You are on page 1of 316

Alcatel-Lucent

7510-SFW IMS Peering SIP Firewall | Release 3.0
CLI Reference Guide

Alcatel-Lucent — Proprietary
Use pursuant to applicable agreements

3FZ 08139 ACAA PCZZA
July 2015
Edition 07

Alcatel, Lucent, Alcatel-Lucent and the Alcatel-Lucent logo are trademarks of Alcatel-Lucent. All other trademarks are the property of their respective
owners.
The information presented is subject to change without notice. Alcatel-Lucent assumes no responsibility for inaccuracies contained herein.
Copyright © 2015 Alcatel-Lucent. All Rights Reserved.
Contains proprietary/trade secret information which is the property of Alcatel-Lucent and must not be made available to, or copied or used by anyone outside
Alcatel-Lucent without its written authorization.
Limited warranty
Alcatel-Lucent provides a limited warranty to this product.

Alcatel-Lucent — Proprietary
Use pursuant to applicable agreements

Contents
About this document

xi 

Purpose ..................................................................................................................................................... xi 
Reason for revision.................................................................................................................................. xii 
Intended audience.................................................................................................................................... xii 
Conventions used ................................................................................................................................... xiii 
Related information ................................................................................................................................ xiii 
Technical support ................................................................................................................................... xiii 
How to comment .................................................................................................................................... xiii 

Introduction

15 

SFW location in the IMS architecture ..................................................................................................... 16 
SFW high level functionalities ................................................................................................................ 17 
SIP Firewall main features ...................................................................................................................... 19 
SIP stateless Record-Route Proxy Firewall with dialog and transaction tracking .................................. 19 
SIP features ............................................................................................................................................. 20 

23 

SFW prerequisite

Procedure 1: Checking presence of sitecfg.sfw on SCM ........................................................................ 23 
Procedure 2: SFW OAM IP address configuration ................................................................................. 25 
Procedure 3: How to get access to the SFW CLI .................................................................................... 26 

27 

Vlan Management

Summary of the CLI for Vlan management ............................................................................................ 29 
vlan vid {trusted | untrusted} subnet ip_address mask ................................................................... 30 
vlan vid subnet ip_address/len................................................................................................... 34 
vlan vid [router ip_address [rip | no rip]] ...................................................................................... 35 
vlan vid no [ipv4 | ipv6] router.............................................................................................................. 36 
vlan vid gw ip_address ................................................................................................................... 37 
vlan vid no [ipv4 | ipv6] gw .................................................................................................................. 38 
vlan vid name description ............................................................................................................. 39 
vlan vid no name ................................................................................................................................... 40 
vlan vid mac mac_address ............................................................................................................... 41 
no vlan vid ............................................................................................................................................. 42 
show vlan ................................................................................................................................................ 43 

Local Point Of Contact (LPOC)

3FZ 08139 ACAA PCZZA
Edition 07
July 2015

Alcatel-Lucent — Proprietary
Use pursuant to applicable agreements

44 
iii

Contents

Trusted interface definition ...................................................................................................................... 44 
Untrusted interface definition .................................................................................................................. 45 
Local Point Of Contact definition ............................................................................................................ 45 
Summary of the CLI for Trusted and Untrusted LPOC ........................................................................... 46 
lpoc untrusted poc_id ........................................................................................................................... 47 
lpoc untrusted poc_id no ipv6 .............................................................................................................. 49 
lpoc untrusted poc_id no ipv4 .............................................................................................................. 49 
lpoc untrusted poc_id no {udp | tcp | sctp | tls} ................................................................................... 50 
no lpoc untrusted poc_id ...................................................................................................................... 50 
lpoc trusted poc_id ............................................................................................................................... 51 
lpoc trusted poc_id no ipv6 .................................................................................................................. 53 
lpoc trusted poc_id no ipv4 .................................................................................................................. 53 
no lpoc trusted poc_id .......................................................................................................................... 54 
show lpoc ................................................................................................................................................. 55 
ip defrag ................................................................................................................................................... 56 
show ip defrag .......................................................................................................................................... 57 

Peer Networks

58 

Summary of the CLI for Peer Network management .............................................................................. 59 
peer-net netid ....................................................................................................................................... 60 
peer-net netid filter filter_id ip address/mask ................................................................... 61 
peer-net netid filter filter_id rpoc ............................................................................................. 62 
peer-net netid no filter ....................................................................................................................... 63 
peer-net netid rpoc peering_point_id ip ................................................................................. 64 
peer-net netid rpoc peering_point_id no ipv4 ....................................................................... 68 
peer-net netid rpoc peering_point_id no ipv6 ....................................................................... 68 
peer-net netid rpoc peering_point_id no {udp | tcp | sctp | tls} .............................................. 69 
peer-net netid rpoc peering_point_id name fqdn .................................................................. 70 
peer-net netid rpoc peering_point_id no name ........................................................................ 71 
peer-net netid rpoc peering_point_id nat ................................................................................. 72 
peer-net netid rpoc peering_point_id port-forwarding ............................................................ 74 
peer-net netid rpoc peering_point_id no port-forwarding ....................................................... 75 
peer-net netid no rpoc peering_point_id ................................................................................ 76 
peer-net netid lpoc untrusted_lpoc_id .................................................................................... 77 
peer-net netid no lpoc untrusted_lpoc_id .............................................................................. 78 
peer-net netid security-profile security_profile_id .............................................................. 79 
peer-net netid load-balancing-group group_id ............................................................................. 80 
iv

Alcatel-Lucent — Proprietary
Use pursuant to applicable agreements

3FZ 08139 ACAA PCZZA
Edition 07
July 2015

Contents

peer-net netid vlan vid ..................................................................................................................... 81 
peer-net netid no vlan ....................................................................................................................... 82 
peer-net netid max call duration call_duration ........................................................................ 83 
peer-net netid polling ping {enable | disable} .................................................................................... 84 
peer-net netid polling ping period interval .................................................................................. 85 
peer-net netid dscp dscp_value .................................................................................................... 86 
peer-net netid dscp default ................................................................................................................. 87 
dscp default default_dscp ................................................................................................................ 88 
show dscp default .................................................................................................................................... 89 
peer-net netid tls-profile tlsprofileid ....................................................................................... 90 
peer-net netid no tls-profile ................................................................................................................ 91 
no peer-net netid .................................................................................................................................. 92 
show peer-net .......................................................................................................................................... 93 
show peer-net netid lpoc .................................................................................................................... 95 
show peer-net [netid] filter................................................................................................................. 96 
show peer-net [netid] rpoc ................................................................................................................. 97 
show peer-net connectivity .................................................................................................................... 99 
show peer-net [netid] statistics [trusted | untrusted] ........................................................................ 102 

Security Profile

118 

Summary of the CLI for Security Profile management......................................................................... 120 
security-profile profile_id ............................................................................................................. 121 
security-profile profile_id invite dialog setup-rate........................................................................ 123 
security-profile profile_id invite in-dialog transaction-rate .......................................................... 124 
security-profile profile_id invite in-dialog method accept ............................................................ 125 
security-profile profile_id invite in-dialog no method accept ....................................................... 126 
security-profile profile_id out-of-dialog method-rate ................................................................... 127 
security-profile profile_id out-of-dialog no method-rate .............................................................. 129 
security-profile profile_id sip thig ................................................................................................ 130 
security-profile profile_id route-reorder ....................................................................................... 133 
security-profile profile_id ringing-timer duration ................................................................... 134 
security-profile profile_id clone profile_id.......................................................................... 135 
security-profile profile_id fqdn-in-from thig ................................................................................ 136 
security-profile profile_id sip route-mode .................................................................................... 137 
security-profile profile_id private_ip ............................................................................................ 138 
no security-profile profile_id ........................................................................................................ 139 
show security-profile profile_id .................................................................................................... 140 
3FZ 08139 ACAA PCZZA
Edition 07
July 2015

Alcatel-Lucent — Proprietary
Use pursuant to applicable agreements

v

Contents

TLS feature overview

141 

Introduction ............................................................................................................................................ 141 
Reference documents ............................................................................................................................. 141 
Feature Overview ................................................................................................................................... 142 
TLS Feature Description ........................................................................................................................ 143 

TLS Profile

146 

Summary of the CLI for TLS-Profile management ............................................................................... 147 
tls-profile tlsprofileid local-cert ca-check renegotiation-period ................................................. 148 
tls-profile tlsprofileid no renegotiation-period ........................................................................... 149 
tls-profile tlsprofileid ca-cert-list certid1 … [certid8] .................................................... 151 
tls-profile tlsprofileid no ca-cert-list certid1 … [certid8]............................................... 152 

CA certificates

153 

Summary of the CLI for CA certificates management .......................................................................... 154 
import certificate ca ca-certid [name description] ................................................................ 155 
certificate ca ca-certid name description ............................................................................... 156 
no certificate ca ca-certid ............................................................................................................... 157 
show certificate ca pem ca-certid ................................................................................................... 158 
show certificate ca details ca-certid................................................................................................ 159 
show certificate ca ca-certid ........................................................................................................... 160 
show certificate ca ................................................................................................................................. 161 
10 

Local X509 certificates and Privates Keys

162 

Summary of the CLI for SFW local certificates management ............................................................... 163 
import certificate local certid [name description] ................................................................... 164 
import certificate local privatekey certid [password pwd] ...................................................... 165 
certificate local certid name description .................................................................................. 167 
no certificate local certid .................................................................................................................. 168 
show certificate local pem certid ...................................................................................................... 169 
show certificate local details certid................................................................................................... 170 
show certificate local certid .............................................................................................................. 171 
show certificate local ............................................................................................................................. 172 
certificate local certid request ........................................................................................................... 173 
11 

Internal DNS server

176 

Summary of the CLI for the internal DNS management ....................................................................... 177 
dns-internal dns-entry-id name peer-net ip ............................................................................... 178 
dns-internal dns-entry-id name rpoc-name .......................................................................... 179 
dns-internal dns-entry-id peer-net netid ............................................................................... 180 
vi

Alcatel-Lucent — Proprietary
Use pursuant to applicable agreements

3FZ 08139 ACAA PCZZA
Edition 07
July 2015

............................... 219  trunk {trusted|untrusted} mode [linkagg | act-stdy] ..................................................................... 199  load-balancing-group groupId no vlan ................................................................................................................................................................................ 207  show load-balancing-group connectivity .............................................................Contents dns-internal dns-entry-id ip address ................................................................ 195  load-balancing-group groupId no rpoc poc_id ................ 215  14  Interfaces (Ge Ports) & Trunks 217  Summary of the CLI for Ge Interfaces and Trunks management ................................................................................................................... 221  show trunk ........................................................................................................ 214  show tcp statistics ..................................................................................................................................................................... 193  load-balancing-group groupId rpoc no ipv6 ................................................................................................................. 188  load-balancing-group groupId rpoc................................ 182  show dns-internal ................................................................................................................................................................................................... 187  load-balancing-group groupId ............................................................................. 183  12  Load Balancing Group 185  Summary of the CLI for Load-Balancing-Group management ....................................................................................................................................... 223  show trunk port ................................... 198  load-balancing-group groupId vlan vid.......................... 213  show tcp syn ................................. 205  show load-balancing-group ..................................................... 223  3FZ 08139 ACAA PCZZA Edition 07 July 2015 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements vii ............................. 196  load-balancing-group groupId lpoc trusted_lpoc_id ........................... 200  load-balancing-group groupId polling period interval ....................................................... 201  load-balancing-group groupId rpoc poc_id call rate ... 197  load-balancing-group groupId no lpoc trusted_lpoc_id ........................................................................................................................................................... 218  show interfaces ................................ 208  13  Tcp Syn Flood Protection 211  Summary of the CLI for TCP SYN Flood management ........................................................................................................................................................ 213  tcp syn trusted rate syn_per_sec ............................................................... 182  dns-internal dns-entry-id no ipv6 ......... 202  load-balancing-group groupId rpoc poc_id transaction rate ............................. 206  show load-balancing-group rpoc ............................................................................................................................................................................................. 212  tcp syn oam rate syn_per_sec .............................................................................................................................................................................. 212  tcp syn untrusted rate syn_per_sec ........... 189  load-balancing-group groupId rpoc no ipv4 .............................................................................................................................................................................................................................................................................................................................................................................................................................. 194  load-balancing-group groupId rpoc poc_id no {udp | tcp | sctp | tls}............................................................................................................... 181  dns-internal dns-entry-id no ipv4 .......... 204  no load-balancing-group groupId ...................................................................................

.......... 261  18  262  Syslog Management Summary of the CLI for Syslog Management ................................................................................................ 243  no snmp station stationId ......................................................... 225  sip-header max-forwards {enable|disable} ................................................................................................................................ 258  show user cmd [adm|ope|viewer] ................................... 244  show snmp alarm thresholds ............................................................................................................................................................................................................................................................................................. 226  show sip-header ................................................ 247  show snmp trap config ............. 257  no user username........................... 250  snmp trap trap_id {enable | disable} .............................. 256  user username auth { sha | md5} priv {aes | des} ........................................................................................................................................................................................................................... 267  show syslog .................................................................................... 255  user username no snmp......................................... 242  snmp station stationId {enable | disable}.... 230  snmp station stationId ip ip_address .......................................................................................................................................................................... 254  user username level {adm | ope | viewer}....... 266  no syslog-server .......................................................................................................... 253  user username password ................................ 265  syslog [rate] [length] [facility] [rfc3164 | rfc5424] ................................................................................................................................................................................................................................................................................................. 243  show snmp station ........................................ 248  snmp trap trap_id filter-delay delay .................................................................................................................................................... 262  syslog-server oam ip ip-address .............................................................................................................................................................................................. 252  17  Users Management 253  Summary of the CLI for Users Management .............. 251  snmp trap restore default.................... 263  syslog-server trusted ip ip-address ................................................................................................................................ 264  syslog-server [ip] [port] [vlan] [lpoc] ................................................................................................................................................................................................................................................... 245  snmp alarm modify threshold threshold_id............................................................... 268  19  viii NTP servers Management 269  Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 3FZ 08139 ACAA PCZZA Edition 07 July 2015 ..................................................................................................................... 227  16  228  SNMP Management Summary of the CLI for SNMP Management ................................................................................................................................................................................................................................................................................. 229  Alarms Management .................................................................................................................................................... 251  show snmp alarm active ........................................................................................................................... 258  show user [adm|ope|viewer]....................................Contents 15  SIP Message Management 225  Summary of the CLI for SIP Message Management ...........................

...................................................................................................................... 302  Trusted side IP connectivity...................................................................... Link Aggregate or Active/Standby mode ................................... 305  3FZ 08139 ACAA PCZZA Edition 07 July 2015 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements ix ................................................................................................................. 283  configuration retrieve ......................................................... 282  switchover ... 269  ntp server serverId ip ip-address ........................................................... 293  Install the SITECFG.............Contents Summary of the CLI for Syslog Management ...................................................... 300  Untrusted side IP connectivity without VRF support .................... 288  22  CLI Session Management 290  Summary of the CLI for Configuration Management ......................................................................................... 298  Untrusted/Trusted Interfaces.............................................................................................................................................................. case 1 ..................... 280  show running-directory ......................................................................................................... 295  A  IP Configuration example 297  IP Configuration Introduction ................2................................................................................................................. 275  -> monitoring-host oam ip 192.........168.. 299  Untrusted side IP connectivity with VRF support........................... 272  monitoring-host trusted ip ip-address port ipPort ......................................................................................................................................................................... 281  show configuration consistency .....................................................................................................SFW configuration file .................................................................................................................................................................................................................................................... 279  copy working certified .................................................... 275  show monitoring-host..................................... 304  Trusted side IP connectivity...........................SFW configuration file on the SFW .................................................................................. 291  23  How to configure the SFW SITE specific parameters 292  How to update the SITECFG....................................................................................................................................................................................................................... 284  show system .................................................................................................................................................................................................................................................................................................................................................................................................. 271  20  Monitoring SIP messages dropped 272  Summary of the CLI for Monitoring-Host Management ........ 287  show sfw status .................................... 270  show ntp server............... 291  show cli session ............................................................. 285  system location ..................................................................................................................... 278  copy running working ..................................................................... 270  no ntp server serverId .............................................................................................. 279  show configuration ............................................................................................................................ 290  cli session timeout ...... 276  21  Configuration Management 278  Summary of the CLI for Configuration Management ........................................ 273  monitoring-host oam ip ip-address port ipPort ............................................................ case 2 ..........110 port 5060 rate 10 ...........................................................................................................

........ 312  Restore configuration to the SFW.................................................................................................................................................... 310  C  Configuration backup & restore 312  Backup configuration on the SFW ........................... 308  IPv6 Q&A ..................................................Contents B  IPv6 support 308  create and modify IPv4/IPv6 objects ......................................................... 313  24  x 316  Glossary Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 3FZ 08139 ACAA PCZZA Edition 07 July 2015 .....................................................................................................................................................................

About this document Purpose This document is the SFW SIP firewall Command Line Interface User’s Guide. 3FZ 08139 ACAA PCZZA Edition 07 July 2015 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements xi . It provides detailed information on the configuration of the SIP Firewall. dedicated to IMS SIP peering and protecting the IBCF (MGC8).

This manual assumes that the administrator of the 7510-SFW is knowledgeable about the concepts.31 Ed04 • Ed02 2012/01 2012/02 • o Peer-network o Load-Balancing-Group o Vlan o Security-Profile Add ‘sip-header ‘ command.0" • Default passwords must not be given in the customer documentation. Ed05 2013/09 Intended audience The target audience of this manual is network administrators and Information Systems professionals who maintain IMS equipments. • Add reference for 3FZ-08141-ACAA-PCZZA "SFW sfwStaticConf. 2012/02 The range of the parameter “name” for the following objects is changed to 0.xls .sfw template for release R3. sitecfg. and Local Area Network (LAN) and SIP protocol discussed in this manual. xii Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 3FZ 08139 ACAA PCZZA Edition 07 July 2015 .About this document Reason for revision The following table shows the revision history of this document.0 Ed01 • New features introduced in R3. Location Revision Issue • Creation of this document for the SFW release 3. Contact your account or technical Ed03 support representative for information about default passwords. network topologies..32 • New CLIs have been added no be able to set the Vlan Name without setting the Vlan Subnet. o Far-End NAT Traversal o 2047 Peer Network 2011/12 • The IP Filter index range is modified to 1.0: o TLS support on Untrusted side..

How to comment To comment on this document.About this document Conventions used This guide uses the following typographical conventions: Appearance Description graphical user interface text Text that is displayed in a graphical user interface or in a hardware label variable A value or command-line parameter that the user provides [] Text or a value that is optional { value1 | value2 } A choice of values or variables from which one value or variable is used {variable1 | variable2 } Related information This guide has to be used in conjunction with the 7510-SFW documentation listed in the table hereafter.sfw file allows configuration of site specific attributes that cannot be provisionned via CLI or OMCP management. contact your local Alcatel-Lucent customer support team.com). go to the Online Comment Form (http://infodoc.com/comments/) or e-mail your comments to the Comments Hotline (comments@alcatel-lucent.sfw file for SFW release R3. sfwStaticConf.com/support/) for contact information.xls 3FZ-08141-ACAAPCZZA This document provide an excel template to build the sitecfg. Product Part Number Product Description Getting Started with SFW 3FZ 08140 ABAA PCZZA This document provides tips to deploy the SFW R2. See the Alcatel-Lucent Support web site (http://alcatel-lucent.6 and further releases.0. The sitecfg.0.alcatellucent. 3FZ 08139 ACAA PCZZA Edition 07 July 2015 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements xiii . Technical support For technical support.

.

1 Introduction Overview Purpose Before going through the description of the Command Line Interface. Contents This chapter covers these topics. SFW location in the IMS architecture 16 SFW high level functionalities 17 SIP Firewall main features 19 3FZ 08139 ACAA PCZZA Edition 07 July 2015 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 15 . the chapter 1 of this document presents the 7510-SFW “SIP Firewall for IMS Peering”.

Figure 1 . The MGC-8 also supports class 4 functionality that can be used by the service provider to more efficiently route incoming. o A BGW that supports the RTP bearer functionality. This document applies to the 7510 MG as the BGW. This document applies to the 5020 MGC-8 as the IBCF. The 7510 can also support TDM trunks to support TDM carriers and internal network elements that are not SIP-capable. and transit calls (between two internal network elements).SFW location in the IMS architecture Introduction SFW location in the IMS architecture Alcatel-Lucent provides a border architecture consisting of: o An IBCF that supports SIP signaling interworking.Alcatel-Lucent border solution 16 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 3FZ 08139 ACAA PCZZA Edition 07 July 2015 . outgoing.

Introduction SFW high level functionalities SFW high level functionalities Alcatel-Lucent’s BGW has an internal firewall functionality to protect the bearer network from external attacks. Only the SIP signaling messages pass through the SFW. The internal network elements might be end offices. The border solution could include several BGWs. voice mail systems. This document describes the features of the SIP Signaling firewall. The SFW (Signaling Firewall) sits on the edge of the network in front of the IBCF. Figure 1 shows the Alcatel-Lucent border solution. so the IBCF must choose the appropriate BGW for each incoming/outgoing call. High-level functionalities of the SFW : o Network Address/Port Translation o Load Sharing among IBCF CCS o n-tuple Filtering o SIP Support o Malicious Attack Prevention o Realm Separation o Per SIP method Rate Limiting o IBCF Geographic Redundancy Support o Overlapping IP Address Support o Topology Hiding 3FZ 08139 ACAA PCZZA Edition 07 July 2015 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 17 . etc. announcement servers. IMS systems. bearer packets go directly to a BGW. Each BGW might only connect to a subset of the peering networks. wireless MSCs. but a separate signaling firewall is needed to protect the IBCF from SIP signaling attacks.

SFW high level functionalities 18 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 3FZ 08139 ACAA PCZZA Edition 07 July 2015 .Introduction SFW high level functionalities Figure 2 .

The 7510-SFW SIP firewall does not follow that model. 3FZ 08139 ACAA PCZZA Edition 07 July 2015 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 19 .Introduction SIP Firewall main features SIP Firewall main features Most firewalls provide SIP firewalling by implementing an ALG. From a networking standpoint they can operate either in transparent Mode or Routed Mode with or without performing NAT. it owns at least one IP interface on the trusted side and one or more IP interfaces on the untrusted side depending on the deployment model. For that purpose that SIP firewall inserts itself in the route (inserts via and record-route headers) and provides Topology Hiding for the I-BCF it protects. It is the next SIP hop for that IBCF. Transaction/dialog tracking SIP method Rate limiters Load Balancer SIP routing Table SIP stateless Proxy Firewall Trusted SIP ports Local IBCF TCP/UDP unTrusted SIP ports TCP/UDP IP IP « host » IP interface « pseudo router » IP interface (optional) Remote IBCF L2/L3/L4 firewall SIP Firewall (DHSPP4) Site A IP core Network SIP Trusted ~14000 msg/s SIP untrusted ~730000 msg/port/s Remote IBCF Site B IP Peering Network Site C SIP stateless Record-Route Proxy Firewall with dialog and transaction tracking The SIP firewall is built around a SIP stateless Proxy that has been enhanced to be able to track dialogs and transactions. Since it operates as a stateless Proxy.

the SDP is not analyzed. The dialog tracking is also used in the load balancing and the overload control to adapt the load of the call setup and to reject new INVITE when the number of established calls reaches a limit. it is dropped by the SIP firewall.SIP Firewall main features Introduction SIP features SIP Parser Attack Prevention Only the SIP header is analyzed by the SIP Firewall. That feature permits to the SIP firewall to be aware of the number of SIP transaction that are in progress and the average time the I-BCF takes for processing it. Dialog tracking Dialog tracking is provided for INVITE dialog only. all initial INVITEs matching that signature have their rate downgraded. When that threshold is reached. SFW accepts only SIP messages that are properly formatted. DDOS attack mitigation on initial INVITE When all the fields uses for flooding detection changes on each SIP message the SIP firewall is not able to detect the source of the attack by just analysis the SIP message. Only mandatory SIP headers are parsed. SFW checks the SIP message maximum sizes (header and total message size). The limit is configurable per peer. for example it may block blind CANCEL or BYE attacks. It permits to track transaction inside a dialog. Transactions that are out of sequence are blocked. That mechanism will impact legitimate traffic 20 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 3FZ 08139 ACAA PCZZA Edition 07 July 2015 . Transaction tracking The SIP firewall is aware of the transactions and can drop out of sequence messages as well the duplicate messages. The rate limiters are configurable per untrusted sources (Peer Network). That downgrade remains until the bad response counters drop below the normal threshold. when the unstrusted SIP message is out of its rate. Protection against SIP DoS and Distributed DoS attacks Rate limitation per types of messages It is the first level of protection. The detection is based on a threshold of bad response for a given signature by tracking the behavior of the transaction. Initial Request Flooding attack detection The SIP firewall is able to detect a transaction flooding attacks and to isolate SIP messages that correspond to the signature of the attacker. Note that in that case some legitimate SIP traffic might be affected because they match the same signature. The transaction tracking is also used in the load balancing and overload control to adapt the transaction rate towards the local IBCF .

This avoids updating the network configuration of the trusted side when more peering points are added. but avoids setting up the source IP address in quarantine and by the way blocking an entire peer. Remote SIP ports replication on trusted side In terms of SIP ports (IP address and port) it provides as many SIP ports that the trusted IBCF can reach on the untrusted side (that are also called peering points). On the other hand. That case is detected by the SIP firewall. the SIP firewall does not take any decision about the next SIP hop. Typically. and all the 200 OK responses are forwarded to the SIP port from which the initial INVITE was coming from. When the trusted I-BCF has to sends a SIP request towards a remote I-BCF. Single Point of Contact On the untrusted side the SFW can be configured to be the single point of contact for the remote peers while operating in a networking environment that provides separation among the peer networks. the SFW provides the ability to partition the local IBCF in smaller subsets. it has to resolve the IP address and the port of that next hop SIP either by a local routing table or thanks to DNS. Local IBCF partitioning When a local IBCF is deployed in the IMS core network as a centralized component. The local routing table or the DNS provides an IP address and port that does not designate the remote I-BCF. the SIP firewall is configured with a routing table that permits to perform the mapping between the trusted SIP port and the SIP port of the remote i-BCF on the untrusted side. the SIP firewall is transparent. However it is not required to provide as many SIP ports as the local I-BCF provides.Introduction SIP Firewall main features that match the same signature. This is 1:1 mapping. the SFW provide a single point of Contact for the local IBCF for reaching all the peering points. in case of IP spoofing attack if the SIP firewall puts the source IP in quarantine the attack is successful. it might be possible that several 200 OK replies are sent back to the local I-BCF. For local I-BCF outgoing requests. For the case of the trusted side. However if a forking takes place after the remote I-BCF. Transparent to forking When the local I-BCF decides to fork. Untrusted SIP ports For the untrusted side it provides as many untrusted SIP ports (IP@ and port) as the remote I-BCFs may address. because the SIP firewall blocks the legitimate source. but rather a SIP port provided by the SIP firewall on the trusted side. That partitioning applied to a centralized I-BCF make the solution equivalent to a distributed model: 3FZ 08139 ACAA PCZZA Edition 07 July 2015 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 21 . it just follows the information of the SIP routing table.

Reliable Transport Only TCP is supported in that release. the drop is performed at SIP level and not at L3 or L4 level. That solution provides better performances versus a solution with an external L2/L3/L4 firewall. VPN separation VPN separation is provided thanks the usage of 802. a remote IBCF might use more that its strict proportional share of the total simultaneous call capacity when the partition is not loaded. the SIP message might still be dropped because the maximum aggregate rate for the method has been reached. Load Balancing and overload control That feature permits to balance the load of the SIP traffic among SIP service blades of the local I-BCF belonging to the same partition. There avoids dropping legitimate SIP traffic. This information is configurable and expressed as a percentage of the total call capacity. if the rate for a particular SIP method is not reached for a given IBCF. The SIP message rate of each remote IBCF is adapted to the aggregate rate of the partition to which it belongs. in case of overloading.1Q tag to separate Peer Network that have same IP addresses. It provides a Qos feature that permits to allocate a bandwidth for the SIP requests that is proportional to the weight of the remote IBCF as well as a number a simultaneous calls. 22 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 3FZ 08139 ACAA PCZZA Edition 07 July 2015 . Redundancy The SIP firewall operates in 1+1 redundancy mode. that is not the case with SIP firewalls that separate the L2/L3/L4 firewalling and the SIP firewalling.1Q. For the case of the simultaneous calls. L2/L3/L4 SIP-aware firewalling The SIP firewall provides L2/L3/L4 firewalling which is SIP aware on the untrusted side and thus does not require any external firewall. Typically.SIP Firewall main features Introduction It provides an isolation of remote I-BCFs (VPN) on different SIP service blades of the local I-BCF by affecting remote IBCF to different partitions it permits to limit DDOS attacks not detected by the SIP firewall to only a subset of the local I-BCF. It provides redundancy for the established calls but not for the transaction inside or outside a dialog. IP V4 address overlapping The IP address overlapping is supported on the untrusted side thanks to the usage of 802. TCP connections are terminated at SIP firewall level.

prior doing anything else. 2 SFW CLI login Prior accessing to the SFW CLI session you need to: Follow procedure 2 and 3 described below. Follow procedure 1 described below.sfw This file must be present on both SCM hosting primary and backup DHSPP4. It’s quite important to configure the SFW name because: 3FZ 08139 ACAA PCZZA Edition 07 July 2015 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 23 . you need to pay attention to the following points: Item Purpose How to check 1 sitecfg. The SFW name is not configurable via CLI commands.sfw on SCM When to use On the first 7510-SFW installation you need to check the presence of the file sitecfg. This file must contain the name of the SIP Firewall (SFW). - Configure the SFW OAM IP address on the 7510 - Know the initial login / password Procedure 1: Checking presence of sitecfg. If this file is not present the SIP Firewall application will fail to be loaded.2 SFW prerequisite On the first 7510-SFW installation.sfw on both SCM (primary and backup) hosting both DHSPP4 of the SIP Firewall (SFW).

please refer to the Appendix at the end of that guide “How to configure SFW site specific parameters” to know how to configure and load this file on the SCM boards. is displayed in all SNMP traps.sfw and not configurable via CLI commands.184 11-29-2010 If the file sitecfg. you may have some objects that are configurable only via the sitecfg. 2 Check the presence of the file on the primary SCM ACT-SCM:1. Steps 1 Log in to the 7510 Contact your account or technical support representative for information about default login/password. END OF STEPS 24 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 3FZ 08139 ACAA PCZZA Edition 07 July 2015 .sfw Volume currently in device: 977 MB FLASH SITECFG 4 SFW 2.sfw. • The SFW name. In that case the unique SFW name avoids overwriting the existing configuration with the one that may exist on the replacement board.10(r0) # rc 1 11 Setting up remote console to [01][11] STB-SCM:1.184 11-29-2010 3 3:59p -V--- 3:59p -V--- Access the backup SCM and repeat the same checking ACT-SCM:1.sfw Volume currently in device: 977 MB FLASH SITECFG SFW 2. This is particularly important in case of SCM/DHSPP4 hot-swap.sfw on SCM • The SFW name uniquely identifies the SFW.sfw is missing on one or the other board. • The SFW name is the CLI prompt Moreover.sfw • Which objects needs to be configured via this file. • How to load this file on the SCM boards.10 # ls *. Refer to the Appendix at the end of that guide “How to configure SFW site specific parameters” to know: • Where to get a template of the sitecfg.11 # ls *.SFW prerequisite Procedure 1: Checking presence of sitecfg. depending on which 7510 release is loaded. configured via the sitecfg.

2 Configure the OAM IP address using the ui commands: define sfw ip <oam-ip-address> <oam-ip-mask> <defaultroute-ip-address> 3 Check the OAM IP address configuration. It is the 7510 who allocates the SFW OAM IP address. view sfw ip END OF STEPS 3FZ 08139 ACAA PCZZA Edition 07 July 2015 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 25 . The following 7510 procedure allows configuration of the SFW OAM IP address: Steps 1 Log in to the 7510 Contact your account or technical support representative for information about default login/password.SFW prerequisite Procedure 2: SFW OAM IP address configuration Procedure 2: SFW OAM IP address configuration When to use The SFW is hosted by the 7510.

128. Steps 1 Open a SSH tunnel to the SFW ssh cli@oam-ip-address cli@139.54. ssh Open the CLI session with the initial login / password Contact your account or technical support representative for information about default login / password.SFW prerequisite Procedure 3: How to get access to the SFW CLI Procedure 3: How to get access to the SFW CLI When to use SFW configuration via CLI requires to open a SSH tunnel.40) 2 (e. -> user <login> password <new-password> END OF STEPS 26 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 3FZ 08139 ACAA PCZZA Edition 07 July 2015 .g. 3 Then you have the ability to change the root password.

This means it’s an IP address of SIP Signaling entity either on the untrusted side of the firewall or on the trusted side of the firewall. Each Peer Network can have its own VLAN. This means it’s an IP address of the firewall in charge of the SIP Signaling messages. There are LPOC on the untrusted side of the firewall. RPOC: a rpoc is a Remote Point of Contact. Before going further it’s necessary to define the following acronyms that appear throughout this document: LPOC : a lpoc is a Local Point of Contact. facing the MGC8 IBCF. and LPOC on the trusted side of the firewall. 3FZ 08139 ACAA PCZZA Edition 07 July 2015 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 27 . however it is still possible that several Peer Networks share the same VLAN. Introduction The main purpose of the Vlan Management is to provide the ability to isolate the Peer Network and to address the case of the IP V4 address overlapping. In that last case.3 Vlan Management Purpose This paragraph provides information about the Vlan management in the SFW. they share the same broadcast domain and there is no possible IP address overlapping. facing the Peer-Networks.

. as a consequence it is not possible to use the same VLAN number for the trusted and untrusted side. The Peer-Network using that Vlan must have a LPOC in a different subnet. 3. For example. The appendix “SFW IP configuration” at the end of that document illustrates the various IP configuration mentioned above through examples.1q tagged vlans. The SFW LPOC and the RPOC are in different subnets. Remote Point of Contact. The vlan 0 and vlan 4095 have special meanings. All other vlans (1. The vlan 4095 is used to specify an untagged vlan for the Untrusted side. • RPOC. In that case a “pseudo-router” needs to be added in the Vlan configuration. In order to simplify the configuration of the next hop router. The SIP FW supports up to 4096 (0..Vlan Management The Vlan management allows supporting various IP configurations: 1. The vlan 0 is used to specify an untagged vlan for the Trusted side. A Vlan is either trusted or untrusted. When a “pseudo-router” has been added to a vlan. The IP configurations capabilities described above apply for both Untrusted and Trusted sides.4095) vlan values. The SFW LPOC and the RPOC are in the same subnet. The SFW LPOC and the Vlan Subnet are in different subnets. a default gateway needs to be added in the vlan configuration to be able to reach the RPOC subnet. designates either a peeringpoint of a Peer-Network or Signaling entity (CCS) of the MGC8 IBCF. the VLAN Management can be configured to perform RIP announcement of the local POC IP addresses that are accessible through the “pseudo-router”. In that case the Vlan configuration will define only an IP subnet/mask 2.4094) are 802. this case exists when several Peer-Networks (isolated through different vlans) share a single Point Of Contact. 28 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 3FZ 08139 ACAA PCZZA Edition 07 July 2015 . Remember that: • LPOC designates either a SFW Local Point of Contact on the Untrusted or on the Trusted side. In that case.

Vlan Management Summary of the CLI for Vlan management Summary of the CLI for Vlan management Vlan management vlan vid {trusted | untrusted} [enable | disable] [name description] subnet ip_address/len [router ip_address [rip | no rip]] [gw ip_address] vlan vid subnet ip_address/len vlan vid router ip_address [rip | no rip] vlan vid no [ipv4 | ipv6] router vlan vid gw ip_address vlan vid no [ipv4 | ipv6] gw vlan vid name description vlan vid no name vlan vid no ipv4 vlan vid no ipv6 vlan vid mac mac_address vlan vid v4mac mac_address vlan vid v6mac mac_address vlan vid no mac vlan vid no v4mac vlan vid no v6mac no vlan vid show vlan [vid] 3FZ 08139 ACAA PCZZA Edition 07 July 2015 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 29 .

Even if the SIP firewall is connected to different switch/routers.4094) are 802.1q tagged vlans. Command vlan vid {trusted | untrusted} [enable | disable] [name description] subnet ip_address mask ip_address [router ip_address [rip | no rip]] [gw ip_address] Arguments vid This is the identifier of the vlan. The vlan 0 is used to specify an untagged vlan for the Trusted side. the firewall does not allow the use the same vlan on the trusted and untrusted side. The vlan 0 and vlan 4095 have special meanings. description Description of the vlan (31 characters) subnet ip_address/len These parameters describe the IP subnet and IP mask that are associated with the vlan. 30 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 3FZ 08139 ACAA PCZZA Edition 07 July 2015 .Vlan Management vlan vid {trusted | untrusted} subnet ip_address mask vlan vid {trusted | untrusted} subnet ip_address mask Purpose The purpose of that command is the creation of a vlan.. enable | disable Provides the ability to change the operational status of the vlan. trusted | untrusted This keyword indicates the SFW interface that owns the vlan. In the case of the association with the Peer-Network it will allow realm separation and IP v4 addresses overlapping. This vlan will be later associated with either a Peer-Network or a Load-Balancing-Group to provide IP connectivity with these remote entities. All other vlans (1. The vlan 4095 is used to specify an untagged vlan for the Untrusted side.

In that case the CLI must be run twice. static routes should be configured on the next hop router to be able to reach the LPOC. In that case the CLI must be run twice. The same vlan can be used for IPv4 and IPv6. The consistency of the configuration is checked when the configuration is saved via the CLI commands “copy running working”. By default rip is not activated. once to specify the IPv6 router address. once to specify the IPv4 gateway address. once to specify the IPv6 gateway address. On the trusted side. the vlan is associated with a Peer-Network or a LoadBalancing-Group. router This parameter defines the “pseudo-router” providing accessibility to a LPOC created in a different subnet. The IP address of this “pseudo-router” must be in the subnet defined by the previous attribute “subnet”. Complementary information Once created. The same vlan can be used for IPv4 and IPv6. The same vlan can be used for IPv4 and IPv6. and several RPOC are associated with the Peer-Network. This default gateway is required when the remote POC IP address is not in the vlan subnet. The vlan IP addresses parameters must be consistent with the LPOC and RPOC that are bind together under the Peer-Network object or the LoadBalancing-Group object. In that case the CLI must be run twice. When “no rip” is configured. once to specify the IPv6 subnet address and its mask length. At the same time an untrusted LPOC. a trusted LPOC and several RPOC are associated with the Load-Balancing-Group. rip | no rip If an IPv4 “pseudo-router” has been configured on the vlan it is possible to advertise via the RIP protocol the LPOC which are accessed through this pseudo-router. The default gateway IP address MUST belong to the vlan subnet. once to specify the IPv4 subnet address and its mask length. once to specify the IPv4 router address. 3FZ 08139 ACAA PCZZA Edition 07 July 2015 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 31 .Vlan Management vlan vid {trusted | untrusted} subnet ip_address mask It can be an IPv4 or IPv6 subnet. gw This attribute defines a default gateway.

• Within a Load-Balancing-Group. then a “router” must have been defined for the vlan. IP overlapping between Peering-Point IP addresses (rpoc) and IP filters must not exist. The consistency checking are the following ones: 32 • If a peering-point IP address (rpoc) associated with a PeerNetwork doesn’t belong to the vlan subnet associated with this Peer-Network. IP overlapping between CCS IP addresses (rpoc) must not exist. Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 3FZ 08139 ACAA PCZZA Edition 07 July 2015 .Vlan Management vlan vid {trusted | untrusted} subnet ip_address mask The consistency of the configuration can also be checked via the CLI command “show configuration consistency”. • If a vlan “router” has been defined. IP overlapping between Peering-Point IP addresses (rpoc) must not exist. its IP address must belong to the vlan subnet • Within a Peer-Network. its IP address must belong to the vlan subnet • If a Local Point of Contact (lpoc) associated with a PeerNetwork doesn’t belong to the vlan subnet associated with this Peer-Network. • If a Local Point of Contact (lpoc) associated with a LoadBalancing-Group doesn’t belong to the vlan subnet associated with this Load-Balancing-Group. IP overlapping between Peering-Point IP addresses (rpoc) and IP filters must not exist. then a “gateway” must have been defined for the vlan. • If a vlan “gateway” has been defined. • If a MGC8 IBCF CCS IP addresses (rpoc) associated with a Load-Balancing-Group doesn’t belong to the vlan subnet associated with this Load-Balancing-Group. • Within a Peer-Network. • If a Vlan is assigned to more than one Peer-Network. then a “router” must have been defined for the vlan. IP overlapping between Peering-Point IP addresses (rpoc) must not exist. then a “gateway” must have been defined for the vlan. • If a Vlan is assigned to more than one Peer-Network.

254 -> vlan 8 subnet 2001:8::/64 gw 2001:8::172:23:8:254 router 2001:8::172:23:8:5 -> vlan 200 trusted enable subnet 192.Vlan Management vlan vid {trusted | untrusted} subnet ip_address mask Example -> vlan 4 untrusted enable name vlan4 subnet 172.0/24 no rip gw 172.0/24 no rip -> vlan 8 untrusted enable name UNTRUSTED_VLAN_8 subnet 172.254 -> vlan 5 untrusted enable name UNTRUSTED_VLAN_5 subnet 172.5 no rip gw 172.23.23.8.168.4.2.8.8.0/24 router 172.19.0/24 no rip 3FZ 08139 ACAA PCZZA Edition 07 July 2015 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 33 .23.5.20.19.4.

0/24 34 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 3FZ 08139 ACAA PCZZA Edition 07 July 2015 . It can be an IPv4 or IPv6 subnet. Example -> vlan 8 subnet 2001:b8::/64 -> vlan 200 subnet 192.168.Vlan Management vlan vid subnet ip_address/len vlan vid subnet ip_address/len Purpose The purpose of that command is to modify the “subnet” IP address for an existing vlan. subnet ip_address/len These parameters describe the IP subnet and IP mask length that are associated with the vlan.2. Command vlan vid subnet ip_address/len Arguments vid This is the identifier of the vlan to be modified.

When “no rip” is configured. The IP address of this “pseudo-router” must be in the subnet defined when creating the vlan. Command vlan vid [router ip_address [rip | no rip]] Arguments vid This is the identifier of the vlan to be modified. Optionally. the RIP protocol can be activated for this vlan. By default rip is not activated. static routes should be configured on the next hop router to be able to reach the LPOC. It can be an IPv4 or IPv6 address. rip | no rip If a “pseudo-router” has been configured on the vlan it is possible to advertise via the RIP protocol the LPOC which are accessed through this pseudo-router. in case of Ipv4.Vlan Management vlan vid [router ip_address [rip | no rip]] vlan vid [router ip_address [rip | no rip]] Purpose The purpose of that command is to add or modify the “router” IP address for an existing vlan. Example -> vlan 8 router 172. router This parameter defines the “pseudo-router” providing accessibility to a LPOC created in a different subnet.3 rip -> vlan 8 router 2001:b8::172:23:8:3 3FZ 08139 ACAA PCZZA Edition 07 July 2015 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 35 .8.23.

Command vlan vid no [ipv4 | ipv6] router Arguments vid This is the identifier of the vlan to be modified.Vlan Management vlan vid no [ipv4 | ipv6] router vlan vid no [ipv4 | ipv6] router Purpose The purpose of that command is to remove the “router” IP address for an existing vlan. no [ipv4|ipv6] router This parameter defines the “pseudo-router” providing accessibility to a LPOC created in a different subnet. Example -> vlan 8 no router -> vlan 15 no ipv4 router -> vlan 20 no ipv6 router 36 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 3FZ 08139 ACAA PCZZA Edition 07 July 2015 . You have the ability to remove only the IPv4 router or the IPv6 router.

This default gateway is required when the remote POC IP address is not in the vlan subnet. The default gateway IP address MUST belong to the vlan subnet. Example -> vlan 4 gw 172.4. gw This attribute defines a default gateway.Vlan Management vlan vid gw ip_address vlan vid gw ip_address Purpose The purpose of that command is to add or modify the “gateway” IP address for an existing vlan. Command vlan vid gw ip_address Arguments vid This is the identifier of the vlan to be modified.254 -> vlan 4 gw 2001:4::172:19:4:254 3FZ 08139 ACAA PCZZA Edition 07 July 2015 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 37 .19. It can be an IPv4 or IPv6 address.

Example -> vlan 4 no gw -> vlan 8 no ipv4 gw -> vlan 20 no ipv6 gw 38 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 3FZ 08139 ACAA PCZZA Edition 07 July 2015 . Command vlan vid no [ipv4|ipv6] gw Arguments vid This is the identifier of the vlan to be modified. no gw This attribute defines a default gateway. You have the ability to remove only the IPv4 gateway or the IPv6 gateway.Vlan Management vlan vid no [ipv4 | ipv6] gw vlan vid no [ipv4 | ipv6] gw Purpose The purpose of that command is to remove the “gateway” IP address for an existing vlan. This default gateway is required when the remote POC IP address is not in the vlan subnet.

name Description of the vlan (31 characters) Example -> vlan 4 name vlan_untrusted_4 3FZ 08139 ACAA PCZZA Edition 07 July 2015 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 39 . or to modify it. Command vlan vid name description Arguments vid This is the identifier of the vlan to be modified.Vlan Management vlan vid name description vlan vid name description Purpose The purpose of that command is to give a name to an existing vlan.

Example -> vlan 4 no name 40 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 3FZ 08139 ACAA PCZZA Edition 07 July 2015 .Vlan Management vlan vid no name vlan vid no name Purpose The purpose of that command is to delete the name of an existing vlan. Command vlan vid no name Arguments vid This is the identifier of the vlan to be modified.

You can assign different MAC addresses for IPv4 and IPv6 gateways via the CLI “vlan vid v4mac mac_address [v6mac mac_address]” This command is allowed only if a “gateway” has been previously configured via the CLI command “vlan vid gw ip_address”. the IP frames cannot be sent to the attacker who would have stolen the IP address of the gateway. Command vlan vid mac mac_address vlan vid v4mac mac_address vlan vid v6mac mac_address Arguments vid This is the identifier of the vlan to be modified. The CLI command “show vlan vid” returns the MAC address configured for the gateway but also the MAC address learned from the ARP (or ND) resolution. Example -> vlan 8 mac 00:d0:95:ff:94:74 -> vlan 9 v4mac 00:e0:b1:7c:48:4c -> vlan 10 v6mac 00:d0:95:fe:33:26 3FZ 08139 ACAA PCZZA Edition 07 July 2015 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 41 . the SFW bypass the ARP (or ND) resolution to set the MAC address in IP frames sent to the gateway. When a MAC address is specified for the vlan gateway. The command “vlan vid mac mac_address” assigns a unique MAC address for both IPv4 and IPv6 gateways of the Vlan. mac_address This is the MAC address of the gateway.Vlan Management vlan vid mac mac_address vlan vid mac mac_address Purpose The purpose of that command is to specify the MAC address of the “gateway”. This avoids a man-in-the-middle attack.

There is no command “peer-network netid no vlan”. Then the unused vlan can be deleted. to remove the association between a Load-Balancing-Group and a vlan. it is necessary to associate a new vlan to the Load-Balancing-Group. it is necessary to associate a new vlan to the Peer-Network. Example -> no vlan 4 42 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 3FZ 08139 ACAA PCZZA Edition 07 July 2015 . to remove the association between a Peer-Network and a vlan. Then the unused vlan can be deleted. There is no command “load-balancing-group group_id no vlan”.Vlan Management no vlan vid no vlan vid Purpose The purpose of that command is to delete an existing vlan. Command no vlan vid Arguments vid This is the identifier of the vlan to be deleted. The vlan cannot be deleted if it still associated with a Peer-Network or a Load-Balancing-Group.

0/24 2001:10::/64 172.25. Command show vlan [vid] Arguments vid This is the identifier of the vlan. If vid is not specified. Example -> show vlan Vlan id Name Vlan status Vlan side Vlan IP subnet IP gateway 2001:10::172:25:10:254 configured v4&v6 MAC gateway resolved v4&v6 MAC gateway 00:e0:b1:7c:48:4c RIP IP MTU Vlan id Name Vlan status Vlan side Vlan IP subnet IP MTU 3FZ 08139 ACAA PCZZA Edition 07 July 2015 : : : : : : : : : : : : 10 UNTRUSTED_VLAN_10 up untrusted 172.254 : : no V4 MAC / no V6 MAC 00:e0:b1:7c:48:4c / : : disable 1500 200 TRUSTED_VLAN_200 up trusted 192.0/24 2001:200::/64 1500 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 43 .Vlan Management show vlan show vlan Purpose The purpose of that command is to display the vlans configuration.2.25. all vlan information is displayed.10.10.168.

trusted and untrusted. The binding of the physical Gigabit ports with the trusted or untrusted interface is implicit in the SIP firewall. is made of 2 physical Gigabit ports. See the “Trunk” section later in that document to get details about the mode configuration. • What is the SFW Untrusted Interface. 3FZ 08139 ACAA PCZZA Edition 07 July 2015 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 44 . This is the “trusted lpoc” IP address. • What are the SFW Local Points of Contact. In order to reach the SIP firewall from the IMS core network. the operator must configure at least one IP address on the trusted interface. “lpoc” stands for “local point of contact”. The “trusted lpoc” IP address is the destination IP address for SIP messages coming from the local IBCF and sent to the peer networks through the SIP firewall. They can operate either in active/standby mode or in link aggregation mode. Trusted interface definition The trusted interface is facing the IBCF that sits on the IMS core network. There is no way to change that association. Introduction The SIP firewall provides one interface for the trusted side and one interface for the untrusted side.4 Local Point Of Contact (LPOC) Purpose This paragraph provides information about: • What is the SFW Trusted Interface. Each interface. • CLIs to configure the objects mentioned above. The only operation permitted is the choice of the network mode.

Local Point Of Contact (LPOC) Untrusted interface definition SIP messages.. are sent to the peering points according to the IP ports where the SIP message are received. received from the local IBCF on the SIP firewall trusted lpoc. The configuration of the “untrusted lpoc” IP addresses and IP ports is described below. However. Untrusted interface definition The untrusted interface is facing the peer networks. Local Point Of Contact definition A Local Point a Contact (LPOC) is defined by the following attributes: o A lpoc reference (1.128) o An IP address (Ipv6 or Ipv4 ) o The type of the interface to which the LPOC must be bound The SIP firewall provides the ability to declare up to 128 LPOC per interface type (trusted or untrusted). it is still possible to define more that one point of contacts on the untrusted side. The static mapping between the listening IP port on the trusted interface and peering points IP addresses is described later in that document in the “Peer Networks” section. The configuration of the SIP firewall provides the ability to configure a single point of contact for all peer networks to reach the trusted IBCF. 3FZ 08139 ACAA PCZZA Edition 07 July 2015 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 45 .

Local Point Of Contact (LPOC) Summary of the CLI for Trusted and Untrusted LPOC Summary of the CLI for Trusted and Untrusted LPOC Trusted and Untrusted LPOC lpoc untrusted poc_id [ip ip_address] [enable | disable] [name description] lpoc untrusted poc_id [ ip ip_address] [udp[ port] | tcp[ port] | sctp[ port] | tls[ port]] lpoc untrusted poc_id no ipv4 lpoc untrusted poc_id no ipv6 lpoc untrusted poc_id no {udp | tcp | sctp | tls} no lpoc untrusted poc_id lpoc trusted poc_id [ip ip_address] [enable | disable] [ name description] lpoc trusted poc_id no ipv4 lpoc trusted poc_id no ipv6 no lpoc trusted poc_id show lpoc [trusted [ poc_id ]| untrusted [poc_id]] 46 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 3FZ 08139 ACAA PCZZA Edition 07 July 2015 .

sfw-fqdn Optionally. once to specify the IPv4 address. It is possible to change the IP address of the LPOC without disabling it. 3FZ 08139 ACAA PCZZA Edition 07 July 2015 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 47 . Command lpoc untrusted poc_id [ip ip_address] [enable | disable] [name sfwfqdn] lpoc untrusted poc_id [ip ip_address] [udp[ port] | tcp[ port] | sctp[ port] | tls[ port]] Arguments poc_id The poc_id. Note that the TLS port must be different from the TCP port. This FQDN represents the public IP address of the firewall. the name of the lpoc must match this FQDN. ip_address IPv4 or IPv6 address of the LPOC.) If the peering-point sends SIP messages to the SFW with a pre-loaded Route header using a FQDN.Local Point Of Contact (LPOC) lpoc untrusted poc_id lpoc untrusted poc_id Purpose Creates an Untrusted LPOC. sctp or tls listening port of the LPOC. In that case the CLI must be run twice. port Udp. any Peer Network that reference that LPOC will be unreachable until it moves to the enable state. referencing the untrusted LPOC. once to specify the IPv6 address. enable | disable By default the LPOC is created in the enable state. is later associated with one or several “peer-networks”. it is possible to specify a name for the LPOC (63 characters max. tcp. The lpoc creation is rejected if there is already a poc_id with the same IP address. A LPOC can be dual-stack IPv4/IPv6. In the LPOC is created in the disable state.

7.5 -> lpoc untrusted 8 ip 2001:b8::10:7:8:5 -> lpoc untrusted 8 udp 5060 -> lpoc untrusted 8 tcp 5060 -> lpoc untrusted 8 tls 5061 In the above example. If the FQDN was unknown.com.8. 48 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 3FZ 08139 ACAA PCZZA Edition 07 July 2015 .ims32.5:5060 contains the following pre-loaded Route header.lr> The FQDN of the pre-loaded Route matches the lpoc name and the address :port on which the message has been received. Route: <sip:+33132133301@mgc8.ims32. all the IP frames with a destination IP matching the LPOC IP address are filtered by the SIP firewall Example -> lpoc untrusted 8 enable name mgc8. if a SIP Invite received on the SFW lpoc address:port 10.8.alcatel-lucent. the SIP message would be dropped by the firewall.Local Point Of Contact (LPOC) lpoc untrusted poc_id If the LPOC is in disable state. In that case the SIP message is accepted by the firewall.7.alcatel-lucent.com -> lpoc untrusted 8 ip 10.

no ipv6 Specifies the IP protocol version to be removed from the LPOC. Command lpoc untrusted poc_id no ipv4 Arguments poc_id The poc_id. Example -> lpoc untrusted 8 no ipv6 lpoc untrusted poc_id no ipv4 Purpose Removes the IPv4 address from an LPOC. referencing the untrusted LPOC. Command lpoc untrusted poc_id no ipv6 Arguments poc_id The poc_id. referencing the untrusted LPOC. Example -> lpoc untrusted 8 no ipv4 3FZ 08139 ACAA PCZZA Edition 07 July 2015 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 49 . no ipv6 Specifies the IP protocol version to be removed from the LPOC.Local Point Of Contact (LPOC) lpoc untrusted poc_id no ipv6 lpoc untrusted poc_id no ipv6 Purpose Removes the IPv6 address from an LPOC.

referencing the untrusted LPOC. Example -> no lpoc untrusted 8 50 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 3FZ 08139 ACAA PCZZA Edition 07 July 2015 . no {udp | tcp | sctp | tls} Specifies the transport type to be removed from the LPOC. Command lpoc untrusted poc_id no {udp | tcp | sctp | tls} Arguments poc_id The poc_id.Local Point Of Contact (LPOC) lpoc untrusted poc_id no {udp | tcp | sctp | tls} lpoc untrusted poc_id no {udp | tcp | sctp | tls} Purpose Removes a transport type from an Untrusted LPOC. referencing the untrusted LPOC. this should be done carefully because all Peer Network objects that reference that LPOC will not be operational anymore. Once remove. Example -> lpoc untrusted 8 no tcp no lpoc untrusted poc_id Purpose Deletes an Untrusted LPOC. Command no lpoc untrusted poc_id Arguments poc_id The poc_id. As a consequence. . the lpoc IP address becomes unreachable.

The lpoc creation is rejected if there is already an poc_id with the same IP address. any Peer Network that reference that LPOC will be unreachable until it moves to the enable state.168. If the LPOC is in disable state. is later associated with one or several “load-balancing-group”. Command lpoc trusted poc_id [ip ip_address] [enable | disable] [name description] Arguments poc_id The poc_id referencing the untrusted LPOC. In the LPOC is created in the disable state.205 enable name lpoc_trusted_1 Additional information: Routing of initial SIP messages received on the trusted side. A LPOC can be dual-stack IPv4/IPv6. it is possible to specify a name for the LPOC (63 characters max.2. once to specify the IPv6 address.Local Point Of Contact (LPOC) lpoc trusted poc_id lpoc trusted poc_id Purpose Creates a Trusted LPOC. description Optionally. all the IP frames with a destination IP matching the LPOC IP address are filtered by the SIP firewall Example -> lpoc trusted 1 ip 192.) enable | disable By default the LPOC is created in the enable state. It is possible to change the IP address of the LPOC without disabling it. ip_address IPv4 or IPv6 address of the LPOC. 3FZ 08139 ACAA PCZZA Edition 07 July 2015 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 51 . In that case the CLI must be run twice. once to specify the IPv4 address.

can be used for any of the transport protocol supported by the remote IBCF. an example is provided to clarify the comprehension of the static mapping between IP ports of the trusted side and Peering Points. where the SIP message is received from the local IBCF. 52 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 3FZ 08139 ACAA PCZZA Edition 07 July 2015 . an initial SIP message received on the trusted side on the port 12015 will be forwarded to the peering point 15 of the peer-network 20. This routing table performs a static mapping between the IP listening port on the lpoc trusted. In the chapter describing the command “Peer-net netid rpoc peering_point_id ip”. That table is build according to : • A port base equal to 10000 • Peer Network identifiers (netid) • Peering Point identifiers (peering_poing_id) Note that the same port. on the trusted lpoc. The command “ lpoc trusted poc_id [ip ip_address] ” command doesn’t specified any port because the listening port on the lpoc trusted is automatically built as follow: Listening IP port on lpoc trusted = 10000 + (netid * 100) + peering_point_id For example.Local Point Of Contact (LPOC) lpoc trusted poc_id The SIP firewall owns a routing table that permits to route incoming initial SIP message on the trusted side to the remote IBCF (peering points) located of the untrusted side. and the Peering Point where the SIP message is forwarded.

Example -> lpoc trusted 1 no ipv6 lpoc trusted poc_id no ipv4 Purpose Removes the IPv4 address from an LPOC. Command lpoc trusted poc_id no ipv4 Arguments poc_id The poc_id. referencing the trusted LPOC. no ipv6 Specifies the IP protocol version to be removed from the LPOC. Example -> lpoc trusted 1 no ipv4 3FZ 08139 ACAA PCZZA Edition 07 July 2015 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 53 . referencing the trusted LPOC. no ipv6 Specifies the IP protocol version to be removed from the LPOC.Local Point Of Contact (LPOC) lpoc trusted poc_id no ipv6 lpoc trusted poc_id no ipv6 Purpose Removes the IPv6 address from an LPOC. Command lpoc trusted poc_id no ipv6 Arguments poc_id The poc_id.

Once remove. . the lpoc IP address becomes unreachable. this should be done carefully because all Peer Network objects that reference that LPOC will not be operational anymore. Command no lpoc trusted poc_id Arguments poc_id The poc_id referencing the trusted LPOC. Example -> no lpoc trusted 1 54 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 3FZ 08139 ACAA PCZZA Edition 07 July 2015 .no lpoc trusted poc_id Local Point Of Contact (LPOC) no lpoc trusted poc_id Purpose Deletes a Trusted LPOC. As a consequence.

17.205 2001:200::192:168:2:205 ! up ! n/s ! n/s ! n/s ! n/s ! ! untrusted ! LPOC_UNTRUSTED_2 ! 172.18.2. Command show lpoc [trusted [ poc_id ]| untrusted [poc_id]] Arguments poc_id The poc_id. is later associated with one or several “load-balancing-group”.2.168. trusted | untrusted If trusted or untrusted is not specified.5 2001:2::172:17:2:5 ! up ! 5060 ! n/s ! n/s ! n/s ! ! untrusted ! LPOC_UNTRUSTED_3 ! 172.3. Remark : Listening port on trusted ports are provided by the command “ show peer-net netid rpoc [peering_point_id] ” Example -> show lpoc +--------+-----------+------------------------+-----------------------------------------+--------+------+------+------+-----+ ! Poc id ! Side ! Name ! IP Address ! Status ! Udp ! Tcp ! Sctp ! Tls ! +--------+-----------+------------------------+-----------------------------------------+--------+------+------+------+-----+ ! 1 ! trusted ! 2 ! 3 ! LPOC_TRUSTED_1 ! 192.5 2001:3::172:18:3:5 ! up ! 5060 ! n/s ! n/s ! n/s ! +--------+-----------+------------------------+-----------------------------------------+--------+------+------+------+-----+ 3FZ 08139 ACAA PCZZA Edition 07 July 2015 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 55 . referencing the trusted or untrusted LPOC.Local Point Of Contact (LPOC) show lpoc show lpoc Purpose Displays the list of LPOC. information is displayed for all lpoc.

Example -> ip defrag order -> ip defrag disorder 56 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 3FZ 08139 ACAA PCZZA Edition 07 July 2015 . There are two values: order or disorder. in switch level. how to process the fragmented UDP packets received from both untrusted and trusted sides.Local Point Of Contact (LPOC) ip defrag ip defrag Purpose The purpose of this command is to configure the LPOCs. disorder SFW reassembles the fragmented UDP packets with random order. Commands ip defrag {order|disorder} Arguments order SFW only reassembles the fragmented UDP packets with sequential order. By default the SFW has order value.

Command show ip defrag Example -> show ip defrag +--------------------+ ! IP defragmentation ! +--------------------+ ! disorder ! +--------------------+ 1 elements 3FZ 08139 ACAA PCZZA Edition 07 July 2015 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 57 .Local Point Of Contact (LPOC) show ip defrag show ip defrag Purpose This command returns the SFW value that indicates how to process fragmented UPD packets received from both untrusted and trusted sides.

A Peer Network object contains the following attributes • a set of IP filter: The purpose of that IP filter is to defined the set of hosts of the Peer Network that are authorized or not authorized to communicate with the IBCF protected by the SIP firewall • a set of remote POC A remote POC references a peering point IP address and IP port. The SIP firewall handles up to 2047 Peer Networks. • CLIs to configure the Peer Network object. That local POC can be either shared between all Peer Networks or reserved for a single Peer Network. Introduction This object is used to describe a Peer Network that is in relation with the IBCF protected by the SIP firewall. A peering point may be defined behind a NAT.5 Peer Networks Purpose This paragraph provides information about: • What is the Peer Network object. By default one local POC is sufficient. • a SIP security profile • a Load Balancing Group •a TLS profile 3FZ 08139 ACAA PCZZA Edition 07 July 2015 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 58 . • a set of local POC The local POC defines the IP address for which the SIP firewall provides SIP service for the external Peer Networks.

Peer Networks Summary of the CLI for Peer Network management Summary of the CLI for Peer Network management Peer Network peer-net netid [enable | disable] [name description] peer-net netid filter filter_id ip address/mask_length [accept | deny] peer-net netid filter filter_id rpoc peering_point_id peer-net netid no filter filter_id peer-net netid rpoc peering_point_id ip ip_address [udp[ port] | tcp[ port] | sctp[ port] | tls[ port]] peer-net netid rpoc peering_point_id {udp[ port] | tcp[ port] | sctp[ port] | tls[ port]} peer-net netid rpoc peering_point_id no {udp | tcp | sctp | tls} peer-net netid rpoc peering_point_id name peer-net netid rpoc peering_point_id no name peer-net netid rpoc peering_point_id nat ip_address /mask_length peer-net netid rpoc peering_point_id port-forwarding port peer-net netid rpoc peering_point_id no port-forwarding peer-net netid rpoc peering_point_id nat ip_address /mask_length port-forwarding port peer-net netid no rpoc peering_point_id peer-net netid lpoc untrusted_lpoc_id peer-net netid no lpoc untrusted_lpoc_id peer-net netid security-profile security_profile_id peer-net netid load-balancing-group group_id peer-net netid vlan vid peer-net netid max call duration call_duration peer-net netid polling ping {enable | disable} peer-net netid polling period interval peer-net netid dscp default peer-net netid dscp dscp_value dscp default default_dscp show dscp default peer-net netid tls-profile tlsprofileid peer-net netid no tls-profile no peer-net netid show peer-net [netid] show peer-net netid lpoc show peer-net [netid] filter show peer-net [netid] rpoc show peer-net [netid] connectivity show peer-net [netid] statistics [trusted | untrusted] 3FZ 08139 ACAA PCZZA Edition 07 July 2015 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 59 .

Command peer-net netid [enable | disable] [name description] Arguments netid This is the identifier of the Peer Network. description Description of the Peer Network (31 characters) enable | disable By default the Peer Network is created in the disable state.peer-net netid Peer Networks peer-net netid Purpose The purpose of that command is the creation of a Peer Network. Up to 2047 Peer Network can be configured. Example -> peer-net 2 enable name PNET_2 60 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 3FZ 08139 ACAA PCZZA Edition 07 July 2015 .

For example. if the RPOC is the entry point of a peer-network acting only as a load balancer between several IBCF.20. an RPOC is not necessarily adding its Record-Route in the initial SIP messages and thus subsequent messages won’t go though it. Address/mask IP address and mask defining the subnet to be filtered out or accepted. Each Peer Network can support up to 32 IP filters.This may occur. Example -> peer-net 5 filter 1 ip 172. The IP address may an IPv4 or IPv6 address.5.Peer Networks peer-net netid filter filter_id ip address/mask peer-net netid filter filter_id ip address/mask Purpose By default the SIP firewall drops all IP packets coming from an unknown source. The deny action has always priority over the accept action.0/24 accept -> peer-net 5 filter 2 ip 2001:5::172:20:5:36/128 accept 3FZ 08139 ACAA PCZZA Edition 07 July 2015 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 61 . Once created the filter must be associated with an RPOC to become effective. Only Peering Points (RPOC) defined in Peer networks are known sources. Command peer-net netid filter filter_id ip address/mask [accept | deny] Arguments netid This is the identifier of the Peer network. So there is a need to accept SIP packets coming from behind an RPOC and that’s the purpose of the “peer-net filter” defined hereafter. for example. filter_id This is the identifier of the Filter. However there are few scenarios where a SIP message may come from a valid source without being known as a peering Point. accept | deny Action to be applied on the IP subnet defined by the previous attributes.

the filter must be associated with an RPOC to become effective. peering_point_id This is the identifier of the peering point (rpoc) within the peer-network. filter_id This is the identifier of the Filter. The RPOC has been previously created with the following command: peer-net netid rpoc peering_point_id ip ip_address [udp[ port] | tcp[ port] | sctp[ port] | tls[ port]] 62 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 3FZ 08139 ACAA PCZZA Edition 07 July 2015 .Peer Networks peer-net netid filter filter_id rpoc peer-net netid filter filter_id rpoc Purpose Once created. Each Peer Network can support up to 128 IP filters. with the command “peer-net netid filter filter_id ip address/mask”. the association between the filter and the rpoc allows subsequent SIP requests matching the filter to be accepted by the SIP firewall even if the source IP addresses of these subsequent requests are not defined as peering-points. As described above. Command peer-net netid filter filter_id rpoc peering_point_id Arguments netid This is the identifier of the Peer network.

filter_id This is the identifier of the IP Filter to be removed from the Peer-Network. Example -> peer-net 5 no filter 1 3FZ 08139 ACAA PCZZA Edition 07 July 2015 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 63 .Peer Networks peer-net netid no filter peer-net netid no filter Purpose The purpose of that command is to remove the association between a Peer-Network and an IP filer previously defined. Command peer-net netid no filter filter_id Arguments netid This is the identifier of the Peer network.

peering_point_id The number of peering points per Peer Network differs according to the Peer Network identifier: o when the netid is in the range [1. once to specify the IPv6 address. A peering point can be dual-stack IPv4/IPv6. Command peer-net netid rpoc peering_point_id ip ip_address [udp[ port] | tcp[ port] | sctp[ port] | tls[ port]] peer-net netid rpoc peering_point_id {udp[ port] | tcp[ port] | sctp[ port] | tls[ port]} Arguments netid This is the identifier of the Peer network. In that case the CLI must be run twice... o When the netid is in the range [501. once to specify the IPv4 address. port 64 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 3FZ 08139 ACAA PCZZA Edition 07 July 2015 .Peer Networks peer-net netid rpoc peering_point_id ip peer-net netid rpoc peering_point_id ip Purpose The purpose of that command is to define the IP address of a host that is in the scope of the remote Peer Network. The same peering_point_id value can be used for different Peer Network. ip_address Defines the IPv4 or IPv6 address of the peering point.500] up to 63 peering points may be defined by Peer Network. The uniqueness of the peering point is guarantee by the combination of the local peering_point_id and the reference of the Peer Network (netid).2047] only 2 peering points can be defined by Peer Network.

0. -> peer-net 1 rpoc 1 ip 2001:40::150:0:40:1 Configures the IPv6 address of the peering point. affects the port value for all transport modes. Example -> peer-net 1 rpoc 1 ip 150. This means that all listening port values are equal for a peering point. the port 5060 and UDP transport are configured by default. whatever the transport mode. 3FZ 08139 ACAA PCZZA Edition 07 July 2015 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 65 .1 Configures the IPv4 address of the peering point and implicitly the udp port 5060.2 udp 5061 Configures IP address and UDP listening port of a peering-point in a single command. As a consequence other transport mode already configured are also implicitly configured with the same port value. It will be set to 5060 if there is no other transport mode configured or it will be set automatically to the same value than the one set for other transport mode already configured.40. A modification of the port value.0. -> peer-net 1 rpoc 2 ip 150.40. -> peer-net 1 rpoc 1 udp 50001 Modifies the udp port value. If this option is not specified.Peer Networks peer-net netid rpoc peering_point_id ip Optionally the listening port and transport mode of the peering point can be specified. It is still possible to modify the listening ports with the following command: peer-net netid rpoc peering_point_id tls[ port]} {udp[ port] | tcp[ port] | sctp[ port] | If the transport mode is specified but the port value is omitted then the port will be assigned automatically. -> peer-net 1 rpoc 1 tcp Configures the tcp port with the port value equal to the udp port value.

.500] : Listening IP port on lpoc trusted = 10000 + (netid * 100) + peering_point_id When the netid is in the range [501.2047] : Listening IP port on lpoc trusted = ((netid -501) * 3) + 10 + peering_point_id The following network diagram shows an example with 2 Peer Networks where each of them owns two Peering Points (POC).. 66 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 3FZ 08139 ACAA PCZZA Edition 07 July 2015 .Peer Networks peer-net netid rpoc peering_point_id ip Additional information: The peering_point_id and the netid are computed as follow to get the listening port on the lpoc trusted : When the netid is in the range [1.

2 2001:42::20:2 The associated CLI are: -> peer-net 1 rpoc 1 ip 10.1 udp 5060 -> peer-net 1 rpoc 1 ip 2001:31::10:1 -> peer-net 1 rpoc 1 tcp -> peer-net 1 rpoc 2 ip 10.1 5060 5060 0 0 5060 5060 0 0 8080 8080 0 0 8080 8080 0 0 point_id 1 1 2001:31::10:1 10102 1 2 10.0.10.0.10.1 2001:42::20:1 10202 2 2 20.10.10.10.0.10.Peer Networks peer-net netid rpoc peering_point_id ip The following table is an example of the routing table used by the SIP firewall when it has to route an initial SIP Request initiated by the trusted IBCF to find out the remote POC.2 udp 5060 -> peer-net 1 rpoc 2 ip 2001:31::10:2 -> peer-net 1 rpoc 2 tcp -> peer-net 2 rpoc 1 ip 20.0.0.0.0.10.2 udp 8080 -> peer-net 2 rpoc 2 ip 2001:42::20:2 ->peer-net 2 rpoc 2 tcp 3FZ 08139 ACAA PCZZA Edition 07 July 2015 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 67 . Trusted Untrusted Peer Network and Peering Point (rpoc) provisioning Listening port on netid lpoc trusted 10101 peering_ ip_address udp tcp tls sctp 10.10.0.2 2001:31::10:2 10201 2 1 20.1 udp 8080 -> peer-net 2 rpoc 1 tcp -> peer-net 2 rpoc 1 ip 2001:42::20:1 -> peer-net 2 rpoc 2 ip 20.

peering_point_id This is the identifier of the peering point within the Peer-Network. Command peer-net netid rpoc peering_point_id no ipv6 Example -> peer-net 20 rpoc 15 no ipv6 68 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 3FZ 08139 ACAA PCZZA Edition 07 July 2015 . Command peer-net netid rpoc peering_point_id no ipv4 Arguments netid This is the identifier of the Peer network. Example -> peer-net 20 rpoc 15 no ipv4 peer-net netid rpoc peering_point_id no ipv6 Purpose The purpose of that command is to delete the IPv6 address of a peering point within a Peer-Network.Peer Networks peer-net netid rpoc peering_point_id no ipv4 peer-net netid rpoc peering_point_id no ipv4 Purpose The purpose of that command is to delete the IPv4 address of a peering point within a Peer-Network.

Peer Networks peer-net netid rpoc peering_point_id no {udp | tcp | sctp | tls} peer-net netid rpoc peering_point_id no {udp | tcp | sctp | tls} Purpose The purpose of that command is to disable a transport mode from a peering point.0.2 tcp 5060 Configures the tcp port value to 5060 and also implicitly the udp port value to 5060. peering_point_id This is the identifier of the Peering Point within the Peer Network. -> peer-net 1 rpoc 2 no udp Disables the udp transport mode for the peering point 2 of the Peer Network 1 3FZ 08139 ACAA PCZZA Edition 07 July 2015 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 69 . Example -> peer-net 1 rpoc 2 ip 150. Command peer-net netid rpoc peering_point_id no {udp| tcp|sctp | tls} Arguments netid This is the identifier of the Peer network.40.

Example -> peer-net 3 rpoc 1 name 39. This allows. Command peer-net netid rpoc peering_point_id name fqdn Arguments netid This is the identifier of the Peer network.atlanta. Request URI or Routes headers of outgoing SIP messages. fqdn This is the fully qualified domain name of the peering point. in association with the IP address of the peering-point.Peer Networks peer-net netid rpoc peering_point_id name fqdn peer-net netid rpoc peering_point_id name fqdn Purpose The purpose of that command is to specify a FQDN for a peering point. peering_point_id This is the identifier of the Peering Point within the Peer Network.example. to resolve FQDN that may appear in Via. However in case of Far-end NAT Traversal the dns-internal was not appropriate to solve the FQDN resolution of outgoing SIP message.com 70 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 3FZ 08139 ACAA PCZZA Edition 07 July 2015 . This attributes seems to have the same purpose that the previously configured dnsinternal. thus the introduction of this new attribute.

peering_point_id This is the identifier of the Peering Point within the Peer Network. Example -> peer-net 3 rpoc 1 no name 3FZ 08139 ACAA PCZZA Edition 07 July 2015 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 71 .Peer Networks peer-net netid rpoc peering_point_id no name peer-net netid rpoc peering_point_id no name Purpose The purpose of that command is to remove the FQDN associated with a peering-point. Command peer-net netid rpoc peering_point_id no name Arguments netid This is the identifier of the Peer network.

Actually. Depending on the configuration of the NAT/PAT box a “port-forwarding” may be defined. Optionally. the FQDN of the peering-point can be configured with the command “peer-net netid rpoc peering_point_id name fqdn”. behind the NAT. However for an initial outgoing SIP request the PAT is not yet learned that’s why the port-forwarding configuration is usefull. behind the NAT. Command peer-net netid rpoc peering_point_id nat ip_address/mask_length 72 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 3FZ 08139 ACAA PCZZA Edition 07 July 2015 . The “port-forwarding” configuration is required to be able to send SFW outgoing IP frames toward a natted peering-points when no IP frames has been received yet from the peering-point. the private IP address inserted by the peeringpoint in the SIP Via header is compared with the IP address configured by the command “peer-net netid rpoc peering_point_id ip ip_address”. The public IP address of the peering-point must be defined with the CLI command “peer-net netid rpoc peering_point_id nat ip_address/mask_length” 2. The private IP address of the peering-point. 5. when an incoming SIP frames is received from a natted peering-point. 6. must be defined with the command “peer-net netid rpoc peering_point_id ip ip_address” 3.Peer Networks peer-net netid rpoc peering_point_id nat peer-net netid rpoc peering_point_id nat Purpose When a peering-point is located behind a box providing NAT (Network Address Translation) and PAT (Port Address Translation) the following points needs to be taken into account for the configuration of the peering-point: 1. Remark : The SIP firewall is able to detect that the peering-point is behind a NAT (far-end NAT traversal). The ports and protocol supported by the peering-point. must be defined by the command “peer-net netid rpoc peering_point_id {udp|tcp|tls} port”. This means that the ALG (Application Layer Gateway) that may exist in the NAT box needs to de-activated if the SIP firewall NAT detection capability is configured. When a SIP message is received from a NAT IP address. 4. the SIP firewall is able to learn the PAT and will send back SIP frames to the peering-point with the configured NAT address and the learned IP port.

18.Peer Networks peer-net netid rpoc peering_point_id nat Arguments netid This is the identifier of the Peer network.atlanta.10 -> peer-net 3 rpoc 3 tcp 50003 -> peer-net 3 rpoc 3 udp 5000 -> peer-net 3 rpoc 3 name 310.2.com 3FZ 08139 ACAA PCZZA Edition 07 July 2015 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 73 . ip_address/mask_length This is the public IP address of the peering_point.3. Note that if a subnet is defined the port-forwarding configuration won’t be accepted. A subnet can be specified if the NAT box distributes IP addresses from a subnet IP pool.example. The mask length must be consistent with the type of IP address.3.5/32 -> peer-net 3 rpoc 3 port-forwarding 3333 -> peer-net 3 rpoc 3 ip 172. The IP address defined here can an IPv4 or IPv6 address. Example -> peer-net 3 rpoc 3 nat 1. As a consequence with a NAT configured as a subnet it is not possible to send an outgoing IP packet from the SIP firewall to the NAT box until an incoming IP packet has been received from the NAT box to learn the PAT. peering_point_id This is the identifier of the Peering Point within the Peer Network.

18.atlanta.Peer Networks peer-net netid rpoc peering_point_id port-forwarding peer-net netid rpoc peering_point_id portforwarding Purpose The purpose of that command is to specify the port mapping expected by the NAT box.3. See also the description of the command “peer-net netid rpoc peering_point_id nat ip_address/mask_length” for complementary information. peering_point_id This is the identifier of the Peering Point within the Peer Network.example.10 -> peer-net 3 rpoc 3 tcp 50003 -> peer-net 3 rpoc 3 udp 5000 -> peer-net 3 rpoc 3 name 310. Note that if the NAT IP address is defined as a subnet with the command “peer-net netid rpoc peering_point_id nat ip_address/mask_length” then the port-forwarding cannot be configured. port This is the “port forwarding” defined on the NAT box of the peering-point. which allows IP packets send to the public IP address and port-forwading port of the natted peering-point to be forwarded to the private IP address and listening port of the peering-point behind the NAT/PAT.3.com 74 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 3FZ 08139 ACAA PCZZA Edition 07 July 2015 . Example -> peer-net 3 rpoc 3 nat 1. Command peer-net netid rpoc peering_point_id port-forwarding port Arguments netid This is the identifier of the Peer network. also called port-forwarding.5/32 -> peer-net 3 rpoc 3 port-forwarding 3333 -> peer-net 3 rpoc 3 ip 172.2.

Command peer-net netid rpoc peering_point_id no port-forwarding Arguments netid This is the identifier of the Peer network.Peer Networks peer-net netid rpoc peering_point_id no port-forwarding peer-net netid rpoc peering_point_id no portforwarding Purpose The purpose of that command is to delete the port-forwarding configuration previously defined for the natted peering-point. Example -> peer-net 3 rpoc 3 no port-forwarding 3FZ 08139 ACAA PCZZA Edition 07 July 2015 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 75 . peering_point_id This is the identifier of the Peering Point within the Peer Network.

Command peer-net netid no rpoc peering_point_id Arguments netid This is the identifier of the Peer network.Peer Networks peer-net netid no rpoc peering_point_id peer-net netid no rpoc peering_point_id Purpose The purpose of that command is to delete a peering point. 76 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 3FZ 08139 ACAA PCZZA Edition 07 July 2015 . Example -> peer-net 1 no rpoc 2 Deletes the Peering Point 2 of the Peer Network 1. peering_point_id This is the identifier of the Peering Point within the Peer Network.

untrusted_lpoc_id This is the identifier of the Untrusted LPOC that has been previously created via the command “ lpoc untrusted poc_id ”. Command peer-net netid lpoc untrusted_lpoc_id Arguments netid This is the identifier of the Peer network. 3FZ 08139 ACAA PCZZA Edition 07 July 2015 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 77 . Example -> peer-net 1 lpoc 1 Associates the Untrusted LPOC 1 with the Peer Network 1.Peer Networks peer-net netid lpoc untrusted_lpoc_id peer-net netid lpoc untrusted_lpoc_id Purpose The purpose of that command is to associate an Untrusted Local Point of Contact (lpoc) with a Peer Network.

untrusted_lpoc_id This is the identifier of the Untrusted LPOC that has been previously associated with the Peer Network. Example -> peer-net 1 no lpoc 1 Removes the association between the Untrusted LPOC 1 and the Peer Network 1.Peer Networks peer-net netid no lpoc untrusted_lpoc_id peer-net netid no lpoc untrusted_lpoc_id Purpose The purpose of that command is to remove the association between an Untrusted Local Point of Contact (lpoc) and a Peer Network. 78 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 3FZ 08139 ACAA PCZZA Edition 07 July 2015 . Command peer-net netid no lpoc untrusted_lpoc_id Arguments netid This is the identifier of the Peer network.

Peer Networks peer-net netid security-profile security_profile_id peer-net netid security-profile security_profile_id Purpose The purpose of that command is to associate a Peer Network with a Security Profile. security_profile_id This is the identifier of the Security Profile that has been previously created with the command “security-profile security_profile_id”. Command peer-net netid security-profile security_profile_id Arguments netid This is the identifier of the Peer network. 3FZ 08139 ACAA PCZZA Edition 07 July 2015 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 79 . Example -> peer-net 1 security-profile 20 Create an association between the Peer Network 1 and the Security Profile 20.

Peer Networks peer-net netid load-balancing-group group_id peer-net netid load-balancing-group group_id Purpose The purpose of that command is to associate a Load-Balancing-Group with a Peer Network. Command peer-net netid load-balancing-group group_id Arguments netid This is the identifier of the Peer network. group_id This is the identifier of the Load-Balancing-Group that has been previously created with the command “load-balancing-group group_id”. 80 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 3FZ 08139 ACAA PCZZA Edition 07 July 2015 . Example -> peer-net 1 load-balancing-group 2 Create an association between the Peer Network 1 and the Load-BalancingGroup 2.

3FZ 08139 ACAA PCZZA Edition 07 July 2015 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 81 .Peer Networks peer-net netid vlan vid peer-net netid vlan vid Purpose The purpose of that command is to associate a Vlan with a Peer Network. Command peer-net netid vlan vid Arguments netid This is the identifier of the Peer network. Example -> peer-net 1 vlan 11 Create an association between the Peer Network 1 and the Vlan 11. vid This is the identifier of the Vlan that has been previously created with the command “vlan vid”.

Command peer-net netid no vlan Arguments netid This is the identifier of the Peer Network. Example -> peer-net 12 no vlan 82 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 3FZ 08139 ACAA PCZZA Edition 07 July 2015 .Peer Networks peer-net netid no vlan peer-net netid no vlan Purpose The purpose of that command is to remove the association between a Vlan and a Peer Network.

call_duration The maximum call duration is set in hours. Command peer-net netid max call duration call_duration Arguments netid This is the identifier of the Peer network. The call duration is measured from the time where the dialog has been opened. Example -> peer-net 20 max call duration 24 3FZ 08139 ACAA PCZZA Edition 07 July 2015 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 83 .Peer Networks peer-net netid max call duration call_duration peer-net netid max call duration call_duration Purpose The purpose of that command is to set or modify the maximum call duration in hours. The default value is 168 hours. Beyond that delay any SIP request/dialog cannot be trusted as belonging to an existing SIP dialog.

Peer Networks peer-net netid polling ping {enable | disable} peer-net netid polling ping {enable | disable} Purpose The purpose of that command is to enable or disable the Ping polling mechanism between the LPOCs and RPOCs of a Peer-Network. Example -> peer-net 20 polling ping enable -> peer-net 11 polling ping disable 84 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 3FZ 08139 ACAA PCZZA Edition 07 July 2015 . By default a Ping request is issued each 4 seconds. By default the Ping polling is enabled. The Ping polling period can be modified via the CLI command “peer-net netid polling ping interval”. Command peer-net netid polling ping {enable | disable} Arguments netid This is the identifier of the Peer network. This Ping polling mechanism allows checking the IP connectivity with the peering points on the untrusted side of the firewall. The status of the peer-point connectivity can be retrieved via the CLI command “show peer-net connectivity”. ICMP requests are sent for both IPv4 and IPv6 protocols according to the RPOC/LPOC configuration.

Example -> peer-net 20 polling ping period 60 3FZ 08139 ACAA PCZZA Edition 07 July 2015 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 85 .Peer Networks peer-net netid polling ping period interval peer-net netid polling ping period interval Purpose The purpose of that command is to modify the period of the Ping polling occurring between the LPOCs and RPOCs of a Peer-Network. By default a Ping request is issued each 4 seconds. ICMP requests are sent for both IPv4 and IPv6 protocols according to the RPOC/LPOC configuration. The default value is 4. Command peer-net netid polling ping period interval Arguments netid This is the identifier of the Peer network. interval The Ping polling period interval is set in seconds. This Ping polling mechanism allows checking the IP connectivity with the peering points on the untrusted side of the firewall. The status of the peer-point connectivity can be retrieved via the CLI command “show peer-net connectivity”.

Command peer-net netid dscp dscp_value Arguments netid This is the identifier of the Peer network. The value specified here is encoded in the DSCP field of the IP headers for outgoing SIP messages sent by the firewall on the Untrusted side. Example -> peer-net 2 dscp 14 -> peer-net 3 dscp 38 86 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 3FZ 08139 ACAA PCZZA Edition 07 July 2015 . dscp_value The dscp_value ranges from 0 to 63. on a per peer-network basis. the DSCP value (Differentiated Services Code Point or DiffServ) that is encoded in the DSCP field of the IP headers for outgoing SIP messages sent by the firewall on the Untrusted side.Peer Networks peer-net netid dscp dscp_value peer-net netid dscp dscp_value Purpose The purpose of that command is to configure.

Peer Networks peer-net netid dscp default peer-net netid dscp default Purpose The purpose of that command is to specify that the SFW default DSCP value is used to encode the DSCP field (Differentiated Services Code Point or DiffServ) of the IP headers for outgoing SIP messages sent on the Untrusted side. Command peer-net netid dscp default Arguments netid This is the identifier of the Peer network. The default DSCP value can be configured via the CLI command “dscp default default_dscp”. This value applies for all peer-networks unless a specific DSCP value has been configured for a given peer-network via the command “peer-net netid dscp dscp_value”. Example -> peer-net 2 dscp default 3FZ 08139 ACAA PCZZA Edition 07 July 2015 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 87 . default The default DSCP value can be changed with the CLI command “dscp default default_dscp”.

Command dscp default default_dscp Arguments Default_dscp The default_dscp ranges from 0 to 63. Example -> dscp default 14 88 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 3FZ 08139 ACAA PCZZA Edition 07 July 2015 . The value specified here is encoded in the DSCP field of the IP headers for outgoing SIP messages sent by the firewall on the Untrusted side for the peernetwork with no specific DSCP value configured. The default_dscp value for the SFW can be retrieved via the command “show dscp default”.Peer Networks dscp default default_dscp dscp default default_dscp Purpose This command allows the operator to configure the SFW Default DSCP value that is encoded in the DSCP field (Differentiated Services Code Point or DiffServ) of the IP headers for outgoing SIP messages sent on the Untrusted side. The default value for default_dscp is zero. This command has an impact for all peer-networks unless a specific DSCP value has been configured for a given peer-network via the command “peer-net netid dscp dscp_value”.

Peer Networks show dscp default show dscp default Purpose This command returns the SFW default DSCP value. The SFW default DSCP value has an impact for all peer-networks unless a specific DSCP value has been configured for a given peer-network via the command “peer-net netid dscp dscp_value”. The SFW Default DSCP value is encoded in the DSCP field (Differentiated Services Code Point or DiffServ) of the IP headers for outgoing SIP messages sent on the Untrusted side. Command show dscp default Example -> show dscp default DSCP default value 3FZ 08139 ACAA PCZZA Edition 07 July 2015 : 0 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 89 .

Command peer-net netid tls-profile tlsprofileid Arguments netid This is the identifier of the Peer network. This particular TLS configuration will be applied to all rpoc of the related peer network entity. Refer to the description of the CLI command “tls-profile tlsprofileid [local-cert certid] [no-ca-check|ca-check] [renegotiation-period period_in_hours] [name description]“ to see the how a TLS profile is created and modified. A TLS profile may be also configured per peer network entity: This permits to have particular TLS configuration (the one of the TLS profile) per VPN. Example -> peer-net 4 tls-profile 2 90 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 3FZ 08139 ACAA PCZZA Edition 07 July 2015 . In the SIP firewall a peer network entity may be associated to a particular VPN through its VLAN id. tlsprofileid This is the identifier of the TLS profile.Peer Networks peer-net netid tls-profile tlsprofileid peer-net netid tls-profile tlsprofileid Purpose This command allows the operator to associate a TLS profile with a Peer Network.

Command peer-net netid no tls-profile Arguments netid This is the identifier of the Peer network.Peer Networks peer-net netid no tls-profile peer-net netid no tls-profile Purpose This command allows the operator to remove the association between a TLS profile and a Peer Network. Example -> peer-net 4 no tls-profile 3FZ 08139 ACAA PCZZA Edition 07 July 2015 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 91 .

Peer Networks no peer-net netid no peer-net netid Purpose The purpose of that command is to delete a Peer Network. Example -> no peer-net 20 Deletes the Peer Network 20. Command no peer-net netid Arguments netid This is the identifier of the Peer network. 92 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 3FZ 08139 ACAA PCZZA Edition 07 July 2015 .

Max call duration Specifies the maximum call duration in hours. If the netid is specified. Command show peer-net [netid ] Arguments netid This is the identifier of the Peer network.. information is displayed for all Peer Networks. The “max call duration” can be changed with the CLI “peer-net netid max call duration call-duration” 3FZ 08139 ACAA PCZZA Edition 07 July 2015 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 93 . If the netid is not specified. Sec Prof Identifies the Security Profile associated with the Peer Network. Beyond that delay any SIP request/dialog cannot be trusted as belonging to an existing SIP dialog. Vlan Identifies the Vlan associated with the Peer Network. LBG Identifies the Load Balancing Group associated with the Peer Network.Peer Networks show peer-net show peer-net Purpose The purpose of that command is to display the configuration of the Peer Networks. complementary outputs are provided: • IP Filter associated with the Peer Network • Untrusted LPOC associated with the Peer Network • rpoc associated with the Peer Network Output Definition Lpoc Identifies the list of “untrusted lpoc” associated with the Peer Network.

Peer Networks

show peer-net

The call duration is measured from the time where the dialog has been
opened.
DSCP
Specifies the DSCP value configured for the Peer-Network.
Example
-> show peer-net
+-------+----------------+---------+------+-------+-----+------+----------+---------+-------+
! Netid ! Name
! Status ! Lpoc ! Sec. ! LBG ! Vlan ! Max call ! DSCP
! TLS
!
!
!
!
!
! prof. !
!
! duration !
! prof. !
+-------+----------------+---------+------+-------+-----+------+----------+---------+-------+
! 2
! Peer2-london
! created ! 2
! 2
! 1
! 2
! 3600
! default ! none !
! 3
! Peer3-Newyork ! created ! 3
! 2
! 1
! 3
! 3600
! default ! none !
! 4
! Peer4-Mexico
! created ! 4
! 2
! 1
! 4
! 3600
! default ! none !
! 5
! Peer5-Tokyo
! created ! 5
! 2
! 4
! 5
! 3600
! default ! none !
+-------+----------------+---------+------+-------+-----+------+----------+---------+-------+

show peer-net 3
+-------+---------------+---------+------+-------+-----+------+----------+---------+-------+
! Netid ! Name
! Status ! Lpoc ! Sec. ! LBG ! Vlan ! Max call ! DSCP
! TLS
!
!
!
!
!
! prof. !
!
! duration !
! prof. !
+-------+---------------+---------+------+-------+-----+------+----------+---------+-------+
! 3
! Peer3-Newyork ! created ! 3
! 2
! 1
! 3
! 3600
! default ! 2
!
+-------+---------------+---------+------+-------+-----+------+----------+---------+-------+
1 elements
+-----+------+------------------+--------------+-------+-------+-------+---------+-----------------------+
! Net ! rpoc ! NAT
! IP Addresses ! Udp
! Tcp
! Tls
! Listen. ! Name
!
! id ! id
!
!
!
!
!
! trusted !
!
!
!
!
!
!
!
!
! port
!
!
+-----+------+------------------+--------------+-------+-------+-------+---------+-----------------------+
! 3
! 1
! 1.2.3.4/32:50001 ! 172.18.3.9
! n/s
! n/s
! 50001 ! 10301
! 39.atlanta.example.co !
!
!
!
!
!
!
!
!
! m
!
! 3
! 2
! 10.203.1.2/32
! 192.168.1.6 ! 50002 ! 50002 ! n/s
! 10302
!
!
! 3
! 3
! 1.2.3.5/32:50003 ! 172.18.3.10 ! 50003 ! 50003 ! n/s
! 10303
! 310.atlanta.example.c !
!
!
!
!
!
!
!
!
! om
!
+-----+------+------------------+--------------+-------+-------+-------+---------+-----------------------+
3 elements
+------+-----------+-------------------------------+------------+--------+------+------+------+------+
! Lpoc ! Side
! Name
! IP Address ! Status ! Udp ! Tcp ! Sctp ! Tls !
! id
!
!
!
!
!
!
!
!
!
+------+-----------+-------------------------------+------------+--------+------+------+------+------+
! 3
! untrusted ! mgc8.ims32.alcatel-lucent.com ! 160.0.3.5 ! up
! 5060 ! 5060 ! n/s ! 5061 !
+------+-----------+-------------------------------+------------+--------+------+------+------+------+
1 elements

Vlan id
Name
Vlan status
Vlan side
Vlan IP subnet
SFW router
IP gateway
configured v4&v6 MAC gateway
resolved v4&v6 MAC gateway
RIP
IP MTU

94

:
:
:
:
:
:
:
:
:
:
:

3
UNTRUSTED_VLAN_3
up
untrusted
172.16.3.0/24
172.16.3.5
172.16.3.254
no V4 MAC
/ no V6 MAC
00:d0:95:ff:94:74 / no IP V6 gateway
disable
1500

Alcatel-Lucent — Proprietary
Use pursuant to applicable agreements

3FZ 08139 ACAA PCZZA
Edition 07
July 2015

Peer Networks

show peer-net netid lpoc

show peer-net netid lpoc
Purpose
The purpose of that command is to display the association between a Peer Network
and its LPOC on the untrusted interface of the firewall.

Command
show peer-net netid lpoc
Arguments
netid
This is the identifier of the Peer network.
Output Definition
Untrusted lpoc
Identifies the Untrusted LPOC associated with the Peer Network.
Example
-> show peer-net 4 lpoc

+-------+----------+----------------+
! Netid ! Name

! Untrusted lpoc !

+-------+----------+----------------+
! 4

! peerNet4 ! 4

!

! 4

! peerNet4 ! 5

!

+-------+----------+----------------+

3FZ 08139 ACAA PCZZA
Edition 07
July 2015

Alcatel-Lucent — Proprietary
Use pursuant to applicable agreements

95

Peer Networks

show peer-net [netid] filter

show peer-net [netid] filter
Purpose
The purpose of that command is to display the IP filters associated with the Peer
Networks.
See the command “peer-net [netid] filter” to get complementary information about
the IP filters.

Command
show peer-net [netid] filter
Arguments
netid
This is the identifier of the Peer network.
Example
-> show peer-net 5 filter
+-------+-----------+--------------------------+--------+
! Netid ! Filter Id ! IP Address

! Action !

+-------+-----------+--------------------------+--------+
! 5

! 1

! 2001:5::172:20:5:36/128

! accept !

! 5

! 2

! 172.20.5.35/32

! accept !

+-------+-----------+--------------------------+--------+

96

Alcatel-Lucent — Proprietary
Use pursuant to applicable agreements

3FZ 08139 ACAA PCZZA
Edition 07
July 2015

Peer Networks

show peer-net [netid] rpoc

show peer-net [netid] rpoc
Purpose
The purpose of that command is to display the Peering Points associated with the Peer
Networks and their configuration.
See the command “peer-net [netid] filter” to get complementary information about
the IP filters.

Command
show peer-net [netid] filter
Arguments
netid
This is the identifier of the Peer network. If this parameter is omitted the
output returns information for all Peer Networks
Output Definition
Peer net
This is the identifier of the Peer network.
Poc id
Identifies the Peering Point within the Peer Network.
ip_address
Displays the IP address of the Peering Point.
Udp Tcp Sctp Tls
Displays listening port values of the Peering Point.
Listening trusted port
Displays the listening port value on the trusted interface of the firewall that
matches the remote Peering Point on the untrusted interface of the firewall.
Reread the paragraph describing the command “peer-net netid rpoc
peering_point_id ip” to understand the relationship between Peering Point
and listening port on the Trusted interface.

3FZ 08139 ACAA PCZZA
Edition 07
July 2015

Alcatel-Lucent — Proprietary
Use pursuant to applicable agreements

97

Peer Networks

show peer-net [netid] rpoc

Example
->

show peer-net rpoc

+-------+------+----------------------------------------+-------+-------+------+-----+------------------------+
! Netid ! rpoc ! IP Address

! Udp

! Tcp

! Sctp ! Tls ! Listening trusted port !

+-------+------+----------------------------------------+-------+-------+------+-----+------------------------+
! 2

! 1

! 172.17.2.50

2001:2::172:17:2:50

! 50001 ! n/s

! n/s

! n/s ! 10201

!

! 3

! 1

! 172.18.3.9

2001:3::172:18:3:9

! 50001 ! 50001 ! n/s

! n/s ! 10301

!

! 4

! 1

! 172.19.4.35

2001:4::172:19:4:35

! 50001 ! n/s

! n/s

! n/s ! 10401

!

! 5

! 1

! 172.20.5.33

2001:5::172:20:5:33

! 50001 ! 50001 ! n/s

! n/s ! 10501

!

! 5

! 2

! 172.20.5.34

! 50002 ! 50002 ! n/s

! n/s ! 10502

!

! 5

! 3

! 2001:5::172:20:5:35

! 50003 ! 50003 ! n/s

! n/s ! 10503

!

! 5

! 7

! 172.20.5.37

2001:5::172:20:5:37

! 5060

! n/s

! n/s ! 10507

!

! 20

! 15

! 172.23.8.9

2001:8::172:23:8:9

! 50001 ! 50001 ! n/s

! n/s ! 12015

!

! 5060

+-------+------+----------------------------------------+-------+-------+------+-----+------------------------+

98

Alcatel-Lucent — Proprietary
Use pursuant to applicable agreements

3FZ 08139 ACAA PCZZA
Edition 07
July 2015

Peer Networks

show peer-net connectivity

show peer-net connectivity
Purpose

The purpose of that command is to check, on the untrusted side the IP
connectivity between the untrusted LPOC and the remote POCs (peering
points of the Peer-Network).
The IP connectivity is checked issuing periodically ICMP requests from the
LPOC to the RPOC associated within the Peer-Network. By default a Ping
request is issued each 4 seconds. ICMP requests are sent for both IPv4 and
IPv6 protocols according to the RPOC/LPOC configuration.
The Ping polling can be enabled or disabled via the CLI command “peer-net
netid polling ping {enable | disable}”. By default the Ping is enabled.
The Ping polling period can be modified via the CLI command “peer-net
netid polling ping interval”.

Command
show peer-net [netid] connectivity
Arguments
netid
This is the identifier of the Peer network. If this parameter is omitted the
output returns information for all Peer Networks
Example
-> show peer-net connectivity
+-------+------+------+--------+--------+---------+---------+---------+---------+----------------+
! Netid ! rpoc ! lpoc ! period ! PING

! SIP

! SIP v4

! PING v4 ! SIP v6

! PING v6

!

+-------+------+------+--------+--------+---------+---------+---------+---------+----------------+
! 2

! 1

! 2

! 4

! enable ! disable ! Unknown ! PING UP ! Unknown ! NO VLAN SUBNET !

! 4

! 1

! 4

! 4

! enable ! disable ! Unknown ! PING UP ! Unknown ! PING UP

!

! 5

! 2

! 5

! 4

! enable ! disable ! Unknown ! PING UP ! Unknown ! V4 ONLY

!

! 5

! 3

! 5

! 4

! enable ! disable ! Unknown ! V6 ONLY ! Unknown ! PING UP

!

! 9

! 1

! 9

! 4

! enable ! disable ! Unknown ! NO RESP ! Unknown ! NO MAC

!

! 10

! 1

! 10

! 4

! enable ! disable ! Unknown ! PING UP ! Unknown ! PING UP

!

! 20

! 15

! 8

! 10

! enable ! disable ! Unknown ! PING UP ! Unknown ! PING UP

!

+-------+------+------+--------+--------+---------+---------+---------+---------+----------------+

3FZ 08139 ACAA PCZZA
Edition 07
July 2015

Alcatel-Lucent — Proprietary
Use pursuant to applicable agreements

99

• “NO LPOC” means that the configuration is not consistent. • “PING UP” means that the rpoc successfully responds to the ICMP Requests sent by the SIP Firewall.Peer Networks show peer-net connectivity Output Definition SIP v4 and SIP v6 • The “SIP v4” and “SIP v6” are meaningless with the current SFW release. There is no LPOC associated with the Peer-Network whereas there is at least a RPOC and a Vlan associated with that PeerNetwork. • “NO LPOC IP ADDR” means that the configuration is not consistent. There is no Vlan associated with the Peer-Network. • “NO MAC” means that the configuration is consistent but the RPOC destination MAC address has not been yet resolved. • “NO VLAN SUBNET” means that the configuration is not consistent. The LPOC associated with the Peer-Network has no IPv4 address whereas there is at least one IPv4 RPOC associated with that Peer-Network. In a future release a SIP OPTIONS polling mechanism will be activated optionally to check the SIP processes status in the same way that what is already available on the trusted side between the lpoc and the rpoc (IBCF’s CCSs) PING v4 and PING v6 The “PING v4” status reflects the IP V4 connectivity between LPOC and RPOC of a Peer-Network. The LPOC associated with the Peer-Network has no IPv6 address whereas there is at least one IPv6 RPOC associated with that Peer-Network. • “NO VLAN” means that the configuration is not consistent. 100 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 3FZ 08139 ACAA PCZZA Edition 07 July 2015 . The “PING v6” status reflects the IP V6 connectivity between LPOC and RPOC of a Peer-Network. There is no IPv4 subnet in the definition of the vlan associated with the Peer-Network whereas there is at least one IPv4 RPOC associated with that Peer-Network.

• “TRUNK DOWN” means that the configuration is consistent. thus ping v4 cannot be performed. • “NO DEFAULT GW” means that the configuration is not consistent. 3FZ 08139 ACAA PCZZA Edition 07 July 2015 • “ROUTER IP NOT IN SUBNET” means that the configuration is not consistent. is not in the vlan subnet. A gateway is required in the vlan definition as soon as the vlan and the RPOC are not in the same subnet.Peer Networks show peer-net connectivity There is no IPv6 subnet in the definition of the vlan associated with the Peer-Network whereas there is at least one IPv6 RPOC associated with that Peer-Network. The MAC address of the RPOC is known but the SFW does not get any response to the ping requests. associated with the Peer-Network. Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 101 . is not in the vlan subnet. An IP gateway address is required in the definition of the vlan associated with the Peer-Network otherwise the RPOC is unreachable. • “V4 ONLY” means that configuration is consistent but LPOC or RPOC are IPv4 only. A router is required in the vlan definition as soon as the vlan and the LPOC are not in the same subnet. • “V6 ONLY” means that configuration is consistent but LPOC or RPOC are IPv6 only. thus ping v6 cannot be performed. associated with the Peer-Network. • “NO ROUTER IP” means that the configuration is not consistent. • “GATEWAY IP NOT IN SUBNET” means that the configuration is not consistent. • “NO RESP” means that the configuration is consistent. The router IP address in the definition of the vlan. The untrusted trunk is down. The gateway IP address in the definition of the vlan. An IP router address is required in the definition of the vlan associated with the Peer-Network otherwise the LPOC is unreachable.

• Trusted side statistics: Count SIP messages. sent to the IBCF (RPOC of Load-Balancing-Group) and coming from a Peer Network (identified by the netid). on the Trusted interface of the firewall. on the Trusted interface of the firewall. The statistics are split in two main categories: • Untrusted side statistics: Count SIP messages sent to a Peer-Network on the Untrusted interface of the firewall. Count SIP messages received from a Peer-Network on the Untrusted interface of the firewall. If this parameter is omitted the output returns information for all Peer Networks trusted | untrusted Optionally you may display statistics for only one side of the firewall. Count SIP messages. Note that only non-zero values are displayed. Command show peer-net [netid] statistics [trusted | untrusted] Arguments netid This is the identifier of the Peer network. received from the IBCF (RPOC of Load-Balancing-Group) and to be sent to a Peer-Network . 102 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 3FZ 08139 ACAA PCZZA Edition 07 July 2015 .Peer Networks show peer-net [netid] statistics [trusted | untrusted] show peer-net [netid] statistics [trusted | untrusted] Purpose The purpose of that command is to display SFW SIP statistics sorted by the Peer Network identifiers.

Peer Networks

show peer-net [netid] statistics [trusted | untrusted]

Output Definition
Statistics are sorted by category. The “level 1” provides high-level counters. The
“level 2” provides more detailed statistics over “Level 1”. Then the “level 3” allows to
get details over the “layer 2” statistics.

Counters

Definitions

Valid for

Valid

Untrusted

for
Trusted

Level 1
This table contains the “Level 1” statistics per Peer Networks
Number of packets dropped because
frameTooSmall
of UDP size is below minimum
acceptable size.
Number of potential SIP messages
tokenizerMsgIn
provided to the SIP hardware assist
tokenizer
Number of potential SIP messages for
tokenizerMsgErr
which there was not SIP Tokenizer
resources
Number of potential SIP messages
tokenizerMsgOut
returned by the SIP Tokenizer and
Provided to the Pass1 of SIP parsing
Should be the same as
pass1MsgIn
TokenizerMsgOut
Number of SIP or non-SIP messages
pass1Drop
dropped during pass 1 processing
Number of SIP messages that has been
pass1SipSuccess
successful in Pass 1
Should be the same as Pass1SipSuccess
pass2SipIn

pass2Drop
pass2MethodRateIn

pass2MethodRateDrop
pass2AdmCtlCall
pass2AdmCtlCallDrop
pass2AdmCtlOther
pass2AdmCtlOtherDrop

regenerationIn
regenerationDrop
leakyBucketIn
leakyBucketDrop
sendIn
3FZ 08139 ACAA PCZZA
Edition 07
July 2015

Number of SIP messages dropped
during pass 2 processing
Number of SIP messages submitted to
the method rate limiter (initial request
only or in-dialog transaction
for which there was no on-going dialog
context).
Number of Sip Message drop because
of the excessive rate
Number of SIP message submitted to
the admission control for initial INVITE
Number of Call rejected because invite
rate is greater than the available rate
on trusted side
Number of SIP messages submitted to
the admission control for non Invite, in
dialog transaction and response.
Number of Call rejected because
aggregate transaction/response rate is
greater than the available rate on
trusted side.
Number of SIP message submitted for
regeneration.
Number of SIP messages for which the
SIP regeneration has failed
Number of SIP messages submitted to
the Leaky buckets of the trusted side
Number of SIP messages rejected by
the Leaky bucket (typically leaky
bucket full)
Number of SIP message submitted to
the ouput (trusted or untrusted)
Alcatel-Lucent — Proprietary
Use pursuant to applicable agreements

yes

yes

yes

yes

yes

yes

yes

yes

yes

yes

yes

yes

yes
yes

yes
yes

yes

yes

yes

no

yes

no

yes

no

yes

no

yes

no

yes

no

yes

yes

yes

yes

yes

no

yes

no

yes

yes
103

Peer Networks

Counters

show peer-net [netid] statistics [trusted | untrusted]

Definitions

Valid for

Valid

Untrusted

for
Trusted

sendDrop
sendSuccess

104

Number of SIP message dropped while
in the output stage
Number of SIP messages that has been
successfully sent.

Alcatel-Lucent — Proprietary
Use pursuant to applicable agreements

yes

yes

yes

yes

3FZ 08139 ACAA PCZZA
Edition 07
July 2015

Peer Networks

Counters

show peer-net [netid] statistics [trusted | untrusted]

Definitions

Valid for

Valid

Untrusted

for
Trusted

Level 2 : Pass 1 drop per reason
This table contains the Level 2 statistics for dropped messages.
It provides details on the messages counted in pass1Drop of the “Level 1” statistics.
pass1DropConfigMismatch
Number of packets dropped
because of UDP size is below
minimum acceptable size.
pass1DropAdmControlReject
Number of SIP frames dropped due to
configuration mismatch.
pass1DropInitialNoRpocUnt
Number of SIP messages dropped
due to output overloading
pass1DropInitialNoTokenBucket
Number of initial SIP requests dropped
because there is no RPOC available
within a load balancing group
pass1DropFsmCheckOOSequence
Number of initial SIP requests dropped
because no Token bucket is
configured for the method (conf.
Issue)
pass1DropFsmCheckRetryCounterExhausted Number of SIP messages detected in
"Out Of Sequence" state.
pass1DropInDialogOverRate
SIP messages dropped because the
maximum retries has been reached
pass1DropMalformed
Number of SIP In-Dialog messages
dropped due to over rate.
pass1DropSuspicious
Number of SIP messages dropped
due to malformed header: parsing
error, mandatory header Missing,
etc..
pass1DropOutofResources
Number of SIP messages dropped
due to suspect format : e.g. oai
missing or unknown

yes

yes

yes

no

yes

no

yes

no

yes

yes

yes

yes

yes

no

yes

yes

yes

yes

yes

yes

yes

yes

yes

yes

yes

yes

yes

yes

yes

yes

yes

yes

Level 3 : Pass 1 drop suspicious
This table the Level 3 statistics for dropped messages.
It provides details on the messages counted in pass1Suspicious of the “Level 2: Pass1
drop per reason” statistics.
pass1DropSuspiciousInitialInvite
Number of SIP INVITE messages
dropped due to suspect format : e.g.
oai missing or unknown
pass1DropSuspiciousInitialNonInvite
Number of SIP non-INVITE messages
dropped due to suspect format : e.g.
oai missing or unknown
pass1DropSuspiciousSubsequentReq
Number of SIP subsequent requests
dropped due to suspect format : e.g.
oai missing or unknown
pass1DropSuspiciousResponse
Number of SIP responses dropped
due to suspect format : e.g. oai
missing or unknown
pass1DropSuspiciousBye
Number of SIP BYE messages dropped
due to suspect format : e.g. oai
missing or unknown
pass1DropSuspiciousCancel
Number of SIP CANCEL messages
dropped due to suspect format : e.g.
oai missing or unknown

3FZ 08139 ACAA PCZZA
Edition 07
July 2015

Alcatel-Lucent — Proprietary
Use pursuant to applicable agreements

105

Peer Networks

Counters

show peer-net [netid] statistics [trusted | untrusted]

Definitions

Valid for

Valid for

Untrusted

Trusted

Level 2 : Pass 1 success per SIP operation
This table contains Level 2 statistics.
It provides details on the messages counted in pass1SipSuccess of the “Level 1”
statistics.
pass1SipSuccessInitialInvite
number of initial INVITE that has
been successful in Pass 1
pass1SipSuccessInitialNonInvite
number of initial Non INVITE that has
been successful in Pass 1 (Out of
dialog)
pass1SipSuccessSubsequentReq
number of subsequent transaction
that has been successful in Pass 1 (in
dialog)
pass1SipSuccessResponse
number of Response that has been
successful in Pass 1 ( In & Out of
dialog)

yes

yes

yes

yes

yes

yes

yes

yes

yes

no

yes

yes

yes

yes

yes

yes

yes

no

yes

yes

yes

yes

yes

yes

yes

no

yes

yes

yes

yes

yes

yes

Level 2 : Pass 2 drop per reason
This table contains Level 2 statistics for dropped messages.
It provides details on the messages counted in pass2Drop of the “Level 1” statistics.
pass2DropRateLimiting
Number of out of dialog transaction
dropped due to method rate limiting
(all Qos and Method
pass2DropMalformed
Number of SIP messages dropped
due to malformed header: parsing
error, mandatory header Missing,
etc..
pass2DropConfigMismatch
Number of SIP frames dropped due
to configuration mismatch.
pass2DropSuspicious
Number of SIP messages dropped
due to suspect format : e.g. oai
missing or unknown
pass2DropAdmControlReject
Number of SIP messages rejected by
the admission control (all Qos and
messages types)
pass2DropFsmCheckOOSequence
Number of SIP messages rejected
because considered Out Of
Sequence.
pass2DropFsmCheckRetryCounterExhausted Number of SIP messages dropped
because the maximum retries has
been reached
pass2DropInDialogOutOfResources
Number of SIP In-Dialog messages
rejected because problem of
ressources.
pass2DropInDialogOverRate
Number of SIP In-Dialog messages
rejected because considered as
over-rate.
pass2DropCheckHeaderRegeneration
SIP message dropped due to error
while parsing the header that are
changed by the Firewall

Level 3 : Pass 2 drop suspicious
This table contains the Level 3 statistics for dropped messages.
It provides details on the messages counted in pass2DropSuspicious of the “Level2:
Pass2 drop per reason” statistics.
pass2DropSuspiciousInitialInvite
Number of SIP INVITE messages
dropped due to suspect format :
e.g. oai missing or unknown
pass2DropSuspiciousInitialNonInvite
Number of SIP non-INVITE messages
dropped due to suspect format :
e.g. oai missing or unknown
106

Alcatel-Lucent — Proprietary
Use pursuant to applicable agreements

3FZ 08139 ACAA PCZZA
Edition 07
July 2015

Peer Networks

pass2DropSuspiciousSubsequentReq

pass2DropSuspiciousResponse

pass2DropSuspiciousBye

3FZ 08139 ACAA PCZZA
Edition 07
July 2015

show peer-net [netid] statistics [trusted | untrusted]

Number of SIP subsequent requests
dropped due to suspect format :
e.g. oai missing or unknown
Number of SIP responses dropped
due to suspect format : e.g. oai
missing or unknown
Number of SIP BYE messages
dropped due to suspect format :
e.g. oai missing or unknown

Alcatel-Lucent — Proprietary
Use pursuant to applicable agreements

yes

yes

yes

yes

yes

yes

107

Peer Networks

pass2DropSuspiciousCancel

Counters

show peer-net [netid] statistics [trusted | untrusted]

Number of SIP CANCEL messages
dropped due to suspect format : e.g.
oai missing or unknown

yes

yes

Definitions

Valid for

Valid

Untrusted

for
Trusted

Level 2 : Pass 2 rate per SIP method
This table contains the Level 2 statistics for messages received and submitted to the
Rate Limiter.
It provides details on the messages counted in pass2MethodRateIn of the “Level 1”
statistics, per SIP method.
pass2MethodRateInAck
Number of SIP ACK messages
submitted to the method rate limiter.
pass2MethodRateInBye
Number of SIP BYE messages submitted
to the method rate limiter.
pass2MethodRateInCancel
Number of SIP CANCEL messages
submitted to the method rate limiter.
pass2MethodRateInInfo
Number of SIP INFO messages
submitted to the method rate limiter.
pass2MethodRateInInvite
Number of SIP INVITE messages
submitted to the method rate limiter.
pass2MethodRateInMessage
Number of SIP MESSAGE messages
submitted to the method rate limiter.
pass2MethodRateInNotify
Number of SIP NOTIFY messages
submitted to the method rate limiter.
pass2MethodRateInOptions
Number of SIP OPTIONS messages
submitted to the method rate limiter.
pass2MethodRateInPrack
Number of SIP PRACK messages
submitted to the method rate limiter.
pass2MethodRateInPublish
Number of SIP PUBLISH messages
submitted to the method rate limiter.
pass2MethodRateInRefer
Number of SIP REFER messages
submitted to the method rate limiter.
pass2MethodRateInRegister
Number of SIP REGISTER messages
submitted to the method rate limiter.
pass2MethodRateInSubscribe
Number of SIP SUBSCRIBE messages
submitted to the method rate limiter.
pass2MethodRateInUpdate
Number of SIP UPDATE messages
submitted to the method rate limiter.
pass2MethodRateInOther
Number of SIP other messages
submitted to the method rate limiter.

yes

no

yes

no

yes

no

yes

no

yes

no

yes

no

yes

no

yes

no

yes

no

yes

no

yes

no

yes

no

yes

no

yes

no

yes

no

yes

no

yes

no

yes

no

yes

no

yes

no

yes

no

yes
yes

no
no

Level 2 : Pass 2 rate per QoS
This table contains Level 2 statistics for messages received and submitted to the Rate
Limiter.
It provides details on the messages counted in pass2MethodRateIn of the “Level 1”
statistics, per QOS level.
pass2MethodRateInQos0
Number of SIP messages submitted to
the method rate limiter for QOS0.
pass2MethodRateInQos1
Number of SIP messages submitted to
the method rate limiter for QOS1.
pass2MethodRateInQos2
Number of SIP messages submitted to
the method rate limiter for QOS2.
pass2MethodRateInQos3
Number of SIP messages submitted to
the method rate limiter for QOS3.
pass2MethodRateInQos4
Number of SIP messages submitted to
the method rate limiter for QOS4.
pass2MethodRateInQos5
Number of SIP messages submitted to
the method rate limiter for QOS5.
pass2MethodRateInQos6
Number of SIP messages submitted to
the method rate limiter for QOS6.
pass2MethodRateInQos7
Number of SIP messages submitted to
108

Alcatel-Lucent — Proprietary
Use pursuant to applicable agreements

3FZ 08139 ACAA PCZZA
Edition 07
July 2015

Peer Networks show peer-net [netid] statistics [trusted | untrusted] the method rate limiter for QOS7. 3FZ 08139 ACAA PCZZA Edition 07 July 2015 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 109 .

It provides details on the messages counted in pass2MethodRateDrop of the “Level 1” statistics. pass2MethodRateDropInfo Number of SIP INFO messages dropped by the method rate limiter. pass2MethodRateDropPrack Number of SIP PRACK messages dropped by the method rate limiter. per SIP method. pass2MethodRateDropPublish Number of SIP PUBLISH messages dropped by the method rate limiter. pass2MethodRateDropAck Number of SIP INFO messages dropped by the method rate limiter. pass2MethodRateDropNotify Number of SIP NOTIFY messages dropped by the method rate limiter.Peer Networks Counters show peer-net [netid] statistics [trusted | untrusted] Definitions Valid for Valid for Untrusted Trusted Level 2 : Pass 2 rate drop per SIP method This table contains the Level 2 statistics for messages received and submitted to the Rate Limiter and dropped. pass2MethodRateDropCancel Number of SIP CANCEL messages dropped by the method rate limiter. yes no yes no yes no yes no yes no yes no yes no yes no yes no yes no yes no yes no yes no yes no yes no yes no yes no yes no yes no yes no yes no yes no yes no Level 2 : Pass 2 rate drop per QoS This table contains the Level 2 statistics for messages received and submitted to the Rate Limiter and dropped. pass2MethodRateDropInvite Number of SIP INVITE messages dropped by the method rate limiter. pass2MethodRateDropUpdate Number of SIP UPDATE messages dropped by the method rate limiter. pass2MethodRateDropBye Number of SIP BYE messages dropped by the method rate limiter. per QOS level. It provides details on the messages counted in pass2MethodRateDrop of the “Level 1” statistics. pass2MethodRateDropMessage Number of SIP MESSAGE messages dropped by the method rate limiter. pass2MethodRateDropRegister Number of SIP REGISTER messages dropped by the method rate limiter. pass2MethodRateDropOptions Number of SIP OPTIONS messages dropped by the method rate limiter. pass2MethodRateDropQos0 Number of Sip message drop because of the excessive rate in QOS0 pass2MethodRateDropQos1 Number of Sip message drop because of the excessive rate in QOS1 pass2MethodRateDropQos2 Number of Sip message drop because of the excessive rate in QOS2 pass2MethodRateDropQos3 Number of Sip message drop because of the excessive rate in QOS3 pass2MethodRateDropQos4 Number of Sip message drop because of the excessive rate in QOS4 pass2MethodRateDropQos5 Number of Sip message drop because of the excessive rate in QOS5 pass2MethodRateDropQos6 Number of Sip message drop because of the excessive rate in QOS6 pass2MethodRateDropQos7 Number of Sip message drop because of the excessive rate in QOS7 110 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 3FZ 08139 ACAA PCZZA Edition 07 July 2015 . pass2MethodRateDropSubscribe Number of SIP SUBSCRIBE messages dropped by the method rate limiter. pass2MethodRateDropOther Number of SIP other messages dropped by the method rate limiter. pass2MethodRateDropRefer Number of SIP REFER messages dropped by the method rate limiter.

pass2AdmCtlCallDropQos5 Number of Call rejected because invite rate is greater than the available rate on trusted side for QOS5. pass2AdmCtlCallDropQos1 Number of Call rejected because invite rate is greater than the available rate on trusted side for QOS1. pass2AdmCtlCallQos1 Number of SIP message submitted to the admission control for initial INVITE in QOS1. pass2AdmCtlCallDropQos2 Number of Call rejected because invite rate is greater than the available rate on trusted side for QOS2. pass2AdmCtlCallDropQos6 Number of Call rejected because invite rate is greater than the available rate on trusted side for QOS6. It provides details on the messages counted in pass2AdmCtlCall of the “Level 1” statistics. pass2AdmCtlCallDropQos3 Number of Call rejected because invite rate is greater than the available rate on trusted side for QOS3. It provides details on the messages counted in pass2AdmCtlCall of the “Level 1” statistics. per QOS level. pass2AdmCtlCallQos3 Number of SIP message submitted to the admission control for initial INVITE in QOS3.Peer Networks Counters show peer-net [netid] statistics [trusted | untrusted] Definitions Valid for Valid for Untrusted Trusted yes no yes no yes no yes no yes no yes no yes no yes no yes no yes no yes no yes no yes no yes no yes no yes no Level 2 : Pass 2 Admission Control Invite per QoS This table contains Level 2 statistics for INVITE messages received and submitted to the Admission Control. pass2AdmCtlCallDropQos4 Number of Call rejected because invite rate is greater than the available rate on trusted side for QOS4. 3FZ 08139 ACAA PCZZA Edition 07 July 2015 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 111 . pass2AdmCtlCallQos5 Number of SIP message submitted to the admission control for initial INVITE in QOS5. pass2AdmCtlCallQos0 Number of SIP message submitted to the admission control for initial INVITE in QOS0. pass2AdmCtlCallQos6 Number of SIP message submitted to the admission control for initial INVITE in QOS6. pass2AdmCtlCallQos4 Number of SIP message submitted to the admission control for initial INVITE in QOS4. pass2AdmCtlCallQos7 Number of SIP message submitted to the admission control for initial INVITE in QOS7. pass2AdmCtlCallDropQos7 Number of Call rejected because invite rate is greater than the available rate on trusted side for QOS7. pass2AdmCtlCallDropQos0 Number of Call rejected because invite rate is greater than the available rate on trusted side for QOS0. per QOS level. pass2AdmCtlCallQos2 Number of SIP message submitted to the admission control for initial INVITE in QOS2. Level 2 : Pass 2 Admission Control Invite drop per QoS This table contains the Level 2 statistics for messages received and submitted to the Admission Control and dropped.

Number of SIP messages submitted to the admission control for non Invite. Number of SIP messages submitted to the admission control for non Invite. Level 2 : Pass 2 Admission Control Non-Invite drop per QoS This table contains the Level 2 statistics for non-INVITE messages received and dropped by Admission Control. in dialog transaction and response. pass2AdmCtlOtherDropQos1 Number of non-INVITE rejected because aggregate transaction/response rate is greater than the available rate on trusted side. pass2AdmCtlOtherDropQos2 Number of non-INVITE rejected because aggregate transaction/response rate is greater than the available rate on trusted side.Peer Networks Counters show peer-net [netid] statistics [trusted | untrusted] Definitions Valid for Valid for Untrusted Trusted yes no yes no yes no yes no yes no yes no yes no yes no yes no yes no yes yes no no Level 2 : Pass 2 Admission Control Non-Invite per QoS This table contains the Level 2 statistics for non-INVITE messages received and submitted to the Admission Control. for QOS7. in dialog transaction and response. for QOS3. in dialog transaction and response. per QOS level. pass2AdmCtlOtherQos0 pass2AdmCtlOtherQos1 pass2AdmCtlOtherQos2 pass2AdmCtlOtherQos3 pass2AdmCtlOtherQos4 pass2AdmCtlOtherQos5 pass2AdmCtlOtherQos6 pass2AdmCtlOtherQos7 Number of SIP messages submitted to the admission control for non Invite. for QOS2. for QOS6. for QOS4. in dialog transaction and response. pass2AdmCtlOtherDropQos3 Number of non-INVITE rejected 112 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 3FZ 08139 ACAA PCZZA Edition 07 July 2015 . for QOS0. It provides details on the messages counted in pass2AdmCtlCall of the “Level 1” statistics. in dialog transaction and response. per QOS level. Number of SIP messages submitted to the admission control for non Invite. Number of SIP messages submitted to the admission control for non Invite. for QOS1. for QOS1. for QOS5. Number of SIP messages submitted to the admission control for non Invite. in dialog transaction and response. in dialog transaction and response. for QOS0. for QOS2. pass2AdmCtlOtherDropQos0 Number of non-INVITE rejected because aggregate transaction/response rate is greater than the available rate on trusted side. Number of SIP messages submitted to the admission control for non Invite. Number of SIP messages submitted to the admission control for non Invite. in dialog transaction and response. It provides details on the messages counted in pass2AdmCtlOtherDrop of the “Level 1” statistics.

Alcatel-Lucent — Proprietary Use pursuant to applicable agreements yes no yes no 113 . Number of non-INVITE rejected because aggregate transaction/response rate is greater than the available rate on trusted side. for QOS5. Number of non-INVITE rejected because aggregate transaction/response rate is greater than the available rate on trusted side. for QOS3.Peer Networks pass2AdmCtlOtherDropQos4 pass2AdmCtlOtherDropQos5 3FZ 08139 ACAA PCZZA Edition 07 July 2015 show peer-net [netid] statistics [trusted | untrusted] because aggregate transaction/response rate is greater than the available rate on trusted side. for QOS4.

per SIP operation. for QOS7. per SIP operation. Level 2 : Regeneration Drop Per SIP operation This table contains the description of the Level 2 statistics for SIP messages received on one interface and dropped because message regeneration failed. for QOS6. leakyBucketDropInitialInvite Number of SIP INVITE messages rejected by the Leaky bucket (typically leaky bucket full) leakyBucketDropOther Number of SIP non-INVITE messages 114 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 3FZ 08139 ACAA PCZZA Edition 07 July 2015 . It provides details on the messages counted in leakyBucketIn of the “Level 1” statistics. per SIP operation. Number of non-INVITE rejected because aggregate transaction/response rate is greater than the available rate on trusted side. Valid for Valid for Untrusted Trusted yes no yes no yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes Level 2 : Regeneration Per SIP operation This table contains the description of the Level 2 statistics for SIP messages received on one interface and submitted for regeneration before being sent on the other interface. per SIP operation. regenerationDropInitialInvite Number of SIP INVITE messages for which the SIP regeneration failed regenerationDropInitialNonInvite Number of SIP non-INVITE messages for which the SIP regeneration failed regenerationDropSubsequentReq Number of SIP Subsequent requests for which the SIP regeneration failed regenerationDropResponse Number of SIP responses for which the SIP regeneration failed Level 2 : Leaky Bucket Per SIP operation This table contains the description of the Level 2 statistics for SIP messages received on one interface and submitted to the leaky buckets. regenerationInInitialInvite Number of SIP INVITE message submitted for regeneration. regenerationInResponse Number of SIP response submitted for regeneration. regenerationInInitialNonInvite Number of SIP non-INVITE message submitted for regeneration.Peer Networks Counters pass2AdmCtlOtherDropQos6 pass2AdmCtlOtherDropQos7 show peer-net [netid] statistics [trusted | untrusted] Definitions Number of non-INVITE rejected because aggregate transaction/response rate is greater than the available rate on trusted side. regenerationInSubsequentReq Number of SIP subsequent requests submitted for regeneration. It provides details on the messages counted in leakyBucketDrop of the “Level 1” statistics. It provides details on the messages counted in regenerationIn counter of the “Level 1” statistics. It provides details on the messages counted in regenerationDrop of the “Level 1” statistics. leakyBucketInInitialInvite Number of SIP INVITE messages submitted to the Leaky buckets of the trusted side leakyBucketInOther Number of SIP non-INVITE messages submitted to the Leaky buckets of the trusted side Level 2 : Leaky Bucket Drop Per SIP operation This table contains the description of the Level 2 statistics for SIP messages received on one interface and rejected by the leaky buckets.

Peer Networks show peer-net [netid] statistics [trusted | untrusted] rejected by the Leaky bucket (typically leaky bucket full) 3FZ 08139 ACAA PCZZA Edition 07 July 2015 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 115 .

It provides details on the messages counted in sendSuccess of the “Level 1” statistics. sendSuccessInitialNonInviteUnt Number of SIP non-INVITE messages that has been successfully sent. per SIP operation. It provides details on the messages counted in sendDrop of the “Level 1” statistics. sendSuccessResponseUnt Number of SIP responses that has been successfully sent. sendSuccessSubsequentReqUnt Number of SIP subsequent requests that has been successfully sent. It provides details on the messages counted in sendIn of the “Level 1” statistics. sendInInitialInviteUnt Number of SIP INVITE message submitted to the output (trusted or untrusted) sendInInitialNonInviteUnt Number of SIP non-INVITE message submitted to the output (trusted or untrusted) sendInSubsequentReqUnt Number of SIP subsequent requests submitted to the output (trusted or untrusted) sendInResponseUnt Number of SIP responses submitted to the output (trusted or untrusted) Level 2 : Send Drop per cause This table contains the description of the Level 2 statistics for SIP messages received on one interface and dropped during the output stage.Peer Networks Counters show peer-net [netid] statistics [trusted | untrusted] Definitions Valid for Valid for Untrusted Trusted yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes Level 2 : Send Per SIP operation This table contains the description of the Level 2 statistics for SIP messages received on one interface and submitted to the other interface. sendSuccessInitialInviteUnt Number of SIP INVITE messages that has been successfully sent. 116 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 3FZ 08139 ACAA PCZZA Edition 07 July 2015 . sendDropL2errorUnt Number of SIP message dropped due to Layer 2 error while in the output stage sendDropNoMacAddressUnt Number of SIP message dropped due to unknown destination MAC@ while in the output stage Level 2 : Send Success per SIP operation This table contains the description of the Level 2 statistics for SIP messages received on one interface and successfully submitted to the other interface.

. Level 2 statistics pass1Drop pass1Drop : 313 pass1DropMalformed : 209 pass1DropSuspicious : 104 Level 3 pass1DropSuspicious pass1DropSuspicious : 104 pass1DropSuspiciousSubsequentReq : 1 pass1DropSuspiciousResponse : 2 pass1DropSuspiciousBYE : 100 pass1DropSuspiciousCANCEL : 1 Level 2 statistics pass2Drop per reason pass2Drop : 964 pass2DropRateLimiting : 260 pass2DropMalformed : 704 Level 2 statistics pass2MethodRateDrop per SIP method pass2MethodRateDrop : 260 pass2MethodRateDropInvite : 260 Level 2 statistics pass2MethodRateDrop per QOS pass2MethodRateDrop : 260 pass2MethodRateDropQos0 : 260 3FZ 08139 ACAA PCZZA Edition 07 July 2015 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 117 .....Peer Networks show peer-net [netid] statistics [trusted | untrusted] Example -> show peer-net statistics untrusted UNTRUSTED SIDE LEVEL 1 STATISTICS .. pass2MethodRateDrop . pass2Drop .. pass1Drop : 313 : 964 : 260 ..

This limitation applies to the methods that may appear outside a dialog: REGISTER. This limitation applies to the methods UPDATE. This limitation applies to the method INVITE creating a new dialog. This limitation applies to all SIP methods within an established INVITE dialog. In the case the SIP request methods mentioned above will allow to recreate the SIP dialog. • SIP RCS dialog setup rate limitation. BYE. Introduction A Security-Profile. This limitation applies to the non-Invite methods SUBSCRIBE.6 Security Profile Purpose This paragraph provides information about the Security-Profile. MESSAGE. Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 118 . NOTIFY. ACK and PRACK when a SIP dialog needs to be rebuilt. The purpose of the Security-Profile is to protect the IBCF from SIP messages overload coming from the Peer-Network. OPTION. INFO. • Message rate limitation in case of dialog context re-creation. The SIP dialog may also be cleaned up following a switchover. PUBLISH. The SIP dialog may have be cleaned up from the firewall due to aging when the firewall needs to make room for new calls and would have ran out of SIP context otherwise. • SIP out-of-dialog messages rate limitation per method. associated with a Peer-Network. allows setting of the following parameters involved in admission control on the Untrusted Interface: 3FZ 08139 ACAA PCZZA Edition 07 July 2015 • SIP call setup rate limitation. • SIP transaction rate limitation within INVITE dialogs. REFER creating a new dialog and also to the NOTIFY dialog within a SUBSCRIBE dialog or REFER dialog.

This setting permits to configure the duration an initial INVITE transaction can stay in the Ringing state waiting for a final response. This setting permits to accept or reject a specific SIP method within an established INVITE dialog. • Ringing Timer.Security Profile show peer-net [netid] statistics [trusted | untrusted] Moreover the Security-Profile allows setting the following parameters: 3FZ 08139 ACAA PCZZA Edition 07 July 2015 • SIP method allow/deny within INVITE dialogs. • Topology Hiding (THIG) enabling/disabling. Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 119 .

0.Security Profile Summary of the CLI for Security Profile management Summary of the CLI for Security Profile management Security Profile security-profile profile_id [name description] security-profile profile_id invite dialog setup-rate messages_per_sec security-profile profile_id invite in-dialog transaction-rate messages_per_sec security-profile profile_id invite in-dialog method-accept all security-profile profile_id invite in-dialog no method-accept all security-profile profile_id invite in-dialog method-accept { info | message | notify | options | publish | subscribe } security-profile profile_id invite in-dialog no method-accept { info | message | notify | options | publish | subscribe } security-profile profile_id out-of-dialog method-rate all messages_per_sec security-profile profile_id out-of-dialog method-rate { register messages_per_sec | info messages_per_sec | message messages_per_sec | notify messages_per_sec | options messages_per_sec | publish messages_per_sec | subscribe messages_per_sec | refer messages_per_sec | update messages_per_sec | bye messages_per_sec | prack messages_per_sec } security-profile profile_id out-of-dialog no method-rate all security-profile profile_id out-of-dialog no method-rate { register | info | message | notify | options | publish | subscribe | refer | update | bye | prack } security-profile profile_id sip thig security-profile profile_id sip no thig security-profile profile_id route-reorder security-profile profile_id no route-reorder security-profile profile_id ringing-timer duration security-profile profile_id sip route-mode {contact | record-route} security-profile profile_id private_ip security-profile profile_id no private_ip security-profile profile_id fqdn-in-from thig security-profile profile_id no fqdn-in-from thig security-profile profile_id clone profile_id no security-profile profile_id show security-profile profile_id V3.14 add the following new commands: security-profile profile_id sip route-mode {contact | record-route} security-profile profile_id private_ip security-profile profile_id no private_ip security-profile profile_id fqdn-in-from thig security-profile profile_id no fqdn-in-from thig 120 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 3FZ 08139 ACAA PCZZA Edition 07 July 2015 .

Security Profile security-profile profile_id security-profile profile_id Purpose The purpose of that command is to create a Security-Profile. description Description of the Security-Profile (31 characters) Example -> security-profile 2 name SecProf2 Complementary Information By default. Command security-profile profile_id [name description] Arguments profile_id This is the identifier of the Security-Profile. Once created the parameters of the Security-Profile needs to be modified to adjust the rate limiters according to your needs. the default values are the following: -> security-profile 10 -> show security-profile 10 Profile id : Name INVITE in-dialog accepted methods PUBLISH SUBSCRIBE OPTIONS INVITE in-dialog forbidden methods REGISTER out-of-dialog rate INFO out-of-dialog rate MESSAGE out-of-dialog rate NOTIFY out-of-dialog rate PUBLISH out-of-dialog rate SUBSCRIBE out-of-dialog rate 3FZ 08139 ACAA PCZZA Edition 07 July 2015 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements : 10 : INFO MESSAGE NOTIFY : : : : : : : 0 0 0 0 0 0 121 . Up to 32 Security-Profile can be created. Finally the Security-Profile needs to be associated with a Peer-Network to become effective. creating a new security-profile.

BYE. you may need to adjust the “INVITE In-dialog transaction rate”: -> security-profile 10 invite in-dialog transaction-rate 20 You need also to set the Method rate limitation used in case of dialog context re-creation. ACK and PRACK when a SIP dialog needs to be rebuilt (e. -> security-profile 10 out-of-dialog method-rate bye 1000 -> security-profile 10 out-of-dialog method-rate prack 1000 Optionally. -> security-profile 10 out-of-dialog method-rate subscribe 500 -> security-profile 10 out-of-dialog method-rate refer 500 Finally you need to associate the security-profile with the peer-network. This limitation applies to the methods UPDATE.Security Profile security-profile profile_id REFER out-of-dialog rate UPDATE out-of-dialog rate BYE out-of-dialog rate PRACK out-of-dialog rate OPTIONS out-of-dialog rate INVITE dialog setup rate INVITE in-dialog transaction rate ringing timer THIG : : : : : : : : : 0 0 0 0 0 0 10 180 yes So. you may need to set the RCS dialog setup rate for the methods SUBSCRIBE. after creating a new security-profile. -> peer-net 10 security-profile 10 122 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 3FZ 08139 ACAA PCZZA Edition 07 July 2015 .g. you need to set the “INVITE dialog setup rate” according to your need: -> security-profile 10 invite dialog setup-rate 1000 Optionally. REFER and NOTIFY. context recreation may appear after a switchover).

3000. 450. 20. 1400.Security Profile security-profile profile_id invite dialog setup-rate security-profile profile_id invite dialog setup-rate Purpose The purpose of that command is to define the acceptable initial INVITE rate from an untrusted peer network. 1000. 100. 700. 2600. creating a dialog. 2000. 2200. 300. Example -> security-profile 2 invite dialog setup-rate 2000 3FZ 08139 ACAA PCZZA Edition 07 July 2015 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 123 . 200. 250. 800. 40. 500. messages_per_sec Rate in messages per second for the method INVITE. 1800. 1600. 50. 30. 3200. 10. 1200. 350. 3800. 150. The 32 configurable values are the following: 0. 600. Command security-profile profile_id invite dialog setup-rate messages_per_sec Arguments profile_id This is the identifier of the Security-Profile. 5. 2800. 400. 3600. 3400. received from the untrusted side. 2400. 900.

350. 200. The 32 configurable values are the following: 0. 3200. 250. Once the SIP firewall has started to track an INVITE dialog. 1000. Command security-profile profile_id invite in-dialog transaction-rate messages_per_sec Arguments profile_id This is the identifier of the Security-Profile. 2400. 400. 1200. 2600. 20. 10. 1400. 450. Example -> security-profile 2 invite in-dialog transaction-rate 10 124 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 3FZ 08139 ACAA PCZZA Edition 07 July 2015 . 3000. 3800. 600. 30. 800. 2800. 500. 900. 40. 50. 2200. messages_per_sec Defines the transaction rate in messages per second within an established dialog. 1800. 150.Security Profile security-profile profile_id invite in-dialog transaction-rate security-profile profile_id invite in-dialog transaction-rate Purpose The purpose of that command is to configure the rate limiter applying for all SIP methods within a dialog. 100. it uses the transaction-rate limiter for all methods within the dialog. 700. 1600. 300. 5. 3600. 3400. 2000.

{ info | message | notify | options | publish | subscribe } The accepted SIP methods within an INVITE dialog can be selected individually. all Specifies that all SIP methods are allowed within an INVITE dialog.Security Profile security-profile profile_id invite in-dialog method accept security-profile profile_id invite in-dialog method accept Purpose The purpose of that command is to configure the accepted SIP methods within an INVITE dialog. Example -> security-profile 2 invite in-dialog method-accept info -> security-profile 2 invite in-dialog method-accept message -> security-profile 2 invite in-dialog method-accept options 3FZ 08139 ACAA PCZZA Edition 07 July 2015 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 125 . Command security-profile profile_id invite in-dialog method-accept all security-profile profile_id invite in-dialog method-accept { info | message | notify | options | publish | subscribe } Arguments profile_id This is the identifier of the Security-Profile.

{ info | message | notify | options | publish | subscribe } The forbidden SIP methods within an INVITE dialog can be selected individually.security-profile profile_id invite in-dialog no method accept Security Profile security-profile profile_id invite in-dialog no method accept Purpose The purpose of that command is to configure the forbidden SIP methods within an INVITE dialog. all Specifies that all SIP methods are forbidden within an INVITE dialog. Example -> security-profile 2 invite in-dialog no method-accept subscribe -> security-profile 2 invite in-dialog no method-accept publish 126 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 3FZ 08139 ACAA PCZZA Edition 07 July 2015 . Command security-profile profile_id invite in-dialog no method-accept all security-profile profile_id invite in-dialog no method-accept { info | message | notify | options | publish | subscribe } Arguments profile_id This is the identifier of the Security-Profile.

• it configures the SIP transaction rate per method applied when the dialog tracking context has been removed from the SFW. MESSAGE. This can be the case for REGISTER. 3FZ 08139 ACAA PCZZA Edition 07 July 2015 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 127 . NOTIFY. If “all” is not specified. all Specifies that all SIP methods listed above. OPTIONS. have the same rate limiter. NOTIFY. Command security-profile profile_id out-of-dialog method-rate all messages_per_sec security-profile profile_id out-of-dialog method-rate { register messages_per_sec | info messages_per_sec | message messages_per_sec | notify messages_per_sec | options messages_per_sec | publish messages_per_sec | subscribe messages_per_sec | refer messages_per_sec | update messages_per_sec | bye messages_per_sec | prack messages_per_sec } Arguments profile_id This is the identifier of the Security-Profile. This can be the case for RCS scenarios with SUBSCRIBE. then it is possible to define a specific rate limiter per method. PUBLISH.Security Profile security-profile profile_id out-of-dialog method-rate security-profile profile_id out-of-dialog method-rate Purpose The following CLI command has several purposes: • it configures the SIP method rate limit for transactions that take place out of a dialog. INFO. • it configures the transaction rate limit for non-INVITE dialogs. This situation may happen either because a switchover occurred or because of dialog tracking aging due to resource limitation. REFER. outside an INVITE dialog.

Security Profile security-profile profile_id out-of-dialog method-rate messages_per_sec Defines the per method rate in messages per second. 5. 2200. 3800. 700. 350. The 32 configurable values are the following: 0. Example -> -> -> -> -> security-profile security-profile security-profile security-profile security-profile 2 2 2 2 2 out-of-dialog out-of-dialog out-of-dialog out-of-dialog out-of-dialog method-rate method-rate method-rate method-rate method-rate register 1000 info 1000 message 1000 notify 1000 publish 1000 -> security-profile 2 out-of-dialog method-rate subscribe 500 -> security-profile 2 out-of-dialog method-rate refer 500 -> -> -> -> security-profile security-profile security-profile security-profile 2 2 2 2 out-of-dialog out-of-dialog out-of-dialog out-of-dialog method-rate method-rate method-rate method-rate update 2000 bye 2000 prack 2000 options 2000 Complementary Information The methods SUBSCRIBE and REFER create RCS (Rich Communication Service) dialogs. A rate limit of 0 indicates that the method is blocked. 300. 200. 450. 3000. 2000. 20. 30. for methods that appeared outside an INVITE dialog. 500. 3200. 40. 3400. as not correct. 600. Nevertheless the above command applies also for RCS until a better wording can be developed such as “security-profile profile_id rcs-dialog method-rate”. 1000. 800. 900. So the attribute “out-of-dialog” of the CLI command may be considered. 250. 10. 150. 100. 1600. 3600. 1200. 1400. rightly. 2400. 128 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 3FZ 08139 ACAA PCZZA Edition 07 July 2015 . 2600. By default each method rate limiter is set to 0. 50. 1800. NOTIFY appears also in RCS dialogs. 400. 2800.

Example -> security-profile 2 out-of-dialog no method-rate register 3FZ 08139 ACAA PCZZA Edition 07 July 2015 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 129 . all Specifies that all SIP methods listed above. have their rate limiter removed. If the attribute “all” is not specified.Security Profile security-profile profile_id out-of-dialog no method-rate security-profile profile_id out-of-dialog no method-rate Purpose The following CLI command remove the SIP method rate limiter applied previously. Command security-profile profile_id out-of-dialog no method-rate all security-profile profile_id out-of-dialog no method-rate { register | info | message | notify | options | publish | subscribe | refer | update | bye | prack } Arguments profile_id This is the identifier of the Security-Profile. This means that the default value 0 is applied for all SIP methods and thus forbidden. it is possible to remove the rate limiter for a specific SIP method. outside an INVITE dialog.

For the SIP headers Via. 130 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 3FZ 08139 ACAA PCZZA Edition 07 July 2015 . host names of internal network elements. See the paragraph Part I:23 How to configure the SFW SITE specific parameters Command security-profile profile_id sip thig security-profile profile_id no sip thig Arguments profile_id This is the identifier of the Security-Profile. all ciphered headers found in incoming SIP messages are deciphered. Record-Route. The domain name “sfw.Security Profile security-profile profile_id sip thig security-profile profile_id sip thig Purpose The purpose of this command is to enable or disable the Topology Hiding. Route.sfw.net”. Remember that a Security-Profile and a PeerNetwork are associated via the CLI command “peer-network netid security-profile profile_id”. THIG is performed by ciphering all private URIs found in the outgoing SIP messages. no sip thig Disable THIG towards the Peer-Networks associated with the specified profile_id. sip thig Enable THIG towards the Peer-Networks associated with the specified profile_id. It can be modified via a configuration specified in the sitecfg. The SIP Firewall performs topology hiding (THIG) on all SIP Request and response that are initiated by the private network so that peering networks cannot see IP addresses.net” is the default value. Similarly. port numbers. a fixed pattern is appended to the end of each ciphered text: “tokenized-by=sfw.

7.tag=dftghjhg After THIG: From: Alice <sip:alice@5ZW02glU6kTzZkpYJdXK2vQMTEf. Diversion. This allows routing of subsequent requests coming from the untrusted side using the REQUEST-URI.7.10.0. Service-Route.branch=z9hG4bK-14755-10. For the Contact header. For the following headers: Via. Route.Security Profile security-profile profile_id sip thig Complementary Information 1.tag=dftghjhg 2.229 for topology hiding requirements.q=0.p=abc>. only the host-port part of the URI (either a host-name or an IP address) is ciphered. expires=3600 3. the whole field value is ciphered.5>.p=abc>. To.q=0.branch=z9hG4bK-9119-1-0 After THIG. Example: Before THIG: Contact: "Mr Smith" <sip:smith@192. PAsserted-Identity.2. From. multiple headers with the same field name are ciphered in a single one. Example: Before THIG: From: Alice <sip:alice@192.168. Example: Before THIG: Via: SIP/2.0/UDP 10. Record-Route.8.oai=yyyy7vbsKa+53ryUDHyyyy7y+mY4y Via: SIP/2.5:5060.7.2.0/UDP 192. Moreover.2.168. it will give: Contact: "Mr Smith" <sip:t4M0WHcpYBP7F9xLGHbPIGjlhsYvCDRuf@10.168.50:50001. For the following headers: Request-Line. expires=3600 After THIG.transport=tcp>. History Info.8.4 of 3GPP 24. it will give a single header line.50:50001. This allows to follow Section 5. Path. the whole addr-spec value is ciphered and the public IP address of the SIP Firewall is appended. This is possible as long as the resulting string is short enough to be contained in a single header line: 3FZ 08139 ACAA PCZZA Edition 07 July 2015 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 131 .7.

TghRgrESXpmMDg0zhQ1BP3s8CDoft4Fsg2bBesxARl. and the dialog originator. Ciphering in outgoing messages Headers request response Request-Line Contact From X X if dialog origin is trusted X if dialog origin is trusted X X X X X X X X X X X X X X Diversion 132 response X Route Via request X To Record-Route Deciphering in incoming messages History-Info X P-AssertedIdentity X Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 3FZ 08139 ACAA PCZZA Edition 07 July 2015 .branch=z9hG4bK-45 List of (de-)ciphered Headers Ciphering or deciphering of headers depends on the message origin. the kind of message (Request/Response).tokenized-by=sfw. The following table shows the list of ciphered/deciphered headers according to each of the preceding condition.Security Profile security-profile profile_id sip thig Via: SIP/2.SD7YU2Mf.0/UDP 5P0gx7l4PkTRfgTygHyujyYr.net.

There must be Route headers in subsequent request from peer network as SIP firewall has already informed the route set in previous transaction through Record-Route headers. the second one points to the rpoc at trusted side of SIP Firewall. Command security-profile profile_id route-reorder security-profile profile_id no route-reorder Arguments profile_id This is the identifier of the Security-Profile. no route-reorder Disable the option to accept disordered Route headers in subsequent requests from PeerNetworks associated with the specified profile_id. route-reorder Enable the option to accept disordered Route headers in subsequent requests from PeerNetworks associated with the specified profile_id. some external SIP devices do not follow RFC 3261 very well. Unfortunately.Security Profile security-profile profile_id route-reorder security-profile profile_id route-reorder Purpose The purpose of this command is to enable or disable the option to allow disordered Route headers in the subsequent request from peer networks. the top one points to the lpoc at untrusted side of SIP Firewall. Remember that a Security-Profile and a PeerNetwork are associated via the CLI command “peer-network netid security-profile profile_id”. 3FZ 08139 ACAA PCZZA Edition 07 July 2015 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 133 . To tolerate this kind of behavior. the Route headers should be in order. the option route-reorder it added. In the request from peer networks. they may send the subsequent requests with disordered Route headers.

in seconds. in seconds. duration The Ringing timer can be set. The default value is 180 seconds.Security Profile security-profile profile_id ringing-timer duration security-profile profile_id ringing-timer duration Purpose The purpose of this command is to configure. Example -> security-profile 20 duration 360 134 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 3FZ 08139 ACAA PCZZA Edition 07 July 2015 . Remember that a Security-Profile and a PeerNetwork are associated via the CLI command “peer-network netid security-profile profile_id”. This is the duration an initial INVITE transaction can stay in the Ringing state waiting for a final response. This setting becomes effective when the security-profile is associated with the peernetwork. Command security-profile profile_id ringing-timer duration Arguments profile_id This is the identifier of the Security-Profile. the maximum duration of the ringing time. in the range from 30 to 300.

The identifier must be in the range 1-32. Command security-profile profile_id2 clone profile_id1 Arguments profile_id2 This is the identifier of the new Security-Profile to be created. profile_id1 This is the identifier of the already existing Security-Profile used as template to create the clone.Security Profile security-profile profile_id clone profile_id security-profile profile_id clone profile_id Purpose The following CLI command allows creation of a new security-profile copying an existing one. Example -> security-profile 20 clone 19 3FZ 08139 ACAA PCZZA Edition 07 July 2015 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 135 .

Security Profile security-profile profile_id fqdn-in-from thig security-profile profile_id fqdn-in-from thig Purpose The purpose of this command is to enable or disable the Topology Hiding for From and PAsserted-Identify headers when their host part is a host-name. Remember that a Security-Profile and a PeerNetwork are associated via the CLI command “peer-network netid security-profile profile_id”. 136 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 3FZ 08139 ACAA PCZZA Edition 07 July 2015 . “fqdn-in-from thig” only take effect when “sip thig” is enabled. fqdn-in-from thig Enable THIG for From and P-Asserted-Identify headers whose host part is a host name when sending message to Peer-Networks associated with the specified profile_id. When host part is IP address. no fqdn-in-from thig Disable THIG for From and P-Asserted-Identify headers whose host part is a host name when sending message to Peer-Networks associated with the specified profile_id. Command security-profile profile_id fqdn-in-from thig security-profile profile_id no fqdn-in-from thig Arguments profile_id This is the identifier of the Security-Profile. From and P-Asserted-Identify headers will always be ciphered.

Command security-profile profile_id sip route-mode record-route security-profile profile_id sip route-mode contact Arguments profile_id This is the identifier of the Security-Profile. The original host part will be saved as a private parameter of Contact header. If SFW doesn’t send Record-Route headers to Peer-Networks. if SIP THIG is disabled. Remember that a Security-Profile and a Peer-Network are associated via the CLI command “peer-network netid security-profile profile_id”. SFW untrusted lpoc IP will be put into host part of Contact header. sip route-mode contact Messges sent to Peer-Networks associated with the specified profile_id don’t have Record-Route headers. To ensure subsequence in-dialog request can successfully arrive at SFW from Peer-Networks. oai will be contained in Contact header. sip route-mode record-route Messges sent to Peer-Networks associated with the specified profile_id have Record-Route headers. 3FZ 08139 ACAA PCZZA Edition 07 July 2015 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 137 .Security Profile security-profile profile_id sip route-mode security-profile profile_id sip route-mode Purpose The purpose of this command is to specify if SFW will add Record-Route headers in messages sent to Peer-Networks. Oai is put into Contact header.

which currently contain From/P-AID/Contact header with MGC-8 private IP/port in host part. Command security-profile profile_id private_ip security-profile profile_id no private_ip Arguments profile_id This is the identifier of the Security-Profile. and put MGC-8 private IP/port as From/P-AID/Contact URI parameter when thig is disabled. which contain Contact header with MGC-8 private IP/port in host port. and put MGC-8 private IP/port as Contact URI parameter. For requests (e.. and put tokenized string as From/P-AID URI parameter when thig is enabled. SFW should put SFW public IP/port into host part.g.. 138 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 3FZ 08139 ACAA PCZZA Edition 07 July 2015 .. no private_ip Do not add private ip in From/P-AID/To headers in messages sent to PeerNetworks. INVITE/re-INVITE/UPDATE/ACK/BYE/PRACK/CANCEL) sent from trusted side to un-trusted side. SFW should put SFW public IP/port into host part. Remember that a Security-Profile and a Peer-Network are associated via the CLI command “peer-network netid securityprofile profile_id”.Security Profile security-profile profile_id private_ip security-profile profile_id private_ip Purpose The purpose of this command is to specify if SFW will add private ip(lpoc untrusted ip) in From/P-AID/To/ Contact headers in messages sent to Peer-Networks. For requests (e. which currently contain From/P-AID header with tokenized string in host part. INVITE/re-INVITE/UPDATE/ACK/BYE/PRACK/CANCEL) sent from trusted side to un-trusted side. SFW should put SFW public IP/port into host part. For responses (1xx-6xx) (to initial INVITE from un-trusted to trusted) received from MGC-8. private_ip Add private ip in From/P-AID/To headers in messages sent to Peer-Networks.g.

Example -> no security-profile 20 3FZ 08139 ACAA PCZZA Edition 07 July 2015 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 139 . Then the unused Security-Profile can be deleted.Security Profile no security-profile profile_id no security-profile profile_id Purpose The purpose of this command is to delete a Security-Profile. it is necessary to associate a new Security-Profile to the Peer-Network. There is no command “peer-network netid no security-profile”. Command no security-profile profile_id Arguments profile_id This is the identifier of the Security-Profile to be deleted. to remove the association between a Peer-Network and a Security-Profile. A Security-Profile cannot be deleted if it still associated with a Peer-Network.

Command show security-profile [profile_id] Arguments profile_id This is the identifier of the Security-Profile to be displayed. all Security Profiles are displayed.Security Profile show security-profile profile_id show security-profile profile_id Purpose Displays the Security-Profile configuration. Example -> show security-profile 19 Profile id Name INVITE in-dialog accepted methods PUBLISH SUBSCRIBE OPTIONS INVITE in-dialog forbidden methods REGISTER out-of-dialog rate INFO out-of-dialog rate MESSAGE out-of-dialog rate NOTIFY out-of-dialog rate PUBLISH out-of-dialog rate SUBSCRIBE out-of-dialog rate REFER out-of-dialog rate UPDATE out-of-dialog rate BYE out-of-dialog rate PRACK out-of-dialog rate OPTIONS out-of-dialog rate INVITE dialog setup rate INVITE in-dialog transaction rate T1 timer INVITE fork-response INVITE fork-timer (TM) THIG 140 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements : : : 19 INFO MESSAGE NOTIFY : : : : : : : : : : : : : : : : : : 1000 1000 1000 1000 1000 1000 1000 1000 1000 1000 1000 1000 10 100 32 64 yes 3FZ 08139 ACAA PCZZA Edition 07 July 2015 . If profile_id is not specified.

"SIPconnect 1.1 Technical Recommendation" . Reference documents Standard [SIP connect] SIP-PBX / Service Provider Interoperability .7 TLS feature overview Introduction TLS usage rational The primary goal of the TLS protocol is to provide privacy and data integrity for the SIP flows exchanged between the SIP firewall and remote SIP entities on its untrusted side.SIP Forum Document Number: TWG-2 Main RFC's [RFC2246] The TLS Protocol Version 1.0 [RFC3280] Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile 3FZ 08139 ACAA PCZZA Edition 07 July 2015 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 141 . It also provides mutual authentication of both peers through the verification of their respective X509 certificates.

3DES. Compression is not supported. RC4. o Content display o Suppression • Certificate Authority (CA) certificate management o Importation in PEM Base64 format o Content display o Suppression 142 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 3FZ 08139 ACAA PCZZA Edition 07 July 2015 . Certificate revocation with OCSP (Online Certificate Status Protocol) or with statically configured list of certificate is not supported. • For symmetric ciphering: AES128.0 (RFC 2246) and X. List of algorithms supported: • For key exchange: Diffie–Hellman. • For integrity: SHA1. The generated CSR is in PKCS#10 format.TLS feature overview Feature Overview Feature Overview Standards and algorithms supported The SIP firewall supports TLS v1. • For authentication: RSA (maximum key size = 4096 bits). SSLv2 and SSLv3 are not supported due to their related vulnerabilities. AES256. RSA. alert and record protocol • Automatic TLS connection handling toward rpoc entity • X509 certificates management (CLI interface) • Local certificate management o Importation in PEM Base64 of public certificate and its private key (SSLeay format) o Support of Certificate Signing Request (CSR) procedure. change cipher. Main Feature List The following main features are supported: • TLS v1.0 handshake.509v3 certificates (RFC 3280) based on RSA key (up to 4096 bits).

This is the typical authentication mode in SIP peering (cf static mode of [SIP connect] referenced document). Local certificates (and their private key) and CA certificates may be imported through root account using multi-line CLI commands: Copy/Paste is used to import X509 certificates or private key in PEM/Base64 format. • CA certificates used to check the validity of the rpoc certificates: All the CA certificates of the rpoc "signing chain" must be imported on the SFW in order to check the validity of the rpoc certificate.TLS Feature Description TLS feature overview • TLS domain handling per VPN through TLS profile usage • TLS profile management o Creation/Modification o Content display o Suppression Dimensioning The SIP firewall supports the following dimensioning concerning TLS: o Maximum Local certificate(s): 32 o Maximum CA certificate(s): 64 o Maximum TLS profile(s): 32 o Maximum CA identifier per profile: 64 TLS Feature Description X509 certificate handling (CLI interface) The SFW supports TLS with mutual authentication (each side must present its X509 certificate). A private key is only required for local certificate (it is recommended to protect it by a password). 3FZ 08139 ACAA PCZZA Edition 07 July 2015 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 143 . Two types of X509v3 certificates are handled by the SFW: • Local certificate used to identify the SFW.

This X509 certificate is then imported in the SFW (step3). VLAN w (corresponding to VPN x) <.Certificate Signing Request (CSR) handling TLS domain handling per VPN through TLS profile usage In the SIP firewall a peer network entity may be associated to a particular VPN through its VLAN id. With the CSR procedure the private key is always kept on the SFW: this is more secure than a private key importation. The CA sends back the corresponding X509 certificate (signed by the CA).Peer-net y -> TLS profile z Each TLS profile contains: 144 • a description name • the id of the local certificate to use for the SFW. This particular TLS configuration will be applied to all rpoc of the related peer network entity. a public/private key pair is generated locally to the SFW (step1) and a corresponding CSR is generated in PEM/Base64 format toward the Certificate Authority (step 2).TLS Feature Description TLS feature overview Local certificates may be also managed through the Certificate Signing Request (CSR) procedure: In CSR procedure.part Private key part 2/ Certificate signing request (CSR) Figure 1 . • the list of id of trusted CA certificates. A TLS profile may be also configured per peer network entity: This allows to have particular TLS configuration (the one of the TLS profile) per VPN. Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 3FZ 08139 ACAA PCZZA Edition 07 July 2015 . SFW Local Certificate(s) 3/ Certificate importation 1/ Certificate request creation Root user Certification Authority Cert.

its transport layer must be configured in TLS mode. 3FZ 08139 ACAA PCZZA Edition 07 July 2015 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 145 . If the CA certificate list of the TLS profile used by the connection is modified. The SFW also accepts incoming TLS connection from this rpoc using the same certificate model. the TLS connection is reestablished with the new one. it will launch a full TLS disconnection/reconnection.TLS Feature Description TLS feature overview • optionally: the fact to check the validity of the peer certificate (CA check flag that is set to Yes by default). the other transport layers are no more relevant: only TLS can be used with this rpoc. the peer-network of the rpoc must be configured with a valid TLS profile. • optionally: the renegotiation period (in hour) to force a new TLS handshake periodically (not activated by default). The renegotiation will work only for TLS peers that support RFC 5746. it will be taken into account on the existing TLS connection if the optional parameter "renegotiation period timeout" is set on the TLS profile. For the other peers. When TLS is configured for this rpoc. If the local certificate used by the TLS connection is modified. The SFW automatically establishes and maintains a TLS connection toward this rpoc using the local certificate of the TLS profile as its certificate and using the CA certificates referenced in the TLS profile to validate the rpoc certificate. TLS connection handling When TLS secured connection is required with a rpoc. Moreover. This option should be used to take into account CA certificates updates on already established TLS connection.

Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 146 .8 TLS Profile Purpose This paragraph provides information about the configuration of the TLS profiles. This allows to check the peering point certificate against the CA signing chain. it must exist a list of CA associated with the TLS Profile. This means that: • The SFW local certificate and its associated private key are matching. • If “ca-check” has been set for this TLS profile. Introduction : TLS connections and TLS Profile handling A new TLS permanent connection is established with a RPOC (2 connections if RPOC is dual-stack IPv4/IPv6) when: 3FZ 08139 ACAA PCZZA Edition 07 July 2015 • Transport is set to TLS for this RPOC. See the CLI command “peer-net netid rpoc peering_point_id” • Transport is set to TLS for the LPOC associated with the Peer Network. See the CLI command “peer-net netid tls-profile tls_profile_id” • The TLS profile is valid. See the CLI command “peer-net netid lpoc poc_id” • A TLS-profile is associated with the Peer Network.

TLS Profile Summary of the CLI for TLS-Profile management Summary of the CLI for TLS-Profile management TLS Profile tls-profile tlsprofileid [local-cert certid] [no-ca-check|ca-check] [renegotiation-period period_in_hours] [name description] tls-profile tlsprofileid name description tls-profile tlsprofileid local-cert certid tls-profile tlsprofileid {no-ca-check|ca-check} tls-profile tlsprofileid renegotiation-period period_in_hours tls-profile tlsprofileid no renegotiation-period tls-profile tlsprofileid ca-cert-list certid1 [certid2] [certid3] … [certid8] tls-profile tlsprofileid no ca-cert-list certid no tls-profile tlsprofileid show tls-profile 3FZ 08139 ACAA PCZZA Edition 07 July 2015 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 147 .

This option should be used to take into account CA certificates updates on already established TLS connection.TLS Profile tls-profile tlsprofileid local-cert ca-check renegotiation-period tls-profile tlsprofileid local-cert ca-check renegotiation-period Purpose The purpose of that command is to create a TLS Profile. local-cert Identifies the SFW local certificate. checking the validity of the peer certificate is the default behavior. Up to 32 TLS Profiles can be created. renegotiation-period 148 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 3FZ 08139 ACAA PCZZA Edition 07 July 2015 . The TLS Profile needs to be associated with a Peer-Network to become effective. • optionally: the renegotiation period (in hour) to force a new TLS handshake periodically (not activated by default). If not specified during the creation of the TLS profile. no-ca-check | ca-check Specifies whether or not the peer certificate needs to be checked against the CA certificate signing chain. • optionally: the fact to check or not the validity of the peer certificate. Each TLS profile contains: • a description name • the id of the local certificate to use for the SFW. Command tls-profile tlsprofileid [local-cert certid] [no-ca-check|ca-check] [renegotiation-period period_in_hours] [name description] Arguments tlsprofileid This is the identifier of the TLS Profile. • the list of ids of trusted CA certificates.

checking the validity of the peer certificate is the default behavior. • optionally: the fact to check or not the validity of the peer certificate. The TLS Profile needs to be associated with a Peer-Network to become effective.tls-profile tlsprofileid no renegotiation-period TLS Profile If renegotiation-period is set in TLS profile. Each TLS profile contains: • a description name • the id of the local certificate to use for the SFW. If not specified during the creation of the TLS profile. name Description of the TLS Profile (32 characters). Command tls-profile tlsprofileid [local-cert certid] [no-ca-check|ca-check] [renegotiation-period period_in_hours] [name description] Arguments tlsprofileid 3FZ 08139 ACAA PCZZA Edition 07 July 2015 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 149 . • the list of id of trusted CA certificates. This option should be used to take into account CA certificates updates on already established TLS connection. the ongoing TLS connections are renegotiated (TLS handshake) every renegotiation-period value. • optionally: the renegotiation period (in hour) to force a new TLS handshake periodically (not activated by default). Example -> tls-profile 2 local-cert 1 ca-check renegotiation-period 1 name tls-prof-operator1 tls-profile tlsprofileid no renegotiation-period Purpose The purpose of that command is to create a TLS Profile.

the ongoing TLS connections are renegotiated (TLS handshake) every renegotiation-period value. Example -> tls-profile 2 local-cert 1 ca-check renegotiation-period 1 150 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 3FZ 08139 ACAA PCZZA Edition 07 July 2015 .TLS Profile tls-profile tlsprofileid no renegotiation-period This is the identifier of the TLS Profile. Up to 32 TLS Profiles can be created. no-ca-check | ca-check Specifies whether or not the peer certificate needs to be checked against the CA certificate signing chain. local-cert Identifies the SFW local certificate. name Description of the TLS Profile (32 characters). renegotiation-period If renegotiation-period is set in TLS profile.

! period ! check ! cert. If the option “ca-check” has been set for the given TLS profile. As described in the example. ! ! id ! ! id ! (hours) ! ! id(s) ! +---------+----------------------+-------+---------------+-------+-----------------------+ ! 1 ! tls-prof-doamain1 ! 1 ! 1 ! Yes ! 1 ! ! 2 ! tls-prof-sipp-server ! 1 ! 1 ! Yes ! 1 2 3 4 5 6 7 8 9 10 ! +---------+----------------------+-------+---------------+-------+-----------------------+ 3FZ 08139 ACAA PCZZA Edition 07 July 2015 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 151 . However the above command limits the number of certificate ids to 8.TLS Profile tls-profile tlsprofileid ca-cert-list certid1 … [certid8] tls-profile tlsprofileid ca-cert-list certid1 … [certid8] Purpose The purpose of that command is to associate a list of trusted CA certificates ids with a TLS profile. Command tls-profile tlsprofileid ca-cert-list certid1 [certid2] [certid3] … [certid8] Arguments tlsprofileid This is the identifier of the TLS Profile. if more than 8 certificate ids need to be associated with a TLS profile this is done running the CLI command several times. Example -> tls-profile 2 ca-cert-list 1 2 3 4 5 6 7 8 -> tls-profile 2 ca-cert-list 9 10 -> show tls-profile +---------+----------------------+-------+---------------+-------+-----------------------+ ! TLS ! Name ! Local ! Renegotiation ! CA ! CA ! ! profile ! ! cert. the validity of the peer certificate will be checked against this list of CA certificates. ca-cert-list Up to 64 CA certificates ids can be associated with a TLS profile.

The above command limits the list of certificate ids to 8. Command tls-profile tlsprofileid ca-cert-list certid1 [certid2] [certid3] … [certid8] Arguments tlsprofileid This is the identifier of the TLS Profile. ! ! id ! ! id ! (hours) ! ! id(s) ! +---------+----------------------+-------+---------------+-------+-----------------------+ ! 1 ! tls-prof-doamain1 ! 1 ! 1 ! Yes ! 1 ! ! 2 ! tls-prof-sipp-server ! 1 ! 1 ! Yes ! ! +---------+----------------------+-------+---------------+-------+-----------------------+ 152 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 3FZ 08139 ACAA PCZZA Edition 07 July 2015 . Example -> tls-profile 2 no ca-cert-list 1 2 3 4 5 6 7 8 -> tls-profile 2 no ca-cert-list 9 10 -> show tls-profile +---------+----------------------+-------+---------------+-------+-----------------------+ ! TLS ! Name ! Local ! Renegotiation ! CA ! CA ! ! profile ! ! cert. if more than 8 certificate ids need to be removed from a TLS profile this is done running the CLI command several times.tls-profile tlsprofileid no ca-cert-list certid1 … [certid8] TLS Profile tls-profile tlsprofileid no ca-cert-list certid1 … [certid8] Purpose The purpose of that command is to remove a list of trusted CA certificates ids from a TLS profile. ! period ! check ! cert. As described in the example. ca-cert-list This is the list of CA certificates ids that needs to be removed from the TLS profile.

It describes how to import a CA certificate. This paragraph provides information about the management of the X509 certificates of the Certification Authority (CA). • CA certificates used to check the validity of the rpoc certificates: All the CA certificates of the rpoc "signing chain" must be imported on the SFW in order to check the validity of the rpoc certificate. Two types of X509v3 certificates are handled by the SFW: • Local certificate used to identify the SFW. how to check the content of the imported CA certificate and how to check the SFW configuration related with CA certificates.9 CA certificates Purpose The SFW supports TLS with mutual authentication (each side must present its X509 certificate). This is the typical authentication mode in SIP peering (cf static mode of [SIP connect] referenced document). 3FZ 08139 ACAA PCZZA Edition 07 July 2015 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 153 .

When SFW is managed by an OMC-P such details will be taken into account by a Certificate Manager residing on the OMC-P that may bring more added values. “validity dates” etc.CA certificates Summary of the CLI for CA certificates management Summary of the CLI for CA certificates management CA certificates import certificate ca ca-certid [name description ] certificate ca ca-certid name description no certificate ca ca-certid show certificate ca pem ca-certid show certificate ca details ca-certid show certificate ca ca-certid show certificate ca Remark about the “show” commands: The following CLI commands : “show certificate ca details ca-certid” . However. “show certificate ca” allow the operator to read attributes of the X509 certificates such as “Subject Common Name”. 154 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 3FZ 08139 ACAA PCZZA Edition 07 July 2015 . “Issuer Common Name” . the SNMP interface between OMC-P and SFW allows the OMC-P to retrieve the CA certificates in PEM base64 format in the same way that the command “show certificate ca pem ca-certid”. “show certificate ca ca-certid” .

Example -> import certificate ca 64 Please copy and then paste below the certificate in PEM Base64 SSLeay format . Command Import certificate ca ca-certid [name description] <Copy/Paste certificate> Arguments ca-certid This is the identifier of the CA certificate. -----BEGIN CERTIFICATE----MIIDWTCCAsKgAwIBAgIJANKXS3v3iVunMA0GCSqGSIb3DQEBBQUAMHwxCzAJBgNV BAYTAkZyMQ8wDQYDVQQIEwZGcmFuY2UxEDAOBgNVBAcTB09ydmF1bHQxDDAKBgNV CM5btYl6pzhv89v3rfniPlCOle+IfFkgFi8cYhaB5p1txfvY5oTBC5Fm6lVzqBKv AgMBAAGjgeIwgd8wHQYDVR0OBBYEFH0WXCkG/Kve4CxF2jrIrZM3WKujMIGvBgNV EDAOBgNVBAMTB25ld3lvcmuCCQDSl0t794lbpzAMBgNVHRMEBTADAQH/MA0GCSqG SIb3DQEBBQUAA4GBAGuXhqH+qynbueiJmrRVb12/lgmMaHaNiKeOaUupYK+RoSOh FLmUIHN4e9b0YpujOMBOKxFeuyP4dNT1i11KPADGoha18vZke/YgiV4sBvT+amLM IhspzdKn88JQftfANA2/iEJksrUX2Z5RH4Ff9RYnwk1xnKw2gP2RG+xCa/lA -----END CERTIFICATE----Command successful 3FZ 08139 ACAA PCZZA Edition 07 July 2015 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 155 .. If omitted during the import phase.. <Copy/Paste certificate> When the operator hits the carriage-return he has the ability to copy paste the certificate in PEM base64 format. The description of the CA certificate is limited to 32 characters. Up to 64 CA certificates can be imported. name This attribute is optional. the name of the CA certificate can be later specified via the command “certificate ca ca-certid name description”.CA certificates import certificate ca ca-certid [name description] import certificate ca ca-certid [name description] Purpose This command allows the operator to import on the SFW a CA (Certification Authority) certificate in PEM base64 format.

CA certificates certificate ca ca-certid name description certificate ca ca-certid name description Purpose This command allows the operator to add or modify the name of a CA (Certification Authority) certificate previously imported. Command certificate ca ca-certid name description Arguments ca-certid This is the identifier of the CA certificate. name The description of the CA certificate is limited to 32 characters.cert 156 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 3FZ 08139 ACAA PCZZA Edition 07 July 2015 . Example -> certificate ca 64 name alcatel-lucent.

CA certificates no certificate ca ca-certid no certificate ca ca-certid Purpose This command allows the operator to suppress a CA (Certification Authority) certificate previously imported. Command no certificate ca ca-certid Arguments ca-certid This is the identifier of the CA certificate. Example -> no certificate ca 64 3FZ 08139 ACAA PCZZA Edition 07 July 2015 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 157 .

Cert Name= CA1. It provides also information such as the name associated with the CA certificate and its validity period.Cert Id=1.CA certificates show certificate ca pem ca-certid show certificate ca pem ca-certid Purpose This command allows the operator to retrieve a CA certificate in PEM base64 format.crt ----Certificate in PEM Base64 format: -----BEGIN CERTIFICATE----MIIDWTCCAsKgAwIBAgIJANKXS3v3iVunMA0GCSqGSIb3DQEBBQUAMHwxCzAJBgNV BAYTAkZyMQ8wDQYDVQQIEwZGcmFuY2UxEDAOBgNVBAcTB09ydmF1bHQxDDAKBgNV BAoTA0FMVTEqMCgGA1UECxMhU0ZXIHRlc3RiZWQgQ2VydGlmaWNhdGUgQXV0aG9y aXR5MRAwDgYDVQQDEwduZXd5b3JrMB4XDTExMDkwNzA5NTEzNFoXDTE2MDkwNTA5 NTEzNFowfDELMAkGA1UEBhMCRnIxDzANBgNVBAgTBkZyYW5jZTEQMA4GA1UEBxMH T3J2YXVsdDEMMAoGA1UEChMDQUxVMSowKAYDVQQLEyFTRlcgdGVzdGJlZCBDZXJ0 aWZpY2F0ZSBBdXRob3JpdHkxEDAOBgNVBAMTB25ld3lvcmswgZ8wDQYJKoZIhvcN SIb3DQEBBQUAA4GBAGuXhqH+qynbueiJmrRVb12/lgmMaHaNiKeOaUupYK+RoSOh FLmUIHN4e9b0YpujOMBOKxFeuyP4dNT1i11KPADGoha18vZke/YgiV4sBvT+amLM IhspzdKn88JQftfANA2/iEJksrUX2Z5RH4Ff9RYnwk1xnKw2gP2RG+xCa/lA -----END CERTIFICATE----Certificate dates validity checking is OK : notBefore=Sep 09:51:34 2011 GMT < current date=Oct 19 10:03:12 2011 < notAfter=Sep 5 09:51:34 2016 GMT 7 Command successful 158 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 3FZ 08139 ACAA PCZZA Edition 07 July 2015 . Command show certificate ca pem ca-certid Arguments ca-certid This is the identifier of the CA certificate. Example -> show certificate ca pem 1 ----.

O=CA2. CN=newyork Validity Not Before: Sep 13 12:05:36 2011 GMT Not After : Sep 12 12:05:36 2012 GMT Subject: C=Fr. Example -> show certificate ca details 2 ----. and check that it contains the correct information. previously imported in PEM format. L=Orvault.Cert Id=2. CN=myCA2 Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (1024 bit) Modulus (1024 bit): 00:a9:3f:9e:12:5e:40:97:ff:5f:55:a2:b1:56:6b: 40:18:b4:2b:1d:4e:c4:5e:ac:42:8c:85:fa:83:96: 1c:4f:55:8e:03:42:f1:b1:f8:61:d8:ca:e2:7f:81: 6d:56:6d:fb:a9:d0:9c:88:e2:a7:3c:22:47:c0:bb: fa:4d:de:90:fd:80:26:95:72:a7:9a:cc:34:3a:42: f8:43:39:c6:2c:c7:61:ba:65 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Basic Constraints: CA:FALSE Netscape Comment: OpenSSL Generated Certificate X509v3 Subject Key Identifier: 10:00:CE:58:D3:A1:9E:54:D1:AC:AE:E2:96:48:9F:D1:D3:E8:D6:0D X509v3 Authority Key Identifier: keyid:7D:16:5C:29:06:FC:AB:DE:E0:2C:45:DA:3A:C8:AD:93:37:58:AB:A3 Signature Algorithm: sha1WithRSAEncryption 39:41:bd:2d:52:2e:dc:b1:96:35:b0:74:ed:fa:bc:1e:8e:2c: 73:7d:17:da:01:71:04:4a:f1:ab:a3:9d:74:6d:a6:20:92:be: ed:67:51:a4:68:a3:55:ad:41:c0:84:b2:29:67:bd:84:69:49: 00:66 Certificate dates validity checking is OK : notBefore=Sep 13 12:05:36 2011 GMT < current date=Oct 19 11:55:58 2011 < notAfter=Sep 12 12:05:36 2012 GMT Command successful 3FZ 08139 ACAA PCZZA Edition 07 July 2015 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 159 .CA certificates show certificate ca details ca-certid show certificate ca details ca-certid Purpose This command allows the operator to decode a CA certificate. O=ALU. Command show certificate ca details ca-certid Arguments ca-certid This is the identifier of the CA certificate. ST=France. Cert Name= CA2. ST=France.crt ----Certificate: Data: Version: 3 (0x2) Serial Number: 5 (0x5) Signature Algorithm: sha1WithRSAEncryption Issuer: C=Fr. OU=SFW testbed Certificate Authority.

! Subject ! Issuer ! Dates ! Private ! ! cert.crt ! myCA2 ! newyork ! OK ! n/s ! +-------+---------+---------+---------+----------+----------+ 1 elements Subject C/ST/L Subject /O/OU/Email Issuer C/ST/L Issuer /O/OU/Email : : : : Fr/France/ /CA2// Fr/France/Orvault /ALU/SFW testbed Certificate Authority/ X509v3 Subject Alternative Name(s) Command successful 160 : Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 3FZ 08139 ACAA PCZZA Edition 07 July 2015 . ! Name ! Common ! Common ! Validity ! key ! ! id ! ! Name ! Name ! ! matching ! +-------+---------+---------+---------+----------+----------+ ! 2 ! CA2. Command show certificate ca ca-certid Arguments ca-certid This is the identifier of the CA certificate. Example -> show certificate ca 2 +-------+---------+---------+---------+----------+----------+ ! CA ! Cert.CA certificates show certificate ca ca-certid show certificate ca ca-certid Purpose This command allows the operator to read the main attributes of a CA certificate.

crt ! myCA4 ! myCA3 ! OK ! n/s ! ! 5 ! CA5. ! Subject ! Issuer ! Dates ! Private ! ! cert.crt ! myCA6 ! myCA5 ! OK ! n/s ! ! 7 ! CA7.crt ! myCA3 ! myCA2 ! OK ! n/s ! ! 4 ! CA4.crt ! newyork ! newyork ! OK ! n/s ! ! 2 ! CA2.crt ! myCA8 ! myCA7 ! OK ! n/s ! ! 9 ! CA9.crt ! myCA7 ! myCA6 ! OK ! n/s ! ! 8 ! CA8.crt ! myCA10 ! myCA9 ! OK ! n/s ! ! 11 ! CA11.crt ! myCA2 ! newyork ! OK ! n/s ! ! 3 ! CA3.CA certificates show certificate ca show certificate ca Purpose This command allows the operator to list all CA certificates imported on the SFW with there main attributes. ! Name ! Common ! Common ! Validity ! key ! ! id ! ! Name ! Name ! ! matching ! +-------+----------------+---------+---------+----------+----------+ ! 1 ! CA1.crt ! myCA5 ! myCA4 ! OK ! n/s ! ! 6 ! CA6.crt ! myCA11 ! myCA10 ! OK ! n/s ! +-------+----------------+---------+---------+----------+----------+ Command successful 3FZ 08139 ACAA PCZZA Edition 07 July 2015 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 161 . Command show certificate ca Example -> show certificate ca +-------+----------------+---------+---------+----------+----------+ ! CA ! Cert.crt ! myCA9 ! myCA8 ! OK ! n/s ! ! 10 ! CA10.

3FZ 08139 ACAA PCZZA Edition 07 July 2015 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 162 . This is the typical authentication mode in SIP peering (cf static mode of [SIP connect] referenced document). This paragraph provides information about the management of the local X509 certificates. This avoids exposing the related Private Key.10 Local X509 certificates and Privates Keys Purpose The SFW supports TLS with mutual authentication (each side must present its X509 certificate). It describes how to import and check the content of a local certificate and its related Private Key. Two types of X509v3 certificates are handled by the SFW: • Local certificate used to identify the SFW. • CA certificates used to check the validity of the rpoc certificates: All the CA certificates of the rpoc "signing chain" must be imported on the SFW in order to check the validity of the rpoc certificate. The local X509 certificates may result from a CSR (Certificate Signing Request) generated on the SFW.

3FZ 08139 ACAA PCZZA Edition 07 July 2015 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 163 . the SNMP interface between OMC-P and SFW allows the OMC-P to retrieve the local certificates in PEM base64 format in the same way that the command “show certificate local pem certid”. However. “show certificate local certid” . “Issuer Common Name” .Local X509 certificates and Privates Keys Summary of the CLI for SFW local certificates management Summary of the CLI for SFW local certificates management SFW Local certificates import certificate local certid [name description ] import certificate local privatekey certid [password pwd] [name description ] certificate local certid name description no certificate local certid show certificate local pem certid show certificate local details certid show certificate local certid show certificate local certificate local certid request common-name common_name email email_address country country_name state state_or_province_name locality locality_name organization organization_name organizational-unit organizational_unit_name [subject-alt-name subject_alt_name] [name description] Remark about the “show” commands: The following CLI commands : “show certificate local details certid” . “show certificate local” allow the operator to read attributes of the local X509 certificates such as “Subject Common Name”. “validity dates” etc. When SFW is managed by an OMC-P such details will be taken into account by a Certificate Manager residing on the OMC-P that may bring more added values.

<Copy/Paste certificate> When the operator hits the carriage-return he has the ability to copy paste the certificate in PEM base64 format. Command import certificate local certid [name description] <Copy/Paste certificate> Arguments certid This is the identifier of the SFW local certificate and its related Private Key. The description of the local certificate is limited to 32 characters. There is an exception. The operator may import first the certificate of the private key. name This attribute is optional. when the local X509 results from a CSR (Certificate Signing Request) locally generated on the SFW.. the importation of the related Private Key is not required. Importation of a local X509 certificate must be followed or preceded by the importation of its related Private Key. the name of the local certificate can be later specified via the command “certificate local certid name description”. Both will be tied by the same certid. Up to 32 local certificates can be imported.Local X509 certificates and Privates Keys import certificate local certid [name description] import certificate local certid [name description] Purpose This command allows the operator to import on the SFW a local X509 certificate in PEM base64 format. -----BEGIN CERTIFICATE----MIIDWTCCAsKgAwIBAgIJANKXS3v3iVunMA0GCSqGSIb3DQEBBQUAMHwxCzAJBgNV BAYTAkZyMQ8wDQYDVQQIEwZGcmFuY2UxEDAOBgNVBAcTB09ydmF1bHQxDDAKBgNV -----END CERTIFICATE----- 164 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 3FZ 08139 ACAA PCZZA Edition 07 July 2015 . If omitted during the import phase. A SFW local certificate authenticates the SFW side of the TLS connection whereas a CA certificate authenticates a peer. Example -> import certificate local 2 name sfw-westford Please copy and then paste below the certificate in PEM Base64 SSLeay format ..

the name of the local certificate can be later specified either during the importation of the local certificate or via the command “certificate local certid name description. <Copy/Paste certificate> When the operator hits the carriage-return he has the ability to copy paste the Private Key in PEM base64 format.Local X509 certificates and Privates Keys import certificate local privatekey certid [password pwd] import certificate local privatekey certid [password pwd] Purpose This command allows the operator to import on the SFW a Private Key in PEM base64 format related to a local X509 certificate.. Up to 32 local certificates can be imported. -----BEGIN RSA PRIVATE KEY----3FZ 08139 ACAA PCZZA Edition 07 July 2015 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 165 . Example -> import certificate local privatekey 2 Please copy and then paste below the certificate in PEM Base64 SSLeay format . password If the Private Key is encrypted the password must be supplied during the importation of the private Key. If omitted during the import phase of the private key. Both will be tied by the same certid.. Importation of a Private Key must be followed or preceded by the importation of its related local X509 certificate. The description of the local certificate is limited to 32 characters. name This attribute is optional. It provides a name for the local certificate related to the private key currently imported. Command import certificate local privatekey certid [password pwd] [name description] <Copy/Paste certificate> Arguments certid This is the identifier of the SFW local certificate and its related Private Key.

The Private Keys are ciphered and cannot be exported via the output of a “show” command.Local X509 certificates and Privates Keys import certificate local privatekey certid [password pwd] MIICXQIBAAKBgQDFCbmOTEaVD3dJ26QSWKZ92TaDFfobxfjdnFVxYhi3hWPGD3uk DDjqhWnV1BQsEHfGXpvyV/WNUnoI2hZpsjL8XgjWy5ZA/SASpptGfnXwbd6K4FGu 29azGKD+WGKd+oPljlqp3+9rLNnD53fqlNWobM/RO2Pfp9r0Py19ugk3vQJBAK7f +eTEKS2/ZlwGuRgVAMBhkzwnTasZkChhQpBRNN0cdLfVnE0P3VrkDGa+MaoDL9zY l4xdMnjjXqa3FRve77ECQQCKZKudL7a6XrZRZl+2T3PpM8gOQ8sLqzG4J2+VkzBy P/JXZxrJX1oXifJPtWd5y6z5Wjc7JXyYUtatWB3WY2g0 -----END RSA PRIVATE KEY----Remark Note that the private keys are not stored in the SFW configuration file as they have been imported. 166 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 3FZ 08139 ACAA PCZZA Edition 07 July 2015 .

Local X509 certificates and Privates Keys certificate local certid name description certificate local certid name description Purpose This command allows the operator to add or modify the name of a local certificate previously imported. Command certificate local certid name description Arguments certid This is the identifier of the SFW local certificate.cert 3FZ 08139 ACAA PCZZA Edition 07 July 2015 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 167 . name The description of the local certificate is limited to 32 characters. Example -> certificate local 1 name sfw5.

This command suppresses at the same time the Private Key with the same certid.Local X509 certificates and Privates Keys no certificate local certid no certificate local certid Purpose This command allows the operator to suppress a local certificate previously imported. Command no certificate ca certid Arguments ca-certid This is the identifier of the CA certificate. Example -> no certificate local 1 168 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 3FZ 08139 ACAA PCZZA Edition 07 July 2015 .

Local X509 certificates and Privates Keys show certificate local pem certid show certificate local pem certid Purpose This command allows the operator to retrieve a local certificate in PEM base64 format. Command show certificate local pem certid Arguments ca-certid This is the identifier of the local certificate.E28F48920FAD24FA QpzjZSVF1Iu2GRirxUfvUiNAWZmGaWwzXo4wP02EMwYi1uQkwlT7JCrcHsaI9+XP eyMx00YdgcWieN269iGQGm9wPSa9ms2qfXrw/RolQynEZsr7vxwzr2G/gD/tOc8z HitDDsEgFTutDVxG/kzkNWT099p/dWXFzUzqspt2Dwvzzuye1HrBP0GFlJ/fXzKJ CXv4ctyO6U3nblu7szWK21Cez+5xizaptrWs+APQ0qMMlSQXE4EjYg== -----END RSA PRIVATE KEY----Key modulus of certificate public key is matching with the one of the Private Key 3FZ 08139 ACAA PCZZA Edition 07 July 2015 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 169 .cert ----Certificate in PEM Base64 format: -----BEGIN CERTIFICATE----MIIC8TCCAlqgAwIBAgIBBjANBgkqhkiG9w0BAQUFADB8MQswCQYDVQQGEwJGcjEP ZbCgF7CYoX6C1Xm6q6E5ct1eAdDkZaYuyo6hkPOJn3MnnJ1erw== -----END CERTIFICATE----Certificate dates validity checking is OK : notBefore=Oct 6 15:31:24 2011 GMT < current date=Oct 19 13:33: 5 15:31:24 2012 GMT Private Key in PEM Base64 format: -----BEGIN RSA PRIVATE KEY----Proc-Type: 4. Example -> show certificate local pem 1 ----. its validity period and the validity of the local certificate against its Private Key. This command provides also information such as the name associated with the local certificate. Cert Name= sfw5.ENCRYPTED DEK-Info: DES-EDE3-CBC.Cert Id=1. The X509 part of the local certificate can then be exported. However the Private Key part in PEM format is ciphered and cannot be encrypted.

Cert Name= sfw5. CN=newyork Validity Not Before: Oct 6 15:31:24 2011 GMT Not After : Oct 5 15:31:24 2012 GMT Subject: C=Fr. O=ALU.Cert Id=1. O=ALU.crt ----Certificate in PEM Base64 format: -----BEGIN CERTIFICATE----MIIDWTCCAsKgAwIBAgIJANKXS3v3iVunMA0GCSqGSIb3DQEBBQUAMHwxCzAJBgNV 170 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 3FZ 08139 ACAA PCZZA Edition 07 July 2015 . previously imported in PEM format. Command show certificate local details certid Arguments certid This is the identifier of the CA certificate.Cert Id=1. ST=France.cert ----Certificate: Data: Version: 3 (0x2) Serial Number: 6 (0x6) Signature Algorithm: sha1WithRSAEncryption Issuer: C=Fr. Cert Name= CA1. OU=SFW_testbed. ST=France.fr Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (1024 bit) Modulus (1024 bit): 00:c5:09:b9:8e:4c:46:95:0f:77:49:db:a4:12:58: a6:7d:d9:36:83:15:fa:1b:c5:f8:dd:9c:55:71:62: 46:a3:09:94:00:c4:65:ed:0a:44:d8:bf:61:27:0c: 6d:83:55:6c:84:be:83:6b:2f Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Basic Constraints: CA:FALSE Netscape Comment: OpenSSL Generated Certificate X509v3 Subject Key Identifier: 84:15:47:37:C8:BE:E9:A6:81:2C:24:E9:67:18:F4:ED:C4:C6:BE:B6 X509v3 Authority Key Identifier: keyid:7D:16:5C:29:06:FC:AB:DE:E0:2C:45:DA:3A:C8:AD:93:37:58:AB:A3 Signature Algorithm: sha1WithRSAEncryption 74:a5:c2:d4:06:4a:93:23:f1:ad:2e:fa:c2:b9:83:40:ab:83: f6:65:b0:a0:17:b0:98:a1:7e:82:d5:79:ba:ab:a1:39:72:dd: 5e:01:d0:e4:65:a6:2e:ca:8e:a1:90:f3:89:9f:73:27:9c:9d: 5e:af Certificate dates validity checking is OK : notBefore=Oct 6 15:31:24 2011 GMT < current date=Oct 19 14:05:40 2011 < notAfter=Oct 5 15:31:24 2012 GMT Key modulus of certificate public key is matching with the one of the Private Key Command succesful sfw5> show certificate ca pem 1 ----. CN=sfw5/emailAddress=sfw5@orvault. and check that it contains the correct information.Local X509 certificates and Privates Keys show certificate local details certid show certificate local details certid Purpose This command allows the operator to decode a CA certificate. Example -> show certificate local details 1 ----. L=Orvault. OU=SFW testbed Certificate Authority. L=Orvault.

! Name ! Common ! Common ! Validity ! key ! ! id ! ! Name ! Name ! ! matching ! +-------+-----------+---------+---------+----------+----------+ ! 1 ! sfw5.Local X509 certificates and Privates Keys show certificate local certid BAYTAkZyMQ8wDQYDVQQIEwZGcmFuY2UxEDAOBgNVBAcTB09ydmF1bHQxDDAKBgNV QUxVMSowKAYDVQQLEyFTRlcgdGVzdGJlZCBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkx EDAOBgNVBAMTB25ld3lvcmuCCQDSl0t794lbpzAMBgNVHRMEBTADAQH/MA0GCSqG SIb3DQEBBQUAA4GBAGuXhqH+qynbueiJmrRVb12/lgmMaHaNiKeOaUupYK+RoSOh FLmUIHN4e9b0YpujOMBOKxFeuyP4dNT1i11KPADGoha18vZke/YgiV4sBvT+amLM IhspzdKn88JQftfANA2/iEJksrUX2Z5RH4Ff9RYnwk1xnKw2gP2RG+xCa/lA -----END CERTIFICATE----Certificate dates validity checking is OK : notBefore=Sep 7 09:51:34 2011 GMT < current date=Oct 19 14:08:13 2011 < notAfter=Sep 5 09:51:34 2016 GMT Command succesful show certificate local certid Purpose This command allows the operator to read the main attributes of a local certificate.fr Fr/France/Orvault /ALU/SFW testbed Certificate Authority/ X509v3 Subject Alternative Name(s) Command successful 3FZ 08139 ACAA PCZZA Edition 07 July 2015 : Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 171 . ! Subject ! Issuer ! Dates ! Private ! ! cert. Command show certificate local certid Arguments ca-certid This is the identifier of the CA certificate.cert ! sfw5 ! newyork ! OK ! matching ! +-------+-----------+---------+---------+----------+----------+ 1 elements Subject C/ST/L Subject /O/OU/Email Issuer C/ST/L Issuer /O/OU/Email : : : : Fr/France/Orvault /ALU/SFW_testbed/sfw5@orvault. It permits also to check that the local certificate and its private key are matching. Example show certificate local 1 +-------+-----------+---------+---------+----------+----------+ ! Local ! Cert.

cert ! sfw6 ! newyork ! OK ! matching ! ! 3 ! sfw7. Command show certificate local Example -> show certificate local +-------+-----------+---------+---------+----------+----------+ ! Local ! Cert. ! Name ! Common ! Common ! Validity ! key ! ! id ! ! Name ! Name ! ! matching ! +-------+-----------+---------+---------+----------+----------+ ! 1 ! sfw5. ! Subject ! Issuer ! Dates ! Private ! ! cert.cert ! sfw5 ! newyork ! OK ! matching ! ! 2 ! sfw6.cert ! sfw7 ! newyork ! OK ! matching ! +-------+-----------+---------+---------+----------+----------+ Command successful 172 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 3FZ 08139 ACAA PCZZA Edition 07 July 2015 .Local X509 certificates and Privates Keys show certificate local show certificate local Purpose This command allows the operator to list all local certificates imported on the SFW with there main attributes.

The PEM base64 part. SFW Local Certificate(s) 3/ Certificate importation 1/ Certificate request creation Root user Certification Authority Cert. The resulting signed certificate must be imported through the standard importation procedure (import certificate local certid) with the same cert id in order to be consistent with the private key part. can be copied/pasted in a file to be sent to the relevant certification authority that may sign it. for a local certificate.Local X509 certificates and Privates Keys certificate local certid request certificate local certid request Purpose This command formats a certificate signing request (CSR). It also generates an associated RSA private key of 2048 bits if a key not already exists for this cert id. displayed by the output of this command.part Private key part 2/ Certificate signing request (CSR) Command certificate local certid request common-name common_name email email_address country country_name state state_or_province_name locality locality_name organization organization_name organizational-unit organizational_unit_name [subject-alt-name subject_alt_name] [name description] 3FZ 08139 ACAA PCZZA Edition 07 July 2015 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 173 . in PEM base64 format.

These include email (an email address) URI (a uniform resource indicator).Local X509 certificates and Privates Keys certificate local certid request Arguments ca-certid This is the identifier of the CA certificate. subject-alt-name The subject alternative name extension allows various literal values."SIPconnect 1. alcatel-lucent.1 Technical”. Corp. country The two-letter ISO code for the country where your organization is located. This shouldn't be abbreviated. In case of interconnection with a IP-PBX and to be compliant with the “SIP connect” recommendation “SIP-PBX / Service Provider Interoperability . email An email address used to contact your organization. This should not be abbreviated and should include suffixes such as Inc. locality The city where your organization is located. common-name The fully qualified domain name (FQDN) of your SFW. the recommended format for the subject-alt-name is the SIP URI formatted as in the following example: Example: URI:sip:sfw4. state The state/region where your organization is located. or LLC. DNS (a DNS domain name). organization The legal name of your organization.com 174 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 3FZ 08139 ACAA PCZZA Edition 07 July 2015 . IP (an IP address). organizational-unit The division of your organization handling the certificate.

alcatel-lucent...com name sfw4.Local X509 certificates and Privates Keys certificate local certid request Example -> certificate local 4 request common-name sfw4 email sfw4@orvault.fr country Fr state France locality Orvault organization ALU organizational-unit SFW-Testbed subject-alt-name URI:sip:sfw4. generating private key for this local certificate (none existing) Certification request for this local certificate in PEM Base64 format: -----BEGIN CERTIFICATE REQUEST----MIIC5TCCAc0CAQAwgYMxDTALBgNVBAMTBHNmdzQxHjAcBgkqhkiG9w0BCQEWD3Nm dzRAb3J2YXVsdC5mcjELMAkGA1UEBhMCRnIxDzANBgNVBAgTBkZyYW5jZTEQMA4G A1UEBxMHT3J2YXVsdDEMMAoGA1UEChMDQUxVMRQwEgYDVQQLEwtTRlctVGVzdGJl ZDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAM5SSaCQ8yzs8NtF0Qqb /Peu8fA8TZwjH0WEFrvZe03qeFH568CdnxGSqUoskgx3CQDogfMRPqsEsUSf0nX8 94+XTW2HJn2r/WyZbKOO9XtC+ZSmplXE60EHs5vCcqjlg0u2VAHfVYmG9E5ZMORL 7THfom5RrYzFHOFV8yzEjBgNKvjWQE52qjjyYePI68+ZxWGYHIVUyOSaxFLnJV9z NuClEGRDmAkvw1mLmT+VbCoQErX0xbg7hZVfx04uHUxHThiV8hsDlI40n7WXArwM dCgGChU5wLDbww9iISe9b9ZaZD71t/0mrpz/KtWNIFPBlx5d8Hf+UK/0jPA0yqlk YDW3rKuTvWQJInDHPIaIZlIVc/oxLKOlzA== -----END CERTIFICATE REQUEST----Command successful 3FZ 08139 ACAA PCZZA Edition 07 July 2015 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 175 .cert .

This checking ensures that SIP responses and subsequent request coming from the MGC8 IBCF will be routable. can be resolved via the SFW internal DNS server. Introduction With the current release. SFW checks that FQDN included in the top Via can be resolved via the SFW internal DNS server. after removing its own Routes. SFW implements its own internal DNS server. FQDN in Outgoing messages received from the MGC8 In case of SIP request. if there is no more Route header. SFW checks that FQDN included in the top Route. This ensures that the SIP message will be properly routed. SFW doesn’t check that FQDN included in Route header or Req-URI can be resolved via its internal DNS server. 3FZ 08139 ACAA PCZZA Edition 07 July 2015 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 176 . after removing its own Routes. SFW checks that FQDN included in the Request-Line. SFW doesn’t perform DNS requests toward an external DNS server to resolve FQDN that may appear in SIP headers.11 Internal DNS server Purpose This paragraph provides information about the configuration of the SFW internal DNS server intended to resolve names of Untrusted Peering-Points. In case of SIP request. if any. after removing its own Via. In case of SIP response. can be resolved via the SFW internal DNS server. In that case a FQDN doesn’t prevent the MGC8 IBCF CCS selection. FQDN in Incoming messages received from Peer-Networks SFW checks that FQDN included in top Record-Route and top Via headers can be resolved via the SFW internal DNS server.

Internal DNS server Summary of the CLI for the internal DNS management Summary of the CLI for the internal DNS management SFW internal DNS dns-internal dns-entry-id name rpoc-name peer-net netid ip address dns-internal dns-entry-id name rpoc-name dns-internal dns-entry-id peer-net netid dns-internal dns-entry-id ip address dns-internal dns-entry-id no ipv4 dns-internal dns-entry-id no ipv6 show dns-internal 3FZ 08139 ACAA PCZZA Edition 07 July 2015 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 177 .

matching the FQDN specified for that entry. rpoc-name This is the FQDN of the Remote POC. IPv4 or IPv6.8.biloxy.Internal DNS server dns-internal dns-entry-id name peer-net ip dns-internal dns-entry-id name peer-net ip Purpose The purpose of that command is to create a DNS entry in the internal DNS server of the SFW. Note that in case of dual stack IPv4/IPv6. Command dns-internal dns-entry-id name rpoc-name peer-net netid ip address Arguments dns-entry-id This is the identifier of the DNS entry. address This is the IP address. Example -> dns-internal 1 name proxyA.23. you need to specify one address at the creation of the DNS entry and then add the other address via the CLI command “dns-internal dns-entry-id ip address”. Up to 2047 DNS entries can be created.com peer-net 20 ip 172. netid This is the identifier of the Peer Network.9 -> dns-internal 1 ip 2001:8::172:23:8:9 178 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 3FZ 08139 ACAA PCZZA Edition 07 July 2015 .

rpoc-name This is the FQDN of the Remote POC.Internal DNS server dns-internal dns-entry-id name rpoc-name dns-internal dns-entry-id name rpoc-name Purpose The purpose of that command is to modify the FQDN of a DNS entry in the internal DNS server of the SFW. Command dns-internal dns-entry-id name rpoc-name Arguments dns-entry-id This is the identifier of the DNS entry.biloxy.com 3FZ 08139 ACAA PCZZA Edition 07 July 2015 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 179 . Example -> dns-internal 1 name B2B.

netid This is the Peer-Network identifier.Internal DNS server dns-internal dns-entry-id peer-net netid dns-internal dns-entry-id peer-net netid Purpose The purpose of that command is to modify the Peer Network identifier of a DNS entry in the internal DNS server of the SFW. Command dns-internal dns-entry-id peer-net netid Arguments dns-entry-id This is the identifier of the DNS entry. Example -> dns-internal 1 peer-net 20 180 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 3FZ 08139 ACAA PCZZA Edition 07 July 2015 .

address This is the IP address. IPv4 or IPv6. you need to specify one address at the creation of the DNS entry and then add the other address via this CLI command. Note that in case of dual stack IPv4/IPv6.Internal DNS server dns-internal dns-entry-id ip address dns-internal dns-entry-id ip address Purpose The purpose of that command is to modify the IP address associated with a FQDN in a DNS entry in the internal DNS server of the SFW. matching the FQDN specified for that entry. Command dns-internal dns-entry-id ip address Arguments dns-entry-id This is the identifier of the DNS entry. Example -> dns-internal 1 ip 2001:7::182:13:21:4 3FZ 08139 ACAA PCZZA Edition 07 July 2015 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 181 .

Internal DNS server dns-internal dns-entry-id no ipv4 dns-internal dns-entry-id no ipv4 Purpose The purpose of that command is to remove the IP v4 address associated with a FQDN in a DNS entry in the internal DNS server of the SFW. Command dns-internal dns-entry-id no ipv4 Arguments dns-entry-id This is the identifier of the DNS entry. Command dns-internal dns-entry-id no ipv6 Arguments dns-entry-id This is the identifier of the DNS entry. Example -> dns-internal 1 no ipv4 dns-internal dns-entry-id no ipv6 Purpose The purpose of that command is to remove the IP v6 address associated with a FQDN in a DNS entry in the internal DNS server of the SFW. Example -> dns-internal 1 no ipv6 182 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 3FZ 08139 ACAA PCZZA Edition 07 July 2015 .

is not yet configured as peering-point. if any. o “V4 and V6” means that both IP addresses V4 and V6 are matching the peering-point configuration. 3FZ 08139 ACAA PCZZA Edition 07 July 2015 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 183 . Output Definition Name & IP address Display the possible resolution of FQDN representing peering-points on the Untrusted side of the firewall Validity To be used during FQDN resolution. Command dns-internal [peer-net netid] Arguments netid Optionally this identifier of a Peer-Network can be specified to display only DNS entries related to that Peer-Network. o “V6 only” means that the IPv6 address match a peering-point whereas the IPv4 address. an IP address configured in the SFW internal DNS must match an IP address configured as peering-point (rpoc) for the specified peer-net.Internal DNS server show dns-internal show dns-internal Purpose The purpose of that command is to display the configuration of the internal DNS server. o “invalid” means that the address is not yet configured as peering-point in the peer-network. if any. o “V4 only” means that the IPv4 address match a peering-point whereas the IPv6 address. is not yet configured as peering-point.

com ! 172.biloxy.4.7.3.22.biloxy.33 ! V4 only ! ! 6 ! 10 ! proxyA.biloxy.20.com ! 172.35 ! V4 only ! +-----+----------+-------------------+-------------+----------+ 184 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 3FZ 08139 ACAA PCZZA Edition 07 July 2015 .5.biloxy.com ! 172.22.16.9 ! 2 ! 7 ! 3 2001:8::172:23:8:9 ! V4 & V6 ! ! proxyA.com ! 172.35 ! V4 only ! ! 5 ! proxyA.18.com ! 172.35 2001:4::172:19:4:35 ! V4 & V6 ! ! 10 ! 6 ! proxyA.50 2001:11::172:16:11:50 ! V4 & V6 ! +-----+----------+-------------------+---------------------------------------+----------+ -> show dns-internal peer-net 7 +-----+----------+-------------------+-------------+----------+ ! idx ! peer-net ! name ! IP address ! Validity ! +-----+----------+-------------------+-------------+----------+ ! 2 ! 7 ! proxyA.com ! 172.23.com ! 172.24.90.19.21.33 2001:6::172:21:6:33 ! V4 & V6 ! ! 12 ! 11 ! proxyA.10 2001:90::172:24:90:10 ! V6 only ! ! 8 ! 3 ! proxyA.6.biloxy.biloxy.com ! 172.biloxy.11.biloxy.Internal DNS server show dns-internal Example -> show dns-internal +-----+----------+-------------------+---------------------------------------+----------+ ! idx ! peer-net ! name ! IP address ! Validity ! +-----+----------+-------------------+---------------------------------------+----------+ ! 1 ! 20 ! proxyA.8.biloxy.7.com ! 172.9 ! invalid ! ! 9 ! 4 ! proxyA.

e. Introduction The main features provided by the Load Balancing Group are the following: Configuration of a set of IP address and Port belonging to the IBCF A Load-Balancing-Group contains the IP information that allows the SIP firewall to reach the trusted IBCF it protects.12 Load Balancing Group Purpose This paragraph provides information about: • What is the Load-Balancing-Group object. 3FZ 08139 ACAA PCZZA Edition 07 July 2015 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 185 . the SIP firewall uses the load balancing group associated with the Peer Network to select one of the remote POC (IBCF CCS). The IBCF can contain several processors for SIP signaling. each of which can support multiple processes (called CCS’s). Load balancing of initial untrusted SIP requests For the incoming initial SIP message received on the Untrusted side (new INVITE or a transaction out of an INVITE dialog). this is expected to change to separate IP addresses per processor. the trusted remote POC won’t change anymore for the whole SIP dialog or the out-of-dialog SIP transaction. or one IP address per service blade and one unique port). • CLIs to configure the Load-Balancing-Group object. A Peer Network MUST have a Load Balancing group assigned. the SIP firewall accepts any combination of IP address and port (i. all these processes share the same IP address. To address any kind of IBCF architecture. A Load-Balancing-Group can be shared by several Peer Networks. Currently. but use different signaling port numbers. In a future release.: one unique IP address and one port per service blade. In the Load-Balancing-Group object a CCS is referenced as an rpoc: remote point of contact on the trusted side of the SIP firewall. Once selected.

Geographical Redundancy The SIP firewall can protect a geographically redundant IBCF. are applied after the one associated to the remote Peer Network (see Security Profile).Load Balancing Group show dns-internal Overload Control and rate limiters The Load-Balancing-Group provides an Overload Control feature thanks to the configuration of the call and transaction rate limiters. Load Balancing group and Trusted Local POC association One Trusted Local POC needs to be associated with each Load-Balancing-Group. 186 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 3FZ 08139 ACAA PCZZA Edition 07 July 2015 . These rate limiters are applied per remote POC (CCS) to be able to assign different weights on the IBCF processes. the SIP firewall processes fair load balancing among the Peer Networks. From rate limiting standpoint. The SFW sends heartbeats (SIP OPTIONS) periodically to each CCS to keep track of which ones are active. To address this case. This addresses active/standby IBCF configuration as well as active/active IBCF configuration. Since the sum of the rate limiters of the Peer Network associated to the Load Balancing group can exceed the rate defined for the Load-Balancing-Group. within a Load Balancing Group. the rate limiters of the remote POCs. The IP address of the trusted lpoc is the source IP address of the SIP messages sent to the IBCF CCSs (rpoc). active and standby remote POCs (CCSs) are similarly declared in the Load Balancing Group object. It doesn’t send any new INVITEs to a CCS that is not responding to the heartbeat.

Summary of the CLI for Load-Balancing-Group management Load Balancing Group Summary of the CLI for Load-Balancing-Group management Load-Balancing-Group load-balancing-group groupId [enable | disable] [name description] load-balancing-group GroupId rpoc poc_id ip ip_address [udp[ port] | tcp[ port] | sctp[ port] | tls[ port]] load-balancing-group GroupId rpoc poc_id {udp[ port] | tcp[ port] | sctp[ port] | tls[ port]} load-balancing-group GroupId rpoc poc_id no ipv4 load-balancing-group GroupId rpoc poc_id no ipv6 load-balancing-group GroupId rpoc poc_id no {udp| tcp | sctp | tls} load-balancing-group GroupId no rpoc poc_id load-balancing-group GroupId lpoc trusted_lpoc_id load-balancing-group GroupId no lpoc trusted_lpoc_id load-balancing-group GroupId vlan vid load-balancing-group GroupId polling period interval load-balancing-group GroupId rpoc poc_id call rate call_rate delay sip_msg_delay load-balancing-group GroupId rpoc poc_id transaction rate trans_rate delay sip_trans_delay no load-balancing-group groupId show load-balancing-group [GroupId] show load-balancing-group [GroupId] rpoc [poc_id] show load-balancing-group [GroupId] connectivity 3FZ 08139 ACAA PCZZA Edition 07 July 2015 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 187 .

enable | disable Provides the ability to change the operational status of the Load-Balancing-Group. Up to 32 Load-Balancing-Group can be created. Command load-balancing-group groupId [enable | disable] [name description] Arguments groupId This is the identifier of the Load-Balancing-Group. description Description of the Load-Balancing-Group (31 characters) Example -> load-balancing-group 1 enable name LBG_1 188 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 3FZ 08139 ACAA PCZZA Edition 07 July 2015 .Load Balancing Group load-balancing-group groupId load-balancing-group groupId Purpose The purpose of that command is to create a Load-Balancing-Group.

Up to 32 rpoc can be defined per Load-Balancing-Group. the port 5060 and UDP transport are configured by default. poc_id This is the identifier of the remote POC (MGC8 CCS process) within a Load-BalancingGroup. The Load-Balancing-Group is a collection of CCSs. This command requires to be ran once for each CCS. It will be set to 5060 if there is no other transport mode configured 3FZ 08139 ACAA PCZZA Edition 07 July 2015 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 189 . port Optionally the listening port and transport mode of the remote POC can be specified. A remote POC can be dual-stack IPv4/IPv6. It is still possible to modify the listening ports with the following command: load-balancing-group GroupId rpoc poc_id {udp[ port] | tcp[ port] | sctp[ port] | tls[ port]} If the transport mode is specified but the port value is omitted then the port will be assigned automatically.Load Balancing Group load-balancing-group groupId rpoc load-balancing-group groupId rpoc Purpose The purpose of that command is to associate an IBCF remote POC (MGC8 CCS process) with a Load-Balancing-Group. If this option is not specified. In that case the CLI must be run twice. once to specify the IPv6 address. once to specify the IPv4 address. The same poc_id can be used for different Load-Balancing-Group. Command load-balancing-group GroupId rpoc poc_id ip ip_address [udp[ port] | tcp[ port] | sctp[ port] | tls[ port]] load-balancing-group GroupId rpoc poc_id {udp[ port] | tcp[ port] | sctp[ port] | tls[ port]} Arguments groupId This is the identifier of the Load-Balancing-Group. ip_address Defines the IPv4 or IPv6 address of the remote POC.

A modification of the port value.168. This means that all listening port values are equal for a peering point.55 udp 5066 Configures IP address and UDP listening port of a remote POC in a single command. Example -> load-balancing-group 2 rpoc 1 ip 192. -> load-balancing-group 2 rpoc 1 ip 2001:200::192:168:2:50 Configures the IPv6 address of the remote POC. -> load-balancing-group 2 rpoc 1 tcp Configures the tcp port with the port value equal to the udp port value.2.50 Configures the IPv4 address of the remote POC and implicitly the udp port 5060. whatever the transport mode. -> load-balancing-group 2 rpoc 1 udp 5064 Modifies the udp port value.Load Balancing Group load-balancing-group groupId rpoc or it will be set automatically to the same value than the one set for other transport mode already configured.168. affects the port value for all transport modes.2. -> load-balancing-group 2 rpoc 2 ip 192. As a consequence other transport mode already configured are also implicitly configured with the same port value. 190 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 3FZ 08139 ACAA PCZZA Edition 07 July 2015 .

these 2 addresses and 4 ports are seen as remote POCs. and provides 2 SIP service blades on the following ports: 5061.168. In order to achieve geographical redundancy.168.10). 5062. Only available remote POCs are intended to reply to the SIP OPTIONS.Load Balancing Group load-balancing-group groupId rpoc Complementary information Hereafter is a networking example based on the MGC-8 case where the service blades (CCS modules) share the same IP address but use different Port numbers to provide SIP service. 5062. From the SIP Firewall point of view. This allows support of IBCF processes in an active/standby mode as well as in an active/active mode. The primary IBCF is configured with a unique IP address (192. the 4 remote POCs (CCSs in MGC8 terminology) are gathered in the same Load Balancing Group 1. The backup IBCF is configured with a unique IP address (192. 3FZ 08139 ACAA PCZZA Edition 07 July 2015 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 191 . Thus.10. The SIP firewall performs heartbeat request towards the remote POCs sending SIP OPTIONS messages. the SIP firewall may know which processes on the MGC8 are ready to receive SIP Traffic.20). and provides 2 SIP service blades on the following ports: 5061.10.

Load Balancing Group load-balancing-group groupId rpoc The resulting CLI commands are: -> lpoc trusted 1 ip 192.20 rpoc 4 ip 192.2 no rip -> -> -> -> -> -> -> load-balancing-group load-balancing-group load-balancing-group load-balancing-group load-balancing-group load-balancing-group load-balancing-group 1 1 1 1 1 1 1 enable name LBG_1 vlan 20 lpoc 1 rpoc 1 ip 192.252 gw 192.10 rpoc 2 ip 192.168.168.10.20.20.10.255.1 enable name LPOC_TRUSTED_1 -> vlan 20 trusted enable name TRUSTED_VLAN_20 -> vlan 20 subnet 192.10.168.10 rpoc 3 ip 192.168.168.168.20.168.255.10.20 udp udp udp udp 5061 5062 5061 5062 -> peer-net 1 load-balancing-group 1 192 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 3FZ 08139 ACAA PCZZA Edition 07 July 2015 .0 mask 255.

Command load-balancing-group GroupId rpoc poc_id no ipv4 Arguments groupId This is the identifier of the Load-Balancing-Group.Load Balancing Group load-balancing-group groupId rpoc no ipv4 load-balancing-group groupId rpoc no ipv4 Purpose The purpose of that command is to delete the IPv4 address of an IBCF remote POC (MGC8 CCS process) within a Load-Balancing-Group. Example -> load-balancing-group 2 rpoc 1 no ipv4 3FZ 08139 ACAA PCZZA Edition 07 July 2015 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 193 . poc_id This is the identifier of the remote POC (MGC8 CCS process) within a Load-BalancingGroup.

Load Balancing Group load-balancing-group groupId rpoc no ipv6 load-balancing-group groupId rpoc no ipv6 Purpose The purpose of that command is to delete the IPv6 address of an IBCF remote POC (MGC8 CCS process) within a Load-Balancing-Group. poc_id This is the identifier of the remote POC (MGC8 CCS process) within a Load-BalancingGroup. Command load-balancing-group GroupId rpoc poc_id no ipv6 Arguments groupId This is the identifier of the Load-Balancing-Group. Example -> load-balancing-group 2 rpoc 13 no ipv6 194 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 3FZ 08139 ACAA PCZZA Edition 07 July 2015 .

3FZ 08139 ACAA PCZZA Edition 07 July 2015 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 195 . poc_id This is the identifier of the remote POC (MGC8 CCS process) within a Load-BalancingGroup.2. Example -> load-balancing-group 2 rpoc 1 ip 192.Load Balancing Group load-balancing-group groupId rpoc poc_id no {udp | tcp | sctp | tls} load-balancing-group groupId rpoc poc_id no {udp | tcp | sctp | tls} Purpose The purpose of that command is to remove a transport mode from a remote POC associated with a Load-Balancing-Group. no {udp | tcp | sctp | tls} Specifies the transport type to be removed from the RPOC. Command load-balancing-group groupId rpoc poc_id no {udp| tcp| sctp| tls} Arguments groupId This is the identifier of the Load-Balancing-Group.168.50 tcp 5060 Configures the tcp port value to 5060 and also implicitly the udp port value to 5060. -> load-balancing-group 2 rpoc 1 no udp Disables the udp transport mode for the remote POC 1 of the Load-Balancing-Group 2.

Example -> load-balancing-group 1 no rpoc 2 196 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 3FZ 08139 ACAA PCZZA Edition 07 July 2015 . poc_id This is the identifier of the remote POC (MGC8 CCS process) within the Load-BalancingGroup.Load Balancing Group load-balancing-group groupId no rpoc poc_id load-balancing-group groupId no rpoc poc_id Purpose The purpose of that command is to remove the association between a remote POC (MGC8 CCS process) and a Load-Balancing-Group. Command load-balancing-group groupId no rpoc poc_id Arguments groupId This is the identifier of the Load-Balancing-Group.

Load Balancing Group load-balancing-group groupId lpoc trusted_lpoc_id load-balancing-group groupId lpoc trusted_lpoc_id Purpose The purpose of that command is to associate a Trusted Local Point of Contact (lpoc) with a LoadBalancing-Group. trusted_lpoc_id This is the identifier of the Trusted LPOC that has been previously created via the command “ lpoc trusted poc_id ”. 3FZ 08139 ACAA PCZZA Edition 07 July 2015 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 197 . Command load-balancing-group groupId lpoc trusted_lpoc_id Arguments groupId This is the identifier of the Load-Balancing-Group. Example -> load-balancing-group 1 lpoc 1 Associates the Trusted LPOC 1 with the Load-Balancing-Group 1.

198 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 3FZ 08139 ACAA PCZZA Edition 07 July 2015 . trusted_lpoc_id This is the identifier of the Trusted LPOC that has been previously associated with the Load-Balancing-Group. Example -> load-balancing-group 1 no lpoc 1 Removes the association between the Trusted LPOC 1 and the Load-Balancing-Group 1. Command load-balancing-group groupId no lpoc trusted_lpoc_id Arguments groupId This is the identifier of the Load-Balancing-Group.Load Balancing Group load-balancing-group groupId no lpoc trusted_lpoc_id load-balancing-group groupId no lpoc trusted_lpoc_id Purpose The purpose of that command is to remove the association between a Trusted Local Point of Contact (lpoc) and a Load-Balancing-Group.

3FZ 08139 ACAA PCZZA Edition 07 July 2015 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 199 . Example -> load-balancing-group 1 vlan 20 Create an association between the Load-Balancing-Group 1 and the Vlan 20.Load Balancing Group load-balancing-group groupId vlan vid load-balancing-group groupId vlan vid Purpose The purpose of that command is to associate a Vlan with a Peer Network. vid This is the identifier of the Vlan that has been previously created with the command “vlan vid”. Command load-balancing-group groupId vlan vid Arguments groupId This is the identifier of the Load-Balancing-Group.

Example -> load-balancing-group 1 no vlan 200 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 3FZ 08139 ACAA PCZZA Edition 07 July 2015 . Command load-balancing-group groupId no vlan Arguments groupId This is the identifier of the Load-Balancing-Group.Load Balancing Group load-balancing-group groupId no vlan load-balancing-group groupId no vlan Purpose The purpose of that command is to remove the association between a Vlan and a Load-BalancingGroup.

Load Balancing Group load-balancing-group groupId polling period interval load-balancing-group groupId polling period interval Purpose In order to check the IP/SIP connectivity on the trusted side between the LPOC and RPOCs associated within the same Load-Balancing-Group there are two polling mechanism: • A Ping polling is issued periodically sending ICMP requests from the LPOC to the RPOCs (IBCF’s CCSs). Command load-balancing-group groupId polling period interval Arguments groupId This is the identifier of the Load-Balancing-Group. in seconds. ICMP requests and SIP OPTIONS are sent for both IPv4 and IPv6 protocols according to the RPOC/LPOC configuration. Example -> load-balancing-group 1 polling period 10 3FZ 08139 ACAA PCZZA Edition 07 July 2015 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 201 . The status of the CCSs connectivity on the trusted side can be retrieved via the CLI command “show load-balancig-group connectivity”. interval Sets the value. • A SIP polling is issued periodically sending SIP OPTIONS from the LPOC to the RPOCs (IBCF’s CCSs). By default Ping requests and SIP OPTIONS are sent each 4 seconds. The purpose of that command is to modify the period of the Ping and SIP polling occurring between the LPOC and RPOCs of a Load-Balancing-Group. of the polling period interval.

By configuring a call setup rate limiter on a Peer Network (thanks the configuration of a SIP Security Profile). one can limit the rate of one source. poc_id This is the identifier of the remote POC (MGC8 CCS process) within the Load-BalancingGroup. but there is no way (on the Peer-Network configuration) to control that the sum of all the sources does not overload the IBCF CCSs where all the sources converge. the following command defines: o the call setup rate that is supported per rpoc (CCS) o the maximum delay that a SIP message can stay in the transmit queue associated with the rpoc (CCS) The transmit queue depth. The value should be between 0 and 100000. in SIP messages. In the MGC8 terminology the rpoc represents the CCS entity.load-balancing-gro groupId rpocup poc_id call rate Load Balancing Group load-balancing-group groupId rpoc poc_id call rate Purpose The purpose of that command is to configure the Call Admission Control per remote POC (rpoc) associated with a Load Balancing Group. is computed according to the value of call_rate and sip_msg_delay parameters Command load-balancing-group groupId rpoc poc_id call rate call_rate delay sip_msg_delay Arguments groupId This is the identifier of the Load-Balancing-Group. The call admission control applies to Initial INVITE SIP messages and allows dimensioning of the transmit queue depth (call setup queue) that is associated with each CCS. So to avoid such a situation. 202 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 3FZ 08139 ACAA PCZZA Edition 07 July 2015 . call_rate Call setup rate per seconds.

Load Balancing Group

load-balancing-group groupId rpoc poc_id call rate

sip_msg_delay
Defines the time a SIP message can remain in the transmit queue of the SIP firewall before
being dropped. The delay is set in milliseconds in the range 1-2000.
Example
-> load-balancing-group 3 rpoc 1 call rate 10000 delay 300

3FZ 08139 ACAA PCZZA
Edition 07
July 2015

Alcatel-Lucent — Proprietary
Use pursuant to applicable agreements

203

Load Balancing Group

load-balancing-group groupId rpoc poc_id transaction rate

load-balancing-group groupId rpoc poc_id transaction rate
Purpose

The purpose of that command is to allows dimensioning of the non-INVITE transaction
queue per remote POC (rpoc) associated with a Load-Balancing-Group. In the MGC8
terminology the rpoc represents the CCS entity.
The transaction rate applies to non-INVITE SIP messages.
The transaction delay limits the maximum time the SIP firewall can delay a non-invite SIP
message within the non-invite transmission queue associated with a rpoc.

Command
load-balancing-group groupId rpoc poc_id transaction rate trans_rate delay
sip_trans_delay

Arguments
groupId
This is the identifier of the Load-Balancing-Group.
poc_id
This is the identifier of the remote POC (MGC8 CCS process) within the Load-BalancingGroup.
trans_rate
This is the maximum number of transactions per seconds. The value should be between 0
and 100000.
sip_trans_delay
Defines the time a SIP message can remain in the transmit queue of the SIP firewall before
being dropped. The delay is set in milliseconds in the range 1-2000.
Example
-> load-balancing-group 3 rpoc 1 transaction rate 10000 delay 300

204

Alcatel-Lucent — Proprietary
Use pursuant to applicable agreements

3FZ 08139 ACAA PCZZA
Edition 07
July 2015

Load Balancing Group

no load-balancing-group groupId

no load-balancing-group groupId
Purpose

The purpose of that command is to delete a Load-Balancing-Group.
Before deleting a Load-Balancing-Group it is necessary to remove the existing
associations between this Load-Balancing-Group and its RPOC and LPOC via the
commands:
load-balancing-group groupId no rpoc poc_id
load-balancing-group groupId no lpoc trusted_lpoc_id

Command
no load-balancing-group groupId
Arguments
groupId
This is the identifier of the Load-Balancing-Group.
Example
-> load-balancing-group 3 no lpoc 2
-> load-balancing-group 3 no rpoc 1
-> no load-balancing-group 3

3FZ 08139 ACAA PCZZA
Edition 07
July 2015

Alcatel-Lucent — Proprietary
Use pursuant to applicable agreements

205

Load Balancing Group

show load-balancing-group

show load-balancing-group
Purpose

The purpose of that command is to display the Load-Balancing-Group configuration and
its operational status.

Command
show load-balancing-group [groupId]
Arguments
groupId
This is the identifier of the Load-Balancing-Group. If groupId is not specified, all Load
Balancing Groups are displayed.
Example
-> show load-balancing-group
+----------+-----------------+--------+------+-------+
! Group Id ! Name
! Status ! Lpoc ! Vlan !
+----------+-----------------+--------+------+-------+
! 1
! LBG_1
! up
! 1
! 200
!
! 2
! LBG_2
! up
! 1
! 200
!
! 3
! LBG-Tokyo
! up
! 1
! 200
!
! 4
! LBG4-Mexico
! up
! 1
! 200
!
+----------+-----------------+--------+------+-------+
Output Definition
Status
The Load-Balancing-Group status is:

206

“up” if at least one rpoc (MGC8 CCS) is seen alive via the SIP OPTIONS
heartbeat mechanism.

“down” if all rpoc (MGC8 CCS) failed to answer to the SIP OPTIONS
sent by the SIP Firewall.

Alcatel-Lucent — Proprietary
Use pursuant to applicable agreements

3FZ 08139 ACAA PCZZA
Edition 07
July 2015

Load Balancing Group

show load-balancing-group rpoc

show load-balancing-group rpoc
Purpose

The purpose of that command is to display, on the trusted side, the Remote POC
configurations and their operational status.

Command
show load-balancing-group [groupId] rpoc [poc_id]
Arguments
groupId
This is the identifier of the Load-Balancing-Group. If groupId is not specified, all Load
Balancing Groups are displayed.
Example
->

show load-balancing-group rpoc

+-----+------+-----------+----------------------------------------+-------+-------+------+-----+----------+--------+
! LBG ! rpoc ! Ope state ! IP Address

! Udp

! Tcp

! Sctp ! Tls ! call/sec ! Tx/sec !

+-----+------+-----------+----------------------------------------+-------+-------+------+-----+----------+--------+
! 1

! 1

! up

! 192.168.2.50

2001:200::192:168:2:50 ! 50001 ! 50001 ! n/s

! n/s ! 10000

! 10000

!

! 2

! 1

! up

! 3

! 1

! up

! 192.168.2.9

! 50001 ! 50001 ! n/s

! n/s ! 10000

! 10000

!

! 192.168.2.33

! 50001 ! 50001 ! n/s

! n/s ! 10000

! 10000

!

! 4

! 1

! up

! 192.168.2.35

2001:200::192:168:2:35 ! 50001 ! 50001 ! n/s

! n/s ! 10000

! 10000

!

! 5

! 1

! up

! 192.168.2.37

! n/s ! 10000

! 10000

!

! 5060

! 5060

! n/s

+-----+------+-----------+----------------------------------------+-------+-------+------+-----+----------+--------+

Output Definition
Ope State
The rpoc (MGC8 CCS) status rely on the SIP OPTIONS heartbeat mechanism. The rpoc
is:

3FZ 08139 ACAA PCZZA
Edition 07
July 2015

“up” if the rpoc successfully responds to the SIP OPTIONS sent by the SIP
Firewall.

“down” if the rpoc fails to answer to the SIP OPTIONS sent by the SIP
Firewall.

Alcatel-Lucent — Proprietary
Use pursuant to applicable agreements

207

Load Balancing Group

show load-balancing-group connectivity

show load-balancing-group connectivity
Purpose

The purpose of that command is to check, on the trusted side, the IP and SIP connectivity
between the trusted LPOC and the remote POCs (IBCF’s CCSs).
The IP connectivity is checked issuing periodically ICMP requests from the LPOC to the
RPOC associated within the Load-Balancing-Group. By default a Ping request is issued
each 5 seconds. ICMP requests are sent for both IPv4 and IPv6 protocols according to the
RPOC/LPOC configuration.
The SIP connectivity is checked according to the SIP OPTIONS heartbeat mechanism.
The SFW sents periodically SIP OPTIONS from the LPOC to the RPOC associated within
the Load-Balancing-Group. By default a SIP OPTIONS is sent each 5 seconds. Depending
on the RPOC/LPOC configuration the SIP OPTIONS mechanism is activated either over
IPv4 or IPv6 or both protocols.
The polling period, applying for both Ping and SIP OPTIONS, can be modified via the
CLI command “load-balancing-group GroupId polling period interval”

Command
show load-balancing-group [groupId] connectivity
Arguments
groupId
This is the identifier of the Load-Balancing-Group. If groupId is not specified, all Load
Balancing Groups are displayed.
Example
-> show load-balancing-group connectivity
+----------+------+------+--------+--------+---------+--------+-----------------+
! Group Id ! rpoc ! lpoc ! period ! SIP v4 ! PING v4 ! SIP v6 ! PING v6

!

+----------+------+------+--------+--------+---------+--------+-----------------+
! 1

! 1

! 1

! 4

! up

! PING UP ! down

! PING UP

!

! 2

! 1

! 1

! 4

! up

! PING UP ! down

! V4 ONLY

!

! 3

! 1

! 1

! 4

! up

! PING UP ! down

! V4 ONLY

!

! 4

! 1

! 1

! 4

! up

! PING UP ! down

! NO RESP

!

! 5

! 1

! 1

! 4

! up

! NO MAC

! V4 ONLY

!

! down

+----------+------+------+--------+--------+---------+--------+-----------------+

208

Alcatel-Lucent — Proprietary
Use pursuant to applicable agreements

3FZ 08139 ACAA PCZZA
Edition 07
July 2015

• “up” means that the rpoc successfully responds to the SIP OPTIONS sent by the SIP Firewall using IPv4 protocol. • “down” means that the rpoc fails to answer to the SIP OPTIONS sent by the SIP Firewall using IPv6 protocol. 3FZ 08139 ACAA PCZZA Edition 07 July 2015 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 209 . • “NO LPOC” means that the configuration is not consistent. The LPOC associated with the Load-Balancing-Group has no IPv6 address whereas there is at least one IPv6 RPOC associated with that LoadBalancing-Group. PING v4 and PING v6 The “PING v4” status reflects the IP V4 connectivity between LPOC and RPOC of a Load-Balancing-Group. • “down” means that the rpoc fails to answer to the SIP OPTIONS sent by the SIP Firewall using IPv4 protocol. • “NO LPOC IP ADDR” means that the configuration is not consistent. The “PING v6” status reflects the IP V6 connectivity between LPOC and RPOC of a Load-Balancing-Group. SIP v6 The “SIP v6” status relies on the SIP OPTIONS heartbeat mechanism over IPv6 protocol. • “up” means that the rpoc successfully responds to the SIP OPTIONS sent by the SIP Firewall using IPv6 protocol. • “PING UP” means that the rpoc successfully responds to the ICMP Requests sent by the SIP Firewall.Load Balancing Group show load-balancing-group connectivity Output Definition SIP v4 The “SIP v4” status relies on the SIP OPTIONS heartbeat mechanism over IPv4 protocol. The LPOC associated with the Load-Balancing-Group has no IPv4 address whereas there is at least one IPv4 RPOC associated with that LoadBalancing-Group. • “NO MAC” means that the configuration is consistent but the RPOC destination MAC address has not been yet resolved. There is no LPOC associated with the Load-Balancing-Group whereas there is at least a RPOC and a Vlan associated with that Load-Balancing-Group.

Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 3FZ 08139 ACAA PCZZA Edition 07 July 2015 . There is no Vlan associated with the Load-Balancing-Group. • “V4 ONLY” means that configuration is consistent but LPOC or RPOC are IPv4 only.Load Balancing Group show load-balancing-group connectivity • “NO VLAN” means that the configuration is not consistent. A router is required in the vlan definition as soon as the vlan and the LPOC are not in the same subnet. • “NO VLAN SUBNET” means that the configuration is not consistent. The router IP address in the definition of the vlan. • “TRUNK DOWN” means that the configuration is consistent. • “V6 ONLY” means that configuration is consistent but LPOC or RPOC are IPv6 only. associated with the Load-Balancing-Group. • “NO RESP” means that the configuration is consistent. A gateway is required in the vlan definition as soon as the vlan and the RPOC are not in the same subnet. associated with the Load-Balancing-Group. 210 • “ROUTER IP NOT IN SUBNET” means that the configuration is not consistent. The gateway IP address in the definition of the vlan. thus ping v6 cannot be performed. The MAC address of the RPOC is known but the SFW does not get any response to the ping requests. An IP gateway address is required in the definition of the vlan associated with the Load-Balancing-Group otherwise the RPOC is unreachable. The trusted trunk is down. • “NO ROUTER IP” means that the configuration is not consistent. is not in the vlan subnet. is not in the vlan subnet. There is no IPv4 subnet in the definition of the vlan associated with the Load-Balancing-Group whereas there is at least one IPv4 RPOC associated with that Load-Balancing-Group. thus ping v4 cannot be performed. There is no IPv6 subnet in the definition of the vlan associated with the Load-Balancing-Group whereas there is at least one IPv6 RPOC associated with that Load-Balancing-Group. An IP router address is required in the definition of the vlan associated with the Load-Balancing-Group otherwise the LPOC is unreachable. • “NO DEFAULT GW” means that the configuration is not consistent. • “GATEWAY IP NOT IN SUBNET” means that the configuration is not consistent.

The default TCP SYN threshold values can be adjusted via the CLI commands listed below. The default thresholds values are the following ones: o OAM interface: 10 TCP SYN per sec o Trusted interface: 1000 TCP SYN per sec o Untrusted interface: 2000 TCP SYN per sec When the TCP SYN rate exceeds the above thresholds the SFW suspects that an attack is ongoing and enters in TCP SYN regulation mode.13 Tcp Syn Flood Protection Purpose This paragraph provides information about the SFW configuration preventing from TCP SYN flooding. Introduction TCP SYN are filtered out according to predefine thresholds depending on the interface type. 3FZ 08139 ACAA PCZZA Edition 07 July 2015 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 211 . In that state the TCP SYN are filtered out to prevent the attack. However TCP connection establishment is still possible for non-attackers. The “show tcp syn” command provides useful information about the TCP SYN flood parameters and current status. When activated the TCP SYN regulation mode will last at least 30 seconds.

Tcp Syn Flood Protection Summary of the CLI for TCP SYN Flood management Summary of the CLI for TCP SYN Flood management TCP SYN Flood management tcp syn oam rate syn_per_sec tcp syn untrusted rate syn_per_sec tcp syn trustec rate syn_per_sec show tcp syn show tcp statistics [oam | untrusted [netid] | trusted [netid] ] tcp syn oam rate syn_per_sec Purpose The purpose of that command is to modify the default value applied for TCP SYN flood protection on the OAM interface of the firewall. This rate cannot be set higher than 20 TCP SYN per second. Example -> tcp syn oam rate 5 212 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 3FZ 08139 ACAA PCZZA Edition 07 July 2015 . Command tcp syn oam rate syn_per_sec Arguments syn_per_sec Defines the acceptable TCP SYN rate on the OAM interface. The default value is set to 10 TCP SYN per second.

Tcp Syn Flood Protection tcp syn untrusted rate syn_per_sec tcp syn untrusted rate syn_per_sec Purpose The purpose of that command is to modify the default value applied for TCP SYN flood protection on the Untrusted interface of the firewall. This rate cannot be set higher than 10000 TCP SYN per second. The default value is set to 1000 TCP SYN per second. Command tcp syn untrusted rate syn_per_sec Arguments syn_per_sec Defines the acceptable TCP SYN rate on the Untrusted interface. 3FZ 08139 ACAA PCZZA Edition 07 July 2015 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 213 . The default value is set to 2000 TCP SYN per second. This rate cannot be set higher than 10000 TCP SYN per second. Command tcp syn trusted rate syn_per_sec Arguments syn_per_sec Defines the acceptable TCP SYN rate on the Untrusted interface. Example -> tcp syn untrusted rate 5000 tcp syn trusted rate syn_per_sec Purpose The purpose of that command is to modify the default value applied for TCP SYN flood protection on the Trusted interface of the firewall.

On: There is a TCP SYN flood attack ongoing. Example -> show tcp syn +-----------+------+--------+----------------+ ! interface ! rate ! status ! attack counter ! +-----------+------+--------+----------------+ ! oam ! 10 ! off ! 0 ! ! trusted ! 1000 ! off ! 0 ! ! untrusted ! 2000 ! off ! 0 ! +-----------+------+--------+----------------+ 214 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 3FZ 08139 ACAA PCZZA Edition 07 July 2015 . status Off: There is no TCP SYN flood attack ongoing.Tcp Syn Flood Protection show tcp syn show tcp syn Purpose The purpose of that command is to display the TCP SYN flood configuration and check if the SFW has been or is currently under TCP SYN attacks Command show tcp syn Output Definition rate This is the maximum rate of TCP SYN per second before entering in TCP SYN regulation mode. Attack counter Counts the number of TCP SYN attacks.

Tcp Syn Flood Protection show tcp statistics show tcp statistics Purpose The purpose of that command is to display the TCP statistics per interface type. Example -> show tcp statistics CUMULATED UNTRUSTED tcpActiveOpens tcpPassiveOpens tcpCurrEstab tcpInSegs tcpOutSegs tcpSynRcv TCP : : : : : : STATISTICS 16523 2 3 18894 30190 2 CUMULATED TRUSTED TCP STATISTICS tcpActiveOpens : 261153 tcpCurrEstab : 31 tcpInSegs : 243029 tcpOutSegs : 384744 3FZ 08139 ACAA PCZZA Edition 07 July 2015 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 215 . Command show tcp statistics Output Definition Active connections openings Passive connection openings Failed connection attempts Connection resets received Connections established Segments received Segments send out Segments retransmitted TCP segment received in error TCP Resets sent TCP SYN received TCP SYN dropped TCP RST dropped because bad sequence number tcpActiveOpens tcpPassiveOpens tcpAttemptFails tcpEstabResets tcpCurrEstab tcpInSegs tcpOutSegs tcpRetransSegs tcpInErrs tcpOutRsts tcpSynRcv tcpSynDropped tcpOutOfSeqResets .

Tcp Syn Flood Protection OAM TCP STATISTICS tcpActiveOpens tcpPassiveOpens tcpAttemptFails tcpCurrEstab tcpInSegs tcpOutSegs tcpRetransSegs 216 show tcp statistics : : : : : : : 34 32 1 3 1965 1753 1 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 3FZ 08139 ACAA PCZZA Edition 07 July 2015 .

not accessible on the front panel but via the SCM. Introduction The SIP firewall is made of 2 DHSPP4 boards running in Active/Standby mode for the SIP Firewalling application. Four interfaces per DHSPP4 are available in the front panel (Ge0.Ge3) for • Ge0 interfaces are dedicated to the cabling towards the Untrusted networks • Ge3 interfaces are dedicated to the cabling towards the Trusted networks • Ge1 and Ge2 are used to interconnect Active and Standby DHSPP4 Two interfaces per DHSPP4.14 Interfaces (Ge Ports) & Trunks Purpose This paragraph provides information about the management of the Gigabits Ethernet physical ports of the SIP Firewall. are used for OAM (Ge4) and SCM/DHSPP4 (Ge5) supervision. Each DHSPP4 is hosted in a different 7510 SCM2 board (slot 10 and slot 11) Each DHSPP4 provides 8 gigabits Ethernet physical ports (Ge0. 3FZ 08139 ACAA PCZZA Edition 07 July 2015 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 217 ..Ge7)..

Interfaces (Ge Ports) & Trunks Summary of the CLI for Ge Interfaces and Trunks management Summary of the CLI for Ge Interfaces and Trunks management Ge Interfaces and Trunks management show interfaces show interfaces slot[/port] trunk {trusted|untrusted} mode [linkagg | act-stdy] show trunk [trusted|untrusted] show trunk [trusted|untrusted] port 218 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 3FZ 08139 ACAA PCZZA Edition 07 July 2015 .

Interfaces (Ge Ports) & Trunks show interfaces show interfaces Purpose The purpose of the following commands is to provide information about the Giga Ethernet interfaces of the SIP Firewall. It’s either 10 or 11. Example -> show interfaces +-----------------------------+--------------+--------------------+ ! Slot/Port ! Admin Status ! Operational Status ! +-----------------------------+--------------+--------------------+ ! 10/Ge0 external untrusted ! up ! up ! ! 10/Ge1 external inter-HSPP ! up ! up ! ! 10/Ge2 external inter-HSPP ! up ! up ! ! 10/Ge3 external trusted ! up ! up ! ! 10/Ge4 internal OAM ! up ! up ! ! 10/Ge5 internal supervision ! up ! up ! ! 11/Ge0 external untrusted ! up ! up ! ! 11/Ge1 external inter-HSPP ! up ! up ! ! 11/Ge2 external inter-HSPP ! up ! up ! ! 11/Ge3 external trusted ! up ! up ! ! 11/Ge4 internal OAM ! up ! up ! ! 11/Ge5 internal supervision ! up ! up ! +-----------------------------+--------------+--------------------+ 3FZ 08139 ACAA PCZZA Edition 07 July 2015 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 219 . port Optionally the Giga Ethernet port number can be specified. Commands show interfaces show interfaces slot[/port] Arguments slot This is the identifier of the SCM slot hosting the DHSPP4.

Interfaces (Ge Ports) & Trunks show interfaces -> show interfaces 10/0 Slot/Port Description Operational Status Last Time Link Changed Type MAC Address Rx Bytes Received Unicast Frames Broadcast/Multicast Frames Error Frames Discarded frames Tx Bytes Xmitted Unicast Frames Broadcast/Multicast Frames Queued Frames 220 : : : : : : : : : : : : : : : : : 10/0 10/Ge0 external untrusted up 54:03:47 Ethernet 00:11:3F:C7:DD:2D 1298954 2209 11750 943 0 202216 4396 0 0 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 3FZ 08139 ACAA PCZZA Edition 07 July 2015 .

without LACP. If the PE router is not carrier grade this is the configuration to be chosen. This is the preferred configuration but it requires the PE Router to be carrier grade. Or.3ad) configuration with carrier grade router. Active/Standby configuration in case of Switch-Routers that are not carrier grade. The purpose of that command is to configure the trunk mode according to the PE Router capability: Static Link Aggregation (802.Interfaces (Ge Ports) & Trunks trunk {trusted|untrusted} mode [linkagg | act-stdy] trunk {trusted|untrusted} mode [linkagg | act-stdy] Purpose Trusted and Untrusted interfaces are connected to the next-hop IP using either • Static Link Aggregation (802. • Active/Standby configuration. In that case both interfaces must belong to the same vlan and a layer 2 switching must be configured between both switch-routers. 3FZ 08139 ACAA PCZZA Edition 07 July 2015 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 221 .3ad).

Interfaces (Ge Ports) & Trunks trunk {trusted|untrusted} mode [linkagg | act-stdy] Commands trunk {trusted|untrusted} mode [linkagg | act-stdy] Arguments {trusted|untrusted} The operator can only change the mode of the trusted and untrusted trunk. Remember that in that case both interfaces must belong to the same vlan and a layer 2 switching must be configured between both switch-routers. Static LAGG means that there is no LACP protocol. Example -> trunk trusted mode linkagg -> trunk untrusted mode linkagg 222 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 3FZ 08139 ACAA PCZZA Edition 07 July 2015 . linkagg Configure the trunk in Static Link Aggregation mode (802. LACP must be disabled on the PE-Router for this LAGG. This must be taken into account on the PE-Router where LACP could be activated by default when configuring a Ling Aggregation.3ad). OAM and inter-DHSPP4 trunks have predefined setup. Act-stdy Configure the trunk in Active-Standby mode.

Mode Networking mode configured. Additional information can be retrieved with the command “show trunk port” Commands show trunk [trusted|untrusted] Output Definition Trunk-group This is the trunk alias. Att/Up ports Number of attached ports and number of ports UP. Example -> show trunk +-------------+------------+----------+--------+-------+ ! Trunk-group ! Oper State ! Mode ! Att/Up ! ports ! +-------------+------------+----------+--------+-------+ ! trusted ! up ! linkagg ! 2 ! 2 ! ! untrusted ! up ! linkagg ! 2 ! 2 ! ! inter-DHSPP ! up ! linkagg ! 2 ! 2 ! ! oam ! up ! act-stdy ! 2 ! 2 ! +-------------+------------+----------+--------+-------+ show trunk port 3FZ 08139 ACAA PCZZA Edition 07 July 2015 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 223 .Interfaces (Ge Ports) & Trunks show trunk show trunk Purpose The following command displays information about the configuration and the status of the trunks. Oper State Operational state of the trunk (up/down).

Oper State The current port state (up/down). Commands show trunk port Output Definition Slot/Port The slot/port associated with the trunk group. frame received on the backup port are ignored Example -> show trunk port +-----------+-------------+------------+---------+ ! Slot/Port ! Trunk Group ! Oper state ! Role ! +-----------+-------------+------------+---------+ ! 10/Ge0 ! untrusted ! up ! primary ! ! 11/Ge0 ! untrusted ! up ! backup ! ! 10/Ge3 ! trusted ! up ! primary ! ! 11/Ge3 ! trusted ! up ! backup ! ! 10/Ge1 ! DHSPP4 ! up ! primary ! ! 10/Ge2 ! DHSPP4 ! up ! backup ! ! 10/Ge4 ! oam trunk ! up ! primary ! ! 11/Ge4 ! oam trunk ! up ! backup ! +-----------+-------------+------------+---------+ 224 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 3FZ 08139 ACAA PCZZA Edition 07 July 2015 . Trunk Group The alias of the trunk group associated with the port.Interfaces (Ge Ports) & Trunks show trunk port Purpose The following command provides complementary information about the configuration and the status of the trunks. Role The role of the port within the trunk (primary/backup). Act/stdy mode: only the primary port is used. The interpretation depends of the trunk group mode: Linkagg mode : both port are active however only the primary are used for the case of broadcast.

But some SIP UEs may send message without some mandatory header since they are following obsolete specification. To support such kind of SIP behavior.15 SIP Message Management Purpose This paragraph provides information about options whether perform check on some SIP headers and configuration on the SIP firewall. Introduction The SFW by default performs check on SIP mandatory headers. If any mandatory header is missing. Summary of the CLI for SIP Message Management SIP header management sip-header max-forwards {enable|disable} show sip-header 3FZ 08139 ACAA PCZZA Edition 07 July 2015 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 225 . SFW has configuration on whether or not accept the SIP message without the specific mandatory header. the SIP message will be rejected.

if the receiving invite request from un-trusted side doesn't contain max-forwards header. Disable will reject the INVITE without Max-Forwards header. Commands sip-header max-forwards {enable|disable} Arguments {enable|disable} Enable will allow incoming INVITE without Max-Forwards header pass through sip firewall. Example -> sip-header max-forwards enable 226 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 3FZ 08139 ACAA PCZZA Edition 07 July 2015 . the argument is disable. it also insert a default max-forward header to invite request to trust side. In default.SIP Message Management sip-header max-forwards {enable|disable} sip-header max-forwards {enable|disable} Purpose The following command provides a option to allow invite request from un-trusted side without of max-forwards header pass through the sip firewall.

SIP Message Management show sip-header show sip-header Purpose The following command provides information about the configuration of SIP header management. Commands show sip-header Output Definition max forwards Current status of backward support on Max-Forwards header. Example -> show sip-header +--------------+ ! max forwards ! +--------------+ ! enabled ! +--------------+ 1 elements 3FZ 08139 ACAA PCZZA Edition 07 July 2015 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 227 .

16 SNMP Management Purpose This paragraph provides information about the SNMP support and configuration on the SIP firewall. This allows the OMC-P to know the SFW alarms status even if traps have been lost. o SNMP set and get are by default expected in SNMP V3. 3FZ 08139 ACAA PCZZA Edition 07 July 2015 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 228 . The SFW supports the following MIBs: o Standard MIB : RFC 1213 parts mib-2 system oids mib-2 interfaces oids o ALU-SFW-MANAGEMENT-MIB This is the SFW proprietary Mib used for SFW provisioning and SFW Performance Management. Introduction The SFW current release supports SNMP as follow: o SFW sends traps in V2c only.sfw. Refer to the “user management” section to see how to configure authentication and encryption parameters for SNMP V3. This is the preferred mode. Please refer to the Appendix “How to configure the SFW site Specific parameters” if you want to perform SNMP set/get in V2c. The “Active Alarms” are returned doing an SNMP “get table” on the table “ActiveAlarmsTable” of the mib ALCATEL-OMCCNALARMMANAGEMENT-MIB. o SNMP get/set V2c and V3 can both be done at the same time o SFW supports an “Active Alarm Table” to be able to retrieve the SNMP alarms that are currently active. o SNMP set and get in V2c are possible via a specific configuration in the sitecfg.

Summary of the CLI for SNMP Management SNMP Trap management snmp station stationId ip ip_address [port port_num] community community_string version {v2c | v3} [enable | disable] snmp station stationId {enable | disable} no snmp station stationId show snmp station show snmp alarm thresholds snmp alarm modify threshold threshold_id value new_value show snmp trap config snmp trap trap_id filter-delay delay snmp trap trap_id {enable | disable} snmp trap restore default show snmp alarm active SNMP Get and SNMP Set management (these commands are explained in the User management section) user username no-snmp user username auth {sha | md5} priv {aes | des} 3FZ 08139 ACAA PCZZA Edition 07 July 2015 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 229 . The SFW is seen as a standalone SNMP node.SNMP Management Summary of the CLI for SNMP Management Snmp branch ::alcatel-lucent(637).sfw(20) o ALCATEL-OMCCN-ALARMMANAGEMENT-MIB This is the Mib for events report and Active Alarm Table.srd(71). independent from the 7510 MGW. Active/Standby SFW boards are seen as a single entity from an SNMP manager with a single IP address.

SNMP Management Alarms Management Alarms Management Hereafter are the Alarms and Events that are sent by the SFW SNMP agent. via SIP OPTION heartbeat mechanism. that at least one CCS belonging to a Load Balancing Group recovered reachability. that a CCS of the local IBCF recovered reachability. major When cleared this alarm means that SFW active DHSPP4 board recovers supervision of standby DHSPP4 board. sfwIbcfCcsStatusChange 1003 When raised this alarms means that the SFW detected. Threshold 1 major Threshold 2 critical When cleared this alarms means that the CPU has gone below a threshold. warning When cleared this alarms means that the SFW detected. that all CCS belonging to a Load Balancing Group became unreachable. sfwLoadBalancingGroupStatusChange 1004 When raised this alarms means that the SFW detected. via SIP OPTION heartbeat mechanism. sfwHealthMonCpuAlert 1006 When raised this alarms means that one SFW board CPU has crossed a threshold. sfwBoardActLossStbSupervision 1002 When raised this alarm means that SFW active DHSPP4 board losses supervision of standby DHSPP4 board. sfwBoardTemperatureTooHigh 1005 When raised this alarms means that one SFW board temperature has crossed a threshold. via SIP OPTION heartbeat mechanism. major When cleared this alarms means that the SFW detected. via SIP OPTION heartbeat mechanism. Threshold 1 major Threshold 2 critical When cleared this alarms means that the temperature has gone below a threshold. Severity major When cleared this alarms means that one of the interfaces configured on the SFW came up. that a CCS of the local IBCF became unreachable. sfwHealthMonMemAlert 230 1007 When raised this alarms means that one SFW board Memory Alcatel-Lucent — Proprietary Use pursuant to applicable agreements Threshold 1 major 3FZ 08139 ACAA PCZZA Edition 07 July 2015 . Table 1 SFW SNMP TRAPS Trap name Trap id sfwLinkDown 1001 Description When raised this alarms means that one of the interfaces configured on the SFW went down.

Fragmentation error. N-Tuple classification error. Threshold 1 warning Threshold 2 minor When cleared this alarms means that the counter "pass1DropSipSuspicious". for the Peer Network identified by "peerNetIndex". has exceeded a threshold. Threshold 2 critical When cleared this alarms means that all Memory items are below a threshold. The counter "pass1DropSipSuspicious" counts the number of packets dropped on the Untrusted side during the Pass1 checks due to suspect format. sfwUntrLowLayerDrop 1008 When raised this alarms means that the counter "sfwUntrustedLowLayerDrop" has exceeded a threshold. Threshold 1 warning Threshold 2 minor When cleared this alarms means that the counter "sfwUntrustedLowLayerDrop" has decreased below a threshold. The counter "pass1Drop" counts the number of packets dropped on the Untrusted side during the SIP Pass1 checks. has decreased 3FZ 08139 ACAA PCZZA Edition 07 July 2015 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 231 . for the Peer Network identified by "peerNetIndex". UDP error. for the Peer Network identified by "peerNetIndex".SNMP Management Alarms Management Trap name Trap id Description Severity item has crossed a threshold. for the Peer Network identified by "peerNetIndex". has exceeded a threshold. IP error. has decreased below a threshold. sfwUntrSipPass1SuspectDrop 1010 When raised this alarms means that the counter "pass1DropSipSuspicious". ICMP error. for the Peer Network identified by "peerNetIndex". for the Peer Network identified by "peerNetIndex". The counter "sfwUntrustedLowLayerDrop" counts the number of packets dropped on the Untrusted side because of ARP error. Minimum size error. sfwUntrSipPass2MethodRateInQos0 1011 When raised this alarms means that the counter "pass2MethodRateInQos0". Threshold 1 warning Threshold 2 minor When cleared this alarms means that the counter "pass2MethodRateInQos0". has decreased below a threshold. has exceeded a threshold. sfwUntrSipPass1Drop 1009 When raised this alarms means that the counter "pass1Drop". Threshold 1 warning Threshold 2 minor When cleared this alarms means that the counter "pass1Drop".

has exceeded a threshold. has decreased below a threshold. This alarm applies for a specific Peer Network identified by the object peerNetIndex. sfwUntrSipMethodRateDrop 1013 When raised this alarms means that the counter associated with pass2MethodRateDrop. The counter "pass2MethodRateInQos0" counts the number of packets on the Untrusted side downgraded to QOS0 during the Pass2 checks.e. reporting the number of messages dropped because of rate limitation. has exceeded a threshold. sfwUntrSipPass2Drop 1012 When raised this alarms means that the counter "pass2Drop". has exceeded a threshold. Threshold 1 warning Threshold 2 minor When cleared this alarms means that the counter associated with pass2AdmCtlCallDrop has decreased below a threshold. reporting the number of messages dropped because of INVITE rate greater than the available rate on trusted side. : .IP fragment overlapped Threshold 1 warning Threshold 2 minor . sfwUntrIpFragAttackPrevented 1015 Notify that the SFW detected a IP Fragmentation attack and prevented it. A SIP message is downgraded to QOS0 when abnormal behavior has been observed for a SIP flow with same IP/SIP signature. for the Peer Network identified by "peerNetIndex".IP fragment overwrite…etc… This alarm is raised when the counter sfwUntrustedLowLayerDropFrag 232 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 3FZ 08139 ACAA PCZZA Edition 07 July 2015 . This alarm applies for a specific Peer Network identified by the object peerNetIndex. i. sfwUntrSipAdmCtlCallDrop 1014 When raised this alarms means that the counter associated with pass2AdmCtlCallDrop. The counter "pass2Drop" counts the number of packets dropped on the Untrusted side during the SIP Pass2 checks. for the Peer Network identified by "peerNetIndex".IP fragment overrun .SNMP Management Alarms Management Trap name Trap id Description Severity below a threshold. Threshold 1 warning Threshold 2 minor When cleared this alarms means that the counter associated with pass2MethodRateDrop has decreased below a threshold.IP fragmentation buffer full . Threshold 1 warning Threshold 2 minor When cleared this alarms means that the counter "pass2Drop".

has decreased below a threshold.SNMP Management Alarms Management Trap name Trap id Description Severity has exceeded a threshold. Minimum size error. sfwTrustedSipPass1Drop 1019 When raised this alarms means that the counter "pass1Drop". 3FZ 08139 ACAA PCZZA Edition 07 July 2015 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 233 . This alarm is raised when the counter sfwUntrustedLowLayerDropIcmp has exceeded a threshold.ARP flooding prevention This alarm is raised when the counter sfwUntrustedLowLayerDropArp has exceeded a threshold. The counter "sfwTrustedLowLayerDrop" counts the number of packets dropped on the Trusted side because of ARP error. i. sfwTrustedLowLayerDrop 1018 When raised this alarms means that the counter "sfwTrustedLowLayerDrop" has exceeded a threshold. ICMP error. Threshold 1 warning Threshold 2 minor This alarm is cleared when the counter sfwUntrustedLowLayerDropIcmp has decreased below a threshold. N-Tuple classification error.ARP cache exhausting and poisoning prevention Threshold 1 warning Threshold 2 minor . sfwUntrArpAttackPrevented 1016 Notify that the SFW detected an ARP attack and prevented it. sfwUntrIcmpAttackPrevented 1017 Notify that the SFW detected an ICMP attack and prevented it. Threshold 1 warning Threshold 2 minor When cleared this alarms means that the counter "pass1Drop". : . IP error. The counter "pass1Drop" counts the number of packets dropped on the Trusted side during the SIP Pass1 checks.e.Forged ARP request prevention . has exceeded a threshold. UDP error. This alarm is cleared when the counter sfwUntrustedLowLayerDropArp has decreased below a threshold. This alarm is cleared when the counter sfwUntrustedLowLayerDropFrag has decreased below a threshold. Fragmentation error. for the Peer Network identified by "peerNetIndex". Threshold 1 warning Threshold 2 minor When cleared this alarms means that the counter "sfwTrustedLowLayerDrop" has decreased below a threshold. for the Peer Network identified by "peerNetIndex".

sfwTcpSynFlood 1021 When raised this alarms means that a TCP SYN Flood attack has been prevented on one of the interfaces of the SFW. The counter "pass2Drop" counts the number of packets dropped on the Trusted side during the SIP Pass2 checks. warning The configuration is "certified" with one of the following operations : . has decreased below a threshold. However TCP connection establishment is still possible for non-attackers. has exceeded a threshold.either via CLI : "copy working 234 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 3FZ 08139 ACAA PCZZA Edition 07 July 2015 . has decreased below a threshold.SNMP Management Alarms Management Trap name Trap id sfwTrustedSipPass2Drop 1020 Description When raised this alarms means that the counter "pass2Drop". In that state the TCP SYN are filtered to prevent the attack. sfwConfigurationChanged 1101 This trap is sent when the SFW configuration has been "certified". for the Peer Network identified by "peerNetIndex". Threshold 1 warning Threshold 2 minor When cleared this alarms means that the counter "tcpInErrs". Severity Threshold 1 warning Threshold 2 minor When cleared this alarms means that the counter "pass2Drop". has exceeded a threshold. for the Peer Network identified by "peerNetIndex". Threshold 1 warning Threshold 2 minor When cleared this alarms means that the counter "tcpOutOfSeqResets". sfwTcpResetFlood 1022 When raised this alarms means that the counter "tcpOutOfSeqResets". warning As soon as the TCP SYN flood is detected a TCP SYN regulation mechanism is started on the SFW interfaces. for the Peer Network identified by "peerNetIndex". for the Peer Network identified by "peerNetIndex". sfwTcpErrorsFlood 1023 When raised this alarms means that the counter "tcpInErrs". for the Peer Network identified by "peerNetIndex". has exceeded a threshold. Due to the TCP SYN regulation the alarm will not be cleared before 30 sec even if the attack was performed during 1 sec. decreased below a threshold. for the Peer Network identified by has "peerNetIndex".

For this kind of alarms.2 3FZ 08139 ACAA PCZZA Edition 07 July 2015 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 235 .or via SNMP set on the object sfwConfigMgmtCopyToFlash value with the copyWorkingCertified(2) in the branch sfwConfigMgmt of the SFW mib ALU-SFWMANAGEMENT-MIB. sending snmp traps.1 1006. When crossed an alarm is raised or cleared. Table 2 SFW SNMP TRAPS Thresholds Thresholds names Threshold Description Associated Alarm Trap id Thresholds on the board temperature.2 sfwHealthMonMemAlertTh1 sfwHealthMonMemAlertTh2 1007.SNMP Management Alarms Management Trap name Trap id Description Severity certified" . thresholds identifiers and traps identifiers have common ids. The SFW raises and clears most of its alarms. When crossed an alarm is raised or cleared Thresholds on the counter of dropped messages on the Untrusted interface due to the following reasons: ARP error • • Invalid IP packet • IP fragmentatio n error Invalid UDP • packet • Invalid ICMP packet • Unknown source IP address • Invalid destination IP:port sfwBoardTemperatureT ooHigh 1005 sfwHealthMonCpuAlert 1006 sfwHealthMonMemAlert 1007 sfwUntrLowLayerDrop 1008 id sfwBoardTemperatureTooHighTh1 sfwBoardTemperatureTooHighTh2 1005. Thresholds on the board CPU.1 1005.2 sfwHealthMonCpuAlertTh1 sfwHealthMonCpuAlertTh2 1006. when observation counters (or gauges) exceed predefined thresholds. note that this operation is allowed only after a "copy running working".2 sfwUntrLowLayerDropTh1 sfwUntrLowLayerDropTh2 1008. . To easily correlate the counters (or gauges) thresholds and their related alarms. When crossed an alarm is raised or cleared Thresholds on the board Memory. This allows monitoring of the system behavior with 2 different severities per alarm. there are 2 thresholds per object.1 1007.1 1008.

1 1009. Thresholds on the counter of dropped messages during SIP pass2 checking on the Untrusted interface due to the following reasons: • Method rate limitation • 236 Malformed Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 3FZ 08139 ACAA PCZZA Edition 07 July 2015 .1 1011.2 sfwUntrSipPass2MethodRateInQos0Th1 sfwUntrSipPass2MethodRateInQos0Th2 1011. Thresholds on the counter of packets on the Untrusted side downgraded to QOS0 during the Pass2 checks. A SIP message is downgraded to QOS0 when abnormal behavior has been observed for a SIP flow with same IP/SIP signature.2 UDP packet length below minimum size Thresholds on the counter of dropped messages during SIP pass1 checking on the Untrusted interface due to the following reasons: • Configuration mismatch • Output overloading • No RPOC available within a load balancing group • No Token bucket • Out Of Sequence SIP message • Maximum retries has been reached • Malformed header • Suspicious header format • Lack of resources Thresholds on the counter of dropped messages during SIP pass1 parsing due to suspicious header format.1 1010.2 sfwUntrSipPass1SuspectDropTh1 sfwUntrSipPass1SuspectDropTh2 1010.1 1012.SNMP Management Alarms Management Thresholds names Threshold Description Associated Alarm Trap id sfwUntrSipPass1Drop 1009 sfwUntrSipPass1Suspe ctDrop 1010 sfwUntrSipPass2Metho dRateInQos0 1011 sfwUntrSipPass2Dro p 1012 id • sfwUntrSipPass1DropTh1 sfwUntrSipPass1DropTh2 1009.2 sfwUntrSipPass2DropTh1 sfwUntrSipPass2DropTh2 1012.

1 1015. Thresholds on the counter of ARP errors.2 sfwUntrArpAttackPreventedTh1 sfwUntrArpAttackPreventedTh2 sfwUntrIcmpAttackPreventedTh1 sfwUntrIcmpAttackPreventedTh1 1016.1 1017.1 1018. Thresholds on the counter of dropped messages during SIP pass2 checking due to Admission Control. Thresholds on the counter of dropped messages due to IP fragmentation errors.SNMP Management Alarms Management Thresholds names Threshold Description Associated Alarm Trap id sfwUntrSipMethodRa teDrop 1013 sfwUntrSipAdmCtlCa llDrop 1014 sfwUntrIpFragAttack Prevented 1015 sfwUntrArpAttackPre vented sfwUntrIcmpAttackPr evented 1016 sfwTrustedLowLayer Drop 1018 id header sfwUntrSipMethodRateDropTh1 sfwUntrSipMethodRateDropTh2 1013. Thresholds on the counter of ICMP errors.1 1013.2 sfwUntrSipAdmCtlCallDropTh1 sfwUntrSipAdmCtlCallDropTh2 1014.2 1017. Invite rate is greater than the available rate on trusted side.2 sfwTrustedLowLayerDropTh1 sfwTrustedLowLayerDropTh2 1018.2 3FZ 08139 ACAA PCZZA Edition 07 July 2015 • Configuration mismatch • Suspicious header format • Admission Control • Out Of Sequence SIP message • Maximum retries has been reached • Lack of resources • SIPP parsing error during regeneration of the SIP message Thresholds on the counter of dropped messages during SIP pass2 checking due to rate limitation per SIP method.2 sfwUntrustedLowLayerDropFragTh1 sfwUntrustedLowLayerDropFragTh2 1015.1 1014.1 1016. Thresholds on the counter of dropped messages on the Trusted interface due to the following reasons: ARP error • • Invalid IP packet • IP fragmentatio n error • Invalid UDP packet • Invalid ICMP packet • Unknown source IP address Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 1017 237 .

2 1022.1 1019.1 1022.SNMP Management Alarms Management Thresholds names Threshold Description Associated Alarm Trap id sfwTrustedSipPass1 Drop 1019 sfwTrustedSipPass2 Drop 1020 sfwTcpResetFlood 1022 id • sfwTrustedSipPass1DropTh1 sfwTrustedSipPass1DropTh2 sfwTrustedSipPass2DropTh1 sfwTrustedSipPass2DropTh2 sfwTcpResetFloodTh1 sfwTcpResetFloodTh2 238 1019.1 1020.2 Invalid destination IP:port • UDP packet length below minimum size Thresholds on the counter of dropped messages during SIP pass1 checking on the Untrusted interface due to the following reasons: • Configuration mismatch • Out Of Sequence SIP message • Maximum retries has been reached • Malformed header • Suspicious header format • Lack of resources Thresholds on the counter of dropped messages during SIP pass2 checking on the Untrusted interface due to the following reasons: • Malformed header • Configuration mismatch • Suspicious header format • Out Of Sequence SIP message • Maximum retries has been reached • Lack of resources • SIPP parsing error during regeneration of the SIP message Thresholds on the counter of TCP reset detected as out-of- Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 3FZ 08139 ACAA PCZZA Edition 07 July 2015 .2 1020.

SNMP Management Thresholds names Alarms Management Threshold Description Associated Alarm Trap id sfwTcpErrorsFlood 1023 id sfwTcpInErrsTh1 sfwTcpInErrsTh2 3FZ 08139 ACAA PCZZA Edition 07 July 2015 1023.2 sequence. Thresholds on the counter of TCP segments received in error and dropped by the firewall.1 1023. Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 239 .

Provides additional information on the reason of the trap. Identifies the 7510 hosting the SFW. Provides additional information on the reason of the trap. Provides additional information on the reason of the trap. This field explains the actions that could be done to solve the problem reported by this trap. 3GPPProbableCause SpecificProblem AdditionnalText ThresholdInfoAttribute ThresholdInfoValue ThresholdInfoDirection ThresholdInfoTriggerHigh ThresholdInfoTriggerLow UserLabel ProposedRepairAction AdditionnalInfoName1 AdditionnalInfoValue1 AdditionnalInfoName2 AdditionnalInfoValue2 AdditionnalInfoName3 AdditionnalInfoValue3 AdditionnalInfoName4 AdditionnalInfoValue4 AdditionnalInfoName5 AdditionnalInfoValue5 240 Higher Threshold on the SFW counter identified by “ThresholdInfoAttribute” Lower Threshold on the SFW counter identified by “ThresholdInfoAttribute” This text field explains clearly the meaning of the trap. Provides additional information on the reason of the trap. Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 3FZ 08139 ACAA PCZZA Edition 07 July 2015 . Provides additional information on the reason of the trap. Enum value corresponding with event type according to X. Identifies the name of the SFW sending the trap. The date and time at which the event indicated in the trap occurred. Critical = 1 Major = 2 Minor = 3 Warning = 4 Cleared = 5 Enum value indicate the probable cause according to 3GPP. Provides additional information on the reason of the trap. Enum value corresponding with severity for the event reported in the trap. Value of the SFW counters which kick off the trap. Provides additional information on the reason of the trap.SNMP Management Table 3 Alarms Management SFW SNMP TRAPS format SFW sends SNMP traps using the following X733 format.733. Identifies the name of SFW counters monitored to send the trap. This format is also the one described in the “Active Alarm Table” of the Mib ALCATEL-OMCCN-ALARMMANAGEMENT-MIB. Provides additional information on the reason of the trap. Identifies the SFW Object Instance on which the trap applies. Provides additional information on the reason of the trap. Provides additional information on the meaning of the trap. Provides additional information on the reason of the trap. Field Description TrapSequenceNumber Identifier ManagedObjectClass ManagedObjectInstance FriendlyName EventType EventTime Severity This is the sequence number of the sent trap Identifies the trap sent. Identifies the SFW Object Class on which the trap applies.

none none none none none none none none none none ThresholdInfoTriggerLow none UserLabel ProposedRepairAction Link Status Change See alarm description in SFW proprietary Mib.Alarms Management SNMP Management SFW Alarm content example : Field TrapSequenceNumber Identifier ManagedObjectClass ManagedObjectInstance FriendlyName EventType EventTime Severity 3GPPProbableCause SpecificProblem AdditionnalText ThresholdInfoAttribute ThresholdInfoValue ThresholdInfoDirection ThresholdInfoTriggerHigh sfwLinkDown sfwBoardTemperatureTooHigh 1001 ifTable ifIndex sysName equipment 1005 boardTable boardIndex sysName equipment major linkFailure ifOperStatus sfw7510Name major temperatureUnacceptable none sfw7510Name none none none none boardTemperature BoardTemperature value Up | down sfwBoardTemperatureTooHighTh2 value SfwBoardTemperatureTooHighTh1 value Board Temperature Too High See alarm description in SFW proprietary Mib. ifDescr ifDescr value ifAdminStatus IfAdminStatus value none none none none none none AdditionnalInfoName1 AdditionnalInfoValue1 AdditionnalInfoName2 AdditionnalInfoValue2 AdditionnalInfoName3 AdditionnalInfoValue3 AdditionnalInfoName4 AdditionnalInfoValue4 AdditionnalInfoName5 AdditionnalInfoValue5 3FZ 08139 ACAA PCZZA Edition 07 July 2015 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 241 .

ip_address This is the IP address to which SNMP unicast traps will be sent. Up to 5 SNMP stations can be configured.54. version With this release traps can be sent in V2c only. port_num This is the listening UDP port of the SNMP station. username This is the username used when sending traps in V3.9 port 163 community public version v2c enable 242 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 3FZ 08139 ACAA PCZZA Edition 07 July 2015 . This parameter is optional. This string must between 1 and 32 characters. The default value is 162. community_string This is the community string used when sending traps in V2c.128. enable | disable If this parameter is set to “disable” the SNMP trap will not be sent towards the SNMP station. Example -> snmp station 1 ip 139. Commands snmp station stationId ip ip_address [port port_num] community {community_string | username} version {v2c | v3} [enable | disable] Arguments stationId This is the identifier of the SNMP station.SNMP Management snmp station stationId ip ip_address snmp station stationId ip ip_address Purpose The purpose of the following command is to create or modify a SNMP station to receive the traps sent by the firewall.

Commands snmp station stationId {enable | disable} Arguments stationId This is the identifier of the SNMP station. Example -> snmp station 1 disable no snmp station stationId Purpose The purpose of the following command is to delete a SNMP station. Commands no snmp station stationId Arguments stationId This is the identifier of the SNMP station. Example -> no snmp station 1 3FZ 08139 ACAA PCZZA Edition 07 July 2015 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 243 .SNMP Management snmp station stationId {enable | disable} snmp station stationId {enable | disable} Purpose The purpose of the following command is to disable the SNMP trap forwarding towards a configured SNMP station. enable | disable If this parameter is set to “disable” the SNMP trap will not be sent towards the SNMP station.

Commands show snmp station Example -> show snmp station +------------+--------------------+--------+----------+-----------+ ! Station Id ! IpAddress/udpPort ! Status ! Protocol ! Community ! +------------+--------------------+--------+----------+-----------+ ! 1 ! 139.128.9/162 ! Enable ! v2c ! public ! ! 2 ! 139.54.SNMP Management show snmp station show snmp station Purpose The purpose of the following command is to display the SNMP stations configuration.128.54.112/162 ! Enable ! v2c ! public ! +------------+--------------------+--------+----------+-----------+ 244 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 3FZ 08139 ACAA PCZZA Edition 07 July 2015 .

the threshold Id will identify the threshold to be modified with the command “snmp alarm modify threshold threshold_id value new_value” Thresholds names The name of the threshold is provided to easily correlate the threshold with the related SNMP trap. If needed.1 ! sfwUntrLowLayerDropTh1 ! 10000 ! ! 1008.2 ! sfwBoardTemperatureTooHighTh2 ! 70 ! ! 1006.1 ! sfwBoardTemperatureTooHighTh1 ! 67 ! ! 1005.SNMP Management show snmp alarm thresholds show snmp alarm thresholds Purpose The purpose of the following command is to display the current configuration of the alarm thresholds. Commands show snmp alarm thresholds Outputs information Ids There are to thresholds per alarm. Values This is the threshold value.2 ! sfwHealthMonMemAlertTh2 ! 95 ! ! 1008.1 ! sfwHealthMonMemAlertTh1 ! 85 ! ! 1007. Example -> show snmp alarm thresholds +--------+------------------------------------+--------+ ! Ids ! Thresholds names ! values ! +--------+------------------------------------+--------+ ! 1005.1 ! sfwHealthMonCpuAlertTh1 ! 90 ! ! 1006.1 ! sfwUntrSipPass1DropTh1 ! 1000 ! +--------+------------------------------------+--------+ 3FZ 08139 ACAA PCZZA Edition 07 July 2015 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 245 . Refer to the Table 1 “SFW SNMP TRAPS” and the Table 2 “SFW SNMP TRAPS Thresholds” described at the beginning of this section to get a detailed description of the SNMP alarms managed by the SFW.2 ! sfwHealthMonCpuAlertTh2 ! 95 ! ! 1007.2 ! sfwUntrLowLayerDropTh2 ! 50000 ! ! 1009.

2 ! sfwUntrSipMethodRateDropTh2 ! 500 ! ! 1014.2 ! sfwUntrSipPass2DropTh2 ! 500 ! ! 1013.1 ! sfwTrustedSipPass2DropTh1 ! 100 ! ! 1020.1 ! sfwTrustedLowLayerDropTh1 ! 1000 ! ! 1018.2 ! sfwUntrIcmpAttackPreventedTh2 ! 5000 ! ! 1018.2 ! sfwTrustedSipPass1DropTh2 ! 500 ! ! 1020.1 ! sfwUntrArpAttackPreventedTh1 ! 1000 ! ! 1016.1 ! sfwUntrSipPass1SuspectDropTh1 ! 100 ! ! 1010.1 ! sfwUntrIpFragAttackPreventedTh1 ! 1000 ! ! 1015.SNMP Management show snmp alarm thresholds ! Ids ! Thresholds names ! values ! +--------+------------------------------------+--------+ ! 1009.1 ! sfwTcpErrorFloodTh1 ! 100 ! ! 1023.1 ! sfwUntrSipMethodRateDropTh1 ! 100 ! ! 1013.1 ! sfwTrustedSipPass1DropTh1 ! 100 ! ! 1019.2 ! sfwUntrSipPass1SuspectDropTh2 ! 500 ! ! 1011.1 ! sfwUntrSipPass2MethodRateInQos0Th1 ! 100 ! ! 1011.1 ! sfwUntrIcmpAttackPreventedTh1 ! 1000 ! ! 1017.2 ! sfwTrustedSipPass2DropTh2 ! 500 ! ! 1022.2 ! sfwUntrSipPass1DropTh2 ! 5000 ! ! 1010.1 ! sfwTcpResetFloodTh1 ! 100 ! ! 1022.2 ! sfwUntrSipPass2MethodRateInQos0Th2 ! 500 ! ! 1012.2 ! sfwTrustedLowLayerDropTh2 ! 5000 ! ! 1019.2 ! sfwUntrSipAdmCtlCallDropTh2 ! 500 ! ! 1015.2 ! sfwUntrArpAttackPreventedTh2 ! 5000 ! ! 1017.2 ! sfwTcpErrorFloodTh2 ! 500 ! +--------+------------------------------------+--------+ 246 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 3FZ 08139 ACAA PCZZA Edition 07 July 2015 .2 ! sfwUntrIpFragAttackPreventedTh2 ! 5000 ! ! 1016.1 ! sfwUntrSipAdmCtlCallDropTh1 ! 100 ! ! 1014.1 ! sfwUntrSipPass2DropTh1 ! 100 ! ! 1012.2 ! sfwTcpResetFloodTh2 ! 500 ! ! 1023.

new_value For alarm 1005 the thresholds are given in °Celsius.1 ! sfwUntrSipPass1SuspectDropTh1 ! 100 ! The alarm 1010 is raised when the gauge associated with the counter "pass1DropSipSuspicious" exceeds the threshold value 100. The gauge is the variation of the counter during one second. Commands snmp alarm modify threshold threshold_id value new_value Arguments threshold_id This is the identifier of the Alarm threshold to be modified.SNMP Management snmp alarm modify threshold threshold_id snmp alarm modify threshold threshold_id Purpose The purpose of the following command is to modify a threshold value associated with an SNMP trap. For alarms 1006 and 1007. For example : +--------+------------------------------------+--------+ ! Ids ! Thresholds names ! values ! +--------+------------------------------------+--------+ ! 1010. Example -> snmp alarm modify threshold 1010. the thresholds represent a percentage of CPU or memory.1 value 200 3FZ 08139 ACAA PCZZA Edition 07 July 2015 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 247 . This operation must be done with caution because the SFW raises or clears alarms based on the fact that counters or gauges are crossing thresholds. The command “show snmp alarm thresholds” allows retrieving the Thresholds Ids. the thresholds represent a number of events per seconds. For other alarms. Refer to the Table 1 “SFW SNMP TRAPS” and the Table 2 “SFW SNMP TRAPS Thresholds” described at the beginning of this section to get a detailed description of the SNMP alarms managed by the SFW. There are 2 thresholds per alarm to manage 2 severities per alarm.

This allows managing 2 severities. The severity displayed with “show snmp trap config” is the severity associated with the lower threshold”. Most of the alarms are managed with 2 thresholds. Id This is the identifier of the snmp trap.SNMP Management show snmp trap config show snmp trap config Purpose The purpose of the following command is to display information about the traps managed by the SFW. Severity This is the alarm severity associated with the snmp trap. Refer to the Table 1 “SFW SNMP TRAPS” and the Table 2 “SFW SNMP TRAPS Thresholds” described at the beginning of this section to get a detailed description of the SNMP alarms managed by the SFW. Filter-delay By default most of the traps are absorbed with a delay of 2 seconds but this value can be modified with the command “snmp trap trap_id filter-delay delay”. Status “enable” means that the SNMP trap will be sent if the corresponding event occurs. By default all traps are enabled but can be disabled with the command “snmp trap trap_id {enable | disable}” 248 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 3FZ 08139 ACAA PCZZA Edition 07 July 2015 . Commands show snmp trap config Outputs information Traps list SNMP traps name attempt to be meaningful.

SNMP Management show snmp trap config Example -> show snmp trap config +-----------------------------------+------+----------+--------------+--------+ ! Traps list ! Id ! Severity ! Filter-delay ! Status ! +-----------------------------------+------+----------+--------------+--------+ ! sfwLinkDown ! 1001 ! major ! 1 ! enable ! ! sfwBoardActLossStbSupervision ! 1002 ! major ! 2 ! enable ! ! sfwIbcfCcsStatusChange ! 1003 ! warning ! 4 ! enable ! ! sfwLoadBalancingGroupStatusChange ! 1004 ! major ! 4 ! enable ! ! sfwBoardTemperatureTooHigh ! 1005 ! major ! 10 ! enable ! ! sfwHealthMonCpuAlert ! 1006 ! major ! 10 ! enable ! ! sfwHealthMonMemAlert ! 1007 ! major ! 10 ! enable ! ! sfwUntrLowLayerDrop ! 1008 ! warning ! 2 ! enable ! ! sfwUntrSipPass1Drop ! 1009 ! warning ! 2 ! enable ! ! sfwUntrSipPass1SuspectDrop ! 1010 ! warning ! 2 ! enable ! ! sfwUntrSipPass2MethodRateInQos0 ! 1011 ! warning ! 2 ! enable ! ! sfwUntrSipPass2Drop ! 1012 ! warning ! 2 ! enable ! ! sfwUntrSipMethodRateDrop ! 1013 ! warning ! 2 ! enable ! ! sfwUntrSipAdmCtlCallDrop ! 1014 ! warning ! 2 ! enable ! ! sfwUntrIpFragAttackPrevented ! 1015 ! warning ! 2 ! enable ! ! sfwUntrArpAttackPrevented ! 1016 ! warning ! 2 ! enable ! ! sfwUntrIcmpAttackPrevented ! 1017 ! warning ! 2 ! enable ! ! sfwTrustedLowLayerDrop ! 1018 ! warning ! 2 ! enable ! ! sfwTrustedSipPass1Drop ! 1019 ! warning ! 2 ! enable ! ! sfwTrustedSipPass2Drop ! 1020 ! warning ! 2 ! enable ! ! sfwTcpSynFlood ! 1021 ! warning ! 2 ! enable ! ! sfwTcpResetFlood ! 1022 ! warning ! 2 ! enable ! ! sfwTcpErrorFlood ! 1023 ! warning ! 2 ! enable ! ! sfwConfigMgmtCopyToFlash ! 1101 ! warning ! 2 ! enable ! +-----------------------------------+------+----------+--------------+--------+ 3FZ 08139 ACAA PCZZA Edition 07 July 2015 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 249 .

This means that the temperature is checked each 10 seconds. status) to check if a condition is reached and if so it sends the appropriate SNMP traps to report Alarms or Events. delay This is the new filtering delay in seconds. The default polling timer is 1. For example the trap “sfwBoardTemperatureTooHigh” has a default filter delay of 10 seconds. This polling interval value can be modified for each trap. gauges.SNMP Management snmp trap trap_id filter-delay delay snmp trap trap_id filter-delay delay Purpose The SFW SNMP agent is polling objects (counters. 4 or 10 seconds depending on the trap id. Example -> snmp trap 1011 filter-delay 5 250 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 3FZ 08139 ACAA PCZZA Edition 07 July 2015 . The command “show snmp trap config” allows retrieving the Trap Ids. Commands snmp trap trap_id filter-delay delay Arguments trap_id This is the identifier of the trap to be modified. 2.

The command “show snmp trap config” allows retrieving the Trap Ids.SNMP Management snmp trap trap_id {enable | disable} snmp trap trap_id {enable | disable} Purpose The purpose of the following command is to enable or disable the sending of a trap. filtering delay and status. for the trap management. Commands snmp trap trap_id {enable | disable} Arguments trap_id This is the identifier of the trap to be modified. By default all traps are enabled. Commands snmp trap restore default 3FZ 08139 ACAA PCZZA Edition 07 July 2015 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 251 . Example -> snmp trap 1011 disable snmp trap restore default Purpose The purpose of the following command is to restore the default values.

Example -> show snmp alarm active +----------+------+----------------------------+---------------+----------------------+----------+ ! Sequence ! trap ! trap name ! MIB object ! date and time ! severity ! ! number ! ! ! ! id ! ! +----------+------+----------------------------+---------------+----------------------+----------+ ! 27 ! 1005 ! sfwBoardTemperatureTooHigh ! boardTable.106 ! 2011 Jul 12 2:21:50 ! major ! +----------+------+----------------------------+---------------+----------------------+----------+ 252 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 3FZ 08139 ACAA PCZZA Edition 07 July 2015 .117 ! 2011 Jul 12 2:21:50 ! major ! ! 12 ! 1001 ! sfwLinkDown ! ifTable.SNMP Management show snmp alarm active show snmp alarm active Purpose The purpose of the following command is to display the alarms currently active.10 ! 2011 Jul 12 9:40:58 ! major ! ! 26 ! 1005 ! sfwBoardTemperatureTooHigh ! boardTable.107 ! 2011 Jul 12 2:21:50 ! major ! ! 7 ! 1001 ! sfwLinkDown ! ifTable.116 ! 2011 Jul 12 2:21:50 ! major ! ! 8 ! 1001 ! sfwLinkDown ! ifTable. this means the alarms that have been raised by sending an SNMP trap but not yet cleared. MIB object Identifies the SFW object causing the alarm. Commands show snmp alarm active Outputs information Sequence number This is the trapSequenceNumber set in the corresponding SNMP traps. trap id & trap name Identify the alarm. This CLI provides the same information than a SNMP get on the table “activeAlarmsTable” of the proprietary MIB ALCATEL-OMCCNALARMMANAGEMENT-MIB.11 ! 2011 Jul 12 9:40:58 ! major ! ! 13 ! 1001 ! sfwLinkDown ! ifTable.

Additionally. CLI commands partition management is performed according the ”user level” parameter.17 Users Management Purpose This paragraph provides information about Users Management on the SIP firewall. modify or delete users that will be authorized to manage the SFW firewall via CLI. Introduction The User Management CLI commands allow you to create. with the commands listed hereafter. Summary of the CLI for Users Management Users management user username password user username level {adm|ope|viewer} user username no-snmp user username auth {sha | md5} priv {aes | des} no user username show user [adm|ope|viewer] show user cmd [adm|ope|viewer] 3FZ 08139 ACAA PCZZA Edition 07 July 2015 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 253 .

Commands user username password Arguments username This is the name of the user used for logging into the SFW.<=>?@\^_`|}~]] The password must contain characters from at least 3 of these categories. Additionally this command allows the operator to modify a user’s password. Users with “operator” or “viewer” privileges can change only their own password. These characters must be chosen within the following 4 categories: • Digits [0-9] • Lower case letters [a-z] • Upper case letters [A-Z]. -> user sfwUser password enter password : ********* password again : ********* Command successful The password minimum length is 8 alphanumeric characters. • Special characters [[!"#$%&')*+.Users Management user username password user username password Purpose The purpose of the following command is to create a user entry in the local user database. a new user is created with “operator” privileges.-./. Users with “Administrator” privileges can change the password of everybody. 254 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 3FZ 08139 ACAA PCZZA Edition 07 July 2015 . This can be modified later with the CLI command “ user username level {adm|ope|viewer} “. password The password is not displayed in cleared text and must be entered twice for security reason. You must be logged with “Administrator” privilege to be authorized to run this command. By default.

user username level {adm | ope | viewer}

Users Management

user username level {adm | ope | viewer}
Purpose
The purpose of the following command is to modify the privileges of a user and thus the

authorized CLI domains. By default, users are created with “operator” privileges.
You must be logged with “Administrator” privilege to be authorized to run this command.
Commands
user username level {adm|ope|viewer}
Arguments
level
There are three types of users with different level of privileges.

level viewer
This is the lower level. It gives limited privileges to the user.
Such user will be able to run only CLI commands “show” to display the SFW config.
The command “show user cmd viewer” provides the list of commands authorized for this
level.

level ope
This is the intermediate level. It gives operator privileges to the user.
This means that the user will be able to run all CLI commands except the command to
create, modify or delete “users”
The command “show user cmd ope” provides the list of commands authorized for this
level in addition to the lower level.

level adm
This is the higher level. It gives administrator privileges to the user.
This means that the user will be able to run all CLI commands.
The command “show user cmd adm” provides the list of commands authorized for this
level in addition to the lower levels.
Example
-> user visitor level viewer

3FZ 08139 ACAA PCZZA
Edition 07
July 2015

Alcatel-Lucent — Proprietary
Use pursuant to applicable agreements

255

Users Management

user username no snmp

user username no snmp
Purpose

The purpose of the following command is to deny SNMP access to the switch for the
specified user.

Commands
user username no snmp
Arguments
username
This is the name of the user.
Example
-> user visitorCLI no snmp

256

Alcatel-Lucent — Proprietary
Use pursuant to applicable agreements

3FZ 08139 ACAA PCZZA
Edition 07
July 2015

Users Management

user username auth { sha | md5} priv {aes | des}

user username auth { sha | md5} priv {aes | des}
Purpose

The purpose of the following command is to configure SNMP V3 authentication and
encryption algorithms for a given user.

Commands
user username auth {sha | md5} priv {aes | des}
Arguments
username
This is the name of the user.
auth
Specifies that the SHA or MD5 authentication algorithm should be used for authenticating
SNMP PDU for the user.
priv
Specifies that the AES or DES encryption standard should be used for encrypting SNMP
PDU for the user.
Example
-> user admin auth sha priv des

3FZ 08139 ACAA PCZZA
Edition 07
July 2015

Alcatel-Lucent — Proprietary
Use pursuant to applicable agreements

257

Users Management

no user username

no user username
Purpose

The purpose of the following command is to delete a user entry in the local user database.
You must be logged with “Administrator” privilege to be authorized to run this command.
Commands
no user username
Arguments
username
This is the name of the user to be deleted.
Example
-> no user visitor

show user cmd [adm|ope|viewer]
Purpose

The purpose of the following command is to display the list of CLI commands allowed
for a given user-level in addition to the authorized commands of the lower level.
This means, for example, that running the command “show user cmd ope” the output will
not display the “show” commands that are inherited from the lower user-level “viewer”.
If the user-level is not provided all CLI commands are displayed with their respective
level.
Commands
show user cmd [adm | ope | viewer]

258

Alcatel-Lucent — Proprietary
Use pursuant to applicable agreements

3FZ 08139 ACAA PCZZA
Edition 07
July 2015

show user cmd [adm|ope|viewer]

Users Management

Example
->show user cmd viewer
+--------+------+----------------------------------------------------------+
! Level

! Mode ! CLI

!

+--------+------+----------------------------------------------------------+
! viewer ! All

! show snmp trap active

!

! viewer ! All

! show snmp alarm active

!

! viewer ! All

! show monitoring-host statistics

!

! viewer ! All

! show dscp default

!

! viewer ! All

! show certificate local [<1..32>]

!

! viewer ! All

! show certificate ca [<1..64>]

!

! viewer ! All

! show certificate local {details|pem} <1..32>

!

! viewer ! All

! show certificate ca {details|pem} <1..64>

!

! viewer ! All

! show tls-profile [<1..32>]

!

! viewer ! All

! show dns-internal [peer-net <1..2047>]

!

! viewer ! All

! show sfw status

!

! viewer ! All

! show peer-net [<1..2047>] connectivity

!

! viewer ! All

! show load-balancing-group [<1..32>] connectivity

!

! viewer ! All

! show ntp server

!

! viewer ! All

! show tcp statistics oam

!

! viewer ! All

! show tcp statistics untrusted [<1..2047>]

!

! viewer ! All

! show tcp statistics trusted [<1..2047>]

!

! viewer ! All

! show tcp statistics

!

! viewer ! All

! show tcp syn

!

! viewer ! All

! show system

!

+--------+------+----------------------------------------------------------+
! Level

! Mode ! CLI

!

+--------+------+----------------------------------------------------------+
! viewer ! All

! show syslog

!

! viewer ! All

! show snmp community

!

! viewer ! All

! show snmp station

!

! viewer ! All

! show snmp alarm config

!

! viewer ! All

! show snmp trap config

!

! viewer ! All

! show configuration consistency

!

! viewer ! All

! show snmp trap thresholds

!

! viewer ! All

! show snmp alarm thresholds

!

! viewer ! All

! show monitoring-host

!

! viewer ! All

! show user cmd [adm|ope|viewer]

!

! viewer ! All

! show running-directory

!

! viewer ! All

! show peer-net <1..2047> lpoc

!

! viewer ! All

! show trunk [trusted|untrusted|oam|inter-dhspp4] port

!

! viewer ! All

! show configuration {running|working|certified}

!

! viewer ! All

! show interfaces [S/P]

!

! viewer ! All

! show load-balancing-group [<1..32>] rpoc [<1..32>]

!

! viewer ! All

! show vlan [<0..4095>]

!

3FZ 08139 ACAA PCZZA
Edition 07
July 2015

Alcatel-Lucent — Proprietary
Use pursuant to applicable agreements

259

Users Management

show user cmd [adm|ope|viewer]

! viewer ! All

! show trunk [trusted|untrusted|oam|inter-dhspp4]

!

! viewer ! All

! show security-profile [<1..32>]

!

! viewer ! All

! show peer-net [<1..2047>] rpoc [<1..63>]

!

+--------+------+----------------------------------------------------------+
! Level

! Mode ! CLI

!

+--------+------+----------------------------------------------------------+
! viewer ! All

! show peer-net [<1..2047>]

!

! viewer ! All

! show peer-net [<1..2047>] statistics [trusted|untrusted] !

! viewer ! All

! show lpoc [untrusted [<1..128>]]

!

! viewer ! All

! show lpoc [trusted [<1..128>]]

!

! viewer ! All

! show port [untrusted [<1..128>]]

!

! viewer ! All

! show port [trusted [<1..128>]]

!

! viewer ! All

! show load-balancing-group [<1..32>]

!

! viewer ! All

! show peer-net [<1..2047>] filter [<1..32>]

!

! viewer ! CLI

! history

!

! viewer ! CLI

! quit

!

+--------+------+----------------------------------------------------------+

260

Alcatel-Lucent — Proprietary
Use pursuant to applicable agreements

3FZ 08139 ACAA PCZZA
Edition 07
July 2015

Users Management show user [adm|ope|viewer] show user [adm|ope|viewer] Purpose The purpose of the following command is to display the existing users. Commands show user [adm | ope| viewer] Example -> show user +-----------------+-------+------+------+ ! name ! level ! auth ! priv ! +-----------------+-------+------+------+ ! root ! admin ! none ! none ! ! sfwNonRegTester ! admin ! sha ! des ! +-----------------+-------+------+------+ 3FZ 08139 ACAA PCZZA Edition 07 July 2015 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 261 .

or on the trusted interface. SYSLOG messages can be sent either on the oam interface. Introduction The SFW supports sending SYSLOG messages in accordance to RFC 3164 and RFC 5424. according to RFC 5426. SYSLOG messages are transmitted using the UDP transport.18 Syslog Management Purpose This paragraph provides information about Syslog Management on the SIP firewall. Summary of the CLI for Syslog Management Syslog management syslog-server oam ip ip-address [port port-nb] syslog-server trusted ip ip-address [port port-nb] vlan vlan-id lpoc lpoc-id syslog-server [ip ip-address] [port port-nb] [vlan vlan-id] [lpoc lpoc-id] syslog [rate messages-per-seconds] [length max-message-length] [facility facility-code] [rfc3164|rfc5424] no syslog-server show syslog 3FZ 08139 ACAA PCZZA Edition 07 July 2015 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 262 .

port-nb This is the UDP listening port of the Syslog server.30 3FZ 08139 ACAA PCZZA Edition 07 July 2015 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 263 . the default SYSLOG UDP port number is 514. Commands syslog-server oam ip ip-address [port port-nb] Arguments ip-address This is the IPv4 address of the Syslog server.132.Syslog Management syslog-server oam ip ip-address syslog-server oam ip ip-address Purpose The purpose of the following command is to define a syslog-server accessible via the OAM interface. If port-nb is not specified. In that case the source IP address of the Syslog messages is the OAM IP address of the SFW.232. Example -> syslog-server oam ip 155. this means via the Ethernet port used for accessing the SFW CLI session through the SCM board.

Run the command “show lpoc trusted” to choose the lpoc-id according the source IPv4 address you want to get for Syslog messages. the default SYSLOG UDP port number is 514. Commands syslog-server trusted ip ip-address [port port-nb] vlan vlan-id lpoc lpoc-id Arguments ip-address This is the IPv4 address of the Syslog server. lpoc-id The lpoc-id allows setting of the source IP address for the Syslog messages to be sent. It must be a “trusted” lpoc. port-nb This is the UDP listening port of the Syslog server.2. vlan-id This is the Vlan identifier on the trusted side of the firewall on which the Syslog messages have to be sent to reach the syslog server.33 port 514 vlan 200 lpoc 128 264 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 3FZ 08139 ACAA PCZZA Edition 07 July 2015 . If port-nb is not specified. Example -> syslog-server trusted ip 192.Syslog Management syslog-server trusted ip ip-address syslog-server trusted ip ip-address Purpose The purpose of the following command is to define a syslog-server accessible via the trusted interface.168.

168. port-nb This is the UDP listening port of the Syslog server.Syslog Management syslog-server [ip] [port] [vlan] [lpoc] syslog-server [ip] [port] [vlan] [lpoc] Purpose The purpose of the following command is to modify the attributes of a syslog-server. Run the command “show lpoc trusted” to choose the lpoc-id according the source IPv4 address you want to get for Syslog messages. It must be a “trusted” lpoc.2. vlan-id This is the Vlan identifier on the trusted side of the firewall on which the Syslog messages have to be sent to reach the syslog server. The modification of the lpoc-id is only possible if the syslog-server has been defined as accessible via the “trusted” interface via the command “syslog-server trusted ip” Example -> syslog-server ip 192. Commands syslog-server [ip ip-address] [port port-nb] [vlan vlan-id] [lpoc lpoc-id] Arguments ip-address This is the IPv4 address of the Syslog server. The modification of the vlan-id is only possible if the syslog-server has been defined as accessible via the “trusted” interface via the command “syslog-server trusted ip”. If port-nb is not specified.34 -> syslog-server port 512 -> syslog-server vlan 201 3FZ 08139 ACAA PCZZA Edition 07 July 2015 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 265 . lpoc-id The lpoc-id allows setting of the source IP address for the Syslog messages to be sent. the default SYSLOG UDP port number is 514.

a default value of 50 is used. a default value of 1 (user-level messages) is used. If max-message-length is not specified.23]. max-message-length Maximum SYSLOG message length [480 – 8000]. Numerical Code 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 kernel messages user-level messages mail system system daemons security/authorization messages messages generated internally by syslogd line printer subsystem network news subsystem UUCP subsystem clock daemon security/authorization messages FTP daemon NTP subsystem log audit log alert clock daemon (note 2) local use 0 (local0) local use 1 (local1) local use 2 (local2) local use 3 (local3) local use 4 (local4) local use 5 (local5) local use 6 (local6) 23 266 Facility local use 7 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements (local7) 3FZ 08139 ACAA PCZZA Edition 07 July 2015 . facility-code value is taken from the System Message Facilities list of the RFC 5424. Commands syslog [rate messages-per-seconds] [length max-message-length] [facility facility-code] [rfc3164|rfc5424] Arguments messages-per-seconds Output rate for SYSLOG messages [0 – 100]. If messages-per-seconds is not specified.. If not specified. facility-code SYSLOG facility code [0. It is used to build the PRI field of SYSLOG message. a default value of 1024 is used.Syslog Management syslog [rate] [length] [facility] [rfc3164 | rfc5424] syslog [rate] [length] [facility] [rfc3164 | rfc5424] Purpose The behavior of SYSLOG client on SFW can be modified using the following command.

Example -> syslog rate 10 length 512 facility 1 no syslog-server Purpose The following command delete the SYSLOG server configuration.Syslog Management no syslog-server rfc3164 | rfc5424 To conform SYSLOG message format to RFC3164 or RFC5424. The default SYSLOG message format conforms to RFC3164. Commands no syslog-server 3FZ 08139 ACAA PCZZA Edition 07 July 2015 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 267 .

234 514 1 1 50 1024 rfc5424 1 -> show syslog Interface Server IP address Server Port lpoc Vlan rate length rfc facility : : : : : : : : : oam 192.168.10. Commands show syslog Example 268 -> show syslog Interface Server IP address Server Port lpoc Vlan rate length rfc facility : : : : : : : : : trusted 192.2.104 514 0 0 50 1024 rfc3164 11 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 3FZ 08139 ACAA PCZZA Edition 07 July 2015 .Syslog Management show syslog show syslog Purpose The following command displays SYSLOG server and client configuration.168.

Summary of the CLI for Syslog Management NTP servers management ntp server serverId ip ip_address no ntp server serverId show ntp server 3FZ 08139 ACAA PCZZA Edition 07 July 2015 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 269 .19 NTP servers Management Purpose This paragraph provides information about the configuration of the NTP servers on the SFW.

132. Example -> ntp server 1 ip 155. Commands no ntp server serverId Arguments serverId 270 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 3FZ 08139 ACAA PCZZA Edition 07 July 2015 . Up to 3 NTP servers can be created. this means via the Ethernet port used for accessing the SFW CLI session through the SCM board.21 no ntp server serverId Purpose The purpose of the following command is to delete a ntp server.232. They must accessible via the OAM interface. ip-address This is the IPv4 address of the NTP server.NTP servers Management ntp server serverId ip ip-address ntp server serverId ip ip-address Purpose The purpose of the following command is to define a NTP server. Commands ntp server serverId ip ip_address Arguments serverId This is the identifier of the NTP server.

232.NTP servers Management show ntp server This is the identifier of the NTP server to be deleted.10 ! ! 3 ! 155.117.30 ! +-----------+----------------+ 3FZ 08139 ACAA PCZZA Edition 07 July 2015 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 271 .132. Example -> no ntp server 1 show ntp server Purpose The purpose of the following command is to display the NTP servers configuration.121. Commands show ntp server Example 3FZ-08139-AAAA-PCZZA! 135.

20 Monitoring SIP messages dropped Purpose To be able to track SIP Packets rejected by the firewall either because of a DOS attack or a misconfiguration. The Monitoring-Host can be either reachable via the OAM interface or via the Trusted interface of the firewall..128>] [vlan vlanId] [rate msgsec ] show monitoring-host 3FZ 08139 ACAA PCZZA Edition 07 July 2015 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 272 . Summary of the CLI for Monitoring-Host Management Monitoring-Host management monitoring-host trusted ip ipAddress port ipPort lpoc trustedLpoc vlan vlanId rate msgsec monitoring-host oam ip ipAddress port ipPort rate msgsec monitoring-host [ip ipAddress] [port ipPort] [lpoc <1. you have the ability to define a host where these packets will be forwarded.

2. vlan This is the vlan identifier.110 port 5060 lpoc 128 vlan 200 rate 10 3FZ 08139 ACAA PCZZA Edition 07 July 2015 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 273 . on the trusted side. ipPort This is the destination port for the packets sent to the Monitoring-Host.Monitoring SIP messages dropped monitoring-host trusted ip ip-address port ipPort monitoring-host trusted ip ip-address port ipPort Purpose The purpose of the following command is to define a Monitoring-Host. The rate limiter must be set between 1 and 10 messages per second.168. reachable via the Trusted interface of the firewall. Any trusted LPOC can be selected. trustedLpoc The source IP address of the packets sent to the Monitoring-Host will be the IP address assigned to the “Trusted LPOC” mentioned here. A specific trusted LPOC can also be configured to assign a dedicated source IP address for the messages sent to the Monitoring-Host. allowing to reach the Monitoring-Host. Example -> monitoring-host trusted ip 192. It must be located on the trusted side of the firewall. where the SIP packets detected as invalid and dropped will be forwarded. The default value is 10. Commands monitoring-host trusted ip ipAddress port ipPort lpoc trustedLpoc vlan vlanId rate msgsec Arguments ip-address This is the IPv4 address of the Monitoring-Host. Run the command “show lpoc trusted” to get the list of LPOC and related IP addresses. rate This is the rate limiter associated with the monitoring feature to limit the number or forwarded messages.

The second message is a copy of the original SIP message that has been rejected by the firewall. See an example hereafter.23.7.2.168.8.cpp line:763 Warning: mark:CallID error:(13)HeaderNotFound 274 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 3FZ 08139 ACAA PCZZA Edition 07 July 2015 .Monitoring SIP messages dropped monitoring-host trusted ip ip-address port ipPort Additional information On the monitoring host you just need to run wireshark.205> From: <172.SFW. The INFO message provides the cause of the drop.8.ERROR SIP/2.9:50001> To: <10.0 Message Header User-Agent: ALU SFW ERROR REPORTING Contact: <SFW-5. Example of INFO message on the Monitoring-Host Request-Line: INFO sip:peernet8@ALU.3 file:sfw_dfa_api. When the SFW dropped a SIP messages two messages are forwarded to the monitoring host: Both messages can be correlated via the “Identification” field of the IP header.slot11@192.10.5:5060> CSeq: 2630 INFO Warning: Version:1.

ipPort This is the destination port for the packets sent to the Monitoring-Host. the Monitoring-Host must be reachable via the OAM interface of the firewall. The default value is 10. The rate limiter must be set between 1 and 10 messages per second.2. rate This is the rate limiter associated with the monitoring feature to limit the number or forwarded messages. When invalid SIP messages are sent to the Monitoring-host. where the SIP packets detected as invalid and dropped will be forwarded. In that case. Commands monitoring-host oam ip ipAddress port ipPort rate msgsec Arguments ip-address This is the IPv4 address of the Monitoring-Host. reachable via the OAM interface of the firewall. this means through the SCM2 hosting the DHSPP4. as “oam” as been specified in the CLI.168.110 port 5060 rate 10 3FZ 08139 ACAA PCZZA Edition 07 July 2015 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 275 . the source IP address is the OAM IP address of the firewall. Example -> monitoring-host oam ip 192.Monitoring SIP messages dropped monitoring-host oam ip ip-address port ipPort monitoring-host oam ip ip-address port ipPort Purpose The purpose of the following command is to define a Monitoring-Host.

the output is different. Port This is the destination port for the packets sent to the Monitoring-Host. on the trusted side. It identifies the source IP address for the messages to be sent to the Monitoring-Host. lpoc This parameter is valid only if the Monitoring-Host has been defined on the Trusted side of the firewall. This IP address is the one assigned to the given trusted LPOC. vlan This parameter is valid only if the Monitoring-Host has been defined on the Trusted side of the firewall. This is the vlan identifier. Depending on the location of the Monitoring-Host.Monitoring SIP messages dropped show monitoring-host show monitoring-host Purpose The following command displays the Monitoring-Host configuration. allowing to reach the Monitoring-Host. rate This is the rate limiter associated with the monitoring feature to limit the number or forwarded messages. either reachable via the trusted interface or the oam interface. 276 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 3FZ 08139 ACAA PCZZA Edition 07 July 2015 . Commands Show monitoring-host Output attributes IP address This is the IPv4 address of the Monitoring-Host.

128.110 5060 128 200 10 -> show monitoring-host interface : OAM IP address : 139.Monitoring SIP messages dropped show monitoring-host Example -> show monitoring-host IP address Port lpoc Vlan rate : : : : : 192.168.54.2.34 Port : 5060 rate : 10 3FZ 08139 ACAA PCZZA Edition 07 July 2015 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 277 .

The working and certified configurations are stored in flash while the running configuration is in RAM. few “show” commands listed in that chapter allow you to monitor the status of the SFW. and the running configuration.21 Configuration Management Purpose The Configuration Management CLI commands allow you to manage the SFW configuration files in the working directory. the certified directory. Pay attention to: show running directory show configuration consistency show system show sfw status Summary of the CLI for Configuration Management Configuration management copy running working copy working certified show configuration { running | working | certified } show running directory show configuration consistency switchover configuration retrieve show system system location show sfw status 3FZ 08139 ACAA PCZZA Edition 07 July 2015 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 278 . Beyond the configuration management.

This command overwrites the config. Commands copy working certified 3FZ 08139 ACAA PCZZA Edition 07 July 2015 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 279 . Commands copy running working copy working certified Purpose This command is used to overwrite the content of the certified directory with the content of the working directory.cfg file of the working directory. The checks are related to the IP configuration. This should only be done if the contents of the working directory have been verified as the best version of the SFW configuration. To ensure that the working configuration is valid it will be possible in a future SFW release to perform the command “reload working” prior to “copy working certified” to validate the working configuration. the command ”reload working” will allow to check the validity of the working configuration. see the command “show configuration consistency” to get details about the points that are checked. In a future release.Configuration Management copy running working copy running working Purpose The purpose of the following command is to copy the running configuration (in RAM) to the working directory (in flash). By default the SFW restarts with the certified configuration. The consistency of the configuration is checked when the configuration is saved via the CLI commands “copy running working”.

• “Show configuration running” displays the current configuration in RAM. • “Show configuration certified” displays the configuration saved in flash in the certified directory via the command “copy working certified”. The SFW always restart from the “certified” configuration. Three options are possible.Configuration Management show configuration Warning With the current release to save the SFW configuration you need to run the following steps: Run the command “copy running working” Run the command “copy working certified” There is no way to jump from the “running” configuration to the “certified” configuration. • “Show configuration working” displays the configuration saved in flash in the working directory via the command “copy running working”. In a future release it will be possible to reload the SFW with the “working” configuration to ensure that this configuration is good prior to save it in the “certified” directory. show configuration Purpose The purpose of the following command is to display the firewall configuration. Commands show configuration { running | working | certified } 280 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 3FZ 08139 ACAA PCZZA Edition 07 July 2015 .

Running configuration Configuration may have changed but not yet saved. hosting the current active DHSPP4. A start-up from the certified directory is the normal case. IP configuration consistency The status. The status tells you if the command “copy working certified” needs to run. tells you if inconsistencies have been detected in the IP configuration of the firewall. the exception is the start-up issued via the command “reload working”. Same information can be retrieved with the command “show configuration consistency”. YES or NO. The status tells you if the command “copy running working” needs to run. Certify status Configuration may have been saved in the “working” directory but not yet in the “certified” directory.Configuration Management show running-directory show running-directory Purpose The purpose of the following command is to display information about the status of the configuration. 10 or 11. Example -> show running-directory CONFIGURATION STATUS Current Active DHSPP4 slot Last reload from Running configuration Certify status IP configuration consistency 3FZ 08139 ACAA PCZZA Edition 07 July 2015 : : : : : 11 CERTIFIED copy running working NOT NEEDED copy working certified NOT NEEDED YES Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 281 . Last reload from CERTIFIED or WORKING. Commands show running-directory Output Information Current Active DHSSP4 slot This is the SCM slot.

The consistency of the configuration can also be checked via the CLI command “show configuration consistency”. • If a Vlan is assigned to more than one Peer-Network. its IP address must belong to the vlan subnet • If a Local Point of Contact (lpoc) associated with a Peer-Network doesn’t belong to the vlan subnet associated with this Peer-Network. • If a vlan “router” has been defined. • If a Local Point of Contact (lpoc) associated with a Load-Balancing-Group doesn’t belong to the vlan subnet associated with this Load-Balancing-Group. IP overlapping between PeeringPoint IP addresses (rpoc) and IP filters must not exist. • If a vlan “gateway” has been defined. then a “router” must have been defined for the vlan. Commands show configuration consistency 282 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 3FZ 08139 ACAA PCZZA Edition 07 July 2015 . then a “gateway” must have been defined for the vlan. The consistency checking are the following ones: • If a peering-point IP address (rpoc) associated with a Peer-Network doesn’t belong to the vlan subnet associated with this Peer-Network. IP overlapping between Peering-Point IP addresses (rpoc) must not exist. • If a Vlan is assigned to more than one Peer-Network. then a “router” must have been defined for the vlan.Configuration Management show configuration consistency show configuration consistency Purpose This commands allows you to detect anomalies in the SFW configuration related to IP configuration. IP overlapping between CCS IP addresses (rpoc) must not exist. IP overlapping between Peering-Point IP addresses (rpoc) and IP filters must not exist. its IP address must belong to the vlan subnet • Within a Peer-Network. • Within a Load-Balancing-Group. The consistency of the configuration is checked when the configuration is saved via the CLI commands “copy running working”. IP overlapping between PeeringPoint IP addresses (rpoc) must not exist. then a “gateway” must have been defined for the vlan. • Within a Peer-Network. • If a MGC8 IBCF CCS IP addresses (rpoc) associated with a Load-Balancing-Group doesn’t belong to the vlan subnet associated with this Load-Balancing-Group.

vlan 10 has a router outside of the vlan subnet Running configuration is not consistent ! switchover Purpose This command performs a switchover. Run the command “ show running-directory” to get this information. Commands switchover Warning This command cannot be issued twice in a row without waiting for a minimal delay of 45 seconds.Configuration Management switchover Example -> show configuration consistency Running configuration is consistent -> show configuration consistency IPv4 ERROR . A “copy running working” followed by a “copy working certified” may be required before issuing this command. 3FZ 08139 ACAA PCZZA Edition 07 July 2015 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 283 . The Active DHSPP4 performs a restart and the Backup DHSPP4 becomes Active.

LUCENT ATCA-SFW 1. In that case the unique SFW name avoids overwriting the existing configuration with the one that may exist on the replacement board. 3 At this point you will be able to access the CLI only with the initial user/password.0 2011/02/21 11:43 Running configuration : WITHOUT CONFIGURATION In case the SFW name has been changed in sitecfg you can run "configuration retrieve" CLI to retrieve former configuration Hello root ! We strongly recommend you to change your password for a safer one !!! 284 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 3FZ 08139 ACAA PCZZA Edition 07 July 2015 .sfw as described in the paragraph “How to configure the SFW SITE specific parameters” 2 Perform a double switchover to reload the new sitecfg.3. is displayed in all SNMP traps.Configuration Management configuration retrieve configuration retrieve Purpose The SFW name is not configurable via a CLI command. configured via the sitecfg. • The SFW name is the CLI prompt. Contact your account or technical support representative for information about default login / password.sfw.sfw on both DHSPP4. This is particularly important in case of SCM/DHSPP4 hot-swap. It should have been configured during the SFW first installation via the sitecfg. See the paragraph “How to configure the SFW SITE specific parameters” later in that document to see how to configure the SFW name. • The SFW name. 4 You will notice that you restarted without any configuration. if you wish to re-configure the SFW name you need to follow the procedure described hereafter: Steps 1 Update the sitecfg. login : root password : ****** *********************************************** ALCATEL . It’s quite important to configure the SFW name because: • The SFW name uniquely identifies the SFW.sfw configuration file. So.

SFW name and location. This is the sysObjectId of the RFC1213 mib. Up Time Provides the times since the SFW is up and running. Object ID Provides the SNMP oid identifying the SFW node. Commands show system Output Information Description Provides the SFW software release. 3FZ 08139 ACAA PCZZA Edition 07 July 2015 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 285 . END OF STEPS show system Purpose The purpose of the following command is to display information about the SFW node you are managing such as SFW software release. Contact Initialized with the Alcatel-Lucent Customer Portal. Similar information can be retrieved via SNMP by performing a SNMP get on the “system” objects of the RFC1213 mib. A “switchover” is not counted as a system boot as upon a switchover the SFW backup DHSPP4 is taking over without restarting. 6 On the next attempt to access the CLI session you can use your previous user/password. the number of system boots that occurred from the first SFW installation is provided. This is the sysDescr of the RFC1213 mib.Configuration Management show system 5 To retrieve the previous configuration you just need to run the CLI “configuration retrieve”. This command will restore the former configuration and you will be disconnected from the CLI session. This is the sysContact of the RFC1213 mib. This is the sysUpTime of the RFC1213 mib. Additionally. There is no CLI to modify this object.

71.6.sfw file where static configuration is defined at the first SFW installation.3. It can be used to locate the 7510 hosting the SFW.3. This attribute is displayed in all SNMP traps sent by the SFW. There is no CLI to initialize this object. This is the sysName of the RFC1213 mib. This is the sysLocation of the RFC1213 mib.20 1 days 01 hours 52 minutes and 20 seconds (boot #14) Alcatel-Lucent. Location Provides information about the location of the SFW. The SFW name comes from the sitecfg.0 2011/02/21 18:39 1. http://alcatel-lucent.Configuration Management show system Name Initialized with the SFW name.637. The CLI “system location” allows to modify this attribute. Example -> show system Description : Object ID : Up Time : Contact : Name : Location : Date & Time : 286 7510-SFW 1.1. This attribute is displayed in all SNMP traps sent by the SFW.4.1.com/wps/portal/ sfw5 7510-Orvault-TR34-Baie36 Wed Apr 27 10:02:15 2011 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 3FZ 08139 ACAA PCZZA Edition 07 July 2015 .

The system location can range from 1 to 53 characters in length. The system location can be then displayed via the command “show system”. This value is useful to correlate the SFW node with the 7510 hosting it. The system location is written in all SNMP traps sent by the SFW in the field AdditionnalText. For example. Example -> system location 3FZ 08139 ACAA PCZZA Edition 07 July 2015 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 287 . 7510-Orvault-TR34-Baie36.Configuration Management system location system location Purpose This command updates the “system location” information. Commands show location text_string Arguments text_string Describes the SFW physical location.

CPU Load This is an average of the CPU load over the 12 cores of the Active DHSPP4. o What is the temperature for each DHSPP4.Configuration Management show sfw status show sfw status Purpose The purpose of the following command is to display information about the status of SFW DHSPP4 boards such as temperature. FPAS memory distributor % free Provides the percentage of free memory for FPAS memory areas. FPA memory distributor % free Provides the percentage of free memory for FPA memory areas. Example -> show sfw status +------+---------+---------+---------+ ! slot ! DHSPP ! SCM ! celsius ! +------+---------+---------+---------+ ! 11 ! ACTIVE ! STANDBY ! 59 ! ! 10 ! STANDBY ! UNKNOWN ! 57 ! +------+---------+---------+---------+ 0% CPU load FPA memory distributor PACKET BUFFER WORK QUEUE ENTRY DFA RESULT DFA COMMAND PKO COMMAND BUFFER TIMER CHUNKS % free : 99 : 93 : 100 : 99 : 96 : 99 FPAS memory distributor % free 288 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 3FZ 08139 ACAA PCZZA Edition 07 July 2015 . Commands show sfw status Output Information ! slot ! DHSPP ! SCM ! celsius ! This table allows the operator to know. for each SFW board: o Which DHSPP4 is currently Active and which one is Standby. CPU and Memory consumption. o Which SCM2 is currently Active.

Configuration Management IP FLOW COLLISION BLOCK IP FRAGMENT TCP CONTEXT SIP CONTEXT ARP CACHE 3FZ 08139 ACAA PCZZA Edition 07 July 2015 show sfw status : : : : : : 99 99 100 99 99 98 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 289 .

Summary of the CLI for Configuration Management CLI Session management cli session timeout show cli session 3FZ 08139 ACAA PCZZA Edition 07 July 2015 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 290 . Refer to the paragraph “SFW prerequisite” at the beginning of that document to know how to open a CLI session via a SSH tunnel.22 CLI Session Management Purpose The SFW accepts simultaneously up to 20 SSH CLI sessions. The CLI listed below allow to modify the default CLI session timeout and to display the currently opened sessions.

Commands Show cli session example -> show cli session CLI session timeout : 60 minutes +------+-------------+------------+---------------------+ ! user ! status ! inactivity ! origin ! +------+-------------+------------+---------------------+ ! root ! established ! 0 seconds ! 139. show cli session Purpose The purpose of the following command is to display the currently opened CLI sessions.54.CLI Session Management cli session timeout cli session timeout Purpose The purpose of the following command is to modify the default CLI session timeout (5mn).34:48218 ! +------+-------------+------------+---------------------+ 3FZ 08139 ACAA PCZZA Edition 07 July 2015 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 291 .34:47156 ! ! root ! established ! 21 minutes ! 139.128.128.54. Commands cli session timeout time_in_mn Arguments time_in_mn The default timeout range is between 1 and 1440 minutes.

3FZ 08139 ACAA PCZZA Edition 07 July 2015 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 292 . • SFW name • Trusted Domain Name • SIP Status mode and extension • SNMP V2c Client community name The configuration of these objects is done via the file sitecfg. After updating this file according to your site-specific data you need to upload it to the SCM boards and reboot the DHSPP4.sfw.23 How to configure the SFW SITE specific parameters Purpose With the SFW release R2.0 there are some SFW objects that cannot be yet configurable via CLI.

sfwStaticConf.SFW configuration file The sitecfg.com # SIP status mode # list of choice all restricted restricted # SIP status extension # SNMPv2 # community name public # EOF Steps 1 Go to the Alcatel-Lucent Customer and Business Partner Portal : o https://market. o Select the “Manuals and Guides” link o Download the document 3FZ-08141-ACAA-PCZZA “SFW .com/release/jsp/sso/login. within the box “Technical Content for”.SFW configuration file How to update the SITECFG.xls . sitecfg. select the product 7510 MGW (Media Gateway). # SFW name SFW-site1 # Trusted domain name atlanta.0” 3FZ 08139 ACAA PCZZA Edition 07 July 2015 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 293 .jsp o After a successful login.How to configure the SFW SITE specific parameters How to update the SITECFG.alcatel-lucent.sfw can be created from an excel template available on the Customer Portal in the “Manuals and Guides” section of the 7510 MGW product.sfw template for release R3.

xls format for further modifications.xls excel file.org/wiki/view/SIP+response+codes o All : the list of SIP response codes is not restricted. configures the SNMP V2 community name.sfw 11 Then follow the next procedure “Install the sitecfg. 4 Modify the Trusted Domain Name. 6 Optionally configure the section “SIP Status Extension”.voip-info.SFW configuration file 2 According to your site configuration. 9 Save the Excel file in sfwStaticConf. 3 Modify the SFW name. If the “SIP Status Mode” has been set to “restricted”. 5 Select the “SIP Status Mode”: o Restricted : the list of SIP response code is restricted to the list define by http://www. All codes are accepted.csv format to allow its parsing by the SFW application 10 Rename the sfwStaticConf. This is required if you want to perform SNMP V2 set/get from the OMC-P as the CLI only allows you to configure SNMP V3 parameters.net”.csv file as sitecfg.How to configure the SFW SITE specific parameters How to update the SITECFG.sfw configuration file on the SFW” END OF STEPS 294 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 3FZ 08139 ACAA PCZZA Edition 07 July 2015 .net” appended during topology hiding in the “tokenized-by=sfw. you have the ability to extend the list of authorized response codes. This will replace the default domain name “sfw. update the above sfwStaticConf-R20x. 7 If needed. 8 Save the Excel file in sfwStaticConf. This will affect the CLI prompt.

Steps 1 copy the sitecfg. 2 Log in to the 7510 Contact your account or technical support representative for information about default login/password. Warning.1/sitecfg.sfw on your tftp server. ACT-SCM:1. this file must be in CSV format (NOT in XLS format).4:/7510/sfw7510.sfw on the Standby SCM.10.11.SFW configuration file on the SFW Follow the procedure below to apply on the SFW the configuration described above.sfw exit Enable both DHSPP4 cards (this step is only required during the first SFW/DHSPP4 installation) ACT-SCM:1.3. ACT-SCM:1.3.4:/7510/sfw-7510.0.10(r0)> tftp get 1.10(r0)> Setting up remote STB-SCM:1.1.2.1 ACT-SCM:1.1.1.SFW configuration file on the SFW Install the SITECFG.10(r0)> enable module gw.How to configure the SFW SITE specific parameters Install the SITECFG.10(r0)> reset module 1 10 amc ACT-SCM:1.sfw on the Active SCM.11(r0)> 5 rc 1 11 console to [01][11] tftp get 1.amc.11(r0)> STB-SCM:1. 3 "tftp get" the sitecfg.10(r0)> save (safe for reboot) 6 Reset both DHSPP4 (this step is not required during the first SFW/DHSPP4 installation) ACT-SCM:1.sfw 4 "tftp get" the sitecfg.10(r0)> enable module gw.0/sitecfg.1 ACT-SCM:1.1.amc.10(r0)> reset module 1 11 amc END OF STEPS 3FZ 08139 ACAA PCZZA Edition 07 July 2015 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 295 .1.2.

.

through few examples. case 1 304 Trusted side IP connectivity. Link Aggregate or Active/Standby mode 299 Untrusted side IP connectivity with VRF support 300 Untrusted side IP connectivity without VRF support 302 Trusted side IP connectivity. a quick overview of the SFW IP configuration.A IP Configuration example Overview Purpose This appendix provides. Contents This appendix covers these topics. case 2 305 3FZ 08139 ACAA PCZZA Edition 07 July 2015 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 297 . IP Configuration Introduction 298 Untrusted/Trusted Interfaces.

• Trusted and Untrusted interfaces are connected to the next-hop IP using either o Static Link Aggregation (802. • A trunk between the 2 DHSPP4 operates SIP frame relay between Active/Standby.3ad).1q tagged vlans • Overlapping IP addresses of peering points is supported but requires the PE router to support VRF feature. If the PE router is not carrier grade this is the configuration to be chosen. 298 • Peer Networks realm separation is achieved using 802. This is the preferred configuration but it requires the PE Router to be carrier grade. • Each DHSPP4 is hosted in a different 7510 SCM2 board (slot 10 and slot 11) • The standby DHSPP4 operates in layer 2 pass-through mode for the SIP signaling traffic. • A single Point of Contact (POC) can be defined for all peer networks. Or o Active/Standby configuration. • If single POC and realm separation are both needed the PE router must support VRF Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 3FZ 08139 ACAA PCZZA Edition 07 July 2015 .IP Configuration example IP Configuration Introduction IP Configuration Introduction • The SIP firewall is made of 2 DHSPP4 running in Active/Standby mode for the SIP Firewalling application.

Link Aggregate or Active/Standby mode Untrusted/Trusted Interfaces. Active/Standby configuration in case of Switch-Routers that are not carrier grade. • Link Aggregate or Active/Standby mode 2 network configurations are possible depending on Switch/Router capability: Static Link Aggregation (802. 3FZ 08139 ACAA PCZZA Edition 07 July 2015 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 299 .3ad) configuration with carrier grade router.IP Configuration example Untrusted/Trusted Interfaces.

255.1 udp 5060 ! *** vlans vlan 11 untrusted enable name UNTRUSTED_VLAN_11 vlan 11 subnet 192.168.255.255.252 router 192.11.0.0 mask 255.11.12. • SFW LPOC and Peer Network in different subnets • Overlapping IP addresses for peering points is possible as the PE router is supporting VRF.12.168.20. The PE Router must support VRF.168.252 router 192.1 vlan 12 untrusted enable name UNTRUSTED_VLAN_12 vlan 12 subnet 192.168.12.0 mask 255.IP Configuration example Untrusted side IP connectivity with VRF support Untrusted side IP connectivity with VRF support Assumption : PE Router is supporting VRF. CLI Configuration ! *** trunks trunk untrusted mode linkagg ! *** Poc untrusted lpoc untrusted 1 enable name LPOC_UNTRUSTED_1 lpoc untrusted 1 ip 160.2 rip gw 192.255.1 ! *** peer networks peer-net 1 enable name PEER_1 300 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 3FZ 08139 ACAA PCZZA Edition 07 July 2015 .168.168.2 rip gw 192.11. • Realm separation using different Vlan tags • Single point of contact for all Peer Networks.

0.IP Configuration example Untrusted side IP connectivity with VRF support peer-net peer-net peer-net peer-net 1 1 1 1 lpoc vlan rpoc rpoc peer-net peer-net peer-net peer-net peer-net 2 2 2 2 2 enable name PEER_2 lpoc 1 vlan 12 rpoc 1 ip 150.1 must be successful 3FZ 08139 ACAA PCZZA Edition 07 July 2015 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 301 .40.0.40.12.0.1 or 192.0.0.50.1 must be successful Ping from the peering-points (rpoc) to the untrusted lpoc 160.4 udp 5060 • • 1 11 1 ip 150.1 ) to the untrusted lpoc 160.20.50.0.1 udp 5060 2 ip 150.168.2 udp 5060 Ping from the router (src IP 192.11.20.3 udp 5060 rpoc 2 ip 150.168.

12.2 udp 5060 ! *** vlans vlan 11 untrusted enable name UNTRUSTED_VLAN_11 vlan 11 subnet 160.2 udp 5060 enable name LPOC_UNTRUSTED_2 ip 192. • Realm separation using different Vlan tags • One point of contact per Peer Network.11.20.255.1 ! *** peer networks peer-net 1 enable name PEER_1 302 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 3FZ 08139 ACAA PCZZA Edition 07 July 2015 .255.255.11.11. CLI Configuration ! *** trunks trunk untrusted mode linkagg ! *** Poc untrusted lpoc lpoc lpoc lpoc untrusted untrusted untrusted untrusted 1 1 2 2 enable name LPOC_UNTRUSTED_1 ip 192.168.20.255.252 no rip gw 160.20. • SFW LPOC and Peer Network in different subnets • Overlapping IP addresses for peering points is not possible because the PE router is not supporting VRF.168.0 mask 255.20.1 vlan 12 untrusted enable name UNTRUSTED_VLAN_12 vlan 12 subnet 160.252 no rip gw 160.0 mask 255.12.IP Configuration example Untrusted side IP connectivity without VRF support Untrusted side IP connectivity without VRF support Assumption : PE Router is not supporting VRF.12.

40.12.4 udp 5060 • Ping from the router to the untrusted lpoc 160.0.IP Configuration example Untrusted side IP connectivity without VRF support peer-net peer-net peer-net peer-net 1 1 1 1 lpoc vlan rpoc rpoc 1 11 1 ip 150.2 must be successful • Ping from the peering-points (rpoc) to the untrusted lpoc must be successful 3FZ 08139 ACAA PCZZA Edition 07 July 2015 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 303 .40.50.20.2 and 160.0.3 udp 5060 rpoc 2 ip 150.0.50.2 udp 5060 peer-net peer-net peer-net peer-net peer-net 2 2 2 2 2 enable name PEER_2 lpoc 2 vlan 12 rpoc 1 ip 150.1 udp 5060 2 ip 150.20.0.11.

case 1 Trusted side IP connectivity.168.252 gw 192.255.168.1 enable name LPOC_TRUSTED_1 ! *** vlans vlan 20 trusted enable name TRUSTED_VLAN_20 vlan 20 subnet 192.20 rpoc 4 ip 192.20.20 udp udp udp udp 5061 5062 5061 5062 ! *** load balancing group and peer-network association peer-net 1 load-balancing-group 1 304 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 3FZ 08139 ACAA PCZZA Edition 07 July 2015 .168.255. case 1 • CCSs addresses and Trusted lpoc in different subnets • Single Point of Contact on the trusted side CLI Configuration ! *** trunks trunk trusted mode linkagg ! *** Poc trusted lpoc trusted 1 ip 192.10.2 no rip ! *** load balancing group load-balancing-group load-balancing-group load-balancing-group load-balancing-group load-balancing-group load-balancing-group load-balancing-group 1 1 1 1 1 1 1 enable name LBG_1 vlan 20 lpoc 1 rpoc 1 ip 192.10.IP Configuration example Trusted side IP connectivity.20.10 rpoc 3 ip 192.10.168.0 mask 255.10.168.168.10 rpoc 2 ip 192.168.20.

10.2 ) to the trusted lpoc 192.20.0 mask 255.IP Configuration example Trusted side IP connectivity.255.1 enable name LPOC_TRUSTED_1 ! *** vlans vlan 10 trusted enable name TRUSTED_VLAN_20 vlan 10 subnet 192.10.168.1 must be successful • Ping from the CCSs (rpoc) to the trusted lpoc must be successful Trusted side IP connectivity. case 2 • CCSs addresses and Trusted lpoc in the same subnet • Single Point of Contact on the trusted side CLI Configuration ! *** trunks trunk trusted mode linkagg ! *** Poc trusted lpoc trusted 1 ip 192.168.168.255.0 ! *** load balancing group load-balancing-group 1 enable name LBG_1 load-balancing-group 1 vlan 10 3FZ 08139 ACAA PCZZA Edition 07 July 2015 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 305 . case 2 peer-net 2 load-balancing-group 1 • Ping from the router (src IP 192.20.168.

10 192.10.168.10.168.1 must be successful • Ping from the switch to the trusted lpoc cannot be performed Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 3FZ 08139 ACAA PCZZA Edition 07 July 2015 .168.10 192.IP Configuration example Trusted side IP connectivity.10.10.20 udp udp udp udp 5061 5062 5061 5062 ! *** load balancing group and peer-network association peer-net 1 load-balancing-group 1 peer-net 2 load-balancing-group 1 306 • Ping from the CCSs (rpoc) to the trusted lpoc 192.10.168.20 192. case 2 load-balancing-group load-balancing-group load-balancing-group load-balancing-group load-balancing-group 1 1 1 1 1 lpoc rpoc rpoc rpoc rpoc 1 1 2 3 4 ip ip ip ip 192.168.

.

once to create the object with an IPv4 (or IPv6) address.B IPv6 support Overview Purpose This appendix is only focused on the areas impacted by IP v6 configuration. You just need to specify an IPv6 address with the right format (e.g. The set of CLI commands to configure dual stack IPv4/IPv6 objects is almost the same than the one you already known for the previous SFW releases and is backward compatible with the previous configuration files. PeerNetwork rpoc and Load-Balancing-Group rpoc. This applies to vlan configuration. Lpoc and rpoc creation is done with the same set of CLI commands than previously. 3FZ 08139 ACAA PCZZA Edition 07 July 2015 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 308 . create and modify IPv4/IPv6 objects SFW supports IPv6 and IPv4 on trusted and untrusted sides. lpoc configuration. The CLI commands are not explained in details and the purpose here is to get an overview of what has changed since the previous release that was only supporting IPv4. This means that these objects can have simultaneously an IPv4 and an IPv6 address. “Load-Balancing-Group” and “Vlan”. and then a second time to add the IPv6 (or IPv4 address). The detailed description of each command is provided in the previous chapters “LPOC”. 2001:b8::192:168:2:5) to get an IPv6 stack. If the lpoc or rpoc is dual-stack you need to run the command twice. “Peer-Network”. All objects related to Trusted and Untrusted sides that were previously IPv4 only are now dual-stack IPv4/IPv6.

16.23.16.0/24 vlan 11 subnet 2001:11::/64 But a configuration file with the command “vlan 11 … subnet 172. with the help of periodic IP and SIP polling.0” is still accepted as the compatibility with previous releases is ensured.17. Examples: Vlan 11 no ipv6 router Vlan 11 no ipv6 gw With dual stack IPv4/IPv6 objects it can become tricky to check end-to-end IP connectivity. then lpoc and vlan must also be dual stack.IPv6 support create and modify IPv4/IPv6 objects Examples: lpoc untrusted 2 ip 172.8. IP address deletion for vlan requires new keywords to know on which IP address the CLI needs to be applied.g.255.0 mask 255.11. 255.255. if rpoc are dual stack. 2 new commands have been introduced: Show peer-net connectivity Show load-balancing-group connectivity These commands.255. For example. Examples: lpoc untrusted 2 no ipv6 peer-net 20 rpoc 15 no ipv4 Vlan creation has been slightly modified to accept IPv6 address format.2. Examples: vlan 11 untrusted enable name UNTRUSTED_VLAN_11 subnet 172. Previously the IP mask was written with the IP address format (e.11. Now for both IPv4 and IPv6 the mask has to be defined using the “/length” format. 3FZ 08139 ACAA PCZZA Edition 07 July 2015 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 309 .255. To facilitate the IP connectivity status.9 peer-net 20 rpoc 15 ip 2001:8::172:23:8:9 IP address deletion for lpoc and rpoc requires new keywords to know on which IP address the CLI needs to be applied.0). allow detection of inconsistencies in the configuration or IP connectivity issue toward the remote poc.5 enable name LPOC_UNTRUSTED_2 lpoc untrusted 2 ip 2001:2::172:17:2:5 peer-net 20 rpoc 15 ip 172.

you can still use a single tagged vlan per Peer-Network.IPv6 support IPv6 Q&A IPv6 Q&A IPv4 and IPv6 precedence in case of dual-stack. IPv4 and IPv6 can work over the same vlan. The LPOC needs to be dual-stack. a dual-stack Peering-Point is reached via the same listening port on the Trusted Local POC of the firewall. priority is given to IPv6. IPv4 and IPv6 can work over the same vlan. When IPv6 and IPv4 are both present on one interface. Does IPv6 support means modification in Vlan / Peer-Network association? No. Does IPv6 support means modification in Vlan / Load-Balancing association? No. you can still use a single tagged vlan per Load-Balancing-Group. Which SFW objects remain IPv4 only? The following objects remain IPv4 only: NTP client/server Syslog client/Server Monitoring Host OAM interfaces (CLI and SNMP) 310 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 3FZ 08139 ACAA PCZZA Edition 07 July 2015 . Is there a change in Peering-Point addressing from MGC8 point of view? No.

IPv6 support IPv6 Q&A CLI for IPv6 support Trusted and Untrusted LPOC lpoc untrusted poc_id [ip ip_address] [enable | disable] [name description] lpoc untrusted poc_id no ipv6 lpoc untrusted poc_id no ipv4 lpoc trusted poc_id [ip ip_address] [enable | disable] [ name description] lpoc trusted poc_id no ipv6 lpoc trusted poc_id no ipv4 show lpoc [trusted [ poc_id ]| untrusted [poc_id]] Vlan vlan vid {trusted | untrusted} [enable | disable] [name description] subnet ip_address/len [router ip_address [rip | no rip]] [gw ip_address] vlan vid subnet ip_address/len vlan vid router ip_address [rip | no rip] vlan vid gw ip_address vlan vid no ipv4 vlan vid no ipv6 vlan vid no [ipv4 | ipv6] router vlan vid no [ipv4 | ipv6] gw show vlan Peer Network peer-net netid filter filter_id ip address/mask [accept | deny] peer-net netid rpoc peering_point_id ip ip_address [udp[ port] | tcp[ port] | sctp[ port] | tls[ port]] peer-net netid rpoc peering_point_id no ipv4 peer-net netid rpoc peering_point_id no ipv6 show peer-net [netid] rpoc show peer-net [netid] connectivity Load Balancing Group load-balancing-group GroupId rpoc poc_id ip ip_address [udp[ port] | tcp[ port] | sctp[ port] | tls[ port]] load-balancing-group GroupId rpoc poc_id no ipv4 load-balancing-group GroupId rpoc poc_id no ipv6 show load-balancing-group [GroupId] rpoc [poc_id] show load-balancing-group [GroupId] connectivity 3FZ 08139 ACAA PCZZA Edition 07 July 2015 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 311 .

cfg Fetching /mnt/mtd0/working/config.x's password: sftp> get /mnt/mtd0/working/config.cfg to config. get the SFW configuration file “/mnt/mtd0/working/config.x.x..x. Password: 44700$orvault $ sftp support@x.C Configuration backup & restore Backup configuration on the SFW Follow the procedure below to apply on the SFW configuration.. support@ x.x.x.cfg /mnt/mtd0/working/config. SFW-XXX> copy running working Command successful SFW-XXX> 2 Using SFTP SFW OAM IP.cfg 100% 24KB 23.x Connecting to x. END OF STEPS 3FZ 08139 ACAA PCZZA Edition 07 July 2015 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 312 . Steps 1 Execute the “copy running working” cli command to save the current configuration.cfg” by sftp from the SFW.9KB/s 00:00 sftp> bye 3 The configuration file will be saved on the remoter server after completing the above two steps. Username: support.x.x.

cfg 100% 24KB sftp> bye 2 23. $ sftp support@x.cfg config.1... Username: support.1. $ ssh support@x.x.1 (2013.9KB/s 00:00 Execute the “show sfw status” cli command to get the slot number of the active DHSPP. Password: 44700$orvault.1.x's password: sftp> pwd Remote working directory: / sftp> put config. Password: 44700$orvault.Configuration backup & restore Restore configuration to the SFW Restore configuration to the SFW Follow the procedure below to apply on the SFW configuration.x support@10.x Connecting to x.1.10's password: BusyBox v1.cfg to /config. / $ 4 Change the user to “root” by executing “telnet 1.13. the active slot number is 10 based on the output of cli command “show sfw status”. Steps 1 Put the backup configuration file back to the sfw “/” directory using sftp SFW oam IP from the remoter server.2. / $ telnet 1. In our example.x.slot”.x.08.10 Entering character mode Escape character is '^]'.x.27-07:36+0000) Built-in shell (ash) Enter 'help' for a list of built-in commands.x.x. SFW-XXX> show sfw status +------+---------+---------+-------------+ ! slot ! DHSPP ! SCM ! Temperature ! ! ! role ! (celsius) ! role ! +------+---------+---------+-------------+ ! 10 ! ACTIVE ! ACTIVE ! 51 ! ! 11 ! STANDBY ! UNKNOWN ! 50 ! +------+---------+---------+-------------+ 3 Access SFW by ssh SFW OAM IP.x.cfg Uploading config. support@ x. 3FZ 08139 ACAA PCZZA Edition 07 July 2015 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 313 .x.84.x. Username: support.

Configuration backup & restore Restore configuration to the SFW BusyBox v1.cfg 6 Copy configuration file to the configuration directory on the standby card by rcp.11:/mnt/mtd0/certified1/config. ~ # rcp /config.cfg /mnt/mtd0/certified1/config.2. SFW-XXX> switchover Running duplex mode configuration synced.1. When the SFW status becomes active/standby.1 (2013. Are you sure (Y/N) ? y Command successful SFW-XXX> 314 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 3FZ 08139 ACAA PCZZA Edition 07 July 2015 .cfg /mnt/mtd0/certified0/config.11:/mnt/mtd0/working/config.cfg ~ # rcp /config. the standby slot number is 11 based on the output of cli command “show sfw status”. The standby SFW IP is 1.cfg 1.1.cfg ~ # cp /config.1.27-07:36+0000) Built-in shell (ash) Enter 'help' for a list of built-in commands.cfg ~ # rcp /config. Are you sure (Y/N) ? y Command successful SFW-XXX> 8 Login to CLI again after the SFW is switched over. In our example.cfg 1.slot.cfg ~ # rcp /config.cfg 1.11:/mnt/mtd0/certified2/config.cfg /mnt/mtd0/certified2/config.11:/mnt/mtd0/certified0/config.1.cfg /mnt/mtd0/working/config. Check the SFW status using “show sfw status”. ~ # 5 Copy the configuration file to the configuration directory.cfg ~ # cp /config.08. ~ # cp /config.1.1.1.1.1.cfg 1.cfg 7 Execute the “switchover” cli command to switch over SFW.1. execute “switchover” again.cfg ~ # cp /config. SFW-XXX> show sfw status +------+---------+---------+-------------+ ! slot ! DHSPP ! SCM ! Temperature ! ! ! role ! (celsius) ! role ! +------+---------+---------+-------------+ ! 11 ! ACTIVE ! STANDBY ! 50 ! ! 10 ! STANDBY ! UNKNOWN ! 51 ! +------+---------+---------+-------------+ SFW-XXX> switchover Running duplex mode configuration synced.

Configuration backup & restore 9 Restore configuration to the SFW The configuration will be restored after completing the above eight steps 10 The configuration will be restored after completing the above eight steps END OF STEPS 3FZ 08139 ACAA PCZZA Edition 07 July 2015 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 315 .

24 Glossary Symbols Numerics A 3FZ 08139 ACAA PCZZA Edition 07 July 2015 Alcatel-Lucent — Proprietary Use pursuant to applicable agreements 316 .