases, the reader should contact Aprisma to inquire if any changes have been made.

The hardware, firmware, or software described in this manual is subject to change without notice.

IN NO EVENT SHALL APRISMA, ITS EMPLOYEES, OFFICERS, DIRECTORS, AGENTS, OR AFFILIATES BE LIABLE FOR ANY INCIDENTAL, INDIRECT, SPECIAL, OR CONSEQUENTIAL DAMAGES WHATSOEVER (INCLUDING BUT NOT LIMITED TO LOST PROFITS) ARISING OUT OF OR RELATED TO THIS MANUAL OR THE INFORMATION CONTAINED IN IT, EVEN IF APRISMA HAS BEEN ADVISED OF, HAS KNOWN, OR SHOULD HAVE KNOWN, THE POSSIBILITY OF SUCH DAMAGES.

Trademark, Service Mark, and Logo Information SPECTRUM, IMT, and the SPECTRUM IMT/VNM logo are registered trademarks of Aprisma Management Technologies, Inc., or its affiliates. APRISMA, APRISMA MANAGEMENT TECHNOLOGIES, the APRISMA MANAGEMENT TECHNOLOGIES logo, MANAGE WHAT MATTERS, DCM, VNM, SpectroGRAPH, SpectroSERVER, Inductive Modeling Technology, Device Communications Manager, SPECTRUM Security Manager, and Virtual Network Machine are unregistered trademarks of Aprisma Management Technologies, Inc., or its affiliates. For a complete list of Aprisma trademarks, service marks, and trade names, go to:

http://www.aprisma.com/manuals/trademark-list.htm

All referenced trademarks, service marks, and trade names identified in this document, whether registered or unregistered, are the intellectual property of their respective owners. No rights are granted by Aprisma Management Technologies, Inc., to use such marks, whether by implication, estoppel, or otherwise. If you have comments or concerns about trademark or copyright references, please send an e-mail to [email protected]; we will do our best to help.

Restricted Rights Notice (Applicable to licenses to the United States government only.)This software and/or user documentation is/are provided with RESTRICTED AND LIMITED RIGHTS. Use, duplication, or disclosure by the government is subject to restrictions as set forth in FAR 52.227-14 (June 1987) Alternate III(g)(3) (June 1987), FAR 52.227-19 (June 1987), or DFARS 52.227-7013(c)(1)(ii) (June 1988), and/or in similar or successor clauses in the FAR or DFARS, or in the DOD or NASA FAR Supplement, as applicable. Contractor/manufacturer is Aprisma Management Technologies, Inc. In the event the government seeks to obtain the software pursuant to standard commercial practice, this software agreement, instead of the noted regulatory clauses, shall control the terms of the government's license.

Virus Disclaimer Aprisma makes no representations or warranties to the effect that the licensed software is virus-free. Aprisma has tested its software with current virus-checking technologies. However, because no antivirus system is 100-percent effective, we strongly recommend that you write protect the licensed software and verify (with an antivirus system with which you have confidence) that the licensed software, prior to installation, is virus-free.

Contact Information Aprisma Management Technologies, Inc., 273 Corporate Drive, Portsmouth, NH 03801 USA

Phone: 603.334.2100U.S. toll-free: 877.468.1448Web site: http://www.aprisma.com

http://www.aprisma.com/manuals/trademark-list.htm


Document 5126

Contents

Notice ........................................................................................... 2

Preface ......................................................................................... 6

Intended Audience ..................................................................... 6

How to Use This Guide ................................................................ 6

Text Conventions ....................................................................... 7

Document Feedback ................................................................... 7

Online Documents ...................................................................... 7

Required Reading ....................................................................... 8

Overview ...................................................................................... 9

Device Support .........................................................................10

Model Types ........................................................................11

Firmware Information ................................................................11

Application Support ...................................................................11

Device MIB Support ..................................................................12

Traps, Events, and Alarms .......................................................... 13

Trap Support - ContivityVPNII ....................................................13

Trap Support - ContivityVPN .......................................................14

Trap Processing ...................................................................14

Notes .................................................................................22

Event Frequency ..................................................................22

VPN Status ................................................................................. 31

Tunnel Interface Filtering ........................................................... 32

Purpose ...................................................................................32

Enabling and Disabling Tunnel IF Filtering ....................................32

Contivity Enhancements for 6.6 Service Pack 3 .......................... 34

Modeling of Tunnel Interfaces .....................................................34

Tunnel Interface "Stacking" ........................................................34


Document 5126

Automatic Connectivity Mapping .................................................34

Interface Model Identification .....................................................35

Interface Model Aging ................................................................35

Link Down Trap Correlation ........................................................35

Status Monitoring of Tunnel Interfaces .........................................36

Recommendations for Management of Contivity Devices with SPECTRUM ............................................................................... 37

Contivity Management Settings ...................................................37

Enable Tunnel MIB ...............................................................37

Enable Link Up/Down Traps ...................................................37

Nail-Up Your Monitored Tunnels .............................................37

SPECTRUM Management Settings ................................................38

Automatically Reconfigure Interfaces ......................................38

Reconfigure on LINK change ..................................................38

Discovery after Reconfigure ...................................................38

Create Sub-Interfaces ..........................................................38

Suppress Linked Port Alarms .................................................38

Contivity Fault Scenarios ............................................................ 39

Key .........................................................................................39

Two Link Down Traps For One Down Tunnel .................................40

Loss of Contact and Link Down Trap ............................................41

Physical Port Down, Loss of Contact, and Link Down Traps .............42

Loss of Contact to Whole Network ...............................................43

66 SP3 Upgrade Considerations .................................................. 44

Reconfiguring Existing Device Models ...........................................44

Known Anomalies ....................................................................... 45

Create Sub-Interface Changes ....................................................45

Autodiscovery and Public Addresses ............................................45

Port Aging is not Aggressive .......................................................45

Web Administration .................................................................... 47


Document 5126

Index .......................................................................................... 48


Document 5126

Preface

Welcome to the user guide for SPECTRUM’s Nortel Contivity VPN (SM-NTL1004) management module.

Please take a moment to read through this short preface, which explains how the information in this guide is organized and presented and lets you know how to access information about other SPECTRUM products.

In This Section

Intended Audience

How to Use This Guide

Text Conventions [Page 7]

Document Feedback [Page 8]

Online Documents [Page 8]

Required Reading [Page 8]

Intended Audience

This guide is intended for users of SPECTRUM’s Nortel Contivity VPN management module.

How to Use This Guide

Use this guide as a reference for managing the Nortel devices described on [Page 9] with SPECTRUM management module SM-NTL1004. The guide is organized as follows:

• Overview [Page 9]

• Traps, Events, and Alarms [Page 12]

• VPN Status [Page 30]

• Tunnel Interface Filtering [Page 31]

• Contivity Enhancements for 6.6 Service Pack 3 [Page 33]


Document 5126

• Recommendations for Management of Contivity Devices with SPECTRUM [Page 36]

• Contivity Fault Scenarios [Page 38]

• 66 SP3 Upgrade Considerations [Page 43]

• Known Anomalies [Page 44]

• Web Administration [Page 46]

Only information specific to SM-NTL1004 is included in this guide. For general information about device management using SPECTRUM and explanations of SPECTRUM functionality and navigation techniques, refer to the topics listed under Required Reading [Page 8].

Text Conventions

The following text conventions are used in this document:

Element Convention Used Example

User-supplied parameter names

Courier and Italic in angle brackets <>.

The user needs to type the password in place of <password>.

On-screen text Courier The following line displays:

path=”/audit”

User-typed text Courier Type the following path name: C:\ABC\lib\db

Cross-references Underlined and hypertext-blue

See Document Feedback [Page 8].

References to SPECTRUM documents (title and number)

Italic SPECTRUM Installation Guide (9030675)

Functionality enabled by SPECTRUM Alarm Notification Manager (SANM)

SANM in brackets []. [SANM] AGE_FIELD_ID


Document 5126

Document Feedback

Please send feedback regarding SPECTRUM documents to the following e-mail address:

[email protected]

Thank you for helping us improve our documentation.

Online Documents

SPECTRUM documents are available online at:

http://www.aprisma.com/manuals

Check this site for the latest updates and additions.

Required Reading

To use this documentation effectively, you must be familiar with the information covered by the SPECTRUM documents listed below.

• Getting Started with SPECTRUM for Operators (1763)

• Getting Started with SPECTRUM for Administrators (0985)

• How to Manage Your Network with SPECTRUM (1909)

• SPECTRUM Views (2517)

• SPECTRUM Menus (2519)

• SPECTRUM Icons (2518)

• Application View and MIBs (2560)

• SPECTRUM Software Release Notice (0743)

mailto:[email protected]

http://www.aprisma.com/manuals


Document 5126

Overview

This section introduces the SPECTRUM documentation for the Contivity series of VPN devices manufactured by Nortel.

In This Section

Device Support [Page 9]

Firmware Information [Page 10]

Application Support [Page 10]

Device MIB Support [Page 11]

Device Support

SPECTRUM management module SM-NTL1004 currently provides modeling for the following Nortel Contivity devices.

Table 1: Supported Devices, Firmware, and Model Type

Device Firmware Revision Model Type

Contivity 100 Instant Internet 7.11 and 7.2 ContivityVPNII



Contivity 600 Contivity Extranet Switch 4.05, 4.06, 4.5, and 4_80.124 ContivityVPN

Contivity 1000 Contivity Extranet Switch 4.05, 4.06, and 4.5 ContivityVPN










Document 5126

Model Types

The model types for models of Nortel Contivity devices are ContivityVPN and ContivityVPNII (see Table 1).

Firmware Information

This management module was certified against Instant Internet 7.11 and 7.2 as well as Contivity Extranet Switch 4.05, 4.06, and 4.5.

See Table 1: Supported Devices, Firmware, and Model Type [Page 9] for a list of devices and the firmware they support.

Application Support

This management module supports the RFC2667App (IP Tunnel MIB) application. See the Transmission Applications (5064) document for information.







Device Firmware Revision Model Type


Document 5126

Device MIB Support

Table 2 lists the MIBs supported by this management module.

Table 2: Device MIB References

Vendor MIBs Standards

ces.mib RFC 1213 MIB2

cesTraps.mib RFC 1406 DS1-MIB

ces_trapAck.mib RFC 1514 HOST-RESOURCES-MIB

RFC 1724 RIPv2-MIB

RFC 1850 OSPF-MIB

RFC 2233 IF-MIB

RFC 2667 TUNNEL-MIB

RFC 2737 ENTITY-MIB

RFC 2787 VRRP-MIB

Novell-IPX-MIB

Novell-RIPSAP-MIB


Document 5126

Traps, Events, and Alarms

This chapter specifies the supported traps for the Nortel Contivity VPN management module and describes how the trap is processed using SPECTRUM events and alarms.

Trap Support - ContivityVPNII

The following standard traps are supported by the ContivityVPNII model type. See Supported Devices, Firmware, and Model Type [Page 9] for a list of ContivityVPNII devices.

Note: The ContivityVPN model type supports coldStart, warmStart, and egpNeighborLoss as above. ContivityVPN supports linkDown, linkUp, and authenticationFailure as described in Table 3: Nortel Contivity Traps [Page 14] and Table 4: Contivity Event Frequency Table [Page 22].

Trap Name OID

coldStart 0.0

warmStart 1.0

linkDown 2.0

linkUp 3.0

authenticationFailure 4.0

egpNeighborLoss 5.0


Document 5126

Trap Support - ContivityVPN

There are two possible trap support configurations that you can use for the Nortel ContivityVPN devices. The default configuration generates an event and sometimes an alarm when one of the supported traps is received. The alternative configuration tracks the rate at which some traps are received, and only generates an alarm if the number of traps exceeds a specified threshold within a certain time frame.

Trap Processing

When determining the Event ID that should be generated, the intelligence for the ContivityVPN takes into consideration not only the trap OID but also the Alarm Severity varbind sent along with the trap. This allows for a finer resolution of Event ID generation and provides a better alarm criticality assignment to the device model.

Table 3: Nortel Contivity Traps [Page 14] shows the events and alarms created by traps defined in the Nortel CONTIVITY-TRAPS-V1-MIB. This is the default trap support configuration.

Table 4: Contivity Event Frequency Table [Page 22] shows the Event Frequency [Page 21] rules for the Nortel Contivity devices. This trap support is based on the rate at which certain traps are received.

Note: See the Nortel CONTIVITY-TRAPS-V1-MIB for descriptive information about these traps.


Document 5126

Table 3: Nortel Contivity Traps

Trap Name OID Trap Varbind Alarm Severity

Event Generated Alarm Generated SPECTRUM Default Alarm Severity

Recommended Trap Configuration on Device

hardDisk1StatusTrap 1.3.6.1.4.1.2505.1.1.0.1001 WARNING 0x04620000 0x04620000 Send Once

ALERT 0x04620001 0x04620001 N / A

Unexpected 0x04620048 0x04620048 Yellow N / A

hardDisk0StatusTrap 1.3.6.1.4.1.2505.1.1.0.1002 WARNING 0x04620002 0x04620002 Yellow Send Once

ALERT 0x04620003 0x04620003 Orange N / A


memoryUsageTrap 1.3.6.1.4.1.2505.1.1.0.1003 WARNING 0x04620004 0x04620004 Yellow Send Once



lanCardStatusTrap 1.3.6.1.4.1.2505.1.1.0.1004 WARNING 0x04620006 0x04620006 Orange Send Once

ALERT 0x04620007 0x04620007 Red N / A


cpuTwoStatusTrap 1.3.6.1.4.1.2505.1.1.0.1005 ALERT 0x04620008 0x04620008 Red Send Once


fanOneStatusTrap 1.3.6.1.4.1.2505.1.1.0.1006 ALERT 0x04620009 0x04620009 Orange Send Once


fanTwoStatusTrap 1.3.6.1.4.1.2505.1.1.0.1007 ALERT 0x0462000a 0x0462000a Orange Send Once

Yellow

Orange


Document 5126


chassisFanStatusTrap 1.3.6.1.4.1.2505.1.1.0.1008 ALERT 0x0462000b 0x0462000b Orange Send Once


fiveVoltsPosStatusTrap 1.3.6.1.4.1.2505.1.1.0.1009 ALERT 0x0462000c 0x0462000c Orange Send Once


fiveVoltsMinusTrap 1.3.6.1.4.1.2505.1.1.0.10010 ALERT 0x0462000d 0x0462000d Orange Send Once


threeVoltsPositiveTrap 1.3.6.1.4.1.2505.1.1.0.10011 ALERT 0x0462000e 0x0462000e Orange Send Once


twoDotFiveVATrap 1.3.6.1.4.1.2505.1.1.0.10012 ALERT 0x0462000f 0x0462000f Orange Send Once


twoDotFiveVBTrap 1.3.6.1.4.1.2505.1.1.0.10013 ALERT 0x04620010 0x04620010 Orange Send Once


twelveVoltsPositveTrap 1.3.6.1.4.1.2505.1.1.0.10014 ALERT 0x04620011 0x04620011 Orange Send Once


twelveVoltsMinsTrap 1.3.6.1.4.1.2505.1.1.0.10015 ALERT 0x04620012 0x04620012 Orange Send Once


normalTemperatureTrap 1.3.6.1.4.1.2505.1.1.0.10016 ALERT 0x04620013 0x04620013 Orange Send Once





Document 5126


criticalTemperatureTrap 1.3.6.1.4.1.2505.1.1.0.10017 ALERT 0x04620014 0x04620014 Red Send Once


chassisIntrusionTrap 1.3.6.1.4.1.2505.1.1.0.10018 ALERT 0x04620015 0x04620015 Orange Send Once


dualPowerSupplyTrap 1.3.6.1.4.1.2505.1.1.0.10019 ALERT 0x04620016 0x04620016 Orange Send Once


t1WANStatusTrap 1.3.6.1.4.1.2505.1.1.0.10020 WARNING 0x04620017 0x04620017 Orange Send Once

ALERT 0x04620018 0x04620018 Red N / A


t3WANStatusTrap 1.3.6.1.4.1.2505.1.1.0.10021 WARNING 0x04620019 0x04620019 Orange Send Once

ALERT 0x0462001a 0x0462001a Red N / A


hwAccelTrap 1.3.6.1.4.1.2505.1.1.0.10022 UNKNOWN 0x0462001b none none Send Once

HEALTH 0x0462001c none none N / A

WARNING 0x0462001d 0x0462001d Orange N / A

ALERT 0x0462001e 0x0462001e Red N / A






Document 5126

radiusAcctServerTrap 1.3.6.1.4.1.2505.1.2.0.3001 WARNING 0x04620043 0x04620043 Orange Send Once

ALERT 0x04620044 0x04620044 Red N / A


backupServerTrap 1.3.6.1.4.1.2505.1.2.0.3002 WARNING 0x0462001f 0x0462001f Yellow Send Once



diskRedundencyTrap 1.3.6.1.4.1.2505.1.2.0.3003 ALERT 0x04620021 0x04620021 Red Send Once


intLDAPServerTrap 1.3.6.1.4.1.2505.1.2.0.3004 WARNING 0x04620022 none none Send Once

ALERT 0x04620023 0x04620023 Red N / A


loadBalancingServerTrap 1.3.6.1.4.1.2505.1.2.0.3005 DISABLED 0x04620024 none none Send Once

WARNING 0x04620025 0x04620025 Orange N / A


dnsServerTrap 1.3.6.1.4.1.2505.1.2.0.3006 WARNING 0x04620026 0x04620026 Orange Send Once

ALERT 0x04620027 0x04620027 Red N / A


snmpServerTrap 1.3.6.1.4.1.2505.1.2.0.3007 WARNING 0x04620028 0x04620028 Orange Send Once





Document 5126

ALERT 0x04620029 0x04620029 Red N / A


ipAddressPoolTrap 1.3.6.1.4.1.2505.1.2.0.3008 WARNING 0x0462002a 0x0462002a Yellow Send Once

ALERT 0x0462002b 0x0462002b Orange N / A


extLDAPServerTrap 1.3.6.1.4.1.2505.1.2.0.3009 WARNING 0x0462002c 0x0462002c Orange Send Once

ALERT 0x0462002d 0x0462002d Red N / A


radiusAuthServerTrap 1.3.6.1.4.1.2505.1.2.0.30010 WARNING 0x0462002e 0x0462002e Orange Send Once

ALERT 0x0462002f 0x0462002f Red N / A


certificateServerTrap 1.3.6.1.4.1.2505.1.2.0.30011 HEALTH 0x04620030 none none Send Once

DISABLED 0x04620031 none none N / A

WARNING 0x04620032 0x04620032 Yellow N / A



extLDAPAuthServerTrap 1.3.6.1.4.1.2505.1.2.0.30012 WARNING 0x04620034 0x04620034 Orange Send Once

ALERT 0x04620035 0x04620035 Red N / A





Document 5126


cmpServerTrap 1.3.6.1.4.1.2505.1.2.0.30013 WARNING 0x04620036 none none Send Once


netBuffersTrap 1.3.6.1.4.1.2505.1.3.0.5001 WARNING 0x04620037 0x04620037 Orange Send Once

ALERT 0x04620038 0x04620038 Red N / A


fireWallTrap 1.3.6.1.4.1.2505.1.3.0.5002 DISABLED 0x04620039 none none N / A

WARNING 0x0462003a 0x0462003a Yellow N / A

ALERT 0x0462003b 0x0462003b Orange N / A


fipsStatusTrap 1.3.6.1.4.1.2505.1.3.0.5003 WARNING 0x0462003c 0x0462003c Yellow Send Once

ALERT 0x0462003d 0x0462003d Orange N / A


failedLoginTrap 1.3.6.1.4.1.2505.1.4.0.101 WARNING 0x0462003e none none N / A


securityIntrusionTrap 1.3.6.1.4.1.2505.1.5.0.201 ALERT 0x0462003f 0x0462003f Red N / A


powerUpTrap 1.3.6.1.4.1.2505.1.0.401 WARNING 0x04620040 none none Send Once





Document 5126


periodicHeartbeatTrap 1.3.6.1.4.1.2505.1.0.601 UNKNOWN 0x04620041 none none Send Once


firewallRuleTriggeredTrap 1.3.6.1.4.1.2505.1.14.3.0.1 WARNING 0x04620042 none none Send Once


Down Link (see Notes [Page 21])

1.3.6.1.2.1.2.0 N / A 0x04620045 0x0220001 Orange N / A

Up Link (see Notes [Page 21])

1.3.6.1.2.1.3.0 N / A 0x04620046 none none N / A

Authentication Fail 1.3.6.1.2.1.4.0 N / A 0x04620047 0x04620047 Yellow N / A

licensingStatusTrap 1.3.6.1.4.1.2505.1.3.0.5004 WARNING 0x04620050 0x04620050 Yellow N / A



natStatusTrap 1.3.6.1.4.1.2505.1.3.0.5005 DISABLED 0x04620052 none none N / A

WARNING 0x04620053 0x04620053 Yellow N / A







Document 5126

Notes

Unexpected

SPECTRUM Events and Alarms are generated based on the Trap Varbind Alarm Severity. For each Contivity trap, the potential alarm severities that can be sent are listed. If an unexpected Alarm Severity is sent for a particular trap, an unexpected Alarm Severity event is generated.

Link Up / Link Down Traps For ContivityVPN Model Types

Nortel Contivity Extranet Switches have Link Up / Link Down Trap Enabled options for BranchOffice Nailed-Up Tunnels and BranchOffice OnDemand Tunnels that you can set. These options are located under the ADMIN > SNMP Traps menu option of the Nortel Contivity web administration application (Web Administration [Page 46]). To change these options, click the “Configure” button in the Standard IETF section. It is recommended that you leave these options enabled. However, due to the filtering out of interfaces of type tunnel (131), critical alarms will not be mapped to these traps.

Event Frequency

An alternative Event Disposition file is available to use for processing events. This file contains rules that create an alarm if a certain number of events are received within a specified window of time. These rule apply to some, but not all of the events generated. Table 4 outlines how events are processed with this alternative Event Disposition file.

Note: MINOR Alarm mappings (Yellow) were removed from the Rules based EventDisp file.

To configure SPECTRUM to do this:

1. Navigate to the <$SPECROOT>/SS/CsVendor/NortelVPN directory.

2. Find the file named EventDisp. Change the name of this file to EventDisp.norules.

3. Navigate to the <$SPECROOT>/SS/CsVendor/NortelVPN/Rules directory and find the file named EventDisp.rules.

4. Copy this file into the <$SPECROOT>/SS/CsVendor/NortelVPN directory. Change the name of this file to EventDisp.


Document 5126

Table 4: Contivity Event Frequency Table


Event Generated

Event Frequency Default Settings

Alarm Generated SPECTRUM Default Alarm Severity


hardDisk1StatusTrap 1.3.6.1.4.1.2505.1.1.0.1001 WARNING 0x04620000 N/A None None Interval 5 Minutes

ALERT 0x04620001 3 Times, 15 min 0x04620100 N / A

Unexpected 0x04620048 N/A 0x04620048 Orange N / A

hardDisk0StatusTrap 1.3.6.1.4.1.2505.1.1.0.1002 WARNING 0x04620002 N/A None None Interval 5 Minutes

ALERT 0x04620003 3 Times, 15 min 0x04620101 Orange N / A


memoryUsageTrap 1.3.6.1.4.1.2505.1.1.0.1003 WARNING 0x04620004 N/A None None Interval 5 Minutes

ALERT 0x04620005 3 Times, 15 min 0x04620102 Orange N / A


lanCardStatusTrap 1.3.6.1.4.1.2505.1.1.0.1004 WARNING 0x04620006 N/A 0x04620006 Orange Send Once

ALERT 0x04620007 N/A 0x04620007 Red N / A


cpuTwoStatusTrap 1.3.6.1.4.1.2505.1.1.0.1005 ALERT 0x04620008 N/A 0x04620008 Red Send Once


fanOneStatusTrap 1.3.6.1.4.1.2505.1.1.0.1006 ALERT 0x04620009 N/A 0x04620009 Orange Send Once

Orange


Document 5126


fanTwoStatusTrap 1.3.6.1.4.1.2505.1.1.0.1007 ALERT 0x0462000a N/A 0x0462000a Orange Send Once


chassisFanStatusTrap 1.3.6.1.4.1.2505.1.1.0.1008 ALERT 0x0462000b N/A 0x0462000b Orange Send Once


fiveVoltsPosStatusTrap 1.3.6.1.4.1.2505.1.1.0.1009 ALERT 0x0462000c 3 Times, 15 min 0x04620103 Orange Interval 5 Minutes


fiveVoltsMinusTrap 1.3.6.1.4.1.2505.1.1.0.10010 ALERT 0x0462000d 3 Times, 15 min 0x04620104 Orange Interval 5 Minutes


threeVoltsPositiveTrap 1.3.6.1.4.1.2505.1.1.0.10011 ALERT 0x0462000e 3 Times, 15 min 0x04620105 Orange Interval 5 Minutes


twoDotFiveVATrap 1.3.6.1.4.1.2505.1.1.0.10012 ALERT 0x0462000f 3 Times, 15 min 0x04620106 Orange Interval 5 Minutes


twoDotFiveVBTrap 1.3.6.1.4.1.2505.1.1.0.10013 ALERT 0x04620010 3 Times, 15 min 0x04620107 Orange Interval 5 Minutes



Event Generated





Document 5126

twelveVoltsPositveTrap 1.3.6.1.4.1.2505.1.1.0.10014 ALERT 0x04620011 3 Times, 15 min 0x04620108 Orange Interval 5 Minutes


twelveVoltsMinsTrap 1.3.6.1.4.1.2505.1.1.0.10015 ALERT 0x04620012 3 Times, 15 min 0x04620109 Orange Interval 5 Minutes


normalTemperatureTrap 1.3.6.1.4.1.2505.1.1.0.10016 ALERT 0x04620013 3 Times, 15 min 0x0462010a Orange Interval 5 Minutes


criticalTemperatureTrap 1.3.6.1.4.1.2505.1.1.0.10017 ALERT 0x04620014 3 Times, 15 min 0x0462010b Red Interval 5 Minutes


chassisIntrusionTrap 1.3.6.1.4.1.2505.1.1.0.10018 ALERT 0x04620015 N/A 0x04620015 Orange Send Once


dualPowerSupplyTrap 1.3.6.1.4.1.2505.1.1.0.10019 ALERT 0x04620016 N/A 0x04620016 Orange Send Once


t1WANStatusTrap 1.3.6.1.4.1.2505.1.1.0.10020 WARNING 0x04620017 N/A 0x04620017 Orange Send Once

ALERT 0x04620018 N/A 0x04620018 Red N / A


t3WANStatusTrap 1.3.6.1.4.1.2505.1.1.0.10021 WARNING 0x04620019 N/A 0x04620019 Orange Send Once


Event Generated





Document 5126

ALERT 0x0462001a N/A 0x0462001a Red N / A


hwAccelTrap 1.3.6.1.4.1.2505.1.1.0.10022 UNKNOWN 0x0462001b N/A none none Send Once

HEALTH 0x0462001c N/A none none N / A

WARNING 0x0462001d N/A 0x0462001d Orange N / A

ALERT 0x0462001e N/A 0x0462001e Red N / A


radiusAcctServerTrap 1.3.6.1.4.1.2505.1.2.0.3001 WARNING 0x04620043 N/A 0x04620043 Orange Send Once

ALERT 0x04620044 N/A 0x04620044 Red N / A


backupServerTrap 1.3.6.1.4.1.2505.1.2.0.3002 WARNING 0x0462001f N/A none none Interval 5 Minutes

ALERT 0x04620020 3 Times, 15 min 0x0462010d Orange N / A


diskRedundencyTrap 1.3.6.1.4.1.2505.1.2.0.3003 ALERT 0x04620021 N/A 0x04620021 Red Send Once


intLDAPServerTrap 1.3.6.1.4.1.2505.1.2.0.3004 WARNING 0x04620022 N/A none none Send Once

ALERT 0x04620023 N/A 0x04620023 Red N / A



Event Generated





Document 5126

loadBalancingServerTrap 1.3.6.1.4.1.2505.1.2.0.3005 DISABLED 0x04620024 N/A none none Interval 5 Minutes

WARNING 0x04620025 3 Times, 15 min 0x04620110 Orange N / A


dnsServerTrap 1.3.6.1.4.1.2505.1.2.0.3006 WARNING 0x04620026 N/A 0x04620026 Orange Send Once

ALERT 0x04620027 N/A 0x04620027 Red N / A


snmpServerTrap 1.3.6.1.4.1.2505.1.2.0.3007 WARNING 0x04620028 N/A 0x04620028 Orange Interval 5 Minutes

ALERT 0x04620029 3 Times, 15 min 0x04620112 Red N / A


ipAddressPoolTrap 1.3.6.1.4.1.2505.1.2.0.3008 WARNING 0x0462002a N/A none none Send Once

ALERT 0x0462002b N/A 0x0462002b Orange N / A


extLDAPServerTrap 1.3.6.1.4.1.2505.1.2.0.3009 WARNING 0x0462002c 3 Times, 15 min 0x04620118 Orange Interval 5 Minutes

ALERT 0x0462002d 3 Times, 15 min 0x04620114 Red N / A


radiusAuthServerTrap 1.3.6.1.4.1.2505.1.2.0.30010 WARNING 0x0462002e 3 Times, 15 min 0x04620119 Orange Interval 5 Minutes


Event Generated





Document 5126

ALERT 0x0462002f 3 Times, 15 min 0x04620115 Red N / A


certificateServerTrap 1.3.6.1.4.1.2505.1.2.0.30011 HEALTH 0x04620030 N/A none none Send Once

DISABLED 0x04620031 N/A none none N / A

WARNING 0x04620032 N/A none none N / A

ALERT 0x04620033 N/A 0x04620033 Orange N / A


extLDAPAuthServerTrap 1.3.6.1.4.1.2505.1.2.0.30012 WARNING 0x04620034 3 Times, 15 min 0x0462011a Orange Interval 5 Minutes



cmpServerTrap 1.3.6.1.4.1.2505.1.2.0.30013 WARNING 0x04620036 N/A none none Send Once


netBuffersTrap 1.3.6.1.4.1.2505.1.3.0.5001 WARNING 0x04620037 3 Times, 15 min 0x0462011b Orange Interval 5 Minutes



fireWallTrap 1.3.6.1.4.1.2505.1.3.0.5002 DISABLED 0x04620039 N/A none none N / A

WARNING 0x0462003a N/A none none N / A


Event Generated





Document 5126

ALERT 0x0462003b N/A 0x0462003b Orange N / A


fipsStatusTrap 1.3.6.1.4.1.2505.1.3.0.5003 WARNING 0x0462003c N/A none none Send Once

ALERT 0x0462003d N/A 0x0462003d Orange N / A


failedLoginTrap 1.3.6.1.4.1.2505.1.4.0.101 WARNING 0x0462003e N/A none none N / A


securityIntrusionTrap 1.3.6.1.4.1.2505.1.5.0.201 ALERT 0x0462003f N/A 0x0462003f Red N / A


powerUpTrap 1.3.6.1.4.1.2505.1.0.401 WARNING 0x04620040 N/A none none Send Once


periodicHeartbeatTrap 1.3.6.1.4.1.2505.1.0.601 UNKNOWN 0x04620041 N/A none none Send Once


firewallRuleTriggeredTrap 1.3.6.1.4.1.2505.1.14.3.0.1 WARNING 0x04620042 N/A none none Send Once


Down Link (see Notes [Page 21])

1.3.6.1.2.1.2.0 N / A 0x04620045 N/A 0x0220001 Orange N / A

Up Link (see Notes [Page 21])

1.3.6.1.2.1.3.0 N / A 0x04620046 N/A none none N / A


Event Generated





Document 5126

Authentication Fail 1.3.6.1.2.1.4.0 N / A 0x04620047 N/A 0x04620047 Orange N / A

licensingStatusTrap 1.3.6.1.4.1.2505.1.3.0.5004 WARNING 0x04620050 N/A none none N / A

ALERT 0x04620051 N/A 0x04620051 Orange N / A

Unexpected 0x04620049 N/A none none N / A

natStatusTrap 1.3.6.1.4.1.2505.1.3.0.5005 DISABLED 0x04620052 N/A none none N / A

WARNING 0x04620053 N/A none none N / A

ALERT 0x04620054 0x04620054 0x04620054 Orange N / A


Event Generated





Document 5126

VPN Status

This management module supports the RFC2667App (IP Tunnel MIB) application. This support includes the availability of the RFC2667App application’s VPN Status menu options from the device icon. See the Transmission Applications (5064) document for information.


Document 5126

Tunnel Interface Filtering

This section describes the Tunnel Interface Filter Functionality added for Nortel Contivity devices.

Purpose

The ContivityVPN device populates the ifTable with both user and branch VPN tunnel interface entries. However, it is possible for thousands of user VPN tunnel interfaces to exist. The ContivityVPN interface filtering functionality was introduced to selectively filter out user tunnel interfaces and prevent unnecessary modeling of these interfaces.

Note: Tunnel interface filtering is only available for models of type ContivityVPN.

Enabling and Disabling Tunnel IF Filtering

Tunnel IF filtering (enabled by default in SPECTRUM 6.6 original release) can be disabled or enabled by following the procedure below.

Note: If this setting is changed in the SpectroSERVER database prior to installing the Service Pack 3 enhancement, the tunnel interfaces modeled as Serial_IF_Ports will not be converted automatically to Tunnel_If models upon upgrading. See Reconfiguring Existing Device Models [Page 43].

Procedure

Note: This procedure only applies to SPECTRUM 6.6 releases prior to Service Pack 3.

1. In the Model Type Editor, set the default list value for attribute If_Mtype_Map handle 0x011fb4. Looking at the list of values, locate OID instance 131.

2. It should be set to a value of 0. Setting it to zero will prevent the interface type from being modeled.

3. To disable tunnel interface filtering and allow these models to be created, set this value to 220013.


Document 5126

Note: See the Model Type Editor User’s Guide (0659) for more information.


Document 5126

Contivity Enhancements for 6.6 Service Pack 3

This section summarizes the enhancements made with 6.6 Service Pack 3 for the Nortel Contivity Management Module.

Modeling of Tunnel Interfaces

Creation of models to represent site-to-site or branch tunnel interfaces is now controlled by the Create Sub-Interface attribute of the Contivity device model. This can be set from the Configuration tab of the Global Attribute Editor, or from the Redundancy and Model Reconfiguration Options GIB on an individual model. (No models are ever created to represent "user" tunnels. This behavior is consistent with the previous version.)

Tunnel Interface "Stacking"

Tunnel interface models are created as sub-interfaces of the physical interface whose IP address matches the tunnel's local address as indicated in the Tunnel MIB. Since Contivity devices don't support the ifStackTable, this mechanism of determining the lower-layer interface is necessary and effective.

Automatic Connectivity Mapping

When a tunnel interface model activates for the first time (i.e. during initial device modeling or during an interface reconfiguration), SPECTRUM will search for a tunnel interface model representing the other end-point of the tunnel. If such a model is found, the connection between these two interfaces is modeled. SPECTRUM uses the local address and remote address indicated in the Tunnel MIB (rfc2667) to find the other end-point of the tunnel.


Document 5126

Interface Model Identification

Tunnel interface models are now identified uniquely by their local address and remote address as indicated in the Tunnel MIB (rfc2667). This enables SPECTRUM to preserve the interface model even if the ifIndex of the interface changes.

Interface Model Aging

During an interface reconfiguration, any interface model that no longer has a representation in the MIB is marked as "stale" instead of being destroyed. This feature enables SPECTRUM to retain the connectivity modeling between tunnel interfaces and other devices while the tunnel is down. The connectivity information can then be leveraged for event correlation and fault suppression.

On subsequent reconfigurations, the port age out time of the device model is compared with how long the interface model has been stale. If the interface does not reappear in the MIB, the interface model will be destroyed after it has aged out. If the interface does reappear in the MIB, then the interface model will be marked as current. The port is marked as stale by setting the "isStale" attribute to TRUE. The port age out time can be set per device by setting the "PortAgeOutTime" on the device to the number of minutes desired. The default age out time for the Contivity is two hours (120 minutes).

Link Down Trap Correlation

In an effort to reduce multiple alarms for a single network outage, link down traps for "tunnel" interface models are correlated with other conditions. The alarm for the link down trap will be suppressed if the lower layer (i.e. physical interface) is down. Also, if the "Suppress Linked Port Alarms" setting of the Live Pipes model is set to TRUE, the alarm for the link down trap will be suppressed if either of the following conditions are met:

1. The connected device is unreachable (by the SpectroSERVER)

2. The "linked" tunnel interface model is alarmed (RED)


Document 5126

Status Monitoring of Tunnel Interfaces

On the Contivity, the ifOperStatus of a tunnel interface entry is always "UP", right up to the point when it disappears from the ifTable. If a tunnel model becomes "stale", and no link down trap has yet been processed for the tunnel, SPECTRUM will generate a red alarm on the model. However, this alarm will be suppressed in the same cases in which a link down trap alarm would be suppressed, that is if the lower layer (i.e. physical interface) is down. Also, if the "Suppress Linked Port Alarms" setting of the Live Pipes model is set to TRUE, this alarm will be suppressed if either of the following conditions are met:

1. The connected device is unreachable (by the SpectroSERVER)

2. The "linked" tunnel interface model is alarmed (RED)


Document 5126

Recommendations for Management of Contivity Devices with SPECTRUM

Some changes to both the Contivity management settings and the SPECTRUM configuration settings may be required to achieve the best possible management of Contivity-based VPNs.

Contivity Management Settings

The following Contivity settings are recommended.

Enable Tunnel MIB

Aprisma recommends that the Tunnel IP MIB be enabled on all managed Contivity devices. This allows SPECTRUM to create models to represent the tunnel end points on the device. This MIB can be enabled/disabled from the ADMIN->SNMP section of the Contivity web management pages.

Enable Link Up/Down Traps

Aprisma recommends that link up and link down traps are enabled for physical interfaces and for "Nailed-Up" branch tunnels. This will give SPECTRUM more immediate notification of link state changes. Our experience has shown that link traps for "OnDemand" tunnels don't provide much value. The tunnel must be down for 15 minutes or so before the trap is sent.

Nail-Up Your Monitored Tunnels

Aprisma recommends that all tunnels for which connection monitoring is important be "Nailed-Up". SPECTRUM will not alarm "OnDemand" tunnels when they go down. Specifically, the Alarm on LINK down Trap attribute of the Tunnel_If model determines whether it will respond to link down traps or changes to the isStale attribute. A value of Always (1) will cause SPECTRUM to process these events; a value of Never (0) will cause SPECTRUM to ignore them. When SPECTRUM creates Tunnel_If models for the Contivity, it will set this attribute to Always for "Nailed-Up" branch tunnels, and Never for "OnDemand" tunnels. The Alarm on LINK down setting can be changed from the Configuration tab of the Global Attribute Editor, but we recommend you leave it as SPECTRUM has set it.


Document 5126

SPECTRUM Management Settings

The following SPECTRUM management settings are recommended.

Automatically Reconfigure Interfaces

Set this attribute to TRUE for Contivity models if you want SPECTRUM to manage the branch tunnels of the device. For devices that only support "User" tunnels, this setting should be FALSE. When TRUE, SPECTRUM will reconfigure the interface models whenever the ifNumber object of the device's SNMP agent changes.

Reconfigure on LINK change

Aprisma recommends this attribute be set to FALSE for all Contivity models. When set to TRUE, SPECTRUM performs an interface reconfiguration after every link up or link down trap received.

Discovery after Reconfigure

Aprisma recommends this attribute be set to FALSE (the default setting) for all Contivity models. SPECTRUM will model connections between newly found tunnels regardless of this setting. SPECTRUM's Autodiscovery process can add little or no value after most link state changes, especially for the Contivity devices, for which, most link state changes will represent tunnels coming up and going down, and not new router or bridge ports being configured.

Create Sub-Interfaces

Set this attribute to TRUE for Contivity models if you want SPECTRUM to monitor the branch tunnels. If this attribute is set to FALSE, SPECTRUM will not create models for the tunnel interfaces.

All of these settings can be modified using the Configuration tab of the Global Attribute Editor or the Redundancy and Model Reconfiguration Options GIB for a particular device model.

Suppress Linked Port Alarms

Aprisma recommends setting this attribute of the Live Pipes model to TRUE. This will suppress port alarms when either the connected device is unreachable or the linked port model is already alarmed. This setting can be modified from the Live Pipes Model Information View, which can be accessed from the VNM model's Configuration GIB.


Document 5126

Contivity Fault Scenarios

This section describes fault scenarios likely in a VPN environment and SPECTRUM's response to these scenarios.

In This Section

Key

Two Link Down Traps For One Down Tunnel [Page 39]

Loss of Contact and Link Down Trap [Page 40]

Physical Port Down, Loss of Contact, and Link Down Traps [Page 41]

Loss of Contact to Whole Network [Page 42]

Key

Figure 1: Key to Diagrams applies to each of the following diagrams.

Figure 1: Key to Diagrams


Document 5126

Two Link Down Traps For One Down Tunnel

In this scenario (Figure 2), the SpectroSERVER retains contact to all managed elements in this meshed environment, but a tunnel between two devices goes down. SPECTRUM receives two link down traps. One tunnel interface is alarmed; the other is suppressed.

Figure 2: Two Link Down Traps For One Down Tunnel


Document 5126

Loss of Contact and Link Down Trap

In this scenario (Figure 3), SPECTRUM loses contact with a "spoke" Contivity in a hub and spoke network. SPECTRUM also receives a link down trap from the hub, indicating the tunnel to the lost device. SPECTRUM alarms the lost device and suppresses the alarm on the tunnel interface indicated by the trap.

Figure 3: Loss of Contact and Link Down Trap


Document 5126

Physical Port Down, Loss of Contact, and Link Down Traps

In this scenario (Figure 4), a physical port of a Contivity goes down or loses its link to the public network. SPECTRUM gets link down traps for the physical port and tunnels of the Contivity, and loses contact with remote Contivity devices. The link down alarms on the tunnel interface models are suppressed, however SPECTRUM's fault isolation will create red alarms on the lost Contivity device models because they have an "up" neighbor. In a future release, SPECTRUM will suppress these alarms and the impact of the physical port alarm will include these lost devices.

Figure 4: Physical Port Down, Loss of Contact, and Link Down Traps


Document 5126

Loss of Contact to Whole Network

In this scenario (Figure 5), SPECTRUM loses contact to the entire VPN network. SPECTRUM's fault isolation suppresses all but one loss of contact alarms.

Figure 5: Loss of Contact to Whole Network


Document 5126

66 SP3 Upgrade Considerations

This section describes possible upgrade considerations for the Contivity Management Module for SPECTRUM 66 SP3.

Reconfiguring Existing Device Models

Because of changes to the way tunnel interfaces are modeled, Aprisma recommends forcing an interface reconfiguration for all existing Contivity device models. This can be done using the Search Manager. First, find by model type all Contivity models. Select all desired models, and click on Manage > Reconfigure. It is strongly recommended that Discovery after Reconfigure be set to FALSE prior to forcing reconfigurations in this manner.

In the original release of SPECTRUM 6.6, the Contivity MM was configured with a setting that prevented tunnel interfaces from being modeled. The procedure described in Enabling and Disabling Tunnel IF Filtering [Page 31] shows how to change this setting so that Serial_IF_Port models are created for each tunnel interface. If this setting has been changed in the SpectroSERVER database prior to installing the Service Pack 3 enhancement, the tunnel interfaces modeled as Serial_If_Ports will not be converted automatically to Tunnel_If models upon upgrading. Aprisma recommends that these interface models be destroyed prior to initiating reconfigurations on the device models.


Document 5126

Known Anomalies

This section describes known anomalies for the Contivity Management Module for SPECTRUM 66 SP3.

Create Sub-Interface Changes

If Create Sub-Interfaces is changed from TRUE to FALSE for a Contivity model after tunnel interface models have been created, a subsequent interface reconfiguration will cause the tunnel interface models to go stale and start aging out, rather than being destroyed immediately. In an environment in which tunnel monitoring is desired for some, but not all, Contivity devices, it may be desirable to set the default value of Create Sub-Interfaces for the Contivity model type to FALSE. Once you have set this value to FALSE, set Create Sub-Interfaces to TRUE for the individual models of Contivity devices for which tunnel monitoring is desired.

Autodiscovery and Public Addresses

It is generally the case that the public addresses on the Contivity devices in a VPN will be in different subnets because they will be separated by several Internet routers. It is possible, however, to have Contivity devices with public interfaces on the same subnet. In this case, SPECTRUM's autodiscovery may attempt to map the connectivity of the public interfaces. The manifestation of this would be a LAN container in the same topology view as the Contivity models with pipes to the Contivity models. A fanout model without the LAN would be connected to the public interface models of the Contivities.

Port Aging is not Aggressive

When a tunnel goes away, the tunnel interface model is marked as "Stale". Any future reconfiguration that occurs after the "portAgeOutTime" of the device will cause that tunnel model to be destroyed. However, if there are no future reconfigurations of the device, the "Stale" tunnel interface model will stay around. For example, consider a polling interval of 5 minutes and a portAgeOutTime of 30 minutes. If a tunnel goes down at 10:27 and SPECTRUM polls at 10:30, SPECTRUM will detect an ifNumber change and perform and interface reconfiguration. During this process, the tunnel


Document 5126

interface will be marked as stale. You may expect that, if the tunnel doesn't come back up, the tunnel interface model will be destroyed at 11:00 precisely. However, if ifNumber does not change again for a week, interface reconfiguration won't run again for a week, and this tunnel interface model will remain stale until this time. Then, it will be destroyed.


Document 5126

Web Administration

The Nortel web-based administration application can be launched from the Nortel Contivity device model.

To launch the web management view for the Nortel Contivity devices, right click on the device icon of the device model in the Topology view and choose Web Administration.

Note: By default, the Web Admin URL is http://<0x1027f> (the Network_Address attribute). You can use the Global Attribute Editor in Search Manager to change this. See the Global Attribute Editor section of the Search Manager User Guide (2383) for more information.


Page 48

Document 5126

Index

AAutomatically Reconfigure Interfaces [38]

CCONTIVITY-TRAPS-V1-MIB [14]Create Sub-Interfaces [38]

DDiscovery after Reconfigure [38]

EEvent Frequency Rules [22]

FFault Scenarios [39]Firmware

Version Tested Against [11]

IifNumber [45], [46]ifOperStatus [36]ifStackTable [34]Interface Reconfiguration [45]IP Tunnel MIB [11]

LLink Up/Down Traps [37]

options [22]


Page 49

Document 5126

MManagement Settings

Recommended [37]Model Types [11]

NNailed-Up branch tunnels [37]

OOnDemand tunnels [37]

PPortAgeOutTime [35], [45]

RReconfigure on LINK change [38]RFC2667app [11], [31]

SSerial_IF_Port [32], [44]Suppress Linked Port Alarms [38]

TTransmission Applications [11], [31]Trap Processing [14]Tunnel IF Filtering, disable [32]Tunnel MIB (rfc2667) [34], [35]Tunnel_If [32], [37], [44]

WWeb Administration [47]

Nortel Contivity VPN Switches (5126) - CA...

Documents

Transcript of Nortel Contivity VPN Switches (5126) - CA...