7/23/2019 3fz08139acaapczza_v1_sfw Cli Reference Guide - Release 3.0
http://slidepdf.com/reader/full/3fz08139acaapczzav1sfw-cli-reference-guide-release-30 1/316
Alcatel-Lucent
7510-SFW IMS Peering SIP Firewall | Release 3.0
CLI Reference Guide
Alcatel-Lucent — Proprietary. Use pursuant to applicable agreements
3FZ 08139 ACAA PCZZA
July 2015, Edition 07
Alcatel, Lucent, Alcatel-Lucent and the Alcatel-Lucent logo are trademarks of Alcatel-Lucent. All other trademarks are the property of their respective owners.
The information presented is subject to change without notice. Alcatel-Lucent assumes no responsibility for inaccuracies contained herein.
Copyright © 2015 Alcatel-Lucent. All Rights Reserved.
Contains proprietary/trade secret information which is the property of Alcatel-Lucent and must not be made available to, or copied or used by anyone outside
Alcatel-Lucent without its written authorization.
Limited warranty
Alcatel-Lucent provides a limited warranty to this product.
Contents
About this document xi
Purpose ..................................................................................................................................................... xi
Reason for revision.................................................................................................................................. xii
Intended audience .................................................................................................................................... xii
Conventions used ................................................................................................................................... xiii
Related information ................................................................................................................................ xiii
Technical support ................................................................................................................................... xiii
How to comment .................................................................................................................................... xiii
1 Introduction 15
SFW location in the IMS architecture ..................................................................................................... 16
SFW high level functionalities ................................................................................................................ 17
SIP Firewall main features ...................................................................................................................... 19
SIP stateless Record-Route Proxy Firewall with dialog and transaction tracking .................................. 19
SIP features ............................................................................................................................................. 20
2 SFW prerequisite 23
Procedure 1: Checking presence of sitecfg.sfw on SCM ........................................................................ 23
Procedure 2: SFW OAM IP address configuration ................................................................................. 25
Procedure 3: How to get access to the SFW CLI .................................................................................... 26
3 Vlan Management 27
Summary of the CLI for Vlan management ............................................................................................ 29
vlan vid {trusted | untrusted} subnet ip_address mask ................................................................... 30
vlan vid subnet ip_address/len ................................................................................................... 34
vlan vid [router ip_address [rip | no rip]] ...................................................................................... 35
vlan vid no [ipv4 | ipv6] router .............................................................................................................. 36
vlan vid gw ip_address ................................................................................................................... 37
vlan vid no [ipv4 | ipv6] gw .................................................................................................................. 38
vlan vid name description ............................................................................................................. 39
vlan vid no name ................................................................................................................................... 40
vlan vid mac mac_address ............................................................................................................... 41
no vlan vid ............................................................................................................................................. 42
show vlan ................................................................................................................................................ 43
4 Local Point Of Contact (LPOC) 44
Trusted interface definition ...................................................................................................................... 44
Untrusted interface definition .................................................................................................................. 45
Local Point Of Contact definition ............................................................................................................ 45
Summary of the CLI for Trusted and Untrusted LPOC ........................................................................... 46
lpoc untrusted poc_id ........................................................................................................................... 47
lpoc untrusted poc_id no ipv6 .............................................................................................................. 49
lpoc untrusted poc_id no ipv4 .............................................................................................................. 49
lpoc untrusted poc_id no {udp | tcp | sctp | tls} ................................................................................... 50
no lpoc untrusted poc_id ...................................................................................................................... 50
lpoc trusted poc_id ............................................................................................................................... 51
lpoc trusted poc_id no ipv6 .................................................................................................................. 53
lpoc trusted poc_id no ipv4 .................................................................................................................. 53
no lpoc trusted poc_id .......................................................................................................................... 54
show lpoc ................................................................................................................................................. 55
ip defrag ................................................................................................................................................... 56
show ip defrag .......................................................................................................................................... 57
5 Peer Networks 58
Summary of the CLI for Peer Network management .............................................................................. 59
peer-net netid ....................................................................................................................................... 60
peer-net netid filter filter_id ip address/mask ................................................................... 61
peer-net netid filter filter_id rpoc ............................................................................................. 62
peer-net netid no filter ...................................................................................................................... 63
peer-net netid rpoc peering_point_id ip ................................................................................. 64
peer-net netid rpoc peering_point_id no ipv4 ...................................................................... 68
peer-net netid rpoc peering_point_id no ipv6 ...................................................................... 68
peer-net netid rpoc peering_point_id no {udp | tcp | sctp | tls} .............................................. 69
peer-net netid rpoc peering_point_id name fqdn .................................................................. 70
peer-net netid rpoc peering_point_id no name ........................................................................ 71
peer-net netid rpoc peering_point_id nat ................................................................................. 72
peer-net netid rpoc peering_point_id port-forwarding ............................................................ 74
peer-net netid rpoc peering_point_id no port-forwarding ....................................................... 75
peer-net netid no rpoc peering_point_id ................................................................................ 76
peer-net netid lpoc untrusted_lpoc_id .................................................................................... 77
peer-net netid no lpoc untrusted_lpoc_id .............................................................................. 78
peer-net netid security-profile security_profile_id .............................................................. 79
peer-net netid load-balancing-group group_id ............................................................................. 80
peer-net netid vlan vid ..................................................................................................................... 81
peer-net netid no vlan ....................................................................................................................... 82
peer-net netid max call duration call_duration ........................................................................ 83
peer-net netid polling ping {enable | disable} .................................................................................... 84
peer-net netid polling ping period interval.................................................................................. 85
peer-net netid dscp dscp_value .................................................................................................... 86
peer-net netid dscp default ................................................................................................................. 87
dscp default default_dscp ................................................................................................................ 88
show dscp default .................................................................................................................................... 89
peer-net netid tls-profile tlsprofileid ....................................................................................... 90
peer-net netid no tls-profile ................................................................................................................ 91
no peer-net netid .................................................................................................................................. 92
show peer-net .......................................................................................................................................... 93
show peer-net netid lpoc .................................................................................................................... 95
show peer-net [netid ] filter................................................................................................................. 96
show peer-net [netid ] rpoc ................................................................................................................. 97
show peer-net connectivity .................................................................................................................... 99
show peer-net [netid ] statistics [trusted | untrusted] ........................................................................ 102
6 Security Profile 118
Summary of the CLI for Security Profile management......................................................................... 120
security-profile profile_id ............................................................................................................. 121
security-profile profile_id invite dialog setup-rate........................................................................ 123
security-profile profile_id invite in-dialog transaction-rate .......................................................... 124
security-profile profile_id invite in-dialog method accept ............................................................ 125
security-profile profile_id invite in-dialog no method accept ....................................................... 126
security-profile profile_id out-of-dialog method-rate ................................................................... 127
security-profile profile_id out-of-dialog no method-rate .............................................................. 129
security-profile profile_id sip thig ................................................................................................ 130
security-profile profile_id route-reorder ....................................................................................... 133
security-profile profile_id ringing-timer duration ................................................................... 134
security-profile profile_id clone profile_id .......................................................................... 135
security-profile profile_id fqdn-in-from thig ................................................................................ 136
security-profile profile_id sip route-mode .................................................................................... 137
security-profile profile_id private_ip ............................................................................................ 138
no security-profile profile_id ........................................................................................................ 139
show security-profile profile_id .................................................................................................... 140
7 TLS feature overview 141
Introduction ............................................................................................................................................ 141
Reference documents ............................................................................................................................. 141
Feature Overview ................................................................................................................................... 142
TLS Feature Description ........................................................................................................................ 143
8 TLS Profile 146
Summary of the CLI for TLS-Profile management ............................................................................... 147
tls-profile tlsprofileid local-cert ca-check renegotiation-period ................................................. 148
tls-profile tlsprofileid no renegotiation-period ........................................................................... 149
tls-profile tlsprofileid ca-cert-list certid1 … [certid8] .................................................... 151
tls-profile tlsprofileid no ca-cert-list certid1 … [certid8] .............................................. 152
9 CA certificates 153
Summary of the CLI for CA certificates management .......................................................................... 154
import certificate ca ca-certid [name description] ................................................................ 155
certificate ca ca-certid name description ............................................................................... 156
no certificate ca ca-certid ............................................................................................................... 157
show certificate ca pem ca-certid ................................................................................................... 158
show certificate ca details ca-certid ............................................................................................... 159
show certificate ca ca-certid ........................................................................................................... 160
show certificate ca ................................................................................................................................. 161
10 Local X509 certificates and Private Keys 162
Summary of the CLI for SFW local certificates management ............................................................... 163
import certificate local certid [name description] ................................................................... 164
import certificate local privatekey certid [ password pwd ] ...................................................... 165
certificate local certid name description .................................................................................. 167
no certificate local certid .................................................................................................................. 168
show certificate local pem certid ...................................................................................................... 169
show certificate local details certid ................................................................................................... 170
show certificate local certid .............................................................................................................. 171
show certificate local ............................................................................................................................. 172
certificate local certid request ........................................................................................................... 173
11 Internal DNS server 176
Summary of the CLI for the internal DNS management ....................................................................... 177
dns-internal dns-entry-id name peer-net ip ............................................................................... 178
dns-internal dns-entry-id name rpoc-name .......................................................................... 179
dns-internal dns-entry-id peer-net netid ............................................................................... 180
dns-internal dns-entry-id ip address .................................................................................... 181
dns-internal dns-entry-id no ipv4 .............................................................................................. 182
dns-internal dns-entry-id no ipv6 .............................................................................................. 182
show dns-internal .................................................................................................................................. 183
12 Load Balancing Group 185
Summary of the CLI for Load-Balancing-Group management ............................................................ 187
load-balancing-group groupId ........................................................................................................... 188
load-balancing-group groupId rpoc ................................................................................................. 189
load-balancing-group groupId rpoc no ipv4 .................................................................................... 193
load-balancing-group groupId rpoc no ipv6 .................................................................................... 194
load-balancing-group groupId rpoc poc_id no {udp | tcp | sctp | tls} .......................................... 195
load-balancing-group groupId no rpoc poc_id ............................................................................. 196
load-balancing-group groupId lpoc trusted_lpoc_id ............................................................. 197
load-balancing-group groupId no lpoc trusted_lpoc_id ........................................................ 198
load-balancing-group groupId vlan vid .......................................................................................... 199
load-balancing-group groupId no vlan ........................................................................................... 200
load-balancing-group groupId polling period interval .............................................................. 201
load-balancing-group groupId rpoc poc_id call rate ............................................................................ 202
load-balancing-group groupId rpoc poc_id transaction rate ....................................................... 204
no load-balancing-group groupId ...................................................................................................... 205
show load-balancing-group ................................................................................................................... 206
show load-balancing-group rpoc .......................................................................................................... 207
show load-balancing-group connectivity ............................................................................................. 208
13 Tcp Syn Flood Protection 211
Summary of the CLI for TCP SYN Flood management ....................................................................... 212
tcp syn oam rate syn_per_sec ......................................................................................................... 212
tcp syn untrusted rate syn_per_sec ................................................................................................. 213
tcp syn trusted rate syn_per_sec ..................................................................................................... 213
show tcp syn .......................................................................................................................................... 214
show tcp statistics .................................................................................................................................. 215
14 Interfaces (Ge Ports) & Trunks 217
Summary of the CLI for Ge Interfaces and Trunks management ......................................................... 218
show interfaces ...................................................................................................................................... 219
trunk {trusted|untrusted} mode [linkagg | act-stdy] ............................................................................. 221
show trunk ............................................................................................................................................. 223
show trunk port ..................................................................................................................................... 223
15 SIP Message Management 225
Summary of the CLI for SIP Message Management ............................................................................. 225
sip-header max-forwards {enable|disable} ............................................................................................ 226
show sip-header ..................................................................................................................................... 227
16 SNMP Management 228
Summary of the CLI for SNMP Management ....................................................................................... 229
Alarms Management .............................................................................................................................. 230
snmp station stationId ip ip_address ..................................................................................... 242
snmp station stationId {enable | disable} .................................................................................... 243
no snmp station stationId .............................................................................................................. 243
show snmp station .................................................................................................................................. 244
show snmp alarm thresholds .................................................................................................................. 245
snmp alarm modify threshold threshold_id ................................................................................... 247
show snmp trap config ........................................................................................................................... 248
snmp trap trap_id filter-delay delay .............................................................................................. 250
snmp trap trap_id {enable | disable} ................................................................................................ 251
snmp trap restore default ........................................................................................................................ 251
show snmp alarm active ......................................................................................................................... 252
17 Users Management 253
Summary of the CLI for Users Management ......................................................................................... 253
user username password ................................................................................................................... 254
user username level {adm | ope | viewer} ......................................................................................... 255
user username no snmp ..................................................................................................................... 256
user username auth { sha | md5} priv {aes | des} ............................................................................. 257
no user username ................................................................................................................................ 258
show user cmd [adm|ope|viewer] ........................................................................................................... 258
show user [adm|ope|viewer] ................................................................................................................... 261
18 Syslog Management 262
Summary of the CLI for Syslog Management ....................................................................................... 262
syslog-server oam ip ip-address ..................................................................................................... 263
syslog-server trusted ip ip-address ................................................................................................. 264
syslog-server [ip] [port] [vlan] [lpoc] .................................................................................................... 265
syslog [rate] [length] [facility] [rfc3164 | rfc5424] ................................................................................ 266
no syslog-server ..................................................................................................................................... 267
show syslog ............................................................................................................................................ 268
19 NTP servers Management 269
Summary of the CLI for Syslog Management ...................................................................................... 269
ntp server serverId ip ip-address .............................................................................................. 270
no ntp server serverId ...................................................................................................................... 270
show ntp server ..................................................................................................................................... 271
20 Monitoring SIP messages dropped 272
Summary of the CLI for Monitoring-Host Management ...................................................................... 272
monitoring-host trusted ip ip-address port ipPort ..................................................................... 273
monitoring-host oam ip ip-address port ipPort ......................................................................... 275
-> monitoring-host oam ip 192.168.2.110 port 5060 rate 10 ...................... 275
show monitoring-host ............................................................................................................................ 276
21 Configuration Management 278
Summary of the CLI for Configuration Management ........................................................................... 278
copy running working ........................................................................................................................... 279
copy working certified .......................................................................................................................... 279
show configuration ................................................................................................................................ 280
show running-directory ......................................................................................................................... 281
show configuration consistency ............................................................................................................ 282
switchover ............................................................................................................................................. 283
configuration retrieve ............................................................................................................................ 284
show system .......................................................................................................................................... 285
system location ...................................................................................................................................... 287
show sfw status ..................................................................................................................................... 288
22
CLI Session Management 290
Summary of the CLI for Configuration Management ........................................................................... 290
cli session timeout ................................................................................................................................. 291
show cli session ..................................................................................................................................... 291
23
How to configure the SFW SITE specific parameters 292
How to update the SITECFG.SFW configuration file .......................................................................... 293
Install the SITECFG.SFW configuration file on the SFW .................................................................... 295
A
IP Configuration example 297
IP Configuration Introduction ............................................................................................................... 298
Untrusted/Trusted Interfaces, Link Aggregate or Active/Standby mode .............................................. 299
Untrusted side IP connectivity with VRF support ................................................................................. 300
Untrusted side IP connectivity without VRF support ........................................................................... 302
Trusted side IP connectivity, case 1 ...................................................................................................... 304
Trusted side IP connectivity, case 2 ...................................................................................................... 305
7/23/2019 3fz08139acaapczza_v1_sfw Cli Reference Guide - Release 3.0
http://slidepdf.com/reader/full/3fz08139acaapczzav1sfw-cli-reference-guide-release-30 10/316
Contents
x Alcatel-Lucent — Proprietary 3FZ 08139 ACAA PCZZAUse pursuant to applicable agreements Edition 07
July 2015
B
IPv6 support 308
create and modify IPv4/IPv6 objects ..................................................................................................... 308
IPv6 Q&A .............................................................................................................................................. 310
C
Configuration backup & restore 312
Backup configuration on the SFW ......................................................................................................... 312
Restore configuration to the SFW.......................................................................................................... 313
24
Glossary 316
About this document
Purpose
This document is the SFW SIP firewall Command Line Interface User’s Guide. It provides detailed information on the configuration of the SIP Firewall, dedicated to IMS SIP peering and protecting the IBCF (MGC8).
Reason for revision
The following table shows the revision history of this document (issue, date and revision).
Ed01 (2011/12):
• Creation of this document for the SFW release 3.0
• New features introduced in R3.0:
 o TLS support on Untrusted side.
 o Far-End NAT Traversal
 o 2047 Peer Network
Ed02 (2012/01):
• The IP Filter index range is modified to 1..32
• New CLIs have been added to be able to set the Vlan Name without setting the Vlan Subnet.
• Add reference for 3FZ-08141-ACAA-PCZZA "SFW - sfwStaticConf.xls, sitecfg.sfw template for release R3.0"
Ed03 (2012/02):
• Default passwords must not be given in the customer documentation. Contact your account or technical support representative for information about default passwords.
Ed04 (2012/02):
• The range of the parameter “name” for the following objects is changed to 0..31
 o Peer-network
 o Load-Balancing-Group
 o Vlan
 o Security-Profile
Ed05 (2013/09):
• Add ‘sip-header‘ command.
Intended audience
The target audience of this manual is network administrators and Information Systems professionals who maintain IMS equipment.
This manual assumes that the administrator of the 7510-SFW is knowledgeable about the concepts, network topologies, Local Area Network (LAN) and SIP protocol discussed in this manual.
Conventions used
This guide uses the following typographical conventions (appearance: description):
graphical user interface text: Text that is displayed in a graphical user interface or in a hardware label
variable: A value or command-line parameter that the user provides
[ ]: Text or a value that is optional
{ value1 | value2 } or { variable1 | variable2 }: A choice of values or variables from which one value or variable is used
Related information
This guide has to be used in conjunction with the 7510-SFW documentation listed hereafter (product, part number: product description).
Getting Started with SFW, 3FZ 08140 ABAA PCZZA: This document provides tips to deploy the SFW R2.0.6 and further releases.
sfwStaticConf.xls, 3FZ-08141-ACAA-PCZZA: This document provides an Excel template to build the sitecfg.sfw file for SFW release R3.0. The sitecfg.sfw file allows configuration of site specific attributes that cannot be provisioned via CLI or OMCP management.
Technical support
For technical support, contact your local Alcatel-Lucent customer support team. See the Alcatel-Lucent Support web site (http://alcatel-lucent.com/support/) for contact information.
How to comment
To comment on this document, go to the Online Comment Form (http://infodoc.alcatel-lucent.com/comments/) or e-mail your comments to the Comments Hotline ([email protected]).
1 Introduction
Overview
Purpose
Before going through the description of the Command Line Interface, chapter 1 of this document presents the 7510-SFW “SIP Firewall for IMS Peering”.
Contents
This chapter covers these topics.
SFW location in the IMS architecture 16
SFW high level functionalities 17
SIP Firewall main features 19
SFW high level functionalities
Alcatel-Lucent’s BGW has an internal firewall functionality to protect the bearer network from external attacks, but a separate signaling firewall is needed to protect the IBCF from SIP signaling attacks. This document describes the features of the SIP Signaling firewall.
Figure 1 shows the Alcatel-Lucent border solution. The SFW (Signaling Firewall) sits on the edge of the network in front of the IBCF.
Only the SIP signaling messages pass through the SFW; bearer packets go directly to a BGW. The border solution could include several BGWs. Each BGW might only connect to a subset of the peering networks, so the IBCF must choose the appropriate BGW for each incoming/outgoing call. The internal network elements might be end offices, wireless MSCs, IMS systems, voice mail systems, announcement servers, etc.
High-level functionalities of the SFW:
o Network Address/Port Translation
o Load Sharing among IBCF CCS
o n-tuple Filtering
o SIP Support
o Malicious Attack Prevention
o Realm Separation
o Per SIP method Rate Limiting
o IBCF Geographic Redundancy Support
o Overlapping IP Address Support
o Topology Hiding
Figure 2 - SFW high level functionalities
SIP Firewall main features
SIP features
SIP Parser Attack Prevention
Only the SIP header is analyzed by the SIP Firewall; the SDP is not analyzed.
SFW accepts only SIP messages that are properly formatted.
Only mandatory SIP headers are parsed.
SFW checks the SIP message maximum sizes (header and total message size).
Protection against SIP DoS and Distributed DoS attacks
Rate limitation per type of message
This is the first level of protection: when an untrusted SIP message exceeds its rate, it is dropped by the SIP firewall. The rate limiters are configurable per untrusted source (Peer Network).
Transaction tracking
The SIP firewall is aware of the transactions and can drop out-of-sequence messages as well as duplicate messages.
The transaction tracking is also used in the load balancing and overload control to adapt the transaction rate towards the local IBCF. That feature allows the SIP firewall to be aware of the number of SIP transactions that are in progress and the average time the I-BCF takes to process them.
Dialog tracking
Dialog tracking is provided for INVITE dialogs only. It permits tracking transactions inside a dialog. Transactions that are out of sequence are blocked; for example, it may block blind CANCEL or BYE attacks.
The dialog tracking is also used in the load balancing and the overload control to adapt the load of the call setup and to reject new INVITEs when the number of established calls reaches a limit. The limit is configurable per peer.
Initial Request Flooding attack detection
The SIP firewall is able to detect transaction flooding attacks and to isolate SIP messages that correspond to the signature of the attacker. Note that in that case some legitimate SIP traffic might be affected because it matches the same signature.
DDOS attack mitigation on initial INVITE
When all the fields used for flooding detection change on each SIP message, the SIP firewall is not able to detect the source of the attack just by analyzing the SIP message. The detection is then based on a threshold of bad responses for a given signature, obtained by tracking the behavior of the transaction. When that threshold is reached, all initial INVITEs matching that signature have their rate downgraded. That downgrade remains until the bad response counters drop below the normal threshold. That mechanism impacts legitimate traffic that matches the same signature, but avoids putting the source IP address in quarantine and thereby blocking an entire peer. Typically, in case of an IP spoofing attack, if the SIP firewall puts the source IP in quarantine the attack is successful, because the SIP firewall blocks the legitimate source.
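The following is an added illustration of the bad-response threshold mechanism described above; it is not Alcatel-Lucent code. The signature fields, the sliding window, the two thresholds (downgrade when the count reaches one value, restore only when it drops below a lower one) and the two rates are assumptions chosen to show the hysteresis; the real SFW values are configured on the appliance.

```python
"""Model of the SFW's bad-response threshold mechanism for initial INVITEs.

Added example, not Alcatel-Lucent code. Signature fields, window, thresholds
and rates are assumptions; the SFW manual does not state their values.
"""
from collections import defaultdict, deque

# Assumed signature fields: the manual does not list which fields form a signature.
SIGNATURE_FIELDS = ("src_ip", "from_domain", "user_agent")


class InviteFloodMitigator:
    """Counts bad final responses per INVITE signature in a sliding window.

    A signature is downgraded once its bad-response count reaches
    bad_threshold and restored only when the count drops below
    normal_threshold (hysteresis, as the manual describes).
    """

    def __init__(self, bad_threshold=5, normal_threshold=2, window_s=10.0,
                 normal_rate=100, downgraded_rate=10):
        assert normal_threshold < bad_threshold, "need a hysteresis gap"
        self.bad_threshold = bad_threshold
        self.normal_threshold = normal_threshold
        self.window_s = window_s
        self.normal_rate = normal_rate          # INVITEs per second (assumed unit)
        self.downgraded_rate = downgraded_rate
        self._bad = defaultdict(deque)          # signature -> bad-response timestamps
        self._downgraded = set()

    @staticmethod
    def signature(invite):
        """Signature of an initial INVITE given as a dict of header-derived fields."""
        return tuple(invite.get(f, "") for f in SIGNATURE_FIELDS)

    def _bad_count(self, sig, now):
        q = self._bad[sig]
        while q and now - q[0] > self.window_s:   # expire entries outside the window
            q.popleft()
        return len(q)

    def _refresh(self, sig, now):
        n = self._bad_count(sig, now)
        if sig in self._downgraded:
            if n < self.normal_threshold:          # counters fell back: restore rate
                self._downgraded.discard(sig)
        elif n >= self.bad_threshold:              # threshold reached: downgrade
            self._downgraded.add(sig)
        return sig in self._downgraded

    def record_response(self, invite, status, now):
        """Feed the final response status seen for an initial INVITE.

        Assumption: every 4xx/5xx/6xx final response counts as a bad response.
        Returns True when the signature is (now) downgraded.
        """
        sig = self.signature(invite)
        if status >= 400:
            self._bad[sig].append(now)
        return self._refresh(sig, now)

    def invite_rate(self, invite, now):
        """Rate currently granted to INVITEs carrying this signature."""
        downgraded = self._refresh(self.signature(invite), now)
        return self.downgraded_rate if downgraded else self.normal_rate


def demo():
    """Constructed scenario: a spoofed-source flood and a legitimate caller."""
    m = InviteFloodMitigator(bad_threshold=3, normal_threshold=1, window_s=10.0)
    # Constructed flood: Call-ID/tags vary per message, but these fields stay stable.
    flood = {"src_ip": "198.51.100.7", "from_domain": "attacker.example",
             "user_agent": "flooder/1.0"}
    # Constructed legitimate peer: same source IP, different signature.
    legit = {"src_ip": "198.51.100.7", "from_domain": "carrier.example",
             "user_agent": "pbx/4.2"}
    for t in (1.0, 2.0, 3.0):                     # three 404s for the flood signature
        m.record_response(flood, 404, t)
    return [
        ("t=3.5 flood", m.invite_rate(flood, 3.5)),    # downgraded
        ("t=3.5 legit", m.invite_rate(legit, 3.5)),    # untouched: other signature
        ("t=12.5 flood", m.invite_rate(flood, 12.5)),  # one bad left, still down
        ("t=13.5 flood", m.invite_rate(flood, 13.5)),  # window empty, restored
    ]


if __name__ == "__main__":
    for label, rate in demo():
        print(f"{label}: {rate} INVITE/s")
```

The legitimate caller sharing the flood's source IP is not affected, which is the point the manual makes against quarantining the whole source address; a legitimate caller sharing the full signature would be slowed down with the flood.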
Remote SIP ports replication on trusted side
In terms of SIP ports (IP address and port), the SIP firewall provides on the trusted side as many SIP ports as the trusted I-BCF can reach on the untrusted side (these are also called peering points). When the trusted I-BCF has to send a SIP request towards a remote I-BCF, it has to resolve the IP address and the port of that next SIP hop either by a local routing table or thanks to DNS.
The local routing table or the DNS provides an IP address and port that does not designate the remote I-BCF, but rather a SIP port provided by the SIP firewall on the trusted side.
On the other hand, the SIP firewall is configured with a routing table that performs the mapping between the trusted SIP port and the SIP port of the remote I-BCF on the untrusted side. This is a 1:1 mapping.
For local I-BCF outgoing requests, the SIP firewall does not take any decision about the next SIP hop; it just follows the information of the SIP routing table.
Transparent to forking
When the local I-BCF decides to fork, the SIP firewall is transparent. However, if forking takes place after the remote I-BCF, several 200 OK replies may be sent back to the local I-BCF. That case is detected by the SIP firewall, and all the 200 OK responses are forwarded to the SIP port from which the initial INVITE came.
Single Point of Contact
On the untrusted side the SFW can be configured to be the single point of contact for the remote peers while operating in a networking environment that provides separation among the peer networks.
For the trusted side, the SFW provides a single point of contact for the local IBCF for reaching all the peering points. This avoids updating the network configuration of the trusted side when more peering points are added.
Untrusted SIP ports
For the untrusted side it provides as many untrusted SIP ports (IP address and port) as the remote I-BCFs may address. However, it is not required to provide as many SIP ports as the local I-BCF provides.
Local IBCF partitioning
When a local IBCF is deployed in the IMS core network as a centralized component, the SFW provides the ability to partition the local IBCF into smaller subsets. That partitioning, applied to a centralized I-BCF, makes the solution equivalent to a distributed model:
• It provides isolation of remote I-BCFs (VPN) on different SIP service blades of the local I-BCF by assigning remote IBCFs to different partitions.
• It permits limiting DDOS attacks not detected by the SIP firewall to only a subset of the local I-BCF.
Load Balancing and overload control
That feature balances the load of the SIP traffic among SIP service blades of the local I-BCF belonging to the same partition.
It provides a QoS feature that allocates a bandwidth for the SIP requests that is proportional to the weight of the remote IBCF, as well as a number of simultaneous calls.
For the simultaneous calls, a remote IBCF might use more than its strict proportional share of the total simultaneous call capacity when the partition is not loaded. This allowance is configurable and expressed as a percentage of the total call capacity.
The SIP message rate of each remote IBCF is adapted to the aggregate rate of the partition to which it belongs. Typically, even if the rate for a particular SIP method is not reached for a given IBCF, the SIP message might still be dropped because the maximum aggregate rate for the method has been reached.
Redundancy
The SIP firewall operates in 1+1 redundancy mode. It provides redundancy for the established calls but not for the transactions inside or outside a dialog.
L2/L3/L4 SIP-aware firewalling
The SIP firewall provides L2/L3/L4 firewalling which is SIP aware on the untrusted side and thus does not require any external firewall. That solution provides better performance than a solution with an external L2/L3/L4 firewall: in case of overload, the drop is performed at SIP level and not at L3 or L4 level. This avoids dropping legitimate SIP traffic, which is not the case with SIP firewalls that separate the L2/L3/L4 firewalling and the SIP firewalling.
IPv4 address overlapping
IP address overlapping is supported on the untrusted side thanks to the usage of 802.1Q tags to separate Peer Networks that have the same IP addresses.
VPN separation
VPN separation is provided thanks to the usage of 802.1Q.
Reliable Transport
Only TCP is supported in that release. TCP connections are terminated at SIP firewall level.
2 SFW prerequisite
On the first 7510-SFW installation, prior to doing anything else, you need to pay attention to the following points (item, purpose, how to check):
Item 1: sitecfg.sfw
 Purpose: This file must be present on both SCM hosting primary and backup DHSPP4.
 How to check: Follow procedure 1 described below.
Item 2: SFW CLI login
 Purpose: Prior to accessing the SFW CLI session you need to:
 - Configure the SFW OAM IP address on the 7510
 - Know the initial login / password
 How to check: Follow procedures 2 and 3 described below.
Procedure 1: Checking presence of sitecfg.sfw on SCM
When to use
On the first 7510-SFW installation you need to check the presence of the file sitecfg.sfw on both SCM (primary and backup) hosting both DHSPP4 of the SIP Firewall (SFW).
If this file is not present the SIP Firewall application will fail to be loaded.
This file must contain the name of the SIP Firewall (SFW). The SFW name is not configurable via CLI commands. It is quite important to configure the SFW name because:
Procedure 2: SFW OAM IP address configuration
When to use
The SFW is hosted by the 7510. It is the 7510 that allocates the SFW OAM IP address. The following 7510 procedure allows configuration of the SFW OAM IP address:
Steps
1 Log in to the 7510.
Contact your account or technical support representative for information about default login/password.
2 Configure the OAM IP address using the ui commands:
define sfw ip <oam-ip-address> <oam-ip-mask> <default-route-ip-address>
3 Check the OAM IP address configuration.
view sfw ip
END OF STEPS
Procedure 3: How to get access to the SFW CLI
When to use
SFW configuration via CLI requires opening an SSH tunnel.
Steps
1 Open an SSH tunnel to the SFW
ssh cli@oam-ip-address (e.g. [email protected])
2 Open the CLI session with the initial login / password
Contact your account or technical support representative for information about default login / password.
3 You then have the ability to change the root password.
-> user <login> password <new-password>
END OF STEPS
3 Vlan Management
Purpose
This paragraph provides information about the Vlan management in the SFW.
Introduction
The main purpose of the Vlan Management is to provide the ability to isolate the Peer Networks and to address the case of IPv4 address overlapping.
Each Peer Network can have its own VLAN; however, it is still possible that several Peer Networks share the same VLAN. In that last case, they share the same broadcast domain and no IP address overlapping is possible.
Before going further it is necessary to define the following acronyms that appear throughout this document:
LPOC: a lpoc is a Local Point of Contact. This means it is an IP address of the firewall in charge of the SIP Signaling messages. There are LPOCs on the untrusted side of the firewall, facing the Peer-Networks, and LPOCs on the trusted side of the firewall, facing the MGC8 IBCF.
RPOC: a rpoc is a Remote Point of Contact. This means it is an IP address of a SIP Signaling entity either on the untrusted side of the firewall or on the trusted side of the firewall.
The Vlan management allows supporting various IP configurations:
1. The SFW LPOC and the RPOC are in the same subnet. In that case the Vlan configuration will define only an IP subnet/mask.
2. The SFW LPOC and the RPOC are in different subnets. In that case, a default gateway needs to be added in the vlan configuration to be able to reach the RPOC subnet.
3. The SFW LPOC and the Vlan Subnet are in different subnets. For example, this case exists when several Peer-Networks (isolated through different vlans) share a single Point Of Contact. In that case a “pseudo-router” needs to be added in the Vlan configuration.
The IP configuration capabilities described above apply for both Untrusted and Trusted sides. Remember that:
• LPOC designates either a SFW Local Point of Contact on the Untrusted or on the Trusted side.
• RPOC, Remote Point of Contact, designates either a peering-point of a Peer-Network or a Signaling entity (CCS) of the MGC8 IBCF.
The appendix “SFW IP configuration” at the end of this document illustrates the various IP configurations mentioned above through examples.
When a “pseudo-router” has been added to a vlan, the Peer-Network using that Vlan must have a LPOC in a different subnet.
In order to simplify the configuration of the next hop router, the VLAN Management can be configured to perform RIP announcement of the local POC IP addresses that are accessible through the “pseudo-router”.
The SIP FW supports up to 4096 (0..4095) vlan values. A Vlan is either trusted or untrusted; as a consequence it is not possible to use the same VLAN number for the trusted and untrusted side.
The vlan 0 and vlan 4095 have special meanings.
The vlan 0 is used to specify an untagged vlan for the Trusted side.
The vlan 4095 is used to specify an untagged vlan for the Untrusted side.
All other vlans (1..4094) are 802.1q tagged vlans.
Summary of the CLI for Vlan management
Vlan management
vlan vid {trusted | untrusted} [enable | disable] [name description] subnet ip_address/len [router ip_address [rip | no rip]] [gw ip_address]
vlan vid subnet ip_address/len
vlan vid router ip_address [rip | no rip]
vlan vid no [ipv4 | ipv6] router
vlan vid gw ip_address
vlan vid no [ipv4 | ipv6] gw
vlan vid name description
vlan vid no name
vlan vid no ipv4
vlan vid no ipv6
vlan vid mac mac_address
vlan vid v4mac mac_address
vlan vid v6mac mac_address
vlan vid no mac
vlan vid no v4mac
vlan vid no v6mac
no vlan vid
show vlan [vid]
vlan vid {trusted | untrusted} subnet ip_address mask
Purpose
The purpose of that command is the creation of a vlan. This vlan will be later associated with either a Peer-Network or a Load-Balancing-Group to provide IP connectivity with these remote entities.
In the case of the association with the Peer-Network it will allow realm separation and IPv4 address overlapping.
Command
vlan vid {trusted | untrusted} [enable | disable] [name description]
subnet ip_address mask ip_address
[router ip_address [rip | no rip]] [gw ip_address]
Arguments
vid
This is the identifier of the vlan.
The vlan 0 and vlan 4095 have special meanings.
The vlan 0 is used to specify an untagged vlan for the Trusted side.
The vlan 4095 is used to specify an untagged vlan for the Untrusted side.
All other vlans (1..4094) are 802.1q tagged vlans.
trusted | untrusted
This keyword indicates the SFW interface that owns the vlan. Even if the SIP firewall is connected to different switches/routers, the firewall does not allow the use of the same vlan on the trusted and untrusted side.
enable | disable
Provides the ability to change the operational status of the vlan.
description
Description of the vlan (31 characters)
subnet ip_address/len
These parameters describe the IP subnet and IP mask that are associated with the vlan.
The consistency of the configuration can also be checked via the CLI command “show configuration consistency”.
The consistency checks are the following:
• If a peering-point IP address (rpoc) associated with a Peer-Network doesn’t belong to the vlan subnet associated with this Peer-Network, then a “gateway” must have been defined for the vlan.
• If a MGC8 IBCF CCS IP address (rpoc) associated with a Load-Balancing-Group doesn’t belong to the vlan subnet associated with this Load-Balancing-Group, then a “gateway” must have been defined for the vlan.
• If a vlan “gateway” has been defined, its IP address must belong to the vlan subnet.
• If a Local Point of Contact (lpoc) associated with a Peer-Network doesn’t belong to the vlan subnet associated with this Peer-Network, then a “router” must have been defined for the vlan.
• If a Local Point of Contact (lpoc) associated with a Load-Balancing-Group doesn’t belong to the vlan subnet associated with this Load-Balancing-Group, then a “router” must have been defined for the vlan.
• If a vlan “router” has been defined, its IP address must belong to the vlan subnet.
• Within a Peer-Network, IP overlapping between Peering-Point IP addresses (rpoc) must not exist.
• Within a Peer-Network, IP overlapping between Peering-Point IP addresses (rpoc) and IP filters must not exist.
• Within a Load-Balancing-Group, IP overlapping between CCS IP addresses (rpoc) must not exist.
• If a Vlan is assigned to more than one Peer-Network, IP overlapping between Peering-Point IP addresses (rpoc) must not exist.
• If a Vlan is assigned to more than one Peer-Network, IP overlapping between Peering-Point IP addresses (rpoc) and IP filters must not exist.
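As an added offline checker (not Alcatel-Lucent code and not the output of “show configuration consistency”), the following applies the consistency rules listed above, together with the vlan 0 / vlan 4095 and one-side-per-vid rules from the chapter introduction, to a constructed configuration. The Vlan and Group data model, the error wording and the sample addresses are assumptions; a bare rpoc address is treated as a /32 or /128 prefix when testing overlap with an IP filter.

```python
"""Offline check of the SFW vlan consistency rules.

Added example, not Alcatel-Lucent code. Data model, error wording and the
sample configuration are assumptions.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Vlan:
    vid: int
    side: str                      # "trusted" or "untrusted"
    subnet: str                    # ip_address/len, IPv4 or IPv6
    gw: Optional[str] = None       # default gateway, needed when an rpoc is off-subnet
    router: Optional[str] = None   # "pseudo-router", needed when an lpoc is off-subnet


@dataclass
class Group:
    """A Peer-Network (rpoc = peering points, may carry IP filters)
    or a Load-Balancing-Group (rpoc = MGC8 IBCF CCS addresses)."""
    name: str
    vid: int
    lpoc: List[str]
    rpoc: List[str]
    ip_filters: List[str] = field(default_factory=list)   # address/len prefixes


def _overlaps(a, b):
    """True when two address-or-prefix strings share at least one address."""
    na = ipaddress.ip_network(a, strict=False)
    nb = ipaddress.ip_network(b, strict=False)
    return na.version == nb.version and (na.subnet_of(nb) or nb.subnet_of(na))


def check_consistency(vlans, groups):
    """Return the list of rule violations (empty list means consistent)."""
    errors, by_vid = [], {}
    for v in vlans:
        if v.vid in by_vid:                      # a vid is trusted or untrusted, never both
            errors.append(f"vlan {v.vid}: same vid used on both sides")
            continue
        by_vid[v.vid] = v
        if v.vid == 0 and v.side != "trusted":
            errors.append("vlan 0: reserved for the untagged trusted vlan")
        if v.vid == 4095 and v.side != "untrusted":
            errors.append("vlan 4095: reserved for the untagged untrusted vlan")
        net = ipaddress.ip_network(v.subnet, strict=False)
        for label, addr in (("gateway", v.gw), ("router", v.router)):
            if addr and ipaddress.ip_address(addr) not in net:
                errors.append(f"vlan {v.vid}: {label} {addr} not in subnet {v.subnet}")

    per_vid = defaultdict(list)
    for g in groups:
        v = by_vid.get(g.vid)
        if v is None:
            errors.append(f"{g.name}: vlan {g.vid} is not defined")
            continue
        net = ipaddress.ip_network(v.subnet, strict=False)
        for r in g.rpoc:        # off-subnet rpoc requires a gateway on the vlan
            if ipaddress.ip_address(r) not in net and v.gw is None:
                errors.append(f"{g.name}: rpoc {r} off-subnet, vlan {v.vid} has no gateway")
        for l in g.lpoc:        # off-subnet lpoc requires a pseudo-router on the vlan
            if ipaddress.ip_address(l) not in net and v.router is None:
                errors.append(f"{g.name}: lpoc {l} off-subnet, vlan {v.vid} has no router")
        per_vid[g.vid].append(g)

    # Overlap rules hold within a group and across groups sharing a vlan,
    # so they are evaluated over everything attached to the same vid.
    for vid, gs in per_vid.items():
        rpocs = [(g.name, r) for g in gs for r in g.rpoc]
        filters = [(g.name, f) for g in gs for f in g.ip_filters]
        for i, (n1, r1) in enumerate(rpocs):
            for n2, r2 in rpocs[i + 1:]:
                if _overlaps(r1, r2):
                    errors.append(f"vlan {vid}: rpoc {r1} ({n1}) overlaps rpoc {r2} ({n2})")
            for n2, f in filters:
                if _overlaps(r1, f):
                    errors.append(f"vlan {vid}: rpoc {r1} ({n1}) overlaps IP filter {f} ({n2})")
    return errors


def sample_errors():
    """Constructed configuration reusing the manual's example subnets."""
    vlans = [
        Vlan(200, "untrusted", "192.168.2.0/24", gw="192.168.2.1"),
        Vlan(8, "trusted", "2001:b8::/64", router="2001:b8::172:23:8:3"),
        Vlan(4095, "trusted", "10.9.0.0/24", gw="10.8.0.1"),   # two deliberate mistakes
    ]
    groups = [
        Group("peer-a", 200, lpoc=["192.168.2.10"], rpoc=["10.0.0.5"]),
        Group("peer-b", 200, lpoc=["192.168.2.11"], rpoc=["10.0.0.6"],
              ip_filters=["10.0.0.4/30"]),                      # covers .4 to .7
        Group("lbg-1", 8, lpoc=["2001:b8:1::1"], rpoc=["2001:b8::10"]),
    ]
    return check_consistency(vlans, groups)


if __name__ == "__main__":
    for e in sample_errors():
        print(e)
```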
vlan vid subnet ip_address/len
Purpose
The purpose of that command is to modify the “subnet” IP address for an existing vlan.
Command
vlan vid subnet ip_address/len
Arguments
vid
This is the identifier of the vlan to be modified.
subnet ip_address/len
These parameters describe the IP subnet and IP mask length that are
associated with the vlan.
It can be an IPv4 or IPv6 subnet.
Example
-> vlan 8 subnet 2001:b8::/64
-> vlan 200 subnet 192.168.2.0/24
vlan vid [router ip_address [rip | no rip]]
Purpose
The purpose of that command is to add or modify the “router” IP address for an existing vlan. Optionally, in case of IPv4, the RIP protocol can be activated for this vlan.
Command
vlan vid [router ip_address [rip | no rip]]
Arguments
vid
This is the identifier of the vlan to be modified.
router
This parameter defines the “pseudo-router” providing accessibility to a LPOC created in a different subnet. The IP address of this “pseudo-router” must be in the subnet defined when creating the vlan.
It can be an IPv4 or IPv6 address.
rip | no rip
If a “pseudo-router” has been configured on the vlan it is possible to advertise via the RIP protocol the LPOC which are accessed through this pseudo-router.
By default rip is not activated. When “no rip” is configured, static routes should be configured on the next hop router to be able to reach the LPOC.
Example
-> vlan 8 router 172.23.8.3 rip
-> vlan 8 router 2001:b8::172:23:8:3
vlan vid no [ipv4 | ipv6] router
Purpose
The purpose of that command is to remove the “router” IP address for an existing vlan.
Command
vlan vid no [ipv4 | ipv6] router
Arguments
vid
This is the identifier of the vlan to be modified.
no [ipv4|ipv6] router
This parameter removes the “pseudo-router” providing reachability to an LPOC
created in a different subnet.
You have the ability to remove only the IPv4 router or only the IPv6 router.
Example
-> vlan 8 no router
-> vlan 15 no ipv4 router
-> vlan 20 no ipv6 router
vlan vid no [ipv4 | ipv6] gw
Purpose
The purpose of that command is to remove the “gateway” IP address for an existing
vlan.
Command
vlan vid no [ipv4|ipv6] gw
Arguments
vid
This is the identifier of the vlan to be modified.
no gw
This attribute removes the default gateway. The default gateway is required
when the remote POC IP address is not in the vlan subnet.
You have the ability to remove only the IPv4 gateway or only the IPv6 gateway.
Example
-> vlan 4 no gw
-> vlan 8 no ipv4 gw
-> vlan 20 no ipv6 gw
vlan vid no name
Purpose
The purpose of that command is to delete the name of an existing vlan.
Command
vlan vid no name
Arguments
vid
This is the identifier of the vlan to be modified.
Example
-> vlan 4 no name
vlan vid mac mac_address
Purpose
The purpose of that command is to specify the MAC address of the “gateway”.
When a MAC address is specified for the vlan gateway, the SFW bypasses the ARP (or
ND) resolution and uses the configured MAC address in the IP frames sent to the
gateway. This defeats a man-in-the-middle attack: the IP frames cannot be sent to an
attacker who has taken over the IP address of the gateway.
The command “vlan vid mac mac_address” assigns a single MAC address to both the
IPv4 and IPv6 gateways of the vlan.
You can assign different MAC addresses to the IPv4 and IPv6 gateways via the CLI
command “vlan vid v4mac mac_address [v6mac mac_address]”.
This command is allowed only if a “gateway” has been previously configured via the
CLI command “vlan vid gw ip_address”.
The CLI command “show vlan vid” returns the MAC address configured for the
gateway as well as the MAC address learned from the ARP (or ND) resolution.
Command
vlan vid mac mac_address
vlan vid v4mac mac_address
vlan vid v6mac mac_address
Arguments
vid
This is the identifier of the vlan to be modified.
mac_address
This is the MAC address of the gateway.
Example
-> vlan 8 mac 00:d0:95:ff:94:74
-> vlan 9 v4mac 00:e0:b1:7c:48:4c
-> vlan 10 v6mac 00:d0:95:fe:33:26
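The mechanism described above, as an added illustration that is not the guide's or Alcatel-Lucent's code: once a MAC is pinned for the vlan gateway, frames to the gateway carry the pinned MAC and the ARP/ND-learned MAC is only reported, never used. The vlan record and the ARP/ND cache are constructed sample data, and the comparison mirrors what an operator would do with the two MAC addresses that “show vlan vid” returns.

```python
"""Gateway MAC pinning as described for "vlan vid mac".  Added illustration,
not SFW code; the vlan record and the ARP/ND cache are constructed.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class Vlan:
    vid: int
    gw_v4: Optional[str] = None     # set with "vlan vid gw ip_address"
    gw_v6: Optional[str] = None
    mac_v4: Optional[str] = None    # pinned with "vlan vid mac" or "v4mac"
    mac_v6: Optional[str] = None    # pinned with "vlan vid mac" or "v6mac"


def normalize_mac(mac: str) -> str:
    """Canonical form so 00:D0:95:FF:94:74 and 00:d0:95:ff:94:74 compare equal."""
    parts = mac.strip().lower().replace("-", ":").split(":")
    if len(parts) != 6 or any(len(p) != 2 for p in parts):
        raise ValueError(f"malformed MAC address: {mac!r}")
    return ":".join(parts)


def pin_gateway_mac(vlan: Vlan, mac: str, family: str = "both") -> None:
    """'vlan vid mac' (family="both"), 'v4mac' (family="v4") or 'v6mac' (family="v6").

    The page states the command is only allowed once a gateway exists, so the
    same precondition is enforced here.
    """
    if vlan.gw_v4 is None and vlan.gw_v6 is None:
        raise ValueError(f"vlan {vlan.vid}: no gateway configured, run 'vlan {vlan.vid} gw' first")
    mac = normalize_mac(mac)
    if family in ("both", "v4"):
        vlan.mac_v4 = mac
    if family in ("both", "v6"):
        vlan.mac_v6 = mac


def next_hop_mac(vlan: Vlan, family: str, nd_cache: Dict[str, str]) -> Tuple[Optional[str], str]:
    """MAC placed in frames sent to the gateway, and where it came from.

    nd_cache models the ARP (v4) / ND (v6) table: gateway IP -> learned MAC.
    With a pinned MAC the cache is bypassed entirely, which is the point of the
    feature: a station answering ARP/ND for the gateway IP never gets the traffic.
    """
    pinned = vlan.mac_v4 if family == "v4" else vlan.mac_v6
    gateway = vlan.gw_v4 if family == "v4" else vlan.gw_v6
    if pinned is not None:
        return pinned, "pinned"
    if gateway is None or gateway not in nd_cache:
        return None, "unresolved"
    return normalize_mac(nd_cache[gateway]), "learned"


def gateway_mac_mismatches(vlan: Vlan, nd_cache: Dict[str, str]) -> Dict[str, Tuple[str, str]]:
    """Compare pinned and learned MACs per family, as 'show vlan vid' lets an operator do.

    Returns {family: (pinned, learned)} for every family where they differ.  A
    mismatch means another station is answering ARP/ND for the gateway IP and
    deserves investigation, even though the pinned MAC keeps the traffic safe.
    """
    findings: Dict[str, Tuple[str, str]] = {}
    for family, gateway, pinned in (("v4", vlan.gw_v4, vlan.mac_v4), ("v6", vlan.gw_v6, vlan.mac_v6)):
        if gateway is None or pinned is None or gateway not in nd_cache:
            continue
        learned = normalize_mac(nd_cache[gateway])
        if learned != pinned:
            findings[family] = (pinned, learned)
    return findings


if __name__ == "__main__":
    vlan8 = Vlan(vid=8, gw_v4="172.23.8.1", gw_v6="2001:b8::172:23:8:1")   # constructed gateways
    pin_gateway_mac(vlan8, "00:d0:95:ff:94:74")                             # vlan 8 mac 00:d0:95:ff:94:74
    # Constructed cache: another station currently answers ARP for the IPv4 gateway.
    cache = {"172.23.8.1": "00:11:22:33:44:55", "2001:b8::172:23:8:1": "00:D0:95:FF:94:74"}
    print(next_hop_mac(vlan8, "v4", cache))
    print(gateway_mac_mismatches(vlan8, cache))
```

The mismatch report is the operational check worth scripting: the pinned MAC protects forwarding, but a learned MAC that differs from it is the signal that something on the vlan is claiming the gateway address.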
no vlan vid
Purpose
The purpose of that command is to delete an existing vlan.
Command
no vlan vid
Arguments
vid
This is the identifier of the vlan to be deleted.
The vlan cannot be deleted if it is still associated with a Peer-Network or a
Load-Balancing-Group.
There is no command “peer-network netid no vlan”; to remove the association
between a Peer-Network and a vlan, associate a new vlan with the Peer-Network.
The unused vlan can then be deleted.
There is no command “load-balancing-group group_id no vlan”; to remove the
association between a Load-Balancing-Group and a vlan, associate a new vlan
with the Load-Balancing-Group. The unused vlan can then be deleted.
Example
-> no vlan 4
Local Point Of Contact (LPOC) Untrusted interface definition
SIP messages received from the local IBCF on the SIP firewall trusted lpoc are
sent to the peering points according to the IP ports on which the SIP messages are received.
The static mapping between the listening IP port on the trusted interface and the
peering point IP addresses is described later in this document, in the “Peer Networks” section.
Untrusted interface definition
The untrusted interface is facing the peer networks.
The configuration of the SIP firewall provides the ability to configure a single point of contact for all peer networks to reach the trusted IBCF.
However, it is still possible to define more than one point of contact on the
untrusted side.
The configuration of the “untrusted lpoc” IP addresses and IP ports is
described below.
Local Point Of Contact definition
A Local Point of Contact (LPOC) is defined by the following attributes:
o A lpoc reference (1..128)
o An IP address (IPv6 or IPv4)
o The type of the interface to which the LPOC must be bound
The SIP firewall provides the ability to declare up to 128 LPOC per interface type (trusted or untrusted).
Summary of the CLI for Trusted and Untrusted LPOC
Trusted and Untrusted LPOC
lpoc untrusted poc_id [ip ip_address] [enable | disable] [name description]
lpoc untrusted poc_id [ip ip_address] [udp[ port] | tcp[ port] | sctp[ port] | tls[ port]]
lpoc untrusted poc_id no ipv4
lpoc untrusted poc_id no ipv6
lpoc untrusted poc_id no {udp | tcp | sctp | tls}
no lpoc untrusted poc_id
lpoc trusted poc_id [ip ip_address] [enable | disable] [name description]
lpoc trusted poc_id no ipv4
lpoc trusted poc_id no ipv6
no lpoc trusted poc_id
show lpoc [trusted [poc_id] | untrusted [poc_id]]
lpoc untrusted poc_id
Purpose
Creates an Untrusted LPOC.
Command
lpoc untrusted poc_id [ip ip_address] [enable | disable] [name sfw-fqdn]
lpoc untrusted poc_id [ip ip_address] [udp[ port] | tcp[ port] | sctp[ port] | tls[ port]]
Arguments
poc_id
The poc_id, referencing the untrusted LPOC, is later associated with one or
several “peer-networks”.
ip_address
IPv4 or IPv6 address of the LPOC.
An LPOC can be dual-stack IPv4/IPv6. In that case the CLI must be run twice,
once to specify the IPv4 address and once to specify the IPv6 address.
It is possible to change the IP address of the LPOC without disabling it.
The lpoc creation is rejected if there is already a poc_id with the same IP
address.
sfw-fqdn
Optionally, it is possible to specify a name for the LPOC (63 characters max.).
If the peering point sends SIP messages to the SFW with a pre-loaded Route
header using an FQDN, the name of the lpoc must match this FQDN.
This FQDN represents the public IP address of the firewall.
port
UDP, TCP, SCTP or TLS listening port of the LPOC. Note that the TLS port must
be different from the TCP port.
enable | disable
By default the LPOC is created in the enable state. If the LPOC is created in
the disable state, any Peer Network that references that LPOC will be
unreachable until it moves to the enable state.
If the LPOC is in the disable state, all the IP frames with a destination IP
matching the LPOC IP address are filtered by the SIP firewall.
Example
-> lpoc untrusted 8 enable name mgc8.ims32.alcatel-lucent.com
-> lpoc untrusted 8 ip 10.7.8.5
-> lpoc untrusted 8 ip 2001:b8::10:7:8:5
-> lpoc untrusted 8 udp 5060
-> lpoc untrusted 8 tcp 5060
-> lpoc untrusted 8 tls 5061
In the above example, suppose a SIP INVITE received on the SFW lpoc address:port
10.7.8.5:5060 contains the following pre-loaded Route header:
Route: <sip:[email protected];lr>
The FQDN of the pre-loaded Route matches the lpoc name and the address:port on
which the message has been received. In that case the SIP message is accepted by
the firewall.
If the FQDN were unknown, the SIP message would be dropped by the firewall.
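The acceptance rule just described, as an added example that is not the guide's or Alcatel-Lucent's code: a request is matched to the untrusted LPOC listening on the address:port it arrived on, and a pre-loaded Route naming an FQDN is accepted only when that FQDN is the LPOC name. The LPOC record follows the “lpoc untrusted 8” example above; the Route headers are constructed, and the treatment of a Route URI without an explicit port (compared on host only) is an assumption.

```python
"""Pre-loaded Route check for an untrusted LPOC.  Added illustration, not SFW
code; LPOC8 follows the page's example, the Route headers are constructed.
Assumption: a Route URI with no port is compared on its host only.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# URI inside a Route header: optional user part, host (FQDN, IPv4 literal or
# bracketed IPv6 literal), optional port, URI parameters such as ";lr".
SIP_URI_RE = re.compile(
    r"<sip:(?:[^@>]*@)?"
    r"(?P<host>\[[0-9a-f:.]+\]|[^:;>]+)"
    r"(?::(?P<port>\d+))?"
    r"(?P<params>(?:;[^;>]*)*)>",
    re.IGNORECASE,
)


@dataclass
class UntrustedLpoc:
    poc_id: int
    name: Optional[str] = None                 # "name sfw-fqdn", 63 characters max
    ipv4: Optional[str] = None                 # "ip ip_address", run once per family
    ipv6: Optional[str] = None
    ports: Dict[str, int] = field(default_factory=dict)   # transport -> listening port
    enabled: bool = True


def parse_route(header: str) -> Optional[Tuple[str, Optional[int], List[str]]]:
    """(host, port, params) of the first URI in a Route header, or None if unparsable."""
    m = SIP_URI_RE.search(header)
    if m is None:
        return None
    host = m.group("host").strip("[]").lower()
    port = int(m.group("port")) if m.group("port") else None
    params = [p for p in m.group("params").split(";") if p]
    return host, port, params


def find_lpoc(lpocs: List[UntrustedLpoc], dst_ip: str, dst_port: int, transport: str):
    """The LPOC listening on the address:port and transport the request arrived on."""
    for lpoc in lpocs:
        if dst_ip.lower() in (lpoc.ipv4, lpoc.ipv6) and lpoc.ports.get(transport) == dst_port:
            return lpoc
    return None


def route_decision(lpocs, dst_ip, dst_port, transport, route_header=None) -> Tuple[bool, str]:
    """Accept or drop a request received on dst_ip:dst_port over transport.

    Frames to an unknown or disabled LPOC are filtered; a pre-loaded Route whose
    FQDN is not the LPOC name, or whose port differs from the receiving port,
    is dropped.  Everything else is accepted.
    """
    lpoc = find_lpoc(lpocs, dst_ip, dst_port, transport)
    if lpoc is None:
        return False, f"no untrusted LPOC listening on {dst_ip}:{dst_port}/{transport}"
    if not lpoc.enabled:
        return False, f"lpoc {lpoc.poc_id} is disabled"
    if route_header is None:
        return True, "no pre-loaded Route to check"
    parsed = parse_route(route_header)
    if parsed is None:
        return False, "malformed Route header"
    host, port, _params = parsed
    own_addresses = {a for a in (lpoc.ipv4, lpoc.ipv6) if a}
    own_name = lpoc.name.lower() if lpoc.name else None
    if host not in own_addresses and host != own_name:
        return False, f"Route FQDN {host} unknown: lpoc {lpoc.poc_id} is named {lpoc.name}"
    if port is not None and port != dst_port:
        return False, f"Route port {port} differs from receiving port {dst_port}"
    return True, f"Route matches lpoc {lpoc.poc_id} ({lpoc.name}) on {dst_ip}:{dst_port}"


# Constructed after the "lpoc untrusted 8" example on this page.
LPOC8 = UntrustedLpoc(
    poc_id=8, name="mgc8.ims32.alcatel-lucent.com",
    ipv4="10.7.8.5", ipv6="2001:b8::10:7:8:5",
    ports={"udp": 5060, "tcp": 5060, "tls": 5061},
)

if __name__ == "__main__":
    print(route_decision([LPOC8], "10.7.8.5", 5060, "udp",
                         "Route: <sip:mgc8.ims32.alcatel-lucent.com:5060;lr>"))
    print(route_decision([LPOC8], "10.7.8.5", 5060, "udp",
                         "Route: <sip:other.example.net:5060;lr>"))
```

The host comparison is case-insensitive and also accepts the LPOC's own IP literal, so a peer that pre-loads the public address instead of the FQDN is still matched against the interface the message actually arrived on.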
lpoc trusted poc_id no ipv6
Purpose
Removes the IPv6 address from an LPOC.
Command
lpoc trusted poc_id no ipv6
Arguments
poc_id
The poc_id, referencing the trusted LPOC.
no ipv6
Specifies the IP protocol version to be removed from the LPOC.
Example
-> lpoc trusted 1 no ipv6
lpoc trusted poc_id no ipv4
Purpose
Removes the IPv4 address from an LPOC.
Command
lpoc trusted poc_id no ipv4
Arguments
poc_id
The poc_id, referencing the trusted LPOC.
no ipv4
Specifies the IP protocol version to be removed from the LPOC.
Example
-> lpoc trusted 1 no ipv4
Peer Networks peer-net netid rpoc peering_point_id ip
peer-net netid rpoc peering_point_id ip
Purpose
The purpose of that command is to define the IP address of a host that is in the scope
of the remote Peer Network.
Command
peer-net netid rpoc peering_point_id ip ip_address [udp[ port] | tcp[ port] | sctp[ port] | tls[ port]]
peer-net netid rpoc peering_point_id {udp[ port] | tcp[ port] | sctp[ port] | tls[ port]}
Arguments
netid
This is the identifier of the Peer network.
peering_point_id
The number of peering points per Peer Network depends on the Peer
Network identifier:
o when the netid is in the range [1..500], up to 63 peering points
may be defined per Peer Network.
o when the netid is in the range [501..2047], only 2 peering
points can be defined per Peer Network.
The same peering_point_id value can be used for different Peer Networks. The
uniqueness of the peering point is guaranteed by the combination of the local
peering_point_id and the reference of the Peer Network (netid).
ip_address
Defines the IPv4 or IPv6 address of the peering point.
A peering point can be dual-stack IPv4/IPv6. In that case the CLI must be run
twice, once to specify the IPv4 address, once to specify the IPv6 address.
port
The following table is an example of the routing table used by the SIP firewall when it
has to route an initial SIP Request initiated by the trusted IBCF to find out the remote
POC.
Trusted                    Untrusted: Peer Network and Peering Point (rpoc) provisioning
Listening port on          netid  peering_point_id  ip_address       udp   tcp   tls  sctp
lpoc trusted
10101                      1      1                 10.0.10.1        5060  5060  0    0
                                                    2001:31::10:1
10102                      1      2                 10.0.10.2        5060  5060  0    0
                                                    2001:31::10:2
10201                      2      1                 20.0.10.1        8080  8080  0    0
                                                    2001:42::20:1
10202                      2      2                 20.0.10.2        8080  8080  0    0
                                                    2001:42::20:2
The associated CLI commands are:
-> peer-net 1 rpoc 1 ip 10.0.10.1 udp 5060
-> peer-net 1 rpoc 1 ip 2001:31::10:1
-> peer-net 1 rpoc 1 tcp
-> peer-net 1 rpoc 2 ip 10.0.10.2 udp 5060
-> peer-net 1 rpoc 2 ip 2001:31::10:2
-> peer-net 1 rpoc 2 tcp
-> peer-net 2 rpoc 1 ip 20.0.10.1 udp 8080
-> peer-net 2 rpoc 1 tcp
-> peer-net 2 rpoc 1 ip 2001:42::20:1
-> peer-net 2 rpoc 2 ip 20.0.10.2 udp 8080
-> peer-net 2 rpoc 2 ip 2001:42::20:2
-> peer-net 2 rpoc 2 tcp
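The routing table above rebuilt from the CLI lines that produce it, as an added example that is not the guide's or Alcatel-Lucent's code. Two labelled assumptions: a transport keyword given without a port (a bare “tcp”) reuses the port already configured on that peering point, which is what the table shows, and the trusted listening port to (netid, peering_point_id) mapping is passed in as constructed input because the page describing that mapping is not reproduced here. The per-netid peering point limits stated above are enforced when a new point is created.

```python
"""Peer Network routing table from "peer-net netid rpoc peering_point_id ..."
CLI lines.  Added illustration, not SFW code.  Assumptions: a bare transport
keyword reuses a port already set on the rpoc; the trusted listening port
mapping is constructed input.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

TRANSPORTS = ("udp", "tcp", "tls", "sctp")

# Both command forms on this page; a leading "->" prompt is tolerated.
CLI_RE = re.compile(
    r"^(?:->\s*)?peer-net\s+(?P<netid>\d+)\s+rpoc\s+(?P<rpoc>\d+)"
    r"(?:\s+ip\s+(?P<ip>[0-9A-Fa-f:.]+))?"
    r"(?:\s+(?P<transport>udp|tcp|sctp|tls)(?:\s+(?P<port>\d+))?)?\s*$"
)


@dataclass
class PeeringPoint:
    netid: int
    rpoc: int
    ipv4: Optional[str] = None
    ipv6: Optional[str] = None
    # Remote listening ports; 0 means "not configured", as in the table.
    ports: Dict[str, int] = field(default_factory=lambda: {t: 0 for t in TRANSPORTS})


def max_peering_points(netid: int) -> int:
    """Limits stated on this page: 63 per Peer Network for netid 1..500, 2 for 501..2047."""
    if 1 <= netid <= 500:
        return 63
    if 501 <= netid <= 2047:
        return 2
    raise ValueError(f"netid {netid} outside the documented range 1..2047")


def apply_cli(table: Dict[Tuple[int, int], PeeringPoint], line: str) -> PeeringPoint:
    """Apply one CLI line to the table keyed by (netid, peering_point_id)."""
    m = CLI_RE.match(line.strip())
    if m is None or (m["ip"] is None and m["transport"] is None):
        raise ValueError(f"unrecognised peer-net rpoc command: {line!r}")
    netid, rpoc = int(m["netid"]), int(m["rpoc"])
    key = (netid, rpoc)
    if key not in table:
        defined = sum(1 for n, _ in table if n == netid)
        if defined >= max_peering_points(netid):
            raise ValueError(f"peer-net {netid}: limit of {defined} peering points reached")
        table[key] = PeeringPoint(netid, rpoc)
    pp = table[key]
    if m["ip"] is not None:
        # A dual-stack peering point needs the command twice, once per family.
        if ":" in m["ip"]:
            pp.ipv6 = m["ip"]
        else:
            pp.ipv4 = m["ip"]
    if m["transport"] is not None:
        if m["port"] is not None:
            port = int(m["port"])
        else:
            # Assumption: a bare transport keyword reuses a port already set on this rpoc.
            already = [p for p in pp.ports.values() if p]
            if not already:
                raise ValueError(f"{line!r}: no port given and none configured yet")
            port = already[0]
        pp.ports[m["transport"]] = port
    return pp


def routing_table(table, listening_ports: Dict[int, Tuple[int, int]]) -> List[tuple]:
    """Rows as in the table above: (trusted port, netid, rpoc, ipv4, ipv6, udp, tcp, tls, sctp)."""
    rows = []
    for trusted_port, key in sorted(listening_ports.items()):
        pp = table[key]
        rows.append((trusted_port, pp.netid, pp.rpoc, pp.ipv4, pp.ipv6,
                     pp.ports["udp"], pp.ports["tcp"], pp.ports["tls"], pp.ports["sctp"]))
    return rows


# The CLI lines printed on this page, embedded as sample input.
PAGE_CLI = """
-> peer-net 1 rpoc 1 ip 10.0.10.1 udp 5060
-> peer-net 1 rpoc 1 ip 2001:31::10:1
-> peer-net 1 rpoc 1 tcp
-> peer-net 1 rpoc 2 ip 10.0.10.2 udp 5060
-> peer-net 1 rpoc 2 ip 2001:31::10:2
-> peer-net 1 rpoc 2 tcp
-> peer-net 2 rpoc 1 ip 20.0.10.1 udp 8080
-> peer-net 2 rpoc 1 tcp
-> peer-net 2 rpoc 1 ip 2001:42::20:1
-> peer-net 2 rpoc 2 ip 20.0.10.2 udp 8080
-> peer-net 2 rpoc 2 ip 2001:42::20:2
->peer-net 2 rpoc 2 tcp
"""
# Constructed: trusted listening port -> (netid, peering_point_id), as in the table above.
PAGE_LISTENING_PORTS = {10101: (1, 1), 10102: (1, 2), 10201: (2, 1), 10202: (2, 2)}


def build_from_page() -> List[tuple]:
    table: Dict[Tuple[int, int], PeeringPoint] = {}
    for line in PAGE_CLI.strip().splitlines():
        apply_cli(table, line)
    return routing_table(table, PAGE_LISTENING_PORTS)


if __name__ == "__main__":
    for row in build_from_page():
        print(row)
```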
peer-net netid rpoc peering_point_id no ipv4
Purpose
The purpose of that command is to delete the IPv4 address of a peering point within a
Peer-Network.
Command
peer-net netid rpoc peering_point_id no ipv4
Arguments
netid
This is the identifier of the Peer network.
peering_point_id
This is the identifier of the peering point within the Peer-Network.
Example
-> peer-net 20 rpoc 15 no ipv4
peer-net netid rpoc peering_point_id no ipv6
Purpose
The purpose of that command is to delete the IPv6 address of a peering point within a
Peer-Network.
Command
peer-net netid rpoc peering_point_id no ipv6
Example
-> peer-net 20 rpoc 15 no ipv6
peer-net netid rpoc peering_point_id no port-forwarding
Purpose
The purpose of that command is to delete the port-forwarding configuration
previously defined for the NATed peering point.
Command
peer-net netid rpoc peering_point_id no port-forwarding
Arguments
netid
This is the identifier of the Peer network.
peering_point_id
This is the identifier of the Peering Point within the Peer Network.
Example
-> peer-net 3 rpoc 3 no port-forwarding
Peer Networks show peer-net connectivity
There is no IPv6 subnet in the definition of the vlan associated
with the Peer-Network whereas there is at least one IPv6 RPOC associated with that Peer-Network.
• “NO ROUTER IP” means that the configuration is not
consistent. An IP router address is required in the definition of the vlan associated with the Peer-Network, otherwise the LPOC is
unreachable. A router is required in the vlan definition as soon as the vlan and the LPOC are not in the same subnet.
• “ROUTER IP NOT IN SUBNET” means that the configuration is not consistent. The router IP address in the definition of the
vlan, associated with the Peer-Network, is not in the vlan subnet.
• “NO DEFAULT GW” means that the configuration is not
consistent. An IP gateway address is required in the definition of the vlan associated with the Peer-Network, otherwise the
RPOC is unreachable. A gateway is required in the vlan
definition as soon as the vlan and the RPOC are not in the same subnet.
• “GATEWAY IP NOT IN SUBNET” means that the configuration is not consistent. The gateway IP address in the
definition of the vlan, associated with the Peer-Network, is not in the vlan subnet.
• “NO RESP” means that the configuration is consistent. The MAC address of the RPOC is known but the SFW does not get any response to the ping requests.
• “TRUNK DOWN” means that the configuration is consistent. The untrusted trunk is down.
• “V6 ONLY” means that the configuration is consistent but the LPOC or RPOC are IPv6 only, thus ping v4 cannot be performed.
• “V4 ONLY” means that the configuration is consistent but the LPOC or RPOC are IPv4 only, thus ping v6 cannot be performed.
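The consistency rules behind the statuses listed above, applied to a vlan, LPOC and RPOC configuration expressed with the vlan commands of this guide (“vlan vid subnet”, “vlan vid router”, “vlan vid gw”). This is an added example, not the guide's or Alcatel-Lucent's code; the addresses are constructed after the examples in this guide. Only the statuses whose rule is stated above are implemented (“NO ROUTER IP”, “ROUTER IP NOT IN SUBNET”, “NO DEFAULT GW”, “GATEWAY IP NOT IN SUBNET”, “V4 ONLY”, “V6 ONLY”); the missing-IPv6-subnet case is reported in words because its status label is not on this page, and the ping-dependent statuses are out of scope for an offline check.

```python
"""Offline checker for the "show peer-net connectivity" configuration rules.
Added illustration, not SFW code; the addresses below are constructed.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional

IpByFamily = Dict[int, Optional[str]]   # 4 -> IPv4 address, 6 -> IPv6 address


@dataclass
class VlanCfg:
    vid: int
    subnet: IpByFamily = field(default_factory=dict)   # "vlan vid subnet ip_address/len"
    router: IpByFamily = field(default_factory=dict)   # "vlan vid router ip_address"
    gw: IpByFamily = field(default_factory=dict)       # "vlan vid gw ip_address"


def in_subnet(ip: str, subnet: str) -> bool:
    return ipaddress.ip_address(ip) in ipaddress.ip_network(subnet, strict=False)


def check_family(vlan: VlanCfg, lpoc: IpByFamily, rpoc: IpByFamily, family: int) -> List[str]:
    """Statuses for one IP family; an empty list means the configuration is consistent.

    Rules from the page: a router is needed when the LPOC is not in the vlan
    subnet, a gateway when the RPOC is not in the vlan subnet, and both the
    router and the gateway address must lie inside the vlan subnet.
    """
    lpoc_ip, rpoc_ip = lpoc.get(family), rpoc.get(family)
    if lpoc_ip is None or rpoc_ip is None:
        # Consistent, but a ping of this family cannot be performed.
        return ["V6 ONLY" if family == 4 else "V4 ONLY"]
    subnet = vlan.subnet.get(family)
    if subnet is None:
        # Label for this case is on a page not reproduced here, so describe it in words.
        return [f"no IPv{family} subnet in vlan {vlan.vid} although an IPv{family} RPOC exists"]
    router, gw = vlan.router.get(family), vlan.gw.get(family)
    findings: List[str] = []
    if router is None and not in_subnet(lpoc_ip, subnet):
        findings.append("NO ROUTER IP")
    if router is not None and not in_subnet(router, subnet):
        findings.append("ROUTER IP NOT IN SUBNET")
    if gw is None and not in_subnet(rpoc_ip, subnet):
        findings.append("NO DEFAULT GW")
    if gw is not None and not in_subnet(gw, subnet):
        findings.append("GATEWAY IP NOT IN SUBNET")
    return findings


def check_connectivity(vlan: VlanCfg, lpoc: IpByFamily, rpoc: IpByFamily) -> Dict[int, List[str]]:
    """Per-family statuses for the vlan a Peer-Network is bound to."""
    return {family: check_family(vlan, lpoc, rpoc, family) for family in (4, 6)}


# Constructed after the vlan 8 / lpoc 8 / peer-net 1 rpoc 1 examples in this guide;
# the IPv4 subnet and the gateway addresses are assumptions.
VLAN8 = VlanCfg(
    vid=8,
    subnet={4: "172.23.8.0/24", 6: "2001:b8::/64"},
    router={4: "172.23.8.3", 6: "2001:b8::172:23:8:3"},
    gw={4: "172.23.8.1", 6: "2001:b8::1"},
)
LPOC8 = {4: "10.7.8.5", 6: "2001:b8::10:7:8:5"}
RPOC1 = {4: "10.0.10.1", 6: "2001:31::10:1"}

if __name__ == "__main__":
    print(check_connectivity(VLAN8, LPOC8, RPOC1))
    print(check_connectivity(VlanCfg(vid=11, subnet={4: "172.23.8.0/24"}), LPOC8, RPOC1))
```

Running such a check against the intended configuration before committing it catches the four “not consistent” statuses without waiting for the firewall's own ping-based probe, which is only meaningful once the trunk is up.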
Peer Networks show peer-net [netid] statistics [trusted | untrusted]
Counters                                 | Definitions | Valid for Untrusted | Valid for Trusted

Level 2 : Pass 1 success per SIP operation
This table contains Level 2 statistics. It provides details on the messages counted in
pass1SipSuccess of the “Level 1” statistics.

pass1SipSuccessInitialInvite             | Number of initial INVITE that have been successful in Pass 1 | yes | yes
pass1SipSuccessInitialNonInvite          | Number of initial non-INVITE that have been successful in Pass 1 (out of dialog) | yes | yes
pass1SipSuccessSubsequentReq             | Number of subsequent transactions that have been successful in Pass 1 (in dialog) | yes | yes
pass1SipSuccessResponse                  | Number of responses that have been successful in Pass 1 (in and out of dialog) | yes | yes

Level 2 : Pass 2 drop per reason
This table contains Level 2 statistics for dropped messages. It provides details on the
messages counted in pass2Drop of the “Level 1” statistics.

pass2DropRateLimiting                    | Number of out-of-dialog transactions dropped due to method rate limiting (all QoS and methods) | yes | no
pass2DropMalformed                       | Number of SIP messages dropped due to malformed header: parsing error, mandatory header missing, etc. | yes | yes
pass2DropConfigMismatch                  | Number of SIP frames dropped due to configuration mismatch | yes | yes
pass2DropSuspicious                      | Number of SIP messages dropped due to suspect format, e.g. oai missing or unknown | yes | yes
pass2DropAdmControlReject                | Number of SIP messages rejected by the admission control (all QoS and message types) | yes | no
pass2DropFsmCheckOOSequence              | Number of SIP messages rejected because considered out of sequence | yes | yes
pass2DropFsmCheckRetryCounterExhausted   | Number of SIP messages dropped because the maximum number of retries has been reached | yes | yes
pass2DropInDialogOutOfResources          | Number of SIP in-dialog messages rejected because of a resource problem | yes | yes
pass2DropInDialogOverRate                | Number of SIP in-dialog messages rejected because considered over-rate | yes | no
pass2DropCheckHeaderRegeneration         | SIP messages dropped due to an error while parsing the headers that are changed by the firewall | yes | yes

Level 3 : Pass 2 drop suspicious
This table contains the Level 3 statistics for dropped messages. It provides details on the
messages counted in pass2DropSuspicious of the “Level 2: Pass 2 drop per reason” statistics.

pass2DropSuspiciousInitialInvite         | Number of SIP INVITE messages dropped due to suspect format, e.g. oai missing or unknown | yes | yes
pass2DropSuspiciousInitialNonInvite      | Number of SIP non-INVITE messages dropped due to suspect format, e.g. oai missing or unknown | yes | yes
Counters                                 | Definitions | Valid for Untrusted | Valid for Trusted

Level 2 : Pass 2 Admission Control Invite per QoS
This table contains Level 2 statistics for INVITE messages received and submitted to
the Admission Control. It provides details on the messages counted in pass2AdmCtlCall
of the “Level 1” statistics, per QoS level.

pass2AdmCtlCallQos0                      | Number of SIP messages submitted to the admission control for initial INVITE in QOS0. | yes | no
pass2AdmCtlCallQos1                      | Number of SIP messages submitted to the admission control for initial INVITE in QOS1. | yes | no
pass2AdmCtlCallQos2                      | Number of SIP messages submitted to the admission control for initial INVITE in QOS2. | yes | no
pass2AdmCtlCallQos3                      | Number of SIP messages submitted to the admission control for initial INVITE in QOS3. | yes | no
pass2AdmCtlCallQos4                      | Number of SIP messages submitted to the admission control for initial INVITE in QOS4. | yes | no
pass2AdmCtlCallQos5                      | Number of SIP messages submitted to the admission control for initial INVITE in QOS5. | yes | no
pass2AdmCtlCallQos6                      | Number of SIP messages submitted to the admission control for initial INVITE in QOS6. | yes | no
pass2AdmCtlCallQos7                      | Number of SIP messages submitted to the admission control for initial INVITE in QOS7. | yes | no

Level 2 : Pass 2 Admission Control Invite drop per QoS
This table contains the Level 2 statistics for messages received and submitted to the
Admission Control and dropped. It provides details on the messages counted in
pass2AdmCtlCall of the “Level 1” statistics, per QoS level.

pass2AdmCtlCallDropQos0                  | Number of calls rejected because the INVITE rate is greater than the available rate on the trusted side for QOS0. | yes | no
pass2AdmCtlCallDropQos1                  | Number of calls rejected because the INVITE rate is greater than the available rate on the trusted side for QOS1. | yes | no
pass2AdmCtlCallDropQos2                  | Number of calls rejected because the INVITE rate is greater than the available rate on the trusted side for QOS2. | yes | no
pass2AdmCtlCallDropQos3                  | Number of calls rejected because the INVITE rate is greater than the available rate on the trusted side for QOS3. | yes | no
pass2AdmCtlCallDropQos4                  | Number of calls rejected because the INVITE rate is greater than the available rate on the trusted side for QOS4. | yes | no
pass2AdmCtlCallDropQos5                  | Number of calls rejected because the INVITE rate is greater than the available rate on the trusted side for QOS5. | yes | no
pass2AdmCtlCallDropQos6                  | Number of calls rejected because the INVITE rate is greater than the available rate on the trusted side for QOS6. | yes | no
pass2AdmCtlCallDropQos7                  | Number of calls rejected because the INVITE rate is greater than the available rate on the trusted side for QOS7. | yes | no
show peer-net [netid] statistics [trusted | untrusted]
Example
-> show peer-net statistics untrusted
UNTRUSTED SIDE LEVEL 1 STATISTICS
...
pass1Drop : 313
...
pass2Drop : 964
...
pass2MethodRateDrop : 260
...
Level 2 statistics pass1Drop
pass1Drop : 313
pass1DropMalformed : 209
pass1DropSuspicious : 104
Level 3 pass1DropSuspicious
pass1DropSuspicious : 104
pass1DropSuspiciousSubsequentReq : 1
pass1DropSuspiciousResponse : 2
pass1DropSuspiciousBYE : 100
pass1DropSuspiciousCANCEL : 1
Level 2 statistics pass2Drop per reason
pass2Drop : 964
pass2DropRateLimiting : 260
pass2DropMalformed : 704
Level 2 statistics pass2MethodRateDrop per SIP method
pass2MethodRateDrop : 260
pass2MethodRateDropInvite : 260
Level 2 statistics pass2MethodRateDrop per QOS
pass2MethodRateDrop : 260
pass2MethodRateDropQos0 : 260
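The hierarchy above is regular enough to check mechanically. The following Python script is an added example, not part of this guide or of the SFW: it parses the Level 1/2/3 counters printed by show peer-net statistics, verifies that every breakdown adds up to the parent counter it details, and reports which child dominates a drop counter (here 100 of the 104 suspicious drops are BYEs, the kind of skew that usually points at one peer replaying BYEs). The sample is the output shown above, re-typed; the finding format is the example's own.

```python
"""Consistency checks over `show peer-net statistics` output.

Added example, not part of the SFW or of this guide. Parses the Level 1/2/3
counter hierarchy printed by the CLI and verifies that each breakdown adds
up to the parent counter it details.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample: the guide's own example output, re-typed.
SAMPLE = """\
UNTRUSTED SIDE LEVEL 1 STATISTICS
...
pass1Drop : 313
...
pass2Drop : 964
...
pass2MethodRateDrop : 260
...
Level 2 statistics pass1Drop
pass1Drop : 313
pass1DropMalformed : 209
pass1DropSuspicious : 104
Level 3 pass1DropSuspicious
pass1DropSuspicious : 104
pass1DropSuspiciousSubsequentReq : 1
pass1DropSuspiciousResponse : 2
pass1DropSuspiciousBYE : 100
pass1DropSuspiciousCANCEL : 1
Level 2 statistics pass2Drop per reason
pass2Drop : 964
pass2DropRateLimiting : 260
pass2DropMalformed : 704
Level 2 statistics pass2MethodRateDrop per SIP method
pass2MethodRateDrop : 260
pass2MethodRateDropInvite : 260
Level 2 statistics pass2MethodRateDrop per QOS
pass2MethodRateDrop : 260
pass2MethodRateDropQos0 : 260
"""

# "Level 2 statistics pass2Drop per reason", "Level 3 pass1DropSuspicious", ...
BLOCK_HDR = re.compile(r"^Level\s+(\d+)(?:\s+statistics)?\s+(\w+)(?:\s+per\s+(.+))?$")
COUNTER = re.compile(r"^(\w+)\s*:\s*(\d+)$")


@dataclass
class Block:
    level: int
    parent: str                  # counter this block breaks down
    breakdown: str               # "reason", "SIP method", "QOS" or ""
    total: Optional[int] = None  # the parent's own value, repeated at the top of the block
    children: Dict[str, int] = field(default_factory=dict)

    def label(self) -> str:
        return f"Level {self.level} {self.parent}" + (f" per {self.breakdown}" if self.breakdown else "")


def parse(text: str) -> Tuple[Dict[str, int], List[Block]]:
    """Return (Level 1 counters, breakdown blocks in print order)."""
    level1: Dict[str, int] = {}
    blocks: List[Block] = []
    cur: Optional[Block] = None
    for line in text.splitlines():
        line = line.strip()
        hdr = BLOCK_HDR.match(line)
        if hdr:
            cur = Block(int(hdr[1]), hdr[2], hdr[3] or "")
            blocks.append(cur)
            continue
        cnt = COUNTER.match(line)
        if not cnt:
            continue                      # banner lines and "..." elisions
        name, value = cnt[1], int(cnt[2])
        if cur is None:
            level1[name] = value
        elif name == cur.parent and cur.total is None:
            cur.total = value
        else:
            cur.children[name] = value
    return level1, blocks


def check_consistency(text: str) -> List[str]:
    """One finding per breakdown whose children do not add up, or whose total
    disagrees with the Level 1 value of the same counter."""
    level1, blocks = parse(text)
    findings = []
    for b in blocks:
        if b.total is None:
            findings.append(f"{b.label()}: no total line for {b.parent}")
            continue
        if b.parent in level1 and level1[b.parent] != b.total:
            findings.append(f"{b.label()}: total {b.total} differs from Level 1 value {level1[b.parent]}")
        total_children = sum(b.children.values())
        if total_children != b.total:
            findings.append(f"{b.label()}: children sum to {total_children}, parent says {b.total}")
    return findings


def top_contributor(text: str, parent: str) -> Optional[Tuple[str, float]]:
    """Largest child in the first breakdown of `parent`, with its share in percent."""
    _, blocks = parse(text)
    for b in blocks:
        if b.parent == parent and b.children and b.total:
            name, value = max(b.children.items(), key=lambda kv: kv[1])
            return name, round(100.0 * value / b.total, 1)
    return None


if __name__ == "__main__":
    for finding in check_consistency(SAMPLE) or ["all breakdowns consistent"]:
        print(finding)
    print(top_contributor(SAMPLE, "pass1DropSuspicious"))
```

Run it against a pasted capture from the CLI; a breakdown that does not add up usually means the capture spans a counter reset or a switchover, so compare captures taken in the same collection interval.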
security-profile profile_id out-of-dialog method-rate
Purpose
The following CLI command has several purposes:
• it configures the SIP method rate limit for transactions that take place outside a dialog. This is the case for REGISTER, INFO, MESSAGE, OPTIONS, PUBLISH and NOTIFY.
• it configures the transaction rate limit for non-INVITE dialogs. This is the case in RCS scenarios with SUBSCRIBE, REFER and NOTIFY.
• it configures the per-method SIP transaction rate applied once the dialog tracking context has been removed from the SFW. This happens either because a switchover occurred or because dialog tracking aged the context out due to resource limitation.
Command
security-profile profile_id out-of-dialog method-rate all messages_per_sec
security-profile profile_id out-of-dialog method-rate
{ register messages_per_sec | info messages_per_sec |
message messages_per_sec | notify messages_per_sec |
options messages_per_sec | publish messages_per_sec |
subscribe messages_per_sec | refer messages_per_sec |
update messages_per_sec | bye messages_per_sec |
prack messages_per_sec }
Arguments
profile_id
This is the identifier of the Security-Profile.
all
Specifies that all SIP methods listed above, outside an INVITE dialog, have the same rate
limiter. If “all” is not specified, then it is possible to define a specific rate limiter per
method.
security-profile profile_id out-of-dialog no method-rate
Purpose
The following CLI command removes a SIP method rate limiter applied previously.
Command
security-profile profile_id out-of-dialog no method-rate all
security-profile profile_id out-of-dialog no method-rate
{ register | info | message | notify | options | publish | subscribe | refer |
update | bye | prack }
Arguments
profile_id
This is the identifier of the Security-Profile.
all
Specifies that all SIP methods listed above, outside an INVITE dialog, have their rate limiter removed. The default value 0 is then applied to every one of these methods, which means they are forbidden out of dialog.
If “all” is not specified, the rate limiter is removed for the specified SIP method only.
Example
-> security-profile 2 out-of-dialog no method-rate register
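The two commands above (method-rate and no method-rate) define a small policy whose consequences are easy to get wrong: a shared limiter under “all” makes unrelated methods compete for the same budget, and a method whose limiter is removed or never set is not unlimited but forbidden. The following Python model is an added example, not SFW code: it plays a constructed one-second burst of REGISTER, OPTIONS and INFO through three configurations. The guide does not say how messages_per_sec is measured, so a sliding one-second window is an assumption, as is letting an explicit per-method 0 override a shared “all” limiter.

```python
"""Out-of-dialog per-method rate limiting, modelled as an added example.

Not SFW code. The guide states two things this model makes concrete:
`method-rate all` gives every listed method one shared limiter, while
per-method limits are independent; and a method whose limiter was never
set, or was removed with `no method-rate`, has the default value 0 and is
forbidden. The guide does not say how messages_per_sec is measured; a
sliding one-second window is an assumption here.
"""
from collections import deque
from typing import Deque, Dict, List, Optional, Tuple

OUT_OF_DIALOG_METHODS = ("REGISTER", "INFO", "MESSAGE", "NOTIFY", "OPTIONS", "PUBLISH",
                         "SUBSCRIBE", "REFER", "UPDATE", "BYE", "PRACK")


class RateLimiter:
    """Admits at most `per_sec` messages in any 1000 ms window; 0 admits nothing."""

    def __init__(self, per_sec: int) -> None:
        self.per_sec = per_sec
        self.admitted: Deque[int] = deque()   # timestamps (ms) of admitted messages

    def allow(self, now_ms: int) -> bool:
        if self.per_sec <= 0:
            return False                      # default 0: method forbidden out of dialog
        while self.admitted and now_ms - self.admitted[0] >= 1000:
            self.admitted.popleft()
        if len(self.admitted) < self.per_sec:
            self.admitted.append(now_ms)
            return True
        return False


class OutOfDialogPolicy:
    """The `out-of-dialog method-rate` part of one security-profile."""

    def __init__(self) -> None:
        self.shared: Optional[RateLimiter] = None       # set by `method-rate all N`
        self.per_method: Dict[str, RateLimiter] = {}    # set by `method-rate <method> N`

    def method_rate(self, method: str, per_sec: int) -> None:
        if method == "all":
            self.shared, self.per_method = RateLimiter(per_sec), {}
        else:
            self.per_method[method.upper()] = RateLimiter(per_sec)

    def no_method_rate(self, method: str) -> None:
        if method == "all":
            self.shared, self.per_method = None, {}     # everything back to the default 0
        else:
            # assumption: an explicit 0 for one method wins over a shared `all` limiter
            self.per_method[method.upper()] = RateLimiter(0)

    def admit(self, method: str, now_ms: int) -> bool:
        if method not in OUT_OF_DIALOG_METHODS:
            raise ValueError(f"{method} is not handled by the out-of-dialog limiter")
        limiter = self.per_method.get(method) or self.shared
        return limiter is not None and limiter.allow(now_ms)


def run(policy: OutOfDialogPolicy, traffic: List[Tuple[int, str]]) -> Dict[str, Tuple[int, int]]:
    """Feed (time_ms, method) pairs in time order; return {method: (passed, dropped)}."""
    stats: Dict[str, List[int]] = {}
    for now_ms, method in sorted(traffic, key=lambda t: t[0]):   # stable: ties keep list order
        counters = stats.setdefault(method, [0, 0])
        counters[0 if policy.admit(method, now_ms) else 1] += 1
    return {m: (c[0], c[1]) for m, c in stats.items()}


# Constructed one-second burst: 20 REGISTER at 50 ms spacing, 5 OPTIONS, 3 INFO.
BURST = ([(i * 50, "REGISTER") for i in range(20)]
         + [(t, "OPTIONS") for t in (100, 200, 300, 400, 500)]
         + [(t, "INFO") for t in (150, 350, 700)])


def per_method_scenario() -> Dict[str, Tuple[int, int]]:
    """register 10/s and options 5/s configured; INFO never configured, so forbidden."""
    policy = OutOfDialogPolicy()
    policy.method_rate("register", 10)
    policy.method_rate("options", 5)
    return run(policy, BURST)


def shared_scenario() -> Dict[str, Tuple[int, int]]:
    """`method-rate all 10`: the three methods compete for the same 10 messages/s."""
    policy = OutOfDialogPolicy()
    policy.method_rate("all", 10)
    return run(policy, BURST)


def shared_then_removed_scenario() -> Dict[str, Tuple[int, int]]:
    """`all 10` then `no method-rate register`: REGISTER alone drops to 0."""
    policy = OutOfDialogPolicy()
    policy.method_rate("all", 10)
    policy.no_method_rate("register")
    return run(policy, BURST)
```

The shared scenario is the one to watch on a real peering: a REGISTER flood from one peer consumes the budget that OPTIONS keep-alives and INFO need, which is why per-method limits are usually preferable to “all” for anything but a lab profile.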
security-profile profile_id sip thig
Purpose
The purpose of this command is to enable or disable Topology Hiding (THIG).
The SIP Firewall performs topology hiding on all SIP requests and responses originated by the private network, so that peering networks cannot see the IP addresses, port numbers and host names of internal network elements.
THIG is performed by ciphering all private URIs found in outgoing SIP messages. Conversely, all ciphered headers found in incoming SIP messages are deciphered.
For the SIP headers Via, Route and Record-Route, a fixed pattern is appended to the end of each ciphered text: “tokenized-by=sfw.net”.
The domain name “sfw.net” is the default value. It can be modified via a configuration parameter in sitecfg.sfw. See the paragraph Part I:23 How to configure the SFW SITE specific parameters.
Command
security-profile profile_id sip thig
security-profile profile_id no sip thig
Arguments
profile_id
This is the identifier of the Security-Profile. Remember that a Security-Profile and a Peer-
Network are associated via the CLI command “peer-network netid security-profile
profile_id ”.
sip thig
Enable THIG towards the Peer-Networks associated with the specified profile_id .
no sip thig
Disable THIG towards the Peer-Networks associated with the specified profile_id .
Complementary Information
1. For the following headers: Request-Line, From, To, Diversion, History-Info, P-Asserted-Identity, only the host-port part of the URI (either a host name or an IP address) is ciphered.
Example:
Before THIG:
From: Alice <sip:alice@192.168.2.50:50001;p=abc>;tag=dftghjhg
After THIG:
From: Alice <sip:alice@5ZW02glU6kTzZkpYJdXK2vQMTEf;p=abc>;tag=dftghjhg
2. For the Contact header, the whole addr-spec value is ciphered and the public IP address of the SIP Firewall is appended. This allows subsequent requests coming from the untrusted side to be routed using the Request-URI.
Example:
Before THIG:
Contact: "Mr Smith" <sip:user@private-host;transport=tcp>;q=0.7;expires=3600
After THIG:
Contact: "Mr Smith" <sip:ciphered-addr-spec@sfw-public-address>;q=0.7;expires=3600
3. For the following headers: Via, Route, Record-Route, Path, Service-Route, the whole field value is ciphered. Moreover, multiple headers with the same field name are ciphered into a single one. This follows Section 5.10.4 of 3GPP TS 24.229 for topology hiding requirements.
Example:
Before THIG:
Via: SIP/2.0/UDP 10.7.8.5:5060;branch=z9hG4bK-14755-1-0;oai=yyyy7vbsKa+53ryUDHyyyy7y+mY4y
Via: SIP/2.0/UDP 192.168.2.50:50001;branch=z9hG4bK-9119-1-0
After THIG, a single header line results, as long as the resulting string is short enough to be contained in a single header line:
Via: SIP/2.0/UDP 5P0gx7l4PkTRfgTy-
gHyujyYr.TghRgrESXpmMDg0zhQ1BP3s8CDoft4Fsg2bBe-
sxARl.SD7YU2Mf;tokenized-by=sfw.net;branch=z9hG4bK-45
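As an added illustration of the three cases above (not code from the SFW, whose cipher the guide does not describe), the following Python hides and reveals headers the way the text describes: host-port only for From-like headers, the whole addr-spec plus the SFW public address for Contact, and a single collapsed Via carrying tokenized-by=sfw.net. The keystream (HMAC-SHA256 in counter mode) and the appended integrity tag are this example's choices; the tag matters because a firewall that deciphers tokens arriving from the untrusted side must be able to tell its own tokens from forged ones before it routes on the result. The key, the public address and the branch derivation are constructed assumptions.

```python
"""Topology hiding (THIG) of SIP headers, as an added illustration.

Not the SFW's code: the guide does not describe the cipher it uses, so this
example derives a keystream from HMAC-SHA256 in counter mode and appends a
truncated HMAC tag so that tampered tokens coming back from the untrusted
side are rejected instead of deciphered. Key, public address and domain are
constructed values.
"""
import base64
import hashlib
import hmac
import re
from typing import List

THIG_KEY = b"constructed-thig-key-change-me"   # assumption: per-SFW secret
SFW_PUBLIC = "198.51.100.7:5060"               # assumption: untrusted-side lpoc address
DOMAIN = "sfw.net"                             # default domain from sitecfg.sfw
NONCE_LEN = TAG_LEN = 8


def _stream(nonce: bytes, length: int) -> bytes:
    """Keystream = HMAC(key, nonce || counter) blocks, truncated to `length`."""
    out = b""
    for ctr in range((length + 31) // 32):
        out += hmac.new(THIG_KEY, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]


def tokenize(plain: str) -> str:
    """Cipher `plain` into a URI-safe token: base64url(nonce || ciphertext || tag)."""
    data = plain.encode()
    # Nonce derived from the plaintext: the same address always yields the same token
    # (stateless and repeatable), at the price of revealing address equality across messages.
    nonce = hmac.new(THIG_KEY, b"nonce" + data, hashlib.sha256).digest()[:NONCE_LEN]
    ct = bytes(a ^ b for a, b in zip(data, _stream(nonce, len(data))))
    tag = hmac.new(THIG_KEY, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    # base64url may emit '_', which is not hostname-legal; a deployment would pick a stricter alphabet.
    return base64.urlsafe_b64encode(nonce + ct + tag).decode().rstrip("=")


def detokenize(token: str) -> str:
    """Decipher a token; raises ValueError unless it was produced under THIG_KEY."""
    raw = base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))
    if len(raw) < NONCE_LEN + TAG_LEN:
        raise ValueError("token too short")
    nonce, ct, tag = raw[:NONCE_LEN], raw[NONCE_LEN:-TAG_LEN], raw[-TAG_LEN:]
    expect = hmac.new(THIG_KEY, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expect):
        raise ValueError("THIG token failed integrity check")
    return bytes(a ^ b for a, b in zip(ct, _stream(nonce, len(ct)))).decode()


# sip:[user@]host[:port] ; group 1 = "sip:user@" prefix, group 2 = host-port
HOSTPORT = re.compile(r"(sip:(?:[^@;>\s]+@)?)([^;>\s]+)")


def hide_hostport(value: str) -> str:
    """Request-Line, From, To, P-Asserted-Identity, ...: only host-port is ciphered."""
    return HOSTPORT.sub(lambda m: m[1] + tokenize(m[2]), value, count=1)


def reveal_hostport(value: str) -> str:
    return HOSTPORT.sub(lambda m: m[1] + detokenize(m[2]), value, count=1)


def hide_contact(value: str) -> str:
    """Contact: the whole addr-spec is ciphered and the SFW public address appended."""
    return re.sub(r"<([^>]+)>", lambda m: f"<sip:{tokenize(m[1])}@{SFW_PUBLIC}>", value, count=1)


def reveal_request_uri(uri: str) -> str:
    """Request-URI of a later request from the peer, built from a hidden Contact."""
    m = re.fullmatch(r"sip:([^@]+)@" + re.escape(SFW_PUBLIC), uri)
    if not m:
        raise ValueError("Request-URI does not point at the SFW public address")
    return detokenize(m[1])


def hide_vias(values: List[str]) -> str:
    """Via (also Route, Record-Route, Path, Service-Route): whole values, collapsed into one header."""
    token = tokenize("\n".join(values))
    branch = "z9hG4bK-" + hashlib.sha1(token.encode()).hexdigest()[:8]   # assumption: SFW-owned branch
    return f"SIP/2.0/UDP {token};tokenized-by={DOMAIN};branch={branch}"


def reveal_vias(value: str) -> List[str]:
    m = re.match(r"SIP/2\.0/\w+ ([^;]+);tokenized-by=" + re.escape(DOMAIN), value)
    if not m:
        raise ValueError("not a tokenized Via")
    return detokenize(m[1]).split("\n")
```

Because the nonce is derived from the plaintext, two messages carrying the same internal address produce the same token; that is what keeps the scheme stateless across a switchover, but it also means an observer on the untrusted side can correlate traffic from the same internal element even though it cannot learn the address.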
List of (de-)ciphered Headers
Ciphering or deciphering of headers depends on the message origin, the kind of message (Request/Response) and the dialog originator. The following table shows the list of ciphered/deciphered headers according to each of the preceding conditions.
Headers                              Ciphering in outgoing messages    Deciphering in incoming messages
                                     request    response               request    response
Request-Line                         X
Contact                              X  X
From (if dialog origin is trusted)   X
To (if dialog origin is trusted)     X
Record-Route                         X  X  X  X
Route                                X  X
Via                                  X  X  X
Diversion                            X  X  X
History-Info                         X  X  X
P-Asserted-Identity                  X
security-profile profile_id route-reorder
Purpose
The purpose of this command is to enable or disable the option to accept disordered Route headers in subsequent requests from peer networks.
Subsequent requests from a peer network must carry Route headers, since the SIP Firewall has already announced its route set in the previous transaction through Record-Route headers. In requests from peer networks, the Route headers should be in order: the top one points to the lpoc on the untrusted side of the SIP Firewall, the second one points to the rpoc on the trusted side of the SIP Firewall.
Unfortunately, some external SIP devices do not follow RFC 3261 very well and may send subsequent requests with disordered Route headers. To tolerate this kind of behavior, the route-reorder option is added.
Command
security-profile profile_id route-reorder
security-profile profile_id no route-reorder
Arguments
profile_id
This is the identifier of the Security-Profile. Remember that a Security-Profile and a Peer-
Network are associated via the CLI command “peer-network netid security-profile
profile_id ”.
route-reorder
Enable the option to accept disordered Route headers in subsequent requests from Peer-
Networks associated with the specified profile_id .
no route-reorder
Disable the option to accept disordered Route headers in subsequent requests from Peer-
Networks associated with the specified profile_id .
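The check this option relaxes can be written down. The following Python is an added example, not SFW code: it extracts the Route set of a subsequent request and accepts it strictly (lpoc on top, rpoc second) or in either order when route-reorder is on. The lpoc and rpoc URIs are constructed, and treating a Route that belongs to neither as a rejection in both modes is this example's assumption about what the option does not tolerate.

```python
"""Route-set check on subsequent in-dialog requests (added example, not SFW code)."""
from typing import List, Tuple

LPOC_UNTRUSTED = "sip:198.51.100.7:5060;lr"   # assumption: SFW untrusted-side lpoc, as record-routed
RPOC_TRUSTED = "sip:10.0.0.20:5060;lr"        # assumption: rpoc on the trusted side
EXPECTED_ROUTE_SET = [LPOC_UNTRUSTED, RPOC_TRUSTED]


def route_headers(request: str) -> List[str]:
    """Route URIs in header order; comma-separated values within one header count too."""
    uris: List[str] = []
    for line in request.split("\r\n"):
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "route":
            uris.extend(part.strip().strip("<>") for part in value.split(","))
    return uris


def check_route_set(request: str, route_reorder: bool) -> Tuple[bool, str]:
    """(accepted, reason) for one subsequent request from the peer network."""
    routes = route_headers(request)
    if not routes:
        return False, "subsequent request without Route headers"
    if routes == EXPECTED_ROUTE_SET:
        return True, "Route headers in order"
    if sorted(routes) == sorted(EXPECTED_ROUTE_SET):
        if route_reorder:
            return True, "disordered Route headers tolerated (route-reorder)"
        return False, "Route headers out of order (RFC 3261 loose routing)"
    # assumption: tolerance covers order only, never a Route the SFW did not record-route
    return False, "Route set does not match what the SFW record-routed"


def build_bye(routes: List[str]) -> str:
    """Constructed BYE from the peer network carrying the given Route headers."""
    lines = ["BYE sip:alice@10.0.0.20 SIP/2.0",
             "Via: SIP/2.0/UDP 203.0.113.9:5060;branch=z9hG4bK-77"]
    lines += [f"Route: <{uri}>" for uri in routes]
    lines += ["From: <sip:bob@peer.example>;tag=b1",
              "To: <sip:alice@operator.example>;tag=a1",
              "Call-ID: 4c3e@peer.example", "CSeq: 2 BYE", "Content-Length: 0", "", ""]
    return "\r\n".join(lines)


IN_ORDER = build_bye([LPOC_UNTRUSTED, RPOC_TRUSTED])
SWAPPED = build_bye([RPOC_TRUSTED, LPOC_UNTRUSTED])
FOREIGN = build_bye([LPOC_UNTRUSTED, "sip:evil.example;lr"])
```

Keep route-reorder off unless a specific peer needs it: the swapped case it tolerates is also what a request that was routed around the trusted-side rpoc looks like, and the option removes that signal.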
security-profile profile_id ringing-timer duration
Purpose
The purpose of this command is to configure, in seconds, the maximum duration of the ringing time. This is how long an initial INVITE transaction can stay in the Ringing state waiting for a final response.
This setting becomes effective when the security-profile is associated with the peer-network.
Command
security-profile profile_id ringing-timer duration
Arguments
profile_id
This is the identifier of the Security-Profile. Remember that a Security-Profile and a Peer-
Network are associated via the CLI command “peer-network netid security-profile
profile_id ”.
duration
The Ringing timer can be set, in seconds, in the range from 30 to 300.
The default value is 180 seconds.
Example
-> security-profile 20 ringing-timer 240
security-profile profile_id clone profile_id
Purpose
The following CLI command allows creation of a new security-profile by copying an existing one.
Command
security-profile profile_id2 clone profile_id1
Arguments
profile_id2
This is the identifier of the new Security-Profile to be created.
The identifier must be in the range 1-32.
profile_id1
This is the identifier of the already existing Security-Profile used as template to create the
clone.
Example
-> security-profile 20 clone 19
security-profile profile_id fqdn-in-from thig
Purpose
The purpose of this command is to enable or disable Topology Hiding for the From and P-Asserted-Identity headers when their host part is a host name.
When the host part is an IP address, the From and P-Asserted-Identity headers are always ciphered.
“fqdn-in-from thig” only takes effect when “sip thig” is enabled.
Command
security-profile profile_id fqdn-in-from thig
security-profile profile_id no fqdn-in-from thig
Arguments
profile_id
This is the identifier of the Security-Profile. Remember that a Security-Profile and a Peer-
Network are associated via the CLI command “peer-network netid security-profile
profile_id ”.
fqdn-in-from thig
Enable THIG for From and P-Asserted-Identity headers whose host part is a host name when sending messages to Peer-Networks associated with the specified profile_id.
no fqdn-in-from thig
Disable THIG for From and P-Asserted-Identity headers whose host part is a host name when sending messages to Peer-Networks associated with the specified profile_id.
security-profile profile_id sip route-mode
Purpose
The purpose of this command is to specify whether the SFW adds Record-Route headers to messages sent to Peer-Networks.
If the SFW does not send Record-Route headers to Peer-Networks, the oai is carried in the Contact header instead. To ensure that subsequent in-dialog requests from Peer-Networks still reach the SFW when SIP THIG is disabled, the SFW untrusted lpoc IP address is put into the host part of the Contact header and the original host part is saved as a private parameter of the Contact header.
Command
security-profile profile_id sip route-mode record-route
security-profile profile_id sip route-mode contact
Arguments
profile_id
This is the identifier of the Security-Profile. Remember that a Security-Profile and a Peer-Network are associated via the CLI command “peer-network netid security-profile profile_id”.
sip route-mode record-route
Messages sent to Peer-Networks associated with the specified profile_id carry Record-Route headers.
sip route-mode contact
Messages sent to Peer-Networks associated with the specified profile_id do not carry Record-Route headers. The oai is put into the Contact header.
security-profile profile_id private_ip
Purpose
The purpose of this command is to specify whether the SFW adds the private IP address (lpoc untrusted IP) to the From/P-AID/To/Contact headers of messages sent to Peer-Networks.
For requests (e.g. INVITE/re-INVITE/UPDATE/ACK/BYE/PRACK/CANCEL) sent from the trusted side to the untrusted side whose From/P-AID/Contact headers carry the MGC-8 private IP/port in the host part, the SFW puts its own public IP/port into the host part and carries the MGC-8 private IP/port as a From/P-AID/Contact URI parameter when THIG is disabled.
For requests (e.g. INVITE/re-INVITE/UPDATE/ACK/BYE/PRACK/CANCEL) sent from the trusted side to the untrusted side whose From/P-AID headers carry a tokenized string in the host part, the SFW puts its own public IP/port into the host part and carries the tokenized string as a From/P-AID URI parameter when THIG is enabled.
For responses (1xx-6xx) to an initial INVITE from the untrusted to the trusted side, received from the MGC-8 with a Contact header carrying the MGC-8 private IP/port in the host part, the SFW puts its own public IP/port into the host part and carries the MGC-8 private IP/port as a Contact URI parameter.
Note that in the first and third cases the MGC-8 private IP/port still reaches the peer network, as a URI parameter, which discloses an internal address that THIG would otherwise hide.
Command
security-profile profile_id private_ip
security-profile profile_id no private_ip
Arguments
profile_id
This is the identifier of the Security-Profile. Remember that a Security-Profile and a Peer-Network are associated via the CLI command “peer-network netid security-profile profile_id”.
private_ip
Add the private IP to the From/P-AID/To/Contact headers of messages sent to Peer-Networks.
no private_ip
Do not add the private IP to the From/P-AID/To/Contact headers of messages sent to Peer-Networks.
show security-profile profile_id
Purpose
Displays the Security-Profile configuration.
Command
show security-profile [ profile_id ]
Arguments
profile_id
This is the identifier of the Security-Profile to be displayed. If profile_id is not specified,
all Security Profiles are displayed.
Example
-> show security-profile 19
Profile id : 19
Name :
INVITE in-dialog accepted methods : INFO MESSAGE NOTIFY PUBLISH SUBSCRIBE OPTIONS
INVITE in-dialog forbidden methods :
REGISTER out-of-dialog rate : 1000
INFO out-of-dialog rate : 1000
MESSAGE out-of-dialog rate : 1000
NOTIFY out-of-dialog rate : 1000
PUBLISH out-of-dialog rate : 1000
SUBSCRIBE out-of-dialog rate : 1000
REFER out-of-dialog rate : 1000
UPDATE out-of-dialog rate : 1000
BYE out-of-dialog rate : 1000
PRACK out-of-dialog rate : 1000
OPTIONS out-of-dialog rate : 1000
INVITE dialog setup rate : 1000
INVITE in-dialog transaction rate : 10
T1 timer : 100
INVITE fork-response : 32
INVITE fork-timer (TM) : 64
THIG : yes
7 TLS feature overview
Introduction
TLS usage rationale
The primary goal of the TLS protocol is to provide privacy and data integrity for the SIP flows exchanged between the SIP firewall and remote SIP entities on its untrusted side.
It also provides mutual authentication of both peers through the verification of their respective X.509 certificates.
Reference documents
Standard
[SIP conn
 ect] SIP-PBX / Service Provider Interoperability - "SIPconnect 1.1 Technical Recommendation" - SIP Forum Document Number: TWG-2
Main RFCs
[RFC2246] The TLS Protocol Version 1.0
[RFC3280] Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile
Feature Overview
Standards and algorithms supported
The SIP firewall supports TLS v1.0 (RFC 2246) and X.509v3 certificates (RFC 3280) based on RSA keys (up to 4096 bits).
SSLv2 and SSLv3 are not supported because of their known vulnerabilities.
Certificate revocation, whether with OCSP (Online Certificate Status Protocol) or with a statically configured list of revoked certificates, is not supported. A compromised or retired peer certificate therefore remains accepted until it expires or its CA certificate is removed from the TLS profile.
List of algorithms supported:
• For key exchange: Diffie-Hellman, RSA,
• For authentication: RSA (maximum key size = 4096 bits),
• For symmetric ciphering: AES128, AES256, 3DES, RC4,
• For integrity: SHA1.
Note that RC4 has since been prohibited in TLS (RFC 7465) and TLS 1.0 itself deprecated (RFC 8996); where the remote peer offers a choice, the AES cipher suites are the ones to keep.
Compression is not supported.
Main Feature List
The following main features are supported:
• TLS v1.0 handshake, change cipher spec, alert and record protocols
• Automatic TLS connection handling toward the rpoc entity
• X.509 certificate management (CLI interface)
• Local certificate management
o Import in PEM Base64 of the public certificate and its private key (SSLeay format)
o Support of the Certificate Signing Request (CSR) procedure. The generated CSR is in PKCS#10 format.
o Content display
o Deletion
• Certificate Authority (CA) certificate management
o Import in PEM Base64 format
o Content display
o Deletion
TLS Feature Description
Local certificates may also be managed through the Certificate Signing Request (CSR) procedure:
In the CSR procedure, a public/private key pair is generated locally on the SFW (step 1) and a corresponding CSR is generated in PEM/Base64 format for the Certificate Authority (step 2). The CA sends back the corresponding X.509 certificate, signed by the CA, which is then imported into the SFW (step 3). With the CSR procedure the private key never leaves the SFW: this is more secure than importing a private key.
Figure 1 - Certificate Signing Request (CSR) handling: the root user triggers 1/ certificate request creation on the SFW (local certificate: certificate part and private key part), sends 2/ the certificate signing request (CSR) to the Certification Authority, then performs 3/ certificate importation of the signed certificate into the SFW.
TLS domain handling per VPN through TLS profile usage
In the SIP firewall a peer network entity may be associated with a particular VPN through its VLAN id. A TLS profile may also be configured per peer network entity: this allows a particular TLS configuration (that of the TLS profile) per VPN. This TLS configuration is applied to all rpoc of the related peer network entity.
VLAN w (corresponding to VPN x) <- Peer-net y -> TLS profile z
Each TLS profile contains:
• a description name
• the id of the local certificate to use for the SFW,
• the list of ids of trusted CA certificates,
8 TLS Profile
Purpose
This paragraph provides information about the configuration of the TLS profiles.
Introduction: TLS connections and TLS Profile handling
A new permanent TLS connection is established with an RPOC (two connections if the RPOC is dual-stack IPv4/IPv6) when:
• Transport is set to TLS for this RPOC. See the CLI command “peer-net netid rpoc peering_point_id”.
• Transport is set to TLS for the LPOC associated with the Peer Network. See the CLI command “peer-net netid lpoc poc_id”.
• A TLS-profile is associated with the Peer Network. See the CLI command “peer-net netid tls-profile tls_profile_id”.
• The TLS profile is valid. This means that:
• The SFW local certificate and its associated private key match.
• If “ca-check” has been set for this TLS profile, a list of CA certificates must be associated with the TLS Profile. This allows the peering point certificate to be checked against the CA signing chain.
Summary of the CLI for TLS-Profile management
TLS Profile
tls-profile tlsprofileid [local-cert certid] [no-ca-check|ca-check] [renegotiation-period period_in_hours] [name description]
tls-profile tlsprofileid name description
tls-profile tlsprofileid local-cert certid
tls-profile tlsprofileid {no-ca-check|ca-check}
tls-profile tlsprofileid renegotiation-period period_in_hours
tls-profile tlsprofileid no renegotiation-period
tls-profile tlsprofileid ca-cert-list certid1 [certid2] [certid3] … [certid8]
tls-profile tlsprofileid no ca-cert-list certid
no tls-profile tlsprofileid
show tls-profile
tls-profile tlsprofileid local-cert ca-check renegotiation-period
Purpose
The purpose of this command is to create a TLS Profile.
Each TLS profile contains:
• a description name
• the id of the local certificate to use for the SFW,
• the list of ids of trusted CA certificates,
• optionally: whether or not to check the validity of the peer certificate. If not specified when the TLS profile is created, checking the validity of the peer certificate is the default behavior.
• optionally: the renegotiation period (in hours) forcing a new TLS handshake periodically (not activated by default). This option should be used to take CA certificate updates into account on already established TLS connections.
The TLS Profile needs to be associated with a Peer-Network to become effective.
Command
tls-profile tlsprofileid [local-cert certid ] [no-ca-check|ca-check]
[renegotiation-period period_in_hours] [name description]
Arguments
tlsprofileid
This is the identifier of the TLS Profile.
Up to 32 TLS Profiles can be created.
local-cert
Identifies the SFW local certificate.
no-ca-check | ca-check
Specifies whether or not the peer certificate needs to be checked against the CA certificate signing chain. With no-ca-check the peer's certificate is accepted without verification, so the connection is encrypted but the peer is not authenticated; keep ca-check on production peerings and use no-ca-check only for interoperability testing.
renegotiation-period
If a renegotiation-period is set in the TLS profile, the ongoing TLS connections are renegotiated (new TLS handshake) every renegotiation-period hours.
name
Description of the TLS Profile (32 characters).
Example
-> tls-profile 2 local-cert 1 ca-check renegotiation-period 1 name tls-prof-operator1
tls-profile tlsprofileid no renegotiation-period
Purpose
The purpose of this command is to remove the renegotiation period from a TLS Profile. Once removed, already established TLS connections are no longer forced into a periodic new handshake, which is the default behavior.
Command
tls-profile tlsprofileid no renegotiation-period
Arguments
tlsprofileid
This is the identifier of the TLS Profile.
Example
-> tls-profile 2 no renegotiation-period
tls-profile tlsprofileid no ca-cert-list certid1 … [certid8]
Purpose
This command removes a list of trusted CA certificate ids from a TLS profile.
Command
tls-profile tlsprofileid no ca-cert-list certid1 [certid2] [certid3] … [certid8]
Arguments
tlsprofileid
This is the identifier of the TLS Profile.
ca-cert-list
This is the list of CA certificate ids to be removed from the TLS profile.
The command accepts at most 8 certificate ids per invocation.
As shown in the example, if more than 8 certificate ids need to be removed from a TLS profile, the command is run several times.
Example
-> tls-profile 2 no ca-cert-list 1 2 3 4 5 6 7 8
-> tls-profile 2 no ca-cert-list 9 10
-> show tls-profile
+---------+----------------------+-------+---------------+-------+-----------------------+
! TLS     ! Name                 ! Local ! Renegotiation ! CA    ! CA                    !
! profile !                      ! cert. ! period        ! check ! cert.                 !
! id      !                      ! id    ! (hours)       !       ! id(s)                 !
+---------+----------------------+-------+---------------+-------+-----------------------+
! 1       ! tls-prof-doamain1    ! 1     ! 1             ! Yes   ! 1                     !
! 2       ! tls-prof-sipp-server ! 1     ! 1             ! Yes   !                       !
+---------+----------------------+-------+---------------+-------+-----------------------+
9 CA certificates
Purpose
The SFW supports TLS with mutual authentication (each side must present its X509 certificate). This is the typical authentication mode in SIP peering (cf. the static mode of the [SIPconnect] referenced document).
Two types of X509v3 certificates are handled by the SFW:
• Local certificate used to identify the SFW,
• CA certificates used to check the validity of the rpoc certificates:
All the CA certificates of the rpoc "signing chain" must be imported on the SFW in order to check the validity of the rpoc certificate.
This chapter provides information about the management of the X509 certificates of the Certification Authority (CA). It describes how to import a CA certificate, how to check the content of the imported CA certificate and how to check the SFW configuration related to CA certificates.
Summary of the CLI for CA certificates management
CA certificates
import certificate ca ca-certid [name description ]
certificate ca ca-certid name description
no certificate ca ca-certid
show certificate ca pem ca-certid
show certificate ca details ca-certid
show certificate ca ca-certid
show certificate ca
Remark about the "show" commands:
The following CLI commands:
"show certificate ca details ca-certid",
"show certificate ca ca-certid",
"show certificate ca"
allow the operator to read attributes of the X509 certificates such as "Subject Common Name", "Issuer Common Name", "validity dates", etc.
When the SFW is managed by an OMC-P, such details are taken into account by a Certificate Manager residing on the OMC-P, which may bring more added value.
In addition, the SNMP interface between the OMC-P and the SFW allows the OMC-P to retrieve the CA certificates in PEM base64 format, in the same way as the command "show certificate ca pem ca-certid".
import certificate ca ca-certid [name description]
Purpose
This command allows the operator to import on the SFW a CA (Certification Authority)
certificate in PEM base64 format.
Command
import certificate ca ca-certid [name description] <Copy/Paste certificate>
Arguments
ca-certid
This is the identifier of the CA certificate.
Up to 64 CA certificates can be imported.
name
This attribute is optional. If omitted during the import phase, the name of the CA
certificate can be later specified via the command “certificate ca ca-certid name
description”. The description of the CA certificate is limited to 32 characters.
<Copy/Paste certificate>
After pressing the carriage return, the operator can paste the certificate in PEM base64 format.
Example
-> import certificate ca 64
Please copy and then paste below the certificate in PEM Base64 SSLeay format ...
-----BEGIN CERTIFICATE-----
MIIDWTCCAsKgAwIBAgIJANKXS3v3iVunMA0GCSqGSIb3DQEBBQUAMHwxCzAJBgNVBAYTAkZyMQ8wDQYDVQQIEwZGcmFuY2UxEDAOBgNVBAcTB09ydmF1bHQxDDAKBgNVCM5btYl6pzhv89v3rfniPlCOle+IfFkgFi8cYhaB5p1txfvY5oTBC5Fm6lVzqBKvAgMBAAGjgeIwgd8wHQYDVR0OBBYEFH0WXCkG/Kve4CxF2jrIrZM3WKujMIGvBgNVEDAOBgNVBAMTB25ld3lvcmuCCQDSl0t794lbpzAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4GBAGuXhqH+qynbueiJmrRVb12/lgmMaHaNiKeOaUupYK+RoSOhFLmUIHN4e9b0YpujOMBOKxFeuyP4dNT1i11KPADGoha18vZke/YgiV4sBvT+amLMIhspzdKn88JQftfANA2/iEJksrUX2Z5RH4Ff9RYnwk1xnKw2gP2RG+xCa/lA
-----END CERTIFICATE-----
Command successful
certificate ca ca-certid name description
Purpose
This command allows the operator to add or modify the name of a CA (Certification Authority)
certificate previously imported.
Command
certificate ca ca-certid name description
Arguments
ca-certid
This is the identifier of the CA certificate.
name
The description of the CA certificate is limited to 32 characters.
Example
-> certificate ca 64 name alcatel-lucent.cert
no certificate ca ca-certid
Purpose
This command allows the operator to delete a previously imported CA (Certification Authority) certificate.
Command
no certificate ca ca-certid
Arguments
ca-certid
This is the identifier of the CA certificate.
Example
-> no certificate ca 64
show certificate ca pem ca-certid
Purpose
This command allows the operator to retrieve a CA certificate in PEM base64 format.
It also provides information such as the name associated with the CA certificate and its validity period.
Command
show certificate ca pem ca-certid
Arguments
ca-certid
This is the identifier of the CA certificate.
Example
-> show certificate ca pem 1
----- Cert Id=1; Cert Name= CA1.crt -----
Certificate in PEM Base64 format:
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
Certificate dates validity checking is OK : notBefore=Sep 7 09:51:34 2011 GMT < current date=Oct 19 10:03:12 2011 < notAfter=Sep 5 09:51:34 2016 GMT
Command successful
show certificate ca details ca-certid
Purpose
This command allows the operator to decode a CA certificate, previously imported in PEM format,
and check that it contains the correct information.
Command
show certificate ca details ca-certid
Arguments
ca-certid
This is the identifier of the CA certificate.
Example
-> show certificate ca details 2
----- Cert Id=2; Cert Name= CA2.crt -----
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 5 (0x5)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=Fr, ST=France, L=Orvault, O=ALU, OU=SFW testbed Certificate Authority, CN=newyork
        Validity
            Not Before: Sep 13 12:05:36 2011 GMT
            Not After : Sep 12 12:05:36 2012 GMT
        Subject: C=Fr, ST=France, O=CA2, CN=myCA2
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:a9:3f:9e:12:5e:40:97:ff:5f:55:a2:b1:56:6b:40:18:b4:2b:1d:4e:c4:5e:ac:42:8c:85:fa:83:96:1c:4f:55:8e:03:42:f1:b1:f8:61:d8:ca:e2:7f:81:6d:56:6d:fb:a9:d0:9c:88:e2:a7:3c:22:47:c0:bb:fa:4d:de:90:fd:80:26:95:72:a7:9a:cc:34:3a:42:f8:43:39:c6:2c:c7:61:ba:65
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                10:00:CE:58:D3:A1:9E:54:D1:AC:AE:E2:96:48:9F:D1:D3:E8:D6:0D
            X509v3 Authority Key Identifier:
                keyid:7D:16:5C:29:06:FC:AB:DE:E0:2C:45:DA:3A:C8:AD:93:37:58:AB:A3
    Signature Algorithm: sha1WithRSAEncryption
        39:41:bd:2d:52:2e:dc:b1:96:35:b0:74:ed:fa:bc:1e:8e:2c:73:7d:17:da:01:71:04:4a:f1:ab:a3:9d:74:6d:a6:20:92:be:ed:67:51:a4:68:a3:55:ad:41:c0:84:b2:29:67:bd:84:69:49:00:66
Certificate dates validity checking is OK : notBefore=Sep 13 12:05:36 2011 GMT < current date=Oct 19 11:55:58 2011 < notAfter=Sep 12 12:05:36 2012 GMT
Command successful
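The "details" output is the operator's chance to verify more than the dates line the SFW prints. The following added example (not code from the guide or from the SFW) parses a constructed copy of that output, modelled on the CA2.crt dump above, and checks the validity window, the basicConstraints CA flag, the signature digest and the AKI/SKI link to the expected issuer; the expected issuer SKI is an assumed value. Note that the guide's own CA2.crt example carries "CA:FALSE", which this check flags because such a certificate cannot act as an issuer in an X.509 signing chain.

```python
import re
from datetime import datetime, timezone

# Constructed sample (not captured from a real SFW), modelled on the guide's
# "show certificate ca details 2" output for CA2.crt.
SAMPLE_DETAILS = """\
----- Cert Id=2; Cert Name= CA2.crt -----
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 5 (0x5)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=Fr, ST=France, L=Orvault, O=ALU, OU=SFW testbed Certificate Authority, CN=newyork
        Validity
            Not Before: Sep 13 12:05:36 2011 GMT
            Not After : Sep 12 12:05:36 2012 GMT
        Subject: C=Fr, ST=France, O=CA2, CN=myCA2
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Subject Key Identifier:
                10:00:CE:58:D3:A1:9E:54:D1:AC:AE:E2:96:48:9F:D1:D3:E8:D6:0D
            X509v3 Authority Key Identifier:
                keyid:7D:16:5C:29:06:FC:AB:DE:E0:2C:45:DA:3A:C8:AD:93:37:58:AB:A3
"""

# Assumed SKI of the CA that is expected to have signed CA2 (taken from the AKI above).
EXPECTED_ISSUER_SKI = "7D:16:5C:29:06:FC:AB:DE:E0:2C:45:DA:3A:C8:AD:93:37:58:AB:A3"


def parse_openssl_date(text):
    """'Sep 13 12:05:36 2011 GMT' -> aware UTC datetime.
    OpenSSL pads single-digit days with a space ('Sep  7 ...'), so collapse runs of spaces."""
    if text is None:
        return None
    normalized = " ".join(text.split())
    return datetime.strptime(normalized, "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)


def parse_details(text):
    """Pull the fields the checks need out of the CLI's OpenSSL-style dump."""
    def grab(pattern):
        match = re.search(pattern, text, re.MULTILINE)
        return match.group(1).strip() if match else None

    return {
        "subject": grab(r"^\s*Subject:\s*(.+)$"),
        "issuer": grab(r"^\s*Issuer:\s*(.+)$"),
        "sig_alg": grab(r"Signature Algorithm:\s*(\S+)"),
        "not_before": parse_openssl_date(grab(r"Not Before:\s*(.+)$")),
        "not_after": parse_openssl_date(grab(r"Not After\s*:\s*(.+)$")),
        "basic_constraints": grab(r"Basic Constraints:\s*(CA:\w+)"),
        "ski": grab(r"Subject Key Identifier:\s*([0-9A-F:]+)"),
        "aki": grab(r"Authority Key Identifier:\s*keyid:([0-9A-F:]+)"),
    }


def check_ca_certificate(info, now_text, expected_issuer_ski=None):
    """Return the list of problems found; an empty list means the CA certificate passed.

    now_text uses the same 'Oct 19 11:55:58 2011 GMT' form the SFW prints as "current date".
    The checks mirror what an operator should look at in the dump: the validity window,
    that the certificate really is a CA (basicConstraints), the signature digest, and that
    its AKI points at the SKI of the CA expected to have signed it."""
    findings = []
    now = parse_openssl_date(now_text)
    if info["not_before"] is None or info["not_after"] is None:
        findings.append("validity: notBefore/notAfter missing from the dump")
    elif not (info["not_before"] <= now <= info["not_after"]):
        findings.append("validity: current date is outside notBefore..notAfter")
    if info["basic_constraints"] != "CA:TRUE":
        findings.append("basicConstraints is %s: this certificate cannot act as an issuer "
                        "in a signing chain" % info["basic_constraints"])
    if info["sig_alg"] and info["sig_alg"].lower().startswith(("md5", "sha1")):
        findings.append("signature algorithm %s uses a deprecated digest" % info["sig_alg"])
    if expected_issuer_ski is not None and info["aki"] != expected_issuer_ski:
        findings.append("authorityKeyIdentifier does not match the expected issuer's SKI")
    return findings


if __name__ == "__main__":
    details = parse_details(SAMPLE_DETAILS)
    # Reference time taken from the "current date" shown in the guide's example.
    for problem in check_ca_certificate(details, "Oct 19 11:55:58 2011 GMT", EXPECTED_ISSUER_SKI):
        print("WARNING:", problem)
```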
show certificate ca ca-certid
Purpose
This command allows the operator to read the main attributes of a CA certificate.
Command
show certificate ca ca-certid
Arguments
ca-certid
This is the identifier of the CA certificate.
Example
-> show certificate ca 2
+-------+---------+---------+---------+----------+----------+
! CA    ! Cert.   ! Subject ! Issuer  ! Dates    ! Private  !
! cert. ! Name    ! Common  ! Common  ! Validity ! key      !
! id    !         ! Name    ! Name    !          ! matching !
+-------+---------+---------+---------+----------+----------+
! 2     ! CA2.crt ! myCA2   ! newyork ! OK       ! n/s      !
+-------+---------+---------+---------+----------+----------+
1 elements
Subject C/ST/L : Fr/France/
Subject /O/OU/Email : /CA2//
Issuer C/ST/L : Fr/France/Orvault
Issuer /O/OU/Email : /ALU/SFW testbed Certificate Authority/
X509v3 Subject Alternative Name(s) :
Command successful
show certificate ca
Purpose
This command allows the operator to list all CA certificates imported on the SFW with their main attributes.
Command
show certificate ca
Example
-> show certificate ca
+-------+----------------+---------+---------+----------+----------+
! CA    ! Cert.          ! Subject ! Issuer  ! Dates    ! Private  !
! cert. ! Name           ! Common  ! Common  ! Validity ! key      !
! id    !                ! Name    ! Name    !          ! matching !
+-------+----------------+---------+---------+----------+----------+
! 1     ! CA1.crt        ! newyork ! newyork ! OK       ! n/s      !
! 2     ! CA2.crt        ! myCA2   ! newyork ! OK       ! n/s      !
! 3     ! CA3.crt        ! myCA3   ! myCA2   ! OK       ! n/s      !
! 4     ! CA4.crt        ! myCA4   ! myCA3   ! OK       ! n/s      !
! 5     ! CA5.crt        ! myCA5   ! myCA4   ! OK       ! n/s      !
! 6     ! CA6.crt        ! myCA6   ! myCA5   ! OK       ! n/s      !
! 7     ! CA7.crt        ! myCA7   ! myCA6   ! OK       ! n/s      !
! 8     ! CA8.crt        ! myCA8   ! myCA7   ! OK       ! n/s      !
! 9     ! CA9.crt        ! myCA9   ! myCA8   ! OK       ! n/s      !
! 10    ! CA10.crt       ! myCA10  ! myCA9   ! OK       ! n/s      !
! 11    ! CA11.crt       ! myCA11  ! myCA10  ! OK       ! n/s      !
+-------+----------------+---------+---------+----------+----------+
Command successful
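The chapter introduction requires every CA of the peer's signing chain to be imported, and the "show certificate ca" table gives enough (Subject CN, Issuer CN, dates) to verify that before a peering goes live. The following added example (not code from the guide or from the SFW) parses a constructed copy of that table and walks from a peer certificate's issuer CN up to a self-signed root; the CA5.crt row with the issuer "orphan" is constructed to show how a missing link is reported.

```python
# Constructed sample, modelled on the guide's "show certificate ca" output. The CA5.crt row
# whose issuer "orphan" was never imported is added here to exercise the failure path.
SHOW_CERTIFICATE_CA = """\
-> show certificate ca
+-------+----------------+---------+---------+----------+----------+
! CA    ! Cert.          ! Subject ! Issuer  ! Dates    ! Private  !
! cert. ! Name           ! Common  ! Common  ! Validity ! key      !
! id    !                ! Name    ! Name    !          ! matching !
+-------+----------------+---------+---------+----------+----------+
! 1     ! CA1.crt        ! newyork ! newyork ! OK       ! n/s      !
! 2     ! CA2.crt        ! myCA2   ! newyork ! OK       ! n/s      !
! 3     ! CA3.crt        ! myCA3   ! myCA2   ! OK       ! n/s      !
! 4     ! CA4.crt        ! myCA4   ! myCA3   ! OK       ! n/s      !
! 5     ! CA5.crt        ! myCA5   ! orphan  ! OK       ! n/s      !
+-------+----------------+---------+---------+----------+----------+
Command successful
"""


def parse_ca_table(text):
    """Return {subject CN: row} from the '!'-delimited CLI table.
    Data rows are the '!' lines whose first cell is the numeric CA cert id;
    the three header lines are skipped because their first cell is not a number."""
    rows = {}
    for line in text.splitlines():
        if not line.startswith("!"):
            continue
        cells = [cell.strip() for cell in line.strip("!").split("!")]
        if len(cells) < 6 or not cells[0].isdigit():
            continue
        rows[cells[2]] = {
            "id": int(cells[0]),
            "name": cells[1],
            "subject": cells[2],
            "issuer": cells[3],
            "dates": cells[4],
        }
    return rows


def signing_chain(rows, issuer_cn, max_depth=16):
    """Walk from the issuer CN found in a peer certificate up to a self-signed root.

    Returns (complete, chain_names, problem). complete is True only when every link of
    the chain is imported on the SFW, every link's dates validity is OK, and the walk
    ends at a certificate whose Subject CN equals its Issuer CN (a root)."""
    chain, seen, cn = [], set(), issuer_cn
    while True:
        row = rows.get(cn)
        if row is None:
            return False, chain, "CA '%s' is not imported on the SFW" % cn
        if cn in seen or len(chain) >= max_depth:
            return False, chain, "issuer loop detected at '%s'" % cn
        if row["dates"] != "OK":
            return False, chain, "CA '%s' has dates validity '%s'" % (cn, row["dates"])
        chain.append(row["name"])
        seen.add(cn)
        if row["issuer"] == row["subject"]:
            return True, chain, None
        cn = row["issuer"]


def unchained_cas(rows):
    """CNs of imported CA certificates that do not chain up to an imported root."""
    return sorted(cn for cn in rows if not signing_chain(rows, cn)[0])


if __name__ == "__main__":
    table = parse_ca_table(SHOW_CERTIFICATE_CA)
    for peer_issuer in ("myCA4", "myCA5"):
        complete, names, problem = signing_chain(table, peer_issuer)
        print(peer_issuer, "->", " > ".join(names), "OK" if complete else "BROKEN: " + str(problem))
    print("CAs without a complete chain:", unchained_cas(table))
```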
10 Local X509 certificates and Private Keys
Purpose
The SFW supports TLS with mutual authentication (each side must present its X509 certificate). This is the typical authentication mode in SIP peering (cf. the static mode of the [SIPconnect] referenced document).
Two types of X509v3 certificates are handled by the SFW:
• Local certificate used to identify the SFW,
• CA certificates used to check the validity of the rpoc certificates:
All the CA certificates of the rpoc "signing chain" must be imported on the SFW in order to check the validity of the rpoc certificate.
This chapter provides information about the management of the local X509 certificates. It describes how to import and check the content of a local certificate and its related Private Key.
The local X509 certificates may result from a CSR (Certificate Signing Request) generated on the SFW. This avoids exposing the related Private Key.
Summary of the CLI for SFW local certificates management
SFW Local certificates
import certificate local certid [name description ]
import certificate local privatekey certid [password pwd] [name description ]
certificate local certid name description
no certificate local certid
show certificate local pem certid
show certificate local details certid
show certificate local certid
show certificate local
certificate local certid request common-name common_name email email_address country country_name state state_or_province_name locality locality_name organization organization_name organizational-unit organizational_unit_name [subject-alt-name subject_alt_name] [name description]
Remark about the "show" commands:
The following CLI commands:
"show certificate local details certid",
"show certificate local certid",
"show certificate local"
allow the operator to read attributes of the local X509 certificates such as "Subject Common Name", "Issuer Common Name", "validity dates", etc.
When the SFW is managed by an OMC-P, such details are taken into account by a Certificate Manager residing on the OMC-P, which may bring more added value.
In addition, the SNMP interface between the OMC-P and the SFW allows the OMC-P to retrieve the local certificates in PEM base64 format, in the same way as the command "show certificate local pem certid".
import certificate local certid [name description]
Purpose
This command allows the operator to import on the SFW a local X509 certificate in PEM base64
format.
An SFW local certificate authenticates the SFW side of the TLS connection, whereas a CA certificate is used to authenticate a peer.
The importation of a local X509 certificate must be followed or preceded by the importation of its related Private Key. There is one exception: when the local X509 certificate results from a CSR (Certificate Signing Request) generated locally on the SFW, the importation of the related Private Key is not required.
The operator may import either the certificate or the private key first. Both are tied together by the same certid.
Command
import certificate local certid [name description] <Copy/Paste certificate>
Arguments
certid
This is the identifier of the SFW local certificate and its related Private Key.
Up to 32 local certificates can be imported.
name
This attribute is optional. If omitted during the import phase, the name of the local
certificate can be later specified via the command “certificate local certid name
description”. The description of the local certificate is limited to 32 characters.
<Copy/Paste certificate>
After pressing the carriage return, the operator can paste the certificate in PEM base64 format.
Example
-> import certificate local 2 name sfw-westford
Please copy and then paste below the certificate in PEM Base64 SSLeay format ...
-----BEGIN CERTIFICATE-----
MIIDWTCCAsKgAwIBAgIJANKXS3v3iVunMA0GCSqGSIb3DQEBBQUAMHwxCzAJBgNVBAYTAkZyMQ8wDQYDVQQIEwZGcmFuY2UxEDAOBgNVBAcTB09ydmF1bHQxDDAKBgNV
-----END CERTIFICATE-----
import certificate local privatekey certid [password pwd] [name description]
Purpose
This command allows the operator to import on the SFW a Private Key in PEM base64 format
related to a local X509 certificate.
Importation of a Private Key must be followed or preceded by the importation of its related local
X509 certificate. Both will be tied by the same certid .
Command
import certificate local privatekey certid [password pwd ] [name description]
<Copy/Paste certificate>
Arguments
certid
This is the identifier of the SFW local certificate and its related Private Key.
Up to 32 local certificates can be imported.
name
This attribute is optional. It provides a name for the local certificate related to the private key currently being imported.
If omitted during the import of the private key, the name of the local certificate can be specified later, either during the importation of the local certificate or via the command "certificate local certid name description". The description of the local certificate is limited to 32 characters.
password
If the Private Key is encrypted, the password must be supplied during the importation of the Private Key.
<Copy/Paste certificate>
After pressing the carriage return, the operator can paste the Private Key in PEM base64 format.
Example
-> import certificate local privatekey 2
Please copy and then paste below the certificate in PEM Base64 SSLeay format ...
-----BEGIN RSA PRIVATE KEY-----
MIICXQIBAAKBgQDFCbmOTEaVD3dJ26QSWKZ92TaDFfobxfjdnFVxYhi3hWPGD3ukDDjqhWnV1BQsEHfGXpvyV/WNUnoI2hZpsjL8XgjWy5ZA/SASpptGfnXwbd6K4FGu29azGKD+WGKd+oPljlqp3+9rLNnD53fqlNWobM/RO2Pfp9r0Py19ugk3vQJBAK7f+eTEKS2/ZlwGuRgVAMBhkzwnTasZkChhQpBRNN0cdLfVnE0P3VrkDGa+MaoDL9zYl4xdMnjjXqa3FRve77ECQQCKZKudL7a6XrZRZl+2T3PpM8gOQ8sLqzG4J2+VkzByP/JXZxrJX1oXifJPtWd5y6z5Wjc7JXyYUtatWB3WY2g0
-----END RSA PRIVATE KEY-----
Remark
Note that the private keys are not stored in the SFW configuration file in the form in which they were imported.
The Private Keys are stored ciphered and cannot be exported via the output of a "show" command.
certificate local certid name description
Purpose
This command allows the operator to add or modify the name of a local certificate previously
imported.
Command
certificate local certid name description
Arguments
certid
This is the identifier of the SFW local certificate.
name
The description of the local certificate is limited to 32 characters.
Example
-> certificate local 1 name sfw5.cert
no certificate local certid
Purpose
This command allows the operator to delete a previously imported local certificate. It deletes at the same time the Private Key with the same certid.
Command
no certificate local certid
Arguments
certid
This is the identifier of the SFW local certificate and its related Private Key.
Example
-> no certificate local 1
show certificate local pem certid
Purpose
This command allows the operator to retrieve a local certificate in PEM base64 format.
The X509 part of the local certificate can then be exported. However, the Private Key part in PEM format is displayed ciphered and cannot be exported in clear.
This command also provides information such as the name associated with the local certificate, its validity period and whether the local certificate matches its Private Key.
Command
show certificate local pem certid
Arguments
certid
This is the identifier of the local certificate.
Example
-> show certificate local pem 1
----- Cert Id=1; Cert Name= sfw5.cert -----
Certificate in PEM Base64 format:
-----BEGIN CERTIFICATE-----
MIIC8TCCAlqgAwIBAgIBBjANBgkqhkiG9w0BAQUFADB8MQswCQYDVQQGEwJGcjEPZbCgF7CYoX6C1Xm6q6E5ct1eAdDkZaYuyo6hkPOJn3MnnJ1erw==
-----END CERTIFICATE-----
Certificate dates validity checking is OK : notBefore=Oct 6 15:31:24 2011 GMT < current date=Oct 19 13:33:?? 2011 < notAfter=Oct 5 15:31:24 2012 GMT
Private Key in PEM Base64 format:
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,E28F48920FAD24FA

QpzjZSVF1Iu2GRirxUfvUiNAWZmGaWwzXo4wP02EMwYi1uQkwlT7JCrcHsaI9+XPeyMx00YdgcWieN269iGQGm9wPSa9ms2qfXrw/RolQynEZsr7vxwzr2G/gD/tOc8zHitDDsEgFTutDVxG/kzkNWT099p/dWXFzUzqspt2Dwvzzuye1HrBP0GFlJ/fXzKJCXv4ctyO6U3nblu7szWK21Cez+5xizaptrWs+APQ0qMMlSQXE4EjYg==
-----END RSA PRIVATE KEY-----
Key modulus of certificate public key is matching with the one of the Private Key
show certificate local details certid
Purpose
This command allows the operator to decode a local certificate, previously imported in PEM format, and check that it contains the correct information.
Command
show certificate local details certid
Arguments
certid
This is the identifier of the local certificate.
Example
-> show certificate local details 1
----- Cert Id=1; Cert Name= sfw5.cert -----
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 6 (0x6)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=Fr, ST=France, L=Orvault, O=ALU, OU=SFW testbed Certificate Authority, CN=newyork
        Validity
            Not Before: Oct 6 15:31:24 2011 GMT
            Not After : Oct 5 15:31:24 2012 GMT
        Subject: C=Fr, ST=France, L=Orvault, O=ALU, OU=SFW_testbed, CN=sfw5/[email protected]
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:c5:09:b9:8e:4c:46:95:0f:77:49:db:a4:12:58:a6:7d:d9:36:83:15:fa:1b:c5:f8:dd:9c:55:71:62:46:a3:09:94:00:c4:65:ed:0a:44:d8:bf:61:27:0c:6d:83:55:6c:84:be:83:6b:2f
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                84:15:47:37:C8:BE:E9:A6:81:2C:24:E9:67:18:F4:ED:C4:C6:BE:B6
            X509v3 Authority Key Identifier:
                keyid:7D:16:5C:29:06:FC:AB:DE:E0:2C:45:DA:3A:C8:AD:93:37:58:AB:A3
    Signature Algorithm: sha1WithRSAEncryption
        74:a5:c2:d4:06:4a:93:23:f1:ad:2e:fa:c2:b9:83:40:ab:83:f6:65:b0:a0:17:b0:98:a1:7e:82:d5:79:ba:ab:a1:39:72:dd:5e:01:d0:e4:65:a6:2e:ca:8e:a1:90:f3:89:9f:73:27:9c:9d:5e:af
Certificate dates validity checking is OK : notBefore=Oct 6 15:31:24 2011 GMT < current date=Oct 19 14:05:40 2011 < notAfter=Oct 5 15:31:24 2012 GMT
Key modulus of certificate public key is matching with the one of the Private Key
Command successful
show certificate local certid
Purpose
This command allows the operator to read the main attributes of a local certificate.
It also allows the operator to check that the local certificate and its private key match.
Command
show certificate local certid
Arguments
certid
This is the identifier of the local certificate.
Example
-> show certificate local 1
+-------+-----------+---------+---------+----------+----------+
! Local ! Cert.     ! Subject ! Issuer  ! Dates    ! Private  !
! cert. ! Name      ! Common  ! Common  ! Validity ! key      !
! id    !           ! Name    ! Name    !          ! matching !
+-------+-----------+---------+---------+----------+----------+
! 1     ! sfw5.cert ! sfw5    ! newyork ! OK       ! matching !
+-------+-----------+---------+---------+----------+----------+
1 elements
Subject C/ST/L : Fr/France/Orvault
Subject /O/OU/Email : /ALU/SFW_testbed/[email protected]
Issuer C/ST/L : Fr/France/Orvault
Issuer /O/OU/Email : /ALU/SFW testbed Certificate Authority/
X509v3 Subject Alternative Name(s) :
Command successful
show certificate local
Purpose
This command allows the operator to list all local certificates imported on the SFW with their main attributes.
Command
show certificate local
Example
-> show certificate local
+-------+-----------+---------+---------+----------+----------+
! Local ! Cert.     ! Subject ! Issuer  ! Dates    ! Private  !
! cert. ! Name      ! Common  ! Common  ! Validity ! key      !
! id    !           ! Name    ! Name    !          ! matching !
+-------+-----------+---------+---------+----------+----------+
! 1     ! sfw5.cert ! sfw5    ! newyork ! OK       ! matching !
! 2     ! sfw6.cert ! sfw6    ! newyork ! OK       ! matching !
! 3     ! sfw7.cert ! sfw7    ! newyork ! OK       ! matching !
+-------+-----------+---------+---------+----------+----------+
Command successful
certificate local certid request
Purpose
This command formats a certificate signing request (CSR), in PEM base64 format, for a local certificate. It also generates an associated RSA private key of 2048 bits if no key already exists for this certid. The PEM base64 part displayed in the output of this command can be copied and pasted into a file to be sent to the relevant certification authority, which may sign it. The resulting signed certificate must be imported through the standard importation procedure (import certificate local certid) with the same certid, so that it is consistent with the private key part.
[Figure: CSR workflow between the root user, the SFW (local certificate: certificate part and private key part) and the Certification Authority: 1/ Certificate request creation, 2/ Certificate signing request (CSR), 3/ Certificate importation]
Command
certificate local certid request common-name common_name email email_address
country country_name state state_or_province_name locality locality_name
organization organization_name organizational-unit organizational_unit_name
[subject-alt-name subject_alt_name] [name description]
Arguments
certid
This is the identifier of the local certificate and its related Private Key.
common-name
The fully qualified domain name (FQDN) of your SFW.
email
An email address used to contact your organization.
country
The two-letter ISO code for the country where your organization is located.
state
The state/region where your organization is located. This shouldn't be abbreviated.
locality
The city where your organization is located.
organization
The legal name of your organization. This should not be abbreviated and should
include suffixes such as Inc, Corp, or LLC.
organizational-unit
The division of your organization handling the certificate.
subject-alt-name
The subject alternative name extension allows various literal values. These include email (an email address), URI (a uniform resource identifier), DNS (a DNS domain name) and IP (an IP address).
In the case of interconnection with an IP-PBX, and to be compliant with the "SIPconnect" recommendation "SIP-PBX / Service Provider Interoperability - SIPconnect 1.1 Technical", the recommended format for the subject-alt-name is a SIP URI, formatted as in the following example:
Example: URI:sip:sfw4.alcatel-lucent.com
Example
-> certificate local 4 request common-name sfw4 [email protected] country Fr state France locality Orvaultorganization ALU organizational-unit SFW-Testbed subject-alt-nameURI : si p: sf w4. al cat el - l ucent . com name sfw4.cert
... generating private key for this local certificate (none existing)
Certification request for this local certificate in PEM Base64 format:
-----BEGIN CERTIFICATE REQUEST-----
-----END CERTIFICATE REQUEST-----
Command successful
11 Internal DNS server
Purpose
This paragraph provides information about the configuration of the SFW internal DNS server intended to resolve names of Untrusted Peering-Points.
Introduction
With the current release, SFW doesn’t perform DNS requests toward an external DNS server to resolve FQDNs that may appear in SIP headers.
SFW implements its own internal DNS server.
FQDN in Incoming messages received from Peer-Networks
SFW checks that the FQDNs included in the top Record-Route and top Via headers can be resolved via the SFW internal DNS server. This check ensures that SIP responses and subsequent requests coming from the MGC8 IBCF will be routable.
SFW doesn’t check that FQDNs included in the Route header or Request-URI can be resolved via its internal DNS server, so a FQDN there doesn’t prevent the MGC8 IBCF CCS selection.
FQDN in Outgoing messages received from the MGC8
In case of a SIP request, after removing its own Routes, SFW checks that the FQDN included in the top Route, if any, can be resolved via the SFW internal DNS server.
In case of a SIP request, after removing its own Routes, SFW checks that the FQDN included in the Request-Line, if there is no Route header left, can be resolved via the SFW internal DNS server. This ensures that the SIP message will be properly routed.
In case of a SIP response, after removing its own Via, SFW checks that the FQDN included in the top Via can be resolved via the SFW internal DNS server.
Summary of the CLI for the internal DNS management
SFW internal DNS
dns-internal dns-entry-id name rpoc-name peer-net netid ip address
dns-internal dns-entry-id name rpoc-name
dns-internal dns-entry-id peer-net netid
dns-internal dns-entry-id ip address
dns-internal dns-entry-id no ipv4
dns-internal dns-entry-id no ipv6
show dns-internal
dns-internal dns-entry-id name peer-net ip
Purpose
The purpose of that command is to create a DNS entry in the internal DNS server of the SFW.
Command
dns-internal dns-entry-id name rpoc-name peer-net netid ip address
Arguments
dns-entry-id
This is the identifier of the DNS entry. Up to 2047 DNS entries can be created.
rpoc-name
This is the FQDN of the Remote POC.
netid
This is the identifier of the Peer Network.
address
This is the IP address, IPv4 or IPv6, matching the FQDN specified for that entry.
Note that in case of dual stack IPv4/IPv6, you need to specify one address at the creation
of the DNS entry and then add the other address via the CLI command
“dns-internal dns-entry-id ip address”.
Example
-> dns-internal 1 name proxyA.biloxy.com peer-net 20 ip 172.23.8.9
-> dns-internal 1 ip 2001:8::172:23:8:9
dns-internal dns-entry-id name rpoc-name
Purpose
The purpose of that command is to modify the FQDN of a DNS entry in the internal DNS server of
the SFW.
Command
dns-internal dns-entry-id name rpoc-name
Arguments
dns-entry-id
This is the identifier of the DNS entry.
rpoc-name
This is the FQDN of the Remote POC.
Example
-> dns-internal 1 name B2B.biloxy.com
dns-internal dns-entry-id peer-net netid
Purpose
The purpose of that command is to modify the Peer Network identifier of a DNS entry in the
internal DNS server of the SFW.
Command
dns-internal dns-entry-id peer-net netid
Arguments
dns-entry-id
This is the identifier of the DNS entry.
netid
This is the Peer-Network identifier.
Example
-> dns-internal 1 peer-net 20
dns-internal dns-entry-id ip address
Purpose
The purpose of that command is to modify the IP address associated with a FQDN in a DNS entry
in the internal DNS server of the SFW.
Command
dns-internal dns-entry-id ip address
Arguments
dns-entry-id
This is the identifier of the DNS entry.
address
This is the IP address, IPv4 or IPv6, matching the FQDN specified for that entry.
Note that in case of dual stack IPv4/IPv6, you need to specify one address at the creation
of the DNS entry and then add the other address via this CLI command.
Example
-> dns-internal 1 ip 2001:7::182:13:21:4
show dns-internal
Purpose
The purpose of that command is to display the configuration of the internal DNS server.
Command
show dns-internal [peer-net netid]
Arguments
netid
Optionally this identifier of a Peer-Network can be specified to display only DNS
entries related to that Peer-Network.
Output Definition
Name & IP address
Displays the possible resolution of FQDNs representing peering-points on the Untrusted side
of the firewall.
Validity
To be used during FQDN resolution, an IP address configured in the SFW internal DNS
must match an IP address configured as peering-point (rpoc) for the specified peer-net.
o “invalid” means that the address is not yet configured as a peering-point in the peer-network.
o “V4 only” means that the IPv4 address matches a peering-point whereas the
IPv6 address, if any, is not yet configured as a peering-point.
o “V6 only” means that the IPv6 address matches a peering-point whereas the
IPv4 address, if any, is not yet configured as a peering-point.
o “V4 and V6” means that both the IPv4 and IPv6 addresses match the peering-point configuration.
Example
-> show dns-internal
+-----+----------+-------------------+---------------------------------------+----------+
! idx ! peer-net ! name ! IP address ! Validity !
+-----+----------+-------------------+---------------------------------------+----------+
! 1 ! 20 ! proxyA.biloxy.com ! 172.23.8.9 2001:8::172:23:8:9 ! V4 & V6 !
! 2 ! 7 ! proxyA.biloxy.com ! 172.22.7.35 ! V4 only !
! 3 ! 5 ! proxyA.biloxy.com ! 172.20.5.33 ! V4 only !
! 6 ! 10 ! proxyA.biloxy.com ! 172.24.90.10 2001:90::172:24:90:10 ! V6 only !
! 8 ! 3 ! proxyA.biloxy.com ! 172.18.3.9 ! invalid !
! 9 ! 4 ! proxyA.biloxy.com ! 172.19.4.35 2001:4::172:19:4:35 ! V4 & V6 !
! 10 ! 6 ! proxyA.biloxy.com ! 172.21.6.33 2001:6::172:21:6:33 ! V4 & V6 !
! 12 ! 11 ! proxyA.biloxy.com ! 172.16.11.50 2001:11::172:16:11:50 ! V4 & V6 !
+-----+----------+-------------------+---------------------------------------+----------+
-> show dns-internal peer-net 7
+-----+----------+-------------------+-------------+----------+
! idx ! peer-net ! name ! IP address ! Validity !
+-----+----------+-------------------+-------------+----------+
! 2 ! 7 ! proxyA.biloxy.com ! 172.22.7.35 ! V4 only !
+-----+----------+-------------------+-------------+----------+
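The validity rule and the top Via / top Record-Route check described in this chapter, modelled in Python as an added example (not code from the 7510-SFW): the class and function names are hypothetical, and the DNS entries, peering-points and INVITE are constructed to match rows of the show dns-internal output above.

```python
"""Model of the SFW internal DNS table and the FQDN checks it backs.
Added example, not 7510-SFW code: class and function names are hypothetical;
the entries, peering-points and the INVITE below are constructed sample data."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

@dataclass
class DnsEntry:  # one 'dns-internal <id> name <fqdn> peer-net <netid> ip <address>' entry
    entry_id: int
    name: str
    peer_net: int
    ipv4: Optional[str] = None
    ipv6: Optional[str] = None

class InternalDns:
    MAX_ENTRIES = 2047  # "Up to 2047 DNS entries can be created."

    def __init__(self) -> None:
        self.entries: Dict[int, DnsEntry] = {}
        self.peering_points: Dict[int, Set[str]] = {}  # rpoc addresses per peer-net

    def add_peering_point(self, netid: int, addr: str) -> None:
        self.peering_points.setdefault(netid, set()).add(str(ipaddress.ip_address(addr)))

    def create(self, entry_id: int, name: str, peer_net: int, addr: str) -> None:
        if entry_id in self.entries or len(self.entries) >= self.MAX_ENTRIES:
            raise ValueError("entry already exists or table is full")
        self.entries[entry_id] = DnsEntry(entry_id, name.lower().rstrip("."), peer_net)
        self.set_ip(entry_id, addr)  # first address family, given at creation

    def set_ip(self, entry_id: int, addr: str) -> None:
        """'dns-internal <id> ip <address>': add or replace one address family."""
        ip = ipaddress.ip_address(addr)  # canonical text form, so comparisons are exact
        setattr(self.entries[entry_id], "ipv4" if ip.version == 4 else "ipv6", str(ip))

    def _usable(self, entry: DnsEntry) -> List[str]:  # addresses matching a peering-point
        pps = self.peering_points.get(entry.peer_net, set())
        return [a for a in (entry.ipv4, entry.ipv6) if a and a in pps]

    def validity(self, entry_id: int) -> str:
        """Validity column of 'show dns-internal' for one entry."""
        entry = self.entries[entry_id]
        usable = self._usable(entry)
        v4_ok, v6_ok = entry.ipv4 in usable, entry.ipv6 in usable
        if v4_ok and v6_ok:
            return "V4 & V6"
        return "V4 only" if v4_ok else "V6 only" if v6_ok else "invalid"

    def resolve(self, fqdn: str, peer_net: int) -> List[str]:
        """Usable addresses for fqdn within peer_net (empty list: not resolvable)."""
        fqdn = fqdn.lower().rstrip(".")
        return [a for e in self.entries.values()
                if e.peer_net == peer_net and e.name == fqdn for a in self._usable(e)]

def _host(value: str) -> str:
    """Host of a Record-Route SIP URI or of a Via sent-by (no port, no parameters)."""
    m = re.search(r"sips?:(?:[^@<>\s]*@)?([^:;>\s]+)", value, re.I)  # <sip:[user@]host...>
    if m:
        return m.group(1)
    return value.split(None, 1)[1].split(";")[0].split(":")[0]  # "SIP/2.0/UDP host[:port]"

def check_incoming(msg: str, peer_net: int, dns: InternalDns) -> List[str]:
    """FQDNs in the top Via and top Record-Route that the internal DNS cannot resolve
    for this peer-net; Route and Request-URI are deliberately not checked."""
    problems: List[str] = []
    for name in ("Via", "Record-Route"):
        m = re.search(rf"^{name}:[ \t]*(.+)$", msg, re.I | re.M)  # topmost occurrence
        if m is None:
            continue
        host = _host(m.group(1).rstrip("\r"))
        try:
            ipaddress.ip_address(host)  # IP literal: nothing to resolve
        except ValueError:
            if not dns.resolve(host, peer_net):
                problems.append(f"{name}: {host}")
    return problems

def build_sample() -> InternalDns:
    """Constructed configuration matching rows 1, 2, 6 and 8 of the example output."""
    dns = InternalDns()
    for netid, addr in [(20, "172.23.8.9"), (20, "2001:8::172:23:8:9"),
                        (7, "172.22.7.35"), (10, "2001:90::172:24:90:10")]:
        dns.add_peering_point(netid, addr)
    dns.create(1, "proxyA.biloxy.com", 20, "172.23.8.9")
    dns.set_ip(1, "2001:8::172:23:8:9")  # dual stack: the second family is added afterwards
    dns.create(2, "proxyA.biloxy.com", 7, "172.22.7.35")
    dns.create(6, "proxyA.biloxy.com", 10, "172.24.90.10")
    dns.set_ip(6, "2001:90::172:24:90:10")
    dns.create(8, "proxyA.biloxy.com", 3, "172.18.3.9")  # not configured as a peering-point
    return dns

# Constructed INVITE as received from peer-net 20 on the Untrusted side.
SAMPLE_INVITE = (
    "INVITE sip:+33240000000@ims.example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP proxyA.biloxy.com:5060;branch=z9hG4bK776asdhds\r\n"
    "Record-Route: <sip:proxyA.biloxy.com;lr>\r\n"
    "Route: <sip:unchecked-host.example;lr>\r\n\r\n"
)
```

Bracketed IPv6 literals in Via or Record-Route are not parsed by this model.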
12 Load Balancing Group
Purpose
This paragraph provides information about:
• What is the Load-Balancing-Group object.
• CLIs to configure the Load-Balancing-Group object.
Introduction
The main features provided by the Load Balancing Group are the following:
Configuration of a set of IP addresses and ports belonging to the IBCF
A Load-Balancing-Group contains the IP information that allows the SIP firewall to reach the trusted IBCF it protects.
The IBCF can contain several processors for SIP signaling, each of which can support multiple processes (called CCSs). Currently, all these processes share the same IP address, but use different signaling port numbers. In a future release, this is expected to change to separate IP addresses per processor.
In the Load-Balancing-Group object a CCS is referenced as an rpoc: remote point of contact on the trusted side of the SIP firewall.
To address any kind of IBCF architecture, the SIP firewall accepts any combination of IP address and port (i.e. one unique IP address and one port per service blade, or one IP address per service blade and one unique port).
A Peer Network MUST have a Load Balancing Group assigned.
A Load-Balancing-Group can be shared by several Peer Networks.
Load balancing of initial untrusted SIP requests
For the incoming initial SIP message received on the Untrusted side (new INVITE or a
transaction out of an INVITE dialog), the SIP firewall uses the load balancing group
associated with the Peer Network to select one of the remote POC (IBCF CCS). Once
selected, the trusted remote POC won’t change anymore for the whole SIP dialog or the out-of-dialog SIP transaction.
Overload Control and rate limiters
The Load-Balancing-Group provides an Overload Control feature through the configuration of the call and transaction rate limiters.
These rate limiters are applied per remote POC (CCS), so that different weights can be assigned to the IBCF processes.
From a rate limiting standpoint, the rate limiters of the remote POCs within a Load Balancing Group are applied after the one associated with the remote Peer Network (see
Security Profile). Since the sum of the rate limiters of the Peer Networks associated with the
Load Balancing Group can exceed the rate defined for the Load-Balancing-Group, the SIP firewall performs fair load balancing among the Peer Networks.
Geographical Redundancy
The SIP firewall can protect a geographically redundant IBCF.
To address this case, active and standby remote POCs (CCSs) are similarly declared in the Load Balancing Group object.
The SFW sends heartbeats (SIP OPTIONS) periodically to each CCS to keep track of which ones are active. It doesn’t send any new INVITEs to a CCS that is not responding to
the heartbeat.
This addresses active/standby IBCF configuration as well as active/active IBCF
configuration.
Load Balancing group and Trusted Local POC association
One Trusted Local POC needs to be associated with each Load-Balancing-Group.
The IP address of the trusted lpoc is the source IP address of the SIP messages sent to the IBCF CCSs (rpoc).
Summary of the CLI for Load-Balancing-Group management
Load-Balancing-Group
load-balancing-group groupId [enable | disable] [name description]
load-balancing-group groupId rpoc poc_id ip ip_address [udp [port] | tcp [port] | sctp [port] | tls [port]]
load-balancing-group groupId rpoc poc_id {udp [port] | tcp [port] | sctp [port] | tls [port]}
load-balancing-group groupId rpoc poc_id no ipv4
load-balancing-group groupId rpoc poc_id no ipv6
load-balancing-group groupId rpoc poc_id no {udp | tcp | sctp | tls}
load-balancing-group groupId no rpoc poc_id
load-balancing-group groupId lpoc trusted_lpoc_id
load-balancing-group groupId no lpoc trusted_lpoc_id
load-balancing-group groupId vlan vid
load-balancing-group groupId polling period interval
load-balancing-group groupId rpoc poc_id call rate call_rate delay sip_msg_delay
load-balancing-group groupId rpoc poc_id transaction rate trans_rate delay sip_trans_delay
no load-balancing-group groupId
show load-balancing-group [groupId]
show load-balancing-group [groupId] rpoc [poc_id]
show load-balancing-group [groupId] connectivity
load-balancing-group groupId rpoc
Purpose
The purpose of that command is to associate an IBCF remote POC (MGC8 CCS process) with a
Load-Balancing-Group.
The Load-Balancing-Group is a collection of CCSs. This command must be run once for
each CCS.
Command
load-balancing-group groupId rpoc poc_id ip ip_address [udp [port] | tcp [port] | sctp [port] | tls [port]]
load-balancing-group groupId rpoc poc_id {udp [port] | tcp [port] | sctp [port] | tls [port]}
Arguments
groupId
This is the identifier of the Load-Balancing-Group.
poc_id
This is the identifier of the remote POC (MGC8 CCS process) within a Load-Balancing-
Group. Up to 32 rpocs can be defined per Load-Balancing-Group. The same poc_id can be
used in different Load-Balancing-Groups.
ip_address
Defines the IPv4 or IPv6 address of the remote POC.
A remote POC can be dual-stack IPv4/IPv6. In that case the CLI must be run twice, once
to specify the IPv4 address, once to specify the IPv6 address.
port
Optionally the listening port and transport mode of the remote POC can be specified. If
this option is not specified, the port 5060 and UDP transport are configured by default.
It is still possible to modify the listening ports with the following command:
load-balancing-group groupId rpoc poc_id {udp [port] | tcp [port] | sctp [port] | tls [port]}
If the transport mode is specified but the port value is omitted then the port will be
assigned automatically. It will be set to 5060 if there is no other transport mode configured
Complementary information
Hereafter is a networking example based on the MGC-8 case where the service blades (CCS modules) share the same IP address but use different port numbers to provide SIP
service.
The primary IBCF is configured with a unique IP address (192.168.10.10), and provides 2
SIP service blades on the following ports: 5061, 5062.
The backup IBCF is configured with a unique IP address (192.168.10.20), and provides 2
SIP service blades on the following ports: 5061, 5062.
From the SIP Firewall point of view, these 2 addresses and 4 ports are seen as remote POCs.
In order to achieve geographical redundancy, the 4 remote POCs (CCSs in MGC8
terminology) are gathered in the same Load Balancing Group 1.
The SIP firewall performs heartbeat requests toward the remote POCs by sending SIP
OPTIONS messages.
Only available remote POCs are expected to reply to the SIP OPTIONS. Thus, the SIP
firewall knows which processes on the MGC8 are ready to receive SIP traffic.
This allows support of IBCF processes in an active/standby mode as well as in an active/active mode.
The resulting CLI commands are:
-> lpoc trusted 1 ip 192.168.20.1 enable name LPOC_TRUSTED_1
-> vlan 20 trusted enable name TRUSTED_VLAN_20
-> vlan 20 subnet 192.168.20.0 mask 255.255.255.252 gw 192.168.20.2 no rip
-> load-balancing-group 1 enable name LBG_1
-> load-balancing-group 1 vlan 20
-> load-balancing-group 1 lpoc 1
-> load-balancing-group 1 rpoc 1 ip 192.168.10.10 udp 5061
-> load-balancing-group 1 rpoc 2 ip 192.168.10.10 udp 5062
-> load-balancing-group 1 rpoc 3 ip 192.168.10.20 udp 5061
-> load-balancing-group 1 rpoc 4 ip 192.168.10.20 udp 5062
-> peer-net 1 load-balancing-group 1
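The heartbeat-driven rpoc selection described above, modelled on this LBG_1 topology as an added Python example (not 7510-SFW code): the class names, the round-robin choice among alive rpocs and the Call-ID based stickiness are assumptions, as is carrying UDP 5060 as the initial transport of a newly created rpoc.

```python
"""Load-Balancing-Group model: OPTIONS heartbeat liveness, sticky rpoc selection
per SIP dialog and the group 'up'/'down' status.
Added example, not 7510-SFW code: the class names, the round-robin choice among
alive rpocs and the Call-ID stickiness are assumptions; the four rpocs mirror the
MGC-8 networking example (primary 192.168.10.10, backup 192.168.10.20)."""
from dataclasses import dataclass, field
from typing import Dict, Optional

@dataclass
class RemotePoc:
    poc_id: int
    ip: str
    transports: Dict[str, int] = field(default_factory=dict)  # e.g. {"udp": 5061}
    alive: bool = True  # answered the last SIP OPTIONS heartbeat

class LoadBalancingGroup:
    DEFAULT_PORT = 5060  # "the port 5060 and UDP transport are configured by default"
    MAX_RPOC = 32        # "Up to 32 rpoc can be defined per Load-Balancing-Group"

    def __init__(self, group_id: int, name: str, polling_period: int = 4) -> None:
        self.group_id, self.name = group_id, name
        self.polling_period = polling_period  # seconds between ICMP/OPTIONS polls
        self.rpocs: Dict[int, RemotePoc] = {}
        self.dialogs: Dict[str, int] = {}     # Call-ID -> poc_id chosen for it
        self._next = 0                        # round-robin cursor (assumption)

    def add_rpoc(self, poc_id: int, ip: str,
                 transport: Optional[str] = None, port: Optional[int] = None) -> None:
        """'load-balancing-group <g> rpoc <id> ip <ip> [udp|tcp|sctp|tls [port]]'."""
        if poc_id not in self.rpocs:
            if len(self.rpocs) >= self.MAX_RPOC:
                raise ValueError("up to 32 rpoc per Load-Balancing-Group")
            # Assumption: a new rpoc starts with UDP 5060, which is why the guide's
            # 'ip ... tcp 5060' example also implicitly configures udp 5060.
            self.rpocs[poc_id] = RemotePoc(poc_id, ip, {"udp": self.DEFAULT_PORT})
        rp = self.rpocs[poc_id]
        rp.ip = ip
        if transport is not None:
            rp.transports[transport] = port if port is not None else self.DEFAULT_PORT

    def remove_transport(self, poc_id: int, transport: str) -> None:
        """'load-balancing-group <g> rpoc <id> no {udp|tcp|sctp|tls}'."""
        self.rpocs[poc_id].transports.pop(transport)

    def heartbeat_result(self, poc_id: int, answered: bool) -> None:
        """Outcome of one SIP OPTIONS poll toward the rpoc."""
        self.rpocs[poc_id].alive = answered

    def status(self) -> str:
        """'up' if at least one rpoc answers the heartbeat, 'down' if none does."""
        return "up" if any(rp.alive for rp in self.rpocs.values()) else "down"

    def select(self, call_id: str) -> Optional[RemotePoc]:
        """rpoc for a request: a new dialog/transaction gets an alive rpoc, and that
        choice is kept for the whole dialog even if the rpoc later stops answering."""
        if call_id in self.dialogs:
            return self.rpocs[self.dialogs[call_id]]
        alive = [rp for rp in self.rpocs.values() if rp.alive]
        if not alive:
            return None  # group down: no new INVITE is sent
        rp = alive[self._next % len(alive)]
        self._next += 1
        self.dialogs[call_id] = rp.poc_id
        return rp

def build_lbg_1() -> LoadBalancingGroup:
    """The 'Complementary information' topology: primary 192.168.10.10 and backup
    192.168.10.20, each exposing CCS blades on UDP 5061 and 5062."""
    lbg = LoadBalancingGroup(1, "LBG_1")
    for poc_id, ip, port in [(1, "192.168.10.10", 5061), (2, "192.168.10.10", 5062),
                             (3, "192.168.10.20", 5061), (4, "192.168.10.20", 5062)]:
        lbg.add_rpoc(poc_id, ip, "udp", port)
    return lbg
```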
load-balancing-group groupId rpoc no ipv4
Purpose
The purpose of that command is to delete the IPv4 address of an IBCF remote POC (MGC8 CCS
process) within a Load-Balancing-Group.
Command
load-balancing-group GroupId rpoc poc_id no ipv4
Arguments
groupId
This is the identifier of the Load-Balancing-Group.
poc_id
This is the identifier of the remote POC (MGC8 CCS process) within a Load-Balancing-
Group.
Example
-> load-balancing-group 2 rpoc 1 no ipv4
load-balancing-group groupId rpoc no ipv6
Purpose
The purpose of that command is to delete the IPv6 address of an IBCF remote POC (MGC8 CCS
process) within a Load-Balancing-Group.
Command
load-balancing-group GroupId rpoc poc_id no ipv6
Arguments
groupId
This is the identifier of the Load-Balancing-Group.
poc_id
This is the identifier of the remote POC (MGC8 CCS process) within a Load-Balancing-
Group.
Example
-> load-balancing-group 2 rpoc 13 no ipv6
load-balancing-group groupId rpoc poc_id no {udp | tcp | sctp | tls}
Purpose
The purpose of that command is to remove a transport mode from a remote POC associated with a
Load-Balancing-Group.
Command
load-balancing-group groupId rpoc poc_id no {udp | tcp | sctp | tls}
Arguments
groupId
This is the identifier of the Load-Balancing-Group.
poc_id
This is the identifier of the remote POC (MGC8 CCS process) within a Load-Balancing-
Group.
no {udp | tcp | sctp | tls}
Specifies the transport type to be removed from the RPOC.
Example
-> load-balancing-group 2 rpoc 1 ip 192.168.2.50 tcp 5060
Configures the tcp port value to 5060 and also implicitly the udp port value to
5060.
-> load-balancing-group 2 rpoc 1 no udp
Disables the udp transport mode for the remote POC 1 of the Load-Balancing-Group 2.
load-balancing-group groupId no rpoc poc_id
Purpose
The purpose of that command is to remove the association between a remote POC (MGC8 CCS
process) and a Load-Balancing-Group.
Command
load-balancing-group groupId no rpoc poc_id
Arguments
groupId
This is the identifier of the Load-Balancing-Group.
poc_id
This is the identifier of the remote POC (MGC8 CCS process) within the Load-Balancing-
Group.
Example
-> load-balancing-group 1 no rpoc 2
load-balancing-group groupId lpoc trusted_lpoc_id
Purpose
The purpose of that command is to associate a Trusted Local Point of Contact (lpoc) with a Load-
Balancing-Group.
Command
load-balancing-group groupId lpoc trusted_lpoc_id
Arguments
groupId
This is the identifier of the Load-Balancing-Group.
trusted_lpoc_id
This is the identifier of the Trusted LPOC that has been previously created via the
command “lpoc trusted poc_id”.
Example
-> load-balancing-group 1 lpoc 1
Associates the Trusted LPOC 1 with the Load-Balancing-Group 1.
load-balancing-group groupId no lpoc trusted_lpoc_id
Purpose
The purpose of that command is to remove the association between a Trusted Local Point of
Contact (lpoc) and a Load-Balancing-Group.
Command
load-balancing-group groupId no lpoc trusted_lpoc_id
Arguments
groupId
This is the identifier of the Load-Balancing-Group.
trusted_lpoc_id
This is the identifier of the Trusted LPOC that has been previously associated with the
Load-Balancing-Group.
Example
-> load-balancing-group 1 no lpoc 1
Removes the association between the Trusted LPOC 1 and the Load-Balancing-Group 1.
load-balancing-group groupId vlan vid
Purpose
The purpose of that command is to associate a Vlan with a Load-Balancing-Group.
Command
load-balancing-group groupId vlan vid
Arguments
groupId
This is the identifier of the Load-Balancing-Group.
vid
This is the identifier of the Vlan that has been previously created with the command “vlan
vid”.
Example
-> load-balancing-group 1 vlan 20
Creates an association between the Load-Balancing-Group 1 and the Vlan 20.
load-balancing-group groupId no vlan
Purpose
The purpose of that command is to remove the association between a Vlan and a Load-Balancing-
Group.
Command
load-balancing-group groupId no vlan
Arguments
groupId
This is the identifier of the Load-Balancing-Group.
Example
-> load-balancing-group 1 no vlan
load-balancing-group groupId polling period interval
Purpose
In order to check the IP/SIP connectivity on the trusted side between the LPOC and the RPOCs
associated within the same Load-Balancing-Group, there are two polling mechanisms:
• A Ping polling is issued periodically, sending ICMP requests from the LPOC to the
RPOCs (IBCF’s CCSs).
• A SIP polling is issued periodically, sending SIP OPTIONS from the LPOC to the
RPOCs (IBCF’s CCSs).
The purpose of that command is to modify the period of the Ping and SIP polling occurring
between the LPOC and RPOCs of a Load-Balancing-Group. By default Ping requests and SIP
OPTIONS are sent every 4 seconds.
ICMP requests and SIP OPTIONS are sent for both IPv4 and IPv6 protocols according to the
RPOC/LPOC configuration.
The status of the CCSs connectivity on the trusted side can be retrieved via the CLI command
“show load-balancing-group connectivity”.
Command
load-balancing-group groupId polling period interval
Arguments
groupId
This is the identifier of the Load-Balancing-Group.
interval
Sets the value, in seconds, of the polling period interval.
Example
-> load-balancing-group 1 polling period 10
load-balancing-group groupId rpoc poc_id call rate
Purpose
The purpose of that command is to configure the Call Admission Control per remote POC (rpoc) associated with a Load Balancing Group. In the MGC8 terminology the rpoc
represents the CCS entity.
The call admission control applies to initial INVITE SIP messages and allows
dimensioning of the transmit queue depth (call setup queue) that is associated with each CCS.
By configuring a call setup rate limiter on a Peer Network (through the configuration of a SIP Security Profile), one can limit the rate of one source, but there is no way (in the
Peer-Network configuration) to ensure that the sum of all the sources does not overload the IBCF CCSs where all the sources converge.
To avoid such a situation, the following command defines:
o the call setup rate that is supported per rpoc (CCS)
o the maximum delay that a SIP message can stay in the transmit queue associated with the rpoc (CCS)
The transmit queue depth, in SIP messages, is computed from the values of the call_rate and sip_msg_delay parameters.
Command
load-balancing-group groupId rpoc poc_id call rate call_rate delay sip_msg_delay
Arguments
groupId
This is the identifier of the Load-Balancing-Group.
poc_id
This is the identifier of the remote POC (MGC8 CCS process) within the Load-Balancing-
Group.
call_rate
Call setup rate per second. The value should be between 0 and 100000.
sip_msg_delay
Defines the time a SIP message can remain in the transmit queue of the SIP firewall before being dropped. The delay is set in milliseconds in the range 1-2000.
Example
-> load-balancing-group 3 rpoc 1 call rate 10000 delay 300
load-balancing-group groupId rpoc poc_id transaction rate
Purpose
The purpose of that command is to allow dimensioning of the non-INVITE transaction queue per remote POC (rpoc) associated with a Load-Balancing-Group. In the MGC8 terminology the rpoc represents the CCS entity.
The transaction rate applies to non-INVITE SIP messages.
The transaction delay limits the maximum time the SIP firewall can hold a non-INVITE SIP message in the non-INVITE transmission queue associated with an rpoc.
Command
load-balancing-group groupId rpoc poc_id transaction rate trans_rate delay sip_trans_delay
Arguments
groupId
This is the identifier of the Load-Balancing-Group.
poc_id
This is the identifier of the remote POC (MGC8 CCS process) within the Load-Balancing-
Group.
trans_rate
This is the maximum number of transactions per second. The value should be between 0
and 100000.
sip_trans_delay
Defines the time a SIP message can remain in the transmit queue of the SIP firewall before being dropped. The delay is set in milliseconds in the range 1-2000.
Example
-> load-balancing-group 3 rpoc 1 transaction rate 10000 delay 300
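The per-rpoc call and transaction rate limiters of this and the previous command, modelled as an added Python example (not 7510-SFW code): the queue depth formula depth = rate * delay / 1000 and the fixed 1/rate send interval are assumptions, since the guide only states that the depth is computed from the rate and delay; the arrival patterns are constructed.

```python
"""Per-rpoc Call Admission Control (call rate) and non-INVITE transaction limiter,
modelled as a rate-limited transmit queue whose depth follows from rate and delay.
Added example, not 7510-SFW code. The guide only says the queue depth is computed
from call_rate and sip_msg_delay; the formula used here, depth = rate * delay / 1000
(the messages the rpoc can absorb within the delay), and the fixed send interval
of 1/rate are assumptions."""
from collections import deque
from typing import Deque, List, Tuple

class RpocTxQueue:
    """Transmit queue toward one rpoc (CCS) for one traffic class.
    Times are integer milliseconds externally and microseconds internally,
    so the simulation stays exact at any rate up to 100000 messages per second."""

    def __init__(self, rate: int, delay_ms: int) -> None:
        if not 0 <= rate <= 100000:
            raise ValueError("rate must be between 0 and 100000")
        if not 1 <= delay_ms <= 2000:
            raise ValueError("delay must be between 1 and 2000 ms")
        self.rate = rate
        self.delay_us = delay_ms * 1000
        self.interval_us = 1_000_000 // rate if rate else 0
        self.depth = max(1, rate * delay_ms // 1000)   # queue depth in SIP messages
        self.queue: Deque[Tuple[str, int]] = deque()  # (message, arrival time in us)
        self.sent: List[str] = []
        self.dropped: List[str] = []
        self._next_slot_us = 0                          # earliest time of the next send

    def enqueue(self, msg: str, now_ms: int) -> bool:
        """Admit msg at time now_ms; a full queue (or a zero rate) drops it."""
        if self.rate == 0 or len(self.queue) >= self.depth:
            self.dropped.append(msg)
            return False
        self.queue.append((msg, now_ms * 1000))
        return True

    def drain(self, now_ms: int) -> None:
        """Send what the rate allows up to now_ms; drop messages that would exceed the delay."""
        now_us = now_ms * 1000
        while self.queue:
            msg, arrived = self.queue[0]
            send_at = max(self._next_slot_us, arrived)
            if send_at - arrived > self.delay_us:      # would wait too long: dropped
                self.queue.popleft()
                self.dropped.append(msg)
                continue
            if send_at > now_us:
                break                                  # the rate limiter holds it for now
            self.queue.popleft()
            self.sent.append(msg)
            self._next_slot_us = send_at + self.interval_us

def simulate(rate: int, delay_ms: int, arrivals_ms: List[int]) -> Tuple[int, int]:
    """Feed messages arriving at the given times (ms) into one rpoc queue and return
    (sent, dropped) once everything has been sent or has expired."""
    q = RpocTxQueue(rate, delay_ms)
    for i, t in enumerate(sorted(arrivals_ms)):
        q.enqueue(f"INVITE-{i}", t)
        q.drain(t)
    q.drain(10 ** 9)  # far in the future: every remaining message is sent or expired
    return len(q.sent), len(q.dropped)

# Constructed scenario from the guide's reasoning: two Peer Networks, each allowed
# 8 calls/s by their Security Profile, converge on one CCS dimensioned for 10 calls/s
# with a 300 ms delay; the limiter holds the CCS to its rate and drops the excess.
TWO_SOURCES_MS = sorted([i * 125 for i in range(8)] * 2)
```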
no load-balancing-group groupId
Purpose
The purpose of that command is to delete a Load-Balancing-Group.
Before deleting a Load-Balancing-Group it is necessary to remove the existing
associations between this Load-Balancing-Group and its RPOCs and LPOC via the commands:
load-balancing-group groupId no rpoc poc_id
load-balancing-group groupId no lpoc trusted_lpoc_id
Command
no load-balancing-group groupId
Arguments
groupId
This is the identifier of the Load-Balancing-Group.
Example
-> load-balancing-group 3 no lpoc 2
-> load-balancing-group 3 no rpoc 1
-> no load-balancing-group 3
show load-balancing-group
Purpose
The purpose of that command is to display the Load-Balancing-Group configuration and its operational status.
Command
show load-balancing-group [groupId]
Arguments
groupId
This is the identifier of the Load-Balancing-Group. If groupId is not specified, all Load-Balancing-Groups are displayed.
Example
-> show load-balancing-group
+----------+-------------+--------+------+------+
! Group Id ! Name        ! Status ! Lpoc ! Vlan !
+----------+-------------+--------+------+------+
! 1        ! LBG_1       ! up     ! 1    ! 200  !
! 2        ! LBG_2       ! up     ! 1    ! 200  !
! 3        ! LBG-Tokyo   ! up     ! 1    ! 200  !
! 4        ! LBG4-Mexico ! up     ! 1    ! 200  !
+----------+-------------+--------+------+------+
Output Definition
Status
The Load-Balancing-Group status is:
• “up” if at least one rpoc (MGC8 CCS) is seen alive via the SIP OPTIONS heartbeat mechanism.
• “down” if all rpoc (MGC8 CCS) failed to answer the SIP OPTIONS sent by the SIP Firewall.
show load-balancing-group rpoc
Purpose
The purpose of that command is to display, on the trusted side, the Remote POC configurations and their operational status.
Command
show load-balancing-group [groupId] rpoc [poc_id]
Arguments
groupId
This is the identifier of the Load-Balancing-Group. If groupId is not specified, all Load-Balancing-Groups are displayed.
Example
-> show load-balancing-group rpoc
+-----+------+-----------+-------------------------------------+-------+-------+------+-----+----------+--------+
! LBG ! rpoc ! Ope state ! IP Address                          ! Udp   ! Tcp   ! Sctp ! Tls ! call/sec ! Tx/sec !
+-----+------+-----------+-------------------------------------+-------+-------+------+-----+----------+--------+
! 1   ! 1    ! up        ! 192.168.2.50 2001:200::192:168:2:50 ! 50001 ! 50001 ! n/s  ! n/s ! 10000    ! 10000  !
! 2   ! 1    ! up        ! 192.168.2.9                         ! 50001 ! 50001 ! n/s  ! n/s ! 10000    ! 10000  !
! 3   ! 1    ! up        ! 192.168.2.33                        ! 50001 ! 50001 ! n/s  ! n/s ! 10000    ! 10000  !
! 4   ! 1    ! up        ! 192.168.2.35 2001:200::192:168:2:35 ! 50001 ! 50001 ! n/s  ! n/s ! 10000    ! 10000  !
! 5   ! 1    ! up        ! 192.168.2.37                        ! 5060  ! 5060  ! n/s  ! n/s ! 10000    ! 10000  !
+-----+------+-----------+-------------------------------------+-------+-------+------+-----+----------+--------+
Output Definition
Ope State
The rpoc (MGC8 CCS) status relies on the SIP OPTIONS heartbeat mechanism. The rpoc is:
• “up” if the rpoc successfully responds to the SIP OPTIONS sent by the SIP Firewall.
• “down” if the rpoc fails to answer the SIP OPTIONS sent by the SIP Firewall.
show load-balancing-group connectivity
Purpose
The purpose of that command is to check, on the trusted side, the IP and SIP connectivity between the trusted LPOC and the remote POCs (IBCF’s CCSs).
The IP connectivity is checked by periodically issuing ICMP requests from the LPOC to the RPOC associated within the Load-Balancing-Group. By default a Ping request is issued every 5 seconds. ICMP requests are sent for both IPv4 and IPv6 protocols according to the RPOC/LPOC configuration.
The SIP connectivity is checked according to the SIP OPTIONS heartbeat mechanism. The SFW periodically sends SIP OPTIONS from the LPOC to the RPOC associated within the Load-Balancing-Group. By default a SIP OPTIONS is sent every 5 seconds. Depending on the RPOC/LPOC configuration the SIP OPTIONS mechanism is activated either over IPv4 or IPv6 or both protocols.
The polling period, applying for both Ping and SIP OPTIONS, can be modified via the CLI command “load-balancing-group GroupId polling period interval”.
Command
show load-balancing-group [groupId] connectivity
Arguments
groupId
This is the identifier of the Load-Balancing-Group. If groupId is not specified, all Load-Balancing-Groups are displayed.
Example
-> show load-balancing-group connectivity
+----------+------+------+--------+--------+---------+--------+---------+
! Group Id ! rpoc ! lpoc ! period ! SIP v4 ! PING v4 ! SIP v6 ! PING v6 !
+----------+------+------+--------+--------+---------+--------+---------+
! 1        ! 1    ! 1    ! 4      ! up     ! PING UP ! down   ! PING UP !
! 2        ! 1    ! 1    ! 4      ! up     ! PING UP ! down   ! V4 ONLY !
! 3        ! 1    ! 1    ! 4      ! up     ! PING UP ! down   ! V4 ONLY !
! 4        ! 1    ! 1    ! 4      ! up     ! PING UP ! down   ! NO RESP !
! 5        ! 1    ! 1    ! 4      ! up     ! NO MAC  ! down   ! V4 ONLY !
+----------+------+------+--------+--------+---------+--------+---------+
Output Definition
SIP v4
The “SIP v4” status relies on the SIP OPTIONS heartbeat mechanism over IPv4 protocol.
• “up” means that the rpoc successfully responds to the SIP OPTIONS sent by the SIP Firewall using IPv4 protocol.
• “down” means that the rpoc fails to answer the SIP OPTIONS sent by the SIP Firewall using IPv4 protocol.
SIP v6
The “SIP v6” status relies on the SIP OPTIONS heartbeat mechanism over IPv6 protocol.
• “up” means that the rpoc successfully responds to the SIP OPTIONS sent by the SIP Firewall using IPv6 protocol.
• “down” means that the rpoc fails to answer the SIP OPTIONS sent by the SIP Firewall using IPv6 protocol.
PING v4 and PING v6
The “PING v4” status reflects the IPv4 connectivity between LPOC and RPOC of a Load-Balancing-Group.
The “PING v6” status reflects the IPv6 connectivity between LPOC and RPOC of a Load-Balancing-Group.
• “PING UP” means that the rpoc successfully responds to the ICMP Requests sent by the SIP Firewall.
• “NO MAC” means that the configuration is consistent but the RPOC destination MAC address has not been resolved yet.
• “NO LPOC” means that the configuration is not consistent. There is no LPOC associated with the Load-Balancing-Group whereas there is at least a RPOC and a Vlan associated with that Load-Balancing-Group.
• “NO LPOC IP ADDR” means that the configuration is not consistent. The LPOC associated with the Load-Balancing-Group has no IPv4 address whereas there is at least one IPv4 RPOC associated with that Load-Balancing-Group. The LPOC associated with the Load-Balancing-Group has no IPv6 address whereas there is at least one IPv6 RPOC associated with that Load-Balancing-Group.
• “NO VLAN” means that the configuration is not consistent. There is no Vlan associated with the Load-Balancing-Group.
• “NO VLAN SUBNET” means that the configuration is not consistent. There is no IPv4 subnet in the definition of the vlan associated with the Load-Balancing-Group whereas there is at least one IPv4 RPOC associated with that Load-Balancing-Group. There is no IPv6 subnet in the definition of the vlan associated with the Load-Balancing-Group whereas there is at least one IPv6 RPOC associated with that Load-Balancing-Group.
• “NO ROUTER IP” means that the configuration is not consistent. An IP router address is required in the definition of the vlan associated with the Load-Balancing-Group, otherwise the LPOC is unreachable. A router is required in the vlan definition as soon as the vlan and the LPOC are not in the same subnet.
• “ROUTER IP NOT IN SUBNET” means that the configuration is not consistent. The router IP address in the definition of the vlan associated with the Load-Balancing-Group is not in the vlan subnet.
• “NO DEFAULT GW” means that the configuration is not consistent. An IP gateway address is required in the definition of the vlan associated with the Load-Balancing-Group, otherwise the RPOC is unreachable. A gateway is required in the vlan definition as soon as the vlan and the RPOC are not in the same subnet.
• “GATEWAY IP NOT IN SUBNET” means that the configuration is not consistent. The gateway IP address in the definition of the vlan associated with the Load-Balancing-Group is not in the vlan subnet.
• “NO RESP” means that the configuration is consistent. The MAC address of the RPOC is known but the SFW does not get any response to the ping requests.
• “TRUNK DOWN” means that the configuration is consistent. The trusted trunk is down.
• “V6 ONLY” means that the configuration is consistent but LPOC or RPOC are IPv6 only, thus ping v4 cannot be performed.
• “V4 ONLY” means that the configuration is consistent but LPOC or RPOC are IPv4 only, thus ping v6 cannot be performed.
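The status values listed above, as an added example that is not part of the original guide: a Python model that derives the PING v4 / PING v6 cell for one RPOC from a constructed Load-Balancing-Group configuration, applying the consistency checks first and the runtime checks (trunk, MAC resolution, ping reply) only once the configuration is consistent. The data classes, field names, sample addresses and the order in which the checks are applied are assumptions; the guide does not state a precedence between the status values.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

Addr = Dict[str, str]   # family ("v4" or "v6") -> address or prefix text


@dataclass
class Lpoc:
    addr: Addr = field(default_factory=dict)


@dataclass
class Rpoc:
    addr: Addr = field(default_factory=dict)
    mac_resolved: bool = False    # destination MAC of the RPOC resolved
    ping_answered: bool = False   # ICMP echo reply seen in the last period


@dataclass
class Vlan:
    subnet: Addr = field(default_factory=dict)
    router: Addr = field(default_factory=dict)    # IP router, LPOC side
    gateway: Addr = field(default_factory=dict)   # default gateway, RPOC side


@dataclass
class Lbg:
    lpoc: Optional[Lpoc] = None
    vlan: Optional[Vlan] = None
    rpocs: List[Rpoc] = field(default_factory=list)
    trunk_up: bool = True         # state of the trusted trunk


def _in_subnet(addr: str, subnet: str) -> bool:
    return ip_address(addr) in ip_network(subnet, strict=False)


def ping_status(lbg: Lbg, rpoc: Rpoc, fam: str) -> str:
    """Return the "PING v4" (fam="v4") or "PING v6" (fam="v6") cell for one RPOC."""
    single_stack = "V6 ONLY" if fam == "v4" else "V4 ONLY"
    # Configuration consistency, checked in this (assumed) order
    if lbg.vlan is None:
        return "NO VLAN"
    if lbg.lpoc is None:
        return "NO LPOC"
    if fam not in lbg.lpoc.addr and any(fam in r.addr for r in lbg.rpocs):
        return "NO LPOC IP ADDR"
    if fam not in rpoc.addr or fam not in lbg.lpoc.addr:
        return single_stack            # consistent, but ping cannot be done in this family
    subnet = lbg.vlan.subnet.get(fam)
    if subnet is None:
        return "NO VLAN SUBNET"
    router = lbg.vlan.router.get(fam)
    if router is None and not _in_subnet(lbg.lpoc.addr[fam], subnet):
        return "NO ROUTER IP"
    if router is not None and not _in_subnet(router, subnet):
        return "ROUTER IP NOT IN SUBNET"
    gateway = lbg.vlan.gateway.get(fam)
    if gateway is None and not _in_subnet(rpoc.addr[fam], subnet):
        return "NO DEFAULT GW"
    if gateway is not None and not _in_subnet(gateway, subnet):
        return "GATEWAY IP NOT IN SUBNET"
    # Configuration consistent: runtime state of the path
    if not lbg.trunk_up:
        return "TRUNK DOWN"
    if not rpoc.mac_resolved:
        return "NO MAC"
    if not rpoc.ping_answered:
        return "NO RESP"
    return "PING UP"


def connectivity_rows(lbg: Lbg) -> List[Dict[str, str]]:
    """One row per RPOC with the two PING columns, like the CLI output."""
    return [{"rpoc": str(i), "PING v4": ping_status(lbg, r, "v4"),
             "PING v6": ping_status(lbg, r, "v6")}
            for i, r in enumerate(lbg.rpocs, 1)]


def sample_lbg() -> Lbg:
    """Constructed configuration: dual-stack LPOC on vlan 192.168.2.0/24."""
    vlan = Vlan(subnet={"v4": "192.168.2.0/24", "v6": "2001:200::/64"})
    lpoc = Lpoc(addr={"v4": "192.168.2.1", "v6": "2001:200::1"})
    rpocs = [
        Rpoc({"v4": "192.168.2.50", "v6": "2001:200::192:168:2:50"}, True, True),
        Rpoc({"v4": "192.168.2.9"}, True, True),      # IPv4 only
        Rpoc({"v4": "10.1.1.5"}, True, True),         # off-subnet, no gateway set
        Rpoc({"v4": "192.168.2.37"}, False, False),   # MAC not yet resolved
    ]
    return Lbg(lpoc=lpoc, vlan=vlan, rpocs=rpocs)


if __name__ == "__main__":
    for row in connectivity_rows(sample_lbg()):
        print(row)
```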
13 Tcp Syn Flood Protection
Purpose
This paragraph provides information about the SFW configuration that protects against TCP SYN flooding.
Introduction
TCP SYN are filtered out according to predefined thresholds depending on the interface type.
The default threshold values are the following:
o OAM interface: 10 TCP SYN per sec
o Trusted interface: 1000 TCP SYN per sec
o Untrusted interface: 2000 TCP SYN per sec
When the TCP SYN rate exceeds the above thresholds the SFW suspects that an attack is ongoing and enters TCP SYN regulation mode.
In that state the TCP SYN are filtered out to prevent the attack. However TCP connection establishment is still possible for non-attackers.
When activated the TCP SYN regulation mode will last at least 30 seconds.
The default TCP SYN threshold values can be adjusted via the CLI commands listed below.
The “show tcp syn” command provides useful information about the TCP SYN flood parameters and current status.
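The regulation mode described above, as an added example that is not part of the original guide: a Python model that counts TCP SYN per second per interface type with the default thresholds, enters regulation mode when the threshold is exceeded, holds it for at least 30 seconds, and reports the same fields as “show tcp syn”. The one-second sliding window, the rule that only SYN above the configured rate are filtered while in regulation mode, and the constructed arrival times are assumptions; the guide does not describe how the SFW distinguishes non-attackers.

```python
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, Dict, List, Tuple

# Default thresholds per interface type, as listed in this section.
DEFAULT_SYN_RATE: Dict[str, int] = {"oam": 10, "trusted": 1000, "untrusted": 2000}
MIN_REGULATION_SECONDS = 30.0   # regulation mode lasts at least 30 s
MAX_SYN_RATE = 10000            # "tcp syn ... rate" cannot be set higher than this


@dataclass
class SynFloodMonitor:
    interface: str
    rate: int
    window: Deque[float] = field(default_factory=deque)  # SYN arrivals in the last second
    regulating: bool = False
    regulation_started: float = 0.0
    attack_counter: int = 0

    def set_rate(self, syn_per_sec: int) -> None:
        """Model of "tcp syn {trusted|untrusted} rate syn_per_sec"."""
        if not 0 < syn_per_sec <= MAX_SYN_RATE:
            raise ValueError("rate must be between 1 and %d SYN/s" % MAX_SYN_RATE)
        self.rate = syn_per_sec

    def on_syn(self, now: float) -> bool:
        """Account one TCP SYN arriving at time `now` (seconds, non-decreasing).

        Returns True if the SYN is accepted, False if it is filtered out.
        """
        self.window.append(now)
        while now - self.window[0] >= 1.0:       # 1 s sliding window (assumed)
            self.window.popleft()
        syn_per_sec = len(self.window)
        if self.regulating:
            # Leave regulation only once the minimum hold time has elapsed
            # and the rate is back under the threshold.
            if (now - self.regulation_started >= MIN_REGULATION_SECONDS
                    and syn_per_sec <= self.rate):
                self.regulating = False
        elif syn_per_sec > self.rate:
            self.regulating = True               # suspected SYN flood
            self.regulation_started = now
            self.attack_counter += 1
        # Assumed filtering rule: while regulating, SYN beyond the configured
        # rate are dropped; the first `rate` SYN of each second still pass,
        # so connection establishment remains possible for normal clients.
        return not (self.regulating and syn_per_sec > self.rate)

    def status(self) -> Dict[str, object]:
        """Same fields as one row of "show tcp syn"."""
        return {"interface": self.interface, "rate": self.rate,
                "status": "on" if self.regulating else "off",
                "attack counter": self.attack_counter}


def replay(monitor: SynFloodMonitor, arrivals: List[float]) -> Tuple[int, int]:
    """Feed constructed SYN arrival times; return (accepted, dropped)."""
    accepted = sum(1 for t in arrivals if monitor.on_syn(t))
    return accepted, len(arrivals) - accepted


def new_monitor(interface: str) -> SynFloodMonitor:
    return SynFloodMonitor(interface, DEFAULT_SYN_RATE[interface])


if __name__ == "__main__":
    mon = new_monitor("oam")
    # constructed burst: 25 SYN within 25 ms on the OAM interface (threshold 10/s)
    print(replay(mon, [i * 0.001 for i in range(25)]), mon.status())
    print(mon.on_syn(5.0), mon.status())   # still regulating: hold time not elapsed
    print(mon.on_syn(31.0), mon.status())  # regulation mode left
```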
tcp syn untrusted rate syn_per_sec
Purpose
The purpose of that command is to modify the default value applied for TCP SYN flood
protection on the Untrusted interface of the firewall. The default value is set to 2000 TCP SYN per second.
Command
tcp syn untrusted rate syn_per_sec
Arguments
syn_per_sec
Defines the acceptable TCP SYN rate on the Untrusted interface. This rate cannot be set
higher than 10000 TCP SYN per second.
Example
-> tcp syn untrusted rate 5000
tcp syn trusted rate syn_per_sec
Purpose
The purpose of that command is to modify the default value applied for TCP SYN flood protection on the Trusted interface of the firewall. The default value is set to 1000 TCP SYN per second.
Command
tcp syn trusted rate syn_per_sec
Arguments
syn_per_sec
Defines the acceptable TCP SYN rate on the Untrusted interface. This rate cannot be set
higher than 10000 TCP SYN per second.
show tcp syn
Purpose
The purpose of that command is to display the TCP SYN flood configuration and check whether the SFW has been or is currently under TCP SYN attack.
Command
show tcp syn
Output Definition
rate
This is the maximum rate of TCP SYN per second before entering in TCP SYN regulation
mode.
status
Off: There is no TCP SYN flood attack ongoing.
On: There is a TCP SYN flood attack ongoing.
Attack counter
Counts the number of TCP SYN attacks.
Example
-> show tcp syn
+-----------+------+--------+----------------+
! interface ! rate ! status ! attack counter !
+-----------+------+--------+----------------+
! oam       ! 10   ! off    ! 0              !
! trusted   ! 1000 ! off    ! 0              !
! untrusted ! 2000 ! off    ! 0              !
+-----------+------+--------+----------------+
show tcp statistics
Purpose
The purpose of that command is to display the TCP statistics per interface type.
Command
show tcp statistics
Output Definition
tcpActiveOpens     Active connection openings
tcpPassiveOpens    Passive connection openings
tcpAttemptFails    Failed connection attempts
tcpEstabResets     Connection resets received
tcpCurrEstab       Connections established
tcpInSegs          Segments received
tcpOutSegs         Segments sent out
tcpRetransSegs     Segments retransmitted
tcpInErrs          TCP segments received in error
tcpOutRsts         TCP Resets sent
tcpSynRcv          TCP SYN received
tcpSynDropped      TCP SYN dropped
tcpOutOfSeqResets  TCP RST dropped because of bad sequence number
Example
-> show tcp statistics
CUMULATED UNTRUSTED TCP STATISTICS
tcpActiveOpens : 16523
tcpPassiveOpens : 2
tcpCurrEstab : 3
tcpInSegs : 18894
tcpOutSegs : 30190
tcpSynRcv : 2
CUMULATED TRUSTED TCP STATISTICS
tcpActiveOpens : 261153
tcpCurrEstab : 31
tcpInSegs : 243029
tcpOutSegs : 384744
OAM TCP STATISTICS
tcpActiveOpens : 34
tcpPassiveOpens : 32
tcpAttemptFails : 1
tcpCurrEstab : 3
tcpInSegs : 1965
tcpOutSegs : 1753
tcpRetransSegs : 1
14 Interfaces (Ge Ports) & Trunks
Purpose
This paragraph provides information about the management of the Gigabit Ethernet physical ports of the SIP Firewall.
Introduction
The SIP firewall is made of 2 DHSPP4 boards running in Active/Standby mode for the SIP Firewalling application.
Each DHSPP4 is hosted in a different 7510 SCM2 board (slot 10 and slot 11).
Each DHSPP4 provides 8 Gigabit Ethernet physical ports (Ge0..Ge7). Four interfaces per DHSPP4 are available on the front panel (Ge0..Ge3):
• Ge0 interfaces are dedicated to the cabling towards the Untrusted networks
• Ge3 interfaces are dedicated to the cabling towards the Trusted networks
• Ge1 and Ge2 are used to interconnect the Active and Standby DHSPP4
Two interfaces per DHSPP4, not accessible on the front panel but via the SCM, are used for OAM (Ge4) and SCM/DHSPP4 (Ge5) supervision.
Summary of the CLI for Ge Interfaces and Trunks management
Ge Interfaces and Trunks management
show interfaces
show interfaces slot[/port]
trunk {trusted|untrusted} mode [linkagg | act-stdy]
show trunk [trusted|untrusted]
show trunk [trusted|untrusted] port
show interfaces
Purpose
The purpose of the following commands is to provide information about the Giga Ethernet
interfaces of the SIP Firewall.
Commands
show interfaces
show interfaces slot[/port]
Arguments
slot
This is the identifier of the SCM slot hosting the DHSPP4. It’s either 10 or 11.
port
Optionally the Giga Ethernet port number can be specified.
Example
-> show interfaces
+-----------------------------+--------------+--------------------+
! Slot/Port                   ! Admin Status ! Operational Status !
+-----------------------------+--------------+--------------------+
! 10/Ge0 external untrusted   ! up           ! up                 !
! 10/Ge1 external inter-HSPP  ! up           ! up                 !
! 10/Ge2 external inter-HSPP  ! up           ! up                 !
! 10/Ge3 external trusted     ! up           ! up                 !
! 10/Ge4 internal OAM         ! up           ! up                 !
! 10/Ge5 internal supervision ! up           ! up                 !
! 11/Ge0 external untrusted   ! up           ! up                 !
! 11/Ge1 external inter-HSPP  ! up           ! up                 !
! 11/Ge2 external inter-HSPP  ! up           ! up                 !
! 11/Ge3 external trusted     ! up           ! up                 !
! 11/Ge4 internal OAM         ! up           ! up                 !
! 11/Ge5 internal supervision ! up           ! up                 !
+-----------------------------+--------------+--------------------+
-> show interfaces 10/0
Slot/Port : 10/0
Description : 10/Ge0 external untrusted
Operational Status : up
Last Time Link Changed : 54:03:47
Type : Ethernet
MAC Address : 00:11:3F:C7:DD:2D
Rx :
Bytes Received : 1298954
Unicast Frames : 2209
Broadcast/Multicast Frames : 11750
Error Frames : 943
Discarded frames : 0
Tx :
Bytes Xmitted : 202216
Unicast Frames : 4396
Broadcast/Multicast Frames : 0
Queued Frames : 0
trunk {trusted|untrusted} mode [linkagg | act-stdy]
Purpose
Trusted and Untrusted interfaces are connected to the next-hop IP using either
• Static Link Aggregation (802.3ad), without LACP. This is the preferred configuration, but it requires the PE Router to be carrier grade. Or,
• Active/Standby configuration. If the PE router is not carrier grade this is the configuration to be chosen. In that case both interfaces must belong to the same vlan and a layer 2 switching must be configured between both switch-routers.
The purpose of that command is to configure the trunk mode according to the PE Router capability:
Static Link Aggregation (802.3ad) configuration with a carrier grade router.
Active/Standby configuration in case of Switch-Routers that are not carrier grade.
Commands
trunk {trusted|untrusted} mode [linkagg | act-stdy]
Arguments
{trusted|untrusted}
The operator can only change the mode of the trusted and untrusted trunk. OAM and inter-DHSPP4 trunks have a predefined setup.
linkagg
Configure the trunk in Static Link Aggregation mode (802.3ad). Static LAGG means that there is no LACP protocol. This must be taken into account on the PE-Router, where LACP could be activated by default when configuring a Link Aggregation. LACP must be disabled on the PE-Router for this LAGG.
act-stdy
Configure the trunk in Active-Standby mode. Remember that in that case both interfaces must belong to the same vlan and a layer 2 switching must be configured between both switch-routers.
Example
-> trunk trusted mode linkagg
-> trunk untrusted mode linkagg
show trunk
Purpose
The following command displays information about the configuration and the status of the trunks. Additional information can be retrieved with the command “show trunk port”.
Commands
show trunk [trusted|untrusted]
Output Definition
Trunk-group
This is the trunk alias.
Oper State
Operational state of the trunk (up/down).
Mode
Networking mode configured.
Att/Up ports
Number of attached ports and number of ports UP.
Example
-> show trunk
+-------------+------------+----------+--------+-------+
! Trunk-group ! Oper State ! Mode     ! Att/Up ! ports !
+-------------+------------+----------+--------+-------+
! trusted     ! up         ! linkagg  ! 2      ! 2     !
! untrusted   ! up         ! linkagg  ! 2      ! 2     !
! inter-DHSPP ! up         ! linkagg  ! 2      ! 2     !
! oam         ! up         ! act-stdy ! 2      ! 2     !
+-------------+------------+----------+--------+-------+
show trunk port
15 SIP Message Management
Purpose
This paragraph provides information about the options controlling whether checks are performed on some SIP headers, and about their configuration on the SIP firewall.
Introduction
By default the SFW checks the SIP mandatory headers. If any mandatory header is missing, the SIP message is rejected. However, some SIP UEs following obsolete specifications may send messages without some mandatory header. To support such SIP behaviour, the SFW has a configuration option controlling whether or not a SIP message without a specific mandatory header is accepted.
Summary of the CLI for SIP Message Management
SIP header management
sip-header max-forwards {enable|disable}
show sip-header
sip-header max-forwards {enable|disable}
Purpose
The following command provides an option to allow INVITE requests from the untrusted side without a Max-Forwards header to pass through the SIP firewall.
Commands
sip-header max-forwards {enable|disable}
Arguments
{enable|disable}
Enable allows an incoming INVITE without a Max-Forwards header to pass through the SIP firewall; it also inserts a default Max-Forwards header into the INVITE request forwarded to the trusted side when the INVITE received from the untrusted side does not contain a Max-Forwards header.
Disable rejects an INVITE without a Max-Forwards header. By default the argument is disable.
Example
-> sip-header max-forwards enable
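What the setting changes for an INVITE arriving from the untrusted side, as an added example that is not part of the original guide: a minimal Python SIP request check that rejects a request with a missing mandatory header and, with the option enabled, lets an INVITE lacking only Max-Forwards through after inserting a default Max-Forwards header. The mandatory header list is taken from RFC 3261 (the guide does not enumerate it), the inserted value 70 is an assumption (RFC 3261's recommended default; the guide does not state the SFW's value), the parser handles neither header folding nor compact header names, and the INVITE is constructed.

```python
from typing import List, Tuple

Header = Tuple[str, str]

# Mandatory request headers per RFC 3261 section 8.1.1 (not listed in this
# guide, which only states that mandatory headers are checked).
MANDATORY_HEADERS = ("Via", "To", "From", "Call-ID", "CSeq", "Max-Forwards")
# Value inserted when the option is enabled: assumed, the guide does not
# give it; 70 is the default recommended by RFC 3261.
DEFAULT_MAX_FORWARDS = 70


def parse_sip(raw: str) -> Tuple[str, List[Header], str]:
    """Split a SIP request into start line, (name, value) headers and body.

    Minimal parser: no header folding and no compact header names.
    """
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers: List[Header] = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers, body


def serialize_sip(start: str, headers: List[Header], body: str) -> str:
    return "\r\n".join([start] + ["%s: %s" % h for h in headers]) + "\r\n\r\n" + body


def filter_untrusted_request(raw: str, max_forwards_enabled: bool) -> Tuple[str, str]:
    """Apply the mandatory-header check to a request from the untrusted side.

    Returns ("pass", message forwarded to the trusted side) or ("reject", reason).
    The option only covers INVITE; other requests keep the default rejection
    (assumed, the guide describes the option for INVITE only).
    """
    start, headers, body = parse_sip(raw)
    present = {name.lower() for name, _ in headers}
    missing = [h for h in MANDATORY_HEADERS if h.lower() not in present]
    method = start.split(" ", 1)[0]
    if missing == ["Max-Forwards"] and method == "INVITE" and max_forwards_enabled:
        # sip-header max-forwards enable: accept the INVITE and insert a
        # default Max-Forwards header before forwarding it to the trusted side
        headers.append(("Max-Forwards", str(DEFAULT_MAX_FORWARDS)))
        return "pass", serialize_sip(start, headers, body)
    if missing:
        return "reject", "missing mandatory header(s): " + ", ".join(missing)
    return "pass", raw


# Constructed INVITE from a UE following an obsolete specification: no Max-Forwards.
INVITE_WITHOUT_MAX_FORWARDS = (
    "INVITE sip:bob@example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:alice@example.org>;tag=1928301774\r\n"
    "To: <sip:bob@example.net>\r\n"
    "Call-ID: a84b4c76e66710@192.0.2.10\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

if __name__ == "__main__":
    print(filter_untrusted_request(INVITE_WITHOUT_MAX_FORWARDS, False))   # disable (default)
    print(filter_untrusted_request(INVITE_WITHOUT_MAX_FORWARDS, True)[1])  # enable
```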
show sip-header
Purpose
The following command provides information about the configuration of SIP header management.
Commands
show sip-header
Output Definition
max forwards
Current status of the backward-compatibility support for the Max-Forwards header.
Example
-> show sip-header
+--------------+
! max forwards !
+--------------+
! enabled      !
+--------------+
1 elements
16 SNMP Management
Purpose
This paragraph provides information about the SNMP support and configuration on the
SIP firewall.
Introduction
The SFW current release supports SNMP as follows:
o SFW sends traps in V2c only.
o SNMP set and get are by default expected in SNMP V3. This is the preferred mode. Refer to the “user management” section to see how to configure authentication and encryption parameters for SNMP V3.
o SNMP set and get in V2c are possible via a specific configuration in the sitecfg.sfw. Please refer to the Appendix “How to configure the SFW site Specific parameters” if you want to perform SNMP set/get in V2c.
o SNMP get/set V2c and V3 can both be done at the same time.
o SFW supports an “Active Alarm Table” to be able to retrieve the SNMP alarms that are currently active. This allows the OMC-P to know the SFW alarms status even if traps have been lost. The “Active Alarms” are returned by doing an SNMP “get table” on the table “ActiveAlarmsTable” of the MIB ALCATEL-OMCCN-ALARMMANAGEMENT-MIB.
The SFW supports the following MIBs:
o Standard MIB: RFC 1213 parts
mib-2 system oids
mib-2 interfaces oids
o ALU-SFW-MANAGEMENT-MIB
This is the SFW proprietary MIB used for SFW provisioning and SFW Performance Management.
Alarms Management
Hereafter are the Alarms and Events that are sent by the SFW SNMP agent.
Table 1 SFW SNMP TRAPS
Trap name Trap id Descript ion Severity
sfwLinkDown 1001When raised this alarms meansthat one of the interfacesconfigured on the SFW wentdown.
When cleared this alarms meansthat one of the interfacesconfigured on the SFW came up.
major
sfwBoardActLossStbSupervision 1002When raised this alarm meansthat SFW active DHSPP4 boardlosses supervision of standbyDHSPP4 board.
When cleared this alarm meansthat SFW active DHSPP4 boardrecovers supervision of standbyDHSPP4 board.
major
sfwIbcfCcsStatusChange 1003When raised this alarms meansthat the SFW detected, via SIPOPTION heartbeat mechanism,that a CCS of the local IBCF became unreachable.
When cleared this alarms means
that the SFW detected, via SIPOPTION heartbeat mechanism,that a CCS of the local IBCFrecovered reachability.
warning
sfwLoadBalancingGroupStatusChange 1004When raised this alarms meansthat the SFW detected, via SIPOPTION heartbeat mechanism,that all CCS belonging to a LoadBalancing Group becameunreachable.
When cleared this alarms meansthat the SFW detected, via SIPOPTION heartbeat mechanism,that at least one CCS belonging toa Load Balancing Group
recovered reachability.
major
sfwBoardTemperatureTooHigh 1005When raised this alarms meansthat one SFW board temperaturehas crossed a threshold.
When cleared this alarms meansthat the temperature has gone below a threshold.
Threshold 1 major
Threshold 2 critical
sfwHealthMonCpuAlert 1006When raised this alarms meansthat one SFW board CPU hascrossed a threshold.
When cleared this alarms meansthat the CPU has gone below athreshold.
Threshold 1 major
Threshold 2 critical
sfwHealthMonMemAlert 1007When raised this alarms meansthat one SFW board Memory
Threshold 1 major
7/23/2019 3fz08139acaapczza_v1_sfw Cli Reference Guide - Release 3.0
http://slidepdf.com/reader/full/3fz08139acaapczzav1sfw-cli-reference-guide-release-30 231/316
SNMP Management Alarms Management
3FZ 08139 ACAA PCZZA Alcatel-Lucent — Proprietary 231 Edition 07 Use pursuant to applicable agreementsJuly 2015
Trap name Trap id Descript ion Severity
item has crossed a threshold.
When cleared this alarms meansthat all Memory items are belowa threshold.
Threshold 2 critical
sfwUntrLowLayerDrop 1008When raised this alarms meansthat the counter"sfwUntrustedLowLayerDrop"has exceeded a threshold.
When cleared this alarms meansthat the counter"sfwUntrustedLowLayerDrop"has decreased below a threshold.
The counter"sfwUntrustedLowLayerDrop"counts the number of packetsdropped on the Untrusted side because of ARP error, IP error,Fragmentation error, UDP error,
ICMP error, N-Tupleclassification error, Minimumsize error.
Threshold 1warning
Threshold 2 minor
sfwUntrSipPass1Drop 1009When raised this alarms meansthat the counter "pass1Drop", forthe Peer Network identified by"peerNetIndex", has exceeded athreshold.
When cleared this alarms meansthat the counter "pass1Drop", forthe Peer Network identified by"peerNetIndex", has decreased below a threshold.
The counter "pass1Drop" counts
the number of packets dropped onthe Untrusted side during the SIPPass1 checks.
Threshold 1
warning
Threshold 2 minor
sfwUntrSipPass1SuspectDrop 1010When raised this alarms meansthat the counter"pass1DropSipSuspicious", forthe Peer Network identified by"peerNetIndex", has exceeded athreshold.
When cleared this alarms meansthat the counter"pass1DropSipSuspicious", forthe Peer Network identified by"peerNetIndex", has decreased below a threshold.
The counter"pass1DropSipSuspicious" countsthe number of packets dropped onthe Untrusted side during thePass1 checks due to suspectformat.
Threshold 1
warning
Threshold 2 minor
sfwUntrSipPass2MethodRateInQos0 1011When raised this alarms meansthat the counter"pass2MethodRateInQos0", forthe Peer Network identified by"peerNetIndex", has exceeded athreshold.
When cleared this alarms meansthat the counter
"pass2MethodRateInQos0", forthe Peer Network identified by"peerNetIndex", has decreased
Threshold 1warning
Threshold 2 minor
7/23/2019 3fz08139acaapczza_v1_sfw Cli Reference Guide - Release 3.0
http://slidepdf.com/reader/full/3fz08139acaapczzav1sfw-cli-reference-guide-release-30 232/316
SNMP Management Alarms Management
232 Alcatel-Lucent — Proprietary 3FZ 08139 ACAA PCZZAUse pursuant to applicable agreements Edition 07
July 2015
Trap name Trap id Descript ion Severity
below a threshold.
The counter"pass2MethodRateInQos0"counts the number of packets on
the Untrusted side downgraded toQOS0 during the Pass2 checks. ASIP message is downgraded toQOS0 when abnormal behaviorhas been observed for a SIP flowwith same IP/SIP signature.
sfwUntrSipPass2Drop (trap id 1012)
When raised, this alarm means that the counter "pass2Drop", for the Peer Network identified by "peerNetIndex", has exceeded a threshold.
When cleared, this alarm means that the counter "pass2Drop", for the Peer Network identified by "peerNetIndex", has decreased below a threshold.
The counter "pass2Drop" counts the number of packets dropped on the Untrusted side during the SIP Pass2 checks.
Severity: Threshold 1 warning; Threshold 2 minor
sfwUntrSipMethodRateDrop (trap id 1013)
When raised, this alarm means that the counter associated with pass2MethodRateDrop, reporting the number of messages dropped because of rate limitation, has exceeded a threshold.
When cleared, this alarm means that the counter associated with pass2MethodRateDrop has decreased below a threshold.
This alarm applies to a specific Peer Network identified by the object peerNetIndex.
Severity: Threshold 1 warning; Threshold 2 minor
sfwUntrSipAdmCtlCallDrop (trap id 1014)
When raised, this alarm means that the counter associated with pass2AdmCtlCallDrop, reporting the number of messages dropped because the INVITE rate is greater than the available rate on the trusted side, has exceeded a threshold.
When cleared, this alarm means that the counter associated with pass2AdmCtlCallDrop has decreased below a threshold.
This alarm applies to a specific Peer Network identified by the object peerNetIndex.
Severity: Threshold 1 warning; Threshold 2 minor
sfwUntrIpFragAttackPrevented (trap id 1015)
Notifies that the SFW detected an IP fragmentation attack and prevented it, i.e.:
- IP fragment overlapped
- IP fragmentation buffer full
- IP fragment overrun
- IP fragment overwrite, etc.
This alarm is raised when the counter sfwUntrustedLowLayerDropFrag has exceeded a threshold.
This alarm is cleared when the counter sfwUntrustedLowLayerDropFrag has decreased below a threshold.
Severity: Threshold 1 warning; Threshold 2 minor
sfwUntrArpAttackPrevented (trap id 1016)
Notifies that the SFW detected an ARP attack and prevented it, i.e.:
- ARP cache exhausting and poisoning prevention
- Forged ARP request prevention
- ARP flooding prevention
This alarm is raised when the counter sfwUntrustedLowLayerDropArp has exceeded a threshold.
This alarm is cleared when the counter sfwUntrustedLowLayerDropArp has decreased below a threshold.
Severity: Threshold 1 warning; Threshold 2 minor
sfwUntrIcmpAttackPrevented (trap id 1017)
Notifies that the SFW detected an ICMP attack and prevented it.
This alarm is raised when the counter sfwUntrustedLowLayerDropIcmp has exceeded a threshold.
This alarm is cleared when the counter sfwUntrustedLowLayerDropIcmp has decreased below a threshold.
Severity: Threshold 1 warning; Threshold 2 minor
sfwTrustedLowLayerDrop (trap id 1018)
When raised, this alarm means that the counter "sfwTrustedLowLayerDrop" has exceeded a threshold.
When cleared, this alarm means that the counter "sfwTrustedLowLayerDrop" has decreased below a threshold.
The counter "sfwTrustedLowLayerDrop" counts the number of packets dropped on the Trusted side because of ARP error, IP error, Fragmentation error, UDP error, ICMP error, N-Tuple classification error, Minimum size error.
Severity: Threshold 1 warning; Threshold 2 minor
sfwTrustedSipPass1Drop (trap id 1019)
When raised, this alarm means that the counter "pass1Drop", for the Peer Network identified by "peerNetIndex", has exceeded a threshold.
When cleared, this alarm means that the counter "pass1Drop", for the Peer Network identified by "peerNetIndex", has decreased below a threshold.
The counter "pass1Drop" counts the number of packets dropped on the Trusted side during the SIP Pass1 checks.
Severity: Threshold 1 warning; Threshold 2 minor
sfwTrustedSipPass2Drop (trap id 1020)
When raised, this alarm means that the counter "pass2Drop", for the Peer Network identified by "peerNetIndex", has exceeded a threshold.
When cleared, this alarm means that the counter "pass2Drop", for the Peer Network identified by "peerNetIndex", has decreased below a threshold.
The counter "pass2Drop" counts the number of packets dropped on the Trusted side during the SIP Pass2 checks.
Severity: Threshold 1 warning; Threshold 2 minor
sfwTcpSynFlood (trap id 1021)
When raised, this alarm means that a TCP SYN flood attack has been prevented on one of the interfaces of the SFW. As soon as the TCP SYN flood is detected, a TCP SYN regulation mechanism is started on the SFW interfaces. In that state the TCP SYNs are filtered to prevent the attack; however, TCP connection establishment is still possible for non-attackers.
Due to the TCP SYN regulation, the alarm will not be cleared before 30 seconds, even if the attack lasted only 1 second.
Severity: warning
sfwTcpResetFlood (trap id 1022)
When raised, this alarm means that the counter "tcpOutOfSeqResets", for the Peer Network identified by "peerNetIndex", has exceeded a threshold.
When cleared, this alarm means that the counter "tcpOutOfSeqResets", for the Peer Network identified by "peerNetIndex", has decreased below a threshold.
Severity: Threshold 1 warning; Threshold 2 minor
sfwTcpErrorsFlood (trap id 1023)
When raised, this alarm means that the counter "tcpInErrs", for the Peer Network identified by "peerNetIndex", has exceeded a threshold.
When cleared, this alarm means that the counter "tcpInErrs", for the Peer Network identified by "peerNetIndex", has decreased below a threshold.
Severity: Threshold 1 warning; Threshold 2 minor
sfwConfigurationChanged (trap id 1101)
This trap is sent when the SFW configuration has been "certified".
The configuration is "certified" with one of the following operations:
- either via CLI: "copy working certified"; note that this operation is allowed only after a "copy running working".
- or via SNMP set on the object sfwConfigMgmtCopyToFlash with the value copyWorkingCertified(2) in the branch sfwConfigMgmt of the SFW MIB ALU-SFW-MANAGEMENT-MIB.
Severity: warning
The SFW raises and clears most of its alarms, sending SNMP traps, when observation counters (or gauges) exceed predefined thresholds.
For this kind of alarm, there are 2 thresholds per object. This allows monitoring of the system behavior with 2 different severities per alarm. To easily correlate the counter (or gauge) thresholds and their related alarms, threshold identifiers and trap identifiers have common ids.
Table 2 SFW SNMP TRAPS Thresholds
(columns: Threshold names / Threshold id / Description / Associated Alarm / Trap id)

sfwBoardTemperatureTooHighTh1, sfwBoardTemperatureTooHighTh2 (1005.1, 1005.2)
Thresholds on the board temperature. When crossed an alarm is raised or cleared.
Associated alarm: sfwBoardTemperatureTooHigh (trap id 1005)

sfwHealthMonCpuAlertTh1, sfwHealthMonCpuAlertTh2 (1006.1, 1006.2)
Thresholds on the board CPU. When crossed an alarm is raised or cleared.
Associated alarm: sfwHealthMonCpuAlert (trap id 1006)

sfwHealthMonMemAlertTh1, sfwHealthMonMemAlertTh2 (1007.1, 1007.2)
Thresholds on the board Memory. When crossed an alarm is raised or cleared.
Associated alarm: sfwHealthMonMemAlert (trap id 1007)

sfwUntrLowLayerDropTh1, sfwUntrLowLayerDropTh2 (1008.1, 1008.2)
Thresholds on the counter of dropped messages on the Untrusted interface due to the following reasons:
• ARP error
• Invalid IP packet
• IP fragmentation error
• Invalid UDP packet
• Invalid ICMP packet
• Unknown source IP address
• Invalid destination IP:port
• UDP packet length below minimum size
Associated alarm: sfwUntrLowLayerDrop (trap id 1008)
sfwUntrSipPass1DropTh1, sfwUntrSipPass1DropTh2 (1009.1, 1009.2)
Thresholds on the counter of dropped messages during SIP pass1 checking on the Untrusted interface due to the following reasons:
• Configuration mismatch
• Output overloading
• No RPOC available within a load balancing group
• No Token bucket
• Out Of Sequence SIP message
• Maximum retries has been reached
• Malformed header
• Suspicious header format
• Lack of resources
Associated alarm: sfwUntrSipPass1Drop (trap id 1009)

sfwUntrSipPass1SuspectDropTh1, sfwUntrSipPass1SuspectDropTh2 (1010.1, 1010.2)
Thresholds on the counter of dropped messages during SIP pass1 parsing due to suspicious header format.
Associated alarm: sfwUntrSipPass1SuspectDrop (trap id 1010)

sfwUntrSipPass2MethodRateInQos0Th1, sfwUntrSipPass2MethodRateInQos0Th2 (1011.1, 1011.2)
Thresholds on the counter of packets on the Untrusted side downgraded to QOS0 during the Pass2 checks. A SIP message is downgraded to QOS0 when abnormal behavior has been observed for a SIP flow with the same IP/SIP signature.
Associated alarm: sfwUntrSipPass2MethodRateInQos0 (trap id 1011)

sfwUntrSipPass2DropTh1, sfwUntrSipPass2DropTh2 (1012.1, 1012.2)
Thresholds on the counter of dropped messages during SIP pass2 checking on the Untrusted interface due to the following reasons:
• Method rate limitation
• Malformed header
• Configuration mismatch
• Suspicious header format
• Admission Control
• Out Of Sequence SIP message
• Maximum retries has been reached
• Lack of resources
• SIPP parsing error during regeneration of the SIP message
Associated alarm: sfwUntrSipPass2Drop (trap id 1012)
sfwUntrSipMethodRateDropTh1, sfwUntrSipMethodRateDropTh2 (1013.1, 1013.2)
Thresholds on the counter of dropped messages during SIP pass2 checking due to rate limitation per SIP method.
Associated alarm: sfwUntrSipMethodRateDrop (trap id 1013)

sfwUntrSipAdmCtlCallDropTh1, sfwUntrSipAdmCtlCallDropTh2 (1014.1, 1014.2)
Thresholds on the counter of dropped messages during SIP pass2 checking due to Admission Control: the INVITE rate is greater than the available rate on the trusted side.
Associated alarm: sfwUntrSipAdmCtlCallDrop (trap id 1014)

sfwUntrustedLowLayerDropFragTh1, sfwUntrustedLowLayerDropFragTh2 (1015.1, 1015.2)
Thresholds on the counter of dropped messages due to IP fragmentation errors.
Associated alarm: sfwUntrIpFragAttackPrevented (trap id 1015)

sfwUntrArpAttackPreventedTh1, sfwUntrArpAttackPreventedTh2 (1016.1, 1016.2)
Thresholds on the counter of ARP errors.
Associated alarm: sfwUntrArpAttackPrevented (trap id 1016)

sfwUntrIcmpAttackPreventedTh1, sfwUntrIcmpAttackPreventedTh2 (1017.1, 1017.2)
Thresholds on the counter of ICMP errors.
Associated alarm: sfwUntrIcmpAttackPrevented (trap id 1017)

sfwTrustedLowLayerDropTh1, sfwTrustedLowLayerDropTh2 (1018.1, 1018.2)
Thresholds on the counter of dropped messages on the Trusted interface due to the following reasons:
• ARP error
• Invalid IP packet
• IP fragmentation error
• Invalid UDP packet
• Invalid ICMP packet
• Unknown source IP address
• Invalid destination IP:port
• UDP packet length below minimum size
Associated alarm: sfwTrustedLowLayerDrop (trap id 1018)
sfwTrustedSipPass1DropTh1, sfwTrustedSipPass1DropTh2 (1019.1, 1019.2)
Thresholds on the counter of dropped messages during SIP pass1 checking on the Trusted interface due to the following reasons:
• Configuration mismatch
• Out Of Sequence SIP message
• Maximum retries has been reached
• Malformed header
• Suspicious header format
• Lack of resources
Associated alarm: sfwTrustedSipPass1Drop (trap id 1019)

sfwTrustedSipPass2DropTh1, sfwTrustedSipPass2DropTh2 (1020.1, 1020.2)
Thresholds on the counter of dropped messages during SIP pass2 checking on the Trusted interface due to the following reasons:
• Malformed header
• Configuration mismatch
• Suspicious header format
• Out Of Sequence SIP message
• Maximum retries has been reached
• Lack of resources
• SIPP parsing error during regeneration of the SIP message
Associated alarm: sfwTrustedSipPass2Drop (trap id 1020)

sfwTcpResetFloodTh1, sfwTcpResetFloodTh2 (1022.1, 1022.2)
Thresholds on the counter of TCP resets detected as out-of-sequence.
Associated alarm: sfwTcpResetFlood (trap id 1022)

sfwTcpInErrsTh1, sfwTcpInErrsTh2 (1023.1, 1023.2)
Thresholds on the counter of TCP segments received in error and dropped by the firewall.
Associated alarm: sfwTcpErrorsFlood (trap id 1023)
Table 3 SFW SNMP TRAPS format
SFW sends SNMP traps using the following X.733 format. This format is also the one described in the “Active Alarm Table” of the MIB ALCATEL-OMCCN-ALARMMANAGEMENT-MIB.
Field Description
TrapSequenceNumber This is the sequence number of the sent trap
Identifier Identifies the trap sent.
ManagedObjectClass Identifies the SFW Object Class on which the trap applies.
ManagedObjectInstance Identifies the SFW Object Instance on which the trap applies.
FriendlyName Identifies the name of the SFW sending the trap.
EventType Enum value corresponding with event type according to X.733.
EventTime The date and time at which the event indicated in the trap occurred.
Severity Enum value corresponding with the severity of the event reported in the trap: Critical = 1, Major = 2, Minor = 3, Warning = 4, Cleared = 5
3GPPProbableCause Enum value indicate the probable cause according to 3GPP.
SpecificProblem Provides additional information on the meaning of the trap.
AdditionnalText Identifies the 7510 hosting the SFW.
ThresholdInfoAttribute Identifies the name of SFW counters monitored to send the trap.
ThresholdInfoValue Value of the SFW counters which kick off the trap.
ThresholdInfoDirection
ThresholdInfoTriggerHigh Higher Threshold on the SFW counter identified by “ThresholdInfoAttribute”
ThresholdInfoTriggerLow Lower Threshold on the SFW counter identified by “ThresholdInfoAttribute”
UserLabel This text field explains clearly the meaning of the trap.
ProposedRepairAction This field explains the actions that could be done to solve the problemreported by this trap.
AdditionnalInfoName1 Provides additional information on the reason of the trap.
AdditionnalInfoValue1 Provides additional information on the reason of the trap.
AdditionnalInfoName2 Provides additional information on the reason of the trap.
AdditionnalInfoValue2 Provides additional information on the reason of the trap.
AdditionnalInfoName3 Provides additional information on the reason of the trap.
AdditionnalInfoValue3 Provides additional information on the reason of the trap.
AdditionnalInfoName4 Provides additional information on the reason of the trap.
AdditionnalInfoValue4 Provides additional information on the reason of the trap.
AdditionnalInfoName5 Provides additional information on the reason of the trap.
AdditionnalInfoValue5 Provides additional information on the reason of the trap.
SFW Alarm content example:
Field                     sfwLinkDown                                     sfwBoardTemperatureTooHigh
TrapSequenceNumber
Identifier                1001                                            1005
ManagedObjectClass        ifTable                                         boardTable
ManagedObjectInstance     ifIndex                                         boardIndex
FriendlyName              sysName                                         sysName
EventType                 equipment                                       equipment
EventTime
Severity                  major                                           major
3GPPProbableCause         linkFailure                                     temperatureUnacceptable
SpecificProblem           ifOperStatus                                    none
AdditionnalText           sfw7510Name                                     sfw7510Name
ThresholdInfoAttribute    none                                            boardTemperature
ThresholdInfoValue        none                                            BoardTemperature value
ThresholdInfoDirection    none                                            Up | down
ThresholdInfoTriggerHigh  none                                            sfwBoardTemperatureTooHighTh2 value
ThresholdInfoTriggerLow   none                                            sfwBoardTemperatureTooHighTh1 value
UserLabel                 Link Status Change                              Board Temperature Too High
ProposedRepairAction      See alarm description in SFW proprietary Mib.   See alarm description in SFW proprietary Mib.
AdditionnalInfoName1      ifDescr                                         none
AdditionnalInfoValue1     ifDescr value                                   none
AdditionnalInfoName2      ifAdminStatus                                   none
AdditionnalInfoValue2     ifAdminStatus value                             none
AdditionnalInfoName3      none                                            none
AdditionnalInfoValue3     none                                            none
AdditionnalInfoName4      none                                            none
AdditionnalInfoValue4     none                                            none
AdditionnalInfoName5      none                                            none
AdditionnalInfoValue5     none                                            none
snmp station stationId ip ip_address
Purpose
The purpose of the following command is to create or modify a SNMP station to receive the traps
sent by the firewall.
Commands
snmp station stationId ip ip_address [port port_num] community {community_string | username} version {v2c | v3} [enable | disable]
Arguments
stationId
This is the identifier of the SNMP station. Up to 5 SNMP stations can be configured.
ip_address
This is the IP address to which SNMP unicast traps will be sent.
port_num
This is the listening UDP port of the SNMP station. This parameter is optional. The
default value is 162.
community_string
This is the community string used when sending traps in V2c. This string must be between 1 and 32 characters.
username
This is the username used when sending traps in V3.
version
With this release traps can be sent in V2c only.
enable | disable
If this parameter is set to “disable”, the SNMP trap will not be sent towards the SNMP station.
Example
-> snmp station 1 ip 139.54.128.9 port 163 community public version v2c enable
snmp station stationId {enable | disable}
Purpose
The purpose of the following command is to disable the SNMP trap forwarding towards a
configured SNMP station.
Commands
snmp station stationId {enable | disable}
Arguments
stationId
This is the identifier of the SNMP station.
enable | disable
If this parameter is set to “disable”, the SNMP trap will not be sent towards the SNMP station.
Example
-> snmp station 1 disable
no snmp station stationId
Purpose
The purpose of the following command is to delete a SNMP station.
Commands
no snmp station stationId
Arguments
stationId
This is the identifier of the SNMP station.
Example
-> no snmp station 1
show snmp station
Purpose
The purpose of the following command is to display the SNMP stations configuration.
Commands
show snmp station
Example
-> show snmp station
+------------+--------------------+--------+----------+-----------+
! Station Id ! IpAddress/udpPort ! Status ! Protocol ! Community !
+------------+--------------------+--------+----------+-----------+
! 1 ! 139.54.128.9/162 ! Enable ! v2c ! public !
! 2 ! 139.54.128.112/162 ! Enable ! v2c ! public !
+------------+--------------------+--------+----------+-----------+
show snmp alarm thresholds
Purpose
The purpose of the following command is to display the current configuration of the alarm
thresholds.
Refer to the Table 1 “SFW SNMP TRAPS” and the Table 2 “SFW SNMP TRAPS Thresholds”
described at the beginning of this section to get a detailed description of the SNMP alarms
managed by the SFW.
Commands
show snmp alarm thresholds
Outputs information
Ids
There are two thresholds per alarm. If needed, the threshold Id identifies the threshold to be modified with the command “snmp alarm modify threshold threshold_id value new_value”.
Thresholds names
The name of the threshold is provided to easily correlate the threshold with the related SNMP trap.
Values
This is the threshold value.
Example
-> show snmp alarm thresholds
+--------+------------------------------------+--------+
! Ids ! Thresholds names ! values !
+--------+------------------------------------+--------+
! 1005.1 ! sfwBoardTemperatureTooHighTh1 ! 67 !
! 1005.2 ! sfwBoardTemperatureTooHighTh2 ! 70 !
! 1006.1 ! sfwHealthMonCpuAlertTh1 ! 90 !
! 1006.2 ! sfwHealthMonCpuAlertTh2 ! 95 !
! 1007.1 ! sfwHealthMonMemAlertTh1 ! 85 !
! 1007.2 ! sfwHealthMonMemAlertTh2 ! 95 !
! 1008.1 ! sfwUntrLowLayerDropTh1 ! 10000 !
! 1008.2 ! sfwUntrLowLayerDropTh2 ! 50000 !
! 1009.1 ! sfwUntrSipPass1DropTh1 ! 1000 !
+--------+------------------------------------+--------+
! 1009.2 ! sfwUntrSipPass1DropTh2 ! 5000 !
! 1010.1 ! sfwUntrSipPass1SuspectDropTh1 ! 100 !
! 1010.2 ! sfwUntrSipPass1SuspectDropTh2 ! 500 !
! 1011.1 ! sfwUntrSipPass2MethodRateInQos0Th1 ! 100 !
! 1011.2 ! sfwUntrSipPass2MethodRateInQos0Th2 ! 500 !
! 1012.1 ! sfwUntrSipPass2DropTh1 ! 100 !
! 1012.2 ! sfwUntrSipPass2DropTh2 ! 500 !
! 1013.1 ! sfwUntrSipMethodRateDropTh1 ! 100 !
! 1013.2 ! sfwUntrSipMethodRateDropTh2 ! 500 !
! 1014.1 ! sfwUntrSipAdmCtlCallDropTh1 ! 100 !
! 1014.2 ! sfwUntrSipAdmCtlCallDropTh2 ! 500 !
! 1015.1 ! sfwUntrIpFragAttackPreventedTh1 ! 1000 !
! 1015.2 ! sfwUntrIpFragAttackPreventedTh2 ! 5000 !
! 1016.1 ! sfwUntrArpAttackPreventedTh1 ! 1000 !
! 1016.2 ! sfwUntrArpAttackPreventedTh2 ! 5000 !
! 1017.1 ! sfwUntrIcmpAttackPreventedTh1 ! 1000 !
! 1017.2 ! sfwUntrIcmpAttackPreventedTh2 ! 5000 !
! 1018.1 ! sfwTrustedLowLayerDropTh1 ! 1000 !
! 1018.2 ! sfwTrustedLowLayerDropTh2 ! 5000 !
! 1019.1 ! sfwTrustedSipPass1DropTh1 ! 100 !
! 1019.2 ! sfwTrustedSipPass1DropTh2 ! 500 !
! 1020.1 ! sfwTrustedSipPass2DropTh1 ! 100 !
! 1020.2 ! sfwTrustedSipPass2DropTh2 ! 500 !
! 1022.1 ! sfwTcpResetFloodTh1 ! 100 !
! 1022.2 ! sfwTcpResetFloodTh2 ! 500 !
! 1023.1 ! sfwTcpErrorFloodTh1 ! 100 !
! 1023.2 ! sfwTcpErrorFloodTh2 ! 500 !
+--------+------------------------------------+--------+
snmp alarm modify threshold threshold_id
Purpose
The purpose of the following command is to modify a threshold value associated with an SNMP
trap. This operation must be done with caution because the SFW raises or clears alarms based on
the fact that counters or gauges are crossing thresholds.
Commands
snmp alarm modify threshold threshold_id value new_value
Arguments
threshold_id
This is the identifier of the Alarm threshold to be modified. The command “show snmp
alarm thresholds” allows retrieving the Thresholds Ids. There are 2 thresholds per alarm to
manage 2 severities per alarm.
new_value
For alarm 1005 the thresholds are given in °Celsius.
For alarms 1006 and 1007, the thresholds represent a percentage of CPU or memory.
For other alarms, the thresholds represent a number of events per second.
For example:
+--------+------------------------------------+--------+
! Ids ! Thresholds names ! values !
+--------+------------------------------------+--------+
! 1010.1 ! sfwUntrSipPass1SuspectDropTh1 ! 100 !
The alarm 1010 is raised when the gauge associated with the counter
"pass1DropSipSuspicious" exceeds the threshold value 100.
The gauge is the variation of the counter during one second.
Refer to the Table 1 “SFW SNMP TRAPS” and the Table 2 “SFW SNMP TRAPS
Thresholds” described at the beginning of this section to get a detailed description
of the SNMP alarms managed by the SFW.
Example
-> snmp alarm modify threshold 1010.1 value 200
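The following Python script is an added example, not code from this guide or from the SFW: it parses a constructed excerpt of “show snmp alarm thresholds” output in the layout shown above, derives the per-second gauge from a constructed cumulative series of the counter "pass1DropSipSuspicious", and replays the raise/clear behaviour of alarm 1010 against Th1 and Th2, tagging each event with the X.733 severity values from Table 3. Treating each threshold id as its own raise/clear state and treating the trap's filter-delay as the polling interval are this example's assumptions.

```python
import re
from dataclasses import dataclass

# X.733 severity enum values as listed in Table 3 (SFW SNMP TRAPS format).
SEVERITY = {"warning": 4, "minor": 3, "cleared": 5}

# Constructed excerpt in the layout of "show snmp alarm thresholds"
# (the values are the defaults the guide shows for alarm 1010).
THRESHOLDS_OUTPUT = """\
+--------+------------------------------------+--------+
! Ids    ! Thresholds names                   ! values !
+--------+------------------------------------+--------+
! 1010.1 ! sfwUntrSipPass1SuspectDropTh1      ! 100    !
! 1010.2 ! sfwUntrSipPass1SuspectDropTh2      ! 500    !
+--------+------------------------------------+--------+
"""

# Constructed cumulative readings of "pass1DropSipSuspicious" for one
# Peer Network, one reading per second (index 0 = start of observation).
SAMPLE_COUNTER = [0, 20, 40, 200, 900, 1700, 1900, 1950, 1960]

_ROW = re.compile(r"^!\s*(\d{4})\.([12])\s*!\s*(\S+)\s*!\s*(\d+)\s*!$")


def parse_thresholds(text):
    """Map trap id -> {1: Th1 value, 2: Th2 value} from the CLI table."""
    thresholds = {}
    for line in text.splitlines():
        m = _ROW.match(line.strip())
        if m:
            trap_id, idx, _name, value = m.groups()
            thresholds.setdefault(int(trap_id), {})[int(idx)] = int(value)
    return thresholds


@dataclass
class AlarmEvent:
    threshold_id: str   # e.g. "1010.2"; thresholds and traps share ids
    second: int         # second at which the poll fired
    gauge: int          # counter variation over the previous second
    severity: str       # "warning" (Th1), "minor" (Th2) or "cleared"
    x733_severity: int  # enum value carried in the trap's Severity field


def evaluate(trap_id, thresholds, counter, filter_delay=1):
    """Replay per-second counter readings and emit raise/clear events.

    The gauge is the counter's variation during one second. Each threshold
    (Th1 -> warning, Th2 -> minor) is modelled as its own state: raised
    once the gauge exceeds it, cleared once the gauge drops below it again.
    The check runs every `filter_delay` seconds, like the trap's
    filter-delay. Both modelling choices are assumptions of this example.
    """
    label = {1: "warning", 2: "minor"}
    active = {1: False, 2: False}
    events = []
    for sec in range(filter_delay, len(counter), filter_delay):
        gauge = counter[sec] - counter[sec - 1]
        for idx in (1, 2):
            tid = f"{trap_id}.{idx}"
            if not active[idx] and gauge > thresholds[idx]:
                active[idx] = True
                events.append(AlarmEvent(tid, sec, gauge, label[idx],
                                         SEVERITY[label[idx]]))
            elif active[idx] and gauge < thresholds[idx]:
                active[idx] = False
                events.append(AlarmEvent(tid, sec, gauge, "cleared",
                                         SEVERITY["cleared"]))
    return events


if __name__ == "__main__":
    th = parse_thresholds(THRESHOLDS_OUTPUT)[1010]
    # A longer filter-delay shifts when the crossings are noticed, and the
    # sec-3 warning and sec-4 minor raises collapse into one poll.
    for delay in (1, 2):
        print(f"filter-delay {delay}s:")
        for e in evaluate(1010, th, SAMPLE_COUNTER, filter_delay=delay):
            print(f"  t={e.second:>2}s gauge={e.gauge:>4} {e.threshold_id} "
                  f"{e.severity} (X.733 severity {e.x733_severity})")
```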
show snmp trap config
Purpose
The purpose of the following command is to display information about the traps managed by
the SFW.
Commands
show snmp trap config
Outputs information
Traps list
SNMP trap names are chosen to be meaningful.
Id
This is the identifier of the snmp trap.
Severity
This is the alarm severity associated with the snmp trap.
Most of the alarms are managed with 2 thresholds. This allows managing 2 severities. The severity displayed with “show snmp trap config” is the severity associated with the lower threshold.
Refer to the Table 1 “SFW SNMP TRAPS” and the Table 2 “SFW SNMP TRAPS Thresholds” described at the beginning of this section to get a detailed description of the SNMP alarms managed by the SFW.
Filter-delay
By default most of the traps are absorbed with a delay of 2 seconds but this value can be
modified with the command “snmp trap trap_id filter-delay delay”.
Status
“enable” means that the SNMP trap will be sent if the corresponding event occurs.
By default all traps are enabled but can be disabled with the command “snmp trap trap_id {enable | disable}”.
Example
-> show snmp trap config
+-----------------------------------+------+----------+--------------+--------+
! Traps list ! Id ! Severity ! Filter-delay ! Status !
+-----------------------------------+------+----------+--------------+--------+
! sfwLinkDown ! 1001 ! major ! 1 ! enable !
! sfwBoardActLossStbSupervision ! 1002 ! major ! 2 ! enable !
! sfwIbcfCcsStatusChange ! 1003 ! warning ! 4 ! enable !
! sfwLoadBalancingGroupStatusChange ! 1004 ! major ! 4 ! enable !
! sfwBoardTemperatureTooHigh ! 1005 ! major ! 10 ! enable !
! sfwHealthMonCpuAlert ! 1006 ! major ! 10 ! enable !
! sfwHealthMonMemAlert ! 1007 ! major ! 10 ! enable !
! sfwUntrLowLayerDrop ! 1008 ! warning ! 2 ! enable !
! sfwUntrSipPass1Drop ! 1009 ! warning ! 2 ! enable !
! sfwUntrSipPass1SuspectDrop ! 1010 ! warning ! 2 ! enable !
! sfwUntrSipPass2MethodRateInQos0 ! 1011 ! warning ! 2 ! enable !
! sfwUntrSipPass2Drop ! 1012 ! warning ! 2 ! enable !
! sfwUntrSipMethodRateDrop ! 1013 ! warning ! 2 ! enable !
! sfwUntrSipAdmCtlCallDrop ! 1014 ! warning ! 2 ! enable !
! sfwUntrIpFragAttackPrevented ! 1015 ! warning ! 2 ! enable !
! sfwUntrArpAttackPrevented ! 1016 ! warning ! 2 ! enable !
! sfwUntrIcmpAttackPrevented ! 1017 ! warning ! 2 ! enable !
! sfwTrustedLowLayerDrop ! 1018 ! warning ! 2 ! enable !
! sfwTrustedSipPass1Drop ! 1019 ! warning ! 2 ! enable !
! sfwTrustedSipPass2Drop ! 1020 ! warning ! 2 ! enable !
! sfwTcpSynFlood ! 1021 ! warning ! 2 ! enable !
! sfwTcpResetFlood ! 1022 ! warning ! 2 ! enable !
! sfwTcpErrorFlood ! 1023 ! warning ! 2 ! enable !
! sfwConfigMgmtCopyToFlash ! 1101 ! warning ! 2 ! enable !
+-----------------------------------+------+----------+--------------+--------+
snmp trap trap_id filter-delay delay
Purpose
The SFW SNMP agent is polling objects (counters, gauges, status) to check if a condition is
reached and if so it sends the appropriate SNMP traps to report Alarms or Events. The default
polling timer is 1, 2, 4 or 10 seconds depending on the trap id.
For example the trap “sfwBoardTemperatureTooHigh” has a default filter delay of 10 seconds.
This means that the temperature is checked every 10 seconds.
This polling interval value can be modified for each trap.
Commands
snmp trap trap_id filter-delay delay
Arguments
trap_id
This is the identifier of the trap to be modified. The command “show snmp trap config”
allows retrieving the Trap Ids.
delay
This is the new filtering delay in seconds.
Example
-> snmp trap 1011 filter-delay 5
snmp trap trap_id {enable | disable}
Purpose
The purpose of the following command is to enable or disable the sending of a trap. By default all
traps are enabled.
Commands
snmp trap trap_id {enable | disable}
Arguments
trap_id
This is the identifier of the trap to be modified. The command “show snmp trap config”
allows retrieving the Trap Ids.
Example
-> snmp trap 1011 disable
snmp trap restore default
Purpose
The purpose of the following command is to restore the default values, filtering delay and status,
for the trap management.
Commands
snmp trap restore default
show snmp alarm active
Purpose
The purpose of the following command is to display the alarms currently active, that is, the alarms that have been raised by sending an SNMP trap but not yet cleared.
This CLI provides the same information as an SNMP get on the table “activeAlarmsTable” of the proprietary MIB ALCATEL-OMCCN-ALARMMANAGEMENT-MIB.
Commands
show snmp alarm active
Outputs information
Sequence number
This is the trapSequenceNumber set in the corresponding SNMP traps.
trap id & trap name
Identify the alarm.
MIB object
Identifies the SFW object causing the alarm.
Example
-> show snmp alarm active
+----------+------+----------------------------+---------------+----------------------+----------+
! Sequence ! trap ! trap name ! MIB object ! date and time ! severity !
! number ! id ! ! ! ! !
+----------+------+----------------------------+---------------+----------------------+----------+
! 27 ! 1005 ! sfwBoardTemperatureTooHigh ! boardTable.10 ! 2011 Jul 12 9:40:58 ! major !
! 26 ! 1005 ! sfwBoardTemperatureTooHigh ! boardTable.11 ! 2011 Jul 12 9:40:58 ! major !
! 13 ! 1001 ! sfwLinkDown ! ifTable.117 ! 2011 Jul 12 2:21:50 ! major !
! 12 ! 1001 ! sfwLinkDown ! ifTable.116 ! 2011 Jul 12 2:21:50 ! major !
! 8 ! 1001 ! sfwLinkDown ! ifTable.107 ! 2011 Jul 12 2:21:50 ! major !
! 7 ! 1001 ! sfwLinkDown ! ifTable.106 ! 2011 Jul 12 2:21:50 ! major !
+----------+------+----------------------------+---------------+----------------------+----------+
17 Users Management
Purpose
This paragraph provides information about Users Management on the SIP firewall.
Introduction
The User Management CLI commands allow you to create, modify or delete the users that will be authorized to manage the SFW firewall via the CLI.
Additionally, with the commands listed hereafter, CLI commands are partitioned according to the “user level” parameter.
Summary of the CLI for Users Management
Users management
user username password
user username level {adm|ope|viewer}
user username no-snmp
user username auth {sha | md5} priv {aes | des}
no user username
show user [adm|ope|viewer]
show user cmd [adm|ope|viewer]
user username password
Purpose
The purpose of the following command is to create a user entry in the local user database. You must be logged in with “Administrator” privilege to be authorized to run this command.
Additionally, this command allows the operator to modify a user’s password.
Users with “Administrator” privileges can change the password of any user.
Users with “operator” or “viewer” privileges can change only their own password.
By default, a new user is created with “operator” privileges. This can be modified later with the CLI command “user username level {adm|ope|viewer}”.
Commands
user username password
Arguments
username
This is the name of the user used for logging into the SFW.
password
The password is not displayed in clear text and must be entered twice for security
reasons.
-> user sfwUser password
enter password : *********
password again : *********
Command successful
The password minimum length is 8 alphanumeric characters.
These characters must be chosen from the following 4 categories:
• Digits [0-9]
• Lower case letters [a-z]
• Upper case letters [A-Z]
• Special characters [!"#$%&')*+,-./;<=>?@\^_`|}~]
The password must contain characters from at least 3 of these categories.
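A pre-check an operator can run before typing a new password into “user username password”, implementing the rules stated above (minimum length, the 4 categories, at least 3 of them present). This is an added example, not SFW code; the special-character set is copied from the list above, and the SFW’s own check may differ in detail.

```python
"""Check a candidate password against the policy the guide states for
"user username password": at least 8 characters, every character from one of
the 4 categories (digits, lower case, upper case, the listed specials), and
at least 3 categories represented. Added example, not SFW code."""
import string

DIGITS = set(string.digits)
LOWER = set(string.ascii_lowercase)
UPPER = set(string.ascii_uppercase)
# Special characters exactly as the guide lists them
# (note: '(' ':' '[' ']' '{' and space are not in the list).
SPECIAL = set('!"#$%&\')*+,-./;<=>?@\\^_`|}~')
CATEGORIES = {"digit": DIGITS, "lower": LOWER, "upper": UPPER, "special": SPECIAL}
MIN_LENGTH = 8
MIN_CATEGORIES = 3


def password_categories(password):
    """Return the set of category names that occur in `password`."""
    return {name for name, chars in CATEGORIES.items()
            if any(c in chars for c in password)}


def check_password(password):
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"too short: {len(password)} characters, minimum is {MIN_LENGTH}")
    allowed = set().union(*CATEGORIES.values())
    outside = sorted({c for c in password if c not in allowed})
    if outside:
        problems.append("characters outside the 4 allowed categories: " + "".join(outside))
    found = password_categories(password)
    if len(found) < MIN_CATEGORIES:
        problems.append(f"only {len(found)} of the required {MIN_CATEGORIES} categories used"
                        f" ({', '.join(sorted(found)) or 'none'})")
    return problems


if __name__ == "__main__":
    for candidate in ("Sfw-Pass9", "sfwuser1", "Sfw Pass9"):  # constructed samples
        print(repr(candidate), check_password(candidate) or "OK")
```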
user username level {adm | ope | viewer}
Purpose
The purpose of the following command is to modify the privileges of a user and thus the authorized CLI domains. By default, users are created with “operator” privileges.
You must be logged in with “Administrator” privilege to be authorized to run this command.
Commands
user username level {adm|ope|viewer}
Arguments
level
There are three types of users with different levels of privileges.
level viewer
This is the lowest level. It gives limited privileges to the user.
Such a user can run only the “show” CLI commands, to display the SFW configuration.
The command “show user cmd viewer” provides the list of commands authorized for this
level.
level ope
This is the intermediate level. It gives operator privileges to the user.
This means that the user can run all CLI commands except the commands to
create, modify or delete “users”.
The command “show user cmd ope” provides the list of commands authorized for this
level in addition to the lower level.
level adm
This is the highest level. It gives administrator privileges to the user.
This means that the user can run all CLI commands.
The command “show user cmd adm” provides the list of commands authorized for this
level in addition to the lower levels.
Example
-> user visitor level viewer
user username no snmp
Purpose
The purpose of the following command is to deny SNMP access to the SFW for the specified user.
Commands
user username no snmp
Arguments
username
This is the name of the user.
Example
-> user visitorCLI no snmp
user username auth { sha | md5} priv {aes | des}
Purpose
The purpose of the following command is to configure the SNMP V3 authentication and encryption algorithms for a given user.
Commands
user username auth {sha | md5} priv {aes | des}
Arguments
username
This is the name of the user.
auth
Specifies that the SHA or MD5 authentication algorithm should be used for authenticating
SNMP PDUs for the user.
priv
Specifies that the AES or DES encryption standard should be used for encrypting SNMP PDUs for the user.
Example
-> user admin auth sha priv des
no user username
Purpose
The purpose of the following command is to delete a user entry from the local user database. You must be logged in with “Administrator” privilege to be authorized to run this command.
Commands
no user username
Arguments
username
This is the name of the user to be deleted.
Example
-> no user visitor
show user cmd [adm|ope|viewer]
Purpose
The purpose of the following command is to display the list of CLI commands allowed for a given user level beyond the commands already authorized for the lower level.
This means, for example, that when running the command “show user cmd ope” the output does
not display the “show” commands that are inherited from the lower user level “viewer”. If the user level is not provided, all CLI commands are displayed with their respective
level.
Commands
show user cmd [adm | ope | viewer]
Example
->show user cmd viewer
+--------+------+----------------------------------------------------------+
! Level ! Mode ! CLI !
+--------+------+----------------------------------------------------------+
! viewer ! All ! show snmp trap active !
! viewer ! All ! show snmp alarm active !
! viewer ! All ! show monitoring-host statistics !
! viewer ! All ! show dscp default !
! viewer ! All ! show certificate local [<1..32>] !
! viewer ! All ! show certificate ca [<1..64>] !
! viewer ! All ! show certificate local {details|pem} <1..32> !
! viewer ! All ! show certificate ca {details|pem} <1..64> !
! viewer ! All ! show tls-profile [<1..32>] !
! viewer ! All ! show dns-internal [peer-net <1..2047>] !
! viewer ! All ! show sfw status !
! viewer ! All ! show peer-net [<1..2047>] connectivity !
! viewer ! All ! show load-balancing-group [<1..32>] connectivity !
! viewer ! All ! show ntp server !
! viewer ! All ! show tcp statistics oam !
! viewer ! All ! show tcp statistics untrusted [<1..2047>] !
! viewer ! All ! show tcp statistics trusted [<1..2047>] !
! viewer ! All ! show tcp statistics !
! viewer ! All ! show tcp syn !
! viewer ! All ! show system !
+--------+------+----------------------------------------------------------+
! Level ! Mode ! CLI !
+--------+------+----------------------------------------------------------+
! viewer ! All ! show syslog !
! viewer ! All ! show snmp community !
! viewer ! All ! show snmp station !
! viewer ! All ! show snmp alarm config !
! viewer ! All ! show snmp trap config !
! viewer ! All ! show configuration consistency !
! viewer ! All ! show snmp trap thresholds !
! viewer ! All ! show snmp alarm thresholds !
! viewer ! All ! show monitoring-host !
! viewer ! All ! show user cmd [adm|ope|viewer] !
! viewer ! All ! show running-directory !
! viewer ! All ! show peer-net <1..2047> lpoc !
! viewer ! All ! show trunk [trusted|untrusted|oam|inter-dhspp4] port !
! viewer ! All ! show configuration {running|working|certified} !
! viewer ! All ! show interfaces [S/P] !
! viewer ! All ! show load-balancing-group [<1..32>] rpoc [<1..32>] !
! viewer ! All ! show vlan [<0..4095>] !
! viewer ! All ! show trunk [trusted|untrusted|oam|inter-dhspp4] !
! viewer ! All ! show security-profile [<1..32>] !
! viewer ! All ! show peer-net [<1..2047>] rpoc [<1..63>] !
+--------+------+----------------------------------------------------------+
! Level ! Mode ! CLI !
+--------+------+----------------------------------------------------------+
! viewer ! All ! show peer-net [<1..2047>] !
! viewer ! All ! show peer-net [<1..2047>] statistics [trusted|untrusted] !
! viewer ! All ! show lpoc [untrusted [<1..128>]] !
! viewer ! All ! show lpoc [trusted [<1..128>]] !
! viewer ! All ! show port [untrusted [<1..128>]] !
! viewer ! All ! show port [trusted [<1..128>]] !
! viewer ! All ! show load-balancing-group [<1..32>] !
! viewer ! All ! show peer-net [<1..2047>] filter [<1..32>] !
! viewer ! CLI ! history !
! viewer ! CLI ! quit !
+--------+------+----------------------------------------------------------+
show user [adm|ope|viewer]
Purpose
The purpose of the following command is to display the existing users.
Commands
show user [adm | ope| viewer]
Example
-> show user
+-----------------+-------+------+------+
! name ! level ! auth ! priv !
+-----------------+-------+------+------+
! root ! admin ! none ! none !
! sfwNonRegTester ! admin ! sha ! des !
+-----------------+-------+------+------+
18 Syslog Management
Purpose
This paragraph provides information about Syslog Management on the SIP firewall.
Introduction
The SFW supports sending SYSLOG messages in accordance with RFC 3164 and RFC
5424. SYSLOG messages are transmitted over UDP, according to RFC 5426.
SYSLOG messages can be sent either on the OAM interface or on the trusted interface.
Summary of the CLI for Syslog Management
Syslog management
syslog-server oam ip ip-address [port port-nb]
syslog-server trusted ip ip-address [port port-nb] vlan vlan-id lpoc lpoc-id
syslog-server [ip ip-address] [port port-nb] [vlan vlan-id] [lpoc lpoc-id]
syslog [rate messages-per-seconds] [length max-message-length] [facility facility-code] [rfc3164|rfc5424]
no syslog-server
show syslog
syslog-server oam ip ip-address
Purpose
The purpose of the following command is to define a syslog-server accessible via the OAM interface, that is, via the Ethernet port used for accessing the SFW CLI session through the SCM board.
In that case the source IP address of the Syslog messages is the OAM IP address of the SFW.
Commands
syslog-server oam ip ip-address [port port-nb]
Arguments
ip-address
This is the IPv4 address of the Syslog server.
port-nb
This is the UDP listening port of the Syslog server. If port-nb is not specified, the default
SYSLOG UDP port number is 514.
Example
-> syslog-server oam ip 155.132.232.30
syslog-server trusted ip ip-address
Purpose
The purpose of the following command is to define a syslog-server accessible via the trusted interface.
Commands
syslog-server trusted ip ip-address [port port-nb] vlan vlan-id lpoc lpoc-id
Arguments
ip-address
This is the IPv4 address of the Syslog server.
port-nb
This is the UDP listening port of the Syslog server. If port-nb is not specified, the default
SYSLOG UDP port number is 514.
vlan-id
This is the VLAN identifier on the trusted side of the firewall on which the Syslog messages have to be sent to reach the syslog server.
lpoc-id
The lpoc-id selects the source IP address of the Syslog messages to be sent. It
must be a “trusted” lpoc. Run the command “show lpoc trusted” to choose the lpoc-id
according to the source IPv4 address you want for the Syslog messages.
Example
-> syslog-server trusted ip 192.168.2.33 port 514 vlan 200 lpoc 128
syslog-server [ip] [port] [vlan] [lpoc]
Purpose
The purpose of the following command is to modify the attributes of a syslog-server.
Commands
syslog-server [ip ip-address] [port port-nb] [vlan vlan-id] [lpoc lpoc-id]
Arguments
ip-address
This is the IPv4 address of the Syslog server.
port-nb
This is the UDP listening port of the Syslog server. If port-nb is not specified, the default
SYSLOG UDP port number is 514.
vlan-id
This is the VLAN identifier on the trusted side of the firewall on which the Syslog messages
have to be sent to reach the syslog server. The vlan-id can only be modified if the syslog-server has been defined as accessible via the “trusted” interface with the
command “syslog-server trusted ip”.
lpoc-id
The lpoc-id selects the source IP address of the Syslog messages to be sent. It
must be a “trusted” lpoc. Run the command “show lpoc trusted” to choose the lpoc-id
according to the source IPv4 address you want for the Syslog messages. The lpoc-id
can only be modified if the syslog-server has been defined as accessible via the
“trusted” interface with the command “syslog-server trusted ip”.
Example
-> syslog-server ip 192.168.2.34
-> syslog-server port 512
-> syslog-server vlan 201
syslog [rate] [length] [facility] [rfc3164 | rfc5424]
Purpose
The behavior of the SYSLOG client on the SFW can be modified using the following command.
Commands
syslog [rate messages-per-seconds] [length max-message-length] [facility facility-code]
[rfc3164|rfc5424]
Arguments
messages-per-seconds
Output rate for SYSLOG messages [0 – 100]. If messages-per-seconds is not
specified, a default value of 50 is used.
max-message-length
Maximum SYSLOG message length [480 – 8000]. If max-message-length is not specified, a default value of 1024 is used.
facility-code
SYSLOG facility code [0..23]. The facility-code value is taken from the System Message Facilities list of RFC 5424. It is used to build the PRI field of the SYSLOG
message. If not specified, a default value of 1 (user-level messages) is used.
Numerical Code  Facility
0   kernel messages
1   user-level messages
2   mail system
3   system daemons
4   security/authorization messages
5   messages generated internally by syslogd
6   line printer subsystem
7   network news subsystem
8   UUCP subsystem
9   clock daemon
10  security/authorization messages
11  FTP daemon
12  NTP subsystem
13  log audit
14  log alert
15  clock daemon (note 2)
16  local use 0 (local0)
17  local use 1 (local1)
18  local use 2 (local2)
19  local use 3 (local3)
20  local use 4 (local4)
21  local use 5 (local5)
22  local use 6 (local6)
23  local use 7 (local7)
rfc3164 | rfc5424
Selects the RFC 3164 or RFC 5424 SYSLOG message format. The default SYSLOG message format conforms to RFC 3164.
Example
-> syslog rate 10 length 512 facility 1
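To make the effect of the four “syslog” parameters concrete, the added example below models a generic SYSLOG client that applies them: facility-code goes into the PRI field (PRI = facility × 8 + severity), rfc3164|rfc5424 selects the header layout, max-message-length truncates the datagram and messages-per-seconds drives a per-second rate limiter. This is not SFW code and does not reproduce the SFW’s exact output; the sample timestamp is taken from the alarm example earlier in this guide.

```python
"""SYSLOG message construction shaped by the 'syslog' command's parameters.
Added example, not SFW code: PRI computation and header layouts follow
RFC 3164 / RFC 5424; truncation and rate limiting model the guide's
max-message-length and messages-per-seconds arguments."""
import datetime

# Defaults as stated in the guide for the 'syslog' command.
DEFAULTS = {"rate": 50, "length": 1024, "facility": 1, "rfc": "rfc3164"}
# Date taken from the guide's "show snmp alarm active" example (constructed time value).
SAMPLE_TIME = datetime.datetime(2011, 7, 12, 9, 40, 58)


def pri(facility, severity):
    """PRI value per RFC 5424 section 6.2.1: facility * 8 + severity."""
    if not 0 <= facility <= 23:
        raise ValueError("facility-code must be in 0..23")
    if not 0 <= severity <= 7:
        raise ValueError("severity must be in 0..7")
    return facility * 8 + severity


def format_rfc3164(facility, severity, hostname, tag, text, when):
    """<PRI>Mmm dd hh:mm:ss HOSTNAME TAG: MSG, with a space-padded day of month."""
    stamp = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"
    return f"<{pri(facility, severity)}>{stamp} {hostname} {tag}: {text}"


def format_rfc5424(facility, severity, hostname, app, text, when):
    """<PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG.
    PROCID, MSGID and STRUCTURED-DATA are sent as NILVALUE '-'; `when` is assumed UTC."""
    stamp = when.strftime("%Y-%m-%dT%H:%M:%SZ")
    return f"<{pri(facility, severity)}>1 {stamp} {hostname} {app} - - - {text}"


class RateLimiter:
    """Fixed one-second window: at most `rate` messages per wall-clock second
    (rate 0 drops everything)."""

    def __init__(self, rate):
        if not 0 <= rate <= 100:
            raise ValueError("messages-per-seconds must be in 0..100")
        self.rate = rate
        self.window = None
        self.count = 0

    def allow(self, now):
        """`now` is a POSIX timestamp; returns True if the message may be sent."""
        second = int(now)
        if second != self.window:
            self.window, self.count = second, 0
        if self.count >= self.rate:
            return False
        self.count += 1
        return True


class SyslogClient:
    """Applies rate, length, facility and rfc to every message before sending."""

    def __init__(self, hostname, app, **params):
        cfg = dict(DEFAULTS, **params)
        if not 480 <= cfg["length"] <= 8000:
            raise ValueError("max-message-length must be in 480..8000")
        if cfg["rfc"] not in ("rfc3164", "rfc5424"):
            raise ValueError("rfc must be rfc3164 or rfc5424")
        self.cfg = cfg
        self.hostname, self.app = hostname, app
        self.limiter = RateLimiter(cfg["rate"])
        self.sent, self.dropped = [], 0

    def emit(self, severity, text, when, now):
        """Format, truncate and rate-limit one message. Returns the datagram
        payload that would be sent, or None if the rate limiter dropped it."""
        if not self.limiter.allow(now):
            self.dropped += 1
            return None
        fmt = format_rfc5424 if self.cfg["rfc"] == "rfc5424" else format_rfc3164
        payload = fmt(self.cfg["facility"], severity, self.hostname, self.app, text, when)
        payload = payload[: self.cfg["length"]]  # ASCII text assumed, so chars == bytes
        self.sent.append(payload)
        return payload


if __name__ == "__main__":
    # Mirrors the guide's example "syslog rate 10 length 512 facility 1".
    client = SyslogClient("sfw", "sfw", rate=10, length=512, facility=1)
    print(client.emit(6, "constructed test message", SAMPLE_TIME, now=0.0))
```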
no syslog-server
Purpose
The following command deletes the SYSLOG server configuration.
Commands
no syslog-server
show syslog
Purpose
The following command displays SYSLOG server and client configuration.
Commands
show syslog
Example
-> show syslog
Interface : trusted
Server IP address : 192.168.2.234
Server Port : 514
lpoc : 1
Vlan : 1
rate : 50
length : 1024
rfc : rfc5424
facility : 1

-> show syslog
Interface : oam
Server IP address : 192.168.10.104
Server Port : 514
lpoc : 0
Vlan : 0
rate : 50
length : 1024
rfc : rfc3164
facility : 11
19 NTP servers Management
Purpose
This paragraph provides information about the configuration of the NTP servers on the SFW.
Summary of the CLI for NTP servers Management
NTP servers management
ntp server serverId ip ip_address
no ntp server serverId
show ntp server
ntp server serverId ip ip-address
Purpose
The purpose of the following command is to define an NTP server. NTP servers must be accessible via the OAM interface, that is, via the Ethernet port used for accessing the SFW CLI session through the SCM board.
Commands
ntp server serverId ip ip_address
Arguments
serverId
This is the identifier of the NTP server. Up to 3 NTP servers can be created.
ip-address
This is the IPv4 address of the NTP server.
Example
-> ntp server 1 ip 155.132.232.21
no ntp server serverId
Purpose
The purpose of the following command is to delete an NTP server.
Commands
no ntp server serverId
Arguments
serverId
This is the identifier of the NTP server to be deleted.
Example
-> no ntp server 1
show ntp server
Purpose
The purpose of the following command is to display the NTP servers configuration.
Commands
show ntp server
Example
! 135.117.121.10 !
! 3 ! 155.132.232.30 !
+-----------+----------------+
20 Monitoring SIP messages dropped
Purpose
To be able to track SIP Packets rejected by the firewall either because of a DOS attack or a
misconfiguration, you have the ability to define a host where these packets will be forwarded.
The Monitoring-Host can be either reachable via the OAM interface or via the Trusted interface of
the firewall.
Summary of the CLI for Monitoring-Host Management
Monitoring-Host management
monitoring-host trusted ip ipAddress port ipPort lpoc trustedLpoc vlan vlanId rate msgsec
monitoring-host oam ip ipAddress port ipPort rate msgsec
monitoring-host [ip ipAddress] [port ipPort] [ lpoc <1..128>] [vlan vlanId] [ rate msgsec ]
show monitoring-host
monitoring-host trusted ip ip-address port ipPort
Purpose
The purpose of the following command is to define a Monitoring-Host, reachable via the Trusted interface of the firewall, to which the SIP packets detected as invalid and dropped will be forwarded.
Commands
monitoring-host trusted ip ipAddress port ipPort lpoc trustedLpoc vlan vlanId rate msgsec
Arguments
ip-address
This is the IPv4 address of the Monitoring-Host. It must be located on the trusted side of
the firewall.
ipPort
This is the destination port for the packets sent to the Monitoring-Host.
trustedLpoc
The source IP address of the packets sent to the Monitoring-Host will be the IP address
assigned to the “Trusted LPOC” mentioned here. Run the command “show lpoc trusted”
to get the list of LPOC and related IP addresses. Any trusted LPOC can be selected. A
specific trusted LPOC can also be configured to assign a dedicated source IP address for
the messages sent to the Monitoring-Host.
vlan
This is the vlan identifier, on the trusted side, allowing to reach the Monitoring-Host.
rate
This is the rate limiter associated with the monitoring feature, limiting the number of
forwarded messages. The rate limiter must be set between 1 and 10 messages per second.
The default value is 10.
Example
-> monitoring-host trusted ip 192.168.2.110 port 5060 lpoc 128 vlan 200 rate 10
Additional information
On the monitoring host you just need to run Wireshark.
When the SFW drops a SIP message, two messages are forwarded to the monitoring host:
the INFO message, which provides the cause of the drop (see the example hereafter), and a copy of the original SIP message that has been rejected by the firewall.
Both messages can be correlated via the “Identification” field of the IP header.
Example of INFO message on the Monitoring-Host
Request-Line: INFO sip:[email protected] SIP/2.0
Message Header
User-Agent: ALU SFW ERROR REPORTING
Contact: <[email protected]>
From: <172.23.8.9:50001>
To: <10.7.8.5:5060>
CSeq: 2630 INFO
Warning: Version:1.2.3 file:sfw_dfa_api.cpp line:763
Warning: mark:CallID error:(13)HeaderNotFound
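A monitoring host can do more than display the two datagrams in Wireshark: the added example below pairs each INFO error report with the copy of the rejected message by IP Identification, parses the drop cause out of the Warning headers, and counts causes so that a burst of one cause (a DoS or a misconfigured peer) stands out. This is not SFW code; the capture is constructed (the IP Identification values, the URIs and the second report’s mark are placeholders), and only the Warning header layout follows the INFO example above.

```python
"""Pair the two datagrams the SFW forwards per dropped SIP message (the INFO
error report and the copy of the rejected message) by IP Identification and
extract the drop cause from the INFO's Warning headers.
Added example for a monitoring host, not SFW code. CAPTURE is constructed."""
import re
from collections import Counter

REPORT_UA = "ALU SFW ERROR REPORTING"
ERROR_RE = re.compile(r"mark:(?P<mark>\S+)\s+error:\((?P<code>\d+)\)(?P<name>\w+)")
VERSION_RE = re.compile(r"Version:(?P<version>\S+)\s+file:(?P<file>\S+)\s+line:(?P<line>\d+)")

# Constructed report, laid out like the guide's INFO example (URIs are placeholders).
INFO_CALLID = (
    "INFO sip:monitor.invalid SIP/2.0\r\n"
    "User-Agent: ALU SFW ERROR REPORTING\r\n"
    "From: <172.23.8.9:50001>\r\n"
    "To: <10.7.8.5:5060>\r\n"
    "CSeq: 2630 INFO\r\n"
    "Warning: Version:1.2.3 file:sfw_dfa_api.cpp line:763\r\n"
    "Warning: mark:CallID error:(13)HeaderNotFound\r\n\r\n")
# Constructed copy of a rejected request; it carries no Call-ID, matching the report.
REJECTED_INVITE = (
    "INVITE sip:peer.invalid SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 203.0.113.7:5060;branch=z9hG4bK-constructed\r\n"
    "From: <sip:caller.invalid>;tag=1\r\n"
    "To: <sip:peer.invalid>\r\n"
    "CSeq: 1 INVITE\r\n\r\n")
INFO_VIA = INFO_CALLID.replace("mark:CallID", "mark:Via")  # placeholder second cause
# (IP Identification, payload) pairs in arrival order; ids are constructed.
CAPTURE = [
    (0x1A2B, INFO_CALLID), (0x1A2B, REJECTED_INVITE),  # complete pair
    (0x1A2C, INFO_VIA),                                # report whose copy was not seen
    (0x1A2D, REJECTED_INVITE),                         # copy whose report was not seen
]


def parse_sip(payload):
    """Split a SIP message into its start line and a list of (name, value) headers."""
    head = payload.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers.append((name.strip(), value.strip()))
    return lines[0], headers


def header_values(headers, name):
    return [v for n, v in headers if n.lower() == name.lower()]


def is_error_report(headers):
    return REPORT_UA in header_values(headers, "User-Agent")


def drop_cause(headers):
    """Collect mark/code/name and version/file/line from the Warning headers."""
    cause = {}
    for value in header_values(headers, "Warning"):
        for rx in (ERROR_RE, VERSION_RE):
            match = rx.search(value)
            if match:
                cause.update(match.groupdict())
    if "code" in cause:
        cause["code"] = int(cause["code"])
    return cause


def correlate(capture):
    """One record per IP Identification that carries an INFO report; the
    rejected message's start line is attached when its copy was also seen."""
    by_id = {}
    for ip_id, payload in capture:
        by_id.setdefault(ip_id, []).append(payload)
    records = []
    for ip_id, payloads in by_id.items():
        report, rejected = None, None
        for payload in payloads:
            start, headers = parse_sip(payload)
            if is_error_report(headers):
                report = headers
            else:
                rejected = start
        if report is not None:
            records.append({"ip_id": ip_id, "rejected": rejected, **drop_cause(report)})
    return records


def cause_counts(records):
    """Drop causes by error name; a spike in one name is the signal to alert on."""
    return Counter(r.get("name", "unknown") for r in records)


if __name__ == "__main__":
    recs = correlate(CAPTURE)
    for r in recs:
        print(hex(r["ip_id"]), r.get("mark"), r.get("name"), "->", r["rejected"])
    print(cause_counts(recs))
```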
monitoring-host oam ip ip-address port ipPort
Purpose
The purpose of the following command is to define a Monitoring-Host, reachable via the OAM interface of the firewall, to which the SIP packets detected as invalid and dropped will be forwarded.
Commands
monitoring-host oam ip ipAddress port ipPort rate msgsec
Arguments
ip-address
This is the IPv4 address of the Monitoring-Host.
In that case, as “oam” has been specified in the CLI, the Monitoring-Host must be
reachable via the OAM interface of the firewall, that is, through the SCM2 hosting the
DHSPP4.
When invalid SIP messages are sent to the Monitoring-host, the source IP address is the
OAM IP address of the firewall.
ipPort
This is the destination port for the packets sent to the Monitoring-Host.
rate
This is the rate limiter associated with the monitoring feature, limiting the number of
forwarded messages. The rate limiter must be set between 1 and 10 messages per second.
The default value is 10.
Example
-> monitoring-host oam ip 192.168.2.110 port 5060 rate 10
show monitoring-host
Purpose
The following command displays the Monitoring-Host configuration.
Depending on the location of the Monitoring-Host, either reachable via the trusted interface or the
oam interface, the output is different.
Commands
show monitoring-host
Output attributes
IP address
This is the IPv4 address of the Monitoring-Host.
Port
This is the destination port for the packets sent to the Monitoring-Host.
lpoc
This parameter is valid only if the Monitoring-Host has been defined on the Trusted side
of the firewall. It identifies the source IP address for the messages to be sent to the
Monitoring-Host. This IP address is the one assigned to the given trusted LPOC.
vlan
This parameter is valid only if the Monitoring-Host has been defined on the Trusted side
of the firewall. This is the vlan identifier, on the trusted side, allowing to reach the
Monitoring-Host.
rate
This is the rate limiter associated with the monitoring feature, limiting the number of
forwarded messages.
Example
-> show monitoring-host
IP address : 192.168.2.110
Port : 5060
lpoc : 128
Vlan : 200
rate : 10
-> show monitoring-host
interface : OAM
IP address : 139.54.128.34
Port : 5060
rate : 10
21 Configuration Management
Purpose
The Configuration Management CLI commands allow you to manage the SFW
configuration files in the working directory, the certified directory, and the running
configuration.
The working and certified configurations are stored in flash while the running configuration is in RAM.
Beyond configuration management, a few “show” commands listed in this chapter
allow you to monitor the status of the SFW. Pay attention to:
show running directory
show configuration consistency
show system
show sfw status
Summary of the CLI for Configuration Management
Configuration management
copy running working
copy working certified
show configuration { running | working | certified }
show running directory
show configuration consistency
switchover
configuration retrieve
show system
system location
show sfw status
copy running working
Purpose
The purpose of the following command is to copy the running configuration (in RAM) to the working directory (in flash).
This command overwrites the config.cfg file of the working directory.
The consistency of the configuration is checked when the configuration is saved via the CLI
command “copy running working”. The checks are related to the IP configuration; see the
command “show configuration consistency” for details about the points that are checked.
By default the SFW restarts with the certified configuration. To ensure that the working
configuration is valid it will be possible in a future SFW release to perform the command “reload
working” prior to “copy working certified” to validate the working configuration.
Commands
copy running working
copy working certified
Purpose
This command is used to overwrite the content of the certified directory with the content of the
working directory.
This should only be done if the contents of the working directory have been verified as the best version of the SFW configuration.
In a future release, the command “reload working” will allow checking the validity of the working
configuration.
Commands
copy working certified
Warning
With the current release, saving the SFW configuration takes two steps:
1 Run the command "copy running working"
2 Run the command "copy working certified"
There is no way to jump from the "running" configuration directly to the "certified" configuration.
The SFW always restarts from the "certified" configuration. In a future release it will be possible to reload the SFW with the "working" configuration to check that it is good prior to saving it in the "certified" directory.
show configuration
Purpose
The purpose of the following command is to display the firewall configuration. Three options are possible.
• "show configuration running" displays the current configuration in RAM.
• "show configuration working" displays the configuration saved in flash in the working directory via the command "copy running working".
• "show configuration certified" displays the configuration saved in flash in the certified directory via the command "copy working certified".
Commands
show configuration { running | working | certified }
show configuration consistency
Purpose
This command allows you to detect anomalies in the SFW configuration related to the IP configuration.
The consistency of the configuration is checked automatically when it is saved via the CLI command "copy running working".
It can also be checked at any time via the CLI command "show configuration consistency".
The checks cover IP addressing only; a configuration reported as consistent has passed these checks, nothing more.
The consistency checks are the following:
• If a peering-point IP address (rpoc) associated with a Peer-Network doesn't belong to the vlan subnet associated with this Peer-Network, then a "gateway" must have been defined for the vlan.
• If an MGC8 IBCF CCS IP address (rpoc) associated with a Load-Balancing-Group doesn't belong to the vlan subnet associated with this Load-Balancing-Group, then a "gateway" must have been defined for the vlan.
• If a vlan "gateway" has been defined, its IP address must belong to the vlan subnet.
• If a Local Point of Contact (lpoc) associated with a Peer-Network doesn't belong to the vlan subnet associated with this Peer-Network, then a "router" must have been defined for the vlan.
• If a Local Point of Contact (lpoc) associated with a Load-Balancing-Group doesn't belong to the vlan subnet associated with this Load-Balancing-Group, then a "router" must have been defined for the vlan.
• If a vlan "router" has been defined, its IP address must belong to the vlan subnet.
• Within a Peer-Network, IP overlapping between Peering-Point IP addresses (rpoc) must not exist.
• Within a Peer-Network, IP overlapping between Peering-Point IP addresses (rpoc) and IP filters must not exist.
• Within a Load-Balancing-Group, IP overlapping between CCS IP addresses (rpoc) must not exist.
• If a Vlan is assigned to more than one Peer-Network, IP overlapping between Peering-Point IP addresses (rpoc) must not exist.
• If a Vlan is assigned to more than one Peer-Network, IP overlapping between Peering-Point IP addresses (rpoc) and IP filters must not exist.
Commands
show configuration consistency
Example
-> show configuration consistency
Running configuration is consistent

-> show configuration consistency
IPv4 ERROR - vlan 10 has a router outside of the vlan subnet
Running configuration is not consistent !
switchover
Purpose
This command performs a switchover: the Active DHSPP4 restarts and the Backup DHSPP4 becomes Active.
Since the SFW always restarts from the certified configuration, changes that exist only in the running configuration may not survive a switchover. A "copy running working" followed by a "copy working certified" may therefore be required before issuing this command. Run the command "show running directory" to find out whether this is the case.
Commands
switchover
Warning
This command cannot be issued twice in a row without waiting for a minimal delay of 45 seconds.
configuration retrieve
Purpose
The SFW name is not configurable via a CLI command. It should have been configured during the first SFW installation via the sitecfg.sfw configuration file.
See the paragraph "How to configure the SFW SITE specific parameters" later in this document for how to configure the SFW name.
It is important to configure the SFW name because:
• The SFW name uniquely identifies the SFW. This is particularly important in case of an SCM/DHSPP4 hot-swap: the unique SFW name avoids overwriting the existing configuration with one that may exist on the replacement board.
• The SFW name, configured via the sitecfg.sfw, is displayed in all SNMP traps.
• The SFW name is the CLI prompt.
So, if you wish to re-configure the SFW name you need to follow the procedure described hereafter:
Steps
1 Update the sitecfg.sfw as described in the paragraph "How to configure the SFW SITE specific parameters".
2 Perform a double switchover to reload the new sitecfg.sfw on both DHSPP4.
3 At this point you will be able to access the CLI only with the initial user/password. Contact your account or technical support representative for information about the default login/password. Until step 5 is complete the SFW accepts only these default credentials, so perform this procedure from a trusted management network and do not leave the SFW in this state.
4 You will notice that you restarted without any configuration.
login: root
password: ******
***********************************************
ALCATEL - LUCENT
ATCA-SFW 1.3.0 2011/02/21 11:43
Running configuration : WITHOUT CONFIGURATION
In case the SFW name has been changed in sitecfg
you can run "configuration retrieve" CLI to retrieve former configuration
Hello root !
We strongly recommend you to change your password for a safer one !!!
5 To retrieve the previous configuration, run the CLI command "configuration retrieve". This command restores the former configuration and disconnects you from the CLI session.
6 On the next attempt to access the CLI session you can use your previous user/password.
E N D O F S T E P S
show system
Purpose
The purpose of the following command is to display information about the SFW node you are
managing such as SFW software release, SFW name and location.
Similar information can be retrieved via SNMP by performing an SNMP get on the "system" objects of the RFC1213 mib.
Commands
show system
Output Information
Description
Provides the SFW software release. This is the sysDescr of the RFC1213 mib.
Object ID
Provides the SNMP oid identifying the SFW node. This is the sysObjectId of the
RFC1213 mib.
Up Time
Provides the time since the SFW has been up and running. This is the sysUpTime of the RFC1213 mib.
Additionally, the number of system boots that have occurred since the first SFW installation is provided. A "switchover" is not counted as a system boot, as upon a switchover the SFW backup DHSPP4 takes over without restarting.
Contact
Initialized with the Alcatel-Lucent Customer Portal. There is no CLI to modify this object. This is the sysContact of the RFC1213 mib.
Name
Initialized with the SFW name. There is no CLI to initialize this object. The SFW name
comes from the sitecfg.sfw file where static configuration is defined at the first SFW
installation.
This attribute is displayed in all SNMP traps sent by the SFW. This is the sysName of the
RFC1213 mib.
Location
Provides information about the location of the SFW. The CLI “system location” allows to
modify this attribute. It can be used to locate the 7510 hosting the SFW. This attribute is
displayed in all SNMP traps sent by the SFW. This is the sysLocation of the RFC1213
mib.
Example
-> show system
Description : 7510-SFW 1.3.0 2011/02/21 18:39
Object ID : 1.3.6.1.4.1.637.71.20
Up Time : 1 days 01 hours 52 minutes and 20 seconds (boot #14)
Contact : Alcatel-Lucent, http://alcatel-lucent.com/wps/portal/
Name : sfw5
Location : 7510-Orvault-TR34-Baie36
Date & Time : Wed Apr 27 10:02:15 2011
system location
Purpose
This command updates the "system location" information. This value is useful to correlate the SFW node with the 7510 hosting it.
The system location can then be displayed via the command "show system".
The system location is written in all SNMP traps sent by the SFW, in the field AdditionalText.
Commands
system location text_string
Arguments
text_string
Describes the SFW physical location. For example, 7510-Orvault-TR34-Baie36.
The system location can range from 1 to 53 characters in length.
Example -> system location
show sfw status
Purpose
The purpose of the following command is to display information about the status of SFW
DHSPP4 boards such as temperature, CPU and Memory consumption.
Commands
show sfw status
Output Information
! slot ! DHSPP ! SCM ! celsius !
This table allows the operator to know, for each SFW board:
o Which DHSPP4 is currently Active and which one is Standby.
o Which SCM2 is currently Active.
o What is the temperature for each DHSPP4.
CPU Load
This is an average of the CPU load over the 12 cores of the Active DHSPP4.
FPA memory distributor % free
Provides the percentage of free memory for FPA memory areas.
FPAS memory distributor % free
Provides the percentage of free memory for FPAS memory areas.
Example
-> show sfw status
+------+---------+---------+---------+
! slot ! DHSPP   ! SCM     ! celsius !
+------+---------+---------+---------+
! 11   ! ACTIVE  ! STANDBY ! 59      !
! 10   ! STANDBY ! UNKNOWN ! 57      !
+------+---------+---------+---------+
0% CPU load
FPA memory distributor % free
PACKET BUFFER      : 99
WORK QUEUE ENTRY   : 93
DFA RESULT         : 100
DFA COMMAND        : 99
PKO COMMAND BUFFER : 96
TIMER CHUNKS       : 99
FPAS memory distributor % free
IP FLOW            : 99
COLLISION BLOCK    : 99
IP FRAGMENT        : 100
TCP CONTEXT        : 99
SIP CONTEXT        : 99
ARP CACHE          : 98
22 CLI Session Management
Purpose
The SFW accepts up to 20 simultaneous SSH CLI sessions. An idle session holds one of these slots until it times out, which is what the session timeout below bounds.
Refer to the paragraph "SFW prerequisite" at the beginning of this document to learn how to open a CLI session via an SSH tunnel.
The CLI commands listed below allow you to modify the default CLI session timeout and to display the currently open sessions.
Summary of the CLI for CLI Session Management
CLI Session management
cli session timeout
show cli session
cli session timeout
Purpose
The purpose of the following command is to modify the default CLI session timeout (5 minutes).
Commands
cli session timeout time_in_mn
Arguments
time_in_mn
The timeout, in minutes. The allowed range is 1 to 1440 minutes.
show cli session
Purpose
The purpose of the following command is to display the currently open CLI sessions, with the origin address and port of each one.
Commands
show cli session
Example
-> show cli session
CLI session timeout : 60 minutes
+------+-------------+------------+---------------------+
! user ! status      ! inactivity ! origin              !
+------+-------------+------------+---------------------+
! root ! established ! 0 seconds  ! 139.54.128.34:47156 !
! root ! established ! 21 minutes ! 139.54.128.34:48218 !
+------+-------------+------------+---------------------+
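The session table above is what an operator would review when auditing who is logged in. The following Python script is an added example, not SFW code: it parses a captured copy of the "show cli session" output (a constructed sample in the same format, with one extra row) and flags sessions whose origin is outside an operator-defined management allowlist, sessions idle at or beyond the displayed timeout, and a session count at the 20-session SSH limit stated in this chapter. The allowlist and the sample rows are assumptions; the SFW does not provide this audit itself.

```python
"""Audit a captured "show cli session" table (added example, not SFW code).
Flags sessions whose origin is outside an operator-defined management
allowlist, sessions idle at or beyond the configured timeout, and a session
count at the 20-session SSH limit. Allowlist and sample table are assumptions."""
import ipaddress
import re

# Constructed sample in the format the CLI prints; the third row is the odd one out.
SAMPLE = """\
CLI session timeout : 60 minutes
+------+-------------+------------+---------------------+
! user ! status      ! inactivity ! origin              !
+------+-------------+------------+---------------------+
! root ! established ! 0 seconds  ! 139.54.128.34:47156 !
! root ! established ! 21 minutes ! 139.54.128.34:48218 !
! root ! established ! 75 minutes ! 203.0.113.9:51022   !
+------+-------------+------------+---------------------+
"""

UNITS = {"seconds": 1, "minutes": 60, "hours": 3600}
MAX_SESSIONS = 20          # limit stated in the CLI Session Management chapter


def parse_sessions(text):
    """Return (timeout_seconds, list of session dicts) from the CLI output."""
    timeout, sessions = None, []
    for line in text.splitlines():
        m = re.match(r"CLI session timeout\s*:\s*(\d+)\s+(\w+)", line)
        if m:
            timeout = int(m.group(1)) * UNITS[m.group(2)]
            continue
        if not line.startswith("!") or line.startswith("! user"):
            continue                                 # table borders and header row
        user, status, inactivity, origin = [c.strip() for c in line.strip("!").split("!")]
        amount, unit = inactivity.split()
        host, port = origin.rsplit(":", 1)           # OAM addresses are IPv4 on this release
        sessions.append({"user": user, "status": status,
                         "idle_seconds": int(amount) * UNITS[unit],
                         "host": ipaddress.ip_address(host), "port": int(port)})
    return timeout, sessions


def audit(text, allowed_nets, max_sessions=MAX_SESSIONS):
    """Return finding strings for sessions that deserve a closer look."""
    timeout, sessions = parse_sessions(text)
    nets = [ipaddress.ip_network(n) for n in allowed_nets]
    findings = []
    for s in sessions:
        who = f"{s['user']}@{s['host']}:{s['port']}"
        if not any(s["host"] in n for n in nets):
            findings.append(f"{who}: origin outside the management allowlist")
        if timeout is not None and s["idle_seconds"] >= timeout:
            findings.append(f"{who}: idle {s['idle_seconds'] // 60} min, "
                            f"at or past the {timeout // 60} min timeout")
    if len(sessions) >= max_sessions:
        findings.append(f"{len(sessions)} sessions: SSH CLI session limit reached")
    return findings


if __name__ == "__main__":
    # Assumed management subnet; adjust to the operator's OAM addressing.
    for finding in audit(SAMPLE, ["139.54.128.0/24"]):
        print(finding)
```

Feed it the pasted output of "show cli session" and the management subnet(s) the OAM interface is supposed to be reached from; anything reported is either a session to investigate or a candidate for a shorter "cli session timeout".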
23 How to configure the SFW SITE specific parameters
Purpose
With the SFW release R2.0 some SFW objects cannot yet be configured via the CLI:
• SFW name
• Trusted Domain Name
• SIP Status mode and extension
• SNMP V2c Client community name
The configuration of these objects is done via the file sitecfg.sfw. After updating this file according to your site-specific data you need to upload it to the SCM boards and reboot the DHSPP4.
How to update the SITECFG.SFW configuration file
The sitecfg.sfw can be created from an Excel template available on the Customer Portal in the "Manuals and Guides" section of the 7510 MGW product. Its content looks like this:
# SFW name
SFW-site1
# Trusted domain name
atlanta.com
# SIP status mode
# list of choice: all | restricted
restricted
# SIP status extension
# SNMPv2 community name
public
# EOF
Steps
1 Go to the Alcatel-Lucent Customer and Business Partner Portal :
o https://market.alcatel-lucent.com/release/jsp/sso/login.jsp
o After a successful login, within the box “Technical Content for”, select the product
7510 MGW (Media Gateway).
o Select the “Manuals and Guides” link
o Download the document 3FZ-08141-ACAA-PCZZA "SFW - sfwStaticConf.xls, sitecfg.sfw template for release R3.0"
2 According to your site configuration, update the above sfwStaticConf-R20x.xls Excel file.
3 Modify the SFW name. This will affect the CLI prompt.
4 Modify the Trusted Domain Name. This will replace the default domain name "sfw.net" appended during topology hiding in the "tokenized-by=sfw.net" parameter.
5 Select the "SIP Status Mode":
o Restricted: the list of SIP response codes is restricted to the list defined by http://www.voip-info.org/wiki/view/SIP+response+codes
o All: the list of SIP response codes is not restricted. All codes are accepted.
6 Optionally configure the section "SIP Status Extension". If the "SIP Status Mode" has been set to "restricted", you have the ability to extend the list of authorized response codes.
7 If needed, configure the SNMP V2 community name. This is required if you want to perform SNMP V2 set/get from the OMC-P, as the CLI only allows you to configure SNMP V3 parameters. The SNMPv2c community name travels in clear text and is the only credential for set/get, so do not keep the template's "public" value and prefer SNMP V3 configured via the CLI where the OMC-P allows it.
8 Save the Excel file in sfwStaticConf.xls format for further modifications.
9 Save the Excel file in sfwStaticConf.csv format to allow its parsing by the SFW application.
10 Rename the sfwStaticConf.csv file as sitecfg.sfw.
11 Then follow the next procedure "Install the sitecfg.sfw configuration file on the SFW".
E N D O F S T E P S
Install the SITECFG.SFW configuration file on the SFW
Follow the procedure below to apply the configuration described above on the SFW.
Steps
1 Copy the sitecfg.sfw to your tftp server. Warning: this file must be in CSV format (NOT in XLS format). TFTP is neither authenticated nor encrypted and the file carries the SNMP community name, so keep the tftp server reachable from the management network only and remove the file once the transfer is done.
2 Log in to the 7510.
Contact your account or technical support representative for information about the default login/password.
3 "tftp get" the sitecfg.sfw on the Active SCM.
ACT-SCM:1.10(r0)> tftp get 1.2.3.4:/7510/sfw-7510.1.1.0/sitecfg.sfw
4 "tftp get" the sitecfg.sfw on the Standby SCM, through a remote console opened from the Active SCM.
ACT-SCM:1.10(r0)> rc 1 11
Setting up remote console to [01][11]
STB-SCM:1.11(r0)> tftp get 1.2.3.4:/7510/sfw7510.1.0.1/sitecfg.sfw
STB-SCM:1.11(r0)> exit
5 Enable both DHSPP4 cards (this step is only required during the first SFW/DHSPP4 installation).
ACT-SCM:1.10(r0)> enable module gw.1.10.amc.1
ACT-SCM:1.10(r0)> enable module gw.1.11.amc.1
ACT-SCM:1.10(r0)> save (safe for reboot)
6 Reset both DHSPP4 (this step is not required during the first SFW/DHSPP4 installation).
ACT-SCM:1.10(r0)> reset module 1 10 amc
ACT-SCM:1.10(r0)> reset module 1 11 amc
E N D O F S T E P S
A IP Configuration example
Overview
Purpose
This appendix provides, through a few examples, a quick overview of the SFW IP configuration.
Contents
This appendix covers these topics:
IP Configuration Introduction
Untrusted/Trusted Interfaces, Link Aggregate or Active/Standby mode
Untrusted side IP connectivity with VRF support
Untrusted side IP connectivity without VRF support
Trusted side IP connectivity, case 1
Trusted side IP connectivity, case 2
IP Configuration Introduction
• The SIP firewall is made of 2 DHSPP4 running in Active/Standby mode for the SIP firewalling application.
• Each DHSPP4 is hosted in a different 7510 SCM2 board (slot 10 and slot 11).
• The standby DHSPP4 operates in layer 2 pass-through mode for the SIP signaling traffic.
• A trunk between the 2 DHSPP4 relays SIP frames between Active and Standby.
• Trusted and Untrusted interfaces are connected to the next-hop IP using either
o Static Link Aggregation (802.3ad). This is the preferred configuration but it requires the PE router to be carrier grade.
or
o an Active/Standby configuration. If the PE router is not carrier grade this is the configuration to choose.
• Peer Network realm separation is achieved using 802.1q tagged vlans.
• Overlapping IP addresses of peering points are supported but require the PE router to support the VRF feature.
• A single Point of Contact (POC) can be defined for all peer networks.
• If a single POC and realm separation are both needed, the PE router must support VRF.
Untrusted/Trusted Interfaces, Link Aggregate or Active/Standby mode
• 2 network configurations are possible depending on the Switch/Router capability:
o Static Link Aggregation (802.3ad) configuration with a carrier grade router.
o Active/Standby configuration in case of Switch-Routers that are not carrier grade.
Untrusted side IP connectivity with VRF support
Assumption: the PE router supports VRF.
• Realm separation using different Vlan tags
• Single point of contact for all Peer Networks. The PE router must support VRF.
• SFW LPOC and Peer Network in different subnets
• Overlapping IP addresses for peering points are possible as the PE router supports VRF.
CLI Configuration
! *** trunks
trunk untrusted mode linkagg
! *** Poc untrusted
lpoc untrusted 1 enable name LPOC_UNTRUSTED_1
lpoc untrusted 1 ip 160.0.20.1 udp 5060
! *** vlans
vlan 11 untrusted enable name UNTRUSTED_VLAN_11
vlan 11 subnet 192.168.11.0 mask 255.255.255.252 router 192.168.11.2 rip gw 192.168.11.1
vlan 12 untrusted enable name UNTRUSTED_VLAN_12
vlan 12 subnet 192.168.12.0 mask 255.255.255.252 router 192.168.12.2 rip gw 192.168.12.1
! *** peer networks
peer-net 1 enable name PEER_1
peer-net 1 lpoc 1
peer-net 1 vlan 11
peer-net 1 rpoc 1 ip 150.0.40.1 udp 5060
peer-net 1 rpoc 2 ip 150.0.40.2 udp 5060
peer-net 2 enable name PEER_2
peer-net 2 lpoc 1
peer-net 2 vlan 12
peer-net 2 rpoc 1 ip 150.0.50.3 udp 5060
peer-net 2 rpoc 2 ip 150.0.50.4 udp 5060
• Ping from the router (src IP 192.168.11.1 or 192.168.12.1) to the untrusted lpoc 160.0.20.1 must be successful
• Ping from the peering-points (rpoc) to the untrusted lpoc 160.0.20.1 must be successful
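The consistency rules listed under "show configuration consistency" (router or gateway required when the lpoc or rpoc lie outside the vlan subnet, router and gateway inside the subnet, no rpoc overlap within or across Peer-Networks on a shared vlan) can be checked against a configuration such as the one above before it is loaded. The following Python script is an added example, not SFW code: it parses configuration lines in the syntax shown in this appendix (the IP-relevant subset of the VRF case above, plus a constructed faulty configuration that reproduces the "router outside of the vlan subnet" error of the CLI example) and re-implements the Peer-Network rules. Assumptions not taken from this guide: only the keywords used in these examples are parsed, one subnet is kept per vlan, a missing rpoc port defaults to 5060, and "IP overlapping" is approximated as an identical address:port pair (the trusted examples reuse one IP with two ports). The Load-Balancing-Group and IP-filter rules are not implemented.

```python
"""Offline re-implementation of the Peer-Network rules of
"show configuration consistency" (added example, not SFW code).
Assumptions: only the keywords used in the appendix examples are parsed,
one subnet is kept per vlan, a missing rpoc port defaults to 5060, and
"IP overlapping" is approximated as an identical address:port pair."""
import ipaddress
from collections import defaultdict

# IP-relevant subset of the "with VRF support" configuration from the appendix.
VRF_CASE = """\
lpoc untrusted 1 ip 160.0.20.1 udp 5060
vlan 11 subnet 192.168.11.0 mask 255.255.255.252 router 192.168.11.2 rip gw 192.168.11.1
vlan 12 subnet 192.168.12.0 mask 255.255.255.252 router 192.168.12.2 rip gw 192.168.12.1
peer-net 1 lpoc 1
peer-net 1 vlan 11
peer-net 1 rpoc 1 ip 150.0.40.1 udp 5060
peer-net 1 rpoc 2 ip 150.0.40.2 udp 5060
peer-net 2 lpoc 1
peer-net 2 vlan 12
peer-net 2 rpoc 1 ip 150.0.50.3 udp 5060
peer-net 2 rpoc 2 ip 150.0.50.4 udp 5060
"""

# Constructed faulty configuration: router outside the vlan subnet (the error
# shown in the CLI example) and a duplicated rpoc inside one peer-net.
BAD_CASE = """\
lpoc untrusted 1 ip 160.0.20.1 udp 5060
vlan 10 subnet 192.168.10.0/30 router 192.168.11.2 gw 192.168.10.1
peer-net 1 lpoc 1
peer-net 1 vlan 10
peer-net 1 rpoc 1 ip 150.0.40.1 udp 5060
peer-net 1 rpoc 2 ip 150.0.40.1 udp 5060
"""


def parse_config(text):
    """Parse vlan, lpoc and peer-net lines into plain dicts."""
    vlans = defaultdict(dict)                       # id -> {subnet, router, gw}
    lpocs = {}                                      # (side, id) -> address
    peers = defaultdict(lambda: {"rpoc": {}, "vlan": None, "lpoc": None})
    for raw in text.splitlines():
        t = raw.split()
        if not t or t[0].startswith("!"):           # blank line or "! ***" comment
            continue
        if t[0] == "vlan" and "subnet" in t:
            vid, net = int(t[1]), t[t.index("subnet") + 1]
            if "mask" in t:                         # legacy "a.b.c.d mask m.m.m.m" form
                net = f"{net}/{t[t.index('mask') + 1]}"
            vlans[vid]["subnet"] = ipaddress.ip_network(net, strict=False)
            for key in ("router", "gw"):
                if key in t:
                    vlans[vid][key] = ipaddress.ip_address(t[t.index(key) + 1])
        elif t[0] == "lpoc" and "ip" in t:
            lpocs[(t[1], int(t[2]))] = ipaddress.ip_address(t[t.index("ip") + 1])
        elif t[0] == "peer-net" and len(t) > 3:
            pid, what = int(t[1]), t[2]
            if what in ("vlan", "lpoc"):
                peers[pid][what] = int(t[3])
            elif what == "rpoc" and "ip" in t:
                i = t.index("ip")
                port = int(t[i + 3]) if len(t) > i + 3 else 5060   # assumed default port
                peers[pid]["rpoc"][int(t[3])] = (ipaddress.ip_address(t[i + 1]), port)
    return vlans, lpocs, peers


def check_consistency(text, side="untrusted"):
    """Return error strings in the style of the CLI output; [] means consistent."""
    vlans, lpocs, peers = parse_config(text)
    errors = []
    for vid, v in sorted(vlans.items()):            # router and gw must sit in the subnet
        for key in ("router", "gw"):
            if key in v and v[key] not in v["subnet"]:
                errors.append(f"vlan {vid} has a {key} outside of the vlan subnet")
    used = defaultdict(dict)                        # vlan -> {(ip, port): owning peer-net}
    for pid, p in sorted(peers.items()):
        v = vlans.get(p["vlan"], {})
        if "subnet" not in v:
            errors.append(f"peer-net {pid} has no vlan subnet")
            continue
        vid, subnet = p["vlan"], v["subnet"]
        lp = lpocs.get((side, p["lpoc"]))
        if lp is not None and lp not in subnet and "router" not in v:
            errors.append(f"peer-net {pid} lpoc {lp} is outside vlan {vid} and no router is defined")
        seen = set()
        for rid, (ip, port) in sorted(p["rpoc"].items()):
            if ip not in subnet and "gw" not in v:
                errors.append(f"peer-net {pid} rpoc {rid} is outside vlan {vid} and no gw is defined")
            if (ip, port) in seen:
                errors.append(f"peer-net {pid} rpoc {rid} overlaps another rpoc of the same peer-net")
            seen.add((ip, port))
            owner = used[vid].setdefault((ip, port), pid)   # overlap across peer-nets on one vlan
            if owner != pid:
                errors.append(f"peer-net {pid} rpoc {rid} overlaps an rpoc of peer-net {owner} on vlan {vid}")
    return errors


if __name__ == "__main__":
    for label, cfg in (("VRF case", VRF_CASE), ("constructed bad case", BAD_CASE)):
        errs = check_consistency(cfg)
        print(f"{label}:")
        for e in errs:
            print(f"  IPv4 ERROR - {e}")
        print("  Running configuration is consistent" if not errs
              else "  Running configuration is not consistent !")
```

Pointing the script at a saved copy of "show configuration working" before "copy working certified" gives the same class of answer as the on-box check, with the advantage that it can be run against a configuration that has not been loaded yet.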
Untrusted side IP connectivity without VRF support
Assumption: the PE router does not support VRF.
• Realm separation using different Vlan tags
• One point of contact per Peer Network.
• SFW LPOC and Peer Network in different subnets
• Overlapping IP addresses for peering points are not possible because the PE router does not support VRF.
CLI Configuration
! *** trunks
trunk untrusted mode linkagg
! *** Poc untrusted
lpoc untrusted 1 enable name LPOC_UNTRUSTED_1
lpoc untrusted 1 ip 160.11.20.2 udp 5060
lpoc untrusted 2 enable name LPOC_UNTRUSTED_2
lpoc untrusted 2 ip 160.12.20.2 udp 5060
! *** vlans
vlan 11 untrusted enable name UNTRUSTED_VLAN_11
vlan 11 subnet 160.11.20.0 mask 255.255.255.252 no rip gw 160.11.20.1
vlan 12 untrusted enable name UNTRUSTED_VLAN_12
vlan 12 subnet 160.12.20.0 mask 255.255.255.252 no rip gw 160.12.20.1
! *** peer networks
peer-net 1 enable name PEER_1
peer-net 1 lpoc 1
peer-net 1 vlan 11
peer-net 1 rpoc 1 ip 150.0.40.1 udp 5060
peer-net 1 rpoc 2 ip 150.0.40.2 udp 5060
peer-net 2 enable name PEER_2
peer-net 2 lpoc 2
peer-net 2 vlan 12
peer-net 2 rpoc 1 ip 150.0.50.3 udp 5060
peer-net 2 rpoc 2 ip 150.0.50.4 udp 5060
Each lpoc sits inside the subnet of its vlan, which is why no "router" is needed here, unlike the VRF case.
• Ping from the router to the untrusted lpoc 160.11.20.2 and 160.12.20.2 must be successful
• Ping from the peering-points (rpoc) to the untrusted lpoc must be successful
Trusted side IP connectivity, case 1
• CCS addresses and Trusted lpoc in different subnets
• Single Point of Contact on the trusted side
CLI Configuration
! *** trunks
trunk trusted mode linkagg
! *** Poc trusted
lpoc trusted 1 ip 192.168.20.1 enable name LPOC_TRUSTED_1
! *** vlans
vlan 20 trusted enable name TRUSTED_VLAN_20
vlan 20 subnet 192.168.20.0 mask 255.255.255.252 gw 192.168.20.2 no rip
! *** load balancing group
load-balancing-group 1 enable name LBG_1
load-balancing-group 1 vlan 20
load-balancing-group 1 lpoc 1
load-balancing-group 1 rpoc 1 ip 192.168.10.10 udp 5061
load-balancing-group 1 rpoc 2 ip 192.168.10.10 udp 5062
load-balancing-group 1 rpoc 3 ip 192.168.10.20 udp 5061
load-balancing-group 1 rpoc 4 ip 192.168.10.20 udp 5062
! *** load balancing group and peer-network association
peer-net 1 load-balancing-group 1
peer-net 2 load-balancing-group 1
• Ping from the router (src IP 192.168.20.2) to the trusted lpoc 192.168.20.1 must be successful
• Ping from the CCSs (rpoc) to the trusted lpoc must be successful
Trusted side IP connectivity, case 2
• CCS addresses and Trusted lpoc in the same subnet
• Single Point of Contact on the trusted side
CLI Configuration
! *** trunks
trunk trusted mode linkagg
! *** Poc trusted
lpoc trusted 1 ip 192.168.10.1 enable name LPOC_TRUSTED_1
! *** vlans
vlan 10 trusted enable name TRUSTED_VLAN_10
vlan 10 subnet 192.168.10.0 mask 255.255.255.0
! *** load balancing group
load-balancing-group 1 enable name LBG_1
load-balancing-group 1 vlan 10
load-balancing-group 1 lpoc 1
load-balancing-group 1 rpoc 1 ip 192.168.10.10 udp 5061
load-balancing-group 1 rpoc 2 ip 192.168.10.10 udp 5062
load-balancing-group 1 rpoc 3 ip 192.168.10.20 udp 5061
load-balancing-group 1 rpoc 4 ip 192.168.10.20 udp 5062
! *** load balancing group and peer-network association
peer-net 1 load-balancing-group 1
peer-net 2 load-balancing-group 1
• Ping from the CCSs (rpoc) to the trusted lpoc 192.168.10.1 must be successful
• Ping from the switch to the trusted lpoc cannot be performed
B IPv6 support
Overview
Purpose
This appendix focuses only on the areas impacted by IPv6 configuration.
The CLI commands are not explained in detail; the purpose here is to give an overview of what has changed since the previous release, which supported IPv4 only.
The detailed description of each command is provided in the previous chapters "LPOC", "Peer-Network", "Load-Balancing-Group" and "Vlan".
create and modify IPv4/IPv6 objects
SFW supports IPv6 and IPv4 on the trusted and untrusted sides.
All objects related to the Trusted and Untrusted sides that were previously IPv4 only are now dual-stack IPv4/IPv6. This applies to the vlan configuration, the lpoc configuration, Peer-Network rpoc and Load-Balancing-Group rpoc. These objects can therefore have an IPv4 and an IPv6 address simultaneously.
The set of CLI commands used to configure dual-stack IPv4/IPv6 objects is almost the same as the one you already know from the previous SFW releases, and it is backward compatible with the previous configuration files.
Lpoc and rpoc creation uses the same set of CLI commands as previously. You just need to specify an IPv6 address in the right format (e.g. 2001:b8::192:168:2:5) to get an IPv6 stack. If the lpoc or rpoc is dual-stack you need to run the command twice: once to create the object with an IPv4 (or IPv6) address, and a second time to add the IPv6 (or IPv4) address.
Examples:
lpoc untrusted 2 ip 172.17.2.5 enable name LPOC_UNTRUSTED_2
lpoc untrusted 2 ip 2001:2::172:17:2:5
peer-net 20 rpoc 15 ip 172.23.8.9
peer-net 20 rpoc 15 ip 2001:8::172:23:8:9
IP address deletion for an lpoc or rpoc requires new keywords to tell the CLI which IP address the command applies to.
Examples:
lpoc untrusted 2 no ipv6
peer-net 20 rpoc 15 no ipv4
Vlan creation has been slightly modified to accept the IPv6 address format. Previously the IP mask was written in IP address format (e.g. 255.255.255.0). Now, for both IPv4 and IPv6, the mask has to be defined using the "/length" format.
Examples:
vlan 11 untrusted enable name UNTRUSTED_VLAN_11 subnet 172.16.11.0/24
vlan 11 subnet 2001:11::/64
But a configuration file with the command “vlan 11 … subnet 172.16.11.0 mask255.255.255.0” is still accepted as the compatibility with previous releases is ensured.
IP address deletion for vlan requires new keywords so that the CLI knows which IP address the command applies to.
Examples:
vlan 11 no ipv6 router
vlan 11 no ipv6 gw
With dual-stack IPv4/IPv6 objects it can become tricky to check end-to-end IP
connectivity. For example, if the rpoc is dual-stack, then the lpoc and vlan must also be dual-stack. To make the IP connectivity status easier to check, two new commands have been introduced:
show peer-net connectivity
show load-balancing-group connectivity
These commands, with the help of periodic IP and SIP polling, allow detection of inconsistencies in the configuration or of IP connectivity issues toward the remote poc.
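The consistency rule above (every address family an rpoc uses must also be present on the lpoc and vlan) can be checked offline against a configuration file, before relying on the connectivity polling. The following Python script is an added example, not part of this guide or of the SFW product; it parses lpoc, vlan and rpoc lines in the CLI syntax shown in this appendix, and the configuration it reads is constructed.

```python
import ipaddress
from collections import defaultdict

# Constructed configuration lines in the CLI syntax of this appendix (not a real SFW config).
SAMPLE_CONFIG = """\
vlan 11 untrusted enable name UNTRUSTED_VLAN_11 subnet 172.16.11.0/24
vlan 11 subnet 2001:11::/64
lpoc untrusted 2 ip 172.17.2.5 enable name LPOC_UNTRUSTED_2
lpoc untrusted 2 ip 2001:2::172:17:2:5
lpoc untrusted 3 ip 172.17.3.5 enable name LPOC_UNTRUSTED_3
peer-net 20 rpoc 15 ip 172.23.8.9
peer-net 20 rpoc 15 ip 2001:8::172:23:8:9
"""

# Number of leading words that identify an object: "vlan 11", "lpoc untrusted 2",
# "peer-net 20 rpoc 15".
KEY_WORDS = {"vlan": 2, "lpoc": 3, "peer-net": 4}

def families(config):
    """Return {object: set of IP versions} for the vlan, lpoc and rpoc lines."""
    fams = defaultdict(set)
    for line in config.splitlines():
        words = line.split()
        if not words or words[0] not in KEY_WORDS:
            continue
        if words[0] == "peer-net" and words[2:3] != ["rpoc"]:
            continue  # peer-net filter lines are not addressable objects
        key = " ".join(words[:KEY_WORDS[words[0]]])
        for kw in ("ip", "subnet"):
            if kw in words:
                # Handles "a.b.c.d/len" as well as the legacy "a.b.c.d mask m.m.m.m".
                addr = words[words.index(kw) + 1].split("/")[0]
                fams[key].add(ipaddress.ip_address(addr).version)
    return dict(fams)

def dual_stack_gaps(config):
    """Every address family used by any rpoc must be present on every lpoc and
    vlan. Returns {object: missing versions}; an empty dict means consistent."""
    fams = families(config)
    needed = set()
    for key, versions in fams.items():
        if key.startswith("peer-net"):
            needed |= versions
    return {key: needed - versions for key, versions in fams.items()
            if not key.startswith("peer-net") and needed - versions}
```

With the constructed input, lpoc untrusted 3 is reported as missing IPv6 because rpoc 15 of peer-net 20 is dual-stack.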
IPv6 Q&A
What is the precedence between IPv4 and IPv6 in the dual-stack case?
When IPv6 and IPv4 are both present on one interface, priority is given to IPv6.
Does IPv6 support mean a modification of the Vlan / Peer-Network association?
No, you can still use a single tagged vlan per Peer-Network. IPv4 and IPv6 can work over the same vlan.
Does IPv6 support mean a modification of the Vlan / Load-Balancing association?
No, you can still use a single tagged vlan per Load-Balancing-Group. IPv4 and IPv6 can
work over the same vlan.
Is there a change in Peering-Point addressing from MGC8 point of view?
No, a dual-stack Peering-Point is reached via the same listening port on the Trusted Local POC of the firewall. The LPOC needs to be dual-stack.
Which SFW objects remain IPv4 only?
The following objects remain IPv4 only:
NTP client/server
Syslog client/Server
Monitoring Host
OAM interfaces (CLI and SNMP)
CLI for IPv6 support
Trusted and Untrusted LPOC
lpoc untrusted poc_id [ip ip_address] [enable | disable] [name description]
lpoc untrusted poc_id no ipv6
lpoc untrusted poc_id no ipv4
lpoc trusted poc_id [ip ip_address] [enable | disable] [name description]
lpoc trusted poc_id no ipv6
lpoc trusted poc_id no ipv4
show lpoc [trusted [poc_id] | untrusted [poc_id]]
Vlan
vlan vid {trusted | untrusted} [enable | disable] [name description] subnet ip_address/len [router ip_address [rip | no rip]] [gw ip_address]
vlan vid subnet ip_address/len
vlan vid router ip_address [rip | no rip]
vlan vid gw ip_address
vlan vid no ipv4
vlan vid no ipv6
vlan vid no [ipv4 | ipv6] router
vlan vid no [ipv4 | ipv6] gw
show vlan
Peer Network
peer-net netid filter filter_id ip address/mask [accept | deny]
peer-net netid rpoc peering_point_id ip ip_address [udp [port] | tcp [port] | sctp [port] | tls [port]]
peer-net netid rpoc peering_point_id no ipv4
peer-net netid rpoc peering_point_id no ipv6
show peer-net [netid] rpoc
show peer-net [netid] connectivity
Load Balancing Group
load-balancing-group GroupId rpoc poc_id ip ip_address [udp [port] | tcp [port] | sctp [port] | tls [port]]
load-balancing-group GroupId rpoc poc_id no ipv4
load-balancing-group GroupId rpoc poc_id no ipv6
show load-balancing-group [GroupId] rpoc [poc_id]
show load-balancing-group [GroupId] connectivity
C Configuration backup & restore
Backup configuration on the SFW
Follow the procedure below to back up the SFW configuration.
Steps
1 Execute the “copy running working” cli command to save the current configuration.
SFW-XXX> copy running working
Command successful
SFW-XXX>
2 Using SFTP to the SFW OAM IP, get the SFW configuration file “/mnt/mtd0/working/config.cfg” from the SFW. Username: support. Password: 44700$orvault
$ sftp support@x.x.x.x
Connecting to x.x.x.x...
support@x.x.x.x's password:
sftp> get /mnt/mtd0/working/config.cfg
Fetching /mnt/mtd0/working/config.cfg to config.cfg
/mnt/mtd0/working/config.cfg 100% 24KB 23.9KB/s 00:00
sftp> bye
3 The configuration file is saved on the remote server after completing the above two steps.
END OF STEPS
Restore configuration to the SFW
Follow the procedure below to restore the SFW configuration.
Steps
1 Put the backup configuration file back into the SFW “/” directory using SFTP to the SFW OAM IP from the remote server. Username: support. Password: 44700$orvault.
$ sftp support@x.x.x.x
Connecting to x.x.x.x...
support@x.x.x.x's password:
sftp> pwd
Remote working directory: /
sftp> put config.cfg
Uploading config.cfg to /config.cfg
config.cfg 100% 24KB 23.9KB/s 00:00
sftp> bye
2 Execute the “show sfw status” cli command to get the slot number of the active DHSPP.
SFW-XXX> show sfw status
+------+---------+---------+-------------+
! slot ! DHSPP   ! SCM     ! Temperature !
!      ! role    ! role    ! (celsius)   !
+------+---------+---------+-------------+
! 10   ! ACTIVE  ! ACTIVE  ! 51          !
! 11   ! STANDBY ! UNKNOWN ! 50          !
+------+---------+---------+-------------+
3 Access the SFW by SSH to the SFW OAM IP. Username: support. Password: 44700$orvault.
$ ssh support@10.84.13.10
support@10.84.13.10's password:
BusyBox v1.2.1 (2013.08.27-07:36+0000) Built-in shell (ash)
Enter 'help' for a list of built-in commands.
/ $
4 Change the user to “root” by executing “telnet 1.1.1.slot”. In our example, the active slot number is 10, based on the output of the cli command “show sfw status”.
/ $ telnet 1.1.1.10
Entering character mode
Escape character is '^]'.
BusyBox v1.2.1 (2013.08.27-07:36+0000) Built-in shell (ash)
Enter 'help' for a list of built-in commands.
~ #
5 Copy the configuration file to the configuration directory.
~ # cp /config.cfg /mnt/mtd0/working/config.cfg
~ # cp /config.cfg /mnt/mtd0/certified0/config.cfg
~ # cp /config.cfg /mnt/mtd0/certified1/config.cfg
~ # cp /config.cfg /mnt/mtd0/certified2/config.cfg
6 Copy the configuration file to the configuration directory on the standby card by rcp. The standby SFW IP is 1.1.1.slot. In our example, the standby slot number is 11, based on the output of the cli command “show sfw status”.
~ # rcp /config.cfg 1.1.1.11:/mnt/mtd0/working/config.cfg
~ # rcp /config.cfg 1.1.1.11:/mnt/mtd0/certified0/config.cfg
~ # rcp /config.cfg 1.1.1.11:/mnt/mtd0/certified1/config.cfg
~ # rcp /config.cfg 1.1.1.11:/mnt/mtd0/certified2/config.cfg
7 Execute the “switchover” cli command to switch over SFW.
SFW-XXX> switchover
Running duplex mode configuration synced. Are you sure (Y/N)? y
Command successful
SFW-XXX>
8 Log in to the CLI again after the SFW has switched over. Check the SFW status using “show sfw status”. When the SFW status becomes active/standby, execute “switchover” again.
SFW-XXX> show sfw status
+------+---------+---------+-------------+
! slot ! DHSPP   ! SCM     ! Temperature !
!      ! role    ! role    ! (celsius)   !
+------+---------+---------+-------------+
! 11   ! ACTIVE  ! STANDBY ! 50          !
! 10   ! STANDBY ! UNKNOWN ! 51          !
+------+---------+---------+-------------+
SFW-XXX> switchover
Running duplex mode configuration synced. Are you sure (Y/N)? y
Command successful
SFW-XXX>
9 The configuration is restored after completing the above eight steps.
END OF STEPS
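As an added example (not from this guide or the SFW product), the Python below parses the “show sfw status” table from steps 2 and 8 to find the active and standby DHSPP slots, refuses to proceed unless the roles are exactly active/standby, and lists the cp and rcp commands of steps 5 and 6 for that standby slot. The table text it reads is constructed after the output shown above.

```python
# Constructed "show sfw status" output, laid out like the table in step 2.
SAMPLE_STATUS = """\
+------+---------+---------+-------------+
! slot ! DHSPP   ! SCM     ! Temperature !
!      ! role    ! role    ! (celsius)   !
+------+---------+---------+-------------+
! 10   ! ACTIVE  ! ACTIVE  ! 51          !
! 11   ! STANDBY ! UNKNOWN ! 50          !
+------+---------+---------+-------------+
"""

# Configuration directories written in steps 5 and 6.
CONFIG_DIRS = ("working", "certified0", "certified1", "certified2")

def parse_sfw_status(output):
    """Return {slot: DHSPP role} from the '!'-delimited rows of the table."""
    roles = {}
    for line in output.splitlines():
        line = line.strip()
        if not line.startswith("!"):
            continue  # border lines and the prompt
        cells = [c.strip() for c in line.strip("!").split("!")]
        if cells[0].isdigit():  # header rows carry no slot number
            roles[int(cells[0])] = cells[1]
    return roles

def active_standby(output):
    """Return (active_slot, standby_slot), or None while the system is not in a
    clean active/standby state (for instance right after a switchover)."""
    roles = parse_sfw_status(output)
    active = [s for s, r in roles.items() if r == "ACTIVE"]
    standby = [s for s, r in roles.items() if r == "STANDBY"]
    if len(active) == 1 and len(standby) == 1:
        return active[0], standby[0]
    return None

def restore_commands(standby_slot):
    """Commands of steps 5 and 6, to be run from the active card's root shell."""
    local = [f"cp /config.cfg /mnt/mtd0/{d}/config.cfg" for d in CONFIG_DIRS]
    remote = [f"rcp /config.cfg 1.1.1.{standby_slot}:/mnt/mtd0/{d}/config.cfg"
              for d in CONFIG_DIRS]
    return local + remote

if __name__ == "__main__":
    pair = active_standby(SAMPLE_STATUS)
    if pair is None:
        raise SystemExit("SFW is not active/standby yet; wait and re-check")
    print("\n".join(restore_commands(pair[1])))
```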