
Alcatel-Lucent

7510-SFW IMS Peering SIP Firewall | Release 3.0

CLI Reference Guide

Alcatel-Lucent — Proprietary
Use pursuant to applicable agreements

3FZ 08139 ACAA PCZZA

July 2015
Edition 07


Alcatel, Lucent, Alcatel-Lucent and the Alcatel-Lucent logo are trademarks of Alcatel-Lucent. All other trademarks are the property of their respective owners.

The information presented is subject to change without notice. Alcatel-Lucent assumes no responsibility for inaccuracies contained herein.

Copyright © 2015 Alcatel-Lucent. All Rights Reserved.

Contains proprietary/trade secret information which is the property of Alcatel-Lucent and must not be made available to, or copied or used by anyone outside Alcatel-Lucent without its written authorization.

Limited warranty

Alcatel-Lucent provides a limited warranty to this product.


Contents

About this document xi 

Purpose ..................................................................................................................................................... xi 

Reason for revision.................................................................................................................................. xii 

Intended audience .................................................................................................................................... xii 

Conventions used ................................................................................................................................... xiii 

Related information ................................................................................................................................ xiii 

Technical support ................................................................................................................................... xiii 

How to comment .................................................................................................................................... xiii 

1 Introduction 15

SFW location in the IMS architecture ..................................................................................................... 16 

SFW high level functionalities ................................................................................................................ 17 

SIP Firewall main features ...................................................................................................................... 19 

SIP stateless Record-Route Proxy Firewall with dialog and transaction tracking .................................. 19 

SIP features ............................................................................................................................................. 20 

2 SFW prerequisite 23

Procedure 1: Checking presence of sitecfg.sfw on SCM ........................................................................ 23 

Procedure 2: SFW OAM IP address configuration ................................................................................. 25 

Procedure 3: How to get access to the SFW CLI .................................................................................... 26 

3 Vlan Management 27

Summary of the CLI for Vlan management ............................................................................................ 29 

vlan vid  {trusted | untrusted} subnet ip_address mask ................................................................... 30 

vlan vid  subnet  ip_address/len ................................................................................................... 34 

vlan vid  [router   ip_address [rip | no rip]] ...................................................................................... 35 

vlan vid  no [ipv4 | ipv6] router .............................................................................................................. 36 

vlan vid  gw ip_address ................................................................................................................... 37 

vlan vid  no [ipv4 | ipv6] gw .................................................................................................................. 38 

vlan vid  name description ............................................................................................................. 39 

vlan vid  no name ................................................................................................................................... 40 

vlan vid  mac mac_address ............................................................................................................... 41 

no vlan vid ............................................................................................................................................. 42 

show vlan ................................................................................................................................................ 43 

4 Local Point Of Contact (LPOC) 44


Trusted interface definition ...................................................................................................................... 44 

Untrusted interface definition .................................................................................................................. 45 

Local Point Of Contact definition ............................................................................................................ 45 

Summary of the CLI for Trusted and Untrusted LPOC ........................................................................... 46 

lpoc untrusted poc_id  ........................................................................................................................... 47 

lpoc untrusted poc_id  no ipv6 .............................................................................................................. 49 

lpoc untrusted poc_id  no ipv4 .............................................................................................................. 49 

lpoc untrusted poc_id  no {udp | tcp | sctp | tls} ................................................................................... 50 

no lpoc untrusted poc_id  ...................................................................................................................... 50 

lpoc trusted poc_id  ............................................................................................................................... 51 

lpoc trusted poc_id  no ipv6 .................................................................................................................. 53 

lpoc trusted poc_id  no ipv4 .................................................................................................................. 53 

no lpoc trusted poc_id  .......................................................................................................................... 54 

show lpoc ................................................................................................................................................. 55 

ip defrag ................................................................................................................................................... 56 

show ip defrag .......................................................................................................................................... 57 

5 Peer Networks 58

Summary of the CLI for Peer Network management .............................................................................. 59 

 peer-net netid  ....................................................................................................................................... 60 

 peer-net netid filter filter_id ip address/mask  ................................................................... 61 

 peer-net netid filter filter_id rpoc ............................................................................................. 62 

 peer-net netid no filter .......................................................................................................................63 

 peer-net netid rpoc peering_point_id ip ................................................................................. 64 

 peer-net netid rpoc peering_point_id no ipv4 .......................................................................68 

 peer-net netid rpoc peering_point_id no ipv6 .......................................................................68 

 peer-net netid rpoc peering_point_id no {udp | tcp | sctp | tls} .............................................. 69 

 peer-net netid rpoc peering_point_id  name fqdn .................................................................. 70 

 peer-net netid rpoc peering_point_id  no name ........................................................................ 71 

 peer-net netid rpoc peering_point_id  nat ................................................................................. 72 

 peer-net netid rpoc peering_point_id  port-forwarding ............................................................ 74 

 peer-net netid rpoc peering_point_id  no port-forwarding ....................................................... 75 

 peer-net netid no rpoc peering_point_id  ................................................................................ 76 

 peer-net netid lpoc untrusted_lpoc_id  .................................................................................... 77 

 peer-net netid no lpoc untrusted_lpoc_id  .............................................................................. 78 

 peer-net netid security-profile security_profile_id  .............................................................. 79 

 peer-net netid load-balancing-group group_id  ............................................................................. 80 


 peer-net netid vlan vid  ..................................................................................................................... 81 

 peer-net netid no vlan ....................................................................................................................... 82 

 peer-net netid max call duration call_duration ........................................................................ 83 

 peer-net netid  polling ping {enable | disable} .................................................................................... 84 

 peer-net netid  polling ping period interval.................................................................................. 85 

 peer-net netid dscp dscp_value .................................................................................................... 86 

 peer-net netid dscp default ................................................................................................................. 87 

dscp default default_dscp ................................................................................................................ 88 

show dscp default .................................................................................................................................... 89 

 peer-net netid tls-profile tlsprofileid  ....................................................................................... 90 

 peer-net netid no tls-profile ................................................................................................................ 91 

no peer-net netid .................................................................................................................................. 92 

show peer-net .......................................................................................................................................... 93 

show peer-net netid lpoc .................................................................................................................... 95 

show peer-net [netid ] filter................................................................................................................. 96 

show peer-net [netid ] rpoc ................................................................................................................. 97 

show peer-net  connectivity .................................................................................................................... 99 

show peer-net [netid ] statistics [trusted | untrusted] ........................................................................ 102 

6 Security Profile 118

Summary of the CLI for Security Profile management......................................................................... 120 

security-profile profile_id  ............................................................................................................. 121 

security-profile profile_id  invite dialog setup-rate........................................................................ 123 

security-profile profile_id  invite in-dialog transaction-rate .......................................................... 124 

security-profile profile_id  invite in-dialog method accept ............................................................ 125 

security-profile profile_id  invite in-dialog no method accept ....................................................... 126 

security-profile profile_id  out-of-dialog method-rate ................................................................... 127 

security-profile profile_id  out-of-dialog no method-rate .............................................................. 129 

security-profile profile_id  sip thig ................................................................................................ 130 

security-profile profile_id  route-reorder ....................................................................................... 133 

security-profile profile_id  ringing-timer duration ................................................................... 134 

security-profile profile_id  clone profile_id .......................................................................... 135 

security-profile profile_id  fqdn-in-from thig ................................................................................ 136 

security-profile profile_id  sip route-mode .................................................................................... 137 

security-profile profile_id  private_ip ............................................................................................ 138 

no security-profile profile_id  ........................................................................................................ 139 

show security-profile profile_id .................................................................................................... 140 


7 TLS feature overview 141

Introduction ............................................................................................................................................ 141 

Reference documents ............................................................................................................................. 141 

Feature Overview ................................................................................................................................... 142 

TLS Feature Description ........................................................................................................................ 143 

8 TLS Profile 146

Summary of the CLI for TLS-Profile management ............................................................................... 147 

tls-profile tlsprofileid  local-cert ca-check renegotiation-period ................................................. 148 

tls-profile tlsprofileid  no renegotiation-period ........................................................................... 149 

tls-profile tlsprofileid  ca-cert-list certid1 … [certid8] .................................................... 151 

tls-profile tlsprofileid  no ca-cert-list certid1 … [certid8] ...............................................152 

9 CA certificates 153

Summary of the CLI for CA certificates management .......................................................................... 154 

import certificate ca ca-certid  [name description] ................................................................ 155 

certificate ca ca-certid  name description ............................................................................... 156 

no certificate ca ca-certid  ............................................................................................................... 157 

show certificate ca pem ca-certid  ................................................................................................... 158 

show certificate ca details ca-certid  ................................................................................................159 

show certificate ca ca-certid ........................................................................................................... 160 

show certificate ca ................................................................................................................................. 161 

10 Local X509 certificates and Private Keys 162

Summary of the CLI for SFW local certificates management ............................................................... 163 

import certificate local certid  [name description] ................................................................... 164 

import certificate local privatekey certid [ password pwd ] ...................................................... 165 

certificate local certid  name description .................................................................................. 167 

no certificate local certid  .................................................................................................................. 168 

show certificate local pem certid  ...................................................................................................... 169 

show certificate local details certid ................................................................................................... 170 

show certificate local certid .............................................................................................................. 171 

show certificate local ............................................................................................................................. 172 

certificate local certid  request ........................................................................................................... 173 

11 Internal DNS server 176

Summary of the CLI for the internal DNS management ....................................................................... 177 

dns-internal dns-entry-id name  peer-net ip ............................................................................... 178 

dns-internal dns-entry-id name rpoc-name .......................................................................... 179 

dns-internal dns-entry-id  peer-net netid  ............................................................................... 180 


dns-internal dns-entry-id ip address .................................................................................... 181 

dns-internal dns-entry-id no ipv4 .............................................................................................. 182 

dns-internal dns-entry-id no ipv6 .............................................................................................. 182 

show dns-internal .................................................................................................................................. 183 

12 Load Balancing Group 185

Summary of the CLI for Load-Balancing-Group management ............................................................ 187 

load-balancing-group groupId ........................................................................................................... 188 

load-balancing-group groupId   rpoc.................................................................................................. 189 

load-balancing-group groupId   rpoc no ipv4 .................................................................................... 193 

load-balancing-group groupId   rpoc no ipv6 .................................................................................... 194 

load-balancing-group groupId   rpoc poc_id no {udp | tcp | sctp | tls} .......................................... 195 

load-balancing-group groupId   no rpoc poc_id  ............................................................................. 196 

load-balancing-group groupId   lpoc trusted_lpoc_id  ............................................................. 197 

load-balancing-group groupId   no lpoc trusted_lpoc_id  ........................................................ 198 

load-balancing-group groupId   vlan vid .......................................................................................... 199 

load-balancing-group groupId   no vlan ........................................................................................... 200 

load-balancing-group groupId   polling period interval .............................................................. 201 

load-balancing-group groupId rpoc poc_id call rate ............................................................................ 202 

load-balancing-group groupId   rpoc poc_id transaction rate ....................................................... 204 

no load-balancing-group groupId ...................................................................................................... 205 

show load-balancing-group ................................................................................................................... 206 

show load-balancing-group  rpoc .......................................................................................................... 207 

show load-balancing-group  connectivity ............................................................................................. 208 

13 Tcp Syn Flood Protection 211

Summary of the CLI for TCP SYN Flood management ....................................................................... 212 

tcp syn oam rate syn_per_sec  ......................................................................................................... 212 

tcp syn untrusted rate syn_per_sec  ................................................................................................. 213 

tcp syn trusted rate syn_per_sec  ..................................................................................................... 213 

show tcp syn .......................................................................................................................................... 214 

show tcp statistics .................................................................................................................................. 215 

14 Interfaces (Ge Ports) & Trunks 217

Summary of the CLI for Ge Interfaces and Trunks management ......................................................... 218 

show interfaces ...................................................................................................................................... 219 

trunk {trusted|untrusted} mode [linkagg | act-stdy] ............................................................................. 221 

show trunk ............................................................................................................................................. 223 

show trunk port ..................................................................................................................................... 223 

15 SIP Message Management 225

Summary of the CLI for SIP Message Management ............................................................................. 225 

sip-header max-forwards {enable|disable} ............................................................................................ 226 

show sip-header ..................................................................................................................................... 227 

16 SNMP Management 228

Summary of the CLI for SNMP Management ....................................................................................... 229 

Alarms Management .............................................................................................................................. 230 

snmp station  stationId   ip ip_address ..................................................................................... 242 

snmp station  stationId {enable | disable} .................................................................................... 243 

no snmp station  stationId  .............................................................................................................. 243 

show snmp station .................................................................................................................................. 244 

show snmp alarm thresholds .................................................................................................................. 245 

snmp alarm modify threshold threshold_id ................................................................................... 247 

show snmp trap config ........................................................................................................................... 248 

snmp trap trap_id  filter-delay delay  .............................................................................................. 250 

snmp trap trap_id  {enable | disable} ................................................................................................ 251 

snmp trap restore default ........................................................................................................................ 251 

show snmp alarm active ......................................................................................................................... 252 

17 Users Management 253

Summary of the CLI for Users Management ......................................................................................... 253 

user username  password ................................................................................................................... 254 

user username level {adm | ope | viewer} ......................................................................................... 255 

user username no snmp ..................................................................................................................... 256 

user username auth { sha | md5} priv {aes | des} ............................................................................. 257 

no user username ................................................................................................................................ 258 

show user cmd [adm|ope|viewer] ........................................................................................................... 258 

show user [adm|ope|viewer] ................................................................................................................... 261 

18 Syslog Management 262

Summary of the CLI for Syslog Management ....................................................................................... 262 

syslog-server oam ip ip-address ..................................................................................................... 263 

syslog-server trusted ip ip-address ................................................................................................. 264 

syslog-server [ip] [port] [vlan] [lpoc] .................................................................................................... 265 

syslog [rate] [length] [facility] [rfc3164 | rfc5424] ................................................................................ 266 

no syslog-server ..................................................................................................................................... 267 

show syslog ............................................................................................................................................ 268 

19 NTP servers Management 269

Summary of the CLI for Syslog Management ...................................................................................... 269 

ntp server serverId  ip ip-address .............................................................................................. 270 

no ntp server serverId ...................................................................................................................... 270 

show ntp server...................................................................................................................................... 271 

20 

Monitoring SIP messages dropped 272 

Summary of the CLI for Monitoring-Host Management ...................................................................... 272 

monitoring-host trusted ip ip-address  port ipPort ..................................................................... 273 

monitoring-host oam ip ip-address  port ipPort ......................................................................... 275 

-> monitoring-host oam ip 192.168.2.110 port 5060 rate 10 ...................... 275 

show monitoring-host ............................................................................................................................ 276 

21 

Configuration Management 278 

Summary of the CLI for Configuration Management ........................................................................... 278 

copy running working ........................................................................................................................... 279 

copy working certified .......................................................................................................................... 279 

show configuration ................................................................................................................................ 280 

show running-directory ......................................................................................................................... 281 

show configuration consistency ............................................................................................................ 282 

switchover ............................................................................................................................................. 283 

configuration retrieve ............................................................................................................................ 284 

show system .......................................................................................................................................... 285 

system location ...................................................................................................................................... 287 

show sfw status ..................................................................................................................................... 288 

22 

CLI Session Management 290 

Summary of the CLI for Configuration Management ........................................................................... 290 

cli session timeout ................................................................................................................................. 291 

show cli session ..................................................................................................................................... 291 

23 

How to configure the SFW SITE specific parameters 292 

How to update the SITECFG.SFW configuration file .......................................................................... 293 

Install the SITECFG.SFW configuration file on the SFW .................................................................... 295 

IP Configuration example 297 

IP Configuration Introduction ............................................................................................................... 298 

Untrusted/Trusted Interfaces, Link Aggregate or Active/Standby mode .............................................. 299 

Untrusted side IP connectivity with VRF support ................................................................................. 300 

Untrusted side IP connectivity without VRF support ........................................................................... 302 

Trusted side IP connectivity, case 1 ...................................................................................................... 304 

Trusted side IP connectivity, case 2 ...................................................................................................... 305 


IPv6 support 308 

create and modify IPv4/IPv6 objects ..................................................................................................... 308 

IPv6 Q&A .............................................................................................................................................. 310 

Configuration backup & restore 312 

Backup configuration on the SFW ......................................................................................................... 312 

Restore configuration to the SFW.......................................................................................................... 313 

24 

Glossary 316 


About this document

Purpose

This document is the SFW SIP firewall Command Line Interface User’s Guide. It provides detailed information on the configuration of the SIP Firewall, dedicated to IMS SIP peering and protecting the IBCF (MGC8).


Reason for revision

The following table shows the revision history of this document.

Revision  Issue    Location (changes)

Ed01      2011/12  •  Creation of this document for the SFW release 3.0
                   •  New features introduced in R3.0:
                      o  TLS support on Untrusted side
                      o  Far-End NAT Traversal
                      o  2047 Peer Network

Ed02      2012/01  •  The IP Filter index range is modified to 1..32
                   •  New CLIs have been added to be able to set the Vlan Name without setting the Vlan Subnet
                   •  Add reference for 3FZ-08141-ACAA-PCZZA "SFW - sfwStaticConf.xls, sitecfg.sfw template for release R3.0"

Ed03      2012/02  •  Default passwords must not be given in the customer documentation. Contact your account or technical support representative for information about default passwords.

Ed04      2012/02  •  The range of the parameter “name” for the following objects is changed to 0..31:
                      o  Peer-network
                      o  Load-Balancing-Group
                      o  Vlan
                      o  Security-Profile

Ed05      2013/09  •  Add ‘sip-header‘ command

Intended audience

The target audience of this manual is network administrators and Information Systems professionals who maintain IMS equipment.

This manual assumes that the administrator of the 7510-SFW is knowledgeable about the concepts, network topologies, and Local Area Network (LAN) and SIP protocol discussed in this manual.


Conventions used

This guide uses the following typographical conventions:

Appearance                     Description

graphical user interface text  Text that is displayed in a graphical user interface or in a hardware label

variable                       A value or command-line parameter that the user provides

[ ]                            Text or a value that is optional

{ value1 | value2 }            A choice of values or variables from which one value or variable is used
{ variable1 | variable2 }

Related information

This guide has to be used in conjunction with the 7510-SFW documentation listed in the table hereafter.

Product                   Part Number           Product Description

Getting Started with SFW  3FZ 08140 ABAA PCZZA  This document provides tips to deploy the SFW R2.0.6 and further releases.

sfwStaticConf.xls         3FZ-08141-ACAA-PCZZA  This document provides an Excel template to build the sitecfg.sfw file for SFW release R3.0. The sitecfg.sfw file allows configuration of site specific attributes that cannot be provisioned via CLI or OMCP management.

Technical support

For technical support, contact your local Alcatel-Lucent customer support team. See the Alcatel-Lucent Support web site (http://alcatel-lucent.com/support/) for contact information.

How to comment

To comment on this document, go to the Online Comment Form (http://infodoc.alcatel-lucent.com/comments/) or e-mail your comments to the Comments Hotline ([email protected]).


1  Introduction

Overview

Purpose

Before going through the description of the Command Line Interface, chapter 1 of this document presents the 7510-SFW “SIP Firewall for IMS Peering”.

Contents

This chapter covers these topics.

SFW location in the IMS architecture 16 

SFW high level functionalities 17 

SIP Firewall main features 19 


SFW high level functionalities

Alcatel-Lucent’s BGW has an internal firewall functionality to protect the bearer network from external attacks, but a separate signaling firewall is needed to protect the IBCF from SIP signaling attacks. This document describes the features of the SIP Signaling firewall.

Figure 1 shows the Alcatel-Lucent border solution. The SFW (Signaling Firewall) sits on the edge of the network in front of the IBCF.

Only the SIP signaling messages pass through the SFW; bearer packets go directly to a BGW. The border solution could include several BGWs. Each BGW might only connect to a subset of the peering networks, so the IBCF must choose the appropriate BGW for each incoming/outgoing call. The internal network elements might be end offices, wireless MSCs, IMS systems, voice mail systems, announcement servers, etc.

High-level functionalities of the SFW:

o  Network Address/Port Translation

o  Load Sharing among IBCF CCS

o  n-tuple Filtering

o  SIP Support

o  Malicious Attack Prevention

o  Realm Separation

o  Per SIP method Rate Limiting

o  IBCF Geographic Redundancy Support

o  Overlapping IP Address Support

o  Topology Hiding


Figure 2 - SFW high level functionalities


SIP features

SIP Parser Attack Prevention

Only the SIP header is analyzed by the SIP Firewall; the SDP is not analyzed.

The SFW accepts only SIP messages that are properly formatted.

Only mandatory SIP headers are parsed.

The SFW checks the SIP message maximum sizes (header and total message size).
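The checks just listed (a well-formed start line and header lines, only the mandatory headers parsed, a per-header and a total size limit, the SDP body left alone) as an added Python example. This is not the 7510-SFW code: the two size limits, the mandatory-header set taken from RFC 3261, the compact-form mapping and the sample messages are all constructed assumptions of the example.

```python
import re

# Constructed limits: the SFW's own maximum sizes are configurable on the
# appliance and are not reproduced here; these two values are assumptions.
MAX_MESSAGE_BYTES = 4096
MAX_HEADER_BYTES = 512

# Headers RFC 3261 requires in every request (responses carry the same set
# minus Max-Forwards). Compact forms map onto the long names so that a
# well-formed message using them is not rejected as "missing a header".
REQUEST_HEADERS = ("via", "from", "to", "call-id", "cseq", "max-forwards")
RESPONSE_HEADERS = REQUEST_HEADERS[:-1]
COMPACT_FORMS = {"v": "via", "f": "from", "t": "to", "i": "call-id"}

_REQUEST_LINE = re.compile(r"^[A-Z]+ \S+ SIP/2\.0$")
_STATUS_LINE = re.compile(r"^SIP/2\.0 [1-6]\d{2} .*$")


def check_sip_message(raw: bytes):
    """Return (accepted, reason). Only the header part is parsed; the body
    (SDP) counts towards the total size but is never inspected."""
    if len(raw) > MAX_MESSAGE_BYTES:
        return False, "message too large"
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        return False, "missing header/body separator"
    try:
        lines = head.decode("ascii").split("\r\n")
    except UnicodeDecodeError:
        return False, "non-ASCII bytes in headers"
    is_request = bool(_REQUEST_LINE.match(lines[0]))
    if not is_request and not _STATUS_LINE.match(lines[0]):
        return False, "malformed start line"
    headers = {}
    for line in lines[1:]:
        if len(line) > MAX_HEADER_BYTES:
            return False, "header line too long"
        if line[:1] in (" ", "\t"):          # this example does not accept folded lines
            return False, "folded header line"
        name, colon, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if not colon or not name or not value:
            return False, "malformed header line"
        headers.setdefault(COMPACT_FORMS.get(name, name), []).append(value)
    for h in (REQUEST_HEADERS if is_request else RESPONSE_HEADERS):
        if h not in headers:
            return False, "missing mandatory header " + h
    cseq = headers["cseq"][0].split()        # "<sequence number> <METHOD>"
    if len(cseq) != 2 or not cseq[0].isdigit():
        return False, "malformed CSeq"
    if is_request and not headers["max-forwards"][0].isdigit():
        return False, "malformed Max-Forwards"
    return True, "ok"


def _msg(start: str, *headers: str, body: bytes = b"") -> bytes:
    """Build a constructed SIP message with CRLF line endings."""
    return (start + "\r\n" + "".join(h + "\r\n" for h in headers) + "\r\n").encode("ascii") + body


# Constructed sample messages (documentation addresses, invented tags).
GOOD_INVITE = _msg(
    "INVITE sip:bob@ims.example SIP/2.0",
    "Via: SIP/2.0/TCP 192.0.2.10:5060;branch=z9hG4bK-77",
    "Max-Forwards: 70",
    "From: <sip:alice@peer.example>;tag=1928",
    "To: <sip:bob@ims.example>",
    "Call-ID: a84b4c76e66710@192.0.2.10",
    "CSeq: 314159 INVITE",
    "Content-Length: 0",
)
GOOD_RESPONSE = _msg(
    "SIP/2.0 200 OK",
    "v: SIP/2.0/TCP 192.0.2.10:5060;branch=z9hG4bK-77",
    "f: <sip:alice@peer.example>;tag=1928",
    "t: <sip:bob@ims.example>;tag=8a",
    "i: a84b4c76e66710@192.0.2.10",
    "CSeq: 314159 INVITE",
)
NO_CALL_ID = _msg(
    "INVITE sip:bob@ims.example SIP/2.0",
    "Via: SIP/2.0/TCP 192.0.2.10:5060;branch=z9hG4bK-78",
    "Max-Forwards: 70",
    "From: <sip:alice@peer.example>;tag=1929",
    "To: <sip:bob@ims.example>",
    "CSeq: 1 INVITE",
)
BAD_START_LINE = _msg("INVITE sip:bob@ims.example", "Via: SIP/2.0/TCP 192.0.2.10")
OVERSIZE = GOOD_INVITE + b"v=0\r\n" * 1000           # body pushes total size over the limit
LONG_HEADER = _msg("OPTIONS sip:ims.example SIP/2.0", "Via: " + "a" * (MAX_HEADER_BYTES + 1))
```

The size test runs before any parsing, so an oversize message is dropped without the parser ever touching it; rejecting folded header lines is a strictness choice of this example, not something the guide states about the SFW.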

Protection against SIP DoS and Distributed DoS attacks

Rate limitation per type of message

This is the first level of protection: when an untrusted SIP message exceeds its rate, it is dropped by the SIP firewall. The rate limiters are configurable per untrusted source (Peer Network).

Transaction tracking

The SIP firewall is aware of the transactions and can drop out-of-sequence messages as well as duplicate messages.

The transaction tracking is also used in the load balancing and overload control to adapt the transaction rate towards the local IBCF. That feature lets the SIP firewall be aware of the number of SIP transactions that are in progress and the average time the I-BCF takes to process them.

Dialog tracking

Dialog tracking is provided for INVITE dialogs only. It permits tracking transactions inside a dialog. Transactions that are out of sequence are blocked; for example it may block blind CANCEL or BYE attacks.

The dialog tracking is also used in the load balancing and the overload control to adapt the load of the call setup and to reject new INVITEs when the number of established calls reaches a limit. The limit is configurable per peer.

Initial Request Flooding attack detection

The SIP firewall is able to detect transaction flooding attacks and to isolate SIP messages that correspond to the signature of the attacker. Note that in that case some legitimate SIP traffic might be affected because it matches the same signature.

DDOS attack mitigation on initial INVITE

When all the fields used for flooding detection change on each SIP message, the SIP firewall is not able to detect the source of the attack just by analyzing the SIP message. The detection is then based on a threshold of bad responses for a given signature, obtained by tracking the behavior of the transaction. When that threshold is reached, all initial INVITEs matching that signature have their rate downgraded. That downgrade remains until the bad response counters drop below the normal threshold. That mechanism will impact legitimate traffic that matches the same signature, but avoids putting the source IP address in quarantine and thereby blocking an entire peer. Typically, in case of an IP spoofing attack, if the SIP firewall puts the source IP in quarantine the attack is successful, because the SIP firewall blocks the legitimate source.
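The two mechanisms described in this section, per-peer per-method rate limiting as the first level of protection and the bad-response threshold that downgrades the rate of initial INVITEs matching a signature until the counters fall back below the threshold, as one added Python simulation. It is not the 7510-SFW implementation: the token-bucket rates, the threshold, the window, the downgrade divisor and the signature fields (From URI and User-Agent) are assumptions of the example, and the traffic it runs over is constructed.

```python
from collections import deque


class TokenBucket:
    """Token bucket in integer arithmetic (time in ms, tokens in thousandths)
    so that the constructed scenario below is exactly reproducible."""

    def __init__(self, rate_per_s: int, burst: int):
        self.rate = rate_per_s          # thousandths of a token per millisecond
        self.capacity = burst * 1000
        self.tokens = self.capacity
        self.last_ms = 0

    def allow(self, now_ms: int) -> bool:
        self.tokens = min(self.capacity, self.tokens + (now_ms - self.last_ms) * self.rate)
        self.last_ms = now_ms
        if self.tokens >= 1000:
            self.tokens -= 1000
            return True
        return False


class PeerLimiter:
    """Rate limiting for one untrusted Peer Network: one bucket per SIP method
    (first level of protection) plus the bad-response signature downgrade for
    initial INVITEs. Threshold, window, divisor and signature are assumptions."""

    BAD_RESPONSE_THRESHOLD = 5
    WINDOW_MS = 10_000
    DOWNGRADE_DIVISOR = 10

    def __init__(self, per_method: dict):
        self.per_method = per_method    # method -> (rate per second, burst)
        self.buckets = {m: TokenBucket(r, b) for m, (r, b) in per_method.items()}
        self.bad = {}                   # signature -> deque of bad-response times
        self.downgraded = {}            # signature -> reduced-rate TokenBucket
        self.pending = {}               # transaction id -> signature

    @staticmethod
    def signature(msg: dict) -> tuple:
        # Assumed flooding-detection signature: From URI and User-Agent.
        return (msg.get("from"), msg.get("user_agent"))

    def on_request(self, msg: dict, now_ms: int) -> bool:
        """True if the request may be forwarded to the IBCF, False if dropped."""
        bucket = self.buckets.get(msg["method"])
        if bucket is None or not bucket.allow(now_ms):
            return False                # unknown method or per-method rate exceeded
        if msg["method"] == "INVITE" and not msg.get("in_dialog"):
            sig = self.signature(msg)
            self._expire(sig, now_ms)
            if sig in self.downgraded and not self.downgraded[sig].allow(now_ms):
                return False            # flagged signature, reduced rate exceeded
            self.pending[msg["txid"]] = sig   # transaction tracking for the response
        return True

    def on_response(self, txid: str, status: int, now_ms: int) -> None:
        """Feed the IBCF's final response for a tracked INVITE transaction."""
        sig = self.pending.pop(txid, None)
        if sig is None or status < 400:
            return
        self.bad.setdefault(sig, deque()).append(now_ms)
        self._expire(sig, now_ms)
        if len(self.bad[sig]) >= self.BAD_RESPONSE_THRESHOLD and sig not in self.downgraded:
            rate, burst = self.per_method["INVITE"]
            self.downgraded[sig] = TokenBucket(max(1, rate // self.DOWNGRADE_DIVISOR),
                                               max(1, burst // self.DOWNGRADE_DIVISOR))

    def _expire(self, sig: tuple, now_ms: int) -> None:
        """Age out old bad responses; lift the downgrade once the counter is
        back below the threshold."""
        q = self.bad.get(sig)
        if q is None:
            return
        while q and now_ms - q[0] > self.WINDOW_MS:
            q.popleft()
        if len(q) < self.BAD_RESPONSE_THRESHOLD:
            self.downgraded.pop(sig, None)


def simulate() -> dict:
    """Constructed scenario: one peer allowed 100 INVITE/s and 5 OPTIONS/s. A
    flooding signature whose INVITEs all draw 404s from the IBCF is downgraded
    while a legitimate signature on the same peer keeps flowing."""
    lim = PeerLimiter({"INVITE": (100, 20), "OPTIONS": (5, 5)})
    result = {"options_accepted": 0, "flood_accepted": 0, "legit_accepted": 0}
    for _ in range(8):                  # OPTIONS burst above its bucket of 5
        if lim.on_request({"method": "OPTIONS", "txid": "o"}, 20):
            result["options_accepted"] += 1
    flood = {"method": "INVITE", "from": "sip:x@198.51.100.9", "user_agent": "flood/1"}
    legit = {"method": "INVITE", "from": "sip:alice@peer.example", "user_agent": "ua/2"}
    for i in range(40):                 # 50 INVITE/s each, under the peer's INVITE rate
        now = 20 * (i + 1)
        if lim.on_request(dict(flood, txid=f"f{i}"), now):
            result["flood_accepted"] += 1
            lim.on_response(f"f{i}", 404, now)
        if lim.on_request(dict(legit, txid=f"l{i}"), now):
            result["legit_accepted"] += 1
            lim.on_response(f"l{i}", 200, now)
    result["flood_downgraded"] = PeerLimiter.signature(flood) in lim.downgraded
    # Once the bad responses have aged out of the window the downgrade is lifted.
    result["accepted_after_window"] = lim.on_request(dict(flood, txid="late"), 30_000)
    return result
```

simulate() drives both sides of the exchange with a logical clock, so the outcome is deterministic: the peer's own INVITE budget is never exhausted, yet the flooding signature is throttled to a tenth of its rate after five 404s while the legitimate signature on the same peer is untouched, which is the point the text makes about not quarantining the whole source IP. The per-method token is consumed before the downgraded bucket is consulted, so a flagged signature still counts against the peer's overall budget.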

Remote SIP ports replication on trusted side

In terms of SIP ports (IP address and port), the SFW provides on the trusted side as many SIP ports as the trusted I-BCF can reach on the untrusted side (also called peering points). When the trusted I-BCF has to send a SIP request towards a remote I-BCF, it has to resolve the IP address and the port of that next SIP hop either by a local routing table or thanks to DNS.

The local routing table or the DNS provides an IP address and port that does not designate the remote I-BCF, but rather a SIP port provided by the SIP firewall on the trusted side.

On the other hand, the SIP firewall is configured with a routing table that permits performing the mapping between the trusted SIP port and the SIP port of the remote I-BCF on the untrusted side. This is a 1:1 mapping.

For local I-BCF outgoing requests, the SIP firewall does not take any decision about the next SIP hop; it just follows the information of the SIP routing table.

Transparent to forking

When the local I-BCF decides to fork, the SIP firewall is transparent. However if forking takes place after the remote I-BCF, several 200 OK replies may be sent back to the local I-BCF. That case is detected by the SIP firewall, and all the 200 OK responses are forwarded to the SIP port from which the initial INVITE came.

Single Point of Contact

On the untrusted side the SFW can be configured to be the single point of contact for the remote peers while operating in a networking environment that provides separation among the peer networks.

For the trusted side, the SFW provides a single point of contact for the local IBCF for reaching all the peering points. This avoids updating the network configuration of the trusted side when more peering points are added.

Untrusted SIP ports

For the untrusted side it provides as many untrusted SIP ports (IP address and port) as the remote I-BCFs may address. However it is not required to provide as many SIP ports as the local I-BCF provides.

Local IBCF partitioning

When a local IBCF is deployed in the IMS core network as a centralized component, the SFW provides the ability to partition the local IBCF in smaller subsets. That partitioning applied to a centralized I-BCF makes the solution equivalent to a distributed model:

It provides an isolation of remote I-BCFs (VPN) on different SIP service blades of the local I-BCF by assigning remote IBCFs to different partitions.

It permits limiting DDOS attacks not detected by the SIP firewall to only a subset of the local I-BCF.

Load Balancing and overload control

That feature permits balancing the load of the SIP traffic among SIP service blades of the local I-BCF belonging to the same partition.

It provides a QoS feature that permits allocating a bandwidth for the SIP requests that is proportional to the weight of the remote IBCF, as well as a number of simultaneous calls.

For the case of the simultaneous calls, a remote IBCF might use more than its strict proportional share of the total simultaneous call capacity when the partition is not loaded. This information is configurable and expressed as a percentage of the total call capacity.

The SIP message rate of each remote IBCF is adapted to the aggregate rate of the partition to which it belongs. Typically, even if the rate for a particular SIP method is not reached for a given IBCF, the SIP message might still be dropped because the maximum aggregate rate for the method has been reached.

Redundancy

The SIP firewall operates in 1+1 redundancy mode. It provides redundancy for the established calls but not for the transactions inside or outside a dialog.

L2/L3/L4 SIP-aware firewalling

The SIP firewall provides L2/L3/L4 firewalling which is SIP aware on the untrusted side and thus does not require any external firewall. That solution provides better performance than a solution with an external L2/L3/L4 firewall: in case of overload, the drop is performed at SIP level and not at L3 or L4 level. This avoids dropping legitimate SIP traffic, which is not the case with SIP firewalls that separate the L2/L3/L4 firewalling and the SIP firewalling.

IP V4 address overlapping

IP address overlapping is supported on the untrusted side thanks to the usage of 802.1Q tags to separate Peer Networks that have the same IP addresses.

VPN separation

VPN separation is provided thanks to the usage of 802.1Q.

Reliable Transport

Only TCP is supported in that release. TCP connections are terminated at SIP firewall level.


2  SFW prerequisite

On the first 7510-SFW installation, prior to doing anything else, you need to pay attention to the following points:

Item  Purpose        How to check

1     sitecfg.sfw    This file must be present on both SCM hosting primary and backup DHSPP4. Follow procedure 1 described below.

2     SFW CLI login  Prior to accessing the SFW CLI session you need to:
                     -  Configure the SFW OAM IP address on the 7510
                     -  Know the initial login / password
                     Follow procedures 2 and 3 described below.

Procedure 1: Checking presence of sitecfg.sfw on SCM

When to use

On the first 7510-SFW installation you need to check the presence of the file sitecfg.sfw on both SCM (primary and backup) hosting both DHSPP4 of the SIP Firewall (SFW).

If this file is not present the SIP Firewall application will fail to be loaded.

This file must contain the name of the SIP Firewall (SFW). The SFW name is not configurable via CLI commands. It’s quite important to configure the SFW name because:


Procedure 2: SFW OAM IP address configuration

When to use

The SFW is hosted by the 7510. It is the 7510 that allocates the SFW OAM IP address. The following 7510 procedure allows configuration of the SFW OAM IP address:

Steps

1  Log in to the 7510

Contact your account or technical support representative for information about default login/password.

2  Configure the OAM IP address using the ui commands:

define sfw ip <oam-ip-address> <oam-ip-mask> <default-route-ip-address>

3  Check the OAM IP address configuration.

view sfw ip

END OF STEPS


Procedure 3: How to get access to the SFW CLI

When to use

SFW configuration via CLI requires opening an SSH tunnel.

Steps

1  Open an SSH tunnel to the SFW

ssh cli@oam-ip-address (e.g. [email protected])

2  Open the CLI session with the initial login / password

Contact your account or technical support representative for information about default login / password.

3  Then you have the ability to change the root password.

-> user <login> password <new-password>

END OF STEPS


3  Vlan Management

Purpose

This paragraph provides information about the Vlan management in the SFW.

Introduction

The main purpose of the Vlan Management is to provide the ability to isolate the Peer Networks and to address the case of IP V4 address overlapping.

Each Peer Network can have its own VLAN; however it is still possible that several Peer Networks share the same VLAN. In that last case, they share the same broadcast domain and no IP address overlapping is possible.

Before going further it’s necessary to define the following acronyms that appear throughout this document:

LPOC: a lpoc is a Local Point of Contact. This means it’s an IP address of the firewall in charge of the SIP Signaling messages. There are LPOCs on the untrusted side of the firewall, facing the Peer-Networks, and LPOCs on the trusted side of the firewall, facing the MGC8 IBCF.

RPOC: a rpoc is a Remote Point of Contact. This means it’s an IP address of a SIP Signaling entity either on the untrusted side of the firewall or on the trusted side of the firewall.


The Vlan management allows supporting various IP configurations:

1. The SFW LPOC and the RPOC are in the same subnet.

In that case the Vlan configuration will define only an IP subnet/mask.

2. The SFW LPOC and the RPOC are in different subnets.

In that case, a default gateway needs to be added in the vlan configuration to be able to reach the RPOC subnet.

3. The SFW LPOC and the Vlan Subnet are in different subnets.

For example, this case exists when several Peer-Networks (isolated through different vlans) share a single Point Of Contact. In that case a “pseudo-router” needs to be added in the Vlan configuration.

The IP configuration capabilities described above apply for both Untrusted and Trusted sides. Remember that:

• LPOC designates either a SFW Local Point of Contact on the Untrusted or on the Trusted side.

• RPOC, Remote Point of Contact, designates either a peering-point of a Peer-Network or a Signaling entity (CCS) of the MGC8 IBCF.

The appendix “SFW IP configuration” at the end of this document illustrates the various IP configurations mentioned above through examples.

When a “pseudo-router” has been added to a vlan, the Peer-Network using that Vlan must have a LPOC in a different subnet.

In order to simplify the configuration of the next hop router, the VLAN Management can be configured to perform RIP announcement of the local POC IP addresses that are accessible through the “pseudo-router”.

The SIP FW supports up to 4096 (0..4095) vlan values. A Vlan is either trusted or untrusted; as a consequence it is not possible to use the same VLAN number for the trusted and untrusted side.

The vlan 0 and vlan 4095 have special meanings.

The vlan 0 is used to specify an untagged vlan for the Trusted side.

The vlan 4095 is used to specify an untagged vlan for the Untrusted side.

All other vlans (1..4094) are 802.1q tagged vlans.


Summary of the CLI for Vlan management

Vlan management

vlan vid {trusted | untrusted} [enable | disable] [name description] subnet ip_address/len [router ip_address [rip | no rip]] [gw ip_address]

vlan vid subnet ip_address/len 

vlan vid router ip_address [rip | no rip]

vlan vid no [ipv4 | ipv6] router

vlan vid gw ip_address 

vlan vid no [ipv4 | ipv6] gw

vlan vid name description 

vlan vid no name

vlan vid no ipv4

vlan vid no ipv6

vlan vid mac mac_address 

vlan vid v4mac mac_address 

vlan vid v6mac mac_address 

vlan vid no mac

vlan vid no v4mac

vlan vid no v6mac

no vlan vid 

show vlan [vid] 


vlan vid {trusted | untrusted} subnet ip_address mask

Purpose

The purpose of that command is the creation of a vlan. This vlan will later be associated with either a Peer-Network or a Load-Balancing-Group to provide IP connectivity with these remote entities.

In the case of the association with a Peer-Network it will allow realm separation and IP v4 address overlapping.

Command

vlan vid {trusted | untrusted} [enable | disable] [name description] subnet ip_address mask ip_address [router ip_address [rip | no rip]] [gw ip_address]

Arguments 

vid

This is the identifier of the vlan.

The vlan 0 and vlan 4095 have special meanings.

The vlan 0 is used to specify an untagged vlan for the Trusted side.

The vlan 4095 is used to specify an untagged vlan for the Untrusted side.

All other vlans (1..4094) are 802.1q tagged vlans. 

trusted | untrusted

This keyword indicates the SFW interface that owns the vlan. Even if the SIP firewall is connected to different switches/routers, the firewall does not allow the use of the same vlan on the trusted and untrusted side.

enable | disable

Provides the ability to change the operational status of the vlan.

description

Description of the vlan (31 characters)

subnet ip_address/len 

These parameters describe the IP subnet and IP mask that are associated with the vlan.


The consistency of the configuration can also be checked via the CLI command “show configuration consistency”.

The consistency checks are the following:

• If a peering-point IP address (rpoc) associated with a Peer-Network doesn’t belong to the vlan subnet associated with this Peer-Network, then a “gateway” must have been defined for the vlan.

• If a MGC8 IBCF CCS IP address (rpoc) associated with a Load-Balancing-Group doesn’t belong to the vlan subnet associated with this Load-Balancing-Group, then a “gateway” must have been defined for the vlan.

• If a vlan “gateway” has been defined, its IP address must belong to the vlan subnet.

• If a Local Point of Contact (lpoc) associated with a Peer-Network doesn’t belong to the vlan subnet associated with this Peer-Network, then a “router” must have been defined for the vlan.

• If a Local Point of Contact (lpoc) associated with a Load-Balancing-Group doesn’t belong to the vlan subnet associated with this Load-Balancing-Group, then a “router” must have been defined for the vlan.

• If a vlan “router” has been defined, its IP address must belong to the vlan subnet.

• Within a Peer-Network, IP overlapping between Peering-Point IP addresses (rpoc) must not exist.

• Within a Peer-Network, IP overlapping between Peering-Point IP addresses (rpoc) and IP filters must not exist.

• Within a Load-Balancing-Group, IP overlapping between CCS IP addresses (rpoc) must not exist.

• If a Vlan is assigned to more than one Peer-Network, IP overlapping between Peering-Point IP addresses (rpoc) must not exist.

• If a Vlan is assigned to more than one Peer-Network, IP overlapping between Peering-Point IP addresses (rpoc) and IP filters must not exist.
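The rules above can be run offline against a planned configuration before it is loaded. The following is an added example, not code from the guide or the 7510-SFW itself: it re-implements the eleven checks over a constructed configuration. The dict layout, the group names and every address are assumptions/sample values, and the pairing of an IPv4 or IPv6 gateway/router with the address it serves follows the per-family “no ipv4 gw / no ipv6 gw” commands documented later on this page.

```python
"""Re-implementation of the "show configuration consistency" rules listed above.

Added example, not code from the guide: it checks a constructed configuration
against the rules. The dict layout, group names and all addresses are
assumptions/sample values; a gateway or router counts for an rpoc/lpoc only
when it has the same IP version as that address.
"""
from ipaddress import ip_address, ip_network


def _same_family(addr, items):
    """Configured addresses/networks in `items` with the IP version of `addr`."""
    return [x for x in items if x.version == addr.version]


def _in_vlan_subnet(addr, vlan):
    """True when `addr` belongs to a vlan subnet of the same IP version."""
    return any(addr in net for net in _same_family(addr, vlan["subnets"]))


def _overlap_pairs(left, right):
    """Pairs (a, b), a from left and b from right, that overlap (same version only)."""
    return [(a, b) for a in left for b in right
            if a.version == b.version and a.overlaps(b)]


def check_consistency(vlans, groups):
    """Return a list of findings (an empty list means the configuration is consistent).

    vlans:  {vid: {"subnets": [ip_network], "routers": [ip_address], "gws": [ip_address]}}
    groups: {name: {"kind": "peer-net" | "lbg", "vlan": vid, "lpocs": [ip_address],
                    "rpocs": [ip_network], "filters": [ip_network]}}
    """
    findings = []
    # A configured router or gateway must itself lie in the vlan subnet.
    for vid, vlan in vlans.items():
        for gw in vlan["gws"]:
            if not _in_vlan_subnet(gw, vlan):
                findings.append(f"vlan {vid}: gateway {gw} not in vlan subnet")
        for rt in vlan["routers"]:
            if not _in_vlan_subnet(rt, vlan):
                findings.append(f"vlan {vid}: router {rt} not in vlan subnet")

    for name, grp in groups.items():
        vid, vlan = grp["vlan"], vlans[grp["vlan"]]
        # An rpoc outside the vlan subnet is reachable only through a gateway.
        for rpoc in grp["rpocs"]:
            first = rpoc.network_address
            if not _in_vlan_subnet(first, vlan) and not _same_family(first, vlan["gws"]):
                findings.append(f"{name}: rpoc {rpoc} outside vlan {vid} subnet and no gateway")
        # An lpoc outside the vlan subnet is reachable only through a (pseudo-)router.
        for lpoc in grp["lpocs"]:
            if not _in_vlan_subnet(lpoc, vlan) and not _same_family(lpoc, vlan["routers"]):
                findings.append(f"{name}: lpoc {lpoc} outside vlan {vid} subnet and no router")
        # rpocs of one Peer-Network or Load-Balancing-Group must not overlap each other ...
        for i, rpoc in enumerate(grp["rpocs"]):
            for a, b in _overlap_pairs([rpoc], grp["rpocs"][i + 1:]):
                findings.append(f"{name}: rpoc {a} overlaps rpoc {b}")
        # ... and, for a Peer-Network, must not overlap its IP filters.
        if grp["kind"] == "peer-net":
            for a, b in _overlap_pairs(grp["rpocs"], grp["filters"]):
                findings.append(f"{name}: rpoc {a} overlaps filter {b}")

    # Peer-Networks sharing one vlan: no rpoc overlap across them, nor rpoc vs filter.
    peers_on = {}
    for name, grp in groups.items():
        if grp["kind"] == "peer-net":
            peers_on.setdefault(grp["vlan"], []).append(name)
    for vid, names in peers_on.items():
        for i, n1 in enumerate(names):
            for n2 in names[i + 1:]:
                g1, g2 = groups[n1], groups[n2]
                for a, b in _overlap_pairs(g1["rpocs"], g2["rpocs"]):
                    findings.append(f"vlan {vid}: rpoc {a} ({n1}) overlaps rpoc {b} ({n2})")
                cross = _overlap_pairs(g1["rpocs"], g2["filters"]) \
                    + _overlap_pairs(g2["rpocs"], g1["filters"])
                for a, b in cross:
                    findings.append(f"vlan {vid}: rpoc {a} overlaps filter {b} of another Peer-Network")
    return findings


# Constructed sample configuration (values are not from the guide).
SAMPLE_VLANS = {
    8: {"subnets": [ip_network("172.23.8.0/24"), ip_network("2001:b8::/64")],
        "routers": [ip_address("172.23.8.3")], "gws": [ip_address("172.23.8.1")]},
    200: {"subnets": [ip_network("192.168.2.0/24")],
          "routers": [], "gws": [ip_address("192.168.3.1")]},   # gateway outside the subnet
}
SAMPLE_GROUPS = {
    "peer-net 1": {"kind": "peer-net", "vlan": 8, "lpocs": [ip_address("172.23.8.10")],
                   "rpocs": [ip_network("10.0.10.1/32"), ip_network("2001:31::10:1/128")],
                   "filters": [ip_network("10.0.0.0/8")]},
    "peer-net 2": {"kind": "peer-net", "vlan": 200, "lpocs": [ip_address("172.23.9.5")],
                   "rpocs": [ip_network("20.0.10.1/32")], "filters": []},
    "peer-net 3": {"kind": "peer-net", "vlan": 8, "lpocs": [ip_address("172.23.8.11")],
                   "rpocs": [ip_network("10.0.10.1/32")], "filters": []},
    "lbg 1": {"kind": "lbg", "vlan": 8, "lpocs": [ip_address("172.23.8.20")],
              "rpocs": [ip_network("172.23.8.100/32"), ip_network("172.23.8.101/32")],
              "filters": []},
}

if __name__ == "__main__":
    for line in check_consistency(SAMPLE_VLANS, SAMPLE_GROUPS):
        print(line)
```

Run as-is, the sample reports six findings: the vlan 200 gateway outside its subnet, the IPv6 rpoc of peer-net 1 with no IPv6 gateway, that rpoc overlapping the 10.0.0.0/8 filter, the peer-net 2 lpoc with no router, and the two cross-Peer-Network overlaps on vlan 8 (rpoc vs rpoc, rpoc vs filter); the Load-Balancing-Group, entirely inside its subnet, produces none.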


vlan vid  subnet ip_address/len 

Purpose

The purpose of that command is to modify the “subnet” IP address for an existing vlan.

Command 

vlan vid  subnet  ip_address/len 

Arguments 

vid

This is the identifier of the vlan to be modified.

subnet ip_address/len

These parameters describe the IP subnet and IP mask length that are associated with the vlan. It can be an IPv4 or IPv6 subnet.

Example 

-> vlan 8 subnet 2001:b8::/64

-> vlan 200 subnet 192.168.2.0/24


vlan vid  [router ip_address [rip | no rip]]

Purpose

The purpose of that command is to add or modify the “router” IP address for an existing vlan. Optionally, in the case of IPv4, the RIP protocol can be activated for this vlan.

Command 

vlan vid  [router  ip_address [rip | no rip]]

Arguments 

vid

This is the identifier of the vlan to be modified.

router

This parameter defines the “pseudo-router” providing accessibility to an LPOC created in a different subnet. The IP address of this “pseudo-router” must be in the subnet defined when creating the vlan. It can be an IPv4 or IPv6 address.

rip | no rip

If a “pseudo-router” has been configured on the vlan, it is possible to advertise via the RIP protocol the LPOCs which are reached through this pseudo-router. By default RIP is not activated. When “no rip” is configured, static routes should be configured on the next-hop router to be able to reach the LPOC.

Example 

-> vlan 8 router 172.23.8.3 rip

-> vlan 8 router 2001:b8::172:23:8:3


vlan vid  no [ipv4 | ipv6] router

Purpose

The purpose of that command is to remove the “router” IP address for an existing vlan.

Command 

vlan vid  no [ipv4 | ipv6] router 

Arguments 

vid

This is the identifier of the vlan to be modified.

no [ipv4 | ipv6] router

This parameter refers to the “pseudo-router” providing accessibility to an LPOC created in a different subnet. You have the ability to remove only the IPv4 router or the IPv6 router.

Example 

-> vlan 8 no router

-> vlan 15 no ipv4 router

-> vlan 20 no ipv6 router


vlan vid no [ipv4 | ipv6] gw

Purpose

The purpose of that command is to remove the “gateway” IP address for an existing vlan.

Command 

vlan vid  no [ipv4|ipv6] gw 

Arguments 

vid

This is the identifier of the vlan to be modified.

no [ipv4 | ipv6] gw

This attribute refers to the default gateway. The default gateway is required when the remote POC IP address is not in the vlan subnet. You have the ability to remove only the IPv4 gateway or the IPv6 gateway.

Example 

-> vlan 4 no gw

-> vlan 8 no ipv4 gw

-> vlan 20 no ipv6 gw


vlan vid  no name

Purpose

The purpose of that command is to delete the name of an existing vlan.

Command 

vlan vid  no name 

Arguments 

vid

This is the identifier of the vlan to be modified.

Example 

-> vlan 4 no name


vlan vid  mac mac_address

Purpose

The purpose of that command is to specify the MAC address of the “gateway”.

When a MAC address is specified for the vlan gateway, the SFW bypasses the ARP (or ND) resolution and uses the configured MAC address in the IP frames sent to the gateway. This prevents a man-in-the-middle attack: the IP frames cannot be sent to an attacker who has taken over the IP address of the gateway, because the spoofed ARP (or ND) reply is no longer used.

The command “vlan vid mac mac_address” assigns a single MAC address for both the IPv4 and IPv6 gateways of the vlan. You can assign different MAC addresses for the IPv4 and IPv6 gateways via the CLI command “vlan vid v4mac mac_address [v6mac mac_address]”.

This command is allowed only if a “gateway” has been previously configured via the CLI command “vlan vid gw ip_address”.

The CLI command “show vlan vid” returns the MAC address configured for the gateway and also the MAC address learned from the ARP (or ND) resolution.

Command 

vlan vid  mac mac_address

vlan vid  v4mac mac_address 

vlan vid  v6mac mac_address 

Arguments 

vid

This is the identifier of the vlan to be modified.

mac_address 

This is the MAC address of the gateway.

Example 

-> vlan 8 mac 00:d0:95:ff:94:74

-> vlan 9 v4mac 00:e0:b1:7c:48:4c

-> vlan 10 v6mac 00:d0:95:fe:33:26
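What pinning the gateway MAC changes, as an added example that is not code from the guide or from the 7510-SFW: a small model of a vlan whose gateway MAC can be pinned the way mac / v4mac / v6mac do, showing that the pinned entry bypasses the ARP/ND cache when the next-hop MAC is chosen, and comparing the pinned value with the learned one, the two values “show vlan vid” reports. The class layout and the ARP/ND cache snapshot, including its poisoned IPv4 entry, are constructed; the gateway MAC is the one from the “vlan 8 mac” example above.

```python
"""Effect of a pinned gateway MAC, as described for "vlan vid mac mac_address".

Added example, not code from the guide. The Vlan class, the gateway addresses
and the ARP/ND cache snapshot are constructed; a pin is refused when the
targeted gateway is not configured, as the guide requires.
"""
import re
from ipaddress import ip_address

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")


def norm_mac(mac):
    """Canonical lower-case colon form; rejects malformed input."""
    mac = mac.strip().lower().replace("-", ":")
    if not MAC_RE.match(mac):
        raise ValueError(f"malformed MAC address: {mac!r}")
    return mac


class Vlan:
    def __init__(self, vid, gw4=None, gw6=None):
        self.vid = vid
        self.gateway = {}            # family -> gateway IP, as set by "vlan vid gw"
        if gw4:
            self.gateway["ipv4"] = ip_address(gw4)
        if gw6:
            self.gateway["ipv6"] = ip_address(gw6)
        self.pinned = {}             # family -> MAC, as set by mac / v4mac / v6mac

    def pin(self, mac, family=None):
        """family=None mirrors 'mac' (every configured gateway); 'ipv4'/'ipv6' mirror v4mac/v6mac."""
        families = [family] if family else list(self.gateway)
        if not families or any(f not in self.gateway for f in families):
            raise ValueError(f"vlan {self.vid}: gateway not configured, MAC pin refused")
        for fam in families:
            self.pinned[fam] = norm_mac(mac)

    def next_hop_mac(self, dst, cache):
        """MAC placed in frames to `dst` behind the gateway: pinned value, else ARP/ND cache."""
        fam = "ipv6" if ip_address(dst).version == 6 else "ipv4"
        gw = self.gateway[fam]
        if fam in self.pinned:
            return self.pinned[fam]                 # ARP/ND resolution bypassed
        return norm_mac(cache[str(gw)])             # whatever the (spoofable) cache says

    def learned_mismatches(self, cache):
        """(family, pinned, learned) for each pinned gateway whose learned MAC differs."""
        out = []
        for fam, mac in self.pinned.items():
            learned = cache.get(str(self.gateway[fam]))
            if learned and norm_mac(learned) != mac:
                out.append((fam, mac, norm_mac(learned)))
        return out


# Constructed ARP/ND cache snapshot: the IPv4 gateway entry has been poisoned.
ARP_CACHE = {"172.23.8.1": "02:00:00:ba:d0:01", "2001:b8::1": "00:d0:95:ff:94:74"}
GATEWAY_MAC = "00:d0:95:ff:94:74"   # the MAC from the "vlan 8 mac" example above


def demo():
    """Next-hop MAC before and after pinning, plus the pinned-vs-learned report."""
    vlan = Vlan(8, gw4="172.23.8.1", gw6="2001:b8::1")
    before = vlan.next_hop_mac("10.0.10.1", ARP_CACHE)   # poisoned entry is used
    vlan.pin(GATEWAY_MAC)                                 # like: vlan 8 mac 00:d0:95:ff:94:74
    after = vlan.next_hop_mac("10.0.10.1", ARP_CACHE)    # pinned MAC, cache ignored
    return before, after, vlan.learned_mismatches(ARP_CACHE)


if __name__ == "__main__":
    print(demo())
```

The mismatch report is the operational hook: when the MAC learned from ARP/ND for the gateway differs from the pinned one, something on the segment is answering for the gateway address, which is exactly the condition the pin is there to neutralise.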


no vlan vid  

Purpose

The purpose of that command is to delete an existing vlan.

Command 

no vlan vid  

Arguments 

vid

This is the identifier of the vlan to be deleted.

The vlan cannot be deleted if it is still associated with a Peer-Network or a Load-Balancing-Group.

There is no command “peer-network netid no vlan”; to remove the association between a Peer-Network and a vlan, it is necessary to associate a new vlan with the Peer-Network. Then the unused vlan can be deleted.

There is no command “load-balancing-group group_id no vlan”; to remove the association between a Load-Balancing-Group and a vlan, it is necessary to associate a new vlan with the Load-Balancing-Group. Then the unused vlan can be deleted.

Example 

-> no vlan 4


SIP messages received from the local IBCF on the SIP firewall trusted lpoc are sent to the peering points according to the IP ports on which the SIP messages are received.

The static mapping between the listening IP port on the trusted interface and the peering point IP addresses is described later in this document in the “Peer Networks” section.

Untrusted interface definition

The untrusted interface is facing the peer networks.

The configuration of the SIP firewall provides the ability to configure a single point of contact for all peer networks to reach the trusted IBCF. However, it is still possible to define more than one point of contact on the untrusted side.

The configuration of the “untrusted lpoc” IP addresses and IP ports is described below.

Local Point Of Contact definition

A Local Point of Contact (LPOC) is defined by the following attributes:

o A lpoc reference (1..128)

o An IP address (IPv6 or IPv4)

o The type of the interface to which the LPOC must be bound

The SIP firewall provides the ability to declare up to 128 LPOCs per interface type (trusted or untrusted).


Summary of the CLI for Trusted and Untrusted LPOC

Trusted and Untrusted LPOC

lpoc untrusted poc_id [ip ip_address] [enable | disable] [name description]

lpoc untrusted poc_id [ip ip_address] [udp [port] | tcp [port] | sctp [port] | tls [port]]

lpoc untrusted poc_id no ipv4

lpoc untrusted poc_id no ipv6

lpoc untrusted poc_id no {udp | tcp | sctp | tls}

no lpoc untrusted poc_id

lpoc trusted poc_id [ip ip_address] [enable | disable] [name description]

lpoc trusted poc_id no ipv4

lpoc trusted poc_id no ipv6

no lpoc trusted poc_id

show lpoc [trusted [poc_id] | untrusted [poc_id]]


lpoc untrusted poc_id  

Purpose

Creates an Untrusted LPOC.

Command

lpoc untrusted poc_id [ip ip_address] [enable | disable] [name sfw-fqdn]

lpoc untrusted poc_id [ip ip_address] [udp [port] | tcp [port] | sctp [port] | tls [port]]

Arguments

poc_id

The poc_id, referencing the untrusted LPOC, is later associated with one or several “peer-networks”.

ip_address

IPv4 or IPv6 address of the LPOC.

A LPOC can be dual-stack IPv4/IPv6. In that case the CLI must be run twice, once to specify the IPv4 address, once to specify the IPv6 address.

It is possible to change the IP address of the LPOC without disabling it.

The lpoc creation is rejected if there is already a poc_id with the same IP address.

sfw-fqdn

Optionally, it is possible to specify a name for the LPOC (63 characters max.).

If the peering-point sends SIP messages to the SFW with a pre-loaded Route header using a FQDN, the name of the lpoc must match this FQDN. This FQDN represents the public IP address of the firewall.

port

UDP, TCP, SCTP or TLS listening port of the LPOC. Note that the TLS port must be different from the TCP port.

enable | disable

By default the LPOC is created in the enabled state. If the LPOC is created in the disabled state, any Peer Network that references that LPOC will be unreachable until it moves to the enabled state.


If the LPOC is in the disabled state, all the IP frames with a destination IP matching the LPOC IP address are filtered by the SIP firewall.

Example

-> lpoc untrusted 8 enable name mgc8.ims32.alcatel-lucent.com 

-> lpoc untrusted 8 ip 10.7.8.5

-> lpoc untrusted 8 ip 2001:b8::10:7:8:5

-> lpoc untrusted 8 udp 5060

-> lpoc untrusted 8 tcp 5060

-> lpoc untrusted 8 tls 5061

In the above example, if a SIP INVITE received on the SFW lpoc address:port 10.7.8.5:5060 contains the following pre-loaded Route header:

Route: <sip:[email protected];lr>

then the FQDN of the pre-loaded Route matches the lpoc name and the address:port on which the message has been received, and the SIP message is accepted by the firewall.

If the FQDN were unknown, the SIP message would be dropped by the firewall.
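The accept/drop decision just described, as an added example that is not code from the guide or from the 7510-SFW: build_lpocs() folds the six “lpoc untrusted 8 …” lines above into an LPOC table, and accept() takes the firewall decision for a request, which must arrive on a configured LPOC address, port and transport and, when it carries a pre-loaded Route header with a FQDN, that FQDN must equal the LPOC name. The SIP requests below are constructed; because the guide’s own Route header is obscured in this copy, the FQDN in them is taken from the lpoc name. One assumption: a request without a Route header is judged on the address:port match alone, since the guide only constrains the FQDN case.

```python
"""Pre-loaded Route header check on an untrusted LPOC, as in the example above.

Added example, not code from the guide. The LPOC table is built from the CLI
lines of the example; the SIP requests are constructed. Assumption: without a
Route header the request is accepted on the address:port/transport match alone.
"""
import re
from ipaddress import ip_address

LPOC_CLI = [
    "lpoc untrusted 8 enable name mgc8.ims32.alcatel-lucent.com",
    "lpoc untrusted 8 ip 10.7.8.5",
    "lpoc untrusted 8 ip 2001:b8::10:7:8:5",
    "lpoc untrusted 8 udp 5060",
    "lpoc untrusted 8 tcp 5060",
    "lpoc untrusted 8 tls 5061",
]

# Host of a Route header: optional user@, bracketed IPv6 literal or FQDN, optional :port, params.
ROUTE_RE = re.compile(r"^route:\s*<sip:(?:[^@>]*@)?(\[[0-9a-f:.]+\]|[^;:>]+)(?::\d+)?[^>]*>", re.I)


def build_lpocs(lines):
    """{poc_id: {"name", "ips", "ports", "enabled"}} from 'lpoc untrusted ...' lines."""
    lpocs = {}
    for line in lines:
        tok = line.split()
        if tok[:2] != ["lpoc", "untrusted"]:
            raise ValueError(f"unsupported line: {line!r}")
        e = lpocs.setdefault(int(tok[2]), {"name": None, "ips": set(), "ports": {}, "enabled": True})
        i = 3
        while i < len(tok):
            kw = tok[i]
            if kw == "name":
                e["name"] = tok[i + 1].lower()          # DNS names compare case-insensitively
                i += 2
            elif kw == "ip":
                e["ips"].add(ip_address(tok[i + 1]))    # dual-stack: one 'ip' line per family
                i += 2
            elif kw in ("udp", "tcp", "sctp", "tls"):
                e["ports"][kw] = int(tok[i + 1])
                i += 2
            elif kw in ("enable", "disable"):
                e["enabled"] = kw == "enable"
                i += 1
            else:
                raise ValueError(f"{line!r}: unknown keyword {kw!r}")
    return lpocs


def route_host(sip_message):
    """Host of the first Route header (lower-cased, brackets stripped), or None if absent."""
    for line in sip_message.split("\r\n"):
        m = ROUTE_RE.match(line)
        if m:
            return m.group(1).strip("[]").lower()
    return None


def accept(lpocs, dst_ip, dst_port, transport, sip_message):
    """Firewall decision: True to forward the request to the IBCF, False to drop it."""
    dst = ip_address(dst_ip)
    for e in lpocs.values():
        if not e["enabled"] or dst not in e["ips"] or e["ports"].get(transport) != dst_port:
            continue                      # not this LPOC (a disabled LPOC filters everything)
        host = route_host(sip_message)
        return host is None or host == e["name"]
    return False                          # no LPOC listens on this address:port/transport


# Constructed requests; the FQDN is the lpoc name from the example above.
INVITE_OK = ("INVITE sip:peer.example SIP/2.0\r\n"
             "Route: <sip:mgc8.ims32.alcatel-lucent.com;lr>\r\n"
             "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK-1\r\n\r\n")
INVITE_BAD = INVITE_OK.replace("mgc8.ims32.alcatel-lucent.com", "other.example")
INVITE_NO_ROUTE = INVITE_OK.replace("Route: <sip:mgc8.ims32.alcatel-lucent.com;lr>\r\n", "")

if __name__ == "__main__":
    lpocs = build_lpocs(LPOC_CLI)
    print("known FQDN on udp/5060:", accept(lpocs, "10.7.8.5", 5060, "udp", INVITE_OK))
    print("unknown FQDN on udp/5060:", accept(lpocs, "10.7.8.5", 5060, "udp", INVITE_BAD))
    print("udp on the TLS port:", accept(lpocs, "10.7.8.5", 5061, "udp", INVITE_OK))
```

Note that the transport is part of the match: the TLS port 5061 does not accept plain UDP or TCP traffic, which is why the guide requires the TLS port to differ from the TCP port.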


lpoc trusted poc_id  no ipv6

Purpose

Removes the IPv6 address from an LPOC.

Command

lpoc trusted  poc_id  no ipv6

Arguments 

 poc_id

The poc_id, referencing the trusted LPOC.

no ipv6 

Specifies the IP protocol version to be removed from the LPOC. 

Example

-> lpoc trusted 1 no ipv6

lpoc trusted poc_id  no ipv4

Purpose

Removes the IPv4 address from an LPOC.

Command

lpoc trusted  poc_id  no ipv4

Arguments 

 poc_id

The poc_id, referencing the trusted LPOC.

no ipv4

Specifies the IP protocol version to be removed from the LPOC. 

Example

-> lpoc trusted 1 no ipv4


peer-net netid rpoc peering_point_id ip 

Purpose

The purpose of that command is to define the IP address of a host that is in the scope of the remote Peer Network.

Command

peer-net netid rpoc peering_point_id ip ip_address [udp [port] | tcp [port] | sctp [port] | tls [port]]

peer-net netid rpoc peering_point_id {udp [port] | tcp [port] | sctp [port] | tls [port]}

Arguments 

netid

This is the identifier of the Peer network. 

peering_point_id

The number of peering points per Peer Network differs according to the Peer Network identifier:

o When the netid is in the range [1..500], up to 63 peering points may be defined per Peer Network.

o When the netid is in the range [501..2047], only 2 peering points can be defined per Peer Network.

The same peering_point_id value can be used for different Peer Networks. The uniqueness of the peering point is guaranteed by the combination of the local peering_point_id and the reference of the Peer Network (netid).

ip_address

Defines the IPv4 or IPv6 address of the peering point.

A peering point can be dual-stack IPv4/IPv6. In that case the CLI must be run twice, once to specify the IPv4 address, once to specify the IPv6 address.

 port


The following table is an example of the routing table used by the SIP firewall when it has to route an initial SIP Request initiated by the trusted IBCF to find out the remote POC.

Trusted                Untrusted: Peer Network and Peering Point (rpoc) provisioning
Listening port on
lpoc trusted           netid  peering_point_id  ip_address      udp   tcp   tls  sctp
10101                  1      1                 10.0.10.1       5060  5060  0    0
                                                2001:31::10:1
10102                  1      2                 10.0.10.2       5060  5060  0    0
                                                2001:31::10:2
10201                  2      1                 20.0.10.1       8080  8080  0    0
                                                2001:42::20:1
10202                  2      2                 20.0.10.2       8080  8080  0    0
                                                2001:42::20:2

The associated CLI are:

-> peer-net 1 rpoc 1 ip 10.0.10.1 udp 5060

-> peer-net 1 rpoc 1 ip 2001:31::10:1

-> peer-net 1 rpoc 1 tcp

-> peer-net 1 rpoc 2 ip 10.0.10.2 udp 5060

-> peer-net 1 rpoc 2 ip 2001:31::10:2

-> peer-net 1 rpoc 2 tcp

-> peer-net 2 rpoc 1 ip 20.0.10.1 udp 8080

-> peer-net 2 rpoc 1 tcp

-> peer-net 2 rpoc 1 ip 2001:42::20:1

-> peer-net 2 rpoc 2 ip 20.0.10.2 udp 8080

-> peer-net 2 rpoc 2 ip 2001:42::20:2

-> peer-net 2 rpoc 2 tcp
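Rebuilding the routing table above from its CLI lines, as an added example that is not code from the guide or from the 7510-SFW: parse_peer_net_cli() folds the twelve “peer-net … rpoc …” lines above into rows keyed by (netid, peering_point_id), and route_from_trusted_port() answers the question the table is drawn for, namely which remote POC and ports serve an initial request received on a given trusted lpoc port. Two assumptions: the binding from trusted listening port to (netid, peering_point_id) is a constructed dict copied from the table’s first column, because the command that creates it is not on this page; and a transport keyword given without a port reuses the port already configured for that peering point, which is the reading that reproduces the table (tcp 5060 for Peer Network 1, tcp 8080 for Peer Network 2).

```python
"""Rebuild the routing table above from its CLI lines and look up a remote POC.

Added example, not code from the guide. The CLI lines are the guide's own; the
trusted-port binding is constructed from the table's first column, and a
transport without an explicit port reuses the port already set on the rpoc
(assumption consistent with the table).
"""
from ipaddress import ip_address

TRANSPORTS = ("udp", "tcp", "sctp", "tls")

# The CLI lines from the example above.
PEER_NET_CLI = """\
-> peer-net 1 rpoc 1 ip 10.0.10.1 udp 5060
-> peer-net 1 rpoc 1 ip 2001:31::10:1
-> peer-net 1 rpoc 1 tcp
-> peer-net 1 rpoc 2 ip 10.0.10.2 udp 5060
-> peer-net 1 rpoc 2 ip 2001:31::10:2
-> peer-net 1 rpoc 2 tcp
-> peer-net 2 rpoc 1 ip 20.0.10.1 udp 8080
-> peer-net 2 rpoc 1 tcp
-> peer-net 2 rpoc 1 ip 2001:42::20:1
-> peer-net 2 rpoc 2 ip 20.0.10.2 udp 8080
-> peer-net 2 rpoc 2 ip 2001:42::20:2
-> peer-net 2 rpoc 2 tcp
""".splitlines()

# Constructed: trusted listening port -> (netid, peering_point_id), the table's first column.
TRUSTED_PORT_BINDING = {10101: (1, 1), 10102: (1, 2), 10201: (2, 1), 10202: (2, 2)}


def parse_peer_net_cli(lines):
    """Fold 'peer-net N rpoc M ...' lines into {(N, M): {"ipv4", "ipv6", "ports"}}."""
    table = {}
    for line in lines:
        tok = line.split()
        if tok and tok[0] == "->":              # CLI prompt, as printed in the guide
            tok = tok[1:]
        if len(tok) < 4 or tok[0] != "peer-net" or tok[2] != "rpoc":
            raise ValueError(f"unsupported line: {line!r}")
        key = (int(tok[1]), int(tok[3]))
        row = table.setdefault(key, {"ipv4": None, "ipv6": None,
                                     "ports": dict.fromkeys(TRANSPORTS, 0)})
        i = 4
        while i < len(tok):
            kw = tok[i]
            if kw == "ip":
                addr = ip_address(tok[i + 1])
                row["ipv6" if addr.version == 6 else "ipv4"] = addr   # dual-stack: two 'ip' lines
                i += 2
            elif kw in TRANSPORTS and i + 1 < len(tok) and tok[i + 1].isdigit():
                row["ports"][kw] = int(tok[i + 1])
                i += 2
            elif kw in TRANSPORTS:
                # Assumption: no explicit port -> reuse the port already set on this rpoc.
                existing = [p for p in row["ports"].values() if p]
                if not existing:
                    raise ValueError(f"{line!r}: no port configured yet to reuse")
                row["ports"][kw] = existing[0]
                i += 1
            else:
                raise ValueError(f"{line!r}: unknown keyword {kw!r}")
    return table


def route_from_trusted_port(table, binding, trusted_port):
    """Remote POC for a request received on `trusted_port`, or None if the port is unbound."""
    key = binding.get(trusted_port)
    if key is None or key not in table:
        return None
    row = table[key]
    return {"netid": key[0], "peering_point_id": key[1],
            "ipv4": row["ipv4"], "ipv6": row["ipv6"],
            "ports": {t: p for t, p in row["ports"].items() if p}}   # enabled transports only


if __name__ == "__main__":
    table = parse_peer_net_cli(PEER_NET_CLI)
    for port in sorted(TRUSTED_PORT_BINDING):
        print(port, route_from_trusted_port(table, TRUSTED_PORT_BINDING, port))
```

A port value of 0 in the rebuilt rows means the transport is not configured for that peering point, matching the 0 entries in the tls and sctp columns of the table.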


peer-net netid rpoc peering_point_id no ipv4 

Purpose

The purpose of that command is to delete the IPv4 address of a peering point within a Peer-Network.

Command

peer-net netid rpoc peering_point_id  no  ipv4 

Arguments 

netid

This is the identifier of the Peer network. 

 peering_point_id

This is the identifier of the peering point within the Peer-Network.

Example

-> peer-net 20 rpoc 15 no ipv4

peer-net netid rpoc peering_point_id no ipv6 

Purpose

The purpose of that command is to delete the IPv6 address of a peering point within a Peer-Network.

Command

peer-net netid rpoc peering_point_id  no  ipv6 

Example

-> peer-net 20 rpoc 15 no ipv6


peer-net netid rpoc peering_point_id  no port-forwarding

Purpose

The purpose of that command is to delete the port-forwarding configuration previously defined for the NATed peering-point.

Command

peer-net netid rpoc peering_point_id  no port-forwarding 

Arguments 

netid

This is the identifier of the Peer network. 

 peering_point_id

This is the identifier of the Peering Point within the Peer Network.

Example 

-> peer-net 3 rpoc 3 no port-forwarding

Page 76: 3fz08139acaapczza_v1_sfw Cli Reference Guide - Release 3.0

7/23/2019 3fz08139acaapczza_v1_sfw Cli Reference Guide - Release 3.0

http://slidepdf.com/reader/full/3fz08139acaapczzav1sfw-cli-reference-guide-release-30 76/316

Page 77: 3fz08139acaapczza_v1_sfw Cli Reference Guide - Release 3.0

7/23/2019 3fz08139acaapczza_v1_sfw Cli Reference Guide - Release 3.0

http://slidepdf.com/reader/full/3fz08139acaapczzav1sfw-cli-reference-guide-release-30 77/316

Page 78: 3fz08139acaapczza_v1_sfw Cli Reference Guide - Release 3.0

7/23/2019 3fz08139acaapczza_v1_sfw Cli Reference Guide - Release 3.0

http://slidepdf.com/reader/full/3fz08139acaapczzav1sfw-cli-reference-guide-release-30 78/316

Page 79: 3fz08139acaapczza_v1_sfw Cli Reference Guide - Release 3.0

7/23/2019 3fz08139acaapczza_v1_sfw Cli Reference Guide - Release 3.0

http://slidepdf.com/reader/full/3fz08139acaapczzav1sfw-cli-reference-guide-release-30 79/316

Page 80: 3fz08139acaapczza_v1_sfw Cli Reference Guide - Release 3.0

7/23/2019 3fz08139acaapczza_v1_sfw Cli Reference Guide - Release 3.0

http://slidepdf.com/reader/full/3fz08139acaapczzav1sfw-cli-reference-guide-release-30 80/316

Page 81: 3fz08139acaapczza_v1_sfw Cli Reference Guide - Release 3.0

7/23/2019 3fz08139acaapczza_v1_sfw Cli Reference Guide - Release 3.0

http://slidepdf.com/reader/full/3fz08139acaapczzav1sfw-cli-reference-guide-release-30 81/316

Page 82: 3fz08139acaapczza_v1_sfw Cli Reference Guide - Release 3.0

7/23/2019 3fz08139acaapczza_v1_sfw Cli Reference Guide - Release 3.0

http://slidepdf.com/reader/full/3fz08139acaapczzav1sfw-cli-reference-guide-release-30 82/316

Page 83: 3fz08139acaapczza_v1_sfw Cli Reference Guide - Release 3.0

7/23/2019 3fz08139acaapczza_v1_sfw Cli Reference Guide - Release 3.0

http://slidepdf.com/reader/full/3fz08139acaapczzav1sfw-cli-reference-guide-release-30 83/316

Page 84: 3fz08139acaapczza_v1_sfw Cli Reference Guide - Release 3.0

7/23/2019 3fz08139acaapczza_v1_sfw Cli Reference Guide - Release 3.0

http://slidepdf.com/reader/full/3fz08139acaapczzav1sfw-cli-reference-guide-release-30 84/316

Page 85: 3fz08139acaapczza_v1_sfw Cli Reference Guide - Release 3.0

7/23/2019 3fz08139acaapczza_v1_sfw Cli Reference Guide - Release 3.0

http://slidepdf.com/reader/full/3fz08139acaapczzav1sfw-cli-reference-guide-release-30 85/316

Page 86: 3fz08139acaapczza_v1_sfw Cli Reference Guide - Release 3.0

7/23/2019 3fz08139acaapczza_v1_sfw Cli Reference Guide - Release 3.0

http://slidepdf.com/reader/full/3fz08139acaapczzav1sfw-cli-reference-guide-release-30 86/316

Page 87: 3fz08139acaapczza_v1_sfw Cli Reference Guide - Release 3.0

7/23/2019 3fz08139acaapczza_v1_sfw Cli Reference Guide - Release 3.0

http://slidepdf.com/reader/full/3fz08139acaapczzav1sfw-cli-reference-guide-release-30 87/316

Page 88: 3fz08139acaapczza_v1_sfw Cli Reference Guide - Release 3.0

7/23/2019 3fz08139acaapczza_v1_sfw Cli Reference Guide - Release 3.0

http://slidepdf.com/reader/full/3fz08139acaapczzav1sfw-cli-reference-guide-release-30 88/316

Page 89: 3fz08139acaapczza_v1_sfw Cli Reference Guide - Release 3.0

7/23/2019 3fz08139acaapczza_v1_sfw Cli Reference Guide - Release 3.0


Peer Networks show peer-net connectivity 


There is no IPv6 subnet in the definition of the vlan associated with the Peer-Network whereas there is at least one IPv6 RPOC associated with that Peer-Network.

• “NO ROUTER IP” means that the configuration is not consistent. An IP router address is required in the definition of the vlan associated with the Peer-Network, otherwise the LPOC is unreachable. A router is required in the vlan definition as soon as the vlan and the LPOC are not in the same subnet.

• “ROUTER IP NOT IN SUBNET” means that the configuration is not consistent. The router IP address in the definition of the vlan associated with the Peer-Network is not in the vlan subnet.

• “NO DEFAULT GW” means that the configuration is not consistent. An IP gateway address is required in the definition of the vlan associated with the Peer-Network, otherwise the RPOC is unreachable. A gateway is required in the vlan definition as soon as the vlan and the RPOC are not in the same subnet.

• “GATEWAY IP NOT IN SUBNET” means that the configuration is not consistent. The gateway IP address in the definition of the vlan associated with the Peer-Network is not in the vlan subnet.

• “NO RESP” means that the configuration is consistent. The MAC address of the RPOC is known but the SFW does not get any response to the ping requests.

• “TRUNK DOWN” means that the configuration is consistent. The untrusted trunk is down.

• “V6 ONLY” means that the configuration is consistent but the LPOC or RPOC are IPv6 only, thus ping v4 cannot be performed.

• “V4 ONLY” means that the configuration is consistent but the LPOC or RPOC are IPv4 only, thus ping v6 cannot be performed.
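The status strings above are mostly static configuration errors, so they can be caught before the vlan definition is pushed to the SFW. The following Python check is an added example and not code from the guide or from Alcatel-Lucent: it applies the same rules (a router is needed when an LPOC is outside the vlan subnet, a gateway when an RPOC is, both must sit in the subnet, and an IPv6 RPOC needs an IPv6 subnet) to a small constructed data model. The class and function names are assumptions; the status strings are the guide's, except V6_SUBNET_MISSING, a placeholder for the case whose label is cut off on this page. “NO RESP” and “TRUNK DOWN” are runtime states and are not modelled. Addresses are constructed.

```python
"""Peer-Network vlan consistency checks (added example, not the SFW's code)."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class PeerNetVlan:
    """Vlan definition attached to a Peer-Network (assumed data model)."""
    v4_subnet: Optional[str] = None   # CIDR, e.g. "10.7.8.0/24"
    v6_subnet: Optional[str] = None   # CIDR, e.g. "2001:db8:1::/64"
    router_ip: Optional[str] = None   # next hop towards the LPOC
    default_gw: Optional[str] = None  # next hop towards the RPOC(s)


@dataclass
class PeerNet:
    vlan: PeerNetVlan
    lpoc: List[str]                                # local points of contact (SFW side)
    rpoc: List[str] = field(default_factory=list)  # remote points of contact (peer side)


# Statuses the guide documents as "configuration is not consistent";
# V6_SUBNET_MISSING is a placeholder name for the case whose label is missing here.
INCONSISTENT = frozenset({"V6_SUBNET_MISSING", "NO ROUTER IP", "ROUTER IP NOT IN SUBNET",
                          "NO DEFAULT GW", "GATEWAY IP NOT IN SUBNET"})


def _in_vlan(addr: str, vlan: PeerNetVlan) -> bool:
    """True if addr falls inside the vlan subnet of its own address family."""
    ip = ipaddress.ip_address(addr)
    cidr = vlan.v4_subnet if ip.version == 4 else vlan.v6_subnet
    return cidr is not None and ip in ipaddress.ip_network(cidr, strict=False)


def connectivity_statuses(pn: PeerNet) -> List[str]:
    """Static part of 'show peer-net connectivity': every applicable status string."""
    statuses: List[str] = []
    vlan = pn.vlan
    # IPv6 RPOC declared but the vlan carries no IPv6 subnet
    if vlan.v6_subnet is None and any(ipaddress.ip_address(r).version == 6 for r in pn.rpoc):
        statuses.append("V6_SUBNET_MISSING")
    # A router is required as soon as an LPOC is not in the vlan subnet
    if any(not _in_vlan(a, vlan) for a in pn.lpoc) and vlan.router_ip is None:
        statuses.append("NO ROUTER IP")
    if vlan.router_ip is not None and not _in_vlan(vlan.router_ip, vlan):
        statuses.append("ROUTER IP NOT IN SUBNET")
    # A gateway is required as soon as an RPOC is not in the vlan subnet
    if any(not _in_vlan(a, vlan) for a in pn.rpoc) and vlan.default_gw is None:
        statuses.append("NO DEFAULT GW")
    if vlan.default_gw is not None and not _in_vlan(vlan.default_gw, vlan):
        statuses.append("GATEWAY IP NOT IN SUBNET")
    # Address-family coverage: single-family endpoints mean the other ping cannot run
    families = {ipaddress.ip_address(a).version for a in pn.lpoc + pn.rpoc}
    if families == {6}:
        statuses.append("V6 ONLY")
    elif families == {4}:
        statuses.append("V4 ONLY")
    return statuses


def is_consistent(pn: PeerNet) -> bool:
    """True when no status from the 'not consistent' family applies."""
    return not (set(connectivity_statuses(pn)) & INCONSISTENT)


# Constructed sample: RPOC outside the vlan, gateway present and inside the subnet
EXAMPLE = PeerNet(vlan=PeerNetVlan(v4_subnet="10.7.8.0/24", default_gw="10.7.8.1"),
                  lpoc=["10.7.8.5"], rpoc=["192.0.2.10"])

if __name__ == "__main__":
    print(connectivity_statuses(EXAMPLE), is_consistent(EXAMPLE))
```

Running the check in a pre-change pipeline turns the "NO DEFAULT GW" and "GATEWAY IP NOT IN SUBNET" cases into a failed validation instead of a Peer-Network that comes up unreachable.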


Peer Networks  show peer-net [netid] statistics [trusted | untrusted]


Level 2: Pass 1 success per SIP operation

This table contains Level 2 statistics. It provides details on the messages counted in pass1SipSuccess of the “Level 1” statistics.

| Counters | Definitions | Valid for Untrusted | Valid for Trusted |
| --- | --- | --- | --- |
| pass1SipSuccessInitialInvite | Number of initial INVITE that have been successful in Pass 1 | yes | yes |
| pass1SipSuccessInitialNonInvite | Number of initial non-INVITE that have been successful in Pass 1 (out of dialog) | yes | yes |
| pass1SipSuccessSubsequentReq | Number of subsequent transactions that have been successful in Pass 1 (in dialog) | yes | yes |
| pass1SipSuccessResponse | Number of Responses that have been successful in Pass 1 (in and out of dialog) | yes | yes |

Level 2: Pass 2 drop per reason

This table contains Level 2 statistics for dropped messages. It provides details on the messages counted in pass2Drop of the “Level 1” statistics.

| Counters | Definitions | Valid for Untrusted | Valid for Trusted |
| --- | --- | --- | --- |
| pass2DropRateLimiting | Number of out-of-dialog transactions dropped due to method rate limiting (all QoS and methods) | yes | no |
| pass2DropMalformed | Number of SIP messages dropped due to malformed header: parsing error, mandatory header missing, etc. | yes | yes |
| pass2DropConfigMismatch | Number of SIP frames dropped due to configuration mismatch | yes | yes |
| pass2DropSuspicious | Number of SIP messages dropped due to suspect format, e.g. oai missing or unknown | yes | yes |
| pass2DropAdmControlReject | Number of SIP messages rejected by the admission control (all QoS and message types) | yes | no |
| pass2DropFsmCheckOOSequence | Number of SIP messages rejected because considered Out Of Sequence | yes | yes |
| pass2DropFsmCheckRetryCounterExhausted | Number of SIP messages dropped because the maximum number of retries has been reached | yes | yes |
| pass2DropInDialogOutOfResources | Number of SIP in-dialog messages rejected because of a resource problem | yes | yes |
| pass2DropInDialogOverRate | Number of SIP in-dialog messages rejected because considered as over-rate | yes | no |
| pass2DropCheckHeaderRegeneration | SIP messages dropped due to an error while parsing the headers that are changed by the Firewall | yes | yes |

Level 3: Pass 2 drop suspicious

This table contains the Level 3 statistics for dropped messages. It provides details on the messages counted in pass2DropSuspicious of the “Level 2: Pass 2 drop per reason” statistics.

| Counters | Definitions | Valid for Untrusted | Valid for Trusted |
| --- | --- | --- | --- |
| pass2DropSuspiciousInitialInvite | Number of SIP INVITE messages dropped due to suspect format, e.g. oai missing or unknown | yes | yes |
| pass2DropSuspiciousInitialNonInvite | Number of SIP non-INVITE messages dropped due to suspect format, e.g. oai missing or unknown | yes | yes |


Level 2: Pass 2 Admission Control Invite per QoS

This table contains Level 2 statistics for INVITE messages received and submitted to the Admission Control. It provides details on the messages counted in pass2AdmCtlCall of the “Level 1” statistics, per QoS level.

| Counters | Definitions | Valid for Untrusted | Valid for Trusted |
| --- | --- | --- | --- |
| pass2AdmCtlCallQos0 | Number of SIP messages submitted to the admission control for initial INVITE in QOS0 | yes | no |
| pass2AdmCtlCallQos1 | Number of SIP messages submitted to the admission control for initial INVITE in QOS1 | yes | no |
| pass2AdmCtlCallQos2 | Number of SIP messages submitted to the admission control for initial INVITE in QOS2 | yes | no |
| pass2AdmCtlCallQos3 | Number of SIP messages submitted to the admission control for initial INVITE in QOS3 | yes | no |
| pass2AdmCtlCallQos4 | Number of SIP messages submitted to the admission control for initial INVITE in QOS4 | yes | no |
| pass2AdmCtlCallQos5 | Number of SIP messages submitted to the admission control for initial INVITE in QOS5 | yes | no |
| pass2AdmCtlCallQos6 | Number of SIP messages submitted to the admission control for initial INVITE in QOS6 | yes | no |
| pass2AdmCtlCallQos7 | Number of SIP messages submitted to the admission control for initial INVITE in QOS7 | yes | no |

Level 2: Pass 2 Admission Control Invite drop per QoS

This table contains the Level 2 statistics for messages received, submitted to the Admission Control and dropped. It provides details on the messages counted in pass2AdmCtlCall of the “Level 1” statistics, per QoS level.

| Counters | Definitions | Valid for Untrusted | Valid for Trusted |
| --- | --- | --- | --- |
| pass2AdmCtlCallDropQos0 | Number of calls rejected because the INVITE rate is greater than the available rate on the trusted side for QOS0 | yes | no |
| pass2AdmCtlCallDropQos1 | Number of calls rejected because the INVITE rate is greater than the available rate on the trusted side for QOS1 | yes | no |
| pass2AdmCtlCallDropQos2 | Number of calls rejected because the INVITE rate is greater than the available rate on the trusted side for QOS2 | yes | no |
| pass2AdmCtlCallDropQos3 | Number of calls rejected because the INVITE rate is greater than the available rate on the trusted side for QOS3 | yes | no |
| pass2AdmCtlCallDropQos4 | Number of calls rejected because the INVITE rate is greater than the available rate on the trusted side for QOS4 | yes | no |
| pass2AdmCtlCallDropQos5 | Number of calls rejected because the INVITE rate is greater than the available rate on the trusted side for QOS5 | yes | no |
| pass2AdmCtlCallDropQos6 | Number of calls rejected because the INVITE rate is greater than the available rate on the trusted side for QOS6 | yes | no |
| pass2AdmCtlCallDropQos7 | Number of calls rejected because the INVITE rate is greater than the available rate on the trusted side for QOS7 | yes | no |


Example 

-> show peer-net statistics untrusted

UNTRUSTED SIDE LEVEL 1 STATISTICS

...

pass1Drop : 313

...

pass2Drop : 964

...

pass2MethodRateDrop : 260

...

Level 2 statistics pass1Drop

pass1Drop : 313

pass1DropMalformed : 209

pass1DropSuspicious : 104

Level 3 pass1DropSuspicious

pass1DropSuspicious : 104

pass1DropSuspiciousSubsequentReq : 1

pass1DropSuspiciousResponse : 2

pass1DropSuspiciousBYE : 100

pass1DropSuspiciousCANCEL : 1

Level 2 statistics pass2Drop per reason

pass2Drop : 964

pass2DropRateLimiting : 260

pass2DropMalformed : 704

Level 2 statistics pass2MethodRateDrop per SIP method

pass2MethodRateDrop : 260

pass2MethodRateDropInvite : 260

Level 2 statistics pass2MethodRateDrop per QOS

pass2MethodRateDrop : 260

pass2MethodRateDropQos0 : 260
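The counters in the tables above are cumulative and the same counter is repeated as the heading of each lower level, which is what makes the output easy to post-process. The script below is an added example, not code from the guide or from Alcatel-Lucent: it parses the counter lines of `show peer-net statistics`, computes the per-interval increase between two polls, and flags the patterns an operations team would want a ticket for, using the Level 1/2/3 counter names documented above. The first poll is the guide's example output reproduced as a string; the second poll and the alert thresholds are constructed.

```python
"""Parse and review 'show peer-net statistics' output (added example, not the SFW's code)."""
import re
from typing import Dict, List

COUNTER_RE = re.compile(r"^\s*([A-Za-z0-9]+)\s*:\s*(\d+)\s*$")

# The guide's example output, pasted verbatim (constructed: the '...' lines stand for elided counters)
SAMPLE_POLL_1 = """\
UNTRUSTED SIDE LEVEL 1 STATISTICS
...
pass1Drop : 313
...
pass2Drop : 964
...
pass2MethodRateDrop : 260
Level 2 statistics pass1Drop
pass1Drop : 313
pass1DropMalformed : 209
pass1DropSuspicious : 104
Level 3 pass1DropSuspicious
pass1DropSuspicious : 104
pass1DropSuspiciousSubsequentReq : 1
pass1DropSuspiciousResponse : 2
pass1DropSuspiciousBYE : 100
pass1DropSuspiciousCANCEL : 1
Level 2 statistics pass2Drop per reason
pass2Drop : 964
pass2DropRateLimiting : 260
pass2DropMalformed : 704
Level 2 statistics pass2MethodRateDrop per SIP method
pass2MethodRateDrop : 260
pass2MethodRateDropInvite : 260
Level 2 statistics pass2MethodRateDrop per QOS
pass2MethodRateDrop : 260
pass2MethodRateDropQos0 : 260
"""


def parse_counters(text: str) -> Dict[str, int]:
    """Map counter name -> value. A counter repeated as the header of a lower
    level carries the same value, so keeping the last occurrence is safe."""
    counters: Dict[str, int] = {}
    for line in text.splitlines():
        m = COUNTER_RE.match(line)
        if m:
            counters[m.group(1)] = int(m.group(2))
    return counters


def delta(prev: Dict[str, int], cur: Dict[str, int]) -> Dict[str, int]:
    """Per-interval increase of cumulative counters (a counter reset shows up as negative)."""
    return {k: v - prev.get(k, 0) for k, v in cur.items()}


def _share(num: int, den: int) -> float:
    return num / den if den else 0.0


def review(c: Dict[str, int], min_drops: int = 100, ratio: float = 0.5) -> List[str]:
    """Findings worth a ticket; thresholds are constructed defaults, not the guide's."""
    findings: List[str] = []
    # 1. Pass-2 drops dominated by malformed SIP (parsing errors, missing mandatory headers)
    p2, mal = c.get("pass2Drop", 0), c.get("pass2DropMalformed", 0)
    if p2 >= min_drops and _share(mal, p2) >= ratio:
        findings.append(f"malformed SIP is {_share(mal, p2):.0%} of pass-2 drops ({mal}/{p2})")
    # 2. Suspicious pass-1 drops concentrated on one method: the Level 3 breakdown names it
    sus = c.get("pass1DropSuspicious", 0)
    children = {k: v for k, v in c.items()
                if k.startswith("pass1DropSuspicious") and k != "pass1DropSuspicious"}
    if sus >= min_drops and children:
        top, n = max(children.items(), key=lambda kv: kv[1])
        if _share(n, sus) >= 0.9:
            method = top[len("pass1DropSuspicious"):]
            findings.append(f"{_share(n, sus):.0%} of suspicious pass-1 drops are {method} ({n}/{sus})")
    # 3. Consistency: rate-limiting drops must equal the method-rate breakdown total
    rl, mr = c.get("pass2DropRateLimiting", 0), c.get("pass2MethodRateDrop", 0)
    if rl != mr:
        findings.append(f"pass2DropRateLimiting={rl} but pass2MethodRateDrop={mr}: breakdown incomplete")
    return findings


if __name__ == "__main__":
    for line in review(parse_counters(SAMPLE_POLL_1)):
        print(line)
```

On the guide's example the review reports that 73% of the pass-2 drops are malformed messages and that 96% of the suspicious pass-1 drops are BYE requests, which is the kind of concentration that points at one misbehaving peer rather than at background noise.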


security-profile profile_id  out-of-dialog method-rate

Purpose

The following CLI command has several purposes:

• it configures the SIP method rate limit for transactions that take place out of a dialog. This can be the case for REGISTER, INFO, MESSAGE, OPTIONS, PUBLISH, NOTIFY.

• it configures the transaction rate limit for non-INVITE dialogs. This can be the case for RCS scenarios with SUBSCRIBE, REFER, NOTIFY.

• it configures the SIP transaction rate per method applied when the dialog tracking context has been removed from the SFW. This situation may happen either because a switchover occurred or because of dialog tracking aging due to resource limitation.

Command 

security-profile  profile_id  out-of-dialog method-rate all messages_per_sec

security-profile  profile_id  out-of-dialog method-rate

{ register messages_per_sec | info messages_per_sec |

message messages_per_sec | notify messages_per_sec |

options messages_per_sec | publish messages_per_sec |

subscribe messages_per_sec | refer messages_per_sec |

update messages_per_sec | bye messages_per_sec |

prack messages_per_sec } 

Arguments 

 profile_id

This is the identifier of the Security-Profile.

all

Specifies that all SIP methods listed above, outside an INVITE dialog, have the same rate

limiter. If “all” is not specified, then it is possible to define a specific rate limiter per

method.


security-profile profile_id  out-of-dialog no method-rate

Purpose

The following CLI command removes the SIP method rate limiter applied previously.

Command 

security-profile  profile_id  out-of-dialog no method-rate all

security-profile  profile_id  out-of-dialog no method-rate

{ register | info | message | notify | options | publish | subscribe | refer |

update | bye | prack } 

Arguments 

 profile_id

This is the identifier of the Security-Profile.

all

Specifies that all SIP methods listed above, outside an INVITE dialog, have their rate

limiter removed. This means that the default value 0 is applied for all SIP methods and

thus forbidden.

If the attribute “all” is not specified, it is possible to remove the rate limiter for a specific SIP method.

Example 

-> security-profile 2 out-of-dialog no method-rate register
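The two commands above (`out-of-dialog method-rate` and `out-of-dialog no method-rate`) describe a per-method limiter in which “all” sets every listed method at once and removing a limiter falls back to the default of 0 messages per second, i.e. the method is forbidden. The class below is an added example, not code from the guide or from Alcatel-Lucent: a token-bucket model of that behaviour that a practitioner can use to reason about what a given `messages_per_sec` value lets through. The burst size (one second's worth of tokens), the method names accepted and the timestamps used are assumptions.

```python
"""Out-of-dialog per-method rate limiter (added example, not the SFW's code)."""
from typing import Dict, Tuple

# Methods the command accepts, per the syntax above
METHODS = ("REGISTER", "INFO", "MESSAGE", "NOTIFY", "OPTIONS", "PUBLISH",
           "SUBSCRIBE", "REFER", "UPDATE", "BYE", "PRACK")


class OutOfDialogMethodRate:
    def __init__(self) -> None:
        self.rate: Dict[str, int] = {m: 0 for m in METHODS}       # 0 = forbidden (default)
        self._tokens: Dict[str, float] = {m: 0.0 for m in METHODS}
        self._last: Dict[str, float] = {m: 0.0 for m in METHODS}
        self.dropped = 0  # what pass2DropRateLimiting would count

    def _targets(self, method: str) -> Tuple[str, ...]:
        if method.lower() == "all":
            return METHODS
        m = method.upper()
        if m not in self.rate:
            raise ValueError(f"{method}: not an out-of-dialog method")
        return (m,)

    def method_rate(self, method: str, messages_per_sec: int) -> None:
        """security-profile <id> out-of-dialog method-rate {all | <method>} messages_per_sec"""
        if messages_per_sec < 0:
            raise ValueError("rate must be >= 0")
        for m in self._targets(method):
            self.rate[m] = messages_per_sec
            self._tokens[m] = float(messages_per_sec)  # bucket starts full (assumed burst = 1 s)

    def no_method_rate(self, method: str) -> None:
        """security-profile <id> out-of-dialog no method-rate {all | <method>}: back to 0"""
        self.method_rate(method, 0)

    def admit(self, method: str, now: float) -> bool:
        """Decide one out-of-dialog transaction of `method` arriving at time `now` (seconds)."""
        m = method.upper()
        if m not in self.rate:
            return False  # not handled by this limiter
        limit = self.rate[m]
        if limit == 0:
            self.dropped += 1  # default or removed limiter: the method is forbidden
            return False
        elapsed = max(0.0, now - self._last[m])
        self._last[m] = now
        # refill at `limit` tokens per second, capped at one second's worth
        self._tokens[m] = min(float(limit), self._tokens[m] + elapsed * limit)
        if self._tokens[m] >= 1.0:
            self._tokens[m] -= 1.0
            return True
        self.dropped += 1
        return False


if __name__ == "__main__":
    lim = OutOfDialogMethodRate()
    lim.method_rate("all", 5)          # "out-of-dialog method-rate all 5"
    lim.no_method_rate("register")     # "out-of-dialog no method-rate register"
    print([lim.admit("OPTIONS", 1.0) for _ in range(6)], lim.admit("REGISTER", 1.0), lim.dropped)
```

The point to take from the model is the one the “all” argument description makes: after `no method-rate all` nothing out of dialog is admitted until a rate is configured again, so removing a limiter is a stricter setting, not a more permissive one.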


security-profile profile_id  sip thig

Purpose

The purpose of this command is to enable or disable the Topology Hiding.

The SIP Firewall performs topology hiding (THIG) on all SIP Request and response that

are initiated by the private network so that peering networks cannot see IP addresses, port

numbers, host names of internal network elements.

THIG is performed by ciphering all private URIs found in the outgoing SIP messages. Similarly, all ciphered headers found in incoming SIP messages are deciphered.

For the SIP headers Via, Route, Record-Route, a fixed pattern is appended to the end of each ciphered text: “tokenized-by=sfw.net”.

The domain name “sfw.net” is the default value. It can be modified via a configuration specified in the sitecfg.sfw. See the paragraph Part I:23 How to configure the SFW SITE specific parameters.

Command 

security-profile  profile_id  sip thig

security-profile  profile_id  no sip thig 

Arguments

 profile_id

This is the identifier of the Security-Profile. Remember that a Security-Profile and a Peer-Network are associated via the CLI command “peer-network netid security-profile profile_id”.

sip thig

Enable THIG towards the Peer-Networks associated with the specified profile_id .

no sip thig

Disable THIG towards the Peer-Networks associated with the specified profile_id .


Complementary Information 

1. For the following headers: Request-Line, From, To, Diversion, History-Info, P-Asserted-Identity, only the host-port part of the URI (either a host-name or an IP address) is ciphered.

Example:

Before THIG:

From: Alice <sip:[email protected]:50001;p=abc>;tag=dftghjhg

After THIG:

From: Alice

<sip:alice@5ZW02glU6kTzZkpYJdXK2vQMTEf;p=abc>;tag=dftghjhg

2. For the Contact header, the whole addr-spec value is ciphered and the public IP address of the SIP Firewall is appended. This allows routing of subsequent requests coming from the untrusted side using the REQUEST-URI.

Example:

Before THIG:

Contact: "Mr Smith" <sip:[email protected];transport=tcp>;q=0.7;

expires=3600

After THIG, it will give:

Contact: "Mr Smith"

<sip:[email protected]>;q=0.7;

expires=3600

3. For the following headers: Via, Route, Record-Route, Path, Service-Route, the whole field value is ciphered. Moreover, multiple headers with the same field name are ciphered into a single one. This allows the topology hiding requirements of Section 5.10.4 of 3GPP 24.229 to be followed.

Example:

Before THIG:

Via: SIP/2.0/UDP 10.7.8.5:5060;branch=z9hG4bK-14755-1-

0;oai=yyyy7vbsKa+53ryUDHyyyy7y+mY4y

Via: SIP/2.0/UDP 192.168.2.50:50001;branch=z9hG4bK-9119-1-0

After THIG, it will give a single header line. This is possible as long as the resulting

string is short enough to be contained in a single header line:


Via: SIP/2.0/UDP 5P0gx7l4PkTRfgTy-

gHyujyYr.TghRgrESXpmMDg0zhQ1BP3s8CDoft4Fsg2bBe-

sxARl.SD7YU2Mf;tokenized-by=sfw.net;branch=z9hG4bK-45

List of (de-)ciphered Headers

Ciphering or deciphering of headers depends on the message origin, the kind of message (Request/Response), and the dialog originator. The following table shows the list of ciphered/deciphered headers according to each of the preceding conditions. The marks are given in the order: ciphering in outgoing messages (request, response), deciphering in incoming messages (request, response).

Headers: ciphering in outgoing messages (request, response); deciphering in incoming messages (request, response)

Request-Line: X

Contact: X X

From: if dialog origin is trusted; X

To: if dialog origin is trusted; X

Record-Route: X X X X

Route: X X

Via: X X X

Diversion: X X X

History-Info: X X X

P-Asserted-Identity: X
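The three rules in the Complementary Information (host-port only for From/To/Request-Line/P-Asserted-Identity, whole addr-spec plus the SFW public IP for Contact, whole value with several headers merged and `tokenized-by=sfw.net` appended for Via/Route/Record-Route) can be followed end to end in code. The module below is an added example and not the SFW's implementation: the guide does not document the cipher it uses, so `tokenize` is a placeholder reversible construction (HMAC-SHA256 as a PRF in counter mode, encrypt-then-MAC, base64url with `_` mapped to `.`) chosen only so that the output is made of characters legal in a SIP host token. The key, the addresses, the branch values and the decision to keep the transport part of the Via in clear (as in the guide's Via example) are assumptions.

```python
"""Topology hiding (THIG) header rewriting, added example (not the SFW's code)."""
import base64
import hashlib
import hmac
import os
import re
from typing import List, Optional

TOKENIZED_BY = "sfw.net"  # default domain from the guide
# scheme, optional user, host-port, remainder of the field value
URI_RE = re.compile(r"(sips?:)(?:([^@<>;]+)@)?([^;<>?\s]+)(.*)")


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out = b""
    for ctr in range((n + 31) // 32):
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]


def tokenize(key: bytes, plain: str, nonce: Optional[bytes] = None) -> str:
    """Reversible, authenticated token: base64url(nonce || ct || tag), '_' mapped to '.'.
    Placeholder construction; the SFW's own cipher is not documented in the guide."""
    nonce = os.urandom(8) if nonce is None else nonce
    data = plain.encode()
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:8]
    return base64.urlsafe_b64encode(nonce + ct + tag).decode().rstrip("=").replace("_", ".")


def detokenize(key: bytes, token: str) -> str:
    """Inverse of tokenize; raises ValueError for forged, foreign or non-token input."""
    t = token.replace(".", "_")
    raw = base64.urlsafe_b64decode(t + "=" * (-len(t) % 4))
    nonce, ct, tag = raw[:8], raw[8:-8], raw[-8:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()[:8]):
        raise ValueError("not a token issued with this key")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))).decode()


def _rewrite_hostport(field_value: str, new_hostport) -> str:
    """Replace the host-port of the first URI in the field value (callable or literal)."""
    def repl(m):
        hp = new_hostport(m.group(3)) if callable(new_hostport) else new_hostport
        user = f"{m.group(2)}@" if m.group(2) else ""
        return f"{m.group(1)}{user}{hp}{m.group(4)}"
    return URI_RE.sub(repl, field_value, count=1)


def thig_host_port(key: bytes, field_value: str) -> str:
    """Rule 1: From/To/Request-Line/Diversion/History-Info/P-Asserted-Identity."""
    return _rewrite_hostport(field_value, lambda hp: tokenize(key, hp))


def unthig_host_port(key: bytes, field_value: str) -> str:
    def undo(hp: str) -> str:
        try:
            return detokenize(key, hp)
        except ValueError:
            return hp  # not ours: leave untouched
    return _rewrite_hostport(field_value, undo)


def thig_contact(key: bytes, field_value: str, sfw_public_ip: str) -> str:
    """Rule 2: whole addr-spec ciphered, SFW public IP appended as the host."""
    m = re.search(r"<([^>]+)>", field_value)
    if not m:
        return field_value
    token = tokenize(key, m.group(1))
    return f"{field_value[:m.start()]}<sip:{token}@{sfw_public_ip}>{field_value[m.end():]}"


def unthig_contact(key: bytes, field_value: str) -> str:
    m = re.search(r"<sip:([^@>]+)@[^>]+>", field_value)
    if not m:
        return field_value
    try:
        return f"{field_value[:m.start()]}<{detokenize(key, m.group(1))}>{field_value[m.end():]}"
    except ValueError:
        return field_value


def thig_via(key: bytes, via_values: List[str], new_branch: str) -> str:
    """Rule 3: all Via values collapse into one ciphered Via tagged tokenized-by=sfw.net."""
    transport = via_values[0].split()[0]  # e.g. SIP/2.0/UDP, kept in clear (assumption)
    merged = "\n".join(via_values)
    return f"{transport} {tokenize(key, merged)};tokenized-by={TOKENIZED_BY};branch={new_branch}"


def unthig_via(key: bytes, field_value: str) -> List[str]:
    m = re.match(r"\S+\s+([^;]+);tokenized-by=" + re.escape(TOKENIZED_BY), field_value)
    return detokenize(key, m.group(1)).split("\n") if m else [field_value]
```

The authentication tag is what makes the deciphering side safe: an incoming header carrying a token the SFW never issued (or one issued with a different key) fails the tag check and is left as it is instead of being turned into an internal address.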


security-profile profile_id  route-reorder

Purpose

The purpose of this command is to enable or disable the option to allow disordered Route headers in subsequent requests from peer networks.

There must be Route headers in subsequent requests from the peer network, as the SIP Firewall has already announced the route set in the previous transaction through Record-Route headers. In the request from peer networks, the Route headers should be in order: the top one points to the lpoc at the untrusted side of the SIP Firewall, the second one points to the rpoc at the trusted side of the SIP Firewall.

Unfortunately, some external SIP devices do not follow RFC 3261 very well and may send subsequent requests with disordered Route headers. To tolerate this kind of behavior, the option route-reorder is added.

Command 

security-profile  profile_id  route-reorder

security-profile  profile_id  no route-reorder 

Arguments

 profile_id

This is the identifier of the Security-Profile. Remember that a Security-Profile and a Peer-Network are associated via the CLI command “peer-network netid security-profile profile_id”.

route-reorder

Enable the option to accept disordered Route headers in subsequent requests from Peer-Networks associated with the specified profile_id.

no route-reorder

Disable the option to accept disordered Route headers in subsequent requests from Peer-Networks associated with the specified profile_id.


security-profile profile_id  ringing-timer duration

Purpose

The purpose of this command is to configure, in seconds, the maximum duration of the ringing time. This is the duration an initial INVITE transaction can stay in the Ringing state waiting for a final response.

This setting becomes effective when the security-profile is associated with the peer-network.

Command 

security-profile  profile_id  ringing-timer duration 

Arguments

 profile_id

This is the identifier of the Security-Profile. Remember that a Security-Profile and a Peer-Network are associated via the CLI command “peer-network netid security-profile profile_id”.

duration 

The Ringing timer can be set, in seconds, in the range from 30 to 300.

The default value is 180 seconds.

Example 

-> security-profile 20 duration 360


security-profile profile_id  clone profile_id 

Purpose

The following CLI command allows creation of a new security-profile by copying an existing one.

Command 

security-profile  profile_id2  clone profile_id1

Arguments 

 profile_id2

This is the identifier of the new Security-Profile to be created.

The identifier must be in the range 1-32.

 profile_id1

This is the identifier of the already existing Security-Profile used as template to create the

clone.

Example 

-> security-profile 20 clone 19


security-profile profile_id  fqdn-in-from thig

Purpose

The purpose of this command is to enable or disable the Topology Hiding for From and P-Asserted-Identity headers when their host part is a host-name.

When the host part is an IP address, From and P-Asserted-Identity headers are always ciphered.

“fqdn-in-from thig” only takes effect when “sip thig” is enabled.

Command 

security-profile  profile_id  fqdn-in-from thig

security-profile  profile_id  no fqdn-in-from thig 

Arguments

 profile_id

This is the identifier of the Security-Profile. Remember that a Security-Profile and a Peer-Network are associated via the CLI command “peer-network netid security-profile profile_id”.

fqdn-in-from thig 

Enable THIG for From and P-Asserted-Identity headers whose host part is a host name when sending messages to Peer-Networks associated with the specified profile_id.

no fqdn-in-from thig 

Disable THIG for From and P-Asserted-Identity headers whose host part is a host name when sending messages to Peer-Networks associated with the specified profile_id.


security-profile profile_id  sip route-mode

Purpose

The purpose of this command is to specify whether the SFW adds Record-Route headers in messages sent to Peer-Networks.

If the SFW doesn’t send Record-Route headers to Peer-Networks, the oai is contained in the Contact header. To ensure that subsequent in-dialog requests from Peer-Networks can successfully arrive at the SFW, if SIP THIG is disabled the SFW untrusted lpoc IP is put into the host part of the Contact header. The original host part is saved as a private parameter of the Contact header.

Command 

security-profile  profile_id  sip route-mode record-route

security-profile  profile_id  sip route-mode contact

Arguments

profile_id

This is the identifier of the Security-Profile. Remember that a Security-Profile and a Peer-Network are associated via the CLI command “peer-network netid security-profile profile_id”.

sip route-mode record-route 

Messages sent to Peer-Networks associated with the specified profile_id have Record-Route headers.

sip route-mode contact

Messages sent to Peer-Networks associated with the specified profile_id don’t have Record-Route headers. The oai is put into the Contact header.


security-profile profile_id  private_ip

Purpose

The purpose of this command is to specify whether the SFW adds the private IP (lpoc untrusted IP) in From/P-AID/To/Contact headers in messages sent to Peer-Networks.

For requests (e.g., INVITE/re-INVITE/UPDATE/ACK/BYE/PRACK/CANCEL) sent from the trusted side to the untrusted side which contain a From/P-AID/Contact header with the MGC-8 private IP/port in the host part, the SFW should put the SFW public IP/port into the host part and the MGC-8 private IP/port as a From/P-AID/Contact URI parameter when THIG is disabled.

For requests (e.g., INVITE/re-INVITE/UPDATE/ACK/BYE/PRACK/CANCEL) sent from the trusted side to the untrusted side which contain a From/P-AID header with a tokenized string in the host part, the SFW should put the SFW public IP/port into the host part and the tokenized string as a From/P-AID URI parameter when THIG is enabled.

For responses (1xx-6xx) to an initial INVITE from untrusted to trusted, received from the MGC-8, which contain a Contact header with the MGC-8 private IP/port in the host part, the SFW should put the SFW public IP/port into the host part and the MGC-8 private IP/port as a Contact URI parameter.

Command 

security-profile profile_id private_ip

security-profile profile_id no private_ip

Arguments

 profile_id

This is the identifier of the Security-Profile. Remember that a Security-Profile and a Peer-Network are associated via the CLI command “peer-network netid security-profile profile_id”.

 private_ip

Add private ip in From/P-AID/To headers in messages sent to Peer-Networks.

no private_ip

Do not add private ip in From/P-AID/To headers in messages sent to Peer-

 Networks..
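The rewriting described above for the private_ip setting, as an added Python example that is not part of the CLI guide or of the SFW software: it replaces the MGC-8 private IP/port in the host part of the From, To, Contact and P-Asserted-Identity (P-AID) URIs of a constructed INVITE with the SFW public IP/port and, when private_ip is on, keeps the original host:port as a URI parameter. The parameter name x-private-ip, the addresses, the INVITE itself and the behaviour under no private_ip (host replaced, private address dropped entirely) are assumptions made for this example; the guide does not name the parameter. The same function serves the tokenized-host case (THIG enabled), since whatever sits in the host part is moved into the parameter.

```python
import re

# Header names the guide lists for this command (P-AID = P-Asserted-Identity).
REWRITTEN_HEADERS = {"from", "to", "contact", "p-asserted-identity"}

# Matches the name-addr form "<sip:user@host[:port][;uri-params]>"; an IPv6
# literal host "[...]" is accepted.  Assumption: the header carries a <...>
# enclosed URI, which is how the constructed sample below is written.
_URI_RE = re.compile(
    r"(?P<pre><sips?:(?:[^@>]*@)?)"
    r"(?P<host>\[[^\]]+\]|[^;:>]+)"
    r"(?::(?P<port>\d+))?"
    r"(?P<params>(?:;[^>]*)?)>"
)


def rewrite_header(value, public_host, public_port, private_hosts,
                   private_ip=True, param_name="x-private-ip"):
    """Return the header value with the SFW public IP/port in the host part.

    Only URIs whose host is one of private_hosts (the MGC-8 private IPs, or
    the tokenized string when THIG is enabled) are rewritten.  With
    private_ip=True the original host:port is appended as a URI parameter;
    param_name is an assumption, the guide does not name it.  With
    private_ip=False (the 'no private_ip' setting) the host is replaced and
    nothing about the private address is kept (assumption).
    """
    m = _URI_RE.search(value)
    if m is None or m.group("host") not in private_hosts:
        return value
    host, port, params = m.group("host"), m.group("port"), m.group("params") or ""
    if private_ip:
        original = host if port is None else f"{host}:{port}"
        params += f";{param_name}={original}"
    rewritten = f"{m.group('pre')}{public_host}:{public_port}{params}>"
    return value[:m.start()] + rewritten + value[m.end():]


def rewrite_message(msg, public_host, public_port, private_hosts, private_ip=True):
    """Apply rewrite_header to every From/To/Contact/P-Asserted-Identity
    header of a SIP message (CRLF line ends, optional body after a blank line).
    Header names are compared case-insensitively; other lines pass unchanged."""
    head, sep, body = msg.partition("\r\n\r\n")
    out = []
    for line in head.split("\r\n"):
        name, colon, val = line.partition(":")
        if colon and name.strip().lower() in REWRITTEN_HEADERS:
            val = rewrite_header(val, public_host, public_port, private_hosts, private_ip)
        out.append(name + colon + val)
    return "\r\n".join(out) + sep + body


# Constructed addresses: SFW public side and the MGC-8 private IP.
SFW_PUBLIC_IP, SFW_PUBLIC_PORT = "203.0.113.10", 5061
MGC8_PRIVATE_IPS = {"10.20.30.40"}

# Constructed sample: an INVITE as the MGC-8 (trusted side) sends it, with its
# private IP/port in the From, P-Asserted-Identity and Contact URIs.  The To
# URI points at the untrusted peer and must be left alone.
SAMPLE_INVITE = (
    "INVITE sip:bob@198.51.100.7 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 10.20.30.40:5060;branch=z9hG4bK776asdhds\r\n"
    'From: "Alice" <sip:alice@10.20.30.40:5060;transport=udp>;tag=1928301774\r\n'
    "To: <sip:bob@198.51.100.7>\r\n"
    "P-Asserted-Identity: <sip:+15551234567@10.20.30.40:5060>\r\n"
    "Contact: <sip:alice@10.20.30.40:5060>\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

if __name__ == "__main__":
    print(rewrite_message(SAMPLE_INVITE, SFW_PUBLIC_IP, SFW_PUBLIC_PORT, MGC8_PRIVATE_IPS))
    print(rewrite_message(SAMPLE_INVITE, SFW_PUBLIC_IP, SFW_PUBLIC_PORT,
                          MGC8_PRIVATE_IPS, private_ip=False))
```

Running the script prints the INVITE twice, once per setting; with private_ip the untrusted peer still learns the MGC-8 address from the URI parameter, which is the trade-off this command exists to control. The Via header, which the example does not touch, would also need rewriting by a real topology-hiding function.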


show security-profile profile_id  

Purpose

Displays the Security-Profile configuration. 

Command 

show security-profile  [ profile_id ]

Arguments 

 profile_id

This is the identifier of the Security-Profile to be displayed. If profile_id  is not specified,

all Security Profiles are displayed.

Example 

-> show security-profile 19
Profile id : 19
Name :
INVITE in-dialog accepted methods : INFO MESSAGE NOTIFY PUBLISH SUBSCRIBE OPTIONS
INVITE in-dialog forbidden methods :
REGISTER out-of-dialog rate : 1000
INFO out-of-dialog rate : 1000
MESSAGE out-of-dialog rate : 1000
NOTIFY out-of-dialog rate : 1000
PUBLISH out-of-dialog rate : 1000
SUBSCRIBE out-of-dialog rate : 1000
REFER out-of-dialog rate : 1000
UPDATE out-of-dialog rate : 1000
BYE out-of-dialog rate : 1000
PRACK out-of-dialog rate : 1000
OPTIONS out-of-dialog rate : 1000
INVITE dialog setup rate : 1000
INVITE in-dialog transaction rate : 10
T1 timer : 100
INVITE fork-response : 32
INVITE fork-timer (TM) : 64
THIG : yes


7  TLS feature overview

Introduction

TLS usage rationale

The primary goal of the TLS protocol is to provide privacy and data integrity for the SIP flows exchanged between the SIP firewall and remote SIP entities on its untrusted side.

It also provides mutual authentication of both peers through the verification of their respective X509 certificates.

Reference documents

Standard

[SIP connect] SIP-PBX / Service Provider Interoperability - "SIPconnect 1.1 Technical Recommendation" - SIP Forum Document Number: TWG-2

Main RFCs

[RFC2246] The TLS Protocol Version 1.0

[RFC3280] Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile


Feature Overview

Standards and algorithms supported

The SIP firewall supports TLS v1.0 (RFC 2246) and X.509v3 certificates (RFC 3280) based on RSA keys (up to 4096 bits).

SSLv2 and SSLv3 are not supported due to their related vulnerabilities.

Certificate revocation, whether with OCSP (Online Certificate Status Protocol) or with a statically configured list of revoked certificates, is not supported: a compromised peer certificate therefore remains accepted until it expires or the CA certificate that signed it is removed from the SFW.

List of algorithms supported:

• For key exchange: Diffie–Hellman, RSA,

• For authentication: RSA (maximum key size = 4096 bits),

• For symmetric ciphering: AES128, AES256, 3DES, RC4,

• For integrity: SHA1.

Compression is not supported.

Note that TLS 1.0 has since been deprecated (RFC 8996) and RC4 prohibited for TLS (RFC 7465), and RFC 3280 has been obsoleted by RFC 5280; peers applying current practice may refuse to negotiate with this configuration.

Main Feature List

The following main features are supported:

• TLS v1.0 handshake, change cipher, alert and record protocol

• Automatic TLS connection handling toward the rpoc entity

• X509 certificate management (CLI interface)

• Local certificate management

o Importation in PEM Base64 of the public certificate and its private key (SSLeay format)

o Support of the Certificate Signing Request (CSR) procedure. The generated CSR is in PKCS#10 format.

o Content display

o Suppression

• Certificate Authority (CA) certificate management

o Importation in PEM Base64 format

o Content display

o Suppression


Local certificates may also be managed through the Certificate Signing Request (CSR) procedure:

In the CSR procedure, a public/private key pair is generated locally on the SFW (step 1) and a corresponding CSR is generated in PEM/Base64 format towards the Certification Authority (step 2). The CA sends back the corresponding X509 certificate (signed by the CA). This X509 certificate is then imported in the SFW (step 3). With the CSR procedure the private key is always kept on the SFW: this is more secure than importing a private key, which must be transported to the SFW and pasted into the CLI.

[Figure: SFW local certificate (certificate part, private key part), root user and Certification Authority; 1/ Certificate request creation, 2/ Certificate signing request (CSR), 3/ Certificate importation]

Figure 1 - Certificate Signing Request (CSR) handling

TLS domain handling per VPN through TLS profile usage

In the SIP firewall a peer network entity may be associated with a particular VPN through its VLAN id. A TLS profile may also be configured per peer network entity: this allows a particular TLS configuration (the one of the TLS profile) per VPN. This TLS configuration is applied to all rpoc of the related peer network entity.

VLAN w (corresponding to VPN x) <- Peer-net y -> TLS profile z

Each TLS profile contains:

• a description name

• the id of the local certificate to use for the SFW,

• the list of ids of trusted CA certificates,


8  TLS Profile

Purpose

This paragraph provides information about the configuration of the TLS profiles.

Introduction: TLS connections and TLS Profile handling

A new permanent TLS connection is established with an RPOC (2 connections if the RPOC is dual-stack IPv4/IPv6) when:

• Transport is set to TLS for this RPOC. See the CLI command “peer-net netid rpoc peering_point_id”

• Transport is set to TLS for the LPOC associated with the Peer Network. See the CLI command “peer-net netid lpoc poc_id”

• A TLS-profile is associated with the Peer Network. See the CLI command “peer-net netid tls-profile tls_profile_id”

• The TLS profile is valid. This means that:

• The SFW local certificate and its associated private key match.

• If “ca-check” has been set for this TLS profile, a list of CA certificates must be associated with the TLS Profile. This allows the peering point certificate to be checked against the CA signing chain.


Summary of the CLI for TLS-Profile management

TLS Profile

tls-profile tlsprofileid [local-cert certid] [no-ca-check|ca-check] [renegotiation-period period_in_hours][name description] 

tls-profile tlsprofileid name description

tls-profile tlsprofileid local-cert certid

tls-profile tlsprofileid  {no-ca-check|ca-check}

tls-profile tlsprofileid renegotiation-period period_in_hours

tls-profile tlsprofileid no renegotiation-period

tls-profile tlsprofileid ca-cert-list certid1 [certid2] [certid3] … [certid8]

tls-profile tlsprofileid no ca-cert-list certid

no tls-profile tlsprofileid

show tls-profile


tls-profile tlsprofileid  local-cert ca-check renegotiation-period

Purpose

The purpose of this command is to create a TLS Profile.

Each TLS profile contains:

• a description name,

• the id of the local certificate to use for the SFW,

• the list of ids of trusted CA certificates,

• optionally: whether or not to check the validity of the peer certificate. If not specified when the TLS profile is created, checking the validity of the peer certificate is the default behaviour.

• optionally: the renegotiation period (in hours) to force a new TLS handshake periodically (not activated by default). This option should be used to take into account CA certificate updates on already established TLS connections, since the peer certificate is verified during the handshake and an established connection is otherwise not re-checked.

The TLS Profile needs to be associated with a Peer-Network to become effective.

Command 

tls-profile tlsprofileid  [local-cert certid ] [no-ca-check|ca-check]

[renegotiation-period period_in_hours] [name description]

Arguments 

tlsprofileid

This is the identifier of the TLS Profile.

Up to 32 TLS Profiles can be created.

local-cert

Identifies the SFW local certificate.

no-ca-check | ca-check

Specifies whether or not the peer certificate needs to be checked against the CA certificate

signing chain.

renegotiation-period


If renegotiation-period is set in the TLS profile, the ongoing TLS connections are renegotiated (new TLS handshake) every renegotiation-period hours.

name

Description of the TLS Profile (32 characters).

Example

-> tls-profile 2 local-cert 1 ca-check renegotiation-period 1 name tls-prof-operator1

tls-profile tlsprofileid no renegotiation-period

Purpose

The purpose of this command is to remove the renegotiation period from a TLS Profile. The ongoing TLS connections of the associated Peer-Network are then no longer renegotiated periodically, which is the default behaviour; CA certificate updates are only taken into account by connections established afterwards.

Command

tls-profile tlsprofileid no renegotiation-period

Arguments

tlsprofileid

This is the identifier of the TLS Profile.

Example

-> tls-profile 2 no renegotiation-period


tls-profile tlsprofileid no ca-cert-list certid1 … [certid8]

Purpose

The purpose of this command is to remove a list of trusted CA certificate ids from a TLS profile.

Command

tls-profile tlsprofileid no ca-cert-list certid1 [certid2] [certid3] … [certid8]

Arguments

tlsprofileid

This is the identifier of the TLS Profile.

ca-cert-list

This is the list of CA certificate ids to be removed from the TLS profile.

The command accepts at most 8 certificate ids per invocation. As shown in the example, if more than 8 certificate ids need to be removed from a TLS profile, the command is run several times.

Note that profile 2 in the output below has ca-check set but no CA certificate left: as described in the introduction of this chapter, such a profile is not valid and no TLS connection is established for the associated Peer-Network until CA certificates are added again.

Example

-> tls-profile 2 no ca-cert-list 1 2 3 4 5 6 7 8
-> tls-profile 2 no ca-cert-list 9 10

-> show tls-profile
+---------+----------------------+-------+---------------+-------+-----------------------+
! TLS     ! Name                 ! Local ! Renegotiation ! CA    ! CA                    !
! profile !                      ! cert. ! period        ! check ! cert.                 !
! id      !                      ! id    ! (hours)       !       ! id(s)                 !
+---------+----------------------+-------+---------------+-------+-----------------------+
! 1       ! tls-prof-doamain1    ! 1     ! 1             ! Yes   ! 1                     !
! 2       ! tls-prof-sipp-server ! 1     ! 1             ! Yes   !                       !
+---------+----------------------+-------+---------------+-------+-----------------------+


9  CA certificates

Purpose

The SFW supports TLS with mutual authentication (each side must present its X509 certificate). This is the typical authentication mode in SIP peering (cf. the static mode of the [SIP connect] referenced document).

Two types of X509v3 certificates are handled by the SFW:

• Local certificate used to identify the SFW,

• CA certificates used to check the validity of the rpoc certificates:

All the CA certificates of the rpoc "signing chain" must be imported on the SFW in order to check the validity of the rpoc certificate.

This paragraph provides information about the management of the X509 certificates of the Certification Authority (CA). It describes how to import a CA certificate, how to check the content of the imported CA certificate and how to check the SFW configuration related to CA certificates.


Summary of the CLI for CA certificates management

CA certificates

import certificate ca ca-certid [name description ]

certificate ca ca-certid  name description

no certificate ca ca-certid 

show certificate ca pem ca-certid 

show certificate ca details ca-certid

show certificate ca ca-certid 

show certificate ca

Remark about the “show” commands:

The following CLI commands:

“show certificate ca details ca-certid”,

“show certificate ca ca-certid”,

“show certificate ca”

allow the operator to read attributes of the X509 certificates such as “Subject Common Name”, “Issuer Common Name”, “validity dates”, etc.

When the SFW is managed by an OMC-P, such details are taken into account by a Certificate Manager residing on the OMC-P, which may bring more added value.

In addition, the SNMP interface between the OMC-P and the SFW allows the OMC-P to retrieve the CA certificates in PEM base64 format in the same way as the command “show certificate ca pem ca-certid”.


import certificate ca ca-certid  [name description] 

Purpose

This command allows the operator to import on the SFW a CA (Certification Authority) certificate in PEM base64 format.

Command

import certificate ca ca-certid [name description] <Copy/Paste certificate>

Arguments 

ca-certid

This is the identifier of the CA certificate.

Up to 64 CA certificates can be imported.

name 

This attribute is optional. If omitted during the import phase, the name of the CA certificate can be specified later via the command “certificate ca ca-certid name description”. The description of the CA certificate is limited to 32 characters.

<Copy/Paste certificate>

When the operator hits carriage-return, the certificate can be pasted in PEM base64 format.

Example

-> import certificate ca 64
Please copy and then paste below the certificate in PEM Base64 SSLeay format ...
-----BEGIN CERTIFICATE-----
MIIDWTCCAsKgAwIBAgIJANKXS3v3iVunMA0GCSqGSIb3DQEBBQUAMHwxCzAJBgNV
BAYTAkZyMQ8wDQYDVQQIEwZGcmFuY2UxEDAOBgNVBAcTB09ydmF1bHQxDDAKBgNV
CM5btYl6pzhv89v3rfniPlCOle+IfFkgFi8cYhaB5p1txfvY5oTBC5Fm6lVzqBKv
AgMBAAGjgeIwgd8wHQYDVR0OBBYEFH0WXCkG/Kve4CxF2jrIrZM3WKujMIGvBgNV
EDAOBgNVBAMTB25ld3lvcmuCCQDSl0t794lbpzAMBgNVHRMEBTADAQH/MA0GCSqG
SIb3DQEBBQUAA4GBAGuXhqH+qynbueiJmrRVb12/lgmMaHaNiKeOaUupYK+RoSOh
FLmUIHN4e9b0YpujOMBOKxFeuyP4dNT1i11KPADGoha18vZke/YgiV4sBvT+amLM
IhspzdKn88JQftfANA2/iEJksrUX2Z5RH4Ff9RYnwk1xnKw2gP2RG+xCa/lA
-----END CERTIFICATE-----
Command successful


certificate ca ca-certid  name description 

Purpose

This command allows the operator to add or modify the name of a CA (Certification Authority) certificate previously imported.

Command 

certificate ca ca-certid  name description 

Arguments 

ca-certid

This is the identifier of the CA certificate.

name 

The description of the CA certificate is limited to 32 characters. 

Example 

-> certificate ca 64 name alcatel-lucent.cert


no certificate ca ca-certid  

Purpose

This command allows the operator to suppress a CA (Certification Authority) certificate previously imported.

Command 

no certificate ca ca-certid  

Arguments 

ca-certid

This is the identifier of the CA certificate.

Example 

-> no certificate ca 64


show certificate ca pem ca-certid  

Purpose

This command allows the operator to retrieve a CA certificate in PEM base64 format.

It also provides information such as the name associated with the CA certificate and its validity period.

Command 

show certificate ca pem ca-certid  

Arguments 

ca-certid

This is the identifier of the CA certificate.

Example 

-> show certificate ca pem 1
----- Cert Id=1; Cert Name= CA1.crt -----
Certificate in PEM Base64 format:
-----BEGIN CERTIFICATE-----
MIIDWTCCAsKgAwIBAgIJANKXS3v3iVunMA0GCSqGSIb3DQEBBQUAMHwxCzAJBgNV
BAYTAkZyMQ8wDQYDVQQIEwZGcmFuY2UxEDAOBgNVBAcTB09ydmF1bHQxDDAKBgNV
BAoTA0FMVTEqMCgGA1UECxMhU0ZXIHRlc3RiZWQgQ2VydGlmaWNhdGUgQXV0aG9y
aXR5MRAwDgYDVQQDEwduZXd5b3JrMB4XDTExMDkwNzA5NTEzNFoXDTE2MDkwNTA5
NTEzNFowfDELMAkGA1UEBhMCRnIxDzANBgNVBAgTBkZyYW5jZTEQMA4GA1UEBxMH
T3J2YXVsdDEMMAoGA1UEChMDQUxVMSowKAYDVQQLEyFTRlcgdGVzdGJlZCBDZXJ0
aWZpY2F0ZSBBdXRob3JpdHkxEDAOBgNVBAMTB25ld3lvcmswgZ8wDQYJKoZIhvcN
SIb3DQEBBQUAA4GBAGuXhqH+qynbueiJmrRVb12/lgmMaHaNiKeOaUupYK+RoSOh
FLmUIHN4e9b0YpujOMBOKxFeuyP4dNT1i11KPADGoha18vZke/YgiV4sBvT+amLM
IhspzdKn88JQftfANA2/iEJksrUX2Z5RH4Ff9RYnwk1xnKw2gP2RG+xCa/lA
-----END CERTIFICATE-----
Certificate dates validity checking is OK : notBefore=Sep 7 09:51:34 2011 GMT < current date=Oct 19 10:03:12 2011 < notAfter=Sep 5 09:51:34 2016 GMT
Command successful


show certificate ca details ca-certid  

Purpose

This command allows the operator to decode a CA certificate previously imported in PEM format and check that it contains the correct information: issuer and subject names, validity dates, key size and X509v3 extensions. A certificate that is expected to sign other certificates should carry the Basic Constraints extension with CA:TRUE (RFC 3280 path validation requires it for version 3 certificates); the testbed certificate in the example below shows CA:FALSE.

Command 

show certificate ca details ca-certid  

Arguments 

ca-certid

This is the identifier of the CA certificate.

Example

-> show certificate ca details 2
----- Cert Id=2; Cert Name= CA2.crt -----
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 5 (0x5)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=Fr, ST=France, L=Orvault, O=ALU, OU=SFW testbed Certificate Authority, CN=newyork
        Validity
            Not Before: Sep 13 12:05:36 2011 GMT
            Not After : Sep 12 12:05:36 2012 GMT
        Subject: C=Fr, ST=France, O=CA2, CN=myCA2
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:a9:3f:9e:12:5e:40:97:ff:5f:55:a2:b1:56:6b:
                    40:18:b4:2b:1d:4e:c4:5e:ac:42:8c:85:fa:83:96:
                    1c:4f:55:8e:03:42:f1:b1:f8:61:d8:ca:e2:7f:81:
                    6d:56:6d:fb:a9:d0:9c:88:e2:a7:3c:22:47:c0:bb:
                    fa:4d:de:90:fd:80:26:95:72:a7:9a:cc:34:3a:42:
                    f8:43:39:c6:2c:c7:61:ba:65
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                10:00:CE:58:D3:A1:9E:54:D1:AC:AE:E2:96:48:9F:D1:D3:E8:D6:0D
            X509v3 Authority Key Identifier:
                keyid:7D:16:5C:29:06:FC:AB:DE:E0:2C:45:DA:3A:C8:AD:93:37:58:AB:A3
    Signature Algorithm: sha1WithRSAEncryption
        39:41:bd:2d:52:2e:dc:b1:96:35:b0:74:ed:fa:bc:1e:8e:2c:
        73:7d:17:da:01:71:04:4a:f1:ab:a3:9d:74:6d:a6:20:92:be:
        ed:67:51:a4:68:a3:55:ad:41:c0:84:b2:29:67:bd:84:69:49:
        00:66
Certificate dates validity checking is OK : notBefore=Sep 13 12:05:36 2011 GMT < current date=Oct 19 11:55:58 2011 < notAfter=Sep 12 12:05:36 2012 GMT
Command successful


show certificate ca ca-certid  

Purpose

This command allows the operator to read the main attributes of a CA certificate.

Command 

show certificate ca ca-certid  

Arguments 

ca-certid

This is the identifier of the CA certificate.

Example

-> show certificate ca 2
+-------+---------+---------+---------+----------+----------+
! CA    ! Cert.   ! Subject ! Issuer  ! Dates    ! Private  !
! cert. ! Name    ! Common  ! Common  ! Validity ! key      !
! id    !         ! Name    ! Name    !          ! matching !
+-------+---------+---------+---------+----------+----------+
! 2     ! CA2.crt ! myCA2   ! newyork ! OK       ! n/s      !
+-------+---------+---------+---------+----------+----------+
1 elements
Subject C/ST/L : Fr/France/
Subject /O/OU/Email : /CA2//
Issuer C/ST/L : Fr/France/Orvault
Issuer /O/OU/Email : /ALU/SFW testbed Certificate Authority/
X509v3 Subject Alternative Name(s) :
Command successful


show certificate ca

Purpose

This command allows the operator to list all CA certificates imported on the SFW with their main attributes.

Command 

show certificate ca

Example

-> show certificate ca
+-------+----------------+---------+---------+----------+----------+
! CA    ! Cert.          ! Subject ! Issuer  ! Dates    ! Private  !
! cert. ! Name           ! Common  ! Common  ! Validity ! key      !
! id    !                ! Name    ! Name    !          ! matching !
+-------+----------------+---------+---------+----------+----------+
! 1     ! CA1.crt        ! newyork ! newyork ! OK       ! n/s      !
! 2     ! CA2.crt        ! myCA2   ! newyork ! OK       ! n/s      !
! 3     ! CA3.crt        ! myCA3   ! myCA2   ! OK       ! n/s      !
! 4     ! CA4.crt        ! myCA4   ! myCA3   ! OK       ! n/s      !
! 5     ! CA5.crt        ! myCA5   ! myCA4   ! OK       ! n/s      !
! 6     ! CA6.crt        ! myCA6   ! myCA5   ! OK       ! n/s      !
! 7     ! CA7.crt        ! myCA7   ! myCA6   ! OK       ! n/s      !
! 8     ! CA8.crt        ! myCA8   ! myCA7   ! OK       ! n/s      !
! 9     ! CA9.crt        ! myCA9   ! myCA8   ! OK       ! n/s      !
! 10    ! CA10.crt       ! myCA10  ! myCA9   ! OK       ! n/s      !
! 11    ! CA11.crt       ! myCA11  ! myCA10  ! OK       ! n/s      !
+-------+----------------+---------+---------+----------+----------+
Command successful
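The “show certificate ca” listing, together with the requirement stated at the start of this chapter that every CA certificate of the rpoc signing chain be imported, suggests a simple operational check. The following Python script is an added example, not part of the CLI guide or of the SFW software: it parses a constructed “show certificate ca” table (CA1 to CA3 copied from the listing, with a CA12 invented here whose issuer myCA99 was never imported), walks Issuer Common Names from the CA that signed a peer certificate up to a self-signed root, reports the first CA missing from the SFW, and emits the “tls-profile … ca-cert-list” commands in batches of 8 ids, the per-command limit given in the TLS Profile chapter. Matching on Common Name alone is a simplification of what the table offers; real chain building uses the Authority/Subject Key Identifiers and full Distinguished Names shown by “show certificate ca details”.

```python
# Constructed sample in the format of the "show certificate ca" output.
# CA1..CA3 reproduce the guide's chain (newyork is the self-signed root);
# CA12 is added here with an issuer (myCA99) that was never imported.
SAMPLE_SHOW_CA = """\
-> show certificate ca
+-------+----------------+---------+---------+----------+----------+
! CA    ! Cert.          ! Subject ! Issuer  ! Dates    ! Private  !
! cert. ! Name           ! Common  ! Common  ! Validity ! key      !
! id    !                ! Name    ! Name    !          ! matching !
+-------+----------------+---------+---------+----------+----------+
! 1     ! CA1.crt        ! newyork ! newyork ! OK       ! n/s      !
! 2     ! CA2.crt        ! myCA2   ! newyork ! OK       ! n/s      !
! 3     ! CA3.crt        ! myCA3   ! myCA2   ! OK       ! n/s      !
! 12    ! CA12.crt       ! myCA12  ! myCA99  ! OK       ! n/s      !
+-------+----------------+---------+---------+----------+----------+
Command successful
"""


def parse_show_ca(text):
    """Parse the 'show certificate ca' table into a dict keyed by Subject CN.

    Each value holds the certificate id, name, Issuer CN and whether the
    'Dates Validity' column reads OK.  The +---+ rules and the header rows
    (first cell not numeric) are skipped.
    """
    certs = {}
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("!"):
            continue
        cells = [c.strip() for c in line.strip("!").split("!")]
        if len(cells) < 6 or not cells[0].isdigit():
            continue
        cert_id, name, subject, issuer, dates, _key = cells[:6]
        certs[subject] = {"id": int(cert_id), "name": name,
                          "issuer": issuer, "valid": dates == "OK"}
    return certs


def signing_chain(certs, issuer_cn):
    """Walk from the CN that signed the peer (rpoc) certificate up to a
    self-signed root.  Returns (list of CA cert ids, unresolved CN or None).

    A non-None second element means the chain is incomplete: that CA is not
    imported on the SFW, so ca-check would fail for peers signed under it.
    """
    chain, seen, cn = [], set(), issuer_cn
    while cn in certs and cn not in seen:
        seen.add(cn)
        entry = certs[cn]
        chain.append(entry["id"])
        if entry["issuer"] == cn:          # self-signed root: chain complete
            return chain, None
        cn = entry["issuer"]
    return chain, cn


def ca_cert_list_commands(tls_profile_id, cert_ids, batch=8):
    """Emit 'tls-profile <id> ca-cert-list ...' lines with at most 8 ids each,
    the per-command limit stated in the TLS Profile chapter."""
    return [f"tls-profile {tls_profile_id} ca-cert-list "
            + " ".join(str(i) for i in cert_ids[k:k + batch])
            for k in range(0, len(cert_ids), batch)]


if __name__ == "__main__":
    certs = parse_show_ca(SAMPLE_SHOW_CA)
    for leaf_issuer in ("myCA3", "myCA12"):
        ids, missing = signing_chain(certs, leaf_issuer)
        status = "complete" if missing is None else f"missing CA '{missing}'"
        print(f"peer signed by {leaf_issuer}: CA ids {ids} ({status})")
    for cmd in ca_cert_list_commands(2, [c["id"] for c in certs.values()]):
        print(cmd)
```

Paste the real listing in place of SAMPLE_SHOW_CA and pass the Issuer Common Name of the peer's certificate to signing_chain: an incomplete result tells you which CA certificate to import before binding the profile with ca-check to a Peer-Network.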


10  Local X509 certificates and Private Keys

Purpose

The SFW supports TLS with mutual authentication (each side must present its X509 certificate). This is the typical authentication mode in SIP peering (cf. the static mode of the [SIP connect] referenced document).

Two types of X509v3 certificates are handled by the SFW:

• Local certificate used to identify the SFW,

• CA certificates used to check the validity of the rpoc certificates:

All the CA certificates of the rpoc "signing chain" must be imported on the SFW in order to check the validity of the rpoc certificate.

This paragraph provides information about the management of the local X509 certificates. It describes how to import and check the content of a local certificate and its related Private Key.

The local X509 certificates may result from a CSR (Certificate Signing Request) generated on the SFW. This avoids exposing the related Private Key.


Summary of the CLI for SFW local certificates management

SFW Local certificates

import certificate local certid [name description ]

import certificate local privatekey certid [password pwd] [name description ]

certificate local certid  name description

no certificate local certid 

show certificate local pem certid

show certificate local details certid

show certificate local certid

show certificate local

certificate local certid request common-name common_name email email_address country country_name state state_or_province_name locality locality_name organization organization_name organizational-unit organizational_unit_name [subject-alt-name subject_alt_name] [name description]

Remark about the “show” commands:

The following CLI commands:

“show certificate local details certid”,

“show certificate local certid”,

“show certificate local”

allow the operator to read attributes of the local X509 certificates such as “Subject Common Name”, “Issuer Common Name”, “validity dates”, etc.

When the SFW is managed by an OMC-P, such details are taken into account by a Certificate Manager residing on the OMC-P, which may bring more added value.

In addition, the SNMP interface between the OMC-P and the SFW allows the OMC-P to retrieve the local certificates in PEM base64 format in the same way as the command “show certificate local pem certid”.


import certificate local certid  [name description] 

Purpose

This command allows the operator to import on the SFW a local X509 certificate in PEM base64 format.

An SFW local certificate authenticates the SFW side of the TLS connection, whereas a CA certificate authenticates a peer.

Importation of a local X509 certificate must be followed or preceded by the importation of its related Private Key. There is one exception: when the local X509 certificate results from a CSR (Certificate Signing Request) generated locally on the SFW, the importation of the related Private Key is not required.

The operator may import either the certificate or the private key first. Both are tied by the same certid.

Command 

import certificate local certid  [name description] <Copy/Paste certificate>

Arguments 

certid

This is the identifier of the SFW local certificate and its related Private Key.

Up to 32 local certificates can be imported.

name 

This attribute is optional. If omitted during the import phase, the name of the local certificate can be specified later via the command "certificate local certid name description". The description of the local certificate is limited to 32 characters.

<Copy/Paste certificate>

When the operator hits the carriage return, the certificate can be pasted in PEM base64 format.

Example 

-> import certificate local 2 name sfw-westford
Please copy and then paste below the certificate in PEM Base64 SSLeay format ...
-----BEGIN CERTIFICATE-----
MIIDWTCCAsKgAwIBAgIJANKXS3v3iVunMA0GCSqGSIb3DQEBBQUAMHwxCzAJBgNV
BAYTAkZyMQ8wDQYDVQQIEwZGcmFuY2UxEDAOBgNVBAcTB09ydmF1bHQxDDAKBgNV
-----END CERTIFICATE-----


import certificate local privatekey certid [ password pwd ] 

Purpose

This command allows the operator to import onto the SFW a Private Key in PEM base64 format related to a local X509 certificate.

Importation of a Private Key must be followed or preceded by the importation of its related local X509 certificate. Both are tied together by the same certid.

Command 

import certificate local privatekey certid [password pwd] [name description] <Copy/Paste private key>

Arguments 

certid

This is the identifier of the SFW local certificate and its related Private Key.

Up to 32 local certificates can be imported.

name 

This attribute is optional. It provides a name for the local certificate related to the private key currently imported.

If omitted during the import phase of the private key, the name of the local certificate can be specified later, either during the importation of the local certificate or via the command "certificate local certid name description". The description of the local certificate is limited to 32 characters.

password 

If the Private Key is encrypted, the password must be supplied during the importation of the Private Key.

<Copy/Paste private key>

When the operator hits the carriage return, the Private Key can be pasted in PEM base64 format.

Example 

-> import certificate local privatekey 2
Please copy and then paste below the certificate in PEM Base64 SSLeay format ...
-----BEGIN RSA PRIVATE KEY-----
MIICXQIBAAKBgQDFCbmOTEaVD3dJ26QSWKZ92TaDFfobxfjdnFVxYhi3hWPGD3ukDDjqhWnV1BQsEHfGXpvyV/WNUnoI2hZpsjL8XgjWy5ZA/SASpptGfnXwbd6K4FGu29azGKD+WGKd+oPljlqp3+9rLNnD53fqlNWobM/RO2Pfp9r0Py19ugk3vQJBAK7f+eTEKS2/ZlwGuRgVAMBhkzwnTasZkChhQpBRNN0cdLfVnE0P3VrkDGa+MaoDL9zYl4xdMnjjXqa3FRve77ECQQCKZKudL7a6XrZRZl+2T3PpM8gOQ8sLqzG4J2+VkzByP/JXZxrJX1oXifJPtWd5y6z5Wjc7JXyYUtatWB3WY2g0
-----END RSA PRIVATE KEY-----

Remark 

Note that the private keys are not stored in the SFW configuration file in the form in which they were imported. They are stored ciphered, and the clear-text key cannot be exported via the output of a "show" command (only the ciphered PEM block is displayed).


certificate local certid  name description 

Purpose

This command allows the operator to add or modify the name of a local certificate previously imported.

Command 

certificate local certid  name description 

Arguments 

certid

This is the identifier of the SFW local certificate.

name 

The description of the local certificate is limited to 32 characters. 

Example 

-> certificate local 1 name sfw5.cert


no certificate local certid  

Purpose

This command allows the operator to delete a local certificate previously imported. It deletes at the same time the Private Key with the same certid.

Command 

no certificate local certid

Arguments

certid

This is the identifier of the local certificate (and of its related Private Key).

Example 

-> no certificate local 1


show certificate local pem certid  

Purpose

This command allows the operator to retrieve a local certificate in PEM base64 format.

The X509 part of the local certificate can then be exported. The Private Key part, however, is displayed in ciphered PEM form only; the clear-text key cannot be exported.

This command also provides information such as the name associated with the local certificate, its validity period, and whether the local certificate matches its Private Key.

Command 

show certificate local pem certid  

Arguments 

certid

This is the identifier of the local certificate.

Example 

-> show certificate local pem 1

----- Cert Id=1; Cert Name= sfw5.cert -----
Certificate in PEM Base64 format:
-----BEGIN CERTIFICATE-----
MIIC8TCCAlqgAwIBAgIBBjANBgkqhkiG9w0BAQUFADB8MQswCQYDVQQGEwJGcjEP
ZbCgF7CYoX6C1Xm6q6E5ct1eAdDkZaYuyo6hkPOJn3MnnJ1erw==
-----END CERTIFICATE-----

Certificate dates validity checking is OK : notBefore=Oct 6 15:31:24 2011 GMT < current date=Oct 19 13:33 2011 < notAfter=Oct 5 15:31:24 2012 GMT

Private Key in PEM Base64 format:
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,E28F48920FAD24FA

QpzjZSVF1Iu2GRirxUfvUiNAWZmGaWwzXo4wP02EMwYi1uQkwlT7JCrcHsaI9+XPeyMx00YdgcWieN269iGQGm9wPSa9ms2qfXrw/RolQynEZsr7vxwzr2G/gD/tOc8zHitDDsEgFTutDVxG/kzkNWT099p/dWXFzUzqspt2Dwvzzuye1HrBP0GFlJ/fXzKJCXv4ctyO6U3nblu7szWK21Cez+5xizaptrWs+APQ0qMMlSQXE4EjYg==
-----END RSA PRIVATE KEY-----

Key modulus of certificate public key is matching with the one of the Private Key


show certificate local details certid  

Purpose

This command allows the operator to decode a local certificate, previously imported in PEM format, and check that it contains the correct information.

Command 

show certificate local details certid  

Arguments 

certid

This is the identifier of the local certificate.

Example

-> show certificate local details 1

----- Cert Id=1; Cert Name= sfw5.cert -----
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 6 (0x6)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=Fr, ST=France, L=Orvault, O=ALU, OU=SFW testbed Certificate Authority, CN=newyork
        Validity
            Not Before: Oct 6 15:31:24 2011 GMT
            Not After : Oct 5 15:31:24 2012 GMT
        Subject: C=Fr, ST=France, L=Orvault, O=ALU, OU=SFW_testbed, CN=sfw5/[email protected]
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:c5:09:b9:8e:4c:46:95:0f:77:49:db:a4:12:58:a6:7d:d9:36:83:15:fa:1b:c5:f8:dd:9c:55:71:62:46:a3:09:94:00:c4:65:ed:0a:44:d8:bf:61:27:0c:6d:83:55:6c:84:be:83:6b:2f
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                84:15:47:37:C8:BE:E9:A6:81:2C:24:E9:67:18:F4:ED:C4:C6:BE:B6
            X509v3 Authority Key Identifier:
                keyid:7D:16:5C:29:06:FC:AB:DE:E0:2C:45:DA:3A:C8:AD:93:37:58:AB:A3
    Signature Algorithm: sha1WithRSAEncryption
        74:a5:c2:d4:06:4a:93:23:f1:ad:2e:fa:c2:b9:83:40:ab:83:f6:65:b0:a0:17:b0:98:a1:7e:82:d5:79:ba:ab:a1:39:72:dd:5e:01:d0:e4:65:a6:2e:ca:8e:a1:90:f3:89:9f:73:27:9c:9d:5e:af

Certificate dates validity checking is OK : notBefore=Oct 6 15:31:24 2011 GMT < current date=Oct 19 14:05:40 2011 < notAfter=Oct 5 15:31:24 2012 GMT

Key modulus of certificate public key is matching with the one of the Private Key
Command successful

The same session continued with the CA certificate that signed this local certificate ("show certificate ca pem"):

sfw5> show certificate ca pem 1

----- Cert Id=1; Cert Name= CA1.crt -----
Certificate in PEM Base64 format:
-----BEGIN CERTIFICATE-----
MIIDWTCCAsKgAwIBAgIJANKXS3v3iVunMA0GCSqGSIb3DQEBBQUAMHwxCzAJBgNV
BAYTAkZyMQ8wDQYDVQQIEwZGcmFuY2UxEDAOBgNVBAcTB09ydmF1bHQxDDAKBgNVQUxVMSowKAYDVQQLEyFTRlcgdGVzdGJlZCBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkxEDAOBgNVBAMTB25ld3lvcmuCCQDSl0t794lbpzAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4GBAGuXhqH+qynbueiJmrRVb12/lgmMaHaNiKeOaUupYK+RoSOhFLmUIHN4e9b0YpujOMBOKxFeuyP4dNT1i11KPADGoha18vZke/YgiV4sBvT+amLMIhspzdKn88JQftfANA2/iEJksrUX2Z5RH4Ff9RYnwk1xnKw2gP2RG+xCa/lA
-----END CERTIFICATE-----

Certificate dates validity checking is OK : notBefore=Sep 7 09:51:34 2011 GMT < current date=Oct 19 14:08:13 2011 < notAfter=Sep 5 09:51:34 2016 GMT

Command successful

show certificate local certid  

Purpose

This command allows the operator to read the main attributes of a local certificate.

It also allows checking that the local certificate and its private key match.

Command 

show certificate local certid  

Arguments 

certid

This is the identifier of the local certificate.

Example

-> show certificate local 1

+-------+-----------+---------+---------+----------+----------+
! Local ! Cert.     ! Subject ! Issuer  ! Dates    ! Private  !
! cert. ! Name      ! Common  ! Common  ! Validity ! key      !
! id    !           ! Name    ! Name    !          ! matching !
+-------+-----------+---------+---------+----------+----------+
! 1     ! sfw5.cert ! sfw5    ! newyork ! OK       ! matching !
+-------+-----------+---------+---------+----------+----------+
1 elements

Subject C/ST/L      : Fr/France/Orvault
Subject /O/OU/Email : /ALU/SFW_testbed/[email protected]
Issuer C/ST/L       : Fr/France/Orvault
Issuer /O/OU/Email  : /ALU/SFW testbed Certificate Authority/
X509v3 Subject Alternative Name(s) :
Command successful


show certificate local

Purpose

This command allows the operator to list all local certificates imported on the SFW with their main attributes.

Command 

show certificate local

Example

-> show certificate local

+-------+-----------+---------+---------+----------+----------+
! Local ! Cert.     ! Subject ! Issuer  ! Dates    ! Private  !
! cert. ! Name      ! Common  ! Common  ! Validity ! key      !
! id    !           ! Name    ! Name    !          ! matching !
+-------+-----------+---------+---------+----------+----------+
! 1     ! sfw5.cert ! sfw5    ! newyork ! OK       ! matching !
! 2     ! sfw6.cert ! sfw6    ! newyork ! OK       ! matching !
! 3     ! sfw7.cert ! sfw7    ! newyork ! OK       ! matching !
+-------+-----------+---------+---------+----------+----------+
Command successful


certificate local certid  request 

Purpose

This command formats a certificate signing request (CSR), in PEM base64 format, for a local certificate. It also generates an associated RSA private key of 2048 bits if no key already exists for this certid. The PEM base64 part displayed in the output of this command can be copied/pasted into a file to be sent to the relevant certification authority for signing. The resulting signed certificate must then be imported through the standard importation procedure ("import certificate local certid") with the same certid, so that it is consistent with the private key part.

[Figure: CSR workflow between the root user, the SFW (local certificate: certificate part and private key part) and the Certification Authority. 1/ Certificate request creation on the SFW; 2/ Certificate signing request (CSR) sent to the Certification Authority; 3/ Certificate importation of the signed certificate on the SFW.]

Command 

certificate local certid request common-name common_name email email_address country country_name state state_or_province_name locality locality_name organization organization_name organizational-unit organizational_unit_name [subject-alt-name subject_alt_name] [name description]


Arguments 

certid

This is the identifier of the local certificate (and of the private key generated for it, if none exists yet).

common-name 

The fully qualified domain name (FQDN) of your SFW.

email

An email address used to contact your organization.

country

The two-letter ISO code for the country where your organization is located.

state

The state/region where your organization is located. This shouldn't be abbreviated.

locality

The city where your organization is located.

organization 

The legal name of your organization. This should not be abbreviated and should include suffixes such as Inc, Corp, or LLC.

organizational-unit 

The division of your organization handling the certificate.

subject-alt-name 

The subject alternative name extension allows various literal values: email (an email address), URI (a uniform resource identifier), DNS (a DNS domain name), IP (an IP address).

In case of interconnection with an IP-PBX, and to be compliant with the SIP Forum "SIP-PBX / Service Provider Interoperability - SIPconnect 1.1 Technical Recommendation", the recommended format for the subject-alt-name is a SIP URI, as in the following example:

Example: URI:sip:sfw4.alcatel-lucent.com


Example 

-> certificate local 4 request common-name sfw4 email [email protected] country Fr state France locality Orvault organization ALU organizational-unit SFW-Testbed subject-alt-name URI:sip:sfw4.alcatel-lucent.com name sfw4.cert

... generating private key for this local certificate (none existing)
Certification request for this local certificate in PEM Base64 format:
-----BEGIN CERTIFICATE REQUEST-----
MIIC5TCCAc0CAQAwgYMxDTALBgNVBAMTBHNmdzQxHjAcBgkqhkiG9w0BCQEWD3NmdzRAb3J2YXVsdC5mcjELMAkGA1UEBhMCRnIxDzANBgNVBAgTBkZyYW5jZTEQMA4GA1UEBxMHT3J2YXVsdDEMMAoGA1UEChMDQUxVMRQwEgYDVQQLEwtTRlctVGVzdGJlZDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAM5SSaCQ8yzs8NtF0Qqb/Peu8fA8TZwjH0WEFrvZe03qeFH568CdnxGSqUoskgx3CQDogfMRPqsEsUSf0nX894+XTW2HJn2r/WyZbKOO9XtC+ZSmplXE60EHs5vCcqjlg0u2VAHfVYmG9E5ZMORL7THfom5RrYzFHOFV8yzEjBgNKvjWQE52qjjyYePI68+ZxWGYHIVUyOSaxFLnJV9zNuClEGRDmAkvw1mLmT+VbCoQErX0xbg7hZVfx04uHUxHThiV8hsDlI40n7WXArwMdCgGChU5wLDbww9iISe9b9ZaZD71t/0mrpz/KtWNIFPBlx5d8Hf+UK/0jPA0yqlkYDW3rKuTvWQJInDHPIaIZlIVc/oxLKOlzA==
-----END CERTIFICATE REQUEST-----

Command successful
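The CA-side half of this workflow, and the checks the SFW reports once the signed certificate has been imported with "import certificate local certid" (key/certificate modulus match, date validity, as shown by "show certificate local pem certid"), can be reproduced with openssl. The script below is an added example and is not part of this guide or of the SFW software. Because the SFW cannot be run here, the CSR is built with openssl using the same subject fields and URI:sip: subject-alt-name that the request command produces; the CA is a throw-away test CA, and every name used (example-ca, sfw4.example.com) is invented.

```shell
# CA-side handling of a CSR produced by "certificate local <certid> request",
# followed by the checks the SFW reports once the signed certificate is imported
# with "import certificate local <certid>": private key / certificate modulus
# match, date validity, and the subject-alt-name carried into the certificate.
# Added example, not SFW code. The SFW cannot be run here, so the CSR is built
# with openssl using the same subject fields and URI:sip: SAN as the request
# command; the CA is a throw-away test CA and every name is invented.

# Throw-away CA plus a CSR shaped like the one the SFW prints.
make_fixtures() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/C=FR/O=Example/CN=example-ca" \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/C=FR/ST=France/L=Orvault/O=Example/OU=SFW-Testbed/CN=sfw4" \
        -addext "subjectAltName=URI:sip:sfw4.example.com" \
        -keyout "$1/sfw4.key" -out "$1/sfw4.csr" 2>/dev/null
}

# Sign the CSR. "openssl x509 -req" drops the extensions requested in the CSR
# unless told otherwise, so the SAN is read back from the request and re-applied
# through -extfile; without this the certificate carries no SIP URI at all.
sign_csr() {
    san=$(openssl req -noout -text -in "$1/sfw4.csr" \
          | grep -A1 'Subject Alternative Name' | tail -n 1 | tr -d ' ')
    printf 'subjectAltName=%s\nbasicConstraints=CA:FALSE\n' "$san" > "$1/ext.cnf"
    openssl x509 -req -days 365 -in "$1/sfw4.csr" \
        -CA "$1/ca.pem" -CAkey "$1/ca.key" -CAcreateserial \
        -extfile "$1/ext.cnf" -out "$1/sfw4.pem" 2>/dev/null
}

# key_matches_cert <cert> <key>: the test behind the SFW's "Key modulus of
# certificate public key is matching with the one of the Private Key" line.
key_matches_cert() {
    cert_mod=$(openssl x509 -noout -modulus -in "$1")
    key_mod=$(openssl rsa -noout -modulus -in "$2" 2>/dev/null)
    if [ "$cert_mod" = "$key_mod" ]; then echo matching; else echo mismatch; fi
}

# dates_valid <cert>: -checkend 0 fails once notAfter has passed (it does not
# test notBefore, so a not-yet-valid certificate still passes here).
dates_valid() {
    if openssl x509 -noout -checkend 0 -in "$1" >/dev/null; then echo OK; else echo expired; fi
}

# cert_san <cert>: the SAN actually present in the signed certificate.
cert_san() {
    openssl x509 -noout -text -in "$1" | grep -A1 'Subject Alternative Name' | tail -n 1 | tr -d ' '
}

# chains_to_ca <cert> <ca>: what the peer verifies once this CA certificate
# has been imported on its side.
chains_to_ca() {
    if openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then echo OK; else echo FAIL; fi
}

run_demo() {
    d=$(mktemp -d)
    make_fixtures "$d"
    sign_csr "$d"
    echo "key/cert : $(key_matches_cert "$d/sfw4.pem" "$d/sfw4.key")"
    echo "dates    : $(dates_valid "$d/sfw4.pem")"
    echo "SAN      : $(cert_san "$d/sfw4.pem")"
    echo "chain    : $(chains_to_ca "$d/sfw4.pem" "$d/ca.pem")"
    # Negative case: a certificate checked against a key it was not issued for,
    # which is what the SFW sees when the certid of the import differs from the
    # certid the CSR was generated under.
    echo "wrong key: $(key_matches_cert "$d/sfw4.pem" "$d/ca.key")"
    rm -rf "$d"
}

run_demo
```

Two points worth keeping in mind when reading the guide's examples: the subjectAltName the SFW puts in the CSR is not copied into the certificate by "openssl x509 -req" on its own, so a CA that signs without re-applying it produces a certificate with no SIP URI, which the SFW will still import and report as "matching"; and the modulus comparison is the whole of the key/certificate check, so a "mismatch" after import means the certificate was signed from a CSR generated under a different certid, not that the certificate is malformed.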


11  Internal DNS server

Purpose

This paragraph provides information about the configuration of the SFW internal DNS server, intended to resolve the names of Untrusted Peering-Points.

Introduction

With the current release, the SFW does not perform DNS requests toward an external DNS server to resolve FQDNs that may appear in SIP headers.

SFW implements its own internal DNS server.

FQDN in Incoming messages received from Peer-Networks

The SFW checks that a FQDN included in the top Record-Route and top Via headers can be resolved via the SFW internal DNS server. This check ensures that SIP responses and subsequent requests coming from the MGC8 IBCF will be routable.

The SFW does not check that a FQDN included in a Route header or in the Request-URI can be resolved via its internal DNS server; in that case a FQDN does not prevent the MGC8 IBCF CCS selection.

FQDN in Outgoing messages received from the MGC8

In case of a SIP request, after removing its own Routes, the SFW checks that a FQDN included in the top Route, if any, can be resolved via the SFW internal DNS server.

In case of a SIP request, after removing its own Routes, if there is no Route header left, the SFW checks that a FQDN included in the Request-Line can be resolved via the SFW internal DNS server. This ensures that the SIP message will be properly routed.

In case of a SIP response, after removing its own Via, the SFW checks that a FQDN included in the top Via can be resolved via the SFW internal DNS server.
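The Untrusted-side rule above is easy to misread as "every FQDN in the message must resolve". The following shell snippet is an added example and not SFW code: it models that check on a constructed INVITE against a constructed copy of the internal DNS table (the peer-net ids and the name proxyA.biloxy.com are those used in this chapter, the other names are invented) and shows that only the top Via and top Record-Route are looked up, that address literals need no lookup, and that an unresolvable Route is ignored. Only the long form of the Via header (not the compact "v:") is parsed.

```shell
# Model of the Untrusted-side check described above: the FQDN in the top Via and
# in the top Record-Route of an incoming request must resolve through the internal
# DNS of the peer network the request came from; a FQDN in a Route header or in the
# Request-URI is not looked up. Added example, not SFW code: the DNS table copies
# the shape of "show dns-internal" output, the SIP messages are constructed.

# Constructed internal DNS table: peer-net, name, IPv4 address (one line per entry).
DNS_TABLE='20 proxyA.biloxy.com 172.23.8.9
7 proxyA.biloxy.com 172.22.7.35
5 sbc.atlanta.example 172.20.5.33'

# resolve <peer-net> <fqdn>: prints the address, nothing if unknown in that peer-net.
resolve() {
    printf '%s\n' "$DNS_TABLE" |
        awk -v net="$1" -v host="$2" '$1 == net && tolower($2) == tolower(host) { print $3 }'
}

# host_kind <host>: "ip" for an address literal (no lookup needed), else "fqdn".
host_kind() {
    case $1 in
        *:*)       echo ip ;;    # IPv6 literal, brackets already stripped
        *[!0-9.]*) echo fqdn ;;  # contains something other than digits and dots
        *)         echo ip ;;    # dotted IPv4
    esac
}

# top_via_host: host of the sent-by in the first Via header (long form) on stdin.
top_via_host() {
    sentby=$(sed -n 's/^[Vv]ia:[[:space:]]*SIP\/2\.0\/[A-Za-z]*[[:space:]]*//p' | head -n 1)
    case $sentby in
        "["*) printf '%s\n' "$sentby" | sed 's/^\[\([^]]*\)\].*/\1/' ;;
        *)    printf '%s\n' "$sentby" | sed 's/[:;].*//' ;;
    esac
}

# top_rr_host: host of the URI in the first Record-Route header on stdin
# (user part, if any, and URI parameters are dropped).
top_rr_host() {
    sed -n 's/^[Rr]ecord-[Rr]oute:[[:space:]]*<sips\{0,1\}:\([^@>]*@\)\{0,1\}\([^;:>]*\).*/\2/p' | head -n 1
}

# check_incoming <peer-net> <sip-message>: prints OK, or names the first header
# whose FQDN the internal DNS of that peer-net cannot resolve (and returns 1).
check_incoming() {
    for hdr in Via Record-Route; do
        if [ "$hdr" = Via ]; then
            host=$(printf '%s\n' "$2" | top_via_host)
        else
            host=$(printf '%s\n' "$2" | top_rr_host)
        fi
        [ -n "$host" ] || continue                       # header absent
        [ "$(host_kind "$host")" = fqdn ] || continue    # literal: nothing to resolve
        if [ -z "$(resolve "$1" "$host")" ]; then
            echo "top $hdr: $host not resolvable in internal DNS of peer-net $1"
            return 1
        fi
    done
    echo OK
}

# Constructed INVITE from the Untrusted side. Its Route points at a name no
# peer-net knows, which must not matter.
INVITE='INVITE sip:bob@example.net SIP/2.0
Via: SIP/2.0/TLS proxyA.biloxy.com:5061;branch=z9hG4bK776asdhds
Record-Route: <sip:proxyA.biloxy.com;lr>
Route: <sip:unknown.route.example;lr>
From: <sip:alice@biloxy.com>;tag=1928301774
To: <sip:bob@example.net>
Call-ID: a84b4c76e66710
CSeq: 314159 INVITE
Content-Length: 0'

# Same request with an IPv4 literal in Via: no DNS lookup applies.
INVITE_IP='INVITE sip:bob@example.net SIP/2.0
Via: SIP/2.0/UDP 172.20.5.33:5060;branch=z9hG4bKnashds8
Content-Length: 0'

check_incoming 20 "$INVITE"           # OK: proxyA.biloxy.com is known for peer-net 20
check_incoming 5 "$INVITE" || true    # top Via: proxyA.biloxy.com not resolvable in internal DNS of peer-net 5
check_incoming 5 "$INVITE_IP"         # OK: literal address, nothing to resolve
```

The same message passes from peer-net 20 and fails from peer-net 5 with the same headers, which is the practical consequence of the table being keyed per peer-net: an entry for proxyA.biloxy.com must exist for every peer-net that name can arrive from, and "show dns-internal peer-net netid" is the quickest way to confirm that before a peer goes live.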


Summary of the CLI for the internal DNS management

SFW internal DNS

dns-internal dns-entry-id name rpoc-name peer-net netid ip address

dns-internal dns-entry-id name rpoc-name

dns-internal dns-entry-id peer-net netid

dns-internal dns-entry-id ip address

dns-internal dns-entry-id no ipv4

dns-internal dns-entry-id no ipv6

show dns-internal [peer-net netid]


dns-internal dns-entry-id name peer-net ip

Purpose

The purpose of that command is to create a DNS entry in the internal DNS server of the SFW.

Command 

dns-internal dns-entry-id name rpoc-name peer-net netid  ip address 

Arguments 

dns-entry-id

This is the identifier of the DNS entry. Up to 2047 DNS entries can be created. 

rpoc-name

This is the FQDN of the Remote POC.

netid

This is the identifier of the Peer Network.

address

This is the IP address, IPv4 or IPv6, matching the FQDN specified for that entry.

Note that in case of dual stack IPv4/IPv6, you need to specify one address at the creation of the DNS entry and then add the other address via the CLI command "dns-internal dns-entry-id ip address".

Example

-> dns-internal 1 name proxyA.biloxy.com peer-net 20 ip 172.23.8.9

-> dns-internal 1 ip 2001:8::172:23:8:9 


dns-internal dns-entry-id name rpoc-name 

Purpose

The purpose of that command is to modify the FQDN of a DNS entry in the internal DNS server of the SFW.

Command 

dns-internal dns-entry-id name rpoc-name 

Arguments 

dns-entry-id

This is the identifier of the DNS entry.

rpoc-name

This is the FQDN of the Remote POC. 

Example

-> dns-internal 1 name B2B.biloxy.com


dns-internal dns-entry-id peer-net netid  

Purpose

The purpose of that command is to modify the Peer Network identifier of a DNS entry in the internal DNS server of the SFW.

Command 

dns-internal dns-entry-id peer-net netid  

Arguments 

dns-entry-id

This is the identifier of the DNS entry.

netid

This is the Peer-Network identifier. 

Example

-> dns-internal 1 peer-net 20


dns-internal dns-entry-id ip address 

Purpose

The purpose of that command is to modify the IP address associated with a FQDN in a DNS entry in the internal DNS server of the SFW.

Command 

dns-internal dns-entry-id ip address 

Arguments 

dns-entry-id

This is the identifier of the DNS entry.

address

This is the IP address, IPv4 or IPv6, matching the FQDN specified for that entry.

Note that in case of dual stack IPv4/IPv6, you need to specify one address at the creation of the DNS entry and then add the other address via this CLI command.

Example

-> dns-internal 1 ip 2001:7::182:13:21:4


show dns-internal 

Purpose

The purpose of that command is to display the configuration of the internal DNS server.

Command 

show dns-internal [peer-net netid]

Arguments 

netid

Optionally, the identifier of a Peer-Network can be specified to display only the DNS entries related to that Peer-Network.

Output Definition 

Name & IP address

Display the possible resolution of FQDNs representing peering-points on the Untrusted side of the firewall.

Validity

To be used during FQDN resolution, an IP address configured in the SFW internal DNS must match an IP address configured as a peering-point (rpoc) for the specified peer-net.

o "invalid" means that the address is not yet configured as a peering-point in the peer-network.

o "V4 only" means that the IPv4 address matches a peering-point whereas the IPv6 address, if any, is not yet configured as a peering-point.

o "V6 only" means that the IPv6 address matches a peering-point whereas the IPv4 address, if any, is not yet configured as a peering-point.

o "V4 and V6" means that both the IPv4 and the IPv6 addresses match the peering-point configuration.


Example

-> show dns-internal

+-----+----------+-------------------+-------------------------------------+----------+
! idx ! peer-net ! name              ! IP address                          ! Validity !
+-----+----------+-------------------+-------------------------------------+----------+
! 1   ! 20       ! proxyA.biloxy.com ! 172.23.8.9   2001:8::172:23:8:9     ! V4 & V6  !
! 2   ! 7        ! proxyA.biloxy.com ! 172.22.7.35                         ! V4 only  !
! 3   ! 5        ! proxyA.biloxy.com ! 172.20.5.33                         ! V4 only  !
! 6   ! 10       ! proxyA.biloxy.com ! 172.24.90.10 2001:90::172:24:90:10  ! V6 only  !
! 8   ! 3        ! proxyA.biloxy.com ! 172.18.3.9                          ! invalid  !
! 9   ! 4        ! proxyA.biloxy.com ! 172.19.4.35  2001:4::172:19:4:35    ! V4 & V6  !
! 10  ! 6        ! proxyA.biloxy.com ! 172.21.6.33  2001:6::172:21:6:33    ! V4 & V6  !
! 12  ! 11       ! proxyA.biloxy.com ! 172.16.11.50 2001:11::172:16:11:50  ! V4 & V6  !
+-----+----------+-------------------+-------------------------------------+----------+

-> show dns-internal peer-net 7

+-----+----------+-------------------+-------------+----------+
! idx ! peer-net ! name              ! IP address  ! Validity !
+-----+----------+-------------------+-------------+----------+
! 2   ! 7        ! proxyA.biloxy.com ! 172.22.7.35 ! V4 only  !
+-----+----------+-------------------+-------------+----------+


12  Load Balancing Group

Purpose

This paragraph provides information about:

•What is the Load-Balancing-Group object.

• CLIs to configure the Load-Balancing-Group object.

Introduction

The main features provided by the Load Balancing Group are the following:

Configuration of a set of IP addresses and ports belonging to the IBCF

A Load-Balancing-Group contains the IP information that allows the SIP firewall to reach the trusted IBCF it protects.

The IBCF can contain several processors for SIP signaling, each of which can support multiple processes (called CCSs). Currently, all these processes share the same IP address but use different signaling port numbers. In a future release, this is expected to change to separate IP addresses per processor.

In the Load-Balancing-Group object, a CCS is referenced as an rpoc: a remote point of contact on the trusted side of the SIP firewall.

To address any kind of IBCF architecture, the SIP firewall accepts any combination of IP address and port (i.e. one unique IP address and one port per service blade, or one IP address per service blade and one unique port).

A Peer Network MUST have a Load-Balancing-Group assigned.

A Load-Balancing-Group can be shared by several Peer Networks.

Load balancing of initial untrusted SIP requests

For an initial SIP message received on the Untrusted side (a new INVITE or a transaction outside an INVITE dialog), the SIP firewall uses the Load-Balancing-Group associated with the Peer Network to select one of the remote POCs (IBCF CCSs). Once selected, the trusted remote POC does not change for the whole SIP dialog or for the out-of-dialog SIP transaction.


Overload Control and rate limiters

The Load-Balancing-Group provides an Overload Control feature through the configuration of call and transaction rate limiters.

These rate limiters are applied per remote POC (CCS), so that different weights can be assigned to the IBCF processes.

From the rate-limiting standpoint, the rate limiters of the remote POCs within a Load-Balancing-Group are applied after the one associated with the remote Peer Network (see Security Profile). Since the sum of the rate limiters of the Peer Networks associated with the Load-Balancing-Group can exceed the rate defined for the Load-Balancing-Group, the SIP firewall applies fair load balancing among the Peer Networks.

Geographical Redundancy

The SIP firewall can protect a geographically redundant IBCF.

To address this case, active and standby remote POCs (CCSs) are declared alike in the Load-Balancing-Group object.

The SFW sends heartbeats (SIP OPTIONS) periodically to each CCS to keep track of which ones are active. It does not send any new INVITE to a CCS that is not responding to the heartbeat.

This addresses the active/standby IBCF configuration as well as the active/active IBCF configuration.

Load Balancing group and Trusted Local POC association

One Trusted Local POC needs to be associated with each Load-Balancing-Group.

The IP address of the trusted lpoc is the source IP address of the SIP messages sent to the IBCF CCSs (rpoc).


Summary of the CLI for Load-Balancing-Group management

Load-Balancing-Group

load-balancing-group groupId [enable | disable] [name description]

load-balancing-group GroupId rpoc poc_id ip ip_address [udp [port] | tcp [port] | sctp [port] | tls [port]]

load-balancing-group GroupId rpoc poc_id {udp [port] | tcp [port] | sctp [port] | tls [port]}

load-balancing-group GroupId rpoc poc_id no ipv4

load-balancing-group GroupId rpoc poc_id no ipv6

load-balancing-group GroupId rpoc poc_id no {udp | tcp | sctp | tls}

load-balancing-group GroupId no rpoc poc_id

load-balancing-group GroupId lpoc trusted_lpoc_id

load-balancing-group GroupId no lpoc trusted_lpoc_id

load-balancing-group GroupId vlan vid

load-balancing-group GroupId polling period interval

load-balancing-group GroupId rpoc poc_id call rate call_rate delay sip_msg_delay

load-balancing-group GroupId rpoc poc_id transaction rate trans_rate delay sip_trans_delay

no load-balancing-group groupId

show load-balancing-group [GroupId]

show load-balancing-group [GroupId] rpoc [poc_id]

show load-balancing-group [GroupId] connectivity


load-balancing-group groupId rpoc

Purpose

The purpose of that command is to associate an IBCF remote POC (MGC8 CCS process) with a Load-Balancing-Group.

The Load-Balancing-Group is a collection of CCSs. This command must be run once for each CCS.

Command 

load-balancing-group GroupId rpoc poc_id ip ip_address [udp [port] | tcp [port] | sctp [port] | tls [port]]

load-balancing-group GroupId rpoc poc_id {udp [port] | tcp [port] | sctp [port] | tls [port]}

Arguments 

groupId

This is the identifier of the Load-Balancing-Group.

 poc_id

This is the identifier of the remote POC (MGC8 CCS process) within a Load-Balancing-Group. Up to 32 rpoc can be defined per Load-Balancing-Group. The same poc_id can be used in different Load-Balancing-Groups.

ip_address

Defines the IPv4 or IPv6 address of the remote POC.

A remote POC can be dual-stack IPv4/IPv6. In that case the CLI must be run twice, once to specify the IPv4 address, once to specify the IPv6 address.

 port

Optionally the listening port and transport mode of the remote POC can be specified. If this option is not specified, port 5060 and UDP transport are configured by default.

It is still possible to modify the listening ports with the following command:

load-balancing-group GroupId rpoc poc_id {udp [port] | tcp [port] | sctp [port] | tls [port]}

If the transport mode is specified but the port value is omitted, the port is assigned automatically. It will be set to 5060 if there is no other transport mode configured


Complementary information

Hereafter is a networking example based on the MGC-8 case where the service blades (CCS modules) share the same IP address but use different port numbers to provide SIP service.

The primary IBCF is configured with a unique IP address (192.168.10.10) and provides 2 SIP service blades on the following ports: 5061, 5062.

The backup IBCF is configured with a unique IP address (192.168.10.20) and provides 2 SIP service blades on the following ports: 5061, 5062.

From the SIP Firewall point of view, these 2 addresses and 4 ports are seen as remote POCs.

In order to achieve geographical redundancy, the 4 remote POCs (CCSs in MGC8 terminology) are gathered in the same Load Balancing Group 1.

The SIP firewall performs heartbeat requests towards the remote POCs by sending SIP OPTIONS messages.

Only available remote POCs are expected to reply to the SIP OPTIONS. Thus, the SIP firewall knows which processes on the MGC8 are ready to receive SIP traffic.

This allows support of IBCF processes in an active/standby mode as well as in an active/active mode.


The resulting CLI commands are:

-> lpoc trusted 1 ip 192.168.20.1 enable name LPOC_TRUSTED_1

-> vlan 20 trusted enable name TRUSTED_VLAN_20

-> vlan 20 subnet 192.168.20.0 mask 255.255.255.252 gw 192.168.20.2 no rip

-> load-balancing-group 1 enable name LBG_1

-> load-balancing-group 1 vlan 20

-> load-balancing-group 1 lpoc 1

-> load-balancing-group 1 rpoc 1 ip 192.168.10.10 udp 5061

-> load-balancing-group 1 rpoc 2 ip 192.168.10.10 udp 5062

-> load-balancing-group 1 rpoc 3 ip 192.168.10.20 udp 5061

-> load-balancing-group 1 rpoc 4 ip 192.168.10.20 udp 5062

-> peer-net 1 load-balancing-group 1


load-balancing-group groupId rpoc no ipv4

Purpose

The purpose of that command is to delete the IPv4 address of an IBCF remote POC (MGC8 CCS process) within a Load-Balancing-Group.

Command 

load-balancing-group GroupId rpoc poc_id no ipv4

Arguments 

groupId

This is the identifier of the Load-Balancing-Group.

 poc_id

This is the identifier of the remote POC (MGC8 CCS process) within a Load-Balancing-Group.

Example 

-> load-balancing-group 2 rpoc 1 no ipv4


load-balancing-group groupId rpoc no ipv6

Purpose

The purpose of that command is to delete the IPv6 address of an IBCF remote POC (MGC8 CCS process) within a Load-Balancing-Group.

Command 

load-balancing-group GroupId rpoc poc_id no ipv6

Arguments 

groupId

This is the identifier of the Load-Balancing-Group.

 poc_id

This is the identifier of the remote POC (MGC8 CCS process) within a Load-Balancing-Group.

Example 

-> load-balancing-group 2 rpoc 13 no ipv6


load-balancing-group groupId rpoc poc_id no {udp | tcp | sctp | tls}

Purpose

The purpose of that command is to remove a transport mode from a remote POC associated with a Load-Balancing-Group.

Command 

load-balancing-group groupId rpoc poc_id no {udp | tcp | sctp | tls}

Arguments 

groupId

This is the identifier of the Load-Balancing-Group.

 poc_id

This is the identifier of the remote POC (MGC8 CCS process) within a Load-Balancing-Group.

no {udp | tcp | sctp | tls}

Specifies the transport type to be removed from the RPOC.

Example 

-> load-balancing-group 2 rpoc 1 ip 192.168.2.50 tcp 5060

Configures the tcp port value to 5060 and also implicitly the udp port value to 5060.

-> load-balancing-group 2 rpoc 1 no udp

Disables the udp transport mode for the remote POC 1 of the Load-Balancing-Group 2.


load-balancing-group groupId no rpoc poc_id

Purpose

The purpose of that command is to remove the association between a remote POC (MGC8 CCS process) and a Load-Balancing-Group.

Command

load-balancing-group groupId no rpoc poc_id

Arguments 

groupId

This is the identifier of the Load-Balancing-Group.

 poc_id

This is the identifier of the remote POC (MGC8 CCS process) within the Load-Balancing-Group.

Example 

-> load-balancing-group 1 no rpoc 2


load-balancing-group groupId lpoc trusted_lpoc_id

Purpose

The purpose of that command is to associate a Trusted Local Point of Contact (lpoc) with a Load-Balancing-Group.

Command

load-balancing-group groupId lpoc trusted_lpoc_id 

Arguments 

groupId

This is the identifier of the Load-Balancing-Group. 

trusted_lpoc_id  

This is the identifier of the Trusted LPOC that has been previously created via the command “lpoc trusted poc_id”.

Example 

-> load-balancing-group 1 lpoc 1

Associates the Trusted LPOC 1 with the Load-Balancing-Group 1.


load-balancing-group groupId no lpoc trusted_lpoc_id

Purpose

The purpose of that command is to remove the association between a Trusted Local Point of Contact (lpoc) and a Load-Balancing-Group.

Command

load-balancing-group groupId no lpoc trusted_lpoc_id 

Arguments 

groupId

This is the identifier of the Load-Balancing-Group.

trusted_lpoc_id 

This is the identifier of the Trusted LPOC that has been previously associated with the

Load-Balancing-Group.

Example 

-> load-balancing-group 1 no lpoc 1

Removes the association between the Trusted LPOC 1 and the Load-Balancing-Group 1.


load-balancing-group groupId vlan vid

Purpose

The purpose of that command is to associate a Vlan with a Peer Network.

Command

load-balancing-group groupId vlan vid 

Arguments 

groupId

This is the identifier of the Load-Balancing-Group. 

vid

This is the identifier of the Vlan that has been previously created with the command “vlan vid”.

Example 

-> load-balancing-group 1 vlan 20

Creates an association between the Load-Balancing-Group 1 and the Vlan 20.


load-balancing-group groupId no vlan

Purpose

The purpose of that command is to remove the association between a Vlan and a Load-Balancing-Group.

Command

load-balancing-group groupId no vlan 

Arguments 

groupId

This is the identifier of the Load-Balancing-Group. 

Example 

-> load-balancing-group 1 no vlan


load-balancing-group groupId polling period interval

Purpose

In order to check the IP/SIP connectivity on the trusted side between the LPOC and the RPOCs associated within the same Load-Balancing-Group, there are two polling mechanisms:

• A Ping polling is issued periodically, sending ICMP requests from the LPOC to the RPOCs (IBCF’s CCSs).

• A SIP polling is issued periodically, sending SIP OPTIONS from the LPOC to the RPOCs (IBCF’s CCSs).

The purpose of that command is to modify the period of the Ping and SIP polling occurring between the LPOC and RPOCs of a Load-Balancing-Group. By default Ping requests and SIP OPTIONS are sent every 4 seconds.

ICMP requests and SIP OPTIONS are sent for both IPv4 and IPv6 protocols according to the RPOC/LPOC configuration.

The status of the CCSs connectivity on the trusted side can be retrieved via the CLI command “show load-balancing-group connectivity”.

Command

load-balancing-group groupId polling period interval 

Arguments 

groupId

This is the identifier of the Load-Balancing-Group. 

interval

Sets the value, in seconds, of the polling period interval.

Example 

-> load-balancing-group 1 polling period 10


load-balancing-group groupId rpoc poc_id call rate

Purpose

The purpose of that command is to configure the Call Admission Control per remote POC (rpoc) associated with a Load Balancing Group. In the MGC8 terminology the rpoc represents the CCS entity.

The call admission control applies to initial INVITE SIP messages and allows dimensioning of the transmit queue depth (call setup queue) that is associated with each CCS.

By configuring a call setup rate limiter on a Peer Network (through the configuration of a SIP Security Profile), one can limit the rate of one source, but there is no way (on the Peer-Network configuration) to ensure that the sum of all the sources does not overload the IBCF CCSs where all the sources converge.

So to avoid such a situation, the following command defines:

o the call setup rate that is supported per rpoc (CCS)

o the maximum delay that a SIP message can stay in the transmit queue associated with the rpoc (CCS)

The transmit queue depth, in SIP messages, is computed from the values of the call_rate and sip_msg_delay parameters.

Command

load-balancing-group groupId rpoc poc_id call  rate call_rate delay sip_msg_delay 

Arguments 

groupId

This is the identifier of the Load-Balancing-Group. 

 poc_id

This is the identifier of the remote POC (MGC8 CCS process) within the Load-Balancing-

Group.

call_rate

Call setup rate per second. The value should be between 0 and 100000.


sip_msg_delay

Defines the time a SIP message can remain in the transmit queue of the SIP firewall before being dropped. The delay is set in milliseconds in the range 1-2000.

Example 

-> load-balancing-group 3 rpoc 1 call rate 10000 delay 300


load-balancing-group groupId rpoc poc_id transaction rate

Purpose

The purpose of that command is to allow dimensioning of the non-INVITE transaction queue per remote POC (rpoc) associated with a Load-Balancing-Group. In the MGC8 terminology the rpoc represents the CCS entity.

The transaction rate applies to non-INVITE SIP messages.

The transaction delay limits the maximum time the SIP firewall can hold a non-INVITE SIP message in the non-INVITE transmission queue associated with an rpoc.

Command

load-balancing-group groupId rpoc poc_id transaction rate trans_rate delay sip_trans_delay

Arguments 

groupId

This is the identifier of the Load-Balancing-Group. 

 poc_id

This is the identifier of the remote POC (MGC8 CCS process) within the Load-Balancing-Group.

trans_rate

This is the maximum number of transactions per second. The value should be between 0 and 100000.

sip_trans_delay

Defines the time a SIP message can remain in the transmit queue of the SIP firewall before being dropped. The delay is set in milliseconds in the range 1-2000.

Example 

-> load-balancing-group 3 rpoc 1 transaction rate 10000 delay 300
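The call rate limiter (pages 202-203) and the transaction rate limiter (this page) share one mechanism: a per-rpoc rate with a transmit queue whose entries are dropped once they have waited longer than the configured delay. The Python model below is an added illustration of that mechanism, not Alcatel-Lucent code. The page states only that the queue depth is computed from the two parameters; the formula rate × delay / 1000 used here, the token-bucket pacing and the class and method names are assumptions. The limits enforced in the constructor (0-100000 per second, 1-2000 ms) are the ones the page gives for both commands.

```python
from collections import deque


class DelayBoundedRateLimiter:
    """Per-rpoc limiter: messages above `rate` per second wait in a transmit queue
    and are dropped once they have waited longer than `delay_ms`."""

    def __init__(self, rate, delay_ms):
        if not 0 <= rate <= 100000:                 # page: 0..100000 per second
            raise ValueError("rate must be between 0 and 100000")
        if not 1 <= delay_ms <= 2000:               # page: 1..2000 ms
            raise ValueError("delay must be between 1 and 2000 ms")
        self.rate = rate
        self.delay = delay_ms / 1000.0
        # assumption: the queue holds what the rpoc can drain within the delay budget
        self.depth = max(1, rate * delay_ms // 1000)
        self.queue = deque()          # (arrival_time, message)
        self.tokens = float(rate)     # token bucket refilled at `rate` tokens per second
        self.last = 0.0
        self.sent = 0
        self.dropped = 0

    def _refill(self, now):
        self.tokens = min(float(self.rate), self.tokens + (now - self.last) * self.rate)
        self.last = now

    def _drain(self, now):
        while self.queue:
            arrived, _msg = self.queue[0]
            if now - arrived > self.delay:        # waited longer than the delay: drop
                self.queue.popleft()
                self.dropped += 1
                continue
            if self.tokens < 1.0:                 # rpoc budget exhausted for now
                break
            self.tokens -= 1.0
            self.queue.popleft()
            self.sent += 1

    def offer(self, now, msg):
        """A SIP message for this rpoc arrives at time `now` (seconds, monotonic).
        Returns True if it was sent or queued, False if dropped at once."""
        self._refill(now)
        self._drain(now)
        if len(self.queue) >= self.depth:         # queue full: drop immediately
            self.dropped += 1
            return False
        self.queue.append((now, msg))
        self._drain(now)
        return True

    def tick(self, now):
        """Advance the clock without a new arrival (timer expiry)."""
        self._refill(now)
        self._drain(now)


def demo_rate_limiter():
    lim = DelayBoundedRateLimiter(rate=100, delay_ms=500)   # depth = 50 messages
    for i in range(200):                                     # constructed burst at t=0
        lim.offer(0.0, "INVITE #%d" % i)
    lim.tick(0.2)    # 20 tokens refilled: 20 queued messages go out
    lim.tick(0.6)    # the remaining 30 have waited 600 ms > 500 ms: dropped
    return lim.sent, lim.dropped, len(lim.queue)
```

With the page's example values (rate 10000, delay 300) the same model gives a depth of 3000 messages: a burst larger than the rpoc can absorb within 300 ms is shed at the firewall rather than queued towards the CCS, which is the overload protection the chapter introduction describes.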


no load-balancing-group groupId 

Purpose

The purpose of that command is to delete a Load-Balancing-Group.

Before deleting a Load-Balancing-Group it is necessary to remove the existing associations between this Load-Balancing-Group and its RPOC and LPOC via the commands:

load-balancing-group groupId no rpoc poc_id 

load-balancing-group groupId no lpoc trusted_lpoc_id 

Command

no load-balancing-group groupId 

Arguments 

groupId

This is the identifier of the Load-Balancing-Group. 

Example 

-> load-balancing-group 3 no lpoc 2

-> load-balancing-group 3 no rpoc 1

-> no load-balancing-group 3


show load-balancing-group

Purpose

The purpose of that command is to display the Load-Balancing-Group configuration and its operational status.

Command

show load-balancing-group [groupId] 

Arguments 

groupId

This is the identifier of the Load-Balancing-Group. If groupId is not specified, all Load Balancing Groups are displayed.

Example 

-> show load-balancing-group

+----------+-----------------+--------+------+-------+

! Group Id ! Name ! Status ! Lpoc ! Vlan !

+----------+-----------------+--------+------+-------+

! 1 ! LBG_1 ! up ! 1 ! 200 !

! 2 ! LBG_2 ! up ! 1 ! 200 !

! 3 ! LBG-Tokyo ! up ! 1 ! 200 !

! 4 ! LBG4-Mexico ! up ! 1 ! 200 !

+----------+-----------------+--------+------+-------+

Output Definition 

Status

The Load-Balancing-Group status is:

• “up” if at least one rpoc (MGC8 CCS) is seen alive via the SIP OPTIONS heartbeat mechanism.

• “down” if all rpoc (MGC8 CCS) failed to answer the SIP OPTIONS sent by the SIP Firewall.


show load-balancing-group rpoc

Purpose

The purpose of that command is to display, on the trusted side, the Remote POC configurations and their operational status.

Command

show load-balancing-group [groupId] rpoc [poc_id] 

Arguments 

groupId

This is the identifier of the Load-Balancing-Group. If groupId is not specified, all Load Balancing Groups are displayed.

Example 

-> show load-balancing-group rpoc

+-----+------+-----------+----------------------------------------+-------+-------+------+-----+----------+--------+

! LBG ! rpoc ! Ope state ! IP Address ! Udp ! Tcp ! Sctp ! Tls ! call/sec ! Tx/sec !

+-----+------+-----------+----------------------------------------+-------+-------+------+-----+----------+--------+

! 1 ! 1 ! up ! 192.168.2.50 2001:200::192:168:2:50 ! 50001 ! 50001 ! n/s ! n/s ! 10000 ! 10000 !

! 2 ! 1 ! up ! 192.168.2.9 ! 50001 ! 50001 ! n/s ! n/s ! 10000 ! 10000 !

! 3 ! 1 ! up ! 192.168.2.33 ! 50001 ! 50001 ! n/s ! n/s ! 10000 ! 10000 !

! 4 ! 1 ! up ! 192.168.2.35 2001:200::192:168:2:35 ! 50001 ! 50001 ! n/s ! n/s ! 10000 ! 10000 !

! 5 ! 1 ! up ! 192.168.2.37 ! 5060 ! 5060 ! n/s ! n/s ! 10000 ! 10000 !

+-----+------+-----------+----------------------------------------+-------+-------+------+-----+----------+--------+

Output Definition 

Ope State

The rpoc (MGC8 CCS) status relies on the SIP OPTIONS heartbeat mechanism. The rpoc is:

• “up” if the rpoc successfully responds to the SIP OPTIONS sent by the SIP Firewall.

• “down” if the rpoc fails to answer the SIP OPTIONS sent by the SIP Firewall.


show load-balancing-group connectivity

Purpose

The purpose of that command is to check, on the trusted side, the IP and SIP connectivity between the trusted LPOC and the remote POCs (IBCF’s CCSs).

The IP connectivity is checked by periodically issuing ICMP requests from the LPOC to the RPOCs associated within the Load-Balancing-Group. By default a Ping request is issued every 5 seconds. ICMP requests are sent for both IPv4 and IPv6 protocols according to the RPOC/LPOC configuration.

The SIP connectivity is checked according to the SIP OPTIONS heartbeat mechanism. The SFW periodically sends SIP OPTIONS from the LPOC to the RPOCs associated within the Load-Balancing-Group. By default a SIP OPTIONS is sent every 5 seconds. Depending on the RPOC/LPOC configuration the SIP OPTIONS mechanism is activated either over IPv4 or IPv6 or both protocols.

The polling period, applying to both Ping and SIP OPTIONS, can be modified via the CLI command “load-balancing-group GroupId polling period interval”.

Command

show load-balancing-group [groupId] connectivity 

Arguments 

groupId

This is the identifier of the Load-Balancing-Group. If groupId is not specified, all Load Balancing Groups are displayed.

Example 

-> show load-balancing-group connectivity

+----------+------+------+--------+--------+---------+--------+-----------------+

! Group Id ! rpoc ! lpoc ! period ! SIP v4 ! PING v4 ! SIP v6 ! PING v6 !

+----------+------+------+--------+--------+---------+--------+-----------------+

! 1 ! 1 ! 1 ! 4 ! up ! PING UP ! down ! PING UP !

! 2 ! 1 ! 1 ! 4 ! up ! PING UP ! down ! V4 ONLY !

! 3 ! 1 ! 1 ! 4 ! up ! PING UP ! down ! V4 ONLY !

! 4 ! 1 ! 1 ! 4 ! up ! PING UP ! down ! NO RESP !

! 5 ! 1 ! 1 ! 4 ! up ! NO MAC ! down ! V4 ONLY !

+----------+------+------+--------+--------+---------+--------+-----------------+


Output Definition 

SIP v4

The “SIP v4” status relies on the SIP OPTIONS heartbeat mechanism over IPv4 protocol.

• “up” means that the rpoc successfully responds to the SIP OPTIONS sent by the SIP Firewall using IPv4 protocol.

• “down” means that the rpoc fails to answer the SIP OPTIONS sent by the SIP Firewall using IPv4 protocol.

SIP v6

The “SIP v6” status relies on the SIP OPTIONS heartbeat mechanism over IPv6 protocol.

• “up” means that the rpoc successfully responds to the SIP OPTIONS sent by the SIP Firewall using IPv6 protocol.

• “down” means that the rpoc fails to answer the SIP OPTIONS sent by the SIP Firewall using IPv6 protocol.

PING v4 and PING v6

The “PING v4” status reflects the IP V4 connectivity between LPOC and RPOC of a

Load-Balancing-Group.

The “PING v6” status reflects the IP V6 connectivity between LPOC and RPOC of a

Load-Balancing-Group.

• “PING UP” means that the rpoc successfully responds to the ICMP requests sent by the SIP Firewall.

• “NO MAC” means that the configuration is consistent but the RPOC destination MAC address has not yet been resolved.

• “NO LPOC” means that the configuration is not consistent. There is no LPOC associated with the Load-Balancing-Group whereas there is at least a RPOC and a Vlan associated with that Load-Balancing-Group.

• “NO LPOC IP ADDR” means that the configuration is not consistent. The LPOC associated with the Load-Balancing-Group has no IPv4 address whereas there is at least one IPv4 RPOC associated with that Load-Balancing-Group. The LPOC associated with the Load-Balancing-Group has no IPv6 address whereas there is at least one IPv6 RPOC associated with that Load-Balancing-Group.


• “NO VLAN” means that the configuration is not consistent. There is no Vlan associated with the Load-Balancing-Group.

• “NO VLAN SUBNET” means that the configuration is not consistent. There is no IPv4 subnet in the definition of the vlan associated with the Load-Balancing-Group whereas there is at least one IPv4 RPOC associated with that Load-Balancing-Group. There is no IPv6 subnet in the definition of the vlan associated with the Load-Balancing-Group whereas there is at least one IPv6 RPOC associated with that Load-Balancing-Group.

• “NO ROUTER IP” means that the configuration is not consistent. An IP router address is required in the definition of the vlan associated with the Load-Balancing-Group, otherwise the LPOC is unreachable. A router is required in the vlan definition as soon as the vlan and the LPOC are not in the same subnet.

• “ROUTER IP NOT IN SUBNET” means that the configuration is not consistent. The router IP address in the definition of the vlan associated with the Load-Balancing-Group is not in the vlan subnet.

• “NO DEFAULT GW” means that the configuration is not consistent. An IP gateway address is required in the definition of the vlan associated with the Load-Balancing-Group, otherwise the RPOC is unreachable. A gateway is required in the vlan definition as soon as the vlan and the RPOC are not in the same subnet.

• “GATEWAY IP NOT IN SUBNET” means that the configuration is not consistent. The gateway IP address in the definition of the vlan associated with the Load-Balancing-Group is not in the vlan subnet.

• “NO RESP” means that the configuration is consistent. The MAC address of the RPOC is known but the SFW does not get any response to the ping requests.

• “TRUNK DOWN” means that the configuration is consistent. The trusted trunk is down.

• “V6 ONLY” means that the configuration is consistent but the LPOC or RPOC is IPv6 only, thus ping v4 cannot be performed.

• “V4 ONLY” means that the configuration is consistent but the LPOC or RPOC is IPv4 only, thus ping v6 cannot be performed.
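The PING v4 / PING v6 status values listed above (pages 209-210) are, in effect, a consistency check of the LPOC, RPOC and vlan definitions followed by the observed ICMP result. The Python function below is an added illustration of that check, not Alcatel-Lucent code: it returns the page's status strings for one LPOC/RPOC pair. The order in which the checks are applied, the dictionary layout of the configuration, the runtime flags (`trunk_up`, `mac_resolved`, `ping_reply`) and the treatment of a missing RPOC address as "V4 ONLY"/"V6 ONLY" (rather than "NO LPOC IP ADDR", which is kept for a missing LPOC address) are assumptions. The demo uses the addresses of the chapter's networking example.

```python
from ipaddress import ip_address, ip_network


def _in_subnet(addr, subnet):
    return ip_address(addr) in ip_network(subnet, strict=False)


def ping_status(lpoc, rpoc, vlan, family, trunk_up=True, mac_resolved=True, ping_reply=True):
    """Return the 'PING v4' (family=4) or 'PING v6' (family=6) status string
    for one LPOC/RPOC pair of a Load-Balancing-Group.

    lpoc, rpoc: {4: "addr" or None, 6: "addr" or None}, or None if not associated.
    vlan: {"subnet": {4: "cidr", ...}, "router": {...}, "gw": {...}}, or None.
    trunk_up, mac_resolved, ping_reply: observed runtime state (constructed here).
    The order in which the checks are applied is an assumption.
    """
    if vlan is None:
        return "NO VLAN"
    if lpoc is None:
        return "NO LPOC"
    if rpoc.get(family) is None:            # nothing to ping in this address family
        return "V4 ONLY" if family == 6 else "V6 ONLY"
    if lpoc.get(family) is None:
        return "NO LPOC IP ADDR"
    subnet = vlan.get("subnet", {}).get(family)
    if subnet is None:
        return "NO VLAN SUBNET"
    if not _in_subnet(lpoc[family], subnet):    # LPOC off the vlan subnet: router required
        router = vlan.get("router", {}).get(family)
        if router is None:
            return "NO ROUTER IP"
        if not _in_subnet(router, subnet):
            return "ROUTER IP NOT IN SUBNET"
    if not _in_subnet(rpoc[family], subnet):    # RPOC off the vlan subnet: gateway required
        gw = vlan.get("gw", {}).get(family)
        if gw is None:
            return "NO DEFAULT GW"
        if not _in_subnet(gw, subnet):
            return "GATEWAY IP NOT IN SUBNET"
    # configuration is consistent: report the runtime state
    if not trunk_up:
        return "TRUNK DOWN"
    if not mac_resolved:
        return "NO MAC"
    if not ping_reply:
        return "NO RESP"
    return "PING UP"


def demo_connectivity():
    # the networking example from this chapter: LPOC 192.168.20.1 on vlan 20
    # (192.168.20.0/30, gw 192.168.20.2), RPOC 192.168.10.10 behind the gateway
    lpoc = {4: "192.168.20.1", 6: None}
    rpoc = {4: "192.168.10.10", 6: None}
    vlan = {"subnet": {4: "192.168.20.0/30"}, "router": {}, "gw": {4: "192.168.20.2"}}
    return (
        ping_status(lpoc, rpoc, vlan, 4),                                  # PING UP
        ping_status(lpoc, rpoc, vlan, 6),                                  # V4 ONLY
        ping_status(lpoc, rpoc, dict(vlan, gw={}), 4),                     # NO DEFAULT GW
        ping_status(lpoc, rpoc, dict(vlan, gw={4: "192.168.21.2"}), 4),    # GATEWAY IP NOT IN SUBNET
        ping_status(lpoc, rpoc, vlan, 4, mac_resolved=False),              # NO MAC
    )
```

Running such a check against the intended configuration before applying it on the firewall catches the "not consistent" cases (missing gateway, gateway outside the vlan subnet, missing LPOC address) that would otherwise only surface in the connectivity table after commissioning.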


13 Tcp Syn Flood Protection

Purpose

This paragraph provides information about the SFW configuration protecting against TCP SYN flooding.

Introduction

TCP SYNs are filtered out according to predefined thresholds depending on the interface type.

The default thresholds values are the following ones:

o OAM interface: 10 TCP SYN per sec

o Trusted interface: 1000 TCP SYN per sec

o Untrusted interface: 2000 TCP SYN per sec

When the TCP SYN rate exceeds the above thresholds the SFW suspects that an attack is ongoing and enters TCP SYN regulation mode.

In that state the TCP SYNs are filtered out to prevent the attack. However TCP connection establishment is still possible for non-attackers.

When activated the TCP SYN regulation mode will last at least 30 seconds.

The default TCP SYN threshold values can be adjusted via the CLI commands listed below.

The “show tcp syn” command provides useful information about the TCP SYN flood parameters and current status. 
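The behaviour described in this introduction (a per-interface SYN-per-second threshold, a regulation mode entered when it is exceeded and held for at least 30 seconds, and a status/attack counter as shown by "show tcp syn") can be modelled as a small sliding-window detector. The Python below is an added illustration, not Alcatel-Lucent code. The defaults, the 10000 SYN/s ceiling and the 30-second minimum are taken from this chapter; how the SFW decides which SYNs to filter in regulation mode is not described on the page, so letting through at most the configured rate per second is an assumption, as are the class and method names.

```python
from collections import deque

# Page defaults: TCP SYN per second per interface type
DEFAULT_SYN_RATE = {"oam": 10, "trusted": 1000, "untrusted": 2000}
MAX_SYN_RATE = 10000            # page: rate cannot be set higher than 10000
MIN_REGULATION_SECONDS = 30     # page: regulation mode lasts at least 30 seconds


class SynFloodGuard:
    """One interface's SYN flood threshold, status and attack counter."""

    def __init__(self, interface, rate=None):
        if interface not in DEFAULT_SYN_RATE:
            raise ValueError("interface must be oam, trusted or untrusted")
        self.rate = DEFAULT_SYN_RATE[interface] if rate is None else rate
        if not 0 < self.rate <= MAX_SYN_RATE:
            raise ValueError("rate must be between 1 and %d SYN per second" % MAX_SYN_RATE)
        self.seen = deque()       # timestamps of all SYNs in the last second
        self.accepted = deque()   # timestamps of SYNs let through in the last second
        self.status = "Off"       # "Off"/"On" as shown by 'show tcp syn'
        self.regulation_until = 0.0
        self.attack_counter = 0

    def _expire(self, now):
        for window in (self.seen, self.accepted):
            while window and window[0] <= now - 1.0:
                window.popleft()

    def syn(self, now):
        """Record one TCP SYN arriving at `now` (seconds, monotonic).
        Returns True if the SYN is let through, False if it is filtered."""
        self._expire(now)
        self.seen.append(now)
        # leave regulation only after the minimum hold time, once the rate is back under the threshold
        if self.status == "On" and now >= self.regulation_until and len(self.seen) <= self.rate:
            self.status = "Off"
        # threshold crossed: suspect an attack and start regulating
        if self.status == "Off" and len(self.seen) > self.rate:
            self.status = "On"
            self.regulation_until = now + MIN_REGULATION_SECONDS
            self.attack_counter += 1
        if self.status == "Off":
            self.accepted.append(now)
            return True
        # assumption: while regulating, at most `rate` SYNs per second are let through,
        # so connection establishment stays possible at the configured rate
        if len(self.accepted) < self.rate:
            self.accepted.append(now)
            return True
        return False


def demo_syn_guard():
    guard = SynFloodGuard("oam")                        # default threshold: 10 SYN/s
    burst = [guard.syn(i * 0.01) for i in range(15)]    # constructed: 15 SYN within 150 ms
    status_after_burst = guard.status
    during = guard.syn(5.0)      # one SYN 5 s later: still regulating, but under the rate
    after = guard.syn(40.0)      # past the 30 s minimum and the rate is back to normal
    return sum(burst), guard.attack_counter, status_after_burst, during, after, guard.status
```

In the demo the first ten SYNs of the burst pass, the eleventh crosses the OAM threshold and switches the status to "On" (attack counter 1), the rest of the burst is filtered, a lone SYN five seconds later is still let through, and the status returns to "Off" only after the 30-second hold has elapsed and the observed rate is back under the threshold.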


tcp syn untrusted rate syn_per_sec 

Purpose

The purpose of this command is to modify the default value applied for TCP SYN flood protection on the Untrusted interface of the firewall. The default value is set to 2000 TCP SYN per second.

Command 

tcp syn untrusted rate syn_per_sec  

Arguments 

syn_per_sec

Defines the acceptable TCP SYN rate on the Untrusted interface. This rate cannot be set higher than 10000 TCP SYN per second.

Example 

-> tcp syn untrusted rate 5000

tcp syn trusted rate syn_per_sec 

Purpose

The purpose of this command is to modify the default value applied for TCP SYN flood protection on the Trusted interface of the firewall. The default value is set to 1000 TCP SYN per second.

Command 

tcp syn trusted rate syn_per_sec  

Arguments 

syn_per_sec

Defines the acceptable TCP SYN rate on the Trusted interface. This rate cannot be set higher than 10000 TCP SYN per second.

show tcp syn

Purpose

The purpose of this command is to display the TCP SYN flood configuration and check whether the SFW has been or is currently under TCP SYN attack.

Command 

show tcp syn

Output Definition 

rate

This is the maximum rate of TCP SYN per second before entering TCP SYN regulation mode.

status

Off: There is no TCP SYN flood attack ongoing.

On: There is a TCP SYN flood attack ongoing.

attack counter

Counts the number of TCP SYN attacks.

Example 

-> show tcp syn
+-----------+------+--------+----------------+
! interface ! rate ! status ! attack counter !
+-----------+------+--------+----------------+
! oam       !   10 ! off    !              0 !
! trusted   ! 1000 ! off    !              0 !
! untrusted ! 2000 ! off    !              0 !
+-----------+------+--------+----------------+

show tcp statistics

Purpose

The purpose of that command is to display the TCP statistics per interface type.

Command 

show tcp statistics

Output Definition 

tcpActiveOpens

Active connection openings.

tcpPassiveOpens

Passive connection openings.

tcpAttemptFails

Failed connection attempts.

tcpEstabResets

Connection resets received.

tcpCurrEstab

Connections established.

tcpInSegs

Segments received.

tcpOutSegs

Segments sent out.

tcpRetransSegs

Segments retransmitted.

tcpInErrs

TCP segments received in error.

tcpOutRsts

TCP resets sent.

tcpSynRcv

TCP SYN received.

tcpSynDropped

TCP SYN dropped.

tcpOutOfSeqResets

TCP RST dropped because of a bad sequence number.

Example 

-> show tcp statistics
CUMULATED UNTRUSTED TCP STATISTICS
tcpActiveOpens : 16523
tcpPassiveOpens : 2
tcpCurrEstab : 3
tcpInSegs : 18894
tcpOutSegs : 30190
tcpSynRcv : 2

CUMULATED TRUSTED TCP STATISTICS
tcpActiveOpens : 261153
tcpCurrEstab : 31
tcpInSegs : 243029
tcpOutSegs : 384744

OAM TCP STATISTICS
tcpActiveOpens : 34
tcpPassiveOpens : 32
tcpAttemptFails : 1
tcpCurrEstab : 3
tcpInSegs : 1965
tcpOutSegs : 1753
tcpRetransSegs : 1

14  Interfaces (Ge Ports) & Trunks

Purpose

This paragraph provides information about the management of the Gigabit Ethernet physical ports of the SIP Firewall.

Introduction

The SIP firewall is made of 2 DHSPP4 boards running in Active/Standby mode for the SIP Firewalling application.

Each DHSPP4 is hosted in a different 7510 SCM2 board (slot 10 and slot 11).

Each DHSPP4 provides 8 Gigabit Ethernet physical ports (Ge0..Ge7). Four interfaces per DHSPP4 are available on the front panel (Ge0..Ge3):

• Ge0 interfaces are dedicated to the cabling towards the Untrusted networks

• Ge3 interfaces are dedicated to the cabling towards the Trusted networks

• Ge1 and Ge2 are used to interconnect Active and Standby DHSPP4

Two interfaces per DHSPP4, not accessible on the front panel but via the SCM, are used for OAM (Ge4) and SCM/DHSPP4 (Ge5) supervision.

Summary of the CLI for Ge Interfaces and Trunks management

Ge Interfaces and Trunks management

show interfaces

show interfaces slot[/port]

trunk {trusted|untrusted} mode [linkagg | act-stdy]

show trunk [trusted|untrusted]

show trunk [trusted|untrusted] port

show interfaces

Purpose

The purpose of the following commands is to provide information about the Giga Ethernet interfaces of the SIP Firewall.

Commands 

show interfaces

show interfaces slot[/port]

Arguments 

slot

This is the identifier of the SCM slot hosting the DHSPP4. It’s either 10 or 11.

port

Optionally the Giga Ethernet port number can be specified.

Example

-> show interfaces
+-----------------------------+--------------+--------------------+
! Slot/Port                   ! Admin Status ! Operational Status !
+-----------------------------+--------------+--------------------+
! 10/Ge0 external untrusted   ! up           ! up                 !
! 10/Ge1 external inter-HSPP  ! up           ! up                 !
! 10/Ge2 external inter-HSPP  ! up           ! up                 !
! 10/Ge3 external trusted     ! up           ! up                 !
! 10/Ge4 internal OAM         ! up           ! up                 !
! 10/Ge5 internal supervision ! up           ! up                 !
! 11/Ge0 external untrusted   ! up           ! up                 !
! 11/Ge1 external inter-HSPP  ! up           ! up                 !
! 11/Ge2 external inter-HSPP  ! up           ! up                 !
! 11/Ge3 external trusted     ! up           ! up                 !
! 11/Ge4 internal OAM         ! up           ! up                 !
! 11/Ge5 internal supervision ! up           ! up                 !
+-----------------------------+--------------+--------------------+

-> show interfaces 10/0
Slot/Port : 10/0
Description : 10/Ge0 external untrusted
Operational Status : up
Last Time Link Changed : 54:03:47
Type : Ethernet
MAC Address : 00:11:3F:C7:DD:2D
Rx :
  Bytes Received : 1298954
  Unicast Frames : 2209
  Broadcast/Multicast Frames : 11750
  Error Frames : 943
  Discarded frames : 0
Tx :
  Bytes Xmitted : 202216
  Unicast Frames : 4396
  Broadcast/Multicast Frames : 0
  Queued Frames : 0

trunk {trusted|untrusted} mode [linkagg | act-stdy]

Purpose

Trusted and Untrusted interfaces are connected to the next-hop IP using either:

• Static Link Aggregation (802.3ad), without LACP. This is the preferred configuration, but it requires the PE Router to be carrier grade. Or,

• Active/Standby configuration. If the PE router is not carrier grade, this is the configuration to be chosen. In that case both interfaces must belong to the same VLAN and a layer 2 switching must be configured between both switch-routers.

The purpose of this command is to configure the trunk mode according to the PE Router capability:

Static Link Aggregation (802.3ad) configuration with a carrier grade router.

Active/Standby configuration in case of Switch-Routers that are not carrier grade.

Commands 

trunk {trusted|untrusted} mode [linkagg | act-stdy] 

Arguments 

{trusted|untrusted}

The operator can only change the mode of the trusted and untrusted trunks. OAM and inter-DHSPP4 trunks have a predefined setup.

linkagg

Configure the trunk in Static Link Aggregation mode (802.3ad). Static LAGG means that there is no LACP protocol. This must be taken into account on the PE-Router, where LACP could be activated by default when configuring a Link Aggregation. LACP must be disabled on the PE-Router for this LAGG.

act-stdy

Configure the trunk in Active-Standby mode. Remember that in that case both interfaces must belong to the same VLAN and a layer 2 switching must be configured between both switch-routers.

Example

-> trunk trusted mode linkagg

-> trunk untrusted mode linkagg

show trunk

Purpose

The following command displays information about the configuration and the status of the trunks. Additional information can be retrieved with the command “show trunk port”.

Commands 

show trunk [trusted|untrusted] 

Output Definition 

Trunk-group

This is the trunk alias.

Oper State

Operational state of the trunk (up/down).

Mode

Networking mode configured.

Att/Up ports

Number of attached ports and number of ports UP.

Example

-> show trunk
+-------------+------------+----------+--------+-------+
! Trunk-group ! Oper State ! Mode     ! Att/Up ! ports !
+-------------+------------+----------+--------+-------+
! trusted     ! up         ! linkagg  ! 2      ! 2     !
! untrusted   ! up         ! linkagg  ! 2      ! 2     !
! inter-DHSPP ! up         ! linkagg  ! 2      ! 2     !
! oam         ! up         ! act-stdy ! 2      ! 2     !
+-------------+------------+----------+--------+-------+

show trunk port

15  SIP Message Management

Purpose

This paragraph provides information about the options controlling whether checks are performed on some SIP headers, and about their configuration on the SIP firewall.

Introduction

The SFW by default performs checks on the SIP mandatory headers. If any mandatory header is missing, the SIP message is rejected. But some SIP UEs may send messages without some mandatory header because they follow an obsolete specification. To support such SIP behavior, the SFW has a configuration option controlling whether or not to accept a SIP message without the specific mandatory header.

Summary of the CLI for SIP Message Management

SIP header management

sip-header max-forwards {enable|disable}

show sip-header  

sip-header max-forwards {enable|disable}

Purpose

The following command provides an option to allow INVITE requests from the untrusted side that have no Max-Forwards header to pass through the SIP firewall.

Commands 

sip-header max-forwards {enable|disable}

Arguments 

{enable|disable} 

Enable allows an incoming INVITE without a Max-Forwards header to pass through the SIP firewall; it also inserts a default Max-Forwards header into the INVITE request sent to the trusted side when the INVITE received from the untrusted side does not contain one. Disable rejects an INVITE without a Max-Forwards header. By default, the argument is disable.

Example 

-> sip-header max-forwards enable
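The check this command controls, as an added example (not Alcatel-Lucent code): a request from the untrusted side lacking the mandatory Max-Forwards header is rejected by default, while with the option enabled an INVITE is admitted and a default Max-Forwards header is inserted before it goes to the trusted side. The default value 70 is the RFC 3261 recommendation and an assumption here (the guide only says "a default max-forward header"); the sample INVITE is constructed.

```python
"""Model of the 'sip-header max-forwards {enable|disable}' check.

Added example, not Alcatel-Lucent code: a request arriving from the
untrusted side is checked for the mandatory Max-Forwards header. With the
option disabled (the default) a request lacking it is rejected; with the
option enabled an INVITE lacking it is admitted and a default Max-Forwards
header is inserted before the request goes to the trusted side. The
default value 70 is the RFC 3261 recommendation, an assumption here (the
guide only says 'a default max-forward header'); the sample INVITE is
constructed for this example.
"""

DEFAULT_MAX_FORWARDS = 70
CRLF = "\r\n"

# Constructed sample: a well-formed INVITE that lacks Max-Forwards.
SAMPLE_INVITE = CRLF.join([
    "INVITE sip:bob@example.net SIP/2.0",
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds",
    "From: <sip:alice@example.org>;tag=1928301774",
    "To: <sip:bob@example.net>",
    "Call-ID: a84b4c76e66710@192.0.2.10",
    "CSeq: 314159 INVITE",
    "Contact: <sip:alice@192.0.2.10>",
    "Content-Length: 0",
]) + CRLF + CRLF


def parse_message(raw):
    """Split a SIP message into (start line, [(name, value)], body)."""
    head, _, body = raw.partition(CRLF + CRLF)
    lines = head.split(CRLF)
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers, body


def build_message(start_line, headers, body):
    head = CRLF.join([start_line] + ["%s: %s" % h for h in headers])
    return head + CRLF + CRLF + body


def has_header(headers, name):
    """Header names are case-insensitive in SIP."""
    return any(h.lower() == name.lower() for h, _ in headers)


def check_request(raw, max_forwards_enabled=False):
    """Apply the Max-Forwards mandatory-header check to one message.

    Returns ("forward", message_to_send) or ("reject", reason)."""
    start_line, headers, body = parse_message(raw)
    if start_line.startswith("SIP/2.0"):
        return "forward", raw            # responses carry no Max-Forwards
    method = start_line.split(" ", 1)[0]
    if has_header(headers, "Max-Forwards"):
        return "forward", raw            # mandatory header present
    if method == "INVITE" and max_forwards_enabled:
        # Relaxed mode: admit the INVITE and add the default header so the
        # trusted side still receives a loop-limited request.
        headers.insert(0, ("Max-Forwards", str(DEFAULT_MAX_FORWARDS)))
        return "forward", build_message(start_line, headers, body)
    # Default behaviour, and any non-INVITE request: mandatory header missing.
    return "reject", "%s without mandatory Max-Forwards header" % method
```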

show sip-header

Purpose

The following command provides information about the configuration of SIP header management.

Commands 

show sip-header 

Output Definition 

max forwards

Current status of backward support on Max-Forwards header.

Example 

-> show sip-header
+--------------+
! max forwards !
+--------------+
! enabled      !
+--------------+
1 elements

16  SNMP Management

Purpose

This paragraph provides information about the SNMP support and configuration on the SIP firewall.

Introduction

The SFW current release supports SNMP as follows:

o SFW sends traps in V2c only.

o SNMP set and get are by default expected in SNMP V3. This is the preferred mode. Refer to the “user management” section to see how to configure authentication and encryption parameters for SNMP V3.

o SNMP set and get in V2c are possible via a specific configuration in the sitecfg.sfw. Please refer to the Appendix “How to configure the SFW site specific parameters” if you want to perform SNMP set/get in V2c.

o SNMP get/set V2c and V3 can both be done at the same time.

o SFW supports an “Active Alarm Table” to be able to retrieve the SNMP alarms that are currently active. This allows the OMC-P to know the SFW alarms status even if traps have been lost. The “Active Alarms” are returned by doing an SNMP “get table” on the table “ActiveAlarmsTable” of the MIB ALCATEL-OMCCN-ALARMMANAGEMENT-MIB.

The SFW supports the following MIBs:

o Standard MIB: RFC 1213 parts

  mib-2 system OIDs

  mib-2 interfaces OIDs

o ALU-SFW-MANAGEMENT-MIB

  This is the SFW proprietary MIB used for SFW provisioning and SFW Performance Management.

Alarms Management

Hereafter are the Alarms and Events that are sent by the SFW SNMP agent.

Table 1 SFW SNMP TRAPS

Each entry gives the trap name, the trap id, the description and the severity.

sfwLinkDown (trap id 1001, severity: major)

When raised this alarm means that one of the interfaces configured on the SFW went down. When cleared this alarm means that one of the interfaces configured on the SFW came up.

sfwBoardActLossStbSupervision (trap id 1002, severity: major)

When raised this alarm means that the SFW active DHSPP4 board loses supervision of the standby DHSPP4 board. When cleared this alarm means that the SFW active DHSPP4 board recovers supervision of the standby DHSPP4 board.

sfwIbcfCcsStatusChange (trap id 1003, severity: warning)

When raised this alarm means that the SFW detected, via the SIP OPTIONS heartbeat mechanism, that a CCS of the local IBCF became unreachable. When cleared this alarm means that the SFW detected, via the SIP OPTIONS heartbeat mechanism, that a CCS of the local IBCF recovered reachability.

sfwLoadBalancingGroupStatusChange (trap id 1004, severity: major)

When raised this alarm means that the SFW detected, via the SIP OPTIONS heartbeat mechanism, that all CCS belonging to a Load Balancing Group became unreachable. When cleared this alarm means that the SFW detected, via the SIP OPTIONS heartbeat mechanism, that at least one CCS belonging to a Load Balancing Group recovered reachability.

sfwBoardTemperatureTooHigh (trap id 1005, severity: threshold 1 major, threshold 2 critical)

When raised this alarm means that one SFW board temperature has crossed a threshold. When cleared this alarm means that the temperature has gone below a threshold.

sfwHealthMonCpuAlert (trap id 1006, severity: threshold 1 major, threshold 2 critical)

When raised this alarm means that one SFW board CPU has crossed a threshold. When cleared this alarm means that the CPU has gone below a threshold.

sfwHealthMonMemAlert (trap id 1007, severity: threshold 1 major, threshold 2 critical)

When raised this alarm means that one SFW board Memory item has crossed a threshold. When cleared this alarm means that all Memory items are below a threshold.

sfwUntrLowLayerDrop (trap id 1008, severity: threshold 1 warning, threshold 2 minor)

When raised this alarm means that the counter "sfwUntrustedLowLayerDrop" has exceeded a threshold. When cleared this alarm means that the counter "sfwUntrustedLowLayerDrop" has decreased below a threshold. The counter "sfwUntrustedLowLayerDrop" counts the number of packets dropped on the Untrusted side because of ARP error, IP error, Fragmentation error, UDP error, ICMP error, N-Tuple classification error, Minimum size error.

sfwUntrSipPass1Drop (trap id 1009, severity: threshold 1 warning, threshold 2 minor)

When raised this alarm means that the counter "pass1Drop", for the Peer Network identified by "peerNetIndex", has exceeded a threshold. When cleared this alarm means that the counter "pass1Drop", for the Peer Network identified by "peerNetIndex", has decreased below a threshold. The counter "pass1Drop" counts the number of packets dropped on the Untrusted side during the SIP Pass1 checks.

sfwUntrSipPass1SuspectDrop (trap id 1010, severity: threshold 1 warning, threshold 2 minor)

When raised this alarm means that the counter "pass1DropSipSuspicious", for the Peer Network identified by "peerNetIndex", has exceeded a threshold. When cleared this alarm means that the counter "pass1DropSipSuspicious", for the Peer Network identified by "peerNetIndex", has decreased below a threshold. The counter "pass1DropSipSuspicious" counts the number of packets dropped on the Untrusted side during the Pass1 checks due to suspect format.

sfwUntrSipPass2MethodRateInQos0 (trap id 1011, severity: threshold 1 warning, threshold 2 minor)

When raised this alarm means that the counter "pass2MethodRateInQos0", for the Peer Network identified by "peerNetIndex", has exceeded a threshold. When cleared this alarm means that the counter "pass2MethodRateInQos0", for the Peer Network identified by "peerNetIndex", has decreased below a threshold. The counter "pass2MethodRateInQos0" counts the number of packets on the Untrusted side downgraded to QOS0 during the Pass2 checks. A SIP message is downgraded to QOS0 when abnormal behavior has been observed for a SIP flow with the same IP/SIP signature.

sfwUntrSipPass2Drop (trap id 1012, severity: threshold 1 warning, threshold 2 minor)

When raised this alarm means that the counter "pass2Drop", for the Peer Network identified by "peerNetIndex", has exceeded a threshold. When cleared this alarm means that the counter "pass2Drop", for the Peer Network identified by "peerNetIndex", has decreased below a threshold. The counter "pass2Drop" counts the number of packets dropped on the Untrusted side during the SIP Pass2 checks.

sfwUntrSipMethodRateDrop (trap id 1013, severity: threshold 1 warning, threshold 2 minor)

When raised this alarm means that the counter associated with pass2MethodRateDrop, reporting the number of messages dropped because of rate limitation, has exceeded a threshold. When cleared this alarm means that the counter associated with pass2MethodRateDrop has decreased below a threshold. This alarm applies to a specific Peer Network identified by the object peerNetIndex.

sfwUntrSipAdmCtlCallDrop (trap id 1014, severity: threshold 1 warning, threshold 2 minor)

When raised this alarm means that the counter associated with pass2AdmCtlCallDrop, reporting the number of messages dropped because the INVITE rate is greater than the available rate on the trusted side, has exceeded a threshold. When cleared this alarm means that the counter associated with pass2AdmCtlCallDrop has decreased below a threshold. This alarm applies to a specific Peer Network identified by the object peerNetIndex.

sfwUntrIpFragAttackPrevented (trap id 1015, severity: threshold 1 warning, threshold 2 minor)

Notifies that the SFW detected an IP fragmentation attack and prevented it, i.e.:

- IP fragment overlapped

- IP fragmentation buffer full

- IP fragment overrun

- IP fragment overwrite, etc.

This alarm is raised when the counter sfwUntrustedLowLayerDropFrag has exceeded a threshold. This alarm is cleared when the counter sfwUntrustedLowLayerDropFrag has decreased below a threshold.

sfwUntrArpAttackPrevented (trap id 1016, severity: threshold 1 warning, threshold 2 minor)

Notifies that the SFW detected an ARP attack and prevented it, i.e.:

- ARP cache exhausting and poisoning prevention

- Forged ARP request prevention

- ARP flooding prevention

This alarm is raised when the counter sfwUntrustedLowLayerDropArp has exceeded a threshold. This alarm is cleared when the counter sfwUntrustedLowLayerDropArp has decreased below a threshold.

sfwUntrIcmpAttackPrevented (trap id 1017, severity: threshold 1 warning, threshold 2 minor)

Notifies that the SFW detected an ICMP attack and prevented it. This alarm is raised when the counter sfwUntrustedLowLayerDropIcmp has exceeded a threshold. This alarm is cleared when the counter sfwUntrustedLowLayerDropIcmp has decreased below a threshold.

sfwTrustedLowLayerDrop (trap id 1018, severity: threshold 1 warning, threshold 2 minor)

When raised this alarm means that the counter "sfwTrustedLowLayerDrop" has exceeded a threshold. When cleared this alarm means that the counter "sfwTrustedLowLayerDrop" has decreased below a threshold. The counter "sfwTrustedLowLayerDrop" counts the number of packets dropped on the Trusted side because of ARP error, IP error, Fragmentation error, UDP error, ICMP error, N-Tuple classification error, Minimum size error.

sfwTrustedSipPass1Drop (trap id 1019, severity: threshold 1 warning, threshold 2 minor)

When raised this alarm means that the counter "pass1Drop", for the Peer Network identified by "peerNetIndex", has exceeded a threshold. When cleared this alarm means that the counter "pass1Drop", for the Peer Network identified by "peerNetIndex", has decreased below a threshold. The counter "pass1Drop" counts the number of packets dropped on the Trusted side during the SIP Pass1 checks.

sfwTrustedSipPass2Drop (trap id 1020, severity: threshold 1 warning, threshold 2 minor)

When raised this alarm means that the counter "pass2Drop", for the Peer Network identified by "peerNetIndex", has exceeded a threshold. When cleared this alarm means that the counter "pass2Drop", for the Peer Network identified by "peerNetIndex", has decreased below a threshold. The counter "pass2Drop" counts the number of packets dropped on the Trusted side during the SIP Pass2 checks.

sfwTcpSynFlood (trap id 1021, severity: warning)

When raised this alarm means that a TCP SYN Flood attack has been prevented on one of the interfaces of the SFW. As soon as the TCP SYN flood is detected, a TCP SYN regulation mechanism is started on the SFW interfaces. In that state the TCP SYN are filtered to prevent the attack. However, TCP connection establishment is still possible for non-attackers. Due to the TCP SYN regulation the alarm will not be cleared before 30 sec even if the attack was performed during 1 sec.

sfwTcpResetFlood (trap id 1022, severity: threshold 1 warning, threshold 2 minor)

When raised this alarm means that the counter "tcpOutOfSeqResets", for the Peer Network identified by "peerNetIndex", has exceeded a threshold. When cleared this alarm means that the counter "tcpOutOfSeqResets", for the Peer Network identified by "peerNetIndex", has decreased below a threshold.

sfwTcpErrorsFlood (trap id 1023, severity: threshold 1 warning, threshold 2 minor)

When raised this alarm means that the counter "tcpInErrs", for the Peer Network identified by "peerNetIndex", has exceeded a threshold. When cleared this alarm means that the counter "tcpInErrs", for the Peer Network identified by "peerNetIndex", has decreased below a threshold.

sfwConfigurationChanged (trap id 1101, severity: warning)

This trap is sent when the SFW configuration has been "certified". The configuration is "certified" with one of the following operations:

- either via CLI: "copy working certified" (note that this operation is allowed only after a "copy running working");

- or via SNMP set on the object sfwConfigMgmtCopyToFlash with the value copyWorkingCertified(2) in the branch sfwConfigMgmt of the SFW MIB ALU-SFW-MANAGEMENT-MIB.

The SFW raises and clears most of its alarms, sending SNMP traps, when observation counters (or gauges) exceed predefined thresholds.

For this kind of alarm there are 2 thresholds per object. This allows monitoring of the system behavior with 2 different severities per alarm. To easily correlate the counter (or gauge) thresholds and their related alarms, threshold identifiers and trap identifiers have common ids.
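The two-threshold raise/clear scheme just described, as an added example (not Alcatel-Lucent code): each counter has thresholds <trap id>.1 and <trap id>.2 with their own severities, a trap is raised when a sample exceeds a threshold and cleared when a later sample falls back below it, and the threshold id shares its integer part with the trap id. The ids and severities are taken from the trap tables; the threshold values and the sample readings are constructed.

```python
"""Two-threshold alarm evaluation, as described above for the SFW traps.

Added example, not Alcatel-Lucent code: each monitored counter or gauge
has thresholds <trap id>.1 and <trap id>.2, each with its own severity; a
trap is raised when a sample exceeds a threshold and cleared when a later
sample falls back below it, and the threshold id shares its integer part
with the trap id. Threshold ids and severities come from Tables 1 and 2;
the threshold values and the sample series are constructed here.
"""

# threshold id -> severity, per alarm (from the trap table above)
THRESHOLD_SEVERITY = {
    "sfwBoardTemperatureTooHigh": {"1005.1": "major", "1005.2": "critical"},
    "sfwUntrLowLayerDrop": {"1008.1": "warning", "1008.2": "minor"},
    "sfwTcpResetFlood": {"1022.1": "warning", "1022.2": "minor"},
}
SEVERITY_RANK = {"warning": 1, "minor": 2, "major": 3, "critical": 4}


def trap_id(threshold_id):
    """Threshold and trap ids share the integer part: '1008.2' -> 1008."""
    return int(threshold_id.split(".")[0])


class ThresholdAlarm:
    """Raise/clear state for one alarm with two thresholds."""

    def __init__(self, alarm_name, th1, th2):
        if alarm_name not in THRESHOLD_SEVERITY:
            raise ValueError("unknown alarm: %s" % alarm_name)
        if not th1 < th2:
            raise ValueError("threshold 1 must be below threshold 2")
        self.name = alarm_name
        ids = sorted(THRESHOLD_SEVERITY[alarm_name])   # ['x.1', 'x.2']
        self.levels = [(ids[0], th1), (ids[1], th2)]
        self.raised = set()   # threshold ids whose alarm is currently raised

    def sample(self, value):
        """Feed one counter/gauge reading; return the traps it produces."""
        events = []
        for tid, threshold in self.levels:
            if value > threshold and tid not in self.raised:
                self.raised.add(tid)            # "has exceeded a threshold"
                events.append(self._trap(tid, "raised"))
            elif value < threshold and tid in self.raised:
                self.raised.discard(tid)        # "has decreased below a threshold"
                events.append(self._trap(tid, "cleared"))
        return events

    def _trap(self, tid, state):
        return {"trap": self.name, "trap id": trap_id(tid),
                "threshold id": tid,
                "severity": THRESHOLD_SEVERITY[self.name][tid],
                "state": state}

    def active_severity(self):
        """Highest severity currently raised, or None when the alarm is clear."""
        sevs = [THRESHOLD_SEVERITY[self.name][t] for t in self.raised]
        return max(sevs, key=SEVERITY_RANK.get) if sevs else None


def run(alarm, samples):
    """Replay a series of readings and collect every trap emitted."""
    return [event for value in samples for event in alarm.sample(value)]
```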

Table 2 SFW SNMP TRAPS Thresholds

Each entry gives the threshold names, the threshold ids, the description, the associated alarm and its trap id.

sfwBoardTemperatureTooHighTh1, sfwBoardTemperatureTooHighTh2 (threshold ids 1005.1, 1005.2)

Thresholds on the board temperature. When crossed an alarm is raised or cleared.

Associated alarm: sfwBoardTemperatureTooHigh (trap id 1005)

sfwHealthMonCpuAlertTh1, sfwHealthMonCpuAlertTh2 (threshold ids 1006.1, 1006.2)

Thresholds on the board CPU. When crossed an alarm is raised or cleared.

Associated alarm: sfwHealthMonCpuAlert (trap id 1006)

sfwHealthMonMemAlertTh1, sfwHealthMonMemAlertTh2 (threshold ids 1007.1, 1007.2)

Thresholds on the board Memory. When crossed an alarm is raised or cleared.

Associated alarm: sfwHealthMonMemAlert (trap id 1007)

sfwUntrLowLayerDropTh1, sfwUntrLowLayerDropTh2 (threshold ids 1008.1, 1008.2)

Thresholds on the counter of dropped messages on the Untrusted interface due to the following reasons:

• ARP error

• Invalid IP packet

• IP fragmentation error

• Invalid UDP packet

• Invalid ICMP packet

• Unknown source IP address

• Invalid destination IP:port

• UDP packet length below minimum size

Associated alarm: sfwUntrLowLayerDrop (trap id 1008)

sfwUntrSipPass1DropTh1, sfwUntrSipPass1DropTh2 (threshold ids 1009.1, 1009.2)

Thresholds on the counter of dropped messages during SIP pass1 checking on the Untrusted interface due to the following reasons:

• Configuration mismatch

• Output overloading

• No RPOC available within a load balancing group

• No Token bucket

• Out Of Sequence SIP message

• Maximum retries has been reached

• Malformed header

• Suspicious header format

• Lack of resources

Associated alarm: sfwUntrSipPass1Drop (trap id 1009)

sfwUntrSipPass1SuspectDropTh1, sfwUntrSipPass1SuspectDropTh2 (threshold ids 1010.1, 1010.2)

Thresholds on the counter of dropped messages during SIP pass1 parsing due to suspicious header format.

Associated alarm: sfwUntrSipPass1SuspectDrop (trap id 1010)

sfwUntrSipPass2MethodRateInQos0Th1, sfwUntrSipPass2MethodRateInQos0Th2 (threshold ids 1011.1, 1011.2)

Thresholds on the counter of packets on the Untrusted side downgraded to QOS0 during the Pass2 checks. A SIP message is downgraded to QOS0 when abnormal behavior has been observed for a SIP flow with the same IP/SIP signature.

Associated alarm: sfwUntrSipPass2MethodRateInQos0 (trap id 1011)

sfwUntrSipPass2DropTh1, sfwUntrSipPass2DropTh2 (threshold ids 1012.1, 1012.2)

Thresholds on the counter of dropped messages during SIP pass2 checking on the Untrusted interface due to the following reasons:

• Method rate limitation

• Malformed header

• Configuration mismatch

• Suspicious header format

• Admission Control

• Out Of Sequence SIP message

• Maximum retries has been reached

• Lack of resources

• SIPP parsing error during regeneration of the SIP message

Associated alarm: sfwUntrSipPass2Drop (trap id 1012)

sfwUntrSipMethodRateDropTh1, sfwUntrSipMethodRateDropTh2 (threshold ids 1013.1, 1013.2)

Thresholds on the counter of dropped messages during SIP pass2 checking due to rate limitation per SIP method.

Associated alarm: sfwUntrSipMethodRateDrop (trap id 1013)

sfwUntrSipAdmCtlCallDropTh1, sfwUntrSipAdmCtlCallDropTh2 (threshold ids 1014.1, 1014.2)

Thresholds on the counter of dropped messages during SIP pass2 checking due to Admission Control: the INVITE rate is greater than the available rate on the trusted side.

Associated alarm: sfwUntrSipAdmCtlCallDrop (trap id 1014)

sfwUntrustedLowLayerDropFragTh1, sfwUntrustedLowLayerDropFragTh2 (threshold ids 1015.1, 1015.2)

Thresholds on the counter of dropped messages due to IP fragmentation errors.

Associated alarm: sfwUntrIpFragAttackPrevented (trap id 1015)

sfwUntrArpAttackPreventedTh1, sfwUntrArpAttackPreventedTh2 (threshold ids 1016.1, 1016.2)

Thresholds on the counter of ARP errors.

Associated alarm: sfwUntrArpAttackPrevented (trap id 1016)

sfwUntrIcmpAttackPreventedTh1sfwUntrIcmpAttackPreventedTh1

1017.11017.2

Thresholds on thecounter of ICMPerrors.

sfwUntrIcmpAttackPr evented

1017

sfwTrustedLowLayerDropTh1

sfwTrustedLowLayerDropTh2

1018.1

1018.2

Thresholds on thecounter of droppedmessages on theTrusted interface dueto the followingreasons:

•  ARP error • Invalid IP

packet• IP

fragmentation error 

• Invalid UDPpacket

• InvalidICMPpacket

Unknownsource IPaddress

sfwTrustedLowLayer 

Drop

1018

Page 238: 3fz08139acaapczza_v1_sfw Cli Reference Guide - Release 3.0

7/23/2019 3fz08139acaapczza_v1_sfw Cli Reference Guide - Release 3.0

http://slidepdf.com/reader/full/3fz08139acaapczzav1sfw-cli-reference-guide-release-30 238/316

SNMP Management  Alarms Management

238 Alcatel-Lucent — Proprietary  3FZ 08139 ACAA PCZZAUse pursuant to applicable agreements Edition 07

July 2015

Thresholds names Threshold

id  

Description Associated Alarm Trap id

• InvaliddestinationIP:port

UDP packetlengthbelowminimumsize

sfwTrustedSipPass1DropTh1sfwTrustedSipPass1DropTh2

1019.11019.2

Thresholds on thecounter of droppedmessages during SIPpass1 checking on theUntrusted interfacedue to the followingreasons:

• Configurationmismatch

• Out Of Sequence SIPmessage

• Maximumretries has been reached

• Malformed header 

• Suspiciousheader format

• Lack of resources

sfwTrustedSipPass1Drop

1019

sfwTrustedSipPass2DropTh1sfwTrustedSipPass2DropTh2

1020.11020.2

Thresholds on thecounter of dropped

messages during SIPpass2 checking on theUntrusted interfacedue to the followingreasons:

• Malformed header  

• Configurationmismatch

• Suspiciousheader format

• Out Of 

Sequence SIPmessage

• Maximumretries has been reached 

• Lack of resources

• SIPP parsingerror duringregenerationof the SIPmessage

sfwTrustedSipPass2Drop

1020

sfwTcpResetFloodTh1sfwTcpResetFloodTh2 1022.11022.2Thresholds on thecounter of TCP resetdetected as out-of-

sfwTcpResetFlood 1022

Page 239: 3fz08139acaapczza_v1_sfw Cli Reference Guide - Release 3.0

7/23/2019 3fz08139acaapczza_v1_sfw Cli Reference Guide - Release 3.0

http://slidepdf.com/reader/full/3fz08139acaapczzav1sfw-cli-reference-guide-release-30 239/316

SNMP Management Alarms Management 

3FZ 08139 ACAA PCZZA Alcatel-Lucent — Proprietary 239 Edition 07 Use pursuant to applicable agreementsJuly 2015

Thresholds names Threshold

id  

Description Associated Alarm Trap id

sequence.

sfwTcpInErrsTh1sfwTcpInErrsTh2

1023.11023.2

Thresholds on thecounter of TCPsegments received inerror and dropped bythe firewall.

sfwTcpErrorsFlood 1023


Table 3 SFW SNMP TRAPS format

SFW sends SNMP traps using the following X.733 format. This format is also the one described in the “Active Alarm Table” of the MIB ALCATEL-OMCCN-ALARMMANAGEMENT-MIB.

Field                     Description
TrapSequenceNumber        This is the sequence number of the sent trap.
Identifier                Identifies the trap sent.
ManagedObjectClass        Identifies the SFW object class on which the trap applies.
ManagedObjectInstance     Identifies the SFW object instance on which the trap applies.
FriendlyName              Identifies the name of the SFW sending the trap.
EventType                 Enum value corresponding to the event type according to X.733.
EventTime                 The date and time at which the event indicated in the trap occurred.
Severity                  Enum value corresponding to the severity of the event reported in the trap: Critical = 1, Major = 2, Minor = 3, Warning = 4, Cleared = 5.
3GPPProbableCause         Enum value indicating the probable cause according to 3GPP.
SpecificProblem           Provides additional information on the meaning of the trap.
AdditionnalText           Identifies the 7510 hosting the SFW.
ThresholdInfoAttribute    Identifies the name of the SFW counter monitored to send the trap.
ThresholdInfoValue        Value of the SFW counter which triggered the trap.
ThresholdInfoDirection    Direction of the threshold crossing (up or down; see the alarm content example below).
ThresholdInfoTriggerHigh  Higher threshold on the SFW counter identified by “ThresholdInfoAttribute”.
ThresholdInfoTriggerLow   Lower threshold on the SFW counter identified by “ThresholdInfoAttribute”.
UserLabel                 This text field explains clearly the meaning of the trap.
ProposedRepairAction      This field explains the actions that could be done to solve the problem reported by this trap.
AdditionnalInfoName1..5   Provides additional information on the reason of the trap.
AdditionnalInfoValue1..5  Provides additional information on the reason of the trap.


SFW alarm content example:

sfwLinkDown (Identifier 1001)
    ManagedObjectClass: ifTable
    ManagedObjectInstance: ifIndex
    FriendlyName: sysName
    EventType: equipment
    Severity: major
    3GPPProbableCause: linkFailure
    SpecificProblem: ifOperStatus
    AdditionnalText: sfw7510Name
    ThresholdInfoAttribute, ThresholdInfoValue, ThresholdInfoDirection, ThresholdInfoTriggerHigh, ThresholdInfoTriggerLow: none
    UserLabel: Link Status Change
    ProposedRepairAction: See alarm description in SFW proprietary MIB.
    AdditionnalInfoName1 / AdditionnalInfoValue1: ifDescr / ifDescr value
    AdditionnalInfoName2 / AdditionnalInfoValue2: ifAdminStatus / ifAdminStatus value
    AdditionnalInfoName3..5 / AdditionnalInfoValue3..5: none

sfwBoardTemperatureTooHigh (Identifier 1005)
    ManagedObjectClass: boardTable
    ManagedObjectInstance: boardIndex
    FriendlyName: sysName
    EventType: equipment
    Severity: major
    3GPPProbableCause: temperatureUnacceptable
    SpecificProblem: none
    AdditionnalText: sfw7510Name
    ThresholdInfoAttribute: boardTemperature
    ThresholdInfoValue: boardTemperature value
    ThresholdInfoDirection: up | down
    ThresholdInfoTriggerHigh: sfwBoardTemperatureTooHighTh2 value
    ThresholdInfoTriggerLow: sfwBoardTemperatureTooHighTh1 value
    UserLabel: Board Temperature Too High
    ProposedRepairAction: See alarm description in SFW proprietary MIB.
    AdditionnalInfoName1..5 / AdditionnalInfoValue1..5: none


snmp station stationId   ip ip_address 

Purpose

The purpose of the following command is to create or modify an SNMP station to receive the traps sent by the firewall.

Commands 

snmp station stationId ip ip_address [port port_num] community {community_string | username} version {v2c | v3} [enable | disable]

Arguments 

stationId

This is the identifier of the SNMP station. Up to 5 SNMP stations can be configured.

ip_address

This is the IP address to which SNMP unicast traps will be sent.

 port_num

This is the listening UDP port of the SNMP station. This parameter is optional. The default value is 162.

community_string

This is the community string used when sending traps in v2c. It must be between 1 and 32 characters. In v2c the community string travels in clear text in every trap datagram, so treat it as a shared secret and do not leave it at the default “public”.

username

This is the username used when sending traps in V3.

version

With this release traps can be sent in V2c only.

enable | disable

If this parameter is set to “disable” the SNMP traps will not be sent towards the SNMP station.

Example

-> snmp station 1 ip 139.54.128.9 port 163 community public version v2c enable
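For v2c, the community string configured above is what the station uses to accept the trap, and it is carried as a plain OCTET STRING in every datagram. The following Python block is an added example, not SFW code: it builds a minimal SNMPv2c trap (RFC 3416 layout, with the two mandatory varbinds sysUpTime.0 and snmpTrapOID.0) and parses it back with a small BER reader, so the community can be seen in the clear. The trap OID under 1.3.6.1.4.1.99999 is a hypothetical placeholder, not the SFW's real enterprise OID, and the community, uptime and request-id values are constructed.

```python
"""Minimal SNMPv2c trap encoder/decoder (BER), showing what the configured
station receives on its UDP port.  Added example, not SFW code.  The trap
OID under 1.3.6.1.4.1.99999 is a hypothetical placeholder, not the SFW's OID."""
from typing import Any, Dict, List, Tuple

SYS_UPTIME_0 = "1.3.6.1.2.1.1.3.0"                  # sysUpTime.0
SNMP_TRAP_OID_0 = "1.3.6.1.6.3.1.1.4.1.0"           # snmpTrapOID.0
HYPOTHETICAL_TRAP_OID = "1.3.6.1.4.1.99999.1.1005"  # placeholder (assumption)
TAG_INTEGER, TAG_OCTET_STRING, TAG_OID, TAG_SEQUENCE = 0x02, 0x04, 0x06, 0x30
TAG_TIMETICKS = 0x43          # [APPLICATION 3] IMPLICIT INTEGER
TAG_SNMPV2_TRAP_PDU = 0xA7    # [CONTEXT 7], constructed (RFC 3416)
VERSION_V2C = 1               # msgVersion value for SNMPv2c


def ber_length(n: int) -> bytes:
    # Definite-form length: short form below 128, long form above.
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + ber_length(len(payload)) + payload

def ber_int(value: int, tag: int = TAG_INTEGER) -> bytes:
    # Two's-complement content; (bit_length + 8) // 8 keeps a leading 0x00 when the top bit is set.
    return tlv(tag, value.to_bytes(max(1, (value.bit_length() + 8) // 8), "big", signed=True))

def ber_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]  # first two arcs share one octet
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:  # base-128, high bit set on all but the last octet
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(chunk)
    return tlv(TAG_OID, bytes(out))

def build_v2c_trap(community: str, uptime_ticks: int, trap_oid: str, request_id: int = 1) -> bytes:
    """SNMPv2-Trap-PDU with the two mandatory varbinds, wrapped in a v2c message."""
    varbinds = tlv(TAG_SEQUENCE,
                   tlv(TAG_SEQUENCE, ber_oid(SYS_UPTIME_0) + ber_int(uptime_ticks, TAG_TIMETICKS))
                   + tlv(TAG_SEQUENCE, ber_oid(SNMP_TRAP_OID_0) + ber_oid(trap_oid)))
    pdu = tlv(TAG_SNMPV2_TRAP_PDU, ber_int(request_id) + ber_int(0) + ber_int(0) + varbinds)
    # Message ::= SEQUENCE { version INTEGER, community OCTET STRING, data PDU }
    return tlv(TAG_SEQUENCE, ber_int(VERSION_V2C) + tlv(TAG_OCTET_STRING, community.encode("ascii")) + pdu)

def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    # Returns (tag, content, position just after this element).
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(content: bytes) -> str:
    arcs, value = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def parse_trap(message: bytes) -> Dict[str, Any]:
    """Decode header and varbinds.  The community is a plain OCTET STRING: no key, no MAC."""
    tag, body, _ = read_tlv(message, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("not an SNMP message")
    _, version, pos = read_tlv(body, 0)
    _, community, pos = read_tlv(body, pos)
    pdu_tag, pdu, _ = read_tlv(body, pos)
    _, request_id, pos = read_tlv(pdu, 0)
    for _ in range(2):  # skip error-status and error-index
        _, _, pos = read_tlv(pdu, pos)
    _, varbind_list, _ = read_tlv(pdu, pos)
    varbinds: List[Tuple[str, Any]] = []
    pos = 0
    while pos < len(varbind_list):
        _, vb, pos = read_tlv(varbind_list, pos)
        _, oid, vpos = read_tlv(vb, 0)
        vtag, val, _ = read_tlv(vb, vpos)
        if vtag == TAG_OID:
            decoded: Any = decode_oid(val)
        elif vtag in (TAG_INTEGER, TAG_TIMETICKS):
            decoded = int.from_bytes(val, "big", signed=True)
        else:
            decoded = val
        varbinds.append((decode_oid(oid), decoded))
    return {"version": int.from_bytes(version, "big", signed=True), "community": community.decode("ascii"),
            "pdu_type": pdu_tag, "request_id": int.from_bytes(request_id, "big", signed=True), "varbinds": varbinds}


if __name__ == "__main__":
    datagram = build_v2c_trap("public", 123456, HYPOTHETICAL_TRAP_OID)  # constructed values
    print(datagram.hex(), parse_trap(datagram), sep="\n")
```

A packet capture on the station's UDP port (162 by default) can be fed to parse_trap in the same way. Anyone who can observe that traffic reads the community string, which is why it should not be reused as a read or write community on the agent. SNMPv3 with privacy, as selected per user with “user username auth {sha | md5} priv {aes | des}” later in this guide, encrypts the PDU, but the guide states that this release sends traps in v2c only.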


snmp station stationId {enable | disable}

Purpose

The purpose of the following command is to enable or disable the forwarding of SNMP traps towards a configured SNMP station.

Commands 

snmp station  stationId {enable | disable} 

Arguments

stationId

This is the identifier of the SNMP station.

enable | disable

If this parameter is set to “disable” the SNMP traps will not be sent towards the SNMP station.

Example

-> snmp station 1 disable

no snmp station stationId

Purpose

The purpose of the following command is to delete an SNMP station.

Commands 

no snmp station  stationId 

Arguments

stationId

This is the identifier of the SNMP station.

Example 

-> no snmp station 1


show snmp station

Purpose

The purpose of the following command is to display the configuration of the SNMP stations.

Commands 

show snmp station 

Example 

-> show snmp station

+------------+--------------------+--------+----------+-----------+
! Station Id ! IpAddress/udpPort  ! Status ! Protocol ! Community !
+------------+--------------------+--------+----------+-----------+
! 1          ! 139.54.128.9/162   ! Enable ! v2c      ! public    !
! 2          ! 139.54.128.112/162 ! Enable ! v2c      ! public    !
+------------+--------------------+--------+----------+-----------+


show snmp alarm thresholds

Purpose

The purpose of the following command is to display the current configuration of the alarm thresholds.

Refer to the Table 1 “SFW SNMP TRAPS” and the Table 2 “SFW SNMP TRAPS Thresholds” described at the beginning of this section to get a detailed description of the SNMP alarms managed by the SFW.

Commands 

show snmp alarm thresholds

Outputs information

Ids

There are two thresholds per alarm. If needed, the threshold Id identifies the threshold to be modified with the command “snmp alarm modify threshold threshold_id value new_value”.

Thresholds names

The name of the threshold is provided to easily correlate the threshold with the related SNMP trap.

Values

This is the threshold value. 

Example 

-> show snmp alarm thresholds

+--------+------------------------------------+--------+
! Ids    ! Thresholds names                   ! values !
+--------+------------------------------------+--------+
! 1005.1 ! sfwBoardTemperatureTooHighTh1      ! 67     !
! 1005.2 ! sfwBoardTemperatureTooHighTh2      ! 70     !
! 1006.1 ! sfwHealthMonCpuAlertTh1            ! 90     !
! 1006.2 ! sfwHealthMonCpuAlertTh2            ! 95     !
! 1007.1 ! sfwHealthMonMemAlertTh1            ! 85     !
! 1007.2 ! sfwHealthMonMemAlertTh2            ! 95     !
! 1008.1 ! sfwUntrLowLayerDropTh1             ! 10000  !
! 1008.2 ! sfwUntrLowLayerDropTh2             ! 50000  !
! 1009.1 ! sfwUntrSipPass1DropTh1             ! 1000   !
! 1009.2 ! sfwUntrSipPass1DropTh2             ! 5000   !
! 1010.1 ! sfwUntrSipPass1SuspectDropTh1      ! 100    !
! 1010.2 ! sfwUntrSipPass1SuspectDropTh2      ! 500    !
! 1011.1 ! sfwUntrSipPass2MethodRateInQos0Th1 ! 100    !
! 1011.2 ! sfwUntrSipPass2MethodRateInQos0Th2 ! 500    !
! 1012.1 ! sfwUntrSipPass2DropTh1             ! 100    !
! 1012.2 ! sfwUntrSipPass2DropTh2             ! 500    !
! 1013.1 ! sfwUntrSipMethodRateDropTh1        ! 100    !
! 1013.2 ! sfwUntrSipMethodRateDropTh2        ! 500    !
! 1014.1 ! sfwUntrSipAdmCtlCallDropTh1        ! 100    !
! 1014.2 ! sfwUntrSipAdmCtlCallDropTh2        ! 500    !
! 1015.1 ! sfwUntrIpFragAttackPreventedTh1    ! 1000   !
! 1015.2 ! sfwUntrIpFragAttackPreventedTh2    ! 5000   !
! 1016.1 ! sfwUntrArpAttackPreventedTh1       ! 1000   !
! 1016.2 ! sfwUntrArpAttackPreventedTh2       ! 5000   !
! 1017.1 ! sfwUntrIcmpAttackPreventedTh1      ! 1000   !
! 1017.2 ! sfwUntrIcmpAttackPreventedTh2      ! 5000   !
! 1018.1 ! sfwTrustedLowLayerDropTh1          ! 1000   !
! 1018.2 ! sfwTrustedLowLayerDropTh2          ! 5000   !
! 1019.1 ! sfwTrustedSipPass1DropTh1          ! 100    !
! 1019.2 ! sfwTrustedSipPass1DropTh2          ! 500    !
! 1020.1 ! sfwTrustedSipPass2DropTh1          ! 100    !
! 1020.2 ! sfwTrustedSipPass2DropTh2          ! 500    !
! 1022.1 ! sfwTcpResetFloodTh1                ! 100    !
! 1022.2 ! sfwTcpResetFloodTh2                ! 500    !
! 1023.1 ! sfwTcpErrorFloodTh1                ! 100    !
! 1023.2 ! sfwTcpErrorFloodTh2                ! 500    !
+--------+------------------------------------+--------+


snmp alarm modify threshold threshold_id  

Purpose

The purpose of the following command is to modify a threshold value associated with an SNMP trap. This operation must be done with caution because the SFW raises or clears alarms when counters or gauges cross these thresholds.

Commands 

snmp alarm modify threshold threshold_id value new_value 

Arguments 

threshold_id

This is the identifier of the alarm threshold to be modified. The command “show snmp alarm thresholds” allows retrieving the threshold Ids. There are 2 thresholds per alarm to manage 2 severities per alarm.

new_value

For alarm 1005 the thresholds are given in degrees Celsius.

For alarms 1006 and 1007, the thresholds represent a percentage of CPU or memory.

For other alarms, the thresholds represent a number of events per second.

For example:

+--------+------------------------------------+--------+
! Ids    ! Thresholds names                   ! values !
+--------+------------------------------------+--------+
! 1010.1 ! sfwUntrSipPass1SuspectDropTh1      ! 100    !
+--------+------------------------------------+--------+

The alarm 1010 is raised when the gauge associated with the counter "pass1DropSipSuspicious" exceeds the threshold value 100. The gauge is the variation of the counter during one second.

Refer to the Table 1 “SFW SNMP TRAPS” and the Table 2 “SFW SNMP TRAPS Thresholds” described at the beginning of this section to get a detailed description of the SNMP alarms managed by the SFW.

Example 

-> snmp alarm modify threshold 1010.1 value 200


show snmp trap config

Purpose

The purpose of the following command is to display information about the traps managed by the SFW.

Commands 

show snmp trap config 

Outputs information 

Traps list

SNMP trap names are chosen to be self-explanatory.

Id

This is the identifier of the snmp trap.

Severity

This is the alarm severity associated with the snmp trap.

Most of the alarms are managed with 2 thresholds. This allows managing 2 severities. The severity displayed with “show snmp trap config” is the severity associated with the lower threshold.

Refer to the Table 1 “SFW SNMP TRAPS” and the Table 2 “SFW SNMP TRAPS Thresholds” described at the beginning of this section to get a detailed description of the SNMP alarms managed by the SFW.

Filter-delay

By default most of the traps are absorbed with a delay of 2 seconds, but this value can be modified with the command “snmp trap trap_id filter-delay delay”.

Status

“enable” means that the SNMP trap will be sent if the corresponding event occurs.

By default all traps are enabled but can be disabled with the command “snmp trap trap_id {enable | disable}”.


Example 

-> show snmp trap config

+-----------------------------------+------+----------+--------------+--------+

! Traps list ! Id ! Severity ! Filter-delay ! Status !

+-----------------------------------+------+----------+--------------+--------+

! sfwLinkDown ! 1001 ! major ! 1 ! enable !

! sfwBoardActLossStbSupervision ! 1002 ! major ! 2 ! enable !

! sfwIbcfCcsStatusChange ! 1003 ! warning ! 4 ! enable !

! sfwLoadBalancingGroupStatusChange ! 1004 ! major ! 4 ! enable !

! sfwBoardTemperatureTooHigh ! 1005 ! major ! 10 ! enable !

! sfwHealthMonCpuAlert ! 1006 ! major ! 10 ! enable !

! sfwHealthMonMemAlert ! 1007 ! major ! 10 ! enable !

! sfwUntrLowLayerDrop ! 1008 ! warning ! 2 ! enable !

! sfwUntrSipPass1Drop ! 1009 ! warning ! 2 ! enable !

! sfwUntrSipPass1SuspectDrop ! 1010 ! warning ! 2 ! enable !

! sfwUntrSipPass2MethodRateInQos0 ! 1011 ! warning ! 2 ! enable !

! sfwUntrSipPass2Drop ! 1012 ! warning ! 2 ! enable !

! sfwUntrSipMethodRateDrop ! 1013 ! warning ! 2 ! enable !

! sfwUntrSipAdmCtlCallDrop ! 1014 ! warning ! 2 ! enable !

! sfwUntrIpFragAttackPrevented ! 1015 ! warning ! 2 ! enable !

! sfwUntrArpAttackPrevented ! 1016 ! warning ! 2 ! enable !

! sfwUntrIcmpAttackPrevented ! 1017 ! warning ! 2 ! enable !

! sfwTrustedLowLayerDrop ! 1018 ! warning ! 2 ! enable !

! sfwTrustedSipPass1Drop ! 1019 ! warning ! 2 ! enable !

! sfwTrustedSipPass2Drop ! 1020 ! warning ! 2 ! enable !

! sfwTcpSynFlood ! 1021 ! warning ! 2 ! enable !

! sfwTcpResetFlood ! 1022 ! warning ! 2 ! enable !

! sfwTcpErrorFlood ! 1023 ! warning ! 2 ! enable !

! sfwConfigMgmtCopyToFlash ! 1101 ! warning ! 2 ! enable !

+-----------------------------------+------+----------+--------------+--------+


snmp trap trap_id  filter-delay delay  

Purpose

The SFW SNMP agent polls objects (counters, gauges, status) to check whether a condition is reached and, if so, sends the appropriate SNMP traps to report alarms or events. The default polling timer is 1, 2, 4 or 10 seconds depending on the trap id.

For example the trap “sfwBoardTemperatureTooHigh” has a default filter delay of 10 seconds. This means that the temperature is checked every 10 seconds.

This polling interval can be modified for each trap.

Commands 

snmp trap trap_id filter-delay delay 

Arguments 

trap_id

This is the identifier of the trap to be modified. The command “show snmp trap config”

allows retrieving the Trap Ids.

delay

This is the new filtering delay in seconds.

Example 

-> snmp trap 1011 filter-delay 5
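The threshold and filter-delay commands interact, and the guide's description (the gauge is the counter variation over one second, two thresholds per alarm, the agent polling every filter-delay seconds) is enough to model. The following Python block is an added example, not SFW code: it replays a constructed per-second counter series for alarm 1010 through that polling loop and lists the traps that would result under the defaults, after “snmp alarm modify threshold 1010.1 value 200”, and after “snmp trap 1010 filter-delay 5”. Three points are assumptions the guide does not state: the alarm clears when the gauge falls back to or below the lower threshold, the upper threshold maps to the next severity above the configured one (warning to minor here), and the gauge is averaged over the polling window when the delay exceeds one second.

```python
"""Two-threshold alarm evaluation, modelled after the behaviour this guide
describes for the SFW SNMP agent.  Added example, not SFW code.

Assumptions the guide does not state: the alarm clears when the gauge falls
back to or below the lower threshold, the upper threshold maps to the next
severity above the configured one, and the gauge is averaged over the
polling window when the filter-delay exceeds one second.
"""
from dataclasses import dataclass
from typing import List

# Severity codes from Table 3, and the assumed next step up for the upper threshold.
SEVERITY_CODE = {"critical": 1, "major": 2, "minor": 3, "warning": 4, "cleared": 5}
NEXT_UP = {"warning": "minor", "minor": "major", "major": "critical", "critical": "critical"}


@dataclass(frozen=True)
class TrapConfig:
    trap_id: int
    name: str
    severity: str      # severity shown by "show snmp trap config" (lower threshold)
    th1: int           # <trap_id>.1, events per second
    th2: int           # <trap_id>.2, events per second
    filter_delay: int  # polling interval in seconds


@dataclass(frozen=True)
class Trap:
    trap_id: int
    severity: str      # Severity field of the X.733 trap
    direction: str     # ThresholdInfoDirection: "up" or "down"
    value: float       # ThresholdInfoValue: the gauge that triggered the trap
    time: int          # seconds since the start of the sample series


def counter_from_rates(rates_per_second: List[int]) -> List[int]:
    """Build a cumulative counter sampled once per second from per-second event rates."""
    counter = [0]
    for rate in rates_per_second:
        counter.append(counter[-1] + rate)
    return counter


def evaluate(cfg: TrapConfig, counter: List[int]) -> List[Trap]:
    """Replay the polling loop over a cumulative counter and return the traps emitted.

    counter[t] is the counter value at second t.  The agent polls at
    t = filter_delay, 2 * filter_delay, ... and computes the gauge as the
    counter variation per second over the elapsed window.
    """
    traps: List[Trap] = []
    level = 0  # 0: cleared, 1: above th1, 2: above th2
    prev_t, prev_value = 0, counter[0]
    for t in range(cfg.filter_delay, len(counter), cfg.filter_delay):
        gauge = (counter[t] - prev_value) / (t - prev_t)
        prev_t, prev_value = t, counter[t]
        new_level = 2 if gauge > cfg.th2 else 1 if gauge > cfg.th1 else 0
        if new_level == level:
            continue  # no crossing: nothing to send
        if new_level == 0:
            severity = "cleared"
        elif new_level == 1:
            severity = cfg.severity
        else:
            severity = NEXT_UP[cfg.severity]
        direction = "up" if new_level > level else "down"
        traps.append(Trap(cfg.trap_id, severity, direction, gauge, t))
        level = new_level
    return traps


# Constructed traffic profile (events per second, one value per second):
# quiet, then a moderate drop rate, then a burst, then back to quiet.
RATES = [0] * 4 + [150] * 4 + [700] * 4 + [20] * 4
COUNTER = counter_from_rates(RATES)

# Defaults for alarm 1010 as listed by "show snmp alarm thresholds" and "show snmp trap config".
CFG_1010 = TrapConfig(1010, "sfwUntrSipPass1SuspectDrop", "warning", th1=100, th2=500, filter_delay=2)


def main() -> None:
    runs = [
        ("defaults", CFG_1010),
        # after: snmp alarm modify threshold 1010.1 value 200
        ("th1 raised to 200", TrapConfig(1010, CFG_1010.name, "warning", 200, 500, 2)),
        # after: snmp trap 1010 filter-delay 5
        ("filter-delay 5", TrapConfig(1010, CFG_1010.name, "warning", 100, 500, 5)),
    ]
    for label, cfg in runs:
        print(label)
        for trap in evaluate(cfg, COUNTER):
            print(f"  t={trap.time:2d}s trap {trap.trap_id} {trap.severity:8s} "
                  f"{trap.direction:4s} gauge={trap.value:.0f}/s")


if __name__ == "__main__":
    main()
```

The third run shows the operational trade-off of a longer filter-delay: the 700/s burst is averaged into the 5-second window and never crosses the upper threshold, so the station only ever sees the lower-severity trap. Raising the lower threshold (second run) suppresses that trap entirely and the first thing the station sees is the higher severity, which is why the guide asks for caution when modifying thresholds.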


snmp trap trap_id  {enable | disable}

Purpose

The purpose of the following command is to enable or disable the sending of a trap. By default all traps are enabled.

Commands 

snmp trap trap_id {enable | disable} 

Arguments 

trap_id

This is the identifier of the trap to be modified. The command “show snmp trap config”

allows retrieving the Trap Ids.

Example 

-> snmp trap 1011 disable

snmp trap restore default

Purpose

The purpose of the following command is to restore the default values, filtering delay and status, for the trap management.

Commands 

snmp trap restore default


show snmp alarm active

Purpose

The purpose of the following command is to display the alarms currently active, that is, the alarms that have been raised by sending an SNMP trap and not yet cleared.

This CLI provides the same information as an SNMP GET on the table “activeAlarmsTable” of the proprietary MIB ALCATEL-OMCCN-ALARMMANAGEMENT-MIB.

Commands 

show snmp alarm active 

Outputs information 

Sequence number

This is the trapSequenceNumber set in the corresponding SNMP traps.

trap id & trap name

Identify the alarm.

MIB object

Identifies the SFW object causing the alarm.

Example 

-> show snmp alarm active

+----------+------+----------------------------+---------------+----------------------+----------+

! Sequence ! trap ! trap name ! MIB object ! date and time ! severity !

! number ! id ! ! ! ! !

+----------+------+----------------------------+---------------+----------------------+----------+

! 27 ! 1005 ! sfwBoardTemperatureTooHigh ! boardTable.10 ! 2011 Jul 12 9:40:58 ! major !

! 26 ! 1005 ! sfwBoardTemperatureTooHigh ! boardTable.11 ! 2011 Jul 12 9:40:58 ! major !

! 13 ! 1001 ! sfwLinkDown ! ifTable.117 ! 2011 Jul 12 2:21:50 ! major !

! 12 ! 1001 ! sfwLinkDown ! ifTable.116 ! 2011 Jul 12 2:21:50 ! major !

! 8 ! 1001 ! sfwLinkDown ! ifTable.107 ! 2011 Jul 12 2:21:50 ! major !

! 7 ! 1001 ! sfwLinkDown ! ifTable.106 ! 2011 Jul 12 2:21:50 ! major !

+----------+------+----------------------------+---------------+----------------------+----------+


17  Users Management

Purpose

This chapter provides information about Users Management on the SIP firewall.

Introduction

The User Management CLI commands allow you to create, modify or delete users that will be authorized to manage the SFW firewall via CLI.

Additionally, the commands listed hereafter partition the CLI commands according to the “user level” parameter.

Summary of the CLI for Users Management

Users management

user username password

user username level {adm|ope|viewer}

user username no snmp

user username auth {sha | md5} priv {aes | des}

no user username

show user [adm|ope|viewer]

show user cmd [adm|ope|viewer]


user username password

Purpose

The purpose of the following command is to create a user entry in the local user database. You must be logged in with “Administrator” privilege to be authorized to run this command.

Additionally this command allows the operator to modify a user’s password.

Users with “Administrator” privileges can change the password of everybody.

Users with “operator” or “viewer” privileges can change only their own password.

By default, a new user is created with “operator” privileges. This can be modified later with the CLI command “user username level {adm|ope|viewer}”.

Commands 

user username  password 

Arguments 

username

This is the name of the user used for logging into the SFW.

password

The password is not displayed in clear text and must be entered twice for security reasons.

-> user sfwUser password

enter password : *********

password again : *********

Command successful

The password minimum length is 8 characters.

These characters must be chosen within the following 4 categories:

• Digits [0-9]
• Lower case letters [a-z]
• Upper case letters [A-Z]
• Special characters [!"#$%&')*+,-./;<=>?@\^_`|}~]

The password must contain characters from at least 3 of these categories.
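The policy above has three independent conditions (length, allowed alphabet, category count) and the printed special-character list is irregular, so a checker is worth writing out. The following Python block is an added example, not SFW code, that implements the rule as printed; the sample passwords are constructed, and whether the SFW really rejects characters absent from the printed special set (for example “(” and “{”) is an assumption.

```python
"""Checker for the local-user password policy stated in this guide: at least
8 characters, every character drawn from the four listed categories, and
characters from at least 3 of the 4 categories present.

Added example, not SFW code.  The special-character set is taken exactly as
printed in the guide (it contains ')' but not '(' and '}' but not '{');
whether the SFW really rejects the missing characters is an assumption.
"""
import string
from typing import List, Tuple

MIN_LENGTH = 8
MIN_CATEGORIES = 3
CATEGORIES = {
    "digit": frozenset(string.digits),
    "lower": frozenset(string.ascii_lowercase),
    "upper": frozenset(string.ascii_uppercase),
    # [!"#$%&')*+,-./;<=>?@\^_`|}~] as listed in the guide
    "special": frozenset('!"#$%&\')*+,-./;<=>?@\\^_`|}~'),
}
ALLOWED = frozenset().union(*CATEGORIES.values())


def categories_used(password: str) -> List[str]:
    """Names of the categories that contribute at least one character."""
    return [name for name, chars in CATEGORIES.items() if any(c in chars for c in password)]


def check_password(password: str) -> Tuple[bool, List[str]]:
    """Return (accepted, reasons); reasons is empty when the password is accepted."""
    reasons: List[str] = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"too short: {len(password)} < {MIN_LENGTH} characters")
    outside = sorted(set(password) - ALLOWED)
    if outside:
        reasons.append("characters outside the four categories: " + "".join(outside))
    used = categories_used(password)
    if len(used) < MIN_CATEGORIES:
        reasons.append(f"only {len(used)} of {MIN_CATEGORIES} required categories used: {used}")
    return (not reasons, reasons)


# Constructed candidates, not real credentials.
SAMPLES = ["Sfw2015ok", "sfwuser1", "Sfw15!x", "Sfw 2015", "Sfw(2015)", "Sfw)2015"]

if __name__ == "__main__":
    for pw in SAMPLES:
        ok, reasons = check_password(pw)
        print(f"{pw!r:14} {'accepted' if ok else 'rejected'} {'; '.join(reasons)}")
```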


user username level {adm | ope | viewer}

Purpose

The purpose of the following command is to modify the privileges of a user and thus the authorized CLI domains. By default, users are created with “operator” privileges.

You must be logged with “Administrator” privilege to be authorized to run this command. 

Commands 

user username  level {adm|ope|viewer} 

Arguments 

level 

There are three types of users with different level of privileges.

level viewer 

This is the lowest level. It gives limited privileges to the user.

Such user will be able to run only CLI commands “show” to display the SFW config.

The command “show user cmd viewer” provides the list of commands authorized for this

level.

level ope 

This is the intermediate level. It gives operator privileges to the user.

This means that the user will be able to run all CLI commands except the commands to create, modify or delete “users”.

The command “show user cmd ope” provides the list of commands authorized for this

level in addition to the lower level.

level adm 

This is the highest level. It gives administrator privileges to the user.

This means that the user will be able to run all CLI commands.

The command “show user cmd adm” provides the list of commands authorized for this

level in addition to the lower levels.

Example 

-> user visitor level viewer


user username no snmp

Purpose

The purpose of the following command is to deny SNMP access to the SFW for the specified user.

Commands 

user username  no snmp 

Arguments 

username

This is the name of the user.

Example 

-> user visitorCLI no snmp


user username auth { sha | md5} priv {aes | des}

Purpose

The purpose of the following command is to configure the SNMP v3 authentication and encryption algorithms for a given user.

Commands 

user username  auth {sha | md5} priv {aes | des} 

Arguments 

username

This is the name of the user.

auth

Specifies that the SHA or MD5 authentication algorithm should be used for authenticating SNMP PDUs for the user.

priv

Specifies that the AES or DES encryption standard should be used for encrypting SNMP PDUs for the user.

MD5 and DES are the original USM algorithms and are no longer considered adequate; where the SNMP manager supports it, prefer sha with aes.

Example 

-> user admin auth sha priv des


no user username 

Purpose

The purpose of the following command is to delete a user entry in the local user database. You must be logged in with “Administrator” privilege to be authorized to run this command.

Commands 

no user username 

Arguments 

username

This is the name of the user to be deleted.

Example 

-> no user visitor

show user cmd [adm|ope|viewer]

Purpose

The purpose of the following command is to display the list of CLI commands allowed for a given user-level in addition to the authorized commands of the lower level.

This means, for example, that running the command “show user cmd ope” will not display the “show” commands that are inherited from the lower user-level “viewer”. If the user-level is not provided, all CLI commands are displayed with their respective level.

Commands 

show user cmd [adm | ope | viewer] 


Example 

-> show user cmd viewer

+--------+------+----------------------------------------------------------+

! Level ! Mode ! CLI !

+--------+------+----------------------------------------------------------+

! viewer ! All ! show snmp trap active !

! viewer ! All ! show snmp alarm active !

! viewer ! All ! show monitoring-host statistics !

! viewer ! All ! show dscp default !

! viewer ! All ! show certificate local [<1..32>] !

! viewer ! All ! show certificate ca [<1..64>] !

! viewer ! All ! show certificate local {details|pem} <1..32> !

! viewer ! All ! show certificate ca {details|pem} <1..64> !

! viewer ! All ! show tls-profile [<1..32>] !

! viewer ! All ! show dns-internal [peer-net <1..2047>] !

! viewer ! All ! show sfw status !

! viewer ! All ! show peer-net [<1..2047>] connectivity !

! viewer ! All ! show load-balancing-group [<1..32>] connectivity !

! viewer ! All ! show ntp server !

! viewer ! All ! show tcp statistics oam !

! viewer ! All ! show tcp statistics untrusted [<1..2047>] !

! viewer ! All ! show tcp statistics trusted [<1..2047>] !

! viewer ! All ! show tcp statistics !

! viewer ! All ! show tcp syn !

! viewer ! All ! show system !

+--------+------+----------------------------------------------------------+

! Level ! Mode ! CLI !

+--------+------+----------------------------------------------------------+

! viewer ! All ! show syslog !

! viewer ! All ! show snmp community !

! viewer ! All ! show snmp station !

! viewer ! All ! show snmp alarm config !

! viewer ! All ! show snmp trap config !

! viewer ! All ! show configuration consistency !

! viewer ! All ! show snmp trap thresholds !

! viewer ! All ! show snmp alarm thresholds !

! viewer ! All ! show monitoring-host !

! viewer ! All ! show user cmd [adm|ope|viewer] !

! viewer ! All ! show running-directory !

! viewer ! All ! show peer-net <1..2047> lpoc !

! viewer ! All ! show trunk [trusted|untrusted|oam|inter-dhspp4] port !

! viewer ! All ! show configuration {running|working|certified} !

! viewer ! All ! show interfaces [S/P] !

! viewer ! All ! show load-balancing-group [<1..32>] rpoc [<1..32>] !

! viewer ! All ! show vlan [<0..4095>] !


! viewer ! All ! show trunk [trusted|untrusted|oam|inter-dhspp4] !

! viewer ! All ! show security-profile [<1..32>] !

! viewer ! All ! show peer-net [<1..2047>] rpoc [<1..63>] !

+--------+------+----------------------------------------------------------+

! Level ! Mode ! CLI !

+--------+------+----------------------------------------------------------+

! viewer ! All ! show peer-net [<1..2047>] !

! viewer ! All ! show peer-net [<1..2047>] statistics [trusted|untrusted] !

! viewer ! All ! show lpoc [untrusted [<1..128>]] !

! viewer ! All ! show lpoc [trusted [<1..128>]] !

! viewer ! All ! show port [untrusted [<1..128>]] !

! viewer ! All ! show port [trusted [<1..128>]] !

! viewer ! All ! show load-balancing-group [<1..32>] !

! viewer ! All ! show peer-net [<1..2047>] filter [<1..32>] !

! viewer ! CLI ! history !

! viewer ! CLI ! quit !

+--------+------+----------------------------------------------------------+


show user [adm|ope|viewer]

Purpose

The purpose of the following command is to display the existing users. 

Commands 

show user [adm | ope| viewer]

Example 

-> show user

+-----------------+-------+------+------+

! name ! level ! auth ! priv !

+-----------------+-------+------+------+

! root ! admin ! none ! none !

! sfwNonRegTester ! admin ! sha ! des !

+-----------------+-------+------+------+


18  Syslog Management

Purpose

This paragraph provides information about Syslog Management on the SIP firewall.

Introduction

The SFW supports sending SYSLOG messages in accordance with RFC 3164 and RFC 5424. SYSLOG messages are transmitted over the UDP transport, according to RFC 5426.

SYSLOG messages can be sent either on the oam interface or on the trusted interface.

Summary of the CLI for Syslog Management

Syslog management

syslog-server oam ip ip-address [port port-nb]

syslog-server trusted ip ip-address [port port-nb] vlan vlan-id lpoc lpoc-id

syslog-server [ip ip-address] [port port-nb] [vlan vlan-id] [lpoc lpoc-id]

syslog [rate messages-per-seconds] [length max-message-length] [facility facility-code] [rfc3164|rfc5424]

no syslog-server 

show syslog


syslog-server oam ip ip-address

Purpose

The purpose of the following command is to define a syslog-server accessible via the OAM interface, this means via the Ethernet port used for accessing the SFW CLI session through the SCM board.

In that case the source IP address of the Syslog messages is the OAM IP address of the SFW.

Commands 

syslog-server oam ip ip-address [port port-nb]

Arguments 

ip-address

This is the IPv4 address of the Syslog server.

port-nb

This is the UDP listening port of the Syslog server. If port-nb is not specified, the default SYSLOG UDP port number 514 is used.

Example 

-> syslog-server oam ip 155.132.232.30


syslog-server trusted ip ip-address

Purpose

The purpose of the following command is to define a syslog-server accessible via the trusted interface.

Commands 

syslog-server trusted ip ip-address [port port-nb] vlan vlan-id lpoc lpoc-id

Arguments 

ip-address

This is the IPv4 address of the Syslog server.

port-nb

This is the UDP listening port of the Syslog server. If port-nb is not specified, the default SYSLOG UDP port number 514 is used.

vlan-id

This is the Vlan identifier on the trusted side of the firewall on which the Syslog messages have to be sent to reach the syslog server.

lpoc-id

The lpoc-id selects the source IP address of the Syslog messages to be sent. It must be a “trusted” lpoc. Run the command “show lpoc trusted” to choose the lpoc-id according to the source IPv4 address you want to get for Syslog messages.

Example 

-> syslog-server trusted ip 192.168.2.33 port 514 vlan 200 lpoc 128


syslog-server [ip] [port] [vlan] [lpoc]

Purpose

The purpose of the following command is to modify the attributes of a syslog-server.

Commands 

syslog-server [ip ip-address] [port port-nb] [vlan vlan-id] [lpoc lpoc-id]

Arguments 

ip-address

This is the IPv4 address of the Syslog server.

port-nb

This is the UDP listening port of the Syslog server. If port-nb is not specified, the default SYSLOG UDP port number 514 is used.

vlan-id

This is the Vlan identifier on the trusted side of the firewall on which the Syslog messages have to be sent to reach the syslog server. The modification of the vlan-id is only possible if the syslog-server has been defined as accessible via the “trusted” interface via the command “syslog-server trusted ip”.

lpoc-id

The lpoc-id selects the source IP address of the Syslog messages to be sent. It must be a “trusted” lpoc. Run the command “show lpoc trusted” to choose the lpoc-id according to the source IPv4 address you want to get for Syslog messages. The modification of the lpoc-id is only possible if the syslog-server has been defined as accessible via the “trusted” interface via the command “syslog-server trusted ip”.

Example 

-> syslog-server ip 192.168.2.34

-> syslog-server port 512

-> syslog-server vlan 201


syslog [rate] [length] [facility] [rfc3164 | rfc5424]

Purpose

The behavior of SYSLOG client on SFW can be modified using the following command. 

Commands 

syslog [rate messages-per-seconds] [length max-message-length] [facility facility-code] [rfc3164|rfc5424]

Arguments 

messages-per-seconds

Output rate for SYSLOG messages [0 – 100]. If messages-per-seconds is not specified, a default value of 50 is used.

max-message-length

Maximum SYSLOG message length [480 – 8000]. If max-message-length is not specified, a default value of 1024 is used.

facility-code

SYSLOG facility code [0..23]. The facility-code value is taken from the System Message Facilities list of RFC 5424. It is used to build the PRI field of the SYSLOG message. If not specified, a default value of 1 (user-level messages) is used.

Numerical Code   Facility
0                kernel messages
1                user-level messages
2                mail system
3                system daemons
4                security/authorization messages
5                messages generated internally by syslogd
6                line printer subsystem
7                network news subsystem
8                UUCP subsystem
9                clock daemon
10               security/authorization messages
11               FTP daemon
12               NTP subsystem
13               log audit
14               log alert
15               clock daemon (note 2)
16               local use 0 (local0)
17               local use 1 (local1)
18               local use 2 (local2)
19               local use 3 (local3)
20               local use 4 (local4)
21               local use 5 (local5)
22               local use 6 (local6)
23               local use 7 (local7)


rfc3164 | rfc5424

Selects whether the SYSLOG message format conforms to RFC 3164 or RFC 5424. The default SYSLOG message format conforms to RFC 3164.

Example 

-> syslog rate 10 length 512 facility 1
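The following is an added example, not code from this guide or from the SFW, showing how the facility-code, the rfc3164/rfc5424 option and max-message-length described above shape each SYSLOG datagram. The PRI arithmetic and the two header layouts follow RFC 3164 and RFC 5424; the hostname, app name and the sample event are assumptions.

```python
# Added example (not Alcatel-Lucent code): build the SYSLOG datagram that the
# "syslog" command parameters describe. PRI = facility * 8 + severity, as in
# RFC 3164 / RFC 5424; facility names are the RFC 5424 table quoted above.
# Hostname, app name, sample timestamp and sample event text are constructed.
from datetime import datetime, timezone
from typing import Optional

FACILITIES = {
    0: "kernel messages", 1: "user-level messages", 2: "mail system",
    3: "system daemons", 4: "security/authorization messages",
    5: "messages generated internally by syslogd", 6: "line printer subsystem",
    7: "network news subsystem", 8: "UUCP subsystem", 9: "clock daemon",
    10: "security/authorization messages", 11: "FTP daemon",
    12: "NTP subsystem", 13: "log audit", 14: "log alert",
    15: "clock daemon (note 2)",
    **{16 + i: f"local use {i} (local{i})" for i in range(8)},
}

# Constructed timestamp used by the stand-alone run below (UTC).
SAMPLE_TS = datetime(2015, 7, 23, 10, 0, 0, tzinfo=timezone.utc)


def pri(facility: int, severity: int) -> int:
    """PRI field value; identical computation in RFC 3164 and RFC 5424."""
    if facility not in FACILITIES:
        raise ValueError(f"facility-code must be in 0..23, got {facility}")
    if not 0 <= severity <= 7:
        raise ValueError(f"severity must be in 0..7, got {severity}")
    return facility * 8 + severity


def decode_pri(value: int) -> tuple:
    """What a collector does with a received <PRI>: recover (facility, severity)."""
    return value // 8, value % 8


def build_message(msg: str, *, facility: int = 1, severity: int = 6,
                  fmt: str = "rfc3164", max_length: int = 1024,
                  hostname: str = "sfw01", app: str = "sfw",
                  ts: Optional[datetime] = None) -> bytes:
    """Return one SYSLOG UDP payload, truncated to max_length bytes.

    Defaults mirror the CLI defaults on this page: facility 1, length 1024 and
    the RFC 3164 format. Severity 6 is "informational".
    """
    if not 480 <= max_length <= 8000:
        raise ValueError("max-message-length must be in 480..8000")
    ts = ts or datetime.now(timezone.utc)
    header = f"<{pri(facility, severity)}>"
    if fmt == "rfc3164":
        # <PRI>Mmm dd hh:mm:ss HOSTNAME TAG: MSG  (day of month is space padded)
        text = f"{header}{ts:%b} {ts.day:2d} {ts:%H:%M:%S} {hostname} {app}: {msg}"
    elif fmt == "rfc5424":
        # <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
        # "-" is the nil value for the fields the SFW configuration does not carry.
        text = f"{header}1 {ts:%Y-%m-%dT%H:%M:%S}Z {hostname} {app} - - - {msg}"
    else:
        raise ValueError("fmt must be 'rfc3164' or 'rfc5424'")
    # The SFW "length" parameter caps the datagram; a collector should expect
    # truncated messages when events exceed it.
    return text.encode("utf-8")[:max_length]


if __name__ == "__main__":
    for fmt in ("rfc3164", "rfc5424"):
        print(build_message("SIP INVITE dropped: HeaderNotFound", facility=1,
                            fmt=fmt, ts=SAMPLE_TS).decode())
    print("facility/severity of <94>:", decode_pri(94), FACILITIES[decode_pri(94)[0]])
```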

no syslog-server

Purpose

The following command deletes the SYSLOG server configuration.

Commands 

no syslog-server


show syslog

Purpose

The following command displays the SYSLOG server and client configuration.

Commands 

show syslog

Example

-> show syslog
Interface : trusted
Server IP address : 192.168.2.234
Server Port : 514
lpoc : 1
Vlan : 1
rate : 50
length : 1024
rfc : rfc5424
facility : 1

-> show syslog
Interface : oam
Server IP address : 192.168.10.104
Server Port : 514
lpoc : 0
Vlan : 0
rate : 50
length : 1024
rfc : rfc3164
facility : 11


19  NTP servers Management

Purpose

This paragraph provides information about the configuration of the NTP servers on the SFW.

Summary of the CLI for NTP servers Management

NTP servers management

ntp server serverId ip ip_address

no ntp server serverId

show ntp server  


ntp server serverId ip ip-address

Purpose

The purpose of the following command is to define an NTP server. It must be accessible via the OAM interface, this means via the Ethernet port used for accessing the SFW CLI session through the SCM board.

Commands 

ntp server serverId ip ip_address

Arguments 

serverId

This is the identifier of the NTP server. Up to 3 NTP servers can be created.

ip-address

This is the IPv4 address of the NTP server.

Example 

-> ntp server 1 ip 155.132.232.21

no ntp server serverId

Purpose

The purpose of the following command is to delete an NTP server.

Commands 

no ntp server  serverId

Arguments 

serverId


This is the identifier of the NTP server to be deleted.

Example

-> no ntp server 1

show ntp server

Purpose

The purpose of the following command is to display the NTP servers configuration.

Commands 

show ntp server 

Example 

-> show ntp server
+-----------+----------------+
!           ! 135.117.121.10 !
! 3         ! 155.132.232.30 !
+-----------+----------------+


20  Monitoring SIP messages dropped

Purpose

To be able to track SIP packets rejected by the firewall, either because of a DoS attack or because of a misconfiguration, you have the ability to define a host where these packets will be forwarded.

The Monitoring-Host can be reachable either via the OAM interface or via the Trusted interface of the firewall.

Summary of the CLI for Monitoring-Host Management

Monitoring-Host management

monitoring-host trusted ip ipAddress port ipPort lpoc trustedLpoc vlan vlanId rate msgsec

monitoring-host oam ip ipAddress port ipPort rate msgsec

monitoring-host [ip ipAddress] [port ipPort] [lpoc <1..128>] [vlan vlanId] [rate msgsec]

show monitoring-host 


monitoring-host trusted ip ip-address port ipPort 

Purpose

The purpose of the following command is to define a Monitoring-Host, reachable via the Trusted interface of the firewall, where the SIP packets detected as invalid and dropped will be forwarded.

Commands 

monitoring-host trusted ip ipAddress port ipPort lpoc trustedLpoc vlan vlanId rate msgsec 

Arguments

ip-address

This is the IPv4 address of the Monitoring-Host. It must be located on the trusted side of the firewall.

ipPort

This is the destination port for the packets sent to the Monitoring-Host.

trustedLpoc

The source IP address of the packets sent to the Monitoring-Host will be the IP address assigned to the “Trusted LPOC” mentioned here. Run the command “show lpoc trusted” to get the list of LPOC and related IP addresses. Any trusted LPOC can be selected. A specific trusted LPOC can also be configured to assign a dedicated source IP address for the messages sent to the Monitoring-Host.

vlan

This is the vlan identifier, on the trusted side, used to reach the Monitoring-Host.

rate

This is the rate limiter associated with the monitoring feature, limiting the number of forwarded messages. The rate limiter must be set between 1 and 10 messages per second. The default value is 10.

Example 

-> monitoring-host trusted ip 192.168.2.110 port 5060 lpoc 128 vlan 200 rate 10


Additional information

On the monitoring host you just need to run Wireshark.

When the SFW drops a SIP message, two messages are forwarded to the monitoring host: the INFO message provides the cause of the drop (see the example hereafter), and the second message is a copy of the original SIP message that has been rejected by the firewall.

Both messages can be correlated via the “Identification” field of the IP header.

Example of INFO message on the Monitoring-Host

Request-Line: INFO sip:[email protected] SIP/2.0

Message Header

User-Agent: ALU SFW ERROR REPORTING

Contact: <[email protected]>

From: <172.23.8.9:50001>

To: <10.7.8.5:5060>

CSeq: 2630 INFO

Warning: Version:1.2.3 file:sfw_dfa_api.cpp line:763

Warning: mark:CallID error:(13)HeaderNotFound
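The following is an added example, not code from this guide or from the SFW, that parses the INFO report above on the Monitoring-Host side and pairs it with the forwarded copy of the dropped SIP message through the IP-header Identification value, as described above. The two captured datagrams, their URIs, addresses and the IP ID value are constructed placeholders; the Warning header layout follows the example on this page.

```python
# Added example (not Alcatel-Lucent code): decode the "ALU SFW ERROR REPORTING"
# INFO message and correlate it with the dropped SIP message that shares the
# same IP Identification value. Sample packets below are constructed.
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class DropReport:
    ip_id: int          # Identification field of the IP header carrying the INFO
    mark: str           # element the SFW was checking when it dropped (e.g. CallID)
    error_code: int
    error_name: str
    version: str
    source_file: str
    line: int


_VERSION_RE = re.compile(r"Version:(\S+)\s+file:(\S+)\s+line:(\d+)")
_ERROR_RE = re.compile(r"mark:(\S+)\s+error:\((\d+)\)(\S+)")


def parse_headers(sip_text: str) -> dict:
    """Map lower-cased SIP header names to their values; the body is ignored."""
    headers = {}
    for line in sip_text.replace("\r\n", "\n").split("\n")[1:]:
        if line == "":            # blank line terminates the header section
            break
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def parse_drop_report(ip_id: int, sip_text: str) -> Optional[DropReport]:
    """Return a DropReport when sip_text is an SFW error-reporting INFO, else None."""
    request_line = sip_text.split("\n", 1)[0]
    h = parse_headers(sip_text)
    if not request_line.startswith("INFO ") or \
            "ALU SFW ERROR REPORTING" not in " ".join(h.get("user-agent", [])):
        return None
    version = source_file = line = mark = code = name = None
    for w in h.get("warning", []):      # one Warning header per piece of information
        m = _VERSION_RE.search(w)
        if m:
            version, source_file, line = m.group(1), m.group(2), int(m.group(3))
        m = _ERROR_RE.search(w)
        if m:
            mark, code, name = m.group(1), int(m.group(2)), m.group(3)
    if mark is None or version is None:
        return None
    return DropReport(ip_id, mark, code, name, version, source_file, line)


def correlate(packets: list) -> list:
    """Pair every INFO report with the dropped message carrying the same IP ID.

    packets: (ip_id, udp_payload_text) tuples as received on the Monitoring-Host.
    """
    reports, originals = {}, {}
    for ip_id, text in packets:
        report = parse_drop_report(ip_id, text)
        if report is not None:
            reports[ip_id] = report
        else:
            originals[ip_id] = text
    return [(r, originals[i]) for i, r in reports.items() if i in originals]


# Constructed capture: the INFO report, then the copy of the rejected INVITE,
# both seen with IP Identification 4711.
SAMPLE_PACKETS = [
    (4711, "INFO sip:monitor@example.invalid SIP/2.0\r\n"
           "User-Agent: ALU SFW ERROR REPORTING\r\n"
           "Contact: <sip:monitor@example.invalid>\r\n"
           "From: <172.23.8.9:50001>\r\nTo: <10.7.8.5:5060>\r\n"
           "CSeq: 2630 INFO\r\n"
           "Warning: Version:1.2.3 file:sfw_dfa_api.cpp line:763\r\n"
           "Warning: mark:CallID error:(13)HeaderNotFound\r\n\r\n"),
    (4711, "INVITE sip:bob@10.7.8.5 SIP/2.0\r\n"
           "Via: SIP/2.0/UDP 172.23.8.9:50001\r\n"
           "From: <sip:alice@172.23.8.9>\r\nTo: <sip:bob@10.7.8.5>\r\n"
           "CSeq: 1 INVITE\r\n\r\n"),   # no Call-ID header, consistent with the report
]

if __name__ == "__main__":
    for report, original in correlate(SAMPLE_PACKETS):
        print(f"IP ID {report.ip_id}: {report.mark} -> ({report.error_code}) "
              f"{report.error_name} [{report.source_file}:{report.line}]")
        print("  dropped message:", original.split("\r\n", 1)[0])
```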


monitoring-host oam ip ip-address port ipPort 

Purpose

The purpose of the following command is to define a Monitoring-Host, reachable via the OAM interface of the firewall, where the SIP packets detected as invalid and dropped will be forwarded.

Commands 

monitoring-host oam ip ipAddress port ipPort rate msgsec 

Arguments

ip-address

This is the IPv4 address of the Monitoring-Host.

In that case, as “oam” has been specified in the CLI, the Monitoring-Host must be reachable via the OAM interface of the firewall, this means through the SCM2 hosting the DHSPP4.

When invalid SIP messages are sent to the Monitoring-Host, the source IP address is the OAM IP address of the firewall.

ipPort

This is the destination port for the packets sent to the Monitoring-Host.

rate

This is the rate limiter associated with the monitoring feature, limiting the number of forwarded messages. The rate limiter must be set between 1 and 10 messages per second. The default value is 10.

Example 

-> monitoring-host oam ip 192.168.2.110 port 5060 rate 10


show monitoring-host

Purpose

The following command displays the Monitoring-Host configuration.

Depending on the location of the Monitoring-Host, either reachable via the trusted interface or the oam interface, the output is different.

Commands 

show monitoring-host

Output attributes

IP address

This is the IPv4 address of the Monitoring-Host.

Port

This is the destination port for the packets sent to the Monitoring-Host.

lpoc

This parameter is valid only if the Monitoring-Host has been defined on the Trusted side of the firewall. It identifies the source IP address for the messages to be sent to the Monitoring-Host. This IP address is the one assigned to the given trusted LPOC.

vlan

This parameter is valid only if the Monitoring-Host has been defined on the Trusted side of the firewall. This is the vlan identifier, on the trusted side, used to reach the Monitoring-Host.

rate

This is the rate limiter associated with the monitoring feature, limiting the number of forwarded messages.


Example 

-> show monitoring-host

IP address : 192.168.2.110

Port : 5060

lpoc : 128

Vlan : 200

rate : 10

-> show monitoring-host

interface : OAM

IP address : 139.54.128.34

Port : 5060

rate : 10 


21  Configuration Management

Purpose

The Configuration Management CLI commands allow you to manage the SFW configuration files in the working directory, the certified directory, and the running configuration.

The working and certified configurations are stored in flash while the running configuration is in RAM.

Beyond the configuration management, a few “show” commands listed in this chapter allow you to monitor the status of the SFW. Pay attention to:

show running directory

show configuration consistency

show system

show sfw status

Summary of the CLI for Configuration Management

Configuration management

copy running working

copy working certified

show configuration { running | working | certified }

show running directory

show configuration consistency

switchover

configuration retrieve

show system

system location

show sfw status


copy running working

Purpose

The purpose of the following command is to copy the running configuration (in RAM) to the working directory (in flash).

This command overwrites the config.cfg file of the working directory.

The consistency of the configuration is checked when the configuration is saved via the CLI command “copy running working”. The checks are related to the IP configuration; see the command “show configuration consistency” to get details about the points that are checked.

By default the SFW restarts with the certified configuration. To ensure that the working configuration is valid, it will be possible in a future SFW release to perform the command “reload working” prior to “copy working certified” to validate the working configuration.

Commands 

copy running working 

copy working certified

Purpose

This command is used to overwrite the content of the certified directory with the content of the working directory.

This should only be done if the contents of the working directory have been verified as the best version of the SFW configuration.

In a future release, the command “reload working” will allow you to check the validity of the working configuration.

Commands 

copy working certified


Warning

With the current release, to save the SFW configuration you need to run the following steps:

Run the command “copy running working”

Run the command “copy working certified”

There is no way to jump from the “running” configuration to the “certified” configuration.

The SFW always restarts from the “certified” configuration. In a future release it will be possible to reload the SFW with the “working” configuration to ensure that this configuration is good prior to saving it in the “certified” directory.

show configuration

Purpose

The purpose of the following command is to display the firewall configuration. Three options are possible.

• “show configuration running” displays the current configuration in RAM.

• “show configuration working” displays the configuration saved in flash in the working directory via the command “copy running working”.

• “show configuration certified” displays the configuration saved in flash in the certified directory via the command “copy working certified”.

Commands 

show configuration { running | working | certified }


show configuration consistency

Purpose

This command allows you to detect anomalies in the SFW configuration related to the IP configuration.

The consistency of the configuration is checked when the configuration is saved via the CLI command “copy running working”.

The consistency of the configuration can also be checked at any time via the CLI command “show configuration consistency”.

The consistency checks are the following:

• If a peering-point IP address (rpoc) associated with a Peer-Network doesn’t belong to the vlan subnet associated with this Peer-Network, then a “gateway” must have been defined for the vlan.

• If an MGC8 IBCF CCS IP address (rpoc) associated with a Load-Balancing-Group doesn’t belong to the vlan subnet associated with this Load-Balancing-Group, then a “gateway” must have been defined for the vlan.

• If a vlan “gateway” has been defined, its IP address must belong to the vlan subnet.

• If a Local Point of Contact (lpoc) associated with a Peer-Network doesn’t belong to the vlan subnet associated with this Peer-Network, then a “router” must have been defined for the vlan.

• If a Local Point of Contact (lpoc) associated with a Load-Balancing-Group doesn’t belong to the vlan subnet associated with this Load-Balancing-Group, then a “router” must have been defined for the vlan.

• If a vlan “router” has been defined, its IP address must belong to the vlan subnet.

• Within a Peer-Network, IP overlapping between Peering-Point IP addresses (rpoc) must not exist.

• Within a Peer-Network, IP overlapping between Peering-Point IP addresses (rpoc) and IP filters must not exist.

• Within a Load-Balancing-Group, IP overlapping between CCS IP addresses (rpoc) must not exist.

• If a Vlan is assigned to more than one Peer-Network, IP overlapping between Peering-Point IP addresses (rpoc) must not exist.

• If a Vlan is assigned to more than one Peer-Network, IP overlapping between Peering-Point IP addresses (rpoc) and IP filters must not exist.

Commands 

show configuration consistency


Example

-> show configuration consistency
Running configuration is consistent

-> show configuration consistency
IPv4 ERROR - vlan 10 has a router outside of the vlan subnet
Running configuration is not consistent !
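The following is an added example, not the SFW's own implementation, that re-implements the consistency rules listed above over a small constructed configuration so that each rule can be exercised before running “copy running working”. The data model (vlans, peer-nets and load-balancing groups as plain dicts) and every error text except the one quoted in the example output above are assumptions.

```python
# Added example (not Alcatel-Lucent code): the IP consistency rules of
# "show configuration consistency" applied to a constructed configuration.
# Data model and error wording are assumptions, except the quoted
# "vlan 10 has a router outside of the vlan subnet" line from the guide.
import copy
from collections import defaultdict
from ipaddress import ip_address, ip_network


def _in(addr: str, net: str) -> bool:
    """IP overlap between a host address (rpoc/lpoc) and a subnet or IP filter."""
    return ip_address(addr) in ip_network(net, strict=False)


def check_consistency(cfg: dict) -> list:
    """Return the IPv4 ERROR lines for cfg; an empty list means 'consistent'."""
    errors = []

    def err(msg):
        errors.append(f"IPv4 ERROR - {msg}")

    vlans = cfg["vlans"]
    # A vlan "gateway" or "router", when defined, must belong to the vlan subnet.
    for vid, v in vlans.items():
        for role in ("gateway", "router"):
            if v.get(role) and not _in(v[role], v["subnet"]):
                err(f"vlan {vid} has a {role} outside of the vlan subnet")

    groups = [("peer-net", g) for g in cfg["peer_nets"]]
    groups += [("load-balancing-group", g) for g in cfg["lb_groups"]]
    for kind, g in groups:
        v = vlans[g["vlan"]]
        # rpoc (peering point or CCS address) outside the vlan subnet needs a gateway
        if any(not _in(r, v["subnet"]) for r in g["rpocs"]) and not v.get("gateway"):
            err(f"{kind} {g['id']} has an rpoc outside vlan {g['vlan']} subnet and no gateway is defined")
        # lpoc outside the vlan subnet needs a router
        if not _in(g["lpoc"], v["subnet"]) and not v.get("router"):
            err(f"{kind} {g['id']} has an lpoc outside vlan {g['vlan']} subnet and no router is defined")
        # no overlapping rpoc addresses inside one group
        if len(set(g["rpocs"])) != len(g["rpocs"]):
            err(f"{kind} {g['id']} has overlapping rpoc addresses")
        # peer-net only: an rpoc must not fall inside one of the peer-net's IP filters
        for r in g["rpocs"]:
            for f in g.get("filters", []):
                if _in(r, f):
                    err(f"{kind} {g['id']} rpoc {r} overlaps IP filter {f}")

    # Rules that apply only when one vlan is assigned to several peer-nets.
    by_vlan = defaultdict(list)
    for pn in cfg["peer_nets"]:
        by_vlan[pn["vlan"]].append(pn)
    for vid, pns in by_vlan.items():
        for i, a in enumerate(pns):
            for b in pns[i + 1:]:
                for r in a["rpocs"]:
                    if r in b["rpocs"]:
                        err(f"vlan {vid}: rpoc {r} is shared by peer-net {a['id']} and peer-net {b['id']}")
                for x, y in ((a, b), (b, a)):   # rpoc of one peer-net vs filters of the other
                    for r in x["rpocs"]:
                        for f in y.get("filters", []):
                            if _in(r, f):
                                err(f"vlan {vid}: rpoc {r} of peer-net {x['id']} overlaps IP filter {f} of peer-net {y['id']}")
    return errors


def is_consistent(cfg: dict) -> bool:
    return not check_consistency(cfg)


# Constructed configuration carrying four deliberate anomalies.
SAMPLE_CONFIG = {
    "vlans": {
        10: {"subnet": "10.1.10.0/24", "gateway": None, "router": "10.1.11.1"},  # router off-subnet
        20: {"subnet": "10.1.20.0/24", "gateway": "10.1.20.1", "router": None},
    },
    "peer_nets": [
        {"id": 1, "vlan": 10, "rpocs": ["10.1.10.50"], "lpoc": "10.1.10.2", "filters": []},
        {"id": 2, "vlan": 20, "rpocs": ["192.0.2.10"], "lpoc": "10.1.20.2",
         "filters": ["192.0.2.0/24"]},                                           # rpoc inside its own filter
        {"id": 3, "vlan": 20, "rpocs": ["192.0.2.10"], "lpoc": "10.1.20.3", "filters": []},  # same vlan, same rpoc
    ],
    "lb_groups": [
        {"id": 1, "vlan": 20, "rpocs": ["198.51.100.5"], "lpoc": "10.1.20.4"},   # off-subnet CCS, gateway defined: fine
    ],
}

# The same configuration with the anomalies corrected.
CORRECTED_CONFIG = copy.deepcopy(SAMPLE_CONFIG)
CORRECTED_CONFIG["vlans"][10]["router"] = "10.1.10.1"
CORRECTED_CONFIG["peer_nets"][1]["filters"] = []
CORRECTED_CONFIG["peer_nets"][2]["rpocs"] = ["192.0.2.20"]

if __name__ == "__main__":
    for line in check_consistency(SAMPLE_CONFIG) or ["Running configuration is consistent"]:
        print(line)
```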

switchover

Purpose

This command performs a switchover. The Active DHSPP4 performs a restart and the Backup DHSPP4 becomes Active.

A “copy running working” followed by a “copy working certified” may be required before issuing this command. Run the command “show running-directory” to get this information.

Commands 

switchover

Warning 

This command cannot be issued twice in a row without waiting for a minimal delay of 45 seconds. 


 configuration retrieve

Purpose

The SFW name is not configurable via a CLI command. It should have been configured during the first SFW installation via the sitecfg.sfw configuration file.

See the paragraph “How to configure the SFW SITE specific parameters” later in this document for how to configure the SFW name.

It is important to configure the SFW name because:

• The SFW name uniquely identifies the SFW. This is particularly important in case of SCM/DHSPP4 hot-swap: the unique SFW name prevents the existing configuration from being overwritten by one that may exist on the replacement board.

• The SFW name, configured via the sitecfg.sfw, is displayed in all SNMP traps.

• The SFW name is the CLI prompt.

So, if you wish to re-configure the SFW name, follow the procedure described hereafter:

Steps

1  Update the sitecfg.sfw as described in the paragraph “How to configure the SFW SITE specific parameters”.

2  Perform a double switchover to reload the new sitecfg.sfw on both DHSPP4.

3  At this point you will be able to access the CLI only with the initial user/password. Contact your account or technical support representative for information about the default login/password.

4  You will notice that you restarted without any configuration.

login : root
password : ******

***********************************************
ALCATEL - LUCENT
ATCA-SFW 1.3.0 2011/02/21 11:43
Running configuration : WITHOUT CONFIGURATION

In case the SFW name has been changed in sitecfg
you can run "configuration retrieve" CLI
to retrieve former configuration

Hello root !

We strongly recommend you to change your
password for a safer one !!!


5  To retrieve the previous configuration you just need to run the CLI “configuration retrieve”. This command restores the former configuration and disconnects you from the CLI session.

6  On the next attempt to access the CLI session you can use your previous user/password.

E N D O F S T E P S  

show system

Purpose

The purpose of the following command is to display information about the SFW node you are managing, such as the SFW software release, SFW name and location.

Similar information can be retrieved via SNMP by performing an SNMP get on the “system” objects of the RFC1213 mib.

Commands 

show system

Output Information 

Description 

Provides the SFW software release. This is the sysDescr of the RFC1213 mib.

Object ID

Provides the SNMP OID identifying the SFW node. This is the sysObjectId of the RFC1213 mib.

Up Time

Provides the time elapsed since the SFW came up. This is the sysUpTime of the RFC1213 mib.

Additionally, the number of system boots that occurred since the first SFW installation is provided. A “switchover” is not counted as a system boot: upon a switchover the backup DHSPP4 takes over without restarting.

Contact

Initialized with the Alcatel-Lucent Customer Portal. There is no CLI to modify this object. This is the sysContact of the RFC1213 mib.


Name 

Initialized with the SFW name. There is no CLI to initialize this object. The SFW name comes from the sitecfg.sfw file where the static configuration is defined at the first SFW installation.

This attribute is displayed in all SNMP traps sent by the SFW. This is the sysName of the RFC1213 mib.

Location

Provides information about the location of the SFW. The CLI “system location” allows you to modify this attribute. It can be used to locate the 7510 hosting the SFW. This attribute is displayed in all SNMP traps sent by the SFW. This is the sysLocation of the RFC1213 mib.

Example
-> show system
Description : 7510-SFW 1.3.0 2011/02/21 18:39
Object ID : 1.3.6.1.4.1.637.71.20
Up Time : 1 days 01 hours 52 minutes and 20 seconds (boot #14)
Contact : Alcatel-Lucent, http://alcatel-lucent.com/wps/portal/
Name : sfw5
Location : 7510-Orvault-TR34-Baie36
Date & Time : Wed Apr 27 10:02:15 2011
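The same system group can be fetched over SNMP, as noted above. The following Python script is an added example, not code from this guide or from Alcatel-Lucent: it hand-encodes an SNMPv2c GetRequest for the RFC1213 system objects in BER using only the standard library, decodes the GetResponse, and, so that it runs offline, builds a reply of its own from the values of the “show system” output (constructed data, not a capture). The community string is the one set in sitecfg.sfw; it crosses the network in cleartext, which is worth keeping in mind when choosing between the v2c community and the SNMPv3 parameters the CLI configures.

```python
"""SNMPv2c GET of the RFC1213 system group, encoded by hand (BER) with only the
standard library. Added example, not code from the 7510-SFW guide: the sample
reply is constructed here from the guide's "show system" values, not captured."""
import socket
from typing import Dict, List, Tuple

# RFC1213 system group, instance .0, as listed under "show system"
SYSTEM_OIDS = {"sysDescr": "1.3.6.1.2.1.1.1.0", "sysObjectID": "1.3.6.1.2.1.1.2.0",
               "sysUpTime": "1.3.6.1.2.1.1.3.0", "sysContact": "1.3.6.1.2.1.1.4.0",
               "sysName": "1.3.6.1.2.1.1.5.0", "sysLocation": "1.3.6.1.2.1.1.6.0"}

def _tlv(tag: int, body: bytes) -> bytes:
    """BER type-length-value; long-form length once the body exceeds 127 bytes."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def encode_int(value: int) -> bytes:
    """INTEGER (0x02): minimal two's-complement, so 128 needs two bytes (00 80)."""
    return _tlv(0x02, value.to_bytes(max(1, (value.bit_length() + 8) // 8), "big", signed=True))

def encode_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER (0x06): first two arcs packed as 40*a+b, then base-128."""
    arcs = [int(a) for a in dotted.strip(".").split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc > 0x7F:
            arc >>= 7
            chunk.insert(0, 0x80 | (arc & 0x7F))
        out.extend(chunk)
    return _tlv(0x06, bytes(out))

def decode_oid(body: bytes) -> str:
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, body, position after this TLV)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def build_message(community: str, pdu_tag: int, varbinds: bytes, request_id: int) -> bytes:
    """Message { version INTEGER 1 (v2c), community OCTET STRING, PDU }.
    The community travels in cleartext; only SNMPv3 (CLI-configured) protects it."""
    pdu = _tlv(pdu_tag, encode_int(request_id) + encode_int(0) + encode_int(0) + _tlv(0x30, varbinds))
    return _tlv(0x30, encode_int(1) + _tlv(0x04, community.encode()) + pdu)

def build_get_request(community: str, oids: List[str], request_id: int = 1) -> bytes:
    """GetRequest-PDU (0xA0) with a NULL value for every requested OID."""
    varbinds = b"".join(_tlv(0x30, encode_oid(o) + _tlv(0x05, b"")) for o in oids)
    return build_message(community, 0xA0, varbinds, request_id)

def build_get_response(community: str, values: Dict[str, str], request_id: int = 1) -> bytes:
    """GetResponse-PDU (0xA2) carrying OCTET STRING values (used for the offline demo)."""
    varbinds = b"".join(_tlv(0x30, encode_oid(o) + _tlv(0x04, v.encode())) for o, v in values.items())
    return build_message(community, 0xA2, varbinds, request_id)

def parse_response(msg: bytes) -> Dict[str, str]:
    """Walk a GetResponse and return {oid: printable value}."""
    _, body, _ = _read_tlv(msg, 0)
    pos = 0
    for _ in range(2):                                   # version, community
        _, _, pos = _read_tlv(body, pos)
    tag, pdu, _ = _read_tlv(body, pos)
    if tag != 0xA2:
        raise ValueError("expected GetResponse (0xA2), got tag 0x%02x" % tag)
    pos = 0
    for _ in range(3):                                   # request-id, error-status, error-index
        _, _, pos = _read_tlv(pdu, pos)
    _, vbl, _ = _read_tlv(pdu, pos)
    result, pos = {}, 0
    while pos < len(vbl):
        _, vb, pos = _read_tlv(vbl, pos)
        _, oid_body, p = _read_tlv(vb, 0)
        vtag, vbody, _ = _read_tlv(vb, p)
        if vtag == 0x04:                                 # OCTET STRING (sysName, sysLocation, ...)
            value = vbody.decode("latin-1")
        elif vtag == 0x06:                               # OBJECT IDENTIFIER (sysObjectID)
            value = decode_oid(vbody)
        elif vtag in (0x02, 0x43):                       # INTEGER / TimeTicks (sysUpTime, 1/100 s)
            value = str(int.from_bytes(vbody, "big", signed=(vtag == 0x02)))
        else:                                            # noSuchObject (0x80) and friends
            value = "<tag 0x%02x>" % vtag
        result[decode_oid(oid_body)] = value
    return result

def snmp_get_system(host: str, community: str, names: List[str], timeout: float = 2.0) -> Dict[str, str]:
    """One UDP/161 round trip against a live agent; names are keys of SYSTEM_OIDS."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_get_request(community, [SYSTEM_OIDS[n] for n in names]), (host, 161))
        by_oid = parse_response(s.recvfrom(4096)[0])
    return {n: by_oid.get(SYSTEM_OIDS[n], "<missing>") for n in names}

if __name__ == "__main__":
    # Offline demo: a constructed reply carrying the values of the guide's "show system" example.
    reply = build_get_response("public", {SYSTEM_OIDS["sysName"]: "sfw5",
                                          SYSTEM_OIDS["sysLocation"]: "7510-Orvault-TR34-Baie36"})
    print(parse_response(reply))
```

snmp_get_system(host, community, ["sysName", "sysLocation"]) performs the live query; the demo under `__main__` only exercises the encoder and parser against a reply built locally.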


system location

Purpose

This command updates the “system location” information. This value is useful to correlate the SFW node with the 7510 hosting it.

The system location can then be displayed via the command “show system”.

The system location is written in all SNMP traps sent by the SFW, in the field AdditionnalText.

Commands

system location text_string

Arguments

text_string

Describes the SFW physical location. For example, 7510-Orvault-TR34-Baie36.

The system location can range from 1 to 53 characters in length.

Example
-> system location 7510-Orvault-TR34-Baie36


show sfw status

Purpose

The purpose of the following command is to display information about the status of the SFW DHSPP4 boards, such as temperature, CPU and memory consumption.

Commands 

show sfw status

Output Information 

! slot ! DHSPP ! SCM ! celsius !

This table allows the operator to know, for each SFW board:

o Which DHSPP4 is currently Active and which one is Standby.

o Which SCM2 is currently Active.

o What is the temperature for each DHSPP4.

CPU Load 

This is an average of the CPU load over the 12 cores of the Active DHSPP4.

FPA memory distributor % free 

Provides the percentage of free memory for FPA memory areas. 

FPAS memory distributor % free 

Provides the percentage of free memory for FPAS memory areas. 

Example
-> show sfw status
+------+---------+---------+---------+
! slot ! DHSPP   ! SCM     ! celsius !
+------+---------+---------+---------+
! 11   ! ACTIVE  ! STANDBY ! 59      !
! 10   ! STANDBY ! UNKNOWN ! 57      !
+------+---------+---------+---------+

0% CPU load

FPA memory distributor % free
PACKET BUFFER : 99
WORK QUEUE ENTRY : 93
DFA RESULT : 100
DFA COMMAND : 99
PKO COMMAND BUFFER : 96
TIMER CHUNKS : 99

FPAS memory distributor % free
IP FLOW : 99
COLLISION BLOCK : 99
IP FRAGMENT : 100
TCP CONTEXT : 99
SIP CONTEXT : 99
ARP CACHE : 98


22  CLI Session Management

Purpose

The SFW accepts up to 20 simultaneous SSH CLI sessions.

Refer to the paragraph “SFW prerequisite” at the beginning of this document to learn how to open a CLI session via an SSH tunnel.

The CLI commands listed below allow you to modify the default CLI session timeout and to display the currently opened sessions.

Summary of the CLI for CLI Session Management

CLI Session management

cli session timeout

show cli session


cli session timeout

Purpose

The purpose of the following command is to modify the default CLI session timeout (5 minutes).

Commands 

cli session timeout time_in_mn 

Arguments 

time_in_mn 

The timeout value ranges from 1 to 1440 minutes (the default is 5 minutes).

show cli session

Purpose

The purpose of the following command is to display the currently opened CLI sessions.

Commands 

show cli session

Example

-> show cli session

CLI session timeout : 60 minutes

+------+-------------+------------+---------------------+
! user ! status      ! inactivity ! origin              !
+------+-------------+------------+---------------------+
! root ! established ! 0 seconds  ! 139.54.128.34:47156 !
! root ! established ! 21 minutes ! 139.54.128.34:48218 !
+------+-------------+------------+---------------------+


23  How to configure the SFW SITE specific parameters

Purpose

As of SFW release R2.0, the following SFW objects cannot yet be configured via the CLI:

• SFW name

• Trusted Domain Name

• SIP Status mode and extension

• SNMP V2c Client community name

The configuration of these objects is done via the file sitecfg.sfw. After updating this file according to your site-specific data you need to upload it to the SCM boards and reboot the DHSPP4.


How to update the SITECFG.SFW configuration file

The sitecfg.sfw can be created from an Excel template available on the Customer Portal in the “Manuals and Guides” section of the 7510 MGW product. The resulting file looks like this:

# SFW name
SFW-site1
# Trusted domain name
atlanta.com
# SIP status mode
# list of choice: all, restricted
restricted
# SIP status extension
# SNMPv2
# communityname
public
# EOF

Steps

1  Go to the Alcatel-Lucent Customer and Business Partner Portal:

o https://market.alcatel-lucent.com/release/jsp/sso/login.jsp

o After a successful login, within the box “Technical Content for”, select the product 7510 MGW (Media Gateway).

o Select the “Manuals and Guides” link.

o Download the document 3FZ-08141-ACAA-PCZZA “SFW - sfwStaticConf.xls, sitecfg.sfw template for release R3.0”.


2  According to your site configuration, update the above sfwStaticConf-R20x.xls Excel file.

3  Modify the SFW name. This will affect the CLI prompt.

4  Modify the Trusted Domain Name. This will replace the default domain name “sfw.net” appended during topology hiding in the “tokenized-by=sfw.net” parameter.

5  Select the “SIP Status Mode”:

o Restricted: the list of SIP response codes is restricted to the list defined at http://www.voip-info.org/wiki/view/SIP+response+codes

o All: the list of SIP response codes is not restricted. All codes are accepted.

6  Optionally configure the section “SIP Status Extension”. If the “SIP Status Mode” has been set to “restricted”, you have the ability to extend the list of authorized response codes.

7  If needed, configure the SNMP V2 community name. This is required if you want to perform SNMP V2 set/get from the OMC-P, as the CLI only allows you to configure SNMP V3 parameters.

8  Save the Excel file in sfwStaticConf.xls format for further modifications.

9  Save the Excel file in sfwStaticConf.csv format to allow its parsing by the SFW application.

10  Rename the sfwStaticConf.csv file as sitecfg.sfw.

11  Then follow the next procedure “Install the sitecfg.sfw configuration file on the SFW”.

E N D O F S T E P S
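Before uploading the file it pays to check it offline, since a mistake only shows up after a reboot of both DHSPP4 and a lost CLI login. The following Python script is an added example, not a tool from this guide: build_sitecfg() writes the file in the layout of the sample shown earlier (a “#” header line followed by the value; that the Excel template produces exactly this layout is an assumption), and check_sitecfg() flags an SFW name unfit to be a unique CLI prompt, an invalid trusted domain, an unknown SIP status mode, out-of-range response codes in the extension list, and an SNMP v2c community that is a well-known default such as the sample’s “public” or is too short. The 12-character minimum and the list of well-known communities are the example’s own choices.

```python
"""Build and sanity-check a sitecfg.sfw before it is uploaded to the SCM boards.
Added example, not a tool from the 7510-SFW guide; the file layout follows the
sample shown in the guide ("#" header line, then the value)."""
import re
from typing import Dict, List, Optional

# Field headers as they appear in the sample, matched case-insensitively by substring
FIELDS = (("sfw name", "sfw_name"), ("trusted domain", "trusted_domain"),
          ("status mode", "sip_status_mode"), ("status extension", "sip_status_extension"),
          ("community", "snmp_community"))
# Community strings any scanner tries first (example's own list) and a minimum length
WELL_KNOWN_COMMUNITIES = {"public", "private", "admin", "community", "snmp"}
MIN_COMMUNITY_LEN = 12
HOSTNAME_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)

def build_sitecfg(sfw_name: str, trusted_domain: str, sip_status_mode: str = "restricted",
                  sip_status_extension=(), snmp_community: Optional[str] = None) -> str:
    """Render the file; no community leaves SNMPv2c unconfigured (SNMPv3 is set via CLI)."""
    lines = ["# SFW name", sfw_name, "# Trusted domain name", trusted_domain,
             "# SIP status mode", "# list of choice: all, restricted", sip_status_mode,
             "# SIP status extension", *[str(c) for c in sip_status_extension],
             "# SNMPv2", "# communityname"]
    if snmp_community:
        lines.append(snmp_community)
    return "\n".join(lines + ["# EOF"]) + "\n"

def parse_sitecfg(text: str) -> Dict[str, List[str]]:
    """Group value lines under the most recent "#" header that names a known field;
    other "#" lines (the list of choices, EOF) are plain comments."""
    values: Dict[str, List[str]] = {key: [] for _, key in FIELDS}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            header = line.lstrip("#").strip().lower()
            current = next((key for marker, key in FIELDS if marker in header), current)
        elif current is not None:
            values[current].append(line)
    return values

def check_sitecfg(text: str) -> List[str]:
    """Return findings; an empty list means the file is fit to upload."""
    v, findings = parse_sitecfg(text), []
    name = v["sfw_name"]
    if len(name) != 1 or not re.fullmatch(r"[A-Za-z0-9_.-]{1,32}", name[0]):
        findings.append("SFW name: one token of 1-32 chars [A-Za-z0-9_.-] expected "
                        "(it becomes the CLI prompt and must be unique per node)")
    domain = v["trusted_domain"]
    if len(domain) != 1 or not HOSTNAME_RE.match(domain[0]):
        findings.append("Trusted domain name: one valid DNS name expected "
                        "(it replaces sfw.net in the tokenized-by parameter)")
    mode = [m.lower() for m in v["sip_status_mode"]]
    if mode not in (["all"], ["restricted"]):
        findings.append("SIP status mode: must be 'all' or 'restricted'")
    elif mode == ["all"]:
        findings.append("SIP status mode 'all' accepts any response code; "
                        "prefer 'restricted' plus an explicit extension list")
    for code in v["sip_status_extension"]:
        if not (code.isdigit() and 100 <= int(code) <= 699):
            findings.append("SIP status extension %r is not a 1xx-6xx response code" % code)
    community = v["snmp_community"]
    if len(community) > 1:
        findings.append("SNMP community: more than one value")
    elif community and (community[0].lower() in WELL_KNOWN_COMMUNITIES
                        or len(community[0]) < MIN_COMMUNITY_LEN):
        findings.append("SNMP v2c community %r is a well-known default or shorter than %d chars; "
                        "it is sent in cleartext, so use a long random string or SNMPv3"
                        % (community[0], MIN_COMMUNITY_LEN))
    return findings
```

Running check_sitecfg() over build_sitecfg("SFW-site1", "atlanta.com", "restricted", (), "public"), the values of the sample file, yields a single finding, the “public” community; save the text returned by build_sitecfg() as sitecfg.sfw only once the list is empty.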


Install the SITECFG.SFW configuration file on the SFW

Follow the procedure below to apply the configuration described above on the SFW.

Steps

1  Copy the sitecfg.sfw to your TFTP server. Warning: this file must be in CSV format (NOT in XLS format).

2  Log in to the 7510.

Contact your account or technical support representative for information about the default login/password.

3  "tftp get" the sitecfg.sfw on the Active SCM.

ACT-SCM:1.10(r0)> tftp get 1.2.3.4:/7510/sfw-7510.1.1.0/sitecfg.sfw

4  "tftp get" the sitecfg.sfw on the Standby SCM.

ACT-SCM:1.10(r0)> rc 1 11
Setting up remote console to [01][11]
STB-SCM:1.11(r0)> tftp get 1.2.3.4:/7510/sfw7510.1.0.1/sitecfg.sfw
STB-SCM:1.11(r0)> exit

5  Enable both DHSPP4 cards (this step is only required during the first SFW/DHSPP4 installation).

ACT-SCM:1.10(r0)> enable module gw.1.10.amc.1
ACT-SCM:1.10(r0)> enable module gw.1.11.amc.1
ACT-SCM:1.10(r0)> save  (safe for reboot)

6  Reset both DHSPP4 (this step is not required during the first SFW/DHSPP4 installation).

ACT-SCM:1.10(r0)> reset module 1 10 amc
ACT-SCM:1.10(r0)> reset module 1 11 amc

E N D O F S T E P S


A  IP Configuration example

Overview

Purpose

This appendix provides, through a few examples, a quick overview of the SFW IP configuration.

Contents

This appendix covers these topics.

IP Configuration Introduction

Untrusted/Trusted Interfaces, Link Aggregate or Active/Standby mode

Untrusted side IP connectivity with VRF support

Untrusted side IP connectivity without VRF support

Trusted side IP connectivity, case 1

Trusted side IP connectivity, case 2


IP Configuration Introduction

• The SIP firewall is made of 2 DHSPP4 running in Active/Standby mode for the SIP firewalling application.

• Each DHSPP4 is hosted in a different 7510 SCM2 board (slot 10 and slot 11).

• The standby DHSPP4 operates in layer 2 pass-through mode for the SIP signaling traffic.

• A trunk between the 2 DHSPP4 relays SIP frames between Active and Standby.

• Trusted and Untrusted interfaces are connected to the next-hop IP using either

o Static Link Aggregation (802.3ad). This is the preferred configuration but it requires the PE router to be carrier grade.

or

o Active/Standby configuration. If the PE router is not carrier grade, this is the configuration to be chosen.

• Peer Network realm separation is achieved using 802.1q tagged vlans.

• Overlapping IP addresses of peering points are supported but require the PE router to support the VRF feature.

• A single Point of Contact (POC) can be defined for all peer networks.

• If a single POC and realm separation are both needed, the PE router must support VRF.


Untrusted/Trusted Interfaces, Link Aggregate or Active/Standby mode 

• 2 network configurations are possible depending on Switch/Router capability:

o Static Link Aggregation (802.3ad) configuration with a carrier grade router.

o Active/Standby configuration in case of Switch-Routers that are not carrier grade.


Untrusted side IP connectivity with VRF support

Assumption : PE Router is supporting VRF.

• Realm separation using different Vlan tags

• Single point of contact for all Peer Networks. The PE Router must support VRF.

• SFW LPOC and Peer Network in different subnets

• Overlapping IP addresses for peering points is possible as the PE router supports VRF.

CLI Configuration

! *** trunks
trunk untrusted mode linkagg

! *** Poc untrusted
lpoc untrusted 1 enable name LPOC_UNTRUSTED_1
lpoc untrusted 1 ip 160.0.20.1 udp 5060

! *** vlans
vlan 11 untrusted enable name UNTRUSTED_VLAN_11
vlan 11 subnet 192.168.11.0 mask 255.255.255.252 router 192.168.11.2 rip gw 192.168.11.1
vlan 12 untrusted enable name UNTRUSTED_VLAN_12
vlan 12 subnet 192.168.12.0 mask 255.255.255.252 router 192.168.12.2 rip gw 192.168.12.1

! *** peer networks
peer-net 1 enable name PEER_1
peer-net 1 lpoc 1
peer-net 1 vlan 11
peer-net 1 rpoc 1 ip 150.0.40.1 udp 5060
peer-net 1 rpoc 2 ip 150.0.40.2 udp 5060

peer-net 2 enable name PEER_2
peer-net 2 lpoc 1
peer-net 2 vlan 12
peer-net 2 rpoc 1 ip 150.0.50.3 udp 5060
peer-net 2 rpoc 2 ip 150.0.50.4 udp 5060

• Ping from the router (src IP 192.168.11.1 or 192.168.12.1) to the untrusted lpoc 160.0.20.1 must be successful

• Ping from the peering-points (rpoc) to the untrusted lpoc 160.0.20.1 must be successful


Untrusted side IP connectivity without VRF support

Assumption : PE Router is not supporting VRF.

• Realm separation using different Vlan tags

• One point of contact per Peer Network.

• SFW LPOC and Peer Network in different subnets

• Overlapping IP addresses for peering points is not possible because the PE router does not support VRF.

CLI Configuration

! *** trunks
trunk untrusted mode linkagg

! *** Poc untrusted
lpoc untrusted 1 enable name LPOC_UNTRUSTED_1
lpoc untrusted 1 ip 160.11.20.2 udp 5060
lpoc untrusted 2 enable name LPOC_UNTRUSTED_2
lpoc untrusted 2 ip 160.12.20.2 udp 5060

! *** vlans
vlan 11 untrusted enable name UNTRUSTED_VLAN_11
vlan 11 subnet 160.11.20.0 mask 255.255.255.252 no rip gw 160.11.20.1
vlan 12 untrusted enable name UNTRUSTED_VLAN_12
vlan 12 subnet 160.12.20.0 mask 255.255.255.252 no rip gw 160.12.20.1

! *** peer networks
peer-net 1 enable name PEER_1
peer-net 1 lpoc 1
peer-net 1 vlan 11
peer-net 1 rpoc 1 ip 150.0.40.1 udp 5060
peer-net 1 rpoc 2 ip 150.0.40.2 udp 5060

peer-net 2 enable name PEER_2
peer-net 2 lpoc 2
peer-net 2 vlan 12
peer-net 2 rpoc 1 ip 150.0.50.3 udp 5060
peer-net 2 rpoc 2 ip 150.0.50.4 udp 5060

• Ping from the router to the untrusted lpoc 160.11.20.2 and 160.12.20.2 must be successful

• Ping from the peering-points (rpoc) to the untrusted lpoc must be successful


Trusted side IP connectivity, case 1

• CCSs addresses and Trusted lpoc in different subnets

• Single Point of Contact on the trusted side

CLI Configuration

! *** trunks
trunk trusted mode linkagg

! *** Poc trusted
lpoc trusted 1 ip 192.168.20.1 enable name LPOC_TRUSTED_1

! *** vlans
vlan 20 trusted enable name TRUSTED_VLAN_20
vlan 20 subnet 192.168.20.0 mask 255.255.255.252 gw 192.168.20.2 no rip

! *** load balancing group
load-balancing-group 1 enable name LBG_1
load-balancing-group 1 vlan 20
load-balancing-group 1 lpoc 1
load-balancing-group 1 rpoc 1 ip 192.168.10.10 udp 5061
load-balancing-group 1 rpoc 2 ip 192.168.10.10 udp 5062
load-balancing-group 1 rpoc 3 ip 192.168.10.20 udp 5061
load-balancing-group 1 rpoc 4 ip 192.168.10.20 udp 5062

! *** load balancing group and peer-network association
peer-net 1 load-balancing-group 1
peer-net 2 load-balancing-group 1

• Ping from the router (src IP 192.168.20.2) to the trusted lpoc 192.168.20.1 must be successful

• Ping from the CCSs (rpoc) to the trusted lpoc must be successful

Trusted side IP connectivity, case 2

• CCSs addresses and Trusted lpoc in the same subnet

• Single Point of Contact on the trusted side

CLI Configuration

! *** trunks
trunk trusted mode linkagg

! *** Poc trusted
lpoc trusted 1 ip 192.168.10.1 enable name LPOC_TRUSTED_1

! *** vlans
vlan 10 trusted enable name TRUSTED_VLAN_10
vlan 10 subnet 192.168.10.0 mask 255.255.255.0

! *** load balancing group
load-balancing-group 1 enable name LBG_1
load-balancing-group 1 vlan 10
load-balancing-group 1 lpoc 1
load-balancing-group 1 rpoc 1 ip 192.168.10.10 udp 5061
load-balancing-group 1 rpoc 2 ip 192.168.10.10 udp 5062
load-balancing-group 1 rpoc 3 ip 192.168.10.20 udp 5061
load-balancing-group 1 rpoc 4 ip 192.168.10.20 udp 5062

! *** load balancing group and peer-network association
peer-net 1 load-balancing-group 1
peer-net 2 load-balancing-group 1

• Ping from the CCSs (rpoc) to the trusted lpoc 192.168.10.1 must be successful

• Ping from the switch to the trusted lpoc cannot be performed


B  IPv6 support

Overview

Purpose

This appendix focuses only on the areas impacted by IPv6 configuration.

The CLI commands are not explained in detail; the purpose here is to give an overview of what has changed since the previous release, which supported IPv4 only.

The detailed description of each command is provided in the previous chapters “LPOC”, “Peer-Network”, “Load-Balancing-Group” and “Vlan”.

create and modify IPv4/IPv6 objects

The SFW supports IPv6 and IPv4 on the trusted and untrusted sides.

All objects related to the Trusted and Untrusted sides that were previously IPv4 only are now dual-stack IPv4/IPv6. This applies to the vlan configuration, the lpoc configuration, the Peer-Network rpoc and the Load-Balancing-Group rpoc. This means that these objects can have an IPv4 and an IPv6 address simultaneously.

The set of CLI commands to configure dual-stack IPv4/IPv6 objects is almost the same as the one you already know from the previous SFW releases and is backward compatible with the previous configuration files.

Lpoc and rpoc creation is done with the same set of CLI commands as previously. You just need to specify an IPv6 address in the right format (e.g. 2001:b8::192:168:2:5) to get an IPv6 stack. If the lpoc or rpoc is dual-stack you need to run the command twice: once to create the object with an IPv4 (or IPv6) address, and then a second time to add the IPv6 (or IPv4) address.


Examples: 

lpoc untrusted 2 ip 172.17.2.5 enable name LPOC_UNTRUSTED_2

lpoc untrusted 2 ip 2001:2::172:17:2:5

peer-net 20 rpoc 15 ip 172.23.8.9

peer-net 20 rpoc 15 ip 2001:8::172:23:8:9

IP address deletion for lpoc and rpoc requires new keywords to indicate which IP address the CLI applies to.

Examples: 

lpoc untrusted 2 no ipv6

peer-net 20 rpoc 15 no ipv4

Vlan creation has been slightly modified to accept the IPv6 address format. Previously the IP mask was written in IP address format (e.g. 255.255.255.0). Now, for both IPv4 and IPv6, the mask has to be defined using the “/length” format.

Examples: 

vlan 11 untrusted enable name UNTRUSTED_VLAN_11 subnet 172.16.11.0/24

vlan 11 subnet 2001:11::/64

But a configuration file with the command “vlan 11 … subnet 172.16.11.0 mask 255.255.255.0” is still accepted, as compatibility with previous releases is ensured.

IP address deletion for a vlan requires new keywords to indicate which IP address the CLI applies to.

Examples:

vlan 11 no ipv6 router

vlan 11 no ipv6 gw

With dual-stack IPv4/IPv6 objects it can become tricky to check end-to-end IP connectivity. For example, if the rpoc are dual-stack, then the lpoc and vlan must also be dual-stack. To ease the IP connectivity check, 2 new commands have been introduced:

show peer-net connectivity

show load-balancing-group connectivity

These commands, with the help of periodic IP and SIP polling, allow detection of inconsistencies in the configuration or IP connectivity issues toward the remote poc.
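The rules listed under “show configuration consistency”, the Appendix A IP configuration examples and the dual-stack rule stated just above can all be checked offline before a configuration is loaded. The following Python script is an added example, not code from the 7510-SFW: it parses the CLI syntax of the Appendix A examples (both “subnet A.B.C.D mask M” and “subnet X/len”) with the standard ipaddress module, so the same checks run for IPv4 and IPv6, and adds the Appendix B rule that an rpoc address family needs an lpoc address and a vlan subnet of the same family. The embedded sample is the Appendix A “Untrusted side IP connectivity with VRF support” configuration. One interpretation is the example’s own: “IP overlapping” between rpocs is treated as an identical address/transport/port triple, because the guide’s load-balancing example reuses one CCS IP on two ports.

```python
"""Offline check of the "show configuration consistency" rules over SFW CLI text.
Added example, not 7510-SFW code; the lead-in states what it assumes."""
import ipaddress
from collections import defaultdict

# Taken from the guide's Appendix A, "Untrusted side IP connectivity with VRF support"
SAMPLE_CONFIG = """
vlan 11 untrusted enable name UNTRUSTED_VLAN_11
vlan 11 subnet 192.168.11.0 mask 255.255.255.252 router 192.168.11.2 rip gw 192.168.11.1
vlan 12 subnet 192.168.12.0 mask 255.255.255.252 router 192.168.12.2 rip gw 192.168.12.1
lpoc untrusted 1 ip 160.0.20.1 udp 5060
peer-net 1 lpoc 1
peer-net 1 vlan 11
peer-net 1 rpoc 1 ip 150.0.40.1 udp 5060
peer-net 1 rpoc 2 ip 150.0.40.2 udp 5060
peer-net 2 lpoc 1
peer-net 2 vlan 12
peer-net 2 rpoc 1 ip 150.0.50.3 udp 5060
peer-net 2 rpoc 2 ip 150.0.50.4 udp 5060
"""

def _kw(t, key, default=None):                           # token following `key`, else default
    return t[t.index(key) + 1] if key in t and t.index(key) + 1 < len(t) else default

def _group():
    return {"lpoc": None, "vlan": None, "rpoc": defaultdict(dict), "filter": []}

def parse_config(text: str) -> dict:
    cfg = {"vlan": defaultdict(lambda: {"subnet": {}, "router": {}, "gw": {}}),
           "lpoc": defaultdict(dict),                    # (side, id) -> {family: address}
           "peer-net": defaultdict(_group), "load-balancing-group": defaultdict(_group)}
    for raw in text.splitlines():
        t = raw.split("!")[0].split()                    # "!" starts a comment
        if len(t) < 3 or t[2] == "no":                   # skip blanks and "vlan X no ..." deletions
            continue
        if t[0] == "vlan":
            v = cfg["vlan"][t[1]]
            if "subnet" in t:                            # "A.B.C.D mask M" or "X/len"
                net = _kw(t, "subnet") + ("/" + _kw(t, "mask") if "mask" in t else "")
                n = ipaddress.ip_network(net, strict=False)
                v["subnet"][n.version] = n
            for key in ("router", "gw"):
                if key in t:
                    a = ipaddress.ip_address(_kw(t, key))
                    v[key][a.version] = a
        elif t[0] == "lpoc" and "ip" in t:
            a = ipaddress.ip_address(_kw(t, "ip"))
            cfg["lpoc"][(t[1], t[2])][a.version] = a
        elif t[0] in ("peer-net", "load-balancing-group"):
            g = cfg[t[0]][t[1]]
            if t[2] == "rpoc" and "ip" in t:
                a = ipaddress.ip_address(_kw(t, "ip"))
                proto = next((p for p in ("udp", "tcp", "sctp", "tls") if p in t), "udp")
                g["rpoc"][t[3]][a.version] = (a, proto, _kw(t, proto, "5060"))
            elif t[2] == "filter":
                g["filter"].append((ipaddress.ip_network(_kw(t, "ip"), strict=False), t[-1]))
            elif t[2] in ("lpoc", "vlan"):
                g[t[2]] = t[3]
    return cfg

def check_consistency(cfg: dict) -> list:
    errors = []                                          # empty list: configuration is consistent
    for vid, v in cfg["vlan"].items():                   # router/gateway must sit in the vlan subnet
        for key, word in (("router", "router"), ("gw", "gateway")):
            errors.extend("IPv%d ERROR - vlan %s has a %s outside of the vlan subnet" % (ver, vid, word)
                          for ver, a in v[key].items() if ver not in v["subnet"] or a not in v["subnet"][ver])
    by_vlan = defaultdict(list)
    for kind, side in (("peer-net", "untrusted"), ("load-balancing-group", "trusted")):
        for gid, g in cfg[kind].items():
            label = "%s %s" % (kind, gid)
            lp = cfg["lpoc"].get((side, g["lpoc"]), {})
            vl = cfg["vlan"].get(g["vlan"]) or {"subnet": {}, "router": {}, "gw": {}}
            triples = [r[ver] for r in g["rpoc"].values() for ver in sorted(r)]
            for ver in sorted({tr[0].version for tr in triples}):    # Appendix B dual-stack rule
                errors.extend("IPv%d ERROR - %s has an IPv%d rpoc but %s has no IPv%d address" % (ver, label, ver, what, ver)
                              for what, have in (("lpoc %s" % g["lpoc"], lp), ("vlan %s" % g["vlan"], vl["subnet"]))
                              if ver not in have)
            for ver, a in lp.items():                    # off-subnet lpoc needs both router and gateway
                if ver in vl["subnet"] and a not in vl["subnet"][ver]:
                    errors.extend("IPv%d ERROR - %s lpoc %s is outside vlan %s subnet and no %s is defined" % (ver, label, a, g["vlan"], word)
                                  for key, word in (("router", "router"), ("gw", "gateway")) if ver not in vl[key])
            seen = set()
            for tr in triples:                           # rpoc vs rpoc and rpoc vs filter inside the group
                if tr in seen:
                    errors.append("IPv%d ERROR - %s rpoc %s %s %s overlaps another rpoc" % (tr[0].version, label, *tr))
                seen.add(tr)
                errors.extend("IPv%d ERROR - %s rpoc %s overlaps %s filter %s" % (tr[0].version, label, tr[0], action, net)
                              for net, action in g["filter"] if tr[0] in net)
            if g["vlan"] is not None:
                by_vlan[g["vlan"]].append((label, seen, g["filter"]))
    for vid, groups in by_vlan.items():                  # rules for a vlan shared by several groups
        for i, (la, ta, fa) in enumerate(groups):
            for lb, tb, fb in groups[i + 1:]:
                if ta & tb:
                    errors.append("ERROR - vlan %s: %s and %s have overlapping rpoc" % (vid, la, lb))
                if any(tr[0] in n for tr in ta for n, _ in fb) or any(tr[0] in n for tr in tb for n, _ in fa):
                    errors.append("ERROR - vlan %s: %s and %s have an rpoc overlapping a filter" % (vid, la, lb))
    return errors
```

check_consistency(parse_config(SAMPLE_CONFIG)) returns an empty list for the sample; appending a line such as “vlan 10 subnet 192.168.10.0/24 router 192.168.20.2” produces the same “vlan 10 has a router outside of the vlan subnet” message that the firewall itself prints, and adding an IPv6 rpoc to peer-net 1 without an IPv6 lpoc and vlan subnet produces the two dual-stack errors.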


IPv6 Q&A

IPv4 and IPv6 precedence in case of dual-stack.

When IPv6 and IPv4 are both present on one interface, priority is given to IPv6.

Does IPv6 support mean a modification in the Vlan / Peer-Network association?

No, you can still use a single tagged vlan per Peer-Network. IPv4 and IPv6 can work over the same vlan.

Does IPv6 support mean a modification in the Vlan / Load-Balancing association?

No, you can still use a single tagged vlan per Load-Balancing-Group. IPv4 and IPv6 can work over the same vlan.

Is there a change in Peering-Point addressing from the MGC8 point of view?

No, a dual-stack Peering-Point is reached via the same listening port on the Trusted Local POC of the firewall. The LPOC needs to be dual-stack.

Which SFW objects remain IPv4 only?

The following objects remain IPv4 only:

 NTP client/server

Syslog client/Server

Monitoring Host

OAM interfaces (CLI and SNMP)


CLI for IPv6 support

Trusted and Untrusted LPOC

lpoc untrusted poc_id [ip ip_address] [enable | disable] [name description]

lpoc untrusted poc_id no ipv6

lpoc untrusted poc_id no ipv4

lpoc trusted poc_id [ip ip_address] [enable | disable] [name description]

lpoc trusted poc_id no ipv6

lpoc trusted poc_id no ipv4

show lpoc [trusted [poc_id] | untrusted [poc_id]]

Vlan

vlan vid {trusted | untrusted} [enable | disable] [name description] subnet ip_address/len [router ip_address [rip | no rip]] [gw ip_address]

vlan vid subnet ip_address/len 

vlan vid router ip_address [rip | no rip]

vlan vid gw ip_address 

vlan vid no ipv4

vlan vid no ipv6

vlan vid no [ipv4 | ipv6] router

vlan vid no [ipv4 | ipv6] gw

show vlan

Peer Network

peer-net netid filter filter_id ip address/mask [accept | deny]

peer-net netid rpoc peering_point_id ip ip_address [udp [port] | tcp [port] | sctp [port] | tls [port]]

peer-net netid rpoc peering_point_id no ipv4

peer-net netid rpoc peering_point_id no ipv6

show peer-net [netid] rpoc

show peer-net [netid] connectivity

Load Balancing Group

load-balancing-group GroupId rpoc poc_id ip ip_address [udp [port] | tcp [port] | sctp [port] | tls [port]]

load-balancing-group GroupId rpoc poc_id no ipv4

load-balancing-group GroupId rpoc poc_id no ipv6

show load-balancing-group [GroupId] rpoc [poc_id]

show load-balancing-group [GroupId] connectivity


C Configuration backup & restore

Backup configuration on the SFW

Follow the procedure below to back up the SFW configuration.

Steps

1 Execute the “copy running working” CLI command to save the current configuration.

SFW-XXX> copy running working

Command successful

SFW-XXX>

2 Using SFTP to the SFW OAM IP, get the SFW configuration file “/mnt/mtd0/working/config.cfg” from the SFW. Username: support. Password: 44700$orvault

$ sftp support@x.x.x.x

Connecting to x.x.x.x...

support@x.x.x.x's password:

sftp> get /mnt/mtd0/working/config.cfg

Fetching /mnt/mtd0/working/config.cfg to config.cfg

/mnt/mtd0/working/config.cfg 100% 24KB 23.9KB/s 00:00

sftp> bye

3 The configuration file is saved on the remote server after completing the above two steps.

END OF STEPS


Restore configuration to the SFW

Follow the procedure below to restore a backed-up configuration to the SFW.

Steps

1 Put the backup configuration file back into the SFW “/” directory using SFTP to the SFW OAM IP from the remote server. Username: support. Password: 44700$orvault.

$ sftp support@x.x.x.x

Connecting to x.x.x.x...

support@x.x.x.x's password:

sftp> pwd

Remote working directory: /

sftp> put config.cfg

Uploading config.cfg to /config.cfg

config.cfg 100% 24KB 23.9KB/s 00:00

sftp> bye

2 Execute the “show sfw status” CLI command to get the slot number of the active DHSPP.

SFW-XXX> show sfw status

+------+---------+---------+-------------+
! slot ! DHSPP   ! SCM     ! Temperature !
!      ! role    ! role    ! (celsius)   !
+------+---------+---------+-------------+
! 10   ! ACTIVE  ! ACTIVE  ! 51          !
! 11   ! STANDBY ! UNKNOWN ! 50          !
+------+---------+---------+-------------+

3 Access the SFW by SSH to the SFW OAM IP. Username: support. Password: 44700$orvault.

$ ssh support@10.84.13.10

support@10.84.13.10's password:

BusyBox v1.2.1 (2013.08.27-07:36+0000) Built-in shell (ash)

Enter 'help' for a list of built-in commands.

/ $

4 Change the user to “root” by executing “telnet 1.1.1.slot”. In our example, the active slot number is 10 based on the output of the CLI command “show sfw status”.

/ $ telnet 1.1.1.10

Entering character mode

Escape character is '^]'.


BusyBox v1.2.1 (2013.08.27-07:36+0000) Built-in shell (ash)

Enter 'help' for a list of built-in commands.

~ #

5 Copy the configuration file to the configuration directories.

~ # cp /config.cfg /mnt/mtd0/working/config.cfg

~ # cp /config.cfg /mnt/mtd0/certified0/config.cfg

~ # cp /config.cfg /mnt/mtd0/certified1/config.cfg

~ # cp /config.cfg /mnt/mtd0/certified2/config.cfg

6 Copy the configuration file to the configuration directories on the standby card by rcp. The standby SFW IP is 1.1.1.slot. In our example, the standby slot number is 11 based on the output of the CLI command “show sfw status”.

~ # rcp /config.cfg 1.1.1.11:/mnt/mtd0/working/config.cfg

~ # rcp /config.cfg 1.1.1.11:/mnt/mtd0/certified0/config.cfg

~ # rcp /config.cfg 1.1.1.11:/mnt/mtd0/certified1/config.cfg

~ # rcp /config.cfg 1.1.1.11:/mnt/mtd0/certified2/config.cfg

7 Execute the “switchover” CLI command to switch over the SFW.

SFW-XXX> switchover

Running duplex mode configuration synced. Are you sure (Y/N)? y

Command successful

SFW-XXX>

8 Log in to the CLI again after the SFW has switched over. Check the SFW status using “show sfw status”. When the SFW status becomes active/standby, execute “switchover” again.

SFW-XXX> show sfw status

+------+---------+---------+-------------+
! slot ! DHSPP   ! SCM     ! Temperature !
!      ! role    ! role    ! (celsius)   !
+------+---------+---------+-------------+
! 11   ! ACTIVE  ! STANDBY ! 50          !
! 10   ! STANDBY ! UNKNOWN ! 51          !
+------+---------+---------+-------------+

SFW-XXX> switchover

Running duplex mode configuration synced. Are you sure (Y/N)? y

Command successful

SFW-XXX>


9 The configuration is restored after completing the above eight steps.

END OF STEPS
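The restore procedure above hinges on reading the active and standby DHSPP slots out of “show sfw status” and then writing config.cfg to four directories on each card. The following POSIX shell script is an added example, not part of the Alcatel-Lucent guide: it parses a constructed copy of the status table, derives the copy destinations from steps 5 and 6, and adds an integrity check (assumed practice, not in the guide) so a corrupted or wrong backup is caught before it is pushed to the cards.

```shell
#!/bin/sh
# Added example, not from the Alcatel-Lucent guide: pick the active and standby
# DHSPP slots out of "show sfw status" output (steps 2, 4 and 6), derive the
# copy destinations used in steps 5 and 6, and check the backup's integrity
# before it is pushed. SAMPLE_STATUS is a constructed copy of the guide's table.
SAMPLE_STATUS='+------+---------+---------+-------------+
! slot ! DHSPP   ! SCM     ! Temperature !
!      ! role    ! role    ! (celsius)   !
+------+---------+---------+-------------+
! 10   ! ACTIVE  ! ACTIVE  ! 51          !
! 11   ! STANDBY ! UNKNOWN ! 50          !
+------+---------+---------+-------------+'

# dhspp_slot ROLE: read the status table on stdin, print the slot whose DHSPP
# role column equals ROLE (ACTIVE or STANDBY); exit 1 if no such row exists.
dhspp_slot() {
    awk -F'!' -v want="$1" '
        NF >= 4 {
            gsub(/[[:space:]]/, "", $2); gsub(/[[:space:]]/, "", $3)
            if ($2 ~ /^[0-9]+$/ && $3 == want) { print $2; found = 1; exit }
        }
        END { exit found ? 0 : 1 }'
}

# restore_targets STANDBY_SLOT: list every destination config.cfg from steps 5
# and 6: local paths for the active card, 1.1.1.<slot>:path for the standby.
restore_targets() {
    for dir in working certified0 certified1 certified2; do
        echo "/mnt/mtd0/$dir/config.cfg"
        echo "1.1.1.$1:/mnt/mtd0/$dir/config.cfg"
    done
}

# verify_backup FILE SHA256: succeed only if FILE still matches the checksum
# recorded when the backup was taken (assumed practice, not in the guide).
verify_backup() {
    actual=$(sha256sum "$1" | awk '{print $1}')
    [ "$actual" = "$2" ]
}

ACTIVE=$(printf '%s\n' "$SAMPLE_STATUS" | dhspp_slot ACTIVE)
STANDBY=$(printf '%s\n' "$SAMPLE_STATUS" | dhspp_slot STANDBY)
echo "root shell target: 1.1.1.$ACTIVE; standby card: 1.1.1.$STANDBY"
restore_targets "$STANDBY"
```

On a real system, replace SAMPLE_STATUS with the captured output of “show sfw status” and feed the printed destinations to the cp and rcp commands of steps 5 and 6.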
