Cisco WAN Manager Installation Guide, 15.3.00
10 - Router and Node Configuration

Table Of Contents

Configuring Routers and Nodes

Configuring Routers

Configuring Nodes

Assigning IP Addresses

IGX and BPX Nodes

BPX/SES Nodes

MGX nodes

Setting up ATM Connections

IGX and BPX Nodes

BPX/SES Nodes

MGX Nodes

Enabling ATM ILMI

IGX and BPX Nodes

BPX/SES Nodes

MGX nodes

Setting up Community Strings

IGX and BPX Nodes

BPX/SES Nodes

MGX nodes

Setting up Statistics Collection

IGX and BPX Nodes

BPX/SES Nodes

MGX nodes

Setting up Trap Management

IGX and BPX Nodes

BPX/SES Nodes

MGX nodes

Using Firewalls


Configuring Routers and Nodes


This chapter describes how to configure routers and nodes in a CWM system. See these sections:

Configuring Routers

Configuring Nodes

This system consists of CWMs that include a server, clients, and statistics collectors; routers (acting as intermediaries between the CWM and the managed network); and nodes that make up the managed network. See Figure 10-1.

Figure 10-1 Network Management Components

Together, the CWMs provide network management by performing the following functions:

Discover the network topology using AutoRoute and/or PNNI ILMI

Manage MIB objects using SNMP

Collect statistics using FTP and TFTP.

Handle traps from managed nodes.


Note The procedures described in this chapter assume the use of the CLI for configuring nodes. Some of these commands contain parameters that are not concerned with the CWM and network management and, as such, these parameters are not discussed in this chapter.


Full details of all node commands can be found in the appropriate command reference (see the "Related Documentation" section in the Preface of this Installation Guide).

The procedures described in this chapter should be performed before you launch the CWM for the first time. After the CWM is launched, the GUI can be used to add or modify many configuration parameters set in these procedures.

Configuring Routers

In the context of the CWM, routers act as intermediaries between the CWMs and the managed network nodes (see Figure 10-1).

Routers need to be configured for an ATM interface on the network side and for a LAN (Ethernet) interface on the CWM side.

ATM Network Side

To configure the ATM interface to the gateway node, you need to perform the following tasks:


Step 1 Create an ATM interface.

Step 2 Assign an IP address for the ATM interface.

Step 3 Assign an ATM address (AESA) for the ATM interface.

Step 4 Configure the ATM interface to be the ATMARP server for the gateway node.

Step 5 Enable and configure ILMI


LAN Ethernet Side

If the router's IP address for the ATM interface is on the same subnet as the IP address on the node's ATM interface, no additional configuration is required for the router's IP LAN interface.

If not, you need to perform these tasks to configure the IP interface to the LAN.

Manually configure the IP host-route for each Cisco MGX 8850 to which the interface will connect.

Configure a routing protocol to broadcast the switch IP addresses to the LAN or create default routes to the switch on the management workstation.

The specific procedure used to configure the ATM router depends on the router type. The following example shows the IOS commands used to configure a Cisco 7204 router to support IP over ATM communications with the Cisco MGX 8850.

Example 10-1 Router Configuration Commands for IP Communications over ATM

config term    # Enters global configuration mode
ip routing    # Enables IP routing
ip route 0.0.0.0 0.0.0.0 W.X.Y.Z 1    # Sets the default route
interface atm 0
ip address A.B.C.D G.H.I.J    # G.H.I.J = netmask
atm nsap-address 47.0091.8100.0000.0010.7b65.f258.0010.7b65.ffff.f1
atm uni-version 3.1
atm pvc 1 0 5 qsaal
atm pvc 2 0 16 ilmi    # Optional. Enter to enable ILMI.
atm ilmi-keepalive 10    # Optional. Enter to configure ILMI.
atm esi-address 00107B65FFFF.F1    # Optional. Enter to support ILMI.
atm arp-server self
no shut
^Z

Configuring Nodes

The various tasks used to configure managed network nodes are described in general in the sections below:

Assigning IP Addresses

Setting up ATM Connections

Enabling ATM ILMI

Setting up Community Strings

Setting up Statistics Collection

Setting up Trap Management

Using Firewalls

The precise procedures for performing these tasks vary depending on the node device type. Node device types are categorized as IGX, BPX, BPX/SES, and MGX.

Assigning IP Addresses

All managed nodes require addresses by which they can be identified and reached. Depending on the node type, addresses are a combination of one or more of the following.

A LAN IP address

A network IP address

An ATM address

IGX and BPX Nodes


Step 1 Assign an IP address for use by the CWM.

For inband communications, use the cnfnwip command to assign a network IP address.
The syntax for this command is as follows:

cnfnwip <IPAddr> <IPSubmask>

For out-of-band communications, use the cnflan command to assign a LAN IP address.
The syntax for this command is as follows:

cnflan <IP_Address> <IP_Subnet_Mask> <Maximum LAN Transit Unit> <TCP Service Port>

The TCP service port should be entered as 5120.


BPX/SES Nodes


Step 1 Check that the IP addresses for the BPX node have been set up as described in the previous section.

Step 2 In the SES, use the ipifconfig command to set up the IP address.
This command is used to assign both a LAN IP address and a Network IP address.

For inband communications assign a Network IP address. The command syntax is as follows:

ipifconfig atm0 [<ip_address>] [netmask <mask>] [broadcast <broad_addr>] [dest <peer_ip_address>] [up | down] [arp | noarp] [svc | nosvc] [pvc | nopvc] [default | nodefault] [clrstats]

Step 3 For out-of-band communications, assign a LAN IP address. The command syntax is as follows:

ipifconfig lnPci0 [<ip_address>] [netmask <mask>] [broadcast <broad_addr>] [dest <peer_ip_address>] [up | down] [arp | noarp] [svc | nosvc] [pvc | nopvc] [default | nodefault] [clrstats]

Step 4 Enter the IP address to be assigned and its netmask in the first two parameters.

Step 5 Use the cnfndparms command, option 7, to specify which IP address is to be used with the CWM. The format of this command is as follows:

cnfndparms 7 <option_value>

Step 6 In the option_value field, enter the value to be used as follows:

0—The atm0 interface will be the primary.

1—No interface will be used. This prevents ILMI Node Discovery.

2—The lnPci0 interface will be the primary.


MGX nodes

Use the following procedure to assign IP addresses to MGX nodes.


Step 1 For inband communications assign a Network IP address. The command format is as follows:

ipifconfig atm0 [<ip_address>] [netmask <mask>] [broadcast <broad_addr>] [dest <peer_ip_address>] [up | down] [arp | noarp] [svc | nosvc] [pvc | nopvc] [default | nodefault] [clrstats]

Step 2 For out-of-band communications, assign a LAN IP address. The command format is as follows:

ipifconfig lnPci0 [<ip_address>] [netmask <mask>] [broadcast <broad_addr>] [dest <peer_ip_address>] [up | down] [arp | noarp] [svc | nosvc] [pvc | nopvc] [default | nodefault] [clrstats]

Step 3 In the first two parameters, enter the IP address to be assigned and its netmask.

Step 4 Use the cnfndparms command, option 8, to specify which IP address is to be used with the CWM. The format of this command is as follows:

cnfndparms 8 <option_value>

Step 5 In the option_value field, enter the value to be used as follows:

0—The atm0 interface will be the primary.

1—No interface will be used. This prevents ILMI Node Discovery.

2—The lnPci0 interface will be the primary.


Setting up ATM Connections

Except for completely out-of-band LAN based network management, all nodes must be configured so that ATM connections can be established between the CWMs and the managed nodes. Usually this consists of setting up the correct node interfaces that are used for CWM-node communication.


Note Regardless of whether inband or out-of-band is used, all nodes must also have ATM connections to carry non-CWM regular network traffic.


IGX and BPX Nodes

IGX nodes and BPX nodes (not equipped with an SES) use the Cisco proprietary Link0/Link1 and AutoRoute protocols for network discovery and CWM connectivity. Under this scheme, one node can be designated as a gateway node to provide the CWM with connectivity to all the other similar nodes. Alternatively, the CWM can communicate directly with each managed node. The user specifies which method is to be used in the network.conf file in the CWM.

Configure each node as follows.


Step 1 Check that the node has its IP addresses assigned correctly. If not, use the cnflan or cnfnwip commands as appropriate (see above).

Step 2 Use the cnfname command to assign a node name. The command format is:

cnfname <nodename>


BPX/SES Nodes


Step 1 Check that the BPX has a nodename (see previous section).

Step 2 On the SES, check that its IP addresses are assigned correctly. If not, use the ipifconfig and cnfndparms commands as appropriate (see above).

Use the following steps to configure the SES to be a PNNI controller for the BPX.

Step 3 Enter the cnfpnni-node -enable false command to disable the node index.

Step 4 Enter the addpnni-node command and set the desired PNNI parameters. See the SES Command Reference for details.

Step 5 Enter the cnfpnni-node -enable true command to enable the node index.

Use the following steps to create and configure a PNNI port.

Step 6 On the SES PXM card, enter the addpnport command to create a PNNI port. The command format is:

addpnport <slot number><port number>

Step 7 Enter the dnpnport command to down the port. This is required to configure the port. The format of the command is:

dnpnport <slot number><port number>

Step 8 Enter the cnfpnportsig command to configure the type of signalling on the port. The format of the command is:

cnfpnportsig <slot number><port number> -nniver pnni10

This command configures the port for NNI with PNNI version 10 signalling.

Step 9 Enter the uppnport command to activate the port. The format of the command is:

uppnport <slot number><port number>


MGX Nodes

ATM connections extend node management to all CWMs that have access to the ATM network in which the node is installed.

To support the ATM SVCs over which the IP traffic travels, both the router and nodes are configured to map the respective IP addresses to ATM End Station Addresses (AESAs). When a management session is initiated, the IP workstation directs all communications to the IP address assigned to the ATM interface on the node. The router encapsulates this IP traffic in ATM cells and forwards it over SVCs to the node. The destination node retrieves the IP messages from the ATM cells and forwards them to the internal IP management tools. Replies to the workstation follow the same path in reverse.

Any workstation with a connection to a properly-configured ATM router can manage any node in the network. Furthermore, additional routers connected to other nodes can be configured to support this feature, enabling node configuration from multiple locations throughout an ATM network.

To support IP connectivity over the ATM interface, perform the following tasks:

Assign an IP address to the ATM interface.

Assign an AESA to the ATM interface.

Define an AESA for every adjacent router that supports IP communications to the ATM interface.

Configure ATM communications between the node and the router.

To configure the node to support IP connectivity to the ATM interface, use the following procedure.


Step 1 Check that the MGX node has an assigned network IP address and netmask. Use the ipifconfig atm0 command to assign such an address and mask if necessary (see Assigning IP Addresses above for details).

Step 2 Enter the svcifconfig command to configure the node AESA (ATM address) for IP connectivity. The format of this command is:

svcifconfig <interface> <router | local> <svc_address> [atmarp | noatmarp] [llcencap | vcmux] [default | nodefault] [reset] [delete] [force] [clrstats]

Specify atm0 for the interface parameter and specify local for the router|local parameter.

Enter the assigned ATM address for the node in the svc_address parameter. This address must conform to the address plan for the node. The command becomes:

svcifconfig atm0 local <svc_address>

Step 3 Enter the svcifconfig command again to define the ATM address of the router.

Specify router for the router|local parameter and enter the router's address.

svcifconfig atm0 router <ATM_Addr>

Step 4 If not already configured, configure the PNNI controller.

Use the addcontroller command to configure the PNNI controller. The format of this command is:

addcontroller <cntrlrId> i <cntrlrType> <slot> [cntrlrName]

cntrlrId and cntrlrType should both be specified as 2 (PNNI).

Step 5 Configure the controller using the cnfpnni-node command. This command is used to configure values for peer level, peer group ID, peer node address, and peer node ID.

For more details of the addcontroller and cnfpnni-node commands, refer to Cisco MGX 8850 Software Configuration Guide Release 5.1.

Step 6 Configure an ATM line and port to the ATM router. The sequence of commands is:
upln - bring up a line to the router.
cnfln - if necessary, specify more configuration values for the line.
addport - add a port to the line, specify UNI for the interface type and an SCT of 6.
cnfport - if necessary, specify more configuration values for the port.
addpart - add a partition of type PNNI and support for at least 20 connections.
upport - bring up the port.

For more details see "Configuration Quickstart" in Chapter 5, "Provisioning AXSM Lines and Cards for Communication" in the Cisco MGX 8850 Software Configuration Guide, Release 5.1.

Step 7 Enter the dsppnsysaddr command to verify connectivity to directly attached ATM routers.

The ATM addresses of directly attached ATM routers should appear in the list the node displays. To display an ATM address for a remote router, you need to establish a CLI session on the remote node and enter the dsppnsysaddr command.

Step 8 Enter the dsppnports command to check the status of ports leading to directly-attached ATM routers.


The following example shows commands that you can use to configure a Cisco MGX 8850 for IP communications over ATM.

Example 10-2 Node Commands for IP Communications over ATM

mgx8850a.7.PXM.a> ipifconfig atm0 A.B.E.F    # Replace A.B.E.F with IP Address
mgx8850a.7.PXM.a> svcifconfig atm0 local 47.0091.8100.0000.0010.7b65.f258.0010.7b65.1111.01
mgx8850a.7.PXM.a> svcifconfig atm0 router 47.0091.8100.0000.0010.7b65.f258.0010.7b65.ffff.f1
mgx8850a.7.PXM.a> addcontroller 2 i 2 7    # If controller does not already exist
mgx8850a.10.AXSM.a > upln 1.1
mgx8850a.10.AXSM.a > addport 1 1.1 96000 96000 6 1
mgx8850a.10.AXSM.a > addpart 1 1 2 500000 500000 500000 500000 1 20 32 52 1 20
mgx8850a.10.AXSM.a > upport 1
mgx8850a.10.AXSM.a > cnfilmi -if 1 -id 1 -ilmi 1 -vpi 0 -vci 16 -trap 1 -s 10 -t 10 -k 10    # Optional. This command configures ILMI for the port.
mgx8850a.7.PXM.a> dsppnsysaddr
(example output)
47.0091.8100.0000.0010.7b65.f258.0010.7b65.ffff/152
Type:      uni     Port id:   17111041

mgx8850a.7.PXM.a> dsppnports

(example output)
Per-port status summary
PortId         IF status         Admin status       ILMI state       Total Activeconns
10:1.1:1        up                up                 Undefined        3
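
The address checks implied by Examples 10-1 and 10-2, as an added example that is not part of the Cisco guide: it confirms that the router's ESI matches its NSAP address, that the node's svcifconfig router entry is the router's address, and that the dsppnsysaddr listing covers it. The function names are hypothetical, and the 13-byte prefix, 6-byte ESI, 1-byte selector split is the standard AESA layout.

```python
import re

# Address lines copied from Example 10-1 (router) and Example 10-2 (node).
ROUTER_CFG = """\
atm nsap-address 47.0091.8100.0000.0010.7b65.f258.0010.7b65.ffff.f1
atm esi-address 00107B65FFFF.F1
"""
NODE_CMDS = """\
svcifconfig atm0 local 47.0091.8100.0000.0010.7b65.f258.0010.7b65.1111.01
svcifconfig atm0 router 47.0091.8100.0000.0010.7b65.f258.0010.7b65.ffff.f1
"""
SYSADDR_ENTRIES = ["47.0091.8100.0000.0010.7b65.f258.0010.7b65.ffff/152"]


def hex_bytes(text, length):
    """Decode dotted hex into exactly `length` bytes, or raise ValueError."""
    digits = text.replace(".", "")
    if not re.fullmatch(r"[0-9a-fA-F]+", digits) or len(digits) != 2 * length:
        raise ValueError(f"expected {length} bytes of hex, got {text!r}")
    return bytes.fromhex(digits)


def split_aesa(addr):
    """20-byte AESA -> (13-byte network prefix, 6-byte ESI, 1-byte selector)."""
    return addr[:13], addr[13:19], addr[19:]


def parse_sysaddr(entry):
    """Decode an 'address/bits' entry as printed by dsppnsysaddr."""
    dotted, bits = entry.split("/")
    if int(bits) % 8:
        raise ValueError(f"prefix length is not a whole number of bytes: {entry!r}")
    return hex_bytes(dotted, int(bits) // 8)


def check_addresses(router_cfg, node_cmds, sysaddr_entries):
    """Return a list of mismatches between router, node and dsppnsysaddr output."""
    nsap = esi_sel = None
    for words in (line.split() for line in router_cfg.splitlines()):
        if words[:2] == ["atm", "nsap-address"] and len(words) == 3:
            nsap = hex_bytes(words[2], 20)
        elif words[:2] == ["atm", "esi-address"] and len(words) == 3:
            esi_sel = hex_bytes(words[2], 7)  # 6-byte ESI followed by the selector
    svc = {}
    for words in (line.split() for line in node_cmds.splitlines()):
        if words[:2] == ["svcifconfig", "atm0"] and len(words) >= 4:
            svc[words[2]] = hex_bytes(words[3], 20)

    if nsap is None:
        return ["router: no atm nsap-address line"]
    problems = []
    _prefix, esi, selector = split_aesa(nsap)
    # esi-address is marked optional in Example 10-1, so only compare when present.
    if esi_sel is not None and esi_sel != esi + selector:
        problems.append("router: esi-address differs from the ESI and selector in nsap-address")
    if svc.get("router") != nsap:
        problems.append("node: svcifconfig router address is not the router's nsap-address")
    if "local" not in svc:
        problems.append("node: no svcifconfig local address")
    elif svc["local"] == nsap:
        problems.append("node: local address duplicates the router's address")
    # dsppnsysaddr prints a prefix with its length in bits (152 bits = 19 bytes).
    if not any(nsap.startswith(parse_sysaddr(e)) for e in sysaddr_entries):
        problems.append("dsppnsysaddr: router address not listed")
    return problems


if __name__ == "__main__":
    for problem in check_addresses(ROUTER_CFG, NODE_CMDS, SYSADDR_ENTRIES) or ["addresses consistent"]:
        print(problem)
```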

Enabling ATM ILMI

IGX and BPX Nodes


Step 1 Use the ATM cnfport command protocol parameter to enable ILMI (or XLMI in the case of hybrid networks). Set the advertise interface information parameter to Yes. This parameter defines whether the interface is authorized to advertise its interface information. Values are Y/N. The default is Y.

Step 2 Use the configure node parameters command, cnfnodeparm, to specify which IP address is to be used by the CWM. Set option 56 in this command to NW or Lan as appropriate. This option specifies whether to use the configured LAN IP or network IP address as the management IP address used in the ILMI Neighbor Discovery procedure.


BPX/SES Nodes


Step 1 Set up the configuration on the BPX as described in the previous section.

Step 2 On the SES use the dnpnport command to de-activate a PNNI port.

Step 3 On the SES use the cnfilmienable command to enable ILMI on a PNNI port.


MGX nodes

All ports on MGX nodes that are used for PNNI discovery must be ILMI enabled.

Use the cnfilmi command. The format of this command is:

cnfilmi <ifNum> -id <partitionID> -ilmi <ilmiEnable> -vpi <vpi> -vci <vci> -trap <ilmiTrapEnable> -s <keepAliveInt> -t <pollingIntervalT491> -k <pollInctFact>

Make the partition ID the same as that for the port set up to communicate with the router.
Set both of the ilmiEnable and ilmiTrapEnable parameters to enable.
The standard vpi and vci numbers for PNNI ILMI are 0 and 16 respectively.

Setting up Community Strings

The SNMP protocol requires that an SNMP manager provide a correct community string before an SNMP agent in the node will respond to a GET or SET command. SNMP community strings must be configured at each node, and the corresponding strings must be configured in the SNMP manager in the CWM.

Two string types can be configured:

One for read only privileges (for GET commands), with a default of "public".

One for read/write privileges (for SET and TRAP commands), with a default of "private".

The SNMP rules for community strings are:

Up to 32 characters in length

Strings cannot contain a blank space, an "@," or a quote (") character.

Reserved strings are:

Community rw string: "private"

Community ro: "public"

IGX and BPX Nodes


Step 1 Use the cnfsnmp command to configure the node's SNMP community string. This command has the syntax:
cnfsnmp <GET community string> <SET community string>

Enter the community strings as appropriate. If strings are not provided, the defaults are used.


BPX/SES Nodes


Step 1 Check that the community strings for the BPX have been configured (see previous section).

Step 2 On the SES, use the cnfsnmp command to set the community strings for the SES. The syntax of this command is:

cnfsnmp <GET community string> <SET community string>

Enter the GET (read only) community string and the SET (read/write) community string. Traps will use the SET community string.


MGX nodes

Use the cnfsnmp command to set the community strings. This command also allows the user to specify the SNMP values for contact and location. Depending upon the use of this command, it has three forms as follows:

cnfsnmp community string [ro | rw]

cnfsnmp contact string

cnfsnmp location string

The cnfsnmp community form of the command allows the specification of both read only (ro) and read/write (rw) community strings but only one string can be specified in a single command. To specify both ro and rw strings, the command must be executed twice.
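
A pre-deployment check for the community-string rules and cnfsnmp forms described in this section, as an added example that is not part of the Cisco guide. It validates planned commands against the length and character rules, flags the default "public" and "private" strings, and on MGX reports when only one of the ro and rw strings is set; the function names and the sample plans are constructed for illustration.

```python
RESERVED = {"public": "read-only", "private": "read/write"}  # defaults named in this section
FORBIDDEN = (" ", "@", '"')
MAX_LEN = 32

# Constructed sample input: planned commands, not taken from any real node.
IGX_PLAN = "cnfsnmp public Nm5-write_2f\n"
MGX_PLAN = """\
cnfsnmp community cwm-read_7Q ro
cnfsnmp contact noc
cnfsnmp location lab
"""


def rule_violations(community):
    """Check one community string against the rules listed in this section."""
    found = []
    if not community:
        found.append("is empty")
    if len(community) > MAX_LEN:
        found.append(f"has {len(community)} characters, limit is {MAX_LEN}")
    found += [f"contains forbidden character {ch!r}" for ch in FORBIDDEN if ch in community]
    if community in RESERVED:
        found.append(f"is the default {RESERVED[community]} string")
    return found


def audit(node_type, plan):
    """Audit planned cnfsnmp lines for one node; returns (line number, finding) pairs.

    node_type is 'mgx' for the three-form MGX syntax; any other value selects
    the two-argument IGX, BPX and SES syntax. Line number 0 means the whole plan.
    """
    findings, modes_set = [], set()
    for lineno, line in enumerate(plan.splitlines(), 1):
        words = line.split()
        if words[:1] != ["cnfsnmp"]:
            continue
        args = words[1:]
        if node_type == "mgx":
            if args[:1] != ["community"]:
                continue  # contact and location forms carry no community string
            if len(args) == 3 and args[2] in ("ro", "rw"):
                strings = [(args[2], args[1])]
            elif len(args) == 2:
                strings = [("unspecified-mode", args[1])]
            else:
                findings.append((lineno, "expected: cnfsnmp community string [ro | rw]"))
                continue
        elif len(args) == 2:
            strings = [("GET", args[0]), ("SET", args[1])]
        elif not args:
            findings.append((lineno, "no strings given, so the defaults are used"))
            continue
        else:
            # Extra words usually mean a string contained a blank space.
            findings.append((lineno, "expected: cnfsnmp <GET community string> <SET community string>"))
            continue
        for role, community in strings:
            modes_set.add(role)
            findings += [(lineno, f"{role} string {v}") for v in rule_violations(community)]
    if node_type == "mgx":
        # One string per command, so both ro and rw need their own line.
        findings += [(0, f"no {m} community string set") for m in ("ro", "rw") if m not in modes_set]
    return findings


if __name__ == "__main__":
    for name, node_type, plan in (("IGX", "igx", IGX_PLAN), ("MGX", "mgx", MGX_PLAN)):
        for lineno, finding in audit(node_type, plan):
            print(f"{name} line {lineno}: {finding}")
```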

Setting up Statistics Collection

IGX and BPX Nodes

Use the following procedure to set up statistics collection on IGX and BPX nodes.


Step 1 Use the cnfcdparm command to configure the multichannel statistics feature.

This feature is supported on the BPX and IGX platforms, for BXM and UXM cards. It enables the nodes to collect and propagate statistics to a CWM. The channel statistic types vary in number and type based upon the level of support specified in the cnfcdparm command. The syntax of this command is:

cnfcdparm <slot> <index> <value>

<slot> is the slot number for which the statistics level is being specified.


Note Configuration of the channel statistic level is a slot-based parameter. For example, if slot 5 is configured to support level 3 channel statistics, all connections on the card in slot 5 will be set to level 3 statistics.


<index> can be 1, 2, or 3. Enter a value of 1 to signify that multichannel statistics are being specified.

<value> specifies the level of statistics to be collected; it can be 0, 1, 2, or 3. Enter the value corresponding to the level of statistics to be collected.

For a description of all four channel statistics levels, see the BPX 8600 Installation and Configuration Manual Release 9.3.30, Chapter 5 BXM Card Sets: T3/E3, 155, and 622.

Step 2 Use the cnfstatmast command to specify the CWM to which statistics are to be sent. The syntax of this command is:

cnfstatmast <IP Address>

Specify the IP address of the CWM that is collecting statistics for this node.


BPX/SES Nodes


Step 1 Check that statistics collection for the BPX has been configured as described in the previous section.

Step 2 On the SES, use the cnfstatsmgr command to specify the CWM to which statistics are to be sent. The syntax of this command is:

cnfstatsmgr <index> <IP Address>

<index> can have the value 1, 2, 3, or 4 to indicate the type of system associated with the IP address.

1 = Primary statistics manager

2 = Secondary statistics manager

3 = Tertiary statistics manager

4 = Master statistics manager

<IP Address> is the IP address of the CWM that is collecting statistics for the SES.


MGX nodes


Step 1 Use the cnfstatsmgr command to specify the CWM to which statistics are to be sent. The syntax of this command is:

cnfstatsmgr <index> <IP Address>

<index> can have the value 1, 2, 3, or 4 to indicate the type of system associated with the IP address.

1 = Primary statistics manager

2 = Secondary statistics manager

3 = Tertiary statistics manager

4 = Master statistics manager


Note In the current release, index options 1 through 3 are not applicable to the present switch architecture. Use index option 4 to specify the IP address of the statistics master for the switch. This action defines the IP address of the workstation that is authorized to enable or disable statistics on the switch.


<IP Address> is the IP address of the CWM that is collecting statistics for the SES.


Setting up Trap Management

IGX and BPX Nodes

IGX and BPX nodes do not send standard SNMP trap messages to the CWM. Instead, these nodes use a variety of message types to communicate network changes and alarms. These messages are converted to SNMP traps in the CWM, where they can be processed along with traps received from other node types. Operating within the Cisco proprietary Link0/Link1 protocol, the following message types are used.

Events in ASCII string format

Topology update messages

Object updates in robust object message format

Alarms in robust alarm message format


Note The term "robust" is used to mean that the protocol contains acknowledgement features to guarantee delivery of the message.


Two commands can be used to configure parameters for robust alarm messages.

cnfrobparm (configure robust parameters) and cnfasm (configure ASM card)

Use the following procedure to configure robust alarms.


Step 1 Use the cnfrobparm command to configure parameters associated with the transmission of robust alarms. The syntax of this command is:

cnfrobparm <index> <value>

Enter values for <index> and <value> according to Table 10-1.

Table 10-1 Index and Parameter Values for the cnfrobparm command

| Index No. | Parameter | Description | Default |
|---|---|---|---|
| 1 | Robust State wakeup timer | The Robust State machine becomes active after the specified time period has elapsed. If this timer value increases, the state machine operates less often and places less load on the controller card. Units of measure are seconds. | 10 seconds |
| 2 | Robust update timer | Once a message has gone to the NMS, another message does not go until this timer expires. Units of measure are seconds. | 10 seconds |
| 3 | Robust acknowledgment time-out | An acknowledgment must be returned by the NMS within this time period or it is assumed the communications link is down. Units of measure are seconds. | 600 seconds |
| 4 | Robust acknowledgment reset timeout | After a downed link has been repaired, the next message goes out after this time period has elapsed. The purpose of this time period is to let the link settle after the repair. Units of measure are seconds. | 60 seconds |


Step 2 Use the cnfasm command to configure certain alarm parameters. This command allows the user to set various alarm values and to enable or disable the commands.

When this command is executed, the following list of alarms is displayed. The user responds by entering an alarm number and then changing the value (or status) as necessary.

[1] Cabinet temp threshold:	50 C  [4] Polling interval (msec):    	10000
[2] Power A deviation:	10 V (48.0)  [5] Fan threshold (RPM):	 2000
[3] Power B deviation:	10 V (49.1)
	 ALM	ALM
[6]  ACO button	 - 	[14] BPX 8600 card slot	 -
[7]  History button	 - 	[15] PSU A failure	Y        
[8]  Cabinet temp 	Y 	[16] PSU A removed	Y
[9]  Power A volt 	Y 	[17] PSU B failure	Y
[10] Power B volt	Y	[18] PSU B remove	Y
[11] Fan 1 RPM	Y
[12] Fan 2 RPM	Y
[13] Fan 3 RPN	Y

BPX/SES Nodes


Step 1 On the SES use the cnftrapip command to configure the address on the SES where the traps are configured before being sent out to the CWM. The syntax for this command is:

cnftrapip <ip address>

Enter the IP address of the switch that will be sending the traps to the CWM.

Step 2 Use the addtrapmgr command to set up an SNMP manager to receive traps.

The syntax of this command is:

addtrapmgr <ip_addr> <portnum>

<ip_addr> is the IP address of the CWM to receive the traps.

<portnum> is the port number to be used to send traps. The SNMP default port number is 162.


MGX nodes


Step 1 Use the cnftrapip command to configure the address on the MGX where the traps are configured before being sent out to the CWM. The syntax for this command is:

cnftrapip <ip address>

Enter the IP address of the switch that will be sending the traps to the CWM.

Step 2 Use the addtrapmgr command to set up an SNMP manager to receive traps.

The syntax of this command is:

addtrapmgr <ip_addr> <portnum>

<ip_addr> is the IP address of the CWM to receive the traps.

<portnum> is the port number to be used to send traps. The SNMP default port number is 162.


Using Firewalls

Firewalls set up on managed networks and on PCs being used as clients may affect several different functionalities on the CWM. They may affect use of the GUI. Also, if you are using a firewall between the server and the clients, you should open a range of ports for the CWM servers. The firewall should be configured to open the ports in both directions.

When the CWM server cannot ping the client and an error message is displayed on the CWM, one of the common reasons is that a firewall on the client PC is preventing the server from being seen. In these cases, the DNS is configured to communicate. You must verify that the client can be pinged from the CWM.

For additional information on resolving issues for firewalls set up on PCs or firewalls set up on the LAN, see the following information:

Firewalls on PCs

If a PC based firewall such as BlackIce is used, the protection settings to enable incoming connections may need to be changed. When a client is running on a remote PC, the server opens new connections when sending node and network updates to the GUI. If the PC blocks all incoming calls, this causes the topology map not to appear on the GUI.

These suggested solutions address this problem:

Lower the protection level for incoming connections. When using Black Ice, for example, the Protection Level should be set to "Cautious: block some unsolicited inbound traffic" instead of the more restrictive "Nervous: block most unsolicited inbound traffic."

If the firewall software allows, add the CWM as a trusted IP address and allow all traffic from the CWM host.

Limit the ports used by CWM clients and servers for communication and open these ports on the firewall software.

Firewalls on LANs

If the network where the CWM is located has a firewall configured to restrict traffic from inside the LAN and from an outside PC, the topology map will not show up in the GUI. You can resolve the problem with any of these options:

Use VPN tunneling for the remote PCs to connect to the CWM machines in the lab.

Set up trusted IP addresses in the firewall. Both CWM machines and the remote PC that are going to use CWM GUI need to be added as trusted IP addresses in the firewall configuration.

Limit the ports that the CWM clients and servers use for Orbix communication and open these ports on the firewall software.

Use this procedure to set up the ports.


Step 1 Stop the CWM core.

Step 2 Stop Orbix processes using the stoporbix2000 script.

Step 3 Add the following line at the end of the /usr/users/svplus/orbix_domain/domains/cwm_<cwm-machine-name>_domain.cfg file on the CWM:

policies:iiop:server_address_mode_policy:port_range = "5500:6000";

This designates that the CWM processes use ports between 5500 and 6000 for communication. This range is enough for up to 20 clients connecting to the CWM simultaneously. If more than 20 clients will be connected to the CWM at one time, increase the upper limit as follows:

30 simultaneous clients—5500:6100

40 simultaneous clients—5500:6200

50 simultaneous clients—5500:6300

Step 4 Start the CWM core.

Step 5 Configure the firewall to open the above ports in both directions, from the CWM to the clients and back. Other than these ports, the firewall also needs to allow ports 3075 and 3094 for communication with the Orbix processes.

The port range can start from any number as required. Note that the number of ports should remain the same as shown above. For example, the port range can be set to 9000:9500 for 20 clients and so on.
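
A review helper for the procedure above, as an added example that is not part of the Cisco guide: it builds the Step 3 line for a chosen start port and client count, reads the range back from the domain .cfg text, and lists the firewall openings from Step 5 together with any mismatch against the ranges the guide lists. The function names and the sample .cfg text are constructed; client counts above 50 are rejected because the guide lists no range for them.

```python
import re

KEY = "policies:iiop:server_address_mode_policy:port_range"
# (maximum simultaneous clients, high minus low) from the ranges listed in Step 3.
TIERS = [(20, 500), (30, 600), (40, 700), (50, 800)]
ORBIX_PORTS = (3075, 3094)  # named in Step 5

# Constructed sample: the line added to cwm_<cwm-machine-name>_domain.cfg.
SAMPLE_CFG = 'policies:iiop:server_address_mode_policy:port_range = "5500:6000";\n'


def span_for(clients):
    """Range span (high minus low) the guide lists for this many clients."""
    for limit, span in TIERS:
        if clients <= limit:
            return span
    raise ValueError("the guide lists no range for more than 50 clients")


def cfg_line(start, clients):
    """Build the Step 3 line for a range beginning at `start`."""
    high = start + span_for(clients)
    if start <= 0 or high > 65535:
        raise ValueError(f"{start}:{high} is outside the valid port numbers")
    return f'{KEY} = "{start}:{high}";'


def read_range(cfg_text):
    """Return (low, high) from the single port_range line in the .cfg text."""
    pattern = r'^[ \t]*' + re.escape(KEY) + r'[ \t]*=[ \t]*"(\d+):(\d+)"[ \t]*;[ \t]*$'
    matches = re.findall(pattern, cfg_text, re.MULTILINE)
    if len(matches) != 1:
        raise ValueError(f"expected one port_range line, found {len(matches)}")
    low, high = map(int, matches[0])
    return low, high


def review(cfg_text, clients):
    """Return (openings, findings) for the firewall change described in Step 5."""
    low, high = read_range(cfg_text)
    need = span_for(clients)
    findings = []
    if not 0 < low < high <= 65535:
        findings.append(f"{low}:{high} is not a valid port range")
    elif high - low < need:
        findings.append(f"range spans {high - low} ports, {clients} clients need {need}")
    elif high - low > need:
        findings.append(f"range spans {high - low} ports, the guide lists {need} for {clients} clients")
    # The range is opened in both directions; the guide does not state a
    # direction for the two Orbix ports, so none is assumed here.
    openings = [(f"{low}-{high}", "CWM server to clients"),
                (f"{low}-{high}", "clients to CWM server")]
    openings += [(str(port), "Orbix processes") for port in ORBIX_PORTS]
    return openings, findings


if __name__ == "__main__":
    print(cfg_line(9000, 20))
    openings, findings = review(SAMPLE_CFG, 30)
    for ports, purpose in openings:
        print(f"open {ports}: {purpose}")
    for finding in findings:
        print("finding:", finding)
```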