BSGX4e Business Gateway User Guide Release 01.
Trademarks Nortel, the Nortel logo, and the Globemark are trademarks of Nortel Networks. All other trademarks appearing in this guide are the exclusive property of their respective owners. Hardware Notice WARNING: Before working on this equipment, be aware of good safety practices and the hazards involved with electrical circuits. WARNING: To reduce risk of injury, fire hazard, and electric shock, do not install the unit near a damp location.
NN47928-102 BSGX4e Business Gateway User Guide Release 01.
ABOUT THIS GUIDE
This preface describes the intended audience for this guide, how this guide is organized, its conventions, and access to customer support.
Audience
This document provides guidelines for configuring and monitoring the BSGX4e Business Gateway device. It is designed for network managers, administrators, and technicians who are responsible for the management of networking equipment in enterprise and service provider environments.
Table 1. User Guide Organization (continued)
Chapter  Title                    Content
8        Routing Configuration    How to manage an Address Resolution Protocol (ARP) table, configure static routes, and start the Routing Information Protocol (RIP) daemon.
Part III: Traffic Protection
9        Security Configuration   Security topics, including the firewall, Network Address Translation (NAT), Application Layer Gateway (ALG), and Intrusion Detection System (IDS).
Table 1. User Guide Organization (continued)
Chapter  Title                   Content
E        Standards Compliance    Lists the data and voice standards to which the device complies.
F        Rule Compliance         Describes how the device complies with U.S. Federal Communications Commission (FCC) and Canadian telecommunication rules.
G        Copyright Information   Lists copyright acknowledgements and restrictions.
Conventions
The following conventions are used throughout the guide.
Documentation
The documentation for the unit is on the CD-ROM, titled Nortel BSGX4e Documentation, that is shipped with the unit. PDF files on the CD contain the following guides:
BSGX4e Business Gateway Installation Guide
BSGX4e Business Gateway User Guide
To view PDF files, use Adobe Acrobat® Reader® 5.0, or later, from your workstation. If Adobe Acrobat Reader is not installed on your system, you can obtain it free from the Adobe website: www.adobe.
Getting Help from a specialist by using an Express Routing Code
To access some Nortel Technical Solutions Centers, you can use an Express Routing Code (ERC) to quickly route your call to a specialist in your Nortel product or service. To locate the ERC for your product or service, go to: www.nortel.
1 CONNECTING TO THE DEVICE
This chapter describes the features of the BSGX4e device and its role in an IP network. It also describes how to connect to the device and how to set up remote administrative services. The BSGX4e is an integrated device that contains a broad set of networking functionality for voice and data in a single unit: it acts as a full-featured router with VoIP, QoS, and advanced security capabilities.
Figure 1. BSGX4e Connectivity (diagram labels: Administrative Servers, VoIP Call Servers, ICAD40, Central Office Line, Analog Phone, VoIP Phones)
Device Features
A BSGX4e unit provides the following services:
VoIP Session Controller
The BSGX4e unit acts as the session controller for up to 1000 VoIP phones. It can use the SIP or MGCP protocol and can control up to 500 concurrent calls. When the WAN is down, the unit provides VoIP survivability.
A BSGX4e unit provides two telephony interfaces: one FXS port for connectivity of analog phones or fax machines and one FXO port to act as a backup lifeline to the PSTN.
Security
To provide network security, a BSGX4e unit includes a firewall, an advanced Intrusion Detection System (IDS), Application Layer Gateway (ALG), and support for network address translation (NAT) and virtual private networks (VPNs).
Connecting to the Unit
This user guide assumes that the BSGX4e unit is installed in a working IP network. The installation procedures are described in the BSGX4e Business Gateway Installation Guide. Configure and monitor this unit by using commands or by using its Web user interface. This user guide describes command use; the Web user interface is introduced in “Web User Interface” (page 379).
3. Enter the password for the user account.
Password:
The initial password is PlsChgMe!; it may have been changed during installation.
4. System information is displayed, ending with the command prompt, which ends with the greater than (>) symbol.
5. After the command prompt, enter the following command:
> show interface ip
A display similar to the following appears:
"eth0" info:
Interface eth0
Flags (A843) < UP BROADCAST RUNNING SIMPLEX LINKUP MULTICAST
IP Address/Mask 172.16.1.
The Telnet server in the unit is initially disabled. You open a connection to the unit from a Telnet session on a workstation. For more information, see “Telnet Access” (page 34).
The SSH server in the unit is also initially enabled. It provides a means of secure, remote access. For more information, see “SSH Server” (page 36).
The Web server is initially enabled to allow the use of the Web user interface. Access to the Web server is described in “Web Server” (page 38).
Table 3. Telnet Server Configuration Parameters
Parameter  Description
enabled    Enables the Telnet server (Boolean). Initially, Telnet is enabled.
port       Telnet server port number. The default is 23.
Telnet Configuration Example
The following example disables the Telnet server on port 23.
SSH Server
This section describes how to configure the Secure Shell (SSH) server. The SSH server enables secure remote access to the BSGX4e device over an insecure network, such as the Internet. SSH version 2 is supported. SSH use requires the following:
The workstation on the WAN or LAN must provide an SSH client (for example, PuTTY or SSH Secure Shell).
As initially configured, the SSH server in the unit is enabled, and the firewall allows SSH access from the WAN.
Table 5. SSH Configuration Parameters
Parameter    Description
enabled      Enables the SSH server (Boolean). The initial setting is enabled.
port         SSH server port number. The default is 22.
hostkeys     Host keys that the SSH server uses to authenticate itself (none | 640bit). The default is 640bit. To regenerate the SSH keys, set HostKeys to none, and then to 640bit.
authmethods  Permitted authentication methods (all | keyboard | password | publickey | none). The default is all.
HostKeys     generating...
AuthMethods  keyboard + password + publickey
Services     ssh + sftp
The key regeneration can take several seconds. During this period, the value of the parameter HostKeys is generating....
Upload Public Key
To upload the public key of an SSH client, use a Simple File Transfer Protocol (SFTP) session. The following example uploads the key of client fred to the BSGX4e device, IP address 192.168.134.217.
1. Start the SFTP session:
fred@cygnus ~ $ sftp admin@192.168.134.
The workstation on the WAN or LAN must provide a Web browser (Microsoft Internet Explorer or Mozilla Firefox).
As initially configured, the Web server in the unit is enabled, and the firewall allows HTTP or HTTPS traffic from the WAN terminating at the BSGX4e.
NOTE: The initial unit configuration enables the Web server and configures a security policy to allow Web access from the WAN to the unit.
HTTP Port   80
HTTPS Port  443
Show Web Server Statistics
To display the statistics of the Web server, enter the following command:
> stats service web
Web Stats:
Redirects   0    Errors      0
Access Err  0    Timeouts    0
Form Hits   0    Local Hits  0
Table 7 describes the Web server statistics.
Table 7. Web Server Statistics
Statistic   Description
Redirects   Number of redirections from the Web server.
Errors      Number of Web server errors.
Access Err  Number of security violations from the Web server.
NOTE: If the SSL key is deleted, new SSL connections cannot be created. To see the status of the SSL key, enter show ssl key.
A new SSL key can be generated. The number of bits is constrained to 512, 768, 1024, or 2048. When the SSL key record is created or modified, a key generation task is started. Key generation can take several minutes, depending on the size of the key.
Table 9. SSL CSR Configuration Parameters (continued)
Parameter   Description
locality    Locality or city name (such as, Fremont).
orgname     Company name (such as, NewCo).
orgunit     Organizational unit (such as, Engineering).
commonname  Domain name (such as, www.example.com).
email       E-mail address (such as, webadmin@example.com).
Upload SSL CSR
Use SFTP to upload an SSL CSR. The recommended directory for the uploaded CSR file is /cf0sys/ssl. An example follows.
1.
A single X509 certificate can be generated. When self-signed, the certificate is derived from the current CSR record and key record.
NOTE: A self-signed certificate can be generated only if an SSL key record and an SSL CSR record exist.
Alternately, you can import an SSL certificate using a file containing a certificate signed by an external certificate authority (CA).
Bits   Status
768    ok
(While key generation occurs, the Status field displays generating…. After key generation is complete, it displays ok.)
> show ssl csr
SSL Certificate Signing Request:
Type  Country  State  Locality  OrgName  OrgUnit  CommonName  Email  Status  PEMData
x509  FR  Paris  EiffelGroup  Sells  www.eiffelgroup.com  contact@eiffelgroup.
Status  ok
The Sha1FingerPrint field displays the Secure Hash Algorithm-One (SHA1) fingerprint of the certificate. The Status field indicates the status of a self-signed certificate:
no key                      No SSL key record exists; generate a new key.
no csr                      No SSL CSR exists; generate a new CSR.
waiting for key generator…  The certificate is being generated.
ok                          Certificate generation is complete.
2 INITIAL SETUP
This chapter describes the initial setup of the BSGX4e device, including:
system time and SNTP server configuration
watchdog reset timer
DNS server configuration
default configuration settings
For information about customizing the command line, see “Customizing the Command Session” (page 78).
Setting the Time
Two methods exist for setting the system time for the BSGX4e unit. Acquire the time from the IP network through the SNTP protocol.
Setting the Time through an SNTP Server
The unit can automatically synchronize its internal time to the time provided by an SNTP server. For automatic time synchronization:
The SNTP client configuration must specify at least one SNTP server and the appropriate time zone offset.
The SNTP client must be enabled.
NOTE: To change an SNTP server, the SNTP client must be disabled.
SNTP:
Enabled        on
Server 1       ntpserver.wan.com
Server 2       0.0.0.0
Server 3       0.0.0.0
Server 4       0.0.0.0
Gmt Offset     +01:00
Sync Interval  7 days
Last Sync      FRI FEB 17 15:53:25 2006
Next Sync      FRI FEB 24 15:53:25 2006
Changing SNTP Servers
To change the SNTP servers, disable the SNTP client first.
Watchdog Timer Example
The following example enables the watchdog and sets its refresh interval to five seconds.
> config system watchdog enabled refresh 5
*> save
Show Watchdog Configuration
To show the current watchdog configuration, enter the following command:
> show system watchdog
Watchdog Configuration:
Watchdog Enabled  yes
Refresh interval  5 seconds
DNS Client
The Domain Name Service (DNS) client in the unit sends requests to a DNS server on the WAN.
Table 13. DNS Client Configuration Parameters
Parameter  Description
dns1       IP address of the primary DNS server.
dns2       IP address of an optional, secondary DNS server.
domain     Domain name for the unit. For a name that is not an FQDN, the DNS client adds the domain to the host before querying the DNS server. Example: If the specified name is host and the specified domain is domain.com, the query is for host.domain.com.
source     Source of the DNS configuration (user | dhcp | ppp).
3. Change the source parameter to user; the previously entered, user-provided configuration is then used.
> config system dns source user
> show system dns
DNS Settings:
DNS1  DNS2  Domain  Source
192.168.1.2  0.0.0.0  user
Show DNS Client Configuration
To see the configuration currently in use by the DNS client, enter the following command:
> show system dns
DNS Settings:
DNS1  DNS2  Domain  Source
192.168.134.160  0.0.0.0  wan.
Table 14 lists the initial settings of the unit when it is shipped. It also references the sections in this guide where the settings are discussed.
Table 14. Initial Settings
IP Interface  Initial Settings                                              To change, go to:
eth0          IP address: 0.0.0.0; no IP mask; DHCP client is on (enabled)  “eth0 Configuration Command” (page 92)
eth1          IP address/mask: 192.168.1.1/255.255.255.
Table 14. Initial Settings (continued)
Security Policies  Traffic from WAN to LAN is rejected. Traffic from WAN terminating at the unit is rejected, except for Web UI, SSH, and Telnet traffic.
Table 14. Initial Settings (continued)
SSH server            Enabled. AuthMethods: keyboard + password + publickey. Services: ssh + sftp   “SSH Server” (page 36)
Web server            Enabled.                                                                  “Web Server” (page 38)
Logging               Audit logging: enabled (show audit log)                                   “Audit Logging” (page 324)
                      Remote module logging (udplog and syslog): disabled.                      “Module Logging” (page 325)
                      Local module logging: enabled (show logging internal)
Watchdog reset timer  Enabled.
Table 14. Initial Settings (continued)
VLAN           Disabled.  “VLAN Configuration” (page 111)
Netflow agent  Disabled.  “Netflow Exporter” (page 343)
PMON agent     Disabled.  “Protocol Monitoring (PMON)” (page 340)
3 USER MANAGEMENT
This chapter describes how to control access to the BSGX4e unit:
password entry
adding and removing users
setting up groups
assigning permission to users and to groups
authentication using a Radius server or a TACACS+ server
IMPORTANT: The security of the BSGX4e unit depends on password security. To ensure secure access to the unit, change passwords regularly and keep them secure.
Authenticates the entered password by using either strong password hashing (SHA) or external authentication through a Radius server.
Never stores passwords in clear text.
Tracks log on attempts:
  Locks out the console port after three failed log on attempts.
  Keeps a log of all failed log on attempts and logouts.
Can limit user accounts to specific access methods, including CLI, Web UI, Telnet, SSH, and/or File Transfer Protocol (FTP).
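The login-tracking behaviour listed above is easy to get subtly wrong (counting failures per source instead of per account, or comparing hashes with a timing-dependent equality). The following is an added example, not BSGX4e firmware code, that models the stated policy in Python: salted password hashing, no clear-text storage, lockout after three failed attempts, and an audit log of failures and logouts. The use of PBKDF2-HMAC-SHA256, the audit-log wording, and the indefinite lockout are assumptions; the page only says "SHA" and "three failed log on attempts".

```python
"""Model of the account-protection behaviour described in the guide
(added example, not the BSGX4e implementation).

Assumptions not on the page: PBKDF2-HMAC-SHA256 stands in for the unit's
"strong password hashing (SHA)", the lockout is indefinite until an
administrator clears it, and the audit-log line format is invented.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass

MAX_FAILURES = 3  # from the page: lock out after three failed log on attempts


@dataclass
class Account:
    name: str
    salt: bytes       # per-account random salt, so equal passwords hash differently
    digest: bytes     # only the derived digest is stored, never the password
    failures: int = 0
    locked: bool = False


def _derive(password: str, salt: bytes) -> bytes:
    # Assumption: PBKDF2-HMAC-SHA256 with 100k iterations as the "SHA" hashing.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Authenticator:
    def __init__(self) -> None:
        self.accounts = {}    # name -> Account
        self.audit_log = []   # what "show audit log" would list

    def add_user(self, name: str, password: str) -> None:
        salt = os.urandom(16)
        self.accounts[name] = Account(name, salt, _derive(password, salt))

    def login(self, name: str, password: str, source: str) -> bool:
        acct = self.accounts.get(name)
        if acct is None or acct.locked:
            # Unknown and locked accounts fail identically; both are logged.
            self.audit_log.append(f"FAIL {name} from {source} (unknown or locked)")
            return False
        # Constant-time comparison of the freshly derived digest against the stored one.
        if hmac.compare_digest(_derive(password, acct.salt), acct.digest):
            acct.failures = 0
            return True
        acct.failures += 1
        self.audit_log.append(f"FAIL {name} from {source} ({acct.failures}/{MAX_FAILURES})")
        if acct.failures >= MAX_FAILURES:
            acct.locked = True
            self.audit_log.append(f"LOCK {name}")
        return False

    def logout(self, name: str) -> None:
        self.audit_log.append(f"LOGOUT {name}")

    def unlock(self, name: str) -> None:
        # Administrative reset of the lockout (assumed; the page does not describe one).
        acct = self.accounts[name]
        acct.failures = 0
        acct.locked = False


if __name__ == "__main__":
    auth = Authenticator()
    auth.add_user("user1", "test123")          # sample account from the guide's example
    for attempt in ("wrong", "wrong", "wrong", "test123"):
        print(attempt, "->", auth.login("user1", attempt, "console"))
    print("\n".join(auth.audit_log))
```

Note that a correct password is refused once the account is locked, and that the failure counter is per account, not per connection, so an attacker cannot reset it by reconnecting.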
All invalid log on attempts are recorded in the audit log. For more information about the audit log, see “Audit Logging” (page 324).
Changing a Password
Changing a password depends on whether the user account uses internal or external authentication (as determined by its auth parameter; see “User Accounts” (page 61)). If a user account uses internal authentication, the password for the account can be changed while logged on to the account.
Showing Active Users
To see which users are currently logged in to the unit, use the maintenance command whoison; its display shows the source IP address of the user and the type of access in effect. An example follows:
> whoison
User   Source IP  Type
------------------------------
admin  Unknown    Terminal
user   10.0.1.2   Web
The Type field indicates how the user is connected to the unit: Terminal (console port), SSH, Telnet, or Web.
User Accounts, Groups and Rights
User access to a BSGX4e unit is managed by using user accounts, user groups, and user rights settings. The initial factory settings for the unit define the following:
Two user groups: one for administrators (admins) and one for other users (users). The admins user group is granted all access modes, and the other user group is granted only Web and CLI access.
Two user accounts: one for administrators (admin) and one for other users (user).
Table 16 describes the parameters for config user account.
Table 16. User Account Configuration Parameters
Parameter  Description
[name]     Name of the existing account to be changed or the new account to be added. This parameter is required. If an existing account is specified, only the specified parameter values are changed; all other existing values remain unchanged.
access     Access methods allowed to this user. The default is none.
           all   All access methods allowed.
           none  No access allowed.
Add User Account Example
This example assumes that the user is given read and write access to the unit, but only while connected directly to its console port or to the Web interface; no remote access is allowed:
name of user account: user1
access methods allowed: Web + cli
group membership: admins
assigned password: test123
NOTE: This example is shown in interactive mode. For more information, see “Interactive Mode” (page 82).
> del user account user1
*> save
User Groups
Before you add a new user group or change an existing user group, review the settings of the current user groups by entering the following command:
> show user groups
Then, to add or change a group, use the following command:
> config user group
NOTE: The maximum number of user groups that you can define for the BSGX4e unit is 10.
Table 17 describes the parameters for config user group.
Table 17.
Table 17. User Group Configuration Parameters (continued)
Parameter  Description
auth       Internal or external password authentication. The default is internal Strong Password Hashing (SHA). To require external authentication, specify RADIUS or TACACS and configure an authentication record for this user account. For more information, see “Radius Authentication” (page 68).
all        Indicates whether all access is given to the group.
User Rights This section describes how to configure a record that defines the access of a group to certain objects. The available access rights are read, write, and execute. Read allows the viewing of data; write allows the writing of data; execute is not currently used. A group can have more than one rights record defined for it. For example, the predefined rights records useradv and userbasic are both defined for the same user group: the user group users.
deemed necessary and only when the effects of authority and object ownership are clearly understood.
Configuration Command
Before adding a new rights record or changing an existing rights record, review the current records by entering the following command:
> show user rights
Then, to add or change a rights record, use the following command:
> config user rights
Table 18 describes the parameters for config user rights.
Table 18.
Enter the following commands:
> config user rights user access read gname users object Users
*> save
Show User Rights Record
To show the rights record named user, enter the following command:
> show user rights user
The display is similar to the following:
Access Rights:
Identifier  Access mode  Group name  Object name
------------------------------------------------
user        read         users       Users
Deleting a User Rights Record
To delete a user rights record, specify the name of the record on the command
provides legacy authentication, which enables the BSGX4e to function as a Network Access Server (NAS)
NOTE: The password of a user account is externally authenticated by a Radius server only if its auth parameter value is Radius. This value can be specified for the user account or for a user group to which the user account belongs. User account configuration is described on page 61 and user group configuration is described on page 64.
the name or address of the Radius server (authserver)
the secret that the client shares with the server (secret)
how the Radius server accesses the Radius client:
  If DHCP is enabled, specify that the client automatically binds to an interface (auto yes) and specify the interface (interface).
  If DHCP is disabled, specify the binding IP address of the client (bindaddr).
> conf radius client RadiusUser
Entering interactive mode: ctrl^z | 'exit', ctrl^c | 'quit'
TAB to cycle parameter options
radius-cl-user#> enabled yes
radius-cl-user#> auto yes
radius-cl-user#> authserver radius.wan.com
radius-cl-user#> secret Radsecret
radius-cl-user#> interface eth0
radius-cl-user#> exit
2.
One external authentication method uses the TACACS+ protocol. This protocol provides authentication, authorization, and accounting services. Normal operation fully encrypts the body of the packet for secure communication. It uses TCP port 49. The TACACS+ client:
Is compatible with standard TACACS+ servers.
Maps TACACS+ authentication records to users by their user account name.
Can reference up to twenty TACACS+ authentication records.
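What "encrypts the body of the packet" means on the wire is worth seeing concretely, because it determines how much the shared key (the key parameter of the authentication record) is protecting. The following is an added example, not BSGX4e code, that implements the TACACS+ body obfuscation from RFC 8907 section 4.5 in Python: the body is XORed with a pseudo-pad of chained MD5 digests keyed on the shared secret, the session ID, the version byte and the sequence number, and the same function encodes and decodes. It also parses the 12-byte header so a defender can flag packets that carry the TAC_PLUS_UNENCRYPTED_FLAG, which means the body was sent in the clear. The session ID, key and body used at the bottom are constructed sample values.

```python
"""TACACS+ (RFC 8907) packet body obfuscation and header parsing.
Added example, not the BSGX4e implementation. Key, session id and body
values below are constructed for the demonstration.
"""
import hashlib
import struct

TAC_PLUS_VERSION = 0xC0            # major version 0xC, minor version 0
TAC_PLUS_AUTHEN = 0x01             # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01   # header flag: body is sent without obfuscation
HEADER = struct.Struct("!BBBBII")  # version, type, seq_no, flags, session_id, length


def tacacs_pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """RFC 8907 pseudo-pad: MD5_1 = MD5(session_id, key, version, seq_no);
    MD5_n = MD5(session_id, key, version, seq_no, MD5_{n-1}); concatenate, truncate."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad = b""
    prev = b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def tacacs_obfuscate(session_id: int, key: bytes, version: int, seq_no: int, body: bytes) -> bytes:
    """XOR the body with the pseudo-pad. Applying it twice restores the body."""
    pad = tacacs_pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def encode_packet(key: bytes, session_id: int, seq_no: int, ptype: int, body: bytes,
                  obfuscate: bool = True) -> bytes:
    """Build header + body. With obfuscate=False the clear flag is set, as some
    deployments do for debugging; that is the condition a defender should alert on."""
    flags = 0 if obfuscate else TAC_PLUS_UNENCRYPTED_FLAG
    payload = tacacs_obfuscate(session_id, key, TAC_PLUS_VERSION, seq_no, body) if obfuscate else body
    return HEADER.pack(TAC_PLUS_VERSION, ptype, seq_no, flags, session_id, len(body)) + payload


def decode_packet(key: bytes, packet: bytes) -> bytes:
    """Parse the header and return the de-obfuscated body.
    A wrong key does not raise; it simply yields garbage, as it does on real servers."""
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack_from(packet)
    payload = packet[HEADER.size:HEADER.size + length]
    if len(payload) != length:
        raise ValueError("truncated TACACS+ body")
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        return payload
    return tacacs_obfuscate(session_id, key, version, seq_no, payload)


def is_unencrypted(packet: bytes) -> bool:
    """True if the header says the body travelled in the clear (detection check)."""
    return bool(HEADER.unpack_from(packet)[3] & TAC_PLUS_UNENCRYPTED_FLAG)


if __name__ == "__main__":
    key = b"Tacsecret"                                   # constructed shared key
    body = b"\x01\x01\x02\x01\x05\x03\x00\x00admin"      # constructed sample body
    pkt = encode_packet(key, 0x12345678, 1, TAC_PLUS_AUTHEN, body)
    print("on the wire:", pkt.hex())
    print("decoded    :", decode_packet(key, pkt))
    print("clear flag :", is_unencrypted(pkt))
```

Because the pad depends only on the shared key and a few header bytes that are visible in every packet, the confidentiality of the exchange rests entirely on the strength and secrecy of the key parameter; a long random key and a restricted path between the unit and the TACACS+ server on TCP port 49 are the practical mitigations.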
Table 20. TACACS+ Authentication Record Parameters
Parameter  Description
[user]     Name of the user account to which the authentication record applies. The user account must specify TACACS+ authentication.
enabled    Whether the TACACS+ client is enabled for the user. The default is yes.
server     IP address of the TACACS+ server that the client references.
key        Shared key for the client as determined by the server.
TACACS+ Activity Logs TACACS+ client activity is reported in the system log. Log entries indicate whether authentication attempts are successful or not.
3. The user account and its password must be defined on the external TACACS+ server.
NOTE: Disabling its authentication record suspends TACACS+ authentication for a user account. This prevents logins by the user account until either its authentication record is re-enabled or its authentication method (auth value) is changed.
TACACS+ Authentication Records
For each user account configured to use TACACS+ authentication, a TACACS+ authentication record must be configured.
> show user account TACuser
Users:
Name     Access                     Auth  Group1  Password  Inherit  Enabled
         Group2  Group3  Group4  Group5
-----------------------------------------------------------------------------
TACuser  ssh + web + cli + telnet   TAC*  admins  ******    yes      yes
4 COMMAND INTERFACE
This chapter describes the Command Line Interface (CLI) for the BSGX4e device. The CLI provides commands for every function of the device. It also provides online help and an interactive mode for easier command entry. For an introduction to the other user interface, the Web User Interface, see “Web User Interface” (page 379). This chapter discusses these topics:
Command entry.
Logging out.
Customizing the command session.
Saving configuration changes across restarts.
For more information about the authority granted to user accounts, see “User Accounts, Groups and Rights” (page 61). The Command Line Interpreter executes a command as soon as it receives it. If the entire command is entered on one line, the command is executed immediately after the Enter key is typed. If the command is entered in interactive mode (see “Interactive Mode” (page 82)), the command is executed as soon as its entry is complete (after entry of exit or ctrl-z).
- line width (initially, 80 characters)
- command prompt
- session timeout (initially, 60 minutes)
To see the current terminal settings, enter the following command:
> show shell terminal
Terminal Settings:
Width  Prompt  Timeout
80     BSG     60 (min)
Changing the Terminal Settings
To change the terminal settings, use the following command:
> config shell terminal
Table 22 lists the terminal parameters:
Table 22.
To remind you that configuration changes are pending, the command prompt changes so it contains asterisks. For example, the default command prompt changes from BSGX4e> to *BSGX4e*>. The asterisks indicate that, although received and applied, the entered changes are not yet stored in nonvolatile memory. By convention, this guide shows the command prompt with asterisks as just *>. For example, the save command is entered after a *> prompt:
*> save
Saving:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:............:.....:.:.:..
For example, the following commands cause the unit to display its system information immediately after each restart:
> config system startup 0 command “show system info”
*> save
Online Help
To get online help with commands while logged in to the device, use the command help.
General Help
To list general information about the CLI, type the word help after a command prompt and press the enter key:
> help
A long list is displayed.
An example follows: For information about the command to configure an IP interface, enter any of the following:
> help config interface ip
or
> config interface ip ?
or
> config interface ip
In response to any of those entries, the online help display lists the parameters for config interface ip, as follows:
[if]  Interface to change behaviour of (eth0 | eth1)
ip    IP address and mask of interface
mtu   The Maximum Transmission Unit (MTU) of the interface
dhcp  Whether or not DHCP is enabled for the
NOTE: The command prompt changes while in the interactive mode.
NOTE: To leave the interactive mode, enter exit or the key combination ctrl-z to execute the command, or enter quit or the key combination ctrl-c to cancel the command.
Notice that the first parameter, [name], is bracketed, indicating that it is a primary key.
Parameter Values
In general, a parameter is specified by its name followed by its value. For example, port 2600 specifies the value 2600 for the port parameter. The following list describes exceptions for specifying parameter values:
Primary Key
If the first parameter for a command is listed in brackets (such as [name]), it is a primary key parameter and specifies the object of the command.
For example, the following command turns off the Netflow agent by turning off the Boolean parameter enabled:
> config netflow agent no enabled
As an example of using no to clear a string parameter, the following command clears the name of the unit. (The default unit name is MyUnit.)
> config system info no unit
To see the result, enter:
*> show system info
The Unit Name is now blank:
System Info:
Unit Name Bootcode Ver App.
Maintenance Commands
To see a list of available maintenance commands, enter the help command. The maintenance commands are also listed at the end of this section.
Maintenance Command Syntax
Maintenance commands have the following syntax:
{[] []}
NOTE: Square brackets ([ ]) indicate one or no occurrence, and braces ({ }) indicate one or more occurrences.
Commands that Require Only Users Authority
Command   Purpose
arp       Show or flush the ARP table, or set/delete static arp entries
cat       Display files
cd        Change to another directory
cls       Clear the terminal screen
cp        Copy a file
cpu       Show details on CPU and AP usage
dump      Dump the current configuration as a re-entryable script
logoff    Log off the system
ls        List the file system
mkdir     Make directories
netstat   List current networking connections and listening ports
password  Change the specified user's pa
Debug Commands
A set of debug commands provides access to additional information for debugging purposes.
NOTE: All debug commands (and the command that enables debug mode) require Admins authority. To access debugging information, you must log on with a user ID that has administrator authority (such as nnadmin).
To see a list of available debug commands, enter the help command. The debug commands are also listed at the end of this section. Debug commands are available in debug mode only.
apgos apids aplookup apmode apregs apwrite basemac bcmchip collision connections devs dspread dsptest dsptone dspwrite dumpcmd emac flash fxo fxs gosstats i2cscan initfunc jbshow ledflash memory mib mii nfsmount scanblocked stack tasks temp thrash trustedlist tt vqmt
5 WAN INTERFACE CONFIGURATION
This chapter describes how to configure the data interface that connects the BSGX4e unit to an external network, or WAN. The WAN interface in the BSGX4e is an Ethernet interface referenced as eth0. It provides a bandwidth of 100 Mbps.
Ethernet WAN Port and Interface
The Ethernet WAN settings include both speed and duplex mode for the WAN port, and IP address settings for the WAN interface.
Its duplex mode can be half duplex, full duplex, or autonegotiated. The default is autonegotiated.
NOTE: You cannot configure the eth0 flow control setting; it is always disabled.
WAN Interface (eth0)
For traffic to be routed to the WAN interface (eth0), you must assign an IP address to it. The IP address is assigned automatically by a DHCP server if the DHCP service is enabled for the eth0 interface. Otherwise, you must assign an IP address manually.
Configure eth0 Example
This section provides configuration examples for the WAN front port.
Example 1
The following example shows how to configure DHCP service for the eth0 interface.
> config interface ip eth0 dhcp
*> save
> show interface ip eth0
"eth0" info:
Interface        eth0
Flags            (A843) < UP BROADCAST RUNNING SIMPLEX LINKUP MULTICAST >
IP Address/Mask  172.29.0.124/255.255.0.
Lease expires     N/A
MAC Address       00:19:09:74:00:00
Speed             FULL100
Configured Speed  AUTONEG
Show eth0 Configuration
To show the eth0 configuration, enter the following command:
> show interface ip eth0
The display is similar to the following:
"eth0" info:
Interface         eth0
Flags             (8843) < UP BROADCAST RUNNING SIMPLEX MULTICAST >
IP Address/Mask   0.0.0.0/255.0.0.
MTU
DHCP
Lease obtained
Lease expires
MAC Address
Speed
Configured Speed
OutPause OutMulticasts Tx error Deferred Late Collisions Collisions Excessive Multiple Single Out Octets
0 0 3317 0 0 0 0 0 0 97968068849
InPause InMulticasts Rx error InDiscards CRCErr Jabber AlignErr Undersize Oversize Filtered Fragments InGoodOctets In64Octets In127Octets In255Octets In511Octets In1023Octets InMaxOctets
0 19908 96 0 75572 92 0 0 0 0 350813118374 1488666 19993035 193333088 330017 11193721 197620444
Clear Statistics
The following command clears the statist
6 LAN SWITCH CONFIGURATION
This chapter describes how to configure the following features of the BSGX4e device:
- the ports of the LAN switch
- the Ethernet interface (eth1) to the LAN switch
- Address Resolution Logic (ARL) (see “ARL Configuration” (page 104))
- layer 2 QoS (see “Layer 2 QoS” (page 106))
The LAN switch also allows for monitoring of port traffic as described in “Port Mirroring” (page 339).
Flow Control
You can disable or configure flow control for a port to provide either back pressure (forced collision) for half duplex mode or pause frames for full duplex mode. The initial configuration for each LAN port disables flow control.
NOTE: You cannot enable flow control if layer 2 QoS is enabled (see “Layer 2 QoS” (page 106)).
> config switch port 3 speed 100full flow yes enabled yes
*> save
Example 3
This example enables port 4 and changes its configuration, as follows:
Speed: 10half (10 Mbps, half duplex)
Flow control: yes
Enabled: yes
> config switch port 4 flow yes speed 10half enabled yes
*> save
Show Port Configuration
To show the current configuration of the LAN ports, enter the following command:
> show switch port
Switch Ports:
Port  Speed  Enabled  Flow Ctrl
-----------------------------------
0
The possible Flow Ctrl values are:
None        No flow control by either the BSGX4e or its partner.
No-Local    Flow control by the BSGX4e, but not by its partner.
No-Partner  Flow control by its partner, but not by the BSGX4e.
Yes-Both    Flow control by both the BSGX4e and its partner.
Show Port Statistics
The device keeps packet statistics for the LAN switch ports. You can display the statistics as a summary of statistics for all LAN ports or as detailed statistics for a specific port.
Table 26. LAN Port Summary Statistics
Statistic      Description
Undersize      Total frames with length less than 64 octets, with valid FCS.
Oversize       Total frames with length greater than the maximum size, with valid FCS.
In Bad Octets  Total data octets of received frames with invalid FCS (preamble not included). This count includes jabbers and fragments.
Align Err      Total frames of a valid size, but with invalid FCS and nonintegral octets.
LAN Interface (eth1)
This section describes how to configure the IP interface to the LAN (eth1). The eth1 interface is the interface for the uplink (MII) port for the LAN switch. Thus, its configuration is always 100 Mbps, full duplex mode, with flow control disabled.
NOTE: Configure the LAN ports before configuring the LAN interface (eth1). See “LAN Switch Ports” (page 97).
NOTE: Initially, the DHCP client is disabled for eth1 and the static IP address 192.168.1.1/24 is assigned to the interface.
Enter the following commands:
> config interface ip eth1 ip 192.168.1.1/24
*> save
Show eth1 Configuration
To show the current eth1 configuration, enter the following command:
> show interface ip eth1
The display is similar to the following:
"eth1" info:
Interface        eth1
Flags            (A843) < UP BROADCAST RUNNING SIMPLEX LINKUP MULTICAST >
IP Address/Mask  192.168.1.1/255.255.255.
MTU
DHCP
MAC Address
Speed
ARL Configuration
Address Resolution Logic (ARL) maps Media Access Control (MAC) addresses to specific LAN ports. This enables the switching of packets between ports based on the MAC address in the packet. ARL provides the following features:
Dynamic Entries
A MAC address learning process automatically builds the ARL table as a forwarding database. The entries the table creates are dynamic entries: entries that are flushed regularly from the table.
Table 28. ARL Parameters
Parameter  Description
priority   Priority assigned to packets that match this entry (LOWESTQ | LOWQ | HIGHQ | HIGHESTQ). This parameter applies only to static entries. No default exists. This priority assignment overrides any priority queue assignment by layer 2 QoS.
ports      LAN ports associated with this MAC address (0[MII] to 4). No default exists.
Add Static Entry Example
The following example adds a static ARL entry to the forwarding database.
Remove an ARL Entry
To remove an entry from the ARL table, specify its index on the del switch arl command.
NOTE: The del switch arl command cannot delete the static entry that maps port 0 to the MAC address for the eth1 interface.
For example, these commands remove the entry with index 2 from the ARL table:
> del switch arl index 2
*> save
Flush ARL Table
It can be necessary to rebuild the ARL table. To do so, you must flush (empty) the existing ARL table first.
Priority Queues
Layer 2 QoS provides four queues to classify and prioritize network traffic: LOWESTQ, LOWQ, HIGHQ, and HIGHESTQ. LOWESTQ is the lowest priority queue; HIGHESTQ is the highest priority queue. The four queues are assigned weights (8:4:2:1) that determine the time and number of packets serviced from the queue. The queue weighting cannot be changed.
Selecting Layer 2 QoS Settings
To select a layer 2 QoS type setting, enter the following command:
> config switch qos setting
Table 30 describes the parameters for config switch qos setting.
Table 30. Layer 2 QoS Setting Parameters
Parameter   Description
type        Packet value that layer 2 QoS uses to classify traffic (port | TOSDiff | 8021p). The initial setting is port.
scheduling  Method of QoS scheduling to use (wfq for Weighted Fair Queueing or fixed for fixed scheduling). The default is wfq.
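To make the difference between the wfq and fixed scheduling methods concrete, the following simulation (an added example, not Nortel code) drives the four queues from Priority Queues with their 8:4:2:1 weights through a saturated backlog. The guide does not describe the scheduler beyond the weight ratio, so treating wfq as weighted round robin and fixed as strict priority is a modelling assumption.

```python
"""Model the BSGX4e layer 2 QoS queues under 'wfq' and 'fixed' scheduling.

Assumptions (not stated by the guide): 'wfq' is weighted round robin, each
queue sending up to its weight (8:4:2:1) per round; 'fixed' is strict
priority, always draining the highest non-empty queue first.
"""
from collections import deque
from typing import Deque, Dict, List

# Queue names in ascending priority, with the fixed weighting from the guide.
QUEUES = ["LOWESTQ", "LOWQ", "HIGHQ", "HIGHESTQ"]
WEIGHTS = {"HIGHESTQ": 8, "HIGHQ": 4, "LOWQ": 2, "LOWESTQ": 1}


def fill_queues(per_queue: int) -> Dict[str, Deque[str]]:
    """Constructed backlog: every queue starts with `per_queue` waiting packets."""
    return {q: deque(f"{q}-{i}" for i in range(per_queue)) for q in QUEUES}


def schedule(queues: Dict[str, Deque[str]], method: str, slots: int) -> List[str]:
    """Return the name of the queue serviced in each of up to `slots` transmit slots."""
    order: List[str] = []
    by_priority = sorted(QUEUES, key=lambda q: WEIGHTS[q], reverse=True)
    credits = dict(WEIGHTS)  # wfq: packets each queue may still send this round
    while len(order) < slots and any(queues[q] for q in QUEUES):
        if method == "fixed":
            # Strict priority: lower queues wait until every higher queue is empty.
            q = next(q for q in by_priority if queues[q])
        elif method == "wfq":
            ready = [q for q in by_priority if queues[q] and credits[q] > 0]
            if not ready:
                credits = dict(WEIGHTS)  # every queue used its share: new round
                continue
            q = ready[0]
            credits[q] -= 1
        else:
            raise ValueError(f"unknown scheduling method: {method}")
        queues[q].popleft()
        order.append(q)
    return order


def service_share(method: str, per_queue: int = 30, slots: int = 30) -> Dict[str, int]:
    """Packets each queue transmitted in the first `slots` slots of a full backlog."""
    order = schedule(fill_queues(per_queue), method, slots)
    return {q: order.count(q) for q in QUEUES}


if __name__ == "__main__":
    for method in ("wfq", "fixed"):
        print(method, service_share(method))
```

Under this model a sustained burst in HIGHESTQ starves the other three queues entirely with fixed scheduling, while wfq still gives LOWESTQ one slot in every fifteen.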
IEEE 802.1p Tag Mapping Example
The following example selects IEEE 802.
Switch QoS:
Port  Priority
------------------------------------------------
0-1   LOWESTQ
0-2   LOWQ
0-3   HIGHESTQ
0-4   HIGHESTQ
7 VLAN CONFIGURATION
This chapter describes how to configure virtual LANs (VLANs) for the BSGX4e device.
NOTE: VLAN configuration is optional. Initially, no VLANs or virtual interfaces (vifs) are configured.
A virtual LAN (VLAN) is a logically independent network, a logical subcomponent of a physical network. Each VLAN functions as a separate network, and so its traffic is isolated from traffic on other VLANs and traffic on the rest of the physical network.
Packet Tagging
Packets can be tagged with the VLAN ID to enable switching on the VLAN. A port is configured as tagged or untagged when it is assigned to the VLAN. VLANs handle packets as follows:
- Untagged ports transmit untagged packets.
- Tagged ports transmit tagged packets.
- Untagged packets delivered to an untagged port are internally tagged with the VLAN ID to which the port belongs; this enables those packets to be switched.
> config switch vlan 3 name v3 p1 u
*> save
Example 2
The following example assigns port 1 to both VLANs 3 and 4. To be assigned to more than one VLAN, a port must be configured as tagged.
NOTE: You must delete the security policies and virtual interface for the VLAN before you can delete the port assignment for a VLAN.
Table 35. Virtual Interface Parameters (continued)
Parameter  Description
interface  Physical Ethernet interface on which the virtual interface is configured (eth0 for the WAN interface or eth1 for the LAN interface). (If eth0 is specified, the WAN port is automatically assigned to the VLAN.) This parameter is required.
status     Enables the virtual interface (on | off).
comment    Optional comment describing the VLAN.
Show IP Address Assignment
To see the IP address assignment for a virtual interface, specify the virtual interface on the show interface ip command. For example, the following command shows the virtual interface vif0:
> show interface ip vif0
"vif0" info:
Interface        vif0
Flags            (A843) < UP BROADCAST RUNNING SIMPLEX LINKUP MULTICAST >
IP Address/Mask  192.168.135.1/255.255.255.
MTU
DHCP
MAC Address
Speed
MTU          1500
DHCP         off
MAC Address  00:19:09:74:00:01
Speed        N/A
*> save
Example 2
The following example configures VLAN 2 on the WAN interface eth0. It assumes that the WAN port is assigned to VLAN 2. The example configures a virtual interface for VLAN 2 and shows the interface to determine its vif reference (vif1). The example then assigns an IP subnet to the virtual interface:
VLAN ID: 2
IP address: 192.168.136.1
IP mask: 255.255.255.
Change the IP address subnet that is assigned to the virtual interface. For example, to change the IP address subnet for vif0, enter the new subnet:
> config interface ip vif0 ip 1.2.3.4/24
All other changes require that you delete and recreate the VLAN configuration. To remove a VLAN, everything configured for that VLAN (security policies, IP address assignment, virtual interface, and port assignment) must be removed. Thus, deletion of a VLAN requires these steps:
1.
5. Delete the virtual interface for VLAN 1 by using the following command:
*> del interface vlan 1
6. Delete the switch port assignment for VLAN 1 by using the following command:
*> del switch vlan 1
7. Save the deletion by using the following command:
*> save
8 ROUTING CONFIGURATION
This chapter describes the configuration options for routing in the BSGX4e device, including:
- Adding static entries to the Address Resolution Protocol (ARP) table.
- Adding static routes to the routing table.
- Starting a Routing Information Protocol (RIP) daemon to receive routing information from other RIP routers. The BSGX4e device supports RIP versions 1 and 2.
NOTE: One or more routes can be defined during installation.
Configuring ARP
This section describes the Address Resolution Protocol (ARP) in the BSGX4e device. ARP is a network layer protocol that automatically maps IP addresses to hardware Media Access Control (MAC) addresses. When a network node sends data to an IP address on its segment, that node broadcasts an ARP request to resolve the IP address to an Ethernet MAC address. ARP maintains the ARP table in the device. Each entry in the table maps an IP address to a MAC address.
ARP entries:
Host             MAC                Type
------------------------------------------------------------
192.168.134.1    00:30:64:01:9F:FC  Dynamic
192.168.134.160  00:10:B5:D2:78:42  Dynamic
192.168.134.161  00:11:25:AA:32:11  Dynamic
192.168.134.163  00:11:22:33:44:55  Static
192.168.134.
Usually, traffic is classified for quality group protection by using the firewall (as described in “Secure Traffic Processing” (page 129)). However, ARP packets do not pass through the firewall. Therefore, a special command is required to assign ARP traffic to a GoS quality group.
> config route table
Table 38 describes the configuration parameters for config route table.
Table 38. Route Configuration Parameters
Parameter  Description
[dest]     Range of destination IP addresses to which the route applies. To add a default route to the table, specify default.
gw         IP address of the gateway. The gateway must be reachable from the BSGX4e device.
if         Optional interface for the route (none | lo0 | eth0 | eth1).
192.168.134.0  66.206.164.194  255.255.255.0  eth0
Notice that the default route is listed first; its destination address range is shown as 0.0.0.0, netmask 0.0.0.0.
Delete a Static Route
To remove a static route from the routing table, specify its destination address and subnet mask on the command del route table. For example, to delete the static route for destination 192.168.134.0, netmask 255.255.255.0, enter the following command:
> del route table 192.168.134.
Table 39. RIP Daemon Parameters
Parameter  Description
started    Indicates whether the RIP daemon is running. The default value is no.
version    Version of the RIP protocol to run (v1 | v2). The default value is v2 (the recommended version 2).
9 SECURITY CONFIGURATION
This chapter describes how to configure the BSGX4e security features, including:
- Firewall security policies
- Network Address Translation/Application Level Gateway (NAT/ALG) (see “NAT/ALG” (page 134))
- Intrusion Detection System (IDS) (see “IDS” (page 140))
You can also configure Virtual Private Networks (VPN) to ensure secure communications through an insecure network (see “VPN Configuration” (page 153)).
3. If the firewall accepts a packet, then the IDS checks if the packet format is normal (known as a sanity check). Abnormally formatted packets are discarded. IDS then checks whether the packet should be considered an attack and, if so, discards it. Otherwise, the packet is delivered to the destination interface.
4. If the packet is identified as valid, information in its header is modified by NAT/ALG to guard private IP information from public entities.
Policy sequence numbers are always evenly spaced. Thus, when a new policy is inserted within the sequence, policy sequence numbers can be reassigned.
1. For example, assume that policies 3 and 5 exist and a new policy is to be inserted between them.
2. The command specifies 4 as the sequence number of the new policy.
3. However, the new policy is created as policy 5, and the existing policies are renumbered as 3 and 7.
Table 41. Security Policy Parameters (continued)
Parameter  Description
qosqg      Name of GoS quality group. (Not applicable to firewall policies; see “GoS Configuration” (page 181)).
iptos      IP ToS tag value (decimal byte). Specify any to match all tag values.
seq        Position of the new policy within the policy sequence (Begin | End | Position). If Position is specified, the index number specifies where the policy is inserted in the sequence. (See “Security Policy Sequence” (page 130)).
To show the system log, enter the following command:
> show logging internal
The following log entry is an example that shows the rejection of a packet by the firewall. The entry shows the source, destination, and protocol of the packet.
(W)15:28:03: Firewall denied [Id:0] [Src:192.168.134.71:137] [Dst:192.168.134.255:137] [Proto:UDP] [If: 0]
Connection Time-outs
The firewall dynamically opens and closes ports for data traffic.
NAT/ALG
Network Address Translation (NAT) provides security by hiding the internal addresses of the private network from the Internet: addresses and/or ports are translated from private IP addresses to public IP addresses, and vice versa. The BSGX4e device can do both standard and reverse NAT:
Standard NAT (also known as Network Address Port Translation [NAPT])
Standard NAT translates the source IP address of the LAN to the public WAN IP address.
Enable NAT on the WAN Interface
NOTE: NAT is initially enabled on the WAN interface (eth0). To verify that it is enabled, enter the command show security nat interface.
To enable NAT on a WAN interface, enter the following command:
> config security nat interface
NOTE: An IP address must be assigned to the WAN interface (see “WAN Interface Configuration” (page 91)).
You can also enable NAT for virtual interfaces (vif) and VPN interfaces (vpn) defined on the physical WAN interface.
NOTE: You must enable NAT on the WAN interface.
To configure a NAT policy, enter the following command:
> config security nat policy
Table 44 describes the parameters for config security nat policy.
Table 44. NAT Policy Configuration Parameters
Parameter  Description
[id]       Policy ID number. Specify new when creating a new policy.
type       Type of policy (static | rport | raddr). Specify rport for port forwarding; raddr for address forwarding.
192.168.134.199
Port Forwarding
NAT port forwarding requires the following policies:
- A NAT policy of type redirect port (rport) that provides the private information.
- A security policy that provides the public information and references the NAT policy (see “Security Policy Configuration Command” (page 131)).
NOTE: NAT must be enabled on the WAN interface. To see the NAT interface status, enter show security nat interface.
*> config security policy new from eth0 to self dport 9000 proto udp nat 2
3. Save the configuration. Enter the following command:
*> save
Address Forwarding
NAT address forwarding requires the following configuration:
- A NAT policy of type redirect address (raddr) that provides the private information.
- A security policy that provides the public information and references the NAT policy (see “Security Policy Configuration Command” (page 131)).
NOTE: NAT must be enabled on the WAN interface.
For example, the following commands enable translation of a private LAN address to a public IP address.
1. Define the public address as a NAT address (192.168.134.65):
> config security nat public 192.168.134.65
2. Define a static NAT policy to provide the public IP address (192.168.134.65):
*> config security nat policy new type static address 192.168.134.65
The new NAT policy is assigned index 4.
3. Define a security policy to provide the private information.
Notice that the NAT field in the security policy list references the Id of a NAT policy.
ALG Configuration
The Application Layer Gateway (ALG) enables the transfer of FTP and TFTP traffic through firewall policies and NAT. This is done by creating dynamic holes in the firewall policy and changing IP addresses in application protocol headers. ALG is supported only for FTP and TFTP protocols.
NOTE: NAT must be enabled on the WAN interface. (See “Enable NAT on the WAN Interface” (page 135)).
This section describes the attack types against which IDS provides protection. In the initial configuration of the unit, IDS protection is enabled against all attack types.
NOTE: For a secure system, it is recommended that IDS protection remain enabled.
Protection for two packet anomalies can be enabled or disabled. The two anomalies are:
- IP fragment is overlapped (fragoverlap).
- Too many fragments need to be reassembled (fragoverrun).
Protection against all other anomalies is enabled by default and cannot be disabled. Table 47 lists the other anomalies.
Table 47.
Table 48. Packet Fragment Anomaly Parameters (continued)
Parameter  Description
active     Indicates whether to activate this attack detection.
In an ARP flood, an unauthorized attempt is made to change the ARP table, which can result in Denial of Service or Man-in-the-Middle attacks. Also, repeated packets can be sent, resulting in multiple MAC addresses being saved in the ARP tables, which causes packets to be broadcast, rather than sent to one destination.
synflood
SYN (synchronization) packets are repeatedly sent to every port on the server, using fake IP addresses. SYN flooding can result in denial of service.
Show Flood Detection Activation
To see the status of IDS protection against floods, enter the following command:
> show ids flood activity
IDS Flood:
Attack              Active  Name
------------------------------------------------------------
udpflood            on      UDP Flood
icmpflood           on      ICMP Flood (Threshold = 100 pps)
arpflood            on      ARP Flood (Threshold = 255 pps)
synflood            on      SYN Flood (Threshold = 50 pps)
espflood            on      ESP Flood
unknowipprotoflood  on      Unknown IP proto Flood
cdpflood            on      CDP Flood (Threshold = 50
Table 51. Flood Threshold Setting Parameters
Parameter  Description
[service]  Protocol or service whose threshold value is changed (dhcp | dns | esp | ike | mgcp | radius_1 | radius_2 | rip | sip | snmp | sntp | tftp | unknown_IP_proto | unknown_port).
threshold  Threshold level (minimum number of packets/second) to be considered an attack.
tcpsynscan
A TCP SYN scan is a series of messages sent with the TCP Syn flag set.
pingsweep
ICMP requests are sent to multiple hosts. A ping sweep is a means to locate network devices that are active and responding, and so, could be targets for an attack.
IDS Scan Activation
To activate a scan type or change its timeout value, enter the following command:
> config ids scan
Table 52 describes the configuration parameters for config ids scan.
Table 52.
IDS assumes that spoof attacks arrive from the WAN, and so, by default, it assigns untrusted status to the eth0 interface (and to virtual WAN interfaces). This activates spoof detection for that interface. However, IDS assumes that LAN traffic is safe and the LAN is not a likely source of spoof attacks, and so, by default, spoof protection is not needed on LAN interfaces (eth1 and virtual LAN interfaces). IDS assumes that a VPN secures its traffic from spoof attacks.
Show IDS Spoof Status
To see the interfaces on which IDS checks for spoof attacks, enter the following command:
> show ids spoof
In the following example, IDS only checks for spoofs on the WAN interface, eth0.
IDS Spoofing:
Interface  Type
-----------------------------------------------------
eth0       untrusted
eth1       trusted
vif0       trusted
vpn0       trusted
IDS Statistics
This section shows how to view IDS statistics. IDS keeps a count for each type of attack.
TCP FIN with no ACK                       0
TCP SYN + IP MF                           0
Large ICMP (>1024)                        0
FIREWALL
TCP Flags not in connection               0
TCP Orphaned FIN                          0
Firewall Policy                           0
No route to destination                   2
IP fragment is overlapped                 0
IP datagram is overrun                    0
Too many IP datagram in reassembly state  0
Link table overflow                       0
SCAN
TCP SYN scan                              0
UDP Port Scan                             0
Ping sweep                                0
FLOOD
Layer 2/3
ARP Flood                                 0
STP flood                                 0
CDP flood                                 0
Unknown Ethernet Type flood               0
Layer 4
UDP Flood                                 0
UDP Rate limiting to host overflow        0
ICMP flood                                0
SYN Flood                                 0
ACK Flood                                 0
ES
NOTE: To avoid filling the log and the resulting denial of service, IDS reports only one attack for every 64 attacks detected.
To see the log entries, enter the following command:
> show logging internal
The following example shows two IDS entries; the first reports a Bad IP version attack, and the second reports a Ping flood attack:
(W)15:27:59: Defended 'Bad IP version' [Src:192.168.134.140:128] [Dst:192.168.134.
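The firewall denial entry shown under Security Policy logging and the IDS 'Defended' entries shown here share one bracketed field layout, so a single parser can feed both into a review or a SIEM. The following is an added example, not part of the guide: it parses sample 'show logging internal' lines (constructed here; the tails of the IDS lines are assumed to mirror the firewall entry, since the guide's IDS example is cut off) and scales IDS counts by the 1-in-64 reporting ratio the NOTE above states.

```python
"""Parse BSGX4e 'show logging internal' entries (firewall denials and IDS
'Defended' records) and summarise them for review. Added example, not part
of the Nortel guide; the sample lines below are constructed, and the IDS
lines' [Dst]/[Proto]/[If] tails are assumed to mirror the firewall format.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# The guide states IDS writes one log entry for every 64 attacks detected.
IDS_REPORT_RATIO = 64

# "(W)15:28:03: <message>" -> severity letter, time of day, message text
_ENTRY_RE = re.compile(r"^\((?P<level>[A-Z])\)(?P<time>\d{2}:\d{2}:\d{2}):\s*(?P<msg>.*)$")
# "[Src:192.168.134.71:137]" -> key/value pairs ("[If: 0]" carries a space)
_FIELD_RE = re.compile(r"\[(?P<key>\w+):\s*(?P<val>[^\]]*)\]")
# "Defended 'Bad IP version'" -> IDS attack name
_DEFENDED_RE = re.compile(r"^Defended '(?P<attack>[^']*)'")


@dataclass
class LogEvent:
    level: str
    time: str
    kind: str                        # "firewall", "ids" or "other"
    src_ip: Optional[str] = None
    src_port: Optional[int] = None
    dst_ip: Optional[str] = None
    dst_port: Optional[int] = None
    proto: Optional[str] = None
    interface: Optional[str] = None
    policy_id: Optional[str] = None  # firewall [Id:n]
    attack: Optional[str] = None     # IDS attack name


def _split_endpoint(value: str) -> Tuple[str, Optional[int]]:
    """'192.168.134.71:137' -> ('192.168.134.71', 137); bare address -> (ip, None)."""
    ip, sep, port = value.rpartition(":")
    if not sep:
        return value, None
    return ip, (int(port) if port.isdigit() else None)


def parse_entry(line: str) -> Optional[LogEvent]:
    """Return a LogEvent for one log line, or None if the line is not a log entry."""
    m = _ENTRY_RE.match(line.strip())
    if not m:
        return None
    msg = m.group("msg")
    fields = {k: v.strip() for k, v in _FIELD_RE.findall(msg)}
    kind = ("firewall" if msg.startswith("Firewall denied")
            else "ids" if msg.startswith("Defended ") else "other")
    ev = LogEvent(level=m.group("level"), time=m.group("time"), kind=kind)
    if "Src" in fields:
        ev.src_ip, ev.src_port = _split_endpoint(fields["Src"])
    if "Dst" in fields:
        ev.dst_ip, ev.dst_port = _split_endpoint(fields["Dst"])
    ev.proto = fields.get("Proto")
    ev.interface = fields.get("If")
    ev.policy_id = fields.get("Id")
    d = _DEFENDED_RE.match(msg)
    if d:
        ev.attack = d.group("attack")
    return ev


def summarise(lines: List[str]) -> Dict[str, object]:
    """Count firewall denials per source address and IDS entries per attack name.

    'ids_estimated' scales each IDS count by IDS_REPORT_RATIO, because the
    device suppresses 63 of every 64 IDS reports to keep the log from filling.
    """
    denied_by_src: Counter = Counter()
    ids_by_attack: Counter = Counter()
    skipped = 0
    for line in lines:
        ev = parse_entry(line)
        if ev is None:
            skipped += 1
        elif ev.kind == "firewall":
            denied_by_src[ev.src_ip] += 1
        elif ev.kind == "ids":
            ids_by_attack[ev.attack] += 1
    return {
        "denied_by_src": dict(denied_by_src),
        "ids_by_attack": dict(ids_by_attack),
        "ids_estimated": {a: n * IDS_REPORT_RATIO for a, n in ids_by_attack.items()},
        "skipped": skipped,
    }


# Constructed sample of 'show logging internal' output. The first line is the
# firewall entry quoted in the guide; the other entries are made up here.
SAMPLE_LOG = [
    "(W)15:28:03: Firewall denied [Id:0] [Src:192.168.134.71:137] [Dst:192.168.134.255:137] [Proto:UDP] [If: 0]",
    "(W)15:27:59: Defended 'Bad IP version' [Src:192.168.134.140:128] [Dst:192.168.134.1:0] [Proto:ICMP] [If: 0]",
    "(W)15:28:01: Defended 'Ping flood' [Src:192.168.134.140:0] [Dst:192.168.134.1:0] [Proto:ICMP] [If: 0]",
    "(W)15:28:05: Firewall denied [Id:0] [Src:192.168.134.71:138] [Dst:192.168.134.255:138] [Proto:UDP] [If: 0]",
    "IDS Flood:",  # heading text, not a log entry: counted as skipped
]

if __name__ == "__main__":
    for name, value in summarise(SAMPLE_LOG).items():
        print(f"{name}: {value}")
```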
10 VPN CONFIGURATION
This chapter describes how to configure Virtual Private Networks (VPN).
VPN Support
A VPN provides a secure connection through an insecure shared network, such as the Internet. The BSGX4e device supports VPNs using the IP security (IPsec) protocol. An IPsec VPN serves as a point-to-point tunnel interface. For example, a VPN could connect to an Internet Service Provider (ISP).
After IPsec SAs are established, the VPN becomes operational; secure gateways use IPsec tunneling to secure IP traffic between LANs. Each IP packet sent between LANs is securely encrypted inside an Encapsulated Security Payload (ESP) packet during transmission between the secure gateways. Two types of SAs exist:
IKE SA
Established during IKE main mode negotiations, IKE SAs determine how to secure subsequent IKE negotiations between the secure gateways.
IKE Policies
An IKE policy is a set of security parameters used when negotiating an IKE SA with a remote secure gateway. Sixteen predefined IKE policies are provided, offering every combination of encryption algorithm, hash digest, and Diffie-Hellman group available. The IKE policies that the BSGX4e can accept or offer are listed in priority order.
NOTE: To negotiate an IKE SA, the remote gateway must have an IKE policy configured to match one of the local predefined IKE policies.
Table 55. IKE Parameters (continued)
Parameter    Description
maxlifetime  Maximum IKE SA lifetime (in seconds). The initial setting is 259200 (72 hours).
Show IKE Parameters
To show the IKE parameter settings, enter the following command:
> show ike parameters
IKE Parameters:
Lifetime          86400 seconds
Maximum Lifetime  259200 seconds
IKE Preshared Key Records
An IKE preshared key record specifies the preshared key used to encrypt Internet Security Association and Key Management Protocol (ISAKMP) messages.
Table 56. IKE Preshared Configuration Parameters (continued)
Parameter  Description
key        Preshared key (up to 50 characters). The same preshared key must be configured at the remote gateway.
IKE Preshared Key Record Examples
This example configures an IKE preshared key record:
IP address of remote gateway: 10.0.1.2
Preshared key: 1J3W5RE89
> config ike preshared 10.0.1.2 key 1J3W5RE89
*> save
This example configures a default key:
IP address for default key: 0.0.0.
After successful negotiation, the display is similar to the following:
IKE SAs:
LocalAddr    Group      Encryption  Duration  InitiatorCookie
RemoteAddr   Initiator  Hash        LifeType  ResponderCookie
----------------------------------------------------------------
172.30.3.55  DH1024     3DES        86387     0xE92F945832B6D96B
172.29.3.56  Yes        SHA         Seconds   0xC1FDA432155BF2FE
Table 57. IKE SAs
Parameter              Description
LocalAddr, RemoteAddr  IP addresses of the two ends of the tunnel.
An IPsec configuration uses:
IPsec parameter settings (config ipsec parameters on “IPsec Parameters” (page 159))
IPsec proposals (config ipsec proposal on “IPsec Proposals” (page 160))
IPsec policies (config ipsec policy on “IPsec Policies” (page 160))
NOTE: IPsec traffic on the BSGX4e device still requires routing. IPsec policies are used only for negotiation; the encrypted traffic still relies on the route table.
IPsec Proposals An IPsec proposal is a set of security parameters used when negotiating an IPsec SA with a remote secure gateway. IPsec proposals are used by the IPsec policies that reference them. The initial BSGX4e configuration provides a predefined IPsec proposal named VPN-A. This predefined IPsec proposal conforms with the recommendations for a standard IPsec cryptographic suite called VPN-A, as described in RFC 4308.
The configuration of an IPsec policy also configures an IP interface for the policy. The IP interface is assigned a name vpnn, such as vpn0, and requires configuration like any other IP interface.
IPsec Policy Requirements
The IP address of the remote secure gateway in an IPsec policy must also appear as the peer in an IKE preshared key record. The VPN interface must be assigned an IP address. A route must send traffic to the VPN interface.
Table 60. IPsec Policy Parameters (continued)
Parameter  Description
remote  Remote IP address secured by the VPN (any or addresses specified as a range or as a subnet).
prop  Name of the IPsec proposal. One predefined proposal is available: VPN-A.
Policy Configuration Example
The following command configures a policy that secures traffic for all local and remote addresses and forwards it to the gateway address 172.28.16.20:
> config ipsec policy Remote2 gateway 172.28.16.
NOTE: A tunnel can be up only if security associations are shown for both directions (OUTBOUND and INBOUND).
Clear IPsec Security Associations
To clear the current IPsec security associations (SAs), enter the following command:
> clear ipsec sa
NOTE: The clear ipsec sa command clears all IPsec SAs.
IPsec Statistics
Statistics are kept to record the number of packets that IPsec receives, transmits, and drops. Counts are provided for inbound packets and for outbound packets.
Main office LAN subnet: 192.168.1.0/24
Branch office IP addresses:
Branch office gateway: 194.23.7.34
Branch office LAN subnet: 192.168.2.0/24
Perform the following steps to configure the VPN between the two BSG devices.
1. Log on to the BSG device at the main office.
2. Configure the VPN at the main office.
3. Specify the key shared with the branch gateway by using the following command:
> config ike preshared 194.23.7.34 key x359QWa78b3l12
4.
11. Assign an IP subnet to the IP interface of the tunnel (vpn0) by using the following command. Currently, any IP subnet can be assigned to the vpn interface; the IP address assignment does not determine the traffic on the interface.
*> config interface ip vpn0 ip 10.10.10.1/24
12. Define a route that sends branch office traffic out of the VPN interface by using the following command:
*> config route table 192.168.2.0/24 if vpn0
13.
23. Configure the VPN IP interface.
24. Assign an IP subnet to the IP interface of the tunnel (vpn0) by using the following command. Currently, any IP subnet can be assigned to the vpn interface.
*> config interface ip vpn0 ip 10.10.10.2/24
25. Define the default route to send traffic out the VPN interface by using the following command. All traffic without another explicit route uses the default route.
*> config route table 0.0.0.0 if vpn0
26.
*> config interface ip vpn0 ip 192.168.100.1
6. Enable NAT on the tunnel interface by using the following command:
*> config security nat interface vpn0 status on
7. Define a default route for the tunnel interface by using the following command. This route sends all traffic on the tunnel unless the traffic has another explicit route. This also applies to VoIP traffic.
*> config route table 0.0.0.0 if vpn0
8. Configure the firewall to allow tunnel traffic.
9.
*> show ipsec policy
IPSEC Policy Settings:
Name Gateway Local Remote Proposal Interface
------------------------------------------------------------
Tunnel 192.168.100.2 VPN-A 10.0.0.1 192.168.100.1 vpn0
5. Assign an IP address to the IP interface of the tunnel (vpn0) by using the following command:
*> config interface ip vpn0 ip 192.168.100.2
6. Define a default route for the tunnel interface. This route sends all traffic on the tunnel unless the traffic has another explicit route.
Configuring a VPN
This section describes the steps for setting up VPNs to secure traffic between branch and head offices.
Figure 3. Head office and branch office traffic (head office: application servers, trunking gateway, softswitch, media server, PSTN and LAN traffic; WAN IP network with addresses 195.178.11.11, 194.23.7.1 and 194.23.7.34; branch office: ICAD40, SIP/MGCP IP phones, POTS/FXS phones, workstations)
Table 61 describes network information.
Table 61.
The SIP Session Controller (SIP SC) controls the VoIP telephones installed in the LAN. The SIP User Agent (SIP UA) controls an analog fax machine attached to the FXS port of the BSGX4e. Workstations installed in the LAN access various data services such as e-mail, chat, and the World Wide Web. The head office exchanges all VoIP and data traffic. Traffic is plain routed and encrypted.
packets, even if QoS operates after VPN. If packets that must be sent to the WAN are bigger than the Maximum Transmission Unit (MTU) of the WAN interface after encryption, the routing stack fragments them before encryption. As described in diagram 1, the packets sent to the WAN are encrypted before QoS treatments are applied. The QoS stack needs to know how packets are modified by the encryption (packets are bigger) in order to calculate what exactly will be sent to the wire.
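The size growth described above can be worked through for the 3DES/SHA proposal used later in this chapter. The following is an added example, not BSGX4e code; the ESP layout (outer IPv4 header, SPI and sequence number, 8-byte IV, padding to the cipher block, pad-length and next-header trailer, 12-byte HMAC-SHA1-96 ICV) is the standard tunnel-mode format, and the packet sizes and the AES suite entry are constructed for illustration.

```python
"""ESP tunnel-mode size calculator (constructed example, not BSGX4e code).

Shows why the routing stack has to fragment *before* encryption and what
size the QoS stack actually sees on the wire after ESP encapsulation.
"""
from dataclasses import dataclass

OUTER_IP_HDR = 20   # new IPv4 header added in tunnel mode
INNER_IP_HDR = 20   # header of the packet being protected (no options assumed)
ESP_HDR = 8         # SPI (4 bytes) + sequence number (4 bytes)
ESP_TRAILER = 2     # pad length (1 byte) + next header (1 byte)


@dataclass(frozen=True)
class EspSuite:
    name: str
    block: int   # cipher block size; ESP padding aligns to it
    iv: int      # IV length carried in the packet
    icv: int     # integrity check value length


# 3DES-SHA matches the proposal configured on this page; AES entry is an
# assumed second suite to show the block-size dependence.
SUITES = {
    "3DES-SHA": EspSuite("3DES-SHA", block=8, iv=8, icv=12),     # HMAC-SHA1-96
    "AES128-SHA": EspSuite("AES128-SHA", block=16, iv=16, icv=12),
}


def esp_padding(inner_len: int, block: int) -> int:
    """Padding so that inner + pad + trailer is a multiple of the block size."""
    return (-(inner_len + ESP_TRAILER)) % block


def encrypted_size(inner_len: int, suite: EspSuite) -> int:
    """Wire size of a tunnel-mode ESP packet that carries inner_len bytes."""
    pad = esp_padding(inner_len, suite.block)
    return (OUTER_IP_HDR + ESP_HDR + suite.iv + inner_len
            + pad + ESP_TRAILER + suite.icv)


def max_inner_for_mtu(mtu: int, suite: EspSuite) -> int:
    """Largest inner IP packet whose encrypted form still fits the WAN MTU."""
    n = mtu
    while n > INNER_IP_HDR and encrypted_size(n, suite) > mtu:
        n -= 1
    return n


def pre_encryption_fragments(inner_len: int, mtu: int, suite: EspSuite) -> list:
    """Inner packet sizes after fragmenting before encryption.

    Each fragment is a complete IP packet (own 20-byte header) and, except
    for the last one, carries a payload that is a multiple of 8 bytes,
    because IP fragment offsets are expressed in 8-byte units.
    """
    limit = max_inner_for_mtu(mtu, suite)
    if inner_len <= limit:
        return [inner_len]          # no fragmentation needed
    payload = inner_len - INNER_IP_HDR
    per_frag = ((limit - INNER_IP_HDR) // 8) * 8
    sizes = []
    while payload > 0:
        chunk = min(per_frag, payload)
        sizes.append(INNER_IP_HDR + chunk)
        payload -= chunk
    return sizes


if __name__ == "__main__":
    suite = SUITES["3DES-SHA"]
    # Constructed sizes: a full-size data packet and a G.711 20 ms RTP packet.
    for inner in (1500, 200):
        print(inner, "->", pre_encryption_fragments(inner, 1500, suite),
              "encrypted:", [encrypted_size(s, suite)
                             for s in pre_encryption_fragments(inner, 1500, suite)])
```

Note that the 200-byte VoIP packet becomes 256 bytes on the wire, which is the figure the QoS stack must budget for, not the 200 bytes the routing stack handed to IPsec.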
Encryption and decryption work based on the routing table, not on the IPSec policies. The IPSec policies are used only to negotiate Internet Key Exchange (IKE) phase 2. A slight difference exists depending on whether you use NAT.
If NAT is enabled, the processes work as below:
Operation of Tunnel-Mode IPsec on outgoing packets:
1. Outgoing packet (private domain).
2. Does the packet go out a VPN interface (routing table)? If no, apply Normal-NAT or drop as appropriate.
3. If yes, apply outbound Normal-NAT.
4. Perform outbound forward security.
5. Result: IPsec packet (tunnel mode).
Operation of Tunnel-Mode IPsec on incoming packets:
1. IPsec packet coming in a VPN interface.
2. Perform inbound security (detunnel).
3. Apply firewall rules.
4. Perform inbound Normal-NAT.
5. Does th
Three flow types can be distinguished:
Internal host traffic: this is the traffic terminating at the unit. The source IP address of the packets sent for encryption is that of the egress VPN interface of the unit. It concerns the services run by the internal host such as Telnet, RADIUS, Web, and Simple Network Management Protocol (SNMP).
Routed traffic: this is the traffic normally routed by the unit.
Setting up a VPN requires that you configure both IKE and IPSec. Packets are encrypted and decrypted by a hardware assist engine, allowing both VoIP and data traffic to be securely conveyed through IP networks.
Example
This example shows how to deploy a VPN to secure VoIP and data traffic with a Cisco 3845 router. Plain routing is implemented.
2. Configuring IPSec. Configure the IPSec encryption and authentication algorithms, 3DES/SHA, as follows. This creates the vpn interface vpn0.
*BSG*> conf ipsec proposal 3DES-SHA encrypt 3DES auth SHA
*BSG*> config ipsec policy cisco Gateway 195.178.11.11 Local 0.0.0.0/0.0.0.0 Remote 192.168.1.0/24 Prop 3DES-SHA
NOTE: Setting local to any forces the Cisco router to accept and decrypt any packets (plain routed or relayed) coming from the BSGX4e.
Configure a symmetrical IPSec policy.
cisco> access-list 101 permit ip 192.168.1.0 0.0.0.255 any
cisco> crypto map BSGX4e-Cisco3845 1 ipsec-isakmp
set peer 194.23.7.34
set transform-set BSGX4e-Cisco3845-IPSEC
match address 101
NOTE: By setting this, you force the Cisco router to accept and decrypt any packets (plain routed or relayed) coming from the BSGX4e.
3. Configuring routing. Assign the IKE/IPSec configuration to the WAN interface of the Cisco router (ge 0/0 in this case).
2. Is the IPSec SA successfully negotiated? The command show ipsec sa reports the status of this negotiation. An entry for each direction (INBOUND and OUTBOUND) of the tunnel must be displayed. If the negotiation fails, no entry is displayed.
Table 63.
11 GOS CONFIGURATION
This chapter describes how to configure the advanced Quality of Service (QoS) feature in the BSGX4e. This feature is called Guarantee of Service™ or GoS™. GoS is based on network layer 3. The BSGX4e also supports layer 2 QoS, which allows the user to prioritize LAN traffic as it enters the device. For information on layer 2 QoS, see “Layer 2 QoS” (page 106).
Introduction to GoS
The BSGX4e device uses Nortel’s patented QoS technology, GoS™, to deliver reliable quality of service.
GoS can provide: Guaranteed bandwidths with enforced bandwidth limits and reuse of unclaimed bandwidth. This feature provides network stability under an increasing load. Separate control of loss and delay priorities. Fair sharing of quality, not just bandwidth. No stream is allowed to use excessive network resources. This enhances the IDS protection against denial of service attacks and similar packet floods (see “Flood Protection” (page 143)). Live monitoring of delivered quality.
Figure 9. GoS Classes (axes: increasing sensitivity to delay; increasing sensitivity to loss)
A—C represents the range of packet loss; typically, packet loss is more acceptable for voice traffic than for data traffic. 1—3 represents the range of packet delay; typically, packet delay is more acceptable for data traffic than for voice and other real-time traffic. Class A1 provides the minimum loss and minimum delay of packets. Assign this class to only the most critical traffic.
Figure 10.
The two limits used by CAR policing (the committed rate and the burst rate) are illustrated in Figure 11.
Figure 11.
A security policy defines an outgoing traffic stream and assigns it to a quality group.
Configuring a GoS Link
This section describes how to configure a GoS link. A GoS link specifies the outgoing interface whose traffic is to be managed and the size of the bandwidth to be managed, that is, the maximum speed of that link.
NOTE: The current software release supports only one GoS link for the device.
NOTE: The GoS link is configured on the physical WAN interface, eth0.
Interface  Max      Comment
-----------------------------------------------------------
eth0       1500000  Office link
Delete GoS Link
NOTE: Before you can delete a GoS link, you must delete all quality groups that apply to the link. To list the quality groups, enter the command show quality group.
For example, the following command deletes the GoS link for the WAN interface eth0:
> del qos link eth0
*> save
Configuring Quality Groups
This section describes how to configure quality groups.
Traffic can be discarded even when the average theoretical throughput of the flow is within contract. This can happen when the traffic source is bursting and packets are being deterministically dropped. Packet loss is typically due to peak traffic; however, it can also occur if an incorrect load estimate is made. For example, suppose that up to fifteen VoIP calls can be set up simultaneously, but the quality group to protect VoIP traffic is sized to protect only ten calls.
Table 65. GoS Group Configuration Parameters (continued)
Parameter  Description
burst  Burst rate for the quality group (in bps). Specify a value if type is car and qg is not BE. Ensure that the burst rate is greater than the committed rate and less than or equal to the maximum link rate (as specified by the config qos link).
iptos  IP ToS value to be written into each packet assigned to this quality group (decimal, 0-255). Specify no if no ToS value is to be written.
Quality group class: A3 (maximum delay, minimum loss) Type of policer: CAR Committed rate: 850 000 (850 kbps) Burst rate: 1 500 000 (1.
VoIP Traffic Protection
To protect VoIP traffic, two quality group settings are needed: one to protect VoIP signaling traffic and the other to protect VoIP media streams. The quality group to protect VoIP signaling traffic is specified by the sigqos parameter. Enter it as a session controller setting (see “Session Controller Setting Command” (page 272) [SIP] or “Session Controller Setting Command” (page 216) [MGCP]).
Table 41 describes the parameters for config security policy. Use the same command to define security policies for the firewall, NAT, and GoS. For GoS, the security policy parameters are used as follows: The qosqg parameter specifies the GoS quality group to which the traffic flow is assigned. The following parameters define the traffic flow. Specify only those parameters required to define the flow.
Show GoS Security Policies
The command to show the GoS security policies is the same as the one to show other security policies, as follows:
> show security policy
The GoS security policies are the policies listed with a value in the QoS field:
Security Policies:
Id Seq From Source IP Dest IP Source Dest Proto NAT QoS To Action ToS
-------------------------------------------------------------------
1 1 eth1 10.0.1.100 192.168.134.100 any 20-21 tcp 0 Data eth0 allow any
2 1 self any 192.
Bytes out      209556913319 bytes
Bytes dropped  0 bytes
Quality Group Statistics
To display cumulative statistics for a quality group, specify the group name on the command stats qos counters.
Table 66. GoS Cumulative Statistics (continued)
Counter  Description
Bytes dropped  Byte count for the Packets dropped counter.
Bytes downgraded  Byte count for the Downgraded packets counter. This statistic is not provided for best effort traffic.
Clearing GoS Cumulative Statistics
As needed, you can clear the GoS statistic counters and reset them to zero.
Best Effort Statistics
To clear the BE statistics kept for the link, specify the link on a clear qos link command.
Table 67 describes the statistics of stats qos group. Byte counts include the Ethernet header without FCS for an Ethernet link. Table 67. GoS Instantaneous Statistics Statistic Description Input rate Offered rate to the quality group. Output rate Overall output rate of the quality group, including protected and downgraded traffic. Primary output rate Output rate of the protected traffic. Downgrade output rate Output rate of downgraded (nonprotected) traffic.
Configuring QoS
This section describes the steps for setting up QoS in order to protect VoIP traffic from data traffic.
(Figure: PSTN traffic, application servers, LAN traffic, WAN traffic, trunking gateway, softswitch, media server; WAN IP network 172.29.250.1; ICAD40 with FXO to PSTN, SIP/MGCP IP phones, POTS/FXS phones, workstations)
Table 68 describes network information, and Table 69 describes server information.
Table 68. Network Information
LAN IP range  Access router
10.0.0.0/16   10.
The SIP Session Controller (SIP SC) controls VoIP telephones installed in the Local Area Network (LAN). The SIP User Agent (SIP UA) controls the analog fax machine attached to the FXS port of the BSGX4e. Workstations installed in the LAN access various data services such as e-mail, chat, and the World Wide Web. VoIP traffic is protected from data traffic. To configure the Quality of Service of the BSGX4e, you must understand how VoIP and data flows go through the BSGX4e.
Figure 13. Hardware path (traffic to and from the WAN: LAN 400 Mbps switch; 100 Mbps link from switch to router = bottleneck 1; 1.5 Mbps WAN = bottleneck 2)
Traffic to the WAN suffers from two bottlenecks. The first one concerns the LAN-switched traffic sent to be forwarded to the WAN. The uplink of the four-port LAN switch to the router runs at 100 Mbps (in reality the switch has five ports; four are in the rear of the BSGX4e and one is internally connected to the routing engine).
The routing engine runs Layer 3 QoS. Guarantee of Service (GoS) is implemented. For more information about GoS, see the GoS documents. GoS allows applying or controlling three QoS constraints per traffic type: bandwidth, loss and delay. Bandwidth calculations take into account the Ethernet header size (14 bytes), because packets are transmitted to the WAN over the Ethernet. Loss and delay are defined relatively among traffic types.
Management: SNMP polling does not require a very high bandwidth; 64 Kbps is enough. SNMP traffic is not very sensitive to loss and delay. By assigning a bandwidth of 64 Kbps to this traffic, you can ensure that not too many packets are dropped (the rate can be higher at some times), so the SNMP applications can run normally (no timeout).
Other: The other traffic can be handled in best effort mode, for which no bandwidth is allocated and nothing is required for the loss and delay.
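The sizing rules in this chapter (bandwidth counts the 14-byte Ethernet header without FCS, a CAR group needs committed rate < burst rate <= link maximum, and calls beyond the committed rate are downgraded to best effort) can be put together as a small planner. This is an added example, not BSGX4e code; the codec packet sizes are standard values for 20 ms G.711 and G.729, and the 1.5 Mbps link, the management group and the call counts are constructed inputs.

```python
"""Quality-group sizing for VoIP media on a GoS link.

Constructed example, not BSGX4e code. It applies the rules stated on this
page: per-packet bandwidth includes the 14-byte Ethernet header, a CAR
policer needs committed < burst <= link maximum, and an under-sized group
downgrades the excess calls to best effort.
"""
from dataclasses import dataclass

ETH_HDR = 14   # Ethernet header counted by GoS (FCS excluded)
IP_HDR = 20
UDP_HDR = 8
RTP_HDR = 12


@dataclass(frozen=True)
class Codec:
    name: str
    payload_bytes: int   # audio bytes carried per RTP packet
    ptime_ms: int        # packetization interval


# Standard parameters for the codecs named in this guide's codec lists.
G711_20 = Codec("PCMU_20", payload_bytes=160, ptime_ms=20)   # 64 kbps audio
G729_20 = Codec("G729A_20", payload_bytes=20, ptime_ms=20)   # 8 kbps audio


def call_rate_bps(codec: Codec) -> int:
    """Bandwidth of one RTP stream in one direction on the Ethernet WAN link."""
    frame = ETH_HDR + IP_HDR + UDP_HDR + RTP_HDR + codec.payload_bytes
    pps = 1000 // codec.ptime_ms
    return frame * 8 * pps


def size_quality_group(calls: int, codec: Codec, link_bps: int,
                       headroom: float = 0.10) -> dict:
    """Committed and burst rates (bps) for a CAR group protecting `calls` calls.

    Raises ValueError when the committed rate cannot fit below the link
    maximum, because then no burst rate can satisfy committed < burst <= link.
    """
    committed = calls * call_rate_bps(codec)
    if committed >= link_bps:
        raise ValueError(f"{calls} {codec.name} calls need {committed} bps, "
                         f"link is only {link_bps} bps")
    burst = min(int(committed * (1 + headroom)), link_bps)
    return {"committed": committed, "burst": burst, "per_call": call_rate_bps(codec)}


def downgraded_calls(offered_calls: int, committed_bps: int, codec: Codec) -> int:
    """Calls that exceed the committed rate and are policed to best effort.

    This is the load-estimate failure mode described on this page: a group
    sized for ten calls silently downgrades the eleventh to fifteenth.
    """
    protected = committed_bps // call_rate_bps(codec)
    return max(0, offered_calls - protected)


def best_effort_remaining(groups: dict, link_bps: int) -> int:
    """Bandwidth left for best-effort traffic after all committed rates.

    Raises ValueError if the committed rates oversubscribe the link.
    """
    total = sum(groups.values())
    if total > link_bps:
        raise ValueError(f"committed total {total} bps exceeds link {link_bps} bps")
    return link_bps - total


if __name__ == "__main__":
    link = 1_500_000                       # constructed: the 1.5 Mbps WAN on this page
    media = size_quality_group(10, G711_20, link)
    plan = {"VoIP_media": media["committed"], "Management": 64_000}  # 64 kbps SNMP
    print("per G.711 call:", media["per_call"], "bps")
    print("VoIP_media group:", media)
    print("downgraded at 15 calls:", downgraded_calls(15, media["committed"], G711_20))
    print("best effort left:", best_effort_remaining(plan, link), "bps")
```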
3. Configuring the mapping between the DiffServ/ToS byte value and the priority queue (classifier). VoIP packets are tagged with a DiffServ/ToS byte of 45.
38 HIGHQ 39 LOWESTQ 40 LOWESTQ 41 LOWESTQ 42 LOWESTQ 43 LOWESTQ 44 LOWESTQ 45 HIGHESTQ 46 HIGHESTQ 47 LOWESTQ 48 LOWESTQ 49 LOWESTQ 50 LOWESTQ 51 LOWESTQ 52 LOWESTQ 53 LOWESTQ 54 LOWESTQ 55 LOWESTQ 56 LOWESTQ 57 LOWESTQ 58 LOWESTQ 59 LOWESTQ 60 LOWESTQ 61 LOWESTQ 62 LOWESTQ 63 LOWESTQ
4. Layer 2 QoS is now configured. Check that Layer 2 QoS is working correctly.
Deferred          0
Out Octets        978710557
InDiscards        879
InGoodOctets      968946799
AlignErr          0
InBadOctets       0
Oversize          0
Undersize         0
Jabber            0
Fragments         0
Collisions        0
Late Collisions   0
Excessive         0
Filtered          0
Single            0
Multiple          0
Configuring Layer 3 QoS
The configuration of Layer 3 QoS requires the following steps:
1. Configuring the size of the WAN link. You can manage the traffic for a full T1 WAN link.
7. Configuring the classifier. The SIP Session Controller detects VoIP signalling packets. You must configure it to manage them by the QoS Quality Group VoIP_sig.
Id Seq From Source IP Dest IP Source Dest Proto NAT QoS To Action ToS
----------------------------------------------------------------------------
1 1 eth0 any any any any any 0 self allow any
2 3 eth0 172.29.3.
Packets in          2211704
Packets out         2211704
Downgraded packets  0
Packets dropped     0
Bytes in            406953536 bytes
Bytes out           406953536 bytes
Bytes dropped       0 bytes
Bytes downgraded    0 bytes
When the BSGX4e is polled by an SNMP network management workstation, the QoS counters can be incremented. You may observe downgraded packets because the Quality Group Management uses a CAR policer (if the offered load is higher than 64 Kbps, it is downgraded to best effort).
12 MGCP CONFIGURATION This chapter describes the configuration of the MGCP session controller and the integrated MGCP gateway. You can configure the BSGX4e device to act as both VoIP session controller and VoIP gateway. The session controller and VoIP gateway can use either the Session Initiation Protocol (SIP) or the Media Gateway Control Protocol (MGCP). Configuration for SIP is described in “SIP Configuration” (page 263).
Figure 14. MGCP Network Layout (MGCP servers, SIP servers, ICAD40, workstation, MGCP phone)
MGCP Session Controller
All VoIP traffic is directed through the session controller, allowing the session controller to isolate and control all VoIP devices on the internal network (LAN). The session controller can handle up to 1000 VoIP endpoints and up to 500 concurrent calls.
If the call server requires Keep-alive messages, but a LAN endpoint device does not send those messages, the session controller generates those packets for the endpoint device.
Tracks device status on the LAN to learn when a LAN endpoint goes down (using Audit Endpoint (AUEP) requests). The MGCP registration information is kept in nonvolatile storage, so it can be immediately restored at restart.
Manages the Access Control List (ACL) rules.
MGCP Call Servers This section describes how to configure a server profile, which determines how the session controller accesses MGCP servers to provide VoIP service. An MGCP server is also known as a Media Gateway Controller (MGC). One of the session controller settings specifies the call server profile that the session controller is to use. A server profile can explicitly specify up to three MGCP servers.
> config mgcp server settings
Table 70 describes the parameters for config mgcp server settings.
Table 70. MGCP Server Profile Parameters
Parameter  Description
[name]  Name of the server profile to be created or edited.
mgc1  First Media Gateway Controller (either a fully qualified domain name [FQDN] or an IP address).
port1  Port number for mgc1. The default is 2727.
mgc2  Optional second Media Gateway Controller (FQDN | IP address).
port2  Port number for mgc2.
Blacklist duration: 300 seconds
> config mgcp server settings Sylantro_FailOverMode mgc1 primary.sylantro.com port1 2727 mgc2 secondary.sylantro.com port2 2727 retries 10 blacklist 300
*> save
Show Server Settings
To show the MGCP server setting profiles, enter the following command:
> show mgcp server settings
MGCP Server "Sylantro":
Name MGC1 Port1 MGC2 Port2 MGC3 Port3 Retries Blacklist
Sylantro 206.229.26.
MGCP Server "Sylantro_FailOverMode":
Name Active MGC1 Port1 MGC2 Port2 MGC3 Port3
Sylantro_FailOverMode Yes primary.sylantro.com (In-use) 2727 secondary.sylantro.com (Ready) 2727 2727
The display shows the information specified by the setting. The display also shows the following status information:
Field  Description
Active  Yes: This session controller is actively communicating with an MGCP server. No: The session controller is not actively communicating with any server.
MGCP Signaling Proxy (MSP)
The MGCP Signaling Proxy (MSP) relays MGCP messages between MGCP endpoints (phones or terminals) and a Media Gateway Controller (MGC) server on the WAN. The session controller settings are as follows: Modification information for MGCP headers so that messages can be relayed (server).
Note: The MGCP session controller only supports the endpoint identification endpoint@domain-name in which the domain-name is a MAC address. It does not support identification per IP address.
Table 71. MGCP Session Controller Parameters (continued)
Parameter  Description
eptimeout  Endpoint timeout interval (in seconds). The default is 3600 seconds (one hour). See “Endpoint Status Handling (ESH)” (page 220).
maxcalls  Maximum number of calls allowed simultaneously. The default is the maximum for the unit, 500 calls.
sigqos  Name of the GoS quality group that specifies the QoS protection for MGCP signaling traffic. To see the configured quality groups, enter show qos group.
My Wan IpAddr   192.168.134.217
Wan Rx Port     2427
Lan Rx Port     2427
CAC Max Calls   500
The display shows configured information and the following status field:
MGC Server Ready  Yes if an MGCP server is active. No if no MGCP server is active.
Show MGCP Signaling Statistics
To show the counts for relayed MGCP signaling packets, enter the following command:
> stats mgcp sc status
MGCP Session Controller message stats:
Msg per sec.
LanCmdDropDataErr   0
LanRspDropDataErr   0
LanRspDropStateErr  0
The count fields (WanMsgRecvCount, WanMsgProcCount, LanMsgRecvCount, and LanMsgProcCount) report the counts of normal packets received and processed. The other fields report error counts. The counters WanCmdCacRejErr and LanCmdCacRejErr report the number of calls rejected by Call Admission Control [see “Call Admission Control (CAC)” (page 236)].
NOTE: A local call from a LAN endpoint to another LAN endpoint is shown twice in the statistics; it is counted as both a LAN outbound call and a WAN inbound call. The counters Call rejected no bandwidth report the number of calls rejected by Call Admission Control [see “Call Admission Control (CAC)” (page 236)].
Changing the Endpoint Timeout
The following example specifies the server profile name (Sylantro) and changes the endpoint timer value to 1800 seconds:
> config mgcp sc settings server Sylantro eptimeout 1800
*> save
Show Endpoint Timer Value
To show the endpoint timer value, enter the following command:
> show mgcp sc settings
MGCP Session Controller settings:
Server    Wan Rx Port  Lan Rx Port  Keep Alive  EP Timeout  Max Calls  Signaling QoS Group
Sylantro  2427         2427         0 sec       1800 sec    500        VoIP
This value represents the number of seconds before the registration expires. The initial value is taken from the eptimeout setting. The value is decremented each second. MGCP Gateway The integrated MGCP gateway (also known as the user agent) is the software in the BSGX4e device that allows an analog device such as a telephone or fax machine to use VoIP connections to place and receive calls. You must connect the analog device to the FXS port of the device as described in the installation guide.
MGCP Gateway Settings Command
To configure the MGCP protocol settings for the gateway, enter the following command:
> config mgcp ua settings
Table 72 describes the parameters for config mgcp ua settings.
Table 72. MGCP Gateway Parameters
Parameter  Description
domainformat  Format of MGCP endpoint domain names. Currently, the only format supported is by MAC address (MACAddr).
maxretxcount  Maximum number of successive retransmissions when a request does not receive an answer.
Configuration Restraints Before you configure the gateway, you must configure the MGCP session controller, and the gateway settings for the MGCP protocol and the FXS port. See “MGCP Session Controller Configuration” (page 215), “Configuring MGCP Settings for the Gateway” (page 222), and “FXS Port Configuration” (page 238). A codec parameter that is specified as notused acts as a terminator in the preferred codec list; subsequent codecs are ignored.
Table 73. MGCP Gateway Configuration Parameters (continued)
Parameter  Description
rfc2833  Indicates whether to use RFC 2833 for DTMF (yes | no). (RFC 2833 provides out-of-band DTMF event reports.) The default is yes. Distortion from compression and decompression can prevent recognition of pure DTMF tones. Out-of-band DTMF sends the information in separate RTP packets.
payload  If RFC 2833 is enabled (rfc2833 yes), you can specify the RTP dynamic payload type (96-127).
------------------------------------------------------------
0-1 uap1 PCMU_20 G729A_20 yes Off no uap1 PCMA_20 NOTUSED 96 Off yes
Delete MGCP Gateway Configuration
To delete the MGCP gateway configuration for the FXS port, enter the port number on a del mgcp ua port command. This allows for reconfiguration starting from default values; this is also required if the port is to be reconfigured as a SIP gateway.
NOTE: A port currently in use cannot be deleted.
0 7 30008 30016 G711u STARTED 127.0.0.1:14376 127.0.0.1:14378 5 5 1491 1492
The LocalConn and RemoteConn fields report the IP address and RTP port for the local and remote connections. The Codec Type and Codec State fields report that the connection is started and using the CODEC G.711 u-law. The RtcpTx and RtcpRx fields report the number of RTCP packets transmitted and received. The RtpTx and RtpRx fields report the number of RTP packets transmitted and received.
> show mgcp sc endpoints
MGCP Session Controller endpoints:
Endpoint ID  EP Addr  EP Port  Act Calls  Endpoint Name  TelNo  CA Port  Timeout
------------------------------------------------------------
4083746017@00152b177677 10.0.1.57 2427 0 Sophia 6017 6017 2432 3436
4083747001@001111111111 127.0.0.1 2429 0 2429 3434
The entry for the MGCP gateway can be distinguished from the other endpoints because its EP Addr is set to the loopback IP address 127.0.0.1.
13 VOIP CONFIGURATION
This chapter and the next chapter cover topics common to VoIP configuration for both MGCP and SIP, including:
Media connections controlled by the Media Bridge (MBR).
Endpoint access controlled by the “Access Control List (ACL)” (page 232).
“Cisco Discovery Protocol (CDP)” (page 234)
Call admission based on available bandwidth as determined by the “Call Admission Control (CAC)” (page 236).
Table 74. Media Stream Parameters Parameter Description dm Enables use of direct media (RTP) connections between two LAN endpoints. Initially, direct media connections are disabled. rtp Range of RTP ports to use (low#-high#). The RTP range must contain at least 1000 values and must not overlap ports configured for existing services in the device. Normally, two ports in the range are used for each media connection, one for RTP and the other for RTCP. The default is 13000-14999.
Media status:
Max. cap (max_conn/AudioQos):       500/890000
Port usage (current/highest):       0/0
Conn usage (current/highest):       0/0
AudioRate usage (current/highest):  0/0
Field  Description
Max. cap  Maximum capacity (configured maximum number of connections [maxconn] and the maximum available bandwidth of the quality group managing the VoIP media traffic in bits/second).
Port usage  Current number of ports in use and the highest number of ports that have been used.
Wan CallID  Lan ToTag  Lan FromTag  Lan CallID  Media Mode  Media Type  Media Conn_b  Media Conn_a
3-25-85680fc8-00001e5c@172.29.250.5 3-25-85680fc8-00007b76 000f8f07308800076d578d1c-7d53b8e2 000f8f07-30880004-51dee830-20cc6f3b@10.0.20.2 NORMAL AUDIO 172.29.250.30:29490--172.29.250.5:13006<== ==>10.0.1.1:13006--10.0.20.2:29268
Media Conn_b shows the IP addresses and ports used for the outbound connection. Media Conn_a shows the IP addresses and ports used for the inbound connection.
Platform
Software version
NOTE: The ACL does not require CDP information; the use of information provided by CDP is optional. For more information about CDP, see “Cisco Discovery Protocol (CDP)” (page 234).
Access Control List Command
To create an entry in the Access Control List (ACL), enter the following command:
> config voice acl
Table 75 describes the parameters for config voice acl. Omitted authentication parameters are set to any, indicating that all values match.
IP address: 10.0.1.100
Signaling type: MGCP
Device ID: MGC000F8F073088
Action: deny
> config voice acl new ip 10.0.1.100 type mgcp deviceid MGC000F8F073088 action deny
*> save
Show ACL
To list the current ACL policies, enter the following command:
> show voice acl
Session Controller - ACL:
Id Seq EpId Platform IP MAC Address Action Software DeviceId Type Stats
------------------------------------------------------------
1 1 any any 10.0.1.
CDP Entry:
Device ID: SIP00152B1775ED
Entry Address: 192.168.1.10
Prefix: 0.0.0.0
Platform: Cisco IP Phone 7960
Interface: Port 1
HoldTme: 121
Version: P0S3-07-5-00
Duplex: Full
Power: 6300
CDP Entry:
Device ID: MGC0009E8812FDB
Entry Address: 66.206.164.221
Prefix: 0.0.0.
S: switch
H: host
I: IGMP capable device
Show CDP Statistics
To view the statistics for the CDP protocol, enter the following command:
> show cdp traffic
CDP traffic:
Total CDP packets in:  2021
CDP checksum errors:   0
CDP Ver1 packets in:   0
CDP Ver2 packets in:   2021
Call Admission Control (CAC)
When the session controller receives a request to place or receive a call, Call Admission Control (CAC) determines if the call can be allowed within the configured limits.
The bandwidth allocated for VoIP signaling traffic can administratively limit the number of calls. It is typically defined by the ISP based on the number of users. The bandwidth allocation for VoIP media streams should accommodate the expected call load. If bandwidth is to be available for the maximum number of calls regardless of the level of other traffic on the network, then the audioqos quality group must commit sufficient bandwidth for the maximum connections (maxconn).
> show mgcp sc status
MGCP Session Controller status:
  MSC Started       Yes
  MSC Server Ready  Yes
  My Wan IpAddr     192.168.134.217
  Wan Rx Port       2427
  Lan Rx Port       2427
  CAC Max Calls     500

The field CAC Max Calls reports the maximum number of calls allowed.

To see the current VoIP connection and call status, enter the following command:

> show media status
Media status:
  Max.
Country Code and Unit Name Setting

Countries have defined separate telephony standards, including interface requirements, tone definitions, and ringing cadences. You can load the appropriate parameters into the unit by configuring the country code; only the country code needs to be configured.

NOTE: The unit must be restarted for a country code change to take effect.

The default unit name is MyUnit. You can change it to any meaningful identifier.
The display shows the country code as CN for China.

Jitter Buffer Settings

To configure the jitter buffer for the FXS port, enter the following command:

> config voice jitterbuffer

Table 77 describes the parameters for config voice jitterbuffer.

Table 77. Voice Jitter Buffer Configuration Parameters
Parameter  Description
mode       Jitter buffer type (fixed | adaptive).
maximum    Maximum delay introduced by the jitter buffer (ms). This value is used only if mode is adaptive. The default value is 120 ms.
Jitter Buffer Stats:
Port  RxFrames  CurrJitter  CurrDelay  MinDelay  MaxDelay  Overflowed  Underrun  OutOfOrder  Duplicated  LateDropped
---------------------------------------------------------------------
1     1786      2           20         20        21        0           0         0           0           0

The following are descriptions of the jitter buffer statistics:

Statistic   Description
RxFrames    Number of packets received.
CurrJitter  Current average jitter detected.
CurrDelay   Current packet delay due to the jitter buffer (in milliseconds).
Tone Type    On-1  Off-1  On-2  Off-2  Freq1  Level1  Freq2  Level2
------------------------------------------------------------
none         0     0      0     0      0      0       0      0
dial         500   0      0     0      350    -24     440    -24
ringback     2000  4000   0     0      440    -24     480    -24
busy         500   500    0     0      480    -24     620    -24
congestion   250   250    0     0      480    -24     620    -24
callwait1    300   300    0     0      440    -24     250    -24
callwait2    300   300    0     0      440    -24     250    -24
reorder      250   250    0     0      480    -24     620    -24
stutter      100   100    0     0      350    -24     440    -24
offhookwarn  250   250    0     0      1430   -24     2500   -24
test         4000  0      0     0      1000   -24     1000   -24

Re-conf
*> config voice tones congestion on1 150 off1 150 on2 0 off2 0 freq1 425 level1 -10 freq2 0 level2 0
*> config voice tones callwait1 on1 200 off1 5000 on2 0 off2 0 freq1 425 level1 -10 freq2 0 level2 0
*> config voice tones callwait2 on1 100 off1 1000 on2 0 off2 0 freq1 425 level1 -10 freq2 0 level2 0
*> config voice tones reorder on1 250 off1 250 on2 0 off2 0 freq1 425 level1 -10 freq2 0 level2 0
*> config voice tones stutter on1 400 off1 40 on2 0 off2 0 freq1 425 level1 -10 freq2 0 lev
This command's parameter is as follows:

Parameter  Description
impedance  Specialized impedance override setting for the line (automatic | 600 | 900 | 600_luF | 900_2.16uF | 270+750_150nF | 220+820_120nF | 220+820_115nF | 200+680_100nF). The default is automatic.
Field    Description
Line     Loop voltage measured across TIP-RING in the range 0-327 V. While the phone is on-hook, the value is expected to be in the range 4-18 V. A value outside this range can indicate a problem. If the phone is not connected, the value is undetermined.
Current  Current in milliamps.
Power    Power in milliwatts.

Line Fault Testing

You can test the electrical status of the FXS port using the GR-909 metallic loop tests.
FXS GR909 foreign voltages (* is a failure)
Port  dcVtip  dcVring  dcVloop  acVtip  acVring  acVloop
------------------------------------------------------------
1     3       52       -48      0       0        0

If a test fails, an asterisk is shown.

Resistance Tests

The GR-909 resistance tests are as follows:

Resistive faults test: This test fails if a Tip/Ring, Tip/Ground, or Ring/Ground on-hook DC resistance less than 150k ohms is measured.
For example, the following command runs the off-hook test for FXS port 1:

> show voice fxs gr909 offhook
FXS GR909 off hook (* is a failure)
Port  Off-hook
------------------------------------------------------------
1     no

REN Test

The GR-909 ringing equivalency number (REN) value expresses the total loading effect of the equipment on the ringing current generator. The REN test verifies the presence of equipment (including phone, fax, modem) at the end of the TIP/RING pair.
  Excessive bursting R-factor (low quality R-factor lasting a certain period of time)
  Excessive delay

The alarm levels and the duration of an alarm are also specified.

Alarms are reported in the system log as INFORM messages. For more information about the system log, see "Show System Operation Summary" (page 323).

Monitored Calls

The VQM analyser reports statistics for every VoIP media stream that flows through the routing engine.
The VQM analyser reports statistics for the following CODECs:

  G.711 u-law
  G.711 A-law
  G.726-32k
  G.728-class
  G.729-class (but not G.729D and G.729E)
  GSM Full-Rate (6.10)

VQM Analyser Command

To configure the VQM analyser, enter the following command:

> config calls analyser

Table 79 describes the parameters for config calls analyser.

Table 79.
VQM Analyser Example

This example configures the VQM analyser as follows:

Jitter Buffer type: static
Alarm for low quality R-factor: yes
Alarm for excessive bursting R-factor: yes
Alarm for excessive delay: yes
Low R-Factor trigger: 50
Excessive bursting R-factor trigger: 50
Excessive bursting R-factor duration: 1000 ms
Excessive delay: 100 ms

> config call analyser jb static quality yes burst yes delay yes rquality 50 rburst 50 minburst 1000 maxdelay 100
*> save

Show VQM Analyser Configuration

To show t
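The three alarm conditions configured above (low R-factor, low R-factor sustained for minburst, excessive delay) can be modelled as a small detector. The following is an added example written for this guide, not code from Nortel or from the BSGX4e firmware: it evaluates the thresholds of the example profile over a constructed series of per-interval quality samples and returns the alarms that would be logged. The sample format, the once-per-episode alarm semantics and the strict less-than/greater-than comparisons are assumptions, since the guide only names the triggers.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class AnalyserConfig:
    """Mirror of the config calls analyser example (values from the guide)."""
    quality: bool = True    # alarm on low quality R-factor
    burst: bool = True      # alarm on low R-factor lasting >= minburst ms
    delay: bool = True      # alarm on excessive delay
    rquality: int = 50      # low R-factor trigger
    rburst: int = 50        # excessive bursting R-factor trigger
    minburst: int = 1000    # bursting duration, ms
    maxdelay: int = 100     # excessive delay, ms


@dataclass(frozen=True)
class Sample:
    """One quality sample for a monitored stream (constructed format, an assumption)."""
    t_ms: int       # time since stream start
    rfactor: int    # R-factor estimate for this interval
    delay_ms: int   # end-to-end delay estimate for this interval


# Alarm = (time of the sample that triggered it, alarm kind)
Alarm = Tuple[int, str]


def evaluate(cfg: AnalyserConfig, samples: Iterable[Sample]) -> List[Alarm]:
    """Return the alarms an analyser with thresholds cfg would raise.

    Each alarm kind is raised once per episode: the condition must clear
    before the same alarm can be raised again (assumption).
    """
    alarms: List[Alarm] = []
    low_r_active = False
    burst_start: Optional[int] = None   # time R-factor first dropped below rburst
    burst_raised = False
    delay_active = False

    for s in samples:
        # Low quality R-factor: instantaneous threshold.
        if cfg.quality and s.rfactor < cfg.rquality:
            if not low_r_active:
                alarms.append((s.t_ms, "low-rfactor"))
                low_r_active = True
        else:
            low_r_active = False

        # Excessive bursting: R-factor below rburst continuously for >= minburst.
        if cfg.burst and s.rfactor < cfg.rburst:
            if burst_start is None:
                burst_start = s.t_ms
            if not burst_raised and s.t_ms - burst_start >= cfg.minburst:
                alarms.append((s.t_ms, "burst-rfactor"))
                burst_raised = True
        else:
            burst_start = None
            burst_raised = False

        # Excessive delay: instantaneous threshold.
        if cfg.delay and s.delay_ms > cfg.maxdelay:
            if not delay_active:
                alarms.append((s.t_ms, "excessive-delay"))
                delay_active = True
        else:
            delay_active = False

    return alarms


def example_stream() -> List[Sample]:
    """Constructed stream: good for 1 s, then R-factor 40 for 1.4 s with one delay spike."""
    samples = [Sample(t, 92, 20) for t in range(0, 1000, 200)]
    samples += [Sample(t, 40, 150 if t == 1600 else 20) for t in range(1000, 2400, 200)]
    samples += [Sample(t, 92, 20) for t in range(2400, 3000, 200)]
    return samples


if __name__ == "__main__":
    for t, kind in evaluate(AnalyserConfig(), example_stream()):
        print(f"INFORM VQM alarm {kind} at t={t} ms")
```

With the guide's example thresholds the constructed stream produces a low-rfactor alarm as soon as the R-factor drops at t=1000 ms, an excessive-delay alarm at the 1600 ms spike, and a burst-rfactor alarm at t=2000 ms, the first sample at which the poor R-factor has persisted for the full 1000 ms minburst window.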
--------------------------------------------------------------------
nortel.two  4982  4.20  4.18  92  515  0.00  PCMU

Field                      Description
EP-ID, EP-Name             Source of the VoIP media stream monitored (its endpoint ID and endpoint name).
MOS-LQ, MOS-CQ, R-Factor   Scores for Mean Opinion Score - Listening Quality, Mean Opinion Score - Conversation Quality, and R-Factor.
Field          Description
JB statistics  Statistics of the simulated jitter buffer used to deduce how much VoIP traffic is disrupted. (The JB fields do not report information if the CODEC used is not supported by the VQM analyser.)

Alarm Log Entries

When a triggering threshold is reached, an alarm entry is sent to the system log. For more information about system logging, see "Show System Operation Summary" (page 323).
Call Records

This section describes commands to list the calls in progress and the call history. These commands are independent of the signaling protocol used to establish calls (SIP or MGCP).
Table 80. Call Record Fields (continued)
Field       Description
Protocol    Protocol that the calling party is using.
Quality     Quality of the stream coming from the WAN. It reports a RTCP-XR derived MOS quality score (MOS-LQ/MOS-CQ). If the field reports Not measured, either the CODEC used is not supported by VQM or RTP traffic is not received. For more information about VQM, see "Voice Quality Monitoring (VQM)" (page 247).
Start Time  Start time of the call.
Duration    Time elapsed since the start of the call.
14 LOCAL CALL ROUTING

This chapter describes the telephone service that the BSGX4e device can provide without the use of a VoIP call server on the WAN. This service is called local call routing or LCR mode and is available even during a VoIP service interruption.

VoIP Service Interruption

The BSGX4e device can provide backup phone service even when VoIP phone service is unavailable.
Local Call Routing (LCR) Mode Local call routing (LCR) mode describes the telephone service that the BSGX4e device can provide without the use of a VoIP call server on the WAN. Local call routing is automatically used when VoIP service is interrupted and LAN endpoints cannot receive or place calls using a call server on the WAN. In LCR mode, LAN VoIP phones (and an analog device on the FXS port) can place and receive local calls—calls that do not go out to the WAN.
LCR Account Command

To configure an LCR account, enter the following command:

> config lcr accounts

Table 81 describes the parameters of config lcr accounts.

Table 81. LCR Account Parameters
Parameter  Description
[dn]       Phone number of the account.
type       Signaling protocol used by the endpoint (SIP | MGCP).
id         ID of the SIP or MGCP endpoint.
Note: MGCP gateways are not supported.

The emergency call number. Calls to this number are given special treatment:
  In LCR mode, emergency calls are established through the FXO port.
  In connected mode, emergency calls are established through the WAN port with the maximum voice bandwidth allocated even if it affects the quality of existing voice calls.

The numbering plan settings that allow the device to determine if the call is local or external.
Example: Local Numbering Plan

The following example defines the local numbering plan as follows:

prefix for outbound calls: 9
area code: 408
central office prefix: 555
length of extension number: 4

> config lcr settings obaccess 9 areacode 408 coprefix 555 enlength 4
*> save

This configuration supports calls as follows:

Number dialed  Action
2210           Four-digit call so only local accounts are checked.
9411           Outbound prefix so number is interpreted as outbound call for 411.
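How a numbering plan like the one above turns a dialed string into a routing decision can be shown with a small classifier. This is an added example written for this guide, not code from Nortel or from the BSGX4e: it reproduces the two rows the guide documents (a four-digit dial is looked up locally; a dial starting with the outbound prefix is an outbound call with the prefix stripped) and, as an assumption the guide does not spell out, also folds a 7- or 10-digit number that carries the configured CO prefix and area code back to its local extension. Note that 9411 is four digits long and the guide still classifies it as outbound, so the outbound-prefix check runs before the extension-length check.

```python
from dataclasses import dataclass
from typing import Tuple


@dataclass(frozen=True)
class LcrSettings:
    """Values of config lcr settings from the guide's example."""
    obaccess: str   # prefix for outbound calls
    areacode: str   # area code of the local numbering plan
    coprefix: str   # central office prefix of the local numbering plan
    enlength: int   # length of an extension number


# (route, number): route is "local", "outbound" or "reject" (reject is an assumption)
Decision = Tuple[str, str]


def classify_dialed(plan: LcrSettings, dialed: str) -> Decision:
    """Decide how an LCR session controller would treat a dialed string.

    Order of checks (the first two follow the guide's table, the rest are assumptions):
      1. outbound access prefix  -> outbound call, prefix stripped
      2. exactly enlength digits -> local call, only LCR accounts are checked
      3. coprefix + extension, or areacode + coprefix + extension -> local extension
      4. anything else           -> rejected (no route in the local plan)
    """
    if not dialed.isdigit():
        return ("reject", dialed)

    # 1. The guide's own example treats 9411 (four digits) as outbound, so the
    #    prefix check must win over the extension-length check.
    if plan.obaccess and dialed.startswith(plan.obaccess) and len(dialed) > len(plan.obaccess):
        return ("outbound", dialed[len(plan.obaccess):])

    # 2. A bare extension: only local accounts are consulted.
    if len(dialed) == plan.enlength:
        return ("local", dialed)

    # 3. Assumption: full local numbers collapse to the extension.
    local_7 = plan.coprefix + "{ext}"
    if dialed.startswith(plan.coprefix) and len(dialed) == len(plan.coprefix) + plan.enlength:
        return ("local", dialed[len(plan.coprefix):])
    full_prefix = plan.areacode + plan.coprefix
    if dialed.startswith(full_prefix) and len(dialed) == len(full_prefix) + plan.enlength:
        return ("local", dialed[len(full_prefix):])

    # 4. Assumption: nothing else is routable without a WAN call server.
    return ("reject", dialed)


PLAN = LcrSettings(obaccess="9", areacode="408", coprefix="555", enlength=4)

if __name__ == "__main__":
    for number in ("2210", "9411", "5552210", "4085552210", "12345"):
        print(number, "->", classify_dialed(PLAN, number))
```

The `local_7` string in step 3 is only a readability aid for the pattern being matched; the comparison itself is done on lengths and prefixes so that an extension can never be mistaken for a partial CO prefix.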
This command's parameters are as follows:

Parameter  Description
tx         Transmit (tx) gain (digital to analog conversion) in decibels. Specify a minus (-) before a negative value. The default is 0 dB.
rx         Receive (rx) gain (analog to digital conversion) in decibels. Specify a minus (-) before a negative value. The default is 0 dB.
Parameter              Description
hybn, where n = 1-8    Hybrid filter n (1 - 8). Eight hybrid filters are provided (for customizing impedance only). Their allowed values are 0 - 255. The default value for each filter is 0.

Table 83.
HYB2  HYB3  HYB4  HYB5  HYB6  HYB7  HYB8
0     0     0     0     0     0     0

Show LCR Status

The session controller runs either in normal mode (all calls are established through a VoIP server) or in LCR mode (the BSGX4e device provides limited local and PSTN call service). To see whether the session controller is running in LCR mode, enter the status command for the session controller.
15 SIP CONFIGURATION

This chapter describes the configuration of the SIP session controller and the SIP gateway. You can configure the BSGX4e device to act as both VoIP session controller and VoIP gateway. The session controller and VoIP gateway can use either the Session Initiation Protocol (SIP) or the Media Gateway Control Protocol (MGCP). Configuration for MGCP is described in "MGCP Configuration" (page 209).
Figure 17. SIP Network Layout (figure: SIP servers)

SIP Session Controller

All VoIP traffic is directed through the session controller, which isolates and controls all VoIP devices on the internal network (LAN). The session controller can handle up to 1000 VoIP endpoints and up to 500 concurrent calls. The session controller provides the following services:

  Serves as the interface between SIP endpoints and the SIP call server on the WAN.
  Monitors the registration status of the SIP endpoints on its LAN and times out the endpoint entry if the device becomes unregistered. The SIP registration information is kept in nonvolatile storage, so it can be immediately restored at restart.
  Manages the Access Control List (ACL) rules. Registration and call requests are accepted or rejected as directed by ACL rules. See "Access Control List (ACL)" (page 232).
SIP Call Server Access This section describes how to configure a server profile, which determines how the session controller accesses SIP proxy servers to provide VoIP service. One of the session controller settings specifies the call server profile that the session controller is to use. A server profile can explicitly specify up to three SIP proxy servers or it can specify no servers.
The firewall is automatically updated to accept SIP messages from the additional inbound servers. You must specify the additional SIP servers by IP address in the SIP server profile. You can specify a single IP address or a range of addresses on the ibserver1, ibserver2, and ibserver3 parameters.

SIP Server Profile Command

To configure a SIP server profile, enter the following command:

> config sip server settings

Table 84 describes the parameters for config sip server settings.
Example Using DNS to Locate the Server

The SIP session controller uses DNS to locate a SIP proxy server only if the parameters proxy1, proxy2, and proxy3 are blank. (To clear the proxy parameter values, specify no proxy1 no proxy2 no proxy3.)

This example configures the SIP server automatically:

Setting name: EMM_Automatic
Registrar domain: emm.live.ericsson.net

> config sip server settings EMM_Automatic domain emm.live.ericsson.
> config sip server settings EMM_FailOverMode domain emm.live.ericsson.net proxy1 primary.emm.live.ericsson.net port1 6666 proxy2 secondary.emm.live.ericsson.net port2 6666 retries 4 blacklist 300
*> save

Example Specifying an Additional SIP Inbound Server

This example configures an additional inbound SIP server:

Setting name: EMM_AdditionalServer
Registrar domain: emm.live.ericsson.net
Proxy server: pcscf.emm.live.ericsson.
  Port3      5060
  IBServer1
  IBServer2
  IBServer3
  Retries    4
  Blacklist  600 sec

SIP Server "EMM_FailOverMode":
  Name       EMM_FailOverMode
  Domain     emm.live.ericsson.net
  Proxy1     primary.emm.live.ericsson.net
  Port1      6666
  Proxy2     secondary.emm.live.ericsson.net
  Port2      6666
  Proxy3
  Port3      5060
  IBServer1
  IBServer2
  IBServer3
  Retries    4
  Blacklist  300 sec

SIP Server "EMM_AdditionalServer":
  Name       EMM_AdditionalServer
  Domain     emm.live.ericsson.
> show sip server status
SIP Server "Example":
  Name       Example
  Active     Yes
  Mode       DNS-SRV
  Domain     emm.live.ericsson.net
  Proxy1     proxy1.emm.live.ericsson.net (In-use)
  Port1      6666
  Proxy2     proxy1.emm.live.ericsson.net (Ready)
  Port2      6666
  Proxy3
  Port3      0
  IBServer1
  IBServer2
  IBServer3

The display shows the information specified by the profile. It also shows the following status information:

Field   Description
Active  Yes: This server profile is in use.
Mode    DNS-SRV: DNS locates the proxies.
Feature                         Description                                       Configuration Command
Endpoint Status Handling (ESH)  Enables and disables LAN endpoints.               See "Endpoint Status Handling (ESH)" (page 277).
Call Admission Control (CAC)    Controls whether a call can be placed or received. See "Call Admission Control (CAC)" (page 236).
Voice Quality Monitoring (VQM)  Reports the quality of calls.                     config calls analyzer (see "Voice Quality Monitoring (VQM)" (page 247)).
Table 85. SIP Session Controller Parameters
Parameter  Description
server     Name of the SIP call server setting to be used. To see the configured server profiles, enter show sip server settings.
lcdomain   Local domain for LAN endpoints. SIP messages that do not match the domain are discarded.
wanrxport  Port on which to listen for SIP signaling messages from the WAN. The default is 5060.
lanrxport  Port on which to listen for SIP signaling messages from the LAN. The default is 5060.
  Server               EMM
  Local Domain
  Wan Rx Port          5060
  Lan Rx Port          5060
  Timer T1             500 msec
  Timer T2             4000 msec
  Timer B              16 sec
  Timer F              32 sec
  Timer C              180 sec
  Max Calls            500
  Signaling QoS Group  VoIP

Show SIP Session Controller Status

To show the status of the SIP session controller, enter the following command:

> show sip sc status
SIP Session Controller status:
  SSC Started       Yes
  SSC Server Ready  Yes
  My Wan IpAddr     172.29.250.
  WanMsgRecvCount      100
  WanMsgProcCount      100
  WanMsgDropDataErr    0
  WanMsgDropNoBufErr   0
  WanReqCacRejErr      0
  WanReqDropSecFail    0
  WanReqDropDataErr    0
  WanRspDropDataErr    0
  WanRspDropStateErr   0
  LanMsgRecvCount      100
  LanMsgProcCount      100
  LanMsgDropDataErr    0
  LanMsgDropSecErr     0
  LanMsgDropNoBufErr   0
  LanReqEacRejErr      0
  LanReqCacRejErr      0
  LanReqDropSecFail    0
  LanReqDropDataErr    0
  LanRspDropDataErr    0
  LanRspDropStateErr   0

The count fields (WanMsgRecvCount, WanMsgProcCount, LanMsgRecvCount, and LanMsgProcCount)
  - Called dest busy:            0
  - Others causes:               0
Total inbound calls from WAN:    1
  Calls on going:                0
  Calls succeeded:               0
  Calls failed:                  1
  - Call rejected no bandwidth:  0
  - Call cancelled:              1
  - Call redirected:             0
  - Call forbidden:              0
  - Call not found:              0
  - Called dest busy:            0
  - Others causes:               0

The first section, Total outbound calls from LAN, applies to calls that originate from LAN endpoints. The second section, Total inbound calls from WAN, applies to calls that originate from the SIP server.
> show sip sc endpoints
SIP Session Controller endpoints:
Endpoint ID  EP Addr  EP Port  Act Calls  Endpoint Name  TelNo  Lan Domain  Timeout
--------------------------------------------------------------------
nortel.two   10.0.1.12  5060  1  4982  nortel.two   10.0.1.1  1626
nortel.four  127.0.0.1  5065  0  4984  nortel.four  local     3578
nortel.five  10.0.20.1  5060  0  4985  nortel.five  10.0.1.
SIP Gateway The SIP gateway (also known as the user agent, or UA) is the software that allows an analog device such as a telephone or fax machine to use VoIP connections to place and receive calls. You must connect the analog device to the FXS port of the device as described in the installation guide. This integrated SIP gateway is configured as if it is a VoIP SIP phone located on the LAN.
NOTE: The SIP gateway attempts to register with the SIP server as soon as it is started; the SIP gateway cannot function until it is successfully registered.

SIP Gateway Settings Command

To configure the SIP protocol settings for the gateway, enter the following command:

> config sip ua settings

Table 86 describes the parameters for config sip ua settings.

Table 86. SIP Gateway Parameters
Parameter  Description
timert1    Minimum retransmission time interval (in milliseconds).
MIN-SE timer: 500 seconds
Session expire timer: 600 seconds

> config sip ua settings seenable yes setimer 600 minsetimer 500
*> save

Show SIP Gateway Settings

To show the SIP settings for the gateway, enter the following command:

> show sip ua settings
SIP Protocol Settings:
  Timer T1         500
  Timer T2         4000 msec
  Timer B          32000 msec
  RegExpire        1800 sec
  SE Enable        yes
  SE Timer         600 sec
  MIN-SE Timer     500 sec
  On-Hold Timer    180 sec
  No-Answer Timer  60 sec

SIP Gateway Configuration

To configure the gateway, the following
A codec parameter that is specified as notused acts as a terminator in the preferred codec list; subsequent codecs are ignored. For example, if the codec parameters are set as below, codec3 and codec4 are ignored; they are not proposed in negotiations:

codec1 PCMU_10
codec2 notused
codec3 PCMU_20
codec4 PCMA_20

Currently, Fax T.38 is not supported.
Table 87. SIP Gateway Configuration Parameters (continued)
Parameter  Description
payload    If RFC 2833 is enabled (rfc2833 yes), you can specify the RTP dynamic payload type (96-127). The default is 101.
mls        Feature currently not supported. (Enables multi-line support (yes | no). Specify yes if the FXS port is connected to a multi-line phone or Private Branch Exchange (PBX). The default is no.)
mpt        Enables modem pass-through and forces media to G.711 echo cancellation (off | on).
------------------------------------------------------------------
0-1  uap1  uap1  PCMU_20  G729A_20  yes  no  Off  yes  uap1  PCMA_20  NOTUSED  96  Off  no

Delete SIP Gateway Configuration

To delete the SIP gateway configuration for the FXS port, enter the port number on a del sip ua port command. This allows for reconfiguration starting from default values; it is also required if the port is to be reconfigured as an MGCP gateway.

NOTE: A port currently in use cannot be deleted.
Chan  LocalNumber   CodecType   LocalConn             RtcpTx  RtpTx
Port  RemoteNumber  CodecState  RemoteConn            RtcpRx  RtpRx
---------------------------------------------------------------------
5     1001          G711a       172.29.3.11:13008     0       0
0     2720          STARTED     172.29.11.120:16384   0       0

The LocalConn and RemoteConn fields report the local and remote IP addresses and port numbers used by RTP for the connection. The CodecType and CodecState fields report the status of the media stream.
Table 88. SIP Numbering Plan Parameters (continued)
Parameter  Description
type       Indicates whether the entry is for a number or a service code (number | service).
feature    Feature type if type is service.
NOTE: The hash character (#) is required to activate a service entry.

Assuming these codes are processed by the SIP server, code *78 tells the SIP server to mark the SIP gateway as busy, so the server returns the appropriate error code if it is called. Code *79 tells the SIP server to release the SIP gateway from the busy state.
This example configures two numbering plan entries to enable the use of the Call Forwarding-No Answer feature:

  To forward unanswered calls to another phone, the entry is *93, followed by the phone number and the hash character (#). For example, to forward unanswered calls to phone 4985, the entry is *934985#.
  To clear unanswered call forwarding for a phone, the entry is *94#.

NOTE: The hash character (#) is required to activate a service entry.
Entry  Type     Feature
*78    Service  SDND
*79    Service  CDND
*80    Service  BXFER
*90    Service  SFWA
*91    Service  CFWA
*93    Service  SFWNA
*94    Service  CFWNA
1      Number   None
(remaining numeric columns of this table, in the extracted order: 0 0 0 0 0 0 0 9 0 0 0 0 0 0 0 0 0)

SIP Endpoints

This section provides guidelines to configure the SIP endpoints to be managed by the BSGX4e device. To enable a SIP endpoint to place and receive calls, it must be:

  Allowed access by the Access Control List (ACL). See "Access Control List (ACL)" (page 232).
domain: LAN IP address of the BSGX4e device

Verify Endpoint Registration

To verify that the endpoints are correctly registered, enter the following command:

> show sip sc endpoints
SIP Session Controller endpoints:
Endpoint ID  EP Addr  EP Port  Act Calls  Endpoint Name  TelNo  Lan Domain  Timeout
------------------------------------------------------------------
nortel.two   10.0.1.12  5060  1  4982  nortel.two  10.0.1.1  1626
nortel.four  127.0.0.1  5065  1  nortel.four  nortel.
Configuring SIP

This section describes the steps for setting up the SIP Session Controller and SIP User Agent of the BSGX4e for use with LAN VoIP phones and an analog fax machine.
Table 89 describes network information, and Table 90 describes server information.

Table 89. Network Information
LAN IP range   10.0.0.0/16
Access router  10.0.1.1 (BSGX4e)
WAN range      172.29.250.0/24
Access router  172.29.250.1

Table 90. Server Information
S1  DHCP Server  dhcpserver.isp.com - 66.19.9.160 (the access router acting as a DHCP relay between the BSGX4e and the DHCP server)
S2  HTTP Server  Httpserver.isp.com - 66.19.9.161
S3  SIP Server   Sipserver.com - 66.19.9.
2. Upgrade their firmware if necessary.
3. Download a configuration file.
4. Get the clock time from the network.
5. Display a logo on their screen.
6. Register with the SIP server.

The second objective is to configure the SIP UA so that the fax machine can make calls. Once these two objectives are covered, this document shows the steps to configure a VoIP phone, check the overall configuration, and make calls.
3. Configuring the default IP gateway. The default IP gateway is automatically configured if the DHCP server provides a default gateway option. Otherwise, it must be manually configured.

*BSG*> config route table default gw 172.29.250.1
*BSG*> show route table
Destination  Netmask      Gateway       Interface
-------------------------------------------------------------------------
0.0.0.0      0.0.0.0      172.29.250.1  eth0
10.0.0.0     255.255.0.0  10.0.1.1      eth1
127.0.0.0    255.0.0.0    127.0.0.
Ping the SIP server.

*BSG*> ping sipserver.isp.com
Pinging sipserver.isp.com (66.19.9.162): 56 data bytes
Reply from 66.19.9.162: bytes=56 icmp_seq=0 time=190ms
Reply from 66.19.9.162: bytes=56 icmp_seq=1 time=180ms
Reply from 66.19.9.162: bytes=56 icmp_seq=2 time=170ms
Reply from 66.19.9.162: bytes=56 icmp_seq=3 time=200ms
----- sipserver.isp.com ping statistics -----
4 packets transmitted, 4 packets received, 0.0% packet loss
Round-trip times: min/avg/max=170/185/200ms

Ping the SNTP server.
  Server 1       ntpserver.isp.com
  Server 2       0.0.0.0
  Server 3       0.0.0.0
  Server 4       0.0.0.0
  Gmt Offset     +09:00
  Sync Interval  7 days
  Last Sync      MON FEB 27 02:30:11 2006
  Next Sync      MON MAR 06 02:30:11 2006
*BSG*> time
MON FEB 27 02:30:25 2006

7. Configuring the LAN IP address of the unit. Assign the IP address 10.0.1.1/16 to LAN interface eth1.

*BSG*> config interface eth1 ip 10.0.1.
*BSG*> show qos group
QoS Quality Groups:
Name  Link  QG  Type     Committed  Burst  IPToS  COS
-------------------------------------------------------------------------
VoIP  eth0  A1  policed  877600     0      no     no

NOTE: The specified committed rate takes into account the Ethernet header.

NOTE: The other traffic types will be managed in Best Effort mode (for example, with higher delay or loss).

Data service configuration for the LAN VoIP phones: DHCP, SNTP, and TFTP

9.
  TFTP      10.0.1.1
  Filename
  Domain
  NTP1      10.0.1.1
  NTP2      0.0.0.0
  Timezone  GMT Offset +9 [hh:mm]
  150       10.0.1.1
  151       0.0.0.0
  160       0.0.0.0
  161       0.0.0.0

10. Configuring the relay functions for DNS, SNTP, and TFTP for LAN VoIP phones. Configure the DNS relay so the BSGX4e relays DNS requests and replies between LAN VoIP phones and the DNS server located in the WAN.

*BSG*> config relay dns settings enabled yes dns1 66.19.9.
*BSG*> config sip server settings SipProxy domain sip.net
*BSG*> show sip server settings
SIP Server "SipProxy":
  Name       SipProxy
  Domain     sip.net
  Proxy1
  Port1      5060
  Proxy2
  Port2      5060
  Proxy3
  Port3      5060
  IBServer1
  IBServer2
  IBServer3
  Retries    4
  Blacklist  600 sec

Display the results of the DNS-SRV process.

*BSG*> show sip server status
SIP Server "SipProxy":
  Name     SipProxy
  Active   Yes
  Mode     DNS-SRV
  Domain   sip.net
  Proxy1   sipserver.isp.
  Lan Rx Port          5060
  Timer T1             500 msec
  Timer T2             4000 msec
  Timer B              16 sec
  Timer F              32 sec
  Timer C              180 sec
  Max Calls            500
  Signaling QoS Group  VoIP

13. Configuring the Access Control List. By default, all LAN VoIP phones are allowed to make calls.
-------------------------------------------------------------------------
0-1  Fax  Fax  PCMU_20  G729A_20  yes  no  Fax  Fax  PCMA_20  NOTUSED  96  Off  no  On  Yes

Step 3-Configure LAN VoIP phones (Example using Cisco 7960)

1. Preparing a LAN VoIP phone for data services. DHCP must be enabled. DNS, SNTP, and TFTP server requests from the LAN phone must be configured to use the LAN IP address of the BSGX4e. The HTTP server must be set to httpserver.isp.
3. Connecting the VoIP phone to a LAN port of the BSGX4e. The VoIP phone should:
  Get an IP address.
  Upgrade its firmware if necessary.
  Download a configuration file.
  Get the clock time from the network.
  Display a logo on its screen.
  Register with the SIP server.

Step 4-Check the overall configuration

1. Checking the status of the SIP UA. Check that the SIP UA is correctly registered to the SIP server.
4. Checking the status of the SIP SC. Check that the SIP SC reports the SIP endpoints registered to the SIP server (SIP UA and LAN SIP phone).

BSG> show sip sc endpoints
SIP Session Controller endpoints:
Endpoint ID  EP Addr  EP Port  Act Calls  Endpoint Name  Phone Number  Lan Domain  Reg Timeout
-------------------------------------------------------------------------
1234  10.0.1.100  5060  0  1234  1234  10.0.1.1  1602
Fax   127.0.0.
Annex A-Configuration example for Cisco 7960 SIP phone

# SIP Default Configuration File
# Image Version
image_version: P0S3-07-5-00
# SIP Configuration Generic File
# Line 1 appearance
line1_name: 1234
# Line 1 Registration Authentication
line1_authname: 1234
# Line 1 Registration Password
line1_password: 1234
# Phone Label (Text desired to be displayed in upper right corner)
phone_label: 1234; Has no effect on SIP messaging
# Line 1 Display Name (Display name to use for SIP messaging)
li
# TOS bits in media stream [0-5] (Default - 5)
tos_media: 5
# Inband DTMF Settings (0-disable, 1-enable (default))
dtmf_inband: 1
# Out of band DTMF Settings
#(none-disable, avt-avt enable (default), avt_always-always avt)
dtmf_outofband: avt
# DTMF dB Level Settings
#(1-6dB down, 2-3db down, 3-nominal (default), 4-3db up, 5-6dB up)
dtmf_db_level: 3
# SIP Timers
timer_t1: 500; Default 500 msec
timer_t2: 4000; Default 4 sec
sip_retx: 10; Default 10
sip_invite_retx: 6; Default 6
timer_invite_expires: 180 ; De
dst_auto_adjust: 1; Enable(1-Default)/Disable(0) DST automatic adjustment
time_format_24hr: 1; Enable(1 - 24Hr Default)/Disable(0 - 12Hr)
# Do Not Disturb Control
#(0-off (default), 1-on, 2-off with no user control, 3-on with no user control)
dnd_control: 0;
# Caller ID Blocking
#(0-disabled, 1-enabled, 2-disabled no user control, 3-enabled no user control)
callerid_blocking: 0; (Default is 0 - disabled and sending all calls as anonymous)
# Anonymous Call Blocking
#(0-disabled, 1-enabled,
outbound_proxy_port: 5060; default is 5060
# Allow for the bridge on a 3way call to join remaining parties upon hangup
cnf_join_enable: 1; 0-Disabled, 1-Enabled (default)
# Allow Transfer to be completed while target phone is still ringing
semi_attended_transfer: 1; 0-Disabled, 1-Enabled (default)
# Telnet Level (enable or disable the ability to Telnet into the phone)
telnet_level: 2; 0-Disabled (default), 1-Enabled, 2-Privileged
# XML URLs
services_url: ""; URL for external Phone Services
directory_url: ""
2. When the 200 OK is received (assuming use of the G.729a CODEC), the SC adjusts the bandwidth to 51 200 bps (100 pps x 64 bytes x 8 bits).
3. When the media is started (assuming the observed packet time is G.729a 20ms), the SC adjusts the bandwidth to 29 600 bps (50 pps x 74 bytes x 8 bits).

To ensure use of all available bandwidth, the Session Controller makes an additional adjustment when the remaining bandwidth is insufficient for a G.711 10ms call.
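The per-packet sizes in the steps above (64 bytes for G.729a at 10 ms, 74 bytes at 20 ms) are consistent with the codec payload plus 40 bytes of IP/UDP/RTP headers plus a 14-byte Ethernet header, which matches the earlier note that the committed rate takes the Ethernet header into account. The following added example (written for this guide, not code from Nortel or the BSGX4e) generalises that arithmetic into a bandwidth calculator and a small CAC pool that walks a call through the INVITE, 200 OK and media-start adjustments. The codec table, the initial worst-case reservation of a G.711 10 ms call at INVITE time, and the pool size are assumptions; the guide only shows steps 2 and 3 and the G.711 10 ms reference.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

IP_UDP_RTP_HEADER_BYTES = 20 + 8 + 12   # IPv4 + UDP + RTP
ETHERNET_HEADER_BYTES = 14              # included in the guide's per-packet sizes

# Codec bit rates in kbit/s (assumed table; the guide names G.711 and G.729a).
CODEC_KBPS = {"PCMU": 64, "PCMA": 64, "G729A": 8}


def packet_bytes(codec: str, ptime_ms: int) -> int:
    """Bytes on the wire for one RTP packet of the given codec and packet time."""
    payload = CODEC_KBPS[codec] * ptime_ms // 8     # kbit/s * ms / 8 = bytes
    return payload + IP_UDP_RTP_HEADER_BYTES + ETHERNET_HEADER_BYTES


def bandwidth_bps(codec: str, ptime_ms: int) -> int:
    """One-direction bandwidth in bit/s, as pps x bytes x 8 (the guide's formula)."""
    pps = 1000 // ptime_ms
    return pps * packet_bytes(codec, ptime_ms) * 8


@dataclass
class CacPool:
    """Bandwidth pool for one direction of VoIP media (assumed model of CAC)."""
    capacity_bps: int
    reserved_bps: int = 0
    log: List[Tuple[str, int]] = field(default_factory=list)

    @property
    def remaining_bps(self) -> int:
        return self.capacity_bps - self.reserved_bps

    def reserve(self, stage: str, bps: int) -> bool:
        """Try to reserve bps for a new call; refuse if the pool would go negative."""
        if bps > self.remaining_bps:
            self.log.append((stage + " rejected", bps))
            return False
        self.reserved_bps += bps
        self.log.append((stage, bps))
        return True

    def adjust(self, stage: str, old_bps: int, new_bps: int) -> None:
        """Replace an earlier reservation once the codec or packet time is known."""
        self.reserved_bps += new_bps - old_bps
        self.log.append((stage, new_bps))


def admit_call(pool: CacPool, answered_codec: str, observed_ptime_ms: int) -> List[int]:
    """Walk one call through the three adjustments and return remaining bandwidth after each.

    Stage 1 (assumption): reserve a worst-case G.711 10 ms call at INVITE time.
    Stage 2 (guide): on 200 OK, adjust to the answered codec at 10 ms.
    Stage 3 (guide): when media starts, adjust to the observed packet time.
    """
    worst_case = bandwidth_bps("PCMU", 10)
    if not pool.reserve("invite", worst_case):
        return []
    remaining = [pool.remaining_bps]

    at_200ok = bandwidth_bps(answered_codec, 10)
    pool.adjust("200ok", worst_case, at_200ok)
    remaining.append(pool.remaining_bps)

    at_media = bandwidth_bps(answered_codec, observed_ptime_ms)
    pool.adjust("media", at_200ok, at_media)
    remaining.append(pool.remaining_bps)
    return remaining


if __name__ == "__main__":
    print("G.729a 10 ms:", bandwidth_bps("G729A", 10), "bps")   # 51200 as in the guide
    print("G.729a 20 ms:", bandwidth_bps("G729A", 20), "bps")   # 29600 as in the guide
    print("G.711  10 ms:", bandwidth_bps("PCMU", 10), "bps")
    pool = CacPool(capacity_bps=200_000)                         # constructed pool size
    print("remaining after each stage:", admit_call(pool, "G729A", 20))
```

Because the reservation is made pessimistically at INVITE time and released step by step, a pool that can carry many G.729a calls can still refuse an INVITE when less than one G.711 10 ms call of headroom is left, which is exactly the situation the guide's additional adjustment addresses.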
16 VOIP SERVICES AND RELAYS

This chapter describes services that the BSGX4e device can provide for the VoIP phones and other devices on its LAN. Each user device on the LAN (such as IP phones and PCs) can be configured, either manually or through DHCP, to use the BSGX4e as its DNS, SNTP, and TFTP server. To perform these server functions, the BSGX4e intelligently relays requests from clients on the LAN to servers on the WAN. This makes it easier to provision and manage multiple user devices.
  DNS2      0.0.0.0
  TFTP
  Filename
  Domain
  NTP1      0.0.0.0
  NTP2      0.0.0.0
  Timezone  GMT Offset 0 [hh:mm]
  150       0.0.0.0
  151       0.0.0.0
  160       0.0.0.0
  161       0.0.0.0

DHCP Server Configuration Command

To change the DHCP server configuration, enter the following command:

> config dhcps pool

Table 91 describes the parameters for config dhcps pool.

Table 91.
DHCP Server Configuration Example

This example configures the DHCP server, so it can provide DNS, TFTP, and SNTP relay services for the LAN devices. The IP address of the eth1 interface of the BSGX4e device is 10.0.1.1.

> config dhcps pool eth1
Entering interactive mode ctrl^z | 'exit', ctrl^c | 'quit'
*dhcps-pool-eth1#*> subnet 10.0.1.0
*dhcps-pool-eth1#*> netmask 255.255.255.0
*dhcps-pool-eth1#*> ip 10.0.1.100 - 10.0.1.200
*dhcps-pool-eth1#*> broadcast 10.0.1.
  151  10.0.1.1
  160  10.0.1.1
  161  10.0.1.1

Show DHCP Leases

To view the DHCP leases, enter the following command:

> show dhcps lease
DHCP Leases:
IP            StartTime            Hostname  Expired  EndTime              MAC
--------------------------------------------------------------------
192.168.1.55  2006/08/28 15:13:28  NA        *        2006/08/28 15:15:28  00:0f:8f:07:2d:3d
192.168.1.52  2006/08/28 14:48:44  hyeres    *        2006/08/28 14:50:44  00:11:43:29:2d:ed

The IP field lists the IP address of the device that holds the lease.
Table 92. DHCP Relay Parameters (continued)
Parameter   Description
server      DHCP server on the WAN to which LAN DHCP messages are relayed.

DHCP Relay Example
The following example enables the DHCP relay function and specifies the DHCP server at IP address 192.168.134.200:
> config relay dhcp settings enabled yes server 192.168.134.
Table 93. DNS Relay Parameters
Parameter   Description
enabled     Indicates whether the DNS relay is enabled (Boolean). The initial setting is no (disabled).
dns1        IP address of the primary external DNS server.
dns2        IP address of an optional second external DNS server.
dhcp        Indicates whether the DNS server addresses are provided by the DHCP client on the WAN interface of the BSGX4e (on | off). The initial setting is off.
> show relay dns cache
DNS Relay Cache:
Index  Name                IP address       TTL
------------------------------------------------------------
1      tftpserver.wan.com  192.168.134.161  56

SNTP Relay
The SNTP relay function relays SNTP messages between clients located on the LAN and a single server located on the WAN. From the viewpoint of the clients on the LAN, the BSGX4e appears to be the server. From the viewpoint of the server on the WAN, the BSGX4e appears to be the client.
Show SNTP Settings
To verify the SNTP settings, enter the following command:
> show relay sntp settings
SNTP Relay Settings:
Enabled  Server           DHCP  GMT
on       192.168.134.160  off   0 hours

Show SNTP Sessions
To show the current SNTP sessions exchanged through the BSGX4e, enter the following command:
> show relay sntp sessions
SNTP Relay Sessions:
Index  Client          Relay          Duration
------------------------------------------------------------
1      10.0.2.51:123   192.168.134.
Table 95. TFTP Relay Configuration Parameters (continued)
Parameter   Description
server      IP address or FQDN of the external TFTP server.
dhcp        Indicates whether the TFTP server address is provided by the DHCP client on the WAN interface of the BSGX4e (on | off). The initial setting is off.
allow       Types of TFTP messages to relay (get | all). The default is get.
sessions    Maximum number of concurrent TFTP sessions. This limit ensures that the CPU is not monopolized by TFTP packet relays.
TFTP File Cache The TFTP cache feature allows copies of frequently requested files to be temporarily stored on the BSGX4e. If a file requested by a LAN device is found in the cache, it can be immediately sent to the client.
NOTE: Only files that are specified by this command are cached.
Table 97 describes the parameters for config relay tftp files.
Table 97. TFTP Files Configuration Parameters
Parameter   Description
[index]     File index.
name        Name of the file to cache.

TFTP Cache Example
The following example configures the TFTP cache:
Size of the cache: 16 MB
Refresh interval: 960 minutes (16 hours)
Download mode: auto
Files cached: SIPDefault.
Delete Files to be Cached
To delete an entry from the list of files to be cached, specify the entry index on the del relay tftp files command. For example, the following command deletes the entry for index 1:
> del relay tftp files 1

Clear TFTP Cache
To clear the TFTP file cache of its contents, enter the following command:
> clear relay tftp cache
After the cache is cleared, new copies of the files are downloaded.
17 MONITORING
This chapter describes the information that the BSGX4e device collects so that the system can be monitored. The BSGX4e device provides the following monitoring information:
- Information displays
- System exceptions
- System hardware
- System status
- System operations summary
- System logs: audit logging and module logging
- Port statistics
- IP stack statistics

Show System Exceptions
If a system error occurs, an exception is triggered and saved in nonvolatile memory.
Table 98. System Exception Information Fields (continued)
Field             Description
Time              Time at which the exception occurred.
Vector            Exception vector.
Program Counter   Exception program counter.
Access Address    Address accessed that caused the exception.
Status Register   Exception status register.
Cause Register    Exception cause register.

Show Hardware Information
When reporting a problem, it is important to provide both system information (show system info) and hardware information about the unit.
Bootcode Ver   1.10.00010
App. Ver       BSG T2 2.02.0138
System Type    BSGX4e
Memory         89/128 MB
MAC 0          00:22:11:44:33:04
MAC 1          00:22:11:44:33:05
Serial
Country        United States of America (US)
Temp           Unsupported
Up time        0y 0d 4h 33m 20s

Show System Operation Summary
To see a summary of BSGX4e operations, enter the following command:
> summary
System Summary:
System:         BSG Series
Application:    2.00.1002
Boot:           1.10.
Model:
Uptime:
Date:
CPU Busy:
Memory Usage:
IDS Attacks:    4340719
NAT:            Enabled
Interfaces:
eth0   2.3.4.5 (NAT)
eth1   0.0.0.0
vif0   10.1.1.1
vif1   192.168.134.192
vpn0   100.100.100.191
The Avg. MOS statistic is calculated from the MOS of the last 30 calls. Data statistics include:
Routing       Current load of the system: the number of packets routed per second.
Forwarded     Cumulative number of packets routed through the IP stack.
DHCP Leases   Number of IP addresses assigned by the DHCP server to LAN devices.
IDS attacks   Number of attacks detected by IDS.
Audit Log:
Enabled   no

Show Audit Log Entries
To see the entries currently in the audit log, enter the following command. The following example shows entries for two configuration changes:
> show audit log
Audit log:
Message
-----------------------------------------------------------
16:16:02: root CONFIG switch qos setting
16:16:02: root CONFIG interface ip eth0
- Console
- UDP server
- Syslog server
Table 99 lists the severity and default destination of each message level.
Table 99. Message Severity
Severity Level  Message Level  Description                        Default Destination
0               emerg          Emergency operation error.         Internal buffer.
1               alert          Alert level operation error.       Internal buffer.
2               crit           Critical operation error.          Internal buffer.
3               error          Low-level operation error.         Internal buffer.
4               warn           Warnings, such as a system attack. Internal buffer.
Logging Level Example
The following example specifies that debug and trace messages are to be logged, and inform messages are not to be logged, for module VQM:
> config logging modules VQM map +debug +trace
*> config logging modules VQM map -inform
*> save

Show Logging Levels
To show the logging level for system modules, enter the show logging modules command. To show the logging level for a specific module, specify the module on the command.
NOTE: To include a specific destination in the map for a message type, use a plus (+) prefix; to exclude a destination, use a minus (-) prefix.
Table 101. Log Destination Map Parameters
Parameter   Description
emerg       Destinations for Emergency messages (all | console + udp + syslog + internal + file | none). The default is internal.
alert       Destinations for Alert messages (all | console + udp + syslog + internal + file | none). The default is internal.
Alert Map  Critical Map  Error Map  Warning Map  Notice Map  Inform Map  Debug Map  Trace Map
internal   internal      internal   internal     internal

Show Module Log Entries
If one of the logging destinations for a message is internal (the internal buffer) or file (an internal file that can be retrieved after a restart), you can display the messages by using a command.
Table 102. Log Server Parameters
Destination   Description
udpip         (For a UDP destination) IP address of a standard UDP receiver.
udpport       (For a UDP destination) Port of the receiving UDP logger.
sysip         (For a Syslog destination) IP address of a receiving Syslog daemon.
sysport       (For a Syslog destination) Port of a receiving Syslog daemon.
facility      (For a Syslog destination) Syslog facility to use (localn, where n is 0-7).
LogRxCount   96
Errors       0

Ethernet Interface Statistics
The BSGX4e device records layer 1 and layer 2 Ethernet statistics for its Ethernet interfaces. To show the statistics for an Ethernet interface, specify the interface on the stats interface ip command.
IP Statistics IP statistics report counters about the traffic routed through the IP stack.
Table 103. IP Statistics (continued)
Counter            Description
Odropped           Packets lost because no buffers were available.
Output fragments   Output fragments created.
Fragmented         Datagrams successfully fragmented.
Bad options        Error in options processing.
Cannot Fragment    Do-not-fragment flag is set.
Bad Version        IP version not equal to 4.
No Route           Packets discarded because no route was found.
Too Long           IP length is greater than the maximum IP packet size.
Raw Out            Total raw IP packets generated.
Table 104. ICMP Statistics
Counter          Description
Echo Reply Out   ICMP Echo Reply messages (ICMP: Msg 0).
Echo Reply In    ICMP Echo Reply messages (ICMP: Msg 0).
Dest Unrch Out   ICMP Destination Unreachable messages (ICMP: Msg 3).
Dest Unrch In    ICMP Destination Unreachable messages (ICMP: Msg 3).
Src Quench Out   ICMP Source Quench messages (ICMP: Msg 4).
Src Quench In    ICMP Source Quench messages (ICMP: Msg 4).
Redirect Out     ICMP Redirect messages (ICMP: Msg 5).
Table 104. ICMP Statistics (continued)
Counter           Description
Reflect           Number of responses.
Errors            ICMP had a problem dealing with the packet.
BMcast Time Drop  Broadcast / multicast timestamp requests dropped.

UDP Statistics
UDP statistics report counters about UDP traffic that terminates at the IP stack.
TCP Stats:
Connections Accepted     1       Connections Attempted     0
Connections Dropped      0       Connections Established   1
Connections Closed       2       Emb Conn Dropped          0
RTT Updated              600     Segments Timed            600
Timeout Drop             0       Delayed Acks              35
Persistent Timeouts      0       Retransmit Timeouts       0
Keepalive Probes         0       Keepalive Timeouts        0
Total Sent               635     Keepalive Drops           0
Bytes Sent               44888   Packets Sent              599
Bytes Retransmitted              Probes Sent
Window Update Sent               Total Received
Bytes Received                   Offset Error
Duplicate Packets                Part Duplicate Packets
Out-of-ord
Table 106. TCP Statistics (continued)
Counter              Description
Timeout Drop         Connections dropped in retransmit timeout.
Delayed Acks         Delayed acks sent.
Persistent Timeouts  Persistent timeouts.
Retransmit Timeouts  Retransmit timeouts.
Keepalive Probes     Keepalive probes sent.
Keepalive Timeouts   Keepalive timeouts.
Total Sent           Total packets sent.
Keepalive Drops      Connections dropped in keepalive.
Bytes Sent           Data bytes sent.
Packets Sent         Data packets sent.
Table 106. TCP Statistics (continued)
Counter                 Description
Unsent Data Ack Packets Total ack packets received for unsent data.
Window Update           Total window update packets received.
Ack Bytes               Total ack bytes.
Predicate ack           Total times the header predicate was OK for acks.
PAWS Dropped            Total segments dropped due to Protect Against Wrapped Segments (PAWS).
Cache Missed            Total times the cache missed.
Predicate Data          Total times the header predicate was OK for data packets.
18 MONITORING TOOLS
This chapter describes the tools provided for monitoring the operations of the BSGX4e device. The BSGX4e device supports the following monitoring tools:
- Port mirroring
- Protocol monitoring (PMON) tool
- Netflow exporter
- SNMP agent
- TCPdump command
- Ping and traceroute commands

Port Mirroring
Port mirroring duplicates traffic from one or several source ports to a destination port.
Table 107. Mirroring Parameters
Parameter   Description
[port]      Port for which traffic is mirrored (1 - 4).
mirror      Destination port where the mirrored traffic is sent (1 - 4). If mirroring is currently occurring, the default is the current destination port.
dir         Direction of traffic to mirror (both | out | none). The default is both. Specify none to suspend mirroring.
- Packet rate
- Bit rate
PMON creates traces by applying filters to the traffic received on the WAN interface. The filters can apply to:
- Port (source or destination)
- IP address (source or destination)
- IP ToS tag value
- VLAN ID
- IP protocol
- MAC address (source or destination)
- Interface
When more than one filter is specified, a logical AND is applied. PMON records statistics in five-minute intervals over a 24-hour period, thus recording 288 intervals.
Table 108. PMON Trace Parameters
Parameter     Description
[TraceName]   Name of the trace to add or change.
sourceport    Source port to monitor.
destport      Destination port to monitor.
srcip         Source IP address to monitor.
dstip         Destination IP address to monitor.
tos           ToS tag value to monitor.
vlanid        VLAN ID value to monitor.
ipproto       IP protocol to monitor (any | udp | tcp | icmp). The default is any.
srcmac        Source MAC address to monitor.
dstmac        Destination MAC address to monitor.
Source IP    ANY
Dest IP      ANY
ToS          248
Vlanid       ANY
IP Proto     ANY
Source MAC   ANY
Dest MAC     ANY
Interface    ANY

Show PMON Trace Statistics
To see the statistics recorded by a PMON trace, specify the trace name on a stats pmon trace command.
To classify traffic into the flow to be monitored, the Netflow exporter applies filters to the traffic received on the WAN interface. The filters can apply to:
- Port (source or destination)
- IP address (source or destination)
- IP ToS tag value
- IP protocol
- Ethernet protocol
- MAC address (source or destination)
- Interface
When more than one filter is specified, a logical AND is applied.
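The PMON trace filters and the Netflow filters above share the same matching rule: every field that is set must match, and a field left at ANY matches everything. The following added example (not the BSGX4e's own code) implements that logical-AND matching over constructed packet records, buckets matches into the 288 five-minute intervals PMON uses, and groups the Netflow case into flows; the field names follow Table 108, while the packet records, MAC addresses and `flow_records` grouping key are assumptions made for the example.

```python
"""PMON/Netflow-style filter matching over constructed packet records (added example)."""
from collections import defaultdict

INTERVAL_SECONDS = 300                                 # five-minute intervals
INTERVALS_PER_DAY = 24 * 3600 // INTERVAL_SECONDS      # 288, as the guide states

# Filter fields named in Table 108 (PMON); Netflow uses the same names here.
FILTER_FIELDS = ("sourceport", "destport", "srcip", "dstip", "tos",
                 "vlanid", "ipproto", "srcmac", "dstmac", "interface")


def matches(filt: dict, pkt: dict) -> bool:
    """Logical AND: every field set in filt (not 'any') must equal the packet's."""
    for field in FILTER_FIELDS:
        want = filt.get(field, "any")
        if str(want).lower() == "any":
            continue                                   # unset field matches all
        if str(pkt.get(field)).lower() != str(want).lower():
            return False
    return True


def interval_index(ts_seconds: int) -> int:
    """Index 0..287 of the five-minute interval holding a time of day."""
    return (ts_seconds % 86400) // INTERVAL_SECONDS


def trace_stats(filt: dict, packets: list) -> dict:
    """PMON-style counters: {interval: (packets, bytes)} for matching packets."""
    stats = defaultdict(lambda: [0, 0])
    for pkt in packets:
        if matches(filt, pkt):
            idx = interval_index(pkt["ts"])
            stats[idx][0] += 1
            stats[idx][1] += pkt["length"]
    return {idx: tuple(v) for idx, v in stats.items()}


def rates(stats: dict) -> dict:
    """Packet rate (pps) and bit rate (bps) per interval from trace_stats()."""
    return {idx: (pkts / INTERVAL_SECONDS, byts * 8 / INTERVAL_SECONDS)
            for idx, (pkts, byts) in stats.items()}


def flow_records(filt: dict, packets: list) -> dict:
    """Netflow-style aggregation of matching packets by a 5-tuple key (assumed)."""
    flows = defaultdict(lambda: [0, 0])
    for pkt in packets:
        if matches(filt, pkt):
            key = (pkt["srcip"], pkt["dstip"], pkt["sourceport"],
                   pkt["destport"], pkt["ipproto"])
            flows[key][0] += 1
            flows[key][1] += pkt["length"]
    return {k: tuple(v) for k, v in flows.items()}


def _pkt(ts, srcip, dstip, sport, dport, tos, proto, length):
    # Constructed packet record; MAC addresses are from the documentation range.
    return {"ts": ts, "srcip": srcip, "dstip": dstip, "sourceport": sport,
            "destport": dport, "tos": tos, "vlanid": 0, "ipproto": proto,
            "srcmac": "00:00:5e:00:53:01", "dstmac": "00:00:5e:00:53:02",
            "interface": "eth0", "length": length}


# Constructed sample traffic (timestamps are seconds since midnight).
SAMPLE_PACKETS = [
    _pkt(10,  "10.0.1.100", "192.168.134.161", 5060, 5060, 248, "udp", 74),
    _pkt(20,  "10.0.1.100", "192.168.134.161", 5060, 5060, 248, "udp", 74),
    _pkt(310, "10.0.1.101", "192.168.134.161", 40000, 80, 0,   "tcp", 1500),
    _pkt(320, "10.0.1.100", "192.168.134.161", 40001, 80, 248, "tcp", 60),
]

# The guide's own show-output example: ToS 248, every other field ANY.
TOS_ONLY = {"tos": 248}
# Narrower trace: ToS 248 AND UDP AND one source host (logical AND of three fields).
TOS_UDP_HOST = {"tos": 248, "ipproto": "udp", "srcip": "10.0.1.100"}

if __name__ == "__main__":
    print(trace_stats(TOS_ONLY, SAMPLE_PACKETS))      # {0: (2, 148), 1: (1, 60)}
    print(trace_stats(TOS_UDP_HOST, SAMPLE_PACKETS))  # {0: (2, 148)}
    print(flow_records(TOS_UDP_HOST, SAMPLE_PACKETS))
```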
Table 109. Netflow Agent Configuration Parameters (continued)
Parameter    Description
port         Port of the Netflow collector. The default is 2055.
version      Netflow version (1 | 5 | 9). The default is 9.
interval     Interval at which Netflow exports statistics (in seconds). The default is 10 seconds.
v9template   Number of Netflow packets sent before a version 9 template is sent. The default is 10 packets.
*> save

Show Netflow Status
To show the configuration and status of the Netflow agent, enter the following command:
> show netflow agent
Status:
Enabled               yes
Collector IP          192.168.134.167
Collector Port        3000
Version               9
Export Interval       10
V9 Template Interval  10

Show Netflow Filters
To show the Netflow filters, enter the following command:
> show netflow filter
Netflow Filter:
Source Port  Dest Port  Source IP  Dest IP  ToS  IP Proto  Eth Proto  Source MAC  Dest MAC  Interface
any          any        10.0.1.
> clear netflow agent

SNMP Agent
The BSGX4e device implements an SNMP agent. Its Management Information Bases (MIB) are described in Internet Engineering Task Force (IETF) Request for Comments (RFC) 1213; SNMP traps are supported. The SNMP agent replies only to SNMP version 2c requests. Apart from the system group, all MIBs are in read-only mode in this version; you cannot configure the BSGX4e through SNMP.
Table 111. SNMP Agent Configuration Parameters (continued)
Parameter   Description
sysdesc     SNMP system description (sysDescr MIB).
sysloc      SNMP system location (sysLocation MIB): physical location of the hardware. Empty when the hardware is shipped from the factory, this field is usually configured when the hardware is first installed.
syscon      SNMP system contact (sysContact MIB): contact person for this hardware.
Show SNMP Agent Configuration
To show the configuration of the SNMP agent, enter the following command:
> show snmp agent
SNMP Agent:
Enabled   on
Port      161
SysDesc   Nortel BSGX4e; SW version BSG T2 2.02.0227
SysLoc
SysCon
SysName
Table 113 shows the relationship of the CLI data fields and SNMP group objects, and their access modes.
Table 113.
In TotalSetVars     0        In TotalReqVars    402277
In GetNexts         402277   In GetRequests     402277
In GetResponses     0        In SetRequests     0
Out TooBigs         0        In Traps           0
Out GenErrs         0        Out NoSuchNames    0
Out GetNexts        0        Out GetRequests    0
Out GetResponses    0        Out SetRequests    0
Enable AuthenTraps  1        Out Traps          3379
                             Silent Drops       0
Table 114 describes the statistics of the SNMP agent.
Table 114. SNMP Agent Statistics
Statistic   Description
Out Pkts    Total number of outgoing SNMP messages.
In Pkts     Total number of incoming SNMP messages.
Table 114. SNMP Agent Statistics (continued)
Statistic           Description
Out NoSuchNames     Total number of outgoing messages with noSuchName in the error-status field.
Out GetNexts        Total SNMP Get-Next PDUs generated.
Out GetRequests     Total SNMP Get-Request PDUs generated.
Out GetResponses    Total SNMP Get-Response PDUs generated.
Out SetRequests     Total SNMP Set-Request PDUs generated.
Enable AuthenTraps  Permission to generate authentication-failure traps: enabled (1), disabled (2).
Show SNMP Trap Configuration
To show the configuration of the SNMP traps, enter the following command:
> show snmp traps
SNMP Traps:
Enabled  Comm    IP
yes      public  192.168.134.161

Copying Trap MIB Data
Use the maintenance command trapmib to display or store the contents of the trap MIB file.
Table 116. TCPDump Options
Option   Description
-c       Number of packets to display. Specify a count to limit the capture. Otherwise, enter ^C to stop the capture.
-i       Interface for which traffic is displayed, such as eth0, eth1, or vifn.
-s       Number of data bytes (snaplen) to capture from each packet. The default value is 68.
-T       Forces the packets selected by expression to be interpreted as the specified type. Currently known types are cnfp, rpc, rtp, rtcp, snmp, and tftp.
Table 116. TCPDump Options (continued)
Option   Description
-D       Prints the list of network interfaces available on the system on which tcpdump can capture packets. The number and interface name are printed, possibly followed by a text description of the interface. The interface name or number can be supplied to the -i option, which specifies the interface on which to capture packets.
-e       Prints the link-level header on each dump line.
Unlimited Capture Example
If the capture is not limited by a packet count specified on the -c option, and you want to stop the capture, enter ^C as shown below:
> tcpdump -i eth0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 68 bytes
16:16:11.294000 IP 192.168.22.60.1583 > 192.168.134.155.Telnet: . ack 2203345 win 65269
16:16:11.295000 IP 192.168.134.155.Telnet > 192.168.22.60.
Ping Example
The following example launches a ping to determine whether 192.168.134.1 can be reached:
> ping 192.168.134.1
Pinging 192.168.134.1 (192.168.134.1): 56 data bytes
Reply from 192.168.134.1: bytes=56 icmp_seq=0 time<1ms
Reply from 192.168.134.1: bytes=56 icmp_seq=1 time=5ms
Reply from 192.168.134.1: bytes=56 icmp_seq=2 time<1ms
Reply from 192.168.134.1: bytes=56 icmp_seq=3 time<1ms
----- 192.168.134.1 ping statistics -----
4 packets transmitted, 4 packets received, 0.
Traceroute Example
The following example launches a traceroute to determine the path to www.yahoo.com:
> traceroute www.yahoo.com
traceroute to www.yahoo.com (66.94.230.49), 30 hops max, 40 byte packets
 1  192.168.134.1 (192.168.134.1)  2.0 ms  2.0 ms  2.0 ms
 2  192.168.6.254 (192.168.6.254)  2.0 ms  3.0 ms  2.0 ms
 3  81.255.3.174 (81.255.3.174)  5.0 ms  3.0 ms  4.0 ms
 4  81.54.113.133 (81.54.113.133)  5.0 ms  4.0 ms  5.0 ms
 5  POS-1-1.MARG1.Marseille.transitip.raei.francetelecom.net (81.52.11.70)  9.
19 SOFTWARE UPGRADES
This chapter provides information for upgrading the BSGX4e software. It describes:
- the file system and its navigation commands.
- how to save and restore the device configuration.
- how to upgrade the device software (application and/or bootloader):
  - using the Web user interface.
  - using an SFTP session.
- how to list the current configuration.

File System
The BSGX4e device is equipped with a compact flash memory of at least 128 Mb.
To list the contents of a directory, enter:
> ls
Both absolute and relative paths are supported. Table 119 describes the ls options.
Table 119. Ls Configuration Options
Option        Description
-l            Prints details.
[filename1]   File or directory to print.
[filename2]   Other file or directory to print.
Table 120. rm Parameters
Parameter   Description
-d          Specify if the object to remove is a directory.
path1       Object (file or directory) to remove.
[path2]     Another object (file or directory) to remove.
- # of hidden sectors: 0
- first cluster is in sector # 381
- directory structure: VFAT
- root dir start sector: 349
- # of sectors per root: 32
- max # of entries in root: 512
FAT handler information:
------------------------
- allocation group size: 5 clusters
- free space on volume: 90,273,792 bytes

Example 2
The following example creates a directory and makes it the current directory, and then copies a file into a new file in the new directory:
> mkdir test
> cd test
> cp /cf0usr/textfile textfile
> l
[Figure: bootcode and application versions in use]

Web UI Upgrade Procedure
This section describes how to upgrade the application or bootloader software from a workstation on the Internet or on the LAN. It assumes that the BSGX4e is physically installed in the network and is operational.
3. On the System Configuration screen, select the Save/Restore tab and then click Download. Clicking the Download button downloads the configuration.
4. The browser displays a window from which you can save the configuration file (mob.cfg.cpy) to disk. Click OK to continue.
5. Click OK to save the file mob.cfg.cpy to disk. You can now perform a software upgrade (see "Upgrade Software through Web UI" (page 365)).

Upgrade Software through Web UI
1. Log on to the Web user interface of the device. See "Logging on to the Web UI" (page 380).
2.
[Figure: final upload message]
3. In the upper half of the Software tab, select the software to be upgraded:
- Slot 1 and Slot 2 represent the application software images that are present in the BSGX4e unit. Note: The slot that is upgraded is automatically set as the default image that is run when the device restarts. You can change the default image after the upload (see "Change Default Application Image" (page 368)).
- Bootloader represents the application that loads the new image.
6. When the upgrade is complete, a message directs you to reload the system. IMPORTANT: Do not restart the device until after the message to reload the system appears.
7. To complete the upgrade, restart the device. To do so, under Operations in the lower left corner of the screen, select Reload System.
8. When the unit restarts, the connection to the workstation is lost. Use your browser to reconnect to the unit and then log on again to verify the software upgrade.
9.
10. On the lower half of the Software Upgrade screen, under Application image to boot from, the current image files are listed under Detail. The highlighted button under Default indicates which image is the current default. The slot with the latest upgrade is the default application image unless a change is made.

Change Default Application Image
1. Display the Software Upgrade screen.
2. On the lower half of the screen, under the heading Application image to boot from, click the button by the desired default image.
3. Click Apply.

View Bootloader Version
1. If you are already logged on, proceed to the next step. Otherwise, log on to the device through the Web UI. See "Logging on to the Web UI" (page 380).
2. On the menu bar at the top of the window, select System and then select Overview from the left menu. The current version of the bootloader is displayed.
3.
3. From the System Configuration screen, select the Save/Restore tab.
4. Click the Browse button and find the configuration file to be uploaded. To restore the configuration that was saved before the software upgrade, find the mob.cfg.cpy file.
5. Click the Restore button.
6. The configuration file is uploaded. When the upload is complete, you are directed to reload the system.
7. To reload the system, in the Operations menu in the lower left corner of the screen, click Reload System. The reload sends the following message.
8. The reload causes the connection to the workstation to be lost. If desired, use the browser to reconnect to the device.

SFTP Upgrade Procedure
Upgrading software using an SFTP session:
1. Connect to the SFTP server by using an SFTP client (such as CoreFTP).
2. Click Yes to accept the SSH certificate.
3. The SFTP server is now connected.
4. Browse the server and go to /cf0sys.
5. Go into the directory flash.
6. Select the image to upgrade. To upgrade application image 1, go to directory 1. To upgrade application image 2, go to directory 2. To upgrade the bootloader, go to directory boot.
7. Rename the software upgrade file if needed. An application image must be named app.bin; a bootloader image must be named boot.bin.
8. Drag and drop the new application software.
9. Restart the unit.
Listing the Configuration
To see the current configuration settings for a unit, do either of the following:
- Enter the dump command from a terminal session.
- Display the System Configuration screen from the Web UI in a browser session. To do this, select System from the top menu bar and then, from the left menu, select Configuration. Drag the scroll bar to see the complete listing.
The following is an example of a configuration listing:
A WEB USER INTERFACE This appendix introduces the Web User Interface (Web UI) for the BSGX4e device. The Web UI is a graphic, full-screen interactive interface accessible through a Web browser. This allows for interactive administration and monitoring of device functions and it is accessed through either HTTP or HTTPS protocols. For more information about Web access, see “Web Server” (page 38). NOTE: The Web UI supports most, but not all BSGX4e features. You must use CLI commands for some options.
Web UI Features
This section summarizes the features of the Web UI.

Browser Support
The Web UI can be used through the following Web browsers:
- Microsoft Internet Explorer (IE)
- Mozilla FireFox

User Interface
The Web UI provides a visual and intuitive user interface. Options and information for each system area are shown as a separate screen. Functions are available by selecting (clicking) the desired feature.
Access Requirements
A Web UI log on has these requirements:
- A workstation set up to access the Internet. Its Web browser must be either Microsoft Internet Explorer or Mozilla FireFox.
- The IP address of the BSGX4e device. From the LAN, use the eth1 address (default, 192.168.1.1); from the WAN, use the eth0 address.
- The name and password of a user account configured in the BSGX4e unit.
Web UI Screen Structure
This section describes the structure of the Web UI screens, including the menu bar, help icons, and left side menu.

Menus
The strip at the top of every Web UI screen identifies the unit and displays a menu bar.
[Figure: screen header showing the IP address used to access the unit, the logo, the menu bar, and the unit name]
Each button on the menu bar displays a menu of links on the left side of the screen. The Web UI opens with the System menu displayed.
Help and User Mode Information
Information: Clicking the i icon opens a second web page to an informational site.
Help: Clicking the ? provides a summary of Web UI capabilities.
User Mode: Clicking S/A selects the desired user mode. Click S for simple mode, in which field explanations are provided. Click A for advanced mode; field explanations are not provided.

Operations Menu
The Operations menu is shown in the lower left corner of the screen.
Note: After the default configuration is reloaded, all IP addresses are reset to their default values. For a browser to connect to the eth1 interface from the LAN, it must use the default IP address 192.168.1.1. If the browser cannot connect to the default IP address, then the IP address must be reset from the other interface or from a console session.
Table 121. Web UI Menus
System    System operations, including services, user accounts, DHCP, RADIUS, TACACS+, SNMP, SSL. From this menu, you can perform software upgrades and list the existing configuration. You can also change the messages logged and their destinations.
Data      Data interfaces, relays, IP routing, and the LAN switch, including layer 2 QoS.
Quality   Features to ensure quality service, including Call Quality Monitoring, and configuration of Layer 3 GoS (Guarantee of Service).
Security  Security services, including firewall policies, NAT, ALG, IDS (Intrusion Detection Service), Voice ACL (Access Control List), and VPN configuration (IPSec and IKE).
Monitor   Performance and activity information: the PMon (Protocol Monitoring) tool, CDP (Cisco Discovery Protocol), Netflow monitoring, call statistics, packet statistics for each protocol, and audit logging.
Wizards   A wizard is a step-by-step configuration guide. Wizards are available to configure data interfaces, Quality of Service (GoS), the session controller (MGCP and SIP), firewall policies, VoIP phones, and VPNs.
Configuration Example
The following section shows an example of configuration using the Web UI. The example configures a new user account. For more information about configuring user accounts, see "User Accounts" (page 61).
1. From the menu bar at the top of the screen, select System.
2. From the System menu on the left of the screen, select User Accounts.
3. The User Accounts tabs are displayed in the body of the screen. The Users tab lists the existing user accounts.
[Figure: Click Update to save the new user account]
6. Select the appropriate options for the new user (pull-down menus list the available options):
- Access: Check the access methods that the user account should be allowed.
- Auth: Select the authentication method.
- Group1 - Group5: Select the user groups to which the account belongs.
- Password: If the account uses internal authentication, enter its initial password.
- Inherit: Select yes if the user inherits the permissions of the selected Group.
Monitoring Example
The following example shows how to monitor IP statistics from the Web UI.
1. On the menu bar at the top of the screen, select Monitor and then, from the Monitor menu on the left of the screen, under Statistics, select IP. Click Refresh to update the display. Click Clear to reset the statistics to zero.
Wizards Example
This section shows an example of using a Wizard to configure a data interface.
1. On the menu bar at the top of the screen, select the Wizards button and then select Interface in the left Wizards menu.
2. The first window summarizes interface configuration. To start the configuration, click Next.
3. The next window offers a choice of interfaces. For this example, select the LAN button. Then press the Next button at the bottom of the window.
4. In the next window, select the LAN Ethernet interface eth1. Then press the Next button at the bottom of the window.
5. Enter the IP address information and then press Next.
- DHCP: If a DHCP server can provide the IP address, select yes.
- Otherwise, enter the IP Address and IP Mask values.
6. On the next window, select the status (up or down) and the Speed option and then press Next.
7. To complete the configuration, verify the configuration options.
Click Apply to confirm the interface configuration.
8. If the configuration is correct and should take place, select Apply. Otherwise:
Select Previous one or more times to display the previous windows and edit any settings.
Select Cancel to cancel the configuration change.
9. On the final window, click Finish to return to the Web UI screen.
10. The interface configuration takes effect as soon as the Apply button is clicked.
Exit Web UI
To ensure a secure system, log out of the Web UI when your work is complete.
1. To exit the Web UI, select the Log Out button in the Operations menu in the lower left corner of the screen.
2. The login screen appears.
3. Close the Web browser; logout is then complete.
B THIRD PARTY SOFTWARE
This appendix provides information about third-party software that you can use with the device. This software can be useful for installation, configuration, and the reading of files.
Software Applications
Acrobat Reader (www.acrobat.com): Used for reading the PDF files provided on the CD that is shipped with the BSGX4e.
DHCP server (http://tftpd32.jounin.net/): Used for software installation through a network connection.
Used for local software installation.
WinSCP: WinSCP is an open source SFTP client for Windows. Its main function is secure file transfer between a local computer and a remote computer by using SSH.
C SSH FUNCTIONALITY
This chapter provides information about the SSH server, SFTP, and the subsystems SSH-TRANS, SSH-AUTH, and SSH-CONNECT.
Introduction
SSH provides secure Internet access to the BSGX4e CLI, which enables system administrators to log on remotely and securely configure and monitor the BSGX4e over an insecure network. SSH consists of three components: The Transport Layer Protocol [SSH-TRANS] provides server authentication, confidentiality, and integrity.
You cannot set the SSH server to run on a port in use by another TCP service, such as Telnet or HTTP. The SSH server can be enabled or disabled. Current SSH client connections are not dropped when the SSH port is changed or the SSH server is stopped.
SFTP
SFTP provides secure file transfer between an SFTP client and the BSGX4e. This enables the secure upload of binary applications to the BSGX4e file system.
After the user is authenticated, the SSH client requests the desired SSH service: SSH secure remote log on or SFTP. You can configure which SSH services are offered. See “SSH Server” (page 36).
Host Keys
When an SSH client connects, the SSH server negotiates a method to securely encrypt the data transport between itself and the SSH client (cipher selection) and to identify itself to the client (host key exchange).
SFTP Service
SFTP service can be enabled or disabled. When SFTP service is enabled, authenticated SFTP clients are allowed to begin an SFTP session. When the SFTP service is disabled, existing SFTP sessions are not affected. At a minimum, SFTP is compatible with recent versions of the OpenSSH SFTP client and the WinSCP SFTP client.
During key exchange, the SSH-TRANS subsystem identifies the SSH server by using the current host keys in memory. The SSH-TRANS subsystem stores one set of 640-bit DSA host keys in memory. A randomly seeded algorithm generates the first set of host keys the first time that the BSGX4e is booted. To generate new host keys, delete the existing host keys. Host key generation can take up to 30 minutes. The host keys are stored on the file system: /cf0sys/ssh/dsakey.
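Because the server identifies itself through these host keys, and regenerating them changes the fingerprint that clients have already recorded, an administrator will want to record the fingerprint and key size of the current host key and compare it with what an SSH client reports. The following Python is an added example, not code from this guide or from the device: it parses an OpenSSH-format public-key or known_hosts line and reports key type, size and SHA256/MD5 fingerprints. The host name bsgx4e.example and the DSA numbers in the sample are constructed placeholders, not a real key.

```python
import base64
import hashlib
import struct

def ssh_string(data: bytes) -> bytes:
    # RFC 4251 "string": 4-byte big-endian length followed by the bytes.
    return struct.pack(">I", len(data)) + data

def ssh_mpint(n: int) -> bytes:
    # RFC 4251 "mpint": big-endian two's complement; the extra byte keeps a leading
    # 0x00 when the high bit is set, so positive values stay positive.
    return ssh_string(n.to_bytes(n.bit_length() // 8 + 1, "big"))

def split_blob(blob: bytes) -> list:
    """Split a public-key blob into its length-prefixed fields."""
    fields, pos = [], 0
    while pos < len(blob):
        (length,) = struct.unpack_from(">I", blob, pos)
        pos += 4
        if pos + length > len(blob):
            raise ValueError("truncated key blob")
        fields.append(blob[pos:pos + length])
        pos += length
    return fields

def inspect_host_key(line: str) -> dict:
    """Report type, size and fingerprints for one public-key or known_hosts line."""
    parts = line.split()
    # known_hosts lines carry a host (or hashed host) field before the key type.
    idx = next(i for i, p in enumerate(parts) if p.startswith("ssh-"))
    key_type, blob = parts[idx], base64.b64decode(parts[idx + 1])
    fields = split_blob(blob)
    if fields[0] != key_type.encode():
        raise ValueError("key type inside the blob does not match the line")
    if key_type == "ssh-dss":          # fields: type, p, q, g, y
        bits = int.from_bytes(fields[1], "big").bit_length()
    elif key_type == "ssh-rsa":        # fields: type, e, n
        bits = int.from_bytes(fields[2], "big").bit_length()
    elif key_type == "ssh-ed25519":    # fields: type, 32-byte public key
        bits = len(fields[1]) * 8
    else:
        bits = None
    sha256 = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    md5 = hashlib.md5(blob).hexdigest()
    return {"type": key_type, "bits": bits, "sha256": "SHA256:" + sha256,
            "md5": "MD5:" + ":".join(md5[i:i + 2] for i in range(0, 32, 2))}

def make_dss_line(host: str, p: int, q: int, g: int, y: int) -> str:
    """Encode DSA parameters as a known_hosts-style line (used for the sample)."""
    blob = ssh_string(b"ssh-dss") + b"".join(ssh_mpint(v) for v in (p, q, g, y))
    return f"{host} ssh-dss {base64.b64encode(blob).decode()}"

# Constructed sample: placeholder host name and numbers of the right size (640-bit p,
# 160-bit q), not a real or valid DSA key; only encoding and size checks are exercised.
SAMPLE_KNOWN_HOSTS_LINE = make_dss_line("bsgx4e.example", (1 << 639) | 1, (1 << 159) | 1, 2, 3)
```

The SHA256 value matches the fingerprint format that current OpenSSH clients print on first connection, and the MD5 form matches older clients, so either can be compared against the recorded line.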
D TCPDUMP EXPRESSIONS
This appendix provides information about expression options for the tcpdump command. The command is described in “TCPdump Command” (page 352).
Introduction
You can specify an expression on the debug command tcpdump. An expression selects which packets are dumped. If no expression is given, all packets on the net are dumped. Otherwise, only packets for which the expression is true are dumped.
Expressions
The expression consists of one or more primitives.
More complex filter expressions are built up by combining primitives with the following operations: and, or, not. Example: host foo and not port ftp and not port ftp-data. Identical qualifier lists can be omitted. Example: entering tcp dst port ftp or ftp-data or domain is the same as entering tcp dst port ftp or tcp dst port ftp-data or tcp dst port domain.
src port port: True if the packet has a source port value of port.
port port: True if either the source or destination port of the packet is port.
less length: True if the packet has a length less than or equal to length.
greater length: True if the packet has a length greater than or equal to length.
ip proto protocol: True if the packet is an IP packet of protocol type protocol. Protocol can be a number or one of the following names—icmp, udp, or tcp.
tcp, udp, icmp: Abbreviations for ip proto p where p is one of the above protocols.
expr relop expr: True if the relation holds, where relop is one of >, <, >=, <=, =, !=, and expr is an arithmetic expression composed of integer constants, the normal binary operators [+, -, *, /, &, |, <<, >>], a length operator, and special packet data accessors. To access data inside the packet, use the following syntax: proto [expr: size].
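As an added example (not from this guide or from the device's tcpdump), the following Python evaluates the expr relop expr form above, including the proto[expr:size] accessor and C-like operator precedence, against a constructed IPv4/TCP segment with only the SYN flag set. It assumes the packet starts at the IP header (no link-layer header), supports the ip, tcp, udp and icmp accessors only, and does not implement the len operator; a filter such as tcp[13] & 2 != 0 is the usual way to select connection attempts when watching for scans.

```python
import operator, re

# Constructed sample: a 20-byte IPv4 header (checksum left zero) followed by a
# 20-byte TCP header to port 22 with only the SYN flag set.
SAMPLE_PACKET = bytes.fromhex(
    "4500002800010000400600000a000001c0a80001"  # IP 10.0.0.1 -> 192.168.0.1
    "c3500016000000010000000050020000abcd0000"  # TCP 50000 -> 22, flags 0x02
)
TOKEN_RE = re.compile(r"(0x[0-9a-fA-F]+|\d+)|(>=|<=|!=|>>|<<|[-+*/&|<>=\[\]:()])|([a-z]+)|(\S)")
# Binary operators -> (precedence, function); C-like precedence as in tcpdump.
BINOPS = {"|": (1, operator.or_), "&": (2, operator.and_), "<<": (3, operator.lshift),
          ">>": (3, operator.rshift), "+": (4, operator.add), "-": (4, operator.sub),
          "*": (5, operator.mul), "/": (5, operator.floordiv)}
RELOPS = {">": operator.gt, "<": operator.lt, ">=": operator.ge, "<=": operator.le,
          "=": operator.eq, "!=": operator.ne}

def tokenize(text):
    # Integers become int; operators and protocol names stay strings.
    groups = TOKEN_RE.findall(text)
    if any(bad for *_, bad in groups):
        raise ValueError(f"unexpected character in {text!r}")
    return [int(n, 16 if n.startswith("0x") else 10) if n else op or name for n, op, name, _ in groups]

def load(packet, proto, offset, size):
    # proto[offset:size] accessor: offsets are relative to the named header. Assumes
    # the packet starts at the IP header, so tcp/udp/icmp begin after IHL*4 bytes.
    base = 0 if proto == "ip" else (packet[0] & 0x0F) * 4
    if size not in (1, 2, 4) or offset < 0 or base + offset + size > len(packet):
        raise ValueError(f"{proto}[{offset}:{size}] lies outside the packet")
    return int.from_bytes(packet[base + offset:base + offset + size], "big")

def primary(toks, packet):
    tok = toks.pop(0) if toks else None
    if isinstance(tok, int):
        return tok
    if tok == "(":
        value = expr(toks, packet)
        if not toks or toks.pop(0) != ")":
            raise ValueError("expected ')'")
        return value
    if tok in ("ip", "tcp", "udp", "icmp") and toks and toks.pop(0) == "[":
        offset, size = expr(toks, packet), 1
        if toks and toks[0] == ":":  # optional size field, default is 1 byte
            toks.pop(0)
            size = toks.pop(0) if toks else 0
        if not toks or toks.pop(0) != "]":
            raise ValueError("expected ']'")
        return load(packet, tok, offset, size)
    raise ValueError(f"unexpected token {tok!r}")

def expr(toks, packet, min_prec=1):
    # Precedence climbing over the binary arithmetic operators.
    lhs = primary(toks, packet)
    while toks and toks[0] in BINOPS and BINOPS[toks[0]][0] >= min_prec:
        prec, func = BINOPS[toks.pop(0)]
        lhs = func(lhs, expr(toks, packet, prec + 1))
    return lhs

def evaluate(expression, packet=SAMPLE_PACKET):
    # True if the 'expr relop expr' test holds for the packet.
    toks = tokenize(expression)
    lhs = expr(toks, packet)
    relop = toks.pop(0) if toks else None
    if relop not in RELOPS:
        raise ValueError(f"expected a relational operator, got {relop!r}")
    rhs = expr(toks, packet)
    if toks:
        raise ValueError(f"trailing tokens: {toks}")
    return RELOPS[relop](lhs, rhs)
```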
E STANDARDS COMPLIANCE
This appendix lists the standards with which the BSGX4e device complies.
Data Standards
Switching
Table 122. Switching (Standard: Description)
IEEE 802.3: Carrier Sense Multiple Access with Collision Detection (CSMA/CD) Access Method and Physical Layer Specifications
IEEE 802.3x: IEEE 802.3 Full Duplex Operation
IEEE 802.1D: Media Access Control (MAC) Bridges
IEEE 802.1Q: Virtual Bridged Local Area Networks
Routing
Table 123.
Security
Table 124. NAT Security (IETF RFC: Description)
1631: The IP Network Address Translator (NAT)
2663: IP Network Address Translator (NAT) Terminology and Considerations
2767: Address Translation - Protocol Translation (NAT-PT)
3022: Traditional IP Network Address Translator (Traditional NAT)
Table 125.
Services
Table 128. Services (Service, IETF RFC: Description)
Telnet, RFC 854: Telnet Protocol Specification
FTP, RFC 959: File Transfer Protocol
DNS, RFC 1034: Domain names—concepts and facilities
DNS, RFC 1035: Domain names—implementation and specification
NTP, RFC 1305: Network Time Protocol (Version 3) Specification, Implementation
TFTP, RFC 1350: The TFTP protocol (Revision 2)
HTTP, RFC 1945: Hypertext Transfer Protocol, HTTP/1.
Table 129.
Table 130. SIP Session Controller (continued) (Standard: Description)
IETF RFC 3892: The Session Initiation Protocol (SIP) Referred-By Mechanism
IETF RFC 3966: The tel Uniform Resource Identifier (URI) for Telephone Numbers
IETF RFC 4028: Session Timers in the Session Initiation Protocol (SIP)
IETF draft-ietf-sipping-torture-tests-00: SIP torture tests
ITU T.38: Procedures for Real-time Group 3 facsimile communication over IP networks
ITU P.800: Mean Opinion Score (MOS)
ITU P.
Table 132.
Table 133. MGCP User Agent (continued) (Standard: Description)
ITU G.711 aLaw/uLaw: Pulse code modulation (PCM) of voice frequencies
ITU G.729 A/B: Coding of speech at 8 kbit/s using conjugate
ITU G.168
ITU T.30
F RULE COMPLIANCE
This appendix lists telecommunication rule compliance information for the BSGX4e device.
FCC Compliance (U.S.)
This device complies with part 15 of the FCC Rules.
The Facility Interface Codes (FIC) and the Service Order Codes (SOC) for this device (BSGX4e) are 02LS2. The REN# for this device (BSGX4e) is 0.0. The REN is used to determine the number of devices that can be connected to a telephone line. Excessive RENs on a telephone line can result in the devices not ringing in response to an incoming call. In most but not all areas, the sum of RENs should not exceed five (5.0). To be certain of the total RENs, contact the local telephone company.
Equipment Attachment Regulations (Canada)
NOTICE: The Industry Canada label identifies certified equipment. This certification means that the equipment meets telecommunications network protective, operational and safety requirements as prescribed in the appropriate Terminal Equipment Technical Requirements document(s). The Department does not guarantee the equipment will operate to the user’s satisfaction.
G COPYRIGHT INFORMATION
This appendix lists important copyright information and acknowledgments.
GoAhead Software, Inc.
Copyright © 2005 GoAhead Software, Inc. All Rights Reserved.
The Regents of the University of California
Portions of this product are: Copyright © 1987, 1988, 1989, 1990, 1991, 1992, 1994, 1995, 1996, 1997 The Regents of the University of California. All rights reserved.
2.Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 3.All advertising materials mentioning features or use of this software must display the following acknowledgement: This product includes software developed by the NetBSD Foundation, Inc. and its contributors. 4.
Copyright Information Permission to use, copy, modify, and distribute this software for any purpose and without fee is hereby granted, provided that this copyright and permission notice appear on all copies and supporting documentation, the name of Lars Fenneberg not be used in advertising or publicity pertaining to distribution of the program without specific prior permission, and notice be given in supporting documentation that copying and distribution is by permission of Lars Fenneberg.
License to copy and use this software is granted provided that it is identified as the “RSA Data Security, Inc. MD5 Message-Digest Algorithm” in all material mentioning or referencing this software or this function. License is also granted to make and use derivative works provided that such works are identified as “derived from the RSA Data Security, Inc. MD5 Message-Digest Algorithm” in all material mentioning or referencing the derived work. RSA Data Security, Inc.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
THIS SOFTWARE IS PROVIDED ``AS IS'' AND THE AUTHOR DISCLAIMS ALL WARRANTIES WITH REGARDS TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS.
H GLOSSARY
3PCC: 3rd Party Call Control.
ALG: Application Layer Gateway.
ARL: Address Resolution Logic.
CAC: Call Admission Control.
CAS: Channel Associated Signaling.
CDP: Cisco Discovery Protocol.
CLI: Command Line Interface.
CO: Central Office; refers to the connection to the PSTN.
DHCP: Dynamic Host Configuration Protocol; used to assign and manage IP addresses for a network.
DLCI: Data Link Connection Identifier; defines the destination of a packet. Used by PVC.
DNS: Domain Name Server.
FXS: Foreign Exchange Station. Device interface that connects to an analog device such as a telephone or fax machine.
GoS™: Guarantee of Service.
IDS: Intrusion Detection System; defends the device from attacks arriving from the WAN.
IKE: Internet Key Exchange; protocol used to negotiate the initial security association between gateways of a VPN tunnel.
IPsec: Internet Protocol Security; protocol used to secure VPNs across an IP network.
ISDN: Integrated Services Digital Network.
SIP UA: SIP User Agent.
SLIC: Subscriber Line Interface Circuit.
SNTP: Simple Network Time Protocol. An adaptation of the Network Time Protocol (NTP) used to synchronize computer clocks in the Internet.
SRV: DNS method/messages for location of services.
Stateful: Maintains the last-known or current status of an application.
TDM: Time Division Multiplex.
TFTP: Trivial File Transfer Protocol.
UDP: User Datagram Protocol.
INDEX A AC impedance register for FxO port 260 Access Control List 232 access method limitation 58 access rights inheritance 62 access rights settings 61 account configuration 61 acknowledgments 423 ACL. See Access Control List Acrobat Reader 399 active user listing 60 address forwarding 138 NAT 134 Address Resolution Logic. See ARL Address Resolution Protocol.
entry configuration 122 flood protection 144 table flushing 123 listing 122 traffic protection 123, 191 attack protection, IDS 140 audio quality group 230 audit logging 324 AUEP requests 211 authentication ACL endpoint 232 IPsec 153 RADIUS client 68, 71 Radius client 68, 71 SIP account 281 SSH 36 TACACS+ client 74 user password 62, 65 authenticationfail 347 authority debug commands 88 maintenance commands 86 settings 61 user management 57 autorun commands 80 B back pressure 98 backup call servers MGCP 212
Call Admission Control 236 call limit MGCP 217 SIP 273 call progress tone configuration 241 call quality 247 call records 231 call history 254 calls in progress 253 MGCP 220 SIP 276 call server MGCP 212 call statistics 231 MGCP 219 CAR policing 184 CDP 234 flood protection 144 central office prefix 258 change password 58, 59 Cisco Discovery Protocol 234 Cisco SIP phone 7960 288 CLI debug commands online help 81 interactive mode 82 keyword all 85 no 84 maintenance commands online help 81 online help 8
debug commands 88 keywords all 85 no 84 maintenance commands 86 parameter values 84 committed access rate. See CAR policing.
device features 30 device name change 239 DH group 159 DHCP eth0 interface 92 flood protection 145 leases 312 option 42 315 option 6 313 option 66 316 relay 312 server 309 Diffie-Hellman group 159 DiffServ/ToS tags layer 2 QoS 109 digit maps 211 direct media connections 229 directory commands 359 DNS client 50 flood protection 145 relay 313 relay cache 314 session listing 314 SRV 266 documentation feedback 2 downgraded packets 187 dropped packets 187 DSA host keys 36 regenerate 37 DSP gain settings F
MGCP configuration 227 MGCP ID 224 phone numbers 256 SIP registration expiration 277 SIP registration list 276 timer MGCP 221 SIP 277 Endpoint Status Handling.
flood protection 143 flood thresholds 145 flow control 98 disabled for layer 2 QoS 98 layer 2 QoS constraints 107 foreign voltages test 245 formatting memory commands 361 forwarding NAT by address 138 by port 137 forwarding database ARL 104 fragment overlap anomaly 142 fragment overrun anomaly 142 FTP ALG support 140 connection timeout 133 download files 318 FXO port 31 FxO port call routing 256 FXS port 31 FxS port configuration 238 electrical status 244 tone configuration 241 G gain settings FxO
H hardware information 322 hazardous voltage test 245 help CLI commands 81 debug commands 88 maintenance commands 86 hook flash 211 host keys, SSH server 36 HTTP web server access 38 HTTP connection timeout 133 HTTPS web server access 38 hybrid filters for FxO port 261 I IAD 211 ICMP attack protection 141 flood protection 143 scan protection 146 statistics 333 IDS anomaly protection 141 configuration 140 flood protection 143 log 150 log entries 150 scan protection 146 spoof protection 147 statistics 149
NAT enabling 135 VLAN 114 Internet Key Exchange 154 Internet Protocol. See IP Intrusion Detection Service.
layer 2 QoS 106 packet classification 107 port mapping 108 priority queues 107 queuing mechanisms 107 scheduling methods 107 tag mapping DiffServ/ToS 109 tag mappng IEEE 802.
M MAC address ARL mapping 104 device interfaces 323 priority queues 104 main mode IKE negotiation 156 maintenance commands 86 authority 86 listing 86 online help 81, 86 syntax 86 Man-in-the-Middle attacks 144 map ARL 104 MAC addresses to LAN ports 104 MBR (see Media Bridge) 229 Media Bridge 229 media connections limit 230 settings 229 Media Gateway Control Protocol.
mii0 WAN port 91 mirroring traffic 339 mob.cfg.
no keyword 84 O object access 61 off-hook test 246 On Hold timer 279 online command help debug commands 81 online command help 81 debug commands debug command help 88 general 81 interactive mode 82 maintenance commands 81, 86 specific 81 operations monitoring tools 339 summary 323 outbound access prefix digit 258 over-contract region 184, 185 P PABX connection MGCP gateway 211 packet anomaly protection 141 packet capture (tcpdump) 352 packet loss 188 packet processing for security 129 parameter
IKE 155 IPsec 160 NAT 135 listing 139 policing methods 183 pools, DHCP 309 port FxS configuration 238 LAN switch 97 VLAN assignment 111 WAN 91 mii0 91 speed 92 statistics 331 port forwarding 137 NAT 134 port mirroring 339 port scan protection 146 prefix digit 258 prefixes for commands 83 preshared key records 156 primary key for a command 82 priority queues ARL 104 layer 2 QoS 107 prompt changing 79 proposals, IPsec 160 protocol connection 401 Transport Layer 401 user authentication 401 Protocol Monitoring.
configuration 187 default (best effort) 188 definition 182 GoS security policy 192 listing 190 MGCP signaling traffic 217 SIP signaling traffic 273 traffic flow assignment 190 Quality of Service.
route listing 127 RIP daemon starting 126 route configuration 124 route table listing 125 routing static 124 VPN tunnel 163 routing configuration 121 routing daemon definition 121 Routing Information Protocol. See RIP RSA key 40 RSIP 211 RTP attack protection 141 rules firewall 130 rx port MGCP 217 SIP 273 rx setting FxO port 260 FxS port 243 S sanity check 130 SAs 153 save command 79 saving the configuration 79 scan protection, IDS 146 scheduling methods, layer 2 QoS 107 SDP 264 Secure Shell.
self-signed certificate 43 serial number 323 server DHCP 309 log destination 329 MGCP call server 212 Radius 68, 71 SIP call server additional inbound 266 SSH 36 TACACS+ 74 telnet 34 web 38 service codes 285 session controller MGCP 210, 215 SIP 264 Session Description Protocol 264 Session Initiation Protocol.
user agent 265 SIP Signalling Proxy.
eth0 interface 94 Ethernet interfaces 331 GoS 193 cumulative 193 instantaneous 195 ICMP traffic 333 IDS 149 IKE 158 IP stack 331 IPsec 163 jitter buffer 240 LAN switch ports 100 log servers 330 media connections 231 MGCP session controller calls 219 signaling 218 Netflow exporter activity 346 PMON traces 343 SIP call records 276 SIP calls 275 SIP signaling 274 SNMP agent 349 TCP traffic 335 UDP traffic 335 voice quality 250 voice quality detail 251 web server 40 status media connections 230 strict po
T TACACS+ client 74 tagging VLAN ID 112 TCP attack protection 141 connection timeout 133 statistics 335 SYN scan protection 147 tcpdump command 352 telephone features MGCP 211 SIP 265 telephony interfaces 31 Telnet access 34 client 34 command 35 connection timeout 133 port 35 server 34 session example 35 start 35 traffic security policy 34 Tera Term Pro 399 terminal emulator 32 terminal session settings 78 TFTP ALG support 140 download files 318 file cache 318 flood protection 145 relay 316 session listing
ICMP 333 IP stack 332 mirroring 339 security processing 129 TCP 335 trace 340 traffic flow assignment to quality groups 190 traffic policing 183 traffic protection ARP 191 VoIP 191 Transport Layer Protocol 401 tunnel interface 153 tx setting FxO port 260 FxS port 243 U UDP attack protection 141 flood protection 143 log server 329 log server example 330 logging destination 327 port scan protection 146 statistics 335 unit name change 239 untagged packets 112 upgrading software 359 via Web UI 363 upli
SIP 225, 282 variable-length subnet masks 126 vid VLAN 112 vif interface 114 virtual LAN.
WinSCP3 399 wire speed 97 X X509 CSR 41