
Nortel Guide to VPN Routing for Security and VoIP, part 9


ARP

The Address Resolution Protocol (ARP) provides a way to find a node's MAC address when only the IP address is known. The way ARP works is simple. A sending node will send a broadcast through the network with the IP address of the node that it is trying to locate. Once a node recognizes its own IP address in an ARP broadcast, it will respond to the originating node with the MAC address that matches the IP address. ARP entries are stored in a cache, known as the ARP table. ARP is limited to the nodes within the network that support broadcasting and will accept a broadcast packet. Other nodes will ignore the broadcasts.

Sometimes a node may be moved or, for some other reason, a node may no longer be able to locate another node within the network. When this occurs, you might want to try to force the node to relearn where the destination node may reside.

The Arp section of the Tools screen provides access to the ARP table and some options that can be used to assist in troubleshooting. This section is located at the bottom of the Tools screen (see Figure 12-38). Within the Arp section is one field that allows you to specify the IP address of a node that you would like to have removed from the ARP cache so the device will resend the ARP broadcast packets. You can enter the IP address and then press the Arp delete button that is in this section. Two other buttons can be chosen within the Arp section. The first button is the Show Arp Table button. By clicking this button, you will receive an output of the ARP table, which lists the entries contained in the VPN Router's ARP cache. Figure 12-39 shows an example of an ARP table. The other button provides an option to clear the entire ARP table.
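As an added example (not code from the Nortel guide or the VPN Router), the following Python model of an ARP cache shows the mechanism the section describes: a lookup broadcasts only on a cache miss, a node whose hardware changes leaves a stale entry that keeps answering with the old MAC, and deleting that entry (the equivalent of the Arp delete button) or clearing the table forces the broadcast to go out again. It also includes a small check over a Show Arp Table style dump that flags one MAC listed for several IPs, a common symptom of a moved node. All addresses, the simulated broadcast domain and the table rows are constructed for the demo.

```python
# Added example (not from the Nortel guide): a minimal model of an ARP
# cache showing why a moved node leaves a stale entry behind and how
# deleting that entry (or the whole table) forces re-resolution.
# All addresses and the "wire" below are constructed for the demo.
from dataclasses import dataclass, field


@dataclass
class ArpCache:
    """IP -> MAC cache plus the broadcast domain it resolves against."""
    # Constructed "wire": the IP->MAC bindings nodes would answer with
    # when they see a broadcast for their own address.
    wire: dict
    table: dict = field(default_factory=dict)
    broadcasts: int = 0

    def resolve(self, ip):
        """Return the MAC for ip, broadcasting only on a cache miss."""
        if ip in self.table:
            return self.table[ip]          # cache hit, no broadcast sent
        self.broadcasts += 1               # "who has ip?" goes out
        mac = self.wire.get(ip)            # only the owner answers
        if mac is None:
            return None                    # no reply: host down or off-segment
        self.table[ip] = mac
        return mac

    def delete(self, ip):
        """Equivalent of the Arp delete button: drop one entry."""
        return self.table.pop(ip, None) is not None

    def clear(self):
        """Equivalent of clearing the whole ARP table."""
        self.table.clear()

    def show(self):
        """Equivalent of Show Arp Table: sorted (ip, mac) rows."""
        return sorted(self.table.items())


def moved_node_scenario():
    """Demonstrate stale cache -> delete -> relearn.

    Returns (mac_before_move, stale_mac_after_move, mac_after_delete).
    """
    wire = {"10.1.1.20": "00:11:22:33:44:20", "10.1.1.30": "00:11:22:33:44:30"}
    cache = ArpCache(wire)
    before = cache.resolve("10.1.1.20")     # learned by broadcast

    # The host at 10.1.1.20 is replaced by different hardware (new MAC).
    wire["10.1.1.20"] = "00:11:22:33:44:99"
    stale = cache.resolve("10.1.1.20")      # cache hit: still the OLD MAC

    cache.delete("10.1.1.20")               # force relearn
    relearned = cache.resolve("10.1.1.20")  # broadcast again, new MAC
    return before, stale, relearned


def find_duplicate_macs(table_rows):
    """Flag MACs that appear for more than one IP in a table dump.

    Two IPs can legitimately share a MAC (a router with secondary
    addresses), but it is also the classic symptom of a moved node or
    a cache that needs clearing, so it is worth surfacing when reading
    the Show Arp Table output.
    """
    by_mac = {}
    for ip, mac in table_rows:
        by_mac.setdefault(mac.lower(), []).append(ip)
    return {mac: ips for mac, ips in by_mac.items() if len(ips) > 1}


if __name__ == "__main__":
    print(moved_node_scenario())
    rows = [("10.1.1.1", "aa:bb:cc:00:00:01"),
            ("10.1.1.20", "aa:bb:cc:00:00:20"),
            ("10.1.1.21", "AA:BB:CC:00:00:20")]   # constructed dump
    print(find_duplicate_macs(rows))
```

The `broadcasts` counter makes the cost visible: a populated cache never puts a request on the wire, which is exactly why a stale entry persists until it is deleted or the table is cleared.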
Figure 12-38: The Arp section of the System Tools screen

Troubleshooting Overview 581 15_781274 ch12.qxp 6/21/06 10:09 PM Page 581

Figure 12-39: The ARP table

Packet Capture

Previously in this chapter, we discussed the use of sniffers as a helpful tool in troubleshooting data connection issues within a network. Often, however, a link must be broken to put a sniffer "in line" before it can be used. Also, some nodes (such as the Nortel VPN Router) use an encryption technology that a sniffer may not understand when capturing packets.

Many data nodes (such as VPN Routers) support what is known as Packet Capture (PCAP) built into the software. This allows the capture of packets that are passing through the node without requiring an external sniffer to be placed in the network segment. PCAP is an application program interface (API) that supports the capture of packets within a network. The captured packets are then stored in a trace (often referred to as a capture), which can then be analyzed by a packet sniffer application, such as Ethereal. Figure 12-40 shows an example of a PCAP capture of a client tunnel session that is being viewed in Ethereal.

Beginning with VPN Router code version v04_85, the Nortel VPN Router supports packet capturing by including PCAP support within the software. The Nortel VPN Router PCAP utility allows for the capturing of packets that are passing through all interfaces, tunnels, and even Ethernet segments that are not related to the VPN Router.

Several security controls are in place when performing a PCAP on the Nortel VPN Router. Performing a PCAP must be done from the console interface. The administration password must be other than the default password, and a password is assigned to the capture, so that password must be known before the capture can be read.
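As an added example (not code from the Nortel guide or the VPN Router software), the following Python script reads the classic libpcap file format that a PCAP utility writes and builds the protocol hierarchy summary that a sniffer such as Ethereal displays for a capture (Ethernet, then IPv4, then TCP, UDP or ESP). The capture bytes are constructed inline, with one IKE-style UDP datagram, two ESP packets and one TCP segment, so nothing is read from a real interface; the MAC and IP addresses and the payloads are placeholders.

```python
# Added example (not from the Nortel guide): a minimal reader for the
# classic libpcap file format that produces the kind of protocol
# hierarchy summary a sniffer shows for a capture. The capture bytes are
# constructed inline so the script runs offline; no real traffic is read.
import struct

PCAP_MAGIC_LE = 0xA1B2C3D4       # little-endian, microsecond timestamps
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
IP_PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp", 50: "esp"}  # 50 = IPsec ESP


def parse_pcap(data):
    """Yield (timestamp, frame_bytes) from a little-endian pcap v2.4 byte string."""
    magic, _vmaj, _vmin, _tz, _sig, _snap, linktype = struct.unpack_from("<IHHiIII", data, 0)
    if magic != PCAP_MAGIC_LE:
        raise ValueError("not a little-endian pcap file (magic 0x%08x)" % magic)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet link type is handled here")
    off = 24                                      # global header is 24 bytes
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, off)
        off += 16                                 # per-packet header is 16 bytes
        frame = data[off:off + incl_len]
        if len(frame) < incl_len:
            raise ValueError("truncated packet record at offset %d" % off)
        off += incl_len
        yield ts_sec + ts_usec / 1e6, frame


def classify(frame):
    """Return the protocol path for one frame, e.g. 'eth:ip:esp'."""
    if len(frame) < 14:
        return "eth:short"
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    if ethertype != ETHERTYPE_IPV4:
        return "eth:0x%04x" % ethertype
    ip = frame[14:]
    if len(ip) < 20 or ip[0] >> 4 != 4:
        return "eth:ip:malformed"
    proto = ip[9]                                 # IPv4 protocol field
    return "eth:ip:" + IP_PROTO_NAMES.get(proto, "proto%d" % proto)


def protocol_hierarchy(data):
    """Count frames per protocol path, like a sniffer's hierarchy view."""
    counts = {}
    for _ts, frame in parse_pcap(data):
        path = classify(frame)
        counts[path] = counts.get(path, 0) + 1
    return counts


# --- constructed sample capture (placeholder addresses, zero checksums) ----
def eth_ipv4_frame(proto, payload=b""):
    """Build a minimal Ethernet+IPv4 frame carrying the given protocol."""
    eth = bytes.fromhex("0011223344550011223344aa") + struct.pack("!H", ETHERTYPE_IPV4)
    total = 20 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 1, 0, 64, proto, 0,
                     bytes([10, 1, 1, 20]), bytes([10, 1, 1, 1]))
    return eth + ip + payload


def build_sample_pcap(frames):
    """Wrap frames in a pcap global header and per-packet headers."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1_150_000_000 + i, 0, len(f), len(f)) + f
    return out


SAMPLE_PCAP = build_sample_pcap([
    eth_ipv4_frame(17, b"\x01\xf4\x01\xf4\x00\x0c\x00\x00" + b"IKE!"),  # udp/500 (IKE)
    eth_ipv4_frame(50, b"\x00\x00\x00\x01" * 4),                          # esp
    eth_ipv4_frame(50, b"\x00\x00\x00\x01" * 4),                          # esp
    eth_ipv4_frame(6, b"\x00" * 20),                                      # tcp
])

if __name__ == "__main__":
    for path, n in sorted(protocol_hierarchy(SAMPLE_PCAP).items()):
        print("%-12s %d" % (path, n))
```

A tunnel capture from a VPN Router will mostly classify as ESP, whose payload is encrypted; the hierarchy counts are still useful because they show whether the tunnel is passing traffic at all and how much of it is key exchange (UDP/500) versus data.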
Performing the PCAP operation on the VPN Router is memory-intensive, so it should be performed only when required for troubleshooting purposes. There are filters that can be implemented to reduce the amount of data captured and free up some resources, but the process still requires the use of VPN Router resources.

Most sniffer applications provide a few features that allow you to view different aspects of the PCAP file. This is helpful when you are trying to gather statistics or narrow down the information that you are viewing. These features include the ability to sort by protocol hierarchy (see Figure 12-41) and graph statistics (see Figure 12-42).

Figure 12-40: Viewing the PCAP capture

Figure 12-41: Viewing the protocol hierarchy statistics in a client tunnel session PCAP capture

Figure 12-42: Viewing a statistical graph of a client tunnel session PCAP capture

General Network Proactive Measures

As mentioned previously, problems with communication in a data network are going to happen. Hardware failures, compatibility issues, data traffic flow issues, and many other things can contribute to a break in communication. Sometimes these issues are simple to diagnose, and sometimes they can take hours and even days to resolve.

Proactive measures can be taken in anticipation of potential failures. Viewing outages in a proactive manner can truly help the resolution time when a problem arises. Unfortunately, a proactive approach is not always practiced in many LANs. This section discusses some recommended proactive measures to assist you in considering and in taking a proactive stance toward the maintenance of the VPN Router, as well as other network nodes.

Perform Regular Backups

One of the easiest things that can be done for the VPN Router (as well as other nodes within the network) is to perform system backups regularly.
If possible, it is also a good practice to make duplicate backups in case of a backup storage device failure. Anticipate the possible and try to accommodate it. System configurations, databases, images, and other system files do get corrupted and sometimes may even get lost. Having a recent backup for any required file can save you a lot of work in the long run. Many network managers perform daily backups of critical files. This may or may not be a practice that needs to be adhered to in every network, but a regular backup is highly recommended.

Consider what problems may arise if a core network node experiences configuration corruption and the network administrator does not practice regular system backups. That core device's configuration will have to be rebuilt, which will probably contribute to extended downtime for the device. In turn, user productivity will drop because of the lack of network resources. The lack of a recent backup may cost your employer hundreds to thousands of dollars.

Backups are also a necessity when performing system maintenance. Whether it is a hardware replacement or a configuration change, always back up the system-critical files before you begin the scheduled maintenance for the device. A little time spent up front in backing up these files can save you a lot of time in the long run.

Research

When planning a network design or considering a change to the network, always research before you implement. If tasked to support a certain protocol or application, ensure that you understand how that application and/or protocol works. Ensure that the nodes within the network are compatible with the considered change or implementation. Consider the impact that the change may have on the existing network infrastructure.

Effective planning is paramount in data networks.
In addition to planning how the change may affect the current network, it is also prudent to anticipate future growth. What might occur if you need to purchase a VPN Router and you don't consider the number of active tunnels that you may need in your decision? What problems might occur if you purchase a NIC upgrade for a server only to later discover that there are compatibility issues between the brand of NIC and some of the nodes within your network?

Effective planning is always a very important proactive step to take. It's always possible that not all contingencies can be considered up front, but planning for as many as you can think of will help alleviate potential problems in the future.

Always Have a System Recovery Disk Available

Making a system recovery disk and having it available to you are very important, but often ignored. The process of making the recovery disk is very quick and easy and can save you a lot of problems in the future. If you are running multiple versions of code on the VPN Routers in your network (which, by the way, is not recommended), then ensure that you have a recovery disk to match each of those versions of code.

When making a recovery disk, also ensure that you make the recovery disk available. It will not serve any purpose if you are onsite working on a VPN Router issue and need your recovery disk, which happens to be in another state. We recommend that you keep the recovery disk available in an area that is local to the VPN Router. In addition to making one local to the router, ensure that it is accessible to anyone who may be performing troubleshooting and/or maintenance on the VPN Router. Another practice that is followed by some VPN administrators is to provide a copy of the recovery disk to all personnel who may need to have it. The problem with this practice is that a procedure would need to be set up to allow for recovery disk upgrades.
Consider the impact that the users would feel if you had a catastrophic failure on the VPN Router and you did not have a recovery disk available. The system downtime would then be increased until a recovery disk was obtained, or a VPN Router replacement would have to be ordered. Whatever policy you choose to implement, the main thing is to ensure that the recovery disk is made and is made available to anyone who may be working on the VPN Router.

Dial Access for Support Personnel

Providing access to the network for the support personnel within the network is a very important proactive step to take. If the network provides for an on-call person for potential outages, then it is very important that that person be able to access the network from a remote area. Ensuring that all support personnel have remote access can assist in clearing up outages in a timely manner. Of course, remote access is not always going to be the resolution to a problem, and personnel will have to go to the site where the equipment resides, but it may help in certain instances.

Knowledge Sharing

Because of security concerns and some other factors, some networks provide critical information about the network and the nodes within the network to only a few personnel. Far too often, this information resides with only one person. Knowledge management is a very important factor when running a network. The sharing of knowledge can also make the resolution of network problems much easier to contend with. Ensure not only that as many people as possible are involved in the administration of basic network duties, but also that at least two or three trusted individuals have access to all of the documentation pertaining to the network. Consider what problems may arise if you entrust only one person to retain the management login information for all of the VPN Routers in the network.
What may occur if that person is on vacation or has left the company and you need to access the VPN Router for troubleshooting purposes? Because of the security considerations for the VPN Router, there is no default or back-door password. In the event of a system failure where login access is denied, the unit will have to be replaced.

Also consider the extended time it may take to troubleshoot a problem within a subnet when the only person who is aware of the nodes within the subnet is not available. Tracing down problem areas can be very time consuming (if not impossible) at times.

Knowledge sharing is very important and it can make a tremendous difference in resolving issues that occur in the network. Follow this very important proactive step to help ensure that network connectivity stays up and to reduce recovery time when network troubleshooting is required.

Documentation

Using a system of developing and retaining effective documentation that relates to your network can be very rewarding not only in troubleshooting the network, but also in future growth and development. Effective documentation can also provide a wealth of information for training and reference.

Among the most important documents that should be developed are network topology diagrams. These diagrams can provide a lot of help when you are troubleshooting a network. They also make great reference documents when you are training new personnel, or planning for network changes and/or growth.
Following are some examples of other helpful documentation to have available:

■ Network change control documents
■ Contractual support documents
■ IP schemes
■ Topology diagrams
■ List of support centers
■ List of contacts
■ Information about network nodes
■ Training documentation

Retaining documentation relating to the nodes within your network, as well as the network itself, is very effective for the overall support of the network. There is really no such thing as too much documentation.

Upgrades and Configuration Changes

Data communications are always changing. New products are always being introduced to the marketplace. New technologies and protocols are developed on a fairly constant basis. Keeping up with these changes is a time-consuming process, but one that is required to meet the demands of customers and employees within the corporate LAN. Technology that was cutting-edge just 5 to 10 years ago is being replaced with the technology of today. Data equipment upgrades and replacements are fairly common with most large corporations and, with that, the need to analyze and plan for that growth is a requirement and not a luxury. In addition to keeping up with the ever-expanding data communications market, there are times when an upgrade or a change is required to resolve an issue, or simply to meet internal growth.

You have already learned that planning to meet the current needs of the network is important. When cost is a factor, planning for the future is also important. So, now that the planning is complete and the hardware and software that are needed to implement the change are available, it's time to take the plan and put it into action. Because most planned events on the network do require some network downtime, it makes sense to reduce the downtime as much as possible and to make the transition run as simply as possible.
This section contains a few proactive steps that can be taken to help ensure that the implementation of the plan runs more smoothly than it would if the changes were put into place "on the fly."

Research

When planning for a network change event, it is important to ensure that you research what you are trying to accomplish. If you are introducing new hardware or support of a new protocol or technology, research to ensure that the existing infrastructure can support what you want to introduce. Following are some questions to consider when introducing a technology change or hardware change:

■ Will the new hardware or change accomplish what you need?
■ Are there any interoperability issues between the new change and the existing equipment within the network?
■ Are any code upgrades required to support the new hardware/change?
■ Are any other changes or hardware upgrades required to support the new change?

If you are performing a software upgrade, then research the release notes for the software to ensure that you are aware of new changes and implementations within the new code version, as well as any known issues. When upgrading your VPN Router, ensure that you read the code version release notes. Following are examples of things to check and verify:

■ Will the new code accomplish what you need?
■ Are there any known issues in the new code that may affect the network?
■ Are any hardware upgrades required to support the new code?
■ Are there any higher versions of code that may need to be considered?
■ Are there any interim upgrades required to upgrade to the version that you need?
■ If upgrading VPN Router code, will a Client upgrade be required as well?

Knowing the answers to these questions is important. Consider what problems may occur if you upgrade to a version that is not compatible with technologies that are supported within your network.
What is the impact of the upgrade to the end user? Knowing what to expect and planning for it will help the transition run smoothly.

Pre-Testing

Whenever practical, it is always a good practice to pre-test the change that you will be making in a lab environment. Not only will this give you an opportunity to document the steps required to complete the change, but it will also give you practice in doing the change. Pre-testing should be accomplished as far in advance as possible. This will give you ample time to walk through and document the process, and will also provide time to let the setup run in the lab for a while. If the setup runs smoothly in the lab, chances are it will run fine when implemented in your production network.

As with upgrades and changes to existing equipment, pre-staging new equipment can be a tremendous help in implementing a change in the network. Pre-staging new equipment gives you an opportunity to "burn in" the equipment and also test to ensure that the equipment is functional. If pre-staged correctly, you can also simply move the new equipment into place with very little configuration required. This process greatly reduces network downtime during the change.

Action Plan

A detailed action plan is a tremendous help when implementing a network change. Not only does the action plan outline all steps to be taken during the duration of the change, but it can provide a lot of insight if technical support is required at some point during the change. A network change action plan should be as detailed as possible. Following are some of the things that should be included within the action plan:

■ Exact time and date of the change
■ Equipment that will be affected
■ What the purpose of the change is
■ Individuals to be involved
■ Anticipated duration
■ List of required tools (software, configurations, hardware, and so on)
■ Login information

[...]
... ■ Topology diagram(s)
■ Pre-change testing information
■ Post-change testing information
■ White ...

... get someone to test the action plan in the lab. Finally, save a copy of the action plan and have it available in case you need to involve a support person from one of your vendors at some point during the change.

Nortel Support

Nortel provides technical support 24/7 for most of its products. The Nortel VPN Router is included in this support. To access Nortel technical support, you will need to have a valid ...

... number. Nortel telephone support can be reached at 1-800-4NORTEL. The Nortel Web site also contains a lot of support information that can assist the users of Nortel equipment in troubleshooting and/or configuring the equipment. The Nortel Web site is located at: www.Nortel.com. If you must call the Nortel support center for help with a problem with your Nortel VPN Router, there is some basic information that you should have available to provide to the ...

... known as Command Line Interface, commands have less intensive bandwidth requirements and may be used for out-of-band management via a low-speed dialup connection connected to the Console Interface. This aids in monitoring the Nortel VPN Router when TCP/IP connectivity over the Internet has been lost and allows a user to communicate with the device to monitor and perform remote diagnostics and troubleshooting ...

... compatible serial cable to a PC running a terminal emulation program such as HyperTerminal in Windows. The default settings for the Console Interface on a Nortel VPN Router are 9600 baud, 8 bits, 1 stop bit, and no parity. Upon connection to the Console Interface, you may need to press the Enter key to display the login screen. The prompt appears as follows:

Please enter the administrator's user name: admin ...

... Primary Administrator of the unit>
Please enter the administrator's password: setup

NOTE On a new unit, the default user ID for the Primary Administrator is admin with a password of setup. These values may be changed upon initial configuration of the Nortel VPN Router and can be changed only by that administrator. The user ID and password must ...

... Command Line Interface
Reset System to Factory Defaults
Exit, Save and Invoke Changes
Please select a menu choice (0 - 9, B,P,C,L,R,E):

Command Line Interpreter Commands

Select selection L to enter the CLI. The user is presented with the following prompt to begin entering commands:

CES>

Access via Telnet Session

Using any Telnet utility program, a Telnet session may be established with the Nortel VPN ...

... event log (admin mode)
dir     To display a list of files in the current directory
enable  Enables privileged commands
exit    Enables settings and disables exec mode and enables user level mode
help    Displays information about using commands interactively
ls      To display a list of files in the current directory
ping    Sends a ping message to a destination
pwd     To show the current directory
reset   Resets a port
show ...

... System Commands

The cd, dir, ls, and pwd commands are used to view and verify the directory structure and files contained within the Nortel VPN Router. The pwd command is used to print the working directory where the user is currently located. This will provide the user with the directory tree structure in subdirectory ldif. Following is an example:

CES>pwd
/ide0/system/slapd/ldif/

The dir and ls commands are ...

... introduction to the Nortel VPN Router. Using and understanding the information in this book will greatly improve your understanding and effectiveness when working with your Nortel VPN Router.

APPENDIX A

Abbreviation and Acronym Reference Listing

This appendix contains abbreviations and acronyms for VPN terminology, as well as other abbreviations and acronyms that you will come across occasionally as the VPN ...

... A
RFS     Remote File Service
RIF     Routing Information Field
RIP     Routing Information Protocol
RISC    Reduced Instruction Set Computing
RJE     Remote Job Entry
RLOGIN  Remote Login
RLP     Radio Link Protocol
RMA     Return Merchandise Authorization
RMON    Remote Monitoring
RNR     Receive Not Ready
ROM     Read Only Memory
RPC     Remote Procedure Call
RPM     Rotations per Minute
RR      Receive Ready
RRAS    Routing and Remote Access Service ...

Posted: 14/08/2014, 14:20
