Professional Documents
Culture Documents
Abstract
These Application Notes describe the steps for configuring Juniper Networks ScreenOS based
devices for Auto Connect VPN to support an Avaya Multi-Branch Voice over IP solution.
Auto Connect VPN allows for the dynamic provisioning of VPN tunnels between spoke sites
in a Hub-and-Spoke VPN architecture. This complements the traffic flow patterns of inter-
branch VoIP calls.
There is no need for additional equipment to configure AC-VPN other than the Juniper Networks
ScreenOS based Gateway that have already been deployed as part of a Hub-and-Spoke VPN
architecture. AC-VPN is a software feature that is available as part of Juniper Networks
ScreenOS release 6.0 and above for the SSG, ISG and NS 5000 series, and functions as an
enhancement to the existing Hub-and-Spoke VPN feature set.
1.1. Overview
The sample network used in these Application Notes consists of 3 locations - HQ, Branch, and
Home, with HQ location serving as the VPN Hub while the Branch and Home locations serve as
VPN Spokes. Juniper Networks ScreenOS devices are deployed in each location to provide
WAN connectivity, firewall, and VPN functionality. IP addresses are statically administrated in
order to focus on the necessary AC-VPN configuration. Each VPN spoke location supports 2 IP
sub-networks, one for voice where Avaya IP Telephones are connected and the other for data
where computers are connected. The AC-VPN is configured such that only inter-branch VoIP
traffic generated by Avaya IP Telephones can trigger the establishment and use of the dynamic
VPN tunnel. All data traffic is directed to the ISG 1000, HQ HUB VPN gateway. This is true
for all data traffic whether the destination is the Hub or to another VPN spoke.
Since Spoke locations in the sample network only have a simulated 10Mbps connection to the
Internet, policy based traffic shaping is enabled and configured for VoIP traffic. This will
preserve the quality of phone calls from competing data traffic. Through the use of policy based
traffic shaping, specific bandwidth is allocated for both signaling and media traffic for Avaya
VoIP calls.
Local voice and data networks in each site are assigned to the Trust zone with the VPN tunnel
assigned to the VPN zone to allow for greater control in writing security policies.
The configuration required for each device is broken up into the following 3 sub-sections:
Quality of Service (QoS) - Provide steps in configuring policy based traffic shaping for
Avaya VoIP traffic
Instead of completing the entire configuration one device at a time before verification, it may be
beneficial to implement each sub-section for each of the devices in the network first and ensure it
is working before moving on to the next sub-section. This will minimize complexity in
verification and troubleshooting.
login: username
password:*******
nsisg1000->
4. To facilitate referencing, the sample network defined user friendly names to identify the
different networks.
6. Define the VPN gateways. Two VPN gateways are defined at the ISG 1000 – Branch-
SSG20 which points to the Branch’s SSG20, and Home-SSG5 which points to the
Home’s SSG5.
• The sample network uses a pre-shared string of “1234567890”. The same pre-shared
string must also be used at the Branch’s SSG20 and Home’s SSG 5 in Section 4.2.1,
Step 6 and Section 4.3.1, Step 6 respectively. It is advisable to use a more robust
pre-shared key in a production environment.
7. Configure 2 VPN tunnels, one to the Branch and the other to the Home using the gateway
defined in Step 6 and bind the VPN tunnels to the tunnel interface.
8. Enable routing protocol and route re-distribution. The ISG 1000 in the sample network
uses 2 routing protocols, OSPF and RIP. OSPF is enabled on the internal Trust interface
to exchange routing information within the Core IP network. RIP is enabled on the
tunnel interface to exchange routing information between VPN Hub and the Spokes.
Routes learned from RIP are re-distributed into the OSPF network and routes learned
from OSPF are re-distributed into RIP network. Access lists are configured to define
what IP sub-networks are re-distributed.
9. Define the necessary policy to allow traffic to traverse between the different zones.
Logging is enabled to facilitate troubleshooting and analysis.
set policy id 11 from Trust to vpn CLAN-1 Any Avaya-Sgl-To-Spoke permit log
traffic priority 2 dscp value 0
set policy id 11
set src-address CLAN-2
exit
set policy id 12 from Trust to vpn Local-voice Any Avaya-RTP permit log traffic
priority 2 dscp value 0
set policy id 13 from Trust to vpn Any Any ANY permit log
set policy id 14 from Trust to vpn Any Any ANY deny log
set policy id 21 from vpn to Trust all-internal-net CLAN-1 Avaya-Sgl-Fm-Spoke
permit log traffic priority 2
set policy id 21
set dst-address CLAN-2
exit
set policy id 22 from vpn to Trust all-internal-net Any Avaya-RTP permit log
traffic priority 2
set policy id 23 from vpn to Trust all-internal-net Any ANY permit log
set policy id 24 from vpn to Trust Any Any ANY deny log
set policy id 31 from Trust to Untrust Any Any ANY permit log
set policy id 32 from Trust to Untrust Any Any ANY deny log
set policy id 41 from Untrust to Trust Any Any ANY deny log
2. Configure the ac-vpn tunnel. The AC-VPN tunnel in the sample network is configured
for automatically tear-down after 1 minute of in-activity. This parameter is configured
via the idletime option. This idle time parameter will be downloaded to and used by the
Spoke gateways when establishing the AC-VPN tunnel.
3. Enable and configure Next Hop Routing Protocol (NHRP) and bind it to the tunnel
interface. VPN spoke gateways rely on the NHRP protocol to learn the IP addresses of
the peer spokes which is needed to dynamically establish the spoke to spoke tunnels.
1. Enable and configure policy based traffic shaping for voice traffic. As part of Section
4.3.1, Step 9, these policies should already be in place. This step is to amend the security
policy to enable the traffic shaping option for the Avaya VoIP related policies.
Although it may seem unnecessary from a security stand point, it is absolutely essential
to have corresponding policies configured from TrustÆVPN and VPNÆTrust zones with
traffic shaping enabled and configured. Depending on which direction VoIP traffic starts,
policies from either direction may be activated.
set policy id 11 from Trust to vpn CLAN-1 Any Avaya-Sgl-To-Spoke permit log
traffic priority 2 dscp value 0
set policy id 11
set src-address CLAN-2
exit
set policy id 12 from Trust to vpn Local-voice Any Avaya-RTP permit log
traffic priority 2 dscp value 0
set policy id 21 from vpn to Trust all-internal-net CLAN-1 Avaya-Sgl-Fm-Spoke
permit log traffic priority 2
set policy id 21
set dst-address CLAN-2
exit
set policy id 22 from vpn to Trust all-internal-net Any Avaya-RTP permit log
traffic priority 2
login: username
password:*******
ssg20-wlan->
• The sample configuration uses Ethernet port ethernet0/1 as the management port
with an IP address of 172.16.254.111 to manage the device. This configuration is
optional.
• “ping” is allowed on external Untrust interface ethernet0/0 to facility
troubleshooting.
4. To facilitate referencing, the sample network defined user friendly name to identify the
different networks.
6. Define the VPN gateways. Two VPN gateways are defined at the ISG 1000 – Branch-
SSG20 which points to the Branch’s SSG20, and Home-SSG5 which points to the
Home’s SSG5.
• The sample network uses a pre-shared string of 1234567890. The same pre-shared
string must also be used at the HQ’s ISG 1000 and Home’s SSG 5 in Section 4.1.1,
Step 6 and Section 4.3.1, Step 6. It is advisable to use a more robust pre-shared key
in a production environment.
7. Configure the VPN tunnels to the HQ location using the gateway defined in Step 6 and
bind the VPN tunnels to the tunnel interface.
set vpn To_HQ gateway HQ-ISG1000 no-replay tunnel idletime 0 sec-level standard
set vpn To_HQ id 3 bind interface tunnel.1
8. Enable and configure the RIP routing protocol. RIP is enabled on the tunnel interface to
exchange routing information between the VPN Hub and Spokes. Access lists are
configured to definite what IP sub-networks are learned and advertised.
9. Define the necessary policy to allow traffic to traverse between the different zones.
Logging is enable to facilitate troubleshooting and analysis.
set policy id 11 from Trust to VPN Local-voice CLAN-1 Avaya-Sgl-up permit log
set policy id 11
set dst-address CLAN-2
exit
set policy id 12 from Trust to VPN Local-voice all-internal-net Avaya-RTP
permit log
set policy id 13 from Trust to VPN Local-data all-internal-net ANY permit log
set policy id 14 from Trust to VPN Any Any ANY deny log
set policy id 21 from VPN to Trust CLAN-1 Any Avaya-Sgl-dn permit log
set policy id 21
set src-address CLAN-2
exit
set policy id 22 from VPN to Trust all-internal-net Local-voice Avaya-RTP
permit log
set policy id 23 from VPN to Trust all-internal-net Local-data ANY permit log
set policy id 24 from VPN to Trust Any Any ANY deny log
set policy id 31 from Trust to Untrust Any Any ANY permit log
set policy id 32 from Trust to Untrust Any Any ANY deny log
set policy id 41 from Untrust to Trust Any Any ANY deny log
4. Enable and configure Next Hop Routing Protocol (NHRP) and bind it to the tunnel
interface. VPN spoke gateways rely on the NHRP protocol to learn the IP addresses of
the peer spokes which is needed to dynamically establish the spoke to spoke tunnels.
1. Define the bandwidth for the external Untrust Ethernet interface and bandwidth
allocation for the logical tunnel interface.
The available bandwidth for the Ethernet connection between ethernet0/0 and the
simulated Internet is 10Mbps; therefore the sample network defines the Maximum
Bandwidth (mbw) as 10000 kbps. Out of this total 1000 kbps bandwidth 8000 kbps is
guaranteed for the tunnel interface with a maximum of 10000 kbps. The guaranteed
bandwidth of 8000 kbps will be used by all incoming and outgoing voice and data traffic
traversing any VPN tunnel.
2. Enable and configure policy based traffic shaping for voice traffic. As part of Section
4.2.1, Step 9, these policies should already be in place. This step is to amend the security
policy to enable the traffic shaping option for the Avaya VoIP related policies.
Although it may seem unnecessary from a security stand point, it is absolutely essential
to have corresponding policies configured from TrustÆVPN and VPNÆTrust zones with
traffic shaping enabled and configured. Depending on which direction VoIP traffic start,
policies from either direction may be activated.
The table below shows the bandwidth allocation for the Avaya VoIP traffic used in the
sample network. This allocation is for demonstration purpose only; actual bandwidth
allocation should take into account the total number of all outbound simultaneous call as
well as audio codec used. The allocation should be able to accommodate approximately
10 simultaneous call using G.711 codec.
The screen capture below provides a quick view of traffic shaping for each of the policies. The
icon indicates that traffic shaping is enabled for that particular security policy. This screen
can be accessed by selecting Reports Æ Policies from the left panel menu in the WebUI.
login: username
password:*******
ssg5-serial-wlan->
2. Create a new security zone called vpn.
• The sample configuration uses Ethernet port ethernet0/1 as the management port
with an IP address of 172.16.254.107 to manage the device. This configuration is
optional.
• ping is allowed on external Untrust interface ethernet0/0 to facility
troubleshooting.
4. To facilitate referencing, the sample network defined user friendly name to identify the
different networks.
6. Define the VPN gateways. Two VPN gateways are defined at the ISG 1000 – Branch-
SSG20 which points to the Branch’s SSG20, and Home-SSG5 which points to the
Home’s SSG5.
• The sample network uses a pre-shared string of 1234567890. The same pre-shared
string must also be use at the Branch’s SSG20 and Home’s SSG 5 in Section 4.1.1,
Step 6 and Section 4.2.1, Step 6. It is advisable to use a more robust pre-shared key
in a production environment.
7. Configure the VPN tunnels to the HQ location using the gateway defined in Step 6 and
bind the VPN tunnels to the tunnel interface.
set vpn To_HQ gateway HQ_ISG1000 no-replay tunnel idletime 0 sec-level standard
set vpn To_HQ id 3 bind interface tunnel.1
8. Enable and configure the RIP routing protocol. RIP is enabled on the tunnel interface to
exchange routing information between the VPN Hub and. Access lists are configured to
definite what IP sub-networks are advertised.
9. Define the necessary policy to allow traffic traverse between the different zones.
Logging is enable to facilitate troubleshooting and analysis.
set policy id 11 from Trust to vpn Local-voice CLAN-1 Avaya-Sgl-up permit log
set policy id 11
set dst-address CLAN-2
exit
set policy id 12 from Trust to vpn Local-voice all-internal-net UDP-ANY permit
log
set policy id 13 from Trust to Local-data all-internal-net ANY permit log
set policy id 14 from Trust to vpn Any Any ANY deny log
set policy id 21 from vpn to Trust CLAN-1 Local-voice Avaya-Sgl-dn permit log
set policy id 21
set src-address CLAN-2
exit
set policy id 22 from vpn to Trust all-internal-net Local-voice Avaya-RTP
permit log
set policy id 23 from vpn to Trust all-internal-net Local-data ANY permit log
set policy id 24 from vpn to Trust Any Any ANY deny log
set policy id 31 from Trust to Untrust Any Any ANY permit
set policy id 32 from Trust to Untrust Any Any ANY deny log
set policy id 41 from Untrust to Trust Any Any ANY deny log
5. Enable and configure Next Hop Routing Protocol (NHRP) and bind it to the tunnel
interface. VPN spoke gateways rely on the NHRP protocol to learn the IP addresses of
the peer spokes which is needed to dynamically establish the spoke to spoke tunnels.
1. Define the bandwidth for the external Untrust Ethernet interface and bandwidth
allocation for the logical tunnel interface.
The available bandwidth for the Ethernet connection between ethernet0/0 and the
simulated Internet is 10Mbps; therefore the sample network defines the Maximum
Bandwidth (mbw) as 10000 kbps. Out of this total 1000 kbps bandwidth 8000 kbps is
guaranteed for the tunnel interface with a maximum of 10000 kbps. The guaranteed
bandwidth of 8000 kbps will be used by all incoming and outgoing voice and data traffic
traversing any VPN tunnel.
2. Enable and configure policy based traffic shaping for voice traffic. As part of Section
4.3.1, Step 9, these policies should already be in place. This step is to amend the security
policy to enable the traffic shaping option for the Avaya VoIP related policies.
Although it may seem unnecessary from a security stand point, it is absolutely essential
to have corresponding policies configured from TrustÆVPN and VPNÆTrust zones with
traffic shaping enabled and configured. Depending on which direction VoIP traffic start,
policies from either direction may be activated.
The table below shows the bandwidth allocation for the Avaya VoIP traffic used in the
sample network. This allocation is for demonstration purpose only; actual bandwidth
allocation should take into account the total number of all outbound simultaneous call as
well as audio codec used. The allocation should be able to accommodate approximately
10 simultaneous call using G.711 codec.
set policy id 11 from Trust to vpn Local-voice CLAN-1 Avaya-Sgl-up permit log
traffic gbw 5 priority 2 mbw 10
set policy id 11
set dst-address CLAN-2
exit
set policy id 12 from Trust to vpn Local-voice all-internal-net UDP-ANY permit
log traffic gbw 1000 priority 2 mbw 1100
set policy id 21 from vpn to Trust CLAN-1 Local-voice Avaya-Sgl-dn permit log
traffic gbw 5 priority 2 mbw 10
set policy id 21
set src-address CLAN-2
The screen capture below shows provides a quick view of whether traffic shaping is enabled for
each of the policy. The icon indicates that traffic shaping is enabled for that particular
security policy. This screen can be accessed by selecting Reports Æ Policies from the left panel
menu in the WebUI.
1. Use the ip-network-region form to display the UDP ports used for Avaya VoIP Media
traffic. The sample network uses the UDP port range of 2048 – 3329 for Avaya VoIP
Media traffic. Verify that Intra-region IP-IP Direct Audio is set to yes to allow for
direct media exchange between Avaya IP Telephones.
display ip-network-region 1 Page 1 of 19
IP NETWORK REGION
Region: 1
Location: Authoritative Domain: interop.com
Name:
MEDIA PARAMETERS Intra-region IP-IP Direct Audio: yes
Codec Set: 1 Inter-region IP-IP Direct Audio: yes
UDP Port Min: 2048 IP Audio Hairpinning? n
UDP Port Max: 3329
2. Use the display station form to verify whether Direct IP-IP Audio connections is set to
y. This allows for direction media exchange between Avaya IP Telephones.
display station 11011 Page 2 of 5
STATION
FEATURE OPTIONS
LWC Reception: spe Auto Select Any Idle Appearance? n
LWC Activation? y Coverage Msg Retrieval? y
LWC Log External Calls? n Auto Answer: none
CDR Privacy? n Data Restriction? n
Redirect Notification? y Idle Appearance Preference? n
Per Button Ring Control? n Bridged Idle Line Preference? n
Bridged Call Alerting? n Restrict Last Appearance? y
Active Station Ringing: single
EMU Login Allowed? n
H.320 Conversion? n Per Station CPN - Send Calling Number?
Service Link Mode: as-needed
Multimedia Mode: enhanced Audible Message Waiting? n
MWI Served User Type: qsig-mwi Display Client Redirection? n
Select Last Used Appearance? n
Coverage After Forwarding? s
6. Conclusion
These Application Notes have described the administrative steps required to configure the
Juniper Networks ScreenOS based devices for Auto Connect VPN to support an Avaya VoIP
solution.
2. Verify all VPN tunnels and VPN gateways are configured with the same phase I and
phase II security proposal for tunnel establishment. Incompatible phase I and/or phase II
security proposal will prevent VPN tunnels from being established. The get ike gateway
and get vpn commands can be used to list the proposals selected for each gateway and
VPN tunnel.
nsisg1000-> get ike gateway
Id Name Gateway Address Gateway ID Mode Proposals
---- --------------- --------------- --------------- ---- ---------
0 Home-SSG5 10.10.230.6 Main pre-g2-3des-sha,pre-
g2-aes128-sh
a
1 Branch-SSG20 10.10.220.6 Main pre-g2-3des-sha,pre-
g2-aes128-sh
a
2 ac-vpn-hub none (profile acvpn) Aggr rsa-g2-3des-sha,rsa-
g2-aes128-sh
a,dsa-g2-3des-sha,dsa-g2-aes128-sha
Total Gateways: 3 (3 including dynamic peers)
3. Use the get sa active command to verify whether the VPN tunnel is active.
The following is an output from the ISG 1000 showing 2 active VPN tunnels.
nsisg1000-> get sa active
Total active sa: 2
total configured sa: 2
HEX ID Gateway Port Algorithm SPI Life:sec kb Sta PID
vsys
00000002< 10.10.230.6 500 esp:3des/sha1 31e96159 2048 unlim A/U -1 0
00000002> 10.10.230.6 500 esp:3des/sha1 b7be3c94 2048 unlim A/U -1 0
00000001< 10.10.220.6 500 esp:3des/sha1 31e96158 2036 unlim A/U -1 0
00000001> 10.10.220.6 500 esp:3des/sha1 c96fd8ec 2036 unlim A/U -1 0
The following is an output from the Branch’s SSG 20 showing 2 active VPN tunnel. One
to the HQ’s ISG 1000 and the other one to the Home’s SSG 5 that was dynamically
provisioned.
ssg20-wlan-> get sa active
Total active sa: 2
total configured sa: 3
HEX ID Gateway Port Algorithm SPI Life:sec kb Sta PID
vsys
00000003< 10.10.210.5 500 esp:3des/sha1 c96fd948 1499 unlim A/U -1 0
00000003> 10.10.210.5 500 esp:3des/sha1 425c5093 1499 unlim A/U -1 0
00008006< 10.10.230.6 500 esp:3des/sha1 c96fd94a 3572 unlim A/- -1 0
00008006> 10.10.230.6 500 esp:3des/sha1 b7be3cf4 3572 unlim A/- -1 0
4. Use the get vrouter trust-vr protocol nhrp command to verify whether NHRP is
running and configured properly in all ScreenOS device configured with AC-VPN.
The following is an output from the ISG 1000 showing that NHRP is enabled and
running on the tunnel.1 interface.
5. Use the get vrouter trust-vr protocol nhrp peer command to verify any established
NHRP peer.
The following is an output from the ISG 1000 showing two NHRP peers – Branch and
Home along with their respective IP address.
The following are two outputs from the SSG 20. The first output shows no NHRP peer
when the AC-VPN tunnel is in-active. The second output shows a newly discovered
NHRP peer with an IP address of 172.172.0.3 and an ID of Home which is the SSG 5 in
the sample network after the AC-VPN tunnel has been established.
6. Use the get vrouter trust-vr protocol nhrp cache command to verify whether the
appropriate IP sub-network is being advertised by the NHRP peer.
The following is an output from the ISG 1000 showing the 2 hosts and 2 IP sub-networks
it learns from its NHRP peers along with the IP addresses to reach these hosts and sub-
networks.
nsisg1000-> get vrouter trust-vr protocol nhrp cache
-------------------------------------------------------------------------------
flags: R-registered, C-cached, L-replied, P-pushed, S-static, I-imported,
F-in FIB, D-being deleted.
-------------------------------------------------------------------------------
Prefix nhop-public-IP nhop-private-IP Pref Flags Expire(in sec)
-------------------------------------------------------------------------------
172.172.0.2/32 10.10.220.6 172.172.0.2 128 C 284
172.172.0.3/32 10.10.230.6 172.172.0.3 128 C 282
172.220.0.0/24 10.10.220.6 172.172.0.2 128 RF 284
172.230.0.0/24 10.10.230.6 172.172.0.3 128 RF 282
The following are 2 outputs from the SSG 20. The first output shows the IP network that
is being advertised to other NHRP peer. The second output shows an IP sub-network
172.230.0.0/24 the SSG 20 learned through NHRP after an AC-VPN tunnel has been
established. In this sample output the AC-VPN tunnel is established between the Branch
and Home locations.
-------------------------------------------------------------------------------
Prefix nhop-public-IP nhop-private-IP Pref Flags Expire(in sec)
-------------------------------------------------------------------------------
172.220.0.0/24 0.0.0.0 0.0.0.0 128 S 300
-------------------------------------------------------------------------------
Prefix nhop-public-IP nhop-private-IP Pref Flags Expire(in sec)
-------------------------------------------------------------------------------
172.220.0.0/24 0.0.0.0 0.0.0.0 128 S 300
172.230.0.0/24 10.10.230.6 172.172.0.3 0 PF 251
The following is an abbreviated output from the SSG 20 when the AC-VPN tunnel is in-
active. Noticed there is only one RIP advertised route to each of the IP sub-networks for
the Home location.
Ssg20-wlan-> get route
The following is an abbreviated output from the SSG 20 after the AC-VPN tunnel has
been established. Noticed in addition to the RIP advertised route for the Home location
IP sub-networks, there is an additional NHRP route to the Home’s voice IP sub-network.
This new NHRP route points to the to Home’s SSG 5 tunnel interface’s IP address as the
gateway instead of the ISG 1000’s. Because of this NHRP route lower Preference
number, traffic destined to the Home’s voice IP sub-network will be routed to the
Home’s SSG 5 gateway directly over the AC-VPN tunnel.
------------------------------------------------------------------------------
ID IP-Prefix Interface Gateway P Pref Mtr Vsys
-------------------------------------------------------------------------------
* 11 0.0.0.0/0 eth0/0 10.10.220.1 SP 100 1 Root
* 10 172.172.0.2/32 tun.1 0.0.0.0 H 0 0 Root
* 1 10.10.220.0/24 eth0/0 0.0.0.0 C 0 0 Root
* 4 172.16.254.111/32 eth0/1 0.0.0.0 H 0 0 Root
* 50 172.28.11.0/24 tun.1 172.172.0.1 R 100 11 Root
* 49 172.28.10.0/24 tun.1 172.172.0.1 R 100 11 Root
* 6 172.221.0.1/32 eth0/4 0.0.0.0 H 0 0 Root
* 8 172.220.0.1/32 bgroup0 0.0.0.0 H 0 0 Root
* 5 172.221.0.0/24 eth0/4 0.0.0.0 C 0 0 Root
* 7 172.220.0.0/24 bgroup0 0.0.0.0 C 0 0 Root
* 40 172.231.0.0/24 tun.1 172.172.0.1 R 100 12 Root
* 52 172.230.0.0/24 tun.1 172.172.0.3 N 35 0 Root
39 172.230.0.0/24 tun.1 172.172.0.1 R 100 12 Root
* 3 172.16.254.0/24 eth0/1 0.0.0.0 C 0 0 Root
* 42 172.28.240.0/24 tun.1 172.172.0.1 R 100 11 Root
* 2 10.10.220.6/32 eth0/0 0.0.0.0 H 0 0 Root
* 9 172.172.0.0/24 tun.1 0.0.0.0 C 0 0 Root
The following is an abbreviated output from SSG 20 showing that policy 12, 21 and 22,
which is enabled and configured with traffic shaping, are being used by Avaya VoIP
traffic.
The following is an output from SSG 20 for policy 22 during an active Avaya VoIP call.
The output shows the policy, bandwidth utilization (in and outside the tunnel), and
guarantee/maximum bandwidth settings along with other statistics.
[1] Administrator Guide for Avaya Communication Manager, Doc # 03-300509, Issue 3.1,
February 2007
[2] Avaya Communication Manager Advanced Administration Quick Reference, Doc # 03-
300364, Issue 3, February 2007
[3] Administration for Network Connectivity for Avaya Communication Manager, Doc # 555-
233-504, Issue 12, February 2007
[4] Concepts & Examples ScreenOS Reference Guide, Volume 1: Overview, Release 6.1.0 Rev.
01, Part Number 530-022543-01, Revision 01
[5] Concepts & Examples ScreenOS Reference Guide, Volume 2: Fundamentals, Release 6.1.0
Rev. 01, Part Number 530-022530-01, Revision 01
[6] Concepts & Examples ScreenOS Reference Guide, Volume 3: Administration, Release 6.1.0
Rev. 01, Part Number 530-022531-01, Revision 01
[7] Concepts & Examples ScreenOS Reference Guide, Volume 5: Virtual Private Networks,
Release 6.1.0 Rev. 01, Part Number 530-022533-01, Revision 01
Please e-mail any questions or comments pertaining to these Application Notes along with the
full title name and filename, located in the lower right corner, directly to the Avaya Solution &
Interoperability Test Lab at interoplabnotes@list.avaya.com