Alcatel-Lucent

7510-SFW IMS Peering SIP Firewall | Release 3.0


CLI Reference Guide

Alcatel-Lucent Proprietary
Use pursuant to applicable agreements

3FZ 08139 ACAA PCZZA


July 2015
Edition 07

Alcatel, Lucent, Alcatel-Lucent and the Alcatel-Lucent logo are trademarks of Alcatel-Lucent. All other trademarks are the property of their respective
owners.
The information presented is subject to change without notice. Alcatel-Lucent assumes no responsibility for inaccuracies contained herein.
Copyright 2015 Alcatel-Lucent. All Rights Reserved.
Contains proprietary/trade secret information which is the property of Alcatel-Lucent and must not be made available to, or copied or used by anyone outside
Alcatel-Lucent without its written authorization.
Limited warranty
Alcatel-Lucent provides a limited warranty to this product.

Contents
About this document .................................................................................................................................. xi
Purpose ..................................................................................................................................................... xi
Reason for revision.................................................................................................................................. xii
Intended audience.................................................................................................................................... xii
Conventions used ................................................................................................................................... xiii
Related information ................................................................................................................................ xiii
Technical support ................................................................................................................................... xiii
How to comment .................................................................................................................................... xiii
1 Introduction .......................................................................................................................................... 15
SFW location in the IMS architecture ..................................................................................................... 16
SFW high level functionalities ................................................................................................................ 17
SIP Firewall main features ...................................................................................................................... 19
SIP stateless Record-Route Proxy Firewall with dialog and transaction tracking .................................. 19
SIP features ............................................................................................................................................. 20
2 SFW prerequisite .................................................................................................................................. 23
Procedure 1: Checking presence of sitecfg.sfw on SCM ........................................................................ 23
Procedure 2: SFW OAM IP address configuration ................................................................................. 25
Procedure 3: How to get access to the SFW CLI .................................................................................... 26
3 Vlan Management ................................................................................................................................ 27
Summary of the CLI for Vlan management ............................................................................................ 29
vlan vid {trusted | untrusted} subnet ip_address mask ................................................................... 30
vlan vid subnet ip_address/len................................................................................................... 34
vlan vid [router ip_address [rip | no rip]] ...................................................................................... 35
vlan vid no [ipv4 | ipv6] router.............................................................................................................. 36
vlan vid gw ip_address ................................................................................................................... 37
vlan vid no [ipv4 | ipv6] gw .................................................................................................................. 38
vlan vid name description ............................................................................................................. 39
vlan vid no name ................................................................................................................................... 40
vlan vid mac mac_address ............................................................................................................... 41
no vlan vid ............................................................................................................................................. 42
show vlan ................................................................................................................................................ 43
4 Local Point Of Contact (LPOC) ........................................................................................................... 44
Trusted interface definition ...................................................................................................................... 44
Untrusted interface definition .................................................................................................................. 45
Local Point Of Contact definition ............................................................................................................ 45
Summary of the CLI for Trusted and Untrusted LPOC ........................................................................... 46
lpoc untrusted poc_id ........................................................................................................................... 47
lpoc untrusted poc_id no ipv6 .............................................................................................................. 49
lpoc untrusted poc_id no ipv4 .............................................................................................................. 49
lpoc untrusted poc_id no {udp | tcp | sctp | tls} ................................................................................... 50
no lpoc untrusted poc_id ...................................................................................................................... 50
lpoc trusted poc_id ............................................................................................................................... 51
lpoc trusted poc_id no ipv6 .................................................................................................................. 53
lpoc trusted poc_id no ipv4 .................................................................................................................. 53
no lpoc trusted poc_id .......................................................................................................................... 54
show lpoc ................................................................................................................................................. 55
ip defrag ................................................................................................................................................... 56
show ip defrag .......................................................................................................................................... 57
5 Peer Networks ..................................................................................................................................... 58
Summary of the CLI for Peer Network management .............................................................................. 59
peer-net netid ....................................................................................................................................... 60
peer-net netid filter filter_id ip address/mask ................................................................... 61
peer-net netid filter filter_id rpoc ............................................................................................. 62
peer-net netid no filter ....................................................................................................................... 63
peer-net netid rpoc peering_point_id ip ................................................................................. 64
peer-net netid rpoc peering_point_id no ipv4 ....................................................................... 68
peer-net netid rpoc peering_point_id no ipv6 ....................................................................... 68
peer-net netid rpoc peering_point_id no {udp | tcp | sctp | tls} .............................................. 69
peer-net netid rpoc peering_point_id name fqdn .................................................................. 70
peer-net netid rpoc peering_point_id no name ........................................................................ 71
peer-net netid rpoc peering_point_id nat ................................................................................. 72
peer-net netid rpoc peering_point_id port-forwarding ............................................................ 74
peer-net netid rpoc peering_point_id no port-forwarding ....................................................... 75
peer-net netid no rpoc peering_point_id ................................................................................ 76
peer-net netid lpoc untrusted_lpoc_id .................................................................................... 77
peer-net netid no lpoc untrusted_lpoc_id .............................................................................. 78
peer-net netid security-profile security_profile_id .............................................................. 79
peer-net netid load-balancing-group group_id ............................................................................. 80
peer-net netid vlan vid ..................................................................................................................... 81
peer-net netid no vlan ....................................................................................................................... 82
peer-net netid max call duration call_duration ........................................................................ 83
peer-net netid polling ping {enable | disable} .................................................................................... 84
peer-net netid polling ping period interval .................................................................................. 85
peer-net netid dscp dscp_value .................................................................................................... 86
peer-net netid dscp default ................................................................................................................. 87
dscp default default_dscp ................................................................................................................ 88
show dscp default .................................................................................................................................... 89
peer-net netid tls-profile tlsprofileid ....................................................................................... 90
peer-net netid no tls-profile ................................................................................................................ 91
no peer-net netid .................................................................................................................................. 92
show peer-net .......................................................................................................................................... 93
show peer-net netid lpoc .................................................................................................................... 95
show peer-net [netid] filter................................................................................................................. 96
show peer-net [netid] rpoc ................................................................................................................. 97
show peer-net connectivity .................................................................................................................... 99
show peer-net [netid] statistics [trusted | untrusted] ........................................................................ 102
6 Security Profile ................................................................................................................................... 118
Summary of the CLI for Security Profile management......................................................................... 120
security-profile profile_id ............................................................................................................. 121
security-profile profile_id invite dialog setup-rate........................................................................ 123
security-profile profile_id invite in-dialog transaction-rate .......................................................... 124
security-profile profile_id invite in-dialog method accept ............................................................ 125
security-profile profile_id invite in-dialog no method accept ....................................................... 126
security-profile profile_id out-of-dialog method-rate ................................................................... 127
security-profile profile_id out-of-dialog no method-rate .............................................................. 129
security-profile profile_id sip thig ................................................................................................ 130
security-profile profile_id route-reorder ....................................................................................... 133
security-profile profile_id ringing-timer duration ................................................................... 134
security-profile profile_id clone profile_id.......................................................................... 135
security-profile profile_id fqdn-in-from thig ................................................................................ 136
security-profile profile_id sip route-mode .................................................................................... 137
security-profile profile_id private_ip ............................................................................................ 138
no security-profile profile_id ........................................................................................................ 139
show security-profile profile_id .................................................................................................... 140

TLS feature overview ............................................................................................................................ 141
Introduction ............................................................................................................................................ 141
Reference documents ............................................................................................................................. 141
Feature Overview ................................................................................................................................... 142
TLS Feature Description ........................................................................................................................ 143
8 TLS Profile ......................................................................................................................................... 146
Summary of the CLI for TLS-Profile management ............................................................................... 147
tls-profile tlsprofileid local-cert ca-check renegotiation-period ................................................. 148
tls-profile tlsprofileid no renegotiation-period ........................................................................... 149
tls-profile tlsprofileid ca-cert-list certid1 [certid8] .................................................... 151
tls-profile tlsprofileid no ca-cert-list certid1 [certid8]............................................... 152
9 CA certificates .................................................................................................................................... 153
Summary of the CLI for CA certificates management .......................................................................... 154
import certificate ca ca-certid [name description] ................................................................ 155
certificate ca ca-certid name description ............................................................................... 156
no certificate ca ca-certid ............................................................................................................... 157
show certificate ca pem ca-certid ................................................................................................... 158
show certificate ca details ca-certid................................................................................................ 159
show certificate ca ca-certid ........................................................................................................... 160
show certificate ca ................................................................................................................................. 161
10 Local X509 certificates and Private Keys ......................................................................................... 162
Summary of the CLI for SFW local certificates management ............................................................... 163
import certificate local certid [name description] ................................................................... 164
import certificate local privatekey certid [password pwd] ...................................................... 165
certificate local certid name description .................................................................................. 167
no certificate local certid .................................................................................................................. 168
show certificate local pem certid ...................................................................................................... 169
show certificate local details certid................................................................................................... 170
show certificate local certid .............................................................................................................. 171
show certificate local ............................................................................................................................. 172
certificate local certid request ........................................................................................................... 173
11 Internal DNS server .......................................................................................................................... 176
Summary of the CLI for the internal DNS management ....................................................................... 177
dns-internal dns-entry-id name peer-net ip ............................................................................... 178
dns-internal dns-entry-id name rpoc-name .......................................................................... 179
dns-internal dns-entry-id peer-net netid ............................................................................... 180
dns-internal dns-entry-id ip address .................................................................................... 181
dns-internal dns-entry-id no ipv4 .............................................................................................. 182
dns-internal dns-entry-id no ipv6 .............................................................................................. 182
show dns-internal .................................................................................................................................. 183
12 Load Balancing Group ...................................................................................................................... 185
Summary of the CLI for Load-Balancing-Group management ............................................................ 187
load-balancing-group groupId ........................................................................................................... 188
load-balancing-group groupId rpoc.................................................................................................. 189
load-balancing-group groupId rpoc no ipv4 .................................................................................... 193
load-balancing-group groupId rpoc no ipv6 .................................................................................... 194
load-balancing-group groupId rpoc poc_id no {udp | tcp | sctp | tls}.......................................... 195
load-balancing-group groupId no rpoc poc_id ............................................................................. 196
load-balancing-group groupId lpoc trusted_lpoc_id ............................................................. 197
load-balancing-group groupId no lpoc trusted_lpoc_id ........................................................ 198
load-balancing-group groupId vlan vid.......................................................................................... 199
load-balancing-group groupId no vlan ........................................................................................... 200
load-balancing-group groupId polling period interval .............................................................. 201
load-balancing-group groupId rpoc poc_id call rate ............................................................................ 202
load-balancing-group groupId rpoc poc_id transaction rate ....................................................... 204
no load-balancing-group groupId ...................................................................................................... 205
show load-balancing-group ................................................................................................................... 206
show load-balancing-group rpoc .......................................................................................................... 207
show load-balancing-group connectivity ............................................................................................. 208
13 Tcp Syn Flood Protection ................................................................................................................. 211
Summary of the CLI for TCP SYN Flood management ....................................................................... 212
tcp syn oam rate syn_per_sec ......................................................................................................... 212
tcp syn untrusted rate syn_per_sec ................................................................................................. 213
tcp syn trusted rate syn_per_sec ..................................................................................................... 213
show tcp syn .......................................................................................................................................... 214
show tcp statistics .................................................................................................................................. 215
14 Interfaces (Ge Ports) & Trunks ......................................................................................................... 217
Summary of the CLI for Ge Interfaces and Trunks management ......................................................... 218
show interfaces ...................................................................................................................................... 219
trunk {trusted|untrusted} mode [linkagg | act-stdy] ............................................................................. 221
show trunk ............................................................................................................................................. 223
show trunk port ..................................................................................................................................... 223
15 SIP Message Management ............................................................................................................... 225
Summary of the CLI for SIP Message Management ............................................................................. 225
sip-header max-forwards {enable|disable} ............................................................................................ 226
show sip-header ..................................................................................................................................... 227
16 SNMP Management ......................................................................................................................... 228
Summary of the CLI for SNMP Management ....................................................................................... 229
Alarms Management .............................................................................................................................. 230
snmp station stationId ip ip_address ..................................................................................... 242
snmp station stationId {enable | disable}.................................................................................... 243
no snmp station stationId .............................................................................................................. 243
show snmp station .................................................................................................................................. 244
show snmp alarm thresholds .................................................................................................................. 245
snmp alarm modify threshold threshold_id................................................................................... 247
show snmp trap config ........................................................................................................................... 248
snmp trap trap_id filter-delay delay .............................................................................................. 250
snmp trap trap_id {enable | disable} ................................................................................................ 251
snmp trap restore default........................................................................................................................ 251
show snmp alarm active ......................................................................................................................... 252
17 Users Management ........................................................................................................................... 253
Summary of the CLI for Users Management ......................................................................................... 253
user username password ................................................................................................................... 254
user username level {adm | ope | viewer}......................................................................................... 255
user username no snmp..................................................................................................................... 256
user username auth { sha | md5} priv {aes | des} ............................................................................. 257
no user username................................................................................................................................ 258
show user cmd [adm|ope|viewer] ........................................................................................................... 258
show user [adm|ope|viewer]................................................................................................................... 261
18 Syslog Management ......................................................................................................................... 262
Summary of the CLI for Syslog Management ....................................................................................... 262
syslog-server oam ip ip-address ..................................................................................................... 263
syslog-server trusted ip ip-address ................................................................................................. 264
syslog-server [ip] [port] [vlan] [lpoc] .................................................................................................... 265
syslog [rate] [length] [facility] [rfc3164 | rfc5424] ................................................................................ 266
no syslog-server ..................................................................................................................................... 267
show syslog ............................................................................................................................................ 268
19 NTP servers Management ................................................................................................................ 269
Summary of the CLI for Syslog Management ...................................................................................... 269
ntp server serverId ip ip-address .............................................................................................. 270
no ntp server serverId ...................................................................................................................... 270
show ntp server...................................................................................................................................... 271
20 Monitoring SIP messages dropped .................................................................................................... 272
Summary of the CLI for Monitoring-Host Management ...................................................................... 272
monitoring-host trusted ip ip-address port ipPort ..................................................................... 273
monitoring-host oam ip ip-address port ipPort ......................................................................... 275
-> monitoring-host oam ip 192.168.2.110 port 5060 rate 10 ...................... 275
show monitoring-host............................................................................................................................ 276
21 Configuration Management .............................................................................................................. 278
Summary of the CLI for Configuration Management ........................................................................... 278
copy running working ........................................................................................................................... 279
copy working certified .......................................................................................................................... 279
show configuration ................................................................................................................................ 280
show running-directory ......................................................................................................................... 281
show configuration consistency ............................................................................................................ 282
switchover ............................................................................................................................................. 283
configuration retrieve ............................................................................................................................ 284
show system .......................................................................................................................................... 285
system location ...................................................................................................................................... 287
show sfw status ..................................................................................................................................... 288
22 CLI Session Management ................................................................................................................. 290
Summary of the CLI for Configuration Management ........................................................................... 290
cli session timeout ................................................................................................................................. 291
show cli session ..................................................................................................................................... 291
23

How to configure the SFW SITE specific parameters

292

How to update the SITECFG.SFW configuration file .......................................................................... 293


Install the SITECFG.SFW configuration file on the SFW .................................................................... 295
A

IP Configuration example

297

IP Configuration Introduction ............................................................................................................... 298


Untrusted/Trusted Interfaces, Link Aggregate or Active/Standby mode .............................................. 299
Untrusted side IP connectivity with VRF support................................................................................. 300
Untrusted side IP connectivity without VRF support ........................................................................... 302
Trusted side IP connectivity, case 1 ...................................................................................................... 304
Trusted side IP connectivity, case 2 ...................................................................................................... 305
3FZ 08139 ACAA PCZZA
Edition 07
July 2015

Alcatel-Lucent Proprietary
Use pursuant to applicable agreements

ix

Contents

IPv6 support

308

create and modify IPv4/IPv6 objects ..................................................................................................... 308


IPv6 Q&A .............................................................................................................................................. 310
C

Configuration backup & restore

312

Backup configuration on the SFW ......................................................................................................... 312


Restore configuration to the SFW.......................................................................................................... 313
24

316

Glossary

Alcatel-Lucent Proprietary
Use pursuant to applicable agreements

3FZ 08139 ACAA PCZZA


Edition 07
July 2015

About this document

Purpose

This document is the SFW SIP firewall Command Line Interface User's Guide. It
provides detailed information on the configuration of the SIP Firewall, which is dedicated to IMS
SIP peering and to protecting the IBCF (MGC8).

Reason for revision

The following table shows the revision history of this document.

Issue   Revision   Location
Ed01    2011/12    Creation of this document for the SFW release 3.0.
                   New features introduced in R3.0:
                   o TLS support on Untrusted side.
                   o Far-End NAT Traversal
                   o 2047 Peer Network
Ed02    2012/01    The IP Filter index range is modified to 1..32.
                   New CLIs have been added to be able to set the Vlan Name without
                   setting the Vlan Subnet.
                   Add reference for 3FZ-08141-ACAA-PCZZA "SFW sfwStaticConf.xls,
                   sitecfg.sfw template for release R3.0".
Ed03    2012/02    Default passwords must not be given in the customer documentation.
                   Contact your account or technical support representative for
                   information about default passwords.
Ed04    2012/02    The range of the parameter name for the following objects is
                   changed to 0..31:
                   o Peer-network
                   o Load-Balancing-Group
                   o Vlan
                   o Security-Profile
Ed05    2013/09    Add sip-header command.

Intended audience

The target audience of this manual is network administrators and Information Systems
professionals who maintain IMS equipment.
This manual assumes that the administrator of the 7510-SFW is knowledgeable about the
concepts, network topologies, and the Local Area Network (LAN) and SIP protocols discussed
in this manual.


Conventions used

This guide uses the following typographical conventions:

Appearance                       Description
graphical user interface text    Text that is displayed in a graphical user interface or in a
                                 hardware label
variable                         A value or command-line parameter that the user provides
[]                               Text or a value that is optional
{ value1 | value2 }              A choice of values or variables from which one value or
{ variable1 | variable2 }        variable is used
Related information

This guide has to be used in conjunction with the 7510-SFW documentation listed in the
table hereafter.

Product                    Part Number             Product Description
Getting Started with SFW   3FZ 08140 ABAA PCZZA    This document provides tips to deploy the
                                                   SFW R2.0.6 and further releases.
sfwStaticConf.xls          3FZ-08141-ACAA-PCZZA    This document provides an Excel template to
                                                   build the sitecfg.sfw file for SFW release R3.0.
                                                   The sitecfg.sfw file allows configuration of
                                                   site specific attributes that cannot be
                                                   provisioned via CLI or OMCP management.

Technical support

For technical support, contact your local Alcatel-Lucent customer support team. See the
Alcatel-Lucent Support web site (http://alcatel-lucent.com/support/) for contact
information.

How to comment

To comment on this document, go to the Online Comment Form (http://infodoc.alcatellucent.com/comments/) or e-mail your comments to the Comments Hotline
(comments@alcatel-lucent.com).

Introduction

Overview
Purpose

Before going through the description of the Command Line Interface, chapter 1 of this
document presents the 7510-SFW SIP Firewall for IMS Peering.

Contents

This chapter covers these topics.

SFW location in the IMS architecture ........ 16
SFW high level functionalities ........ 17
SIP Firewall main features ........ 19

SFW location in the IMS architecture


Alcatel-Lucent provides a border architecture consisting of:
o An IBCF that supports SIP signaling interworking. This document applies to the
5020 MGC-8 as the IBCF. The MGC-8 also supports class 4 functionality that can
be used by the service provider to more efficiently route incoming, outgoing, and
transit calls (between two internal network elements).
o A BGW that supports the RTP bearer functionality. This document applies to the
7510 MG as the BGW. The 7510 can also support TDM trunks to support TDM
carriers and internal network elements that are not SIP-capable.

Figure 1 - Alcatel-Lucent border solution

SFW high level functionalities


Alcatel-Lucent's BGW has an internal firewall functionality to protect the bearer network
from external attacks, but a separate signaling firewall is needed to protect the IBCF from
SIP signaling attacks. This document describes the features of the SIP Signaling firewall.
Figure 1 shows the Alcatel-Lucent border solution. The SFW (Signaling Firewall) sits on
the edge of the network in front of the IBCF.

Only the SIP signaling messages pass through the SFW; bearer packets go directly to a
BGW. The border solution could include several BGWs. Each BGW might only connect
to a subset of the peering networks, so the IBCF must choose the appropriate BGW for
each incoming/outgoing call. The internal network elements might be end offices, wireless
MSCs, IMS systems, voice mail systems, announcement servers, etc.

High-level functionalities of the SFW:


o Network Address/Port Translation
o Load Sharing among IBCF CCS
o n-tuple Filtering
o SIP Support
o Malicious Attack Prevention
o Realm Separation
o Per SIP method Rate Limiting
o IBCF Geographic Redundancy Support
o Overlapping IP Address Support
o Topology Hiding

Figure 2 - SFW high level functionalities

SIP Firewall main features


Most firewalls provide SIP firewalling by implementing an ALG. From a networking
standpoint they can operate either in Transparent Mode or in Routed Mode, with or without
performing NAT.
The 7510-SFW SIP firewall does not follow that model.

Figure - SIP stateless Proxy Firewall (DHSPP4): trusted SIP ports (TCP/UDP) towards the
local IBCF over the IP core network (SIP trusted, ~14000 msg/s); untrusted SIP ports
(TCP/UDP) towards the remote IBCFs of sites A, B and C over the IP peering network (SIP
untrusted, ~730000 msg/port/s). Components shown: L2/L3/L4 firewall, IP host and optional
pseudo-router IP interfaces, SIP routing table, load balancer, SIP method rate limiters,
transaction/dialog tracking.
SIP stateless Record-Route Proxy Firewall with dialog and transaction tracking

The SIP firewall is built around a SIP stateless Proxy that has been enhanced to be able to
track dialogs and transactions. For that purpose the SIP firewall inserts itself in the route
(it inserts Via and Record-Route headers) and provides Topology Hiding for the I-BCF it
protects. It is the next SIP hop for that IBCF.
Since it operates as a stateless Proxy, it owns at least one IP interface on the trusted side
and one or more IP interfaces on the untrusted side depending on the deployment model.

SIP features
SIP Parser Attack Prevention

Only the SIP header is analyzed by the SIP Firewall; the SDP is not analyzed.
SFW accepts only SIP messages that are properly formatted.
Only mandatory SIP headers are parsed.
SFW checks the SIP message maximum sizes (header and total message size).

Protection against SIP DoS and Distributed DoS attacks

Rate limitation per type of message

It is the first level of protection: when an untrusted SIP message exceeds its rate, it is
dropped by the SIP firewall. The rate limiters are configurable per untrusted source (Peer
Network).

Transaction tracking

The SIP firewall is aware of the transactions and can drop out-of-sequence messages as
well as duplicate messages.
The transaction tracking is also used in the load balancing and overload control to adapt
the transaction rate towards the local IBCF. That feature allows the SIP firewall to be
aware of the number of SIP transactions that are in progress and of the average time the I-BCF
takes to process them.

Dialog tracking

Dialog tracking is provided for INVITE dialogs only. It allows tracking the transactions inside a
dialog. Transactions that are out of sequence are blocked; for example it may block blind
CANCEL or BYE attacks.
The dialog tracking is also used in the load balancing and the overload control to adapt the
load of the call setup and to reject new INVITEs when the number of established calls
reaches a limit. The limit is configurable per peer.

Initial Request Flooding attack detection

The SIP firewall is able to detect transaction flooding attacks and to isolate SIP messages
that correspond to the signature of the attacker. Note that in that case some legitimate SIP
traffic might be affected because it matches the same signature.
DDOS attack mitigation on initial INVITE

When all the fields used for flooding detection change on each SIP message, the SIP
firewall is not able to detect the source of the attack by analyzing the SIP message alone. The
detection is then based on a threshold of bad responses for a given signature, obtained by
tracking the behavior of the transactions. When that threshold is reached, all initial INVITEs
matching that signature have their rate downgraded. That downgrade remains until the bad
response counters drop below the normal threshold. That mechanism impacts legitimate traffic
that matches the same signature, but avoids putting the source IP address in quarantine
and thereby blocking an entire peer. Typically, in case of an IP spoofing attack, if the SIP
firewall put the source IP in quarantine the attack would be successful, because the SIP
firewall would block the legitimate source.
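As an added illustration of the downgrade mechanism just described (example code, not SFW code), the following Python model counts bad final responses per signature and lowers the admitted initial-INVITE rate for that signature only, restoring it once the bad responses age out; the signature fields, the rates, thresholds, windows and the sample messages are assumptions.

```python
from collections import defaultdict, deque
from typing import Deque, Dict, Tuple

Signature = Tuple[str, ...]


class InviteFloodMitigator:
    """Per-signature rate downgrade of initial INVITEs driven by bad responses.

    Added example, not SFW code: bad final responses are counted per signature;
    once a threshold is reached, INVITEs matching that signature get a reduced
    rate until the bad response count falls below the threshold again. Other
    signatures (other peers, or a legitimate source whose IP is being spoofed
    but whose other fields differ) keep the normal rate.
    """

    def __init__(self, normal_rate: int, downgraded_rate: int, bad_threshold: int,
                 rate_window: float = 1.0, bad_window: float = 10.0) -> None:
        self.normal_rate = normal_rate            # INVITEs admitted per rate_window normally
        self.downgraded_rate = downgraded_rate    # INVITEs admitted per rate_window when downgraded
        self.bad_threshold = bad_threshold        # bad responses within bad_window that trigger it
        self.rate_window = rate_window            # seconds over which INVITEs are counted
        self.bad_window = bad_window              # seconds over which bad responses are counted
        self._bad: Dict[Signature, Deque[float]] = defaultdict(deque)
        self._sent: Dict[Signature, Deque[float]] = defaultdict(deque)
        self.downgraded: Dict[Signature, bool] = defaultdict(bool)

    @staticmethod
    def signature(invite: dict) -> Signature:
        # Assumed signature fields (the guide does not list them): values an attacker
        # tends to keep fixed across a campaign even when the source IP is spoofed.
        return (invite["from_domain"], invite["user_agent"], invite["call_id_host"])

    def _prune(self, q: Deque[float], now: float, window: float) -> None:
        while q and now - q[0] > window:
            q.popleft()

    def record_response(self, sig: Signature, status: int, now: float) -> None:
        """Feed the final response of a tracked transaction (from transaction tracking)."""
        q = self._bad[sig]
        self._prune(q, now, self.bad_window)
        if status >= 400:
            q.append(now)
        if len(q) >= self.bad_threshold:
            self.downgraded[sig] = True

    def current_rate(self, sig: Signature, now: float) -> int:
        """Rate applied to this signature; the normal rate returns once bad responses age out."""
        q = self._bad[sig]
        self._prune(q, now, self.bad_window)
        if self.downgraded[sig] and len(q) < self.bad_threshold:
            self.downgraded[sig] = False
        return self.downgraded_rate if self.downgraded[sig] else self.normal_rate

    def admit_invite(self, invite: dict, now: float) -> bool:
        """True if the initial INVITE is forwarded, False if the rate limiter drops it."""
        sig = self.signature(invite)
        sent = self._sent[sig]
        self._prune(sent, now, self.rate_window)
        if len(sent) >= self.current_rate(sig, now):
            return False
        sent.append(now)
        return True


def simulate() -> Dict[str, int]:
    """Constructed scenario: a flooding signature is downgraded, a peer with another signature is not."""
    m = InviteFloodMitigator(normal_rate=5, downgraded_rate=1, bad_threshold=3)
    flood = {"from_domain": "spoofed.example", "user_agent": "flooder/1.0", "call_id_host": "x.example"}
    legit = {"from_domain": "peer.example", "user_agent": "ibcf/4.2", "call_id_host": "peer.example"}
    sig = m.signature(flood)
    # t = 0.0 .. 0.4 s: five INVITEs pass, the IBCF rejects each one (e.g. 403)
    admitted_before = sum(m.admit_invite(flood, 0.1 * i) for i in range(5))
    for i in range(5):
        m.record_response(sig, 403, 0.1 * i + 0.05)
    # t = 2.0 s: the same signature is held to the downgraded rate, the legitimate peer is not
    admitted_downgraded = sum(m.admit_invite(flood, 2.0 + 0.01 * i) for i in range(5))
    legit_admitted = sum(m.admit_invite(legit, 2.0 + 0.01 * i) for i in range(5))
    # t = 12.0 s: the bad responses have aged out of bad_window, the normal rate is restored
    rate_after_recovery = m.current_rate(sig, 12.0)
    return {"admitted_before": admitted_before, "admitted_downgraded": admitted_downgraded,
            "legit_admitted": legit_admitted, "rate_after_recovery": rate_after_recovery}


if __name__ == "__main__":
    print(simulate())
```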

Remote SIP ports replication on trusted side

In terms of SIP ports (IP address and port), the SFW provides on the trusted side as many SIP
ports as the trusted IBCF can reach on the untrusted side (these are also called peering points).
When the trusted I-BCF has to send a SIP request towards a remote I-BCF, it has to resolve
the IP address and the port of that next SIP hop, either through a local routing table or
through DNS.
The local routing table or the DNS provides an IP address and port that does not designate
the remote I-BCF, but rather a SIP port provided by the SIP firewall on the trusted side.
On the other hand, the SIP firewall is configured with a routing table that allows it to
map the trusted SIP port to the SIP port of the remote I-BCF on the untrusted side.
This is a 1:1 mapping.
For local I-BCF outgoing requests, the SIP firewall does not take any decision about the
next SIP hop; it just follows the information of the SIP routing table.
Transparent to forking

When the local I-BCF decides to fork, the SIP firewall is transparent. However, if forking
takes place after the remote I-BCF, several 200 OK replies might be
sent back to the local I-BCF. That case is detected by the SIP firewall, and all the 200 OK
responses are forwarded to the SIP port from which the initial INVITE came.
Single Point of Contact

On the untrusted side the SFW can be configured to be the single point of contact for the
remote peers while operating in a networking environment that provides separation among
the peer networks.
On the trusted side, the SFW provides a single point of contact for the local
IBCF for reaching all the peering points. This avoids updating the network configuration
of the trusted side when more peering points are added.
Untrusted SIP ports

On the untrusted side it provides as many untrusted SIP ports (IP address and port) as the
remote I-BCFs may address. However, it is not required to provide as many SIP ports as
the local I-BCF provides.
Local IBCF partitioning

When a local IBCF is deployed in the IMS core network as a centralized component, the
SFW provides the ability to partition the local IBCF into smaller subsets. That partitioning
applied to a centralized I-BCF makes the solution equivalent to a distributed model:

o It provides isolation of remote I-BCFs (VPN) on different SIP service blades of the
  local I-BCF by assigning remote IBCFs to different partitions.
o It limits DDOS attacks not detected by the SIP firewall to only a subset of the
  local I-BCF.
Load Balancing and overload control

That feature allows balancing the load of the SIP traffic among the SIP service blades of the
local I-BCF belonging to the same partition.
It provides a QoS feature that allocates a bandwidth for the SIP requests that is
proportional to the weight of the remote IBCF, as well as a number of simultaneous calls.
For the simultaneous calls, a remote IBCF might use more than its strict
proportional share of the total simultaneous call capacity when the partition is not loaded.
This information is configurable and expressed as a percentage of the total call capacity.
The SIP message rate of each remote IBCF is adapted to the aggregate rate of the partition
to which it belongs. Typically, even if the rate for a particular SIP method is not reached for a
given IBCF, the SIP message might still be dropped because the maximum aggregate rate
for the method has been reached.
Redundancy

The SIP firewall operates in 1+1 redundancy mode. It provides redundancy for the
established calls but not for the transactions inside or outside a dialog.
L2/L3/L4 SIP-aware firewalling

The SIP firewall provides L2/L3/L4 firewalling which is SIP aware on the untrusted side
and thus does not require any external firewall. That solution provides better performance
than a solution with an external L2/L3/L4 firewall: in case of overload, the drop is
performed at SIP level and not at L3 or L4 level. This avoids dropping legitimate SIP
traffic, which is not the case with SIP firewalls that separate the L2/L3/L4 firewalling and
the SIP firewalling.
IP V4 address overlapping

IP address overlapping is supported on the untrusted side through the use of
802.1Q tags to separate Peer Networks that have the same IP addresses.
VPN separation

VPN separation is provided through the use of 802.1Q.


Reliable Transport

Only TCP is supported in that release. TCP connections are terminated at SIP firewall
level.

SFW prerequisite

On the first 7510-SFW installation, before doing anything else, you need to pay attention to the
following points:

Item            Purpose                                                      How to check
sitecfg.sfw     This file must be present on both SCMs hosting the           Follow procedure 1
                primary and backup DHSPP4.                                   described below.
SFW CLI login   Before accessing the SFW CLI session you need to:            Follow procedures 2 and 3
                o Configure the SFW OAM IP address on the 7510               described below.
                o Know the initial login / password

Procedure 1: Checking presence of sitecfg.sfw on SCM

When to use

On the first 7510-SFW installation you need to check the presence of the file
sitecfg.sfw on both SCMs (primary and backup) hosting both DHSPP4 of the
SIP Firewall (SFW).

If this file is not present the SIP Firewall application will fail to
be loaded.
This file must contain the name of the SIP Firewall (SFW). The SFW name is
not configurable via CLI commands. It is quite important to configure the SFW
name because:

o The SFW name uniquely identifies the SFW. This is particularly important in
  case of SCM/DHSPP4 hot-swap. In that case the unique SFW name avoids
  overwriting the existing configuration with the one that may exist on the
  replacement board.
o The SFW name, configured via the sitecfg.sfw, is displayed in all SNMP traps.
o The SFW name is the CLI prompt.

Moreover, depending on which 7510 release is loaded, you may have some
objects that are configurable only via the sitecfg.sfw and not configurable via
CLI commands.
Refer to the Appendix at the end of this guide "How to configure SFW site
specific parameters" to know:

o Where to get a template of the sitecfg.sfw
o Which objects need to be configured via this file.
o How to load this file on the SCM boards.

Steps

1 Log in to the 7510

  Contact your account or technical support representative for
  information about default login/password.

2 Check the presence of the file on the primary SCM

  ACT-SCM:1.10 # ls *.sfw
  Volume currently in device: 977 MB FLASH
  SITECFG  SFW    2,184   11-29-2010   3:59p   -V---

3 Access the backup SCM and repeat the same check

  ACT-SCM:1.10(r0) # rc 1 11
  Setting up remote console to [01][11]
  STB-SCM:1.11 # ls *.sfw
  Volume currently in device: 977 MB FLASH
  SITECFG  SFW    2,184   11-29-2010   3:59p   -V---

If the file sitecfg.sfw is missing on one or the other board, please refer to the
Appendix at the end of this guide "How to configure SFW site specific
parameters" to know how to configure and load this file on the SCM boards.

END OF STEPS

Procedure 2: SFW OAM IP address configuration


When to use

The SFW is hosted by the 7510. It is the 7510 that allocates the SFW OAM IP
address. The following 7510 procedure allows configuration of the SFW OAM
IP address:

Steps

1 Log in to the 7510

  Contact your account or technical support representative for
  information about default login/password.

2 Configure the OAM IP address using the ui commands:

  define sfw ip <oam-ip-address> <oam-ip-mask> <defaultroute-ip-address>

3 Check the OAM IP address configuration.

  view sfw ip

END OF STEPS

Procedure 3: How to get access to the SFW CLI


When to use

SFW configuration via CLI requires opening an SSH tunnel.

Steps

1 Open an SSH tunnel to the SFW

  ssh cli@oam-ip-address    (e.g. ssh cli@139.54.128.40)

2 Open the CLI session with the initial login / password

  Contact your account or technical support representative for
  information about default login / password.

3 Then you have the ability to change the root password.

  -> user <login> password <new-password>

END OF STEPS

Vlan Management

Purpose

This section provides information about the Vlan management in the SFW.

Introduction

The main purpose of the Vlan Management is to provide the ability to isolate
the Peer Networks and to address the case of IP V4 address overlapping.
Each Peer Network can have its own VLAN; however it is still possible that
several Peer Networks share the same VLAN. In that last case, they share the
same broadcast domain and no IP address overlapping is possible.
Before going further it is necessary to define the following acronyms that
appear throughout this document:
LPOC: an lpoc is a Local Point of Contact. This means it is an IP address of the
firewall in charge of the SIP Signaling messages. There are LPOCs on the
untrusted side of the firewall, facing the Peer-Networks, and LPOCs on the
trusted side of the firewall, facing the MGC8 IBCF.
RPOC: an rpoc is a Remote Point of Contact. This means it is an IP address of a
SIP Signaling entity either on the untrusted side of the firewall or on the
trusted side of the firewall.

The Vlan management allows supporting various IP configurations:


1. The SFW LPOC and the RPOC are in the same subnet.
   In that case the Vlan configuration defines only an IP subnet/mask.
2. The SFW LPOC and the RPOC are in different subnets.
   In that case, a default gateway needs to be added in the vlan
   configuration to be able to reach the RPOC subnet.
3. The SFW LPOC and the Vlan Subnet are in different subnets.
   For example, this case exists when several Peer-Networks
   (isolated through different vlans) share a single Point Of
   Contact. In that case a pseudo-router needs to be added in the
   Vlan configuration.

The IP configuration capabilities described above apply to both the Untrusted
and Trusted sides. Remember that:

o LPOC designates a SFW Local Point of Contact on either the Untrusted or the
  Trusted side.
o RPOC, Remote Point of Contact, designates either a peering-point of a
  Peer-Network or a Signaling entity (CCS) of the MGC8 IBCF.

The appendix "SFW IP configuration" at the end of this document illustrates
the various IP configurations mentioned above through examples.

When a pseudo-router has been added to a vlan, the Peer-Network using
that Vlan must have a LPOC in a different subnet.
In order to simplify the configuration of the next hop router, the VLAN
Management can be configured to perform RIP announcement of the local
POC IP addresses that are accessible through the pseudo-router.

The SIP FW supports up to 4096 (0..4095) vlan values. A Vlan is either
trusted or untrusted; as a consequence it is not possible to use the same VLAN
number for the trusted and untrusted side.
The vlan 0 and vlan 4095 have special meanings.
The vlan 0 is used to specify an untagged vlan for the Trusted side.
The vlan 4095 is used to specify an untagged vlan for the Untrusted side.
All other vlans (1..4094) are 802.1q tagged vlans.

Summary of the CLI for Vlan management


Vlan management
vlan vid {trusted | untrusted} [enable | disable] [name description] subnet ip_address/len [router ip_address [rip | no rip]] [gw ip_address]
vlan vid subnet ip_address/len
vlan vid router ip_address [rip | no rip]
vlan vid no [ipv4 | ipv6] router
vlan vid gw ip_address
vlan vid no [ipv4 | ipv6] gw
vlan vid name description
vlan vid no name
vlan vid no ipv4
vlan vid no ipv6
vlan vid mac mac_address
vlan vid v4mac mac_address
vlan vid v6mac mac_address
vlan vid no mac
vlan vid no v4mac
vlan vid no v6mac
no vlan vid
show vlan [vid]

vlan vid {trusted | untrusted} subnet ip_address mask

Purpose
The purpose of that command is the creation of a vlan. This vlan will be later
associated with either a Peer-Network or a Load-Balancing-Group to provide IP
connectivity with these remote entities.
In the case of the association with the Peer-Network it will allow realm separation and
IP v4 addresses overlapping.
Command
vlan vid {trusted | untrusted} [enable | disable] [name description]
subnet ip_address mask ip_address
[router ip_address [rip | no rip]] [gw ip_address]
Arguments
vid
This is the identifier of the vlan.
The vlan 0 and vlan 4095 have special meanings.
The vlan 0 is used to specify an untagged vlan for the Trusted side.
The vlan 4095 is used to specify an untagged vlan for the Untrusted side.
All other vlans (1..4094) are 802.1q tagged vlans.

trusted | untrusted
This keyword indicates the SFW interface that owns the vlan. Even if the SIP
firewall is connected to different switches/routers, the firewall does not allow
using the same vlan on the trusted and untrusted side.
enable | disable
Provides the ability to change the operational status of the vlan.
description
Description of the vlan (31 characters)
subnet ip_address/len
These parameters describe the IP subnet and the IP mask length that are associated with
the vlan.
It can be an IPv4 or IPv6 subnet.


The same vlan can be used for IPv4 and IPv6. In that case the CLI must be
run twice, once to specify the IPv4 subnet address and its mask length, once
to specify the IPv6 subnet address and its mask length.

router
This parameter defines the pseudo-router providing accessibility to a LPOC
created in a different subnet. The IP address of this pseudo-router must be
in the subnet defined by the previous attribute subnet.
The same vlan can be used for IPv4 and IPv6. In that case the CLI must be
run twice, once to specify the IPv4 router address, once to specify the IPv6
router address.

rip | no rip
If an IPv4 pseudo-router has been configured on the vlan it is possible to
advertise via the RIP protocol the LPOC which are accessed through this
pseudo-router. By default rip is not activated. When no rip is configured,
static routes should be configured on the next hop router to be able to reach
the LPOC.
gw
This attribute defines a default gateway. This default gateway is required
when the remote POC IP address is not in the vlan subnet. The default
gateway IP address MUST belong to the vlan subnet.
The same vlan can be used for IPv4 and IPv6. In that case the CLI must be
run twice, once to specify the IPv4 gateway address, once to specify the IPv6
gateway address.

Complementary information
Once created, the vlan is associated with a Peer-Network or a Load-Balancing-Group.
At the same time an untrusted LPOC and several RPOCs are associated with
the Peer-Network.
On the trusted side, a trusted LPOC and several RPOCs are associated with the
Load-Balancing-Group.
The vlan IP address parameters must be consistent with the LPOC and
RPOCs that are bound together under the Peer-Network object or the Load-Balancing-Group object.
The consistency of the configuration is checked when the configuration is
saved via the CLI command copy running working.
The consistency of the configuration can also be checked via the CLI
command show configuration consistency.
The consistency checks are the following ones:

o If a peering-point IP address (rpoc) associated with a Peer-Network does not belong
  to the vlan subnet associated with this Peer-Network, then a gateway must have been
  defined for the vlan.
o If a MGC8 IBCF CCS IP address (rpoc) associated with a Load-Balancing-Group does not
  belong to the vlan subnet associated with this Load-Balancing-Group, then a gateway
  must have been defined for the vlan.
o If a vlan gateway has been defined, its IP address must belong to the vlan subnet.
o If a Local Point of Contact (lpoc) associated with a Peer-Network does not belong to
  the vlan subnet associated with this Peer-Network, then a router must have been
  defined for the vlan.
o If a Local Point of Contact (lpoc) associated with a Load-Balancing-Group does not
  belong to the vlan subnet associated with this Load-Balancing-Group, then a router
  must have been defined for the vlan.
o If a vlan router has been defined, its IP address must belong to the vlan subnet.
o Within a Peer-Network, IP overlapping between Peering-Point IP addresses (rpoc)
  must not exist.
o Within a Peer-Network, IP overlapping between Peering-Point IP addresses (rpoc)
  and IP filters must not exist.
o Within a Load-Balancing-Group, IP overlapping between CCS IP addresses (rpoc)
  must not exist.
o If a Vlan is assigned to more than one Peer-Network, IP overlapping between
  Peering-Point IP addresses (rpoc) must not exist.
o If a Vlan is assigned to more than one Peer-Network, IP overlapping between
  Peering-Point IP addresses (rpoc) and IP filters must not exist.
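The consistency rules above, together with the vlan numbering rules of this chapter (vids 0..4095, 0 and 4095 reserved for the untagged trusted and untrusted vlans, no vid on both sides), as an added Python checker that is not SFW code; the Vlan and Binding models, the IPv4-only restriction and the sample lpoc/rpoc/IP filter values are assumptions, with the vlan values taken from the examples of this section.

```python
# Added example, not SFW code: the vlan consistency rules of this section as a stand-alone checker.
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional

@dataclass
class Vlan:
    """One 'vlan vid {trusted|untrusted} subnet ...' definition (IPv4 only here)."""
    vid: int
    side: str                     # "trusted" or "untrusted"
    subnet: str                   # e.g. "172.19.4.0/24"
    router: Optional[str] = None  # pseudo-router: reaches an lpoc outside the subnet
    gw: Optional[str] = None      # default gateway: reaches an rpoc outside the subnet

@dataclass
class Binding:
    """A Peer-Network (untrusted vlan) or a Load-Balancing-Group (trusted vlan)."""
    name: str
    kind: str                     # "peer-network" or "lbg"
    vid: int
    lpoc: str                     # SFW Local Point of Contact
    rpocs: List[str]              # peering points (PN) or IBCF CCS addresses (LBG)
    ip_filters: List[str] = field(default_factory=list)  # Peer-Network IP filters (CIDR)

def _in(addr: str, net: str) -> bool:
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net, strict=False)

def check_vlans(vlans: List[Vlan]) -> List[str]:
    """vid range, reserved vids 0/4095, one side per vid, gw and router inside the subnet."""
    errors: List[str] = []
    side_of: Dict[int, str] = {}
    for v in vlans:
        if not 0 <= v.vid <= 4095:
            errors.append(f"vlan {v.vid}: vid must be in 0..4095")
            continue
        if v.vid == 0 and v.side != "trusted":
            errors.append("vlan 0: reserved for the untagged trusted vlan")
        if v.vid == 4095 and v.side != "untrusted":
            errors.append("vlan 4095: reserved for the untagged untrusted vlan")
        if side_of.setdefault(v.vid, v.side) != v.side:
            errors.append(f"vlan {v.vid}: cannot be both trusted and untrusted")
        if v.gw and not _in(v.gw, v.subnet):
            errors.append(f"vlan {v.vid}: gw {v.gw} is outside subnet {v.subnet}")
        if v.router and not _in(v.router, v.subnet):
            errors.append(f"vlan {v.vid}: router {v.router} is outside subnet {v.subnet}")
    return errors

def check_bindings(vlans: List[Vlan], bindings: List[Binding]) -> List[str]:
    """lpoc/rpoc reachability through the vlan, rpoc overlap, rpoc versus IP filters."""
    errors: List[str] = []
    vlan_of = {v.vid: v for v in vlans}
    rpoc_owner: Dict[int, Dict[str, str]] = {}   # vid -> rpoc -> first binding using it
    filters: Dict[int, List[tuple]] = {}         # vid -> [(cidr, binding name)]
    for b in bindings:
        v = vlan_of.get(b.vid)
        if v is None:
            errors.append(f"{b.name}: vlan {b.vid} is not defined")
            continue
        expected = "untrusted" if b.kind == "peer-network" else "trusted"
        if v.side != expected:
            errors.append(f"{b.name}: needs an {expected} vlan but vlan {b.vid} is {v.side}")
        if not _in(b.lpoc, v.subnet) and v.router is None:
            errors.append(f"{b.name}: lpoc {b.lpoc} outside {v.subnet} and vlan {b.vid} has no router")
        owners = rpoc_owner.setdefault(b.vid, {})
        for r in b.rpocs:
            if not _in(r, v.subnet) and v.gw is None:
                errors.append(f"{b.name}: rpoc {r} outside {v.subnet} and vlan {b.vid} has no gw")
            if r in owners:   # duplicate inside this binding or across bindings sharing the vlan
                errors.append(f"{b.name}: rpoc {r} already used by {owners[r]} on vlan {b.vid}")
            owners.setdefault(r, b.name)
        filters.setdefault(b.vid, []).extend((f, b.name) for f in b.ip_filters)
    # rpoc versus IP filters, within a Peer-Network and across Peer-Networks sharing a vlan
    for vid, owners in rpoc_owner.items():
        for r, rname in owners.items():
            for cidr, fname in filters.get(vid, []):
                if _in(r, cidr):
                    errors.append(f"{rname}: rpoc {r} overlaps IP filter {cidr} of {fname} on vlan {vid}")
    return errors

def check_consistency(vlans: List[Vlan], bindings: List[Binding]) -> List[str]:
    return check_vlans(vlans) + check_bindings(vlans, bindings)

# Constructed configuration mirroring the vlan examples of this section; lpoc/rpoc values are made up.
SAMPLE_VLANS = [
    Vlan(4, "untrusted", "172.19.4.0/24", gw="172.19.4.254"),
    Vlan(8, "untrusted", "172.23.8.0/24", router="172.23.8.5", gw="172.23.8.254"),
    Vlan(200, "trusted", "192.168.2.0/24"),
]
SAMPLE_BINDINGS = [
    Binding("PN_4", "peer-network", 4, "172.19.4.1", ["172.19.4.20", "10.1.1.10"], ["10.9.0.0/16"]),
    Binding("PN_8", "peer-network", 8, "10.200.0.1", ["172.23.8.40"]),
    Binding("LBG_1", "lbg", 200, "192.168.2.10", ["192.168.2.21", "192.168.2.22"]),
]

if __name__ == "__main__":
    for line in check_consistency(SAMPLE_VLANS, SAMPLE_BINDINGS) or ["configuration is consistent"]:
        print(line)
```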

Example

-> vlan 4 untrusted enable name vlan4 subnet 172.19.4.0/24 no rip gw 172.19.4.254
-> vlan 5 untrusted enable name UNTRUSTED_VLAN_5 subnet 172.20.5.0/24 no rip
-> vlan 8 untrusted enable name UNTRUSTED_VLAN_8 subnet 172.23.8.0/24 router 172.23.8.5 no rip gw 172.23.8.254
-> vlan 8 subnet 2001:8::/64 router 2001:8::172:23:8:5 gw 2001:8::172:23:8:254
-> vlan 200 trusted enable subnet 192.168.2.0/24 no rip

vlan vid subnet ip_address/len


Purpose
The purpose of that command is to modify the subnet IP address for an existing vlan.
Command
vlan vid subnet ip_address/len
Arguments
vid
This is the identifier of the vlan to be modified.
subnet ip_address/len
These parameters describe the IP subnet and IP mask length that are
associated with the vlan.
It can be an IPv4 or IPv6 subnet.

Example
-> vlan 8 subnet 2001:b8::/64
-> vlan 200 subnet 192.168.2.0/24

vlan vid [router ip_address [rip | no rip]]


Purpose
The purpose of that command is to add or modify the router IP address for an
existing vlan. Optionally, in case of IPv4, the RIP protocol can be activated for this
vlan.
Command
vlan vid [router ip_address [rip | no rip]]
Arguments
vid
This is the identifier of the vlan to be modified.
router
This parameter defines the pseudo-router providing accessibility to a LPOC
created in a different subnet. The IP address of this pseudo-router must be
in the subnet defined when creating the vlan.
It can be an IPv4 or IPv6 address.
rip | no rip
If a pseudo-router has been configured on the vlan it is possible to advertise
via the RIP protocol the LPOC which are accessed through this pseudo-router.
By default rip is not activated. When no rip is configured, static routes
should be configured on the next hop router to be able to reach the LPOC.

Example
-> vlan 8 router 172.23.8.3 rip
-> vlan 8 router 2001:b8::172:23:8:3

vlan vid no [ipv4 | ipv6] router


Purpose
The purpose of that command is to remove the router IP address for an existing vlan.
Command
vlan vid no [ipv4 | ipv6] router
Arguments
vid
This is the identifier of the vlan to be modified.
no [ipv4|ipv6] router
This parameter defines the pseudo-router providing accessibility to a LPOC
created in a different subnet.
You have the ability to remove only the IPv4 router or the IPv6 router.

Example
-> vlan 8 no router
-> vlan 15 no ipv4 router
-> vlan 20 no ipv6 router

vlan vid gw ip_address


Purpose
The purpose of that command is to add or modify the gateway IP address for an
existing vlan.
Command
vlan vid gw ip_address
Arguments
vid
This is the identifier of the vlan to be modified.
gw
This attribute defines a default gateway. This default gateway is required
when the remote POC IP address is not in the vlan subnet. The default
gateway IP address MUST belong to the vlan subnet.
It can be an IPv4 or IPv6 address.

Example
-> vlan 4 gw 172.19.4.254
-> vlan 4 gw 2001:4::172:19:4:254

vlan vid no [ipv4 | ipv6] gw


Purpose
The purpose of that command is to remove the gateway IP address for an existing
vlan.
Command
vlan vid no [ipv4|ipv6] gw
Arguments
vid
This is the identifier of the vlan to be modified.
no gw
This attribute defines a default gateway. This default gateway is required
when the remote POC IP address is not in the vlan subnet.
You have the ability to remove only the IPv4 gateway or the IPv6 gateway.

Example
-> vlan 4 no gw
-> vlan 8 no ipv4 gw
-> vlan 20 no ipv6 gw

vlan vid name description


Purpose
The purpose of that command is to give a name to an existing vlan, or to modify it.
Command
vlan vid name description
Arguments
vid
This is the identifier of the vlan to be modified.
name
Description of the vlan (31 characters)

Example
-> vlan 4 name vlan_untrusted_4

vlan vid no name


Purpose
The purpose of that command is to delete the name of an existing vlan.
Command
vlan vid no name
Arguments
vid
This is the identifier of the vlan to be modified.

Example
-> vlan 4 no name

vlan vid mac mac_address


Purpose
The purpose of that command is to specify the MAC address of the gateway.
When a MAC address is specified for the vlan gateway, the SFW bypasses the ARP (or
ND) resolution and uses that MAC address in IP frames sent to the gateway. This avoids a
man-in-the-middle attack: the IP frames cannot be sent to an attacker who would
have stolen the IP address of the gateway.
The command vlan vid mac mac_address assigns a unique MAC address for
both IPv4 and IPv6 gateways of the Vlan.
You can assign different MAC addresses for IPv4 and IPv6 gateways via the CLI
vlan vid v4mac mac_address [v6mac mac_address]
This command is allowed only if a gateway has been previously configured via the
CLI command vlan vid gw ip_address.
The CLI command show vlan vid returns the MAC address configured for the
gateway but also the MAC address learned from the ARP (or ND) resolution.
Command
vlan vid mac mac_address
vlan vid v4mac mac_address
vlan vid v6mac mac_address
Arguments
vid
This is the identifier of the vlan to be modified.
mac_address
This is the MAC address of the gateway.

Example
-> vlan 8 mac 00:d0:95:ff:94:74
-> vlan 9 v4mac 00:e0:b1:7c:48:4c
-> vlan 10 v6mac 00:d0:95:fe:33:26
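The show vlan command reports both the configured and the resolved gateway MAC. The following added example (not part of this guide or the SFW software) parses a constructed listing in the show vlan layout and flags every vlan whose gateway MAC is not pinned, or whose resolved MAC differs from the pinned one; the field names are taken from the show vlan output in this guide and the addresses are constructed.

```python
"""Audit a 'show vlan' listing for gateway MAC pinning.

Added example, not part of the 7510-SFW software or this guide. It assumes
the 'key : value' layout that 'show vlan' prints, with the configured and
resolved gateway MACs written as 'mac_v4 / mac_v6' or 'no V4 MAC / no V6 MAC'.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

MAC_RE = re.compile(r"([0-9a-f]{2}:){5}[0-9a-f]{2}")

# Constructed sample: vlan 10 has a gateway but no pinned MAC, vlan 20 has a
# pinned IPv4 MAC that no longer matches what ARP resolved (the symptom of a
# spoofed gateway), vlan 200 is a trusted vlan without a gateway.
SAMPLE_SHOW_VLAN = """\
Vlan id                      : 10
Name                         : UNTRUSTED_VLAN_10
Vlan side                    : untrusted
Vlan IP subnet               : 172.25.10.0/24 2001:10::/64
IP gateway                   : 172.25.10.254 2001:10::172:25:10:254
configured v4&v6 MAC gateway : no V4 MAC / no V6 MAC
resolved v4&v6 MAC gateway   : 00:e0:b1:7c:48:4c / 00:e0:b1:7c:48:4c
IP MTU                       : 1500

Vlan id                      : 20
Name                         : UNTRUSTED_VLAN_20
Vlan side                    : untrusted
Vlan IP subnet               : 172.26.20.0/24 2001:20::/64
IP gateway                   : 172.26.20.254 2001:20::172:26:20:254
configured v4&v6 MAC gateway : 00:d0:95:ff:94:74 / 00:d0:95:fe:33:26
resolved v4&v6 MAC gateway   : 00:e0:b1:7c:48:4c / 00:d0:95:fe:33:26
IP MTU                       : 1500

Vlan id                      : 200
Name                         : TRUSTED_VLAN_200
Vlan side                    : trusted
Vlan IP subnet               : 192.168.2.0/24 2001:200::/64
IP MTU                       : 1500
"""


@dataclass
class VlanEntry:
    vid: int
    fields: Dict[str, str] = field(default_factory=dict)


def parse_show_vlan(text: str) -> List[VlanEntry]:
    """Group 'key : value' lines into one entry per 'Vlan id' block; only the
    first ':' separates key from value, so IPv6 addresses and MACs survive."""
    entries: List[VlanEntry] = []
    for raw in text.splitlines():
        if ":" not in raw:
            continue
        key, _, value = raw.partition(":")
        key, value = key.strip(), value.strip()
        if key == "Vlan id":
            entries.append(VlanEntry(vid=int(value)))
        elif entries:
            entries[-1].fields[key] = value
    return entries


def split_macs(cell: str) -> Tuple[Optional[str], Optional[str]]:
    """'v4 / v6' cell -> (v4_mac, v6_mac); a half without a MAC gives None."""
    halves = [h.strip().lower() for h in cell.split("/")] + ["", ""]
    return tuple(h if MAC_RE.fullmatch(h) else None for h in halves[:2])


def audit_show_vlan(text: str) -> List[Tuple[int, str]]:
    """Return (vid, finding) for each gateway whose MAC is unpinned or disputed."""
    findings: List[Tuple[int, str]] = []
    for entry in parse_show_vlan(text):
        gateway = entry.fields.get("IP gateway", "").split()
        if not gateway:
            continue                     # no gateway on this vlan: nothing to pin
        pinned = split_macs(entry.fields.get("configured v4&v6 MAC gateway", ""))
        learned = split_macs(entry.fields.get("resolved v4&v6 MAC gateway", ""))
        for i, label in enumerate(("IPv4", "IPv6")):
            if not any(("." if i == 0 else ":") in a for a in gateway):
                continue                 # no gateway of this address family
            if pinned[i] is None:
                findings.append((entry.vid, f"{label} gateway MAC not pinned: "
                                 "frames follow whatever ARP/ND answers"))
            elif learned[i] is not None and learned[i] != pinned[i]:
                findings.append((entry.vid, f"{label} resolved gateway MAC {learned[i]} "
                                 f"differs from pinned {pinned[i]}"))
    return findings


if __name__ == "__main__":
    for vid, finding in audit_show_vlan(SAMPLE_SHOW_VLAN):
        print(f"vlan {vid}: {finding}")
```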

no vlan vid
Purpose
The purpose of that command is to delete an existing vlan.
Command
no vlan vid
Arguments
vid
This is the identifier of the vlan to be deleted.
The vlan cannot be deleted if it is still associated with a Peer-Network or a
Load-Balancing-Group.
There is no command peer-network netid no vlan; to remove the association
between a Peer-Network and a vlan, it is necessary to associate a new vlan with
the Peer-Network. Then the unused vlan can be deleted.
There is no command load-balancing-group group_id no vlan; to remove
the association between a Load-Balancing-Group and a vlan, it is necessary to
associate a new vlan with the Load-Balancing-Group. Then the unused vlan can
be deleted.

Example
-> no vlan 4

show vlan
Purpose
The purpose of that command is to display the vlan configuration.
Command
show vlan [vid]
Arguments
vid
This is the identifier of the vlan.
If vid is not specified, all vlan information is displayed.

Example
-> show vlan
Vlan id                      : 10
Name                         : UNTRUSTED_VLAN_10
Vlan status                  : up
Vlan side                    : untrusted
Vlan IP subnet               : 172.25.10.0/24 2001:10::/64
IP gateway                   : 172.25.10.254 2001:10::172:25:10:254
configured v4&v6 MAC gateway : no V4 MAC / no V6 MAC
resolved v4&v6 MAC gateway   : 00:e0:b1:7c:48:4c / 00:e0:b1:7c:48:4c
RIP                          : disable
IP MTU                       : 1500

Vlan id                      : 200
Name                         : TRUSTED_VLAN_200
Vlan status                  : up
Vlan side                    : trusted
Vlan IP subnet               : 192.168.2.0/24 2001:200::/64
IP MTU                       : 1500

Local Point Of Contact (LPOC)

Purpose

This paragraph provides information about:

What is the SFW Trusted Interface.

What is the SFW Untrusted Interface.

What are the SFW Local Points of Contact.

CLIs to configure the objects mentioned above.

Introduction

The SIP firewall provides one interface for the trusted side and one interface
for the untrusted side.
Each interface, trusted and untrusted, is made of 2 physical Gigabit ports. The
binding of the physical Gigabit ports with the trusted or untrusted interface is
implicit in the SIP firewall. There is no way to change that association. The
only operation permitted is the choice of the network mode. They can operate
either in active/standby mode or in link aggregation mode. See the Trunk
section later in that document to get details about the mode configuration.

Trusted interface definition


The trusted interface is facing the IBCF that sits on the IMS core network.
In order to reach the SIP firewall from the IMS core network, the operator
must configure at least one IP address on the trusted interface. This is the
trusted lpoc IP address. lpoc stands for local point of contact.
The trusted lpoc IP address is the destination IP address for SIP messages
coming from the local IBCF and sent to the peer networks through the SIP
firewall.
SIP messages, received from the local IBCF on the SIP firewall trusted lpoc,
are sent to the peering points according to the IP ports on which the SIP messages
are received.
The static mapping between the listening IP port on the trusted interface and
peering points IP addresses is described later in that document in the Peer
Networks section.

Untrusted interface definition


The untrusted interface is facing the peer networks.
The configuration of the SIP firewall provides the ability to configure a single
point of contact for all peer networks to reach the trusted IBCF.
However, it is still possible to define more than one point of contact on the
untrusted side.
The configuration of the untrusted lpoc IP addresses and IP ports is
described below.

Local Point Of Contact definition


A Local Point of Contact (LPOC) is defined by the following attributes:
o A lpoc reference (1..128)
o An IP address (IPv4 or IPv6)
o The type of the interface to which the LPOC must be bound
The SIP firewall provides the ability to declare up to 128 LPOC per interface
type (trusted or untrusted).

Summary of the CLI for Trusted and Untrusted LPOC


Trusted and Untrusted LPOC
lpoc untrusted poc_id [ip ip_address] [enable | disable] [name description]
lpoc untrusted poc_id [ ip ip_address] [udp[ port] | tcp[ port] | sctp[ port] | tls[ port]]
lpoc untrusted poc_id no ipv4
lpoc untrusted poc_id no ipv6
lpoc untrusted poc_id no {udp | tcp | sctp | tls}
no lpoc untrusted poc_id
lpoc trusted poc_id [ip ip_address] [enable | disable] [ name description]
lpoc trusted poc_id no ipv4
lpoc trusted poc_id no ipv6
no lpoc trusted poc_id
show lpoc [trusted [ poc_id ]| untrusted [poc_id]]

lpoc untrusted poc_id


Purpose
Creates an Untrusted LPOC.
Command
lpoc untrusted poc_id [ip ip_address] [enable | disable] [name sfwfqdn]
lpoc untrusted poc_id [ip ip_address] [udp[ port] | tcp[ port] |
sctp[ port] | tls[ port]]
Arguments
poc_id
The poc_id, referencing the untrusted LPOC, is later associated with one or
several peer-networks.
ip_address
IPv4 or IPv6 address of the LPOC.
A LPOC can be dual-stack IPv4/IPv6. In that case the CLI must be run twice,
once to specify the IPv4 address, once to specify the IPv6 address.
It is possible to change the IP address of the LPOC without disabling it.
The lpoc creation is rejected if there is already a poc_id with the same IP
address.
sfw-fqdn
Optionally, it is possible to specify a name for the LPOC (63 characters max.)
If the peering-point sends SIP messages to the SFW with a pre-loaded Route
header using a FQDN, the name of the lpoc must match this FQDN.
This FQDN represents the public IP address of the firewall.
port
Udp, tcp, sctp or tls listening port of the LPOC. Note that the TLS port must
be different from the TCP port.
enable | disable
By default the LPOC is created in the enable state. If the LPOC is created in
the disable state, any Peer Network that references that LPOC will be
unreachable until it moves to the enable state.

If the LPOC is in disable state, all the IP frames with a destination IP
matching the LPOC IP address are filtered by the SIP firewall.

Example
-> lpoc untrusted 8 enable name mgc8.ims32.alcatel-lucent.com
-> lpoc untrusted 8 ip 10.7.8.5
-> lpoc untrusted 8 ip 2001:b8::10:7:8:5
-> lpoc untrusted 8 udp 5060
-> lpoc untrusted 8 tcp 5060
-> lpoc untrusted 8 tls 5061

In the above example, suppose a SIP INVITE received on the SFW lpoc address:port
10.7.8.5:5060 contains the following pre-loaded Route header:
Route: <sip:+33132133301@mgc8.ims32.alcatel-lucent.com;lr>
The FQDN of the pre-loaded Route matches the lpoc name and the address:port on
which the message has been received. In that case the SIP message is accepted by
the firewall.
If the FQDN were unknown, the SIP message would be dropped by the firewall.

lpoc untrusted poc_id no ipv6


Purpose
Removes the IPv6 address from an LPOC.
Command
lpoc untrusted poc_id no ipv6
Arguments
poc_id
The poc_id, referencing the untrusted LPOC.
no ipv6
Specifies the IP protocol version to be removed from the LPOC.
Example
-> lpoc untrusted 8 no ipv6

lpoc untrusted poc_id no ipv4


Purpose
Removes the IPv4 address from an LPOC.
Command
lpoc untrusted poc_id no ipv4
Arguments
poc_id
The poc_id, referencing the untrusted LPOC.
no ipv4
Specifies the IP protocol version to be removed from the LPOC.
Example
-> lpoc untrusted 8 no ipv4

lpoc untrusted poc_id no {udp | tcp | sctp | tls}


Purpose
Removes a transport type from an Untrusted LPOC.
Command
lpoc untrusted poc_id no {udp | tcp | sctp | tls}
Arguments
poc_id
The poc_id, referencing the untrusted LPOC.
no {udp | tcp | sctp | tls}
Specifies the transport type to be removed from the LPOC.
Example
-> lpoc untrusted 8 no tcp

no lpoc untrusted poc_id


Purpose
Deletes an Untrusted LPOC.
Command
no lpoc untrusted poc_id
Arguments
poc_id
The poc_id, referencing the untrusted LPOC.

Once removed, the lpoc IP address becomes unreachable. As a consequence, this
should be done carefully because all Peer Network objects that reference that
LPOC will not be operational anymore.
Example
-> no lpoc untrusted 8

lpoc trusted poc_id


Purpose
Creates a Trusted LPOC.
Command
lpoc trusted poc_id [ip ip_address] [enable | disable] [name description]
Arguments
poc_id
The poc_id, referencing the trusted LPOC, is later associated with one or
several load-balancing-groups.
ip_address
IPv4 or IPv6 address of the LPOC.
A LPOC can be dual-stack IPv4/IPv6. In that case the CLI must be run twice,
once to specify the IPv4 address, once to specify the IPv6 address.
It is possible to change the IP address of the LPOC without disabling it.
The lpoc creation is rejected if there is already a poc_id with the same IP
address.
description
Optionally, it is possible to specify a name for the LPOC (63 characters max.)
enable | disable
By default the LPOC is created in the enable state. If the LPOC is created in
the disable state, any Peer Network that references that LPOC will be
unreachable until it moves to the enable state.
If the LPOC is in disable state, all the IP frames with a destination IP
matching the LPOC IP address are filtered by the SIP firewall.

Example
-> lpoc trusted 1 ip 192.168.2.205 enable name lpoc_trusted_1

Additional information:

Routing of initial SIP messages received on the trusted side.


The SIP firewall owns a routing table that permits to route initial SIP messages
received on the trusted side to the remote IBCF (peering points) located on the
untrusted side.
This routing table performs a static mapping between the IP listening port on the lpoc
trusted, where the SIP message is received from the local IBCF, and the Peering Point
where the SIP message is forwarded.
That table is built according to:

A port base equal to 10000

Peer Network identifiers (netid)

Peering Point identifiers (peering_point_id)

Note that the same port, on the trusted lpoc, can be used for any of the transport
protocols supported by the remote IBCF.

The command lpoc trusted poc_id [ip ip_address] does not specify any port
because the listening port on the lpoc trusted is automatically built as follows:

Listening IP port on lpoc trusted = 10000 + (netid * 100) + peering_point_id

For example, an initial SIP message received on the trusted side on the port 12015
will be forwarded to the peering point 15 of the peer-network 20.
In the chapter describing the command peer-net netid rpoc
peering_point_id ip, an example is provided to clarify the static mapping
between IP ports of the trusted side and Peering Points.

lpoc trusted poc_id no ipv6


Purpose
Removes the IPv6 address from an LPOC.
Command
lpoc trusted poc_id no ipv6
Arguments
poc_id
The poc_id, referencing the trusted LPOC.
no ipv6
Specifies the IP protocol version to be removed from the LPOC.
Example
-> lpoc trusted 1 no ipv6

lpoc trusted poc_id no ipv4


Purpose
Removes the IPv4 address from an LPOC.
Command
lpoc trusted poc_id no ipv4
Arguments
poc_id
The poc_id, referencing the trusted LPOC.
no ipv4
Specifies the IP protocol version to be removed from the LPOC.
Example
-> lpoc trusted 1 no ipv4

no lpoc trusted poc_id


Purpose
Deletes a Trusted LPOC.
Command
no lpoc trusted poc_id
Arguments
poc_id
The poc_id referencing the trusted LPOC.

Once removed, the lpoc IP address becomes unreachable. As a consequence, this
should be done carefully because all Peer Network objects that reference that
LPOC will not be operational anymore.
Example
-> no lpoc trusted 1

show lpoc
Purpose
Displays the list of LPOC.
Command
show lpoc [trusted [ poc_id ]| untrusted [poc_id]]
Arguments
poc_id
The poc_id, referencing the trusted or untrusted LPOC, is later associated
with one or several load-balancing-groups.
trusted | untrusted
If trusted or untrusted is not specified, information is displayed for all lpoc.
Remark: the listening ports on trusted lpoc are provided by the command
show peer-net netid rpoc [peering_point_id]

Example

-> show lpoc
+--------+-----------+------------------------+-----------------------------------------+--------+------+------+------+-----+
! Poc id ! Side      ! Name                   ! IP Address                              ! Status ! Udp  ! Tcp  ! Sctp ! Tls !
+--------+-----------+------------------------+-----------------------------------------+--------+------+------+------+-----+
! 1      ! trusted   ! LPOC_TRUSTED_1         ! 192.168.2.205 2001:200::192:168:2:205   ! up     ! n/s  ! n/s  ! n/s  ! n/s !
! 2      ! untrusted ! LPOC_UNTRUSTED_2       ! 172.17.2.5 2001:2::172:17:2:5           ! up     ! 5060 ! n/s  ! n/s  ! n/s !
! 3      ! untrusted ! LPOC_UNTRUSTED_3       ! 172.18.3.5 2001:3::172:18:3:5           ! up     ! 5060 ! n/s  ! n/s  ! n/s !
+--------+-----------+------------------------+-----------------------------------------+--------+------+------+------+-----+

ip defrag
Purpose
The purpose of this command is to configure, at switch level, how the LPOCs
process the fragmented UDP packets received from both untrusted and trusted sides.
There are two values: order or disorder.
By default the SFW has the order value.
Commands
ip defrag {order|disorder}
Arguments
order
SFW only reassembles fragmented UDP packets whose fragments arrive in sequential order.
disorder
SFW reassembles fragmented UDP packets whose fragments arrive in any order.

Example
-> ip defrag order
-> ip defrag disorder

show ip defrag
Purpose
This command returns the SFW value that indicates how to process fragmented UDP
packets received from both untrusted and trusted sides.
Command
show ip defrag

Example
-> show ip defrag
+--------------------+
! IP defragmentation !
+--------------------+
! disorder           !
+--------------------+
1 elements

Peer Networks

Purpose

This paragraph provides information about:

What is the Peer Network object.

CLIs to configure the Peer Network object.

Introduction

This object is used to describe a Peer Network that is in relation with the IBCF
protected by the SIP firewall.
The SIP firewall handles up to 2047 Peer Networks.
A Peer Network object contains the following attributes:
o a set of IP filters
  The purpose of these IP filters is to define the set of hosts of the Peer
  Network that are authorized or not authorized to communicate with the
  IBCF protected by the SIP firewall.
o a set of remote POC
  A remote POC references a peering point IP address and IP port.
  A peering point may be defined behind a NAT.
o a set of local POC
  The local POC defines the IP address for which the SIP firewall
  provides SIP service for the external Peer Networks. That local POC
  can be either shared between all Peer Networks or reserved for a single
  Peer Network. By default one local POC is sufficient.
o a SIP security profile
o a Load Balancing Group
o a TLS profile

Summary of the CLI for Peer Network management


Peer Network
peer-net netid [enable | disable] [name description]
peer-net netid filter filter_id ip address/mask_length [accept | deny]
peer-net netid filter filter_id rpoc peering_point_id
peer-net netid no filter filter_id
peer-net netid rpoc peering_point_id ip ip_address [udp[ port] | tcp[ port] | sctp[ port] | tls[ port]]
peer-net netid rpoc peering_point_id {udp[ port] | tcp[ port] | sctp[ port] | tls[ port]}
peer-net netid rpoc peering_point_id no {udp | tcp | sctp | tls}
peer-net netid rpoc peering_point_id name
peer-net netid rpoc peering_point_id no name
peer-net netid rpoc peering_point_id nat ip_address /mask_length
peer-net netid rpoc peering_point_id port-forwarding port
peer-net netid rpoc peering_point_id no port-forwarding
peer-net netid rpoc peering_point_id nat ip_address /mask_length port-forwarding port
peer-net netid no rpoc peering_point_id
peer-net netid lpoc untrusted_lpoc_id
peer-net netid no lpoc untrusted_lpoc_id
peer-net netid security-profile security_profile_id
peer-net netid load-balancing-group group_id
peer-net netid vlan vid
peer-net netid max call duration call_duration
peer-net netid polling ping {enable | disable}
peer-net netid polling period interval
peer-net netid dscp default
peer-net netid dscp dscp_value
dscp default default_dscp
show dscp default
peer-net netid tls-profile tlsprofileid
peer-net netid no tls-profile
no peer-net netid
show peer-net [netid]
show peer-net netid lpoc
show peer-net [netid] filter
show peer-net [netid] rpoc
show peer-net [netid] connectivity
show peer-net [netid] statistics [trusted | untrusted]

peer-net netid
Purpose
The purpose of that command is the creation of a Peer Network.
Command
peer-net netid [enable | disable] [name description]
Arguments
netid
This is the identifier of the Peer Network. Up to 2047 Peer Networks can be
configured.
description
Description of the Peer Network (31 characters)
enable | disable
By default the Peer Network is created in the disable state.

Example
-> peer-net 2 enable name PNET_2

peer-net netid filter filter_id ip address/mask


Purpose
By default the SIP firewall drops all IP packets coming from an unknown source.
Only Peering Points (RPOC) defined in Peer networks are known sources.
However there are a few scenarios where a SIP message may come from a valid source
without being known as a Peering Point. For example, an RPOC does not necessarily
add its Record-Route in the initial SIP messages, and thus subsequent messages
won't go through it. This may occur, for example, if the RPOC is the entry point of a
peer-network acting only as a load balancer between several IBCF.
So there is a need to accept SIP packets coming from behind an RPOC, and that's the
purpose of the peer-net filter defined hereafter.
Once created the filter must be associated with an RPOC to become effective.
Command
peer-net netid filter filter_id ip address/mask [accept | deny]

Arguments
netid
This is the identifier of the Peer network.
filter_id
This is the identifier of the Filter. Each Peer Network can support up to 32 IP
filters.
address/mask
IP address and mask defining the subnet to be filtered out or accepted.
The IP address may be an IPv4 or IPv6 address.
accept | deny
Action to be applied on the IP subnet defined by the previous attributes.
The deny action has always priority over the accept action.
Example
-> peer-net 5 filter 1 ip 172.20.5.0/24 accept
-> peer-net 5 filter 2 ip 2001:5::172:20:5:36/128 accept


peer-net netid filter filter_id rpoc


Purpose
Once created, with the command peer-net netid filter filter_id ip
address/mask, the filter must be associated with an RPOC to become effective.
As described above, the association between the filter and the rpoc allows subsequent
SIP requests matching the filter to be accepted by the SIP firewall even if the source
IP addresses of these subsequent requests are not defined as peering-points.
Command
peer-net netid filter filter_id rpoc peering_point_id

Arguments
netid
This is the identifier of the Peer network.
filter_id
This is the identifier of the Filter. Each Peer Network can support up to 128
IP filters.
peering_point_id
This is the identifier of the peering point (rpoc) within the peer-network. The
RPOC has been previously created with the following command:
peer-net netid rpoc peering_point_id ip ip_address [udp[ port] | tcp[
port] | sctp[ port] | tls[ port]]
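The following added example (not part of this guide or the SFW software) models the documented source rules for one Peer Network: unknown sources are dropped, peering-point (rpoc) addresses are known sources, a filter is effective only once bound to an rpoc of the Peer Network, and deny has priority over accept. It also reports the rpoc/filter overlaps this guide forbids; the addresses are constructed and the evaluation order inside the product is an assumption.

```python
"""Peer Network source acceptance and overlap checks.

Added example, not part of this guide or the SFW software. It models only the
documented rules for one Peer Network: packets from unknown sources are dropped,
peering-point (rpoc) addresses are known sources, a filter is effective only
once bound to an rpoc of the Peer Network, and deny has priority over accept.
The evaluation order inside the product and all addresses are assumptions.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
IPNet = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass
class Filter:
    filter_id: int
    subnet: IPNet
    action: str                  # "accept" or "deny"
    rpoc: Optional[int] = None   # set by 'peer-net netid filter filter_id rpoc pp'


@dataclass
class PeerNet:
    netid: int
    rpocs: Dict[int, List[IPAddr]] = field(default_factory=dict)
    filters: List[Filter] = field(default_factory=list)

    def rpoc_ip(self, peering_point_id: int, address: str) -> None:
        """'peer-net netid rpoc peering_point_id ip ip_address' (v4 or v6)."""
        self.rpocs.setdefault(peering_point_id, []).append(ipaddress.ip_address(address))

    def filter_ip(self, filter_id: int, subnet: str, action: str) -> None:
        """'peer-net netid filter filter_id ip address/mask {accept | deny}'."""
        self.filters.append(Filter(filter_id, ipaddress.ip_network(subnet, strict=False), action))

    def filter_rpoc(self, filter_id: int, peering_point_id: int) -> None:
        """'peer-net netid filter filter_id rpoc peering_point_id'."""
        for f in self.filters:
            if f.filter_id == filter_id:
                f.rpoc = peering_point_id


def source_decision(pnet: PeerNet, src: str) -> str:
    """What the documented rules do with a packet whose source is src."""
    ip = ipaddress.ip_address(src)
    if any(ip in addrs for addrs in pnet.rpocs.values()):
        return "accept: peering point"
    # Only filters bound to an existing rpoc take part; 'in' is False across IP versions.
    matching = [f for f in pnet.filters if f.rpoc in pnet.rpocs and ip in f.subnet]
    if any(f.action == "deny" for f in matching):
        return "deny: filter"             # deny always wins over accept
    if any(f.action == "accept" for f in matching):
        return "accept: filter"
    return "drop: unknown source"         # the SIP firewall default


def provisioning_conflicts(pnet: PeerNet) -> List[str]:
    """Overlaps this guide forbids inside one Peer Network: duplicate rpoc
    addresses, and an rpoc address that falls inside an IP filter subnet."""
    problems: List[str] = []
    owner: Dict[IPAddr, int] = {}
    for pp, addrs in pnet.rpocs.items():
        for a in addrs:
            if a in owner and owner[a] != pp:
                problems.append(f"rpoc {pp} and rpoc {owner[a]} share {a}")
            owner[a] = pp
            for f in pnet.filters:
                if a in f.subnet:
                    problems.append(f"rpoc {pp} address {a} overlaps filter {f.filter_id} ({f.subnet})")
    return problems


def build_sample() -> PeerNet:
    """Constructed Peer Network 5: one dual-stack rpoc, four filters."""
    pnet = PeerNet(5)
    pnet.rpoc_ip(1, "172.20.6.1")
    pnet.rpoc_ip(1, "2001:5::172:20:6:1")
    pnet.filter_ip(1, "172.20.5.0/24", "accept")
    pnet.filter_ip(2, "172.20.5.128/25", "deny")          # carved out of filter 1
    pnet.filter_ip(3, "2001:5::172:20:5:36/128", "accept")
    pnet.filter_ip(4, "10.9.0.0/16", "accept")            # never bound to an rpoc
    for fid in (1, 2, 3):
        pnet.filter_rpoc(fid, 1)
    return pnet


if __name__ == "__main__":
    sample = build_sample()
    for src in ("172.20.6.1", "172.20.5.10", "172.20.5.200", "10.9.1.1", "2001:5::172:20:5:36"):
        print(f"{src:>22} -> {source_decision(sample, src)}")
    print(provisioning_conflicts(sample))
```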

peer-net netid no filter


Purpose
The purpose of that command is to remove the association between a Peer-Network
and an IP filter previously defined.

Command
peer-net netid no filter filter_id
Arguments
netid
This is the identifier of the Peer network.
filter_id
This is the identifier of the IP Filter to be removed from the Peer-Network.

Example
-> peer-net 5 no filter 1

peer-net netid rpoc peering_point_id ip


Purpose
The purpose of that command is to define the IP address of a host that is in the scope
of the remote Peer Network.

Command
peer-net netid rpoc peering_point_id ip ip_address [udp[ port] | tcp[ port] | sctp[ port] | tls[ port]]
peer-net netid rpoc peering_point_id {udp[ port] | tcp[ port] | sctp[ port] | tls[ port]}

Arguments
netid
This is the identifier of the Peer network.
peering_point_id
The number of peering points per Peer Network differs according to the Peer
Network identifier:
o when the netid is in the range [1..500], up to 63 peering points may be
  defined per Peer Network.
o when the netid is in the range [501..2047], only 2 peering points can be
  defined per Peer Network.
The same peering_point_id value can be used for different Peer Networks. The
uniqueness of the peering point is guaranteed by the combination of the local
peering_point_id and the reference of the Peer Network (netid).
ip_address
Defines the IPv4 or IPv6 address of the peering point.
A peering point can be dual-stack IPv4/IPv6. In that case the CLI must be run
twice, once to specify the IPv4 address, once to specify the IPv6 address.

port

Optionally the listening port and transport mode of the peering point can be
specified. If this option is not specified, the port 5060 and UDP transport are
configured by default.
It is still possible to modify the listening ports with the following command:
peer-net netid rpoc peering_point_id {udp[ port] | tcp[ port] | sctp[ port] | tls[ port]}
If the transport mode is specified but the port value is omitted then the port
will be assigned automatically. It will be set to 5060 if there is no other
transport mode configured, or it will be set automatically to the same value
as the one set for the other transport modes already configured.
A modification of the port value, whatever the transport mode, affects the port
value for all transport modes. This means that all listening port values are
equal for a peering point.

Example
-> peer-net 1 rpoc 1 ip 150.0.40.1
Configures the IPv4 address of the peering point and implicitly the udp port 5060.
-> peer-net 1 rpoc 1 ip 2001:40::150:0:40:1
Configures the IPv6 address of the peering point.
-> peer-net 1 rpoc 1 tcp
Configures the tcp port with the port value equal to the udp port value.
-> peer-net 1 rpoc 1 udp 50001
Modifies the udp port value. As a consequence the other transport modes already
configured are also implicitly configured with the same port value.
-> peer-net 1 rpoc 2 ip 150.0.40.2 udp 5061
Configures the IP address and UDP listening port of a peering-point in a single command.

Additional information:
The peering_point_id and the netid are computed as follows to get the
listening port on the lpoc trusted:

When the netid is in the range [1..500]:
Listening IP port on lpoc trusted = 10000 + (netid * 100) + peering_point_id

When the netid is in the range [501..2047]:
Listening IP port on lpoc trusted = ((netid - 501) * 3) + 10 + peering_point_id

The following network diagram shows an example with 2 Peer Networks where each
of them owns two Peering Points (POC).

The following table is an example of the routing table used by the SIP firewall when it
has to route an initial SIP Request initiated by the trusted IBCF to find out the remote
POC.

Trusted                | Untrusted: Peer Network and Peering Point (rpoc) provisioning
Listening port on      | netid | peering_point_id | ip_address     | udp  | tcp  | tls | sctp
lpoc trusted           |       |                  |                |      |      |     |
-----------------------+-------+------------------+----------------+------+------+-----+-----
10101                  | 1     | 1                | 10.0.10.1      | 5060 | 5060 |     |
                       |       |                  | 2001:31::10:1  |      |      |     |
10102                  | 1     | 2                | 10.0.10.2      | 5060 | 5060 |     |
                       |       |                  | 2001:31::10:2  |      |      |     |
10201                  | 2     | 1                | 20.0.10.1      | 8080 | 8080 |     |
                       |       |                  | 2001:42::20:1  |      |      |     |
10202                  | 2     | 2                | 20.0.10.2      | 8080 | 8080 |     |
                       |       |                  | 2001:42::20:2  |      |      |     |

The associated CLI commands are:
-> peer-net 1 rpoc 1 ip 10.0.10.1 udp 5060
-> peer-net 1 rpoc 1 ip 2001:31::10:1
-> peer-net 1 rpoc 1 tcp
-> peer-net 1 rpoc 2 ip 10.0.10.2 udp 5060
-> peer-net 1 rpoc 2 ip 2001:31::10:2
-> peer-net 1 rpoc 2 tcp

-> peer-net 2 rpoc 1 ip 20.0.10.1 udp 8080
-> peer-net 2 rpoc 1 tcp
-> peer-net 2 rpoc 1 ip 2001:42::20:1
-> peer-net 2 rpoc 2 ip 20.0.10.2 udp 8080
-> peer-net 2 rpoc 2 ip 2001:42::20:2
-> peer-net 2 rpoc 2 tcp
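The two port formulas above, applied to the Peer Networks of this routing table, as an added Python example that is not part of the Alcatel-Lucent guide. The function names and the RemotePoc record are the example's own; the collision check in build_routing_table shows a consequence of the [501..2047] formula as printed, namely that two different (netid, peering_point_id) pairs can map to the same trusted port.

```python
# Added example, not code from the Alcatel-Lucent guide. Implements the two
# trusted-side listening port formulas of the "Additional information"
# paragraph and builds the routing table the SIP firewall consults when an
# initial request from the trusted IBCF must be routed to a remote POC.
from dataclasses import dataclass

NETID_MIN, NETID_LOW_MAX, NETID_MAX = 1, 500, 2047


def trusted_listening_port(netid: int, peering_point_id: int) -> int:
    """Trusted lpoc listening port for one rpoc, exactly as the guide states:
    netid in [1..500]    -> 10000 + (netid * 100) + peering_point_id
    netid in [501..2047] -> ((netid - 501) * 3) + 10 + peering_point_id
    """
    if not NETID_MIN <= netid <= NETID_MAX:
        raise ValueError(f"netid {netid} outside [{NETID_MIN}..{NETID_MAX}]")
    if peering_point_id < 1:
        raise ValueError("peering_point_id must be >= 1")
    if netid <= NETID_LOW_MAX:
        return 10000 + (netid * 100) + peering_point_id
    return ((netid - 501) * 3) + 10 + peering_point_id


@dataclass(frozen=True)
class RemotePoc:
    """One provisioned rpoc (example record, not an SFW data structure)."""
    netid: int
    peering_point_id: int
    ip_address: str
    port: int  # listening port, shared by every configured transport mode


def build_routing_table(pocs):
    """Map each trusted listening port to the remote POC it routes to.

    Raises ValueError if two POCs would claim the same trusted port: with
    the [501..2047] formula, (501, 4) and (502, 1) both give port 14, so a
    provisioning tool should reject such a pair instead of silently
    overwriting the route.
    """
    table = {}
    for poc in pocs:
        port = trusted_listening_port(poc.netid, poc.peering_point_id)
        if port in table and table[port] != poc:
            raise ValueError(f"trusted port {port} claimed by both "
                             f"{table[port]} and {poc}")
        table[port] = poc
    return table


# Constructed sample: the two Peer Networks of the routing table above
# (IPv4 addresses only).
SAMPLE_POCS = [
    RemotePoc(1, 1, "10.0.10.1", 5060),
    RemotePoc(1, 2, "10.0.10.2", 5060),
    RemotePoc(2, 1, "20.0.10.1", 8080),
    RemotePoc(2, 2, "20.0.10.2", 8080),
]

if __name__ == "__main__":
    for port, poc in sorted(build_routing_table(SAMPLE_POCS).items()):
        print(f"trusted port {port} -> netid {poc.netid} rpoc "
              f"{poc.peering_point_id} {poc.ip_address}:{poc.port}")
```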

peer-net netid rpoc peering_point_id no ipv4

Purpose
The purpose of that command is to delete the IPv4 address of a peering point within a
Peer-Network.
Command
peer-net netid rpoc peering_point_id no ipv4
Arguments
netid
This is the identifier of the Peer network.
peering_point_id
This is the identifier of the peering point within the Peer-Network.
Example
-> peer-net 20 rpoc 15 no ipv4

peer-net netid rpoc peering_point_id no ipv6


Purpose
The purpose of that command is to delete the IPv6 address of a peering point within a
Peer-Network.
Command
peer-net netid rpoc peering_point_id no ipv6

Example
-> peer-net 20 rpoc 15 no ipv6

peer-net netid rpoc peering_point_id no {udp | tcp | sctp | tls}

Purpose
The purpose of that command is to disable a transport mode from a peering point.

Command
peer-net netid rpoc peering_point_id no {udp | tcp | sctp | tls}
Arguments
netid
This is the identifier of the Peer network.
peering_point_id
This is the identifier of the Peering Point within the Peer Network.

Example
-> peer-net 1 rpoc 2 ip 150.0.40.2 tcp 5060
Configures the tcp port value to 5060 and also implicitly the udp port value to
5060.
-> peer-net 1 rpoc 2 no udp
Disables the udp transport mode for the peering point 2 of the Peer Network 1.

peer-net netid rpoc peering_point_id name fqdn

Purpose
The purpose of that command is to specify an FQDN for a peering point. This allows,
in association with the IP address of the peering-point, resolving the FQDNs that
may appear in the Via, Request-URI or Route headers of outgoing SIP messages.
This attribute appears to have the same purpose as the previously configured
dns-internal. However, in the case of far-end NAT traversal, dns-internal was not
appropriate for the FQDN resolution of outgoing SIP messages, hence the
introduction of this new attribute.

Command
peer-net netid rpoc peering_point_id name fqdn
Arguments
netid
This is the identifier of the Peer network.
peering_point_id
This is the identifier of the Peering Point within the Peer Network.
fqdn
This is the fully qualified domain name of the peering point.

Example
-> peer-net 3 rpoc 1 name 39.atlanta.example.com

peer-net netid rpoc peering_point_id no name

Purpose
The purpose of that command is to remove the FQDN associated with a peering-point.

Command
peer-net netid rpoc peering_point_id no name
Arguments
netid
This is the identifier of the Peer network.
peering_point_id
This is the identifier of the Peering Point within the Peer Network.

Example
-> peer-net 3 rpoc 1 no name

peer-net netid rpoc peering_point_id nat

Purpose
When a peering-point is located behind a box providing NAT (Network Address
Translation) and PAT (Port Address Translation), the following points need to be
taken into account for the configuration of the peering-point:
1. The public IP address of the peering-point must be defined with the CLI
command peer-net netid rpoc peering_point_id nat ip_address/mask_length.
2. The private IP address of the peering-point, behind the NAT, must be defined
with the command peer-net netid rpoc peering_point_id ip ip_address.
3. The ports and protocols supported by the peering-point, behind the NAT, must
be defined with the command peer-net netid rpoc peering_point_id {udp|tcp|tls}
port.
4. Depending on the configuration of the NAT/PAT box, a port-forwarding may be
defined. The port-forwarding configuration is required to be able to send SFW
outgoing IP frames toward a natted peering-point when no IP frame has yet been
received from the peering-point. When an incoming SIP frame is received from a
natted peering-point, the SIP firewall is able to learn the PAT and will send
SIP frames back to the peering-point with the configured NAT address and the
learned IP port. However, for an initial outgoing SIP request the PAT is not
yet learned, which is why the port-forwarding configuration is useful.
5. Optionally, the FQDN of the peering-point can be configured with the command
peer-net netid rpoc peering_point_id name fqdn.
6. Remark: The SIP firewall is able to detect that the peering-point is behind
a NAT (far-end NAT traversal). When a SIP message is received from a NAT IP
address, the private IP address inserted by the peering-point in the SIP Via
header is compared with the IP address configured by the command peer-net
netid rpoc peering_point_id ip ip_address. This means that the ALG
(Application Layer Gateway) that may exist in the NAT box needs to be
deactivated if the SIP firewall NAT detection capability is configured.

Command
peer-net netid rpoc peering_point_id nat ip_address/mask_length

Arguments
netid
This is the identifier of the Peer network.
peering_point_id
This is the identifier of the Peering Point within the Peer Network.
ip_address/mask_length
This is the public IP address of the peering_point. A subnet can be specified if
the NAT box distributes IP addresses from a subnet IP pool. Note that if a
subnet is defined the port-forwarding configuration won't be accepted. As a
consequence, with a NAT configured as a subnet it is not possible to send an
outgoing IP packet from the SIP firewall to the NAT box until an incoming IP
packet has been received from the NAT box to learn the PAT.
The IP address defined here can be an IPv4 or IPv6 address. The mask length
must be consistent with the type of IP address.

Example
-> peer-net 3 rpoc 3 nat 1.2.3.5/32
-> peer-net 3 rpoc 3 port-forwarding 3333
-> peer-net 3 rpoc 3 ip 172.18.3.10
-> peer-net 3 rpoc 3 tcp 50003
-> peer-net 3 rpoc 3 udp 5000
-> peer-net 3 rpoc 3 name 310.atlanta.example.com

peer-net netid rpoc peering_point_id port-forwarding

Purpose
The purpose of that command is to specify the port mapping expected by the NAT
box, also called port-forwarding, which allows IP packets sent to the public IP
address and port-forwarding port of the natted peering-point to be forwarded to the
private IP address and listening port of the peering-point behind the NAT/PAT.
See also the description of the command peer-net netid rpoc peering_point_id nat
ip_address/mask_length for complementary information.

Command
peer-net netid rpoc peering_point_id port-forwarding port
Arguments
netid
This is the identifier of the Peer network.
peering_point_id
This is the identifier of the Peering Point within the Peer Network.
port
This is the port forwarding defined on the NAT box of the peering-point.
Note that if the NAT IP address is defined as a subnet with the command
peer-net netid rpoc peering_point_id nat ip_address/mask_length then
the port-forwarding cannot be configured.

Example
-> peer-net 3 rpoc 3 nat 1.2.3.5/32
-> peer-net 3 rpoc 3 port-forwarding 3333
-> peer-net 3 rpoc 3 ip 172.18.3.10
-> peer-net 3 rpoc 3 tcp 50003
-> peer-net 3 rpoc 3 udp 5000
-> peer-net 3 rpoc 3 name 310.atlanta.example.com
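The provisioning rules stated in this chapter for a peering point (one listening port shared by all transport modes with 5060 as the implicit default, a NAT address that is either a host or a subnet, and port-forwarding refused for a NAT subnet), as an added Python model that is not code from the Alcatel-Lucent guide. Class and method names are the example's own, and provision_example replays the peer-net 3 rpoc 3 command sequence shown above.

```python
# Added example, not code from the Alcatel-Lucent guide: a model of one rpoc
# and the consistency rules the chapter states for it. Names are the
# example's own, not SFW CLI keywords.
import ipaddress
from typing import Dict, Optional

TRANSPORTS = ("udp", "tcp", "sctp", "tls")
DEFAULT_PORT = 5060


class PeeringPoint:
    def __init__(self, netid: int, peering_point_id: int):
        self.netid = netid
        self.peering_point_id = peering_point_id
        self.ipv4: Optional[ipaddress.IPv4Address] = None
        self.ipv6: Optional[ipaddress.IPv6Address] = None
        self.transports: Dict[str, int] = {}  # mode -> port, always all equal
        self.nat = None                        # public NAT host or subnet
        self.port_forwarding: Optional[int] = None
        self.name: Optional[str] = None

    def set_ip(self, address: str) -> None:
        """'rpoc N ip address': the address family selects IPv4 or IPv6.
        The first ip command implicitly enables udp on port 5060."""
        addr = ipaddress.ip_address(address)
        if addr.version == 4:
            self.ipv4 = addr
        else:
            self.ipv6 = addr
        if not self.transports:
            self.transports["udp"] = DEFAULT_PORT

    def set_transport(self, mode: str, port: Optional[int] = None) -> None:
        """'rpoc N {udp|tcp|sctp|tls} [port]': an omitted port copies the one
        already used by the other modes (5060 if none); an explicit port is
        applied to every configured mode, so all listening ports stay equal."""
        if mode not in TRANSPORTS:
            raise ValueError(f"unknown transport mode {mode!r}")
        if port is None:
            port = next(iter(self.transports.values()), DEFAULT_PORT)
        elif not 1 <= port <= 65535:
            raise ValueError(f"port {port} out of range")
        self.transports[mode] = port
        for other in self.transports:
            self.transports[other] = port

    def disable_transport(self, mode: str) -> None:
        """'rpoc N no {udp|tcp|sctp|tls}'."""
        self.transports.pop(mode, None)

    def set_nat(self, prefix: str) -> None:
        """'rpoc N nat ip_address/mask_length': /32 or /128 is one public
        address; a shorter mask means the NAT box draws from a subnet pool."""
        self.nat = ipaddress.ip_network(prefix, strict=False)

    @property
    def nat_is_subnet(self) -> bool:
        return self.nat is not None and self.nat.num_addresses > 1

    def set_port_forwarding(self, port: int) -> None:
        """'rpoc N port-forwarding port': refused when the NAT address is a
        subnet, since there is then no fixed public address to forward to
        before the PAT has been learned from incoming traffic."""
        if self.nat_is_subnet:
            raise ValueError(f"NAT {self.nat} is a subnet; port-forwarding "
                             "is not accepted")
        self.port_forwarding = port

    def can_initiate_outgoing(self) -> bool:
        """True if the SFW can send an initial outgoing request to this rpoc
        before any packet has been received from it: no NAT at all, or a
        NAT host address combined with a port-forwarding entry."""
        return self.nat is None or self.port_forwarding is not None


def provision_example() -> PeeringPoint:
    """Replays the 'peer-net 3 rpoc 3' command sequence shown above."""
    poc = PeeringPoint(3, 3)
    poc.set_nat("1.2.3.5/32")
    poc.set_port_forwarding(3333)
    poc.set_ip("172.18.3.10")        # implicitly udp 5060
    poc.set_transport("tcp", 50003)  # udp follows: both 50003
    poc.set_transport("udp", 5000)   # both become 5000
    poc.name = "310.atlanta.example.com"
    return poc
```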

peer-net netid rpoc peering_point_id no port-forwarding

Purpose
The purpose of that command is to delete the port-forwarding configuration
previously defined for the natted peering-point.

Command
peer-net netid rpoc peering_point_id no port-forwarding
Arguments
netid
This is the identifier of the Peer network.
peering_point_id
This is the identifier of the Peering Point within the Peer Network.

Example
-> peer-net 3 rpoc 3 no port-forwarding

peer-net netid no rpoc peering_point_id

Purpose
The purpose of that command is to delete a peering point.

Command
peer-net netid no rpoc peering_point_id
Arguments
netid
This is the identifier of the Peer network.
peering_point_id
This is the identifier of the Peering Point within the Peer Network.

Example
-> peer-net 1 no rpoc 2
Deletes the Peering Point 2 of the Peer Network 1.

peer-net netid lpoc untrusted_lpoc_id

Purpose
The purpose of that command is to associate an Untrusted Local Point of Contact
(lpoc) with a Peer Network.

Command
peer-net netid lpoc untrusted_lpoc_id
Arguments
netid
This is the identifier of the Peer network.
untrusted_lpoc_id
This is the identifier of the Untrusted LPOC that has been previously created
via the command lpoc untrusted poc_id.

Example
-> peer-net 1 lpoc 1
Associates the Untrusted LPOC 1 with the Peer Network 1.

peer-net netid no lpoc untrusted_lpoc_id

Purpose
The purpose of that command is to remove the association between an Untrusted
Local Point of Contact (lpoc) and a Peer Network.

Command
peer-net netid no lpoc untrusted_lpoc_id
Arguments
netid
This is the identifier of the Peer network.
untrusted_lpoc_id
This is the identifier of the Untrusted LPOC that has been previously
associated with the Peer Network.

Example
-> peer-net 1 no lpoc 1
Removes the association between the Untrusted LPOC 1 and the Peer
Network 1.

peer-net netid security-profile security_profile_id

Purpose
The purpose of that command is to associate a Peer Network with a Security Profile.

Command
peer-net netid security-profile security_profile_id

Arguments
netid
This is the identifier of the Peer network.
security_profile_id
This is the identifier of the Security Profile that has been previously created
with the command security-profile security_profile_id.

Example
-> peer-net 1 security-profile 20
Creates an association between the Peer Network 1 and the Security Profile 20.

peer-net netid load-balancing-group group_id

Purpose
The purpose of that command is to associate a Load-Balancing-Group with a Peer
Network.

Command
peer-net netid load-balancing-group group_id

Arguments
netid
This is the identifier of the Peer network.
group_id
This is the identifier of the Load-Balancing-Group that has been previously
created with the command load-balancing-group group_id.

Example
-> peer-net 1 load-balancing-group 2
Creates an association between the Peer Network 1 and the Load-Balancing-Group 2.

peer-net netid vlan vid

Purpose
The purpose of that command is to associate a Vlan with a Peer Network.

Command
peer-net netid vlan vid

Arguments
netid
This is the identifier of the Peer network.
vid
This is the identifier of the Vlan that has been previously created with the
command vlan vid.

Example
-> peer-net 1 vlan 11
Creates an association between the Peer Network 1 and the Vlan 11.

peer-net netid no vlan

Purpose
The purpose of that command is to remove the association between a Vlan and a Peer
Network.

Command
peer-net netid no vlan
Arguments
netid
This is the identifier of the Peer Network.

Example
-> peer-net 12 no vlan

peer-net netid max call duration call_duration

Purpose
The purpose of that command is to set or modify the maximum call duration in hours.
Beyond that delay, any SIP request/dialog cannot be trusted as belonging to an
existing SIP dialog.
The call duration is measured from the time the dialog was opened.

Command
peer-net netid max call duration call_duration

Arguments
netid
This is the identifier of the Peer network.
call_duration
The maximum call duration is set in hours. The default value is 168 hours.

Example
-> peer-net 20 max call duration 24

peer-net netid polling ping {enable | disable}

Purpose
The purpose of that command is to enable or disable the Ping polling mechanism
between the LPOCs and RPOCs of a Peer-Network. This Ping polling mechanism
allows checking the IP connectivity with the peering points on the untrusted side of
the firewall. The status of the peer-point connectivity can be retrieved via the CLI
command show peer-net connectivity.
By default the Ping polling is enabled.
By default a Ping request is issued every 4 seconds. ICMP requests are sent for both
IPv4 and IPv6 protocols according to the RPOC/LPOC configuration.
The Ping polling period can be modified via the CLI command peer-net netid
polling ping period interval.

Command
peer-net netid polling ping {enable | disable}

Arguments
netid
This is the identifier of the Peer network.

Example
-> peer-net 20 polling ping enable
-> peer-net 11 polling ping disable

peer-net netid polling ping period interval

Purpose
The purpose of that command is to modify the period of the Ping polling occurring
between the LPOCs and RPOCs of a Peer-Network. This Ping polling mechanism
allows checking the IP connectivity with the peering points on the untrusted side of
the firewall. The status of the peer-point connectivity can be retrieved via the CLI
command show peer-net connectivity.
By default a Ping request is issued every 4 seconds. ICMP requests are sent for both
IPv4 and IPv6 protocols according to the RPOC/LPOC configuration.

Command
peer-net netid polling ping period interval

Arguments
netid
This is the identifier of the Peer network.
interval
The Ping polling period interval is set in seconds. The default value is 4.

Example
-> peer-net 20 polling ping period 60

peer-net netid dscp dscp_value

Purpose
The purpose of that command is to configure, on a per peer-network basis, the DSCP
value (Differentiated Services Code Point or DiffServ) that is encoded in the DSCP
field of the IP headers for outgoing SIP messages sent by the firewall on the Untrusted
side.

Command
peer-net netid dscp dscp_value

Arguments
netid
This is the identifier of the Peer network.
dscp_value
The dscp_value ranges from 0 to 63.
The value specified here is encoded in the DSCP field of the IP headers for
outgoing SIP messages sent by the firewall on the Untrusted side.

Example
-> peer-net 2 dscp 14
-> peer-net 3 dscp 38

peer-net netid dscp default

Purpose
The purpose of that command is to specify that the SFW default DSCP value is used
to encode the DSCP field (Differentiated Services Code Point or DiffServ) of the IP
headers for outgoing SIP messages sent on the Untrusted side.
The default DSCP value can be configured via the CLI command dscp default
default_dscp. This value applies for all peer-networks unless a specific DSCP value
has been configured for a given peer-network via the command peer-net netid dscp
dscp_value.

Command
peer-net netid dscp default

Arguments
netid
This is the identifier of the Peer network.
default
The default DSCP value can be changed with the CLI command dscp default
default_dscp.

Example
-> peer-net 2 dscp default

dscp default default_dscp

Purpose
This command allows the operator to configure the SFW Default DSCP value that is
encoded in the DSCP field (Differentiated Services Code Point or DiffServ) of the IP
headers for outgoing SIP messages sent on the Untrusted side.
This command has an impact for all peer-networks unless a specific DSCP value has
been configured for a given peer-network via the command peer-net netid dscp
dscp_value.

Command
dscp default default_dscp

Arguments
default_dscp
The default_dscp ranges from 0 to 63.
The value specified here is encoded in the DSCP field of the IP headers for
outgoing SIP messages sent by the firewall on the Untrusted side for the
peer-networks with no specific DSCP value configured.
The default value for default_dscp is zero.
The default_dscp value for the SFW can be retrieved via the command show
dscp default.

Example
-> dscp default 14

show dscp default

Purpose
This command returns the SFW default DSCP value.
The SFW Default DSCP value is encoded in the DSCP field (Differentiated Services
Code Point or DiffServ) of the IP headers for outgoing SIP messages sent on the
Untrusted side.
The SFW default DSCP value has an impact for all peer-networks unless a specific
DSCP value has been configured for a given peer-network via the command peer-net
netid dscp dscp_value.

Command
show dscp default

Example
-> show dscp default
DSCP default value

peer-net netid tls-profile tlsprofileid

Purpose
This command allows the operator to associate a TLS profile with a Peer Network.

In the SIP firewall a peer network entity may be associated with a particular VPN
through its VLAN id. A TLS profile may also be configured per peer network
entity: this makes it possible to apply a particular TLS configuration (that of
the TLS profile) per VPN. This TLS configuration is applied to all rpoc of the
related peer network entity.
Refer to the description of the CLI command
tls-profile tlsprofileid [local-cert certid] [no-ca-check|ca-check]
[renegotiation-period period_in_hours] [name description]
to see how a TLS profile is created and modified.

Command
peer-net netid tls-profile tlsprofileid

Arguments
netid
This is the identifier of the Peer network.

tlsprofileid
This is the identifier of the TLS profile.

Example
-> peer-net 4 tls-profile 2

peer-net netid no tls-profile

Purpose
This command allows the operator to remove the association between a TLS profile
and a Peer Network.

Command
peer-net netid no tls-profile

Arguments
netid
This is the identifier of the Peer network.

Example
-> peer-net 4 no tls-profile

no peer-net netid

Purpose
The purpose of that command is to delete a Peer Network.

Command
no peer-net netid
Arguments
netid
This is the identifier of the Peer network.

Example
-> no peer-net 20
Deletes the Peer Network 20.

show peer-net

Purpose
The purpose of that command is to display the configuration of the Peer Networks.

Command
show peer-net [netid]
Arguments
netid
This is the identifier of the Peer network.
If the netid is not specified, information is displayed for all Peer Networks.
If the netid is specified, complementary outputs are provided:
IP Filter associated with the Peer Network
Untrusted LPOC associated with the Peer Network
rpoc associated with the Peer Network

Output Definition
Lpoc
Identifies the list of untrusted lpoc associated with the Peer Network.
Sec Prof
Identifies the Security Profile associated with the Peer Network.
LBG
Identifies the Load Balancing Group associated with the Peer Network.
Vlan
Identifies the Vlan associated with the Peer Network.
Max call duration
Specifies the maximum call duration in hours. Beyond that delay, any SIP
request/dialog cannot be trusted as belonging to an existing SIP dialog. The
max call duration can be changed with the CLI command peer-net netid max call
duration call_duration.
The call duration is measured from the time the dialog was opened.
DSCP
Specifies the DSCP value configured for the Peer-Network.
Example
-> show peer-net
+-------+----------------+---------+------+-------+-----+------+----------+---------+-------+
! Netid ! Name           ! Status  ! Lpoc ! Sec.  ! LBG ! Vlan ! Max call ! DSCP    ! TLS   !
!       !                !         !      ! prof. !     !      ! duration !         ! prof. !
+-------+----------------+---------+------+-------+-----+------+----------+---------+-------+
! 2     ! Peer2-london   ! created ! 2    ! 2     ! 1   ! 2    ! 3600     ! default ! none  !
! 3     ! Peer3-Newyork  ! created ! 3    ! 2     ! 1   ! 3    ! 3600     ! default ! none  !
! 4     ! Peer4-Mexico   ! created ! 4    ! 2     ! 1   ! 4    ! 3600     ! default ! none  !
! 5     ! Peer5-Tokyo    ! created ! 5    ! 2     ! 4   ! 5    ! 3600     ! default ! none  !
+-------+----------------+---------+------+-------+-----+------+----------+---------+-------+

-> show peer-net 3
+-------+---------------+---------+------+-------+-----+------+----------+---------+-------+
! Netid ! Name          ! Status  ! Lpoc ! Sec.  ! LBG ! Vlan ! Max call ! DSCP    ! TLS   !
!       !               !         !      ! prof. !     !      ! duration !         ! prof. !
+-------+---------------+---------+------+-------+-----+------+----------+---------+-------+
! 3     ! Peer3-Newyork ! created ! 3    ! 2     ! 1   ! 3    ! 3600     ! default ! 2     !
+-------+---------------+---------+------+-------+-----+------+----------+---------+-------+
1 elements
+-----+------+------------------+--------------+-------+-------+-------+---------+-----------------------+
! Net ! rpoc ! NAT              ! IP Addresses ! Udp   ! Tcp   ! Tls   ! Listen. ! Name                  !
! id  ! id   !                  !              !       !       !       ! trusted !                       !
!     !      !                  !              !       !       !       ! port    !                       !
+-----+------+------------------+--------------+-------+-------+-------+---------+-----------------------+
! 3   ! 1    ! 1.2.3.4/32:50001 ! 172.18.3.9   ! n/s   ! n/s   ! 50001 ! 10301   ! 39.atlanta.example.co !
!     !      !                  !              !       !       !       !         ! m                     !
! 3   ! 2    ! 10.203.1.2/32    ! 192.168.1.6  ! 50002 ! 50002 ! n/s   ! 10302   !                       !
! 3   ! 3    ! 1.2.3.5/32:50003 ! 172.18.3.10  ! 50003 ! 50003 ! n/s   ! 10303   ! 310.atlanta.example.c !
!     !      !                  !              !       !       !       !         ! om                    !
+-----+------+------------------+--------------+-------+-------+-------+---------+-----------------------+
3 elements
+------+-----------+-------------------------------+------------+--------+------+------+------+------+
! Lpoc ! Side      ! Name                          ! IP Address ! Status ! Udp  ! Tcp  ! Sctp ! Tls  !
! id   !           !                               !            !        !      !      !      !      !
+------+-----------+-------------------------------+------------+--------+------+------+------+------+
! 3    ! untrusted ! mgc8.ims32.alcatel-lucent.com ! 160.0.3.5  ! up     ! 5060 ! 5060 ! n/s  ! 5061 !
+------+-----------+-------------------------------+------------+--------+------+------+------+------+
1 elements

Vlan id                      : 3
Name                         : UNTRUSTED_VLAN_3
Vlan status                  : up
Vlan side                    : untrusted
Vlan IP subnet               : 172.16.3.0/24
SFW router                   : 172.16.3.5
IP gateway                   : 172.16.3.254
configured v4&v6 MAC gateway : no V4 MAC / no V6 MAC
resolved v4&v6 MAC gateway   : 00:d0:95:ff:94:74 / no IP V6 gateway
RIP                          : disable
IP MTU                       : 1500

show peer-net netid lpoc

Purpose
The purpose of that command is to display the association between a Peer Network
and its LPOC on the untrusted interface of the firewall.

Command
show peer-net netid lpoc
Arguments
netid
This is the identifier of the Peer network.
Output Definition
Untrusted lpoc
Identifies the Untrusted LPOC associated with the Peer Network.
Example
-> show peer-net 4 lpoc

+-------+----------+----------------+
! Netid ! Name     ! Untrusted lpoc !
+-------+----------+----------------+
! 4     ! peerNet4 ! 4              !
! 4     ! peerNet4 ! 5              !
+-------+----------+----------------+

show peer-net [netid] filter

Purpose
The purpose of that command is to display the IP filters associated with the Peer
Networks.
See the command peer-net [netid] filter to get complementary information about
the IP filters.

Command
show peer-net [netid] filter
Arguments
netid
This is the identifier of the Peer network.
Example
-> show peer-net 5 filter
+-------+-----------+--------------------------+--------+
! Netid ! Filter Id ! IP Address               ! Action !
+-------+-----------+--------------------------+--------+
! 5     ! 1         ! 2001:5::172:20:5:36/128  ! accept !
! 5     ! 2         ! 172.20.5.35/32           ! accept !
+-------+-----------+--------------------------+--------+

show peer-net [netid] rpoc

Purpose
The purpose of that command is to display the Peering Points associated with the Peer
Networks and their configuration.
See the command peer-net netid rpoc peering_point_id ip to get complementary
information about the Peering Points.

Command
show peer-net [netid] rpoc
Arguments
netid
This is the identifier of the Peer network. If this parameter is omitted, the
output returns information for all Peer Networks.
Output Definition
Peer net
This is the identifier of the Peer network.
Poc id
Identifies the Peering Point within the Peer Network.
ip_address
Displays the IP address of the Peering Point.
Udp Tcp Sctp Tls
Displays listening port values of the Peering Point.
Listening trusted port
Displays the listening port value on the trusted interface of the firewall that
matches the remote Peering Point on the untrusted interface of the firewall.
Reread the paragraph describing the command peer-net netid rpoc
peering_point_id ip to understand the relationship between Peering Point
and listening port on the Trusted interface.

Example
-> show peer-net rpoc
+-------+------+----------------------------------------+-------+-------+------+-----+------------------------+
! Netid ! rpoc ! IP Address                             ! Udp   ! Tcp   ! Sctp ! Tls ! Listening trusted port !
+-------+------+----------------------------------------+-------+-------+------+-----+------------------------+
! 2     ! 1    ! 172.17.2.50                            ! 50001 ! n/s   ! n/s  ! n/s ! 10201                  !
!       !      ! 2001:2::172:17:2:50                    !       !       !      !     !                        !
! 3     ! 1    ! 172.18.3.9                             ! 50001 ! 50001 ! n/s  ! n/s ! 10301                  !
!       !      ! 2001:3::172:18:3:9                     !       !       !      !     !                        !
! 4     ! 1    ! 172.19.4.35                            ! 50001 ! n/s   ! n/s  ! n/s ! 10401                  !
!       !      ! 2001:4::172:19:4:35                    !       !       !      !     !                        !
! 5     ! 1    ! 172.20.5.33                            ! 50001 ! 50001 ! n/s  ! n/s ! 10501                  !
!       !      ! 2001:5::172:20:5:33                    !       !       !      !     !                        !
! 5     ! 2    ! 172.20.5.34                            ! 50002 ! 50002 ! n/s  ! n/s ! 10502                  !
! 5     ! 3    ! 2001:5::172:20:5:35                    ! 50003 ! 50003 ! n/s  ! n/s ! 10503                  !
! 5     ! 7    ! 172.20.5.37                            ! 5060  ! n/s   ! n/s  ! n/s ! 10507                  !
!       !      ! 2001:5::172:20:5:37                    !       !       !      !     !                        !
! 20    ! 15   ! 172.23.8.9                             ! 50001 ! 50001 ! n/s  ! n/s ! 12015                  !
!       !      ! 2001:8::172:23:8:9                     !       !       !      !     !                        !
! 5060
+-------+------+----------------------------------------+-------+-------+------+-----+------------------------+

show peer-net connectivity

Purpose

The purpose of that command is to check, on the untrusted side, the IP
connectivity between the untrusted LPOC and the remote POCs (peering
points of the Peer-Network).
The IP connectivity is checked by periodically issuing ICMP requests from the
LPOC to the RPOCs associated within the Peer-Network. By default a Ping
request is issued every 4 seconds. ICMP requests are sent for both IPv4 and
IPv6 protocols according to the RPOC/LPOC configuration.
The Ping polling can be enabled or disabled via the CLI command peer-net
netid polling ping {enable | disable}. By default the Ping is enabled.
The Ping polling period can be modified via the CLI command peer-net
netid polling ping period interval.

Command
show peer-net [netid] connectivity
Arguments
netid
This is the identifier of the Peer network. If this parameter is omitted, the
output returns information for all Peer Networks.
Example
-> show peer-net connectivity
+-------+------+------+--------+--------+---------+---------+---------+---------+----------------+
! Netid ! rpoc ! lpoc ! period ! PING   ! SIP     ! SIP v4  ! PING v4 ! SIP v6  ! PING v6        !
+-------+------+------+--------+--------+---------+---------+---------+---------+----------------+
! 2     ! 1    ! 2    ! 4      ! enable ! disable ! Unknown ! PING UP ! Unknown ! NO VLAN SUBNET !
! 4     ! 1    ! 4    ! 4      ! enable ! disable ! Unknown ! PING UP ! Unknown ! PING UP        !
! 5     ! 2    ! 5    ! 4      ! enable ! disable ! Unknown ! PING UP ! Unknown ! V4 ONLY        !
! 5     ! 3    ! 5    ! 4      ! enable ! disable ! Unknown ! V6 ONLY ! Unknown ! PING UP        !
! 9     ! 1    ! 9    ! 4      ! enable ! disable ! Unknown ! NO RESP ! Unknown ! NO MAC         !
! 10    ! 1    ! 10   ! 4      ! enable ! disable ! Unknown ! PING UP ! Unknown ! PING UP        !
! 20    ! 15   ! 8    ! 10     ! enable ! disable ! Unknown ! PING UP ! Unknown ! PING UP        !
+-------+------+------+--------+--------+---------+---------+---------+---------+----------------+


Output Definition
SIP v4 and SIP v6
    The SIP v4 and SIP v6 columns are meaningless in the current SFW release. In a future release an optional SIP OPTIONS polling mechanism will check the status of the SIP processes, in the same way as is already available on the trusted side between the LPOC and the RPOC (IBCFs, CCSs).

PING v4 and PING v6
    The PING v4 status reflects the IPv4 connectivity between the LPOC and the RPOC of a Peer-Network. The PING v6 status reflects the IPv6 connectivity between the LPOC and the RPOC of a Peer-Network. The possible values fall into three groups.

    Connectivity is up:

    PING UP means that the RPOC successfully responds to the ICMP requests sent by the SIP Firewall.

    The configuration is consistent, but the RPOC is not currently reachable:

    NO MAC means that the configuration is consistent but the RPOC destination MAC address has not yet been resolved.
    NO RESP means that the configuration is consistent and the MAC address of the RPOC is known, but the SFW gets no response to its ping requests.
    TRUNK DOWN means that the configuration is consistent but the untrusted trunk is down.

    The configuration is not consistent (the ping cannot succeed until it is corrected):

    NO LPOC means that there is no LPOC associated with the Peer-Network, whereas at least one RPOC and one VLAN are associated with that Peer-Network.
    NO LPOC IP ADDR means that the LPOC associated with the Peer-Network has no IPv4 address whereas at least one IPv4 RPOC is associated with that Peer-Network, or that the LPOC has no IPv6 address whereas at least one IPv6 RPOC is associated with that Peer-Network.
    NO VLAN means that there is no VLAN associated with the Peer-Network.
    NO VLAN SUBNET means that there is no IPv4 subnet in the definition of the VLAN associated with the Peer-Network whereas at least one IPv4 RPOC is associated with that Peer-Network, or that there is no IPv6 subnet in the VLAN definition whereas at least one IPv6 RPOC is associated with that Peer-Network.
    NO ROUTER IP means that an IP router address is missing from the definition of the VLAN associated with the Peer-Network, so the LPOC is unreachable. A router is required in the VLAN definition as soon as the VLAN and the LPOC are not in the same subnet.
    ROUTER IP NOT IN SUBNET means that the router IP address in the definition of the VLAN associated with the Peer-Network is not in the VLAN subnet.
    NO DEFAULT GW means that an IP gateway address is missing from the definition of the VLAN associated with the Peer-Network, so the RPOC is unreachable. A gateway is required in the VLAN definition as soon as the VLAN and the RPOC are not in the same subnet.
    GATEWAY IP NOT IN SUBNET means that the gateway IP address in the definition of the VLAN associated with the Peer-Network is not in the VLAN subnet.

    Not applicable to this address family:

    V6 ONLY means that the configuration is consistent but the LPOC or the RPOC is IPv6 only, so the IPv4 ping cannot be performed.
    V4 ONLY means that the configuration is consistent but the LPOC or the RPOC is IPv4 only, so the IPv6 ping cannot be performed.
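The following script is an added example, not code from the 7510-SFW or from this guide. It parses the `show peer-net connectivity` table as it appears in the example above and sorts every polled RPOC into an action bucket (configuration to fix, path to investigate, or nothing to do) using the status vocabulary defined in this section. The column order and the `!`-delimited layout are assumed from the reference example; the bucket names are this example's own. The sample input is the reference example from this section.

```python
# Added example (not code from the 7510-SFW or this guide): parse the
# `show peer-net connectivity` table and sort every polled RPOC into an
# action bucket using the status vocabulary defined in this section.

# Statuses meaning the Peer-Network configuration itself is inconsistent:
# a ping cannot succeed until the configuration is corrected.
CONFIG_ERRORS = {
    "NO LPOC", "NO LPOC IP ADDR", "NO VLAN", "NO VLAN SUBNET",
    "NO ROUTER IP", "ROUTER IP NOT IN SUBNET", "NO DEFAULT GW",
    "GATEWAY IP NOT IN SUBNET",
}
# Configuration is consistent but the path is not working right now.
RUNTIME_ERRORS = {"NO MAC", "NO RESP", "TRUNK DOWN"}
# Not a fault: the address family is simply not configured on one end.
NOT_APPLICABLE = {"V4 ONLY", "V6 ONLY"}

# Column order of the table, left to right (assumed from the reference example).
COLUMNS = ("netid", "rpoc", "lpoc", "period", "ping", "sip",
           "sip_v4", "ping_v4", "sip_v6", "ping_v6")


def parse_connectivity(text):
    """Return one dict per data row; prompt, border and header rows are skipped."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("!"):
            continue                      # prompt line or +---+ border
        cells = [c.strip() for c in line.strip("!").split("!")]
        if cells[0].lower() == "netid":
            continue                      # header row
        if len(cells) != len(COLUMNS):
            raise ValueError("unexpected column count in: %r" % line)
        row = dict(zip(COLUMNS, cells))
        for key in ("netid", "rpoc", "lpoc", "period"):
            row[key] = int(row[key])
        rows.append(row)
    return rows


def classify(status):
    """Map one PING v4 / PING v6 cell to an action bucket."""
    if status == "PING UP":
        return "up"
    if status in CONFIG_ERRORS:
        return "config"
    if status in RUNTIME_ERRORS:
        return "runtime"
    if status in NOT_APPLICABLE:
        return "n/a"
    return "unknown"                      # value not in the documented vocabulary


def triage(text):
    """Return (netid, rpoc, family, status, bucket) for each RPOC needing attention."""
    findings = []
    for row in parse_connectivity(text):
        if row["ping"] != "enable":
            continue                      # polling disabled: status is not meaningful
        for column in ("ping_v4", "ping_v6"):
            bucket = classify(row[column])
            if bucket in ("config", "runtime", "unknown"):
                findings.append((row["netid"], row["rpoc"], column[-2:], row[column], bucket))
    return findings


# Sample input: the reference example of this section, reproduced verbatim.
SAMPLE = """\
-> show peer-net connectivity
+-------+------+------+--------+--------+---------+---------+---------+---------+----------------+
! Netid ! rpoc ! lpoc ! period ! PING   ! SIP     ! SIP v4  ! PING v4 ! SIP v6  ! PING v6        !
+-------+------+------+--------+--------+---------+---------+---------+---------+----------------+
! 2     ! 1    ! 2    ! 4      ! enable ! disable ! Unknown ! PING UP ! Unknown ! NO VLAN SUBNET !
! 4     ! 1    ! 4    ! 4      ! enable ! disable ! Unknown ! PING UP ! Unknown ! PING UP        !
! 5     ! 2    ! 5    ! 4      ! enable ! disable ! Unknown ! PING UP ! Unknown ! V4 ONLY        !
! 5     ! 3    ! 5    ! 4      ! enable ! disable ! Unknown ! V6 ONLY ! Unknown ! PING UP        !
! 9     ! 1    ! 9    ! 4      ! enable ! disable ! Unknown ! NO RESP ! Unknown ! NO MAC         !
! 10    ! 1    ! 10   ! 4      ! enable ! disable ! Unknown ! PING UP ! Unknown ! PING UP        !
! 20    ! 15   ! 8    ! 10     ! enable ! disable ! Unknown ! PING UP ! Unknown ! PING UP        !
+-------+------+------+--------+--------+---------+---------+---------+---------+----------------+
"""

if __name__ == "__main__":
    for netid, rpoc, family, status, bucket in triage(SAMPLE):
        print("netid %-3d rpoc %-3d %s %-16s -> %s" % (netid, rpoc, family, status, bucket))
```

On the reference example the script reports netid 2 / rpoc 1 (IPv6, NO VLAN SUBNET) as a configuration error and netid 9 / rpoc 1 (NO RESP on IPv4, NO MAC on IPv6) as a runtime problem; V4 ONLY and V6 ONLY are deliberately not reported, since they describe an address family that is not configured rather than a fault.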


show peer-net [netid] statistics [trusted | untrusted]


Purpose
The purpose of this command is to display the SFW SIP statistics sorted by Peer-Network identifier.
The statistics are split into two main categories:

Untrusted side statistics:
    SIP messages sent to a Peer-Network on the Untrusted interface of the firewall.
    SIP messages received from a Peer-Network on the Untrusted interface of the firewall.

Trusted side statistics:
    SIP messages on the Trusted interface of the firewall sent to the IBCF (RPOC of a Load-Balancing-Group) and coming from a Peer-Network (identified by the netid).
    SIP messages on the Trusted interface of the firewall received from the IBCF (RPOC of a Load-Balancing-Group) and to be sent to a Peer-Network.

Note that only non-zero values are displayed.

Command
show peer-net [netid] statistics [trusted | untrusted]
Arguments
netid
This is the identifier of the Peer-Network. If this parameter is omitted, the output returns information for all Peer-Networks.
trusted | untrusted
Optionally, display the statistics for only one side of the firewall.


Output Definition
Statistics are sorted by category. Level 1 provides the high-level counters. Level 2 breaks down the Level 1 counters into more detailed statistics. Level 3 breaks down the Level 2 statistics further. In the tables below, each counter is followed by the sides of the firewall on which it is valid (untrusted, trusted) and by its definition.

Counters

Level 1
This table contains the Level 1 statistics per Peer-Network.

frameTooSmall  [untrusted: yes, trusted: yes]
    Number of packets dropped because the UDP size is below the minimum acceptable size.
tokenizerMsgIn  [untrusted: yes, trusted: yes]
    Number of potential SIP messages provided to the SIP hardware-assist tokenizer.
tokenizerMsgErr  [untrusted: yes, trusted: yes]
    Number of potential SIP messages for which no SIP tokenizer resources were available.
tokenizerMsgOut  [untrusted: yes, trusted: yes]
    Number of potential SIP messages returned by the SIP tokenizer and provided to pass 1 of SIP parsing.
pass1MsgIn  [untrusted: yes, trusted: yes]
    Should be the same as tokenizerMsgOut.
pass1Drop  [untrusted: yes, trusted: yes]
    Number of SIP or non-SIP messages dropped during pass 1 processing.
pass1SipSuccess  [untrusted: yes, trusted: yes]
    Number of SIP messages that passed pass 1 successfully.
pass2SipIn  [untrusted: yes, trusted: yes]
    Should be the same as pass1SipSuccess.
pass2Drop  [untrusted: yes, trusted: yes]
    Number of SIP messages dropped during pass 2 processing.
pass2MethodRateIn  [untrusted: yes, trusted: no]
    Number of SIP messages submitted to the method rate limiter (initial requests only, or in-dialog transactions for which there was no ongoing dialog context).
pass2MethodRateDrop  [untrusted: yes, trusted: no]
    Number of SIP messages dropped because of an excessive rate.
pass2AdmCtlCall  [untrusted: yes, trusted: no]
    Number of SIP messages submitted to admission control for initial INVITE.
pass2AdmCtlCallDrop  [untrusted: yes, trusted: no]
    Number of calls rejected because the INVITE rate is greater than the rate available on the trusted side.
pass2AdmCtlOther  [untrusted: yes, trusted: no]
    Number of SIP messages submitted to admission control for non-INVITE requests, in-dialog transactions and responses.
pass2AdmCtlOtherDrop  [untrusted: yes, trusted: no]
    Number of non-INVITE messages rejected because the aggregate transaction/response rate is greater than the rate available on the trusted side.
regenerationIn  [untrusted: yes, trusted: yes]
    Number of SIP messages submitted for regeneration.
regenerationDrop  [untrusted: yes, trusted: yes]
    Number of SIP messages for which SIP regeneration failed.
leakyBucketIn  [untrusted: yes, trusted: no]
    Number of SIP messages submitted to the leaky buckets of the trusted side.
leakyBucketDrop  [untrusted: yes, trusted: no]
    Number of SIP messages rejected by the leaky bucket (typically because the bucket is full).
sendIn  [untrusted: yes, trusted: yes]
    Number of SIP messages submitted to the output (trusted or untrusted).
sendDrop  [untrusted: yes, trusted: yes]
    Number of SIP messages dropped in the output stage.
sendSuccess  [untrusted: yes, trusted: yes]
    Number of SIP messages successfully sent.


Level 2 : Pass 1 drop per reason
This table contains the Level 2 statistics for dropped messages. It provides details on the messages counted in pass1Drop of the Level 1 statistics.

pass1DropConfigMismatch  [untrusted: yes, trusted: yes]
    Number of SIP frames dropped due to a configuration mismatch.
pass1DropAdmControlReject  [untrusted: yes, trusted: no]
    Number of SIP messages dropped due to output overloading.
pass1DropInitialNoRpocUnt  [untrusted: yes, trusted: no]
    Number of initial SIP requests dropped because no RPOC is available within a load-balancing group.
pass1DropInitialNoTokenBucket  [untrusted: yes, trusted: no]
    Number of initial SIP requests dropped because no token bucket is configured for the method (configuration issue).
pass1DropFsmCheckOOSequence  [untrusted: yes, trusted: yes]
    Number of SIP messages detected in the "Out Of Sequence" state.
pass1DropFsmCheckRetryCounterExhausted  [untrusted: yes, trusted: yes]
    Number of SIP messages dropped because the maximum number of retries has been reached.
pass1DropInDialogOverRate  [untrusted: yes, trusted: no]
    Number of SIP in-dialog messages dropped because they exceed the configured rate.
pass1DropMalformed  [untrusted: yes, trusted: yes]
    Number of SIP messages dropped due to a malformed header: parsing error, mandatory header missing, etc.
pass1DropSuspicious  [untrusted: yes, trusted: yes]
    Number of SIP messages dropped due to a suspect format, e.g. oai missing or unknown.
pass1DropOutofResources  [untrusted: yes, trusted: yes]
    Number of SIP messages dropped for lack of resources.

Level 3 : Pass 1 drop suspicious
This table contains the Level 3 statistics for dropped messages. It provides details on the messages counted in pass1DropSuspicious of the Level 2 "Pass 1 drop per reason" statistics.

pass1DropSuspiciousInitialInvite  [untrusted: yes, trusted: yes]
    Number of SIP INVITE messages dropped due to a suspect format, e.g. oai missing or unknown.
pass1DropSuspiciousInitialNonInvite  [untrusted: yes, trusted: yes]
    Number of SIP non-INVITE messages dropped due to a suspect format, e.g. oai missing or unknown.
pass1DropSuspiciousSubsequentReq  [untrusted: yes, trusted: yes]
    Number of SIP subsequent requests dropped due to a suspect format, e.g. oai missing or unknown.
pass1DropSuspiciousResponse  [untrusted: yes, trusted: yes]
    Number of SIP responses dropped due to a suspect format, e.g. oai missing or unknown.
pass1DropSuspiciousBye  [untrusted: yes, trusted: yes]
    Number of SIP BYE messages dropped due to a suspect format, e.g. oai missing or unknown.
pass1DropSuspiciousCancel  [untrusted: yes, trusted: yes]
    Number of SIP CANCEL messages dropped due to a suspect format, e.g. oai missing or unknown.


Level 2 : Pass 1 success per SIP operation
This table contains Level 2 statistics. It provides details on the messages counted in pass1SipSuccess of the Level 1 statistics.

pass1SipSuccessInitialInvite  [untrusted: yes, trusted: yes]
    Number of initial INVITE requests that passed pass 1 successfully.
pass1SipSuccessInitialNonInvite  [untrusted: yes, trusted: yes]
    Number of initial non-INVITE requests (out of dialog) that passed pass 1 successfully.
pass1SipSuccessSubsequentReq  [untrusted: yes, trusted: yes]
    Number of subsequent transactions (in dialog) that passed pass 1 successfully.
pass1SipSuccessResponse  [untrusted: yes, trusted: yes]
    Number of responses (in and out of dialog) that passed pass 1 successfully.

Level 2 : Pass 2 drop per reason
This table contains Level 2 statistics for dropped messages. It provides details on the messages counted in pass2Drop of the Level 1 statistics.

pass2DropRateLimiting  [untrusted: yes, trusted: no]
    Number of out-of-dialog transactions dropped due to method rate limiting (all QoS levels and methods).
pass2DropMalformed  [untrusted: yes, trusted: yes]
    Number of SIP messages dropped due to a malformed header: parsing error, mandatory header missing, etc.
pass2DropConfigMismatch  [untrusted: yes, trusted: yes]
    Number of SIP frames dropped due to a configuration mismatch.
pass2DropSuspicious  [untrusted: yes, trusted: yes]
    Number of SIP messages dropped due to a suspect format, e.g. oai missing or unknown.
pass2DropAdmControlReject  [untrusted: yes, trusted: no]
    Number of SIP messages rejected by admission control (all QoS levels and message types).
pass2DropFsmCheckOOSequence  [untrusted: yes, trusted: yes]
    Number of SIP messages rejected because they are considered out of sequence.
pass2DropFsmCheckRetryCounterExhausted  [untrusted: yes, trusted: yes]
    Number of SIP messages dropped because the maximum number of retries has been reached.
pass2DropInDialogOutOfResources  [untrusted: yes, trusted: yes]
    Number of SIP in-dialog messages rejected because of a resource shortage.
pass2DropInDialogOverRate  [untrusted: yes, trusted: no]
    Number of SIP in-dialog messages rejected because they are considered over-rate.
pass2DropCheckHeaderRegeneration  [untrusted: yes, trusted: yes]
    Number of SIP messages dropped due to an error while parsing the headers that are changed by the firewall.

Level 3 : Pass 2 drop suspicious
This table contains the Level 3 statistics for dropped messages. It provides details on the messages counted in pass2DropSuspicious of the Level 2 "Pass 2 drop per reason" statistics.

pass2DropSuspiciousInitialInvite  [untrusted: yes, trusted: yes]
    Number of SIP INVITE messages dropped due to a suspect format, e.g. oai missing or unknown.
pass2DropSuspiciousInitialNonInvite  [untrusted: yes, trusted: yes]
    Number of SIP non-INVITE messages dropped due to a suspect format, e.g. oai missing or unknown.
pass2DropSuspiciousSubsequentReq  [untrusted: yes, trusted: yes]
    Number of SIP subsequent requests dropped due to a suspect format, e.g. oai missing or unknown.
pass2DropSuspiciousResponse  [untrusted: yes, trusted: yes]
    Number of SIP responses dropped due to a suspect format, e.g. oai missing or unknown.
pass2DropSuspiciousBye  [untrusted: yes, trusted: yes]
    Number of SIP BYE messages dropped due to a suspect format, e.g. oai missing or unknown.
pass2DropSuspiciousCancel  [untrusted: yes, trusted: yes]
    Number of SIP CANCEL messages dropped due to a suspect format, e.g. oai missing or unknown.


Level 2 : Pass 2 rate per SIP method
This table contains the Level 2 statistics for messages received and submitted to the rate limiter. It provides details on the messages counted in pass2MethodRateIn of the Level 1 statistics, per SIP method.

pass2MethodRateInAck  [untrusted: yes, trusted: no]
    Number of SIP ACK messages submitted to the method rate limiter.
pass2MethodRateInBye  [untrusted: yes, trusted: no]
    Number of SIP BYE messages submitted to the method rate limiter.
pass2MethodRateInCancel  [untrusted: yes, trusted: no]
    Number of SIP CANCEL messages submitted to the method rate limiter.
pass2MethodRateInInfo  [untrusted: yes, trusted: no]
    Number of SIP INFO messages submitted to the method rate limiter.
pass2MethodRateInInvite  [untrusted: yes, trusted: no]
    Number of SIP INVITE messages submitted to the method rate limiter.
pass2MethodRateInMessage  [untrusted: yes, trusted: no]
    Number of SIP MESSAGE messages submitted to the method rate limiter.
pass2MethodRateInNotify  [untrusted: yes, trusted: no]
    Number of SIP NOTIFY messages submitted to the method rate limiter.
pass2MethodRateInOptions  [untrusted: yes, trusted: no]
    Number of SIP OPTIONS messages submitted to the method rate limiter.
pass2MethodRateInPrack  [untrusted: yes, trusted: no]
    Number of SIP PRACK messages submitted to the method rate limiter.
pass2MethodRateInPublish  [untrusted: yes, trusted: no]
    Number of SIP PUBLISH messages submitted to the method rate limiter.
pass2MethodRateInRefer  [untrusted: yes, trusted: no]
    Number of SIP REFER messages submitted to the method rate limiter.
pass2MethodRateInRegister  [untrusted: yes, trusted: no]
    Number of SIP REGISTER messages submitted to the method rate limiter.
pass2MethodRateInSubscribe  [untrusted: yes, trusted: no]
    Number of SIP SUBSCRIBE messages submitted to the method rate limiter.
pass2MethodRateInUpdate  [untrusted: yes, trusted: no]
    Number of SIP UPDATE messages submitted to the method rate limiter.
pass2MethodRateInOther  [untrusted: yes, trusted: no]
    Number of SIP messages of any other method submitted to the method rate limiter.

Level 2 : Pass 2 rate per QoS
This table contains Level 2 statistics for messages received and submitted to the rate limiter. It provides details on the messages counted in pass2MethodRateIn of the Level 1 statistics, per QoS level.

pass2MethodRateInQos0  [untrusted: yes, trusted: no]
    Number of SIP messages submitted to the method rate limiter for QOS0.
pass2MethodRateInQos1  [untrusted: yes, trusted: no]
    Number of SIP messages submitted to the method rate limiter for QOS1.
pass2MethodRateInQos2  [untrusted: yes, trusted: no]
    Number of SIP messages submitted to the method rate limiter for QOS2.
pass2MethodRateInQos3  [untrusted: yes, trusted: no]
    Number of SIP messages submitted to the method rate limiter for QOS3.
pass2MethodRateInQos4  [untrusted: yes, trusted: no]
    Number of SIP messages submitted to the method rate limiter for QOS4.
pass2MethodRateInQos5  [untrusted: yes, trusted: no]
    Number of SIP messages submitted to the method rate limiter for QOS5.
pass2MethodRateInQos6  [untrusted: yes, trusted: no]
    Number of SIP messages submitted to the method rate limiter for QOS6.
pass2MethodRateInQos7  [untrusted: yes, trusted: no]
    Number of SIP messages submitted to the method rate limiter for QOS7.


Level 2 : Pass 2 rate drop per SIP method
This table contains the Level 2 statistics for messages received, submitted to the rate limiter and dropped. It provides details on the messages counted in pass2MethodRateDrop of the Level 1 statistics, per SIP method.

pass2MethodRateDropAck  [untrusted: yes, trusted: no]
    Number of SIP ACK messages dropped by the method rate limiter.
pass2MethodRateDropBye  [untrusted: yes, trusted: no]
    Number of SIP BYE messages dropped by the method rate limiter.
pass2MethodRateDropCancel  [untrusted: yes, trusted: no]
    Number of SIP CANCEL messages dropped by the method rate limiter.
pass2MethodRateDropInfo  [untrusted: yes, trusted: no]
    Number of SIP INFO messages dropped by the method rate limiter.
pass2MethodRateDropInvite  [untrusted: yes, trusted: no]
    Number of SIP INVITE messages dropped by the method rate limiter.
pass2MethodRateDropMessage  [untrusted: yes, trusted: no]
    Number of SIP MESSAGE messages dropped by the method rate limiter.
pass2MethodRateDropNotify  [untrusted: yes, trusted: no]
    Number of SIP NOTIFY messages dropped by the method rate limiter.
pass2MethodRateDropOptions  [untrusted: yes, trusted: no]
    Number of SIP OPTIONS messages dropped by the method rate limiter.
pass2MethodRateDropPrack  [untrusted: yes, trusted: no]
    Number of SIP PRACK messages dropped by the method rate limiter.
pass2MethodRateDropPublish  [untrusted: yes, trusted: no]
    Number of SIP PUBLISH messages dropped by the method rate limiter.
pass2MethodRateDropRefer  [untrusted: yes, trusted: no]
    Number of SIP REFER messages dropped by the method rate limiter.
pass2MethodRateDropRegister  [untrusted: yes, trusted: no]
    Number of SIP REGISTER messages dropped by the method rate limiter.
pass2MethodRateDropSubscribe  [untrusted: yes, trusted: no]
    Number of SIP SUBSCRIBE messages dropped by the method rate limiter.
pass2MethodRateDropUpdate  [untrusted: yes, trusted: no]
    Number of SIP UPDATE messages dropped by the method rate limiter.
pass2MethodRateDropOther  [untrusted: yes, trusted: no]
    Number of SIP messages of any other method dropped by the method rate limiter.

Level 2 : Pass 2 rate drop per QoS
This table contains the Level 2 statistics for messages received, submitted to the rate limiter and dropped. It provides details on the messages counted in pass2MethodRateDrop of the Level 1 statistics, per QoS level.

pass2MethodRateDropQos0  [untrusted: yes, trusted: no]
    Number of SIP messages dropped because of an excessive rate in QOS0.
pass2MethodRateDropQos1  [untrusted: yes, trusted: no]
    Number of SIP messages dropped because of an excessive rate in QOS1.
pass2MethodRateDropQos2  [untrusted: yes, trusted: no]
    Number of SIP messages dropped because of an excessive rate in QOS2.
pass2MethodRateDropQos3  [untrusted: yes, trusted: no]
    Number of SIP messages dropped because of an excessive rate in QOS3.
pass2MethodRateDropQos4  [untrusted: yes, trusted: no]
    Number of SIP messages dropped because of an excessive rate in QOS4.
pass2MethodRateDropQos5  [untrusted: yes, trusted: no]
    Number of SIP messages dropped because of an excessive rate in QOS5.
pass2MethodRateDropQos6  [untrusted: yes, trusted: no]
    Number of SIP messages dropped because of an excessive rate in QOS6.
pass2MethodRateDropQos7  [untrusted: yes, trusted: no]
    Number of SIP messages dropped because of an excessive rate in QOS7.


Level 2 : Pass 2 Admission Control Invite per QoS
This table contains Level 2 statistics for INVITE messages received and submitted to admission control. It provides details on the messages counted in pass2AdmCtlCall of the Level 1 statistics, per QoS level.

pass2AdmCtlCallQos0  [untrusted: yes, trusted: no]
    Number of SIP messages submitted to admission control for initial INVITE in QOS0.
pass2AdmCtlCallQos1  [untrusted: yes, trusted: no]
    Number of SIP messages submitted to admission control for initial INVITE in QOS1.
pass2AdmCtlCallQos2  [untrusted: yes, trusted: no]
    Number of SIP messages submitted to admission control for initial INVITE in QOS2.
pass2AdmCtlCallQos3  [untrusted: yes, trusted: no]
    Number of SIP messages submitted to admission control for initial INVITE in QOS3.
pass2AdmCtlCallQos4  [untrusted: yes, trusted: no]
    Number of SIP messages submitted to admission control for initial INVITE in QOS4.
pass2AdmCtlCallQos5  [untrusted: yes, trusted: no]
    Number of SIP messages submitted to admission control for initial INVITE in QOS5.
pass2AdmCtlCallQos6  [untrusted: yes, trusted: no]
    Number of SIP messages submitted to admission control for initial INVITE in QOS6.
pass2AdmCtlCallQos7  [untrusted: yes, trusted: no]
    Number of SIP messages submitted to admission control for initial INVITE in QOS7.

Level 2 : Pass 2 Admission Control Invite drop per QoS
This table contains the Level 2 statistics for INVITE messages received, submitted to admission control and dropped. It provides details on the messages counted in pass2AdmCtlCallDrop of the Level 1 statistics, per QoS level.

pass2AdmCtlCallDropQos0  [untrusted: yes, trusted: no]
    Number of calls rejected because the INVITE rate is greater than the rate available on the trusted side, for QOS0.
pass2AdmCtlCallDropQos1  [untrusted: yes, trusted: no]
    Number of calls rejected because the INVITE rate is greater than the rate available on the trusted side, for QOS1.
pass2AdmCtlCallDropQos2  [untrusted: yes, trusted: no]
    Number of calls rejected because the INVITE rate is greater than the rate available on the trusted side, for QOS2.
pass2AdmCtlCallDropQos3  [untrusted: yes, trusted: no]
    Number of calls rejected because the INVITE rate is greater than the rate available on the trusted side, for QOS3.
pass2AdmCtlCallDropQos4  [untrusted: yes, trusted: no]
    Number of calls rejected because the INVITE rate is greater than the rate available on the trusted side, for QOS4.
pass2AdmCtlCallDropQos5  [untrusted: yes, trusted: no]
    Number of calls rejected because the INVITE rate is greater than the rate available on the trusted side, for QOS5.
pass2AdmCtlCallDropQos6  [untrusted: yes, trusted: no]
    Number of calls rejected because the INVITE rate is greater than the rate available on the trusted side, for QOS6.
pass2AdmCtlCallDropQos7  [untrusted: yes, trusted: no]
    Number of calls rejected because the INVITE rate is greater than the rate available on the trusted side, for QOS7.


Level 2 : Pass 2 Admission Control Non-Invite per QoS
This table contains the Level 2 statistics for non-INVITE messages received and submitted to admission control. It provides details on the messages counted in pass2AdmCtlOther of the Level 1 statistics, per QoS level.

pass2AdmCtlOtherQos0  [untrusted: yes, trusted: no]
    Number of SIP messages submitted to admission control for non-INVITE requests, in-dialog transactions and responses, for QOS0.
pass2AdmCtlOtherQos1  [untrusted: yes, trusted: no]
    Number of SIP messages submitted to admission control for non-INVITE requests, in-dialog transactions and responses, for QOS1.
pass2AdmCtlOtherQos2  [untrusted: yes, trusted: no]
    Number of SIP messages submitted to admission control for non-INVITE requests, in-dialog transactions and responses, for QOS2.
pass2AdmCtlOtherQos3  [untrusted: yes, trusted: no]
    Number of SIP messages submitted to admission control for non-INVITE requests, in-dialog transactions and responses, for QOS3.
pass2AdmCtlOtherQos4  [untrusted: yes, trusted: no]
    Number of SIP messages submitted to admission control for non-INVITE requests, in-dialog transactions and responses, for QOS4.
pass2AdmCtlOtherQos5  [untrusted: yes, trusted: no]
    Number of SIP messages submitted to admission control for non-INVITE requests, in-dialog transactions and responses, for QOS5.
pass2AdmCtlOtherQos6  [untrusted: yes, trusted: no]
    Number of SIP messages submitted to admission control for non-INVITE requests, in-dialog transactions and responses, for QOS6.
pass2AdmCtlOtherQos7  [untrusted: yes, trusted: no]
    Number of SIP messages submitted to admission control for non-INVITE requests, in-dialog transactions and responses, for QOS7.

Level 2 : Pass 2 Admission Control Non-Invite drop per QoS
This table contains the Level 2 statistics for non-INVITE messages received and dropped by admission control. It provides details on the messages counted in pass2AdmCtlOtherDrop of the Level 1 statistics, per QoS level.

pass2AdmCtlOtherDropQos0  [untrusted: yes, trusted: no]
    Number of non-INVITE messages rejected because the aggregate transaction/response rate is greater than the rate available on the trusted side, for QOS0.
pass2AdmCtlOtherDropQos1  [untrusted: yes, trusted: no]
    Number of non-INVITE messages rejected because the aggregate transaction/response rate is greater than the rate available on the trusted side, for QOS1.
pass2AdmCtlOtherDropQos2  [untrusted: yes, trusted: no]
    Number of non-INVITE messages rejected because the aggregate transaction/response rate is greater than the rate available on the trusted side, for QOS2.
pass2AdmCtlOtherDropQos3  [untrusted: yes, trusted: no]
    Number of non-INVITE messages rejected because the aggregate transaction/response rate is greater than the rate available on the trusted side, for QOS3.
pass2AdmCtlOtherDropQos4  [untrusted: yes, trusted: no]
    Number of non-INVITE messages rejected because the aggregate transaction/response rate is greater than the rate available on the trusted side, for QOS4.
pass2AdmCtlOtherDropQos5  [untrusted: yes, trusted: no]
    Number of non-INVITE messages rejected because the aggregate transaction/response rate is greater than the rate available on the trusted side, for QOS5.
pass2AdmCtlOtherDropQos6  [untrusted: yes, trusted: no]
    Number of non-INVITE messages rejected because the aggregate transaction/response rate is greater than the rate available on the trusted side, for QOS6.
pass2AdmCtlOtherDropQos7  [untrusted: yes, trusted: no]
    Number of non-INVITE messages rejected because the aggregate transaction/response rate is greater than the rate available on the trusted side, for QOS7.

Level 2 : Regeneration per SIP operation
This table contains the Level 2 statistics for SIP messages received on one interface and submitted for regeneration before being sent on the other interface. It provides details on the messages counted in regenerationIn of the Level 1 statistics, per SIP operation.

regenerationInInitialInvite  [untrusted: yes, trusted: yes]
    Number of SIP INVITE messages submitted for regeneration.
regenerationInInitialNonInvite  [untrusted: yes, trusted: yes]
    Number of SIP non-INVITE messages submitted for regeneration.
regenerationInSubsequentReq  [untrusted: yes, trusted: yes]
    Number of SIP subsequent requests submitted for regeneration.
regenerationInResponse  [untrusted: yes, trusted: yes]
    Number of SIP responses submitted for regeneration.

Level 2 : Regeneration drop per SIP operation
This table contains the Level 2 statistics for SIP messages received on one interface and dropped because message regeneration failed. It provides details on the messages counted in regenerationDrop of the Level 1 statistics, per SIP operation.

regenerationDropInitialInvite  [untrusted: yes, trusted: yes]
    Number of SIP INVITE messages for which SIP regeneration failed.
regenerationDropInitialNonInvite  [untrusted: yes, trusted: yes]
    Number of SIP non-INVITE messages for which SIP regeneration failed.
regenerationDropSubsequentReq  [untrusted: yes, trusted: yes]
    Number of SIP subsequent requests for which SIP regeneration failed.
regenerationDropResponse  [untrusted: yes, trusted: yes]
    Number of SIP responses for which SIP regeneration failed.

Level 2 : Leaky bucket per SIP operation
This table contains the Level 2 statistics for SIP messages received on one interface and submitted to the leaky buckets. It provides details on the messages counted in leakyBucketIn of the Level 1 statistics, per SIP operation.

leakyBucketInInitialInvite  [untrusted: yes, trusted: yes]
    Number of SIP INVITE messages submitted to the leaky buckets of the trusted side.
leakyBucketInOther  [untrusted: yes, trusted: yes]
    Number of SIP non-INVITE messages submitted to the leaky buckets of the trusted side.

Level 2 : Leaky bucket drop per SIP operation
This table contains the Level 2 statistics for SIP messages received on one interface and rejected by the leaky buckets. It provides details on the messages counted in leakyBucketDrop of the Level 1 statistics, per SIP operation.

leakyBucketDropInitialInvite  [untrusted: yes, trusted: yes]
    Number of SIP INVITE messages rejected by the leaky bucket (typically because the bucket is full).
leakyBucketDropOther  [untrusted: yes, trusted: yes]
    Number of SIP non-INVITE messages rejected by the leaky bucket (typically because the bucket is full).


Level 2 : Send per SIP operation
This table contains the Level 2 statistics for SIP messages received on one interface and submitted to the other interface. It provides details on the messages counted in sendIn of the Level 1 statistics, per SIP operation.

sendInInitialInviteUnt  [untrusted: yes, trusted: yes]
    Number of SIP INVITE messages submitted to the output (trusted or untrusted).
sendInInitialNonInviteUnt  [untrusted: yes, trusted: yes]
    Number of SIP non-INVITE messages submitted to the output (trusted or untrusted).
sendInSubsequentReqUnt  [untrusted: yes, trusted: yes]
    Number of SIP subsequent requests submitted to the output (trusted or untrusted).
sendInResponseUnt  [untrusted: yes, trusted: yes]
    Number of SIP responses submitted to the output (trusted or untrusted).

Level 2 : Send drop per cause
This table contains the Level 2 statistics for SIP messages received on one interface and dropped during the output stage. It provides details on the messages counted in sendDrop of the Level 1 statistics.

sendDropL2errorUnt  [untrusted: yes, trusted: yes]
    Number of SIP messages dropped due to a Layer 2 error in the output stage.
sendDropNoMacAddressUnt  [untrusted: yes, trusted: yes]
    Number of SIP messages dropped due to an unknown destination MAC address in the output stage.

Level 2 : Send success per SIP operation
This table contains the Level 2 statistics for SIP messages received on one interface and successfully submitted to the other interface. It provides details on the messages counted in sendSuccess of the Level 1 statistics.

sendSuccessInitialInviteUnt  [untrusted: yes, trusted: yes]
    Number of SIP INVITE messages successfully sent.
sendSuccessInitialNonInviteUnt  [untrusted: yes, trusted: yes]
    Number of SIP non-INVITE messages successfully sent.
sendSuccessSubsequentReqUnt  [untrusted: yes, trusted: yes]
    Number of SIP subsequent requests successfully sent.
sendSuccessResponseUnt  [untrusted: yes, trusted: yes]
    Number of SIP responses successfully sent.

116

Alcatel-Lucent Proprietary
Use pursuant to applicable agreements

3FZ 08139 ACAA PCZZA


Edition 07
July 2015


Example
-> show peer-net statistics untrusted

UNTRUSTED SIDE LEVEL 1 STATISTICS
...
pass1Drop                            313
...
pass2Drop                            964
...
pass2MethodRateDrop                  260
...

Level 2 statistics pass1Drop
pass1Drop                            313
pass1DropMalformed                   209
pass1DropSuspicious                  104

Level 3 pass1DropSuspicious
pass1DropSuspicious                  104
pass1DropSuspiciousSubsequentReq
pass1DropSuspiciousResponse
pass1DropSuspiciousBYE               100
pass1DropSuspiciousCANCEL

Level 2 statistics pass2Drop per reason
pass2Drop                            964
pass2DropRateLimiting                260
pass2DropMalformed                   704

Level 2 statistics pass2MethodRateDrop per SIP method
pass2MethodRateDrop                  260
pass2MethodRateDropInvite            260

Level 2 statistics pass2MethodRateDrop per QOS
pass2MethodRateDrop                  260
pass2MethodRateDropQos0              260
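The counter blocks shown above nest: each Level 2 block repeats its Level 1 counter and breaks it down, so the details must add up to the parent. The following is an added example (not part of the 7510-SFW product or its CLI) of a monitoring script that parses this text output, verifies that every Level 2 breakdown sums to its parent counter, and flags a peer whose pass-2 drops are dominated by the rate limiters. The parser, the consistency rule and the 25% threshold are assumptions; the sample output is constructed from the figures in the example above.

```python
"""Parse the text output of `show peer-net statistics` and sanity-check the
counter hierarchy it reports.

Added example, not part of the 7510-SFW product or its CLI: the parser, the
consistency rule and the alert threshold are assumptions; the sample output
is constructed from the figures in the example above.
"""
import re

# Constructed sample shaped like the `show peer-net statistics untrusted`
# output shown above, with the same values.
SAMPLE_OUTPUT = """\
UNTRUSTED SIDE LEVEL 1 STATISTICS
pass1Drop                          313
pass2Drop                          964
pass2MethodRateDrop                260

Level 2 statistics pass1Drop
pass1Drop                          313
pass1DropMalformed                 209
pass1DropSuspicious                104

Level 2 statistics pass2Drop per reason
pass2Drop                          964
pass2DropRateLimiting              260
pass2DropMalformed                 704

Level 2 statistics pass2MethodRateDrop per SIP method
pass2MethodRateDrop                260
pass2MethodRateDropInvite          260
"""

# One counter per line: a bare name followed by an integer value.
COUNTER_RE = re.compile(r"^(\w+)\s+(\d+)\s*$")


def parse_statistics(text):
    """Return {block_title: {counter_name: value}}; any non-counter line
    starts a new block (e.g. 'Level 2 statistics pass1Drop')."""
    blocks = {}
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = COUNTER_RE.match(line)
        if m and current is not None:
            blocks[current][m.group(1)] = int(m.group(2))
        else:
            current = line.strip()
            blocks.setdefault(current, {})
    return blocks


def check_breakdowns(blocks):
    """For every 'Level 2 statistics <parent> ...' block, verify that the
    detailed counters add up to the parent counter repeated at the top of
    the block. Returns [(block_title, parent_value, sum_of_details)] for
    each mismatch; an empty list means the breakdowns are consistent."""
    mismatches = []
    for title, counters in blocks.items():
        m = re.match(r"Level 2 statistics (\w+)", title)
        if not m or m.group(1) not in counters:
            continue
        parent = m.group(1)
        details = sum(v for k, v in counters.items() if k != parent)
        if details != counters[parent]:
            mismatches.append((title, counters[parent], details))
    return mismatches


def rate_limited_share(blocks):
    """Fraction of pass-2 drops caused by the method rate limiters (Level 1)."""
    level1 = blocks["UNTRUSTED SIDE LEVEL 1 STATISTICS"]
    return level1["pass2MethodRateDrop"] / level1["pass2Drop"]


def overload_alerts(blocks, threshold=0.25):
    """Report when rate-limit drops reach `threshold` of all pass-2 drops
    (the threshold is an assumed operational value, not a product setting)."""
    share = rate_limited_share(blocks)
    if share < threshold:
        return []
    return ["rate-limit drops are %.0f%% of pass2 drops" % (share * 100)]


if __name__ == "__main__":
    parsed = parse_statistics(SAMPLE_OUTPUT)
    print("inconsistent breakdowns:", check_breakdowns(parsed))
    print("alerts:", overload_alerts(parsed))
```

The consistency check is the useful part operationally: a breakdown that no longer sums to its parent usually means the counters were sampled while being updated, or that the output was truncated, and either way the numbers should not be trusted for capacity decisions.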


Security Profile

Purpose

This paragraph provides information about the Security-Profile.

The purpose of the Security-Profile is to protect the IBCF from SIP message overload
coming from the Peer-Network.

Introduction

A Security-Profile, associated with a Peer-Network, allows setting of the following
parameters involved in admission control on the Untrusted Interface:

- SIP call setup rate limitation. This limitation applies to the method INVITE
creating a new dialog.

- SIP transaction rate limitation within INVITE dialogs. This limitation applies to
all SIP methods within an established INVITE dialog.

- SIP out-of-dialog message rate limitation per method. This limitation applies to
the methods that may appear outside a dialog: REGISTER, INFO, MESSAGE,
OPTIONS, PUBLISH, NOTIFY.

- SIP RCS dialog setup rate limitation. This limitation applies to the non-INVITE
methods SUBSCRIBE and REFER creating a new dialog, and also to the NOTIFY
dialog within a SUBSCRIBE dialog or REFER dialog.

- Message rate limitation in case of dialog context re-creation. This limitation
applies to the methods UPDATE, BYE, ACK and PRACK when a SIP dialog
needs to be rebuilt. The SIP dialog may have been cleaned up from the firewall due
to aging, when the firewall needs to make room for new calls and would otherwise have run
out of SIP context. The SIP dialog may also be cleaned up following a
switchover. In that case, the SIP request methods mentioned above allow the SIP dialog to be re-created.

Moreover, the Security-Profile allows setting the following parameters:

- SIP method allow/deny within INVITE dialogs. This setting accepts or
rejects a specific SIP method within an established INVITE dialog.

- Topology Hiding (THIG) enabling/disabling.

- Ringing Timer. This setting configures the duration an initial INVITE
transaction can stay in the Ringing state waiting for a final response.

Summary of the CLI for Security Profile management


Security Profile
security-profile profile_id [name description]
security-profile profile_id invite dialog setup-rate messages_per_sec
security-profile profile_id invite in-dialog transaction-rate messages_per_sec
security-profile profile_id invite in-dialog method-accept all
security-profile profile_id invite in-dialog no method-accept all
security-profile profile_id invite in-dialog method-accept { info | message | notify | options |
publish | subscribe }
security-profile profile_id invite in-dialog no method-accept { info | message | notify | options |
publish | subscribe }
security-profile profile_id out-of-dialog method-rate all messages_per_sec
security-profile profile_id out-of-dialog method-rate
{ register messages_per_sec | info messages_per_sec |
message messages_per_sec | notify messages_per_sec |
options messages_per_sec | publish messages_per_sec |
subscribe messages_per_sec | refer messages_per_sec |
update messages_per_sec | bye messages_per_sec |
prack messages_per_sec }
security-profile profile_id out-of-dialog no method-rate all
security-profile profile_id out-of-dialog no method-rate { register | info | message | notify |
options | publish | subscribe | refer | update | bye | prack }
security-profile profile_id sip thig
security-profile profile_id sip no thig
security-profile profile_id route-reorder
security-profile profile_id no route-reorder
security-profile profile_id ringing-timer duration
security-profile profile_id sip route-mode {contact | record-route}
security-profile profile_id private_ip
security-profile profile_id no private_ip
security-profile profile_id fqdn-in-from thig
security-profile profile_id no fqdn-in-from thig
security-profile profile_id clone profile_id
no security-profile profile_id
show security-profile profile_id

V3.0.14 adds the following new commands:


security-profile profile_id sip route-mode {contact | record-route}
security-profile profile_id private_ip
security-profile profile_id no private_ip
security-profile profile_id fqdn-in-from thig
security-profile profile_id no fqdn-in-from thig
security-profile profile_id
Purpose
The purpose of that command is to create a Security-Profile.
Once created, the parameters of the Security-Profile need to be adjusted to set the rate limiters
according to your needs. Finally, the Security-Profile must be associated with a Peer-Network
to become effective.
Command
security-profile profile_id [name description]

Arguments
profile_id
This is the identifier of the Security-Profile.
Up to 32 Security-Profiles can be created.
description
Description of the Security-Profile (31 characters)

Example
-> security-profile 2 name SecProf2
Complementary Information

When a new security-profile is created, its default values are the following:
-> security-profile 10
-> show security-profile 10
Profile id                          : 10
Name                                :
INVITE in-dialog accepted methods   : INFO MESSAGE NOTIFY PUBLISH SUBSCRIBE OPTIONS
INVITE in-dialog forbidden methods  :
REGISTER out-of-dialog rate         : 0
INFO out-of-dialog rate             : 0
MESSAGE out-of-dialog rate          : 0
NOTIFY out-of-dialog rate           : 0
PUBLISH out-of-dialog rate          : 0
SUBSCRIBE out-of-dialog rate        : 0
REFER out-of-dialog rate            : 0
UPDATE out-of-dialog rate           : 0
BYE out-of-dialog rate              : 0
PRACK out-of-dialog rate            : 0
OPTIONS out-of-dialog rate          : 0
INVITE dialog setup rate            : 0
INVITE in-dialog transaction rate   : 10
ringing timer                       : 180
THIG                                : yes

So, after creating a new security-profile, you need to set the INVITE dialog setup rate
according to your needs:
-> security-profile 10 invite dialog setup-rate 1000

Optionally, you may need to adjust the INVITE in-dialog transaction rate:
-> security-profile 10 invite in-dialog transaction-rate 20

You also need to set the method rate limitation used in case of dialog context re-creation.
This limitation applies to the methods UPDATE, BYE, ACK and PRACK when a SIP
dialog needs to be rebuilt (e.g. context re-creation may occur after a switchover).
-> security-profile 10 out-of-dialog method-rate bye 1000
-> security-profile 10 out-of-dialog method-rate prack 1000

Optionally, you may need to set the RCS dialog setup rate for the methods SUBSCRIBE,
REFER and NOTIFY.
-> security-profile 10 out-of-dialog method-rate subscribe 500
-> security-profile 10 out-of-dialog method-rate refer 500

Finally, you need to associate the security-profile with the peer-network.
-> peer-net 10 security-profile 10

security-profile profile_id invite dialog setup-rate


Purpose
The purpose of that command is to define the acceptable initial INVITE rate from an untrusted
peer network.
Command
security-profile profile_id invite dialog setup-rate messages_per_sec

Arguments
profile_id
This is the identifier of the Security-Profile.
messages_per_sec
Rate in messages per second for the method INVITE, creating a dialog, received from the
untrusted side.
The 32 configurable values are the following:
0, 5, 10, 20, 30, 40, 50, 100, 150, 200, 250, 300, 350, 400, 450, 500, 600, 700, 800, 900, 1000,
1200, 1400, 1600, 1800, 2000, 2200, 2400, 2600, 2800, 3000, 3200, 3400, 3600, 3800.

Example
-> security-profile 2 invite dialog setup-rate 2000

security-profile profile_id invite in-dialog transaction-rate


Purpose
The purpose of that command is to configure the rate limiter that applies to all SIP methods within a
dialog.
Once the SIP firewall has started to track an INVITE dialog, it uses the transaction-rate limiter for
all methods within the dialog.
Command
security-profile profile_id invite in-dialog transaction-rate messages_per_sec

Arguments
profile_id
This is the identifier of the Security-Profile.
messages_per_sec
Defines the transaction rate in messages per second within an established dialog.
The 32 configurable values are the following:
0, 5, 10, 20, 30, 40, 50, 100, 150, 200, 250, 300, 350, 400, 450, 500, 600, 700, 800, 900, 1000,
1200, 1400, 1600, 1800, 2000, 2200, 2400, 2600, 2800, 3000, 3200, 3400, 3600, 3800.

Example
-> security-profile 2 invite in-dialog transaction-rate 10

security-profile profile_id invite in-dialog method accept


Purpose
The purpose of that command is to configure the accepted SIP methods within an INVITE dialog.
Command
security-profile profile_id invite in-dialog method-accept all
security-profile profile_id invite in-dialog method-accept { info | message |
notify | options | publish | subscribe }

Arguments
profile_id
This is the identifier of the Security-Profile.
all
Specifies that all SIP methods are allowed within an INVITE dialog.

{ info | message | notify | options | publish | subscribe }


The accepted SIP methods within an INVITE dialog can be selected individually.

Example
-> security-profile 2 invite in-dialog method-accept info
-> security-profile 2 invite in-dialog method-accept message
-> security-profile 2 invite in-dialog method-accept options

security-profile profile_id invite in-dialog no method accept


Purpose
The purpose of that command is to configure the forbidden SIP methods within an INVITE dialog.
Command
security-profile profile_id invite in-dialog no method-accept all
security-profile profile_id invite in-dialog no method-accept { info |
message | notify | options | publish | subscribe }

Arguments
profile_id
This is the identifier of the Security-Profile.
all
Specifies that all SIP methods are forbidden within an INVITE dialog.

{ info | message | notify | options | publish | subscribe }


The forbidden SIP methods within an INVITE dialog can be selected individually.

Example
-> security-profile 2 invite in-dialog no method-accept subscribe
-> security-profile 2 invite in-dialog no method-accept publish

security-profile profile_id out-of-dialog method-rate


Purpose

The following CLI command has several purposes:

- it configures the SIP method rate limit for transactions that take place out of a
dialog. This can be the case for REGISTER, INFO, MESSAGE, OPTIONS,
PUBLISH, NOTIFY.

- it configures the transaction rate limit for non-INVITE dialogs. This can be the
case for RCS scenarios with SUBSCRIBE, REFER, NOTIFY.

- it configures the SIP transaction rate per method applied when the dialog tracking
context has been removed from the SFW. This situation may happen either
because a switchover occurred or because of dialog tracking aging due to resource
limitation.

Command
security-profile profile_id out-of-dialog method-rate all messages_per_sec
security-profile profile_id out-of-dialog method-rate
{ register messages_per_sec | info messages_per_sec |
message messages_per_sec | notify messages_per_sec |
options messages_per_sec | publish messages_per_sec |
subscribe messages_per_sec | refer messages_per_sec |
update messages_per_sec | bye messages_per_sec |
prack messages_per_sec }

Arguments
profile_id
This is the identifier of the Security-Profile.
all
Specifies that all SIP methods listed above, outside an INVITE dialog, have the same rate
limiter. If all is not specified, then it is possible to define a specific rate limiter per
method.
messages_per_sec
Defines the per-method rate in messages per second, for methods that appear outside an
INVITE dialog.
The 32 configurable values are the following:
0, 5, 10, 20, 30, 40, 50, 100, 150, 200, 250, 300, 350, 400, 450, 500, 600, 700, 800, 900, 1000,
1200, 1400, 1600, 1800, 2000, 2200, 2400, 2600, 2800, 3000, 3200, 3400, 3600, 3800.

A rate limit of 0 indicates that the method is blocked. By default each method rate limiter
is set to 0.

Example
-> security-profile 2 out-of-dialog method-rate register 1000
-> security-profile 2 out-of-dialog method-rate info 1000
-> security-profile 2 out-of-dialog method-rate message 1000
-> security-profile 2 out-of-dialog method-rate notify 1000
-> security-profile 2 out-of-dialog method-rate publish 1000
-> security-profile 2 out-of-dialog method-rate subscribe 500
-> security-profile 2 out-of-dialog method-rate refer 500
-> security-profile 2 out-of-dialog method-rate update 2000
-> security-profile 2 out-of-dialog method-rate bye 2000
-> security-profile 2 out-of-dialog method-rate prack 2000
-> security-profile 2 out-of-dialog method-rate options 2000

Complementary Information

The methods SUBSCRIBE and REFER create RCS (Rich Communication Service)
dialogs, and NOTIFY also appears in RCS dialogs. Strictly speaking, the out-of-dialog
keyword of the CLI command is therefore a misnomer for these methods. Nevertheless, the above
command also applies to RCS dialogs until a better wording, such as
security-profile profile_id rcs-dialog method-rate, is introduced.
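The three limiters configured in the walkthrough under security-profile profile_id (Complementary Information) and by this command work together on every request from the untrusted side: a new-dialog INVITE is checked against invite dialog setup-rate, a request inside a tracked INVITE dialog against invite in-dialog method-accept and then invite in-dialog transaction-rate, and everything else against the per-method out-of-dialog method-rate, whose default of 0 blocks the method. The following is an added simulation of that classification (not the 7510-SFW implementation); the one-second-window limiter model, the rule that an admitted UPDATE/PRACK re-creates dialog tracking, and the request tuples are assumptions, while the rate values mirror the walkthrough above.

```python
"""Simulate how the Security-Profile limiters classify and admit SIP
requests arriving from the untrusted side.

Added example, not the 7510-SFW implementation: the limiter model (a
per-second window), the dialog-tracking rule and the request tuples are
assumptions; the rate values mirror the configuration walkthrough above.
"""
from collections import defaultdict

# Methods whose acceptance inside an INVITE dialog is governed by method-accept.
OPTIONAL_IN_DIALOG = {"INFO", "MESSAGE", "NOTIFY", "OPTIONS", "PUBLISH", "SUBSCRIBE"}
# Assumption: an admitted UPDATE/PRACK for an unknown dialog re-creates its
# tracking context (the text lists UPDATE, BYE, ACK, PRACK for re-creation).
RECREATE_METHODS = {"UPDATE", "PRACK"}


class WindowLimiter:
    """Admit at most `rate` messages per one-second window; rate 0 blocks all."""

    def __init__(self, rate):
        self.rate = rate
        self.window = None
        self.used = 0

    def admit(self, t):
        if self.rate == 0:
            return False
        if int(t) != self.window:
            self.window, self.used = int(t), 0
        if self.used >= self.rate:
            return False
        self.used += 1
        return True


class SecurityProfile:
    def __init__(self, setup_rate=0, transaction_rate=10, method_rate=None,
                 accepted_in_dialog=OPTIONAL_IN_DIALOG):
        self.setup = WindowLimiter(setup_rate)
        self.transaction = WindowLimiter(transaction_rate)
        self.method = defaultdict(lambda: WindowLimiter(0))   # unset = 0 = blocked
        for name, rate in (method_rate or {}).items():
            self.method[name.upper()] = WindowLimiter(rate)
        self.accepted = set(accepted_in_dialog)
        self.tracked = set()            # Call-IDs of INVITE dialogs being tracked

    def admit(self, t, method, call_id, to_tag=None):
        """Return (admitted, name of the limiter that decided)."""
        method = method.upper()
        if method == "INVITE" and to_tag is None:        # new dialog
            ok = self.setup.admit(t)
            if ok:
                self.tracked.add(call_id)
            return ok, "invite dialog setup-rate"
        if call_id in self.tracked:                       # inside a tracked dialog
            if method in OPTIONAL_IN_DIALOG and method not in self.accepted:
                return False, "invite in-dialog method-accept"
            return self.transaction.admit(t), "invite in-dialog transaction-rate"
        ok = self.method[method].admit(t)                 # outside any tracked dialog
        if ok and method in RECREATE_METHODS:
            self.tracked.add(call_id)
        return ok, "out-of-dialog method-rate " + method.lower()


def run_scenario():
    """Replay a constructed burst; return (method, Call-ID, admitted, limiter)."""
    profile = SecurityProfile(setup_rate=2, transaction_rate=3,
                              method_rate={"bye": 1000, "prack": 1000,
                                           "subscribe": 500, "refer": 500},
                              accepted_in_dialog=("INFO", "NOTIFY", "OPTIONS"))
    requests = [  # (time in seconds, method, Call-ID, To-tag) -- constructed
        (0.0, "INVITE", "c1", None),
        (0.1, "INVITE", "c2", None),
        (0.2, "INVITE", "c3", None),    # third new dialog in the same second
        (0.3, "INFO", "c1", "t1"),      # accepted in-dialog method
        (0.4, "MESSAGE", "c1", "t1"),   # not in the method-accept list
        (0.5, "REGISTER", "c9", None),  # method-rate left at its default of 0
        (0.6, "BYE", "c7", "t7"),       # dialog unknown to the firewall (e.g. after switchover)
        (1.0, "INVITE", "c3", None),    # retried in the next one-second window
    ]
    return [(m, cid) + profile.admit(t, m, cid, tag) for t, m, cid, tag in requests]


if __name__ == "__main__":
    for method, cid, ok, limiter in run_scenario():
        print("%-8s %-3s %-6s %s" % (method, cid, "admit" if ok else "DROP", limiter))
```

The scenario shows why the walkthrough insists on setting bye and prack rates: with the default of 0, the BYE for a dialog the firewall no longer tracks would be dropped, and the call could not be torn down cleanly after a switchover.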

security-profile profile_id out-of-dialog no method-rate


Purpose

The following CLI command removes a SIP method rate limiter applied previously.
Command
security-profile profile_id out-of-dialog no method-rate all
security-profile profile_id out-of-dialog no method-rate
{ register | info | message | notify | options | publish | subscribe | refer |
update | bye | prack }

Arguments
profile_id
This is the identifier of the Security-Profile.
all
Specifies that all SIP methods listed above, outside an INVITE dialog, have their rate
limiter removed. This means that the default value 0 is applied to all SIP methods, which
are therefore forbidden.

If the attribute all is not specified, it is possible to remove the rate limiter for a
specific SIP method.

Example
-> security-profile 2 out-of-dialog no method-rate register

security-profile profile_id sip thig


Purpose

The purpose of this command is to enable or disable Topology Hiding.

The SIP Firewall performs topology hiding (THIG) on all SIP requests and responses that
are initiated by the private network, so that peering networks cannot see the IP addresses, port
numbers and host names of internal network elements.
THIG is performed by ciphering all private URIs found in the outgoing SIP messages.
Similarly, all ciphered headers found in incoming SIP messages are deciphered.
For the SIP headers Via, Route and Record-Route, a fixed pattern is appended to the end of
each ciphered text: tokenized-by=sfw.net.
The domain name sfw.net is the default value. It can be modified via a configuration
specified in the sitecfg.sfw. See the paragraph Part I:23 How to configure the SFW SITE
specific parameters.

Command
security-profile profile_id sip thig
security-profile profile_id no sip thig
Arguments
profile_id
This is the identifier of the Security-Profile. Remember that a Security-Profile and a
Peer-Network are associated via the CLI command peer-network netid security-profile
profile_id.
sip thig
Enable THIG towards the Peer-Networks associated with the specified profile_id.
no sip thig
Disable THIG towards the Peer-Networks associated with the specified profile_id.

Complementary Information

1. For the following headers: Request-Line, From, To, Diversion, History-Info,
P-Asserted-Identity, only the host-port part of the URI (either a host name or an IP
address) is ciphered.
Example:

Before THIG:
From: Alice <sip:alice@192.168.2.50:50001;p=abc>;tag=dftghjhg

After THIG:
From: Alice <sip:alice@5ZW02glU6kTzZkpYJdXK2vQMTEf;p=abc>;tag=dftghjhg

2. For the Contact header, the whole addr-spec value is ciphered and the public IP
address of the SIP Firewall is appended. This allows routing of subsequent requests
coming from the untrusted side using the Request-URI.
Example:
Before THIG:
Contact: "Mr Smith" <sip:smith@192.168.0.2;transport=tcp>;q=0.7;expires=3600

After THIG:
Contact: "Mr Smith" <sip:t4M0WHcpYBP7F9xLGHbPIGjlhsYvCDRuf@10.7.8.5>;q=0.7;expires=3600

3. For the following headers: Via, Route, Record-Route, Path, Service-Route, the whole
field value is ciphered. Moreover, multiple headers with the same field name are
ciphered into a single one. This follows Section 5.10.4 of 3GPP 24.229 for
topology hiding requirements.
Example:
Before THIG:
Via: SIP/2.0/UDP 10.7.8.5:5060;branch=z9hG4bK-14755-10;oai=yyyy7vbsKa+53ryUDHyyyy7y+mY4y
Via: SIP/2.0/UDP 192.168.2.50:50001;branch=z9hG4bK-9119-1-0

After THIG, a single header line results. This is possible as long as the resulting
string is short enough to be contained in a single header line:
Via: SIP/2.0/UDP 5P0gx7l4PkTRfgTygHyujyYr.TghRgrESXpmMDg0zhQ1BP3s8CDoft4Fsg2bBesxARl.SD7YU2Mf;tokenized-by=sfw.net;branch=z9hG4bK-45

List of (de-)ciphered Headers

Ciphering or deciphering of headers depends on the message origin, the kind of message
(Request/Response), and the dialog originator. The following table shows the list of
ciphered/deciphered headers according to each of the preceding conditions.

[Table: rows Request-Line, Contact, From, To, Diversion, History-Info, P-Asserted-Identity,
Route, Via, Record-Route; columns "Ciphering in outgoing messages" (request, response) and
"Deciphering in incoming messages" (request, response); cells are marked either X or
"if dialog origin is trusted", but the per-cell marks are not recoverable from this page.]
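The three rewriting rules above (host-port only for From-like headers, whole addr-spec plus the firewall's public IP for Contact, whole field values merged into one token with the tokenized-by suffix for Via) are illustrated by the following added example, which is not the 7510-SFW code. The page does not specify the cipher, so tokenize()/untokenize() use a keyed XOR keystream (SHA-256 in counter mode) only as a reversible stand-in; the key, the branch value and the sample headers are constructed, and the public IP 10.7.8.5 is taken from the page's Contact example.

```python
"""Worked illustration of the THIG rewriting rules described above: host-port
only for From/To/Diversion/History-Info/P-Asserted-Identity, the whole
addr-spec plus the SFW public IP for Contact, and the whole field value with
header merging and the tokenized-by suffix for Via.

Added example, not the 7510-SFW code. The page does not specify the cipher,
so tokenize()/untokenize() use a keyed XOR keystream (SHA-256 in counter
mode) only as a reversible stand-in; the key, the branch value and the sample
headers are constructed.
"""
import base64
import hashlib
import re

KEY = b"constructed-demo-key"             # constructed
SFW_PUBLIC_IP = "10.7.8.5"                # as in the page's Contact example
TOKENIZED_BY = "tokenized-by=sfw.net"     # default domain documented for sip thig
SFW_BRANCH = "z9hG4bK-sfw1"               # constructed placeholder branch


def _keystream(length):
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(KEY + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def tokenize(text):
    """Cipher `text` into a URL-safe base64 token (no padding)."""
    data = text.encode()
    xored = bytes(a ^ b for a, b in zip(data, _keystream(len(data))))
    return base64.urlsafe_b64encode(xored).decode().rstrip("=")


def untokenize(token):
    raw = base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))
    return bytes(a ^ b for a, b in zip(raw, _keystream(len(raw)))).decode()


# "<sip:" plus optional "user@" (group 1), then host-port up to ';' or '>' (group 2)
HOSTPORT_RE = re.compile(r"(<sips?:(?:[^@>;]+@)?)([^;>]+)")
ADDRSPEC_RE = re.compile(r"<([^>]+)>")


def hide_hostport(value):
    """From/To/Diversion/History-Info/P-Asserted-Identity: cipher host-port only."""
    return HOSTPORT_RE.sub(lambda m: m.group(1) + tokenize(m.group(2)), value, count=1)


def reveal_hostport(value):
    return HOSTPORT_RE.sub(lambda m: m.group(1) + untokenize(m.group(2)), value, count=1)


def hide_contact(value):
    """Contact: cipher the whole addr-spec and append the SFW public IP so the
    untrusted side routes subsequent requests back to the firewall."""
    return ADDRSPEC_RE.sub(
        lambda m: "<sip:%s@%s>" % (tokenize(m.group(1)), SFW_PUBLIC_IP), value, count=1)


def reveal_contact(value):
    m = re.search(r"<sip:([^@>]+)@%s>" % re.escape(SFW_PUBLIC_IP), value)
    if not m:
        return value                       # not one of our tokens: leave as is
    return value[:m.start()] + "<" + untokenize(m.group(1)) + ">" + value[m.end():]


def hide_via(via_values):
    """Via: cipher all field values into one token and emit a single header
    value carrying the fixed tokenized-by pattern."""
    token = tokenize("\n".join(via_values))
    return "SIP/2.0/UDP %s;%s;branch=%s" % (token, TOKENIZED_BY, SFW_BRANCH)


def reveal_via(value):
    """Inverse of hide_via: returns the list of original Via values."""
    m = re.match(r"SIP/2\.0/\w+ ([^;]+);" + re.escape(TOKENIZED_BY), value)
    if not m:
        return [value]
    return untokenize(m.group(1)).split("\n")


if __name__ == "__main__":
    print(hide_hostport("Alice <sip:alice@192.168.2.50:50001;p=abc>;tag=dftghjhg"))
    print(hide_contact('"Mr Smith" <sip:smith@192.168.0.2;transport=tcp>;q=0.7;expires=3600'))
    print(hide_via(["SIP/2.0/UDP 10.7.8.5:5060;branch=z9hG4bK-14755-10",
                    "SIP/2.0/UDP 192.168.2.50:50001;branch=z9hG4bK-9119-1-0"]))
```

Note what survives each rewrite: the user part, URI parameters and header parameters of From stay visible, only the host-port is hidden; the Contact keeps its header parameters (q, expires) but the entire original addr-spec, including its transport parameter, is inside the token; and the merged Via is the only thing the peer sees of the internal Via chain.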

security-profile profile_id route-reorder


Purpose

The purpose of this command is to enable or disable the option to allow disordered Route
headers in the subsequent request from peer networks.
There must be Route headers in subsequent request from peer network as SIP firewall has
already informed the route set in previous transaction through Record-Route headers. In
the request from peer networks, the Route headers should be in order, the top one points
to the lpoc at untrusted side of SIP Firewall, the second one points to the rpoc at trusted
side of SIP Firewall.
Unfortunately, some external SIP devices do not follow RFC 3261 very well, they may
send the subsequent requests with disordered Route headers. To tolerate this kind of
behavior, the option route-reorder it added.

Command
security-profile profile_id route-reorder
security-profile profile_id no route-reorder
Arguments
profile_id
This is the identifier of the Security-Profile. Remember that a Security-Profile and a
Peer-Network are associated via the CLI command peer-network netid security-profile
profile_id.
route-reorder
Enable the option to accept disordered Route headers in subsequent requests from
Peer-Networks associated with the specified profile_id.
no route-reorder
Disable the option to accept disordered Route headers in subsequent requests from
Peer-Networks associated with the specified profile_id.
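The expected Route set of a subsequent request, and the difference the option makes, can be checked with the following added example (not the 7510-SFW code). The lpoc/rpoc URIs and the sample header lists are constructed; the rule itself follows the text above: the top Route entry must be the lpoc on the untrusted side and the second the rpoc on the trusted side, and a request with no Route set at all is not acceptable.

```python
"""Check the Route set of a subsequent in-dialog request from a peer network,
with and without the route-reorder tolerance described above.

Added example, not the 7510-SFW code: the lpoc/rpoc URIs and the sample
header lists are constructed.
"""

LPOC_UNTRUSTED = "sip:10.7.8.5:5060;lr"       # constructed
RPOC_TRUSTED = "sip:192.168.10.20:5060;lr"    # constructed


def route_values(headers):
    """Collect every Route entry in header order (top first), unwrapping <...>
    and splitting comma-separated lists."""
    entries = []
    for name, value in headers:
        if name.lower() == "route":
            entries.extend(p.strip().strip("<>") for p in value.split(","))
    return entries


def check_route_set(headers, route_reorder=False):
    """Return (accepted, routes as the firewall will use them).

    A subsequent request without Route headers is rejected: the route set
    was handed out via Record-Route in the earlier transaction. With
    route-reorder disabled the first two entries must be exactly lpoc then
    rpoc; with it enabled, the two entries may arrive swapped and are put
    back in the expected order."""
    routes = route_values(headers)
    expected = [LPOC_UNTRUSTED, RPOC_TRUSTED]
    if not routes:
        return False, routes
    if routes[:2] == expected:
        return True, routes
    if route_reorder and set(routes[:2]) == set(expected):
        return True, expected + routes[2:]
    return False, routes


if __name__ == "__main__":
    # Constructed subsequent request whose peer swapped the two Route entries.
    swapped = [("Route", "<sip:192.168.10.20:5060;lr>, <sip:10.7.8.5:5060;lr>")]
    print("strict:  ", check_route_set(swapped))
    print("tolerant:", check_route_set(swapped, route_reorder=True))
```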

security-profile profile_id ringing-timer duration


Purpose

The purpose of this command is to configure, in seconds, the maximum duration of the
ringing time. This is the duration an initial INVITE transaction can stay in the Ringing
state waiting for a final response.
This setting becomes effective when the security-profile is associated with the peer-network.

Command
security-profile profile_id ringing-timer duration
Arguments
profile_id
This is the identifier of the Security-Profile. Remember that a Security-Profile and a
Peer-Network are associated via the CLI command peer-network netid security-profile
profile_id.
duration
The Ringing timer can be set, in seconds, in the range from 30 to 300.
The default value is 180 seconds.

Example
-> security-profile 20 ringing-timer 240

security-profile profile_id clone profile_id


Purpose

The following CLI command allows creation of a new security-profile by copying an
existing one.
Command
security-profile profile_id2 clone profile_id1

Arguments
profile_id2
This is the identifier of the new Security-Profile to be created.
The identifier must be in the range 1-32.
profile_id1
This is the identifier of the already existing Security-Profile used as template to create the
clone.

Example
-> security-profile 20 clone 19

security-profile profile_id fqdn-in-from thig


Purpose

The purpose of this command is to enable or disable Topology Hiding for the From and
P-Asserted-Identity headers when their host part is a host name.
When the host part is an IP address, the From and P-Asserted-Identity headers are always
ciphered.
fqdn-in-from thig only takes effect when sip thig is enabled.
Command
security-profile profile_id fqdn-in-from thig
security-profile profile_id no fqdn-in-from thig
Arguments
profile_id
This is the identifier of the Security-Profile. Remember that a Security-Profile and a
Peer-Network are associated via the CLI command peer-network netid security-profile
profile_id.
fqdn-in-from thig
Enable THIG for From and P-Asserted-Identity headers whose host part is a host name
when sending messages to Peer-Networks associated with the specified profile_id.
no fqdn-in-from thig
Disable THIG for From and P-Asserted-Identity headers whose host part is a host
name when sending messages to Peer-Networks associated with the specified profile_id.

security-profile profile_id sip route-mode


Purpose

The purpose of this command is to specify whether the SFW adds Record-Route headers to
messages sent to Peer-Networks.
If the SFW does not send Record-Route headers to Peer-Networks, the oai is carried in the
Contact header. To ensure that subsequent in-dialog requests from Peer-Networks can still reach
the SFW, the SFW untrusted lpoc IP is put into the host part of the Contact header when SIP
THIG is disabled. The original host part is saved as a private parameter of the
Contact header.
Command
security-profile profile_id sip route-mode record-route
security-profile profile_id sip route-mode contact
Arguments
profile_id
This is the identifier of the Security-Profile. Remember that a Security-Profile and
a Peer-Network are associated via the CLI command peer-network netid
security-profile profile_id.
sip route-mode record-route
Messages sent to Peer-Networks associated with the specified profile_id have
Record-Route headers.
sip route-mode contact
Messages sent to Peer-Networks associated with the specified profile_id do not
have Record-Route headers. The oai is put into the Contact header.

security-profile profile_id private_ip


Purpose

The purpose of this command is to specify whether the SFW adds the private IP (lpoc untrusted IP) to
the From/P-AID/To/Contact headers in messages sent to Peer-Networks.
For requests (e.g., INVITE/re-INVITE/UPDATE/ACK/BYE/PRACK/CANCEL) sent
from the trusted side to the untrusted side, which currently contain a From/P-AID/Contact header
with the MGC-8 private IP/port in the host part, the SFW should put the SFW public IP/port into the host
part, and put the MGC-8 private IP/port as a From/P-AID/Contact URI parameter when thig is
disabled.
For requests (e.g., INVITE/re-INVITE/UPDATE/ACK/BYE/PRACK/CANCEL) sent
from the trusted side to the untrusted side, which currently contain a From/P-AID header with
a tokenized string in the host part, the SFW should put the SFW public IP/port into the host part, and
put the tokenized string as a From/P-AID URI parameter when thig is enabled.
For responses (1xx-6xx) (to an initial INVITE from the untrusted to the trusted side) received from the
MGC-8, which contain a Contact header with the MGC-8 private IP/port in the host part, the SFW
should put the SFW public IP/port into the host part, and put the MGC-8 private IP/port as a Contact
URI parameter.
Command
security-profile profile_id private_ip
security-profile profile_id no private_ip
Arguments
profile_id
This is the identifier of the Security-Profile. Remember that a Security-Profile and
a Peer-Network are associated via the CLI command peer-network netid security-profile
profile_id.
private_ip
Add the private IP to From/P-AID/To headers in messages sent to Peer-Networks.
no private_ip
Do not add the private IP to From/P-AID/To headers in messages sent to Peer-Networks.

no security-profile profile_id
Purpose

The purpose of this command is to delete a Security-Profile.

A Security-Profile cannot be deleted while it is still associated with a Peer-Network.
There is no command peer-network netid no security-profile; to remove the association between
a Peer-Network and a Security-Profile, it is necessary to associate a new Security-Profile with the
Peer-Network. Then the unused Security-Profile can be deleted.

Command
no security-profile profile_id

Arguments
profile_id
This is the identifier of the Security-Profile to be deleted.
Example
-> no security-profile 20

show security-profile profile_id


Purpose

Displays the Security-Profile configuration.


Command
show security-profile [profile_id]

Arguments
profile_id
This is the identifier of the Security-Profile to be displayed. If profile_id is not specified,
all Security Profiles are displayed.
Example
-> show security-profile 19
Profile id                          : 19
Name                                :
INVITE in-dialog accepted methods   : INFO MESSAGE NOTIFY PUBLISH SUBSCRIBE OPTIONS
INVITE in-dialog forbidden methods  :
REGISTER out-of-dialog rate         : 1000
INFO out-of-dialog rate             : 1000
MESSAGE out-of-dialog rate          : 1000
NOTIFY out-of-dialog rate           : 1000
PUBLISH out-of-dialog rate          : 1000
SUBSCRIBE out-of-dialog rate        : 1000
REFER out-of-dialog rate            : 1000
UPDATE out-of-dialog rate           : 1000
BYE out-of-dialog rate              : 1000
PRACK out-of-dialog rate            : 1000
OPTIONS out-of-dialog rate          : 1000
INVITE dialog setup rate            : 1000
INVITE in-dialog transaction rate   : 10
T1 timer                            : 100
INVITE fork-response                : 32
INVITE fork-timer (TM)              : 64
THIG                                : yes

TLS feature overview

Introduction
TLS usage rationale

The primary goal of the TLS protocol is to provide privacy and data integrity for the SIP
flows exchanged between the SIP firewall and remote SIP entities on its untrusted side.
It also provides mutual authentication of both peers through the verification of their
respective X509 certificates.

Reference documents
Standard

[SIP connect] SIP-PBX / Service Provider Interoperability - "SIPconnect 1.1 Technical
Recommendation" - SIP Forum Document Number: TWG-2

Main RFCs

[RFC2246] The TLS Protocol Version 1.0
[RFC3280] Internet X.509 Public Key Infrastructure Certificate and Certificate
Revocation List (CRL) Profile

Feature Overview
Standards and algorithms supported

The SIP firewall supports TLS v1.0 (RFC 2246) and X.509v3 certificates (RFC 3280)
based on RSA keys (up to 4096 bits).
SSLv2 and SSLv3 are not supported due to their known vulnerabilities.
Certificate revocation with OCSP (Online Certificate Status Protocol) or with a statically
configured list of certificates is not supported.
List of algorithms supported:
- For key exchange: Diffie-Hellman, RSA,
- For authentication: RSA (maximum key size = 4096 bits),
- For symmetric ciphering: AES128, AES256, 3DES, RC4,
- For integrity: SHA1.

Compression is not supported.

Main Feature List

The following main features are supported:

- TLS v1.0 handshake, change cipher, alert and record protocol

- Automatic TLS connection handling toward the rpoc entity

- X509 certificates management (CLI interface)

- Local certificate management
  o Importation in PEM Base64 of the public certificate and its private key
    (SSLeay format)
  o Support of the Certificate Signing Request (CSR) procedure. The
    generated CSR is in PKCS#10 format.
  o Content display
  o Suppression

- Certificate Authority (CA) certificate management
  o Importation in PEM Base64 format
  o Content display
  o Suppression

TLS domain handling per VPN through TLS profile usage

TLS profile management


o Creation/Modification
o Content display
o Suppression

Dimensioning

The SIP firewall supports the following dimensioning concerning TLS:


o Maximum Local certificate(s): 32
o Maximum CA certificate(s): 64
o Maximum TLS profile(s): 32
o Maximum CA identifier per profile: 64

TLS Feature Description


X509 certificate handling (CLI interface)

The SFW supports TLS with mutual authentication (each side must present its X509
certificate). This is the typical authentication mode in SIP peering (cf static mode of [SIP
connect] referenced document).

Two types of X509v3 certificates are handled by the SFW:

Local certificate used to identify the SFW,

CA certificates used to check the validity of the rpoc certificates:


All the CA certificates of the rpoc "signing chain" must be imported on the SFW
in order to check the validity of the rpoc certificate.

Local certificates (and their private key) and CA certificates may be imported through the
root account using multi-line CLI commands: Copy/Paste is used to import X509
certificates or private keys in PEM/Base64 format. A private key is only required for a
local certificate; it is recommended to import it password-protected (see import
certificate local privatekey).

Local certificates may also be managed through the Certificate Signing Request (CSR)
procedure:
In the CSR procedure, a public/private key pair is generated locally on the SFW
(step 1) and a corresponding CSR is generated in PEM/Base64 format for the
Certificate Authority (step 2). The CA sends back the corresponding X509
certificate (signed by the CA). This X509 certificate is then imported in the SFW
(step 3). With the CSR procedure the private key never leaves the SFW: this is
more secure than importing a private key generated elsewhere.

Figure 1 - Certificate Signing Request (CSR) handling. The root user triggers the
certificate request creation on the SFW (1/); the SFW keeps the private key part of
the local certificate and hands the CSR to the Certification Authority (2/); the
certificate part signed by the CA is imported back on the SFW (3/).

TLS domain handling per VPN through TLS profile usage

In the SIP firewall a peer network entity may be associated to a particular VPN through its
VLAN id. A TLS profile may be also configured per peer network entity: This allows to
have particular TLS configuration (the one of the TLS profile) per VPN. This particular
TLS configuration will be applied to all rpoc of the related peer network entity.

VLAN w (corresponding to VPN x) <- Peer-net y -> TLS profile z

Each TLS profile contains:

a description name

the id of the local certificate to use for the SFW,

the list of id of trusted CA certificates,

optionally: the fact to check the validity of the peer certificate (CA check flag that
is set to Yes by default),

optionally: the renegotiation period (in hour) to force a new TLS handshake
periodically (not activated by default). This option should be used to take into
account CA certificates updates on already established TLS connection.

TLS connection handling

When a TLS secured connection is required with an RPOC, its transport layer must be
configured in TLS mode. When TLS is configured for this RPOC, the other transport layers
are no longer relevant: only TLS can be used with this RPOC.
Moreover, the peer-network of the RPOC must be configured with a valid TLS profile.
The SFW automatically establishes and maintains a TLS connection toward this RPOC,
using the local certificate of the TLS profile as its own certificate and the CA certificates
referenced in the TLS profile to validate the RPOC certificate.
The SFW also accepts incoming TLS connections from this RPOC using the same certificate
model.

If the local certificate used by the TLS connection is modified, the TLS connection is
re-established with the new one.
If the CA certificate list of the TLS profile used by the connection is modified, the change
is only applied to an already established TLS connection when the optional parameter
"renegotiation period" is set on the TLS profile.
The renegotiation is performed in place only with TLS peers that support the renegotiation
indication extension (RFC 5746). For other peers, it results in a full TLS
disconnection/reconnection.


TLS Profile

Purpose

This paragraph provides information about the configuration of the TLS profiles.

Introduction: TLS connections and TLS Profile handling

A new permanent TLS connection is established with an RPOC (2 connections if the RPOC is
dual-stack IPv4/IPv6) when all of the following conditions hold:

Transport is set to TLS for this RPOC. See the CLI command peer-net
netid rpoc peering_point_id

Transport is set to TLS for the LPOC associated with the Peer Network.
See the CLI command peer-net netid lpoc poc_id

A TLS-profile is associated with the Peer Network. See the CLI
command peer-net netid tls-profile tls_profile_id

The TLS profile is valid. This means that:

o The SFW local certificate and its associated private key are
matching.
o If ca-check has been set for this TLS profile, a list of CA
certificates must be associated with the TLS Profile. This allows the
peering point certificate to be checked against the CA signing chain.

Alcatel-Lucent Proprietary
Use pursuant to applicable agreements

146

TLS Profile

Summary of the CLI for TLS-Profile management

Summary of the CLI for TLS-Profile management


TLS Profile
tls-profile tlsprofileid [local-cert certid] [no-ca-check|ca-check] [renegotiation-period period_in_hours]
[name description]
tls-profile tlsprofileid name description
tls-profile tlsprofileid local-cert certid
tls-profile tlsprofileid {no-ca-check|ca-check}
tls-profile tlsprofileid renegotiation-period period_in_hours
tls-profile tlsprofileid no renegotiation-period
tls-profile tlsprofileid ca-cert-list certid1 [certid2] [certid3] ... [certid8]
tls-profile tlsprofileid no ca-cert-list certid
no tls-profile tlsprofileid
show tls-profile


tls-profile tlsprofileid local-cert ca-check renegotiation-period

Purpose
The purpose of that command is to create a TLS Profile.

Each TLS profile contains:

a description name

the id of the local certificate to use for the SFW,

the list of ids of trusted CA certificates,

optionally: the fact to check or not the validity of the peer certificate. If not
specified during the creation of the TLS profile, checking the validity of the peer
certificate is the default behavior.

optionally: the renegotiation period (in hour) to force a new TLS handshake
periodically (not activated by default). This option should be used to take into
account CA certificates updates on already established TLS connection.

The TLS Profile needs to be associated with a Peer-Network to become effective.


Command
tls-profile tlsprofileid [local-cert certid] [no-ca-check|ca-check]
[renegotiation-period period_in_hours] [name description]

Arguments
tlsprofileid
This is the identifier of the TLS Profile.
Up to 32 TLS Profiles can be created.
local-cert
Identifies the SFW local certificate.

no-ca-check | ca-check
Specifies whether or not the peer certificate needs to be checked against the CA certificate
signing chain.

renegotiation-period
If renegotiation-period is set in the TLS profile, the ongoing TLS connections are
renegotiated (TLS handshake) every renegotiation-period hours.
name
Description of the TLS Profile (32 characters).

Example
-> tls-profile 2 local-cert 1 ca-check renegotiation-period 1
name tls-prof-operator1

tls-profile tlsprofileid no renegotiation-period


Purpose
The purpose of that command is to remove the renegotiation period from an existing TLS
Profile. Periodic renegotiation of the TLS connections using this profile is then no longer
forced, which is the default behavior of a TLS profile.

Without a renegotiation period, a modification of the CA certificate list of the TLS profile is
not taken into account on already established TLS connections (see "TLS connection
handling").

Command
tls-profile tlsprofileid no renegotiation-period

Arguments
tlsprofileid
This is the identifier of the TLS Profile.

Example
-> tls-profile 2 no renegotiation-period


tls-profile tlsprofileid ca-cert-list certid1 ... [certid8]

Purpose
The purpose of that command is to associate a list of trusted CA certificate ids with a TLS
profile.
If the option ca-check has been set for the given TLS profile, the validity of the peer
certificate will be checked against this list of CA certificates. The list must therefore
contain every CA certificate of the peer's signing chain, not only the root CA.
Command
tls-profile tlsprofileid ca-cert-list certid1 [certid2] [certid3] ... [certid8]

Arguments
tlsprofileid
This is the identifier of the TLS Profile.
ca-cert-list
Up to 64 CA certificate ids can be associated with a TLS profile. However the above
command limits the number of certificate ids to 8 per invocation.
As described in the example, if more than 8 certificate ids need to be associated with a
TLS profile, the CLI command is run several times; each run adds to the list.

Example
-> tls-profile 2 ca-cert-list 1 2 3 4 5 6 7 8
-> tls-profile 2 ca-cert-list 9 10
-> show tls-profile
+---------+----------------------+-------+---------------+-------+-----------------------+
! TLS     ! Name                 ! Local ! Renegotiation ! CA    ! CA                    !
! profile !                      ! cert. ! period        ! check ! cert.                 !
! id      !                      ! id    ! (hours)       !       ! id(s)                 !
+---------+----------------------+-------+---------------+-------+-----------------------+
! 1       ! tls-prof-doamain1    ! 1     ! 1             ! Yes   ! 1                     !
! 2       ! tls-prof-sipp-server ! 1     ! 1             ! Yes   ! 1 2 3 4 5 6 7 8 9 10  !
+---------+----------------------+-------+---------------+-------+-----------------------+
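The four conditions listed in the introduction of this chapter (RPOC and LPOC transport set to TLS, a TLS profile associated with the peer network, and a valid profile) and the 8-ids-per-command limit of ca-cert-list are easy to get wrong in a provisioning script. The following Python module is an added example written for this page, not code shipped with the 7510-SFW: it models those rules and the 64-ids dimensioning limit so that a provisioning script can validate its intent and generate the ca-cert-list command lines before anything is typed into the CLI. All class and function names, and the sample ids used in the usage note, are this example's own assumptions.

```python
"""Pre-flight model of the SFW TLS profile rules.

Added example, not code from the 7510-SFW or from this guide: it encodes the
conditions under which the SFW opens a TLS connection (see "Introduction:
TLS connections and TLS Profile handling") and the limits of the ca-cert-list
command (64 CA ids per profile, 8 ids per command), so a provisioning script
can check its data before typing commands. All names below are this example's.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

MAX_CA_IDS_PER_PROFILE = 64   # "Maximum CA identifier per profile: 64"
CA_IDS_PER_COMMAND = 8        # ca-cert-list certid1 [certid2] ... [certid8]


@dataclass
class LocalCert:
    certid: int
    key_matches: bool             # "Private key matching" of show certificate local


@dataclass
class TlsProfile:
    tlsprofileid: int
    local_cert: Optional[int]
    ca_check: bool = True         # default when neither ca-check nor no-ca-check is given
    ca_cert_ids: List[int] = field(default_factory=list)
    renegotiation_period_h: Optional[int] = None   # not activated by default


@dataclass
class PeerNetwork:
    netid: int
    lpoc_transport: str           # "tls", "tcp" or "udp"
    tls_profile: Optional[int]


@dataclass
class Rpoc:
    peering_point_id: int
    transport: str
    dual_stack: bool = False      # IPv4 + IPv6 RPOC: two TLS connections


def profile_validity_problems(profile: TlsProfile, local_certs: List[LocalCert],
                              imported_ca_ids: List[int]) -> List[str]:
    """Reasons why the SFW would consider the profile invalid (empty == valid)."""
    problems = []
    cert = next((c for c in local_certs if c.certid == profile.local_cert), None)
    if cert is None:
        problems.append(f"local certificate {profile.local_cert} is not imported")
    elif not cert.key_matches:
        problems.append("local certificate and its private key do not match")
    if profile.ca_check and not profile.ca_cert_ids:
        problems.append("ca-check is set but no CA certificate is listed")
    missing = sorted(set(profile.ca_cert_ids) - set(imported_ca_ids))
    if missing:
        problems.append(f"CA certificate ids not imported: {missing}")
    return problems


def security_warnings(profile: TlsProfile) -> List[str]:
    """Settings the CLI accepts but that weaken the deployment."""
    warnings = []
    if not profile.ca_check:
        warnings.append("no-ca-check: the peer certificate is not checked against any CA chain")
    if profile.renegotiation_period_h is None:
        warnings.append("no renegotiation-period: CA list changes never reach "
                        "already established connections")
    return warnings


def expected_tls_connections(rpoc: Rpoc, peer_net: PeerNetwork, profiles: List[TlsProfile],
                             local_certs: List[LocalCert],
                             imported_ca_ids: List[int]) -> Tuple[int, str]:
    """Permanent TLS connections the SFW will open toward the RPOC (0 when one of
    the four conditions fails) together with the first failing condition."""
    if rpoc.transport != "tls":
        return 0, "RPOC transport is not TLS"
    if peer_net.lpoc_transport != "tls":
        return 0, "LPOC transport of the peer network is not TLS"
    profile = next((p for p in profiles if p.tlsprofileid == peer_net.tls_profile), None)
    if profile is None:
        return 0, "no TLS profile associated with the peer network"
    problems = profile_validity_problems(profile, local_certs, imported_ca_ids)
    if problems:
        return 0, "TLS profile is invalid: " + "; ".join(problems)
    return (2 if rpoc.dual_stack else 1), "ok"


def ca_cert_list_commands(tlsprofileid: int, ca_cert_ids: List[int]) -> List[str]:
    """Emit the ca-cert-list command lines needed when more than 8 ids are used."""
    ids = list(dict.fromkeys(ca_cert_ids))            # drop duplicates, keep order
    if len(ids) > MAX_CA_IDS_PER_PROFILE:
        raise ValueError("a TLS profile accepts at most 64 CA certificate ids")
    return [f"tls-profile {tlsprofileid} ca-cert-list "
            + " ".join(str(i) for i in ids[n:n + CA_IDS_PER_COMMAND])
            for n in range(0, len(ids), CA_IDS_PER_COMMAND)]
```

With CA ids 1 to 10 imported, `ca_cert_list_commands(2, range(1, 11))` yields exactly the two command lines of the example above; `expected_tls_connections` returns `(2, "ok")` for a dual-stack RPOC on a TLS peer network whose profile is valid, and `(0, reason)` otherwise, so the first failing condition is visible before the connection silently fails to come up.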


tls-profile tlsprofileid no ca-cert-list certid1 ... [certid8]

Purpose
The purpose of that command is to remove a list of trusted CA certificate ids from a TLS
profile.
Command
tls-profile tlsprofileid no ca-cert-list certid1 [certid2] [certid3] ... [certid8]

Arguments
tlsprofileid
This is the identifier of the TLS Profile.
ca-cert-list
This is the list of CA certificate ids that need to be removed from the TLS profile.
The above command limits the list of certificate ids to 8 per invocation.
As described in the example, if more than 8 certificate ids need to be removed from a TLS
profile, the CLI command is run several times.

Example
-> tls-profile 2 no ca-cert-list 1 2 3 4 5 6 7 8
-> tls-profile 2 no ca-cert-list 9 10
-> show tls-profile
+---------+----------------------+-------+---------------+-------+-----------------------+
! TLS     ! Name                 ! Local ! Renegotiation ! CA    ! CA                    !
! profile !                      ! cert. ! period        ! check ! cert.                 !
! id      !                      ! id    ! (hours)       !       ! id(s)                 !
+---------+----------------------+-------+---------------+-------+-----------------------+
! 1       ! tls-prof-doamain1    ! 1     ! 1             ! Yes   ! 1                     !
! 2       ! tls-prof-sipp-server ! 1     ! 1             ! Yes   !                       !
+---------+----------------------+-------+---------------+-------+-----------------------+

CA certificates

Purpose

The SFW supports TLS with mutual authentication (each side must present its X509
certificate). This is the typical authentication mode in SIP peering (cf static mode of [SIP
connect] referenced document).
Two types of X509v3 certificates are handled by the SFW:

Local certificate used to identify the SFW,

CA certificates used to check the validity of the rpoc certificates:


All the CA certificates of the rpoc "signing chain" must be imported on the SFW
in order to check the validity of the rpoc certificate.

This paragraph provides information about the management of the X509 certificates of the
Certification Authority (CA). It describes how to import a CA certificate, how to check
the content of the imported CA certificate and how to check the SFW configuration
related with CA certificates.


Summary of the CLI for CA certificates management

CA certificates
import certificate ca ca-certid [name description]
certificate ca ca-certid name description
no certificate ca ca-certid
show certificate ca pem ca-certid
show certificate ca details ca-certid
show certificate ca ca-certid
show certificate ca

Remark about the show commands:

The following CLI commands:

show certificate ca details ca-certid,
show certificate ca ca-certid,
show certificate ca

allow the operator to read attributes of the X509 certificates such as Subject Common
Name, Issuer Common Name, validity dates etc.
When the SFW is managed by an OMC-P, such details are taken into account by a
Certificate Manager residing on the OMC-P that may bring more added value.
In addition, the SNMP interface between OMC-P and SFW allows the OMC-P to retrieve
the CA certificates in PEM base64 format, in the same way as the command show
certificate ca pem ca-certid.


import certificate ca ca-certid [name description]


Purpose
This command allows the operator to import on the SFW a CA (Certification Authority)
certificate in PEM base64 format.
Command
import certificate ca ca-certid [name description] <Copy/Paste certificate>

Arguments
ca-certid
This is the identifier of the CA certificate.
Up to 64 CA certificates can be imported.
name
This attribute is optional. If omitted during the import phase, the name of the CA
certificate can be later specified via the command certificate ca ca-certid name
description. The description of the CA certificate is limited to 32 characters.

<Copy/Paste certificate>
After the carriage return, the operator pastes the certificate in PEM base64 format.

Example
-> import certificate ca 64
Please copy and then paste below the certificate in PEM Base64
SSLeay format ...
-----BEGIN CERTIFICATE-----
MIIDWTCCAsKgAwIBAgIJANKXS3v3iVunMA0GCSqGSIb3DQEBBQUAMHwxCzAJBgNV
BAYTAkZyMQ8wDQYDVQQIEwZGcmFuY2UxEDAOBgNVBAcTB09ydmF1bHQxDDAKBgNV
CM5btYl6pzhv89v3rfniPlCOle+IfFkgFi8cYhaB5p1txfvY5oTBC5Fm6lVzqBKv
AgMBAAGjgeIwgd8wHQYDVR0OBBYEFH0WXCkG/Kve4CxF2jrIrZM3WKujMIGvBgNV
EDAOBgNVBAMTB25ld3lvcmuCCQDSl0t794lbpzAMBgNVHRMEBTADAQH/MA0GCSqG
SIb3DQEBBQUAA4GBAGuXhqH+qynbueiJmrRVb12/lgmMaHaNiKeOaUupYK+RoSOh
FLmUIHN4e9b0YpujOMBOKxFeuyP4dNT1i11KPADGoha18vZke/YgiV4sBvT+amLM
IhspzdKn88JQftfANA2/iEJksrUX2Z5RH4Ff9RYnwk1xnKw2gP2RG+xCa/lA
-----END CERTIFICATE-----
Command successful


certificate ca ca-certid name description



Purpose
This command allows the operator to add or modify the name of a CA (Certification Authority)
certificate previously imported.
Command
certificate ca ca-certid name description

Arguments
ca-certid
This is the identifier of the CA certificate.
name
The description of the CA certificate is limited to 32 characters.

Example
-> certificate ca 64 name alcatel-lucent.cert


no certificate ca ca-certid

Purpose
This command allows the operator to suppress a CA (Certification Authority) certificate
previously imported.
Command
no certificate ca ca-certid

Arguments
ca-certid
This is the identifier of the CA certificate.

Example
-> no certificate ca 64


show certificate ca pem ca-certid



Purpose
This command allows the operator to retrieve a CA certificate in PEM base64 format.
It provides also information such as the name associated with the CA certificate and its validity
period.
Command
show certificate ca pem ca-certid

Arguments
ca-certid
This is the identifier of the CA certificate.

Example
-> show certificate ca pem 1
----- Cert Id=1; Cert Name= CA1.crt -----
Certificate in PEM Base64 format:
-----BEGIN CERTIFICATE-----
MIIDWTCCAsKgAwIBAgIJANKXS3v3iVunMA0GCSqGSIb3DQEBBQUAMHwxCzAJBgNV
BAYTAkZyMQ8wDQYDVQQIEwZGcmFuY2UxEDAOBgNVBAcTB09ydmF1bHQxDDAKBgNV
BAoTA0FMVTEqMCgGA1UECxMhU0ZXIHRlc3RiZWQgQ2VydGlmaWNhdGUgQXV0aG9y
aXR5MRAwDgYDVQQDEwduZXd5b3JrMB4XDTExMDkwNzA5NTEzNFoXDTE2MDkwNTA5
NTEzNFowfDELMAkGA1UEBhMCRnIxDzANBgNVBAgTBkZyYW5jZTEQMA4GA1UEBxMH
T3J2YXVsdDEMMAoGA1UEChMDQUxVMSowKAYDVQQLEyFTRlcgdGVzdGJlZCBDZXJ0
aWZpY2F0ZSBBdXRob3JpdHkxEDAOBgNVBAMTB25ld3lvcmswgZ8wDQYJKoZIhvcN
SIb3DQEBBQUAA4GBAGuXhqH+qynbueiJmrRVb12/lgmMaHaNiKeOaUupYK+RoSOh
FLmUIHN4e9b0YpujOMBOKxFeuyP4dNT1i11KPADGoha18vZke/YgiV4sBvT+amLM
IhspzdKn88JQftfANA2/iEJksrUX2Z5RH4Ff9RYnwk1xnKw2gP2RG+xCa/lA
-----END CERTIFICATE-----
Certificate dates validity checking is OK : notBefore=Sep 7 09:51:34 2011 GMT < current date=Oct 19 10:03:12 2011 < notAfter=Sep 5 09:51:34 2016 GMT

Command successful


show certificate ca details ca-certid



Purpose
This command allows the operator to decode a CA certificate, previously imported in PEM format,
and check that it contains the correct information.
Command
show certificate ca details ca-certid

Arguments
ca-certid
This is the identifier of the CA certificate.

Example
-> show certificate ca details 2
----- Cert Id=2; Cert Name= CA2.crt -----
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 5 (0x5)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=Fr, ST=France, L=Orvault, O=ALU, OU=SFW testbed Certificate Authority, CN=newyork
        Validity
            Not Before: Sep 13 12:05:36 2011 GMT
            Not After : Sep 12 12:05:36 2012 GMT
        Subject: C=Fr, ST=France, O=CA2, CN=myCA2
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:a9:3f:9e:12:5e:40:97:ff:5f:55:a2:b1:56:6b:
                    40:18:b4:2b:1d:4e:c4:5e:ac:42:8c:85:fa:83:96:
                    1c:4f:55:8e:03:42:f1:b1:f8:61:d8:ca:e2:7f:81:
                    6d:56:6d:fb:a9:d0:9c:88:e2:a7:3c:22:47:c0:bb:
                    fa:4d:de:90:fd:80:26:95:72:a7:9a:cc:34:3a:42:
                    f8:43:39:c6:2c:c7:61:ba:65
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                10:00:CE:58:D3:A1:9E:54:D1:AC:AE:E2:96:48:9F:D1:D3:E8:D6:0D
            X509v3 Authority Key Identifier:
                keyid:7D:16:5C:29:06:FC:AB:DE:E0:2C:45:DA:3A:C8:AD:93:37:58:AB:A3
    Signature Algorithm: sha1WithRSAEncryption
        39:41:bd:2d:52:2e:dc:b1:96:35:b0:74:ed:fa:bc:1e:8e:2c:
        73:7d:17:da:01:71:04:4a:f1:ab:a3:9d:74:6d:a6:20:92:be:
        ed:67:51:a4:68:a3:55:ad:41:c0:84:b2:29:67:bd:84:69:49:
        00:66
Certificate dates validity checking is OK : notBefore=Sep 13 12:05:36 2011 GMT < current date=Oct 19 11:55:58 2011 < notAfter=Sep 12 12:05:36 2012 GMT
Command successful


show certificate ca ca-certid



Purpose
This command allows the operator to read the main attributes of a CA certificate.
Command
show certificate ca ca-certid

Arguments
ca-certid
This is the identifier of the CA certificate.

Example
-> show certificate ca 2
+-------+---------+---------+---------+----------+----------+
! CA    ! Cert.   ! Subject ! Issuer  ! Dates    ! Private  !
! cert. ! Name    ! Common  ! Common  ! Validity ! key      !
! id    !         ! Name    ! Name    !          ! matching !
+-------+---------+---------+---------+----------+----------+
! 2     ! CA2.crt ! myCA2   ! newyork ! OK       ! n/s      !
+-------+---------+---------+---------+----------+----------+
1 elements
Subject C/ST/L                     : Fr/France/
Subject /O/OU/Email                : /CA2//
Issuer C/ST/L                      : Fr/France/Orvault
Issuer /O/OU/Email                 : /ALU/SFW testbed Certificate Authority/
X509v3 Subject Alternative Name(s) :

Command successful


show certificate ca

Purpose
This command allows the operator to list all CA certificates imported on the SFW with their main
attributes.
Command
show certificate ca

Example
-> show certificate ca
+-------+----------------+---------+---------+----------+----------+
! CA    ! Cert.          ! Subject ! Issuer  ! Dates    ! Private  !
! cert. ! Name           ! Common  ! Common  ! Validity ! key      !
! id    !                ! Name    ! Name    !          ! matching !
+-------+----------------+---------+---------+----------+----------+
! 1     ! CA1.crt        ! newyork ! newyork ! OK       ! n/s      !
! 2     ! CA2.crt        ! myCA2   ! newyork ! OK       ! n/s      !
! 3     ! CA3.crt        ! myCA3   ! myCA2   ! OK       ! n/s      !
! 4     ! CA4.crt        ! myCA4   ! myCA3   ! OK       ! n/s      !
! 5     ! CA5.crt        ! myCA5   ! myCA4   ! OK       ! n/s      !
! 6     ! CA6.crt        ! myCA6   ! myCA5   ! OK       ! n/s      !
! 7     ! CA7.crt        ! myCA7   ! myCA6   ! OK       ! n/s      !
! 8     ! CA8.crt        ! myCA8   ! myCA7   ! OK       ! n/s      !
! 9     ! CA9.crt        ! myCA9   ! myCA8   ! OK       ! n/s      !
! 10    ! CA10.crt       ! myCA10  ! myCA9   ! OK       ! n/s      !
! 11    ! CA11.crt       ! myCA11  ! myCA10  ! OK       ! n/s      !
+-------+----------------+---------+---------+----------+----------+
Command successful


Local X509 certificates and Private Keys

Purpose

The SFW supports TLS with mutual authentication (each side must present its X509
certificate). This is the typical authentication mode in SIP peering (cf static mode of [SIP
connect] referenced document).
Two types of X509v3 certificates are handled by the SFW:

Local certificate used to identify the SFW,

CA certificates used to check the validity of the rpoc certificates:


All the CA certificates of the rpoc "signing chain" must be imported on the SFW
in order to check the validity of the rpoc certificate.

This paragraph provides information about the management of the local X509 certificates.
It describes how to import and check the content of a local certificate and its related
Private Key.

The local X509 certificates may result from a CSR (Certificate Signing Request)
generated on the SFW. This avoids exposing the related Private Key.


Summary of the CLI for SFW local certificates management

SFW Local certificates
import certificate local certid [name description]
import certificate local privatekey certid [password pwd] [name description]
certificate local certid name description
no certificate local certid
show certificate local pem certid
show certificate local details certid
show certificate local certid
show certificate local
certificate local certid request common-name common_name email email_address country
country_name state state_or_province_name locality locality_name organization organization_name
organizational-unit organizational_unit_name [subject-alt-name subject_alt_name] [name description]

Remark about the show commands:

The following CLI commands:

show certificate local details certid,
show certificate local certid,
show certificate local

allow the operator to read attributes of the local X509 certificates such as Subject
Common Name, Issuer Common Name, validity dates etc.
When the SFW is managed by an OMC-P, such details are taken into account by a
Certificate Manager residing on the OMC-P that may bring more added value.
In addition, the SNMP interface between OMC-P and SFW allows the OMC-P to retrieve
the local certificates in PEM base64 format, in the same way as the command show
certificate local pem certid.


import certificate local certid [name description]


Purpose
This command allows the operator to import on the SFW a local X509 certificate in PEM base64
format.
A SFW local certificate authenticates the SFW side of the TLS connection whereas a CA
certificate is used to authenticate a peer.
Importation of a local X509 certificate must be followed or preceded by the importation of its
related Private Key. There is one exception: when the local X509 certificate results from a CSR
(Certificate Signing Request) generated locally on the SFW, the importation of the related
Private Key is not required since the key never left the SFW.
The operator may import either the certificate or the private key first. Both are tied by the
same certid.
Command
import certificate local certid [name description] <Copy/Paste certificate>

Arguments
certid
This is the identifier of the SFW local certificate and its related Private Key.
Up to 32 local certificates can be imported.
name
This attribute is optional. If omitted during the import phase, the name of the local
certificate can be later specified via the command certificate local certid name
description. The description of the local certificate is limited to 32 characters.
<Copy/Paste certificate>
After the carriage return, the operator pastes the certificate in PEM base64 format.
Example
-> import certificate local 2 name sfw-westford
Please copy and then paste below the certificate in PEM Base64
SSLeay format ...
-----BEGIN CERTIFICATE-----
MIIDWTCCAsKgAwIBAgIJANKXS3v3iVunMA0GCSqGSIb3DQEBBQUAMHwxCzAJBgNV
BAYTAkZyMQ8wDQYDVQQIEwZGcmFuY2UxEDAOBgNVBAcTB09ydmF1bHQxDDAKBgNV
-----END CERTIFICATE-----


import certificate local privatekey certid [password pwd]



Purpose
This command allows the operator to import on the SFW a Private Key in PEM base64 format
related to a local X509 certificate.
Importation of a Private Key must be followed or preceded by the importation of its related local
X509 certificate. Both will be tied by the same certid.

Command
import certificate local privatekey certid [password pwd] [name description]
<Copy/Paste certificate>

Arguments
certid
This is the identifier of the SFW local certificate and its related Private Key.
Up to 32 local certificates can be imported.
name
This attribute is optional. It provides a name for the local certificate related to the private
key currently imported.
If omitted during the import phase of the private key, the name of the local certificate can
be later specified either during the importation of the local certificate or via the command
certificate local certid name description. The description of the local
certificate is limited to 32 characters.
password
If the Private Key is encrypted the password must be supplied during the importation of
the private Key.

<Copy/Paste certificate>
After the carriage return, the operator pastes the Private Key in PEM base64 format.

Example
-> import certificate local privatekey 2
Please copy and then paste below the certificate in PEM Base64
SSLeay format ...
-----BEGIN RSA PRIVATE KEY-----
MIICXQIBAAKBgQDFCbmOTEaVD3dJ26QSWKZ92TaDFfobxfjdnFVxYhi3hWPGD3uk
DDjqhWnV1BQsEHfGXpvyV/WNUnoI2hZpsjL8XgjWy5ZA/SASpptGfnXwbd6K4FGu
29azGKD+WGKd+oPljlqp3+9rLNnD53fqlNWobM/RO2Pfp9r0Py19ugk3vQJBAK7f
+eTEKS2/ZlwGuRgVAMBhkzwnTasZkChhQpBRNN0cdLfVnE0P3VrkDGa+MaoDL9zY
l4xdMnjjXqa3FRve77ECQQCKZKudL7a6XrZRZl+2T3PpM8gOQ8sLqzG4J2+VkzBy
P/JXZxrJX1oXifJPtWd5y6z5Wjc7JXyYUtatWB3WY2g0
-----END RSA PRIVATE KEY-----

Remark
Note that the private keys are not stored in the SFW configuration file in the form in which
they were imported: they are stored ciphered, and a show command only outputs the ciphered
PEM form (see show certificate local pem certid), never the key in clear.


certificate local certid name description



Purpose
This command allows the operator to add or modify the name of a local certificate previously
imported.
Command
certificate local certid name description

Arguments
certid
This is the identifier of the SFW local certificate.
name
The description of the local certificate is limited to 32 characters.

Example
-> certificate local 1 name sfw5.cert


no certificate local certid



Purpose
This command allows the operator to suppress a local certificate previously imported. This
command suppresses at the same time the Private Key with the same certid.
Command
no certificate local certid

Arguments
certid
This is the identifier of the SFW local certificate.

Example
-> no certificate local 1


show certificate local pem certid



Purpose
This command allows the operator to retrieve a local certificate in PEM base64 format.
The X509 part of the local certificate can then be exported. The Private Key part is displayed
only in its ciphered PEM form (Proc-Type: 4,ENCRYPTED): the key cannot be exported in clear
through this command.
This command also provides information such as the name associated with the local certificate,
its validity period and whether the local certificate matches its Private Key (comparison of the
RSA modulus).
Command
show certificate local pem certid

Arguments
certid
This is the identifier of the local certificate.

Example
-> show certificate local pem 1
----- Cert Id=1; Cert Name= sfw5.cert -----
Certificate in PEM Base64 format:
-----BEGIN CERTIFICATE-----
MIIC8TCCAlqgAwIBAgIBBjANBgkqhkiG9w0BAQUFADB8MQswCQYDVQQGEwJGcjEP
ZbCgF7CYoX6C1Xm6q6E5ct1eAdDkZaYuyo6hkPOJn3MnnJ1erw==
-----END CERTIFICATE-----
Certificate dates validity checking is OK : notBefore=Oct 6 15:31:24 2011 GMT < current date=Oct 19 13:33: < notAfter=Oct 5 15:31:24 2012 GMT
Private Key in PEM Base64 format:
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,E28F48920FAD24FA

QpzjZSVF1Iu2GRirxUfvUiNAWZmGaWwzXo4wP02EMwYi1uQkwlT7JCrcHsaI9+XP
eyMx00YdgcWieN269iGQGm9wPSa9ms2qfXrw/RolQynEZsr7vxwzr2G/gD/tOc8z
HitDDsEgFTutDVxG/kzkNWT099p/dWXFzUzqspt2Dwvzzuye1HrBP0GFlJ/fXzKJ
CXv4ctyO6U3nblu7szWK21Cez+5xizaptrWs+APQ0qMMlSQXE4EjYg==
-----END RSA PRIVATE KEY-----
Key modulus of certificate public key is matching with the one of the Private Key

show certificate local details certid


Purpose
This command allows the operator to decode a local certificate, previously imported in PEM format,
and check that it contains the correct information.
Command
show certificate local details certid

Arguments
certid
This is the identifier of the local certificate.

Example
-> show certificate local details 1
----- Cert Id=1; Cert Name= sfw5.cert ----Certificate:
Data:
Version: 3 (0x2)
Serial Number: 6 (0x6)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=Fr, ST=France, L=Orvault, O=ALU, OU=SFW testbed Certificate Authority, CN=newyork
Validity
Not Before: Oct 6 15:31:24 2011 GMT
Not After : Oct 5 15:31:24 2012 GMT
Subject: C=Fr, ST=France, L=Orvault, O=ALU, OU=SFW_testbed, CN=sfw5/emailAddress=sfw5@orvault.fr
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:c5:09:b9:8e:4c:46:95:0f:77:49:db:a4:12:58:
a6:7d:d9:36:83:15:fa:1b:c5:f8:dd:9c:55:71:62:
46:a3:09:94:00:c4:65:ed:0a:44:d8:bf:61:27:0c:
6d:83:55:6c:84:be:83:6b:2f
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
84:15:47:37:C8:BE:E9:A6:81:2C:24:E9:67:18:F4:ED:C4:C6:BE:B6
X509v3 Authority Key Identifier:
keyid:7D:16:5C:29:06:FC:AB:DE:E0:2C:45:DA:3A:C8:AD:93:37:58:AB:A3
Signature Algorithm: sha1WithRSAEncryption
74:a5:c2:d4:06:4a:93:23:f1:ad:2e:fa:c2:b9:83:40:ab:83:
f6:65:b0:a0:17:b0:98:a1:7e:82:d5:79:ba:ab:a1:39:72:dd:
5e:01:d0:e4:65:a6:2e:ca:8e:a1:90:f3:89:9f:73:27:9c:9d:
5e:af
Certificate dates validity checking is OK : notBefore=Oct 6 15:31:24 2011 GMT < current
date=Oct 19 14:05:40 2011 < notAfter=Oct 5 15:31:24 2012 GMT
Key modulus of certificate public key is matching with the one of the Private Key
Command successful
show certificate local certid


Purpose
This command allows the operator to read the main attributes of a local certificate.
It permits also to check that the local certificate and its private key are matching.
Command
show certificate local certid
Arguments
certid
This is the identifier of the local certificate.

Example
-> show certificate local 1
+-------+-----------+---------+---------+----------+----------+
! Local ! Cert.     ! Subject ! Issuer  ! Dates    ! Private  !
! cert. ! Name      ! Common  ! Common  ! Validity ! key      !
! id    !           ! Name    ! Name    !          ! matching !
+-------+-----------+---------+---------+----------+----------+
! 1     ! sfw5.cert ! sfw5    ! newyork ! OK       ! matching !
+-------+-----------+---------+---------+----------+----------+
1 elements
Subject C/ST/L                     : Fr/France/Orvault
Subject /O/OU/Email                : /ALU/SFW_testbed/sfw5@orvault.fr
Issuer C/ST/L                      : Fr/France/Orvault
Issuer /O/OU/Email                 : /ALU/SFW testbed Certificate Authority/
X509v3 Subject Alternative Name(s) :
Command successful

show certificate local


Purpose
This command allows the operator to list all local certificates imported on the SFW with their
main attributes.
Command
show certificate local

Example
-> show certificate local
+-------+-----------+---------+---------+----------+----------+
! Local ! Cert.     ! Subject ! Issuer  ! Dates    ! Private  !
! cert. ! Name      ! Common  ! Common  ! Validity ! key      !
! id    !           ! Name    ! Name    !          ! matching !
+-------+-----------+---------+---------+----------+----------+
! 1     ! sfw5.cert ! sfw5    ! newyork ! OK       ! matching !
! 2     ! sfw6.cert ! sfw6    ! newyork ! OK       ! matching !
! 3     ! sfw7.cert ! sfw7    ! newyork ! OK       ! matching !
+-------+-----------+---------+---------+----------+----------+
Command successful

certificate local certid request


Purpose
This command formats a certificate signing request (CSR), in PEM base64 format, for a local
certificate. It also generates an associated 2048-bit RSA private key if no key already exists
for this cert id. The PEM base64 part displayed by the output of this command can be
copied and pasted into a file to be sent to the relevant certification authority that may sign it. The
resulting signed certificate must be imported through the standard import procedure (import
certificate local certid) with the same cert id in order to be consistent with the private key part.

Figure: certificate request flow. 1/ Certificate request creation by the root user on the SFW (local certificate: certificate part and private key part); 2/ Certificate signing request (CSR) sent to the Certification Authority; 3/ Certificate importation of the signed certificate into the SFW.
Command
certificate local certid request common-name common_name email email_address
country country_name state state_or_province_name locality locality_name
organization organization_name organizational-unit organizational_unit_name
[subject-alt-name subject_alt_name] [name description]

Arguments
certid
This is the identifier of the local certificate.
common-name
The fully qualified domain name (FQDN) of your SFW.
email
An email address used to contact your organization.
country
The two-letter ISO code for the country where your organization is located.
state
The state/region where your organization is located. This should not be abbreviated.
locality
The city where your organization is located.
organization
The legal name of your organization. This should not be abbreviated and should
include suffixes such as Inc, Corp, or LLC.
organizational-unit
The division of your organization handling the certificate.
subject-alt-name
The subject alternative name extension allows various literal values. These include
email (an email address), URI (a uniform resource identifier), DNS (a DNS
domain name) and IP (an IP address).
In case of interconnection with an IP-PBX, and to be compliant with the SIPconnect 1.1
Technical Recommendation ("SIP-PBX / Service Provider Interoperability"),
the recommended format for the subject-alt-name is a SIP URI formatted as in
the following example:
Example: URI:sip:sfw4.alcatel-lucent.com

Example
-> certificate local 4 request common-name sfw4 email sfw4@orvault.fr country Fr state France locality Orvault organization ALU organizational-unit SFW-Testbed subject-alt-name URI:sip:sfw4.alcatel-lucent.com name sfw4.cert
... generating private key for this local certificate (none existing)
Certification request for this local certificate in PEM Base64 format:
-----BEGIN CERTIFICATE REQUEST-----
MIIC5TCCAc0CAQAwgYMxDTALBgNVBAMTBHNmdzQxHjAcBgkqhkiG9w0BCQEWD3Nm
-----END CERTIFICATE REQUEST-----
Command successful
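The request, signing and import steps above, followed by the checks that show certificate local reports (dates validity, key modulus matching the private key, subject-alt-name), reproduced with the openssl CLI as an added example; this is not code from the guide or the SFW. The throw-away CA, the $WORK directory, the file names and the sample subject values are assumptions of this example.

```shell
#!/bin/sh
# Added example (not part of the 7510-SFW guide): reproduce with the openssl
# CLI what "certificate local <certid> request" does and the checks that
# "show certificate local" reports, so the same verification can be done on a
# workstation before a certificate is imported. Assumed for this example: a
# throw-away CA standing in for the real certification authority, files kept
# under $WORK, and constructed subject values (sfw4 / orvault.fr / ALU).
set -eu

WORK="${WORK:-$(mktemp -d)}"

# 1/ Certificate request creation. Arguments mirror the CLI: common-name,
#    email, country, state, locality, organization, organizational-unit and
#    subject-alt-name (SIPconnect style: URI:sip:<fqdn>). The key is 2048-bit
#    RSA as in the guide. The SAN is also written to a small extension file,
#    because "openssl x509 -req" does not copy CSR extensions on older releases.
make_csr() {
    cn="$1" email="$2" country="$3" state="$4" locality="$5"
    org="$6" ou="$7" san="$8"
    openssl genrsa -out "$WORK/$cn.key" 2048 2>/dev/null
    openssl req -new -key "$WORK/$cn.key" -out "$WORK/$cn.csr" \
        -subj "/C=$country/ST=$state/L=$locality/O=$org/OU=$ou/CN=$cn/emailAddress=$email" \
        -addext "subjectAltName=$san"
    printf 'subjectAltName=%s\n' "$san" > "$WORK/$cn.ext"
}

# 2/ + 3/ The CA signs the CSR; the result is what would be imported back with
#    the same cert id. A local test CA (issuer CN=newyork, as in the guide's
#    sample output) is created on first use.
sign_csr() {
    cn="$1" days="$2"
    if [ ! -f "$WORK/ca.key" ]; then
        openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
            -keyout "$WORK/ca.key" -out "$WORK/ca.crt" \
            -subj "/C=Fr/ST=France/L=Orvault/O=ALU/OU=SFW testbed Certificate Authority/CN=newyork" \
            2>/dev/null
    fi
    openssl x509 -req -in "$WORK/$cn.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days "$days" -extfile "$WORK/$cn.ext" \
        -out "$WORK/$cn.crt" 2>/dev/null
}

# "Key modulus of certificate public key is matching with the one of the
# Private Key": compare the RSA modulus carried by the certificate with the
# modulus of the key file. Returns 0 on match, 1 otherwise.
key_matches_cert() {
    cert_mod=$(openssl x509 -in "$1" -noout -modulus)
    key_mod=$(openssl rsa -in "$2" -noout -modulus 2>/dev/null)
    [ -n "$cert_mod" ] && [ "$cert_mod" = "$key_mod" ]
}

# "Certificate dates validity checking is OK": returns 0 when the certificate
# is still valid for at least $2 more seconds (0 = right now), 1 when it has
# expired or will expire within that window.
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "${2:-0}" >/dev/null
}

# Subject Alternative Name check: returns 0 if the certificate carries the
# given URI SAN (e.g. sip:sfw4.alcatel-lucent.com).
has_uri_san() {
    openssl x509 -in "$1" -noout -text | grep -q "URI:$2"
}

# Stand-alone run: request, sign, then report what "show certificate local"
# would report for this certificate.
demo() {
    make_csr sfw4 sfw4@orvault.fr Fr France Orvault ALU SFW-Testbed \
        URI:sip:sfw4.alcatel-lucent.com
    sign_csr sfw4 365
    openssl x509 -in "$WORK/sfw4.crt" -noout -subject -issuer -dates
    if key_matches_cert "$WORK/sfw4.crt" "$WORK/sfw4.key"; then
        echo "Key modulus of certificate public key is matching with the one of the Private Key"
    else
        echo "Private key does NOT match the certificate"
    fi
    if cert_valid_for "$WORK/sfw4.crt" 0; then
        echo "Certificate dates validity checking is OK"
    else
        echo "Certificate is expired"
    fi
}

demo
```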

11 Internal DNS server

Purpose

This paragraph provides information about the configuration of the SFW internal DNS
server intended to resolve names of Untrusted Peering-Points.

Introduction

With the current release, the SFW does not perform DNS requests toward an external DNS
server to resolve FQDNs that may appear in SIP headers.
The SFW implements its own internal DNS server.

FQDN in incoming messages received from Peer Networks

The SFW checks that the FQDN included in the top Record-Route and top Via headers can be
resolved via the SFW internal DNS server. This check ensures that SIP responses and
subsequent requests coming from the MGC8 IBCF will be routable.
The SFW does not check that the FQDN included in the Route header or Request-URI can be resolved via
its internal DNS server. In that case an FQDN does not prevent the MGC8 IBCF CCS
selection.

FQDN in outgoing messages received from the MGC8

In case of a SIP request, after removing its own Routes, the SFW checks that the FQDN included in
the top Route, if any, can be resolved via the SFW internal DNS server.
In case of a SIP request, after removing its own Routes, the SFW checks that the FQDN included in
the Request-Line, if there is no more Route header, can be resolved via the SFW internal
DNS server. This ensures that the SIP message will be properly routed.
In case of a SIP response, after removing its own Via, the SFW checks that the FQDN included in
the top Via can be resolved via the SFW internal DNS server.

Summary of the CLI for the internal DNS management


SFW internal DNS
dns-internal dns-entry-id name rpoc-name peer-net netid ip address
dns-internal dns-entry-id name rpoc-name
dns-internal dns-entry-id peer-net netid
dns-internal dns-entry-id ip address
dns-internal dns-entry-id no ipv4
dns-internal dns-entry-id no ipv6
show dns-internal

dns-internal dns-entry-id name peer-net ip


Purpose
The purpose of that command is to create a DNS entry in the internal DNS server of the SFW.
Command
dns-internal dns-entry-id name rpoc-name peer-net netid ip address
Arguments
dns-entry-id
This is the identifier of the DNS entry. Up to 2047 DNS entries can be created.
rpoc-name
This is the FQDN of the Remote POC.
netid
This is the identifier of the Peer Network.
address
This is the IP address, IPv4 or IPv6, matching the FQDN specified for that entry.
Note that in case of dual stack IPv4/IPv6, you need to specify one address at the creation
of the DNS entry and then add the other address via the CLI command
dns-internal dns-entry-id ip address.

Example
-> dns-internal 1 name proxyA.biloxy.com peer-net 20 ip 172.23.8.9
-> dns-internal 1 ip 2001:8::172:23:8:9

dns-internal dns-entry-id name rpoc-name


Purpose
The purpose of that command is to modify the FQDN of a DNS entry in the internal DNS server of
the SFW.
Command
dns-internal dns-entry-id name rpoc-name
Arguments
dns-entry-id
This is the identifier of the DNS entry.
rpoc-name
This is the FQDN of the Remote POC.
Example
-> dns-internal 1 name B2B.biloxy.com

dns-internal dns-entry-id peer-net netid


Purpose
The purpose of that command is to modify the Peer Network identifier of a DNS entry in the
internal DNS server of the SFW.
Command
dns-internal dns-entry-id peer-net netid
Arguments
dns-entry-id
This is the identifier of the DNS entry.
netid
This is the Peer-Network identifier.
Example
-> dns-internal 1 peer-net 20

dns-internal dns-entry-id ip address


Purpose
The purpose of that command is to modify the IP address associated with a FQDN in a DNS entry
in the internal DNS server of the SFW.
Command
dns-internal dns-entry-id ip address
Arguments
dns-entry-id
This is the identifier of the DNS entry.
address
This is the IP address, IPv4 or IPv6, matching the FQDN specified for that entry.
Note that in case of dual stack IPv4/IPv6, you need to specify one address at the creation
of the DNS entry and then add the other address via this CLI command.

Example
-> dns-internal 1 ip 2001:7::182:13:21:4

dns-internal dns-entry-id no ipv4


Purpose
The purpose of that command is to remove the IP v4 address associated with a FQDN in a DNS
entry in the internal DNS server of the SFW.
Command
dns-internal dns-entry-id no ipv4
Arguments
dns-entry-id
This is the identifier of the DNS entry.

Example
-> dns-internal 1 no ipv4

dns-internal dns-entry-id no ipv6


Purpose
The purpose of that command is to remove the IP v6 address associated with a FQDN in a DNS
entry in the internal DNS server of the SFW.
Command
dns-internal dns-entry-id no ipv6
Arguments
dns-entry-id
This is the identifier of the DNS entry.

Example
-> dns-internal 1 no ipv6

show dns-internal
Purpose
The purpose of that command is to display the configuration of the internal DNS server.
Command
show dns-internal [peer-net netid]
Arguments
netid
Optionally, the identifier of a Peer-Network can be specified to display only the DNS
entries related to that Peer-Network.
Output Definition
Name & IP address
Display the possible resolution of FQDN representing peering-points on the Untrusted side
of the firewall.
Validity
To be used during FQDN resolution, an IP address configured in the SFW internal DNS
must match an IP address configured as peering-point (rpoc) for the specified peer-net.
o invalid means that the address is not yet configured as peering-point in
the peer-network.
o V4 only means that the IPv4 address matches a peering-point whereas the
IPv6 address, if any, is not yet configured as peering-point.
o V6 only means that the IPv6 address matches a peering-point whereas the
IPv4 address, if any, is not yet configured as peering-point.
o V4 and V6 means that both the IPv4 and IPv6 addresses match
the peering-point configuration.

Example
-> show dns-internal
+-----+----------+-------------------+---------------------------------------+----------+
! idx ! peer-net ! name              ! IP address                            ! Validity !
+-----+----------+-------------------+---------------------------------------+----------+
! 1   ! 20       ! proxyA.biloxy.com ! 172.23.8.9 2001:8::172:23:8:9         ! V4 & V6  !
! 2   ! 7        ! proxyA.biloxy.com ! 172.22.7.35                           ! V4 only  !
! 3   ! 5        ! proxyA.biloxy.com ! 172.20.5.33                           ! V4 only  !
! 6   ! 10       ! proxyA.biloxy.com ! 172.24.90.10 2001:90::172:24:90:10    ! V6 only  !
! 8   ! 3        ! proxyA.biloxy.com ! 172.18.3.9                            ! invalid  !
! 9   ! 4        ! proxyA.biloxy.com ! 172.19.4.35 2001:4::172:19:4:35       ! V4 & V6  !
! 10  ! 6        ! proxyA.biloxy.com ! 172.21.6.33 2001:6::172:21:6:33       ! V4 & V6  !
! 12  ! 11       ! proxyA.biloxy.com ! 172.16.11.50 2001:11::172:16:11:50    ! V4 & V6  !
+-----+----------+-------------------+---------------------------------------+----------+

-> show dns-internal peer-net 7
+-----+----------+-------------------+-------------+----------+
! idx ! peer-net ! name              ! IP address  ! Validity !
+-----+----------+-------------------+-------------+----------+
! 2   ! 7        ! proxyA.biloxy.com ! 172.22.7.35 ! V4 only  !
+-----+----------+-------------------+-------------+----------+

12 Load Balancing Group

Purpose

This paragraph provides information about:

What is the Load-Balancing-Group object.

CLIs to configure the Load-Balancing-Group object.

Introduction

The main features provided by the Load Balancing Group are the following:

Configuration of a set of IP addresses and ports belonging to the IBCF


A Load-Balancing-Group contains the IP information that allows the SIP firewall to reach
the trusted IBCF it protects.
The IBCF can contain several processors for SIP signaling, each of which can support
multiple processes (called CCSs). Currently, all these processes share the same IP address,
but use different signaling port numbers. In a future release, this is expected to change to
separate IP addresses per processor.
In the Load-Balancing-Group object a CCS is referenced as an rpoc: remote point of
contact on the trusted side of the SIP firewall.
To address any kind of IBCF architecture, the SIP firewall accepts any combination of IP
address and port (i.e.: one unique IP address and one port per service blade, or one IP
address per service blade and one unique port).
A Peer Network MUST have a Load Balancing group assigned.
A Load-Balancing-Group can be shared by several Peer Networks.

Load balancing of initial untrusted SIP requests


For the incoming initial SIP message received on the Untrusted side (new INVITE or a
transaction out of an INVITE dialog), the SIP firewall uses the load balancing group
associated with the Peer Network to select one of the remote POCs (IBCF CCSs). Once
selected, the trusted remote POC won't change anymore for the whole SIP dialog or the
out-of-dialog SIP transaction.
Overload Control and rate limiters


The Load-Balancing-Group provides an Overload Control feature thanks to the
configuration of the call and transaction rate limiters.
These rate limiters are applied per remote POC (CCS) to be able to assign different
weights on the IBCF processes.
From rate limiting standpoint, the rate limiters of the remote POCs, within a Load
Balancing Group, are applied after the one associated to the remote Peer Network (see
Security Profile). Since the sum of the rate limiters of the Peer Network associated to the
Load Balancing group can exceed the rate defined for the Load-Balancing-Group, the SIP
firewall processes fair load balancing among the Peer Networks.

Geographical Redundancy
The SIP firewall can protect a geographically redundant IBCF.
To address this case, active and standby remote POCs (CCSs) are similarly declared in the
Load Balancing Group object.
The SFW sends heartbeats (SIP OPTIONS) periodically to each CCS to keep track of
which ones are active. It doesn't send any new INVITEs to a CCS that is not responding to
the heartbeat.
This addresses active/standby IBCF configuration as well as active/active IBCF
configuration.

Load Balancing group and Trusted Local POC association


One Trusted Local POC needs to be associated with each Load-Balancing-Group.
The IP address of the trusted lpoc is the source IP address of the SIP messages sent to the
IBCF CCSs (rpoc).

Summary of the CLI for Load-Balancing-Group management


Load-Balancing-Group
load-balancing-group groupId [enable | disable] [name description]
load-balancing-group GroupId rpoc poc_id ip ip_address [udp[ port] | tcp[ port] | sctp[ port]
| tls[ port]]
load-balancing-group GroupId rpoc poc_id {udp[ port] | tcp[ port] | sctp[ port] | tls[ port]}
load-balancing-group GroupId rpoc poc_id no ipv4
load-balancing-group GroupId rpoc poc_id no ipv6
load-balancing-group GroupId rpoc poc_id no {udp| tcp | sctp | tls}
load-balancing-group GroupId no rpoc poc_id
load-balancing-group GroupId lpoc trusted_lpoc_id
load-balancing-group GroupId no lpoc trusted_lpoc_id
load-balancing-group GroupId vlan vid
load-balancing-group GroupId polling period interval
load-balancing-group GroupId rpoc poc_id call rate call_rate delay sip_msg_delay
load-balancing-group GroupId rpoc poc_id transaction rate trans_rate delay
sip_trans_delay
no load-balancing-group groupId
show load-balancing-group [GroupId]
show load-balancing-group [GroupId] rpoc [poc_id]
show load-balancing-group [GroupId] connectivity

load-balancing-group groupId
Purpose
The purpose of that command is to create a Load-Balancing-Group.
Command
load-balancing-group groupId [enable | disable] [name description]

Arguments
groupId
This is the identifier of the Load-Balancing-Group.
Up to 32 Load-Balancing-Group can be created.

enable | disable
Provides the ability to change the operational status of the Load-Balancing-Group.
description
Description of the Load-Balancing-Group (31 characters)

Example
-> load-balancing-group 1 enable name LBG_1

load-balancing-group groupId rpoc


Purpose
The purpose of that command is to associate an IBCF remote POC (MGC8 CCS process) with a
Load-Balancing-Group.
The Load-Balancing-Group is a collection of CCSs. This command must be run once for
each CCS.
Command
load-balancing-group GroupId rpoc poc_id ip ip_address [udp[ port] | tcp[
port] | sctp[ port] | tls[ port]]
load-balancing-group GroupId rpoc poc_id {udp[ port] | tcp[ port] | sctp[ port]
| tls[ port]}

Arguments
groupId
This is the identifier of the Load-Balancing-Group.
poc_id
This is the identifier of the remote POC (MGC8 CCS process) within a Load-Balancing-Group. Up to 32 rpoc can be defined per Load-Balancing-Group. The same poc_id can be
used for different Load-Balancing-Groups.
ip_address
Defines the IPv4 or IPv6 address of the remote POC.
A remote POC can be dual-stack IPv4/IPv6. In that case the CLI must be run twice, once
to specify the IPv4 address, once to specify the IPv6 address.
port
Optionally the listening port and transport mode of the remote POC can be specified. If
this option is not specified, the port 5060 and UDP transport are configured by default.
It is still possible to modify the listening ports with the following command:
load-balancing-group GroupId rpoc poc_id {udp[ port] | tcp[ port] | sctp[ port] | tls[
port]}

If the transport mode is specified but the port value is omitted then the port will be
assigned automatically. It will be set to 5060 if there is no other transport mode configured

or it will be set automatically to the same value as the one set for the other transport modes
already configured.
A modification of the port value, whatever the transport mode, affects the port value for all
transport modes. This means that all listening port values are equal for a peering point.

Example
-> load-balancing-group 2 rpoc 1 ip 192.168.2.50

Configures the IPv4 address of the remote POC and implicitly the udp port 5060.
-> load-balancing-group 2 rpoc 1 ip 2001:200::192:168:2:50

Configures the IPv6 address of the remote POC.


-> load-balancing-group 2 rpoc 1 tcp

Configures the tcp port with the port value equal to the udp port value.
-> load-balancing-group 2 rpoc 1 udp 5064

Modifies the udp port value. As a consequence other transport mode already
configured are also implicitly configured with the same port value.
-> load-balancing-group 2 rpoc 2 ip 192.168.2.55 udp 5066

Configures IP address and UDP listening port of a remote POC in a single command.

Complementary information

Hereafter is a networking example based on the MGC-8 case where the service blades
(CCS modules) share the same IP address but use different Port numbers to provide SIP
service.

The primary IBCF is configured with a unique IP address (192.168.10.10), and provides 2
SIP service blades on the following ports: 5061, 5062.
The backup IBCF is configured with a unique IP address (192.168.10.20), and provides 2
SIP service blades on the following ports: 5061, 5062.
From the SIP Firewall point of view, these 2 addresses and 4 ports are seen as remote
POCs.
In order to achieve geographical redundancy, the 4 remote POCs (CCSs in MGC8
terminology) are gathered in the same Load Balancing Group 1.
The SIP firewall performs heartbeat request towards the remote POCs sending SIP
OPTIONS messages.
Only available remote POCs are intended to reply to the SIP OPTIONS. Thus, the SIP
firewall may know which processes on the MGC8 are ready to receive SIP Traffic.
This allows support of IBCF processes in an active/standby mode as well as in an
active/active mode.

The resulting CLI commands are:


-> lpoc trusted 1 ip 192.168.20.1 enable name LPOC_TRUSTED_1
-> vlan 20 trusted enable name TRUSTED_VLAN_20
-> vlan 20 subnet 192.168.20.0 mask 255.255.255.252 gw 192.168.20.2 no rip
-> load-balancing-group 1 enable name LBG_1
-> load-balancing-group 1 vlan 20
-> load-balancing-group 1 lpoc 1
-> load-balancing-group 1 rpoc 1 ip 192.168.10.10 udp 5061
-> load-balancing-group 1 rpoc 2 ip 192.168.10.10 udp 5062
-> load-balancing-group 1 rpoc 3 ip 192.168.10.20 udp 5061
-> load-balancing-group 1 rpoc 4 ip 192.168.10.20 udp 5062
-> peer-net 1 load-balancing-group 1

load-balancing-group groupId rpoc no ipv4


Purpose
The purpose of that command is to delete the IPv4 address of an IBCF remote POC (MGC8 CCS
process) within a Load-Balancing-Group.
Command
load-balancing-group GroupId rpoc poc_id no ipv4
Arguments
groupId
This is the identifier of the Load-Balancing-Group.
poc_id
This is the identifier of the remote POC (MGC8 CCS process) within a Load-Balancing-Group.
Example
-> load-balancing-group 2 rpoc 1 no ipv4

load-balancing-group groupId rpoc no ipv6


Purpose
The purpose of that command is to delete the IPv6 address of an IBCF remote POC (MGC8 CCS
process) within a Load-Balancing-Group.
Command
load-balancing-group GroupId rpoc poc_id no ipv6
Arguments
groupId
This is the identifier of the Load-Balancing-Group.
poc_id
This is the identifier of the remote POC (MGC8 CCS process) within a Load-Balancing-Group.
Example
-> load-balancing-group 2 rpoc 13 no ipv6

load-balancing-group groupId rpoc poc_id no {udp | tcp | sctp | tls}

Purpose
The purpose of that command is to remove a transport mode from a remote POC associated with a
Load-Balancing-Group.
Command
load-balancing-group groupId rpoc poc_id no {udp| tcp| sctp| tls}

Arguments
groupId
This is the identifier of the Load-Balancing-Group.
poc_id
This is the identifier of the remote POC (MGC8 CCS process) within a Load-Balancing-Group.
no {udp | tcp | sctp | tls}
Specifies the transport type to be removed from the RPOC.

Example
-> load-balancing-group 2 rpoc 1 ip 192.168.2.50 tcp 5060

Configures the tcp port value to 5060 and also implicitly the udp port value to
5060.
-> load-balancing-group 2 rpoc 1 no udp
Disables the udp transport mode for the remote POC 1 of the Load-Balancing-Group 2.

load-balancing-group groupId no rpoc poc_id


Purpose
The purpose of that command is to remove the association between a remote POC (MGC8 CCS
process) and a Load-Balancing-Group.

Command
load-balancing-group groupId no rpoc poc_id
Arguments
groupId
This is the identifier of the Load-Balancing-Group.
poc_id
This is the identifier of the remote POC (MGC8 CCS process) within the Load-Balancing-Group.

Example
-> load-balancing-group 1 no rpoc 2

load-balancing-group groupId lpoc trusted_lpoc_id


Purpose
The purpose of that command is to associate a Trusted Local Point of Contact (lpoc) with a Load-Balancing-Group.

Command
load-balancing-group groupId lpoc trusted_lpoc_id
Arguments
groupId
This is the identifier of the Load-Balancing-Group.
trusted_lpoc_id
This is the identifier of the Trusted LPOC that has been previously created via the
command lpoc trusted poc_id .

Example
-> load-balancing-group 1 lpoc 1
Associates the Trusted LPOC 1 with the Load-Balancing-Group 1.

load-balancing-group groupId no lpoc trusted_lpoc_id


Purpose
The purpose of that command is to remove the association between a Trusted Local Point of
Contact (lpoc) and a Load-Balancing-Group.

Command
load-balancing-group groupId no lpoc trusted_lpoc_id
Arguments
groupId
This is the identifier of the Load-Balancing-Group.
trusted_lpoc_id
This is the identifier of the Trusted LPOC that has been previously associated with the
Load-Balancing-Group.

Example
-> load-balancing-group 1 no lpoc 1
Removes the association between the Trusted LPOC 1 and the Load-Balancing-Group 1.

load-balancing-group groupId vlan vid


Purpose
The purpose of that command is to associate a Vlan with a Load-Balancing-Group.

Command
load-balancing-group groupId vlan vid

Arguments
groupId
This is the identifier of the Load-Balancing-Group.
vid
This is the identifier of the Vlan that has been previously created with the command vlan
vid.

Example
-> load-balancing-group 1 vlan 20
Creates an association between the Load-Balancing-Group 1 and the Vlan 20.

load-balancing-group groupId no vlan


Purpose
The purpose of that command is to remove the association between a Vlan and a Load-Balancing-Group.

Command
load-balancing-group groupId no vlan
Arguments
groupId
This is the identifier of the Load-Balancing-Group.

Example
-> load-balancing-group 1 no vlan

load-balancing-group groupId polling period interval


Purpose
In order to check the IP/SIP connectivity on the trusted side between the LPOC and the RPOCs
associated within the same Load-Balancing-Group, there are two polling mechanisms:
o A Ping polling is issued periodically, sending ICMP requests from the LPOC to the
RPOCs (IBCF CCSs).
o A SIP polling is issued periodically, sending SIP OPTIONS from the LPOC to the
RPOCs (IBCF CCSs).
The purpose of that command is to modify the period of the Ping and SIP polling occurring
between the LPOC and the RPOCs of a Load-Balancing-Group. By default Ping requests and SIP
OPTIONS are sent every 4 seconds.
ICMP requests and SIP OPTIONS are sent for both IPv4 and IPv6 protocols according to the
RPOC/LPOC configuration.
The status of the CCSs connectivity on the trusted side can be retrieved via the CLI command
show load-balancing-group connectivity.

Command
load-balancing-group groupId polling period interval

Arguments
groupId
This is the identifier of the Load-Balancing-Group.
interval
Sets the value, in seconds, of the polling period interval.

Example
-> load-balancing-group 1 polling period 10

load-balancing-group groupId rpoc poc_id call rate


Purpose
The purpose of that command is to configure the Call Admission Control per remote POC
(rpoc) associated with a Load-Balancing-Group. In the MGC8 terminology the rpoc
represents the CCS entity.
The call admission control applies to initial INVITE SIP messages and allows
dimensioning of the transmit queue depth (call setup queue) that is associated with each
CCS.
By configuring a call setup rate limiter on a Peer Network (thanks to the configuration of a
SIP Security Profile), one can limit the rate of one source, but there is no way (in the
Peer-Network configuration) to ensure that the sum of all the sources does not overload
the IBCF CCSs where all the sources converge.
To avoid such a situation, the following command defines:
o the call setup rate that is supported per rpoc (CCS)
o the maximum delay that a SIP message can stay in the transmit queue associated
with the rpoc (CCS)
The transmit queue depth, in SIP messages, is computed according to the values of the
call_rate and sip_msg_delay parameters.

Command
load-balancing-group groupId rpoc poc_id call rate call_rate delay sip_msg_delay

Arguments
groupId
This is the identifier of the Load-Balancing-Group.
poc_id
This is the identifier of the remote POC (MGC8 CCS process) within the Load-Balancing-Group.
call_rate
Call setup rate per second. The value should be between 0 and 100000.

sip_msg_delay
Defines the time a SIP message can remain in the transmit queue of the SIP firewall before
being dropped. The delay is set in milliseconds in the range 1-2000.
Example
-> load-balancing-group 3 rpoc 1 call rate 10000 delay 300

load-balancing-group groupId rpoc poc_id transaction rate


Purpose
The purpose of that command is to allow dimensioning of the non-INVITE transaction
queue per remote POC (rpoc) associated with a Load-Balancing-Group. In the MGC8
terminology the rpoc represents the CCS entity.
The transaction rate applies to non-INVITE SIP messages.
The transaction delay limits the maximum time the SIP firewall can delay a non-INVITE SIP
message within the non-INVITE transmission queue associated with an rpoc.

Command
load-balancing-group groupId rpoc poc_id transaction rate trans_rate delay
sip_trans_delay

Arguments
groupId
This is the identifier of the Load-Balancing-Group.
poc_id
This is the identifier of the remote POC (MGC8 CCS process) within the Load-Balancing-Group.
trans_rate
This is the maximum number of transactions per second. The value should be between 0
and 100000.
sip_trans_delay
Defines the time a SIP message can remain in the transmit queue of the SIP firewall before
being dropped. The delay is set in milliseconds in the range 1-2000.
Example
-> load-balancing-group 3 rpoc 1 transaction rate 10000 delay 300
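The following is an added illustration of the per-rpoc queues described for the call rate and transaction rate commands above; it is not SFW code. It models one CCS transmit queue drained at the configured rate, where a message that would wait longer than the configured delay is dropped on arrival. The exact formula for the queue depth (here rate times delay) is an assumption, since the guide only says that the depth is derived from the two parameters.

```python
"""Model of the per-RPOC transmit queue configured by the `call rate` and
`transaction rate` commands.  Added illustration, not SFW code."""
from fractions import Fraction

RATE_MAX = 100000                     # call_rate / trans_rate upper bound (guide)
DELAY_MIN_MS, DELAY_MAX_MS = 1, 2000  # sip_msg_delay / sip_trans_delay range (guide)


class RpocTransmitQueue:
    """Rate limiter with a delay-bounded transmit queue in front of one CCS.

    Messages leave towards the CCS at most `rate_per_sec` per second.  A message
    that would have to wait longer than `delay_ms` is dropped on arrival, which
    is what bounds the queue depth.
    """

    def __init__(self, rate_per_sec: int, delay_ms: int) -> None:
        if not 0 <= rate_per_sec <= RATE_MAX:
            raise ValueError(f"rate must be between 0 and {RATE_MAX}")
        if not DELAY_MIN_MS <= delay_ms <= DELAY_MAX_MS:
            raise ValueError(f"delay must be between {DELAY_MIN_MS} and {DELAY_MAX_MS} ms")
        self.rate = rate_per_sec
        self.delay_ms = delay_ms
        # Assumption: queue depth in messages = rate * delay.  The guide only says
        # the depth is derived from the two parameters; in this model it is the
        # number of messages that can be queued before the newest one would wait
        # more than delay_ms.
        self.depth = rate_per_sec * delay_ms // 1000
        self._next_tx_ms = Fraction(0)   # earliest time the next message may leave
        self.accepted = 0
        self.dropped = 0

    def offer(self, now_ms: int) -> bool:
        """Admit or drop a SIP message arriving at `now_ms`.

        Returns True if the message is queued for transmission, False if dropped.
        """
        if self.rate == 0:               # rate 0: nothing is forwarded to this CCS
            self.dropped += 1
            return False
        send_at = max(Fraction(now_ms), self._next_tx_ms)
        if send_at - now_ms > self.delay_ms:   # would exceed the configured delay
            self.dropped += 1
            return False
        # Reserve the next transmit slot 1/rate s later.  Exact arithmetic, so a
        # rate such as 3/s (333.33 ms slots) does not drift through rounding.
        self._next_tx_ms = send_at + Fraction(1000, self.rate)
        self.accepted += 1
        return True


def simulate(rate_per_sec: int, delay_ms: int, arrivals_ms) -> tuple:
    """Feed non-decreasing arrival times (ms) through one queue; return (accepted, dropped)."""
    q = RpocTransmitQueue(rate_per_sec, delay_ms)
    for t in arrivals_ms:
        q.offer(t)
    return q.accepted, q.dropped


if __name__ == "__main__":
    # Constructed scenario: an rpoc configured with `call rate 10 delay 300`
    # (depth 3) receives 10 initial INVITEs in the same instant, then 10 more
    # paced one every 100 ms.  The burst loses 6 messages, the paced stream none.
    print(simulate(10, 300, [0] * 10))
    print(simulate(10, 300, list(range(0, 1000, 100))))
```

The same model serves the non-INVITE transaction queue: substitute trans_rate and sip_trans_delay for the two constructor arguments. The point to take from the simulation is that a burst from many Peer Networks converging on one CCS is shed at the rpoc, not at the sources, which is exactly the gap the per-Peer-Network rate limiter leaves open.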

no load-balancing-group groupId
Purpose
The purpose of that command is to delete a Load-Balancing-Group.
Before deleting a Load-Balancing-Group it is necessary to remove the existing
associations between this Load-Balancing-Group and its RPOC and LPOC via the
commands:
o load-balancing-group groupId no rpoc poc_id
o load-balancing-group groupId no lpoc trusted_lpoc_id

Command
no load-balancing-group groupId
Arguments
groupId
This is the identifier of the Load-Balancing-Group.
Example
-> load-balancing-group 3 no lpoc 2
-> load-balancing-group 3 no rpoc 1
-> no load-balancing-group 3

show load-balancing-group
Purpose
The purpose of that command is to display the Load-Balancing-Group configuration and
its operational status.

Command
show load-balancing-group [groupId]
Arguments
groupId
This is the identifier of the Load-Balancing-Group. If groupId is not specified, all Load
Balancing Groups are displayed.
Example
-> show load-balancing-group
+----------+-----------------+--------+------+-------+
! Group Id ! Name            ! Status ! Lpoc ! Vlan  !
+----------+-----------------+--------+------+-------+
! 1        ! LBG_1           ! up     ! 1    ! 200   !
! 2        ! LBG_2           ! up     ! 1    ! 200   !
! 3        ! LBG-Tokyo       ! up     ! 1    ! 200   !
! 4        ! LBG4-Mexico     ! up     ! 1    ! 200   !
+----------+-----------------+--------+------+-------+
Output Definition
Status
The Load-Balancing-Group status is:
o up if at least one rpoc (MGC8 CCS) is seen alive via the SIP OPTIONS
heartbeat mechanism.
o down if all rpocs (MGC8 CCS) failed to answer the SIP OPTIONS
sent by the SIP Firewall.

show load-balancing-group rpoc


Purpose
The purpose of that command is to display, on the trusted side, the Remote POC
configurations and their operational status.

Command
show load-balancing-group [groupId] rpoc [poc_id]
Arguments
groupId
This is the identifier of the Load-Balancing-Group. If groupId is not specified, all Load
Balancing Groups are displayed.
Example
-> show load-balancing-group rpoc
+-----+------+-----------+----------------------------------------+-------+-------+------+-----+----------+--------+
! LBG ! rpoc ! Ope state ! IP Address                             ! Udp   ! Tcp   ! Sctp ! Tls ! call/sec ! Tx/sec !
+-----+------+-----------+----------------------------------------+-------+-------+------+-----+----------+--------+
! 1   ! 1    ! up        ! 192.168.2.50                           ! 50001 ! 50001 ! n/s  ! n/s ! 10000    ! 10000  !
!     !      !           ! 2001:200::192:168:2:50                 !       !       !      !     !          !        !
! 2   ! 1    ! up        ! 192.168.2.9                            ! 50001 ! 50001 ! n/s  ! n/s ! 10000    ! 10000  !
! 3   ! 1    ! up        ! 192.168.2.33                           ! 50001 ! 50001 ! n/s  ! n/s ! 10000    ! 10000  !
! 4   ! 1    ! up        ! 192.168.2.35                           ! 50001 ! 50001 ! n/s  ! n/s ! 10000    ! 10000  !
!     !      !           ! 2001:200::192:168:2:35                 !       !       !      !     !          !        !
! 5   ! 1    ! up        ! 192.168.2.37                           ! 5060  ! 5060  ! n/s  ! n/s ! 10000    ! 10000  !
+-----+------+-----------+----------------------------------------+-------+-------+------+-----+----------+--------+

Output Definition
Ope State
The rpoc (MGC8 CCS) status relies on the SIP OPTIONS heartbeat mechanism. The rpoc
is:
o up if the rpoc successfully responds to the SIP OPTIONS sent by the SIP
Firewall.
o down if the rpoc fails to answer the SIP OPTIONS sent by the SIP
Firewall.

show load-balancing-group connectivity


Purpose
The purpose of that command is to check, on the trusted side, the IP and SIP connectivity
between the trusted LPOC and the remote POCs (IBCF CCSs).
The IP connectivity is checked by issuing periodic ICMP requests from the LPOC to the
RPOCs associated within the Load-Balancing-Group. By default a Ping request is issued
every 5 seconds. ICMP requests are sent for both IPv4 and IPv6 protocols according to the
RPOC/LPOC configuration.
The SIP connectivity is checked according to the SIP OPTIONS heartbeat mechanism.
The SFW periodically sends SIP OPTIONS from the LPOC to the RPOCs associated within
the Load-Balancing-Group. By default a SIP OPTIONS is sent every 5 seconds. Depending
on the RPOC/LPOC configuration the SIP OPTIONS mechanism is activated either over
IPv4 or IPv6 or both protocols.
The polling period, applying to both Ping and SIP OPTIONS, can be modified via the
CLI command load-balancing-group groupId polling period interval.

Command
show load-balancing-group [groupId] connectivity
Arguments
groupId
This is the identifier of the Load-Balancing-Group. If groupId is not specified, all Load
Balancing Groups are displayed.
Example
-> show load-balancing-group connectivity
+----------+------+------+--------+--------+---------+--------+-----------------+
! Group Id ! rpoc ! lpoc ! period ! SIP v4 ! PING v4 ! SIP v6 ! PING v6         !
+----------+------+------+--------+--------+---------+--------+-----------------+
! 1        ! 1    ! 1    ! 4      ! up     ! PING UP ! down   ! PING UP         !
! 2        ! 1    ! 1    ! 4      ! up     ! PING UP ! down   ! V4 ONLY         !
! 3        ! 1    ! 1    ! 4      ! up     ! PING UP ! down   ! V4 ONLY         !
! 4        ! 1    ! 1    ! 4      ! up     ! PING UP ! down   ! NO RESP         !
! 5        ! 1    ! 1    ! 4      ! up     ! NO MAC  ! V4 ONLY! down            !
+----------+------+------+--------+--------+---------+--------+-----------------+

Output Definition
SIP v4
The SIP v4 status relies on the SIP OPTIONS heartbeat mechanism over the IPv4 protocol.
o up means that the rpoc successfully responds to the SIP OPTIONS sent
by the SIP Firewall using the IPv4 protocol.
o down means that the rpoc fails to answer the SIP OPTIONS sent by
the SIP Firewall using the IPv4 protocol.
SIP v6
The SIP v6 status relies on the SIP OPTIONS heartbeat mechanism over the IPv6 protocol.
o up means that the rpoc successfully responds to the SIP OPTIONS sent
by the SIP Firewall using the IPv6 protocol.
o down means that the rpoc fails to answer the SIP OPTIONS sent by
the SIP Firewall using the IPv6 protocol.
PING v4 and PING v6
The PING v4 status reflects the IPv4 connectivity between the LPOC and the RPOC of a
Load-Balancing-Group.
The PING v6 status reflects the IPv6 connectivity between the LPOC and the RPOC of a
Load-Balancing-Group.
o PING UP means that the rpoc successfully responds to the ICMP
requests sent by the SIP Firewall.
o NO MAC means that the configuration is consistent but the RPOC
destination MAC address has not been resolved yet.
o NO LPOC means that the configuration is not consistent. There is no
LPOC associated with the Load-Balancing-Group whereas there is at least
one RPOC and a Vlan associated with that Load-Balancing-Group.
o NO LPOC IP ADDR means that the configuration is not consistent.
The LPOC associated with the Load-Balancing-Group has no IPv4 address
whereas there is at least one IPv4 RPOC associated with that Load-Balancing-Group.
The LPOC associated with the Load-Balancing-Group has no IPv6 address
whereas there is at least one IPv6 RPOC associated with that Load-Balancing-Group.
o NO VLAN means that the configuration is not consistent. There is no
Vlan associated with the Load-Balancing-Group.
o NO VLAN SUBNET means that the configuration is not consistent.
There is no IPv4 subnet in the definition of the vlan associated with the
Load-Balancing-Group whereas there is at least one IPv4 RPOC associated
with that Load-Balancing-Group.
There is no IPv6 subnet in the definition of the vlan associated with the
Load-Balancing-Group whereas there is at least one IPv6 RPOC associated
with that Load-Balancing-Group.
o NO ROUTER IP means that the configuration is not consistent.
An IP router address is required in the definition of the vlan associated with
the Load-Balancing-Group, otherwise the LPOC is unreachable. A router is
required in the vlan definition as soon as the vlan and the LPOC are not in
the same subnet.
o ROUTER IP NOT IN SUBNET means that the configuration is not
consistent. The router IP address in the definition of the vlan associated
with the Load-Balancing-Group is not in the vlan subnet.
o NO DEFAULT GW means that the configuration is not consistent. An IP
gateway address is required in the definition of the vlan associated with the
Load-Balancing-Group, otherwise the RPOC is unreachable. A gateway is
required in the vlan definition as soon as the vlan and the RPOC are not in
the same subnet.
o GATEWAY IP NOT IN SUBNET means that the configuration is not
consistent. The gateway IP address in the definition of the vlan associated
with the Load-Balancing-Group is not in the vlan subnet.
o NO RESP means that the configuration is consistent. The MAC address
of the RPOC is known but the SFW does not get any response to the ping
requests.
o TRUNK DOWN means that the configuration is consistent. The trusted
trunk is down.
o V6 ONLY means that the configuration is consistent but the LPOC or the RPOC is
IPv6 only, thus ping v4 cannot be performed.
o V4 ONLY means that the configuration is consistent but the LPOC or the RPOC is
IPv4 only, thus ping v6 cannot be performed.
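The following is an added illustration, not SFW code, of how the PING v4 / PING v6 column of show load-balancing-group connectivity can be derived from a Load-Balancing-Group definition, covering the polling mechanism described under load-balancing-group groupId polling period interval and the status strings defined above. The data model (Poc, Vlan, Lbg, Runtime) and the order in which the inconsistency cases are reported are assumptions; the status strings and their meanings are the ones listed above. The sample addresses are constructed.

```python
"""Derivation of the PING v4 / PING v6 status of `show load-balancing-group
connectivity` from a Load-Balancing-Group definition.  Added illustration, not
SFW code: the data model and the evaluation order are assumptions."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Poc:
    """An LPOC or RPOC: addresses keyed by IP version (4 and/or 6)."""
    addrs: Dict[int, str]


@dataclass
class Vlan:
    subnet: Dict[int, str] = field(default_factory=dict)   # e.g. {4: "192.168.2.0/24"}
    router: Dict[int, str] = field(default_factory=dict)   # needed when LPOC is off-subnet
    gateway: Dict[int, str] = field(default_factory=dict)  # needed when RPOC is off-subnet


@dataclass
class Lbg:
    lpoc: Optional[Poc] = None
    rpocs: Dict[int, Poc] = field(default_factory=dict)    # poc_id -> Poc
    vlan: Optional[Vlan] = None


@dataclass
class Runtime:
    """Live state that only matters once the configuration is consistent."""
    trunk_up: bool = True
    mac_resolved: bool = True
    ping_answered: bool = True


def ping_status(lbg: Lbg, rpoc: Poc, fam: int, rt: Runtime) -> str:
    """Return the PING v4 (fam=4) or PING v6 (fam=6) status for one RPOC."""
    other = 6 if fam == 4 else 4
    if lbg.vlan is None:
        return "NO VLAN"
    if lbg.lpoc is None:                     # RPOC and Vlan present, LPOC missing
        return "NO LPOC"
    if fam not in rpoc.addrs:                # nothing to ping in this family
        return f"V{other} ONLY"
    if fam not in lbg.lpoc.addrs:
        return "NO LPOC IP ADDR"
    if fam not in lbg.vlan.subnet:
        return "NO VLAN SUBNET"
    subnet = ipaddress.ip_network(lbg.vlan.subnet[fam], strict=False)
    if ipaddress.ip_address(lbg.lpoc.addrs[fam]) not in subnet:
        if fam not in lbg.vlan.router:
            return "NO ROUTER IP"
        if ipaddress.ip_address(lbg.vlan.router[fam]) not in subnet:
            return "ROUTER IP NOT IN SUBNET"
    if ipaddress.ip_address(rpoc.addrs[fam]) not in subnet:
        if fam not in lbg.vlan.gateway:
            return "NO DEFAULT GW"
        if ipaddress.ip_address(lbg.vlan.gateway[fam]) not in subnet:
            return "GATEWAY IP NOT IN SUBNET"
    # Configuration is consistent: the remaining states come from the data path.
    if not rt.trunk_up:
        return "TRUNK DOWN"
    if not rt.mac_resolved:
        return "NO MAC"
    if not rt.ping_answered:
        return "NO RESP"
    return "PING UP"


def connectivity_rows(lbg: Lbg, rt: Runtime) -> List[tuple]:
    """(rpoc id, PING v4, PING v6) per RPOC, in poc_id order."""
    return [(pid, ping_status(lbg, p, 4, rt), ping_status(lbg, p, 6, rt))
            for pid, p in sorted(lbg.rpocs.items())]


# Constructed example: dual-stack LPOC on the trusted vlan, one dual-stack RPOC,
# one IPv4-only RPOC and one RPOC on another subnet with no gateway configured.
SAMPLE_LBG = Lbg(
    lpoc=Poc({4: "192.168.2.1", 6: "2001:200::1"}),
    rpocs={1: Poc({4: "192.168.2.50", 6: "2001:200::192:168:2:50"}),
           2: Poc({4: "192.168.2.9"}),
           3: Poc({4: "10.10.0.5"})},
    vlan=Vlan(subnet={4: "192.168.2.0/24", 6: "2001:200::/64"}),
)

if __name__ == "__main__":
    for row in connectivity_rows(SAMPLE_LBG, Runtime()):
        print(row)
```

Running the checks in this order reproduces the distinction the guide draws: the "not consistent" states are pure configuration errors that can be found before any packet is sent, while NO MAC, NO RESP and TRUNK DOWN only appear once the configuration is sound.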

13 Tcp Syn Flood Protection

Purpose
This paragraph provides information about the SFW configuration preventing TCP
SYN flooding.
Introduction
TCP SYNs are filtered out according to predefined thresholds depending on the interface
type.
The default threshold values are the following:
o OAM interface: 10 TCP SYN per sec
o Trusted interface: 1000 TCP SYN per sec
o Untrusted interface: 2000 TCP SYN per sec
When the TCP SYN rate exceeds the above thresholds the SFW suspects that an attack is
ongoing and enters TCP SYN regulation mode.
In that state the TCP SYNs are filtered out to prevent the attack. However TCP connection
establishment is still possible for non-attackers.
Once activated, the TCP SYN regulation mode lasts at least 30 seconds.
The default TCP SYN threshold values can be adjusted via the CLI commands listed
below.
The show tcp syn command provides useful information about the TCP SYN flood
parameters and current status.
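The following is an added illustration, not SFW code, of the regulation behaviour described above, run over constructed SYN arrival times rather than real traffic. The guide does not describe how the SFW counts SYNs or decides which ones to drop while regulating, so this model assumes a one-second counting window and lets SYNs within the threshold pass during regulation; the thresholds, the CLI upper bounds and the 30 second minimum are the values from this chapter.

```python
"""TCP SYN flood regulation model for the three SFW interface types.
Added illustration, not SFW code."""

DEFAULT_SYN_RATES = {"oam": 10, "trusted": 1000, "untrusted": 2000}  # defaults (guide)
MAX_SYN_RATES = {"oam": 20, "trusted": 10000, "untrusted": 10000}    # CLI upper bounds (guide)
REGULATION_MIN_SECONDS = 30   # regulation mode lasts at least this long (guide)


class SynFloodMonitor:
    """Per-interface SYN rate check with a sticky regulation mode.

    Assumptions (the guide does not describe the internals): SYNs are counted
    per one-second window; while in regulation mode, SYNs within the threshold
    still pass (so non-attackers can connect) and only the excess is dropped;
    every further excess SYN extends the regulation period.
    """

    def __init__(self) -> None:
        self.rates = dict(DEFAULT_SYN_RATES)
        self._st = {i: {"window": None, "count": 0, "regulating_until": -1.0,
                        "attack_counter": 0, "syn_rcv": 0, "syn_dropped": 0}
                    for i in DEFAULT_SYN_RATES}

    def set_rate(self, interface: str, syn_per_sec: int) -> None:
        """Equivalent of `tcp syn <interface> rate <syn_per_sec>`."""
        if not 1 <= syn_per_sec <= MAX_SYN_RATES[interface]:
            raise ValueError(f"{interface}: rate must be 1..{MAX_SYN_RATES[interface]}")
        self.rates[interface] = syn_per_sec

    def on_syn(self, t: float, interface: str) -> bool:
        """Account one SYN seen at time `t` (seconds). True = passed, False = dropped."""
        s = self._st[interface]
        s["syn_rcv"] += 1
        window = int(t)
        if s["window"] != window:            # new one-second window
            s["window"], s["count"] = window, 0
        s["count"] += 1
        if s["count"] <= self.rates[interface]:
            return True
        # Threshold exceeded: enter (or stay in) regulation mode and drop the SYN.
        if t >= s["regulating_until"]:
            s["attack_counter"] += 1         # a new attack episode
        s["regulating_until"] = t + REGULATION_MIN_SECONDS
        s["syn_dropped"] += 1
        return False

    def status(self, interface: str, now: float) -> str:
        """'on' while regulation mode is active, as shown by `show tcp syn`."""
        return "on" if now < self._st[interface]["regulating_until"] else "off"

    def show_tcp_syn(self, now: float) -> list:
        """Rows of `show tcp syn`: (interface, rate, status, attack counter)."""
        return [(i, self.rates[i], self.status(i, now), self._st[i]["attack_counter"])
                for i in ("oam", "trusted", "untrusted")]

    def counters(self, interface: str) -> tuple:
        """(tcpSynRcv, tcpSynDropped) as reported by `show tcp statistics`."""
        return self._st[interface]["syn_rcv"], self._st[interface]["syn_dropped"]


def feed_syns(m: SynFloodMonitor, interface: str, start: float, count: int, spacing: float) -> int:
    """Offer `count` SYNs starting at `start`, `spacing` seconds apart; return how many passed."""
    return sum(m.on_syn(start + i * spacing, interface) for i in range(count))


def run_sample() -> SynFloodMonitor:
    """Constructed traffic: 15 SYNs within 0.75 s on OAM (threshold 10/s) and a
    modest 100 SYNs within one second on the trusted interface (threshold 1000/s)."""
    m = SynFloodMonitor()
    feed_syns(m, "oam", 0.0, 15, 0.05)
    feed_syns(m, "trusted", 0.0, 100, 0.01)
    return m


if __name__ == "__main__":
    mon = run_sample()
    for row in mon.show_tcp_syn(now=5.0):
        print(row)        # oam is "on" with attack counter 1; the others are "off"
```

Note how the attack counter and the status differ: the counter only increments when a new episode starts after the previous regulation period has expired, while the status stays on for the full minimum period even when the flood stops immediately, which is why a burst that has long ended can still show status on in show tcp syn.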

Summary of the CLI for TCP SYN Flood management


TCP SYN Flood management
tcp syn oam rate syn_per_sec
tcp syn untrusted rate syn_per_sec
tcp syn trusted rate syn_per_sec
show tcp syn
show tcp statistics [oam | untrusted [netid] | trusted [netid] ]

tcp syn oam rate syn_per_sec


Purpose
The purpose of that command is to modify the default value applied for TCP SYN flood
protection on the OAM interface of the firewall. The default value is set to 10 TCP SYN per
second.
Command
tcp syn oam rate syn_per_sec

Arguments
syn_per_sec
Defines the acceptable TCP SYN rate on the OAM interface. This rate cannot be set
higher than 20 TCP SYN per second.
Example
-> tcp syn oam rate 5

tcp syn untrusted rate syn_per_sec


Purpose
The purpose of that command is to modify the default value applied for TCP SYN flood
protection on the Untrusted interface of the firewall. The default value is set to 2000 TCP SYN
per second.
Command
tcp syn untrusted rate syn_per_sec
Arguments
syn_per_sec
Defines the acceptable TCP SYN rate on the Untrusted interface. This rate cannot be set
higher than 10000 TCP SYN per second.
Example
-> tcp syn untrusted rate 5000

tcp syn trusted rate syn_per_sec


Purpose
The purpose of that command is to modify the default value applied for TCP SYN flood
protection on the Trusted interface of the firewall. The default value is set to 1000 TCP SYN per
second.
Command
tcp syn trusted rate syn_per_sec
Arguments
syn_per_sec
Defines the acceptable TCP SYN rate on the Trusted interface. This rate cannot be set
higher than 10000 TCP SYN per second.

show tcp syn


Purpose
The purpose of that command is to display the TCP SYN flood configuration and to check whether the
SFW has been, or is currently, under TCP SYN attack.
Command
show tcp syn
Output Definition
rate
This is the maximum rate of TCP SYN per second before entering in TCP SYN regulation
mode.
status
Off: There is no TCP SYN flood attack ongoing.
On: There is a TCP SYN flood attack ongoing.
Attack counter
Counts the number of TCP SYN attacks.
Example
-> show tcp syn
+-----------+------+--------+----------------+
! interface ! rate ! status ! attack counter !
+-----------+------+--------+----------------+
! oam       ! 10   ! off    ! 0              !
! trusted   ! 1000 ! off    ! 0              !
! untrusted ! 2000 ! off    ! 0              !
+-----------+------+--------+----------------+

show tcp statistics


Purpose
The purpose of that command is to display the TCP statistics per interface type.
Command
show tcp statistics
Output Definition
tcpActiveOpens
Active connection openings
tcpPassiveOpens
Passive connection openings
tcpAttemptFails
Failed connection attempts
tcpEstabResets
Connection resets received
tcpCurrEstab
Connections established
tcpInSegs
Segments received
tcpOutSegs
Segments sent out
tcpRetransSegs
Segments retransmitted
tcpInErrs
TCP segments received in error
tcpOutRsts
TCP Resets sent
tcpSynRcv
TCP SYN received
tcpSynDropped
TCP SYN dropped
tcpOutOfSeqResets
TCP RST dropped because of a bad sequence number
Example
-> show tcp statistics
CUMULATED UNTRUSTED TCP STATISTICS
tcpActiveOpens  : 16523
tcpPassiveOpens : 2
tcpCurrEstab    : 3
tcpInSegs       : 18894
tcpOutSegs      : 30190
tcpSynRcv       : 2

CUMULATED TRUSTED TCP STATISTICS
tcpActiveOpens  : 261153
tcpCurrEstab    : 31
tcpInSegs       : 243029
tcpOutSegs      : 384744

OAM TCP STATISTICS
tcpActiveOpens  : 34
tcpPassiveOpens : 32
tcpAttemptFails : 1
tcpCurrEstab    : 3
tcpInSegs       : 1965
tcpOutSegs      : 1753
tcpRetransSegs  : 1

14 Interfaces (Ge Ports) & Trunks

Purpose
This paragraph provides information about the management of the Gigabit Ethernet
physical ports of the SIP Firewall.
Introduction
The SIP firewall is made of 2 DHSPP4 boards running in Active/Standby mode for the
SIP Firewalling application.
Each DHSPP4 is hosted in a different 7510 SCM2 board (slot 10 and slot 11).
Each DHSPP4 provides 8 Gigabit Ethernet physical ports (Ge0..Ge7).
Four interfaces per DHSPP4 are available on the front panel (Ge0..Ge3):
o Ge0 interfaces are dedicated to the cabling towards the Untrusted networks
o Ge3 interfaces are dedicated to the cabling towards the Trusted networks
o Ge1 and Ge2 are used to interconnect the Active and Standby DHSPP4
Two interfaces per DHSPP4, not accessible on the front panel but via the SCM, are used
for OAM (Ge4) and SCM/DHSPP4 (Ge5) supervision.

Summary of the CLI for Ge Interfaces and Trunks management


Ge Interfaces and Trunks management
show interfaces
show interfaces slot[/port]
trunk {trusted|untrusted} mode [linkagg | act-stdy]
show trunk [trusted|untrusted]
show trunk [trusted|untrusted] port

show interfaces
Purpose
The purpose of the following commands is to provide information about the Giga Ethernet
interfaces of the SIP Firewall.
Commands
show interfaces
show interfaces slot[/port]
Arguments
slot
This is the identifier of the SCM slot hosting the DHSPP4. It is either 10 or 11.
port
Optionally the Giga Ethernet port number can be specified.
Example
-> show interfaces
+-----------------------------+--------------+--------------------+
! Slot/Port                   ! Admin Status ! Operational Status !
+-----------------------------+--------------+--------------------+
! 10/Ge0 external untrusted   ! up           ! up                 !
! 10/Ge1 external inter-HSPP  ! up           ! up                 !
! 10/Ge2 external inter-HSPP  ! up           ! up                 !
! 10/Ge3 external trusted     ! up           ! up                 !
! 10/Ge4 internal OAM         ! up           ! up                 !
! 10/Ge5 internal supervision ! up           ! up                 !
! 11/Ge0 external untrusted   ! up           ! up                 !
! 11/Ge1 external inter-HSPP  ! up           ! up                 !
! 11/Ge2 external inter-HSPP  ! up           ! up                 !
! 11/Ge3 external trusted     ! up           ! up                 !
! 11/Ge4 internal OAM         ! up           ! up                 !
! 11/Ge5 internal supervision ! up           ! up                 !
+-----------------------------+--------------+--------------------+

-> show interfaces 10/0
Slot/Port                  : 10/0
Description                : 10/Ge0 external untrusted
Operational Status         : up
Last Time Link Changed     : 54:03:47
Type                       : Ethernet
MAC Address                : 00:11:3F:C7:DD:2D
Rx                         :
Bytes Received             : 1298954
Unicast Frames             : 2209
Broadcast/Multicast Frames : 11750
Error Frames               : 943
Discarded frames           : 0
Tx                         :
Bytes Xmitted              : 202216
Unicast Frames             : 4396
Broadcast/Multicast Frames : 0
Queued Frames              : 0

trunk {trusted|untrusted} mode [linkagg | act-stdy]


Purpose
Trusted and Untrusted interfaces are connected to the next-hop IP using either:
o Static Link Aggregation (802.3ad), without LACP. This is the preferred configuration
but it requires the PE Router to be carrier grade. Or,
o Active/Standby configuration. If the PE router is not carrier grade this is the
configuration to be chosen. In that case both interfaces must belong to the same vlan and a
layer 2 switching must be configured between both switch-routers.
The purpose of that command is to configure the trunk mode according to the PE Router
capability:
o Static Link Aggregation (802.3ad) configuration with carrier grade router.
o Active/Standby configuration in case of Switch-Routers that are not carrier grade.

Commands
trunk {trusted|untrusted} mode [linkagg | act-stdy]
Arguments
{trusted|untrusted}
The operator can only change the mode of the trusted and untrusted trunk. OAM and
inter-DHSPP4 trunks have predefined setup.
linkagg
Configures the trunk in Static Link Aggregation mode (802.3ad). Static LAGG means that
there is no LACP protocol. This must be taken into account on the PE-Router where
LACP could be activated by default when configuring a Link Aggregation. LACP must be
disabled on the PE-Router for this LAGG.
act-stdy
Configures the trunk in Active-Standby mode. Remember that in that case both
interfaces must belong to the same vlan and a layer 2 switching must be
configured between both switch-routers.
Example
-> trunk trusted mode linkagg
-> trunk untrusted mode linkagg

show trunk
Purpose
The following command displays information about the configuration and the status of the
trunks. Additional information can be retrieved with the command show trunk port.
Commands
show trunk [trusted|untrusted]
Output Definition
Trunk-group
This is the trunk alias.
Oper State
Operational state of the trunk (up/down).
Mode
Networking mode configured.
Att/Up ports
Number of attached ports and number of ports UP.
Example

-> show trunk
+-------------+------------+----------+--------+-------+
! Trunk-group ! Oper State ! Mode     ! Att/Up ! ports !
+-------------+------------+----------+--------+-------+
! trusted     ! up         ! linkagg  ! 2      ! 2     !
! untrusted   ! up         ! linkagg  ! 2      ! 2     !
! inter-DHSPP ! up         ! linkagg  ! 2      ! 2     !
! oam         ! up         ! act-stdy ! 2      ! 2     !
+-------------+------------+----------+--------+-------+

show trunk port


Purpose
The following command provides complementary information about the configuration
and the status of the trunks.
Commands
show trunk port
Output Definition
Slot/Port
The slot/port associated with the trunk group.
Trunk Group
The alias of the trunk group associated with the port.
Oper State
The current port state (up/down).
Role
The role of the port within the trunk (primary/backup).
The interpretation depends on the trunk group mode:
o Linkagg mode: both ports are active; however only the primary port is used for
broadcast.
o Act/stdy mode: only the primary port is used; frames received on the backup port
are ignored.
Example
-> show trunk port
+-----------+-------------+------------+---------+
! Slot/Port ! Trunk Group ! Oper state ! Role    !
+-----------+-------------+------------+---------+
! 10/Ge0    ! untrusted   ! up         ! primary !
! 11/Ge0    ! untrusted   ! up         ! backup  !
! 10/Ge3    ! trusted     ! up         ! primary !
! 11/Ge3    ! trusted     ! up         ! backup  !
! 10/Ge1    ! DHSPP4      ! up         ! primary !
! 10/Ge2    ! DHSPP4      ! up         ! backup  !
! 10/Ge4    ! oam trunk   ! up         ! primary !
! 11/Ge4    ! oam trunk   ! up         ! backup  !
+-----------+-------------+------------+---------+

15 SIP Message Management

Purpose
This paragraph provides information about the options controlling whether the SIP firewall
checks some SIP headers, and about their configuration.
Introduction
By default the SFW checks the SIP mandatory headers. If any mandatory header
is missing, the SIP message is rejected. But some SIP UEs may send messages
without some mandatory headers because they follow an obsolete specification. To
support such SIP behaviour, the SFW has a configuration option controlling whether or not to
accept a SIP message without a specific mandatory header.

Summary of the CLI for SIP Message Management


SIP header management
sip-header max-forwards {enable|disable}
show sip-header

sip-header max-forwards {enable|disable}


Purpose
The following command provides an option to let INVITE requests coming from the untrusted side
without a Max-Forwards header pass through the SIP firewall.
Commands
sip-header max-forwards {enable|disable}
Arguments
{enable|disable}
Enable allows an incoming INVITE without a Max-Forwards header to pass through the SIP
firewall; it also inserts a default Max-Forwards header into the INVITE request sent to the trusted
side if the INVITE request received from the untrusted side does not contain a Max-Forwards header.
Disable rejects an INVITE without a Max-Forwards header. By default, the argument is
disable.
Example
-> sip-header max-forwards enable
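The following is an added illustration, not SFW code, of the mandatory-header screening described in this chapter and of the relaxation that sip-header max-forwards enable introduces. The mandatory request headers are those of RFC 3261 section 8.1.1; the inserted default value of 70 is the RFC 3261 recommendation and is an assumption about the SFW default, since the guide only says a default Max-Forwards header is inserted. The sample INVITE is constructed with RFC 5737 documentation addresses.

```python
"""Mandatory-header screening of an incoming SIP request, with the
`sip-header max-forwards enable` relaxation.  Added illustration, not SFW code;
the default value 70 is the RFC 3261 recommendation (assumption for the SFW)."""
from typing import List, Tuple

# RFC 3261 section 8.1.1 mandatory request headers, with their compact forms.
MANDATORY = {"via": "v", "from": "f", "to": "t", "call-id": "i",
             "cseq": None, "max-forwards": None}
COMPACT = {short: name for name, short in MANDATORY.items() if short}
DEFAULT_MAX_FORWARDS = 70   # RFC 3261 recommended initial value (assumption)

Header = Tuple[str, str]    # (name as received, value)


def parse_request(raw: str) -> Tuple[str, List[Header], str]:
    """Split a SIP request into request line, header list and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    if len(lines) < 2 or not lines[0].endswith(" SIP/2.0"):
        raise ValueError("not a SIP/2.0 request")
    headers: List[Header] = []
    for line in lines[1:]:
        if line[:1] in (" ", "\t") and headers:       # folded continuation line
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
            continue
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            raise ValueError(f"malformed header line: {line!r}")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers, body


def canonical(name: str) -> str:
    """Lower-case header name with compact forms expanded."""
    n = name.lower()
    return COMPACT.get(n, n)


def screen_request(raw: str, max_forwards_relaxed: bool = False) -> Tuple[str, str]:
    """Return ("accept", message to forward) or ("reject", reason).

    `max_forwards_relaxed` mirrors `sip-header max-forwards enable`: an INVITE
    lacking Max-Forwards is accepted and the default header is inserted before
    the request is forwarded to the trusted side.  Other methods are not relaxed.
    """
    try:
        request_line, headers, body = parse_request(raw)
    except ValueError as exc:
        return "reject", str(exc)
    method = request_line.split(" ", 1)[0]
    present = {canonical(n) for n, _ in headers}
    missing = [h for h in MANDATORY if h not in present]
    if missing == ["max-forwards"] and method == "INVITE" and max_forwards_relaxed:
        headers.append(("Max-Forwards", str(DEFAULT_MAX_FORWARDS)))
        missing = []
    if missing:
        return "reject", "missing mandatory header(s): " + ", ".join(missing)
    for name, value in headers:
        # A present Max-Forwards must be a decimal count (RFC 3261: 1*DIGIT).
        if canonical(name) == "max-forwards" and not value.isdigit():
            return "reject", f"invalid Max-Forwards value: {value!r}"
    wire = "\r\n".join([request_line] + [f"{n}: {v}" for n, v in headers])
    return "accept", wire + "\r\n\r\n" + body


# Constructed INVITE from a UE that omits Max-Forwards (RFC 5737 test addresses).
SAMPLE_INVITE_NO_MF = (
    "INVITE sip:bob@example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds\r\n"
    "From: \"Alice\" <sip:alice@example.org>;tag=1928301774\r\n"
    "To: <sip:bob@example.net>\r\n"
    "Call-ID: a84b4c76e66710@192.0.2.10\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

if __name__ == "__main__":
    print(screen_request(SAMPLE_INVITE_NO_MF))                 # rejected: max-forwards
    print(screen_request(SAMPLE_INVITE_NO_MF, True)[0])        # accepted, header inserted
```

Inserting the header rather than merely tolerating its absence matters for the trusted side: without Max-Forwards, a looping INVITE would never be terminated by the proxies behind the firewall, so the relaxation only removes the check at the edge, not the loop protection downstream.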

show sip-header
Purpose

The following command provides information about the configuration of SIP header
management.
Commands
show sip-header
Output Definition
max forwards
Current status of the backward support of the Max-Forwards header.
Example
-> show sip-header
+--------------+
! max forwards !
+--------------+
! enabled      !
+--------------+
1 elements

16 SNMP Management

Purpose

This paragraph provides information about the SNMP support and configuration on the
SIP firewall.

Introduction

The SFW current release supports SNMP as follows:
o SFW sends traps in V2c only.
o SNMP set and get are by default expected in SNMP V3. This is the
preferred mode. Refer to the user management section to see how to
configure authentication and encryption parameters for SNMP V3.
o SNMP set and get in V2c are possible via a specific configuration in the
sitecfg.sfw. Please refer to the Appendix How to configure the SFW site
Specific parameters if you want to perform SNMP set/get in V2c.
o SNMP get/set V2c and V3 can both be done at the same time.
o SFW supports an Active Alarm Table to be able to retrieve the SNMP
alarms that are currently active. This allows the OMC-P to know the SFW
alarms status even if traps have been lost.
The Active Alarms are returned by doing an SNMP get table on the table
ActiveAlarmsTable of the mib ALCATEL-OMCCN-ALARMMANAGEMENT-MIB.
The SFW supports the following MIBs:
o Standard MIB: RFC 1213 parts
mib-2 system oids
mib-2 interfaces oids
o ALU-SFW-MANAGEMENT-MIB
This is the SFW proprietary Mib used for SFW provisioning and SFW
Performance Management.
Snmp branch ::alcatel-lucent(637).srd(71).sfw(20)
o ALCATEL-OMCCN-ALARMMANAGEMENT-MIB
This is the Mib for events report and Active Alarm Table.
The SFW is seen as a standalone SNMP node, independent from the 7510 MGW.
Active/Standby SFW boards are seen as a single entity from an SNMP manager with a
single IP address.

Summary of the CLI for SNMP Management


SNMP Trap management
snmp station stationId ip ip_address [port port_num] community community_string version {v2c | v3}
[enable | disable]
snmp station stationId {enable | disable}
no snmp station stationId
show snmp station
show snmp alarm thresholds
snmp alarm modify threshold threshold_id value new_value
show snmp trap config
snmp trap trap_id filter-delay delay
snmp trap trap_id {enable | disable}
snmp trap restore default
show snmp alarm active

SNMP Get and SNMP Set management (these commands are explained in the User management section)
user username no-snmp
user username auth {sha | md5} priv {aes | des}
(sha and aes are the stronger choices; md5 and des are legacy algorithms.)

Alarms Management
Hereafter are the Alarms and Events that are sent by the SFW SNMP agent.
Table 1  SFW SNMP TRAPS

Trap name: sfwLinkDown
Trap id: 1001
Severity: major
Description: When raised, this alarm means that one of the interfaces configured on the SFW went down. When cleared, it means that the interface came back up.

Trap name: sfwBoardActLossStbSupervision
Trap id: 1002
Severity: major
Description: When raised, this alarm means that the active SFW DHSPP4 board lost supervision of the standby DHSPP4 board. When cleared, the active DHSPP4 board has recovered supervision of the standby DHSPP4 board.

Trap name: sfwIbcfCcsStatusChange
Trap id: 1003
Severity: warning
Description: When raised, the SFW detected, via the SIP OPTIONS heartbeat mechanism, that a CCS of the local IBCF became unreachable. When cleared, the SFW detected, via the same mechanism, that the CCS of the local IBCF recovered reachability.

Trap name: sfwLoadBalancingGroupStatusChange
Trap id: 1004
Severity: major
Description: When raised, the SFW detected, via the SIP OPTIONS heartbeat mechanism, that all CCS belonging to a Load Balancing Group became unreachable. When cleared, at least one CCS belonging to the Load Balancing Group recovered reachability.

Trap name: sfwBoardTemperatureTooHigh
Trap id: 1005
Severity: Threshold 1 major, Threshold 2 critical
Description: When raised, the temperature of one SFW board has crossed a threshold. When cleared, the temperature has gone back below the threshold.

Trap name: sfwHealthMonCpuAlert
Trap id: 1006
Severity: Threshold 1 major, Threshold 2 critical
Description: When raised, the CPU load of one SFW board has crossed a threshold. When cleared, the CPU load has gone back below the threshold.

Trap name: sfwHealthMonMemAlert
Trap id: 1007
Severity: Threshold 1 major, Threshold 2 critical
Description: When raised, one memory item of one SFW board has crossed a threshold. When cleared, all memory items are below the threshold.

Trap name: sfwUntrLowLayerDrop
Trap id: 1008
Severity: Threshold 1 warning, Threshold 2 minor
Description: When raised, the counter "sfwUntrustedLowLayerDrop" has exceeded a threshold; when cleared, it has decreased below the threshold. This counter counts the packets dropped on the Untrusted side because of ARP error, IP error, fragmentation error, UDP error, ICMP error, N-Tuple classification error or minimum size error.

Trap name: sfwUntrSipPass1Drop
Trap id: 1009
Severity: Threshold 1 warning, Threshold 2 minor
Description: When raised, the counter "pass1Drop" for the Peer Network identified by "peerNetIndex" has exceeded a threshold; when cleared, it has decreased below the threshold. "pass1Drop" counts the packets dropped on the Untrusted side during the SIP Pass1 checks.

Trap name: sfwUntrSipPass1SuspectDrop
Trap id: 1010
Severity: Threshold 1 warning, Threshold 2 minor
Description: When raised, the counter "pass1DropSipSuspicious" for the Peer Network identified by "peerNetIndex" has exceeded a threshold; when cleared, it has decreased below the threshold. "pass1DropSipSuspicious" counts the packets dropped on the Untrusted side during the Pass1 checks because of a suspect format.

Trap name: sfwUntrSipPass2MethodRateInQos0
Trap id: 1011
Severity: Threshold 1 warning, Threshold 2 minor
Description: When raised, the counter "pass2MethodRateInQos0" for the Peer Network identified by "peerNetIndex" has exceeded a threshold; when cleared, it has decreased below the threshold. "pass2MethodRateInQos0" counts the packets on the Untrusted side downgraded to QOS0 during the Pass2 checks. A SIP message is downgraded to QOS0 when abnormal behavior has been observed for a SIP flow with the same IP/SIP signature.

Trap name: sfwUntrSipPass2Drop
Trap id: 1012
Severity: Threshold 1 warning, Threshold 2 minor
Description: When raised, the counter "pass2Drop" for the Peer Network identified by "peerNetIndex" has exceeded a threshold; when cleared, it has decreased below the threshold. "pass2Drop" counts the packets dropped on the Untrusted side during the SIP Pass2 checks.

Trap name: sfwUntrSipMethodRateDrop
Trap id: 1013
Severity: Threshold 1 warning, Threshold 2 minor
Description: When raised, the counter associated with pass2MethodRateDrop, which reports the number of messages dropped because of rate limitation, has exceeded a threshold; when cleared, it has decreased below the threshold. This alarm applies to a specific Peer Network identified by the object peerNetIndex.

Trap name: sfwUntrSipAdmCtlCallDrop
Trap id: 1014
Severity: Threshold 1 warning, Threshold 2 minor
Description: When raised, the counter associated with pass2AdmCtlCallDrop, which reports the number of messages dropped because the INVITE rate is greater than the rate available on the trusted side, has exceeded a threshold; when cleared, it has decreased below the threshold. This alarm applies to a specific Peer Network identified by the object peerNetIndex.

Trap name: sfwUntrIpFragAttackPrevented
Trap id: 1015
Severity: Threshold 1 warning, Threshold 2 minor
Description: Notifies that the SFW detected an IP fragmentation attack and prevented it, i.e.:
- IP fragment overlapped
- IP fragmentation buffer full
- IP fragment overrun
- IP fragment overwrite, etc.
This alarm is raised when the counter sfwUntrustedLowLayerDropFrag has exceeded a threshold and cleared when it has decreased below the threshold.

Trap name: sfwUntrArpAttackPrevented
Trap id: 1016
Severity: Threshold 1 warning, Threshold 2 minor
Description: Notifies that the SFW detected an ARP attack and prevented it, i.e.:
- ARP cache exhaustion and poisoning prevention
- Forged ARP request prevention
- ARP flooding prevention
This alarm is raised when the counter sfwUntrustedLowLayerDropArp has exceeded a threshold and cleared when it has decreased below the threshold.

Trap name: sfwUntrIcmpAttackPrevented
Trap id: 1017
Severity: Threshold 1 warning, Threshold 2 minor
Description: Notifies that the SFW detected an ICMP attack and prevented it. This alarm is raised when the counter sfwUntrustedLowLayerDropIcmp has exceeded a threshold and cleared when it has decreased below the threshold.

Trap name: sfwTrustedLowLayerDrop
Trap id: 1018
Severity: Threshold 1 warning, Threshold 2 minor
Description: When raised, the counter "sfwTrustedLowLayerDrop" has exceeded a threshold; when cleared, it has decreased below the threshold. This counter counts the packets dropped on the Trusted side because of ARP error, IP error, fragmentation error, UDP error, ICMP error, N-Tuple classification error or minimum size error.

Trap name: sfwTrustedSipPass1Drop
Trap id: 1019
Severity: Threshold 1 warning, Threshold 2 minor
Description: When raised, the counter "pass1Drop" for the Peer Network identified by "peerNetIndex" has exceeded a threshold; when cleared, it has decreased below the threshold. "pass1Drop" counts the packets dropped on the Trusted side during the SIP Pass1 checks.

Trap name: sfwTrustedSipPass2Drop
Trap id: 1020
Severity: Threshold 1 warning, Threshold 2 minor
Description: When raised, the counter "pass2Drop" for the Peer Network identified by "peerNetIndex" has exceeded a threshold; when cleared, it has decreased below the threshold. "pass2Drop" counts the packets dropped on the Trusted side during the SIP Pass2 checks.

Trap name: sfwTcpSynFlood
Trap id: 1021
Severity: warning
Description: When raised, this alarm means that a TCP SYN flood attack has been prevented on one of the SFW interfaces. As soon as the TCP SYN flood is detected, a TCP SYN regulation mechanism is started on the SFW interfaces. In that state the TCP SYNs are filtered to prevent the attack, but TCP connection establishment is still possible for non-attackers. Because of the TCP SYN regulation, the alarm is not cleared before 30 seconds, even if the attack only lasted 1 second.

Trap name: sfwTcpResetFlood
Trap id: 1022
Severity: Threshold 1 warning, Threshold 2 minor
Description: When raised, the counter "tcpOutOfSeqResets" for the Peer Network identified by "peerNetIndex" has exceeded a threshold; when cleared, it has decreased below the threshold.

Trap name: sfwTcpErrorsFlood
Trap id: 1023
Severity: Threshold 1 warning, Threshold 2 minor
Description: When raised, the counter "tcpInErrs" for the Peer Network identified by "peerNetIndex" has exceeded a threshold; when cleared, it has decreased below the threshold.

Trap name: sfwConfigurationChanged
Trap id: 1101
Severity: warning
Description: This trap is sent when the SFW configuration has been "certified". The configuration is "certified" by one of the following operations:
- via the CLI command "copy working certified" (this operation is allowed only after a "copy running working");
- via an SNMP set of the object sfwConfigMgmtCopyToFlash to the value copyWorkingCertified(2), in the branch sfwConfigMgmt of the SFW MIB ALU-SFW-MANAGEMENT-MIB.

The SFW raises and clears most of its alarms, sending SNMP traps, when observation counters (or gauges) cross predefined thresholds.
For this kind of alarm there are 2 thresholds per object, which allows the system behavior to be monitored with 2 different severities per alarm.
To make it easy to correlate the counter (or gauge) thresholds with their related alarms, threshold identifiers and trap identifiers share a common id.

Table 2  SFW SNMP TRAPS Thresholds

Threshold names: sfwBoardTemperatureTooHighTh1, sfwBoardTemperatureTooHighTh2
Threshold ids: 1005.1, 1005.2
Associated alarm: sfwBoardTemperatureTooHigh (trap id 1005)
Description: Thresholds on the board temperature. When crossed, an alarm is raised or cleared.

Threshold names: sfwHealthMonCpuAlertTh1, sfwHealthMonCpuAlertTh2
Threshold ids: 1006.1, 1006.2
Associated alarm: sfwHealthMonCpuAlert (trap id 1006)
Description: Thresholds on the board CPU. When crossed, an alarm is raised or cleared.

Threshold names: sfwHealthMonMemAlertTh1, sfwHealthMonMemAlertTh2
Threshold ids: 1007.1, 1007.2
Associated alarm: sfwHealthMonMemAlert (trap id 1007)
Description: Thresholds on the board memory. When crossed, an alarm is raised or cleared.

Threshold names: sfwUntrLowLayerDropTh1, sfwUntrLowLayerDropTh2
Threshold ids: 1008.1, 1008.2
Associated alarm: sfwUntrLowLayerDrop (trap id 1008)
Description: Thresholds on the counter of messages dropped on the Untrusted interface for the following reasons:
- ARP error
- Invalid IP packet
- IP fragmentation error
- Invalid UDP packet
- Invalid ICMP packet
- Unknown source IP address
- Invalid destination IP:port
- UDP packet length below minimum size

Threshold names: sfwUntrSipPass1DropTh1, sfwUntrSipPass1DropTh2
Threshold ids: 1009.1, 1009.2
Associated alarm: sfwUntrSipPass1Drop (trap id 1009)
Description: Thresholds on the counter of messages dropped during SIP pass1 checking on the Untrusted interface for the following reasons:
- Configuration mismatch
- Output overloading
- No RPOC available within a load balancing group
- No Token bucket
- Out Of Sequence SIP message
- Maximum retries has been reached
- Malformed header
- Suspicious header format
- Lack of resources

Threshold names: sfwUntrSipPass1SuspectDropTh1, sfwUntrSipPass1SuspectDropTh2
Threshold ids: 1010.1, 1010.2
Associated alarm: sfwUntrSipPass1SuspectDrop (trap id 1010)
Description: Thresholds on the counter of messages dropped during SIP pass1 parsing because of a suspicious header format.

Threshold names: sfwUntrSipPass2MethodRateInQos0Th1, sfwUntrSipPass2MethodRateInQos0Th2
Threshold ids: 1011.1, 1011.2
Associated alarm: sfwUntrSipPass2MethodRateInQos0 (trap id 1011)
Description: Thresholds on the counter of packets on the Untrusted side downgraded to QOS0 during the Pass2 checks. A SIP message is downgraded to QOS0 when abnormal behavior has been observed for a SIP flow with the same IP/SIP signature.

Threshold names: sfwUntrSipPass2DropTh1, sfwUntrSipPass2DropTh2
Threshold ids: 1012.1, 1012.2
Associated alarm: sfwUntrSipPass2Drop (trap id 1012)
Description: Thresholds on the counter of messages dropped during SIP pass2 checking on the Untrusted interface for the following reasons:
- Method rate limitation
- Malformed header
- Configuration mismatch
- Suspicious header format
- Admission Control
- Out Of Sequence SIP message
- Maximum retries has been reached
- Lack of resources
- SIPP parsing error during regeneration of the SIP message

Threshold names: sfwUntrSipMethodRateDropTh1, sfwUntrSipMethodRateDropTh2
Threshold ids: 1013.1, 1013.2
Associated alarm: sfwUntrSipMethodRateDrop (trap id 1013)
Description: Thresholds on the counter of messages dropped during SIP pass2 checking because of the rate limitation per SIP method.

Threshold names: sfwUntrSipAdmCtlCallDropTh1, sfwUntrSipAdmCtlCallDropTh2
Threshold ids: 1014.1, 1014.2
Associated alarm: sfwUntrSipAdmCtlCallDrop (trap id 1014)
Description: Thresholds on the counter of messages dropped during SIP pass2 checking because of Admission Control (the INVITE rate is greater than the rate available on the trusted side).

Threshold names: sfwUntrustedLowLayerDropFragTh1, sfwUntrustedLowLayerDropFragTh2 (displayed as sfwUntrIpFragAttackPreventedTh1 and sfwUntrIpFragAttackPreventedTh2 by show snmp alarm thresholds)
Threshold ids: 1015.1, 1015.2
Associated alarm: sfwUntrIpFragAttackPrevented (trap id 1015)
Description: Thresholds on the counter of messages dropped because of IP fragmentation errors.

Threshold names: sfwUntrArpAttackPreventedTh1, sfwUntrArpAttackPreventedTh2
Threshold ids: 1016.1, 1016.2
Associated alarm: sfwUntrArpAttackPrevented (trap id 1016)
Description: Thresholds on the counter of ARP errors.

Threshold names: sfwUntrIcmpAttackPreventedTh1, sfwUntrIcmpAttackPreventedTh2
Threshold ids: 1017.1, 1017.2
Associated alarm: sfwUntrIcmpAttackPrevented (trap id 1017)
Description: Thresholds on the counter of ICMP errors.

Threshold names: sfwTrustedLowLayerDropTh1, sfwTrustedLowLayerDropTh2
Threshold ids: 1018.1, 1018.2
Associated alarm: sfwTrustedLowLayerDrop (trap id 1018)
Description: Thresholds on the counter of messages dropped on the Trusted interface for the following reasons:
- ARP error
- Invalid IP packet
- IP fragmentation error
- Invalid UDP packet
- Invalid ICMP packet
- Unknown source IP address
- Invalid destination IP:port
- UDP packet length below minimum size

Threshold names: sfwTrustedSipPass1DropTh1, sfwTrustedSipPass1DropTh2
Threshold ids: 1019.1, 1019.2
Associated alarm: sfwTrustedSipPass1Drop (trap id 1019)
Description: Thresholds on the counter of messages dropped during SIP pass1 checking on the Trusted interface for the following reasons:
- Configuration mismatch
- Out Of Sequence SIP message
- Maximum retries has been reached
- Malformed header
- Suspicious header format
- Lack of resources

Threshold names: sfwTrustedSipPass2DropTh1, sfwTrustedSipPass2DropTh2
Threshold ids: 1020.1, 1020.2
Associated alarm: sfwTrustedSipPass2Drop (trap id 1020)
Description: Thresholds on the counter of messages dropped during SIP pass2 checking on the Trusted interface for the following reasons:
- Malformed header
- Configuration mismatch
- Suspicious header format
- Out Of Sequence SIP message
- Maximum retries has been reached
- Lack of resources
- SIPP parsing error during regeneration of the SIP message

Threshold names: sfwTcpResetFloodTh1, sfwTcpResetFloodTh2
Threshold ids: 1022.1, 1022.2
Associated alarm: sfwTcpResetFlood (trap id 1022)
Description: Thresholds on the counter of TCP resets detected as out-of-sequence.

Threshold names: sfwTcpInErrsTh1, sfwTcpInErrsTh2 (displayed as sfwTcpErrorFloodTh1 and sfwTcpErrorFloodTh2 by show snmp alarm thresholds)
Threshold ids: 1023.1, 1023.2
Associated alarm: sfwTcpErrorsFlood (trap id 1023)
Description: Thresholds on the counter of TCP segments received in error and dropped by the firewall.

Table 3  SFW SNMP TRAPS format

SFW sends SNMP traps using the following X.733 format. This format is also the one described in the Active Alarm Table of the MIB ALCATEL-OMCCN-ALARMMANAGEMENT-MIB.

Field                        Description
TrapSequenceNumber           Sequence number of the sent trap.
Identifier                   Identifies the trap sent.
ManagedObjectClass           Identifies the SFW object class to which the trap applies.
ManagedObjectInstance        Identifies the SFW object instance to which the trap applies.
FriendlyName                 Identifies the name of the SFW sending the trap.
EventType                    Enum value corresponding to the event type according to X.733.
EventTime                    The date and time at which the event indicated in the trap occurred.
Severity                     Enum value corresponding to the severity of the event reported in the trap:
                             Critical = 1, Major = 2, Minor = 3, Warning = 4, Cleared = 5
3GPPProbableCause            Enum value indicating the probable cause according to 3GPP.
SpecificProblem              Provides additional information on the meaning of the trap.
AdditionnalText              Identifies the 7510 hosting the SFW.
ThresholdInfoAttribute       Identifies the name of the SFW counter monitored to send the trap.
ThresholdInfoValue           Value of the SFW counter which triggered the trap.
ThresholdInfoDirection       Direction of the threshold crossing (Up or down; see the example below).
ThresholdInfoTriggerHigh     Higher threshold on the SFW counter identified by ThresholdInfoAttribute.
ThresholdInfoTriggerLow      Lower threshold on the SFW counter identified by ThresholdInfoAttribute.
UserLabel                    Text field explaining the meaning of the trap.
ProposedRepairAction         Explains the actions that could be taken to solve the problem reported by this trap.
AdditionnalInfoName1         Provides additional information on the reason of the trap.
AdditionnalInfoValue1        Provides additional information on the reason of the trap.
AdditionnalInfoName2         Provides additional information on the reason of the trap.
AdditionnalInfoValue2        Provides additional information on the reason of the trap.
AdditionnalInfoName3         Provides additional information on the reason of the trap.
AdditionnalInfoValue3        Provides additional information on the reason of the trap.
AdditionnalInfoName4         Provides additional information on the reason of the trap.
AdditionnalInfoValue4        Provides additional information on the reason of the trap.
AdditionnalInfoName5         Provides additional information on the reason of the trap.
AdditionnalInfoValue5        Provides additional information on the reason of the trap.

SFW Alarm content example:

Field                        sfwLinkDown                                     sfwBoardTemperatureTooHigh
Identifier                   1001                                            1005
ManagedObjectClass           ifTable                                         boardTable
ManagedObjectInstance        ifIndex                                         boardIndex
FriendlyName                 sysName                                         sysName
EventType                    equipment                                       equipment
Severity                     major                                           major
3GPPProbableCause            linkFailure                                     temperatureUnacceptable
SpecificProblem              ifOperStatus                                    none
AdditionnalText              sfw7510Name                                     sfw7510Name
ThresholdInfoAttribute       none                                            boardTemperature
ThresholdInfoValue           none                                            BoardTemperature value
ThresholdInfoDirection       none                                            Up | down
ThresholdInfoTriggerHigh     none                                            sfwBoardTemperatureTooHighTh2 value
ThresholdInfoTriggerLow      none                                            sfwBoardTemperatureTooHighTh1 value
UserLabel                    Link Status Change                              Board Temperature Too High
ProposedRepairAction         See alarm description in SFW proprietary MIB.   See alarm description in SFW proprietary MIB.
AdditionnalInfoName1         ifDescr                                         none
AdditionnalInfoValue1        ifDescr value                                   none
AdditionnalInfoName2         ifAdminStatus                                   none
AdditionnalInfoValue2        ifAdminStatus value                             none
AdditionnalInfoName3         none                                            none
AdditionnalInfoValue3        none                                            none
AdditionnalInfoName4         none                                            none
AdditionnalInfoValue4        none                                            none
AdditionnalInfoName5         none                                            none
AdditionnalInfoValue5        none                                            none

snmp station stationId ip ip_address


Purpose
The purpose of the following command is to create or modify an SNMP station that receives the traps sent by the firewall.
Commands
snmp station stationId ip ip_address [port port_num] community {community_string | username} version {v2c | v3} [enable | disable]
Arguments
stationId
This is the identifier of the SNMP station. Up to 5 SNMP stations can be configured.
ip_address
This is the IP address to which SNMP unicast traps are sent.
port_num
This is the listening UDP port of the SNMP station. This parameter is optional; the default value is 162.
community_string
This is the community string used when sending traps in V2c. The string must be between 1 and 32 characters.
username
This is the username used when sending traps in V3.
version
With this release, traps can be sent in V2c only.
enable | disable
If this parameter is set to disable, SNMP traps are not sent towards the SNMP station.
Example

-> snmp station 1 ip 139.54.128.9 port 163 community public version v2c
enable
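Because the SFW sends its traps in SNMPv2c only, the receiving station has nothing but the community string (carried in clear text) and the source address to decide whether a trap is genuine. The following Python script is an added example, not code from this guide or from the SFW: it builds one constructed sample trap for sfwBoardTemperatureTooHigh with a small BER encoder, then decodes it with a minimal parser that checks the SNMP version, compares the community string in constant time, verifies that the PDU is an SNMPv2-Trap-PDU and maps the Severity enum of Table 3 (Critical = 1 ... Cleared = 5). The sysUpTime and snmpTrapOID objects are the standard ones; the trap-payload OIDs below the SFW branch alcatel-lucent(637).srd(71).sfw(20) are hypothetical placeholders (the real objects are defined in ALCATEL-OMCCN-ALARMMANAGEMENT-MIB), and the sample values are constructed.

```python
# Added example: decode an SNMPv2c trap of the kind the SFW sends (SNMPv2-Trap-PDU,
# tag 0xA7, inside a v2c message). Standard library only. Names prefixed HYP_ are
# hypothetical placeholder OIDs, not the objects of ALCATEL-OMCCN-ALARMMANAGEMENT-MIB.
import hmac

# ---- BER encoding, used only to build the constructed sample trap ----
def _length(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, body):
    return bytes([tag]) + _length(len(body)) + body

def enc_int(value, tag=0x02):
    # non-negative INTEGER / Counter32 / Gauge32 / TimeTicks, minimal length
    return tlv(tag, value.to_bytes(max(1, (value.bit_length() + 8) // 8), "big"))

def enc_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return tlv(0x06, bytes(body))

def enc_v2c_trap(community, varbinds, request_id=1):
    vbl = b"".join(tlv(0x30, enc_oid(oid) + value) for oid, value in varbinds)
    pdu = tlv(0xA7, enc_int(request_id) + enc_int(0) + enc_int(0) + tlv(0x30, vbl))
    return tlv(0x30, enc_int(1) + tlv(0x04, community.encode()) + pdu)  # version 1 == v2c

# ---- BER decoding ----
def read_tlv(buf, pos=0):
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                   # long-form length
        k = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + ln], pos + ln

def dec_seq(body):
    items, pos = [], 0
    while pos < len(body):
        tag, inner, pos = read_tlv(body, pos)
        items.append((tag, inner))
    return items

def dec_oid(body):
    arcs, acc = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def dec_value(tag, body):
    if tag in (0x02, 0x41, 0x42, 0x43):             # INTEGER, Counter32, Gauge32, TimeTicks
        return int.from_bytes(body, "big", signed=(tag == 0x02))
    if tag == 0x04:
        return body.decode("utf-8", "replace")
    if tag == 0x06:
        return dec_oid(body)
    return body                                     # unknown type: keep the raw bytes

def parse_v2c_trap(msg, expected_community):
    """Return {oid: value} for an accepted v2c trap; raise otherwise."""
    tag, body, _ = read_tlv(msg)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    (_, version), (_, community), (pdu_tag, pdu) = dec_seq(body)
    if int.from_bytes(version, "big") != 1:
        raise ValueError("not SNMPv2c")
    # constant-time compare: the community is the only 'credential' a v2c trap carries
    if not hmac.compare_digest(community, expected_community.encode()):
        raise PermissionError("community mismatch")
    if pdu_tag != 0xA7:
        raise ValueError("not an SNMPv2-Trap-PDU")
    _, _, _, (_, varbind_list) = dec_seq(pdu)       # request-id, error-status, error-index, varbinds
    result = {}
    for _, vb in dec_seq(varbind_list):
        (_, oid), (vtag, vbody) = dec_seq(vb)
        result[dec_oid(oid)] = dec_value(vtag, vbody)
    return result

# ---- constructed sample trap: sfwBoardTemperatureTooHigh (1005), major, 68 degrees ----
SYS_UPTIME = "1.3.6.1.2.1.1.3.0"
SNMP_TRAP_OID = "1.3.6.1.6.3.1.1.4.1.0"
SFW_BRANCH = "1.3.6.1.4.1.637.71.20"              # alcatel-lucent(637).srd(71).sfw(20), from the guide
HYP_TRAP_ID = SFW_BRANCH + ".100.1"                # hypothetical object numbers below the branch
HYP_SEVERITY = SFW_BRANCH + ".100.2"
HYP_TH_ATTR = SFW_BRANCH + ".100.3"
HYP_TH_VALUE = SFW_BRANCH + ".100.4"
SEVERITY_NAMES = {1: "critical", 2: "major", 3: "minor", 4: "warning", 5: "cleared"}  # Table 3

SAMPLE_TRAP = enc_v2c_trap("public", [
    (SYS_UPTIME, enc_int(123456, 0x43)),
    (SNMP_TRAP_OID, enc_oid(SFW_BRANCH + ".0.1005")),
    (HYP_TRAP_ID, enc_int(1005)),
    (HYP_SEVERITY, enc_int(2)),
    (HYP_TH_ATTR, tlv(0x04, b"boardTemperature")),
    (HYP_TH_VALUE, enc_int(68, 0x42)),
])

def summarize(msg, community):
    vb = parse_v2c_trap(msg, community)
    return vb[HYP_TRAP_ID], SEVERITY_NAMES[vb[HYP_SEVERITY]], vb[HYP_TH_ATTR], vb[HYP_TH_VALUE]

def rejects(msg, community):
    try:
        parse_v2c_trap(msg, community)
        return False
    except PermissionError:
        return True
```

The community check only filters out traps with a wrong string; it is not authentication, since anyone who can sniff the path between the SFW and the station sees the string. Pair it with a source-address filter on the station (accept traps only from the SFW's address) and plan for lost traps, which is what the Active Alarm Table is for.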

snmp station stationId {enable | disable}


Purpose
The purpose of the following command is to enable or disable SNMP trap forwarding towards a configured SNMP station.
Commands
snmp station stationId {enable | disable}
Arguments
stationId
This is the identifier of the SNMP station.
enable | disable
If this parameter is set to disable the SNMP trap will not be sent towards the SNMP
station.
Example

-> snmp station 1 disable

no snmp station stationId


Purpose
The purpose of the following command is to delete a SNMP station.
Commands
no snmp station stationId
Arguments
stationId
This is the identifier of the SNMP station.
Example
-> no snmp station 1

show snmp station


Purpose
The purpose of the following command is to display the SNMP stations configuration.
Commands
show snmp station
Example
-> show snmp station
+------------+--------------------+--------+----------+-----------+
! Station Id ! IpAddress/udpPort  ! Status ! Protocol ! Community !
+------------+--------------------+--------+----------+-----------+
! 1          ! 139.54.128.9/162   ! Enable ! v2c      ! public    !
! 2          ! 139.54.128.112/162 ! Enable ! v2c      ! public    !
+------------+--------------------+--------+----------+-----------+

show snmp alarm thresholds


Purpose
The purpose of the following command is to display the current configuration of the alarm
thresholds.
Refer to the Table 1 SFW SNMP TRAPS and the Table 2 SFW SNMP TRAPS Thresholds
described at the beginning of this section to get a detailed description of the SNMP alarms
managed by the SFW.
Commands
show snmp alarm thresholds
Outputs information
Ids
There are two thresholds per alarm. If needed, the threshold id identifies the threshold to be modified with the command snmp alarm modify threshold threshold_id value new_value.
Thresholds names
The name of the threshold is provided to easily correlate the threshold with the related SNMP trap.
Values
This is the threshold value.

Example
-> show snmp alarm thresholds
+--------+------------------------------------+--------+
! Ids    ! Thresholds names                   ! values !
+--------+------------------------------------+--------+
! 1005.1 ! sfwBoardTemperatureTooHighTh1      ! 67     !
! 1005.2 ! sfwBoardTemperatureTooHighTh2      ! 70     !
! 1006.1 ! sfwHealthMonCpuAlertTh1            ! 90     !
! 1006.2 ! sfwHealthMonCpuAlertTh2            ! 95     !
! 1007.1 ! sfwHealthMonMemAlertTh1            ! 85     !
! 1007.2 ! sfwHealthMonMemAlertTh2            ! 95     !
! 1008.1 ! sfwUntrLowLayerDropTh1             ! 10000  !
! 1008.2 ! sfwUntrLowLayerDropTh2             ! 50000  !
! 1009.1 ! sfwUntrSipPass1DropTh1             ! 1000   !
! 1009.2 ! sfwUntrSipPass1DropTh2             ! 5000   !
! 1010.1 ! sfwUntrSipPass1SuspectDropTh1      ! 100    !
! 1010.2 ! sfwUntrSipPass1SuspectDropTh2      ! 500    !
! 1011.1 ! sfwUntrSipPass2MethodRateInQos0Th1 ! 100    !
! 1011.2 ! sfwUntrSipPass2MethodRateInQos0Th2 ! 500    !
! 1012.1 ! sfwUntrSipPass2DropTh1             ! 100    !
! 1012.2 ! sfwUntrSipPass2DropTh2             ! 500    !
! 1013.1 ! sfwUntrSipMethodRateDropTh1        ! 100    !
! 1013.2 ! sfwUntrSipMethodRateDropTh2        ! 500    !
! 1014.1 ! sfwUntrSipAdmCtlCallDropTh1        ! 100    !
! 1014.2 ! sfwUntrSipAdmCtlCallDropTh2        ! 500    !
! 1015.1 ! sfwUntrIpFragAttackPreventedTh1    ! 1000   !
! 1015.2 ! sfwUntrIpFragAttackPreventedTh2    ! 5000   !
! 1016.1 ! sfwUntrArpAttackPreventedTh1       ! 1000   !
! 1016.2 ! sfwUntrArpAttackPreventedTh2       ! 5000   !
! 1017.1 ! sfwUntrIcmpAttackPreventedTh1      ! 1000   !
! 1017.2 ! sfwUntrIcmpAttackPreventedTh2      ! 5000   !
! 1018.1 ! sfwTrustedLowLayerDropTh1          ! 1000   !
! 1018.2 ! sfwTrustedLowLayerDropTh2          ! 5000   !
! 1019.1 ! sfwTrustedSipPass1DropTh1          ! 100    !
! 1019.2 ! sfwTrustedSipPass1DropTh2          ! 500    !
! 1020.1 ! sfwTrustedSipPass2DropTh1          ! 100    !
! 1020.2 ! sfwTrustedSipPass2DropTh2          ! 500    !
! 1022.1 ! sfwTcpResetFloodTh1                ! 100    !
! 1022.2 ! sfwTcpResetFloodTh2                ! 500    !
! 1023.1 ! sfwTcpErrorFloodTh1                ! 100    !
! 1023.2 ! sfwTcpErrorFloodTh2                ! 500    !
+--------+------------------------------------+--------+

snmp alarm modify threshold threshold_id


Purpose
The purpose of the following command is to modify a threshold value associated with an SNMP
trap. This operation must be done with caution because the SFW raises or clears alarms based on
the fact that counters or gauges are crossing thresholds.
Commands
snmp alarm modify threshold threshold_id value new_value
Arguments
threshold_id
This is the identifier of the alarm threshold to be modified. The command show snmp alarm thresholds allows the threshold ids to be retrieved. There are 2 thresholds per alarm, to manage 2 severities per alarm. Keep the Th1 value below the Th2 value: Th1 carries the lower severity and Th2 the higher one.
new_value
For alarm 1005 the thresholds are given in degrees Celsius.
For alarms 1006 and 1007, the thresholds represent a percentage of CPU or memory.
For the other alarms, the thresholds represent a number of events per second.
For example:
+--------+------------------------------------+--------+
! Ids    ! Thresholds names                   ! values !
+--------+------------------------------------+--------+
! 1010.1 ! sfwUntrSipPass1SuspectDropTh1      ! 100    !
+--------+------------------------------------+--------+

Alarm 1010 is raised when the gauge associated with the counter "pass1DropSipSuspicious" exceeds the threshold value 100. The gauge is the variation of the counter during one second.

Refer to the Table 1 SFW SNMP TRAPS and the Table 2 SFW SNMP TRAPS
Thresholds described at the beginning of this section to get a detailed description
of the SNMP alarms managed by the SFW.
Example
-> snmp alarm modify threshold 1010.1 value 200

show snmp trap config


Purpose
The purpose of the following command is to display information about the traps managed by
the SFW.
Commands
show snmp trap config
Outputs information
Traps list
The SNMP trap names are chosen to be meaningful.
Id
This is the identifier of the SNMP trap.
Severity
This is the alarm severity associated with the SNMP trap.
Most of the alarms are managed with 2 thresholds, which allows 2 severities to be managed. The severity displayed by show snmp trap config is the severity associated with the lower threshold.

Refer to Table 1 SFW SNMP TRAPS and Table 2 SFW SNMP TRAPS Thresholds described at the beginning of this section for a detailed description of the SNMP alarms managed by the SFW.
Filter-delay
By default most of the traps are absorbed with a delay of 2 seconds, but this value can be modified with the command snmp trap trap_id filter-delay delay.
Status
enable means that the SNMP trap is sent if the corresponding event occurs.
By default all traps are enabled, but a trap can be disabled with the command snmp trap trap_id {enable | disable}.

Example
-> show snmp trap config
+-----------------------------------+------+----------+--------------+--------+
! Traps list                        ! Id   ! Severity ! Filter-delay ! Status !
+-----------------------------------+------+----------+--------------+--------+
! sfwLinkDown                       ! 1001 ! major    ! 1            ! enable !
! sfwBoardActLossStbSupervision     ! 1002 ! major    ! 2            ! enable !
! sfwIbcfCcsStatusChange            ! 1003 ! warning  ! 4            ! enable !
! sfwLoadBalancingGroupStatusChange ! 1004 ! major    ! 4            ! enable !
! sfwBoardTemperatureTooHigh        ! 1005 ! major    ! 10           ! enable !
! sfwHealthMonCpuAlert              ! 1006 ! major    ! 10           ! enable !
! sfwHealthMonMemAlert              ! 1007 ! major    ! 10           ! enable !
! sfwUntrLowLayerDrop               ! 1008 ! warning  ! 2            ! enable !
! sfwUntrSipPass1Drop               ! 1009 ! warning  ! 2            ! enable !
! sfwUntrSipPass1SuspectDrop        ! 1010 ! warning  ! 2            ! enable !
! sfwUntrSipPass2MethodRateInQos0   ! 1011 ! warning  ! 2            ! enable !
! sfwUntrSipPass2Drop               ! 1012 ! warning  ! 2            ! enable !
! sfwUntrSipMethodRateDrop          ! 1013 ! warning  ! 2            ! enable !
! sfwUntrSipAdmCtlCallDrop          ! 1014 ! warning  ! 2            ! enable !
! sfwUntrIpFragAttackPrevented      ! 1015 ! warning  ! 2            ! enable !
! sfwUntrArpAttackPrevented         ! 1016 ! warning  ! 2            ! enable !
! sfwUntrIcmpAttackPrevented        ! 1017 ! warning  ! 2            ! enable !
! sfwTrustedLowLayerDrop            ! 1018 ! warning  ! 2            ! enable !
! sfwTrustedSipPass1Drop            ! 1019 ! warning  ! 2            ! enable !
! sfwTrustedSipPass2Drop            ! 1020 ! warning  ! 2            ! enable !
! sfwTcpSynFlood                    ! 1021 ! warning  ! 2            ! enable !
! sfwTcpResetFlood                  ! 1022 ! warning  ! 2            ! enable !
! sfwTcpErrorFlood                  ! 1023 ! warning  ! 2            ! enable !
! sfwConfigMgmtCopyToFlash          ! 1101 ! warning  ! 2            ! enable !
+-----------------------------------+------+----------+--------------+--------+
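To spot traps that were disabled or slowed down between two captures of show snmp trap config, the following added example (not SFW code) parses the "!"-bordered table format shown above and diffs a capture against a baseline. Both tables are constructed excerpts; the baseline uses the documented defaults.

```python
"""Parse the '!'-bordered tables printed by the SFW CLI and diff a captured
'show snmp trap config' against a baseline to spot traps that were silenced
or slowed down. Added example, not SFW code; both tables are constructed
excerpts in the format the CLI prints (the baseline uses the defaults)."""

BASELINE_EXCERPT = """\
+-----------------------------------+------+----------+--------------+--------+
! Traps list                        ! Id   ! Severity ! Filter-delay ! Status !
+-----------------------------------+------+----------+--------------+--------+
! sfwLinkDown                       ! 1001 ! major    ! 1            ! enable !
! sfwUntrSipPass2MethodRateInQos0   ! 1011 ! warning  ! 2            ! enable !
! sfwTcpSynFlood                    ! 1021 ! warning  ! 2            ! enable !
! sfwTcpResetFlood                  ! 1022 ! warning  ! 2            ! enable !
+-----------------------------------+------+----------+--------------+--------+
"""

# Constructed: the same excerpt after 'snmp trap 1021 filter-delay 30' and
# 'snmp trap 1022 disable' were run, and with trap 1011 absent from the output.
CURRENT_EXCERPT = """\
+-----------------------------------+------+----------+--------------+--------+
! Traps list                        ! Id   ! Severity ! Filter-delay ! Status !
+-----------------------------------+------+----------+--------------+--------+
! sfwLinkDown                       ! 1001 ! major    ! 1            ! enable !
! sfwTcpSynFlood                    ! 1021 ! warning  ! 30           ! enable !
! sfwTcpResetFlood                  ! 1022 ! warning  ! 2            ! disable !
+-----------------------------------+------+----------+--------------+--------+
"""


def parse_bang_table(text):
    """Turn a '+---+' bordered, '!'-separated CLI table with a one-line header
    into a list of {column: value} dicts. Border and blank lines are skipped."""
    header, rows = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("!"):
            continue
        cells = [c.strip() for c in line.strip("!").split("!")]
        if header is None:
            header = cells
        elif len(cells) != len(header):
            raise ValueError(f"expected {len(header)} cells, got {len(cells)}: {line}")
        else:
            rows.append(dict(zip(header, cells)))
    return rows


WATCHED = ("Filter-delay", "Status")   # the two columns the snmp trap commands change


def diff_trap_config(baseline_rows, current_rows):
    """Return (trap name, column, baseline value, current value) for every
    watched column that differs, plus a 'present' entry for traps the current
    output no longer lists. The trap Id is the join key."""
    current = {r["Id"]: r for r in current_rows}
    changes = []
    for b in baseline_rows:
        c = current.get(b["Id"])
        if c is None:
            changes.append((b["Traps list"], "present", "yes", "missing"))
            continue
        for col in WATCHED:
            if b[col] != c[col]:
                changes.append((b["Traps list"], col, b[col], c[col]))
    return changes


def silenced_traps(rows):
    """Trap names whose Status is anything other than 'enable'."""
    return [r["Traps list"] for r in rows if r["Status"] != "enable"]


if __name__ == "__main__":
    for change in diff_trap_config(parse_bang_table(BASELINE_EXCERPT),
                                   parse_bang_table(CURRENT_EXCERPT)):
        print(change)
```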

snmp trap trap_id filter-delay delay


Purpose
The SFW SNMP agent polls objects (counters, gauges, status) to check whether a condition is reached and, if so, sends the appropriate SNMP traps to report alarms or events. The default polling timer is 1, 2, 4 or 10 seconds depending on the trap id.
For example, the trap sfwBoardTemperatureTooHigh has a default filter delay of 10 seconds, which means that the temperature is checked every 10 seconds.
This polling interval can be modified for each trap.
Commands
snmp trap trap_id filter-delay delay
Arguments
trap_id
This is the identifier of the trap to be modified. The command show snmp trap config
allows retrieving the Trap Ids.
delay
This is the new filtering delay in seconds.
Example
-> snmp trap 1011 filter-delay 5

snmp trap trap_id {enable | disable}


Purpose
The purpose of the following command is to enable or disable the sending of a trap. By default all
traps are enabled.
Commands
snmp trap trap_id {enable | disable}
Arguments
trap_id
This is the identifier of the trap to be modified. The command show snmp trap config
allows retrieving the Trap Ids.
Example
-> snmp trap 1011 disable

snmp trap restore default


Purpose
The purpose of the following command is to restore the default values (filtering delay and status) for trap management.
Commands
snmp trap restore default

show snmp alarm active


Purpose
The purpose of the following command is to display the alarms currently active, that is, the alarms that have been raised by sending an SNMP trap but not yet cleared.
This CLI provides the same information as an SNMP GET on the table activeAlarmsTable of the proprietary MIB ALCATEL-OMCCNALARMMANAGEMENT-MIB.
Commands
show snmp alarm active
Outputs information
Sequence number
This is the trapSequenceNumber set in the corresponding SNMP traps.
trap id & trap name
Identify the alarm.
MIB object
Identifies the SFW object causing the alarm.

Example
-> show snmp alarm active
+----------+------+----------------------------+---------------+----------------------+----------+
! Sequence ! trap ! trap name                  ! MIB object    ! date and time        ! severity !
! number   ! id   !                            !               !                      !          !
+----------+------+----------------------------+---------------+----------------------+----------+
! 27       ! 1005 ! sfwBoardTemperatureTooHigh ! boardTable.10 ! 2011 Jul 12 9:40:58  ! major    !
! 26       ! 1005 ! sfwBoardTemperatureTooHigh ! boardTable.11 ! 2011 Jul 12 9:40:58  ! major    !
! 13       ! 1001 ! sfwLinkDown                ! ifTable.117   ! 2011 Jul 12 2:21:50  ! major    !
! 12       ! 1001 ! sfwLinkDown                ! ifTable.116   ! 2011 Jul 12 2:21:50  ! major    !
! 8        ! 1001 ! sfwLinkDown                ! ifTable.107   ! 2011 Jul 12 2:21:50  ! major    !
! 7        ! 1001 ! sfwLinkDown                ! ifTable.106   ! 2011 Jul 12 2:21:50  ! major    !
+----------+------+----------------------------+---------------+----------------------+----------+

17

Users Management

Purpose

This paragraph provides information about Users Management on the SIP firewall.

Introduction

The User Management CLI commands allow you to create, modify or delete the users authorized to manage the SFW firewall via the CLI.
Additionally, with the commands listed hereafter, the CLI commands are partitioned according to the user level parameter.

Summary of the CLI for Users Management


Users management
user username password
user username level {adm|ope|viewer}
user username no-snmp
user username auth {sha | md5} priv {aes | des}
no user username
show user [adm|ope|viewer]
show user cmd [adm|ope|viewer]

user username password


Purpose
The purpose of the following command is to create a user entry in the local user database. You must be logged in with Administrator privileges to be authorized to run this command.
Additionally, this command allows the operator to modify a user's password.
Users with Administrator privileges can change the password of any user.
Users with operator or viewer privileges can change only their own password.
By default, a new user is created with operator privileges. This can be modified later with the CLI command user username level {adm|ope|viewer}.

Commands
user username password
Arguments
username
This is the name of the user used for logging into the SFW.
password
The password is not displayed in clear text and must be entered twice for security reasons.
-> user sfwUser password
enter password : *********
password again : *********
Command successful

The password minimum length is 8 alphanumeric characters.
These characters must be chosen from the following 4 categories:
Digits [0-9]
Lower case letters [a-z]
Upper case letters [A-Z]
Special characters [[!"#$%&')*+,-./;<=>?@\^_`|}~]]
The password must contain characters from at least 3 of these categories.
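A checker for the password rules just listed, added here as an example; it is not SFW code (the SFW enforces the rules itself when the password is entered twice) but lets an operator pre-check a candidate password. The special-character set is the one printed above.

```python
"""Check a candidate SFW CLI password against the rules listed above:
minimum 8 characters, every character from one of the 4 categories, and
at least 3 categories used. Added example, not SFW code."""
import string

MIN_LENGTH = 8
MIN_CATEGORIES = 3
CATEGORIES = {
    "digit": set(string.digits),
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    # special-character set exactly as printed in the rule above
    "special": set(r'''!"#$%&')*+,-./;<=>?@\^_`|}~'''),
}
ALLOWED = set().union(*CATEGORIES.values())


def check_password(pw):
    """Return the list of rule violations; an empty list means the password is acceptable."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    bad = sorted({c for c in pw if c not in ALLOWED})
    if bad:
        problems.append("characters outside the four allowed categories: " + repr("".join(bad)))
    used = [name for name, chars in CATEGORIES.items() if any(c in chars for c in pw)]
    if len(used) < MIN_CATEGORIES:
        problems.append(f"uses only {len(used)} of the {MIN_CATEGORIES} required categories "
                        f"({', '.join(used) or 'none'})")
    return problems


if __name__ == "__main__":
    for candidate in ("Sfw!2015", "sfwuser1", "Sfw 2015"):   # constructed samples
        print(candidate, "->", check_password(candidate) or "OK")
```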

user username level {adm | ope | viewer}


Purpose
The purpose of the following command is to modify the privileges of a user and thus the authorized CLI domains. By default, users are created with operator privileges.
You must be logged in with Administrator privileges to be authorized to run this command.
Commands
user username level {adm|ope|viewer}
Arguments
level
There are three user levels with different privileges.

level viewer
This is the lowest level. It gives limited privileges to the user.
Such a user can run only the show CLI commands, to display the SFW configuration.
The command show user cmd viewer provides the list of commands authorized for this level.

level ope
This is the intermediate level. It gives operator privileges to the user.
This means that the user can run all CLI commands except the commands that create, modify or delete users.
The command show user cmd ope provides the list of commands authorized for this level in addition to the lower level.

level adm
This is the highest level. It gives administrator privileges to the user.
This means that the user can run all CLI commands.
The command show user cmd adm provides the list of commands authorized for this level in addition to the lower levels.
Example
-> user visitor level viewer

user username no snmp


Purpose

The purpose of the following command is to deny SNMP access to the switch for the
specified user.

Commands
user username no snmp
Arguments
username
This is the name of the user.
Example
-> user visitorCLI no snmp

user username auth {sha | md5} priv {aes | des}


Purpose

The purpose of the following command is to configure the SNMPv3 authentication and encryption algorithms for a given user.

Commands
user username auth {sha | md5} priv {aes | des}
Arguments
username
This is the name of the user.
auth
Specifies whether the SHA or the MD5 authentication algorithm is used to authenticate SNMP PDUs for the user.
priv
Specifies whether the AES or the DES encryption standard is used to encrypt SNMP PDUs for the user. Where the management station supports them, sha and aes are the stronger choices; md5 and des are the older, weaker algorithms.
Example
-> user admin auth sha priv des

no user username
Purpose

The purpose of the following command is to delete a user entry in the local user database.
You must be logged with Administrator privilege to be authorized to run this command.
Commands
no user username
Arguments
username
This is the name of the user to be deleted.
Example
-> no user visitor

show user cmd [adm|ope|viewer]


Purpose

The purpose of the following command is to display the list of CLI commands allowed for a given user level, in addition to the commands authorized for the lower level.
This means, for example, that the output of show user cmd ope does not include the show commands inherited from the lower user level viewer.
If the user level is not provided, all CLI commands are displayed with their respective level.
Commands
show user cmd [adm | ope | viewer]

Example
-> show user cmd viewer
+--------+------+----------------------------------------------------------+
! Level  ! Mode ! CLI                                                      !
+--------+------+----------------------------------------------------------+
! viewer ! All  ! show snmp trap active                                    !
! viewer ! All  ! show snmp alarm active                                   !
! viewer ! All  ! show monitoring-host statistics                          !
! viewer ! All  ! show dscp default                                        !
! viewer ! All  ! show certificate local [<1..32>]                         !
! viewer ! All  ! show certificate ca [<1..64>]                            !
! viewer ! All  ! show certificate local {details|pem} <1..32>             !
! viewer ! All  ! show certificate ca {details|pem} <1..64>                !
! viewer ! All  ! show tls-profile [<1..32>]                               !
! viewer ! All  ! show dns-internal [peer-net <1..2047>]                   !
! viewer ! All  ! show sfw status                                          !
! viewer ! All  ! show peer-net [<1..2047>] connectivity                   !
! viewer ! All  ! show load-balancing-group [<1..32>] connectivity         !
! viewer ! All  ! show ntp server                                          !
! viewer ! All  ! show tcp statistics oam                                  !
! viewer ! All  ! show tcp statistics untrusted [<1..2047>]                !
! viewer ! All  ! show tcp statistics trusted [<1..2047>]                  !
! viewer ! All  ! show tcp statistics                                      !
! viewer ! All  ! show tcp syn                                             !
! viewer ! All  ! show system                                              !
+--------+------+----------------------------------------------------------+
! Level  ! Mode ! CLI                                                      !
+--------+------+----------------------------------------------------------+
! viewer ! All  ! show syslog                                              !
! viewer ! All  ! show snmp community                                      !
! viewer ! All  ! show snmp station                                        !
! viewer ! All  ! show snmp alarm config                                   !
! viewer ! All  ! show snmp trap config                                    !
! viewer ! All  ! show configuration consistency                           !
! viewer ! All  ! show snmp trap thresholds                                !
! viewer ! All  ! show snmp alarm thresholds                               !
! viewer ! All  ! show monitoring-host                                     !
! viewer ! All  ! show user cmd [adm|ope|viewer]                           !
! viewer ! All  ! show running-directory                                   !
! viewer ! All  ! show peer-net <1..2047> lpoc                             !
! viewer ! All  ! show trunk [trusted|untrusted|oam|inter-dhspp4] port     !
! viewer ! All  ! show configuration {running|working|certified}           !
! viewer ! All  ! show interfaces [S/P]                                    !
! viewer ! All  ! show load-balancing-group [<1..32>] rpoc [<1..32>]       !
! viewer ! All  ! show vlan [<0..4095>]                                    !
! viewer ! All  ! show trunk [trusted|untrusted|oam|inter-dhspp4]          !
! viewer ! All  ! show security-profile [<1..32>]                          !
! viewer ! All  ! show peer-net [<1..2047>] rpoc [<1..63>]                 !
+--------+------+----------------------------------------------------------+
! Level  ! Mode ! CLI                                                      !
+--------+------+----------------------------------------------------------+
! viewer ! All  ! show peer-net [<1..2047>]                                !
! viewer ! All  ! show peer-net [<1..2047>] statistics [trusted|untrusted] !
! viewer ! All  ! show lpoc [untrusted [<1..128>]]                         !
! viewer ! All  ! show lpoc [trusted [<1..128>]]                           !
! viewer ! All  ! show port [untrusted [<1..128>]]                         !
! viewer ! All  ! show port [trusted [<1..128>]]                           !
! viewer ! All  ! show load-balancing-group [<1..32>]                      !
! viewer ! All  ! show peer-net [<1..2047>] filter [<1..32>]               !
! viewer ! CLI  ! history                                                  !
! viewer ! CLI  ! quit                                                     !
+--------+------+----------------------------------------------------------+

show user [adm|ope|viewer]


Purpose

The purpose of the following command is to display the existing users.


Commands
show user [adm | ope | viewer]

Example
-> show user
+-----------------+-------+------+------+
! name            ! level ! auth ! priv !
+-----------------+-------+------+------+
! root            ! admin ! none ! none !
! sfwNonRegTester ! admin ! sha  ! des  !
+-----------------+-------+------+------+

18

Syslog Management

Purpose

This paragraph provides information about Syslog Management on the SIP firewall.

Introduction

The SFW supports sending SYSLOG messages in accordance with RFC 3164 and RFC 5424. SYSLOG messages are transmitted over UDP, according to RFC 5426.
SYSLOG messages can be sent either on the oam interface or on the trusted interface.

Summary of the CLI for Syslog Management


Syslog management
syslog-server oam ip ip-address [port port-nb]
syslog-server trusted ip ip-address [port port-nb] vlan vlan-id lpoc lpoc-id
syslog-server [ip ip-address] [port port-nb] [vlan vlan-id] [lpoc lpoc-id]
syslog [rate messages-per-seconds] [length max-message-length] [facility facility-code]
[rfc3164|rfc5424]
no syslog-server
show syslog

syslog-server oam ip ip-address


Purpose
The purpose of the following command is to define a syslog-server accessible via the OAM interface, that is, via the Ethernet port used for accessing the SFW CLI session through the SCM board.
In that case the source IP address of the Syslog messages is the OAM IP address of the SFW.

Commands
syslog-server oam ip ip-address [port port-nb]
Arguments
ip-address
This is the IPv4 address of the Syslog server.
port-nb
This is the UDP listening port of the Syslog server. If port-nb is not specified, the default
SYSLOG UDP port number is 514.

Example
-> syslog-server oam ip 155.132.232.30

syslog-server trusted ip ip-address


Purpose
The purpose of the following command is to define a syslog-server accessible via the trusted interface.

Commands
syslog-server trusted ip ip-address [port port-nb] vlan vlan-id lpoc lpoc-id
Arguments
ip-address
This is the IPv4 address of the Syslog server.
port-nb
This is the UDP listening port of the Syslog server. If port-nb is not specified, the default
SYSLOG UDP port number is 514.
vlan-id
This is the Vlan identifier on the trusted side of the firewall on which the Syslog messages
have to be sent to reach the syslog server.
lpoc-id
The lpoc-id sets the source IP address of the Syslog messages to be sent. It must be a trusted lpoc. Run the command show lpoc trusted to choose the lpoc-id according to the source IPv4 address you want for Syslog messages.

Example
-> syslog-server trusted ip 192.168.2.33 port 514 vlan 200 lpoc 128

syslog-server [ip] [port] [vlan] [lpoc]


Purpose
The purpose of the following command is to modify the attributes of a syslog-server.

Commands
syslog-server [ip ip-address] [port port-nb] [vlan vlan-id] [lpoc lpoc-id]
Arguments
ip-address
This is the IPv4 address of the Syslog server.
port-nb
This is the UDP listening port of the Syslog server. If port-nb is not specified, the default
SYSLOG UDP port number is 514.
vlan-id
This is the Vlan identifier on the trusted side of the firewall on which the Syslog messages
have to be sent to reach the syslog server. The modification of the vlan-id is only possible
if the syslog-server has been defined as accessible via the trusted interface via the
command syslog-server trusted ip.
lpoc-id
The lpoc-id sets the source IP address of the Syslog messages to be sent. It must be a trusted lpoc. Run the command show lpoc trusted to choose the lpoc-id according to the source IPv4 address you want for Syslog messages. The modification of the lpoc-id is only possible if the syslog-server has been defined as accessible via the trusted interface via the command syslog-server trusted ip.

Example
-> syslog-server ip 192.168.2.34
-> syslog-server port 512
-> syslog-server vlan 201

syslog [rate] [length] [facility] [rfc3164 | rfc5424]


Purpose
The behavior of SYSLOG client on SFW can be modified using the following command.

Commands
syslog [rate messages-per-seconds] [length max-message-length] [facility facility-code]
[rfc3164|rfc5424]
Arguments
messages-per-seconds
Output rate for SYSLOG messages [0..100]. If messages-per-seconds is not specified, a default value of 50 is used.
max-message-length
Maximum SYSLOG message length [480..8000]. If max-message-length is not specified, a default value of 1024 is used.
facility-code
SYSLOG facility code [0..23]. The facility-code value is taken from the System Message Facilities list of RFC 5424. It is used to build the PRI field of the SYSLOG message. If not specified, a default value of 1 (user-level messages) is used.
Numerical Code  Facility
0               kernel messages
1               user-level messages
2               mail system
3               system daemons
4               security/authorization messages
5               messages generated internally by syslogd
6               line printer subsystem
7               network news subsystem
8               UUCP subsystem
9               clock daemon
10              security/authorization messages
11              FTP daemon
12              NTP subsystem
13              log audit
14              log alert
15              clock daemon (note 2)
16              local use 0 (local0)
17              local use 1 (local1)
18              local use 2 (local2)
19              local use 3 (local3)
20              local use 4 (local4)
21              local use 5 (local5)
22              local use 6 (local6)
23              local use 7 (local7)


rfc3164 | rfc5424
Selects whether the SYSLOG message format conforms to RFC 3164 or to RFC 5424. The default SYSLOG message format conforms to RFC 3164.

Example
-> syslog rate 10 length 512 facility 1
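An added example, not SFW code, that builds and decodes datagrams with the parameters this command sets: the PRI field from the facility code, the RFC 3164 and RFC 5424 layouts, the byte cap from length and the per-second budget from rate. The hostname, tag, message text and timestamp are constructed.

```python
"""Build and decode syslog datagrams the way the 'syslog' command above
parameterises them: facility [0..23], RFC 3164 or RFC 5424 layout, a byte
cap on message length and a messages-per-second output rate.
Added example, not SFW code; hostname, tag, text and timestamp are constructed."""
from datetime import datetime, timezone

# RFC 5424 facility table as reproduced above (index = numerical code)
FACILITY_NAMES = (
    "kernel messages", "user-level messages", "mail system", "system daemons",
    "security/authorization messages", "messages generated internally by syslogd",
    "line printer subsystem", "network news subsystem", "UUCP subsystem",
    "clock daemon", "security/authorization messages", "FTP daemon",
    "NTP subsystem", "log audit", "log alert", "clock daemon",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
)
SEV_WARNING, SEV_INFO = 4, 6       # RFC 5424 severity codes
SAMPLE_TS = datetime(2015, 7, 1, 9, 5, 3, tzinfo=timezone.utc)   # constructed


def pri(facility, severity):
    """PRI = facility * 8 + severity (RFC 3164 sect. 4.1.1, RFC 5424 sect. 6.2.1)."""
    if not 0 <= facility <= 23:
        raise ValueError(f"facility {facility} outside [0..23]")
    if not 0 <= severity <= 7:
        raise ValueError(f"severity {severity} outside [0..7]")
    return facility * 8 + severity


def decode_pri(datagram):
    """Split the leading '<PRI>' of a received datagram into (facility name, severity)."""
    if not datagram.startswith("<") or ">" not in datagram:
        raise ValueError("datagram does not start with <PRI>")
    value = int(datagram[1:datagram.index(">")])
    return FACILITY_NAMES[value // 8], value % 8


def format_rfc3164(facility, severity, ts, hostname, tag, msg):
    """<PRI>Mmm dd hh:mm:ss HOSTNAME TAG: MSG; the day is space-padded to 2 characters."""
    stamp = ts.strftime("%b ") + f"{ts.day:2d}" + ts.strftime(" %H:%M:%S")
    return f"<{pri(facility, severity)}>{stamp} {hostname} {tag}: {msg}"


def format_rfc5424(facility, severity, ts, hostname, app, msg):
    """<PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG,
    with '-' (NILVALUE) for the fields this example does not fill; ts is made UTC."""
    stamp = ts.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return f"<{pri(facility, severity)}>1 {stamp} {hostname} {app} - - - {msg}"


def cap_length(datagram, max_len=1024):
    """Apply the 'length' setting [480..8000] (default 1024) as a byte cap on the UDP payload."""
    if not 480 <= max_len <= 8000:
        raise ValueError("length must be within [480..8000]")
    return datagram.encode("utf-8")[:max_len]


class RateLimiter:
    """Fixed-window limiter for the 'rate' setting [0..100] messages per second
    (default 50). allow() takes the current time so it can be driven deterministically."""

    def __init__(self, per_second=50):
        if not 0 <= per_second <= 100:
            raise ValueError("rate must be within [0..100]")
        self.per_second, self.window, self.sent = per_second, None, 0

    def allow(self, now):
        window = int(now)
        if window != self.window:          # new one-second window: reset the budget
            self.window, self.sent = window, 0
        if self.sent >= self.per_second:
            return False                   # over budget: this message is dropped
        self.sent += 1
        return True


if __name__ == "__main__":
    print(format_rfc3164(1, SEV_INFO, SAMPLE_TS, "sfw", "sfwd", "hello"))
    print(format_rfc5424(11, SEV_WARNING, SAMPLE_TS, "sfw", "sfwd", "hello"))
```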

no syslog-server
Purpose
The following command deletes the SYSLOG server configuration.
Commands
no syslog-server

3FZ 08139 ACAA PCZZA


Edition 07
July 2015

Alcatel-Lucent Proprietary
Use pursuant to applicable agreements

267

Syslog Management

show syslog

show syslog
Purpose
The following command displays SYSLOG server and client configuration.
Commands
show syslog
Example
-> show syslog
Interface         : trusted
Server IP address : 192.168.2.234
Server Port       : 514
lpoc              : 1
Vlan              : 1
rate              : 50
length            : 1024
rfc               : rfc5424
facility          : 1

-> show syslog
Interface         : oam
Server IP address : 192.168.10.104
Server Port       : 514
lpoc              : 0
Vlan              : 0
rate              : 50
length            : 1024
rfc               : rfc3164
facility          : 11

19

NTP servers Management

Purpose

This paragraph provides information about the configuration of the NTP servers on the
SFW.

Summary of the CLI for NTP servers Management


NTP servers management
ntp server serverId ip ip_address
no ntp server serverId
show ntp server

ntp server serverId ip ip-address


Purpose
The purpose of the following command is to define an NTP server. NTP servers must be accessible via the OAM interface, that is, via the Ethernet port used for accessing the SFW CLI session through the SCM board.

Commands
ntp server serverId ip ip_address
Arguments
serverId
This is the identifier of the NTP server. Up to 3 NTP servers can be created.
ip-address
This is the IPv4 address of the NTP server.

Example
-> ntp server 1 ip 155.132.232.21

no ntp server serverId


Purpose
The purpose of the following command is to delete an NTP server.

Commands
no ntp server serverId
Arguments
serverId
This is the identifier of the NTP server to be deleted.

Example
-> no ntp server 1

show ntp server


Purpose
The purpose of the following command is to display the NTP servers configuration.

Commands
show ntp server

Example
-> show ntp server
!           ! 135.117.121.10 !
! 3         ! 155.132.232.30 !
+-----------+----------------+

20

Monitoring SIP messages dropped

Purpose
To be able to track SIP packets rejected by the firewall, either because of a DoS attack or because of a misconfiguration, you can define a host to which these packets are forwarded.
The Monitoring-Host can be reachable either via the OAM interface or via the Trusted interface of the firewall.

Summary of the CLI for Monitoring-Host Management


Monitoring-Host management
monitoring-host trusted ip ipAddress port ipPort lpoc trustedLpoc vlan vlanId rate msgsec
monitoring-host oam ip ipAddress port ipPort rate msgsec
monitoring-host [ip ipAddress] [port ipPort] [lpoc <1..128>] [vlan vlanId] [rate msgsec ]
show monitoring-host

monitoring-host trusted ip ip-address port ipPort


Purpose
The purpose of the following command is to define a Monitoring-Host, reachable via the Trusted interface of the firewall, to which the SIP packets detected as invalid and dropped are forwarded.

Commands
monitoring-host trusted ip ipAddress port ipPort lpoc trustedLpoc vlan vlanId rate msgsec
Arguments
ip-address
This is the IPv4 address of the Monitoring-Host. It must be located on the trusted side of
the firewall.
ipPort
This is the destination port for the packets sent to the Monitoring-Host.
trustedLpoc
The source IP address of the packets sent to the Monitoring-Host will be the IP address
assigned to the Trusted LPOC mentioned here. Run the command show lpoc trusted
to get the list of LPOC and related IP addresses. Any trusted LPOC can be selected. A
specific trusted LPOC can also be configured to assign a dedicated source IP address for
the messages sent to the Monitoring-Host.
vlan
This is the vlan identifier, on the trusted side, allowing the Monitoring-Host to be reached.
rate
This is the rate limiter associated with the monitoring feature, limiting the number of forwarded messages. The rate limiter must be set between 1 and 10 messages per second. The default value is 10.

Example
-> monitoring-host trusted ip 192.168.2.110 port 5060 lpoc 128 vlan 200 rate 10

Additional information
On the monitoring host you just need to run Wireshark.
When the SFW drops a SIP message, two messages are forwarded to the monitoring host:
The INFO message provides the cause of the drop. See the example hereafter.
The second message is a copy of the original SIP message that has been rejected by the firewall.
Both messages can be correlated via the Identification field of the IP header.

Example of INFO message on the Monitoring-Host


Request-Line: INFO sip:peernet8@ALU.SFW.ERROR SIP/2.0
Message Header
User-Agent: ALU SFW ERROR REPORTING
Contact: <SFW-5.slot11@192.168.10.205>
From: <172.23.8.9:50001>
To: <10.7.8.5:5060>
CSeq: 2630 INFO
Warning: Version:1.2.3 file:sfw_dfa_api.cpp line:763
Warning: mark:CallID error:(13)HeaderNotFound
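An added example, not SFW code, that extracts the drop cause from the INFO message above and pairs it with the forwarded copy of the dropped message through the IP Identification value the two packets share. The INFO text is the one shown above; the dropped INVITE, the unrelated OPTIONS and the IP ID values are constructed.

```python
"""Parse the SFW error-reporting INFO request shown above and pair it with the
copy of the dropped SIP message via the IP Identification field. Added example,
not SFW code: the INFO text is the documented one, the rest is constructed."""
import re
from dataclasses import dataclass

INFO_SAMPLE = """INFO sip:peernet8@ALU.SFW.ERROR SIP/2.0
User-Agent: ALU SFW ERROR REPORTING
Contact: <SFW-5.slot11@192.168.10.205>
From: <172.23.8.9:50001>
To: <10.7.8.5:5060>
CSeq: 2630 INFO
Warning: Version:1.2.3 file:sfw_dfa_api.cpp line:763
Warning: mark:CallID error:(13)HeaderNotFound
"""

# Constructed copy of the rejected message: it carries no Call-ID header, which
# is what 'mark:CallID error:(13)HeaderNotFound' in the report points at.
DROPPED_SAMPLE = ("INVITE sip:alice@10.7.8.5 SIP/2.0\r\n"
                  "Via: SIP/2.0/UDP 172.23.8.9:50001\r\n"
                  "From: <sip:bob@172.23.8.9>\r\n"
                  "To: <sip:alice@10.7.8.5>\r\n"
                  "CSeq: 1 INVITE\r\n\r\n")

# Constructed capture as (IP Identification field, UDP payload) per packet
SAMPLE_CAPTURE = [
    (0x2a1b, INFO_SAMPLE),
    (0x2a1b, DROPPED_SAMPLE),
    (0x2a1c, "OPTIONS sip:10.7.8.5 SIP/2.0\r\nCSeq: 7 OPTIONS\r\n\r\n"),  # unrelated
]


@dataclass
class DropReport:
    peer_net: str       # peer-net named in the request URI
    src: str            # From: address the dropped packet came from
    dst: str            # To: address it was sent to
    cseq: int
    version: str        # SFW software version that produced the report
    source_file: str    # Warning: file:...
    line: int           # Warning: line:...
    mark: str           # element being checked when the drop was decided
    error_code: int     # 13 in '(13)HeaderNotFound'
    error_name: str     # HeaderNotFound


_REQUEST_LINE = re.compile(r"INFO sip:(\S+)@ALU\.SFW\.ERROR SIP/2\.0$")
_TOKEN = re.compile(r"(\w+):(\S+)")      # key:value pairs inside a Warning header
_ERROR = re.compile(r"\((\d+)\)(\w+)$")  # (code)Name


def is_drop_report(payload):
    return _REQUEST_LINE.match(payload.splitlines()[0]) is not None


def parse_drop_report(text):
    lines = text.strip().splitlines()
    m = _REQUEST_LINE.match(lines[0])
    if not m:
        raise ValueError("not an SFW error-reporting INFO request")
    headers, tokens = {}, {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        name, value = name.strip(), value.strip()
        if name == "Warning":
            tokens.update(_TOKEN.findall(value))   # merge both Warning headers
        else:
            headers[name] = value
    if headers.get("User-Agent") != "ALU SFW ERROR REPORTING":
        raise ValueError("unexpected User-Agent in report")
    err = _ERROR.match(tokens["error"])
    if not err:
        raise ValueError(f"unparseable error token: {tokens['error']}")
    return DropReport(
        peer_net=m.group(1),
        src=headers["From"].strip("<>"),
        dst=headers["To"].strip("<>"),
        cseq=int(headers["CSeq"].split()[0]),
        version=tokens["Version"],
        source_file=tokens["file"],
        line=int(tokens["line"]),
        mark=tokens["mark"],
        error_code=int(err.group(1)),
        error_name=err.group(2),
    )


def pair_by_ip_id(capture):
    """Match each report to the dropped message carrying the same IP ID. The ID
    field is only 16 bits and wraps, so pair packets from a short capture window."""
    reports, originals = {}, {}
    for ip_id, payload in capture:
        if is_drop_report(payload):
            reports[ip_id] = parse_drop_report(payload)
        else:
            originals.setdefault(ip_id, payload)
    return [(reports[i], originals[i]) for i in reports if i in originals]


if __name__ == "__main__":
    for report, original in pair_by_ip_id(SAMPLE_CAPTURE):
        print(report.error_name, "at", report.mark, "from", report.src)
        print(original.splitlines()[0])
```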

monitoring-host oam ip ip-address port ipPort


Purpose
The purpose of the following command is to define a Monitoring-Host, reachable via the OAM interface of the firewall, to which the SIP packets detected as invalid and dropped are forwarded.

Commands
monitoring-host oam ip ipAddress port ipPort rate msgsec
Arguments
ip-address
This is the IPv4 address of the Monitoring-Host.
In that case, as oam has been specified in the CLI, the Monitoring-Host must be reachable via the OAM interface of the firewall, that is, through the SCM2 hosting the DHSPP4.
When invalid SIP messages are sent to the Monitoring-Host, the source IP address is the OAM IP address of the firewall.
ipPort
This is the destination port for the packets sent to the Monitoring-Host.
rate
This is the rate limiter associated with the monitoring feature, limiting the number of forwarded messages. The rate limiter must be set between 1 and 10 messages per second. The default value is 10.

Example

-> monitoring-host oam ip 192.168.2.110 port 5060 rate 10

show monitoring-host
Purpose
The following command displays the Monitoring-Host configuration.
Depending on the location of the Monitoring-Host, either reachable via the trusted interface or the
oam interface, the output is different.

Commands
show monitoring-host
Output attributes
IP address
This is the IPv4 address of the Monitoring-Host.
Port
This is the destination port for the packets sent to the Monitoring-Host.
lpoc
This parameter is valid only if the Monitoring-Host has been defined on the Trusted side
of the firewall. It identifies the source IP address for the messages to be sent to the
Monitoring-Host. This IP address is the one assigned to the given trusted LPOC.
vlan
This parameter is valid only if the Monitoring-Host has been defined on the Trusted side
of the firewall. This is the vlan identifier, on the trusted side, allowing to reach the
Monitoring-Host.
rate
This is the rate limiter associated with the monitoring feature, limiting the number of forwarded messages.

Example

-> show monitoring-host
IP address : 192.168.2.110
Port       : 5060
lpoc       : 128
Vlan       : 200
rate       : 10

-> show monitoring-host
interface  : OAM
IP address : 139.54.128.34
Port       : 5060
rate       : 10


21

Configuration Management

Purpose

The Configuration Management CLI commands allow you to manage the SFW
configuration files in the working directory, the certified directory, and the running
configuration.
The working and certified configurations are stored in flash while the running
configuration is in RAM.
Beyond configuration management, a few show commands listed in this chapter allow you to monitor the status of the SFW. Pay attention to:
show running directory
show configuration consistency
show system
show sfw status

Summary of the CLI for Configuration Management


Configuration management
copy running working
copy working certified
show configuration { running | working | certified }
show running directory
show configuration consistency
switchover
configuration retrieve
show system
system location
show sfw status

copy running working


Purpose
The purpose of the following command is to copy the running configuration (in RAM) to the working directory (in flash).
This command overwrites the config.cfg file of the working directory.
The consistency of the configuration is checked when it is saved via the CLI command copy running working. The checks are related to the IP configuration; see the command show configuration consistency for details about the points that are checked.
By default the SFW restarts with the certified configuration. To ensure that the working configuration is valid, it will be possible in a future SFW release to run the command reload working prior to copy working certified, so as to validate the working configuration.

Commands
copy running working

copy working certified


Purpose
This command is used to overwrite the content of the certified directory with the content of the
working directory.
This should only be done if the contents of the working directory have been verified as the best
version of the SFW configuration.
In a future release, the command reload working will allow the validity of the working configuration to be checked.
Commands
copy working certified

Warning

With the current release, to save the SFW configuration you need to run the following steps:
Run the command copy running working
Run the command copy working certified
There is no way to jump from the running configuration to the certified configuration.
The SFW always restarts from the certified configuration. In a future release it will be possible to reload the SFW with the working configuration, to ensure that this configuration is good prior to saving it in the certified directory.

show configuration
Purpose
The purpose of the following command is to display the firewall configuration. Three options are possible:
show configuration running displays the current configuration in RAM.
show configuration working displays the configuration saved in flash in the working directory via the command copy running working.
show configuration certified displays the configuration saved in flash in the certified directory via the command copy working certified.

Commands
show configuration { running | working | certified }


show running-directory
Purpose
The purpose of the following command is to display information about the status of the
configuration.

Commands
show running-directory

Output Information
Current Active DHSPP4 slot
This is the SCM slot, 10 or 11, hosting the current active DHSPP4.
Last reload from
CERTIFIED or WORKING. A start-up from the certified directory is the normal case; the exception is a start-up issued via the command reload working.
Running configuration
The configuration may have changed but not yet been saved. The status tells you if the command copy running working needs to run.
Certify status
The configuration may have been saved in the working directory but not yet in the certified directory. The status tells you if the command copy working certified needs to run.
IP configuration consistency
The status, YES or NO, tells you if inconsistencies have been detected in the IP configuration of the firewall. The same information can be retrieved with the command show configuration consistency.
Example
-> show running-directory
CONFIGURATION STATUS
Current Active DHSPP4 slot   : 11
Last reload from             : CERTIFIED
Running configuration        : copy running working NOT NEEDED
Certify status               : copy working certified NOT NEEDED
IP configuration consistency : YES


show configuration consistency


Purpose
This command allows you to detect anomalies in the SFW configuration related to the IP configuration.
The consistency of the configuration is checked when the configuration is saved via the CLI command copy running working.
The consistency of the configuration can also be checked via the CLI command show configuration consistency.
The consistency checks are the following:

If a peering-point IP address (rpoc) associated with a Peer-Network doesn't belong to the vlan subnet associated with this Peer-Network, then a gateway must have been defined for the vlan.

If an MGC8 IBCF CCS IP address (rpoc) associated with a Load-Balancing-Group doesn't belong to the vlan subnet associated with this Load-Balancing-Group, then a gateway must have been defined for the vlan.

If a vlan gateway has been defined, its IP address must belong to the vlan subnet.

If a Local Point of Contact (lpoc) associated with a Peer-Network doesn't belong to the vlan subnet associated with this Peer-Network, then a router must have been defined for the vlan.

If a Local Point of Contact (lpoc) associated with a Load-Balancing-Group doesn't belong to the vlan subnet associated with this Load-Balancing-Group, then a router must have been defined for the vlan.

If a vlan router has been defined, its IP address must belong to the vlan subnet.

Within a Peer-Network, IP overlapping between Peering-Point IP addresses (rpoc) must not exist.

Within a Peer-Network, IP overlapping between Peering-Point IP addresses (rpoc) and IP filters must not exist.

Within a Load-Balancing-Group, IP overlapping between CCS IP addresses (rpoc) must not exist.

If a Vlan is assigned to more than one Peer-Network, IP overlapping between Peering-Point IP addresses (rpoc) must not exist.

If a Vlan is assigned to more than one Peer-Network, IP overlapping between Peering-Point IP addresses (rpoc) and IP filters must not exist.

Commands
show configuration consistency

Example
-> show configuration consistency
Running configuration is consistent
-> show configuration consistency
IPv4 ERROR
- vlan 10 has a router outside of the vlan subnet
Running configuration is not consistent !

switchover
Purpose
This command performs a switchover. The Active DHSPP4 performs a restart and the Backup
DHSPP4 becomes Active.
A copy running working followed by a copy working certified may be required before issuing
this command. Run the command show running-directory to get this information.

Commands
switchover
Warning
This command cannot be issued twice in a row without waiting for a minimal delay of 45 seconds.


configuration retrieve
Purpose
The SFW name is not configurable via a CLI command. It should have been configured during the
SFW first installation via the sitecfg.sfw configuration file.
See the paragraph How to configure the SFW SITE specific parameters later in that document to
see how to configure the SFW name.
It's quite important to configure the SFW name because:

The SFW name uniquely identifies the SFW. This is particularly important in case of
SCM/DHSPP4 hot-swap. In that case the unique SFW name avoids overwriting the
existing configuration with the one that may exist on the replacement board.

The SFW name, configured via the sitecfg.sfw, is displayed in all SNMP traps.

The SFW name is the CLI prompt.

So, if you wish to re-configure the SFW name you need to follow the procedure described
hereafter:
Steps
1

Update the sitecfg.sfw as described in the paragraph How to configure the SFW SITE
specific parameters

Perform a double switchover to reload the new sitecfg.sfw on both DHSPP4.

At this point you will be able to access the CLI only with the initial user/password. Contact
your account or technical support representative for information about default
login / password.

You will notice that you restarted without any configuration.


login : root
password : ******
***********************************************
ALCATEL - LUCENT
ATCA-SFW 1.3.0 2011/02/21 11:43
Running configuration : WITHOUT CONFIGURATION
In case the SFW name has been changed in sitecfg
you can run "configuration retrieve" CLI
to retrieve former configuration
Hello root !
We strongly recommend you to change your
password for a safer one !!!


To retrieve the previous configuration you just need to run the CLI configuration retrieve.
This command will restore the former configuration and you will be disconnected from the
CLI session.

On the next attempt to access the CLI session you can use your previous user/password.

END OF STEPS

show system
Purpose
The purpose of the following command is to display information about the SFW node you are managing, such as SFW software release, SFW name and location.
Similar information can be retrieved via SNMP by performing an SNMP get on the system objects of the RFC1213 mib.
Commands
show system

Output Information
Description

Provides the SFW software release. This is the sysDescr of the RFC1213 mib.
Object ID

Provides the SNMP oid identifying the SFW node. This is the sysObjectId of the
RFC1213 mib.
Up Time

Provides the time for which the SFW has been up and running. This is the sysUpTime of the RFC1213 mib.
Additionally, the number of system boots that have occurred since the first SFW installation is provided. A switchover is not counted as a system boot, as upon a switchover the SFW backup DHSPP4 takes over without restarting.
Contact

Initialized with the Alcatel-Lucent Customer Portal. There is no CLI to modify this object.
This is the sysContact of the RFC1213 mib.

Name

Initialized with the SFW name. There is no CLI to initialize this object. The SFW name
comes from the sitecfg.sfw file where static configuration is defined at the first SFW
installation.
This attribute is displayed in all SNMP traps sent by the SFW. This is the sysName of the
RFC1213 mib.
Location

Provides information about the location of the SFW. The CLI command system location allows you to modify this attribute. It can be used to locate the 7510 hosting the SFW. This attribute is displayed in all SNMP traps sent by the SFW. This is the sysLocation of the RFC1213 mib.

Example
-> show system
Description : 7510-SFW 1.3.0 2011/02/21 18:39
Object ID   : 1.3.6.1.4.1.637.71.20
Up Time     : 1 days 01 hours 52 minutes and 20 seconds (boot #14)
Contact     : Alcatel-Lucent, http://alcatel-lucent.com/wps/portal/
Name        : sfw5
Location    : 7510-Orvault-TR34-Baie36
Date & Time : Wed Apr 27 10:02:15 2011


system location
Purpose
This command updates the system location information. This value is useful to correlate the SFW node with the 7510 hosting it.
The system location can then be displayed via the command show system.
The system location is written in all SNMP traps sent by the SFW in the field AdditionnalText.
Commands
system location text_string

Arguments
text_string

Describes the SFW physical location. For example, 7510-Orvault-TR34-Baie36.


The system location can range from 1 to 53 characters in length.

Example
-> system location


show sfw status


Purpose
The purpose of the following command is to display information about the status of SFW
DHSPP4 boards such as temperature, CPU and Memory consumption.
Commands
show sfw status
Output Information
! slot ! DHSPP   ! SCM     ! celsius !

This table allows the operator to know, for each SFW board:
o Which DHSPP4 is currently Active and which one is Standby.
o Which SCM2 is currently Active.
o What is the temperature for each DHSPP4.
CPU Load

This is an average of the CPU load over the 12 cores of the Active DHSPP4.
FPA memory distributor % free

Provides the percentage of free memory for FPA memory areas.


FPAS memory distributor % free

Provides the percentage of free memory for FPAS memory areas.

Example
-> show sfw status
+------+---------+---------+---------+
! slot ! DHSPP   ! SCM     ! celsius !
+------+---------+---------+---------+
! 11   ! ACTIVE  ! STANDBY ! 59      !
! 10   ! STANDBY ! UNKNOWN ! 57      !
+------+---------+---------+---------+
0% CPU load
FPA memory distributor % free
PACKET BUFFER      : 99
WORK QUEUE ENTRY   : 93
DFA RESULT         : 100
DFA COMMAND        : 99
PKO COMMAND BUFFER : 96
TIMER CHUNKS       : 99

FPAS memory distributor % free
IP FLOW            : 99
COLLISION BLOCK    : 99
IP FRAGMENT        : 100
TCP CONTEXT        : 99
SIP CONTEXT        : 99
ARP CACHE          : 98


22

CLI Session Management

Purpose

The SFW accepts up to 20 simultaneous SSH CLI sessions.

Refer to the paragraph SFW prerequisite at the beginning of this document to learn how to open a CLI session via an SSH tunnel.
The CLI commands listed below allow you to modify the default CLI session timeout and to display the currently opened sessions.

Summary of the CLI for Configuration Management


CLI Session management
cli session timeout
show cli session


cli session timeout


Purpose
The purpose of the following command is to modify the default CLI session timeout (5 minutes).
Commands
cli session timeout time_in_mn
Arguments
time_in_mn
The timeout range is between 1 and 1440 minutes.

show cli session


Purpose
The purpose of the following command is to display the currently opened CLI sessions.
Commands
show cli session
Example
-> show cli session
CLI session timeout : 60 minutes
+------+-------------+------------+---------------------+
! user ! status      ! inactivity ! origin              !
+------+-------------+------------+---------------------+
! root ! established ! 0 seconds  ! 139.54.128.34:47156 !
! root ! established ! 21 minutes ! 139.54.128.34:48218 !
+------+-------------+------------+---------------------+


23

How to configure the SFW SITE specific parameters

Purpose
With the SFW release R2.0 there are some SFW objects that cannot yet be configured via CLI:

SFW name

Trusted Domain Name

SIP Status mode and extension

SNMP V2c Client community name

The configuration of these objects is done via the file sitecfg.sfw. After updating this file
according to your site-specific data you need to upload it to the SCM boards and reboot the
DHSPP4.


How to update the SITECFG.SFW configuration file


The sitecfg.sfw can be created from an Excel template available on the Customer Portal in the Manuals and Guides section of the 7510 MGW product. The template contains the following rows (the value column is shown with the template's sample values):

SFW name                 SFW-site1
Trusted domain name      atlanta.com
SIP status mode          restricted     (list of choice: all, restricted)
SIP status extension
SNMPv2 community name    public
EOF

Steps
1

Go to the Alcatel-Lucent Customer and Business Partner Portal:
o https://market.alcatel-lucent.com/release/jsp/sso/login.jsp

After a successful login, within the box Technical Content for, select the product 7510 MGW (Media Gateway).

Select the Manuals and Guides link

Download the document 3FZ-08141-ACAA-PCZZA SFW - sfwStaticConf.xls, sitecfg.sfw template for release R3.0


According to your site configuration, update the above sfwStaticConf-R20x.xls Excel file.

Modify the SFW name. This will affect the CLI prompt.

Modify the Trusted Domain Name. This will replace the default domain name sfw.net appended during topology hiding in the tokenized-by=sfw.net.

Select the SIP Status Mode:
o Restricted: the list of SIP response codes is restricted to the list defined by http://www.voip-info.org/wiki/view/SIP+response+codes
o All: the list of SIP response codes is not restricted. All codes are accepted.

Optionally configure the section SIP Status Extension. If the SIP Status Mode has been set to restricted, you have the ability to extend the list of authorized response codes.

If needed, configure the SNMP V2 community name. This is required if you want to perform SNMP V2 set/get from the OMC-P, as the CLI only allows you to configure SNMP V3 parameters.

Save the Excel file in sfwStaticConf.xls format for further modifications.

Save the Excel file in sfwStaticConf.csv format to allow its parsing by the SFW application.

10 Rename the sfwStaticConf.csv file as sitecfg.sfw

11 Then follow the next procedure Install the sitecfg.sfw configuration file on the SFW

END OF STEPS
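As an added illustration of the SIP Status Mode and SIP Status Extension settings described in the steps above (example code written for this page, not the SFW's own implementation), the policy below decides whether a SIP response may pass. The baseline list used for the restricted mode is assumed to be the response codes of RFC 3261, because the guide points to an external list rather than reproducing it; the class, its method names and the two sample responses are constructed for this example.

```python
# SIP status-code policy in the spirit of the sitecfg.sfw "SIP status mode" and
# "SIP status extension" settings (added example, not Alcatel-Lucent code).
import re

# Baseline assumed for "restricted" mode: the response codes defined in RFC 3261 (section 21).
# The guide refers to an external list instead; this set stands in for it.
RFC3261_CODES = frozenset({
    100, 180, 181, 182, 183, 200, 300, 301, 302, 305, 380,
    400, 401, 402, 403, 404, 405, 406, 407, 408, 410, 413, 414, 415, 416, 420, 421, 423,
    480, 481, 482, 483, 484, 485, 486, 487, 488, 491, 493,
    500, 501, 502, 503, 504, 505, 513, 600, 603, 604, 606,
})
STATUS_LINE = re.compile(r"^SIP/2\.0 (\d{3}) [^\r\n]*\r?\n")


class SipStatusPolicy:
    def __init__(self, mode, extension=()):
        if mode not in ("all", "restricted"):
            raise ValueError(f"unknown SIP status mode: {mode}")
        self.mode = mode
        # "SIP status extension": extra codes authorised on top of the restricted baseline
        self.allowed = RFC3261_CODES | frozenset(int(c) for c in extension)

    def allows(self, code):
        """All mode accepts every code; restricted mode only the baseline plus the extension."""
        return self.mode == "all" or code in self.allowed

    def inspect(self, response):
        """Return 'pass' or 'drop' for a raw SIP response (only the status line is examined)."""
        m = STATUS_LINE.match(response)
        if not m:
            return "drop"  # not a well-formed SIP/2.0 status line
        return "pass" if self.allows(int(m.group(1))) else "drop"


# Constructed sample responses (not captured traffic); 608 is outside the RFC 3261 baseline.
OK_RESPONSE = "SIP/2.0 200 OK\r\nVia: SIP/2.0/UDP 150.0.40.1:5060\r\nContent-Length: 0\r\n\r\n"
ODD_RESPONSE = "SIP/2.0 608 Rejected\r\nVia: SIP/2.0/UDP 150.0.40.1:5060\r\nContent-Length: 0\r\n\r\n"

if __name__ == "__main__":
    for mode, ext in (("restricted", ()), ("restricted", ("608",)), ("all", ())):
        print(mode, ext, SipStatusPolicy(mode, ext).inspect(ODD_RESPONSE))
```

The extension is merged into the baseline set once, at construction time, so a running policy never consults the raw sitecfg values again; switching the mode to all simply bypasses the set.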


Install the SITECFG.SFW configuration file on the SFW


Follow the procedure below to apply the configuration described above on the SFW.

Steps
1

Copy the sitecfg.sfw to your tftp server. Warning: this file must be in CSV format (NOT in XLS format).

Log in to the 7510


Contact your account or technical support representative for information about
default login/password.

"tftp get" the sitecfg.sfw on the Active SCM.

ACT-SCM:1.10(r0)> tftp get 1.2.3.4:/7510/sfw-7510.1.1.0/sitecfg.sfw

"tftp get" the sitecfg.sfw on the Standby SCM.

ACT-SCM:1.10(r0)> rc 1 11
Setting up remote console to [01][11]
STB-SCM:1.11(r0)> tftp get 1.2.3.4:/7510/sfw7510.1.0.1/sitecfg.sfw
STB-SCM:1.11(r0)> exit

Enable both DHSPP4 cards (this step is only required during the first SFW/DHSPP4
installation)

ACT-SCM:1.10(r0)> enable module gw.1.10.amc.1


ACT-SCM:1.10(r0)> enable module gw.1.11.amc.1
ACT-SCM:1.10(r0)> save
(safe for reboot)
6

Reset both DHSPP4 (this step is not required during the first SFW/DHSPP4 installation)

ACT-SCM:1.10(r0)> reset module 1 10 amc


ACT-SCM:1.10(r0)> reset module 1 11 amc

END OF STEPS


IP Configuration example

Overview
Purpose

This appendix provides, through few examples, a quick overview of the SFW IP
configuration.
Contents

This appendix covers these topics.

IP Configuration Introduction                                          298
Untrusted/Trusted Interfaces, Link Aggregate or Active/Standby mode    299
Untrusted side IP connectivity with VRF support                        300
Untrusted side IP connectivity without VRF support                     302
Trusted side IP connectivity, case 1                                   304
Trusted side IP connectivity, case 2                                   305


IP Configuration Introduction

The SIP firewall is made of 2 DHSPP4 running in Active/Standby mode for the SIP Firewalling application.

Each DHSPP4 is hosted in a different 7510 SCM2 board (slot 10 and slot 11).

The standby DHSPP4 operates in layer 2 pass-through mode for the SIP signaling traffic.

A trunk between the 2 DHSPP4 operates SIP frame relay between Active/Standby.

Trusted and Untrusted interfaces are connected to the next-hop IP using either
o Static Link Aggregation (802.3ad). This is the preferred configuration but it requires the PE Router to be carrier grade.
Or
o Active/Standby configuration. If the PE router is not carrier grade this is the configuration to be chosen.

Peer Networks realm separation is achieved using 802.1q tagged vlans.

Overlapping IP addresses of peering points is supported but requires the PE router to support the VRF feature.

A single Point of Contact (POC) can be defined for all peer networks.

If a single POC and realm separation are both needed, the PE router must support VRF.


Untrusted/Trusted Interfaces, Link Aggregate or Active/Standby mode

Two network configurations are possible depending on Switch/Router capability:

Static Link Aggregation (802.3ad) configuration with a carrier grade router.

Active/Standby configuration in case of Switch-Routers that are not carrier grade.


Untrusted side IP connectivity with VRF support


Assumption: the PE Router supports VRF.

Realm separation using different Vlan tags.

Single point of contact for all Peer Networks. The PE Router must support VRF.

SFW LPOC and Peer Network in different subnets.

Overlapping IP addresses for peering points is possible as the PE router supports VRF.

CLI Configuration
! *** trunks
trunk untrusted mode linkagg
! *** Poc untrusted
lpoc untrusted 1 enable name LPOC_UNTRUSTED_1
lpoc untrusted 1 ip 160.0.20.1 udp 5060
! *** vlans
vlan 11 untrusted enable name UNTRUSTED_VLAN_11
vlan 11 subnet 192.168.11.0 mask 255.255.255.252 router 192.168.11.2 rip gw 192.168.11.1
vlan 12 untrusted enable name UNTRUSTED_VLAN_12
vlan 12 subnet 192.168.12.0 mask 255.255.255.252 router 192.168.12.2 rip gw 192.168.12.1
! *** peer networks
peer-net 1 enable name PEER_1
peer-net 1 lpoc 1
peer-net 1 vlan 11
peer-net 1 rpoc 1 ip 150.0.40.1 udp 5060
peer-net 1 rpoc 2 ip 150.0.40.2 udp 5060
peer-net 2 enable name PEER_2
peer-net 2 lpoc 1
peer-net 2 vlan 12
peer-net 2 rpoc 1 ip 150.0.50.3 udp 5060
peer-net 2 rpoc 2 ip 150.0.50.4 udp 5060

Ping from the router (src IP 192.168.11.1 or 192.168.12.1) to the untrusted lpoc 160.0.20.1 must be successful.
Ping from the peering-points (rpoc) to the untrusted lpoc 160.0.20.1 must be successful.
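As an added example (written for this page; it is not code from the Alcatel-Lucent guide or from the SFW itself), the Python script below applies the rules listed under show configuration consistency to CLI lines in the style of this appendix: first to the vlan 11 / peer-net 1 half of the VRF example above, which passes, then to a constructed variant that reproduces the "router outside of the vlan subnet" error shown in that section. The parser understands only the forms used here (vlan subnet in the legacy mask form or the /len form, lpoc, and the lpoc/vlan/rpoc/filter lines of peer-net and load-balancing-group). It treats an rpoc as the pair address plus port, an assumption made because the trusted-side examples reuse one CCS address with two ports; function names and message wording are this example's own.

```python
# Offline checker for the rules listed under "show configuration consistency".
# Added example, not Alcatel-Lucent code; it understands only the CLI forms used in this appendix.
import ipaddress


def parse_config(text):
    """Build (vlans, lpocs, groups) from vlan / lpoc / peer-net / load-balancing-group lines."""
    vlans, lpocs, groups = {}, {}, {}
    for raw in text.splitlines():
        tok = raw.split("!")[0].split()  # "! ***" lines are comments
        if not tok:
            continue
        if tok[0] == "vlan":
            v = vlans.setdefault(int(tok[1]), {"subnet": None, "router": None, "gw": None})
            if "subnet" in tok:  # "A mask M" (legacy form) or "A/len" (current form)
                net = tok[tok.index("subnet") + 1]
                if "mask" in tok:
                    net += "/" + tok[tok.index("mask") + 1]
                v["subnet"] = ipaddress.ip_network(net, strict=False)
            for hop in ("router", "gw"):
                if hop in tok:
                    v[hop] = ipaddress.ip_address(tok[tok.index(hop) + 1])
        elif tok[0] == "lpoc" and "ip" in tok:  # keyed by (trusted|untrusted, poc id)
            lpocs[(tok[1], int(tok[2]))] = ipaddress.ip_address(tok[tok.index("ip") + 1])
        elif tok[0] in ("peer-net", "load-balancing-group") and len(tok) > 3:
            side = "untrusted" if tok[0] == "peer-net" else "trusted"
            g = groups.setdefault((tok[0], int(tok[1])), {"side": side, "lpoc": None,
                                                          "vlan": None, "rpocs": {}, "filters": []})
            if tok[2] in ("lpoc", "vlan"):
                g[tok[2]] = int(tok[3])
            elif tok[2] == "rpoc" and "ip" in tok:  # "... ip A [udp|tcp|sctp|tls [port]]"
                i = tok.index("ip")
                port = int(tok[i + 3]) if len(tok) > i + 3 else None
                g["rpocs"][int(tok[3])] = (ipaddress.ip_address(tok[i + 1]), port)
            elif tok[2] == "filter":  # "peer-net N filter F ip A/len [accept|deny]"
                g["filters"].append(ipaddress.ip_network(tok[5], strict=False))
    return vlans, lpocs, groups


def check_consistency(text):
    """Return the inconsistencies found; an empty list means the configuration is consistent."""
    vlans, lpocs, groups = parse_config(text)
    errors = []
    for vid, v in vlans.items():  # router and gateway must sit inside the vlan subnet
        for hop in ("router", "gw"):
            if v["subnet"] is not None and v[hop] is not None and v[hop] not in v["subnet"]:
                errors.append(f"vlan {vid} has a {hop} outside of the vlan subnet")
    peers_on = {}  # vlan id -> peer-nets assigned to it (a vlan may be shared)
    for (kind, gid), g in groups.items():
        if kind == "peer-net":
            peers_on.setdefault(g["vlan"], []).append((gid, g))
    for (kind, gid), g in groups.items():
        v = vlans.get(g["vlan"])
        if v is None or v["subnet"] is None:
            continue
        lp = lpocs.get((g["side"], g["lpoc"]))
        if lp is not None and lp not in v["subnet"] and v["router"] is None:
            errors.append(f"{kind} {gid}: lpoc {g['lpoc']} is outside the vlan {g['vlan']} subnet and no router is defined")
        # other peer-nets on the same vlan widen the overlap checks to their rpocs and filters
        others = [o for oid, o in peers_on.get(g["vlan"], []) if kind == "peer-net" and oid != gid]
        other_addrs = {a for o in others for a, _ in o["rpocs"].values()}
        filters = g["filters"] + [f for o in others for f in o["filters"]]
        seen = set()  # an rpoc is identified by address and port (see the lead-in)
        for rid, (addr, port) in g["rpocs"].items():
            if addr not in v["subnet"] and v["gw"] is None:
                errors.append(f"{kind} {gid}: rpoc {rid} is outside the vlan {g['vlan']} subnet and no gateway is defined")
            if (addr, port) in seen or addr in other_addrs:
                errors.append(f"{kind} {gid}: rpoc {rid} ({addr}) overlaps another rpoc on vlan {g['vlan']}")
            seen.add((addr, port))
            if any(addr in f for f in filters):
                errors.append(f"{kind} {gid}: rpoc {rid} ({addr}) overlaps an IP filter")
    return errors


# The vlan 11 / peer-net 1 half of the "with VRF support" example from this guide.
VRF_EXAMPLE = """\
lpoc untrusted 1 enable name LPOC_UNTRUSTED_1
lpoc untrusted 1 ip 160.0.20.1 udp 5060
vlan 11 untrusted enable name UNTRUSTED_VLAN_11
vlan 11 subnet 192.168.11.0 mask 255.255.255.252 router 192.168.11.2 rip gw 192.168.11.1
peer-net 1 enable name PEER_1
peer-net 1 lpoc 1
peer-net 1 vlan 11
peer-net 1 rpoc 1 ip 150.0.40.1 udp 5060
peer-net 1 rpoc 2 ip 150.0.40.2 udp 5060
"""

# Constructed variant: the router is outside its subnet and two rpocs share one IP:port.
BROKEN_EXAMPLE = """\
vlan 10 untrusted enable name UNTRUSTED_VLAN_10 subnet 172.16.10.0/30 router 172.16.20.2 gw 172.16.10.1
peer-net 3 vlan 10
peer-net 3 rpoc 1 ip 10.0.0.5 udp 5060
peer-net 3 rpoc 2 ip 10.0.0.5 udp 5060
"""

if __name__ == "__main__":
    for cfg in (VRF_EXAMPLE, BROKEN_EXAMPLE):
        print(check_consistency(cfg) or "Running configuration is consistent")
```

Running the checker on a candidate configuration before copy running working gives the same class of answer the SFW gives at save time, but on an operator workstation, where a rejected change costs nothing. The shared-vlan checks are deliberately reported from each peer-net's point of view, so an overlap between two peer-nets appears once per side.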


Untrusted side IP connectivity without VRF support


Assumption: the PE Router does not support VRF.

Realm separation using different Vlan tags.

One point of contact per Peer Network.

SFW LPOC and Peer Network in different subnets.

Overlapping IP addresses for peering points is not possible because the PE router does not support VRF.

CLI Configuration
! *** trunks
trunk untrusted mode linkagg
! *** Poc untrusted
lpoc untrusted 1 enable name LPOC_UNTRUSTED_1
lpoc untrusted 1 ip 192.168.11.2 udp 5060
lpoc untrusted 2 enable name LPOC_UNTRUSTED_2
lpoc untrusted 2 ip 192.168.12.2 udp 5060
! *** vlans
vlan 11 untrusted enable name UNTRUSTED_VLAN_11
vlan 11 subnet 160.11.20.0 mask 255.255.255.252 no rip gw 160.11.20.1
vlan 12 untrusted enable name UNTRUSTED_VLAN_12
vlan 12 subnet 160.12.20.0 mask 255.255.255.252 no rip gw 160.12.20.1
! *** peer networks
peer-net 1 enable name PEER_1
peer-net 1 lpoc 1
peer-net 1 vlan 11
peer-net 1 rpoc 1 ip 150.0.40.1 udp 5060
peer-net 1 rpoc 2 ip 150.0.40.2 udp 5060
peer-net 2 enable name PEER_2
peer-net 2 lpoc 2
peer-net 2 vlan 12
peer-net 2 rpoc 1 ip 150.0.50.3 udp 5060
peer-net 2 rpoc 2 ip 150.0.50.4 udp 5060

Ping from the router to the untrusted lpoc 160.11.20.2 and 160.12.20.2 must be successful.

Ping from the peering-points (rpoc) to the untrusted lpoc must be successful.


Trusted side IP connectivity, case 1

CCSs addresses and Trusted lpoc in different subnets

Single Point of Contact on the trusted side

CLI Configuration
! *** trunks
trunk trusted mode linkagg
! *** Poc trusted
lpoc trusted 1 ip 192.168.20.1 enable name LPOC_TRUSTED_1
! *** vlans
vlan 20 trusted enable name TRUSTED_VLAN_20
vlan 20 subnet 192.168.20.0 mask 255.255.255.252 gw 192.168.20.2 no rip
! *** load balancing group
load-balancing-group 1 enable name LBG_1
load-balancing-group 1 vlan 20
load-balancing-group 1 lpoc 1
load-balancing-group 1 rpoc 1 ip 192.168.10.10 udp 5061
load-balancing-group 1 rpoc 2 ip 192.168.10.10 udp 5062
load-balancing-group 1 rpoc 3 ip 192.168.10.20 udp 5061
load-balancing-group 1 rpoc 4 ip 192.168.10.20 udp 5062
! *** load balancing group and peer-network association
peer-net 1 load-balancing-group 1
peer-net 2 load-balancing-group 1

Ping from the router (src IP 192.168.20.2) to the trusted lpoc 192.168.20.1 must be successful.

Ping from the CCSs (rpoc) to the trusted lpoc must be successful.

Trusted side IP connectivity, case 2

CCSs addresses and Trusted lpoc in the same subnet

Single Point of Contact on the trusted side

CLI Configuration
! *** trunks
trunk trusted mode linkagg
! *** Poc trusted
lpoc trusted 1 ip 192.168.10.1 enable name LPOC_TRUSTED_1
! *** vlans
vlan 10 trusted enable name TRUSTED_VLAN_20
vlan 10 subnet 192.168.10.0 mask 255.255.255.0
! *** load balancing group
load-balancing-group 1 enable name LBG_1
load-balancing-group 1 vlan 10
load-balancing-group 1 lpoc 1
load-balancing-group 1 rpoc 1 ip 192.168.10.10 udp 5061
load-balancing-group 1 rpoc 2 ip 192.168.10.10 udp 5062
load-balancing-group 1 rpoc 3 ip 192.168.10.20 udp 5061
load-balancing-group 1 rpoc 4 ip 192.168.10.20 udp 5062
! *** load balancing group and peer-network association
peer-net 1 load-balancing-group 1
peer-net 2 load-balancing-group 1

Ping from the CCSs (rpoc) to the trusted lpoc 192.168.10.1 must be successful.

Ping from the switch to the trusted lpoc cannot be performed.


IPv6 support

Overview
Purpose

This appendix focuses only on the areas impacted by the IPv6 configuration.

The CLI commands are not explained in detail; the purpose here is to give an overview of what has changed since the previous release, which supported IPv4 only.
The detailed description of each command is provided in the previous chapters LPOC, Peer-Network, Load-Balancing-Group and Vlan.

create and modify IPv4/IPv6 objects


The SFW supports IPv6 and IPv4 on the trusted and untrusted sides.
All objects related to the Trusted and Untrusted sides that were previously IPv4 only are now dual-stack IPv4/IPv6. This applies to vlan configuration, lpoc configuration, Peer-Network rpoc and Load-Balancing-Group rpoc. This means that these objects can simultaneously have an IPv4 and an IPv6 address.

The set of CLI commands to configure dual-stack IPv4/IPv6 objects is almost the same as the one you already know from the previous SFW releases and is backward compatible with the previous configuration files.

Lpoc and rpoc creation is done with the same set of CLI commands as previously. You just need to specify an IPv6 address in the right format (e.g. 2001:b8::192:168:2:5) to get an IPv6 stack. If the lpoc or rpoc is dual-stack you need to run the command twice: once to create the object with an IPv4 (or IPv6) address, and then a second time to add the IPv6 (or IPv4) address.

Examples:
lpoc untrusted 2 ip 172.17.2.5 enable name LPOC_UNTRUSTED_2
lpoc untrusted 2 ip 2001:2::172:17:2:5
peer-net 20 rpoc 15 ip 172.23.8.9
peer-net 20 rpoc 15 ip 2001:8::172:23:8:9

IP address deletion for lpoc and rpoc requires new keywords to tell the CLI which IP address the command applies to.
Examples:
lpoc untrusted 2 no ipv6
peer-net 20 rpoc 15 no ipv4

Vlan creation has been slightly modified to accept the IPv6 address format. Previously the IP mask was written in the IP address format (e.g. 255.255.255.0). Now for both IPv4 and IPv6 the mask has to be defined using the /length format.
Examples:
vlan 11 untrusted enable name UNTRUSTED_VLAN_11 subnet 172.16.11.0/24
vlan 11 subnet 2001:11::/64

A configuration file with the command vlan 11 subnet 172.16.11.0 mask 255.255.255.0 is still accepted, as compatibility with previous releases is ensured.
IP address deletion for a vlan requires new keywords to tell the CLI which IP address the command applies to.
Examples:
vlan 11 no ipv6 router
vlan 11 no ipv6 gw

With dual-stack IPv4/IPv6 objects it can become tricky to check end-to-end IP connectivity. For example, if rpoc are dual-stack, then lpoc and vlan must also be dual-stack. To make the IP connectivity status easier to check, 2 new commands have been introduced:
show peer-net connectivity
show load-balancing-group connectivity

These commands, with the help of periodic IP and SIP polling, allow detection of inconsistencies in the configuration or IP connectivity issues toward the remote poc.
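The dual-stack behaviour described above, as an added example that is not part of the guide or of the SFW's code: a small model in which an lpoc, an rpoc or a vlan subnet holds one value per address family, the second ip command adds a family instead of replacing the first, no ipv4 / no ipv6 removes one family, and IPv6 is preferred when both are present (the precedence rule stated in the IPv6 Q&A). The final function performs the offline part of what the connectivity commands report: it lists the address families an rpoc uses that its lpoc or vlan cannot serve. Class, method and function names are this example's own; the addresses are the ones from the Examples above.

```python
# Dual-stack model of an SFW lpoc, rpoc and vlan subnet (added example, not
# Alcatel-Lucent code; the class, method and function names are this example's own).
import ipaddress


class DualStack:
    """Holds at most one IPv4 and one IPv6 value, as dual-stack SFW objects do."""

    def __init__(self, parse=ipaddress.ip_address):
        self.parse = parse   # ip_address for an lpoc/rpoc, ip_network for a vlan subnet
        self.values = {}     # family (4 or 6) -> parsed value

    def ip(self, text):
        """Like running '... ip A' twice: a second family is added next to the first."""
        value = self.parse(text)
        self.values[value.version] = value
        return self

    def no_ip(self, family):
        """Like 'no ipv4' / 'no ipv6': drop that family and keep the other one."""
        self.values.pop(family, None)
        return self

    @property
    def families(self):
        return frozenset(self.values)

    def preferred(self):
        """IPv6 takes precedence when both families are present (IPv6 Q&A)."""
        return self.values[6] if 6 in self.values else self.values.get(4)


def missing_families(rpoc, lpoc, vlan):
    """Families the rpoc uses that the lpoc or the vlan subnet cannot carry; an empty set
    means the path is configured end to end for every family the remote side may use."""
    return rpoc.families - (lpoc.families & vlan.families)


def page_example():
    """The lpoc, rpoc and vlan from the Examples above, built dual-stack."""
    lpoc = DualStack().ip("172.17.2.5").ip("2001:2::172:17:2:5")
    rpoc = DualStack().ip("172.23.8.9").ip("2001:8::172:23:8:9")
    vlan = DualStack(ipaddress.ip_network).ip("172.16.11.0/24").ip("2001:11::/64")
    return lpoc, rpoc, vlan


if __name__ == "__main__":
    lpoc, rpoc, vlan = page_example()
    print("missing:", set(missing_families(rpoc, lpoc, vlan)))  # set()
    vlan.no_ip(6)                                               # "vlan 11 no ipv6"
    print("missing:", set(missing_families(rpoc, lpoc, vlan)))  # {6}
```

Removing the IPv6 subnet from the vlan is enough to make the IPv6 half of the rpoc unreachable even though the lpoc is still dual-stack, which is the kind of mismatch the text warns about.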


IPv6 Q&A
IPv4 and IPv6 precedence in case of dual-stack.

When IPv6 and IPv4 are both present on one interface, priority is given to IPv6.
Does IPv6 support mean a modification in the Vlan / Peer-Network association?

No, you can still use a single tagged vlan per Peer-Network. IPv4 and IPv6 can work over the same vlan.
Does IPv6 support mean a modification in the Vlan / Load-Balancing association?

No, you can still use a single tagged vlan per Load-Balancing-Group. IPv4 and IPv6 can work over the same vlan.
Is there a change in Peering-Point addressing from the MGC8 point of view?

No, a dual-stack Peering-Point is reached via the same listening port on the Trusted Local POC of the firewall. The LPOC needs to be dual-stack.
Which SFW objects remain IPv4 only?

The following objects remain IPv4 only:

NTP client/server
Syslog client/server
Monitoring Host
OAM interfaces (CLI and SNMP)


CLI for IPv6 support

Trusted and Untrusted LPOC


lpoc untrusted poc_id [ip ip_address] [enable | disable] [name description]
lpoc untrusted poc_id no ipv6
lpoc untrusted poc_id no ipv4
lpoc trusted poc_id [ip ip_address] [enable | disable] [ name description]
lpoc trusted poc_id no ipv6
lpoc trusted poc_id no ipv4
show lpoc [trusted [ poc_id ]| untrusted [poc_id]]

Vlan
vlan vid {trusted | untrusted} [enable | disable] [name description] subnet ip_address/len [router ip_address [rip | no rip]] [gw ip_address]
vlan vid subnet ip_address/len
vlan vid router ip_address [rip | no rip]
vlan vid gw ip_address
vlan vid no ipv4
vlan vid no ipv6
vlan vid no [ipv4 | ipv6] router
vlan vid no [ipv4 | ipv6] gw
show vlan

Peer Network
peer-net netid filter filter_id ip address/mask [accept | deny]
peer-net netid rpoc peering_point_id ip ip_address [udp[ port] | tcp[ port] | sctp[ port] | tls[ port]]
peer-net netid rpoc peering_point_id no ipv4
peer-net netid rpoc peering_point_id no ipv6
show peer-net [netid] rpoc
show peer-net [netid] connectivity

Load Balancing Group


load-balancing-group GroupId rpoc poc_id ip ip_address [udp[ port] | tcp[ port] | sctp[ port] | tls[ port]]
load-balancing-group GroupId rpoc poc_id no ipv4
load-balancing-group GroupId rpoc poc_id no ipv6
show load-balancing-group [GroupId] rpoc [poc_id]
show load-balancing-group [GroupId] connectivity


Configuration backup & restore

Backup configuration on the SFW


Follow the procedure below to back up the SFW configuration.
Steps
1

Execute the copy running working cli command to save the current configuration.

SFW-XXX> copy running working


Command successful
SFW-XXX>

Using SFTP to the SFW OAM IP, get the SFW configuration file /mnt/mtd0/working/config.cfg from the SFW. Username: support. Password: 44700$orvault

$ sftp support@x.x.x.x
Connecting to x.x.x.x...
support@x.x.x.x's password:
sftp> get /mnt/mtd0/working/config.cfg
Fetching /mnt/mtd0/working/config.cfg to config.cfg
/mnt/mtd0/working/config.cfg    100%   24KB  23.9KB/s   00:00
sftp> bye

The configuration file will be saved on the remote server after completing the above two steps.

END OF STEPS


Restore configuration to the SFW

Follow the procedure below to restore the SFW configuration.

Steps

1 Put the backup configuration file back into the SFW / directory using sftp to the SFW OAM IP from the remote server. Username: support. Password: 44700$orvault.

$ sftp support@x.x.x.x
Connecting to x.x.x.x...
support@x.x.x.x's password:
sftp> pwd
Remote working directory: /
sftp> put config.cfg
Uploading config.cfg to /config.cfg
config.cfg    100%   24KB  23.9KB/s   00:00
sftp> bye

2 Execute the show sfw status cli command to get the slot number of the active DHSPP.

SFW-XXX> show sfw status
+------+---------+---------+-------------+
! slot ! DHSPP   ! SCM     ! Temperature !
!      ! role    ! role    ! (celsius)   !
+------+---------+---------+-------------+
! 10   ! ACTIVE  ! ACTIVE  ! 51          !
! 11   ! STANDBY ! UNKNOWN ! 50          !
+------+---------+---------+-------------+

3 Access the SFW by ssh to the SFW OAM IP. Username: support. Password: 44700$orvault.

$ ssh support@x.x.x.x
support@10.84.13.10's password:
BusyBox v1.2.1 (2013.08.27-07:36+0000) Built-in shell (ash)
Enter 'help' for a list of built-in commands.
/ $

4 Change the user to root by executing telnet 1.1.1.slot. In our example, the active slot number is 10 based on the output of the cli command show sfw status.

/ $ telnet 1.1.1.10
Entering character mode
Escape character is '^]'.
BusyBox v1.2.1 (2013.08.27-07:36+0000) Built-in shell (ash)
Enter 'help' for a list of built-in commands.
~ #

5 Copy the configuration file to the configuration directories.

~ # cp /config.cfg /mnt/mtd0/working/config.cfg
~ # cp /config.cfg /mnt/mtd0/certified0/config.cfg
~ # cp /config.cfg /mnt/mtd0/certified1/config.cfg
~ # cp /config.cfg /mnt/mtd0/certified2/config.cfg

6 Copy the configuration file to the configuration directories on the standby card by rcp. The standby SFW IP is 1.1.1.slot. In our example, the standby slot number is 11 based on the output of the cli command show sfw status.

~ # rcp /config.cfg 1.1.1.11:/mnt/mtd0/working/config.cfg
~ # rcp /config.cfg 1.1.1.11:/mnt/mtd0/certified0/config.cfg
~ # rcp /config.cfg 1.1.1.11:/mnt/mtd0/certified1/config.cfg
~ # rcp /config.cfg 1.1.1.11:/mnt/mtd0/certified2/config.cfg

7 Execute the switchover cli command to switch over the SFW.

SFW-XXX> switchover
Running duplex mode configuration synced. Are you sure (Y/N) ? y
Command successful
SFW-XXX>

8 Log in to the CLI again after the SFW is switched over. Check the SFW status using show sfw status. When the SFW status becomes active/standby, execute switchover again.

SFW-XXX> show sfw status
+------+---------+---------+-------------+
! slot ! DHSPP   ! SCM     ! Temperature !
!      ! role    ! role    ! (celsius)   !
+------+---------+---------+-------------+
! 11   ! ACTIVE  ! STANDBY ! 50          !
! 10   ! STANDBY ! UNKNOWN ! 51          !
+------+---------+---------+-------------+

SFW-XXX> switchover
Running duplex mode configuration synced. Are you sure (Y/N) ? y
Command successful
SFW-XXX>

The configuration will be restored after completing the above eight steps.

END OF STEPS
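Two helpers for the restore procedure above, added here as an example and not taken from the Alcatel-Lucent guide: the first reads a show sfw status table in the layout shown on this page and returns the slot whose DHSPP role is ACTIVE or STANDBY (the slot number steps 4 and 6 need for telnet and rcp), the second stages config.cfg into working/ and certified0..2/ under a given root as steps 5 and 6 do, verifying every copy byte for byte before anything is switched over. The sample table, the function names and the root-directory argument are constructed for this example.

```shell
#!/bin/sh
# Added example for the SFW restore procedure (not code from the guide).
# Assumes the '!'-delimited 'show sfw status' layout shown on the page.

# Constructed sample of 'show sfw status' output, same layout as the page.
SAMPLE_STATUS='+------+---------+---------+-------------+
! slot ! DHSPP   ! SCM     ! Temperature !
!      ! role    ! role    ! (celsius)   !
+------+---------+---------+-------------+
! 10   ! ACTIVE  ! ACTIVE  ! 51          !
! 11   ! STANDBY ! UNKNOWN ! 50          !
+------+---------+---------+-------------+'

# Print the slot whose DHSPP role equals $1 (ACTIVE or STANDBY).
# Reads the status table on stdin; returns 1 if no such slot exists.
slot_with_dhspp_role() {
    awk -F'!' -v want="$1" '
        NF >= 4 { gsub(/ /, "", $2); gsub(/ /, "", $3) }   # strip padding
        $2 ~ /^[0-9]+$/ && $3 == want { print $2; found = 1; exit }
        END { exit found ? 0 : 1 }'
}

# Copy config file $1 into working/ and certified0..2/ below root $2
# (e.g. /mnt/mtd0 on the card), then verify each copy with cmp.
# Refuses an empty or missing source; returns 1 on any copy or verify failure.
stage_config() {
    src=$1; root=$2
    [ -s "$src" ] || { echo "empty or missing config: $src" >&2; return 1; }
    for d in working certified0 certified1 certified2; do
        mkdir -p "$root/$d" || return 1
        cp "$src" "$root/$d/config.cfg" || return 1
        cmp -s "$src" "$root/$d/config.cfg" || {
            echo "verification failed for $root/$d/config.cfg" >&2; return 1; }
    done
}

# Demonstration on the constructed sample: the slot to telnet to (step 4)
# and the standby slot to rcp to (step 6).
printf '%s\n' "$SAMPLE_STATUS" | slot_with_dhspp_role ACTIVE    # 10
printf '%s\n' "$SAMPLE_STATUS" | slot_with_dhspp_role STANDBY   # 11
```

On the card itself the functions would be fed the live command output and a root of /mnt/mtd0; for the standby card the same staging is done over rcp, as in step 6.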


24

Glossary

Symbols

Numerics
