WEB UI Operation Guide BSGX4e Business Services Gateway NN47928-502 Software Release 2.1.
BSGX4e 1.2 Business Services Gateway Document Status: Standard Document Version: 01.01 Document Number: NN47928-502 Date: July 2008 Copyright © 2008 Nortel Networks, All Rights Reserved The information in this document is subject to change without notice. The statements, configurations, technical data, and recommendations in this document are believed to be accurate and reliable, but are presented without express or implied warranty.
CONTENTS

About this guide (page 15): Introduction; Intended audience; Organization; Text conventions; Documentation

System pages: System > Overview > System Information panel; System > Overview > Shell panel; System > Overview > System Hardware panel; Services page; System > Services > Web Configuration panel; System > Services > Telnet Configuration panel; System > SSL > Cert Reqs tab; System > SSL > Certificates tab; Upgrade; System > Upgrade; Configuration; System > Configuration > Save/Restore; Save; Restore; License

Data pages: Data > Routing > ARP; ARP Table tab; Proxy ARP tab; Data > Routing > RIP; Functional characteristics; Configuration

5 Security pages (page 123): Security overview (124); Policy (125); Technical reference (125); Default security policies (126); Additional security policies

6 Voice pages: Media; Voice > Media > Settings; Configuration; Voice > Media > Gain; Voice > Media > Local Jitter Buffer; Settings tab; Stats tab; Session control

Appendix 12 Quality of service: Configuration summary; SIP/MGCP Traffic; Other traffic; QoS overview; Quality of service – Layer 2; Priority classification; Priority scheduling; Guarantee of service – Layer 3; Functional characteristics; Media and control signals; Managing other traffic; Call capacity (page 189)
LIST OF FIGURES

Figure 1 Components of the Web UI page
Figure 2 Status page
Figure 3 Overview page
Figure 39 IDS page
Figure 40 Voice ACL page
Figure 41 IPSec page
Figure 42 IKE page
Figure 43 Layer 2 QoS contention
Figure 44 Layer 2 QoS Application Scenarios
Figure 45 GoS Quality Class Matrix
Figure 46 GoS process flow
LIST OF TABLES

Table 1 Web UI operation guide organization
Table 2 Text conventions
Table 3 System > Status > System panel information
Table 4 User rights permissions
Table 5 System message severity
ABOUT THIS GUIDE

This section provides information about the intended audience for this guide, how this guide is organized, typographical conventions, and how to get help.

Introduction

This document describes the operation of the Web User Interface (Web UI) for the BSGX4e model. For a list of all BSGX4e technical documents, see Documentation on page 17. The BSGX4e device is deployed as customer premise equipment and provides a unified solution for voice and data services.
Organization

The following table (Table 1) describes the organization and content of this Web User Interface (UI) Operation Guide.
Text conventions

This guide uses the text conventions described in the following table.

Table 2 Text conventions
Font – Purpose
NOTE: – Emphasizes information to improve product use.
Caution: – Indicates how to avoid equipment damage or faulty application.
Warning: – Issues warnings to avoid personal injury.
italic – Shows book titles, special terms, or emphasis.
label – Shows on-screen labels and commands.
How to get help

This section explains how to get help for Nortel products and services.

Getting help from the Nortel Web site

The best way to get technical support for Nortel products is from the Nortel Technical Support Web site: www.nortel.com/support This site provides quick access to software, documentation, bulletins, and tools to address issues with Nortel products.
Getting help through a Nortel distributor or reseller

If you purchased a service contract for your Nortel product from a distributor or authorized reseller, contact the technical support staff for that distributor or reseller.
1 WEB UI INTRODUCTION

This chapter describes the layout, organization, and navigation features of the BSGX4e Web User Interface (Web UI). The Web UI is a graphical, interactive interface accessible through a Web browser. It allows interactive administration and monitoring of the BSGX4e functions and is accessed through either the HTTP or the HTTPS protocol. For more information about remote Web access, see System > Services > Web Configuration panel on page 34.
Window components

This section describes the main components that are visible in the Web UI window.

Figure 1 Components of the Web UI page (callouts: home page, button bar, assistance icons (information, help), unit name and address, user mode, menu pane, display pane, operations pane, panel within the display pane)

Button bar

Each button represents a category of functions, which appear as links in the menu pane on the left side of the window.
Menu pane

Click a link in the menu pane to load the corresponding configuration page in the display pane. The list of menus changes with each button on the button bar.
Operations pane

The following links perform system operations for the current session:
• Log Out – Logs out the user and returns to the log in screen. Unsaved configuration changes are kept unless the unit restarts.
• Save Changes – Saves configuration changes to nonvolatile memory. (When configuration changes are pending, the Save Changes button turns red.)
Usage notes

This section provides helpful notes on using the Web UI.

Browser requirements

The BSGX4e has been tested with Microsoft® Internet Explorer® and Mozilla® Firefox® browsers. Internet Explorer must have the Adobe® Shockwave® Flash Object add-on. Firefox must have the Adobe Flash Player plugin. Use the browser's Manage Add-ons (Internet Explorer) or Add-ons (Firefox) command to obtain the plugin.
Entering numerical data

The underlying architecture of the Web UI allows you to enter numerical data in decimal, hexadecimal, or octal format. If you enter configuration data in hexadecimal or octal and then view the corresponding display page, you see that the number has been converted to decimal. This can cause confusion for an ID field where the number is used only to identify a record or profile. Nortel recommends that you use decimal numbers in these fields.
2 SYSTEM PAGES

This chapter describes the configuration and status pages available from the System button on the button bar. The functional topics of the pages are listed in the menu pane of the Web UI window, as shown in the figure on the left. The System > Status page is the home page of the Web UI and is the page that appears when you log in.
• SNMP (page 56) – Configuration for remote monitoring of the system.
• SSL (page 59) – Configure the key and certificates for SSL encryption.
• Upgrade (page 62) – Load software and bootloader upgrades. Switch between software configurations.
• Configuration (page 63) – Display current system configuration parameters. Export or import a configuration file.
• License (page 64) – Copyright statements from developers whose code is used in the Web UI.
Status page

Figure 2 Status page

The system status page is display-only; there are no configuration items. Descriptions of the panels in the display pane follow.

System > Status > Current Calls panel

This panel is a speedometer-type display that gives a visual indication of the current call load. You can change the scale of the display by setting the maximum calls parameter in the Session Controller, located under the Voice button in the Web UI.
System > Status > System panel

This panel displays the information shown in the following table.

Table 3 System > Status > System panel information
Application – The software version running in the unit.
IDS attacks – The number of attempted attacks detected by the Intrusion Detection System.
DHCP leases – The number of IP address leases issued when the BSGX4e functions as a DHCP server to LAN devices.
Overview page

The system overview page displays system information, and it contains the following configurable parameters:
• the unit name displayed on the Web UI (left of the button bar)
• the country of operation, which affects telephony settings
• configuration of the CLI command shell

Figure 3 Overview page

The panels in the display pane are described in the following sections.
System > Overview > System Information panel

The System Information panel shows various high-level system configuration items. Further detail for some of the items:
Bootcode Ver – Version of the bootloader program
App.
Services page

The services page is where you enable and configure various network services:
• Web server – Enabled by default
• Telnet server – Enabled by default
• SNTP client – Disabled by default
• SSH server – Enabled by default
• DNS servers – Disabled by default
• Dynamic DNS client – Disabled by default

Telnet sends the login password in clear text. Because an SSH server is enabled as well, a practitioner would normally disable the Telnet server once initial setup is done, particularly if it is reachable from the WAN.

Figure 4 Services page

Note that with some of these services (DNS, SNTP, DHCP), rather than having the BSGX4e act as the service client, you can configure
System > Services > Web Configuration panel

The Web server allows remote administration of the BSGX4e using the Web UI, connected through the WAN or LAN ports. The server supports the HTTP and HTTPS (HTTP over SSL) protocols. The BSGX4e Web server is enabled by default and is configured to use the standard ports 80 (HTTP) and 443 (HTTPS). The Web UI uses the HTTP port by default. You can disable the server or change the access ports with the Modify button. Plain HTTP carries the login password and every configuration change in clear text; where the Web UI is reachable from the WAN, administer the unit over HTTPS and keep the HTTP port off untrusted networks.
System > Services > SNTP Configuration panel

You can use the SNTP client to set the time in the BSGX4e automatically. The SNTP client is disabled by default, so the time must be set manually; use the Initial Setup Wizard to do so. Accurate time also matters for correlating the messages the unit sends to an external syslog server. Rather than using this client service, you can configure the BSGX4e as an SNTP relay. See Data > Relays > SNTP page on page 83 for the SNTP relay function.
System > Services > DNS Configuration panel

The Domain Name Service (DNS) client in the BSGX4e sends requests to a DNS server on the WAN. A DNS request is used to obtain an IP address required by the BSGX4e, such as the IP address of a server that was specified by an FQDN. Two DNS servers can be configured: a primary server and a secondary. The DNS client is always active.
The DNS client determines the DNS configuration to use based on the current value of its Source parameter:
user – The DNS client uses the latest address/domain entered by the user.
dhcp – The DNS client uses the address provided by an external DHCP server that was discovered by the BSGX4e's DHCP client. The DHCP client must be enabled on the interface where the DHCP server is located. If a DHCP server cannot provide an address, the DNS1 and DNS2 fields are set to 0.0.0.0.
• If Source is set to user, you must enter an address into the DNS1 field. The DNS client does not perform any further address searches.

Application scenario – DNS backup configuration

This example shows how a user configuration can be stored as a backup while using the auto-DHCP or auto-PPP configuration. If a DHCP or PPP server cannot provide a DNS address, the user configuration is automatically implemented by the DNS client.
1.
System > Services > Dynamic DNS Settings

Attention: Dynamic DNS is not yet supported.

The Dynamic DNS service allows a remote host on the Internet to stay connected to the BSGX4e WAN port. When the BSGX4e is configured with a dynamic IP address on its WAN port, remote hosts cannot stay connected because the address of the BSGX4e changes. Dynamic DNS allows the domain name data held in a name server to be updated in real time.
When configured and enabled, the display panel appears, similar to the Dynamic DNS Settings panel in the figure to the right. Most of the fields are self-explanatory. The Status field displays one of the following comments:
• GOOD
• GOOD: Additional nochg updates cause the hostname to become blocked.
• ERROR: The hostname specified is not a fully-qualified domain name.
• ERROR: The hostname specified does not exist or is not in this user account.
User accounts page

This page is where you manage the user account security features of the BSGX4e. The user accounts determine who can access the BSGX4e and what permissions they are granted.

Figure 5 User Accounts Page

Technical reference

This section contains technical descriptions and reference information.
Default configuration

User access to the BSGX4e is managed with user accounts, user groups, and user rights. The BSGX4e is delivered with the following predefined configuration:
• Two user groups – One for administrators (admins) and one for other users (users). The admins user group is granted all access modes, and the users user group is granted only Web and CLI access.
• Two user accounts – One for administrators (admin) and one for other users (user).
Passwords

Passwords are set in the User Account configuration page. You are advised to change the default passwords during setup of the BSGX4e. The default passwords are:
admin user = admin
user user = netcat
These defaults are printed in this guide, so anyone who can reach the unit must be assumed to know them; change both passwords before the WAN port is connected. Password authentication can be internal (SHA) or external (RADIUS and TACACS+). For external authentication, you must also configure the RADIUS or TACACS+ client (page 53) after configuring the user account.
Fill in the fields as follows, and click Update when finished:
Name – Log in name of the new account being added, or of the existing account being modified.
System > User Accounts > Groups tab

With the Groups tab active on the User Accounts page, click New to create a profile. To modify an existing profile, click the profile name, then click Modify. To remove a group profile, select the check box next to the profile name, then click Delete. Fill in the fields as follows, and click Update when finished:
Name – Name of the new user group to be added or of the existing user group to be modified.
System > User Accounts > Rights

NOTE: The two permissions (Access mode) allowed are read and write. The execute permission is not used.

As explained in the section Rights on page 42, the permissions for any given command are defined by the combination of the rights identifier and the object name in the command's authority parameter. Each page in the Web UI is the equivalent of a command.
DHCP server

The DHCP server in the BSGX4e provides dynamic IP addresses to hosts connected to its LAN ports. This service is enabled by default. Optionally, you can assign static addresses to LAN hosts. For clarification, the BSGX4e also includes two other DHCP features:
DHCP relay (page 85) – Rather than having the DHCP server provide addresses to LAN hosts, the relay service receives the host's DHCP request and proxies it to an external server.
Functional characteristics

The DHCP server, as implemented in the BSGX4e, has the following characteristics:
• Supports one address range per LAN interface (eth1 or vifn). Up to four virtual interfaces (vif) can be configured on the LAN ports, one on each port.
• The address range must be within the subnet of the interface.
• Up to four servers can be configured, one on each interface configured on the LAN ports.
• Up to 500 IP addresses can be configured on each server.
[interface] (1) – The BSGX4e interface for which the server supplies addresses. Default is eth1 (LAN).
Enabled (1) – Enables or disables the DHCP server for the designated interface. Default is enabled.
Subnet (1) – The subnet that is to be served. Must be a subnet of the interface. Default is 192.168.1.0.
Netmask (1) – The netmask for the subnet. Default is 255.255.255.0.
IP (1) – The beginning address for the range of IP addresses that the server can assign to hosts.
• A group cannot be deleted if it is referenced by another configuration entry on the Pool or Host pages.
• A group cannot be renamed if it is referenced by another configuration entry on the Pool or Host pages.
• A group cannot be modified after being created. If you need to change the group option parameters, you must delete it and create a new one.
• An option code can be assigned to different groups with the same or a different value for each group.
Value – Enter an appropriate value for the selected code:
bootfile-name – Text. Identifies a bootstrap file.
domain-name – Text. The domain name the client must use when resolving host names through DNS.
domain-name-servers – IP address. A list of DNS servers available to the client. Enter multiple servers separated by a comma (,). List the servers in order of preference.
NOTE: Read the DNS entry under Functional characteristics on page 48 for reference.
System > DHCP Server > Host tab

The configuration parameters on this page are optional. Use them to reserve a specific IP address for a given MAC address and assign an option group to that address. A reservation only pins an address to a MAC address; it is not an access control, since a LAN host can present any MAC address it likes. Click New to open the configuration page. You can modify existing host profiles by clicking the Id number on the display page. You can delete host profiles by selecting the check box next to the profile on the display page, then clicking Delete.
RADIUS and TACACS+

The BSGX4e includes both a Remote Authentication Dial-In User Service (RADIUS) client and a Terminal Access Controller Access-Control System Plus (TACACS+) client for external authentication, as an alternative to the default internal SHA method. To use either service, you must first establish an account on a RADIUS or TACACS+ server. That can be your company's server or a commercial service provider.
Configuration

Perform the following steps to create a RADIUS or TACACS+ authentication record.

NOTE: A user account (page 43) must be configured for external authentication before the corresponding authentication record is created.

System > Radius

The Radius page displays existing authentication records and contains the buttons for adding a new record or deleting an existing record.
System > TACACS+

The TACACS+ page displays existing authentication records and contains the buttons for adding a new record or deleting an existing record. To configure a TACACS+ authentication record, click New to open the configuration page. You can modify an existing record by clicking the User name on the display page. You can delete a record by selecting the check box next to the profile on the display page, then clicking Delete.
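The page does not say what the RADIUS shared secret is used for, and its strength decides how much a captured authentication exchange gives away. The following Python is an added example, not Nortel's code and not a description of the BSGX4e implementation: it models the RFC 2865 Access-Request exchange any RADIUS client performs (the password is hidden by XOR with MD5(secret || request authenticator), and the server's reply carries a Response Authenticator keyed with the same secret) and then shows that whoever captures one request/response pair can test candidate secrets offline. The user name, password and candidate secrets are constructed sample values.

```python
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD = 1, 2  # attribute types, RFC 2865 section 5


def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: pad to a multiple of 16 octets, then XOR each block with
    MD5(secret + previous block); the first 'previous block' is the 16-byte
    Request Authenticator."""
    if not password or len(password) > 128:
        raise ValueError("password must be 1..128 octets")
    padded = password.ljust(((len(password) + 15) // 16) * 16, b"\x00")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], pad))
        out += block
        prev = block
    return out


def reveal_password(hidden, secret, request_auth):
    """Inverse of hide_password. With the wrong secret the result is noise,
    so a captured request on its own does not give up the password."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, pad))
        prev = block
    return out.rstrip(b"\x00")


def attribute(attr_type, value):
    """Type(1) Length(2 + len) Value."""
    return bytes([attr_type, len(value) + 2]) + value


def build_access_request(ident, username, password, secret, request_auth=None):
    """Code(1) Identifier(1) Length(2) Request Authenticator(16) Attributes."""
    request_auth = request_auth or os.urandom(16)
    attrs = attribute(USER_NAME, username.encode()) + attribute(
        USER_PASSWORD, hide_password(password.encode(), secret, request_auth))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + request_auth + attrs


def response_authenticator(code, ident, attrs, request_auth, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_response(code, ident, attrs, request_auth, secret):
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + response_authenticator(code, ident, attrs, request_auth, secret) + attrs


def guess_secret(request, response, candidates):
    """Offline check of candidate secrets against a captured request/response
    pair. Everything in the hash except the secret is on the wire, so a weak
    secret falls to a wordlist; returns the matching candidate or None."""
    request_auth = request[4:20]
    code, ident, length = struct.unpack("!BBH", response[:4])
    resp_auth, attrs = response[4:20], response[20:length]
    for secret in candidates:
        if response_authenticator(code, ident, attrs, request_auth, secret) == resp_auth:
            return secret
    return None


if __name__ == "__main__":
    # Constructed sample exchange; the secret is deliberately weak.
    secret = b"nortel1"
    req = build_access_request(7, "alice", "hunter2", secret)
    resp = build_response(ACCESS_ACCEPT, 7, b"", req[4:20], secret)
    print("recovered secret:", guess_secret(req, resp, [b"public", b"nortel1", b"admin"]))
```

The practical consequence for the RADIUS record you create here is that the shared secret should be long and random, and the path between the BSGX4e and the server should be one an attacker cannot sniff; TACACS+ encrypts the whole body with its key, but the same wordlist logic applies to a weak key.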
SNMP

The BSGX4e contains an SNMP agent that allows for remote monitoring. The BSGX4e cannot be configured through SNMP in the current version.

Figure 7 SNMP agent configuration

SNMP uses a Management Information Base (MIB) database. The MIBs are described in IETF RFC 1213. SNMP traps are supported. The SNMP agent replies only to SNMP version 2c requests. Apart from the system group, which can be configured with write permissions, all MIBs are in read-only mode in this version. SNMPv2c has no authentication or encryption beyond the community string, which crosses the network in clear text; treat the community string as a password, and do not give the system group a write community unless you need it.
Configuration

The SNMP agent is enabled by default but not configured. Traps are disabled by default, and no community is configured.

System > SNMP > Agent tab

Click Modify to configure the SNMP agent:
Enabled – Enables the agent (boolean). The agent is initially enabled.
Port – Port on which the agent listens. The default is port 161.
(range to) – DO NOT USE. This field is removed in the next release.
SysLoc – SNMP system location (sysLocation MIB); physical location of the hardware.
System > SNMP > Statistics tab

The Statistics page is a read-only display of the SNMP agent performance. You can update the display with the Refresh button, and delete accumulated statistics with the Clear button. Field definitions are as follows:
Out Pkts – Total number of outgoing SNMP messages.
In Pkts – Total number of incoming SNMP messages.
In BadCommunityNames – Total number of incoming messages with an unknown community name. A steadily rising count with no known manager misconfiguration means someone is guessing community strings.
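To make concrete what "version 2c" and "community" mean on the wire, the following Python is an added example (not Nortel's code) that hand-encodes an SNMPv2c GetRequest for sysDescr.0 in BER exactly as a manager would send it to the agent on UDP port 161, and then reads the community string straight back out of the bytes, which is what any passive listener on the path can do. The community name "public" and the request ID are sample values; the `query` helper is only there to show the send, and needs a reachable agent.

```python
import socket

INTEGER, OCTET_STRING, NULL, OID, SEQUENCE, GET_REQUEST = 0x02, 0x04, 0x05, 0x06, 0x30, 0xA0
SNMP_V2C = 1  # version field: 0 = v1, 1 = v2c, 3 = v3


def tlv(tag, payload):
    """BER tag-length-value; long-form length for payloads over 127 bytes."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload


def ber_int(value):
    """Minimal two's-complement encoding for non-negative integers."""
    if value < 0:
        raise ValueError("negative integers are not needed here")
    return tlv(INTEGER, value.to_bytes(value.bit_length() // 8 + 1, "big"))


def ber_oid(dotted):
    """First two arcs fold into one byte (40*a + b); the rest are base-128
    with the high bit set on every byte but the last of each arc."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return tlv(OID, bytes(out))


def build_get_request(community, oid, request_id):
    """Message ::= SEQUENCE { version INTEGER, community OCTET STRING,
    GetRequest-PDU [0] { request-id, error-status, error-index, varbinds } }"""
    varbind = tlv(SEQUENCE, ber_oid(oid) + tlv(NULL, b""))
    pdu = tlv(GET_REQUEST, ber_int(request_id) + ber_int(0) + ber_int(0)
              + tlv(SEQUENCE, varbind))
    return tlv(SEQUENCE, ber_int(SNMP_V2C) + tlv(OCTET_STRING, community.encode()) + pdu)


def read_tlv(buf, pos):
    """Return (tag, value, position after the element)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        k = length & 0x7F
        length = int.from_bytes(buf[pos:pos + k], "big")
        pos += k
    return tag, buf[pos:pos + length], pos + length


def community_from_wire(packet):
    """What a sniffer sees in every v1/v2c message: the version and the community."""
    tag, body, _ = read_tlv(packet, 0)
    if tag != SEQUENCE:
        raise ValueError("not an SNMP message")
    _tag, version, pos = read_tlv(body, 0)
    tag, community, _ = read_tlv(body, pos)
    if tag != OCTET_STRING:
        raise ValueError("community string missing")
    return int.from_bytes(version, "big"), community.decode()


def query(host, community, oid="1.3.6.1.2.1.1.1.0", timeout=2.0):
    """Send the request to an agent on UDP/161 and return the raw reply."""
    pkt = build_get_request(community, oid, 1)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(pkt, (host, 161))
        return s.recv(4096)


if __name__ == "__main__":
    pkt = build_get_request("public", "1.3.6.1.2.1.1.1.0", 1)
    print(pkt.hex())
    print(community_from_wire(pkt))  # the community recovered from the bytes
```

Every request the agent accepts looks like this, so a community string that is guessable, or that is sent across an untrusted WAN, gives a read of every MIB the agent exposes; the In BadCommunityNames counter on the Statistics tab is the one place on the unit where a guessing attempt shows up.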
SSL

This section describes configuring the Secure Sockets Layer (SSL). SSL secures connections from any device contacting the BSGX4e on well-known TCP port 443. This applies primarily to the WAN interface, but is also applicable to the LAN interface. Traffic over an SSL connection is encrypted and authenticated to prevent eavesdropping, tampering, or forgery.
During the time that a profile is being regenerated, new SSL connections cannot be established. The Status field on the Keys page displays generating during the generation process, and displays OK when the process completes. The Cert Reqs and Certificates tabs also have a status field.

Configuration

As explained above, the default SSL configuration is applicable in most situations.
System > SSL > Cert Reqs tab

This page is where you can create a new Certificate Signing Request (CSR), if needed. A valid key must first be configured. A CSR exists by default; the default certificate is X.509 and is self-signed by the SSL module. A browser cannot check a self-signed certificate against a trusted CA and warns on the first HTTPS connection, so compare the certificate the browser shows with the one installed on the unit, over a path you trust, before accepting it, or have the CSR signed by a CA your browsers trust. To generate a new CSR, modify any of the parameters on this page. Alternatively, you can delete the CSR with the CLI command del ssl csr x509.
Upgrade

Figure 9 Upgrade system image

Use the Upgrade page to import new system software image files and bootloader files. You can store two image files and define which to use for booting the system. The manual configuration and user settings you made persist through an image upgrade. You acquire system update files at Nortel's support Web site.

System > Upgrade

Perform the following steps to import a new software image:
1.
Configuration

The Configuration page has two tabs:
Text Based – Shows the current user configuration, listed as CLI commands.
Save/Restore – Where you import and export a configuration file. Treat an exported file as sensitive: it captures the unit's user, service and security configuration, and whoever can restore one can reconfigure the unit.
License

This is a display page that lists the copyrights of other companies' products used in the BSGX4e.

Logging information

Figure 11 Logging information

The BSGX4e logs event and error messages to various internal and external destinations. Most of these logs are intended to assist in troubleshooting during a technical support session and do not provide useful information for normal operations.
System > Logging Info > Logging Destination panel

This panel is where you configure the external server that receives UDP and/or syslog messages. Log messages are compliant with the syslog protocol. The UDP section can also be configured to send raw UDP messages to a PC that is reachable from the BSGX4e. External logging is not configured by default. Click the Modify button to open the configuration page:
UDP Logger IP – For messages with UDP destination.
System > Logging Info > Logging Map panel

This page is where you configure each message type for one or more destinations, or no destination. As described in the next section, each functional module in the BSGX4e can be configured for which message types it sends. Message types are defined by severity level. The default map keeps every level only in the internal buffer; if you want Warning-level attack notices available off the unit, map levels 0 to 4 to the syslog or UDP destination as well. Click the Modify button to open the configuration page.
Table 5 describes the message severity levels and shows the default destinations.

Table 5 System message severity
Severity Level – Message Level – Description – Default Destination
0 – Emergency – Emergency operation error – Internal buffer
1 – Alert – Alert level operation error – Internal buffer
2 – Critical – Critical operation error – Internal buffer
3 – Error – Low-level operation error – Internal buffer
4 – Warning – Warnings, such as a system attack – Internal buffer
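As an added example (not Nortel's code), the following Python reads syslog lines of the kind the Logging Destination panel sends to an external server, recovers the severity from the <PRI> prefix (PRI = facility * 8 + severity), names it with the Table 5 levels, and delivers each line according to a logging map of the kind the Logging Map panel defines. Levels 5 to 7 (Notice, Informational, Debug) are the remaining standard syslog names and lie beyond the part of Table 5 reproduced above. The log lines and the facility number are constructed samples, not BSGX4e output.

```python
import re
from collections import Counter

# Severity values 0-4 are those of Table 5; 5-7 are the remaining standard syslog levels.
SEVERITY_NAME = {0: "Emergency", 1: "Alert", 2: "Critical", 3: "Error",
                 4: "Warning", 5: "Notice", 6: "Informational", 7: "Debug"}

# Default logging map per Table 5: every level goes to the internal buffer only.
DEFAULT_MAP = {level: {"buffer"} for level in SEVERITY_NAME}

# A map a practitioner might configure instead: levels 0-4 also leave the unit.
FORWARDING_MAP = {level: ({"buffer", "syslog", "udp"} if level <= 4 else {"buffer"})
                  for level in SEVERITY_NAME}

_PRI = re.compile(r"^<(\d{1,3})>(.*)$", re.S)


def parse_pri(line):
    """Return (facility, severity, message) from a '<PRI>message' line."""
    m = _PRI.match(line)
    if not m:
        raise ValueError("no <PRI> prefix: %r" % line[:40])
    pri = int(m.group(1))
    if pri > 191:  # 23 facilities * 8 + 7 is the largest legal PRI
        raise ValueError("PRI out of range: %d" % pri)
    return pri // 8, pri % 8, m.group(2)


def route(lines, logging_map=DEFAULT_MAP):
    """Deliver each line to the destinations its severity maps to.
    Returns ({destination: [(severity_name, message), ...]}, Counter of names);
    malformed lines are counted rather than dropped silently."""
    delivered, counts = {}, Counter()
    for line in lines:
        try:
            _facility, sev, msg = parse_pri(line)
        except ValueError:
            counts["malformed"] += 1
            continue
        name = SEVERITY_NAME[sev]
        counts[name] += 1
        for dest in logging_map[sev]:
            delivered.setdefault(dest, []).append((name, msg.strip()))
    return delivered, counts


# Constructed sample lines; facility 1 (user-level) is assumed.
SAMPLE_LINES = [
    "<12>Jul 15 10:01:02 bsgx4e ids: possible attack from 203.0.113.7",
    "<14>Jul 15 10:01:05 bsgx4e dhcpd: lease 192.168.1.50 granted",
    "<11>Jul 15 10:02:00 bsgx4e ppp: LCP negotiation failed on ppp0",
    "<10>Jul 15 10:02:30 bsgx4e sys: configuration memory corrupt",
    "Jul 15 10:03:00 bsgx4e line without a PRI field",
]

if __name__ == "__main__":
    delivered, totals = route(SAMPLE_LINES, FORWARDING_MAP)
    for name, msg in delivered.get("syslog", []):
        print("%-9s %s" % (name, msg))
    print(dict(totals))
```

With the default map nothing reaches the syslog destination at all; with the forwarding map the Warning, Error and Critical lines do, and the Informational lease message stays in the buffer.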
3 DATA PAGES

This chapter describes the configuration and status pages available from the Data button on the button bar. The functional topics of the pages are listed in the menu pane of the Web UI window, as shown on the left. The Data pages consist of various status and statistics displays, and configuration pages related to the WAN and LAN (switch) interfaces, relayed network services, and traffic routing.
WAN

This section is where you configure the BSGX4e network (WAN) interface. Your choices are:
• Ethernet (eth0) [default]
• PPP (pppn)
• VLAN (vifn)
The BSGX4e has an eth0 interface configured by default. To modify this interface or to add the other interface types, see the next section, Interfaces.

Interfaces

The Interfaces section is where you configure the WAN and LAN interface protocols.
IP display pane

The display pane (Figure 12 above) shows the parameters of each WAN or LAN interface. This is also where you configure new interfaces and delete existing entries. Most of the fields are self-explanatory. A few fields need some explanation:
• The Lease obtained and Lease expires columns display N/A if DHCP is off or DHCP has not assigned an IP address to eth0. Otherwise, the columns describe the DHCP lease for the IP address assigned.
Speed – Applicable only to the eth0 interface on the BSGX4e. Whether the speed and duplex mode for the interface are auto-negotiated or explicitly specified. For auto-negotiation, choose Auto (default).
VLAN configuration

As part of the VLAN configuration process, the Data > Interfaces > IP page is where you configure the virtual interface (vifn) as an IP interface.

NOTE: You must have created the virtual interface before performing this task. See Data > Interfaces > VLAN on page 75 for VLAN process details.

Procedure: Follow the instructions under the IP configuration heading above. Select vifn from the Interface drop-down list on the configuration page.
PPP configuration summary

You must perform the following process to establish a functioning PPP link as the WAN interface:
1. Disable the DHCP client on the eth0 (WAN) interface. [page 71]
2. Create a PPP profile. This displays as the ppp0 IP interface. [this section]
3. Create security policies for the ppp0 interface. [page 127]
4. Enable NAT for the ppp0 interface. [page 134]
5. Create a QoS group to protect the PPP control signal.
Do not skip step 3: security policies are created per interface, and the new ppp0 interface has none until you add them.
SelfIP/Mask – Optional static IP address and subnet mask (1.2.3.4/8) for the pppn interface. Enter any if none is provided. Default is any.
MTU – Maximum Transmission Unit (MTU) of the interface (296-1492 bytes). The default is 1492 bytes.
MRU – Maximum Receive Unit (MRU) of the interface (296-1492 bytes). The default is 1492 bytes.
RestartTime – Time interval before a request is re-sent (in milliseconds). The default is 3000 (3 seconds).
Technical reference

The VLAN function in the BSGX4e has the following characteristics:
• The BSGX4e supports IEEE 802.1Q, which allows up to 64 VLANs across the four LAN switch ports.
• Up to 16 virtual interfaces (vif0 - vif15) can be created on the Interface > IP configuration page. VLANs are integrated into the host IP stack as separate layer 2 Ethernet interfaces. A VLAN is most commonly created on the LAN (eth1) interface.
Configuration procedure – Virtual interface

Perform the following procedure on the Data > Interfaces > VLAN page to create a virtual interface profile for a VLAN. Virtual interfaces are displayed as vif(n), where n is 0 through 15. A VLAN cannot be configured on a PPP (pppn) WAN interface.
1. Click New to open the configuration page.
2. Fill in the fields:
VID – Specify the VID that was created on the Switch > VLAN page (see the NOTE above).
interface – This parameter is required.
Relays

This section describes using the BSGX4e as a relay for devices on its LAN that request DNS, TFTP, SNTP, or DHCP services. The BSGX4e acts as a proxy and forwards any such requests to the servers on the WAN specified by the services' configurations. To a LAN device, the BSGX4e appears to be a server; to the WAN server, the BSGX4e appears to be a client. The DNS relay is enabled by default; all other relays are disabled.
The BSGX4e maintains a cache of successful DNS exchanges. If a DNS request is already in the cache, the BSGX4e can reply to the request without referencing a DNS server. As described below, if the DNS relay configuration source is set to auto, the actual configuration used depends on the settings of the DNS client. See System > Services > DNS Configuration panel on page 36 for DNS client configuration.
Table 8 Sources for DNS relay configuration

DNS Relay Source | DNS Client Source | Can DHCP/PPP provide DNS configuration? | Did user provide DNS Client configuration? | Setting used
user | any or null | -- | -- | User settings in DNS Relay
auto | DHCP or PPP | yes | -- | DHCP or PPP
auto | DHCP or PPP | no | -- | User settings in DNS Relay
auto | user | -- | yes | User settings in DNS Client
auto | user | -- | no | User settings in DNS Relay
auto | auto | yes | -- | DHCP or PPP
auto | auto | no | yes | User se
Figure 16 Relay – TFTP page

You can cache frequently requested files. If the requested file is in the cache, the BSGX4e can reply to the request without contacting the server. File caching provides the following benefits: • Avoiding unnecessary WAN bandwidth usage for frequently requested files, especially if there are several user devices, such as VoIP phones.
Settings tab To configure the TFTP relay, click Modify on the Settings tab page, fill in the fields as follows, and click Update when finished: Enabled Enables the TFTP relay. Default is off. Server IP address or FQDN of the external TFTP server. If using the DHCP client option, leave this field blank. DHCP Enable to have the TFTP server address provided by the DHCP client on the WAN interface of the BSGX4e {on | off}.
Files tab All files that you want to cache have to be named specifically. This page is where you specify the files, and where you view all existing cached files. The cache can list up to 50 files. To specify files for caching, click New on the Files tab page, fill in the fields as follows, and click Update when finished. To delete an entry, enable the check box next to the Index number on the display page, then click Delete.
Settings tab To configure the SNTP relay, click Modify on the Settings tab page, fill in the fields as follows, and click Update when finished: Enabled Yes to enable. Default is no. Source The source of the SNTP relay’s configuration. Your choices here are: • user – The last server specified for the Server parameter. • auto – The actual source depends on the choice made here combined with the Source field of the SNTP client (page 35), even if it is disabled.
Data > Relays > DHCP page Figure 18 Relay – DHCP page The DHCP relay proxies requests from devices on the BSGX4e LAN to a server located on the WAN. To the devices on the LAN, the BSGX4e appears as a server; to the server on the WAN, the BSGX4e appears as a client. For clarification: • The BSGX4e has a DHCP client that obtains an IP address for the unit from an external DHCP server. This client is normally enabled on the WAN interface.
Routing This section describes the routing configuration options in the BSGX4e, which consists of a routing protocol table and an Address Resolution Protocol (ARP) table. When a network node sends data to an IP address on its subnet segment, it broadcasts an ARP request to resolve the IP address to an Ethernet MAC address. Technical reference The configuration topics in this section refer to three separate protocols that each maintain their own data structure.
Data > Routing > Routes Table View dynamic routes and configure static routes in the routing table on this page. Figure 19 Routing Table page Dynamic routes are automatically created when IP interfaces are created or enabled. It is possible to delete dynamic routes, but this is not recommended. Use the following procedure to create a static route: 1. Click New to open the configuration page. 2.
Data > Routing > ARP Address Resolution Protocol (ARP) is a network layer protocol that automatically maps IP addresses to hardware Media Access Control (MAC) addresses. Use the ARP page to manually create an ARP table entry, to delete an entry, to flush the table of all entries, and to configure an ARP proxy. NOTE: ARP traffic is essential for the maintenance of the ARP table.
Proxy ARP tab Figure 21 Proxy ARP page Proxy ARP enables the BSGX4e to transparently connect hosts that belong to different networks without having to configure default gateways, routes, or other network parameters. This section describes the general proxy ARP configuration process. It also includes an application scenario where a BSGX4e is inserted into an existing network that used a firewall/router/NAT appliance as its WAN interface.
Works with static or dynamic WAN IP address assignments, depending on the configuration. The more standard configurations–like that in Configuration example 1–can use a dynamic address. More specialized configurations–like that in Configuration example 2–require a static address. Automatically creates dynamic ARP route table entries and firewall security policies as needed.
Configuration example 1 The diagram in Figure 22 shows two proxies established (one in each direction) between a subnet on the WAN and a subnet on the BSGX4e LAN. The two proxies would be configured as follows:

Field  | Value (Proxy 1)  | Value (Proxy 2)
Id     |                  |
From   | eth0             | eth1
To     | eth1             | eth0
IP     | 192.168.152.0/24 | 192.168.2.0/24
Enable | yes              | yes

Figure 22 Proxy ARP – General configuration example [diagram: Subnet A 192.168.2.0/24; WAN (Eth0); ARP request to 192.168.2.0 ...]
Configuration example 2 The diagram in Figure 23 shows the scenario where a BSGX4e has been inserted into an existing network that was using a firewall appliance as its WAN interface. The result of this configuration is that the firewall still functions as if connected directly to the Internet. In this configuration, you cannot have VoIP devices connected to the LAN side of the firewall in the data VLAN (Vif1). VoIP devices must be connected directly to the BSGX4e LAN.
Figure 23 Proxy ARP – Subnet with firewall [diagram: Internet; WAN (Eth0) 1.1.1.1/24 with proxy ARP for 1.1.1.0/24; Vif0 VoIP VLAN 192.168.3.0/24; Vif1 Data VLAN 192.168.2.0/24 with the firewall at 1.1.1. ... on the LAN (Eth1) side]

Proxy ARP parameters:
From | To   | Address
Eth0 | Vif1 | 1.1.1.2/255.255.255.255
Vif1 | Eth0 | 1.1.1.0/255.255.255.0
Data > Routing > RIP Figure 24 RIP page The BSGX4e executes dynamic routing by enabling RIP (Routing Information Protocol). RIP is a simple routing protocol that is part of the TCP/IP protocol suite. The BSGX4e supports RIP versions 1 and 2. The RIP daemon is disabled by default and must be started manually. When started, it listens for RIP messages on the WAN interface and uses that information to store routes in a table.
On the Daemon tab of the RIP page, click Modify to open the configuration page and change the settings as needed. The Routes tab displays the routes that the RIP daemon has stored. NOTE: You must create a firewall policy to allow RIP responses into the BSGX4e. See RIP security policy on page 129. Switch The LAN switch in the BSGX4e implements a non-blocking switch fabric, enabling packet switching at wire speed over all ports.
Port page This page is where you configure the BSGX4e LAN ports and view port related statistics. Figure 26 LAN ports page This page has three tabs: Port tab is where you configure the LAN switch ports. Mirror tab is a diagnostic tool where you can mirror one port to another. Stats tab displays port statistics. Data > Switch > Ports tab All ports are configured by default for auto negotiation of speed and duplex mode; flow control is disabled; and the port is enabled.
Port Display only. The port being configured. Speed The speed and duplex mode: • Auto – Auto-negotiate speed and duplex mode • 10Half – 10Base T speed; half duplex • 10Full – 10Base T; full duplex • 100Half – 100Base T speed; half duplex • 100Full – 100Base T; full duplex Default is auto. Enabled Port is enabled or disabled. Default is yes (enabled). Flow Ctrl When enabled, provides back pressure (forced collision) for half duplex mode and pause frames for full duplex mode.
QoS page The LAN switch in the BSGX4e unit provides a layer 2 Quality of Service (QoS) feature. This feature enables prioritization of network traffic coming into the BSGX4e through its LAN ports. See the relevant sections in the chapter 4 Quality pages on page 105 for layer 3 QoS. This page has four tabs: IEEE tab maps IEEE 802.1p (CoS) bit values to priority queues. Port tab sets a priority level applied to all traffic through the port.
Figure 28 Layer 2 QoS functionality [diagram: packets arriving on the LAN ports are classified by either port number or 802.1p into four queues (LOWESTQ, LOWQ, HIGHQ, HIGHESTQ); priority scheduling toward the 100 Mbps routing engine is performed by either fixed priority or weighted fair queuing with WFQ weights 1, 2, 4 and 8]
Data > Switch > IEEE tab This classification type is used with VLANs and relies on the priority bits in the VLAN tag to indicate the priority. The priority bits need to be set by the LAN device that is part of the VLAN. Use Table 10, above, to determine the value to set. See the network configuration examples in Figure 44 on page 193. This IEEE 802.1p priority notation is commonly called CoS (class of service). It is the three-bit priority field (PCP) in the Tag Control Information of the IEEE 802.1Q VLAN tag that follows the source MAC address in the Ethernet frame header.
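The following is an added example, not code from the Nortel guide, that locates the 802.1p priority bits where the text above says they are: an 802.1Q tag (TPID 0x8100) between the source MAC and the EtherType, whose 16-bit TCI carries the 3-bit PCP, the DEI bit and the 12-bit VID. The pairing of PCP values with the four switch queues is an assumption made for illustration, because Table 10 is not reproduced on this page; the sample frames are constructed, not captured.

```python
import struct

TPID_8021Q = 0x8100

# Assumed priority-to-queue mapping. Table 10 of the guide is not reproduced
# here, so this pairing of 802.1p values with the four queues is illustrative.
PCP_TO_QUEUE = {
    0: "LOWESTQ", 1: "LOWESTQ",
    2: "LOWQ", 3: "LOWQ",
    4: "HIGHQ", 5: "HIGHQ",
    6: "HIGHESTQ", 7: "HIGHESTQ",
}


def parse_ethernet(frame: bytes) -> dict:
    """Parse the Ethernet header and, when present, the 802.1Q tag.

    The tag sits between the source MAC and the EtherType: TPID 0x8100, then
    a 16-bit TCI whose top three bits are the 802.1p priority (PCP), followed
    by the DEI bit and the 12-bit VLAN ID.
    """
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    (tpid,) = struct.unpack("!H", frame[12:14])
    info = {"dst": dst.hex(":"), "src": src.hex(":"), "tagged": False,
            "pcp": None, "dei": None, "vid": None, "ethertype": tpid}
    if tpid == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("tagged frame truncated before TCI/EtherType")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        info.update(tagged=True, pcp=tci >> 13, dei=(tci >> 12) & 1,
                    vid=tci & 0x0FFF, ethertype=ethertype)
    return info


def classify_queue(frame: bytes) -> str:
    """Queue a frame enters under IEEE (802.1p) classification. Untagged
    frames carry no priority; sending them to LOWESTQ is an assumption."""
    info = parse_ethernet(frame)
    if not info["tagged"]:
        return "LOWESTQ"
    return PCP_TO_QUEUE[info["pcp"]]


def build_frame(pcp: int = None, vid: int = None, ethertype: int = 0x0800,
                payload: bytes = b"") -> bytes:
    """Constructed sample frame (test data, not a capture). Give pcp and vid
    to emit an 802.1Q tag; omit both for an untagged frame."""
    hdr = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
    if pcp is None and vid is None:
        return hdr + struct.pack("!H", ethertype) + payload
    if pcp is None or vid is None or not 0 <= pcp <= 7 or not 1 <= vid <= 4094:
        raise ValueError("tagged frame needs PCP 0-7 and VID 1-4094")
    tci = (pcp << 13) | vid
    return hdr + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload
```

Frames with a PCP of 5 land in HIGHQ under the assumed mapping; a frame cut off inside the tag raises rather than being classified on garbage.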
NOTE: To guarantee uninterrupted service for a critical application, such as VoIP, use fixed scheduling and assign that service to the HIGHESTQ queue. To change the classification type or scheduling method, perform these steps: 1. Click Modify to open the configuration page. 2. Select the desired classification type from the Type drop-down list. 3. Select the desired scheduling method from the Scheduling drop-down list. 4. Click Update when finished.
• Static Entries You can add entries to the ARL table. The entries created are static entries; static entries are not aged out of the table. Static entries remain in the table until the table is manually flushed with the Clear button. • Prioritizing Traffic by MAC Address You can prioritize specific LAN traffic with static ARL entries (but not with dynamic entries). Four priority queues are available: LOWESTQ, LOWQ, HIGHQ, and HIGHESTQ.
Data > Switch > VLAN This section describes the procedure for assigning the BSGX4e LAN ports to VLANs. This is the first part of the entire VLAN configuration process, which is detailed under Data > Interfaces > VLAN on page 75. Figure 30 VLAN – LAN switch Technical reference • A port is configured as tagged or untagged when it is assigned to the VLAN.
Configuration procedure The following procedure creates a VLAN ID, assigns a port to that VLAN, and configures the tagging characteristics of the port. 1. Click New to open the configuration page. 2. Fill in the fields as follows: VID VLAN identification number (1 - 4094). VLAN name Name or description of the VLAN. It can be up to 32 alphanumeric characters.
4 Quality pages Introduction 4 QUALITY PAGES This chapter describes the configuration and status pages available from the Quality button on the button bar. The functional topics of the pages are listed in the menu pane of the Web UI window, as shown on the left here. The Quality pages consist of various status and statistics displays, and configuration pages related to QoS and Downstream QoS.
Calls page The Quality > Calls page has three tabs: Quality – Displays various quality statistics, including MOS scores, by endpoint ID number. Alarms – Displays statistics on quality, burst and delay alarms. Analyser – Configures voice quality monitoring including alarms and thresholds.
Quality > Calls > Quality tab The Quality tab page is display only and appears as shown above in Figure 31 when calls are active in the BSGX4e. Terminology EP-ID/EP-Name – Endpoint (LAN phone) identification number or name. MOS-LQ/MOS-CQ/R Fact – Mean Opinion Score - Listening Quality; Mean Opinion Score - Conversation Quality; and R-Factor. These values depend on the codec used and the level of traffic disruption, for example packet loss, delay, and jitter.
The Calls Analyser reports statistics for VoIP media streams that flow through the routing engine in the external → internal, and internal → internal directions. Whether or not Direct Media is enabled also affects which flows are analyzed. As shown below in Figure 32, flows measured by the Calls Analyser are: • External calls – Inbound flows from WAN to LAN and from WAN to User Agent. • Local calls – Flows between LAN phones, and flows from LAN to analog phones.
Calls analyser configuration Open the configuration page by clicking the Modify button. Change the default values as needed: JB Type Whether to emulate a static or adaptive jitter buffer {static | adaptive}. Default is static. JB Minimum Minimum size of the simulated jitter buffer. Default is 10. JB Maximum Maximum size of the simulated jitter buffer. Default is 60. JB Nominal Nominal level of the simulated jitter buffer. Default is 30.
Link page The Quality > Link page is where you specify the upstream bandwidth for the QoS link. This relates to the quality groups you configure for QoS in the section, Group page on page 112, which is next. The total bandwidth of all quality groups cannot exceed 90% of the link rate. See also Appendix 12–Quality of service for a technical description of QoS implementation in the BSGX4e. This section relates to layer 3 QoS functions.
Configure the QoS link as follows: 1. Click New to open the configuration page. 2. The appropriate Interface normally displays by default. Select it from the drop-down list if necessary. 3. Enter the network connection rate in bits per second (bps) into the Max field. This is normally the uplink rate indicated by your network service provider. However, if your actual rate is significantly different from the indicated rate, use the actual rate.
Group page The Quality > Group page has three tabs: Group – Create and configure the quality groups used in QoS. Stats – Cumulative performance statistics for quality groups. Live – Instantaneous performance statistics for quality groups. Figure 34 Quality group page Quality > Group > Group tab The Group page is where you create and configure the quality groups used in QoS.
• SIP video Protecting a SIP video stream under QoS requires special consideration because of the characteristics of the stream. Video has a moderate average rate but experiences high peaks that can reach 3 Mbps. • Use only with high-bandwidth installations of at least 1.5 Mbps. SIP video is detected by the session controller and assigned to a quality group named “video.” This is a special name that the session controller recognizes.
Configuring a new quality group If you need to create a new quality group, click New in the Group tab page and fill in the fields as described below. Click Update when finished. To modify an existing group, click the Name in the display to open the properties page, then Modify to open the configuration page. To delete an entry, enable the check box next to the group name on the display page, then click Delete. Name Name of the quality group to be created.
COS CoS value to be written into each packet assigned to this quality group (decimal, 0-7). Enter no if no CoS value is to be written. If supported by the upstream router, the CoS value can notify the router if VLAN traffic is to be prioritized (as defined by the IEEE 802.1p standard). DownstreamQoS Reserves incoming bandwidth for non-TCP traffic. Intended primarily for the voice and control quality groups. See page 118.
QoS defaults If the wizard was used with the Default button, the various pages under the Quality button in the Web UI display the settings in the following tables. These pages are where you can modify the default settings.
Quality > Group > Live You can view instantaneous performance statistics (one-second interval) for quality groups on the Live tab of the Group page. The displayed statistics are as follows: Input rate Offered rate to the quality group. Output rate Overall output rate of the quality group, including protected and downgraded traffic. Primary output rate Output rate of the protected traffic. Downgrade output rate Output rate of downgraded (non-protected) traffic.
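As an added example (not code from the Nortel guide), the model below shows how a quality group of Type CAR with a Committed rate and a Burst value, the parameters the ARP/PPP control group uses later in this chapter, splits an offered stream into the protected ("primary") and downgraded traffic that the Live tab reports. It assumes the committed rate is in bits per second and the burst in bits, and that the group behaves as a token bucket that starts full; the unit's actual scheduler is not documented on this page. The packet stream is constructed for the demonstration.

```python
from dataclasses import dataclass, field
from fractions import Fraction
from typing import Dict, Iterable, List, Tuple


@dataclass
class CarGroup:
    """A committed-access-rate quality group modelled as a token bucket.

    committed_bps fills the bucket; burst_bits caps it (both assumed units).
    A packet that finds enough tokens is 'primary' (protected) traffic; one
    that does not is 'downgrade' traffic, forwarded without protection.
    Rational arithmetic keeps the equality boundary exact.
    """
    name: str
    committed_bps: int
    burst_bits: int
    tokens: Fraction = field(init=False)
    last_ms: int = field(init=False, default=0)

    def __post_init__(self) -> None:
        self.tokens = Fraction(self.burst_bits)   # bucket starts full

    def offer(self, t_ms: int, size_bytes: int) -> str:
        """Offer one packet at time t_ms (milliseconds, non-decreasing)."""
        if t_ms < self.last_ms:
            raise ValueError("packets must be offered in time order")
        refill = Fraction(self.committed_bps * (t_ms - self.last_ms), 1000)
        self.tokens = min(Fraction(self.burst_bits), self.tokens + refill)
        self.last_ms = t_ms
        bits = size_bytes * 8
        if self.tokens >= bits:
            self.tokens -= bits
            return "primary"
        return "downgrade"


def run_stream(group: CarGroup,
               packets: Iterable[Tuple[int, int]]) -> Dict[str, Dict[str, int]]:
    """Classify a whole stream; returns packet and bit totals per class,
    mirroring the Live tab's primary and downgrade output figures."""
    counts = {"primary": 0, "downgrade": 0}
    bits = {"primary": 0, "downgrade": 0}
    for t_ms, size in packets:
        cls = group.offer(t_ms, size)
        counts[cls] += 1
        bits[cls] += size * 8
    return {"packets": counts, "bits": bits}


def constant_rate_stream(n: int, interval_ms: int, size_bytes: int) -> List[Tuple[int, int]]:
    """Constructed sample input: n packets of size_bytes, one every interval_ms."""
    return [(i * interval_ms, size_bytes) for i in range(n)]


if __name__ == "__main__":
    # 200-byte packets every 20 ms offer 80 kbit/s to a 64 kbit/s group.
    g = CarGroup("control", committed_bps=64000, burst_bits=200000)
    print(run_stream(g, constant_rate_stream(1000, 20, 200)))
```

With the 64000/200000 values, an 80 kbit/s stream stays entirely protected until the burst allowance is spent (621 packets here) and is then downgraded one packet in five; the same packets sent at exactly the committed rate are never downgraded.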
Downstream QoS page Attention: Downstream QoS is not yet supported. Downstream QoS manages WAN link inbound bandwidth to provide quality protection for specified incoming data streams. This is intended primarily to ensure adequate bandwidth for incoming VoIP and ARP/PPP control streams. It is applied by enabling the Downstream QoS field in a quality group. Downstream QoS functions differently than the upstream QoS described in the preceding sections.
Figure 35 Downstream QoS page Quality > Downstream QoS > Link tab The link tab is where you specify the downstream link rate and encapsulation type. The BSGX4e uses the encapsulation type to add overhead bandwidth to the downstream link calculation. NOTE: The network device directly upstream from BSGX4e can affect overhead, as described in the next paragraph. Select an encapsulation type that accommodates this device.
Table 13 WAN encapsulation options

BSGX4e WAN encapsulation: • Ethernet • VLAN • PPPoE
Network device encapsulation: • pppoa_vc • pppoa_llc • pppohdlc • fr

Terminology: LLC = Logical Link Control; VC(MUX) = Virtual Circuit Multiplexing

Quality > Downstream QoS > Status tab The status tab indicates whether or not Downstream QoS is enabled in a quality group. Note that you must configure the Downstream QoS link before you can enable this feature in a quality group.
ARP/PPP page Both ARP (address resolution protocol) and PPP (point-to-point protocol) use a control signal to establish and maintain their traffic flow through the WAN port. If you are using either or both of these protocols, you can experience traffic stoppage if the control signal is interrupted at times of heavy traffic load through the WAN. Therefore, these control signals must be protected from packet loss. This is accomplished by protecting them with a QoS quality group.
Configuration This page is where you assign the ARP/PPP control signals to a quality group. However, you must have first created that quality group. The complete process to put control signals under QoS requires the following two steps: 1. Create a quality group as described under Quality > Group > Group tab on page 112. Use the following values:

Name:
Link: eth0
QG: A2
Type: CAR
Committed: 64000
Burst: 200000
IPToS: no
COS: no
DownstreamQoS: yes

2.
5 Security pages 5 SECURITY PAGES This chapter describes the configuration and status pages available from the Security button on the button bar. The functional topics of the pages are listed in the menu pane of the Web UI window, as shown here on the left. The Security pages consist of various status and statistics displays, and configuration pages related to the firewall, intrusion detection, and various network security technologies.
Security overview The BSGX4e has three security features: the firewall, IDS, and NAT/ALG. These security features process each incoming packet as follows: 1. Incoming packets are sorted by the information in the packet. The information used from layer 2, layer 3, and layer 4 is listed in Table 14.
Policy This page is where you configure new firewall security policies and view existing policies. As described below, the BSGX4e factory configuration has a basic set of firewall policies defined. Additionally, you are required or advised to create new policies for some of the features that you enable. The section, Additional security policies, provides those instructions. Technical reference The BSGX4e firewall is initially set to block all traffic by default.
Default security policies This section describes the basic set of firewall security policies needed for the WAN interface. The following notes apply to the tables in this section: Parameters not shown in the table are populated with “any” or a null value. The “From - To” fields in the security policies use this terminology: eth0/ppp0 = WAN eth1/vif(n) = LAN self = BSGX4e Table 15 shows a summary of the default policies for the BSGX4e.
Source IP: 10.10.10.120; Source (port): 7750; QoS: credit

Other elements that can be used to identify a data stream are destination IP, destination port, protocol, and type of service (ToS) value. Also, consider whether or not the protected traffic should have downstream QoS enabled, which provides bandwidth for incoming non-TCP traffic. PPP interfaces If you configure a PPP WAN interface, it needs security policies similar to the eth0 default policies shown above.
Table 18 Firewall Policies for SNMP

From      | To   | IP Address | DPort | Protocol
eth0 ppp0 | self | any        | 161   | UDP

DHCP relay security policy If you are using the DHCP relay rather than the default DHCP server for LAN devices, you must create the firewall policy defined in Table 19. See Data > Relays > DHCP page on page 85 for reference.
Relay security policies If you want to protect relay traffic (see Relays on page 78) with QoS, you must create a security policy (see Table 21) to identify the relay traffic and assign it to the designated quality group:

Table 21 Security policies for relay

From   | To                         | Destination IP | QoS
BSGX4e | eth0/ppp0/frn/vpn/hdlc/atm |                |

RIP security policy The RIP routing daemon (see Data > Routing > RIP on page 94) listens for messages on por
Security > Policy page This page is where you view existing policies and configure new ones. The page has two tabs: Static and Dynamic. Dynamic policies are those created automatically by applications running on the BSGX4e. Static policies are created manually or by the Initial Setup Wizard. Security > Policy > Static tab This page is where you create new security policies.
QoS Name of a QoS quality group. Change this field only if this security policy is used to identify a traffic stream for QoS management. See Quality > Group > Group tab on page 112. ToS IP ToS tag value (decimal byte). This field is ignored if ToS is specified in firewall and NAT policies. This is used only if the preceding QoS parameter is configured. Sequence Position of the new policy within the policy sequence (Begin | End | Position).
NAT Network Address Translation (NAT) provides security by hiding the internal addresses of the LAN private network from the public Internet and it provides economy by mapping multiple private addresses or ports to one public address. The basic purpose of NAT as applied in the BSGX4e is to multiplex traffic from the internal network and present it to the Internet as if it were coming from a single IP address.
Default configurations: • The WAN port is pre-configured with an Ethernet (eth0) interface. NAT is enabled and provides global address translation for outbound sessions initiated from the LAN. The private LAN addresses are translated to the public address of the WAN port. A default firewall policy allows all traffic from LAN (eth1) to WAN (eth0). If you need a VLAN, PPP, or VPN, for the interface, you must manually configure it and apply NAT.
Security > NAT > Interfaces tab This tab page is where you enable NAT on the selected WAN interface. This page also displays any interfaces on which NAT has been configured. Click New to open the configuration page. Fill in the fields as follows: Interface Select the interface. All configured interfaces are available from the dropdown list: • eth0 (BSGX4e; NAT on by default) • ppp(n) • vif(n) • vpn(n) NOTE: Do not select eth1 (LAN). This option is to be removed in future releases.
Security > NAT > Public tab This tab page is where you assign public IP addresses to the WAN interface. Up to 16 addresses can be assigned. Fill in the fields as follows: Address The public address to be assigned to the WAN interface. The beginning address when specifying a range. (range to) The ending address when specifying a range. Interface Select “none” (default) if the public address you entered is within the subnet range of the WAN.
Application scenarios The following examples demonstrate how to configure common NAT application scenarios. See the section Technical reference on page 132 for existing defaults. 1. Redirect address example This example maps a private LAN address to a specific public WAN address. This policy allows incoming traffic from a specific public address on the WAN to a private address on the BSGX4e LAN. a. On the Interfaces tab, click New then select the interface and enable NAT.
2. Redirect port example This example maps a Web server on the LAN to a port on the public WAN. A request sent from any public address on the WAN using port 12999 is forwarded to the Web server on the BSGX4e LAN. a. On the Interfaces tab, click New then select the interface and enable NAT. We use eth0 in this example. b. On the Policy tab, click New to open the configuration page.
3. Static NAT example This policy maps an address on the LAN to an address on the WAN for outgoing traffic. This configuration is opposite of the redirect NAT examples above. Here, the public address is in the NAT policy and the private address is in the firewall policy. a. On the Interfaces tab, click New then select the interface and enable NAT. We use eth0 in this example. b. On the Public tab, click New to open the configuration page.
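The model below is an added example, not code from the Nortel guide or the BSGX4e firmware, that works through the three scenarios above plus the default global translation: a redirect-address policy, a redirect-port policy forwarding WAN port 12999 to a LAN Web server, a static NAT policy that gives one LAN host its own public address on outbound traffic, and port translation onto the WAN address for everything else. The addresses (203.0.113.10 as the WAN address, 203.0.113.11 and .12 as extra public addresses, a 192.168.1.0/24 LAN), the Web server's port 80 and the 49152-65535 translation range are assumptions chosen for the illustration; the flows are constructed, not captured.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# A flow is (proto, src_ip, src_port, dst_ip, dst_port).
Flow = Tuple[str, str, int, str, int]


@dataclass(frozen=True)
class NatPolicy:
    """One NAT policy in the sense of the three page scenarios:
    redirect_addr: inbound to public_ip goes to private_ip (port unchanged)
    redirect_port: inbound to public_ip:public_port goes to private_ip:private_port
    static:        outbound from private_ip leaves with source public_ip
    """
    kind: str
    public_ip: str
    private_ip: str
    public_port: Optional[int] = None
    private_port: Optional[int] = None
    proto: Optional[str] = None        # None matches any protocol


class Nat:
    def __init__(self, wan_ip: str, lan_net: str, policies: List[NatPolicy],
                 pat_range: Tuple[int, int] = (49152, 65535)) -> None:
        self.wan_ip = wan_ip
        self.lan_net = ipaddress.ip_network(lan_net)
        self.policies = list(policies)
        self.pat_low, self.pat_high = pat_range   # assumed translation port range
        self.next_port = self.pat_low
        # Session state in both directions so replies reverse the translation.
        self.out_map: Dict[Tuple[str, str, int], Tuple[str, int]] = {}
        self.in_map: Dict[Tuple[str, str, int], Tuple[str, int]] = {}

    def _bind(self, proto: str, lan: Tuple[str, int], pub: Tuple[str, int]) -> None:
        self.out_map[(proto,) + lan] = pub
        self.in_map[(proto,) + pub] = lan

    def _reserved(self, proto: str, port: int) -> bool:
        if (proto, self.wan_ip, port) in self.in_map:
            return True
        return any(p.kind == "redirect_port" and p.public_ip == self.wan_ip
                   and p.public_port == port for p in self.policies)

    def _alloc_port(self, proto: str) -> int:
        for _ in range(self.pat_high - self.pat_low + 1):
            port = self.next_port
            self.next_port = self.pat_low if port == self.pat_high else port + 1
            if not self._reserved(proto, port):
                return port
        raise RuntimeError("translation port range exhausted")

    def outbound(self, flow: Flow) -> Flow:
        """Translate a LAN-originated packet (or a LAN reply to a redirected session)."""
        proto, sip, sport, dip, dport = flow
        if ipaddress.ip_address(sip) not in self.lan_net:
            raise ValueError("outbound flows must originate on the LAN")
        key = (proto, sip, sport)
        if key not in self.out_map:
            pub_ip = next((p.public_ip for p in self.policies
                           if p.kind == "static" and p.private_ip == sip), None)
            if pub_ip is not None:
                self._bind(proto, (sip, sport), (pub_ip, sport))   # static NAT keeps the port
            else:
                self._bind(proto, (sip, sport), (self.wan_ip, self._alloc_port(proto)))
        pub_ip, pub_port = self.out_map[key]
        return (proto, pub_ip, pub_port, dip, dport)

    def inbound(self, flow: Flow) -> Optional[Flow]:
        """Translate a WAN-originated packet; None means no session and no
        policy matched, so the packet is dropped."""
        proto, sip, sport, dip, dport = flow
        key = (proto, dip, dport)
        if key not in self.in_map:
            for p in self.policies:
                if p.proto not in (None, proto) or p.public_ip != dip:
                    continue
                if p.kind == "redirect_port" and p.public_port == dport:
                    self._bind(proto, (p.private_ip, p.private_port), (dip, dport))
                    break
                if p.kind == "redirect_addr":
                    self._bind(proto, (p.private_ip, dport), (dip, dport))
                    break
            else:
                return None
        lan_ip, lan_port = self.in_map[key]
        return (proto, sip, sport, lan_ip, lan_port)
```

The point the page makes about the firewall still applies: a translation only rewrites addresses, and the matching firewall policy must separately allow the redirected traffic in.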
ALG The Application Layer Gateway (ALG) allows FTP, TFTP, and PPTP through the firewall and NAT as trusted traffic. This precludes the need for an administrator to create firewall and NAT policies for the affected protocols. ALG is enabled by default for all three protocols. ALG works by creating dynamic holes in the firewall and changing IP addresses in application protocol headers.
QoS and PPTP If you are planning to put the PPTP service under QoS management to give priority to VPN traffic, you must create a quality group and a new outbound firewall policy that associates that quality group. See the section Policy on page 125 for creating firewall policies. If you define the firewall policy to capture all PPTP traffic on its well known port 1723, you capture both the signal and control traffic and route it to the quality group.
• Spoof – Protects the LAN network and the unit from intrusion. IDS spoof protection is applicable for all configured untrusted interfaces. Table 24 lists the protocols that are inspected.
Table 25 Packet anomaly attacks

IP                 | ICMP   | TCP                  | RTP
Version            | Length | Header fragmentation | SSRC ID
TTL (Time to Live) |        | Flags                |
Checksum           |        | Length               |
Options            |        |                      |

Security > IDS > Protection tab This page enables/disables protection against flood attacks, scans, and spoofing. These threats can be used in denial of service attacks. All protection types are enabled by default.
• arpflood — In an ARP flood, up to 250 ARP requests per second are accepted. A rate over this limit indicates a potential DoS attack. • synflood — SYN (synchronization) packets are repeatedly sent to every port on the server, using fake IP addresses. SYN flooding can result in denial of service. • espflood — Encapsulated Security Payload (ESP) flood. An ESP flood sends bad IPsec traffic. Packets are discarded after the threshold rate limit is reached.
IDS scan IDS scan protection is activated for ICMP pings, UDP port, and TCP SYN messages. A threshold value determines the number of messages sent that constitute an attack. When IDS detects a scan attack, it bans traffic for that protocol for the timeout interval. All scan types are enabled by default. You can disable a scan type or change the timeout value. Click the scan name on the page to open the properties page, then click Modify.
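The following is an added example, not code from the Nortel guide, of the two IDS mechanisms described above: a rate limiter that admits at most 250 ARP requests per second and drops the excess, and a scan detector that treats more than a threshold of distinct destination ports probed by one source as an attack and then bans that protocol for the timeout interval. The page does not give the scan threshold, the measurement window or the timeout value, so the 20 ports, one-second window and 60-second timeout used here are assumptions, and the event timestamps are constructed.

```python
from collections import defaultdict, deque
from typing import Deque, Dict, Iterable, List, Tuple


class FloodGuard:
    """Sliding one-second window that admits at most `limit` messages of one
    type per second (the page gives 250/s for ARP requests); the excess is
    dropped and counted as a potential flood."""

    def __init__(self, limit: int) -> None:
        self.limit = limit
        self.window: Deque[float] = deque()
        self.dropped = 0

    def accept(self, t: float) -> bool:
        while self.window and t - self.window[0] >= 1.0:
            self.window.popleft()            # expire entries older than one second
        if len(self.window) >= self.limit:
            self.dropped += 1
            return False
        self.window.append(t)
        return True


class ScanGuard:
    """Scan detection for one protocol (ICMP echo, UDP, or TCP SYN).

    More than `threshold` distinct targets (destination ports, or hosts for
    ICMP) probed by one source within `window_s` seconds is an attack; the
    protocol is then banned for `timeout_s` seconds for every source, as the
    page describes. Threshold, window and timeout values are assumptions.
    """

    def __init__(self, threshold: int, window_s: float, timeout_s: float) -> None:
        self.threshold = threshold
        self.window_s = window_s
        self.timeout_s = timeout_s
        self.probes: Dict[str, Deque[Tuple[float, int]]] = defaultdict(deque)
        self.banned_until = float("-inf")
        self.attacks = 0

    def check(self, t: float, src: str, target: int) -> str:
        """Return 'banned', 'attack' (this probe crossed the threshold) or 'ok'."""
        if t < self.banned_until:
            return "banned"
        q = self.probes[src]
        while q and t - q[0][0] > self.window_s:
            q.popleft()
        q.append((t, target))
        if len({tgt for _, tgt in q}) > self.threshold:
            self.attacks += 1
            self.banned_until = t + self.timeout_s
            self.probes.clear()              # start clean once the ban lifts
            return "attack"
        return "ok"


def replay(guard: ScanGuard, events: Iterable[Tuple[float, str, int]]) -> List[str]:
    """Run constructed (time, source, target) events through the guard."""
    return [guard.check(t, src, target) for t, src, target in events]
```

Note the side effect the page warns about: while the ban is active, a legitimate host's UDP traffic is also refused until the timeout expires, which is why the timeout is configurable per scan type.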
Security > IDS > Attacks tab This is a display-only page that lists a count of the various attacks the IDS has detected. The Refresh button updates the statistics. The Clear button resets the counters to 0. NOTE: To protect itself from being overwhelmed by a denial of service attack, the IDS counter is limited to reporting 64 packets per second. Thus, the actual packet rate can be greater than the value reported by the IDS counter.
Voice ACL Configuration In the display pane, click New to open the configuration page. Fill in the fields as shown below. Click Update when finished. To delete an entry, enable the check box next to the Id number on the display page, then click Delete. Id Enter a numeric identifier for the policy, or enter “new” for autonumbering. MAC Address MAC address of the endpoint in xx:xx:xx:xx:xx:xx format. EpId Endpoint identifier in alphanumeric format.
IPSec/IKE and VPN The BSGX4e supports Virtual Private Networks (VPNs) using the IP security (IPsec) protocol. An IPsec VPN serves as a point-to-point tunnel interface. See page 152 for the VPN configuration process. IPsec uses the Internet Key Exchange (IKE) protocol to set up its security associations (SAs). SAs determine how data is encrypted, decrypted, and authenticated by the secure gateways. When configured, the BSGX4e can function as a secure gateway.
Name Enter a unique name for this VPN. Gateway Enter the IP address of the remote secure gateway. Local Enter a local IP address secured by the VPN. Typically, this is a subnetwork of the BSGX4e LAN (192.168.1.0/24). Valid entries are addresses specified as a range or as a subnet (x.x.x.x/yy). If specifying a range, enter the beginning address. (range to) If specifying a range for the local IP, enter the ending address.
Authentication Specify an authentication method. Your options are: • MD5 • SHA Security > IPSec > Parameters tab Define the IPsec parameters for lifetimes of an IPsec security association and the Diffie-Hellman (DH) group to use for session key exchange. The BSGX4e has two pre-defined lifetime parameters: Lifetime - The initial value used for negotiations with the remote host. Maximum Lifetime - The maximum value the BSGX4e accepts during negotiations.
IKE The Internet Key Exchange (IKE) protocol provides utility services for IPSec. It defines how pairs of secure gateways negotiate IKE security associations (IKE SAs). The IKE SAs that the BSGX4e negotiates are determined by the configuration of IKE preshared keys and IKE parameters. Figure 42 IKE page Security > IKE > Policy tab An IKE policy is a set of security parameters used when negotiating an IKE SA with a remote secure gateway.
Every IKE SA negotiation refers to a preshared key record to get the key value shared with the peer, that is, the remote secure gateway. Usually, each VPN has its own preshared key record. The same preshared key value must be configured at the remote secure gateway. All IKE negotiations run over UDP on port 500. A firewall security policy must be configured to allow incoming UDP traffic to destination port 500 from the remote secure gateway.
Security > IKE > SA tab

This tab page displays negotiated security associations. You can clear the display with the Clear button.

VPN

A VPN is a method of creating a secure private network over a shared, insecure public network. A VPN is established by creating all the security (IPsec and IKE), routing and firewall policies between the peer hosts. The IPSec policy contains the network information that connects the peers of the VPN.
You need the following network information to accomplish this task. The values shown are used in the example.

Shared key value: x359QWa78b3l12

Main office IP addresses:
Main office gateway: 195.178.11.11
Main office LAN subnet: 192.168.1.0/24

Branch office IP addresses:
Branch office gateway: 194.23.7.34
Branch office LAN subnet: 192.168.2.0/24

Configuration:

1. Configure IPSec policy: Security > IPSec

Field      Main Office     Branch Office
Name       Main            Branch
Gateway    194.23.7.
3. Configure the vpn(n) interface as a WAN IP interface. Data > IP

Field           Main office            Branch office
Interface       vpn0 (from Step 1.)    vpn0
IP Addr/Mask    10.10.10.1/24          10.10.10.2/24
MTU             1500 (default)         1500 (default)
DHCP client     off (default)          off (default)
Status          up (default)           up (default)
Speed           auto (default)         auto (default)

4.
Branch office

Field                   Policy 1   Policy 2         Policy 3
Index                   new        new              new
From                    eth1       eth0             eth0
To                      vpn0       self             self
Source IP (range to)    any        195.178.11.11    195.178.11.11
Dest IP (range to)      any        any              any
Source port (range to)  any        any              any
Dest port (range to)    any        500              any
Proto                   any        udp              esp
NAT                     0          0                0
ToS                     any        any              any
Sequence                begin      begin            begin
action                  allow      allow            allow
QoS

5. Create a route table entry for vpn0.
Configuration:

1. Configure IPSec policy: Security > IPSec
Name: Tunnel
Gateway: 10.254.254.254
Local: 192.168.100.1
(range to):
Remote: 192.168.100.2
(range to):
Proposal: VPN-A
Note the Interface designator shown on the display page. You need this in Step 3.

2. Configure the IKE pre-shared key. Security > IKE
Peer: 10.254.254.254
Key: x232skd24scefk3o

3. Configure the vpn(n) interface as a WAN IP interface. Data > IP

Field        Value
Interface    vpn1 (from Step 1.
5. Create firewall policies for:
LAN → vpn(n) all traffic
WAN → BSGX4e for security associations (source IP; UDP dport 500)
WAN → BSGX4e for ESP traffic (source IP; ESP prot)
VPN → BSGX4e for ICMP protocol (ping)

Security > Policy

Field                   Policy 1   Policy 2         Policy 3         Policy 4
Index                   new        new              new              new
From                    eth1       eth0             eth0             vpn0
To                      vpn0       self             self             self
Source IP (range to)    any        10.254.254.254   10.254.254.
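The four policies this step asks for, checked by a small script that is an added example here (not Nortel's code): it models Security > Policy rows with the column names shown above and reports a missing rule, or an IKE/ESP rule whose Source IP is left as any instead of the remote secure gateway. The interface names eth0/eth1/vpn0, the column values and the sample rows are taken from the branch-office example on this page; the function and class names are the example's own.

```python
# Added example (not Nortel's code): validates a planned BSGX4e firewall policy
# set for a site-to-site IPsec VPN against the four policies the guide lists
# (LAN -> vpn(n), IKE UDP/500 and ESP from the peer to the BSGX4e itself, and
# ping from the tunnel). Sample rows are constructed from this page's values.
from dataclasses import dataclass
from typing import List


@dataclass
class Policy:
    """One row of the Security > Policy table (only the columns used here)."""
    frm: str                 # From interface: eth0 = WAN, eth1 = LAN, vpn0 = tunnel
    to: str                  # To interface, or "self" for traffic to the BSGX4e
    src_ip: str = "any"      # Source IP (single address here; the UI also takes ranges)
    dst_ip: str = "any"
    sport: str = "any"
    dport: str = "any"
    proto: str = "any"       # any | udp | tcp | esp | icmp
    action: str = "allow"


def _matching(policies: List[Policy], **want) -> List[Policy]:
    """Rows whose fields equal every key/value given in `want`."""
    return [p for p in policies if all(getattr(p, k) == v for k, v in want.items())]


def check_vpn_policies(policies: List[Policy], peer_gw: str, lan_if: str = "eth1",
                       wan_if: str = "eth0", vpn_if: str = "vpn0") -> List[str]:
    """Return findings (missing or over-broad rules). An empty list means the
    minimum set is present and the IKE/ESP rules are limited to the peer."""
    findings: List[str] = []
    if not _matching(policies, frm=lan_if, to=vpn_if, action="allow"):
        findings.append(f"missing: {lan_if} -> {vpn_if} allow (LAN traffic into the tunnel)")
    # IKE runs over UDP/500; ESP is its own IP protocol and has no ports.
    for proto, dport, label in (("udp", "500", "IKE"), ("esp", "any", "ESP")):
        rules = _matching(policies, frm=wan_if, to="self", proto=proto,
                          dport=dport, action="allow")
        if not rules:
            findings.append(f"missing: {wan_if} -> self {label} ({proto}, dport {dport})")
            continue
        if not any(r.src_ip == peer_gw for r in rules):
            findings.append(f"{label}: no rule limited to peer {peer_gw}")
        for r in rules:
            if r.src_ip == "any":
                findings.append(f"{label}: rule accepts {proto} from any source; "
                                f"restrict Source IP to {peer_gw}")
    if not _matching(policies, frm=vpn_if, to="self", proto="icmp", action="allow"):
        findings.append(f"missing: {vpn_if} -> self icmp allow (ping across the tunnel)")
    return findings


# Constructed sample: the branch-office policies on this page, whose peer is the
# main-office gateway 195.178.11.11, plus the ICMP rule from the four-policy list.
MAIN_GW = "195.178.11.11"
BRANCH_POLICIES = [
    Policy(frm="eth1", to="vpn0"),
    Policy(frm="eth0", to="self", src_ip=MAIN_GW, dport="500", proto="udp"),
    Policy(frm="eth0", to="self", src_ip=MAIN_GW, proto="esp"),
    Policy(frm="vpn0", to="self", proto="icmp"),
]

if __name__ == "__main__":
    for line in check_vpn_policies(BRANCH_POLICIES, MAIN_GW) or ["ok: VPN policy set complete"]:
        print(line)
```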
6 Voice pages

6 VOICE PAGES

This chapter describes configuring the various settings for the SIP/MGCP servers and controllers, the User Agent, local call routing, and other IP telephony related settings. These pages are also where you associate the QoS quality groups with the SIP/MGCP servers and controllers.
SIP / MGCP statistics (page 171/page 174): Displays cumulative operational statistics for control signal messages and call traffic.
SIP LAN gateway (page 171): Configures the LAN for a gateway connection.
• User agent (BSGX4e) (page 175)
SIP/MGCP (page 176/page 179): Configures the SIP or MGCP User Agent for analog devices.
Numbering plan (page 181): Configures the User Agent for number-based special features.
Media

Voice > Media > Settings

This page configures various parameters for processing video and VoIP media streams, including associating the VoIP QoS quality group with the session controller. VoIP control signals are associated in the session controller settings (page 167). You must create the quality groups before proceeding with this section (see the section Group page on page 112).
Voice > Media > Gain

The Gain page of the BSGX4e 2xx series models has two tabs: FXO Gain and FXS Gain. These settings modify the DSP gain for the PHONE (FXS) and LINE (FXO) ports. The BSGX4e 4xx models do not have a PHONE port, so they do not have an FXS Gain tab. Impedance can also be modified with the Command Line Interface. The LINE port connects the BSGX4e to the PSTN and provides limited backup phone service if SIP or MGCP servers are not available, and 911 service.
Stats tab

The following statistics are available on the Stats page:
Port: 1 – Phone (FXS); 2 – Line (FXO)
RxFrames: Number of packets received.
CurrJitter: Current average jitter detected.
CurrDelay: Current packet delay due to the jitter buffer (ms).
MinDelay: Minimum packet delay due to the jitter buffer (ms).
MaxDelay: Maximum packet delay due to the jitter buffer (ms).
Overflowed: Number of packets dropped due to overflow.
Session control

This section is where you configure SIP and MGCP servers, the session controller, and the SIP LAN gateway if needed. These pages also display SIP/MGCP statistics. To configure either SIP or MGCP session control functions, perform this sequence of tasks:
1. Configure access to one or more SIP/MGCP servers.
2. Configure the SIP/MGCP session controller.
3. Configure the SIP/MGCP user agent.
4. Configure any SIP/MGCP devices connected to the LAN ports.
Configuration tab

Click New to open the configuration page. There are technical notes below the table discussing proxy servers and inbound servers. The configuration parameters for the SIP server profile are as follows:
Name: Enter a name for the server profile being created.
Domain: Registrar domain for registering SIP phones (FQDN | IP address). This parameter is required.
Proxy1: First SIP proxy server (either a fully qualified domain name [FQDN] or an IP address).
Server failover

Server failover prevents VoIP service interruption by accessing backup proxy servers, if configured in the server profile. The session controller detects that the call server might be down if it:
• Cannot connect to the call server (WAN interface unplugged, no IP route, and so on).
• Does not receive SIP replies from it.
When a proxy server might be down, the session controller attempts some number of retries before it marks the server as down.
Voice > Session Control > SIP Control

The Session Control page contains configuration and display tabs for processing VoIP control signals. The page has four tabs:
Control – Configuration parameters for control signal processing, and association of the QoS signaling quality group. (QoS media streams are detected by the media settings (page 161).)
Status – SIP session controller operational status display.
Max Calls: Call Admission Control. Maximum number of SIP calls allowed simultaneously. Default is 50. Change this default per your license agreement, which defines the number of allowable calls. Your choices are:
BSGX4e – 10 or 30 calls
NOTE: This field also sets the display scale on the System > Status page. See System > Status > Current Calls panel on page 29.
Signaling QoS Group: The QoS quality group for protection of the SIP signaling messages.
Any incoming SIP call for a given user is then routed by the SIP server to all of that user's registered endpoints with that phone number. Forking also applies to an analog phone connected to the BSGX4e User Agent. The session controller registers the phone as an endpoint associated with a given user. The maximum number of forked lines a user can have is determined by the configuration of the SIP server.
Endpoints register with the SIP server through the session controller. To be able to be registered, the SIP endpoints must be configured as follows:
• SIP registration must be enabled.
• The SIP proxy must be the LAN IP address of the BSGX4e.
• The SIP domain must be the LAN IP address of the BSGX4e.
• The SIP proxy port must be the one configured as the LAN Rx port in the SIP session controller. See Control tab on page 167.
• No SIP outbound proxy is needed.
Voice > Session Control > SIP Statistics

This page shows cumulative operational statistics for SIP signaling control messages on the Messages tab, and call status on the Calls tab.
Configuration tab

Click New to open the configuration page. The configuration parameters for the MGCP server profile are as follows:
Name: Name of the server profile to be created.
MGC1: First Media Gateway Controller (either a fully qualified domain name [FQDN] or an IP address).
Port1: Port number for mgc1. Default is 2727.
MGC2: Optional second Media Gateway Controller (FQDN | IP address).
Port2: Port number for mgc2. Default is 2727.
Click Modify to open the configuration page:
Server: Select the name of the MGCP server profile to be used from the drop-down list. This is the server configured on the MGCP Server page (page 171).
WAN Rx Port: Port on which to listen for MGCP signaling messages from the WAN. Enter the port number, or the beginning number of a range. Default is 2427.
(range to): Ending number of the WAN port range.
The fields are mostly self-explanatory.
CA Port: Port to which call signals are sent; extracted from the last MGCP message received from the MGCP server that included a Notified Entity.
Act Calls: Currently active calls for the endpoint. It is incremented each time the LAN endpoint places or receives a call and decremented when the call is torn down.
EP Timeout: Number of seconds before the registration expires. The initial value is taken from the EP timeout setting.
User agent

NOTE: The User agent applies to only the BSGX4e.
The BSGX4e can act as a VoIP gateway allowing analog devices to use either SIP or MGCP. In the BSGX4e, this gateway is called a User Agent. The User agent allows an analog device (phone, modem, or fax machine) to use VoIP as its communication media. The analog device must be connected to the BSGX4e’s Phone (FXS) port.
SIP page

The SIP User Agent window has three tabbed pages:
Configuration – Parameters of the User Agent port.
Settings – Protocols and parameters of the User Agent.
Status – Operational status of the User Agent.
Read the section introduction on page 175 for reference.

Voice > User Agent > SIP > Configuration tab

This page configures the parameters for the SIP User Agent.
RFC2833: Enable/disable RFC 2833 for DTMF. Default is yes. RFC 2833 provides “out of band DTMF” event reports. Distortion from compression and decompression can prevent recognition of pure DTMF tones. Out-of-band DTMF sends the information in separate RTP packets.
Payload: If RFC 2833 is enabled, the RTP dynamic payload type can be specified. The payload code indicates the payload format (per RFC 1889). Range is 96-127. Default is 101.
Voice > User Agent > SIP > Settings tab

This page modifies the SIP protocol as it applies to the User Agent. These settings do not apply to the Session Controller. Click Modify to open the configuration page. Fill in the fields as follows. Click Update when finished:
Timer T1: Minimum retransmission time interval (milliseconds), per RFC 3261. The default is 500 milliseconds.
Timer T2: Maximum retransmission time interval (milliseconds), per RFC 3261.
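What the Timer T1 and Timer T2 values mean for a request the User Agent sends and never gets answered, as an added example (not Nortel's code or the BSGX4e's implementation): it applies the RFC 3261 retransmission rules, where the interval starts at T1 and doubles, is capped at T2 for non-INVITE requests, and the transaction gives up at 64*T1. The 4000 ms T2 default is the RFC's value; the page only states the 500 ms T1 default.

```python
# Added example (not Nortel's code): computes the UDP retransmission timeline that
# follows from the Timer T1 / Timer T2 settings, per RFC 3261 section 17.1.1.2
# (INVITE: Timer A doubles without a cap, Timer B = 64*T1) and section 17.1.2.2
# (non-INVITE: Timer E doubles but never exceeds T2, Timer F = 64*T1).
from typing import List, Tuple


def retransmission_schedule(t1_ms: int = 500, t2_ms: int = 4000,
                            invite: bool = False) -> Tuple[List[int], int]:
    """Return (times in ms after the first send at which the request is resent,
    time in ms at which the client transaction gives up) for a request that
    receives no response at all."""
    if t1_ms <= 0 or t2_ms < t1_ms:
        raise ValueError("need 0 < T1 <= T2")
    timeout = 64 * t1_ms              # Timer B (INVITE) or Timer F (non-INVITE)
    times: List[int] = []
    interval, elapsed = t1_ms, 0
    while True:
        elapsed += interval
        if elapsed >= timeout:        # the transaction timer fires first
            break
        times.append(elapsed)
        # INVITE keeps doubling; other requests are capped at T2.
        interval = interval * 2 if invite else min(interval * 2, t2_ms)
    return times, timeout


def retransmission_count(t1_ms: int = 500, t2_ms: int = 4000, invite: bool = False) -> int:
    """Number of retransmissions sent before the transaction times out."""
    return len(retransmission_schedule(t1_ms, t2_ms, invite)[0])


if __name__ == "__main__":
    for kind, inv in (("non-INVITE (e.g. REGISTER)", False), ("INVITE", True)):
        times, timeout = retransmission_schedule(invite=inv)
        print(f"{kind}: resend at {times} ms, give up at {timeout} ms")
```

Raising T1 on the User Agent stretches every interval and the 64*T1 give-up time together, so a lossy path gets more patience at the cost of slower failover to a backup server.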
Voice > User Agent > SIP > Status tab

This page displays the status of the SIP User Agent. The field entries are as follows:
RegStatus: Reports if the User Agent is correctly registered with the SIP server.
Line 1: Possible messages are:
Idle – The analog device is on-hook.
OB (OutBound) Calling – The analog device is off-hook or a phone number is being dialed.
OB (OutBound) Proceeding – The remote party is ringing.
IB (InBound) Proceeding – The analog device is ringing.
Fill in the fields as follows. Click Update when finished:
Port: Number of the FXS port.
Name: Name for this User Agent profile.
UserID: Authentication information required by the MGCP server.
Codec1: Most preferred codec and packet time selection (PCMU_10 | PCMU_20 | PCMA_10 | PCMA_20 | G729A_10 | G729A_20 | NOTUSED). Default is PCMU_20.
Codec2: Second preferred codec and packet time selection (PCMU_10 | PCMU_20 | PCMA_10 | PCMA_20 | G729A_10 | G729A_20 | NOTUSED).
Voice > User Agent > MGCP > Status tab

This page displays the status of the SIP User Agent. The LineStatus field entries are as follows:
Inactive – The port is not up.
Idle – The analog device is on-hook.
OB (OutBound) Calling – The analog device is off-hook or a phone number is being dialed.
OB (OutBound) Proceeding – The remote party is ringing.
IB (InBound) Proceeding – The analog device is ringing.
Disconnecting – The remote party is disconnected.
Configuration

In the display pane, click New to open the configuration page. Fill in the fields as shown below. Click Update when finished. If a numbering plan has already been defined, click the Number in the display to open the Properties page, then Modify to open the configuration page. To delete an entry, enable the check box next to the Number in the display page, then click Delete.
Number: String translated by this entry.
Do not disturb

This example configures two numbering plan entries to enable/disable use of the Do Not Disturb feature, such that:
• To set Do Not Disturb for a phone, enter *78#.
• To clear the Do Not Disturb state for a phone, enter *79#.

Forward no answer

This example configures two numbering plan entries to enable/disable use of the Call Forwarding-No Answer feature, such that:
• To forward unanswered calls to another phone, the entry is *93, followed by the phone number and the hash character (#). For example, to forward unanswered calls to phone extension 4985, enter *934985#.
• To clear unanswered call forwarding for a phone, enter *94#.
Local call routing

The Local Call Routing page has three tabs:
Account – Create an account that identifies the dialing number of a phone on the LAN.
Connection – Displays existing local calls.
Settings – Configuration parameters for the Line port.
The BSGX4e can provide backup PSTN phone service if VoIP service is unavailable.
Configuration

In the display pane, click New to open the configuration page. Fill in the fields as shown below. Click Update when finished. To delete an entry, enable the check box next to the DN number on the display page, then click Delete.
DN: Phone number of the account. A 4-digit extension for local calls is acceptable.
Type: Signaling protocol used by the endpoint (SIP | MGCP).
ID: ID of the SIP or MGCP endpoint.
The following example defines the local numbering plan as follows:
prefix for outbound calls (OBAccess): 9
area code: 408
central office prefix (COPrefix): 555
length of extension number (ENLength): 4
This configuration supports calls as follows:

Number dialed   Action
2210            Four-digit call, so only local accounts are checked.
9411            Outbound prefix, so the number is interpreted as an outbound call for 411.
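The numbering plan above and the *78#/*79#/*93<number>#/*94# feature codes from the User agent numbering plan examples, worked through in one added example (not Nortel's code or the BSGX4e's dial-plan implementation): it classifies a dialed string, checks local calls against the Account tab (DN, Type, ID), and keeps the documented ordering where the outbound prefix wins over a four-digit match (9411 is an outbound call to 411). Reducing a local number dialed as COPrefix+extension or area code+COPrefix+extension to its extension is an assumption of the example, not something this page states; the class, method and action names are the example's own.

```python
# Added example (not Nortel's code): a model of the numbering plan on this page,
# with the feature codes from the Do not disturb and Forward no answer examples.
import re
from typing import Dict, Optional, Tuple

# Feature codes documented on this page (*93<number># is handled by a pattern).
FEATURE_CODES = {"*78#": "dnd_set", "*79#": "dnd_clear", "*94#": "cfna_clear"}
CFNA_SET = re.compile(r"\*93(\d+)#")   # *93, the target number, then '#'


class NumberingPlan:
    def __init__(self, ob_access: str = "9", area_code: str = "408",
                 co_prefix: str = "555", en_length: int = 4) -> None:
        self.ob_access, self.area_code = ob_access, area_code
        self.co_prefix, self.en_length = co_prefix, en_length

    def classify(self, dialed: str) -> Tuple[str, Optional[str]]:
        """Return (action, argument): a feature code and its argument, or
        ('local', extension), ('outbound', number) or ('reject', None)."""
        if dialed in FEATURE_CODES:
            return FEATURE_CODES[dialed], None
        m = CFNA_SET.fullmatch(dialed)
        if m:
            return "cfna_set", m.group(1)
        if not dialed.isdigit():
            return "reject", None
        # Documented ordering: the outbound prefix is tested before the
        # extension length, so 9411 is an outbound call to 411.
        if dialed.startswith(self.ob_access):
            return "outbound", dialed[len(self.ob_access):]
        if len(dialed) == self.en_length:
            return "local", dialed            # only local accounts are checked
        # ASSUMPTION (not on this page): a local number dialed in full, as
        # COPrefix+ext or area code+COPrefix+ext, is reduced to its extension.
        for prefix in (self.area_code + self.co_prefix, self.co_prefix):
            if dialed.startswith(prefix) and len(dialed) == len(prefix) + self.en_length:
                return "local", dialed[len(prefix):]
        return "reject", None

    def route(self, dialed: str, accounts: Dict[str, Tuple[str, str]]) -> Tuple[str, ...]:
        """accounts maps DN -> (Type, ID) as on the Account tab. A local call is
        only completed when the extension has an account."""
        action, arg = self.classify(dialed)
        if action != "local":
            return (action, arg)
        if arg in accounts:
            return ("endpoint",) + accounts[arg]
        return ("reject", f"no local account {arg}")


if __name__ == "__main__":
    plan = NumberingPlan()
    # Constructed account table: DN -> (Type, ID).
    accounts = {"2210": ("SIP", "sip-phone-2210"), "4985": ("MGCP", "aaln/1@gw")}
    for dialed in ("2210", "9411", "*934985#", "*78#", "5552210", "3001"):
        print(dialed, "->", plan.route(dialed, accounts))
```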
Appendix 12–Quality of service

APPENDIX 12–QUALITY OF SERVICE

This Appendix provides a technical description of the theory and application of QoS (Quality of Service) in the BSGX4e. QoS is a method to reserve bandwidth and establish transmission priorities for critical services during those times when your Internet link is at full capacity. The most common application of QoS in the BSGX4e is for VoIP, where it provides uninterrupted service.
Other traffic

The configuration procedure for any other traffic stream to which you want to apply QoS is basically the same, except for Step 6. Rather than associating the quality group with the session controller, you must create a firewall policy and specify the quality group there. Be cautious about enabling Downstream QoS in too many quality groups (see Downstream QoS page on page 118).
Quality of service – Layer 2

Traffic contention on the LAN side of the BSGX4e is caused by the four 100 Mbps LAN ports feeding a single 100 Mbps router. This contention is managed by routing traffic into four priority queues, which are labeled HIGHESTQ, HIGHQ, LOWQ, and LOWESTQ. Figure 43 shows this contention and the priority queues.
ToS (type of service)/DiffServ bit

Configure the LAN devices to set the appropriate ToS priority bit value (8 bits in the IP header) for the desired priority level. The BSGX4e associates that value with a priority queue. See Figure 44 on page 193 for application scenario examples.
NOTE: A static ARL map assigns a priority to a specific MAC address/LAN port combination. That priority setting applies regardless of the priority settings made in this section.
Figure 44 Layer 2 QoS Application Scenarios

Guarantee of service – Layer 3

The BSGX4e implements QoS through a patented process called GoS™ (Guarantee of Service), which applies to outbound (LAN → WAN) traffic.
applications, and it uses a matrix of ten quality classes that combine different levels of prioritizing based on latency (delay) and loss (discarded data) characteristics (see Figure 45). Loss and latency are used to calculate the most intelligent queuing priorities to achieve the highest quality transmission for all media types.
Figure 46 GoS process flow

Functional characteristics

Functional characteristics of GoS include:
• The sum total of bandwidth allocated to all quality groups can be up to 90% of available WAN bandwidth.
• The minimum bandwidth allocation to any quality group is 64 Kbps.
• Bandwidth allocated to a quality group is guaranteed. This means bandwidth is taken from BE and reserved for the quality group as needed per session, up to the specified limit.
Media and control signals

Various devices and functions use both a media (payload) stream and a control signal stream. For a critical device or function, you protect the media stream by putting it under QoS management. But, in many cases, the media stream does not transmit if the control signal is interrupted, so the control signal must also be protected from packet loss by assigning it to a quality group.
Managing other traffic

Any media stream can be placed under QoS management if the stream can be uniquely identified. For any given media stream to be processed by QoS, the BSGX4e must be able to distinguish that stream from all others, and it must be able to identify the type of communication it contains (voice, video or data).
Call capacity

A common question is how many calls can be supported by a particular BSGX4e model with a given interface type. The call capacity varies with such factors as the interface, encapsulation, codec, and available bandwidth. Table 26 provides a call bandwidth value for the various interfaces of BSGX4e and the most common codecs. The available WAN bandwidth can be affected by numerous factors.
Appendix 13–Glossary

APPENDIX 13–GLOSSARY

3PCC: 3rd Party Call Control
ACL: Access Control List–policies that determine which LAN endpoints can place and receive calls
ADC: Analog/Digital Converter
ALG: Application Layer Gateway
ARL: Address Resolution Logic
ARP: Address Resolution Protocol–protocol to automatically map IP addresses to hardware MAC addresses
CAC: Call Admission Control
CDP: Cisco Discovery Protocol
CLI: Command Line Interface
CO: Central Office–refers to the connection to the PST
FQDN: Fully Qualified Domain Name, consisting of host and domains, for example www.yahoo.com. The host is www, the second-level domain is yahoo, and the top-level domain is com.
PoE: Power over Ethernet–transmission of DC power over an Ethernet cable by carrying power in the unused 4/5 and 7/8 wires. PoE allows devices to be installed at remote locations where there is no external power source.
Stateful: Maintains the last-known or current status of an application
TACACS+: Terminal Access Controller Access-Control System Plus is a protocol that provides access control for routers, network access servers, and other networked computing devices with one or more centralized servers. TACACS+ provides separate authentication, authorization, and accounting services and uses the TCP protocol.
INDEX

Numerics
802.

F
failover, MGCP 171
failover, SIP 166
fax 175, 177, 180
firewall
  security policies 125
  session controller 164
  timer 131
Fixed Queuing 192
flood attack 142
FXO port 162
FXS port 162, 175

G
gateway on Phone port 171
gateway, analog 175
GoS
  defined 193
  functional characteristics 195

H
hardware components 32

I
IDS
  flood attack 142
  packet anomalies 141
  scan attacks 144
  spoof attacks 144
IDS (Intrusion Detection System) 140
IKE (Internet Key Exchange)
  configuration 150
  description 147
  firewall policy 151

P
packet fragment attacks 141
packet size, see MTU
password 43
  authentication 44, 45
PAT (port address translation) 132
permissions 46
permissions, read/write 42
Phone port 162, 175
Phone port gateway 171
phone, analog 175
point-to-point tunnel 147
policing 194
port mirroring 97
PPP link 73
  QoS 121
PPTP 139, 140
prioritize traffic 194
priority queues 191
proxy ARP 89
PSTN 162

Q
QoS
  ARP/PPP 121
  call bandwidth 198
  control signal 121, 167, 172
  downstream 118
  initial config wizard 115
  Layer 2 and 3 190
  l

S
  Certificate Signing Request 61
  intro 59
  key 59, 60
static IP address 25
statistics, cumulative
  downstream QoS 120
  IP interface 72
  QoS link, best effort 111
  quality groups 116
statistics, instant
  call quality 107
  quality groups 117
status, system overview 29
subnet 135
survivability 30
syslog 65
system information 31
system log 64
  destinations 66
  external server 65
  severity levels 67

T
tagged VLAN 103
technical support session 64
Telnet 34
TFTP relay 80
ToS (type of service) 100, 192
traps (SNMP) 56