
Accessing the Avaya G250/G350 Media Gateway

54 Administration for the Avaya G250 and Avaya G350 Media Gateways

 

Authenticating service logins with Access Security Gateway (ASG) authentication

The gateway supports ASG authentication for remote service logins. Direct remote connection 
of services to the gateway is needed for gateways that are under service contract, do not have 
LSPs, and are controlled by external MGCs. ASG is a more secure authentication method than 
password authentication and does not require a static password.

ASG uses one-time tokens for authentication, in which a unique secret key is associated with 
each login. ASG authentication is a challenge-response system, in which the remote user 
receives a challenge from the gateway and returns an ASG authenticated response, which the 
gateway verifies before permitting access. A new challenge is used for each access attempt.

ASG authentication is supported for remote services connecting to the gateway using telnet or 
SSH protocols via any of the following:

Dial-up modem connected to the USB or Console port

Frame relay or leased line

Secure gateway VPN

Direct connection to the front panel Console port using the "craft" login

When ASG authentication is enabled on the G350, the G350 recognizes any login attempts 
using Avaya Services reserved usernames as service logins, and requests ASG authentication 
from the user, instead of a static user password. 

The following usernames are reserved for Avaya Services usage: rasaccess, sroot, init, inads, and craft.

When ASG authentication is enabled on the G350, all password user accounts with usernames 
similar to the reserved service logins are deactivated. 
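
The login flow described above, modelled as an added example (not Avaya's code and not taken from the manual). The response function is an HMAC-SHA256 stand-in rather than the actual ASG algorithm; the `Gateway` class, the key values, and the exact-name handling of "similar" usernames are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Usernames this page lists as reserved for Avaya Services.
RESERVED_LOGINS = frozenset({"rasaccess", "sroot", "init", "inads", "craft"})


def compute_response(secret_key: bytes, challenge: str) -> str:
    """Keyed response to a challenge.

    Assumption: HMAC-SHA256 is a stand-in chosen for this example; it is
    not the algorithm ASG uses.
    """
    mac = hmac.new(secret_key, challenge.encode("utf-8"), hashlib.sha256)
    return mac.hexdigest()[:16]


class Gateway:
    """Hypothetical model of the gateway side of a login with ASG enabled."""

    def __init__(self, auth_file, password_users):
        # auth_file: login name -> secret key unique to that login.
        self.auth_file = dict(auth_file)
        # Password accounts that collide with a reserved login are
        # deactivated (simplified here to an exact-name match).
        self.password_users = set(password_users) - RESERVED_LOGINS
        self._pending = {}  # login name -> outstanding challenge

    def start_login(self, username):
        """Decide which credential the gateway asks for."""
        if username in RESERVED_LOGINS:
            challenge = secrets.token_hex(8)  # fresh for every attempt
            self._pending[username] = challenge
            return ("challenge", challenge)
        return ("password", None)

    def finish_service_login(self, username, response):
        """Verify a response; each challenge is consumed on first use."""
        challenge = self._pending.pop(username, None)
        key = self.auth_file.get(username)
        if challenge is None or key is None:
            return False
        expected = compute_response(key, challenge)
        return hmac.compare_digest(expected.encode(), response.encode())


def demo():
    """Run one service login and one replay attempt with constructed keys."""
    craft_key = b"constructed-sample-key-for-craft"
    gw = Gateway({"craft": craft_key}, {"admin", "craft"})

    method, challenge = gw.start_login("craft")
    response = compute_response(craft_key, challenge)
    first = gw.finish_service_login("craft", response)

    # Replaying the captured response fails: the challenge was consumed,
    # and the next attempt is issued a different one.
    replay = gw.finish_service_login("craft", response)
    gw.start_login("craft")
    stale = gw.finish_service_login("craft", response)

    return {
        "method": method,
        "first": first,
        "replay": replay,
        "stale": stale,
        "admin_method": gw.start_login("admin")[0],
        "password_users": sorted(gw.password_users),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```
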

Enabling ASG authentication

ASG authentication can be enabled and disabled on the gateway and requires an ASG 
authentication file. The ASG authentication file contains Avaya Services accounts for 
authenticating users at login as members of Avaya Services. 

1. Download the ASG authentication file for the gateway from the Authentication File System (AFS) application on the RFA information page to an FTP, SCP, or TFTP server, as described in Installing and Upgrading the Avaya G250 Media Gateway, 03-300434 and Installing and Upgrading the Avaya G350 Media Gateway, 03-300394.

2. Download the authentication file from the FTP, SCP, or TFTP server to the gateway. Use one of the following commands:

To download an authentication file from a remote FTP server: copy ftp auth-file filename ip, where filename is the name of the authentication file, including the

Summary of Contents for Media Gateway G250

Page 1: ...Administration for the Avaya G250 and Avaya G350 Media Gateways 03 300436 Issue 5 June 2008 ...

Page 2: ...e extent made by the Customer or End User Link disclaimer Avaya Inc is not responsible for the contents or reliability of any linked websites referenced elsewhere within this documentation and Avaya does not necessarily endorse the products services or information described or offered within them We cannot guarantee that these links will work all of the time and we have no control over the availab...

Page 3: ...media module 30 G250 available models 31 Chapter 2 Configuration overview 33 Defining the Console interface 33 Defining the USB modem interface 34 Defining other interfaces 34 Configuration using CLI 35 Configuration using GUI applications 35 Saving configuration changes 36 Summary of configuration changes CLI commands 36 Firmware version control 37 Chapter 3 Accessing the Avaya G250 G350 Media Ga...

Page 4: ...ontents 51 Managing password lockout and disabling 52 Managing password expiry 52 Changing a password 52 Displaying user account information 53 Summary of user account CLI commands 53 Authenticating service logins with Access Security Gateway ASG authentication 54 Enabling ASG authentication 54 Replacing the ASG authentication file 55 Configuring ASG authentication 57 Displaying ASG authentication...

Page 5: ...nds 78 Managing gateway secrets 78 Configuring the Master Configuration Key 79 Summary of Master Configuration Key configuration commands 79 Enabling SYN cookies 79 Configuring SYN cookies 80 Maintaining SYN cookies 81 Summary of SYN cookies configuration commands 81 Managed Security Services MSS 81 MSS reporting mechanism 82 Configuring MSS 82 DoS attack classifications 84 Defining custom DoS cla...

Page 6: ...esolver logging 104 Summary of DNS resolver configuration commands 105 Viewing the status of the device 106 Summary of device status commands 107 Software and firmware management 108 File transfer 108 Software and firmware upgrades 109 Managing the firmware banks 109 Upgrading software and firmware using FTP TFTP 110 Upgrading software and firmware using a USB mass storage device 111 Uploading sof...

Page 7: ...a 134 PIM configuration data 135 Entering SLS mode 136 Unregistered state 136 Setup state 136 Registered state 136 Teardown 137 SLS interaction with specific G250 G350 features 137 Direct Inward Dialing in SLS mode 137 Multiple call appearances in SLS mode 138 Hold in SLS mode 139 Call Transfer in SLS mode 140 Using contact closure in SLS mode 142 IP Softphone shared administrative identity in SLS...

Page 8: ...nnecting devices to the fixed router 211 Ethernet ports on the G350 212 Ethernet ports on the G350 Media Gateway switch 212 Ethernet ports on the G350 Media Gateway router 212 Cables used for connecting devices to the fixed router 212 Configuring switch Ethernet ports 213 Switch Ethernet port commands 213 Summary of switch Ethernet port configuration CLI commands 215 Configuring the WAN Ethernet p...

Page 9: ...33 Deleting current log file and opening an empty log file 233 Displaying log file messages 234 Displaying conditions defined for the file output sink 234 Log file message format 235 Configuring a session log 235 Discontinuing the display of system messages 235 Displaying how the session logging is configured 236 Session logging message format 236 Configuring logging filters 237 Setting the loggin...

Page 10: ...em use 259 Configuring the USB modem interface 259 Configuring the USB port for modem use 259 Summary of CLI commands for configuring the USB port for modem use 261 Configuring the Console port for modem use 262 Summary of CLI commands for configuring the Console port for modem use 263 Configuring the console device to connect to the Console port 264 Chapter 10 Configuring WAN interfaces 265 Seria...

Page 11: ...l installations 294 Prerequisites for configuring modem dial backup 294 Configuring modem dial backup 295 Modem dial backup interactions with other features 299 Configuration example 300 Command sequence 302 Command sequence explanation 303 Modem dial backup maintenance 305 Activating session logging 305 Setting the severity level of the logging session 305 Summary of modem dial backup commands 31...

Page 12: ...ommands 336 Frame relay encapsulation features 337 Frame relay traffic shaping and FRF 12 fragmentation 337 Configuring map classes 338 Displaying configured map classes 338 Summary of frame relay traffic shaping commands 339 Priority DLCI 339 Summary of priority DLCI commands 340 PPP VoIP configuration 341 Site A connection details 341 Site B connection details 342 Configuration Example for Site ...

Page 13: ...n commands 365 Configuring dynamic trap manager 366 Summary of dynamic trap manager configuration commands 367 SNMP configuration examples 368 Chapter 14 Configuring contact closure 371 Contact closure hardware configuration 371 Contact closure software configuration 372 Showing contact closure status 373 Summary of contact closure commands 373 Chapter 15 Transferring and managing announcement fil...

Page 14: ...2 Rapid Spanning Tree Protocol RSTP 392 Spanning tree CLI commands 394 Spanning tree configuration examples 395 Summary of spanning tree commands 398 Port classification 399 Port classification CLI commands 399 Port classification configuration examples 399 Summary of port classification commands 401 Chapter 17 Configuring monitoring applications 403 Configuring RMON 403 RMON CLI commands 404 RMON...

Page 15: ...ng 446 What can be captured 447 Streams that can always be captured 447 Streams that can never be captured 447 Streams that can sometimes be captured 447 Configuring packet sniffing 448 Enabling packet sniffing 448 Limiting packet sniffing to specific interfaces 448 Creating a capture list 449 Defining rule criteria for a capture list 449 Viewing the capture list 456 Applying a capture list 456 Co...

Page 16: ...ng corrections 483 Summary of integrated analog testing commands 484 Chapter 18 Configuring the router 487 Configuring interfaces 487 Router interface concepts 488 Physical router interfaces 488 Layer 2 virtual interfaces 488 Layer 2 logical interfaces 489 IP Interface configuration commands 489 Configuring interface parameter commands 489 Interface configuration examples 490 Displaying interface ...

Page 17: ...tion example 508 Summary of GRE tunneling commands 510 Configuring DHCP and BOOTP relay 511 DHCP 511 BOOTP 511 DHCP BOOTP relay 512 DHCP BOOTP relay commands 513 Summary of DHCP and BOOTP relay commands 513 Configuring DHCP server 514 Typical DHCP server application 515 DHCP server CLI configuration 516 Configuring Options 517 Configuring vendor specific options 518 Optional DHCP server CLI comman...

Page 18: ...s 537 Summary of OSPF commands 539 Route redistribution 541 Export default metric 541 Summary of route redistribution commands 542 Configuring VRRP 542 VRRP configuration example 543 VRRP commands 544 Summary of VRRP commands 545 Configuring fragmentation 546 Fragmentation commands 547 Summary of fragmentation commands 547 Chapter 19 Configuring IPSec VPN 549 G250 G350 R2 2 VPN capabilities 549 G2...

Page 19: ...c VPN configuration 573 Displaying IPSec VPN status 574 IPSec VPN intervention 574 IPSec VPN logging 575 Typical installations 576 Simple VPN topology VPN hub and spokes 576 Configuring the simple VPN topology 577 Configuration example 579 Using dynamic local peer IP 582 Enabling continuous channel 585 Full or partial mesh 586 Full solution hub and spoke with VPN 598 Typical failover applications ...

Page 20: ...icy lists rule criteria 646 IP protocol 647 Source and destination IP address 647 Source and destination port range 648 ICMP type and code 649 TCP establish bit access control lists only 650 Fragments 650 DSCP 650 Composite Operation 650 Composite operations 651 Pre configured composite operations for access control lists 651 Pre configured composite operations for QoS lists 652 Configuring compos...

Page 21: ...ing PBR lists 673 Application example 674 Configuration for the sample policy based routing application 676 Simulating packets in PBR 679 Summary of policy based routing commands 679 Chapter 22 Setting synchronization 683 Synchronization status 684 Displaying synchronization status 685 Summary of synchronization commands 685 Chapter 23 FIPS 687 G250 image and interfaces 687 G250 BRI image and inte...

Page 22: ...3 G250 G350 traps 743 G250 G350 MIB files 751 MIB files in the Load MIB file 753 MIB files in the RFC1315 MIB my file 754 MIB files in the Q BRIDGE MIB my file 756 MIB files in the ENTITY MIB my file 757 MIB files in the IP FORWARD MIB my file 758 MIB files in the VRRP MIB my file 759 MIB files in the UTILIZATION MANAGEMENT MIB my file 760 MIB files in the ENTITY SENSOR MIB my file 761 MIB files i...

Page 23: ...n the BRIDGE MIB my file 789 MIB files in the CONFIG MIB my file 791 MIB files in the G700 MG MIB my file 795 MIB files in the FRAME RELAY DTE MIB my file 799 MIB files in the IP MIB my file 801 MIB files in the Load12 MIB my file 802 MIB files in the PPP LCP MIB my file 804 MIB files in the WAN MIB my file 805 MIB files in the SNMPv2 MIB my file 807 MIB files in the OSPF MIB my file 808 MIB files...


Page 25: ...You can download the latest version of the Administration for the Avaya G250 and Avaya G350 Media Gateways from the Avaya website You must have access to the Internet and a copy of Acrobat Reader must be installed on your personal computer Avaya makes every effort to ensure that the information in this book is complete and accurate However information can change after we publish this book Therefor...

Page 26: ...vaya G250 Media Gateway 03 300433 Quick Start for Hardware Installation The Avaya G350 Media Gateway 03 300148 Installing and Upgrading the Avaya G250 Media Gateway 03 300434 Installing and Upgrading the Avaya G350 Media Gateway 03 300394 Avaya G250 and Avaya G350 CLI Reference 03 300437 Maintenance Alarms for Avaya Communication Manager Media Gateways and Servers 03 300430 Maintenance Commands fo...

Page 27: ... 7585 Maintenance and repair call the Avaya National Customer Care Support Line at 1 800 242 2121 Toll fraud call Avaya Toll Fraud Intervention at 1 800 643 2353 International For all international resources contact your local Avaya authorized dealer for additional help Trademarks All trademarks identified by the or are registered trademarks or trademarks respectively of Avaya Inc All other tradem...

Page 28: ... book To reach us by Mail send your comments to Avaya Inc Product Documentation Group Room B3 H13 1300 W 120th Ave Westminster CO 80234 USA E mail send your comments to document avaya com Fax send your comments to 1 303 538 1741 Mention the name and number of this book Administration for the Avaya G250 and Avaya G350 Media Gateways 03 300436 ...

Page 29: ... the G250 DCP model also supports DCP telephones The G350 is designed for use in a 16 40 user environment but can support sites with up to 72 stations The G250 is designed for smaller branch offices with two to eight users Note Note Instructions in this guide are valid for both the Avaya G250 and Avaya G350 Media Gateways except where otherwise noted G250 and G350 contents An advanced router A hig...

Page 30: ...350 the G350 also supports Power over Ethernet PoE IP telephones DCP digital telephones Analog telephones and trunks E1 T1 trunks ISDN PRI trunks ISDN BRI trunks E1 T1 and USP WAN data lines On board ports USP ports G250 without media modules The G250 supports the following on the device itself without plug in media modules Power over Ethernet PoE IP telephones Analog telephones and trunks E1 T1 t...

Page 31: ... s fixed analog trunk ports with two ISDN BRI trunk ports DCP model G250 DCP The G250 DCP provides twelve DCP Digital Communications Protocol ports as well as four analog trunk ports two analog line ports a Fast Ethernet WAN port and two LAN ports DS1 model G250 DS1 The G250 DS1 provides a T1 E1 and a PRI trunk port enabling support of fractional T1 E1 and PRI The G250 DS1 also includes one analog...


Page 33: ...g the G250 G350 see Accessing the Avaya G250 G350 Media Gateway on page 39 Defining the Console interface The first thing you should do when configuring a new G250 G350 is to assign an IP address to the Console interface It is not necessary to include a subnet mask 1 Enter interface console to enter the Console context 2 Use the ip address command to define an IP address for the Console interface ...

Page 34: ...ularly the Media Gateway Controller MGC Management data intended for the G250 G350 is routed to the interface defined as the PMI You can use any interface as the PMI For instructions on how to define the PMI see Configuring the Primary Management Interface PMI on page 90 Once you have defined a PMI you must register the G250 G350 with an MGC The MGC is a call controller server that controls teleph...

Page 35: ...essing Avaya IW on page 44 For step by step instructions on how to configure the G250 G350 using the Avaya IW see Installing and Upgrading the Avaya G250 Media Gateway 03 300434 or Installing and Upgrading the Avaya G350 Media Gateway 03 300394 The Gateway Installation Wizard GIW is a standalone application that allows the user to perform certain basic G250 G350 configuration tasks The GIW can be ...

Page 36: ...configuration and loads the startup configuration as the new running configuration When you change the configuration of the G250 G350 your changes affect only the running configuration Your changes are lost when the G250 G350 resets if you do not save your changes Enter copy running config startup config to save changes to the configuration of the G250 G350 A copy of the running configuration beco...

Page 37: ...ware These may be different versions The purpose of this feature is to provide redundancy of firmware You can save an old version of the firmware in case you need to use it later If it becomes necessary to use the older version you can enter set boot bank bank x and then reset the G250 G350 to use the older version This is particularly important when uploading new versions For more information on ...


Page 39: ...configure the Avaya G250 G350 Media Gateway and media modules You can access the CLI with any of the following Telnet through the network A console device Telnet through dialup Telnet through a serial modem Telnet through a USB modem Telnet through a USB modem via the S8300 If the G250 G350 is under service contract with Avaya Services remote service providers can connect remotely to service the G...

Page 40: ...mands You can use the tree command to view the available commands in each context CLI help You can display a list of commands for the context you are in by typing help or The help command displays a list of all CLI commands that you can use within the current context with a short explanation of each command If you type help or before or after the first word or words of a command the CLI displays a...

Page 41: ... about the Console port see Configuring the Console port for modem use on page 262 Connecting a console device to the Services port A console device connected directly to the Services port of the S8300 Server requires a specific configuration of its network settings Note Note Make a record of any IP addresses DNS servers or WINS entries that you change when you configure your services laptop Unles...

Page 42: ...ularly useful if the normal telnet logout does not work Accessing the CLI via a USB modem 1 Connect a modem to the USB port on the front panel of the Avaya G250 or Avaya G350 Media Gateway Use a USB cable to connect the modem The G250 G350 supports the Multitech MultiModem USB MT5634ZBA USB V92 2 Make sure the USB port is properly configured for modem use For details see Configuring the USB port f...

Page 43: ...ur network has a RADIUS server you can use RADIUS authentication for the PPP connection 4 Open any standard telnet program on the remote computer 5 Open a telnet session to the IP address of the Console port on the G250 G350 6 Configure the serial connection on the remote computer to match the configuration of the Console port on the G250 G350 The Console settings are the same as the USB port sett...

Page 44: ...vaya G350 Media Gateway 03 300394 3 From a remote computer create a dialup network connection to the S8300 Use the TCP IP and PPP protocols to create the connection 4 Open any standard telnet program on the remote computer 5 Enter the command telnet followed by the IP address of the S8300 USB port to which the modem is connected 6 Enter the command telnet followed by the PMI of the G250 G350 Acces...

Page 45: ...n Note Note Make sure the customer can change this login its password or its permissions later 7 From the Integrated Management main menu select Launch Maintenance Web Interface 8 From the navigation menu of the Maintenance Web Pages select Security Administrator Accounts The Administrator Accounts screen appears 9 Select Add Login 10 Select Privileged Administrator and click Submit The Administra...

Page 46: ...the section Force password key change on next login select no 17 Click Submit The system informs you the login is added successfully 18 Click the Launch Installation Wizard link on the home page The Avaya IW Overview screen appears Figure 1 Avaya IW Overview screen For step by step instructions on how to configure the G250 G350 using the Avaya IW see Installing and Upgrading the Avaya G250 Media G...

Page 47: ...uring the Media Gateway Controller MGC on page 92 Check connectivity between the G250 G350 and its Media Gateway Controller Display information on the G250 G350 and media modules installed on the G250 G350 Enable the G250 G350 for modem use see Configuring the G250 and G350 for modem use on page 259 Install software and firmware upgrades see Software and firmware upgrades on page 109 Access the GI...

Page 48: ...ks especially provisioning and installing large numbers of gateways simultaneously One of PIM s primary functions is to provision and configure Standard Local Survivability SLS on the G250 and G350 See Configuring Standard Local Survivability SLS on page 129 PIM is launched from the Avaya Network Management Console The Avaya Network Management Console is the central infrastructure application that...

Page 49: ...ication Manager 03 300509 Avaya G250 G350 Media Gateway CLI See Accessing the registered MGC on page 97 Managing login permissions You can manage login permissions to enable different privilege levels for each user and to operate the security mechanism Security overview The Avaya G250 G350 Media Gateway includes a security mechanism through which the system administrator defines users and assigns ...

Page 50: ...stead of a username and password A RADIUS server provides centralized authentication service for many devices on a network Privilege level When you open the Avaya G350 Manager or access the CLI you must enter a username The username that you enter sets your privilege level The commands that are available to you during the session depend on your privilege level If you use RADIUS authentication the ...

Page 51: ... on page 51 The following example creates a user named John with the password john7Long and a Read write privilege level Managing password length and contents Use the following commands to control password length and the characters it must include Use the login authentication min password length command to set the minimum password length to between 8 and 31 characters The default length is 8 chara...

Page 52: ...ntication inactivity period command to disable a local user account after an inactivity period of 2 365 days Managing password expiry You can force all passwords to expire within a certain period of time after they were created Accounts with expired passwords are locked and require an administrator to reset the account using the username command However a user can change the password before it exp...

Page 53: ...able a local user account after successive failed login attempts login authentication min password digit chars Set the minimum number of digit characters that a password must contain login authentication min password length Set the minimum password length login authentication min password lower chars Set the minimum number of lowercase characters that a password must contain login authentication m...

Page 54: ...anel Console port using the craft login When ASG authentication is enabled on the G350 the G350 recognizes any login attempts using Avaya Services reserved usernames as service logins and requests ASG authentication from the user instead of a static user password The following usernames are reserved for Avaya Services usage rasaccess sroot init inads and craft When ASG authentication is enabled on...

Page 55: ...login authentication services logins 3 For connection to Avaya Services via modem dial up enable the RASaccess operation mode for modem operation using ppp authentication ras The gateway must also be configured for remote modem access and enabled as described in Installing and Upgrading the Avaya G250 Media Gateway 03 300434 or Installing and Upgrading the Avaya G350 Media Gateway 03 300394 4 For ...

Page 56: ... authentication file including the full path and ip is the IP address of the host The G350 prompts you for a username and password after you enter the command To download an authentication file from a remote SCP server copy scp auth file filename ip where filename is the name of the authentication file including the full path and ip is the IP address of the host The G350 prompts you for a username...

Page 57: ...to authentication requests before timing out a connection using login authentication response time time where time is the time in seconds after which the gateway aborts the connection if no response is received For example to timeout connections if no response arrives within 180 seconds after an authentication request Use no login authentication response time to return the response time value to t...

Page 58: ...s logins defined in the ASG authentication file Remote users maintained centrally in a Radius server are not subject to the lockout sanction Switch between modem operation modes including rasaccess and ppp modes using ppp authentication pap chap none ras ASG authentication is enabled when ras is selected For example Displaying ASG authentication information Display login authentication settings an...

Page 59: ...ccess read only Services yes challenge root admin local yes password Table 4 ASG authentication CLI command Command Description copy auth file ftp Upload the authentication file from the gateway to an FTP server copy auth file scp Upload the authentication file from the gateway to an SCP server copy auth file tftp Upload the authentication file from the gateway to a TFTP server copy auth file usb ...

Page 60: ...e port When password authentication is disabled ASG authentication is activated login authentication response time Set the time the gateway waits for user response to authentication requests before timing out a connection login authentication lockout Set a policy for locking out access to the gateway after successive failed login attempts login authentication services logins Activate all Avaya Ser...

Page 61: ...50 after encryption based on the G250 G350 s public key When the G250 G350 receives the encrypted random number it decrypts it using the private key This random number is now used with the 3DES CBC encryption method for all encryption and decryption of data The public and private keys are no longer used Password authentication process Before any data is transferred the G250 G350 requires the clien...

Page 62: ...er are reversed To perform file transfers secured by SCP the G250 G350 launches a local SSH client via the CLI This establishes a secured channel to the secured file server The G250 G350 authenticates itself to the server by providing a username and password With a Windows based SSH server WinSSHD the username provided must be a defined user on the Windows machine with read write privileges The fi...

Page 63: ...thentication A RADIUS server provides centralized authentication service for many devices on a network When you use RADIUS authentication you do not need to configure usernames and passwords on the G250 G350 When you try to access the G250 G350 the G250 G350 searches for your username and password in its own database first If it does not find them it activates RADIUS authentication For additional ...

Page 64: ... optional Use the set radius authentication retry number command to set the number of times to resend an access request when there is no response Use the set radius authentication retry time command to set the time to wait before resending an access request Use the set radius authentication udp port command to set the RFC 2138 approved UDP port number Normally the UDP port number should be set to ...

Page 65: ... ports located on the G250 s front panel Table 7 RADIUS authentication configuration command Command Description clear radius authentication server Clear the primary or secondary RADIUS server IP address set radius authentication Enable or disable RADIUS authentication set radius authentication retry number Set the number of times to resend an access request when there is no response set radius au...

Page 66: ...whether the Supplicant is authorized to access the services provided by the Authenticator Authentication Modes Port based The authentication mode defined by the 802 1x standard This mode requires that each 10 100 802 1x enabled port be connected directly to a single 802 1x Supplicant so security will be maintained If more clients are connected to that port the first authenticated client opens the ...

Page 67: ...f the device is not authenticated the gateway initiates authentication with the device All unauthenticated device packets are discarded During this time all authenticated supplicants can send and receive packets from the port The G250 behaves a little differently The G250 controls only the egress packets i e until the device authenticates the port all packets from the network to the device are blo...

Page 68: ...ter set dot1x system auth control enable to enable 802 1x authentication on all ports set to auto mode To disable 802 1x authentication on the G250 G350 enter set dot1x system auth control disable Once the authentication process is enabled the process proceeds as follows The Supplicant is asked to supply a username and password If 802 1x authentication is enabled on the port the Authenticator init...

Page 69: ...t or a group of ports By default re authentication is disabled For example Note Note It is highly recommended to enable re authentication This is especially important for MAC based mode where the re authentication timer helps to re authenticate a device that moved to another port In this case re authentication updates the 802 1x port state regarding the supplicant connected to it To disable re aut...

Page 70: ... ports on which 802 1x is enabled Enter set port dot1x quiet period followed by the module and port number or range of ports and a time period in seconds 0 to 65535 to set the minimum idle time between authentication attempts for a specific port or ports Enter set dot1x tx period followed by a time period in seconds 1 to 65535 to set the time internal between attempts to access the Authenticated S...

Page 71: ...iod in seconds 0 to 65535 to set change the re authentication period which is the interval between a port s attempts to re authenticate the host if re authentication is enabled on the port Enter set port dot1x re authperiod followed by the module and port number and the length of the new re authentication period in seconds 0 to 65535 to set change the re authentication period for a specific port w...

Page 72: ... 30 2 Port Total Authenticated Authenticating Number Supp Supplicants Supplicants 6 1 0 0 0 6 2 0 0 0 Table 8 802 1x Show Port output description Column Description Port Number Number of the module and port Port Auth Mode The authentication mode Possible modes are MAC Based Port Based Port Control Port control type Valid values include force authorized force unauthorized auto Re Auth The state of ...

Page 73: ...tion request must be answered Max Req The maximum number of times a request for authentication is sent before timing out Module Number of the module and port Total Supp The number of currently connected supplicants Authenticated Supplicants The number of authenticated supplicants connected to the G250 G350 Authenticating Supplicants The number of supplicants connected to the G250 G350 being authen...

Page 74: ...iguration commands Command Description clear dot1x config Return the 802 1x values to default and disable the 802 1x application on the G250 G350 set dot1x lldp tlv Specify that if LLDP is enabled then upon 802 1x authentication of a supplicant the G250 G350 transmits the port LLDP information PVID Port VLAN in the LLDP packet sent to the supplicant set dot1x max req Set the maximum number of time...

Page 75: ...n individual port set port dot1x port mode Set a port s mode of authentication port based single supplicant or MAC based multiple supplicants set port dot1x quiet period Set the minimum idle time between authentication attempts for a specific port or ports set port dot1x re authenticate Manually re authenticate a port or group of ports set port dot1x re authentication Enable or disable automatic r...

Page 76: ...forgotten. You can only use the recovery password when accessing the G250/G350 via a direct connection to the Console port or Services port. Use the set terminal recovery password command to enable or disable the recovery password. Use this command only when accessing the G250/G350 via a direct connection to the Console port or Services port. show dot1x: Display the system 802.1x parameters including w...

Page 77: ...rm of this command to disable the G250/G350's ability to establish an incoming telnet connection. Enter ip telnet client to enable the G250/G350 to establish an outgoing telnet connection. Use the no form of this command to disable the G250/G350's ability to establish an outgoing telnet connection. Note: These commands are secured commands and are not displayed together with the running configura...

Page 78: ...o another. The only requirement is that the administrator must generate an identical MCK by using the same passphrase in the target device before executing the copy operation. Note: All gateways have the same default MCK. For security reasons, it is recommended to configure a new MCK immediately upon gateway installation. Table 11: Telnet access configuration commands. Command, Description: ip telnet E...

Page 79: ...ted host. Specifically, a SYN attack is a well-known TCP/IP attack in which a malicious attacker targets a vulnerable device and effectively denies it from establishing new TCP connections. SYN cookies refers to a well-known method of protection against a SYN attack. SYN attack (SYN flood attack): The SYN (TCP connection request) attack is a common DoS attack characterized by the following pattern: Using a ...

Page 80: ... ACK that contains a specially crafted initial sequence number (ISN) called a cookie. The value of the cookie is not a pseudo-random number generated by the system, but the result of a hash function. The hash result is generated from the source IP, source port, destination IP, destination port, and some secret values. The cookie can be verified when receiving a valid 3rd ACK that establishes the connection ...

Page 81: ...ormation about these commands, see Avaya G250 and Avaya G350 CLI Reference, 03-300437. Managed Security Services (MSS): Media Gateway IP interfaces and gateway applications such as WAN routers, PoE switches, and VPN devices can be at risk for DoS attacks. The G250/G350 identifies predefined or custom-defined traffic patterns as suspected attacks and generates SNMP notifications, referred to as Managed Secur...

Page 82: ...w the syslog messages through the Avaya Maintenance Web Interface (MWI) if you want to debug security issues directly. For information about how to view syslog messages, see Viewing QoS traps, QoS fault traps, and QoS clear traps on page 425. Note: Any additional SNMP recipients defined with the security notification group enabled also receive the MSS notifications. Configuring MSS: The MSS feature is ...

Page 83: ...s notification rate command 4 Ensure that INADS reporting is configured on the active MGC For information about configuring INADS reporting in Avaya Communication Manager see Avaya Communication Manager documentation define an SNMP group G350 001 super snmp server group MSS_group v3 noauth read iso write iso notify iso Done create a new snmp user belonging to the SNMP group G350 001 super snmp ser...

Page 84: ...h limited broadcast destination address. SYN FLOOD: The number of unacknowledged TCP SYN ACK exceeds a predefined rate. UNREACHABLE_PORT_ATTACK: TCP UDP IP packets sent to unreachable ports. MALFRAGMENTED_IP: Malfragmented IP packets on TO ME interfaces. MALFORMED_IP: Malformed IP packets. The G250/G350 reports malformed IP packets when: The IP version in the IP header is a value other than 4. The IP header...

Page 85: ...oofing other attack 100 other attack 101 other attack 102 other attack 103 other attack 104 and other attack 105 For example 4 Define the packet criteria to which the ACL rule should apply See Policy lists rule criteria on page 646 For example you can use destination ip to specify that the rule applies to packets with a specific destination address and you can use ip protocol to specify that the r...

Page 86: ...ACL For example 8 Enter the configuration mode of the interface on which you want to activate the ACL For example 9 Activate the configured ACL for incoming packets on the desired interface For example G350 001 super ACL 301 ip rule 1 exit G350 001 super ACL 301 exit G350 001 super interface vlan 203 G350 001 super if vlan 203 ip access group 301 in Done ...

Page 87: ...e 1 dos classification smurf Done apply predefined composite operation deny notify which drops the packet and causes the gateway to send a trap when it drops the packet G350 001 super ACL 301 composite operation Deny Notify Done specify that the ip rule applies to packets with this destination ip address G350 001 super ACL 301 ip rule 1 destination ip 255 255 255 255 0 0 0 0 Done Specify that the ...

Page 88: ...control list If the specified list does not exist the system creates it and enters its configuration mode ip rule Enter configuration mode for the specified rule If the specified rule does not exist the system creates it and enters its configuration mode ip protocol Specify that the current rule applies to packets having the specified IP protocol set mss notification rate Set the rate at which the...

Page 89: ...trator after installation of the G250 G350 1 Use the interface command to enter the interface context Some types of interfaces require an identifier as a parameter Other types of interfaces require the interface s module and port number as a parameter For example For more information on the various types of interfaces see Router interface concepts on page 488 2 Use the ip address command followed ...

Page 90: ... PMI check with your system administrator Setting the PMI of the G250 G350 1 Use the interface command to enter the context of the interface to which you want to set the PMI For example to use the VLAN 1 interface as the PMI enter interface vlan 1 Note Note If the interface has not been defined you must define it now 2 Enter pmi 3 Enter exit to return to general context 4 Enter copy running config...

Page 91: ...tem name command to specify the name of the G250 G350 Summary of PMI configuration CLI commands For more information about these commands see Avaya G250 and Avaya G350 CLI Reference 03 300437 Table 16 PMI configuration CLI commands Root level command Command Description interface fastethernet serial tunnel vlan loopback dialer Enter configuration mode for the FastEthernet Serial Tunnel VLAN Loopba...

Page 92: ...e Avaya G250 and Avaya G350 CLI Reference 03 300437 Configuring the Media Gateway Controller MGC The Media Gateway Controller MGC controls telephone services on the Avaya G250 G350 Media Gateway You can use a server with Avaya Communication Manager software as an MGC The G250 G350 supports both External Call Controllers ECC and Internal Call Controllers ICC An ICC is an Avaya S8300 Server that you...

Page 93: ...le as a fifth entry in the MGC list For details about SLS see Configuring Standard Local Survivability SLS on page 129 Standard Local Survivability SLS SLS consists of a module built into the G250 G350 to provide partial backup MGC functionality in the event that the connection with the primary MGC is lost This feature allows a local G250 G350 to provide a degree of MGC functionality when no link ...

Page 94: ...back from an LSP to the primary MGC A call for which the talk path between parties in the call has been established is considered stable A call consisting of a user listening to announcements or music is not considered stable and is not preserved Any change of state in the call prevents the call from being preserved For example putting a call on hold during MGC migration will cause the call to be ...

Page 95: ...ddress of the S8300 The remaining servers will be either alternate C LAN boards connected to the S8400 S8500 or S8700 series servers or an S8300 configured as an LSP or the port enabled as the Ethernet processor port on an S8500 configured as an LSP In the following example of the set mgc list command if the MGC with the IP address 132 236 73 2 is available that MGC becomes the G250 G350 s MGC If ...

Page 96: ...e the set mgc list command without first clearing the MGC list the G250 G350 simply adds the new MGCs to the end of the MGC list Setting reset times If the connection between the G250 G350 and its registered MGC is lost the G250 G350 attempts to recover the connection Use the set reset times primary search command and the set reset times total search command to set the timeout for the G250 G350 s ...

Page 97: ...mand whether or not the local S8300 is the G250 G350 s registered MGC Note Note Both the session mgc command and the session icc command open a telnet connection to the MGC To open a connection directly to the Avaya Communication Manager System Access Terminal SAT application in the MGC add sat to the command For example To open a connection to the MGC s LINUX operating system do not add sat to th...

Page 98: ...P address Table 19 MGC list configuration commands Command Description clear mgc list Remove one or more MGCs from the MGC list session Open a telnet connection to the MGC set icc monitoring Enable or disable heartbeat monitoring of an MGC in ICC or LSP mode set mediaserver Set the MGC management address and ports set mgc list Create a list of valid Media Gateway Controller s set reset times Set t...

Page 99: ...uration is for connecting the G250 G350 to the Internet and getting the DNS server information from the ISP Therefore interfaces configured to automatically learn the DNS servers in the system are usually the FastEthernet with PPPoE interface and the Dialer interface Typical DNS resolver application VPN failover In this typical application the DNS resolver feature is used to provide a VPN failover...

Page 100: ...tion command to specify a description for the list 3 Add a DNS server to the DNS servers list using the name server command Configure the following Assign an index number that ranks the DNS server by priority Specify the IP address of the DNS server G350 001 config ip domain name server list 1 G350 001 config name server list 1 G350 001 config name server list 1 description All DNS servers Done G3...

Page 101: ...in names 7 Optionally configure the number of DNS query retries using the ip domain retry command The default value is 2 8 Optionally configure the timeout for a DNS query using the ip domain timeout command The default value is 3 seconds 9 The DNS resolver is enabled by default If it was disabled and you wish to re enable it enter ip domain lookup G350 001 config name server list 1 name server 1 ...

Page 102: ...matically so the list of DNS servers will include the automatically learned DNS servers Instead For DHCP Client enable DHCP Client by entering ip address dhcp For information about DHCP Client see Configuring DHCP client on page 218 For PPP enable automatic discovery of DNS servers by entering ppp ipcp dns request Figure 4 DNS resolver configuration workflow ip domain name server list description ...

Page 103: ...splay information about DNS resolver Enter show ip domain to display the DNS resolver s configuration The output shows the DNS servers that were statically configured and those which were gathered using DHCP or PPP protocols as well as the list of domain suffixes G350 001 config ip domain name server list 1 G350 001 config name server list 1 description All DNS servers Done G350 001 config name se...

Page 104: ...g DNS resolver logging 1 Enter set logging session enable to enable session logging to the terminal 2 Enter set logging session condition DNSC to view all DNS resolver messages of level Info and above Note Note You can also enable logging messages to a log file or a Syslog server For a full description of logging on the G250 G350 see Configuring logging on page 229 G350 001 set logging session ena...

Page 105: ...remote peer during the PPP IPCP session ip domain list Specify static domain names suffixes to complete non FQDN names hostnames that do not end with a dot ip domain lookup Enable or disable the DNS resolver ip domain name server list Enter the context of the DNS servers list or set up the list description Set a name for the DNS servers list name server Add a DNS server to the list of up DNS serve...

Page 106: ...number of the media module as an argument For example to view information about the media module in slot 2 enter show mm v2 The output of the command shows the following information Slot number Uptime Type of media module Description Serial number and other hardware identification numbers Firmware version Number of ports Fault messages Use the show module command or enter show mg list_config to vi...

Page 107: ... and media module LEDs blink for five seconds Summary of device status commands For more information about these commands see Avaya G250 and Avaya G350 CLI Reference 03 300437 Table 21 Device status commands Command Description set utilization cpu Enable CPU utilization measurements show faults Display information about currently active faults show image version Display the software version of the...

Page 108: ...Avaya G250 G350 Media Gateway and other devices You can use file transfer to Install software and firmware upgrades on the G250 G350 Install firmware upgrades on media modules Back up and restore configuration settings show system Display information about the G250 G350 show temp Display the device temperature show timeout Display the amount of time in minutes the terminal remains idle before timi...

Page 109: ...r firmware You can upgrade the following types of software and firmware Firmware for the Avaya G250 G350 Media Gateway Java applet for Avaya G350 Manager G350 only Firmware for media modules Note Note You can also use the G250 G350 to upgrade the firmware and configuration files for IP phones For details see Installing and Upgrading the Avaya G250 Media Gateway 03 300434 or Installing and Upgradin...

Page 110: ...rom Bank B use the steps listed above to reset the G250 G350 to load the firmware from Bank A instead Upgrading software and firmware using FTP TFTP To upgrade software or firmware you must obtain an upgrade file from Avaya Place the file on your FTP or TFTP server Then use one of the following commands to upload the file to the G250 G350 For each of these commands include the full path of the fil...

Page 111: ...0 where the home directory is c home ftp and the upgrade file is located in the directory c home ftp version use the following command Note Note When downloading firmware from the S8300 use only the file name without the directory path in the command line Otherwise the procedure will fail For instance in the example above you must use the following command When downloading firmware from the S8300 ...

Page 112: ...ptB to upgrade IP phone scripts from the USB mass storage device Use the copy usb announcement file to upgrade announcements files from the USB mass storage device Use the copy usb auth file to upgrade the authentication file from the USB mass storage device Use the copy usb license file to upgrade the VPN license file from the USB mass storage device Use the copy usb startup config to upgrade the...

Page 113: ...m the gateway Copying files to a USB mass storage device You can use a USB mass storage device inserted into the G250 G350 USB port to copy individual files to a USB mass storage device Use the copy file usb command to upload a specific file from the gateway to the USB mass storage device where file can be any of the following announcement file Announcements files auth file Authentication file pho...

Page 114: ...rom the gateway to a TFTP server where file can be any of the following announcement file Announcements files capture file The packet sniffing buffer auth file Authentication file capture file The packet sniffing buffer cdr file A Call Detail Recording CDR file dhcp binding The DHCP binding file Summary of software and firmware management commands For more information about these commands see Avay...

Page 115: ...Upgrade announcements files from the USB mass storage device copy usb auth file Upgrade the authorization file from the USB mass storage device copy usb EW_archive Upgrade the Java applet for Avaya G350 Manager software from the USB mass storage device copy usb license file Upgrade the VPN license file from the USB mass storage device copy usb module Upgrade the firmware on a media module from the...

Page 116: ...multiple files with one CLI command which is simpler than the alternative TFTP FTP SCP method in which files are copied and restored individually A single CLI command backs up all the administration and configuration files of a gateway onto a USB mass storage device Another single command restores all of the backed up files If you need to completely replicate a media gateway you can also download ...

Page 117: ...egularly to a USB mass storage device This backup can be very helpful in restoring the gateway s configuration if it becomes faulty or in restoring the entire gateway 1 Connect a USB mass storage device to the G250 G350 USB port 2 Type s to commit the current configuration to NVRAM 3 Enter backup config usb usbdevice0 backup name where backup name is the backup directory path and file name you are...

Page 118: ...device 1 Make sure you have a backup of the G250 G350 on a USB mass storage device Refer to Backing up administration and configuration files using a USB mass storage device on page 117 2 Connect the USB mass storage device to the G250 G350 USB port 3 Enter restore usb usbdevice0 backup name where backup name is the backup directory path and file name on the USB mass storage device vpn_license cfg...

Page 119: ...w G250 G350 to a power source 4 In the new G250 G350 enter show image version to find out which of the two image banks holds the older gateway firmware version and what version it is 5 If the new G250 G350 firmware version is below 26 x y you must replace it with firmware version 26 x y or higher in order to enable the restore option To do so a Download the G250 G350 firmware from the Avaya suppor...

Page 120: ...pported IP phones as well as the 46xxupgrade txt or 46xxupgrade scr file b Insert the USB mass storage device into the PC s USB port c Copy the IP phone files from the PC to the USB mass storage device Place them in the IPPHONE subdirectory under the root backup directory Do not change the names of the downloaded files Note Note You will need to reset the IP phones after the restore operation on t...

Page 121: ...entication file g350_sw_24_21_1 bin or g250_sw_24_21_1 bin Gateway image g350_emweb_3_0_5 bin Embedded web image for G350 only IPPHONE IP phone scripts and images directory 46xxupgrade scr 46xxsettings txt 4601dape1_82 bin 4601dbte1_82 bin MM Media modules file directory relevant to the G350 only mm722v2 fdl mm714v67 fdl mm711h20v67 fdl mmanalogv67 fdl GWANNC Gateway announcements and music on hol...

Page 122: ...50 G350 with the serial number of the new gateway otherwise the gateway is not able to register in the Avaya Communication Manager See Administrator s Guide for Avaya Communication Manager 555 233 506 The new G250 G350 is now a restored fully operational G250 G350 Note Note Before unplugging the USB mass storage device use the safe removal usb command to safely remove the USB mass storage device R...

Page 123: ...ing USB commands are available Use the erase usb command to erase a file or directory on the USB mass storage device Use the show usb command to display the USB devices connected to the gateway Summary of USB backup restore and replication commands For more information about these commands see Avaya G250 and Avaya G350 CLI Reference 03 300437 Table 25 USB backup restore and replication CLI command...

Page 124: ...o another. For more information, see Managing gateway secrets on page 78. You can: Use the FTP/TFTP/SCP copy commands to transfer a configuration file between the G250/G350 and a server on the network. Use a USB mass storage device connected to the G250/G350 USB port to upload or download the startup configuration file of the G250/G350. You can use either the USB copy commands or use the USB backup and ...

Page 125: ...350 to an FTP server Use the copy running config tftp command to back up the running configuration on the G250 G350 to a TFTP server Use the copy running config scp command to back up the running configuration on the G250 G350 to a SCP server Use the copy startup config ftp command to back up the startup configuration on the G250 G350 to an FTP server Use the copy startup config tftp command to ba...

Page 126: ...ile from a USB mass storage device to the Startup Configuration NVRAM copy running config ftp Upload the current G250 G350 running configuration to a file on an FTP server copy running config scp Upload the current G250 G350 running configuration to a file on an SCP server copy running config tftp Upload the current G250 G350 running configuration to a file on a TFTP server copy startup config ftp...

Page 127: ...ts The dir command also shows the booter file which cannot be changed You can also use the dir command to list all files in the USB mass storage device connected to the G250 G350 Summary of file listing commands For more information about these commands see Avaya G250 and Avaya G350 CLI Reference 03 300437 Table 27 File listing CLI commands Command Description dir List all G250 G350 files or displ...

Page 129: ...vivability alternative offering limited call processing in survivable mode Although the G250 G350 can host an S8300 Server in ICC or LSP mode SLS offers both local survivability and call control In contrast to the server based survivability features SLS operates entirely from the media gateway and requires a data set comprised of Avaya Communication Manager translations survivable ARS analysis and...

Page 130: ...to pre configured local analog or IP phones that have registered Direct inward dialing Multiple call appearances Hold and call transfer functions Contact closure feature Local call progress tones dial tone busy etc Emergency Transfer Relay ETR in cases of power loss MM711 hw v20 Vintage 69 MM711 hw v30 Vintage 84 MM712 Vintage 8 MM714 hw v1 v5 Vintage 69 MM714 hw v10 Vintage 84 MM716 Vintage 84 MM...

Page 131: ...a phones supported in SLS Table 29 Avaya phones supported in SLS Analog DCP IP 2500 2402 4601 2410 4602 2420 4602sw 6402 4610sw 6402D 4612 6408 4620 6408 4620sw default 6408D default 4621 6408D 4622 6416D 4624 6424D 4625 8403B 8405B 8405B 8405D 8405D 8410B 8410D 8411B 8411D 8434D ...

Page 132: ...calling permissions Inbound calls are directed in one of three ways Using the Incoming Routing form Using the Set Incoming Destination on the Trunk group form which enables mapping to a given station Inbound calls are directed to a previously administered pool of available stations the Survivable Trunk Dest field is y on the Station form The search algorithm is circular so that the incoming calls ...

Page 133: ...gister simultaneously Direct Inward Dialing Multiple call appearances Hold and Call Transfer functions Contact closure feature Call Detail Recording CDR see SLS logging activities on page 144 Trunk Access Code TAC dialing Non ISDN DS1 trunks with in band signaling ISDN PRI BRI trunks T1 robbed bit All 24 channels serve as trunks without full 64 kbps transmission E1 CAS All 31 channels serve as tru...

Page 134: ...ation sent through the H 248 control channel Tone sources including a distinctly different dial tone to inform users that the system is operating in survivable mode Loss plan Avaya Communication Manager provisioning information for the options in the station and trunk media modules is sent through the CCMS channel Provisioning and Installation Manager PIM queries Avaya Communication Manager for st...

Page 135: ...ermine if anything has changed If the data set changes the newer data set is pushed down to the media gateway If the data set does not change the data set in NVRAM remains unchanged Figure notes 1 H 248 call signaling and configuration data 2 CCMS messages through Clear Channel 3 Media Gateway Maintenance Channel 4 PIM extracts Communication Manager translation subset through OSSI NOTE The SLS dat...

Page 136: ...t the G250 G350 registers with SLS resident on the G250 G350 for its call control SLS transitions between four possible SLS states Unregistered Setup Registered and Teardown Unregistered state This is the normal state in which SLS waits for an H 248 registration request from the G250 G350 When SLS receives the request it registers the G250 G350 and transitions to the Setup state Setup state In thi...

Page 137: ...stration with the primary MGC SLS determines that it needs to unregister with the G250 G350 due to internal error conditions Teardown state activities 1 Tears down endpoint objects 2 Sends unregistration requests to IP endpoints that are not on active calls IP endpoints lose registration with SLS and display the discovered IP address during re registration with an MGC 3 Closes the H 323 Gatekeeper...

Page 138: ...ffice WARNING WARNING An analog two wire DID trunk line is different from a standard analog loop start line With analog DID trunk lines the battery power feed to the line is supplied by the gateway s analog trunk interface With a standard loop start line the power is supplied by the central office which is why damage can occur from connecting a loop start PSTN trunk to the DID port The number of s...

Page 139: ...wer analog phones for example Avaya 62xx series have buttons with specific functions for placing a call on Hold Hold button A hold function that is local to the phone Pressing the Hold button causes the analog station to place a hold bridge in both directions at the telephone set No signaling notification is sent to the SLS call engine and therefore there is no ability to notify the other party th...

Page 140: ... want to toggle between the first and second calls press the switchhook and dial the FAC for Hold once each time you want to change calls Hang up Your phone will ring to notify you that you have a call on Hold When you lift the receiver you will hear a dial tone and can perform any of the activities listed in Step 3 Call Transfer in SLS mode Using the Call Transfer feature differs by user and by p...

Page 141: ...nating party If a transfer does not complete the event is logged Transferring an established call from an analog phone Newer analog phones for example Avaya 62xx series have buttons with specific functions for transferring a call The switchhook receiver on off hook sends a disconnect signal to the server and the Transfer Flash button sends a transfer message to the server 1 While on a call press t...

Page 142: ...for example 1 for contact pair 1 and 2 for contact pair 2 You hear stutter tone and then silence confirming these valid codes If you dial an invalid contact closure number you will hear an intercept tone Contact closure feature activations appear in the CDR log see Figure 7 Note Note If the contact closures are set to manual operation the FAC operation will not work even though the confirmation to...

Page 143: ...Save the changes Note Note If you administer the Terminal Type field as a DCP phone shared administrative identity functionality in SLS mode is not supported Emergency Transfer in SLS mode Emergency Transfer Relay ETR on the gateway connects or latches an analog loop start CO trunk port to an analog station port allowing the user to access the PSTN for emergency calls in these conditions Power out...

Page 144: ...idle If the gateway is still in ETR mode after the gateway registers with a new server Communication Manager maintenance must busy out the ports until it receives notification that the ports are idle and available for use SLS logging activities SLS exports call recording data in survivability mode The Call Detail Record CDR log contains detailed information about each outgoing call that uses a tru...

Page 145: ...f the log entry 10 46 35 is the time of the log entry CDR Informational is the category to aid sorting 10 46 is the time the call was placed 00 00 is the duration of the call in hours and minutes or 99 99 if the duration is greater than 99 hours A is the condition code Possible values are 7 Outgoing call 9 Incoming call G350 SLS super show logging cdr file content 02 18 2005 10 46 35 CDR Informati...

Page 146: ... A Outgoing TAC call or emergency call B Used for contact closure 15840 is the extension that activated the feature PULSE indicates the contact closure operation could also be OPEN or CLOSE 003 is the media gateway number 2 is the contact closure number Configuring SLS SLS is included as part of the resident gateway firmware package that is installed as part of the G250 G350 gateway firmware upgra...

Page 147: ...Perform the configuration during the initial administration of the host CM server 1 Access the CM administrative SAT interface For instructions on accessing the Avaya Communication Manager through the G250 G350 see Accessing the registered MGC on page 97 2 At the SAT enter change node names ip to display the IP Node Names form For example 3 In the Name field type the gateway name that is the name ...

Page 148: ...name of the gateway see Step 2 of Configuring the SLS data through the CLI on page 173 change system parameters mg recovery rule 1 Page 1 of 1 SYSTEM PARAMETERS MEDIA GATEWAY AUTOMATIC RECOVERY RULE Recovery Rule Number 1 Rule Name _____________ Migrate H 248 MG to primary immediately Minimum time of network stability 3 WARNING The MG shall be migrated at the first possible opportunity The MG may ...

Page 149: ...te receive calls from other endpoints in this survivable calling zone This field must be set equal to the IP Node Name of the media gateway that will support this station in survivable mode Survivable COR Places a restriction level for stations to limit certain users to only certain types of calls Emergency This station can only be used to place emergency calls which are defined Internal This stat...

Page 150: ...to receive not receive incoming trunk calls in survivable mode default is receive PIM extracts the Communication Manager Figure notes 1 Unrestricted Users can dial any valid routable number except an ARS pattern specifically administered as deny see Figure 9 ETR functionality and calls through the CO are permitted in this class 3 Local Users can only dial these call types locl public network local...

Page 151: ...he Avaya Network Management Console For information about PIM see Accessing PIM on page 48 1 Ensure that the Network Management Console NMC has discovered the media gateway 2 Before PIM s automatic scheduled SLS updates will work as expected set the device parameters for both the server and the gateway in the NMC Server Communication Manager login and password Note Note The server must be the firs...

Page 152: ...chedule form Figure 11 Figure 9 SLS ARS page 8 Optionally click the following buttons View Extract displays the current SLS administration data set for this gateway Perform Extract extracts the SLS information from the controlling Communication Manager server for this Media Gateway Actions enables you to edit or delete a previously administered entry The paper pencil icon is the edit icon which op...

Page 153: ...nd of a dialed string Min Length The minimum length of the user dialed number that the SLS call engine collects to match to the dialed string The default is the length of the specified dialed string element Max Length The maximum length of the user dialed number that the SLS call engine collects to match to the dialed string The default is the length of the specified dialed string element Number o...

Page 154: ... call the originator back Call Type Can be one of the following emer emergency call fnpa 10 digit NANP call hnpa 7 digit NANP call intl public network international number call iop international operator call locl public network local number call natl non NANP call op operator svc service Trunk Group Trunk group number 1 2000 which you can select from the drop down choices of trunk groups found in...

Page 155: ...r up to six SLS updates per day Figure 11 SLS Update Schedule page a Check the Enable SLS Updates box b Set as many as six Daily Updates Note: The Daily Updates must be at least four hours apart c Click Submit 12 Use the Backup Restore page Figure 12 to backup the PIM database backup schedule ...

Page 156: ...is route pattern must be modified using the CLI There are NO equivalent commands in the PIM wizard screens Enabling and disabling SLS To enable SLS on the G250 G350 enter set sls enable The G250 G350 responds with the message Survivable Call Engine is enabled To disable SLS on the G250 G350 enter set sls disable The G250 G350 responds with the message Survivable Call Engine is disabled Note: I...

Page 157: ...e taken not to run two SLS data update sessions concurrently The SLS data can be administered locally via CLI and centrally via PIM or an SNMP MIB browser This can cause a situation where one administrator can unknowingly undo the work of the other For example if a local administrator enters trunk group context just before a remote administrator performs an SNMP write operation to change a trunk g...

Page 158: ...ugh the gateway s SLS engine has that port administered the port is unusable during SLS operation on the gateway This is because the hardware port configuration on the media modules is initially configured by CM in subtending gateway mode by using the H 248 control channel to push information down to the gateway SLS capacities The following table lists the SLS capacities by gateway model You can c...

Page 159: ... station extension to display the Station form for this extension 6 Gather the necessary information from Table 35 Table 34 Matching the gateway with the analog station ports Gateway model Media module if applicable Slot configuration G250 Analog V3 G350 MM711 MM714 MM716 Slot V7 ana imm1t2l Table 35 Analog station form data to assemble for SLS 1 of 2 Page Field Name Notes 1 Extension 1 Port The p...

Page 160: ...he SAT enter display port port number where port number is the DCP station port on the gateway The system displays the extension number assigned to the port 5 Once you know the extension enter display station extension to display the Station form for this extension 2 Switchhook Flash This field appears when Type is 2500 1 Name This is the user s name Page numbers might vary for your system Table 3...

Page 161: ...number then it is accepted A new station slot port entry must include the V as in V401 1 Security Code Optional This value is the shared secret between Communication Manager and the media gateway and is used for the registration of an IP Softphone RoadWarrior 1 Type 2402 2410 2420 6402 6402D 6408 6408 6408D 6408D 6416D 6424D 8403B 8405B 8405B 8405D 8405D 8410B 8410D 8411B 8411D 8434D 1 Survivable ...

Page 162: ...t station type type where type is one of the supported IP stations The report lists all IP phones that could have the Survivable GK Node Name administered to the target media gateway The Survivable GK Node Name uniquely associates an IP phone with a particular media gateway 7 Once a match is made between the station form s Survivable GK Node Name and the target gateway s Node Name gather the value...

Page 163: ...the various list commands on CM to look for physical port matches in the various trunk SAT forms in order to discover what translation information is needed 4 Identify the analog trunk ports G250 Ports V305 V306 G250 BRI Ports V302 V303 G250 DCP Ports V305 V306 1 Type 4601 4602 4602SW 4606 4610SW 4612 4620 4620SW 4621 4622 4624 4625 1 Survivable COR Class of Restriction while in SLS mode 1 Surviva...

Page 164: ...e target gateway The system reports the Trunk Group Number Member Number for this particular port 9 Once you know the Trunk Group Number gather trunk group information according to Table 39 Table 39 Trunk group data to assemble for SLS Page Field Name Notes 1 Group Type This field specifies the type of trunks associated with this trunk group 1 Outgoing Dial Type The only acceptable values are tone...

Page 165: ...art Ground start DID In Band DS1 trunks with CO Group Type Loop start Ground start In Band DS1 trunks with Tie Group Type Wink wink Wink immediate Wink auto Immediate Immediate Auto auto Auto wink 1 Group Name Customer identification of trunk group 1 Codeset to Send Display Describes which Q 931 code sets are allowed to send Display IEs 1 Codeset to Send National IEs Describes which Q 931 code set...

Page 166: ...cified with the message sent while connecting to the network 2 Incoming CallingNumber Format Specifies how to fill the Calling Party Number and Called Party Number IEs 1 Incoming Destination Sets a destination station for routing incoming trunk group calls 1 Trunk Hunt Determines the method in which the survivable call engine selects an available trunk from the trunk group pool 6 Sig Grp Specifies...

Page 167: ...face field is set to peerslave 1 Country Protocol Specifies the Layer 3 signaling protocol used by the country specific service provider 1 Protocol Version Used in countries whose public networks allow multiple Layer 3 signaling protocols for ISDN PRI service 1 DCP Analog Bearer Capability Sets the Information Transfer capability in the Bearer Capability IE of the SETUP message 1 Interface Compand...

Page 168: ...cility The enabled setting is when there is a D channel present 1 Primary D channel Specifies the gateway port ID where the D channel is located For the gateways the first component is the three digit gateway number followed by a v the slot number and 24 T1 or 16 E1 1 Trunk Board This is needed only if the Associated Signaling is set to no This does not apply to SLS on the G250 Specifies the gatew...

Page 169: ...pecifies the Layer 3 signaling protocol used by the country specific service provider 1 DCP Analog Bearer Capability Sets the Information Transfer capability in the Bearer Capability IE of the SETUP message 2 Companding Mode Specifies the companding mode used by the far end switch 1 TEI LAPD address assignment for the TEI field 2 Directory Number A Channel B1 s directory number 2 Directory Number ...

Page 170: ...ateway of interest note its IP Network Region 4 At the SAT enter display ip network region n where n is the gateway s administered IP Network Region Read the Codec set field value from the IP Network Region form Table 43 Feature Access Codes to assemble for SLS Page Field Name Notes 1 Contact Closure Open Code Used to open a contact closure relay 1 Contact Closure Close Code Used to close a contac...

Page 171: ...rns and ARS analysis in Communication Manager you must first know which trunk groups are assigned to the gateway of interest After verifying this information perform the following steps 1 At the SAT enter list route pattern trunk group n where n is an administered trunk group to display the administered route pattern s 2 For the first preference for this route pattern entry read the values of the ...

Page 172: ...following steps 1 At the SAT enter display inc call handling trmt trunk group n where n is an administered trunk group 2 For each entry read the values of the following fields see Table 46 Table 45 ARS Dial Patterns for SLS CM Form Page Field Name Notes Route Pattern 1 No Del Digits Specifies the number of dialed digits to be deleted from the beginning of the dialed string The default is 0 Route P...

Page 173: ...administering trunk groups Table 46 Incoming call handling data to gather for SLS CM Form Page Field Name Notes Incoming Call Handling Treatment 1 Called Number Dial string entry that is used to match a pattern on inbound trunk calls Incoming Call Handling Treatment 1 Called Len Maximum length of the user dialed number that the SLS call engine collects to match to the dialed string The default is ...

Page 174: ...S commands guides you in understanding the various sub commands of each sub context Creating the SLS administration data set on the media gateway 1 Log on to the gateway 2 To administer the name enter set system name name where name is typed inside quotation marks To remove the administered name enter set system name and then rename the gateway using the set system name command Note: The gatew...

Page 175: ... you can add members to the trunk group only after you administer the signaling group information 13 Administer the signaling groups Refer to Administering signaling group parameters on page 196 Table 47 Media Modules supporting SLS for the G350 Media Module Description Permitted Slots MM312 24 low density DCP telephone ports v6 MM710 One T1 E1 trunk port v1 v2 v3 v4 v5 MM711 Eight universal analo...

Page 176: ...c where feature is one of the following ars1 ars2 hold contact open contact close contact pulse and fac is a 1 4 digit string that includes the digits 0 through 9 excluding and for analog rotary phones The fac string must be unique and must not conflict with station extension numbers and Trunk Access Codes TACs Examples set fac ars2 9 set fac contact close 8 Note: The and characters are not av...

Page 177: ...s the station configuration mode and the command line prompt returns to its original state If you want to remove the station from the SLS administration enter clear extension extension at the command line interface Enter exit to leave the second level station context to return to the super sls context Example station 1234567 ip administers an IP phone with the extension 1234567 2 Depending on the ...

Page 178: ... enter set port module port for this station where module port is a value in Table 49 Note: This command is only required for stations that support physical media module ports If the class is ip set in Step 1 you cannot run this command dcp8405B dcp8405B dcp8405D dcp8405D dcp8410B dcp8410D dcp8434D Since there is just one entry the model is optional analog2500 is the default value Table 48 Cla...

Page 179: ...the previously administered analog station 1234567 to the first physical analog station port on the G250 BRI gateway s media module 4 Enter set cor cor to set the class of restriction COR for this extension where cor is one of the following emergency internal default local toll unrestricted Table 49 Module port values in SLS station configuration mode Gateway Media module Analog station ports DCP ...

Page 180: ...mber are the same as those administered in the CM Note: Passwords are not required for analog or DCP phones unless an IP Softphone is using the administrative identity of a DCP phone in which case the password is required Example set password 53136 establishes the password 53136 on a previously administered IP phone 7 To enable DCP or IP phones set in Step 1 to have an expansion module enter s...

Page 181: ...smission rate in Mbps for the DS1 facility The rate can be either 1544 T1 or 2048 E1 4 Enter set signaling mode mode type to set the signaling mode for the DS1 facility where mode type is one of the following values cas Out of band signaling for E1 service yielding thirty 64 kbps B channels for voice transmission robbed bit In band signaling for T1 service yielding twenty four 56 kbps B channels f...

Page 182: ...verrides the other end when glare occurs peerSlave SLS releases the circuit when glare occurs 8 If the DS1 link is employed with ISDN and the glare handling convention is specified as peerMaster or peerSlave for the ISDN link set in Step 7 enter set side side to specify the glare mode either a or b 9 If the DS1 link is employed with ISDN enter set country protocol country code to specify the ISDN ...

Page 183: ...mode see Table 51 Verify that the protocol version matches the country specified in set country protocol set in Step 9 13 Germany ETSI 14 Czech Republic 15 Russia 16 Argentina 17 Greece 18 China 19 Hong Kong 20 Thailand 21 Macedonia 22 Poland 23 Brazil 24 Nordic countries 25 South Africa etsi ETSI no use of RESTART message qsig QSIG Table 50 ISDN Layer 3 country codes continued Country Code Countr...

Page 184: ... Layer 3 country protocols for ISDN Primary Rate service Country code Description Possible Values Country 1 United States AT T mode also known as 5ESS National ISDN 1 Nortel mode also known as DMS Telecordia NI 2 a b c d Country 2 Australia Australia National PRI ETSI invalid invalid a b c d Country 10 United Kingdom DASS ETSI invalid invalid a b c d Country 12 France French National PRI ETSI inva...

Page 185: ...he BRI link from the SLS administration enter exit to leave the second level bri context and return to the super sls context and then enter clear bri slot address 2 Enter set name name to identify the user name for the DS1 trunk Use the 1 27 character name as specified on the Communication Manager form add trunk group n Type the name string inside double quotes 3 Enter set interface glare mode to ...

Page 186: ... values auto TEI is assigned by the network provider zero TEI is fixed administratively 9 Enter set directory number a number to assign a directory number to the B1 channel of the BRI link number is the provisioned number received from the network provider The number value must be identical to the number the network provider has assigned to the circuit 10 Enter set directory number b number to ass...

Page 187: ... the super sls context and then enter clear trunk group tgnum You can create a trunk group that does not have any assigned members Once a valid port is assigned as a trunk group member this trunk group then becomes active and may be employed by SLS call processing for incoming outgoing trunk operation The slot configuration table is used together with the port capacity for the given module to dete...

Page 188: ... model Mode Number of channels Description of maximum trunk group usage G250 4 analog loop start trunk groups 2 analog DID trunk groups G250 BRI 4 BRI trunks channels total 1 analog loop start trunk group 2 analog DID trunk groups G250 DCP 4 analog loop start trunk groups 2 analog DID trunk groups G250 DS1 ISDN T1 23 ISDN E1 30 1 analog loop start trunk group T1 Robbed Bit 24 2 analog DID trunk gr...

Page 189: ...MM714 4 Ports 5 6 7 8 did MM714 4 Ports 1 2 3 4 did MM716 24 Ports 1 24 bri MM720 16 Eight physical ports each offering B1 and B2 channels bri MM722 4 Two physical ports each offering B1 and B2 channels t1 isdn MM710 23 D channel is associated with this facility FAS t1 isdn MM710 24 D channel is not associated with this facility NFAS and the DS1 s signaling mode is set to isdnext e1 isdn MM710 30 ...

Page 190: ...t administer the signaling group and DS1 information before you can add any ports to the trunk group Note: You can assign the following maximum number of members to a trunk group G250 analog trunks 4 members G250 digital trunks 30 members G350 analog trunks 99 members G350 digital trunks 99 members Table 54 Module port values in SLS trunk group context for the G250 Analog Trunks G250 model Ana...

Page 191: ...bri DS1 Trunks group type parameter is t1 isdn t1 inband e1 isdn e1 inband G250 G250 BRI V401 Port 1 Channel B1 V417 Port 1 Channel B2 V402 Port 2 Channel B1 V418 Port 2 Channel B2 G250 DCP G250 DS1 t1 isdn has 23 channels e1 isdn has 30 channels t1 inband has 24 channels e1 inband has 30 channels Table 55 Media Module port values in SLS trunk group context for the G350 Analog Trunks continued Gro...

Page 192: ...r before adding a new trunk A physical trunk can be a member of only one trunk group 5 For an analog DID trunk group enter set supervision sup type to set the incoming signaling supervision mode sup type can be either immediate or wink Example set supervision wink assigns wink start incoming signaling supervision to a DID trunk group 6 For a non ISDN digital trunk t1 inband or e1 inband enter set ...

Page 193: ... the trunk group 8 For analog DID trunk groups or DS1 tie trunk groups enter set digits digits to define the inserted digit string where digits is the number of digits Note: The number of digits must comply with the digit treat parameter in the set digit treatment command If the digit treat parameter is insert3 then the digits parameter for this command must be three digits in length 9 Enter s...

Page 194: ...igits one at a time as they are collected 14 For ISDN trunks enter set japan disconnect yes no to specify whether to perform a disconnect sequence CONNECT message followed by a DISCONNECT message 15 For ISDN trunks enter set send name method to define whether or not the calling connected called or busy party s administered name is sent to the network on outgoing or incoming calls method can be one...

Page 195: ... Party Number that is consistent with the numbering plan of the PSTN service provider 18 For non ISDN digital trunks analog loop start and analog ground start trunks enter set incoming destination extension to identify an extension to directly receive an incoming trunk call for example an attendant or a voice response recording system 19 For non ISDN digital trunks enter set incoming dialtone yes ...

Page 196: ...ld does not specify a preferred channel for bearer transport This is useful if the signaling group controls more than one trunk group in cases where you wish to manage a DS1 facility with more than one trunk group 3 Enter set primary dchannel circuit number where circuit number is an identifier for a gateway slot or T1 E1 circuit to select the primary D channel number For the value of circuit numb...

Page 197: ...his NFAS trunk group In other words they do not allow one of the T1 interfaces of this NFAS group to be fractionalized into two or more uses It must be dedicated to this given customer Therefore the following usage rules apply All members of an NFAS DS1 that are administered must belong to the same trunk group All members of this trunk group must belong to a single signaling group 5 Enter show to ...

Page 198: ...he various dial types and the COR permissions 3 Enter set max length length to define the maximum length of the dialed string This must be set prior to the minimum length if the minimum length is larger than the default value 4 Enter set min length length to define the minimum length of the dialed string 5 Enter set tgnum tgnum to designate a trunk group for which this dialed string is assigned 6 ...

Page 199: ... administration enter exit to leave the second level incoming routing context and return to the super sls context and then enter clear internal routing tgnum mode 2 Enter set match pattern pattern to define the beginning digit pattern of an incoming alphanumeric dial string to be matched against 3 Enter set length length to define the length of the dialed string 4 If the mode is set to enbloc in S...

Page 200: ... First Level Context Commands Second Level Context Commands Description set sls Enable or disable SLS show sls Display SLS status enabled or disabled sls Enter the sls context bri Administer an ISDN Basic Rate Interface BRI port for SLS set bearer capability Set the Information Transfer Rate field of the Bearer Capability IE in SLS set country protocol Specify the ISDN Layer 3 country protocol typ...

Page 201: ...2 channel of the BRI link in SLS set tei assignment Select the method by which the Layer 2 LAPD protocol obtains its Terminal Endpoint Identification TEI address in SLS show List all BRI SLS parameters for this BRI port clear attendant Delete the administered attendant provisioning in SLS clear bri Delete the administration for a given BRI channel in SLS clear dial pattern Delete a single dialed s...

Page 202: ...t delete digits Specify the number of digits to be deleted from the beginning of the dialed string for an outbound call in SLS set deny Permit or deny access to an outbound trunk in SLS set insert digits Specify the number of digits to be inserted at the beginning of the dialed string for an outbound call in SLS set max length Establish the maximum length of the dialed string in SLS set min length...

Page 203: ...ocol version Specify country protocol for countries whose public networks allow for multiple ISDN Layer 3 country protocols for ISDN Primary Rate service in SLS set side Specify the glare handling conditions when the set interface command has been administered as peerMaster or peerSlave for the ISDN link in SLS set signaling mode Set the signaling mode for the DS1 facility in SLS show List all SLS...

Page 204: ...data set set max ip registrations Configure the maximum number of IP registrations allowed in the SLS data set set pim lockout Prevent or enable PIM updates while working on SLS administration of the G250 G350 set slot config Define the slot and the board type in the G250 G350 for SLS show attendant Display the administered attendant provisioning show bri List the administered BRI parameters for S...

Page 205: ...specific SLS data parameters show trunk group Display trunk group administration in SLS sig group Administer signaling groups for SLS add nfas interface Identify a list of DS1 modules that are controlled by the primary D channel in SLS remove nfas interface Remove a member from a NFAS managed DS1 group in SLS set associated signaling Specify whether the D channel is physically present in the DS1 i...

Page 206: ... be included in a pool of stations that can receive incoming analog loop start trunk calls in circular queuing in SLS set type Administer specific phone models for SLS show List all Station SLS parameters for this station trunk group Administer trunks for SLS add port Administer the port appropriate for SLS clear tac Remove a trunk access code TAC assignment from a trunk group in SLS remove port R...

Page 207: ...bound calls handle the transmission reception of the dialed pattern in SLS set digits Define the inserted dial string that is added to the beginning of the received DID incoming dial string for analog DID trunks or for DS1 TIE trunks using in band signaling in SLS set digit treatment Define the incoming digit treatment for analog DID trunks or for DS1 TIE trunks using in band signaling in SLS set ...

Page 208: ...g executed and prevents spurious error messages from occasionally being displayed set send name Define whether or not the calling connected called or busy party s administered name is sent to the network on outgoing or incoming calls in SLS set send number Define whether or not the calling connected called or busy party s administered number is sent to the network on outgoing or incoming calls in ...

Page 209: ...ou have a Release 4 x SLS administration data set in which stations are administered with station numbers greater than seven digits and you wish to apply that data set to Release 3 1 level firmware on a gateway you must re administer the stations with extension numbers not exceeding seven digits ...

Page 210: ...Configuring Standard Local Survivability SLS 210 Administration for the Avaya G250 and Avaya G350 Media Gateways ...

Page 211: ...y has the following Ethernet port Eight 10 100 Mbps fixed switch ports on the front panel ports 10 3 10 10 Note: The G250 DCP model only has two 10 100 Mbps fixed switch ports on its front panel Ethernet ports on the G250 Media Gateway router The router on the Avaya G250 Media Gateway has the following Ethernet port The 10 100 Mbps fixed router port on the front panel port 10 2 Cables used for...

Page 212: ...gh 6 24 The 10 100 Mbps ports on the Avaya MM316 Media Module ports 6 1 through 6 40 The Gigabit port on the Avaya MM314 or MM316 Media Module port 6 51 Note: The ports on the Avaya MM314 or MM316 Media Module are only available if your G350 includes one of these two media modules Ethernet ports on the G350 Media Gateway router The 10 100 Mbps fixed router port on the front panel port 10 2 Cab...

Page 213: ...set port auto negotiation flowcontrol advertisement command to set the flow control advertisement for the specified port when performing auto negotiation This command is only applicable to the Gigabit Ethernet port Use the show port auto negotiation flowcontrol advertisement command to display the flow control advertisement for a Gigabit port Use the set port disable command to disable a port or r...

Page 214: ... or disable the link negotiation protocol on the specified port This command applies to Fast Ethernet or Gigabit Ethernet ports When negotiation is enabled the speed and duplex of the Fast Ethernet ports are determined by auto negotiation If negotiation is disabled the user can set the speed and duplex of the Fast Ethernet ports Use the set port point to point admin status command followed by the ...

Page 215: ...s of RSTP Rapid Spanning Tree Protocol G350 only set port enable disable Enable or disable a port or a range of ports set port flowcontrol Set the send receive mode for flow control frames IEEE 802 3x or proprietary for a full duplex port set port level Set the default packet priority level for untagged packets set port name Configure a name for a port set port negotiation Enable or disable auto n...

Page 216: ...rmation see Configuring QoS parameters on page 252 Access control policy lists and QoS policy lists For more information see Configuring policy on page 637 SNMP Link Up and Link Down traps For more information see Configuring SNMP traps on page 361 WAN Ethernet port traffic shaping You can use traffic shaping to determine the data transfer rate on the WAN Ethernet port To set traffic shaping use t...

Page 217: ... activated the object tracker sends health check packets at defined intervals to the other side of the interface If the configured number of consecutive keepalive requests are not answered the interface track state changes to down The object tracker continues monitoring the interface and when its track state changes to up the interface state changes to up Enter shutdown to set the administrative s...

Page 218: ...Avaya G250 G350 Media Gateway can function as both a DHCP server and a DHCP client simultaneously That is you can connect a cable modem for an Internet connection to the WAN Fast Ethernet in order to use the G250 G350 as a DHCP client At the same time you can activate the DHCP server on the G250 G350 for use by clients such as IP phones and PCs connected to the LAN ports The DHCP server on the G25...

Page 219: ... 1 Enter the context of the FastEthernet interface For example 2 Optionally configure DHCP client parameters If you do not configure these parameters their default values are used Use the ip dhcp client client id command to set the client identifier for the DHCP client By default the client identifier is usually the MAC address of the G250 G350 FastEthernet interface Use the ip dhcp client hostnam...

Page 220: ... route is dropped from the routing table and traffic is routed to alternate routes If the default route becomes valid again it is added back to the routing table To define an object tracker see Object tracking configuration on page 320 For an example of how to track the DHCP client default route see Typical application tracking the DHCP client default route on page 334 Note that if several default...

Page 221: ... for an interface This is effectively a request to renew an existing IP address or the start of a new process of allocating a new IP address For example G350 001 config if FastEthernet 10 2 show ip dhcp client DHCP Client Mode Enable Status Bound IP Address 193 172 104 161 Subnet Mask 255 255 255 0 Default Router 193 172 104 162 DHCP Server 192 100 106 163 DNS Server 192 100 106 101 Domain Name av...

Page 222: ...ar the DHCP client statistics counters Configuring DHCP client logging messages 1 Enter set logging session enable to enable logging to the CLI terminal 2 Use the set logging session condition dhcpc command to view all DHCP client messages of level Info and above For example Note: You can also enable logging messages to a log file or a Syslog server For a full description of logging on the G25...

Page 223: ...isable IP address negotiation via DHCP applies to WAN FastEthernet interface only ip dhcp client client id Set the client identifier for the DHCP client ip dhcp client hostname Set the client hostname for the DHCP client ip dhcp client lease Set the lease requested by the DHCP client ip dhcp client request Specify which DHCP options the DHCP client requests from the DHCP server ip dhcp client rout...

Page 224: ...ut the transmission rate is adjustable An LLDP device after receiving an LLDP message from a neighboring network device stores the LLDP information in an SNMP MIB This information is valid only for a finite period of time after TLV reception This time is defined by the LLDP Time to Live TTL TLV value that is contained within the received packet unless refreshed by a newly received TLV The IEEE rec...

Page 225: ...em name System capabilities Management address 802 1 TLVs optional VLAN name Port VLAN LLDP configuration 1 Enable the LLDP agent globally using the set lldp system control command For example The device s global topology information including all mandatory TLVs is now available to neighboring devices supporting LLDP G350 001 super set lldp system control enable Done ...

Page 226: ...ue of TxHoldMultiplier using the command set lldp tx hold multiplier TxHoldMultiplier is a multiplier on the interval configured by set lldp tx interval that determines the actual TTL value sent in an LLDP frame The default value is 30 The time to live value transmitted in TTL TLV is expressed by TTL = min(65535, TxInterval × TxHoldMultiplier) The minimal delay between successive LLDP frame transmission...

Page 227: ...P configuration CLI commands Command Description set lldp re init delay Set the delay from when a port is set to LLDP disable until re initialization is attempted set lldp system control Enable or disable the LLDP application globally per device or stack set lldp tx delay Set the TxDelay which is the minimal delay in seconds between successive LLDP frame transmissions on each port set lldp tx hold...

Page 228: ...50 and Avaya G350 Media Gateways show port lldp config Display port level LLDP configuration show port lldp vlan name config Show the VLANs that are being transmitted on a specific port Table 62 LLDP configuration CLI commands continued Command Description 2 of 2 ...

Page 229: ...Configuring logging filters on page 237 The logging facility logs configuration commands entered through the CLI or via SNMP as well as system traps and informative messages concerning the behavior of various processes However a user enabling the log will only see entered commands with a user level no higher than the user s privileges For example a user with read only privileges will not see enter...

Page 230: ...og server it is defined as disabled so you must use this command in order to enable the server For example 3 Optionally define an output facility for the Syslog server by typing the set logging server facility command followed by the name of the output facility and the IP address of the Syslog server If you do not define an output facility the default local7 facility is used For example The follow...

Page 231: ...ly messages with the appropriate access level are sent to the Syslog output 5 Optionally define filters to limit the types of messages received see Configuring logging filters on page 237 Disabling Syslog servers Enter set logging server disable followed by the IP address of the Syslog server For example Deleting Syslog servers You can delete a Syslog server from the Syslog server table Enter clea...

Page 232: ... and have the following format: The message provides the following information: A priority (34 in this example), which is calculated based on the syslog facility and the severity level. A header (Oct 11 22:14:15 host LINKDOWN in this example), providing the date and time, the hostname, and a message mnemonic. A message (005ms SWICHFABRIC Notification Port 10 3 Link in this example), detailing the milliseconds th...

Page 233: ... to upload the syslog file from the gateway to a USB mass storage device Configuring a log file A log file is a file of data concerning a system event saved in the flash memory The log files serve as the system logging database keeping an internal record of system events 1 Enter set logging file enable 2 Optionally define filters to limit the types of messages received see Configuring logging filt...

Page 234: ...001 super show logging file content 11 21 2004 15 45 43 CLI Notification root nvram initialize 11 21 2004 15 43 08 CLI Notification root exit 11 21 2004 15 42 20 ROUTER Warning Duplicate IP address 3 3 3 1 from 00 00 021 11 18 2004 16 48 21 CLI Notification root no track 20 11 18 2004 16 48 18 SAA Debug Response for ipIcmpEcho timed out on rtr 6 echo 11 18 2004 16 48 18 CLI Notification root no rt...

Page 235: ... set logging session enable. Note: If the device is connected to several terminals, a separate session log is established for each terminal. 2. Optionally define filters to limit the types of messages received (see Configuring logging filters on page 237). Discontinuing the display of system messages: To discontinue the display of system messages to the terminal screen, enter set logging session disabl...

Page 236: ...llowing information: The date and time (if available). The logging application. The severity level. The message text. Note: The user enabling the log will only see entered commands with a user level no higher than the user's own privileges. For example, a user with read-write privileges will not see entered commands having an admin user level. G350 001 super show logging session condition Message loggin...

Page 237: ...og file enter set logging file condition application severity To create a filter for messages sent to a session log on a terminal screen enter set logging session condition application severity where application is the application for which to view messages use all to specify all applications For the list of applications see Applications to be filtered on page 239 severity is the minimum severity ...

Page 238: ... file Informational Session Session from terminal Informational Session from telnet ssh Warning G350 001 super show logging file content critical qos 50 Table 64 Severity levels Severity level Code Description emergency 0 System is unusable alert 1 Immediate action required critical 2 Critical condition error 3 Error condition warning 4 Warning condition notification 5 Normal but significant condi...

Page 239: ... tp CNA test plugs config Configuration changes console Serial modem messages dhcp relay DHCP requests relaying dhcpc DHCP client package dhcps DHCP server package dialer Dialer interface messages dnsc DNS client package fan Cooling system filesys File system problem flash ids IDS events specifically a SYN attack heuristic employed by the SYN cookies feature iphc IP header compression ipsec VPN IP...

Page 240: ...statistics saa RTR probes messages security Secure logging authentication failure snmp SNMP agent stp Spanning tree package G350 only supply Power supply system switchfabric Switch fabric failures system Operating system failures tftp Internal TFTP server threshold RMON alarms tracker Object tracker messages usb USB devices messages usb modem USB modem messages vj comp Van Jacobson header compress...

Page 241: ...o those with severity level of informational or more severe and messages from the cascade application to those with severity level of alert or more severe G350 001 super set logging server 147 2 3 66 Done G350 001 super set logging server enable 147 2 3 66 Done G350 001 super set logging server facility kern 147 2 3 66 Done G350 001 super set logging server access level read write 147 2 3 66 Done ...

Page 242: ...vaya G250 and Avaya G350 CLI Reference 03 300437 G350 001 super set logging session enable Done G350 001 super set logging session condition all Error Done G350 001 super set logging session condition ISAKMP Informational Done G350 001 super show logging session condition Message logging configuration of CLI sink Sink Is Enabled Sink default severity Error Application Severity Override ISAKMP Info...

Page 243: ... messages sent to the specified Syslog server Messages can be filtered by source system severity or both set logging server enable disable Enable or disable a specific Syslog server set logging server facility Define an output facility for the specified Syslog server set logging session Manage message logging for the current console session show logging file condition Display all conditions that h...

Page 245: ...anslates voice and signalling data between VoIP and the system used by the telephones and trunks. Configuring RTP and RTCP: VoIP uses the RTP and RTCP protocols to transmit and receive digitally encoded voice data. RTP and RTCP are the basis of common VoIP traffic. RTP and RTCP run over UDP and incur a 12-byte header on top of other (IP, UDP) headers. Running on PPP or frame relay, these protocols can be c...

Page 246: ... configured to decompress headers You can configure how often a full header is transmitted either as a function of time or of transmitted compressed packets Header compression configuration options The G250 G350 offers two options for configuring header compression IP Header compression IPHC method as defined by RFC 2507 IPHC type compression applies to RTP TCP and UDP headers Van Jacobson VJ meth...

Page 247: ... TCP space not just RTP Use the ip tcp compression connections command to control the number of TCP header compression connections supported on the interface Use the no form of this command to restore the default value of 16 Use the ip rtp max period command to set the maximum number of compressed RTP headers that can be sent between full headers Use the ip rtp max time command to set the maximum ...

Page 248: ...change to a header compression parameter is effective immediately To disable IPHC on an interface use the no form of the command you employed in the interface context no ip rtp header compression or no ip tcp header compression G350 001 config if Serial 4 1 1 ip rtp compression connections 48 Done G350 001 config if Serial 4 1 1 ip tcp compression connections 48 Done G350 001 config if Serial 4 1 ...

Page 249: ...he number of Real Time Transport Protocol RTP connections supported on the current interface ip rtp header compression Enable both RTP and TCP header compression on the current interface ip rtp max period Set the maximum number of compressed headers that can be sent between full headers ip rtp max time Set the maximum number of seconds between full headers ip rtp non tcp mode Set the type of IP he...

Page 250: ...J compression. Note: The ip rtp header compression command always overrides the ip tcp header compression command. Both commands enable TCP header compression, but they differ in the methods employed. Note: The ip tcp header compression iphc format command always overrides the ip tcp header compression command and activates IPHC type compression. For example: show ip tcp header compression Displ...

Page 251: ...to display the RTP header compression statistics for a specific interface If no interface is specified statistics for all interfaces are displayed Table 69 Van Jacobson header compression CLI commands Root level command First level command Description clear ip tcp header compression Clear TCP header compression statistics for all enabled interfaces or for a specific interface interface dialer seri...

Page 252: ...ber Clearing the statistics does not cause renegotiation of parameters Use this command regardless of which compression method is employed Configuring QoS parameters The G250 G350 uses MGCP H 248 protocol for call signalling and call routing information Use the following commands to configure QoS for signalling and VoIP traffic Use the set qos control command to define the source for QoS control p...

Page 253: ...ones and Softphones Use the set qos rsvp command to set the current values for the RSVP parameters of the VoIP engines The parameters that can be set are enabled disabled refresh rate seconds failure retry y or n and service profile Guaranteed or Controlled Use the show qos rtcp command to display QoS RSVP and RTCP parameters Summary of QoS RSVP and RTCP configuration CLI commands For more informa...

Page 254: ... traffic shaping is enabled. Configuring Weighted Fair VoIP Queueing (WFVQ): Use the fair queue limit command to specify the maximum number of packets that can be queued in the weighted fair queue. The upper and lower limits of this command depend on the amount of bandwidth configured for the interface. Note: This command should generally be used only for troubleshooting. Use either the voip queue or...

Page 255: ... fastethernet dialer Enter the Serial FastEthernet or Dialer interface configuration context fair queue limit Set the maximum number of packets that can be queued in the weighted fair queue fair voip queue Enable Weighted Fair VoIP Queuing WFVQ on the current interface priority queue Enable or disable priority queuing mode in a Serial or FastEthernet interface If you disable priority queuing WFVQ ...

Page 256: ... queueing delay which results in a change in the bearer queue size Configuring priority queuing Use the priority queue command to enable priority queuing mode in a serial or FastEthernet interface By default priority queuing is off and Weighted Fair VoIP Queuing WFVQ is enabled on all Serial interfaces and all FastEthernet interfaces for which traffic shaping is enabled If you disable priority que...

Page 257: ...onfiguration context priority queue Enable or disable priority queuing mode in a Serial or FastEthernet interface If you disable priority queuing WFVQ is re enabled queue limit Set the size of any of the four priority queues in packets for a given interface or interface type voip queue Enable or disable custom queueing for VoIP traffic If you disable custom queueing WFVQ is re enabled voip queue d...

Page 259: ...Avaya G350 Media Gateway 03 300394 Configuring the USB modem interface By default the USB port is not enabled To enable the USB port you must enable the USB modem interface Enter interface usb modem to enable the USB modem interface Use the no form of this command to disable the USB modem interface The no form of the interface usb modem command also resets the interface to its default parameter va...

Page 260: ...re configured. ras: Remote Access Service mode is being used for authentication. none: No password is sent. Note: The ppp authentication command changes the PPP authentication parameters of the Console port as well as the USB port, even if you use the command in USB modem interface context. Use the ppp timeout authentication command to set the maximum time to wait for an authentication response. Use t...

Page 261: ...n IP address and mask to an interface ip peer address Change the IP address offered to a requesting calling host during PPP IPCP connection establishment ppp authentication Configure the authentication method used when starting a client session on the PPP server ppp chap secret Configure the shared secret used in PPP sessions with CHAP authentication ppp timeout authentication Set the maximum time...

Page 262: ... Use the async modem init string command to change the default modem initialization string Use the speed command to set the PPP baud rate to be used by the Console port when connected to a modem in bps Options are 9600 19200 38400 57600 and 115200 The default baud rate is 38400 Use the ip address command to assign an IP address to the Console port This is the IP address to which a remote user can ...

Page 263: ... an active PPP session and shut down the modem Use the load interval command to set the load calculation interval for the interface Summary of CLI commands for configuring the Console port for modem use For more information about these commands see Avaya G250 and Avaya G350 CLI Reference 03 300437 Table 74 Console port configuration for modem use CLI commands Root level command Command Description...

Page 264: ... Configure the authentication method used when starting a client session on the PPP server ppp chap secret Configure the shared secret used in PPP sessions with CHAP authentication ppp timeout authentication Set the maximum time to wait for an authentication response show ppp authentication Display PPP authentication status shutdown Disconnect an active PPP session and shut down the modem speed Se...

Page 265: ...zed fractional or unframed E1 T1 ports or over a USP interface Frame relay The G250 G350 supports the following LMI types ANSI Annex D ITU T Q 933 Annex A0 LMI Rev1 No LMI Backup functionality Supported between any type of Serial Layer 2 interface For more information see Backup interfaces on page 289 Dynamic CAC For FastEthernet Serial and GRE Tunnel interfaces For more information see Dynamic CA...

Page 266: ...rotocol RTP packets thereby minimizing the overhead and delays involved in RTP implementation TCP header compression reduces the amount of bandwidth needed for non voice traffic For more information see Configuring header compression on page 245 Serial interface overview A Serial interface is a virtual interface that is created over a portion of an E1 T1 or USP port on a WAN media module Serial in...

Page 267: ... Figure 15 E1 T1 Port Channel Group USP port using PPP protocol Figure 16 illustrates a USP port All data from the USP port is encapsulated using the PPP protocol and is sent via a Serial interface over the multiple IP interfaces defined for the Serial interface Figure 16 USP Port PPP Protocol USP port using frame relay protocol Figure 17 illustrates a USP port All data from the USP port is encaps...

Page 268: ...en you connect the G250 G350 as an endpoint in a PTMP configuration you need to increase the OSPF timers manually Use the ip ospf network point to multipoint command in Serial interface context to increase the OSPF timers with the following values Increase the OSPF Hello Interval to 30 seconds Increase the OSPF Dead Interval to 120 seconds For more information on OSPF see Configuring OSPF on page ...

Page 269: ... page 286 7 Enter copy running config startup config to save the configuration Configuring the Avaya MM340 E1 T1 WAN media module For a list of G250 G350 default settings see Table 75 1 Optionally use the show controllers command to display the current settings 2 Enter show ds mode to check whether the G250 G350 is configured for E1 or T1 operation 3 Use the ds mode command to set the mode of the ...

Page 270: ...nternal default is line framing crc4 no crc4 unframed default is crc4 linecode ami hdb3 default is hdb3 6 Use the channel group command to specify the channel group and time slots to be mapped as well as the DS0 speed For example For T1 mode channel group 1 timeslots 1 3 5 7 speed 64 configures time slots numbered 1 3 5 and 7 to be mapped in channel group number 1 and sets the DS0 speed to 64 kbps...

Page 271: ...Step 5 for an E1 port, a channel group is automatically created on the entire E1 bandwidth. The channel group has the number 0. In Step 8, enter interface serial s p 0, where s is the slot number and p is the port number. Note: After the Serial interface is created, its default encapsulation is PPP. 9. Configure the interface encapsulation. By default, the Serial interface uses PPP encapsulation. 10. Use t...

Page 272: ...play a specific controller s status and counters Use the show controllers remote command to display controller counters from a peer station Activating loopback mode on an E1 T1 line You can use the loopback command to activate or deactivate loopback mode for an E1 or T1 line Use the loopback diag command to activate or deactivate an inward diagnostic loopback signal on the controller interface Use...

Page 273: ...elength long T1 Set transmit and receive levels for a cable longer than 655 feet cablelength short T1 Set transmit levels for a cable of length 655 feet or shorter channel group Create a channel group logical interface for a PPP or Frame Relay session clock source Set the clock source for an E1 or T1 controller fdl Define the type of Facility Data Link loopback that the remote line is requested to...

Page 274: ... interface serial 3 1 Enter a serial interface on the media module in slot number 3 on port number 1 interface serial 4 1 2 Enter a serial interface on the media module in slot number 4 on port number 1 with IP interface number 2 For example The prompt changes to 2 Use the following commands to change the idle characters transmitter delay encoding type bandwidth parameters line monitoring and from...

Page 275: ...ameter manually for the interface. Use the no form of this command to restore the bandwidth parameter to its default value (2,048). The manually specified bandwidth value overrides the dynamically calculated bandwidth during route cost calculations. Note: If you are using the USP port as a clock source, configure the port's bandwidth to match the DCE clock rate. ignore dcd: Specify how the system moni...

Page 276: ...ption interface serial Enter Serial interface or sub interface configuration context bandwidth Set the bandwidth parameter manually for this interface idle character Set the bit pattern used to indicate an idle line ignore dcd Specify how the system monitors the line to determine if it is up or down invert txclock Invert the transmit clock signal from the data communications equipment DCE ip addre...

Page 277: ...or instructions 4 Use the following commands to change the interface parameters ip address Configure the IP address and subnet mask of the interface ppp timeout ncp Set the maximum time to wait for the network layer to negotiate If this time is exceeded the G250 G350 restarts the PPP session ppp timeout retry Set the maximum time to wait for a response during PPP negotiation keepalive Enable keepa...

Page 278: ...trator This enables the use of PPP authentication protocols CHAP and PAP Unlike other tunneling protocols such as L2TP and PPTP PPPoE works directly over Ethernet rather than IP Table 79 PPP configuration CLI commands Root level command Command Description interface serial Enter Serial interface or sub interface configuration context encapsulation Set the encapsulation mode for a Serial interface ...

Page 279: ... on the SP ATM infrastructure The Ethernet frames from the customer s host device can reach one or more access concentrators which are the remote access servers Figure 18 Typical PPPoE Network Topology Configuring PPPoE 1 Enter the FastEthernet interface context with the interface fastethernet 10 2 command 2 Enter encapsulation pppoe to change the encapsulation to PPPoE You must change the encapsu...

Page 280: ...s pppoe client service name Force the PPPoE client to connect only to access concentrators that support a specific service name Use the no form of this command to deactivate connection to a specific service name When connection to a specific service name is deactivated the PPPoe client attempts to automatically discover the service name by initiating PADI frames with a blank service name mtu Set t...

Page 281: ... 80 6 If the G250 G350 is connected to the Internet via the FastEthernet interface configured for PPPoE and you define a VPN tunnel which specifies remote hosts by name it is recommended to use the ppp ipcp dns request command The command requests the list of available DNS servers from the remote peer during the PPP IPCP session The DNS servers are used by the DNS resolver to resolve hostnames to ...

Page 282: ...erface s MTU to 1492 which ensures that overall packet size for the PPPoE interface does not exceed 1500 which is the MTU for Ethernet ppp chap hostname Override the device hostname for PPP CHAP authentication ppp chap password Set the CHAP password for authentication with a remote peer ppp chap refuse Prevent the device from authenticating with CHAP after the device is requested by the remote pee...

Page 283: ...apsulation type is IETF. Note: Non-IETF encapsulation is compatible with other vendors. 4. If needed, use the frame relay lmi commands to change the Local Management Interface (LMI) parameters from their default values, or enter frame relay traffic shaping to activate traffic shaping on the frame relay interface. For more information on traffic shaping, see Frame relay traffic shaping and FRF 12 fragme...

Page 284: ... USP media module in slot number 4, on port number 1, with IP interface number 1. Note: The WAN media module in a G250 must always be in slot number 2. The G250 only supports a single channel group. Note: Currently, only point-to-point frame relay sub-interfaces are supported. 8. Enter frame relay interface dlci DLCI number to configure a Data Link Connection Identifier (DLCI) for the frame relay su...

Page 285: ...y counters command to reset counters on a specific frame relay interface Use the show interfaces command to display interface configuration and statistics for a specific interface or for all interfaces Summary of frame relay commands For more information about these commands see Avaya G250 and Avaya G350 CLI Reference 03 300437 G350 001 super Table 81 Frame relay CLI commands Root level command Co...

Page 286: ...suing a full status enquiry message frame relay lmi n392dte Set the maximum number of unanswered status enquiries the equipment accepts before declaring the interface down frame relay lmi n393dte Set the number of status polling intervals over which the error threshold is counted the monitored event count frame relay lmi type Manually define the type of the Local Management Interface LMI to use fr...

Page 287: ...nterface show map class frame relay Display the map class Frame Relay table Use the show traffic shape command to view traffic shaping and frame relay traffic shaping configuration parameters for all interfaces Use the show ip interface command to display information about IP interfaces To display information about a specific interface include the name of the interface as an argument To display in...

Page 288: ...tatistics for a particular interface or for all interfaces The output displayed differs depending on the type of interface show frame relay map Display a summary table of Frame Relay sub interfaces and DLCIs associated with the sub interfaces show frame relay pvc Display detailed PVC information show frame relay pvc brief Display brief PVC information show frame relay traffic Display frame relay p...

Page 289: ...address does not cause activation of the backup interface Configuring backup delays Configurable activation and deactivation delays provide a damping effect on the backup interface pair This eliminates primary to backup switching in case of fluctuating underlying Layer 2 interfaces You can configure the following backup delays with the backup delay command failure delay The time in seconds between...

Page 290: ...face occurs when the primary Data Link Connection Identifier (DLCI) is restored. Note: The backup interface is not activated when the primary interface is administratively disabled. Backup commands: Enter backup interface, followed by the interface type and number, to set a backup interface. You must use this command from the context of the interface for which you are setting a backup interface. Use th...

Page 291: ...log modems have limited bandwidth and high latency, and are therefore unfit for carrying VoIP traffic. However, using Dynamic Call Admission Control (CAC), the G250/G350 can be configured to report zero bandwidth for bearer traffic to the MGC when the primary WAN link fails. A matching configuration on the MGC allows it to block new calls if their bearer is about to go over the modem dial backup interfac...

Page 292: ...gateway process to encrypt the traffic as it goes over the Internet. Note: IPSec VPN adds overhead to each packet, further reducing available bandwidth. Under ideal conditions, the bandwidth of the analog modem can reach 56 kbps for downlink (53 kbps in the US) and 33.6 kbps for uplink. However, sub-optimal PSTN quality may degrade the downlink bandwidth to 33.6 kbps or even 28 kbps. This may not be en...

Page 293: ...te uses the Dialer interface when the primary interface is down. The Dialer interface can work both with static and dynamic routing (OSPF and RIP). Note that the latter mandates the use of unnumbered IP interfaces. For information about unnumbered IP interfaces, see Configuring unnumbered IP interfaces on page 492. Note: Modem dial backup has complex interactions with other configuration modules with...

Page 294: ...e username and password The G250 G350 is configured to advertise the branch office subnets with OSPF This feature requires the use of unnumbered IP addresses at the G250 G350 and the RAS Since the Dialer and the primary interfaces are not expected to be up at the same time the RAS server can use passive OSPF interface and the G250 G350 can use static via routes The G250 G350 can call an ISP RAS wh...

Page 295: ... is created and can now be defined as a backup interface for an existing WAN interface 3 Enter up to five dialer strings using the dialer string command For example When the Dialer interface is activated the Dialer first attempts to dial the number associated with dialer string 1 If that attempt fails the Dialer attempts to connect to the number associated with the next dialer string and so on 4 S...

Page 296: ...er until either a connection is made or the number configured in the dialer persistent max attempts command is reached Use the dialer persistent re enable command to enable and configure a timer to re enable dial attempts after the maximum number of dial attempts has been reached For example Use the dialer order command to set which dial strings are used upon a new dial trigger event The default i...

Page 297: ...ers if required. For PAP authenticating, enter ppp pap sent username followed by a username and password. For example: For CHAP authentication, enter ppp chap hostname followed by a hostname, and ppp chap password followed by a password. For example: G350 001 if dialer 1 dialer wait for ipcp 100 Done G350 001 if dialer 1 ppp pap sent username avaya32 password 123456 Done G350 001 if dialer 1 ppp chap host...

Page 298: ...ion the Dialer interface dials the number associated with the first dialer string 10 From the general context use the ip default gateway dialer command to configure backup routing The following example configures a simple low priority via static route G350 001 super show interfaces dialer 1 Dialer 1 is down line protocol is down Internet address is 4 5 6 7 mask is 255 255 255 0 MTU 1500 bytes Band...

Page 299: ...dem for dial backup Thus the Dialer can utilize the same serial modem that is used for remote access to the device Asynchronous dialing and modem recognition options must be set on the Console port to support creation of the Dialer interface For more information on configuring the Console port see Configuring the Console port for modem use on page 262 The Dialer interface supports PAP and CHAP aut...

Page 300: ... interface to provide an alternative method for activating the Dialer interface when connectivity with the main office is lost This is useful in configurations where the WAN interface is not connected directly to the G250 G350 Use object tracking to configure RTRs to verify connectivity with the main office If the RTR fails the object tracker can be configured to change the status of the Loopback ...

Page 301: ...Modem dial backup Issue 5 June 2008 301 Figure 19 shows the network topology Figure 19 Modem dial backup configuration example ...

Page 302: ...ACL 305 ip rule 20 dscp 46 Done G250 001 super ACL 305 ip rule 20 description Block VoIP Bearer Done G250 001 super ACL 305 ip rule 20 exit G250 001 super ACL 305 exit G250 001 super Steps 3 10 Each command is an individual step G250 001 super interface dialer 1 G250 001 super if Dialer 1 ppp chap hostname area5 Done G250 001 super if Dialer 1 dialer persistent initial delay 5 Done G250 001 super ...

Page 303: ...for a WAN interface. Only one Dialer interface can be created on the G250/G350. 4. Assign a PPP authentication method with the ppp chap hostname command. The Dialer interface authenticates its PPP sessions to the remote RAS server using CHAP authentication and a username of area5. The username area5 must be configured on the RAS as a legitimate user. 5. Assign an initial delay for dialing with the dialer...

Page 304: ... command. All traffic passing through the Dialer interface must meet the conditions of the access control list associated with this access group or be rejected. In this example, the access group references access control list 305, which is created to block all outgoing traffic across the Dialer interface other than the VoIP signalling traffic between the branch office gateway and the MGC in the headqu...

Page 305: ...sb modem information set logging session condition ppp information. Note: Not all logging messages indicate problems. Some are generated to provide information on normal working activity of the Dialer interface. For more information on logging configuration, see Configuring logging on page 229. Note: Syslog and log file logging are also available. See Configuring logging on page 229. Setting the ...

Page 306: ...nd the backup interface mechanism is invoked the state of the Dialer interface changes to Up None required Dialer 1 trigger is on off Informational In a modem dial backup scenario the event triggering the Dialer interface is a failure of the primary WAN interface for which the Dialer interface has been configured as the backup interface When the primary WAN interface has been determined to be down...

Page 307: ...igured with the dialer persistent re enable command a timer is created This timer determines when the Dialer interface attempts to begin dialing again after a failure to connect in as many attempts as were configured in the dialer persistent max attempts command For example if you configured the value of dialer persistent max attempts as 10 and dialer persistent re enable is configured for the Dia...

Page 308: ...pabilities of the serial port for potential modem connections None required Modem Detection Failed Warning This message is generated when a modem cable is connected to the serial port but no modem is detected This message is generated every 30 minutes until the modem is detected Troubleshooting steps Check modem cable connection to modem Ensure that modem is powered on Check modem lights for an al...

Page 309: ...message is generated indicating that the device is ready to dial None required USB modem Connection established Informational When the USB modem successfully connects to a remote modem and a PPP session is fully established a message is sent indicating that the PPP is ready to transmit and receive traffic None required USB modem Unplugged Warning This message is generated when a modem cable is con...

Page 310: ...s considered down once the session is fully established and passing traffic LCP then comes up to pass Link Maintenance packets during the session and goes down after the maintenance is complete LCP comes up when a termination request is sent and goes down when the link is terminated None required PAP passed failed Debug This message is sent when the authenticating station responds to the PAP authe...

Page 311: ...tics for a PPP session but does not have the IP address of the local interface to define the session Without IP address information on both sides of the session the PPP session cannot begin passing IP traffic Troubleshooting steps Check Dialer interface configuration to ensure an IP address is configured either as a static address or through Dynamic IP addressing or through IP unnumbered Table 84 ...

Page 312: ...connect every second dialer persistent delay Set the redial interval dialer persistent initial delay Set the minimum delay from boot to persistent dialing dialer persistent max attempts Set the number of consecutive dial attempts for the dial list dialer persistent re enable Set the persistent re enable timer after the maximum number of dial attempts has been reached dialer string Add a phone numb...

Page 313: ...obes over WAN FastEthernet Loopback PPPoE and Dialer PPP interfaces and Frame relay sub interfaces ICMP keepalive is still supported for backward compatibility For information about object tracking see Object tracking on page 319 ppp ipcp dns request Enable requesting DNS information from the remote peer during the PPP IPCP session interface fastethernet loopback serial tunnel Enter the Console Fa...

Page 314: ...ers over a T1 line and via an xDSL connection to the Internet The T1 line is used for voice traffic while data packets are sent over the xDSL line Normal keepalive cannot report on the status of the entire WAN path If the Fast Ethernet line protocol is up but the xDSL connected to it is down normal keepalive reports that the FastEthernet interface is up Only ICMP keepalive which checks the next ho...

Page 315: ...eference 03 300437 Use the keepalive icmp timeout command to set the timeout in seconds for receiving the keepalive response The default value is 1 Use the keepalive icmp success retries command to set the number of consecutive successful keepalive packets necessary to set the interface s keepalive status as up The default value is 1 Use the keepalive icmp failure retries command to set the number...

Page 316: ...0 2 keepalive icmp 135 64 2 12 11 22 33 44 55 66 G350 001 super if FastEthernet 10 2 keepalive icmp interval 5 G350 001 super if FastEthernet 10 2 keepalive icmp timeout 1 G350 001 super if FastEthernet 10 2 keepalive icmp failure retries 3 G350 001 super if FastEthernet 10 2 keepalive icmp success retries 2 Done Table 86 ICMP keepalive CLI commands Root level command Command Description interface...

Page 317: ...rrently available bandwidth Note: Dynamic CAC works in conjunction with the Avaya Communication Manager Call Admission Control Bandwidth Limitation CAC BL feature A related feature is Inter Gateway Alternate Routing IGAR which provides a mechanism to re route bearer traffic from the WAN to the PSTN under certain configurable conditions For more information on CAC BL and IGAR see Administrator ...

Page 318: ...n set the activation priority to any number from 1 to 255 The default activation priority is 50 The following example sets dynamic CAC on FastEthernet interface 10 2 with a bearer bandwidth limit of 128 and an activation priority of 100 Displaying bandwidth information Use the show dynamic cac command to display bandwidth information about the interface The show dynamic cac command displays the fo...

Page 319: ...tered applications when the state changes Configuring object tracking is a two stage operation The first stage is to define Respond Time Reports RTRs the basic building blocks of object tracking RTRs actively monitor the reachability state of remote devices by generating probes at regular intervals Each RTR identified by a unique number monitors one remote device and learns the state of the device...

Page 320: ...ate of the remote device s changes Object tracking configuration 1 Configure RTRs to monitor remote devices and learn their state up or down Each RTR has a state inactive not running up the remote device is considered up or down the remote device is considered down 2 Configure object trackers to track the states of RTRs Each object tracker calculates its own state up or down based on the states of...

Page 321: ...onnection operation specify also which port to probe in the remote device For example Or 3 Optionally use the frequency command to specify the frequency at which RTR probes are sent If you do not configure this parameter the default value of five seconds is used For example 4 Optionally use the dscp command to set the DSCP value in the IP header of the probe packet thus setting the packets priorit...

Page 322: ...to specify a source IP address instead of using the output interface s address By default the source address command is disabled and RTR probes use the output interface s address Use the source address command when you are probing a device located on the Internet and specify as the source address the G250 G350 public IP address For example 7 Optionally configure the RTR parameters that determine w...

Page 323: ...racker that is an object tracker that tracks a single RTR If you wish you can then configure a track list which contains multiple simple object trackers and specifies how to calculate the overall state of the list Note that a track list is itself an object tracker Therefore you can configure track lists containing object trackers which are either simple object trackers or other track lists Configu...

Page 324: ...e object command to add an object tracker to the list Note: The object tracker can be a simple one tracking a single RTR or a track list For example 4 Repeat step 3 to add as many object trackers as you require up to a maximum of 50 5 If you specified a Threshold method of calculation in step 1 use the threshold count command to enter the threshold values For example use the following command ...

Page 325: ...cking logging to a CLI terminal Use the show rtr configuration command to display RTR configuration values including all defaults for a specific RTR operation or for all RTR operations Use the show rtr operational state command to display the global operational status of the RTR feature for a specific RTR operation or for all RTR operations Use the show track command to display tracking informatio...

Page 326: ...f level Info and above For example 3 Use the set logging session condition tracker command to view all object tracker messages of level Info and above For example G350 001 set logging session enable Done CLI Notification write set logging session enable G350 001 set logging session condition saa Info Done CLI Notification write set logging session condition saa Info G350 001 set logging session co...

Page 327: ...ure an object tracker which tracks the state of RTR 5 For example G350 001 config rtr 5 G350 001 config rtr 5 type echo protocol ipIcmpEcho 10 0 0 1 G350 001 config rtr icmp 5 wait interval 2 seconds Done G350 001 config rtr icmp 5 fail retries 3 Done G350 001 config rtr icmp 5 success retries 1 Done G350 001 config rtr icmp 5 exit G350 001 config rtr schedule 5 start time now life forever G250 00...

Page 328: ...0 1 G350 001 config rtr icmp 5 wait interval 2 seconds Done G350 001 config rtr icmp 5 fail retries 3 Done G350 001 config rtr icmp 5 success retries 1 Done G350 001 config rtr icmp 5 exit G350 001 config rtr schedule 5 start time now life forever G350 001 config rtr 6 G350 001 config rtr 6 type tcpConnect dest address 20 0 0 1 dest port 80 G350 001 config rtr tcp 6 frequency 500 milliseconds Done...

Page 329: ...he failover mechanism for interfaces See Typical application backup for the WAN FastEthernet interface on page 330 and Typical application interface backup via policy based routing on page 333 Track the state of a route a static route a PBR next hop or the DHCP client default route For an example of how to track the DHCP client default route see Typical application tracking the DHCP client default...

Page 330: ... application of this type is described in full in Failover using a peer group on page 621 Figure 24 Failover VPN topology using object tracking Typical application backup for the WAN FastEthernet interface This typical application illustrates the use of object tracking as a backup mechanism for PPPoE configured on the WAN FastEthernet interface A track list monitors the state of the connection If ...

Page 331: ...inue to be sent over the PPPoE interface as long as the PPP IPCP connection status is up Define four RTRs to probe the four entrances to the Main Offices Configure each one to run immediately and forever rtr 1 type echo protocol ipIcmpEcho 6 0 0 200 next hop interface fastethernet 10 2 exit rtr schedule 1 start time now life forever rtr 2 type echo protocol ipIcmpEcho 6 0 0 201 next hop interface ...

Page 332: ...list threshold count threshold count up 4 down 2 object 1 object 2 object 3 object 4 exit Configure PPPoE encapsulation on interface WAN FastEthernet 10 2 and register the interface with the track list interface fastethernet 10 2 bandwidth 96 encapsulation pppoe traffic shape rate 96000 ip address negotiated keepalive track 50 exit Configure the serial 3 1 1 interface interface serial 3 1 1 encaps...

Page 333: ...s typical application with the example below The example creates a next hop list that sends the specified traffic to the WAN FastEthernet interface which is running PPPoE encapsulation If the WAN FastEthernet interface becomes unavailable the next hop list routes the traffic to the Serial interface 3 1 1 PBR list 801 is created and assigned to interface VLAN 1 so that traffic defined in PBR list 8...

Page 334: ...or routing decisions that is whether traffic can be routed over this default route To do so the user activates tracking to monitor the remote HQ peer When the object tracker is up the DHCP default route may be used When the object tracker is down the DHCP default route is not used for routing and traffic is routed to alternate routes Create PBR list 801 This list routes traffic from IP address 149...

Page 335: ...cp exit Configure the RTRs and object trackers Use the next hop command to ensure that the RTR is sent over the next hop it is monitoring which is the WAN Fast Ethernet running DHCP client 192 30 3 1 is the remote HQ peer IP address rtr 2 type echo protocol ipIcmpEcho 192 30 3 1 next hop interface fastethernet 10 2 exit track 2 rtr 2 exit Apply object tracking on the DHCP client interface fastethe...

Page 336: ...ote device being probed dscp Set the DSCP value for the packets of the RTR probes fail retries Set how many consecutive unanswered probes change the status of an RTR operation device from up to down frequency Set the frequency of the RTR probes next hop Specify the next hop for the RTR probes bypassing normal routing source address Set the source IP address for RTR operations success retries Set h...

Page 337: ...r VoIP queue scheduler to buffer the packets FRF 12 fragmentation allows for link fragmentation and interleaving LFI which reduces the serialization delay on narrow bandwidth PVCs This is required for VoIP traffic You can configure the traffic shaping and fragmentation parameters within traffic shaping templates called map classes A map class is comprised of the following parameters CIR Default 56...

Page 338: ...n enable traffic shaping on a frame relay interface with the frame relay traffic shaping command After you enable traffic shaping a default map class is applied to all currently configured PVCs Configuring map classes Use the map class frame relay command to create a map class and to enter the configuration context of the map class Use the cir out command to configure the CIR in bits per second fo...

Page 339: ...ure of network operations Table 89 Frame relay traffic shaping CLI commands Root level command Command Description interface serial Enter the Serial interface or sub interface configuration context frame relay traffic shaping Turn on off traffic shaping and frame relay fragmentation map class frame relay Create a map class a QoS template which can later be assigned to DLCIs and enter the configura...

Page 340: ...ame relay interface When the primary DLCI is up the sub frame relay interface is up When the primary DLCI is down the sub frame relay interface is down Therefore when using Priority DLCI it is recommended to verify that the primary DLCI is set as the High Priority DLCI in the Priority DLCI group On the Avaya G250 G350 Media Gateway OSPF is mapped by default to the High Priority DLCI For better net...

Page 341: ...o the WAN via a USP 128 Kbps V 35 interface The following are the connection details for Site A The IP phones are configured with the following DSCP tagging Voice DSCP 46 Voice control DSCP 34 Note: The policy list in the next configuration is based on the assumption that the Media Gateway S8300 and the IP phones send VoIP control packets with a DSCP value of 34 and voice with a DSCP value of ...

Page 342: ...SCP tagging Voice DSCP 46 Voice control DSCP 34 The default RTP UDP port range is 2048 to 3028 Network IPs 24 bit subnet masks IP phones 3 3 3 0 VLAN 1 Data 33 33 33 0 VLAN 2 Serial 2 2 2 2 S8300 4 4 4 10 G350 PMI 4 4 4 11 Configuration Example for Site A You can configure PPP VoIP on the G350 at Site A Commands with footnotes are described at the end of the configuration procedure Loopback and PM...

Page 343: ...onnections 20 depends on the number of phones 5 At this stage you are matching the RTP port range to that of the G350 6 At this stage the default queue size is 6 and since RTP is enabled you can double the VoIP queue size G350 001 interface Vlan 1 G350 001 if Vlan 1 ip address 149 49 54 24 Done G350 001 if Vlan 1 exit G350 001 interface Vlan 2 G350 001 if Vlan 2 ip address 11 11 11 1 24 Done G350 ...

Page 344: ...ion to the start up configuration file and reset the device G350 001 if Loopback1 exit G350 001 copy running config startup config G350 001 reset G350 001 interface Vlan 1 G350 001 if Vlan 1 ip address 3 3 3 1 24 G350 001 if Vlan 1 exit G350 001 interface Vlan 2 G350 001 if Vlan 1 2 ip address 33 33 33 1 24 G350 001 if Vlan 1 2 exit G350 001 controller t1 4 1 G350 001 controller 4 1 channel group ...

Page 345: ... through the gateway itself to the eight Ethernet LAN PoE ports located on the G250 s front panel Note: The G250 DCP model does not support PoE Note: When you connect a non powered device to a PoE port the PoE port status is Fault Ignore the Fault status Load detection The MM314 and MM316 PoE media modules and the G250 periodically check all ports powered and non powered to check their sta...

Page 346: ...You can add and remove PDs without manually reconfiguring the switch since it performs a periodic automatic load detection scan on non powered ports If a PD that fits the above criteria is detected on a non powered port then power is applied to the port If a PD is removed from a port then power is denied to that port The disconnected port is then scanned as well In addition if the PoE module in th...

Page 347: ...rts are powered after the switch is booted There are three user configurable PoE priority levels Low High Critical The default value for all ports is Low Power is automatically applied to PDs according to their priority when the power budget increases If the power budget is exceeded power is not provided to a new PD when you attach it even if you define its priority as High or Critical Note: T...

Page 348: ...ing PoE on a G350 port Configuring PoE priority on a G250 port Configuring PoE priority on a G350 port G250 001 super set port powerinline 10 4 enable Load detection process on port 10 4 is enabled G350 001 super set port powerinline 6 12 enable Load detection process on port 6 12 is enabled G250 001 super set port powerinline 10 5 disable Load detection process on port 10 5 is disabled G350 001 s...

Page 349: ... 6 11 Searching Low telephone 6 12 Disabled Low telephone 6 13 Searching Low telephone 6 14 Searching High telephone 6 15 Searching Low telephone 6 16 Searching Low telephone 6 17 Fault Low telephone 6 18 Fault Low telephone 6 19 Searching Low telephone 6 20 Searching Low telephone 6 21 Searching Low telephone 6 22 Fault Low telephone 6 23 Delivering Power Low telephone G250 003 super show powerin...

Page 350: ...tection process on the port set port powerinline priority Configure the priority level of powering the port set port powerinline type Set the type of powered device connected to the PoE port set powerinline trap disable Disable PoE trap generation set powerinline trap enable Enable the generation of PoE traps and configure the Usage Threshold value show powerinline Display the current inline power...

Page 351: ...m ends the call continues The fixed trunk port and analog line ports do not start to operate until the active call ends The ETR for each of the G250 G350 models closes the tip ring contacts for the ports listed in Table 92 CAUTION: Some ports should not be administered as DID ports to avoid having the ETR loop start trunk connected directly to the tip and ring circuit of the DID trunk thus ...

Page 352: ...ine port 3 2 in the G250 7 2 in the G350 The other analog line port 3 3 in the G250 7 3 in the G350 will also be disabled To deactivate ETR manually in the G250 use the following command To deactivate ETR manually in the G350 use the following command ETR does not become active in the event of link failure To restore ETR to automatic activation in the G250 use the following command To restore ETR ...

Page 353: ...nk number of the trunk connected to ETR Line number of the line connected to ETR Line status off hook or on hook Summary of ETR commands For more information about these commands see Avaya G250 and Avaya G350 CLI Reference 03 300437 Table 93 ETR configuration CLI commands Command Description set etr Enable or disable Emergency Transfer Relay ETR mode or allow the gateway to control ETR mode automa...

Page 355: ...re get statistics and information and receive alerts from network devices You can use any SNMP compatible network management system to monitor and control a G250 G350 Agent and manager communication There are several ways that the SNMP manager and the agent communicate The manager can Retrieve a value get The SNMP manager requests information from the agent such as the number of users logged on to...

Page 356: ...nificant predetermined event takes place on that agent When a notification condition occurs the SNMP agent sends an SNMP notification to the device specified as the trap receiver or trap host The SNMP Administrator configures the trap host usually the SNMP management station to perform the action needed when a trap is detected Note: For a list of traps and MIBS see Traps and MIBs on page 743 S...

Page 357: ...eView or snmpv1View you may not be able to access the device using SNMPv1 or SNMPv2c In addition traps are sent to designated trap receivers Packets with trap information also contain a trap community string SNMPv2c SNMPv2c is very similar to SNMPv1 However SNMPv2c adds support for the get bulk action and supports a different trap format SNMPv3 SNMPv3 enables the following features over SNMPv1 or ...

Page 358: ...at is calculated with the user key and the data part is sent with DES56 encryption using the user key SNMP server user command Use the snmp server user command to create a user or to change the parameters of an existing user This command includes the following parameters A user name for the user The name of the SNMP group with which to associate the user The SNMP version functionality that the use...

Page 359: ...can access the highest level view below the user s security level For example if the SNMPv1 and SNMPv2c views are undefined for a group anyone logging in using SNMPv1 and SNMPv2c cannot access the device If the NoAuthNoPriv view is not defined for a group SNMPv3 users with a NoAuthNoPriv security level can access the SNMPv2c view The G250 G350 includes the following pre configured groups Table 94 ...

Page 360: ...e Write Views Allow read write access to a specified list of OIDs in the MIB tree Notify Views Allow SNMP notifications from a specified list of OIDs to be sent Each view consists of a list of OIDs in the MIB tree This list can be created using multiple snmp server view commands to either add OIDs to the list or exclude OIDs from a list of all of the OIDs in the G250 G350 s MIB tree You can use wi...

Page 361: ...lure traps for all managers Enter set snmp trap enable disable frame relay to enable or disable frame relay traps for all managers Enter show snmp to display SNMP information Use the show port trap command to display information on SNMP generic Link Up and Link Down traps sent for a specific port or for all ports Use the snmp server informs command to configure the SNMPv3 timeout and retries for n...

Page 362: ...ype of trap by setting the notification list parameter of the snmp server host command to one of the following all All traps This is the default generic Generic traps hardware Hardware faults rmon RMON rising falling alarm dhcp server DHCP server error such as a DHCP IP conflict detection or notification of no IP address left for specific network dhcp clients DHCP client error such as a DHCP clien...

Page 363: ...ial Tunnel or USB modem interface snmp trap link status Enable or disable Link Up and Link Down traps on an interface set port trap Enable or disable SNMP Link Up and Link Down traps notifications and traps on a port set snmp trap enable disable auth Enable or disable authentication failure traps for all managers set snmp trap enable disable frame relay Enable or disable frame relay traps for all ...

Page 364: ...ns Use the no form of this command to remove an SNMPv3 remote user for SNMP notifications Use the set snmp community command to create or modify an SNMPv1 community Use the snmp server engineID command to configure the SNMPv3 engine ID Use the no form of this command to configure the engine ID to its default value The SNMP engine ID is set automatically by a calculation based on the MAC address of...

Page 365: ...display the time to wait before resending a communication Enter show snmp to display a list of SNMP notification receivers Note: You need an Admin privilege level to use the SNMP commands Summary of SNMP access configuration commands For more information about these commands see Avaya G250 and Avaya G350 CLI Reference 03 300437 Table 96 SNMP access configuration CLI commands Command Descriptio...

Page 366: ...ow snmp user Display configuration information for a specified SNMP user show snmp usertogroup Display a table of SNMPv3 users and the groups to which they are mapped show snmp view Display configuration information for all SNMP views snmp server community Enable or disable SNMP access to the G250 G350 snmp server engineID Specify the SNMP Engine ID for the G250 G350 snmp server group Define a new...

Page 367: ...or a list of possible notification types see Notification types on page 362 The following example configures dynamic trap manager to send all traps Use the clear dynamic trap manager command to remove administration of the dynamic trap manager Summary of dynamic trap manager configuration commands For more information about these commands see Avaya G250 and Avaya G350 CLI Reference 03 300437 G350 ...

Page 368: ... 2 G350 001 super if FastEthernet 10 2 snmp trap link status Done G350 001 super show snmp Authentication trap disabled Community Access Community String read only read write SNMPv3 Notification Status Traps Enabled Informs Enabled Retries 3 Timeout 3 seconds SNMP Rec Address Model Level Notification Trap Inform User name 149 49 70 137 v1 noauth all trap ReadCommN UDP port 162 DM G350 001 super if...

Page 369: ...p on a LAN port on the G250 The following example disables Link Up and Link Down traps on a LAN port on the G350 G350 001 super set snmp community read only read SNMP read only community string set G350 001 super set snmp community read write write SNMP read write community string set G250 001 super set port trap 10 3 enable Port 10 3 up down trap enabled G350 001 super set port trap 6 5 enable Po...

Page 371: ...ays When you dial the contact closure open access code the relay opens no contact When you dial the contact closure close access code the relay closes contact When you dial the contact closure pulse access code the relay closes contact for the pulse duration and then opens no contact You can control each contact closure relay manually with CLI commands or with Avaya G350 Manager Note: Configur...

Page 372: ...onds after the call controller triggers contact closure in the relay To activate contact closure manually use the set contact closure admin command with the parameter manual trigger In the following example the command activates contact closure in relay 1 of the Avaya Partner Contact Closure Adjunct Contact closure remains active until you deactivate it by using the set contact closure admin comma...

Page 373: ...lay the status of one or more contact closure relays The following example displays the contact closure status of relay 1 of the Avaya Partner Contact Closure Adjunct box Summary of contact closure commands For more information about these commands see Avaya G250 and Avaya G350 CLI Reference 03 300437 set contact closure admin 10 1 2 manual off G350 001 super show contact closure MODULE PORT RELAY...

Page 374: ...ways set contact closure pulse duration Set the length of time for the relay to return to normal after the call controller triggers the relay show contact closure Display the status of one or all contact closure relays Table 99 Contact closure CLI commands continued Command Description 2 of 2 ...

Page 375: ...SCP Simple management operations for the announcement files stored in the announcement directory Announcement file operations Upload an announcement file to a remote SCP server using the copy announcement file scp command Specify the file name of the announcement file in the G250 G350 announcement directory followed by the IP address of the remote SCP server and optionally a destination file name ...

Page 376: ...ll path For example Download an announcement file from a USB mass storage device to the G250 G350 announcement directory using the copy usb announcement file command Specify the name of the USB device followed by the file name of the announcement file on the USB device and optionally a destination file name including the full path For example Erase an announcement file from the G250 G350 announcem...

Page 377: ... Mode FTP SERVER SCP CLIENT ID File Description Size Bytes Date 5 46xxupgrade scr Announcement1 4000 09 54 55 04 APR 2005 8 4601dbte1_82 bin Announcement2 8000 09 55 55 04 APR 2005 9 4602dbte1_82 bin Announcement3 16000 09 56 55 04 APR 2005 Nv Ram Total bytes used 28000 Total bytes free 7344800 Total bytes capacity fixed 7372800 G350 001 super show download announcement file status Module 9 Module...

Page 378: ...the G250 G350 announcement directory copy scp announcement file Download an announcement file from a remote SCP server to the G250 G350 announcement directory copy usb announcement file Download an announcement file from a USB mass storage device to the G250 G350 announcement directory erase announcement file Erase an announcement file from the G250 G350 announcement directory rename announcement ...

Page 379: ... flow and increasing security within the VLAN VLAN Tagging VLAN Tagging is a method of controlling the distribution of information on the network The ports on devices supporting VLAN Tagging are configured with the Port VLAN ID and Tagging Mode parameters The Port VLAN ID is the number of the VLAN to which the port is assigned Note: You need to create a VLAN with the set vlan command before yo...

Page 380: ...P In order to accomplish this the G250 G350 enables multiple VLANs per port The available Port Multi VLAN binding modes are Bound to Configured The port supports all the VLANs configured in the switch Statically Bound The port supports VLANs manually configured on the port Figure 27 shows these binding modes Figure 27 Multi VLAN Binding Static Binding The user manually specifies the list of VLAN I...

Page 381: ...rt that is assigned to a VLAN allows packets tagged for that VLAN only to enter through that port Unassigned packets receive the PVID of the port and are therefore allowed to enter ICC VLAN When the G250 G350 includes an ICC the ICC connects to the G250 G350 via an internal switch By default the ICC is connected on Vlan 1 The VLAN to which the ICC connects is called the ICC VLAN You can use the ic...

Page 382: ...ic VLANs to ports Use the set port vlan command to set the port VLAN ID PVID Use the set port vlan binding mode command to define the binding method used by ports Use the set trunk command to configure the VLAN tagging mode of a port Use the set vlan command to configure VLANs Use the show cam vlan command to display all mac entries in the CAM table for a specific vlan Use the show interfaces vlan...

Page 383: ...will assign all ports on VLAN 34 to their default in the entire management domain do you want to continue Y N y All ports on VLAN id assigned to default VLAN VLAN 34 was deleted successfully G350 001 super interface Vlan 66 G350 001 super if Vlan 66 icc vlan Done G350 001 super interface Vlan 66 G350 001 super if Vlan 66 G350 001 super no interface vlan 66 Done G350 001 super set port vlan binding...

Page 384: ...AN 1 G350 001 super show interfaces Vlan 1 VLAN 1 is up line protocol is up Physical address is 00 04 0d 29 c6 bd MTU 1500 bytes Bandwidth 100000 kbit Reliability 255 255 txLoad 1 255 rxLoad 1 255 Encapsulation ARPA ICC VLAN Link status trap disabled Full duplex 100Mb s ARP type ARPA ARP Timeout 04 00 00 Last input never Last output never Last clearing of show interface counters never 5 minute inp...

Page 385: ... the port clear vlan Delete an existing VLAN and its interface remove the entry from the VLAN table and return ports from this VLAN to the default VLAN 1 interface vlan Create a VLAN interface enter interface VLAN configuration mode or delete a VLAN interface icc vlan Set the current VLAN as the ICC VLAN set port static vlan Assign a static VLAN to a port set port vlan Set the port VLAN ID PVID se...

Page 386: ...s the secondary port If the primary port fails the secondary port takes over You can configure up to 25 pairs of ports per chassis Each pair contains a primary and secondary port You can configure any type of Ethernet port to be redundant to any other You can configure redundant ports from among the Ethernet LAN port on the G350 front panel and the Ethernet ports 1 24 and the Gigabit Ethernet port...

Page 387: ...takes place If you set this to none there is no switchback to the primary port when it recovers In this case switchback to the primary port only takes place if the secondary port fails Port redundancy CLI commands The following commands are used to configure port redundancy For more information about these commands see Avaya G250 and Avaya G350 CLI Reference 03 300437 Use the set port redundancy e...

Page 388: ...port redundancies The following example disables all configured port redundancies The following example configures the switchback interval for all configured port redundancies The following example displays port redundancy information G350 001 super set port redundancy 6 3 6 5 on 1 Monitor Port 6 5 is redundant to port 6 3 Port redundancy is active entry is effective immediately G350 001 super set...

Page 389: ...u cannot however define the port mirroring source and destination ports as the same source and destination ports You can define one source port and one destination port on each G250 G350 for received Rx transmitted Tx or transmitted and received both traffic Port mirroring constraints You cannot use the LAN port on the G350 front panel or the WAN Fast Ethernet port on the G250 and G350 front panel...

Page 390: ...following example creates a port mirroring pair in the G250 The following example displays port mirroring information for the G350 The following example displays port mirroring information for the G250 The following example disables port mirroring G350 001 super set port mirror source port 6 2 mirror port 6 10 sampling always direction rx Mirroring rx packets from port 6 2 to port 6 10 is enabled ...

Page 391: ...tree algorithm ensures the existence of a loop free topology in networks that contain parallel bridges A loop occurs when there are alternate routes between hosts If there is a loop in an extended network bridges may forward traffic indefinitely which can result in increased traffic and degradation in network performance The spanning tree algorithm produces a logical tree topology out of any arran...

Page 392: ... on a port This delay can cause problems on ports carrying time sensitive traffic You can therefore enable or disable spanning tree in the G350 on a per port basis to minimize this effect Rapid Spanning Tree Protocol RSTP The enhanced feature set of the 802 1w standard includes Bridge Protocol Data Unit BPDU type 2 New port roles Alternate port Backup port Direct handshaking between adjacent bridg...

Page 393: ...e of port numbers to specify whether or not a port is considered an edge port For example the following command specifies that ports 5 to 13 on module 6 are edge ports The following command specifies that port 6 on module 6 is not an edge port Enter show port edge state followed by the module and port number to display the edge state of the specified port Use this command without specifying a modu...

Page 394: ...nd to force a port to send a rapid spanning tree hello packet Bridge Protocol Data Unit Use the set port spantree priority command to set the spanning tree priority level of a port This value defines the priority of a port to be blocked in case two ports with the same cost cause a loop Use the set spantree default path cost command to set the version of the spanning tree default path cost used by ...

Page 395: ... forwarding state The following example configures the time interval between the generation of configuration BPDUs by the root The following example configures the amount of time an information message is kept before being discarded G350 001 super set port spantree enable 6 5 port 6 5 was enabled on spantree G350 001 super set port spantree disable 6 5 port 6 5 was disabled on spantree G350 001 su...

Page 396: ...anning tree in order to limit the maximum number of BPDUs transmitted during a hello time period The following example configures the version of spanning tree to use on the device G350 001 super set spantree priority 36864 Bridge priority set to 36864 G350 001 super set spantree tx hold count 4 tx hold count is set to 4 G350 001 super set spantree version rapid spanning tree Spanning tree version ...

Page 397: ...nning Tree Default Path Costs is according to common spanning tree Port State Cost Priority 6 1 not connected 100 128 6 2 not connected 100 128 6 3 not connected 100 128 6 4 not connected 100 128 6 5 not connected 100 128 6 6 not connected 100 128 6 7 not connected 100 128 6 8 not connected 100 128 6 9 not connected 100 128 6 10 not connected 100 128 6 11 not connected 100 128 6 12 not connected 1...

Page 398: ...priority Set the spanning tree priority level of a port set spantree default path cost Set the version of the spanning tree default path cost used by the current bridge set spantree enable disable Enable or disable the spanning tree algorithm for the media gateway set spantree forward delay Specify the time used when transferring the state of a port to the forwarding state set spantree hello time ...

Page 399: ...ation about these commands see Avaya G250 and Avaya G350 CLI Reference 03 300437 Use the set port classification command to set the port classification to either regular or valuable Any change in the spanning tree state from forwarding for a valuable port will erase all learned MAC addresses in the switch Use the show port classification command to display a port s classification Port classificati...

Page 400: ...ssification 10 3 regular 10 4 valuable 10 5 regular 10 6 valuable 10 7 regular 10 8 regular 10 9 regular 10 10 regular G350 001 super show port classification Port Port Classification 6 1 regular 6 2 regular 6 3 regular 6 4 regular 6 5 valuable 6 6 regular 6 7 regular 6 8 regular 6 9 regular 6 10 regular 6 11 regular 6 12 regular 6 13 regular 6 14 regular 6 15 regular 6 16 regular 6 17 regular 6 1...

Page 401: ...e 03 300437 Table 105 Port classification CLI commands Command Description set port classification Set the port classification to either regular or valuable any change in the spanning tree state from forwarding for a valuable port will erase all learned MAC addresses in the switch show port classification Display port classification for a specified port or all ports ...

Page 402: ...Configuring advanced switching 402 Administration for the Avaya G250 and Avaya G350 Media Gateways ...

Page 403: ...N is the internationally recognized and approved standard for detailed analysis of shared Ethernet media It ensures consistency in the monitoring and display of statistics between different vendors RMON s advanced remote networking capabilities provide the tools needed to monitor and analyze the behavior of segments on a network In conjunction with an RMON agent RMON gathers details and logical in...

Page 404: ...ries Use the show rmon history command to display RMON alarm entries Use the show rmon statistics command to display RMON statistics RMON configuration examples The following example creates an RMON alarm entry The following example creates an RMON event entry The following example creates an RMON history entry with an index of 80 on port 24 of the module in slot 6 recording activity over 60 inter...

Page 405: ... 04 G350 001 super show rmon history 80 history Entry 80 is active owned by root Monitors the port 6 24 every 20 seconds Requested of time intervals ie buckets is 60 Granted of time intervals ie buckets is 60 Sample 2 began measuring at 0 21 16 Received 4081 octets 41 packets 0 broadcast and 10 multicast packets 0 undersize and 0 oversize packets 0 fragments and 0 jabbers 0 CRC alignment errors an...

Page 406: ...en the QoS level falls below a configured level Table 106 RMON CLI commands Command Description clear rmon statistics Clear RMON statistics rmon alarm Create or delete an RMON alarm entry rmon event Create or delete an RMON event entry rmon history Create or delete an RMON history entry show rmon alarm Display information about a specific RMON alarm entry or all existing RMON alarm entries show rm...

Page 407: ...to RTP RTP endpoints periodically send RTCP report packets to their remote peer or peers in multicast RTCP reports include QoS data such as delay jitter and loss Collects call data from the gateway such as duration start time and end time Displays the RTP statistics in CLI and MIB formats Displays summary reports for the VoIP engine s Assesses QoS status based on configurable thresholds on an exte...

Page 408: ...configured in Avaya Communication Manager where it is called RTCP Report Period The RTCP interval is typically 5 to 8 seconds For information about configuring the RTCP interval RTCP report period see Administrator Guide for Avaya Communication Manager 03 300509 Thresholds types A threshold on a metric For example you can configure a threshold on the metric packet loss The application samples the ...

Page 409: ...ge Remote Loss 3 0 N A RTT 500mS 2 Local Jitter 50mS 2 Remote Jitter 50mS 2 SSRC Changes N A 2 Table 107 QoS metrics Metric Description Evaluation time Codec Loss The percentage of time the codec plays fill frames due to lack of valid RTP frames Possible causes include jitter and packet loss Every RTCP interval Average Codec Loss The average codec loss measurement since the beginning of the RTP st...

Page 410: ...tat win Every RTCP interval Average Loss The average packet loss evaluation since the beginning of the RTP stream At the end of the session Remote Loss The network loss according to the remote RTP receiver The device learns of the remote packet loss from received RTCP messages Each time an RTCP packet is received Average Remote Loss The average remote network loss measurement since the beginning o...

Page 411: ...ession the echo return loss event counter increments 2 Use the rtp stat event threshold command to set thresholds on QoS events For example With this example configuration if echo return loss is sampled over its threshold more than twice during an RTP session the application considers the session to have QoS faults Enabling and resetting the RTP statistics application When you enable the RTP stati...

Page 412: ... the application is enabled which types of traps are enabled and how the trap rate limiter and minimum statistics window are configured The minimum statistics window is the minimum number of observed RTP sequence increments for which the application evaluates packet loss Enter show rtp stat config For example Table 108 describes the output of the show rtp stat config command G350 001 super show rt...

Page 413: ...pplication is not configured to generate QoS fault and clear traps Fault The QoS fault trap boundary That is the minimum number of active sessions with QoS faults that triggers a QoS fault trap Clear The QoS clear trap boundary That is the reduced number of active sessions with QoS faults that triggers a QoS clear trap to be sent after a QoS fault trap was sent QoS Trap Rate Limiter Token Interval...

Page 414: ...e set too low a significant amount of trap traffic will be generated and negatively impact network performance Enabling QoS traps 1 View the RTP statistic thresholds and modify their configurations as necessary See Viewing RTP statistics thresholds on page 408 and Configuring RTP statistics thresholds on page 410 Reserved The number of rows in the session table that are reserved for sessions with ...

Page 415: ...trap manager use the command snmp server host For example Note Note When using the snmp server host command you can specify only to send certain types of traps to the specified trap manager For example snmp server host 1 1 1 1 traps v1 public rtp stat qos rtp stats faults configures only QoS traps and QoS fault and clear traps to be sent to host 1 1 1 1 To check your current SNMP configurations en...

Page 416: ...as QoS problems A QoS clear trap is then sent if and when the number of active RTP sessions with QoS problems reaches 0 Configuring the trap rate limiter The application features a trap rate limiter The trap rate limiter limits the rate at which QoS traps are sent The rate limiter protects against overloading the trap manager with bursts of traps when a single event causes multiple RTP sessions to...

Page 417: ... Total QoS traps The total number of QoS traps sent since the RTP statistics application was enabled or since the last use of the rtp stat clear command QoS traps Drop The number of QoS traps dropped by the rate limiter since the RTP statistics application was enabled or since the last use of the rtp stat clear command Qos Fault QoS Clear General QoS state QoS Fault means that the number of active...

Page 418: ...ince the last use of the rtp stat clear command Active Session The number of active sessions number of active sessions with QoS problems Total Session The total number of sessions number of sessions that had QoS problems Mean Duration The mean RTP session duration calculated only for terminated calls Tx TTL The IP Time To Live TTL field for transmitted RTP packets Table 109 RTP statistics summary ...

Page 419: ...ess 135 8 76 107 206113 SSRC 2989801899 0 14 Samples 5415 5 sec 16 Codec G72317 62B18 30mS19 Off20 Silence suppression Tx Rx Disabled21 Not Supported22 Play Time 272 610sec23 Loss 0 0 24 125 Avg Loss 0 1 26 RTT 741mS27 3828 Avg RTT 570mS29 JBuf under overruns 0 1 30 0 0 31 Jbuf Delay 22mS32 Max Jbuf Delay 60mS33 Received RTP Packets 923634 Loss 0 0 35 036 Avg Loss 0 0 37 RTT 604mS38 3839 Avg RTT 3...

Page 420: ...sible values Active The session is still open Terminated The session is finished Status Terminated QOS 3 The QoS status of the session Possible values OK There are no QoS problems in the session Faulted There are QoS problems in the session QOS Faulted EngineId 4 The ID of the VoIP engine The G250 G350 has one VoIP engine EngineId 0 Start Time 5 The date of the RTP session 2004 10 20 6 The start t...

Page 421: ...one 69 2011 Local Address 11 The PMI The number after the colon is the UDP port number Local Address 135 8 118 252 2061 Remote Address 13 The remote VoIP engine gateway PMI or IP phone address The number after the colon is the UDP port number Remote Address 135 8 76 107 2061 12 14 SSRC ID The number in parentheses is the number of observed SSRC changes during the session SSRC 2989801899 0 Samples ...

Page 422: ...d during the session Avg Loss 0 1 RTT rtt ms 27 The last sampling of codec round trip time RTT in ms Codec RTT is the round trip delay experienced by the user including internal delay This value is not entirely accurate since remote internal delays are not always known RTT 741mS27 38 rtt events 28 The codec RTT event counter RTT 741mS 3828 Avg RTT 29 The average of all codec RTT values sampled dur...

Page 423: ...rk jitter at the RTP receiver Combined with long RTT a large jitter value may indicate WAN congestion Jitter 0mS41 0 jitter event 42 The RTP receiver network jitter event counter Jitter 0mS 042 Avg Jitter 43 The average of all network jitter values during the session Avg Jitter 0mS TTL last min max 44 The last value of TTL minimum value of TTL and maximum value of TTL sampled during the session TT...

Page 424: ...52 The Layer 2 priority of transmitted RTP packets usually 802 1p L2Pri 6 RTCP 53 The total number of transmitted RTCP packets RTCP 62 Remote Statistics Remote Statistics items are calculated and evaluated upon reception of RTCP messages Loss rem loss 54 The network loss experienced by the remote RTP receiver The local RTP receiver learns about its remote peer statistics from RTCP packets Loss 0 0...

Page 425: ...the string avrtp 5 In the Number of Lines field enter the maximum number of traps you want to view 6 Click View Log The View System Logs screen appears Figure 28 Each line contains one message Avg jitter 59 The average remote jitter Avg Jitter 0mS Echo Cancellation Loss loss dbm 60 The echo cancellation loss on the TDM bus A high value that is a low absolute value may indicate impairment of DCP te...

Page 426: ...tpSessionLocAddrV4 0 IpAddress 135 8 118 2526 avRtpSessionRemAddrV4 0 IpAddress 135 8 76 1077 avRtpSessionDuration 0 INTEGER 2738 avRtpSessionCname 0 STRING gwp 135 8 118 2529 avRtpSessionPhone 0 STRING 69 201110 avRtpSessionSeverity 0 INTEGER warning 4 avRtpSessionDebugStr 0 STRING Id 35 11 Traps 2412 013 Stats S 5414 RTCP 5415 RX 923616 Codec g72317 62B18 encryptionOff19 SSup disabled20 disabled...

Page 427: ...Notes The phone string data is received from Avaya Communication Manager if VMON is configured If you are not running VMON you can cause Avaya Communication Manager to send the phone string data by configuring a dummy RTCP server for the region with a localhost IP address 127 x x x avRtpSessionPhone 0 STRING 69 2011 11 An arbitrary index number for the session in the session table avRtpSessionDebu...

Page 428: ...ring the session RTT 570mS23 38 25 The codec round trip time event counter RTT 570mS 3824 26 The percentage contribution of jitter buffer underruns to the average codec loss Jbuf 0 1 25 0 0 27 The percentage contribution of jitter buffer overruns to the average codec loss Jbuf 0 1 0 0 26 28 The average of all network RTP packet loss values sampled during the session Loss 0 0 27 0 29 The network RT...

Page 429: ...hat increments each time the network jitter experienced by the remote RTP receiver is sampled over its threshold Rem Loss 0 0 0 Jtr 038 39 The echo cancellation loss on the TDM bus A high value that is a low absolute value may indicate impairment of DCP terminals EC Loss 45dB Table 111 QoS Trap output fields continued Label Description From the trap example 4 of 4 Oct 201 11 10 542 LZ SIT SR1 snmp...

Page 430: ...3 40 3 The gateway uptime sysUpTime 0 Timeticks 43131114 4 days 23 48 31 14 sysUpTime 0 Timeticks 43147723 4 days 23 51 17 23 4 The trap name Indicates that this is a QoS fault trap or a QoS clear trap snmpTrapOID 0 OID avRtpQoSFault snmpTrapOID 0 OID avRtpQoSClear 5 The QoS fault trap boundary That is the number of active sessions with QoS faults that causes a QoS fault trap to be sent avRtpQoSFa...

Page 431: ... reverse order most recent first G350 001 super show rtp stat traceroute destination ip 10 2 5 0 255 255 255 0 Session ID 1234 From 123 21 11 5 To 10 2 4 15 At 2004 12 26 12 21 55 TTL HOP ADDRESS DELAY 1 123 21 11 1 2ms 2 212 201 233 102 65ms 3 213 21 51 12 110ms 4 10 2 4 15 175ms Session ID 1234 From 123 21 11 5 To 10 2 4 5 At 2004 12 26 13 30 15 Table 113 RTP traceroute results output Field Desc...

Page 432: ... In addition there are some example calls between various types of phones Configuring the RTP statistics application for a sample network Figure 29 shows the locations of four telephone extensions in an example network Telephones with extensions 2004 and 2111 are connected to the local gateway G250 G350 001 Extensions 2002 and 2101 are connected to the remote gateway G250 G350 002 Figure 29 Four t...

Page 433: ...tat config RTP Statistic Enabled QoS Trap Disabled QoS Fault Trap Disabled Fault 0 Clear 0 QoS Trap Rate Limiter Token Interval 10 00 seconds Bucket Size 5 Session Table Size 128 Reserved 64 Min Stat Win 1 to view the thresholds G350 001 super show rtp stat thresholds Item Threshold Event Threshold Codec Loss 0 0 1 Average Codec Loss 1 0 N A Codec RTT 5 mS 1 Echo Return Loss 1 dB 1 Loss 1 0 1 Aver...

Page 434: ...t threshold echo return loss 0 G350 001 super rtp stat event threshold loss 1 G350 001 super rtp stat event threshold remote loss 0 G350 001 super rtp stat event threshold jitter 0 G350 001 super rtp stat event threshold remote jitter 0 G350 001 super rtp stat event threshold rtt 0 G350 001 super rtp stat event threshold ssrc change 0 to review the threshold configuration again G350 001 super show...

Page 435: ...e 135 9 77 47 v1 noauth all trap ReadCommN UDP port 162 DM 136 9 71 47 v1 noauth all trap WriteCommN UDP port 162 to enable the sending of QoS traps G350 001 super rtp stat qos trap to enable and configure the sending of fault and clear traps G350 001 super rtp stat fault 2 0 to view RTP statistics configuration again G350 001 super show rtp stat config RTP Statistic Enabled QoS Trap Enabled QoS F...

Page 436: ... over the WAN from an analog phone to an IP phone At 00 39 on December 7 2004 a call is placed from analog extension 2111 to IP phone extension 2002 see Figure 30 in the network described in Configuring the RTP statistics application for a sample network on page 432 Figure 30 Remote call from analog to IP phone ...

Page 437: ...s Terminated QOS Faulted2 EngineId 0 Start Time 2004 12 07 00 39 26 End Time 2004 12 07 00 41 01 Duration 00 01 35 CName gwp 30 30 30 1 Phone 199 2111 Local Address 30 30 30 1 2329 SSRC 2764463979 Remote Address 20 20 20 2 2329 SSRC 1260226 0 Samples 19 5 sec Codec G711U 200B 20mS Off Silence suppression Tx Rx Disabled Disabled Play Time 63 916sec Loss 11 0 153 Avg Loss 8 6 RTT 201mS 0 Avg RTT 210...

Page 438: ... over its threshold 15 times 3 The received RTP packet loss event counter indicates that packet loss went over its threshold nine times 4 The remote packet loss event counter indicates that remote packet loss went over its threshold 14 times 5 A local call between an IP and an analog phone A local call is placed at 00 57 between IP phone extension 2004 and analog phone extension 2111 see Figure 31...

Page 439: ... of the session G350 001 super show rtp stat detailed 1 Session ID 1 Status Terminated QOS Ok2 EngineId 0 Start Time 2004 12 07 00 57 13 End Time 2004 12 07 00 59 19 Duration 00 02 06 CName gwp 30 30 30 1 Phone 200 2111 Local Address 30 30 30 1 2165 SSRC 2533871380 Remote Address 30 30 30 2 2165 SSRC 93269 0 ip phone or another medi proc Samples 25 5 sec Codec G711U 200B 20mS Off Silence suppressi...

Page 440: ...rom IP phone to IP phone After the call is ended the following commands are run Sessions 13 and 14 both belong to the call since two VoIP channels are used by an unshuffled call between two IP phones one channel between each telephone and the G250 G350 VoIP engine to display the RTP sessions G350 001 super show rtp sessions ID QoS Start date and time End Time Type Destination 00011 2004 12 07 00 5...

Page 441: ...2329 SSRC 1372162 0 Samples 30 5 sec Codec G711U 200B 20mS Off Silence suppression Tx Rx Disabled Disabled Play Time 144 540sec Loss 0 0 17 Avg Loss 6 9 RTT 99mS 0 Avg RTT 208mS JBuf under overruns 7 4 0 0 Jbuf Delay 9mS Max Jbuf Delay 73mS Received RTP Packets 7279 Loss 0 0 17 Avg Loss 6 8 RTT 8mS 0 Avg RTT 68mS Jitter 0mS 0 Avg Jitter 6mS TTL last min max 63 63 63 Duplicates 0 Seq Fall 0 DSCP 4...

Page 442: ... 2 2165 SSRC 120077 0 Samples 29 5 sec Codec G711U 200B 20mS Off Silence suppression Tx Rx Disabled Disabled Play Time 151 140sec Loss 0 0 0 Avg Loss 0 0 RTT 95mS 0 Avg RTT 106mS JBuf under overruns 0 0 0 0 Jbuf Delay 11mS Max Jbuf Delay 27mS Received RTP Packets 7556 Loss 0 0 0 Avg Loss 0 0 RTT 0mS 0 Avg RTT 0mS Jitter 0mS 0 Avg Jitter 0mS TTL last min max 64 64 64 Duplicates 0 Seq Fall 0 DSCP 4...

Page 443: ...ce call During the call the following commands are run to display the RTP sessions G350 001 super show rtp sessions ID QoS Start date and time End Time Type Destination 00001 2004 12 23 09 55 17 G729 16 16 16 101 00002 2004 12 23 09 55 20 G711U 149 49 41 50 [Figure: conference call; IP Phone Ext 80886]...

Page 444: ... 141mS JBuf under overruns 0 8 0 0 Jbuf Delay 20mS Max Jbuf Delay 30mS Received RTP Packets 238 Loss 0 0 0 Avg Loss 0 0 RTT 24mS 0 Avg RTT 21mS Jitter 0mS 0 Avg Jitter 0mS TTL last min max 0 61 61 Duplicates 0 Seq Fall 0 DSCP 0 L2Pri 6 RTCP 26 Transmitted RTP VLAN 400 DSCP 46 L2Pri 6 RTCP 34 Remote Statistics Loss 0 0 0 Avg Loss 0 0 Jitter 2mS 0 Avg Jitter 1mS Echo Cancellation Loss 49dB 0 Len 0mS...

Page 445: ...ter 0mS 0 Avg Jitter 0mS TTL last min max 0 64 64 Duplicates 0 Seq Fall 0 DSCP 0 L2Pri 6 RTCP 30 Transmitted RTP VLAN 400 DSCP 46 L2Pri 6 RTCP 30 Remote Statistics Loss 0 0 0 Avg Loss 0 0 Jitter 1mS 0 Avg Jitter 0mS Echo Cancellation Loss 49dB 0 Len 0mS RSVP Status Reserved Failures 0 Table 114 RTP statistics application CLI commands Command Description rtp stat clear Reset the RTP statistics appl...

Page 446: ...cket sniffing service is capable of capturing non Ethernet packets such as frame relay and PPP Non Ethernet packets are wrapped in a dummy Ethernet header to allow them to be viewed in a libpcap format Thus the G250 G350 allows you to analyze packets on all the interfaces of the device rtp stat qos trap rate limit Configure the QoS trap rate limiter rtp stat service Enable the RTP statistics appli...

Page 447: ...page 448 for a description of how to configure packet sniffing and analyze the resulting capture file Streams that can always be captured H 248 registration RTP from the G250 G350 ARP on the LAN broadcast All packets that traverse the WAN All traffic to from the G250 G350 Streams that can never be captured The following streams can never be captured because they are switched by the internal Ethern...

Page 448: ...ice on the G250 G350 before a user can start capturing packets Enter capture service to enable the packet sniffing service Note Note The packet sniffing service can only be enabled by an administrator connecting with a serial cable to the G250 G350 Console port or Services port To disable packet sniffing enter no capture service Limiting packet sniffing to specific interfaces By default the packet...

Page 449: ...y low Use the ip capture list command followed by the list number to enter the context of a capture list and to create the capture list if it does not exist Capture lists are numbered from 500 to 599 For example You can use the following commands to set the parameters of the capture list Use the name command to assign a name to the capture list Use the owner command to record the name of the perso...

Page 450: ...er L4 session which is blocked L3 rules apply to non initial fragments L3 rules that include the fragment criteria do not apply to initial fragments or non fragment packets L3 rules that do not include the fragment criteria apply to initial fragments and non fragment packets L4 rules apply to initial fragments and non fragment packets Rule criteria commands You can use the following rule criteria ...

Page 451: ...all protocols except the specified protocol use the no form of this command For example Source or destination IP address Use the source ip command to apply the rule to packets from the specified IP address or range of addresses Use the destination ip command to apply the rule to packets going to the specified IP address or range of addresses G350 001 super ip capture list 520 G350 001 super Captur...

Page 452: ... to which the rule applies use the following commands followed by either port name or port number range criteria tcp source port The rule applies to TCP packets from ports that match the defined criteria tcp destination port The rule applies to TCP packets to ports that match the defined criteria udp source port The rule applies to UDP packets from ports that match the defined criteria udp destina...

Page 453: ...ss than the specified name or number For example Any Type any to apply the rule to all port names and port numbers For example To apply the rule to all protocols except the specified protocol use the not form of the applicable command For example G350 001 super Capture 520 ip rule 20 tcp destination port range 1 3 Done G350 001 super Capture 520 ip rule 20 G350 001 super Capture 520 ip rule 20 tcp...

Page 454: ... integer or text string For example To apply the rule to all ICMP packets except the specified type and code use the not form of this command For example Fragment To apply the rule to non initial fragments enter fragment You cannot use the fragment command in a rule that includes UDP or TCP source or destination ports G350 001 super Capture 520 ip rule 20 icmp Echo Reply Done G350 001 super Captur...

Page 455: ...cp source port eq telnet Done G350 001 super Capture 511 ip rule 15 exit Rule 20 provides for capturing any packet coming from the host IP address 135 122 50 171 and going to the subnet 135 122 50 128 including packets going to any of the 30 possible hosts in that subnet G350 001 super Capture 511 ip rule 20 G350 001 super Capture 511 ip rule 20 ip protocol tcp Done G350 001 super Capture 511 ip r...

Page 456: ...enabled specify the following command If no capture list is applied the packet sniffing service captures all packets G350 001 show ip capture list 511 Index Name Owner 511 list 511 other Index Protocol IP Wildcard Port Operation DSCP 10 tcp Src Any Any No Capture Any Dst Any eq Telnet 15 tcp Src Any eq Telnet No Capture Any Dst Any Any 20 tcp Src 135 122 50 171 Host Any Capture Any Dst 135 122 50 ...

Page 457: ... kb The default value is 1000 To activate the change in buffer size you must enter copy running config startup config and reboot the G250 G350 For example Use the capture max frame size command to specify the maximum number of bytes captured for each packet This is useful since in most cases the packet headers contain the relevant information Available values are 14 to 4096 The default value is 12...

Page 458: ...sets the buffer before starting the sniffer Note Note You must apply a capture list using the capture filter group command in order for the capture list to be active If you do not use the capture filter group command the packet sniffing service captures all packets If packet sniffing has been enabled by the administrator the following appears If packet sniffing has not been enabled by the administ...

Page 459: ...e Note Note The number of captured frames can be larger than the number of the frames in the buffer because the capture file may be in cyclic mode You can use the show capture buffer hex command to view a hex dump of the captured packets However for a proper analysis of the captured packets you should upload the capture file and analyze it using a sniffer application as described in the following ...

Page 460: ...problem you can upload the capture file to an S8300 Server and view it using Tethereal which is a command line version of Ethereal G350 001 show capture buffer hex Frame number 1 Time relative to first frame D H M S Micro S 0 0 0 0 0 Packet time 14 01 1970 13 24 55 583598 Frame length 60 bytes Capture Length 60 bytes 00000000 ffff ffff ffff 0040 0da9 4201 0806 0001 B 00000010 0800 0604 0001 0040 0...

Page 461: ...stalling and Upgrading the Avaya G350 Media Gateway 03 300394 3 In the Avaya Maintenance Web Interface select FTP under Security in the main menu 4 Click Start Server 5 Log into the G250 G350 6 Use the copy capture file ftp command to upload the capture file Specify that the capture file should be placed in the ftp pub subdirectory For example 7 At the FTP login prompt enter anonymous 8 At the FTP...

Page 462: ...If you uploaded the capture file to a remote server you can view the file using the industry standard Ethereal application The latest version of Ethereal for Windows Linux UNIX and other platforms can be downloaded from http www ethereal com Note Note Ethereal allows you to create filter expressions to filter the packets in the capture file and display desired files only For example you can displa...

Page 463: ...erefore if the source or destination address of a packet you are viewing in Ethereal starts with 00 00 this indicates the packet is a non Ethernet packet For example see the highlighted destination address of the packet appearing in the middle pane in Figure 34 The dummy Ethernet header is identified by special MAC addresses Packets sent from a non Ethernet interface are identified with an SA addr...

Page 464: ...ation address of 00 00 21 40 10 02 indicates that the packet is being sent to the Serial interface on the media module in slot number 4 on port number 1 with channel group number 2 Simulating packets Capture lists support the IP simulate command Refer to Simulating packets on page 657 G350 001 show capture dummy headers MAC Description 00 00 01 00 00 00 Src dst address of Packet to from frame rela...

Page 465: ...ure interface by default the service captures from all interfaces simultaneously capture ipsec Set whether to capture IPSec VPN packets handled by the internal VPN process decrypted plaintext or encrypted cyphertext capture max frame size Set the maximum octets that are captured from each frame capture start Start capturing packets capture stop Stop capturing packets capture service Enable or disa...

Page 466: ...osite operation Create or edit a composite operation destination ip Define an equation on the destination IP dscp Specify the DSCP value to be set by the current IP rule fragment Apply the current rule to non initial fragments only icmp Set ip protocol to ICMP and an equation on the types of ICMP messages ip protocol Set the IP protocol source ip Set the current rule to apply to packets from the s...

Page 467: ...ction is up but ICMP keepalive fails the following is displayed udp destination port Set ip protocol to UDP and an equation on the destination port udp source port Set ip protocol to UDP and an equation on the source port name Name a capture list owner Set the name of the person or application that has created the list show capture Show the sniffer status show capture buffer hex Show a hex dump of...

Page 468: ...e Operational state Extended operational state Up No Keepalive FastEthernet 10 2 is up line protocol is up Up Up Up Up Keepalive Up FastEthernet 10 2 is up line protocol is up Up Up Up Up Keepalive down FastEthernet 10 2 is up line protocol is down no keepalive Up Up KeepAlive Down Down N A FastEthernet 10 2 is up line protocol is down Up Down FaultDown Standby N A FastEthernet 10 2 is in standby ...

Page 469: ...CNA systems usually include multiple chatterboxes and, therefore, multiple schedulers. However, since the schedulers distribute test plug registration parameters among themselves, a test plug only has to register with a single scheduler. Test plug administrators typically configure multiple schedulers addresses for redundancy. You can configure a list of up to five scheduler IP addresses. The test plug at...

Page 470: ...whether the attempt succeeded or failed, and the time taken by the TCP packet to reach its destination. Merge: Chatter test that is used, transparently to the user, to identify a single device with multiple IP addresses and to merge its multiple appearances into one in the network topology map. When the test plug receives a request to run an RTP test, the test plug uses a UDP port called the RTP test por...

Page 471: ...erform the following configurations as necessary: Use the control port command to configure the control port. The default control port number is 8889. Use the rtp echo port command to configure the RTP echo port. The default RTP echo port number is 8888. Use the rtp test port command to configure the RTP test port. The default RTP test port number is 8887. Use the test rate limit command to configure the...

Page 472: ...Note: The cna testplug service command requires admin access level. The test plug attempts to register with the first scheduler on the scheduler list. You can use the show cna testplug command to see if the test plug is registered and to view test plug statistics counters. ...

Page 473: ...Test none Test Count Failed Cancelled traceroute 0 0 0 rtp 0 0 0 ping 0 0 0 tcpconnect 0 0 0 merge 0 0 0 to enter the test plug context G350 001 super cna testplug 1 to configure entries 3 and 1 on the scheduler list G350 001 super cna testplug 1 scheduler 3 135 64 102 76 Done G350 001 super cna testplug 1 scheduler 1 1 1 1 1 Done to change the configuration of scheduler 1 G350 001 super cna testp...

Page 474: ...t 3 135 64 102 76 50002 Ports Control 8889 RTP test 8888 RTP echo 8887 Test rate limiter Maximum 60 tests in 10 seconds Last Test none Test Count Failed Cancelled traceroute 0 0 0 rtp 0 0 0 ping 0 0 0 tcpconnect 0 0 0 merge 0 0 0 to enable the test plug service G350 001 super cna testplug service Done to display test plug configuration and counters after some running time G350 001 super show cna t...

Page 475: ...lear the CNA test plug counters; control port: Set or reset the UDP port on which the CNA test plug listens for test requests from schedulers; fingerprint: Configure the certificate fingerprint used by the CNA test plug to authenticate the scheduler; rtp echo port: Set or reset the UDP port used by the CNA test plug to listen for RTP streams sent by other test plugs running RTP tests; rtp test port: Set o...

Page 476: ...cna testplug service: Enable or disable the CNA test plug service on the gateway; show cna testplug: Display CNA test plug configuration and statistics. (Table 119: CNA test plug CLI commands, continued, 2 of 2) ...

Page 477: ... by case basis. This table is consulted when the default auto mode is specified in the echo cancellation CLI commands. The CLI commands also offer the option of overriding the default automatic mode, but those alternative modes are intended for debugging and diagnostics purposes only. Note: DS1 echo cancellation can only be administered via the Communication Manager SAT, and these settings are alwa...

Page 478: ...s are meant for debugging or diagnosing issues in the field. Use the show echo cancellation command to display current settings for echo cancellers within the G250/G350. Summary of echo cancellation commands: For more information about these commands, see Avaya G250 and Avaya G350 CLI Reference, 03-300437. Table 120: Echo cancellation CLI commands. Command / Description: set echo cancellation analog: Control ...

Page 479: ...isplay the results of the measurements. Take corrective action by manually setting a port's balance, receive gain, or transmit gain. The integrated analog testing feature enables quick and accurate testing of the loops at installation, and custom modifications to the analog ports that require correction for the actual loop characteristics. After installation, you can run additional tests whenever needed ...

Page 480: ...est matches hybrid balance. Stored in the integrated analog testing firmware is a group of hybrid balance coefficient sets. Each entry in the group balances the hybrid against a different loop impedance. The match test executes a balance test for each set of coefficients and determines which set best matches the loop. Types of test lines: The measurements performed by the analog trunk ports in the gate...

Page 481: ...t being tested. Note: If you enter set destination none, the port will not attempt to make a call toward any destination, but will make the measurement on the current call. The test will be performed while the port is in use. Remember to start the call before launching the test. Use the set responder command to specify a responder port. A responder is an analog trunk port that answers an incoming cal...

Page 482: ...ar test profile or all profiles. Launching and cancelling a test: Once you created a test profile, you can launch it when desired. However, due to memory constraints on the analog media modules, only one test can be run at a time. Note: A test will fail if the port specified for the test is in use for a call, unless you specified set destination none for this test profile. 1. Enter analog test to enter ...

Page 483: ... analog test context. 2. Correct the balance, receive gain, or transmit gain of a port using the following commands: Use the set balance command to set the balance on a specific port. Use the set receive gain command to set the receive gain on a specific port. Use the set transmit gain command to set the transmit gain on a specific port. Displaying corrections: After correcting the balance, receive gain, or ...

Page 484: ... clear profile Delete a test profile launch Launch a specific test profile Enter the analog test profile context to setup or edit a test profile set crosstalk destination Set the Local Exchange Carrier number destination of the call from the crosstalk port set crosstalk port Specify the crosstalk port set crosstalk responder Specify the responder port for the crosstalk port set destination Set the...

Page 485: ...fic port set transmit gain Set the transmit gain on a specific port show correction Display the balance receive gain and transmit gain corrections applied to each port show profile Display the details of a test profile show result Display the result of the last measurement performed for a particular profile Table 121 Integrated analog testing CLI commands continued Root Level Commands First level ...

Page 486: ...Configuring monitoring applications 486 Administration for the Avaya G250 and Avaya G350 Media Gateways ...

Page 487: ...HCP server, Broadcast relay, ARP table, ICMP errors, RIP, OSPF, Route redistribution, VRRP, Fragmentation. You can configure multiple routing schemes on the G250/G350. See Routing sources on page 495 for an explanation of the priority considerations employed by the G250/G350 to determine the next hop source. Use the ip routing command to enable the router. Use the no form of this command to disable the router...

Page 488: ...arized Zone (DMZ). This interface can also be used as a WAN interface when configured for PPPoE. For more information, see Configuring PPPoE on page 279. Switching Interface: An internal 100 Mbps connection to the G250/G350 internal switch provides a switching interface. The switching interface supports VLANs. By default, the switching interface is associated with the first VLAN (Vlan 1). When you configure th...

Page 489: ...es for a WAN, see Initial WAN configuration on page 268. Dialer Interface: The Dialer interface is used for the modem dial backup feature. Refer to Modem dial backup on page 291. Note: One or more IP interfaces can be defined over each Serial, FastEthernet, switching, and Loopback interface. IP Interface configuration commands: 1. To create an interface, enter interface followed by the type of interface y...

Page 490: ...basic interface configuration commands For more information about these commands see Avaya G250 and Avaya G350 CLI Reference 03 300437 G350 001 interface fastethernet 10 2 G350 001 if FastEthernet 10 2 ip address 10 20 30 40 255 255 0 0 Done G350 001 interface Vlan 2 G350 001 if Vlan 2 ip address 10 30 50 70 255 255 0 0 Done Table 122 Basic interface configuration CLI commands Root level command C...

Page 491: ... create a Loopback interface if it does not exist or delete a Loopback interface or sub interface ip address Assign an IP address and mask to an interface or delete an interface ip admin state Set the administrative state of an IP interface interface serial Enter Serial interface or sub interface configuration context create a serial interface if it does not exist or delete a serial interface or s...

Page 492: ...e branch gateway and at both the default and the backup dialing destinations ip address Assign an IP address and mask to an interface or delete an interface ip admin state Set the administrative state of an IP interface interface usb modem Enter the USB modem interface configuration context reset the USB modem interface settings to their factory defaults ip address Assign an IP address and mask to...

Page 493: ...terface configuration. 2. Enter the context of the interface on which you want to configure an unnumbered IP address (usually the Dialer interface). 3. Use the ip unnumbered command, specifying the interface from which to borrow the IP address. Unnumbered IP examples: In the following example, a VLAN interface is configured, and then the Dialer interface is configured with an unnumbered IP address, borrowing ...

Page 494: ...112 n a OSPF 20 0 0 1 32 Tunnel 1 Via Dia 1 22222 n a OSPF 26 0 0 0 8 Vlan 15 2 2 2 2 3 n a STAT LO 31 0 0 0 8 Serial 3 1 1 1 31 0 0 1 1 n a LOCAL 32 0 0 0 8 Serial 3 1 1 2 32 0 0 1 1 n a LOCAL 33 0 0 0 8 Serial 3 1 1 3 33 0 0 1 1 n a LOCAL 99 0 0 0 8 Vlan 99 99 1 1 1 1 n a LOCAL 135 64 0 0 16 FastEth 10 2 149 49 54 1 1 n a STAT HI 138 0 0 0 8 Serial 3 1 1 1 Via Ser 3 1 1 1 2 n a STAT LO 139 0 0 0...

Page 495: ...te is configured on the interface, but OSPF is enabled, then OSPF determines the next hop. 3. RIP: If no high priority static router is configured on a given interface, and OSPF is not enabled but RIP is enabled, RIP determines the next hop. 4. EXT OSPF. 5. DHCP: If no high priority static router is configured on a given interface, and neither OSPF nor RIP are enabled, and DHCP client is configured on the inter...

Page 496: ...t tracking on page 319. Static routes can be advertised by routing protocols, such as RIP and OSPF. For more information, see Route redistribution on page 541. Static routes also support load balancing similar to OSPF. Configuring next hops: Static routes can be configured with the following as next hops: Via interface route: Specifies a Serial interface as the next hop, without a specific next hop IP addre...

Page 497: ...nd frame relay allow for a Layer 3 interface to be established without knowing in advance the next hop on the other side of a serial link. In this case, you can specify a Serial Layer 2 interface or a GRE tunnel as a next hop, instead of providing a specific next hop IP address. This is equivalent to specifying the node on the other side of the serial link as the next hop when its IP address is unknow...

Page 498: ...igure the permanent option using the ip route command For example the command ip route 193 168 10 0 24 serial 3 1 1 permanent creates a permanent static route to the network 193 168 10 0 24 via the Serial 3 1 1 interface Permanent static routes should not be configured over Serial Layer 2 interfaces that participate in a Primary Backup pair For more information on Backup interfaces see Backup inte...

Page 499: ...t command to specify the format of subnet masks in the output of show commands that display subnet masks, such as the show ip route command. Use the no form of this command to restore the format to the default format, which is decimal. Use the show ip route command to display information about the IP routing table. Enter show ip route best match followed by an IP address to display a routing table for ...

Page 500: ...fy the format of subnet masks in the output of show commands; ip redirects: Enable the sending of redirect messages on the current interface; ip route: Establish a static route; ip routing: Enable IP routing; show ip route: Display information about the IP routing table; show ip route best match: Display a routing table for a destination address; show ip route static: Display static routes; show ip route summa...

Page 501: ...ote: There may be cases in which the GRE tunnel is not used for routing. In such cases, it may not be necessary to assign an IP address to the tunnel. The main application for GRE tunneling is to allow packets that use protocols not supported on the Internet, or packets that use private IP addresses that cannot be routed on the Internet, to travel across the Internet. The following are examples of s...

Page 502: ...50 Reasons for nested tunneling in a GRE tunnel: A static route exists on the source tunnel endpoint that tells the tunnel to route packets addressed to the receiving tunnel endpoint via the tunnel itself. The local endpoint of the tunnel learns the tunnel as a route to the tunnel's remote endpoint via OSPF or RIP. A combination of static routes via parallel tunnels lead to a situation in which each ...

Page 503: ...ts of the source network 192.68.1.0 in its routing updates. This will prevent the source endpoint (router 1) from learning the route. This solution is for nested tunneling caused by RIP. For example, using the network shown in Figure 35 as an illustration, you would configure the following policy rule on router 2 and activate it on the router RIP with the matching interface: G350 001 super ip distribution...

Page 504: ...epalive feature sends keepalive packets through the Tunnel interface to determine whether the tunnel is up or down. This feature enables the tunnel's source interface to inform the host if the tunnel is down. When the tunnel keepalive feature is not active, if the tunnel is down, the tunnel's local endpoint continues to attempt to send packets over the tunnel without informing the host that the packet...

Page 505: ...U that is smaller than the size of the packet, since the DF bit is set, the router sends an ICMP unreachable message back to the originator (in this case, the GRE router). The GRE router then updates the tunnel's MTU limit accordingly. When a packet larger than the MTU arrives at the tunnel, if the packet is marked do not fragment, the tunnel's source interface sends the packet back to the host requesting ...

Page 506: ... address registered with the G250/G350 router. 4. In most cases, it is recommended to configure keepalive in the tunnel so that the tunnel's source interface can determine and inform the host if the tunnel is down. For more information on keepalive, see Keepalive on page 504. To configure keepalive for a Tunnel interface, enter keepalive in the Tunnel interface context, followed by the length in seconds o...

Page 507: ...rence, 03-300437. Use the tunnel checksum command in the GRE Tunnel interface context to add a checksum to the GRE header of packets traveling through the tunnel. When a checksum is included on one endpoint, the receiving tunnel endpoint performs checksum validation on incoming packets, and packets without a valid checksum are discarded. Use the no form of this command to disable checksums. Use the tunne...

Page 508: ...E tunnel application example: This section provides an example of a GRE tunnel application and its configuration. Figure 36: Simple GRE tunneling application example. In the example shown in Figure 36, Host 1 and Host 2 are private networks using a GRE tunnel to connect them via the Internet. 11.0.0.10 and 12.0.0.20 are public IP addresses used by the GRE tunnel for the tunnel encapsulation. A packet ori...

Page 509: ... 1 keepalive 10 3 Done G350 001 super if Tunnel 1 tunnel source 11 0 0 10 Done G350 001 super if Tunnel 1 tunnel destination 12 0 0 20 Done G350 001 super if Tunnel 1 ip address 1 1 1 1 255 255 255 0 Done G350 001 super if Tunnel 1 exit G350 001 super ip route 12 0 0 0 255 255 255 0 11 0 0 1 1 high G350 001 super router ospf G350 001 super router ospf network 1 1 1 0 0 0 0 255 area 0 0 0 0 Done G3...

Page 510: ... or sub interface; keepalive: Enable the tunnel keepalive feature; tunnel checksum: Add a checksum to the GRE header of packets traveling through the tunnel; tunnel destination: Set the destination address of the tunnel; tunnel dscp: Assign a DSCP value to packets traveling through the tunnel; tunnel key: Enable and set an ID key for the tunnel; tunnel path mtu discovery: Enable dynamic MTU discovery by the t...

Page 511: ...a device can have a different IP address whenever the device connects to the network. In some systems, the device's IP address can even change while it is still connected. DHCP also supports a mix of static and dynamic IP addresses. Dynamic addressing simplifies network administration because the software keeps track of IP addresses rather than requiring an administrator to manage the task. This means ...

Page 512: ...one IP interface on a VLAN, the G250/G350 chooses the lowest IP address on this VLAN when relaying DHCP/BOOTP requests. The DHCP/BOOTP server then uses this address to decide the network from which to allocate the address. When there are multiple networks configured, the G250/G350 performs a round-robin selection process. When the DHCP/BOOTP server is configured to allocate addresses only from a single...

Page 513: ...bootp dhcp server command to add a BOOTP/DHCP server to handle BOOTP/DHCP requests received by this interface. A maximum of two servers can be added to a single interface. Use the no form of this command to remove a server. You must be in an interface context to use this command. Summary of DHCP and BOOTP relay commands: For more information about these commands, see Avaya G250 and Avaya G350 CLI Refere...

Page 514: ...ase of WAN failure. The G250/G350 supports the following DHCP server features: Up to 32 DHCP pools; Up to 120 users; Up to 256 IP addresses for all DHCP pools together; Automatic and reservation pools; Standard DHCP options and IP phone and wireless special options; Vendor specific information option; DHCP relay packets; Global statistics; Syslog traps for special events. The Avaya G250/G350 Media Gateway ca...

Page 515: ...e branch DHCP server does not depend on the headquarters DHCP server. There is no backup mechanism between the servers. The branch DHCP server operates continually, regardless of the status of the centralized DHCP server or the WAN link. By default, the DHCP server is inactive. Before activating DHCP server, you configure DHCP pools to define ranges of IP addresses and other network configuration informa...

Page 516: ...assignment. By default, the lease is eight days. 6. For a manual reservation pool, use the client identifier command to reserve the pool's IP address for assignment to a specific client. To configure a reservation, the start IP address and end IP address must be identical. You cannot configure more than one reservation on a single pool. 7. Configure DHCP options for the pool, if required. See Configuring Opti...

Page 517: ...text for the option. Note: To configure an option that is listed in Table 127 with an entry in the Specific command column, use the specific command instead of the option command. 2. Use the name command to set the name of the DHCP option (optional). 3. Use the value command to enter the option data type and the option data. Table 127: Common user-configurable DHCP options. Option / Description / Specific co...

Page 518: ...ess conflict after attempting to allocate an IP address that is already in use, the server locks the IP address for half an hour by marking the IP address with client identifier 00:00:00:00:00:00:00. If you have solved the conflict before half an hour, you can use this command to free the IP address for reallocation. Use the clear ip dhcp server statistics command to clear the statistics of the DHCP s...

Page 519: ...nd ip addr 135 64 20 30 Done G350 001 super DHCP 1 subnet mask 255 255 255 0 Done G350 001 super DHCP 1 default router 135 64 20 1 Done G350 001 super DHCP 1 option 176 G350 001 super DHCP 1 option 176 name Avaya IP phone option Done G350 001 super DHCP 1 option 176 value ascii MCIPADD 10 10 2 140 MCPORT 1719 TFTPSRVR 10 10 5 188 Done G350 001 super DHCP 1 option 176 exit G350 001 super DHCP 1 exi...

Page 520: ...64 20 33 Done G350 001 super DHCP 2 dns server 10 10 1 1 Done G350 001 super DHCP 2 domain name my domain com Done G350 001 super DHCP 2 option 176 G350 001 super DHCP 2 option 176 value ascii MCIPADD 192 168 50 17 192 168 50 15 MCPORT 1719 TFTPSRVR 192 168 50 1 TFTPDIR phonedir Done G350 001 super DHCP 2 option 176 exit G350 001 super DHCP 2 exit G350 001 super ip dhcp activate pool 2 Done G350 0...

Page 521: ...resses to DHCP clients Use the show ip dhcp server statistics command to display DHCP server statistics G350 001 super ip dhcp pool 3 G350 001 super DHCP 3 name Data 1 Server Done G350 001 super DHCP 3 start ip addr 135 64 20 61 Done G350 001 super DHCP 3 end ip addr 135 64 20 61 Done G350 001 super DHCP 3 subnet mask 27 Done G350 001 super DHCP 3 client identifier 01 11 22 33 44 55 66 Done G350 0...

Page 522: ... DHCP pools; ip dhcp ping packets: Enable the sending of a ping packet by the DHCP server to check if the IP address it is about to allocate is already in use by another client; ip dhcp ping timeout: Set the time the DHCP server waits for a reply to a sent ping packet before allocating an IP address to a DHCP client; ip dhcp pool: Create a DHCP pool; bootfile: Provide startup parameters for the DHCP clien...

Page 523: ...he option data server name Specify the optional server name in the boot process of a DHCP client show ip dhcp pool Display DHCP pool configurations start ip addr Set the start IP address of the range of available IP addresses that the DHCP server may assign to clients subnet mask Configure the subnet mask of the pool vendor specific option Create a vendor specific option with a unique index name N...

Page 524: ...he network to respond. You can use directed broadcasts to obtain a list of all active hosts on the network. A hostile user can exploit directed broadcasts to launch a denial-of-service attack on the network. For each interface on the Avaya G250/G350 Media Gateway, you can configure whether the G250/G350 forwards directed broadcast packets to the network address or subnet mask address of the interface ...

Page 525: ...the IP destination of the packet is replaced by the appropriate interface broadcast address. If the NetBIOS broadcast packet is a limited broadcast (for example, 255.255.255.255), it is relayed to all VLANs on which there are NetBIOS-enabled interfaces. In that case, the destination IP address remains the limited broadcast address. Enter ip netbios rebroadcast both to enable NetBIOS rebroadcasts on an int...

Page 526: ...ne device to another. Therefore, a mechanism is required to acquire a destination device hardware address from its IP address. This mechanism is called ARP. The ARP table: The ARP table stores pairs of IP and MAC addresses. This storage saves time and communication costs, since the host looks in the ARP table first when transmitting a packet. If the information is not there, then the host sends an ARP Requ...

Page 527: ...tch used recently. Dynamic ARP table entries expire after a configurable amount of time. The following diagram shows how a switch adds dynamic ARP table entries. Use the no arp command to remove static and dynamic entries from the ARP table. For example, to remove the ARP table entry for the station 192.168.13.76: G350 001 no arp 192.168.13.76 ...

Page 528: ...d to delete all dynamic entries from the ARP table and the IP route cache. Use the ip max arp entries command to specify the maximum number of ARP table entries allowed in the ARP table. Use the no form of this command to restore the default value. Use the show ip arp command to display a list of the ARP-resolved MAC to IP addresses in the ARP table. Use the show ip reverse arp command to display the ...

Page 529: ...G250/G350 interface, enter ip proxy arp. Use the no form of this command to disable proxy ARP on an interface. Summary of Proxy ARP commands: For more information about these commands, see Avaya G250 and Avaya G350 CLI Reference, 03-300437. show ip arp: Display a list of the ARP-resolved MAC to IP addresses in the ARP table; show ip reverse arp: Display the IP address of a host based on a known MAC address ...

Page 530: ...50 and Avaya G350 CLI Reference, 03-300437. Configuring RIP: The Routing Information Protocol (RIP) enables routers to compute the path that an IP packet should follow. Routers exchange routing information using RIP to determine routes that other routers are connected to. OSPF is a newer protocol that serves a similar purpose. For more information about OSPF, see Configuring OSPF on page 536. You can config...

Page 531: ...all subnetworks in a given IP network are of the same size. Also, when operating RIPv1, you must not configure supernets. RIPv1 is defined in RFC 1058. RIPv2: RIPv2 is a newer version of the RIP routing protocol. RIPv2 solves some of the problems associated with RIPv1. The most important change in RIPv2 is the addition of a subnetwork mask field, which allows RIPv2 to support variable-length subnetworks. RI...

Page 532: ...f it should insert those routes into its routing table. You can assign the rules per interface and per direction. Up to 99 RIP distribution access lists can be configured on the Avaya G250/G350 Media Gateway. For example, to configure RIP distribution access list number 10, permitting distribution and learning of network 10.10.0.0, do the following: 1. Enter the command ip distribution access list 10 1 pe...

Page 533: ...to restore the default value. Use the distribution list command to apply a distribution access list for incoming or outgoing routing information in route updates. Use the no form of this command to deactivate the list. Use the ip rip authentication key command to set the authentication string used on the interface. Use the no form of this command to clear the password. Use the ip rip authentication mod...

Page 534: ...the default value, disabling RIP. Use the timers basic command to set RIP timers. Use the no form of this command to set the RIP timers to their default values. Summary of RIP commands: For more information about these commands, see Avaya G250 and Avaya G350 CLI Reference, 03-300437. Table 134: RIP CLI commands. Root level command / Command / Description: ip distribution access default action: Set the default act...

Page 535: ...e; ip rip send receive mode: Set the RIP send and receive modes on an interface; ip rip split horizon: Enable or disable the split horizon mechanism; router rip: Enable the RIP and enter the router configuration context, or disable the RIP; default metric: Set or reset the interface RIP route metric value; distribution list: Apply a distribution access list for incoming or outgoing routing information in rou...

Page 536: ...us preventing such problems as routing loops and Count-to-Infinity (when routers continuously increment the hop count to a particular network). These algorithms make a stable network. The disadvantage of shortest-path-first algorithms is that they require a lot of CPU power and memory. In OSPF, routers use link state updates to send routing information to all nodes in a network by calculating the shorte...

Page 537: ...he G250/G350 as an OSPF Autonomous System Boundary Router (ASBR) using route redistribution. The G250/G350 can be installed in the OSPF backbone area (area 0.0.0.0) or in any OSPF area that is part of a multiple areas network. However, the G250/G350 cannot be configured to be an OSPF area border router itself. The G250/G350 supports the equal cost multipath (ECMP) feature, which allows load balancing by...

Page 538: ...e interface priority used in Designated Router election. Use the no form of this command to set the OSPF priority to its default value. Use the ip ospf router id command to configure the router ID. Use the no form of this command to return the router ID to its default value. Use the network command to enable OSPF in a network. Use the no form of this command to disable OSPF in a network. The default val...

Page 539: ... FastEthernet, Loopback, Serial, Tunnel, or VLAN interface context; bandwidth: Set the bandwidth parameter manually for this interface; ip ospf authentication: Specify the authentication type for an interface; ip ospf authentication key: Configure the interface authentication password; ip ospf cost: Configure the Cost of an OSPF interface for the purpose of determining the shortest path; ip ospf dead interval ...

Page 540: ... an interface; redistribute: Redistribute routing information from other protocols into OSPF; timers spf: Configure the delay between runs of OSPF's SPF calculation; show ip ospf: Display general information about OSPF routing; show ip ospf database: Display lists of information related to the OSPF database for a specific router; show ip ospf interface: Display the OSPF-related interface information; show ip ...

Page 541: ...ric default 20 Direct to OSPF external type 2 metric default 20. By default, the G250/G350 does not redistribute routes between OSPF and RIP. Redistribution from one protocol to the other can be configured. Static routes are, by default, redistributed to RIP and OSPF. The G250/G350 allows the user to globally disable redistribution of static routes to RIP, and separately to globally disable redistribution...

Page 542: ...ncy of routers on the LAN and load balancing of traffic. VRRP is open to host stations, making it an ideal option when redundancy, load balancing, and ease of configuration are required. Table 136: Route redistribution CLI commands. Root level command / Command / Description: router ospf: Enable OSPF and enter the router configuration context; redistribute: Redistribute routing information from other protocols i...

Page 543: ... another router is selected as master router. In VRRP, two or more physical routers can be associated with a virtual router, thus achieving extreme reliability. In a VRRP environment, host stations interact with the virtual router. The stations are not aware that this router is a virtual router, and are not affected when a new router takes over the role of master router. Thus, VRRP is fully interoperable w...

Page 544: ...at one second intervals (default). Otherwise, it is idle. If the Main router fails, the redundant router that does not receive a response from four consecutive polling requests (default) takes over and starts to advertise the same Virtual MAC for ARP requests. Therefore, the stations will not detect any change either in the configured default gateway or at the MAC level. VRRP has no provisions for routing da...

Page 545: ... timer value for the virtual router ID. Use the no form of this command to restore the default value. Enter router vrrp to enable VRRP routing. Use the no form of this command to disable VRRP routing. Use the show ip vrrp command to display VRRP information. Summary of VRRP commands: For more information about these commands, see Avaya G250 and Avaya G350 CLI Reference, 03-300437. Table 137: VRRP CLI comman...

Page 546: ... IP fragmentation and reassembly. IP fragmentation works as follows: each IP packet is divided into fragments; each fragment becomes its own IP packet; each packet has the same identifier, source and destination address; fragments are usually not reassembled until the final destination. The G250/G350 supports fragmentation of IP packets according to RFC 791, and reassembly of IP packets destined only to its inter...

Page 547: ...mble a fragmented IP packet destined to the router Use the no form of this command to set the fragment timeout to its default value Enter fragment to set the treatment for IP fragmentation packets entering on an interface Enter show fragment to display information regarding fragmented IP packets that are destined to a router Summary of fragmentation commands For more information about these comman...

Page 549: ...between the protected networks behind the peers, while the IKE SA only secures the key exchanges that generate the IPSec SAs between the peers. The G250/G350 IPSec VPN feature is designed to support site-to-site topologies, in which the two peers are gateways. Note: To configure IPSec VPN, you need at least a basic knowledge of IPSec. Refer to the following guide for a suitable introduction: http www...

Page 550: ...IP address mapping. Specifying a group of redundant remote peers rather than a single peer. Support for a standard-based method called Dead Peer Detection (DPD), which enables fast and efficient detection of connection failure at the IKE level. Detection of a dead remote peer through object tracking. For information about object tracking, see Object tracking on page 319. NAT Traversal. The G250/G350 support...

Page 551: ...on Enhanced failover scheme for switching back to the primary peer after timeout: when the currently active peer in a peer group is not the first peer, and that peer has been active for more than 24 hours, if that peer is presumed dead then the active peer pointer is reset back to the first peer in the group. Fine-tuning of the filtering rules in crypto lists: this is achieved by enabling filtering of ...

Page 552: ...he relationships among the various VPN components Figure 39 IPSec VPN configuration model Overview of IPSec VPN components The basic IPSec VPN building blocks define how to secure packets as follows ISAKMP policies Define parameters for IKE phase 1 negotiation Transform sets Define parameters for IKE phase 2 negotiation Figure notes 1 ISAKMP Policy 2 IPSEC Transform set 3 ISAKMP Peer or Peer Group...

Page 553: ...peer or peer group in turn point to an ISAKMP policy Figure 40 illustrates the relationships among the various IPSec VPN components Figure 40 IPSec VPN components crypto map 2 crypto map 1 crypto map N crypto maps pool Rule 1 Rule 4 Rule 3 Rule 2 Rule N crypto list interface isakmp policy N isakmp policy 2 isakmp policy 1 isakmp policies pool transform set 1 transform sets pool isakmp peer 1 isakm...

Page 554: ...in the summary Commands appearing in bold are mandatory ISAKMP policy crypto isakmp policy description authentication pre share encryption hash group lifetime IPSEC transform set crypto ipsec transform set set pfs set security association lifetime seconds set security association lifetime kilobytes mode tunnel transport ISAKMP peer crypto isakmp peer description isakmp policy pre shared key initia...

Page 555: ...p rule description source ip destination ip protect crypto map ip protocol tcp udp icmp dscp fragment Access control list ip access control list global parameters crypto isakmp invalid spi recovery crypto ipsec nat transparency udp encapsulation crypto isakmp nat keepalive assigning a crypto list to an interface crypto ipsec df bit crypto ipsec minimal pmtu ip crypto group ...

Page 556: ...N license via FTP, TFTP, or SCP. Note: You must have admin permissions to install a VPN license. 1. Use one of the following commands: copy ftp license file filename ip; copy tftp license file filename ip; copy scp license file filename ip, where filename is the filename including the full path, and ip is the IP address of the ftp/tftp/scp server. For example: 2. Optionally, enter show download license file sta...

Page 557: ...P policy, it is not mandatory to set the values for that ISAKMP policy, since the G250/G350 contains default ISAKMP policy settings. Coordinating with the VPN peer: Before commencing IPSec VPN configuration, you must resolve, jointly with your VPN peer, the basic parameters so that IPSec VPN can be set up symmetrically in the two peers. If the IPSec VPN configuration in the two peers does not match, no VPN...

Page 558: ...define at least one ISAKMP policy. Note: You can configure up to 40 ISAKMP policies. 1. Enter crypto isakmp policy, followed by an index number from 1 to 20, to enter the context of an ISAKMP policy list and to create the list if it does not exist. For example: 2. You can use the following commands to set the parameters of the ISAKMP policy: Use the description command to assign a description to the IS...

Page 559: ...e transform set. Note: You can define up to 40 transform sets. 1. Use the crypto ipsec transform set command to enter the context of a transform set and to create the transform set if it does not exist. The command variables include: The name of the transform set. The encryption algorithm used by the transform set. Possible values are esp des, esp 3des, esp aes, esp aes 192, esp aes 256, and esp null no e...

Page 560: ...urity association lifetime kilobytes command to set the security association lifetime in kilobytes. Use the mode command to set the IPSec mode (tunnel or transport). Transport mode does not add an additional IP header (i.e., a tunnel header), but rather uses the original packet's header. However, it can be used only when the VPN tunnel endpoints are equivalent to the original packet's source and destination ...

Page 561: ...xist. Note: If you wish to specify the ISAKMP peer by its FQDN name, you must configure the G250/G350 as a DNS client (see DNS resolver on page 98) and verify that the peer's name is listed in a DNS server. Note: Do not specify an ambiguous ISAKMP peer; that is, do not configure an FQDN that translates to an IP address which is already associated with another ISAKMP peer. For example: Or: 2. Use the ...

Page 562: ...es represented in hexadecimal notation. The default length is 32 characters. For example: 5. If you wish to work in IKE aggressive mode, use the initiate mode aggressive command. Note: Aggressive mode is one of the prerequisites for working with dynamic local peer IP addresses. For more information about working with dynamic local peer IP addresses, see Using dynamic local peer IP on page 582. For exam...

Page 563: ... a name is one of the prerequisites for working with dynamic local peer IP addresses. For more information about working with dynamic local peer IP addresses, see Using dynamic local peer IP on page 582. 8. Enable Dead Peer Detection (DPD) keepalives, which check whether the remote peer is up, using the keepalive command, followed by the number of seconds between DPD keepalive probes and the number of secon...

Page 564: ...e a backup in the case of remote peer failure. At any point in time, only one peer is active and acting as the remote peer. If the active peer is presumed dead, the next peer in the peer group becomes the active remote peer. For a full explanation of the redundancy mechanism, see Introduction to the failover mechanism on page 605. Note: You can define up to 50 peer groups. Note: A peer configured ...

Page 565: ...nformation on page 561. Configuring crypto maps: A crypto map points to a transform set and to a peer, which in turn points to an ISAKMP policy. If you defined a peer group, the crypto map can point to the peer group. The transform set and ISAKMP policy define how to secure the traffic that matches the ip rule that points to this crypto map. Important: It is mandatory to create at least one cryp...

Page 566: ...ollowed by a value from 0 to 63 The default setting is no set dscp which specifies that the DSCP is copied from the DS field of the original packet For example 6 Specify whether to enable continuous channel IPSec IKE phase 2 with the continuous channel command The default setting is no continuous channel which disables continuous channel IPSec For more information on continuous channel see Enablin...

Page 567: ... the list if it does not exist. For example: 2. Specify the local IP address for the IPSec tunnels derived from this crypto list, using the local address command. The local address can be either the IP address or the name of an IP interface of the device. Important: local address is a mandatory command. For example: Or: Note: Specifying the interface as a name is one of the prerequisites for w...

Page 568: ...e any to apply the rule to all IP addresses Use the no form of the appropriate command to return to the default value any Define the action by specifying whether to protect traffic that matches the source and destination addresses using one of the following commands no protect Do not protect traffic that matches the source and destination addresses protect crypto map crypto map id Protect traffic ...

Page 569: ...ting crypto lists to modify IPSec VPN parameters. Most IPSec VPN parameters cannot be modified if they are linked to an active crypto list. To modify a parameter linked to an active crypto list, you must first deactivate the list using the no ip crypto group command in the context of the interface on which the crypto list is activated. Note: If the crypto list is activated on more than one interfa...

Page 570: ...lid SPI recovery with the crypto isakmp invalid spi recovery command. Invalid SPI Recovery enables an IKE SA to be established when an invalid security parameter index error occurs during packet processing. A notification of the invalid SPI error is sent to the originating peer, so that the SA databases can be re-synchronized and successful packet processing can be resumed. For example: Note: Inval...

Page 571: ...aversal keepalive is also enabled by default, with a default value of 20 seconds. Configure NAT Traversal keepalive only if you need to re-enable it after it was disabled using the no crypto isakmp nat keepalive command. Configure NAT Traversal: 1. Enable NAT Traversal by entering crypto ipsec nat transparency udp encapsulation. For example: 2. Enable NAT Traversal keepalives and configure the keepalive i...

Page 572: ...P address see Using dynamic local peer IP on page 582 3 Use the ip crypto group command followed by the index of the crypto group to assign a crypto group to the interface Important Important ip crypto group is a mandatory command 4 Optionally you can set the following parameters The crypto ipsec minimal pmtu command is intended for advanced users only It sets the minimal PMTU value which can be a...

Page 573: ... peers for a successful debug in case of a problem Displaying IPSec VPN configuration You can use the following show commands to display IPSec VPN configuration For a full description of the commands and their output fields see Avaya G250 and Avaya G350 CLI Reference 03 300437 Use the show crypto ipsec transform set command to display configuration for a specified transform set or all transform se...

Page 574: ...e status. Use the show crypto ipsec sa address command to display the IPSec SA configuration by peer IP address. Use the show crypto ipsec sa list command to display the IPSec SA runtime database by list ID and rule ID. Tip: The detail option in the various show crypto ipsec sa commands provides detailed counters information on each IPSec SA. To pinpoint the source of a problem, it is useful to chec...

Page 575: ...session logging 2 Use the set logging session condition ISAKMP command to view all ISAKMP messages of Info level and above For example 3 Use the set logging session condition IPSEC command to view all IPSec messages of Info level and above For example 4 Initiate a session by pinging the peer device For example G350 001 set logging session enable Done CLI Notification write set logging session enab...

Page 576: ...d via the Internet connection IPSEC Informational Call IKE negotiation for outgoing SPD entry 901_20 Peers 149 49 77 202 135 64 102 109 ISAKMP Informational Initiating IKE phase 1 negotiation Peers 149 49 77 202 135 64 102 109 ISAKMP Informational Finished IKE phase 1 negotiation creating ISAKMP SA Peers 149 49 77 202 135 64 102 109 Icookie 0e2fb5ac12ec04b2 Rcookie 541b912b0a30085d esp des esp sha...

Page 577: ...ted using tunnel mode IPSec The remote peer is the Main Office the VPN Hub An access control list ACL is configured on the Internet interface to allow only the VPN ICMP traffic See Table 139 for configuration settings 2 Configure the VPN Hub Main Office as follows Static routing Branch subnets Internet interface The VPN policy portion for the branch is configured as a mirror image of the branch as...

Page 578: ...ss ESP Permit Ingress ICMP Permit This enables the PMTUD application to work Ingress All allowed services from any IP address to any local subnet Permit Due to the definition of the VPN Policy this will be allowed only if traffic comes over ESP Ingress Default VPN policy Deny Egress IKE Permit Egress ESP Permit Egress ICMP Permit This enables the PMTUD application to work Egress All allowed servic...

Page 579: ...ess set transform set ts1 exit ip crypto list 901 local address Branch Office Public Internet Static IP Address ip rule 10 source ip Branch Subnet1 Branch Subnet1 Mask destination ip any protect crypto map 1 exit ip rule 20 source ip Branch Subnet2 Branch Subnet2 Mask destination ip any protect crypto map 1 exit exit ip access control list 301 ip rule 10 source ip any destination ip any ip protoco...

Page 580: ...n ip host Branch Subnet1 Branch Subnet1 Mask composite operation Permit exit ip rule 50 source ip any destination ip host Branch Subnet2 Branch Subnet2 Mask composite operation Permit exit ip rule default composite operation deny exit exit ip access control list 302 ip rule 10 source ip any destination ip any ip protocol udp udp destination port eq Ike composite operation Permit exit ip rule 11 so...

Page 581: ...ource ip host Branch Subnet2 Branch Subnet2 Mask composite operation Permit exit ip rule default composite operation deny exit exit interface vlan 1 1 ip address Branch Subnet1 Branch Subnet1 Mask pmi icc vlan exit interface vlan 1 2 ip address Branch Subnet2 Branch Subnet2 Mask exit interface FastEthernet 10 2 encapsulation PPPoE traffic shape rate 256000 ip Address Branch Office Public Internet ...

Page 582: ...one of the following: Specify continuous channel in the context of the VPN peer, to maintain the IKE phase 1 connection even when no traffic is sent (see Enabling continuous channel on page 585). Maintain a steady transmission of traffic by sending GRE keepalives or employing object tracking. Prerequisites for dynamic local peer IP: Specify IKE aggressive mode with the initiate mode aggressive command wh...

Page 583: ... DHCP Client 1 Permit DHCP packets in the ingress access control list ACL and the egress ACL To do so perform the following a Use the no ip access group command to deactivate both the ingress ACL and the egress ACL on the FastEthernet interface b Add a rule to the ingress ACL and to the egress ACL permitting DHCP packets to pass for information on defining ACL policy rules see Defining rules on pa...

Page 584: ...destination port eq bootpc Done G350 001 config ACL 301 ip rule 25 composite operation permit Done G350 001 config ACL 301 ip rule 25 exit G350 001 config ACL 301 exit Add a Permit rule to the Egress ACL for DHCP G350 001 config ip access control list 302 G350 001 config ACL 302 ip rule 25 G350 001 config ACL 302 ip rule 25 source ip any Done G350 001 config ACL 302 ip rule 25 destination ip any D...

Page 585: ... command on the defined interface the IPSec VPN tunnel is immediately started even if no traffic is traversing the interface and the timeouts have expired You can set continuous channel for either or both IKE phase 1 and IKE phase 2 as follows To set continuous channel for IKE phase 1 enter continuous channel when configuring the crypto ISAKMP peer information see Configuring ISAKMP peer informati...

Page 586: ...d to several other branch sites by direct IPSec VPN tunnels The configuration is therefore very similar to the previous one duplicated several times In this topology The Broadband Internet connection uses cable or DSL modem with a static public IP address There is a VPN tunnel from each spoke to the VPN hub over the Internet There is a VPN tunnel from one spoke to another spoke Only VPN traffic is...

Page 587: ...settings. Note: For information about using access control lists, see Configuring policy on page 637. Table 140 Configuring the mesh VPN topology Branch Office 1 Traffic direction ACL parameter ACL value Description Ingress IKE from Main Office IP to Branch IP Permit Ingress ESP from Main Office IP to Branch IP Permit Ingress IKE from Second Branch IP to Branch IP Permit Ingress ESP from Second B...

Page 588: ...mation about using access control lists see Configuring policy on page 637 Egress IKE from Branch IP to Second Branch IP Permit This enables the PMTUD application to work Egress ESP from Branch IP to Second Branch IP Permit This traffic is tunnelled using VPN Egress ICMP from local tunnel endpoint to any IP address Permit This enables the PMTUD application to work Egress All allowed services from ...

Page 589: ...ces from any IP address to any local subnet Permit Due to the definition of the VPN Policy this will be allowed only if traffic comes over ESP Ingress Default Deny Egress IKE from Branch IP to Main Office IP Permit Egress ESP from Branch IP to Main Office IP Permit Egress IKE from Branch IP to First Branch IP Permit This enables the PMTUD application to work Egress ESP from Branch IP to First Bran...

Page 590: ...it crypto map 1 set peer Main Office Public Internet Static IP Address set transform set ts1 exit crypto map 2 set peer Second Branch Office Public Internet Static IP Address set transform set ts1 exit ip crypto list 901 local address Branch Office Public Internet Static IP Address ip rule 1 source ip Branch Subnet1 Branch Subnet1 Mask destination ip Second Branch Subnet1 Second Branch Subnet1 Mas...

Page 591: ...k destination ip any protect crypto map 1 exit exit ip access control list 301 ip rule 10 source ip any destination ip any ip protocol udp udp destination port eq Ike composite operation Permit exit ip rule 11 source ip any destination ip any ip protocol udp udp destination port eq Ike nat t composite operation permit exit ip rule 12 source ip any destination ip any ip protocol udp udp destination...

Page 592: ...composite operation Permit exit ip rule default composite operation deny exit exit ip access control list 302 ip rule 10 source ip any destination ip any ip protocol udp udp destination port eq Ike composite operation Permit exit ip rule 11 source ip any destination ip any ip protocol udp udp destination port eq Ike nat t composite operation permit exit ip rule 12 source ip any destination ip any ...

Page 593: ...0 destination ip any source ip host Branch Subnet2 Branch Subnet2 Mask composite operation Permit exit ip rule default composite operation deny exit exit interface vlan 1 1 ip address Branch Subnet1 Branch Subnet1 Mask pmi icc vlan exit interface vlan 1 2 ip address Branch Subnet2 Branch Subnet2 Mask exit interface fastethernet 10 2 encapsulation PPPoE traffic shape rate 256000 ip Address Branch O...

Page 594: ... map 1 set peer Main Office Public Internet Static IP Address set transform set ts1 exit crypto map 2 set peer First Branch Office Public Internet Static IP Address set transform set ts1 exit ip crypto list 901 local address Branch Office Public Internet Static IP Address ip rule 1 source ip Branch Subnet1 Branch Subnet1 Mask destination ip First Branch Subnet1 Second Branch Subnet1 Mask protect c...

Page 595: ...0 source ip Branch Subnet2 Branch Subnet2 Mask destination ip any protect crypto map 1 exit exit ip access control list 301 ip rule 10 source ip any destination ip any ip protocol udp udp destination port eq Ike composite operation Permit exit ip rule 11 source ip any destination ip any ip protocol udp udp destination port eq Ike nat t composite operation permit exit ip rule 12 source ip any desti...

Page 596: ...on ip host Branch Subnet2 Branch Subnet2 Mask composite operation Permit exit ip rule default composite operation deny exit exit ip access control list 302 ip rule 10 source ip any destination ip any ip protocol udp udp destination port eq Ike composite operation Permit exit ip rule 11 source ip any destination ip any ip protocol udp udp destination port eq Ike nat t composite operation permit exi...

Page 597: ...0 destination ip any source ip host Branch Subnet2 Branch Subnet2 Mask composite operation Permit exit ip rule default composite operation deny exit exit interface vlan 1 1 ip address Branch Subnet1 Branch Subnet1 Mask pmi icc vlan exit interface vlan 1 2 ip address Branch Subnet2 Branch Subnet2 Mask exit interface fastethernet 10 2 encapsulation PPPoE traffic shape rate 256000 ip Address Branch O...

Page 598: ...in Office for VoIP bearer and as primary VoIP control connection The Broadband Internet connection uses cable or DSL modem with a static public IP address There is a VPN tunnel to the hub over the Internet for intranet data and as backup connection for VoIP control The local hosts access the Internet directly through the local broadband connection The PSTN connection backs up the voice bearer Figu...

Page 599: ...ting PBR is configured as follows on VoIP VLAN and loopback interfaces Destination IP local subnets Route DBR DSCP bearer Route WAN DSCP control Route 1 WAN 2 DBR Table 142 Configuring hub and spoke with VPN Traffic direction ACL parameter ACL value Ingress IKE UDP 500 from remote tunnel endpoint to local tunnel endpoint Permit Ingress ESP AH from remote tunnel endpoint to local tunnel endpoint Pe...

Page 600: ...he branch The ACL portion for the branch is a mirror image of the branch with some minor modifications Static routing is configured as follows Branch subnets Internet interface The PBR portion for the branch is configured as follows on most interfaces Destination IP branch VoIP subnet s or GW address PMI DSCP bearer Route WAN Destination IP branch VoIP subnet s or GW address PMI DSCP control Route...

Page 601: ...1 set peer Main Office Internet public Static IP Address set transform set ts1 exit ip crypto list 901 local address Branch Office Public Internet Static IP Address ip rule 10 source ip Branch data Subnet Branch data Subnet Mask destination ip any protect crypto map 1 exit ip rule 20 source ip Branch voice Subnet Branch voice Subnet Mask destination ip any protect crypto map 1 exit exit ip access ...

Page 602: ...ion ip any ip protocol esp composite operation Permit exit ip rule 30 source ip any destination ip any ip protocol icmp composite operation Permit exit ip rule 40 source ip any destination ip Branch data Subnet Branch data Subnet Mask composite operation Permit exit ip rule 50 source ip any destination ip Branch voice Subnet Branch voice Subnet Mask composite operation Permit exit ip rule default ...

Page 603: ... exit ip rule 30 source ip any destination ip any ip protocol icmp exit ip rule 40 source ip Branch data Subnet Branch data Subnet Mask destination ip any composite operation Permit exit ip rule 50 source ip Branch voice Subnet Branch voice Subnet Mask destination ip any composite operation Permit exit ip rule default composite operation deny exit exit interface vlan 1 description VoIP_VLAN ip add...

Page 604: ...access group 302 out exit interface serial 3 1 ip address Branch Office serial IP address Branch Office serial net mask exit ip next hop list 1 next hop interface 1 serial 3 1 exit ip next hop list 2 next hop interface 1 serial 3 1 next hop interface 2 FastEthernet 10 2 exit ip pbr list 801 ip rule 10 The following command specifies the Voice bearer dscp 46 next hop list 1 exit ip rule 20 The foll...

Page 605: ...emote devices using keepalive probes, and notify registered applications such as VPN when the state changes. Object tracking allows monitoring of hosts inside the remote peer's protected network, not just of the remote peer itself as in DPD. Backup peer mechanism: You can use any one of these alternate backup peer mechanisms: DNS server (see Failover using DNS on page 613). This method utilizes the G250 G3...

Page 606: ...Hub Gateway GRE2 that leads to a Backup Main Office GRE End Point behind the VPN Hub Gateway Define two VPNs Connectivity to the networks in Primary Backup Main Office is determined through GRE keepalives If network connectivity is lost due to failures in the WAN in the Primary Main Office the GRE keep alive will fail and the GRE interface will transition to a down state Redundancy and load sharin...

Page 607: ... local tunnel endpoint to remote tunnel endpoint 1 encrypt using IPSec tunnel mode with the remote peer being tunnel endpoint 1 GRE Traffic from the local tunnel endpoint to remote tunnel endpoint 2 encrypt using IPSec tunnel mode with the remote peer being tunnel endpoint 2 An access control list ACL is configured on the Internet interface to allow only the VPN ICMP traffic See Table 143 for conf...

Page 608: ...ic routing OSPF or RIP is configured to run over the GRE interface to the branch Table 143 Configuring VPN hub redundancy and load sharing topologies Traffic direction ACL parameter ACL value Ingress IKE UDP 500 from remote tunnel endpoint to local tunnel endpoint Permit Ingress ESP AH from remote tunnel endpoint to local tunnel endpoint Permit Ingress Allowed ICMP from any IP address to local tun...

Page 609: ...s esp sha hmac exit crypto map 1 set peer Primary Main Office Internet public Static IP Address set transform set ts1 exit crypto map 2 set peer Backup Main Office Internet public Static IP Address set transform set ts1 exit ip crypto list 901 local address Branch Office Internet public Static IP Address ip rule 1 source ip host Branch GRE Tunnel end point IP Address destination ip host Primary Ma...

Page 610: ... destination port eq Ike nat t composite operation permit exit ip rule 32 source ip any destination ip any ip protocol udp udp destination port eq Ike nat t vsu composite operation permit exit ip rule 40 source ip any destination ip any ip protocol esp composite operation Permit exit ip rule 50 source ip any destination ip host Branch Office Public Internet Static IP Address ip protocol icmp compo...

Page 611: ...on Permit exit ip rule 31 source ip any destination ip any ip protocol udp udp destination port eq Ike nat t composite operation permit exit ip rule 32 source ip any destination ip any ip protocol udp udp destination port eq Ike nat t vsu composite operation permit exit ip rule 40 source ip any destination ip any ip protocol esp composite operation Permit exit ip rule 50 source ip any destination ...

Page 612: ... encapsulation pppoe traffic shape rate 256000 ip address Branch Office Internet public Static IP Address Branch Office Internet public net mask ip crypto group 901 ip access group 301 in ip access group 302 out exit interface Tunnel 1 The following two backup commands specify redundant mode To specify load sharing mode omit them backup interface tunnel 2 backup delay 20 15 keepalive 10 3 tunnel s...

Page 613: ...IKE connection. Your DNS server should be able to provide an IP address of a living host. The G250/G350 will perform a new DNS query and try to re-establish the VPN connection to the newly provided IP address whenever it senses that the currently active remote peer stops responding. The G250/G350 can sense that a peer is dead when IKE negotiation times out, through DPD keepalives, and through object tr...

Page 614: ...cy command 6 Define the remote peer with FQDN using the crypto isakmp peer address command including the pre shared key the ISAKMP policy 7 Define the IPSEC transform set using the crypto ipsec transform set command 8 Define the crypto map using the crypto map command 9 Define the crypto list as follows Set the local address to the public interface name for example FastEthernet 10 2 0 For each pri...

Page 615: ...wed to the public interface optional Permit DNS traffic to allow clear unencrypted DNS traffic Permit IKE Traffic UDP port 500 for VPN control traffic IKE Permit ESP traffic IP Protocol ESP for VPN data traffic IPSEC Permit ICMP traffic to support PMTU application support for a better fragmentation process For each private subnet add a permit rule with the source being the private subnet and the d...

Page 616: ...an 2 description Branch Subnet2 ip address 10 0 20 1 255 255 255 0 exit Define the Public Subnet interface fastethernet 10 2 ip address 100 0 0 2 255 255 255 0 exit Define the default gateway to be on the public subnet ip default gateway 100 0 0 1 Define the DNS name server that is accessible without VPN ip domain name server list 1 name server 1 123 124 125 126 exit Define the IKE Entity crypto i...

Page 617: ...nnel crypto map 1 set peer main vpn avaya com set transform set ts1 exit Define the crypto list for the public interface ip crypto list 901 local address Fast Ethernet 10 2 0 ip rule 5 allows un encrypted traffic for DNS ip rule 5 source ip any destination ip 123 124 125 126 no protect exit ip rule 10 source ip 10 0 10 0 0 0 0 255 destination ip any protect crypto map 1 exit ip rule 20 source ip 1...

Page 618: ...p rule 11 source ip any destination ip any ip protocol udp udp destination port eq Ike nat t composite operation permit exit ip rule 12 source ip any destination ip any ip protocol udp udp destination port eq Ike nat t vsu composite operation permit exit ip rule 20 source ip any destination ip any ip protocol esp composite operation Permit exit ip rule 30 source ip any destination ip any ip protoc...

Page 619: ...on port eq Ike composite operation Permit exit ip rule 11 source ip any destination ip any ip protocol udp udp destination port eq Ike nat t composite operation permit exit ip rule 12 source ip any destination ip any ip protocol udp udp destination port eq Ike nat t vsu composite operation permit exit ip rule 20 source ip any destination ip any ip protocol esp composite operation Permit exit ip ru...

Page 620: ...rce ip 10 0 20 0 0 0 0 255 destination ip any composite operation Permit exit ip rule default composite operation deny exit exit Activate the crypto list and the access control list on the public interface interface fastethernet 10 2 ip crypto group 901 ip access group 301 in ip access group 302 out exit ...

Page 621: ...ers At any point in time only one peer is active and acting as the remote peer An object tracker monitors the state of the active peer If the active peer is presumed dead the next peer in the peer group becomes the active remote peer For more information on object trackers see Object tracking on page 319 Figure 46 Failover VPN topology using a peer group ...

Page 622: ...shared key the ISAKMP policy keepalive track This track is the object tracker that checks if the peer is still alive If an active peer is considered dead the next peer in the peer group becomes the active peer 7 Define a peer group that include all three remote peers using the crypto isakmp peer group command 8 Define the IPSEC transform set using the crypto ipsec transform set command 9 Define th...

Page 623: ...device from sending traffic that is not allowed to the public interface. Permit IKE traffic (UDP port 500) for VPN control traffic (IKE). Note: If you are using NAT Traversal, you also need to open UDP port 4500 and 2070. Permit ESP traffic (IP Protocol ESP) for VPN data traffic (IPSEC). Permit ICMP traffic to support the PMTU application for a better fragmentation process. For each private subnet, add a per...

Page 624: ...escription Branch Subnet1 ip address 10 0 10 1 255 255 255 0 icc vlan pmi exit Define the Private Subnet2 interface vlan 2 description Branch Subnet2 ip address 10 0 20 1 255 255 255 0 exit Define the Public Subnet interface fastethernet 10 2 ip address 100 0 0 2 255 255 255 0 exit Define the default gateway the public interface ip default gateway 100 0 0 1 ...

Page 625: ...e now life forever rtr 3 type echo protocol ipIcmpEcho host3 IP exit rtr schedule 3 start time now life forever rtr 4 type echo protocol ipIcmpEcho host4 IP exit rtr schedule 4 start time now life forever rtr 5 type echo protocol ipIcmpEcho host5 IP exit rtr schedule 5 start time now life forever track 11 rtr 1 exit track 12 rtr 2 exit track 13 rtr 3 exit track 14 rtr 4 exit track 15 rtr 5 exit tr...

Page 626: ...akmp policy 1 keepalive track 1 exit crypto isakmp peer group main hubs set peer First Main Office VPN address set peer Second Main Office VPN address set peer Third Main Office VPN address exit Define the IPSEC Entity crypto ipsec transform set ts1 esp 3des esp sha hmac exit Define the VPN Tunnel crypto map 1 set peer group main hubs set transform set ts1 exit Define the crypto list for the publi...

Page 627: ...tion permit exit ip rule 12 source ip any destination ip any ip protocol udp udp destination port eq Ike nat t vsu composite operation permit exit ip rule 20 source ip any destination ip any ip protocol esp composite operation Permit exit ip rule 30 source ip any destination ip any ip protocol icmp composite operation Permit exit ip rule 40 source ip any destination ip 10 0 10 0 0 0 0 255 composit...

Page 628: ... nat t composite operation permit exit ip rule 12 source ip any destination ip any ip protocol udp udp destination port eq Ike nat t vsu composite operation permit exit ip rule 20 source ip any destination ip any ip protocol esp composite operation Permit exit ip rule 30 source ip any destination ip any ip protocol icmp composite operation Permit exit ip rule 40 source ip 10 0 10 0 0 0 0 255 desti...

Page 629: ...ss group 301 in ip access group 302 out exit Table 144 Checklist for configuring site to site IPSec VPN Parameter Possible values Actual value 1 VPN License You require the serial number to obtain the VPN license 2 Type of connection to the ISP ADSL Cable Modem 3 VPN Interface FastEthernet10 2 Serial port X Y 4 VPN Local IP Address Type Static If static provide IP Address Mask Next hop Router Dyna...

Page 630: ...sp aes 256 Authentication Hash esp sha hmac esp md5 hmac IP compression enable comp lzs disable PFS Group no pfs default 1 2 5 14 Lifetime seconds 120 to 86 400 default 3 600 1 hour Lifetime kilobytes 2 560 to 536 870 912 default 4 608 000 kb disable 6 Which packets should be secured a Protect rules matching options IP source address IP destination address Table 144 Checklist for configuring site ...

Page 631: ...name b Pre shared key 1 to 127 alphanumerical characters 1 to 64 bytes in hexadecimal notation 8 If the branch IP is dynamic If the branch IP is an initiator set initiate mode to none device is a responder If the branch IP is a responder set initiate mode to aggressive device is an initiator Set self identity to identify the device in the remote peer Table 144 Checklist for configuring site to sit...

Page 632: ...c nat transparency udp encapsulation Re enable NAT Traversal if it was disabled crypto ipsec transform set Enter the IKE phase 2 IPSec transform set context and create or edit IPSec parameters for the VPN tunnel mode Set security association lifetime set pfs Specify whether each IKE phase 2 negotiation will employ PFS and if yes which Diffie Hellman group to employ set security association lifetim...

Page 633: ...s that check whether the remote peer is up keepalive track Bind an object tracker to a remote VPN peer or to an interface to check whether the remote peer or the interface is up pre shared key Configure the IKE pre shared key self identity Set the identity of this device suggest key Generate a random string which you can use as a pre shared key for IKE You must use the same key on both peers crypt...

Page 634: ...seconds crypto isakmp suggest key Generate a random string which you can use as a pre shared key for IKE You must use the same key on both peers crypto map Enter crypto map context and create or edit a crypto map continuous channel In a crypto ISAKMP peer context enable continuous channel IKE which keeps the IKE phase1 session always up and running even if there is no traffic description Enter a d...

Page 635: ...ule Enter ip rule context and create or modify a specific rule description Enter a description for the ip rule in the ip crypto list destination ip Specify the destination IP address of packets to which the current rule applies protect crypto map Protect traffic that matches this rule by applying the IPSec processing configured by the specific crypto map source ip Indicate that the current rule ap...

Page 636: ...play crypto ISAKMP peer group configuration show crypto isakmp policy Display ISAKMP policy configuration show crypto isakmp sa Display the ISAKMP SA database status show crypto map Display all or specific crypto map configurations show ip active lists Display information about a specific policy list or all lists show ip crypto list Display all or specific crypto list configurations Table 145 VPN ...

Page 637: ...rules A set of rules that are executed before the list is evaluated Rule list A list of filtering rules and actions for the G250 G350 to take when a packet matches the rule Match actions on this list are pointers to the composite operation table Actions composite operation table A table that describes actions to be performed when a packet matches a rule The table includes pre defined actions such ...

Page 638: ...applications networks and users can access hosts on your network Also you can restrict internal users from accessing specific sites or applications outside the network Access control lists can be based on permitting or denying specific values or groups of IP addresses protocols ports IP fragments or DSCP values Figure 47 illustrates how access control lists are used to control traffic into and out...

Page 639: ...able Actions composite operation table A table that describes actions to be performed when a packet matches a rule The table includes pre defined actions such as permit and deny You can configure more complex rules Refer to Composite operations on page 651 DSCP map A table that contains DSCP code points and match action pairs Match actions are pointers to the composite operation table Refer to DSC...

Page 640: ...olicy lists and define the list identification attributes You can also delete an unnecessary policy list Creating and editing a policy list To create or edit a policy list you must enter the context of the list If the list already exists you can edit the list from the list context If the list does not exist entering the list context creates the list To create or edit an access control list enter i...

Page 641: ...ning rules on page 645 Configure composite operations See Composite operations on page 651 Configure DSCP mapping QoS lists only See DSCP table on page 654 Defining list identification attributes The policy list attributes including name owner and cookie are used by Avaya QoS Manager software to identify policy lists 1 Enter the context of the policy list in which you want to define the attribute ...

Page 642: ... interface on the Avaya G250 G350 Media Gateway are policy lists including the ingress access control list ingress QoS list egress access control list and egress QoS list Note You can also attach PBR lists to certain interfaces but PBR lists are not attached to any interface by default Packets entering the interface When a packet enters the G250 G350 through an interface the G250 G350 applies...

Page 643: ...egress QoS list from among the QoS lists that are configured on the G250 G350 To attach an access control list to an interface as its ingress access control list enter the interface context and enter ip access group list number in To attach an access control list to an interface as its egress access control list enter the interface context and enter ip access group list number out To attach a QoS ...

Page 644: ... can attach a policy list other than a policy based routing list to every interface on the G250 G350 using one command To do this attach a list to the Loopback 1 interface For more information see Attaching policy lists to an interface on page 642 Note If you attach a policy list to a Loopback interface other than Loopback 1 the policy list has no effect When you attach a policy list to the L...

Page 645: ...ontain IP options The composite command can be any command defined in the composite operation list These commands are case sensitive To view the composite operation list for the access control list you are working with use the command show composite operation in the context of the access control list The following example defines a rule in access control list 301 that denies access to all incoming...

Page 646: ...rule context creates the rule 1 Enter the context of the list in which you want to create or edit a rule 2 Enter ip rule followed by the number of the rule you want to create or edit For example to create rule 1 enter ip rule 1 You can use the description command in the rule context to add a description of the rule This description is used in the AccessViolation Policy trap to identify and describ...

Page 647: ... all protocols except for one use the no form of the command followed by the name of the protocol to which you do not want the rule to apply For example the following command specifies the UDP protocol for rule 1 in QoS list 401 The following command specifies any IP protocol except IGMP for rule 3 in access control list 302 Source and destination IP address To specify a range of source and destin...

Page 648: ... commands followed by either port name or port number range criteria tcp source port The rule applies to TCP packets from ports that match the defined criteria tcp destination port The rule applies to TCP packets to ports that match the defined criteria udp source port The rule applies to UDP packets from ports that match the defined criteria udp destination port The rule applies to UDP packets to...

Page 649: ...s control list 301 The following command specifies any source TCP port except a port named http for rule 7 in access control list 304 ICMP type and code To apply the rule to a specific type of ICMP packet use the icmp command This command sets the IP protocol parameter to ICMP and specifies an ICMP type and code to which the rule applies You can specify the ICMP type and code by integer or text st...

Page 650: ...n established TCP session Fragments Enter fragment to apply the rule to non initial fragments You cannot use the fragment command in a rule that includes UDP or TCP source or destination ports DSCP Enter dscp followed by a DSCP value from 0 to 63 to apply the rule to all packets with the specified DSCP value Use the no form of the command to remove the rule from the list For example the following ...

Page 651: ...rations for access control lists Table 147 lists the pre configured entries in the composite operation table for rules in an access control list Each column represents the following No A number identifying the operation Name A name identifying the operation Use this name to attach the operation to a rule Access Determines whether the operation forwards forward or drops deny the packet Notify Deter...

Page 652: ...posite operation is set to Trust DSCP the packet s CoS tag is set to 0 before the QoS list rules and DSCP map are executed If the composite operation is set to CoSX the DSCP map is ignored but the QoS list rules are executed on the Ethernet IEEE 802 1p CoS field For example the composite operation CoS3 changes the CoS field to 3 If the composite operation is set to Trust DSCP CoS the operation use...

Page 653: ...operation dscp Determines the value to which the rule resets the packet s DSCP field To ignore the DSCP field use the argument no change or enter no dscp cos Determines the value to which the rule resets the packet s CoS field To ignore the CoS field use the argument no change or enter no cos 4 Enter name followed by a text string to assign a name to the composite operation You must assign a name ...

Page 654: ...ic profile using filtering functions A DSCP value can be mapped to a Class of Service CoS Then for a CoS rules can be applied to determine priority behavior for packets meeting the criteria for the entire CoS Multiple DSCP values can be mapped to a single CoS Rules can also be applied to individual DSCP values The default value of DSCP in a packet is 0 which is defined as best effort You can deter...

Page 655: ... is assigned CoS priority 5 The following commands create a new composite operation called dscp5 and assign the new composite operation to DSCP table entry 7 in QoS list 402 Every packet with DSCP equal to 7 is assigned a new DSCP value of 5 Composite operation dscp5 changes the mapping of packets entering the router with a DSCP value of 7 DSCP value 5 is most likely to be mapped to a different C...

Page 656: ... qos list Displays a list of all configured QoS lists with their list numbers and owners show ip qos list detailed Displays all the parameters of the specified QoS list In ip access control list context show composite operation Displays a list of all composite operations configured for the list show ip rule Displays a list of all rules configured for the list show list Displays the parameters of t...

Page 657: ...an interface to test a policy list The command tests the effect of the policy list on a simulated IP packet in the interface You must specify the number of a policy list the direction of the packet in or out and a source and destination IP address You may also specify other parameters For a full list of parameters see Avaya G250 and Avaya G350 CLI Reference 03 300437 For example the following comm...

Page 658: ...6 Dscp value is not changed Table 149 Access control list CLI commands Root level command Command Command Description interface dialer serial loopback fastethernet tunnel vlan Enter the Dialer Serial Loopback FastEthernet Tunnel or VLAN interface configuration context ip access group Activate a specific Access Control list for a specific direction on the current interface ip simulate Test the acti...

Page 659: ... with the specified destination IP address dscp Apply the current rule to packets with the specified DSCP value fragment Apply the current rule for non initial fragments only icmp Apply the current rule to a specific type of ICMP packet ip protocol Apply the current rule to packets with the specified IP protocol show composite operation Display the parameters of the composite operation assigned to...

Page 660: ...d source port name Assign a name to the current list owner Specify the owner of the current list show composite operation Display the composite operations configured for the list show ip rule Display the rules configured for the current list attributes of a specific rule show list Display the attributes of the current list including its rules ip policy list copy Copy an existing policy list to a n...

Page 661: ...ic direction on the current interface ip simulate Test the action of a policy on a simulated packet show ip qos list Display the attributes of a specific QoS list or all QoS lists for the current interface ip policy list copy Copy an existing policy list to a new list ip qos list Enter configuration mode for the specified QoS list and create the list if it does not exist composite operation Enter ...

Page 662: ...iguration mode for a specified policy rule or if the rule does not exist create it and enter its configuration mode composite operation Assign the specified composite operation to the current rule destination ip Apply the current rule to packets with the specified destination IP address dscp Apply the current rule to packets with the specified DSCP value fragment Apply the current rule for non ini...

Page 663: ... source port Apply the rule to UDP packets from the specified source port name Assign a name to the current list owner Specify the owner of the current list pre classification Specify which priority tag the current QoS list uses for data flows show composite operation Display all composite operations configured for the list show dscp table Display the current list s DSCP table show ip rule Display...

Page 665: ...alive provides the interface with the ability to determine whether a next hop is or is not available See ICMP keepalive on page 313 Policy based routing only operates on routed packets Packets traveling within the same subnet are not routed and are therefore not affected by policy based routing The Loopback interface is a logical interface which handles traffic that is sent to and from the G250 G3...

Page 666: ...d to identify VoIP control packets DSCP 34 41 VoIP Bearer RESV packets DSCP 43 44 and VoIP Bearer packets DSCP 46 Policy based routing sends these packets over the T1 WAN line and sends other packets over the Internet This saves bandwidth on the more expensive Serial interface Figure 50 Policy based routing Voice Data division by DSCP Backup You can utilize policy based routing to define backup ro...

Page 667: ...BR list Repeat this command to define additional rules A rule contains i criteria that is matched against the packet and ii a next hop list When a packet matches the criteria specified in the rule the rule s next hop list determines how the packet is routed Each PBR list can have up to 1 500 rules The first rule that matches the packet determines the packet s routing It is important to include a d...

Page 668: ...ommands to define the next hops in the list Enter next hop ip followed by the index number of the entry in the next hop list to define an IP address as a next hop You can optionally apply tracking to monitor the route Enter next hop interface followed by the index number of the entry in the next hop list to define an interface as a next hop You can optionally apply tracking to monitor the route Yo...

Page 669: ...o apply the PBR list In the interface context enter ip pbr group followed by the number of the PBR list to attach the list to the interface The list will be applied to packets entering the interface The following example applies PBR list 802 to VLAN 2 5 Apply the PBR list to the Loopback interface The following example applies PBR list 802 to the Loopback interface 6 Enter copy running config star...

Page 670: ...nge of ports ICMP type and code Fragments DSCP field Note The fragment criterion is used for non initial fragments only You cannot specify TCP UDP ports or ICMP code type for a rule when using the fragment command Use IP wildcards to specify a range of source or destination IP addresses The zero bits in the wildcard correspond to bits in the IP address that remain fixed The one bits in the wil...

Page 671: ...e Instead PBR lists use next hop lists For an explanation of next hop lists see Next hop lists on page 671 Enter next hop list followed by the list number of a next hop list to specify a next hop list for the G250 G350 to apply to packets that match the rule You can specify Destination Based Routing instead of a next hop list in which case the G250 G350 applies destination based routing to a packe...

Page 672: ...next hop list and applies object tracker 3 to monitor the route To enter an interface as a next hop enter next hop interface followed by the index number of the entry and the name of the interface You can optionally apply tracking to monitor the route except for the NULL0 For example the command next hop interface 3 serial 4 1 1 1 sets Serial 4 1 1 1 as the third entry on the next hop list Deletin...

Page 673: ...y the number of the list you want to modify to enter the list context Redefine the parameters of the list To delete a PBR list enter exit to return to general context and enter no ip pbr list followed by the number of the list you want to delete Displaying PBR lists To view information about PBR lists and their components use the following commands Many of these commands produce different results ...

Page 674: ...lays the number and name of the specified next hop list In PBR list context show list Displays all the parameters of the current PBR list show ip rule Displays the parameters of all rules configured for the current list show ip rule rule number Displays the parameters of the specified rule In next hop list context show next hop Displays the next hop entries in the current next hop list and their c...

Page 675: ... Internet connection It is assumed that the IP phones on VLAN 6 establish connections with other IP phones on the same subnet sending signalling packets to the MGC and bearer packets directly to other IP phones or to the G250 G350 The policy based routing configuration starts with PBR list 801 This list requires all voice packets addressed to the MGC 149 49 43 210 with DSCP values that indicate voic...

Page 676: ...49 123 0 0 0 0 255 Done G350 001 super PBR 801 ip rule 10 dscp 41 Done G350 001 super PBR 801 ip rule 10 exit Done G350 001 super PBR 801 ip rule 20 destination ip 149 49 123 0 0 0 0 255 Done G350 001 super PBR 801 ip rule 20 dscp 43 Done G350 001 super PBR 801 ip rule 20 exit G350 001 super PBR 801 ip rule 30 G350 001 super PBR 801 ip rule 30 next hop list 1 Done G350 001 super PBR 801 ip rule 30...

Page 677: ...ts generated by the G250 G350 itself are routed via the E1 T1 line The Loopback interface is a logical interface that is always up Packets sent from the G250 G350 such as signaling packets are sent via the Loopback interface In this example applying PBR list 801 to the Loopback interface ensures that signaling packets originating from voice traffic are sent via the T1 E1 line G350 001 super ip nex...

Page 678: ...BR list to the data VLAN 5 In this example you can add a track on GRE Tunnel 1 in order to detect whether this next hop is valid or not for more information on object tracking refer to Object tracking on page 319 Note that the GRE tunnel itself has keepalive and can detect the status of the interface and therefore modify the next hop status G350 001 super ip pbr list 802 G350 001 super PBR 802 nam...

Page 679: ...t of the specified next hop list If the list does not exist it is created next hop interface Add the specified interface to the next hop path for this next hop list next hop ip Add the specified ip address to the next hop path for this next hop list show next hop Display the next hop entries in the current list interface Enter the interface configuration mode for a Dialer Serial Loopback Fast Ethe...

Page 680: ...y the next hop policy to use when the current rule is applied show ip next hop list Display the details of the next hop list or of all next hop lists show ip rule Display the attributes of a specific rule or all rules source ip Apply the current rule to packets from the specified source IP address tcp destination port Apply the current rule to TCP packets with the specified destination port tcp so...

Page 681: ...rmation about the specified list show ip active lists Display information about a specific policy list or all lists show ip active pbr lists Display details about a specific PBR list or all PBR lists show ip pbr list Display information about the specified PBR list Table 151 Policy based routing CLI commands continued Root level command First level command Second level command Description 3 of 3 ...

Page 683: ... more than one port For example v2 1 3 5 8 Note The port ID parameter only applies if the source is a BRI module By setting the clock source to primary normal failover will occur The identity of the current synchronization source is not stored in persistent storage Persistent storage is used to preserve the parameters set by this command Note Setting the source to secondary overrides nor...

Page 684: ... switching disable Synchronization status The yellow ACT LED on the front of the MM710 media module displays the synchronization status of that module If the yellow ACT LED is solidly on or off it has not been defined as a synchronization source If it is on one or more channels are active If it is an ISDN facility the D channel counts as an active channel and causes the yellow ACT LED to be on When...

Page 685: ...a G350 CLI Reference 03 300437 Table 152 Synchronization CLI commands Command Description clear sync interface Disassociate a previously specified interface as the primary or secondary clock synchronization source set sync interface Define the specified module and port as a potential source for clock synchronization for the media gateway set sync source Specify which clock source is the active clo...

Page 687: ...hysical enclosure of the branch gateway chassis without any expansion modules These modules and their interfaces are illustrated in the following figures G250 Analog refer to Figure 52 G250 BRI refer to Figure 53 G250 DCP refer to Figure 54 G250 DS1 refer to Figure 55 and G350 refer to Figure 56 G250 image and interfaces Figure 52 Image of the G250 Analog cryptographic module Figure notes 1 V1 ICC...

Page 688: ... port for ACS 308 contact closure adjunct box Power output Contact Closure Adjunct Powers two contact closure relays Analog Line 2 Analog telephone ports on the integrated analog media module Analog phones Data input Data output Power input Line 2 ceases to be a data input output from the module and is directly connected to Analog Trunk providing a power interface when an emergency state occurs Po...

Page 689: ...al TDM Data Ethernet PCI CPU Bus and facilitates power AC Power Input 1 IEC socket Power input Provides power to the module from an external source Ground connector 1 Binding post Ground Provides connection to an external ground for the module Table 153 Physical and logical interfaces on the G250 Analog front panel continued Physical interface Quantity Description FIPS 140 2 logical interface Comm...

Page 690: ... output Indicate Emergency Transfer Relay ETR state Alarm state Test in progress Call activity System 4 System status LEDs Status output Indicate Modem connection through the Console interface Alarm state CPU activity Power ETH WAN 2 WAN status LEDs Status output Link state and activity indication on the associated data interface ETH LAN 2 LAN status LEDs Status output Link state and activity indi...

Page 691: ...USB port 11 Contact Closure CCA port 12 Ethernet WAN ETH WAN port 13 PoE LAN ETH LAN PoE ports 14 Reset RST button 15 Alternate Software Bank ASB button 7 12 13 14 1 2 3 4 5 6 8 9 10 11 15 Table 156 Physical and logical interfaces on the G250 BRI front panel Physical interface Quantity Description FIPS 140 2 logical interface Comments ETH LAN POE 8 RJ 45 10 100 BASE TX Power over Ethernet port Dat...

Page 692: ...n the integrated analog media module Analog phone trunks Data input Data output Power input The Trunk ceases to be a data input output from the module and is directly connected to Analog Line 2 providing a power interface when an emergency state occurs Power failure Failure to communicate with a call controller Firmware error state BRI 2 BRI phone trunks on the integrated media module BRI phone tr...

Page 693: ...Input 1 IEC socket Power input Provides power to the module from an external source Ground connector 1 Binding post Ground Provides connection to an external ground for the module Table 156 Physical and logical interfaces on the G250 BRI front panel continued Physical interface Quantity Description FIPS 140 2 logical interface Comments 3 of 3 Table 157 Buttons on the G250 BRI front panel Button Qu...

Page 694: ...utput Indicate Emergency Transfer Relay ETR state Alarm state Test in progress Call activity System 4 System status LEDs Status output Indicate Modem connection through the Console interface Alarm state CPU activity Power ETH WAN 2 WAN status LEDs Status output Link state and activity indication on the associated data interface ETH LAN 2 LAN status LEDs Status output Link state and activity indica...

Page 695: ... Analog line ports 6 System LEDs 7 Console port 8 USB port 9 Contact Closure CCA port 10 Ethernet WAN ETH WAN port 11 ETH LAN ports 12 DCP ports 13 DCP port LEDs 7 12 13 1 2 3 4 5 6 8 9 10 11 Table 159 Physical and logical interfaces on the G250 DCP front panel Physical interface Quantity Description FIPS 140 2 logical interface Comments DCP 12 DCP ports Data input Data output Status output Contro...

Page 696: ... emergency state occurs Power failure Failure to communicate with a call controller Firmware error state Analog Trunk 4 Analog telephone ports on the integrated analog media module Analog phone trunks Data input Data output Power input The Trunk ceases to be a data input output from the module and is directly connected to Analog Line 2 providing a power interface when an emergency state occurs Pow...

Page 697: ...IEC socket Power input Provides power to the module from an external source Ground connector 1 Binding post Ground Provides connection to an external ground for the module Table 159 Physical and logical interfaces on the G250 DCP front panel continued Physical interface Quantity Description FIPS 140 2 logical interface Comments 3 of 3 Table 160 Buttons on the G250 DCP front panel Button Quantity D...

Page 698: ...ity Description FIPS 140 2 logical interface Comments DCP port 3 DCP telephone ports status LEDs Status output Indicate Emergency Transfer Relay ETR state Alarm state Test in progress Call activity System 4 System status LEDs Status output Indicate Modem connection through the Console interface Alarm state CPU activity Power ...

Page 699: ...onsole port 11 USB port 12 Contact Closure CCA port 13 Ethernet WAN ETH WAN port 14 PoE LAN ETH LAN PoE ports 15 Reset RST button 16 Alternate Software Bank ASB button 7 12 13 14 1 2 3 4 5 6 8 9 10 11 15 16 Table 162 Physical and logical interfaces on the G250 DS1 front panel Physical interface Quantity Description FIPS 140 2 logical interface Comments ETH LAN POE 8 RJ 45 10 100 BASE TX Power over...

Page 700: ... Power failure Failure to communicate with a call controller Firmware error state Analog Trunk 1 Analog telephone ports on the integrated analog media module Analog phone trunks Data input Data output Power input The Trunk ceases to be a data input output from the module and is directly connected to Analog Line 2 providing a power interface when an emergency state occurs Power failure Failure to c...

Page 701: ...IEC socket Power input Provides power to the module from an external source Ground connector 1 Binding post Ground Provides connection to an external ground for the module Table 162 Physical and logical interfaces on the G250 DS1 front panel continued Physical interface Quantity Description FIPS 140 2 logical interface Comments 3 of 3 Table 163 Buttons on the G250 DS1 front panel Button Quantity D...

Page 702: ...t 3 Analog telephone ports status LEDs Status output Indicate Emergency Transfer Relay ETR state Alarm state Test in progress Call activity System 4 System status LEDs Status output Indicate Modem connection through the Console interface Alarm state CPU activity Power ETH WAN 4 T1 E1 PRI trunk interface LEDs Status output Link state and activity indication on the associated data interface ...

Page 703: ...3 V5 standard media module slot 4 V1 slot for standard media module or S8300 media server 5 V4 standard media module slot 6 V3 standard media module slot 7 Analog port LEDs 8 Analog trunk 9 Analog line ports 10 CCA Contact Closure port 11 ETH WAN port 12 ETH LAN port 13 System LEDs 14 Console port 15 USB port 16 RST button 17 ASB button 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 ...

Page 704: ...ated analog media module An analog relay between TRUNK and the furthest left LINE port provides Emergency Transfer Relay ETR feature N A CCA 1 RJ 45 port for ACS 308 contact closure adjunct box Power output Contact Closure Adjunct Powers two contact closure relays ETH WAN 1 RJ 45 10 100 BASE TX Ethernet port Data input Data output Status output Control input Supports local area network connectivit...

Page 705: ... Voice TDM Serial TDM Data Ethernet PCI CPU Device Bus and facilitates Power PoE Table 165 Physical and logical interfaces on the G350 front panel continued Physical interface Quantity Description FIPS 140 2 logical interface Comments 2 of 2 Table 166 Buttons on the G350 front panel Button Quantity Description FIPS 140 2 logical interface Comments Reset 1 Push button Control input Resets the gatew...

Page 706: ...yption of IPSec and IKE only supported for communication with legacy VPN systems TDES CBC Encryption of the serial number date for Voice feature activation controlled by the ICC CM server external blade server Table 167 LEDs on the G350 front panel LED Quantity Description FIPS 140 2 logical interface Comments Analog port 3 Analog telephone ports status LEDs Status output Indicate Emergency Transf...

Page 707: ...ermine if the cryptographic module is running in FIPS vs non FIPS mode via Execution of the show running config command Verification that the configuration meets the requirements specified in Administration Procedures on page 721 Verification that the HW version and the firmware version of the module firmware code in banks A and B are FIPS approved versions Non FIPS mode of operation In non FIPS m...

Page 708: ... X Table 168 Non FIPS approved operations and algorithms continued MD5 HMAC SHA1 PTLS TDES DES AES AEA DH RSA decryption DSS 2 of 2 Table 169 Module security level specification Security Requirements Section Level Cryptographic Module Specification 1 Module Port and Interfaces 1 Roles Services and Authentication 2 Finite State Model 1 Physical Security 1 Operational Environment N A Cryptographic K...

Page 709: ...tification and authentication Role Type of authentication Authentication data Description Cryptographic Officer Admin User Identity based operator authentication Username and Password The module stores user identity information internally through the use of an external Radius Server database The owner of the cryptographic module who has full access to the module s services User Read Write User Iden...

Page 710: ...y authenticates to the module for the purpose of permitting denying access to services PPPoE Client Role based operator authentication Chap Pap Secrets Simple password authentication is used for PAP based authentication Gateway uses MD5 function to hash the challenge and the secret value in the response message to PPPoE Server An entity that facilitates connection to the broadband access network u...

Page 711: ... Critical Security Parameters defined in the module Table 171 Critical security parameters Key Description Usage IKE Pre shared Keys This key generates IKE SKEYID_d during pre shared key authentication The first time key must be entered manually via RS232 connected to the PC acting as terminal emulation Other keys can be defined remotely over encrypted and authenticated IPSEC tunnel HASH_I HASH_R U...

Page 712: ...P SA Noncie Noncer phase 2 initiator and responder nonce IPSEC SA phase 2 TDES key phase 2 basic quick mode IPSEC SA phase 2 DES key phase 2 basic quick mode IPSEC SA phase 2 AES key phase 2 basic quick mode IPSEC SA phase 2 HMAC keys phase 2 basic quick mode IPSEC SA phase 2 keys per protocol phase 2 basic quick mode IKE ephemeral phase 2 DH private key phase 2 phase 2 Diffie Hellman private keys...

Page 713: ...00 Blade server entity and the Gateway X9 31 PRNG key Key for X9 31 PRNG Table 171 Critical security parameters continued Key Description Usage 3 of 3 Table 172 Public keys Key Description Usage Ephemeral DH phase 1 public keys Generated for VPN IKE phase 1 key establishment Ephemeral DH phase 2 public keys Generated for VPN IKE phase 2 PFS key renewal Image download certificate Avaya root CA RSA ...

Page 714: ...the Approved mode of operation X Firmware update Load firmware images digitally signed by RSA SHA1 1024 bit algorithm X CSPs management IKE pre shared keys OSPF secrets PPPoE secrets X X User Management Add and delete Admin users Read Write Users Read Only Users Radius Servers X Module configuration Configure networking capabilities including bypass capability X X Reset Force the module to power c...

Page 715: ...guration data X Zeroization actively destroy all plaintext CSPs and keys X IKE negotiation uses DH TDES HMAC SHA1 PRNG X9 31 X X X X IPSec traffic processing uses AES TDES HMAC SHA1 X X X X Serial Number Exchange X OSPF Routing X PPPoE connection X RADIUS authentication X Table 173 CSP access rights within roles and services continued Service Role Crypto Officer Admin User Read Write User Read Onl...

Page 716: ...l status indications Module backup Restore Zeroization IKE Negotiation IPSec traffic processing Read subset of status indications OSPF Routing PPPoE Service RADIUS Authentication Serial Number Exchange PRNG Keys RW Z ZW Z R IKE Preshared Keys RW Z W Z Z R Pre shared Session Key SKEYID Z Z RW Ephemeral DH private key Z Z RW Ephemeral DH shared secret Z Z RW HASH_I HASH_R Z Z RW IKE Session phase 1 ...

Page 717: ... R W R R R R R W R OSPF Secret WZ WZ Z Z R RADIUS Secret WZ WZ Z R PPPoE Chap PAP Secret WZ W Z Z R SNMPv3 authentication password WZ R R WZ R R R R R Z Fixed Serial Number secret W Z R Table 174 Role and service access to CSPs continued Key Enable FIPS Mode Firmware Update CSPs Management User Management Module Configuration Reset Read all status indications Module backup Restore Zeroization IKE ...

Page 718: ...ccess to any cryptographic services 4 Use DES to encrypt message traffic only for communications with legacy products that do not support AES or TDES Ephemeral Serial Number secret Z Z IKE Ephemeral DH public keys Z Z RW IKE Ephemeral DH phase 2 public keys Z Z RW Avaya root CA RSA public key RW License RSA public key R RW Table 174 Role and service access to CSPs continued Key Enable FIPS Mode Fi...

Page 719: ...ormed on all RNGs involved in crypto activities in FIPS approved mode Performed for PRNG x9 31 and Random Seed Generator Bypass Test Firmware load test 6 Users can instruct the module to perform the power up self tests via power cycle 7 Prior to each use the internal RNG is tested using the conditional test specified in FIPS 140 2 4 9 2 8 Data output is inhibited during key generation self tests z...

Page 720: ...hanneled through a VPN tunnel The console port is used for local administration Remote management through all other interfaces is disabled In addition the module will Disable administration over SSH protocol Disable dial in and dial out via the modem ports serial and USB Restrict troubleshooting services in the production environment by blocking all non FIPS compliant dev tech commands Disable loa...

Page 721: ...narios and repair actions Limitations The following rules and restrictions apply in FIPS approved mode SSHv2 service must be shut down Media encryption must be shut down H 248 signalling must be shut down The Announcement FTP server shall not be used for upload download G350 executable files or for file transfer of security related data ASG services logon must be shut down ASG BP login must be shu...

Page 722: ...el SCP client service must not be used Usage of Diffie Hellman Group 1 for IKE key negotiation must be suppressed Usage of MD5 for IKE must be suppressed Usage of MD5 for ESP authentication operation in IPSEC must be suppressed Configuration channel between ICC LSP S8300 and Gateway MGP must be suppressed FIPS related CLI commands zeroize enhanced security show self test status For a full descript...

Page 723: ...e PMI Use the reset command and confirm the reset operation Login root Password Password accepted G350 001 super G350 001 super interface vlan 1 G350 001 super if Vlan 1 icc vlan Done G350 001 super if Vlan 1 ip address 100 100 100 1 255 255 255 0 Done G350 001 super if Vlan 1 pmi To change the Primary Management Interface copy the running configuration to the start up configuration file and reset...

Page 724: ...S approved version Enter show system and verify that HW ready for FIP Yes Login root Password Password accepted G350 001 super G350 001 super show system System Name System Location System Contact Uptime d h m s 1 16 03 33 MV Time 11 03 59 22 FEB 2005 MAC Address 00 04 0d 6d 30 e1 WAN MAC address 00 04 0d 6d 30 e1 Serial No 03IS07639510 Model No G250 BRI HW Vintage 3 HW Suffix A FW Vintage 24 11 0...

Page 725: ...her Ram Sniffer Capture 10 phone ScriptA N A Phone Script Nv Ram N A 10 phone ScriptB N A Phone Script Nv Ram N A 10 phone ImageA N A Phone Image Ram N A 10 phone ImageB N A Phone Image Ram N A 10 phone ImageC N A Phone Image Ram N A 10 phone ImageD N A Phone Image Ram N A 10 dhcp binding N A DHCP Binding Nv Ram Ip Address Binding G250 N super dir M file ver num file type file location file descri...

Page 726: ...through the local console port User name root Password root 13 Physically disconnect all network interfaces This ensures that no external activity interferes with the following steps 14 Disable Signaling Encryption H 248 Enter disable link encryption and confirm the operation G350 001 super show self test status Device successfully passed the power up self test sequence G350 001 super reset This c...

Page 727: ... no interface dialer command 19 Disable the recovery password mechanism using the set terminal recovery password disable command G350 001 super disable media encryption Warning The following command will disable the media encryption functionality and it cannot be rolled back Do you want to continue Y N y Done G350 001 super interface Console G350 001 super if Console async mode terminal Done G350 ...

Page 728: ... follows a Enter show username to list CLI users b If there are redundant CLI users use the no username command to delete them Note that you cannot delete the root user G350 001 super no ip ssh This will prevent future remote SSH sessions and disconnect all active SSH sessions do you want to continue Y N y Shutting down all active sesssions Done G350 001 super no cna testplug service Done G350 001...

Page 729: ...uth md5 Other combinations noauth auth sha1 priv des56 are not permitted in FIPS mode G350 001 super show snmp user EngineId 80 00 1a e9 03 00 04 0d 29 ca 61 local User Name initial Authentication Protocol none Privacy Protocol none Storage Type nonVolatile Row Status active G350 001 super no snmp server user initial v3 Done G350 001 super no snmp server remote user john 00 02 00 81 00 d0 00 4c 18...

Page 730: ... context of the interface 33 Configure primary and secondary RADIUS servers G350 001 super Username root password root_fips access type admin User account modified G350 001 super G350 001 super username admin password admin_password access type admin User account added G350 001 super username readwrite password rw_password access type read write User account added G350 001 super username readonly ...

Page 731: ... G350 001 if Tunnel 1 ip ospf authentication message digest Done G350 001 if Tunnel 1 ip ospf message digest 1 md5 ospf_key1 Done G350 001 if Tunnel 1 exit G350 001 super router ospf G350 001 router ospf redistribute connected Done G350 001 router ospf network 10 20 0 0 0 0 0 3 area 0 0 0 0 Done G350 001 router ospf exit G350 001 super interface FastEthernet 10 2 G350 001 if fastEthernet 10 2 no i...

Page 732: ...iant mode on page 720 ip access control list 301 Name list 301 ip rule 10 composite operation Deny ip protocol tcp destination ip host 1 0 0 1 tcp destination port eq Telnet exit ip rule 11 composite operation Deny ip protocol tcp destination ip host 10 0 0 1 tcp destination port eq Telnet exit ip rule 12 composite operation Deny ip protocol tcp destination ip host 10 20 0 1 tcp destination port e...

Page 733: ...Ftp exit ip rule 22 composite operation Deny ip protocol tcp destination ip host 10 20 0 1 tcp destination port eq Ftp exit ip rule 23 composite operation Deny ip protocol tcp destination ip host 100 100 100 1 tcp destination port eq Ftp exit ip rule 24 composite operation Deny ip protocol tcp destination ip host 10 3 0 1 tcp destination port eq Ftp exit ip rule 25 composite operation Deny ip prot...

Page 734: ...y ip protocol udp destination ip host 10 3 0 1 udp destination port eq Tftp exit ip rule 35 composite operation Deny ip protocol udp destination ip host 10 3 0 3 udp destination port eq Tftp exit ip rule 40 composite operation Deny ip protocol udp destination ip host 1 0 0 1 udp destination port eq Snmp exit ip rule 41 composite operation Deny ip protocol udp destination ip host 10 0 0 1 udp desti...

Page 735: ...p exit ip rule 45 composite operation Deny ip protocol udp destination ip host 10 3 0 3 udp destination port eq Snmp exit exit interface vlan 1 ip access group 301 in exit G350 001 super ip route 200 200 200 0 24 tunnel 1 low Done G350 001 super ip route 149 49 70 0 24 tunnel 1 low Done G350 001 super ip route 20 0 0 0 24 10 0 0 2 low Done G350 001 super ip route 20 0 0 2 32 FastEthernet 10 2 low ...

Page 736: ...sets using the crypto ipsec transform set command 43 Configure Crypto Maps using the crypto map command G350 001 super crypto isakmp policy 1 G350 001 super isakmp 1 encryption 3des Done G350 001 super isakmp 1 hash sha Done G350 001 super isakmp 1 group 2 Done G350 001 super isakmp 1 exit G350 001 super crypto isakmp peer address 20 0 0 2 G350 001 super peer 20 0 0 2 pre shared key preshared_key1...

Page 737: ...tination ip any Done G350 001 super Crypto 901 ip rule 10 exit G350 001 super Crypto 901 exit G350 001 super ip crypto list 902 G350 001 super Crypto 902 local address serial 3 1 1 Done G350 001 super Crypto 902 ip rule 10 Done G350 001 super Crypto 902 ip rule 10 protect crypto map 2 Done G350 001 super Crypto 902 ip rule 10 source ip any Done G350 001 super Crypto 902 ip rule 10 destination ip a...

Page 738: ...rator intervention and executes tests in the order defined below The power up self tests are executed during the early boot sequence and before the G350 s data output interfaces are enabled and begin transmitting packets The power up self test order is 1 Booter Integrity Self test 2 Image Integrity Self test 3 NVRAM Self test 4 PRNG Self test 5 Crypto Self tests 6 EEPROM Self test The power up sel...

Page 739: ... Failed NVRAM integrity power up self test Passed PRNG integrity power up self test Passed Crypto integrity power up self test Passed EEPROM integrity power up self test Passed Table 176 Error States Error State Cause Automatic Recovery Procedure 1 Image integrated self test failure An Error Recovery dialog box appears in the console It allows the user to either Retest and continue or Zeroize secr...

Page 740: ... self test The device enters a reset loop This state is unrecoverable by the user If the device does not recover it is recommended to shut down and then power up the device 4 NVRAM integrated self test failure An Error Recovery dialog box appears in the console It allows the user to either Retest and continue or Zeroize secrets G350 Error recovery screen Error Description Pseudo Random Number Gene...

Page 741: ...08 741 Figure 57 Recovering from an error state Power down Gateway Power up Gateway Gateway operates correctly End Yes Delete setup Perform NVRAM initialization Reconfigure Gateway Gateway operates correctly Yes Contact Avaya representative No ...

Page 742: ...ds Command Description disable link encryption Disable H 248 signalling encryption disable media encryption Disable Avaya media encryption SRTP AEA RTP AES enhanced security Activate enhanced security on FIPS ready hardware show self test status Display the results of the power up self test sequence show system Display information about the device zeroize Clear all secret parameters and initialize...

Page 743: ...ent Up with No Changes warmStart Trap enterprise E e args A warmStart trap indicates that the entity sending the protocol is reinitializing itself in such a way as to keep both the agent configuration and the entity s implementation intact LinkUp ifIndex ifAdminStatus ifOperStatus STD System Warning LinkUp Agent Interface Up linkUp Trap enterprise E e on interface 1 A linkUp trap indicates that th...

Page 744: ...ble alarmSample Type alarmValue alarmRising Threshold RMON THRES HOLD Warning rising Alarm Rising Alarm 2 exceeded threshold 5 value 4 Sample type 3 alarm index 1 The SNMP trap that is generated when an alarm entry crosses its rising threshold and generates an event that is configured for sending SNMP traps fallingAlarm alarmIndex alarmVariable alarmSample Type alarmValue alarmRising Threshold ala...

Page 745: ...ts of the occurred configuration changes It is enabled disabled by chLntAgCAMChangeTraps duplicateIPTrap ipNetToMediaPhysAddress ipNetToMediaNetAddress P330 ROUTER Warning duplicateIPTrap Duplicate IP address 2 detected MAC address 1 This trap reports to the Management station on Duplicate IP identification CRP identify the new IP on the network If it is similar to one of its IP interfaces the CR...

Page 746: ...fies the faulty packet A management application would display this trap and the relevant information in a log entry This trap will not be sent at intervals smaller than one minute for identical information in the varbinds list variables DormantPort Fault genPortSWRdF ault genPortGroup Id genPortId P330 SWITCH FABRIC Warning Dormant PortFault Dormant Port Connection Lost on Module 2 Port 3 This tra...

Page 747: ...on wanLocal AlarmOff Local Alarm on interface 4 was cleared Local alarms such as LOS was cleared wanRemote AlarmOn ifIndex ifAdminStatus ifOperStatus ifName ifAlias dsx1Line Status WAN WAN Error wan Remote AlarmOn Remote Alarm on interface 4 Remote alarms such as AIS wanRemote AlarmOff ifIndex ifAdminStatus ifOperStatus ifName ifAlias dsx1Line Status WAN WAN Notification wan Remote AlarmOff Remote...

Page 748: ...arningent Physical ParentRelPos AVAYA E NTITY SUPPLY avEnt48v PwrFlt 48V power supply Fault This trap reports a problem with a 48V power supply avEnt5vPwrFlt entPhysical Index entPhysical Descr entPhySensor Value avEntPhy SensorHi Warning avEntPhy SensorLo Warningent Physical ParentRelPos AVAYA E NTITY SUPPLY avEnt5v PwrFlt 5V power supply Fault This trap reports a problem with a 5V power supply a...

Page 749: ...t This trap reports a problem with a 1 8V power supply avEnt1600mv PwrFlt entPhysical Index entPhysical Descr entPhySensor Value avEntPhy SensorHi Warning avEntPhy SensorLo Warningent Physical ParentRelPos AVAYA E NTITY SUPPLY avEnt1600mv PwrFlt 1 6V 1600mv power supply Fault This trap reports a problem with a 1 6V power supply avEnt48vPwr FltOk entPhysical Index entPhysical Descr entPhySensor Val...

Page 750: ...t Cleared This trap reports the correction of a problem with a 3 3V power supply avEnt2500mv PwrFltOk entPhysical Index entPhysical Descr entPhySensor Value avEntPhy SensorHi Warning avEntPhy SensorLo Warningent Physical ParentRelPos AVAYA E NTITY SUPPLY Notification avEnt2500mvP wrFlt Ok 2 5V 2500mv power supply Fault Cleared This trap reports the correction of a problem with a 2 5V power supply ...

Page 751: ...ure fault 3 This trap reports that the ambient temperature in the device is not within the acceptable temperature range for the device avEntAmbient TempOk entPhysical Index entPhysical Descr entPhySensor Value avEntPhy SensorHi Warning entPhysical ParentRelPos AVAYA ENTITY TEMP Notification avEnt Ambient TempOk Ambient Temperature fault 3 cleared This trap reports that the ambient temperature in t...

Page 752: ...ITY MIB MY AVAYA ENTITY MIB Rnd MIB RND MIB XSWITCH MIB MY XSWITCH MIB CROUTE MIB MY CROUTE MIB RS 232 MIB my RS 232 MIB RIPv2 MIB my RIPv2 MIB IF MIB my IF MIB DS0BUNDLE MIB my DS0BUNDLE MIB RFC1406 MIB my RFC1406 MIB DS0 MIB my DS0 MIB POLICY MIB MY POLICY MIB BRIDGE MIB my BRIDGE MIB CONFIG MIB MY CONFIG MIB G700 MG MIB MY G700 MG MIB FRAME RELAY DTE MIB my FRAME RELAY DTE MIB IP MIB my IP MIB ...

Page 753: ... 1 3 6 1 4 1 1751 2 53 1 2 1 2 genOpRunningState 1 3 6 1 4 1 1751 2 53 1 2 1 3 genOpSourceIndex 1 3 6 1 4 1 1751 2 53 1 2 1 4 genOpDestIndex 1 3 6 1 4 1 1751 2 53 1 2 1 5 genOpServerIP 1 3 6 1 4 1 1751 2 53 1 2 1 6 genOpUserName 1 3 6 1 4 1 1751 2 53 1 2 1 7 genOpPassword 1 3 6 1 4 1 1751 2 53 1 2 1 8 genOpProtocolType 1 3 6 1 4 1 1751 2 53 1 2 1 9 genOpFileName 1 3 6 1 4 1 1751 2 53 1 2 1 10 genO...

Page 754: ...9 genOpFileSystemType 1 3 6 1 4 1 1751 2 53 1 2 1 20 genOpReportSpecificFlags 1 3 6 1 4 1 1751 2 53 1 2 1 21 genOpOctetsReceived 1 3 6 1 4 1 1751 2 53 1 2 1 22 genAppFileId 1 3 6 1 4 1 1751 2 53 2 1 1 1 genAppFileName 1 3 6 1 4 1 1751 2 53 2 1 1 2 genAppFileType 1 3 6 1 4 1 1751 2 53 2 1 1 3 genAppFileDescription 1 3 6 1 4 1 1751 2 53 2 1 1 4 genAppFileSize 1 3 6 1 4 1 1751 2 53 2 1 1 5 genAppFile...

Page 755: ...1 2 frCircuitState 1 3 6 1 2 1 10 32 2 1 3 frCircuitReceivedFECNs 1 3 6 1 2 1 10 32 2 1 4 frCircuitReceivedBECNs 1 3 6 1 2 1 10 32 2 1 5 frCircuitSentFrames 1 3 6 1 2 1 10 32 2 1 6 frCircuitSentOctets 1 3 6 1 2 1 10 32 2 1 7 frCircuitReceivedFrames 1 3 6 1 2 1 10 32 2 1 8 frCircuitReceivedOctets 1 3 6 1 2 1 10 32 2 1 9 frCircuitCreationTime 1 3 6 1 2 1 10 32 2 1 10 frCircuitLastTimeChange 1 3 6 1 ...

Page 756: ...1 17 7 1 1 4 dot1qGvrpStatus 1 3 6 1 2 1 17 7 1 1 5 dot1qVlanTimeMark 1 3 6 1 2 1 17 7 1 4 2 1 1 dot1qVlanIndex 1 3 6 1 2 1 17 7 1 4 2 1 2 dot1qVlanFdbId 1 3 6 1 2 1 17 7 1 4 2 1 3 dot1qVlanCurrentEgressPorts 1 3 6 1 2 1 17 7 1 4 2 1 4 dot1qVlanCurrentUntaggedPorts 1 3 6 1 2 1 17 7 1 4 2 1 5 dot1qVlanStatus 1 3 6 1 2 1 17 7 1 4 2 1 6 dot1qVlanCreationTime 1 3 6 1 2 1 17 7 1 4 2 1 7 dot1qVlanStatic...

Page 757: ...6 1 2 1 17 7 1 4 5 1 6 Object OID Object OID entPhysicalIndex 1 3 6 1 2 1 47 1 1 1 1 1 entPhysicalDescr 1 3 6 1 2 1 47 1 1 1 1 2 entPhysicalVendorType 1 3 6 1 2 1 47 1 1 1 1 3 entPhysicalContainedIn 1 3 6 1 2 1 47 1 1 1 1 4 entPhysicalClass 1 3 6 1 2 1 47 1 1 1 1 5 entPhysicalParentRelPos 1 3 6 1 2 1 47 1 1 1 1 6 entPhysicalName 1 3 6 1 2 1 47 1 1 1 1 7 entPhysicalHardwareRev 1 3 6 1 2 1 47 1 1 1 ...

Page 758: ... 1 4 24 4 1 1 ipCidrRouteMask 1 3 6 1 2 1 4 24 4 1 2 ipCidrRouteTos 1 3 6 1 2 1 4 24 4 1 3 ipCidrRouteNextHop 1 3 6 1 2 1 4 24 4 1 4 ipCidrRouteIfIndex 1 3 6 1 2 1 4 24 4 1 5 ipCidrRouteType 1 3 6 1 2 1 4 24 4 1 6 ipCidrRouteProto 1 3 6 1 2 1 4 24 4 1 7 ipCidrRouteAge 1 3 6 1 2 1 4 24 4 1 8 ipCidrRouteInfo 1 3 6 1 2 1 4 24 4 1 9 ipCidrRouteNextHopAS 1 3 6 1 2 1 4 24 4 1 10 ipCidrRouteMetric1 1 3 6...

Page 759: ... 1 1 3 1 4 vrrpOperPriority 1 3 6 1 2 1 68 1 1 3 1 5 vrrpOperIpAddrCount 1 3 6 1 2 1 68 1 1 3 1 6 vrrpOperMasterIpAddr 1 3 6 1 2 1 68 1 1 3 1 7 vrrpOperPrimaryIpAddr 1 3 6 1 2 1 68 1 1 3 1 8 vrrpOperAuthType 1 3 6 1 2 1 68 1 1 3 1 9 vrrpOperAuthKey 1 3 6 1 2 1 68 1 1 3 1 10 vrrpOperAdvertisementInterval 1 3 6 1 2 1 68 1 1 3 1 11 vrrpOperPreemptMode 1 3 6 1 2 1 68 1 1 3 1 12 vrrpOperVirtualRouterUp...

Page 760: ...1 6889 2 1 11 1 1 1 1 5 genCpuCurrentUtilization 1 3 6 1 4 1 6889 2 1 11 1 1 1 1 6 genCpuUtilizationHistorySampleIndex 1 3 6 1 4 1 6889 2 1 11 1 1 2 1 1 genCpuHistoryUtilization 1 3 6 1 4 1 6889 2 1 11 1 1 2 1 2 genMemUtilizationTotalRAM 1 3 6 1 4 1 6889 2 1 11 1 2 1 genMemUtilizationOperationalImage 1 3 6 1 4 1 6889 2 1 11 1 2 2 genMemUtilizationDynAllocMemUsed 1 3 6 1 4 1 6889 2 1 11 1 2 3 1 gen...

Page 761: ...3 6 1 2 1 99 1 1 1 2 entPhySensorPrecision 1 3 6 1 2 1 99 1 1 1 3 entPhySensorValue 1 3 6 1 2 1 99 1 1 1 4 entPhySensorOperStatus 1 3 6 1 2 1 99 1 1 1 5 entPhySensorUnitsDisplay 1 3 6 1 2 1 99 1 1 1 6 entPhySensorValueTimeStamp 1 3 6 1 2 1 99 1 1 1 7 entPhySensorValueUpdateRate 1 3 6 1 2 1 99 1 1 1 8 Object OID dot1dStpVersion 1 3 6 1 2 1 17 2 16 dot1dStpTxHoldCount 1 3 6 1 2 1 17 2 17 dot1dStpPat...

Page 762: ...t 1 3 6 1 2 1 17 2 19 1 5 dot1dStpPortAdminPathCost 1 3 6 1 2 1 17 2 19 1 6 Object OID 2 of 2 Object OID lseIntPortGroupId 1 3 6 1 4 1 81 19 1 2 1 1 1 lseIntPortId 1 3 6 1 4 1 81 19 1 2 1 1 2 lseIntPortCAMLastChange 1 3 6 1 4 1 81 19 1 2 1 1 39 lseIntPortMACAddGroupId 1 3 6 1 4 1 81 19 1 2 2 1 1 1 lseIntPortMACAddPortId 1 3 6 1 4 1 81 19 1 2 2 1 1 2 lseIntPortMACAddLAId 1 3 6 1 4 1 81 19 1 2 2 1 1...

Page 763: ... 2 1 10 18 6 1 15 dsx1LineStatusLastChange 1 3 6 1 2 1 10 18 6 1 16 dsx1LineStatusChangeTrapEnable 1 3 6 1 2 1 10 18 6 1 17 dsx1LoopbackStatus 1 3 6 1 2 1 10 18 6 1 18 dsx1Ds1ChannelNumber 1 3 6 1 2 1 10 18 6 1 19 dsx1Channelization 1 3 6 1 2 1 10 18 6 1 20 dsx1CurrentIndex 1 3 6 1 2 1 10 18 7 1 1 dsx1CurrentESs 1 3 6 1 2 1 10 18 7 1 2 dsx1CurrentSESs 1 3 6 1 2 1 10 18 7 1 3 dsx1CurrentSEFSs 1 3 6...

Page 764: ... 8 dsx1IntervalLESs 1 3 6 1 2 1 10 18 8 1 9 dsx1IntervalBESs 1 3 6 1 2 1 10 18 8 1 10 dsx1IntervalDMs 1 3 6 1 2 1 10 18 8 1 11 dsx1IntervalLCVs 1 3 6 1 2 1 10 18 8 1 12 dsx1IntervalValidData 1 3 6 1 2 1 10 18 8 1 13 dsx1TotalIndex 1 3 6 1 2 1 10 18 9 1 1 dsx1TotalESs 1 3 6 1 2 1 10 18 9 1 2 dsx1TotalSESs 1 3 6 1 2 1 10 18 9 1 3 dsx1TotalSEFSs 1 3 6 1 2 1 10 18 9 1 4 dsx1TotalUASs 1 3 6 1 2 1 10 18...

Page 765: ... G350 and their OIDs Object OID pppIpOperStatus 1 3 6 1 2 1 10 23 3 1 1 1 pppIpLocalToRemoteCompressionProtocol 1 3 6 1 2 1 10 23 3 1 1 2 pppIpRemoteToLocalCompressionProtocol 1 3 6 1 2 1 10 23 3 1 1 3 pppIpRemoteMaxSlotId 1 3 6 1 2 1 10 23 3 1 1 4 pppIpLocalMaxSlotId 1 3 6 1 2 1 10 23 3 1 1 5 pppIpConfigAdminStatus 1 3 6 1 2 1 10 23 3 2 1 1 pppIpConfigCompression 1 3 6 1 2 1 10 23 3 2 1 2 ...

Page 766: ... 1 1 4 sysName 1 3 6 1 2 1 1 5 sysLocation 1 3 6 1 2 1 1 6 sysServices 1 3 6 1 2 1 1 7 ifNumber 1 3 6 1 2 1 2 1 ifIndex 1 3 6 1 2 1 2 2 1 1 ifDescr 1 3 6 1 2 1 2 2 1 2 ifType 1 3 6 1 2 1 2 2 1 3 ifMtu 1 3 6 1 2 1 2 2 1 4 ifSpeed 1 3 6 1 2 1 2 2 1 5 ifPhysAddress 1 3 6 1 2 1 2 2 1 6 ifAdminStatus 1 3 6 1 2 1 2 2 1 7 ifOperStatus 1 3 6 1 2 1 2 2 1 8 ifLastChange 1 3 6 1 2 1 2 2 1 9 ifInOctets 1 3 6 ...

Page 767: ...1 2 1 4 1 ipDefaultTTL 1 3 6 1 2 1 4 2 ipInReceives 1 3 6 1 2 1 4 3 ipInHdrErrors 1 3 6 1 2 1 4 4 ipInAddrErrors 1 3 6 1 2 1 4 5 ipForwDatagrams 1 3 6 1 2 1 4 6 ipInUnknownProtos 1 3 6 1 2 1 4 7 ipInDiscards 1 3 6 1 2 1 4 8 ipInDelivers 1 3 6 1 2 1 4 9 ipOutRequests 1 3 6 1 2 1 4 10 ipOutDiscards 1 3 6 1 2 1 4 11 ipOutNoRoutes 1 3 6 1 2 1 4 12 ipReasmTimeout 1 3 6 1 2 1 4 13 ipReasmReqds 1 3 6 1 2...

Page 768: ...ic2 1 3 6 1 2 1 4 21 1 4 ipRouteMetric3 1 3 6 1 2 1 4 21 1 5 ipRouteMetric4 1 3 6 1 2 1 4 21 1 6 ipRouteNextHop 1 3 6 1 2 1 4 21 1 7 ipRouteType 1 3 6 1 2 1 4 21 1 8 ipRouteProto 1 3 6 1 2 1 4 21 1 9 ipRouteAge 1 3 6 1 2 1 4 21 1 10 ipRouteMask 1 3 6 1 2 1 4 21 1 11 ipRouteMetric5 1 3 6 1 2 1 4 21 1 12 ipRouteInfo 1 3 6 1 2 1 4 21 1 13 ipNetToMediaIfIndex 1 3 6 1 2 1 4 22 1 1 ipNetToMediaPhysAddre...

Page 769: ... 1 11 13 snmpInTotalSetVars 1 3 6 1 2 1 11 14 snmpInGetRequests 1 3 6 1 2 1 11 15 snmpInGetNexts 1 3 6 1 2 1 11 16 snmpInSetRequests 1 3 6 1 2 1 11 17 snmpInGetResponses 1 3 6 1 2 1 11 18 snmpInTraps 1 3 6 1 2 1 11 19 snmpOutTooBigs 1 3 6 1 2 1 11 20 snmpOutNoSuchNames 1 3 6 1 2 1 11 21 snmpOutBadValues 1 3 6 1 2 1 11 22 snmpOutGenErrs 1 3 6 1 2 1 11 24 snmpOutGetRequests 1 3 6 1 2 1 11 25 snmpOut...

Page 770: ...he G250 G350 and their OIDs Object OID avEntPhySensorHiShutdown 1 3 6 1 4 1 6889 2 1 99 1 1 1 avEntPhySensorHiWarning 1 3 6 1 4 1 6889 2 1 99 1 1 2 avEntPhySensorHiWarningClear 1 3 6 1 4 1 6889 2 1 99 1 1 3 avEntPhySensorLoWarningClear 1 3 6 1 4 1 6889 2 1 99 1 1 4 avEntPhySensorLoWarning 1 3 6 1 4 1 6889 2 1 99 1 1 5 avEntPhySensorLoShutdown 1 3 6 1 4 1 6889 2 1 99 1 1 6 avEntPhySensorEventSuppor...

Page 771: ...4 1 1 9 scGenPortGenericTrap 1 3 6 1 4 1 81 28 1 4 1 1 15 scGenPortLagCapability 1 3 6 1 4 1 81 28 1 4 1 1 20 scGenPortCapability 1 3 6 1 4 1 81 28 1 4 1 1 21 scGenSwitchId 1 3 6 1 4 1 81 28 1 5 1 1 1 scGenSwitchSTA 1 3 6 1 4 1 81 28 1 5 1 1 13 scEthPortGroupId 1 3 6 1 4 1 81 28 2 1 1 1 1 scEthPortId 1 3 6 1 4 1 81 28 2 1 1 1 2 scEthPortFunctionalStatus 1 3 6 1 4 1 81 28 2 1 1 1 27 scEthPortMode 1...

Page 772: ...faceNetMask 1 3 6 1 4 1 81 31 1 2 1 2 ipInterfaceLowerIfAlias 1 3 6 1 4 1 81 31 1 2 1 3 ipInterfaceType 1 3 6 1 4 1 81 31 1 2 1 4 ipInterfaceForwardIpBroadcast 1 3 6 1 4 1 81 31 1 2 1 5 ipInterfaceBroadcastAddr 1 3 6 1 4 1 81 31 1 2 1 6 ipInterfaceProxyArp 1 3 6 1 4 1 81 31 1 2 1 7 ipInterfaceStatus 1 3 6 1 4 1 81 31 1 2 1 8 ipInterfaceMainRouterAddr 1 3 6 1 4 1 81 31 1 2 1 9 ipInterfaceARPServerS...

Page 773: ... 1 3 6 1 4 1 81 31 1 4 1 7 ripInterfaceVersion 1 3 6 1 4 1 81 31 1 4 1 8 ospfGlobalsLeakRIPIntoOSPF 1 3 6 1 4 1 81 31 1 5 1 ospfGlobalsLeakStaticIntoOSPF 1 3 6 1 4 1 81 31 1 5 2 ospfGlobalsLeakDirectIntoOSPF 1 3 6 1 4 1 81 31 1 5 3 ospfGlobalsDefaultExportMetric 1 3 6 1 4 1 81 31 1 5 4 relayVlIndex 1 3 6 1 4 1 81 31 1 6 1 1 relayVlPrimaryServerAddr 1 3 6 1 4 1 81 31 1 6 1 2 relayVlSeconderyServerA...

Page 774: ...1 31 1 12 1 11 ipVRRPAdminStatus 1 3 6 1 4 1 81 31 1 14 1 iphcIfIndex 1 3 6 1 4 1 81 31 1 15 1 1 1 iphcControlTcpAdminStatus 1 3 6 1 4 1 81 31 1 15 1 1 2 iphcTcpSessions 1 3 6 1 4 1 81 31 1 15 1 1 3 iphcNegotiatedTcpSessions 1 3 6 1 4 1 81 31 1 15 1 1 4 iphcControlRtpAdminStatus 1 3 6 1 4 1 81 31 1 15 1 1 5 iphcRtpSessions 1 3 6 1 4 1 81 31 1 15 1 1 6 iphcNegotiatedRtpSessions 1 3 6 1 4 1 81 31 1 ...

Page 775: ... 1 1 1 vlConfAlias 1 3 6 1 4 1 81 31 3 1 1 2 vlConfStatus 1 3 6 1 4 1 81 31 3 1 1 3 Object OID 4 of 4 Object OID rs232Number 1 3 6 1 2 1 10 33 1 rs232PortIndex 1 3 6 1 2 1 10 33 2 1 1 rs232PortType 1 3 6 1 2 1 10 33 2 1 2 rs232PortInSigNumber 1 3 6 1 2 1 10 33 2 1 3 rs232PortOutSigNumber 1 3 6 1 2 1 10 33 2 1 4 rs232PortInSpeed 1 3 6 1 2 1 10 33 2 1 5 rs232PortOutSpeed 1 3 6 1 2 1 10 33 2 1 6 rs23...

Page 776: ... rs232SyncPortRTSControl 1 3 6 1 2 1 10 33 4 1 10 rs232SyncPortRTSCTSDelay 1 3 6 1 2 1 10 33 4 1 11 rs232SyncPortMode 1 3 6 1 2 1 10 33 4 1 12 rs232SyncPortIdlePattern 1 3 6 1 2 1 10 33 4 1 13 rs232SyncPortMinFlags 1 3 6 1 2 1 10 33 4 1 14 rs232InSigPortIndex 1 3 6 1 2 1 10 33 5 1 1 rs232InSigName 1 3 6 1 2 1 10 33 5 1 2 rs232InSigState 1 3 6 1 2 1 10 33 5 1 3 rs232InSigChanges 1 3 6 1 2 1 10 33 5...

Page 777: ... 1 rip2IfStatRcvBadPackets 1 3 6 1 2 1 23 2 1 2 rip2IfStatRcvBadRoutes 1 3 6 1 2 1 23 2 1 3 rip2IfStatSentUpdates 1 3 6 1 2 1 23 2 1 4 rip2IfStatStatus 1 3 6 1 2 1 23 2 1 5 rip2IfConfAddress 1 3 6 1 2 1 23 3 1 1 rip2IfConfDomain 1 3 6 1 2 1 23 3 1 2 rip2IfConfAuthType 1 3 6 1 2 1 23 3 1 3 rip2IfConfAuthKey 1 3 6 1 2 1 23 3 1 4 rip2IfConfSend 1 3 6 1 2 1 23 3 1 5 rip2IfConfReceive 1 3 6 1 2 1 23 3 ...

Page 778: ... ifSpeed 1 3 6 1 2 1 2 2 1 5 ifPhysAddress 1 3 6 1 2 1 2 2 1 6 ifAdminStatus 1 3 6 1 2 1 2 2 1 7 ifOperStatus 1 3 6 1 2 1 2 2 1 8 ifLastChange 1 3 6 1 2 1 2 2 1 9 ifInOctets 1 3 6 1 2 1 2 2 1 10 ifInUcastPkts 1 3 6 1 2 1 2 2 1 11 ifInNUcastPkts 1 3 6 1 2 1 2 2 1 12 ifInDiscards 1 3 6 1 2 1 2 2 1 13 ifInErrors 1 3 6 1 2 1 2 2 1 14 ifInUnknownProtos 1 3 6 1 2 1 2 2 1 15 ifOutOctets 1 3 6 1 2 1 2 2 1...

Page 779: ... 31 1 1 1 7 ifHCInMulticastPkts 1 3 6 1 2 1 31 1 1 1 8 ifHCInBroadcastPkts 1 3 6 1 2 1 31 1 1 1 9 ifHCOutOctets 1 3 6 1 2 1 31 1 1 1 10 ifHCOutUcastPkts 1 3 6 1 2 1 31 1 1 1 11 ifHCOutMulticastPkts 1 3 6 1 2 1 31 1 1 1 12 ifHCOutBroadcastPkts 1 3 6 1 2 1 31 1 1 1 13 ifLinkUpDownTrapEnable 1 3 6 1 2 1 31 1 1 1 14 ifHighSpeed 1 3 6 1 2 1 31 1 1 1 15 ifPromiscuousMode 1 3 6 1 2 1 31 1 1 1 16 ifConnec...

Page 780: ...0 82 3 1 1 dsx0BundleIfIndex 1 3 6 1 2 1 10 82 3 1 2 dsx0BundleCircuitIdentifier 1 3 6 1 2 1 10 82 3 1 3 dsx0BundleRowStatus 1 3 6 1 2 1 10 82 3 1 4 Object OID dsx1LineIndex 1 3 6 1 2 1 10 18 6 1 1 dsx1IfIndex 1 3 6 1 2 1 10 18 6 1 2 dsx1TimeElapsed 1 3 6 1 2 1 10 18 6 1 3 dsx1ValidIntervals 1 3 6 1 2 1 10 18 6 1 4 dsx1LineType 1 3 6 1 2 1 10 18 6 1 5 dsx1LineCoding 1 3 6 1 2 1 10 18 6 1 6 dsx1Sen...

Page 781: ...3 6 1 2 1 10 18 7 1 10 dsx1CurrentLCVs 1 3 6 1 2 1 10 18 7 1 11 dsx1IntervalIndex 1 3 6 1 2 1 10 18 8 1 1 dsx1IntervalNumber 1 3 6 1 2 1 10 18 8 1 2 dsx1IntervalESs 1 3 6 1 2 1 10 18 8 1 3 dsx1IntervalSESs 1 3 6 1 2 1 10 18 8 1 4 dsx1IntervalSEFSs 1 3 6 1 2 1 10 18 8 1 5 dsx1IntervalUASs 1 3 6 1 2 1 10 18 8 1 6 dsx1IntervalCSSs 1 3 6 1 2 1 10 18 8 1 7 dsx1IntervalPCVs 1 3 6 1 2 1 10 18 8 1 8 dsx1I...

Page 782: ...1 3 6 1 2 1 10 18 9 1 7 dsx1TotalLESs 1 3 6 1 2 1 10 18 9 1 8 dsx1TotalBESs 1 3 6 1 2 1 10 18 9 1 9 dsx1TotalDMs 1 3 6 1 2 1 10 18 9 1 10 dsx1TotalLCVs 1 3 6 1 2 1 10 18 9 1 11 Object OID 3 of 3 Object OID dsx0Ds0ChannelNumber 1 3 6 1 2 1 10 81 1 1 1 dsx0RobbedBitSignalling 1 3 6 1 2 1 10 81 1 1 2 dsx0CircuitIdentifier 1 3 6 1 2 1 10 81 1 1 3 dsx0IdleCode 1 3 6 1 2 1 10 81 1 1 4 dsx0SeizedCode 1 3...

Page 783: ...6 1 1 7 ipPolicyListCookie 1 3 6 1 4 1 81 36 1 1 8 ipPolicyListTrackChanges 1 3 6 1 4 1 81 36 1 1 9 ipPolicyListOwner 1 3 6 1 4 1 81 36 1 1 10 ipPolicyListErrMsg 1 3 6 1 4 1 81 36 1 1 11 ipPolicyListTrustedFields 1 3 6 1 4 1 81 36 1 1 12 ipPolicyListScope 1 3 6 1 4 1 81 36 1 1 13 ipPolicyListIpOptionOperation 1 3 6 1 4 1 81 36 1 1 14 ipPolicyListIpFragmentationOperation 1 3 6 1 4 1 81 36 1 1 15 ip...

Page 784: ...us 1 3 6 1 4 1 81 36 2 1 16 ipPolicyRuleApplicabilityType 1 3 6 1 4 1 81 36 2 1 17 ipPolicyRuleErrMsg 1 3 6 1 4 1 81 36 2 1 18 ipPolicyRuleStatus 1 3 6 1 4 1 81 36 2 1 19 ipPolicyRuleDSCPOperation 1 3 6 1 4 1 81 36 2 1 20 ipPolicyRuleDSCPFilter 1 3 6 1 4 1 81 36 2 1 21 ipPolicyRuleDSCPFilterWild 1 3 6 1 4 1 81 36 2 1 22 ipPolicyRuleIcmpTypeCode 1 3 6 1 4 1 81 36 2 1 23 ipPolicyRuleSrcAddrNot 1 3 6...

Page 785: ...licyDiffServName 1 3 6 1 4 1 81 36 4 1 4 ipPolicyDiffServAggIndex 1 3 6 1 4 1 81 36 4 1 5 ipPolicyDiffServApplicabilityPrecedence 1 3 6 1 4 1 81 36 4 1 6 ipPolicyDiffServApplicabilityStatus 1 3 6 1 4 1 81 36 4 1 7 ipPolicyDiffServApplicabilityType 1 3 6 1 4 1 81 36 4 1 8 ipPolicyDiffServErrMsg 1 3 6 1 4 1 81 36 4 1 9 ipPolicyQuerySlot 1 3 6 1 4 1 81 36 5 1 1 ipPolicyQueryListID 1 3 6 1 4 1 81 36 5...

Page 786: ...1 3 6 1 4 1 81 36 6 1 4 ipPolicyDiffServControlErrMsg 1 3 6 1 4 1 81 36 6 1 5 ipPolicyAccessControlViolationEntID 1 3 6 1 4 1 81 36 7 1 1 ipPolicyAccessControlViolationSrcAddr 1 3 6 1 4 1 81 36 7 1 2 ipPolicyAccessControlViolationDstAddr 1 3 6 1 4 1 81 36 7 1 3 ipPolicyAccessControlViolationProtocol 1 3 6 1 4 1 81 36 7 1 4 ipPolicyAccessControlViolationL4SrcPort 1 3 6 1 4 1 81 36 7 1 5 ipPolicyAcc...

Page 787: ... 1 81 36 8 1 12 ipPolicyDSCPmapEntID 1 3 6 1 4 1 81 36 9 1 1 ipPolicyDSCPmapListID 1 3 6 1 4 1 81 36 9 1 2 ipPolicyDSCPmapDSCP 1 3 6 1 4 1 81 36 9 1 3 ipPolicyDSCPmapOperation 1 3 6 1 4 1 81 36 9 1 4 ipPolicyDSCPmapName 1 3 6 1 4 1 81 36 9 1 5 ipPolicyDSCPmapApplicabilityPrecedence 1 3 6 1 4 1 81 36 9 1 6 ipPolicyDSCPmapApplicabilityStatus 1 3 6 1 4 1 81 36 9 1 7 ipPolicyDSCPmapApplicabilityType 1...

Page 788: ... 4 1 81 36 11 1 1 6 ipPolicyValidListIpOption 1 3 6 1 4 1 81 36 11 1 1 7 ipPolicyValidListIpFragmentation 1 3 6 1 4 1 81 36 11 1 1 8 ipPolicyValidRuleEntID 1 3 6 1 4 1 81 36 11 2 1 1 ipPolicyValidRuleIfIndex 1 3 6 1 4 1 81 36 11 2 1 2 ipPolicyValidRuleSubContext 1 3 6 1 4 1 81 36 11 2 1 3 ipPolicyValidRuleListID 1 3 6 1 4 1 81 36 11 2 1 4 ipPolicyValidRuleRuleID 1 3 6 1 4 1 81 36 11 2 1 5 ipPolicy...

Page 789: ... dot1dBaseNumPorts 1 3 6 1 2 1 17 1 2 dot1dBaseType 1 3 6 1 2 1 17 1 3 dot1dBasePort 1 3 6 1 2 1 17 1 4 1 1 dot1dBasePortIfIndex 1 3 6 1 2 1 17 1 4 1 2 dot1dBasePortCircuit 1 3 6 1 2 1 17 1 4 1 3 dot1dBasePortDelayExceededDiscards 1 3 6 1 2 1 17 1 4 1 4 dot1dBasePortMtuExceededDiscards 1 3 6 1 2 1 17 1 4 1 5 dot1dStpProtocolSpecification 1 3 6 1 2 1 17 2 1 dot1dStpPriority 1 3 6 1 2 1 17 2 2 dot1d...

Page 790: ... 1 3 6 1 2 1 17 2 15 1 2 dot1dStpPortState 1 3 6 1 2 1 17 2 15 1 3 dot1dStpPortEnable 1 3 6 1 2 1 17 2 15 1 4 dot1dStpPortPathCost 1 3 6 1 2 1 17 2 15 1 5 dot1dStpPortDesignatedRoot 1 3 6 1 2 1 17 2 15 1 6 dot1dStpPortDesignatedCost 1 3 6 1 2 1 17 2 15 1 7 dot1dStpPortDesignatedBridge 1 3 6 1 2 1 17 2 15 1 8 dot1dStpPortDesignatedPort 1 3 6 1 2 1 17 2 15 1 9 dot1dStpPortForwardTransitions 1 3 6 1 ...

Page 791: ... 6 1 4 1 81 7 9 3 2 1 3 chLntAgTrapsPermMngrId 1 3 6 1 4 1 81 7 9 3 7 1 1 chLntAgTrapsId 1 3 6 1 4 1 81 7 9 3 7 1 2 chLntAgTrapsEnableFlag 1 3 6 1 4 1 81 7 9 3 7 1 3 chLntAgMaxTrapsNumber 1 3 6 1 4 1 81 7 9 3 100 chGroupList 1 3 6 1 4 1 81 7 18 chLogFileGroupId 1 3 6 1 4 1 81 7 22 1 1 chLogFileIndex 1 3 6 1 4 1 81 7 22 1 2 chLogFileName 1 3 6 1 4 1 81 7 22 1 3 chLogFileAbsoluteTime 1 3 6 1 4 1 81 ...

Page 792: ...mStatus 1 3 6 1 4 1 81 8 1 1 16 genGroupHWStatus 1 3 6 1 4 1 81 8 1 1 17 genGroupSupplyVoltageFault 1 3 6 1 4 1 81 8 1 1 18 genGroupIntTemp 1 3 6 1 4 1 81 8 1 1 19 genGroupSpecificOID 1 3 6 1 4 1 81 8 1 1 20 genGroupConfigurationSymbol 1 3 6 1 4 1 81 8 1 1 21 genGroupLastChange 1 3 6 1 4 1 81 8 1 1 22 genGroupRedunRecovery 1 3 6 1 4 1 81 8 1 1 23 genGroupHWVersion 1 3 6 1 4 1 81 8 1 1 24 genGroupH...

Page 793: ... 1 4 1 81 8 1 1 42 genGroupCascadDownStatus 1 3 6 1 4 1 81 8 1 1 43 genGroupSTARootPortID 1 3 6 1 4 1 81 8 1 1 44 genGroupCopyPortInstruction 1 3 6 1 4 1 81 8 1 1 45 genGroupLicenseKey 1 3 6 1 4 1 81 8 1 1 46 genGroupLogFileClear 1 3 6 1 4 1 81 8 1 1 47 genGroupBootVersion 1 3 6 1 4 1 81 8 1 1 48 genGroupResetLastStamp 1 3 6 1 4 1 81 8 1 1 49 genGroupSerialNumber 1 3 6 1 4 1 81 8 1 1 50 genGroupSh...

Page 794: ...81 9 1 1 20 genPortName 1 3 6 1 4 1 81 9 1 1 21 genPortClassification 1 3 6 1 4 1 81 9 1 1 22 genPortVLANBindingMode 1 3 6 1 4 1 81 9 1 1 23 softRedundancyId 1 3 6 1 4 1 81 11 1 1 1 softRedundancyName 1 3 6 1 4 1 81 11 1 1 2 softRedundancyGroupId1 1 3 6 1 4 1 81 11 1 1 3 softRedundancyPortId1 1 3 6 1 4 1 81 11 1 1 4 softRedundancyGroupId2 1 3 6 1 4 1 81 11 1 1 5 softRedundancyPortId2 1 3 6 1 4 1 8...

Page 795: ...eFaultMask 1 3 6 1 4 1 6889 2 9 1 1 10 12 cmgHardwareStatusMask 1 3 6 1 4 1 6889 2 9 1 1 10 13 cmgModuleSlot 1 3 6 1 4 1 6889 2 9 1 1 11 1 1 1 cmgModuleType 1 3 6 1 4 1 6889 2 9 1 1 11 1 1 2 cmgModuleDescription 1 3 6 1 4 1 6889 2 9 1 1 11 1 1 3 cmgModuleName 1 3 6 1 4 1 6889 2 9 1 1 11 1 1 4 cmgModuleSerialNumber 1 3 6 1 4 1 6889 2 9 1 1 11 1 1 5 cmgModuleHWVintage 1 3 6 1 4 1 6889 2 9 1 1 11 1 1...

Page 796: ...9 2 9 1 2 2 6 cmgCurrent802Vlan 1 3 6 1 4 1 6889 2 9 1 2 2 7 cmgPrimaryClockSource 1 3 6 1 4 1 6889 2 9 1 2 3 1 cmgSecondaryClockSource 1 3 6 1 4 1 6889 2 9 1 2 3 2 cmgActiveClockSource 1 3 6 1 4 1 6889 2 9 1 2 3 3 cmgRegistrationState 1 3 6 1 4 1 6889 2 9 1 3 1 cmgActiveControllerAddress 1 3 6 1 4 1 6889 2 9 1 3 2 cmgH248LinkStatus 1 3 6 1 4 1 6889 2 9 1 3 3 cmgH248LinkErrorCode 1 3 6 1 4 1 6889 ...

Page 797: ...1 6889 2 9 1 4 3 3 4 cmgVoipLocalBbeDscp 1 3 6 1 4 1 6889 2 9 1 4 4 1 1 cmgVoipLocalEfDscp 1 3 6 1 4 1 6889 2 9 1 4 4 1 2 cmgVoipLocal802Priority 1 3 6 1 4 1 6889 2 9 1 4 4 1 3 cmgVoipLocalMinRtpPort 1 3 6 1 4 1 6889 2 9 1 4 4 1 4 cmgVoipLocalMaxRtpPort 1 3 6 1 4 1 6889 2 9 1 4 4 1 5 cmgVoipLocalRtcpEnabled 1 3 6 1 4 1 6889 2 9 1 4 4 2 1 cmgVoipLocalRtcpMonitorIpAddress 1 3 6 1 4 1 6889 2 9 1 4 4 ...

Page 798: ... cmgVoipEngineReset 1 3 6 1 4 1 6889 2 9 1 4 5 1 13 cmgVoipFaultMask 1 3 6 1 4 1 6889 2 9 1 4 5 1 14 cmgCcModule 1 3 6 1 4 1 6889 2 9 1 6 1 1 1 cmgCcPort 1 3 6 1 4 1 6889 2 9 1 6 1 1 2 cmgCcRelay 1 3 6 1 4 1 6889 2 9 1 6 1 1 3 cmgCcAdminState 1 3 6 1 4 1 6889 2 9 1 6 1 1 4 cmgCcPulseDuration 1 3 6 1 4 1 6889 2 9 1 6 1 1 5 cmgCcStatus 1 3 6 1 4 1 6889 2 9 1 6 1 1 6 cmgTrapManagerAddress cmgTrapMana...

Page 799: ... 2 1 10 32 1 1 3 frDlcmiAddressLen 1 3 6 1 2 1 10 32 1 1 4 frDlcmiPollingInterval 1 3 6 1 2 1 10 32 1 1 5 frDlcmiFullEnquiryInterval 1 3 6 1 2 1 10 32 1 1 6 frDlcmiErrorThreshold 1 3 6 1 2 1 10 32 1 1 7 frDlcmiMonitoredEvents 1 3 6 1 2 1 10 32 1 1 8 frDlcmiMaxSupportedVCs 1 3 6 1 2 1 10 32 1 1 9 frDlcmiMulticast 1 3 6 1 2 1 10 32 1 1 10 frDlcmiStatus 1 3 6 1 2 1 10 32 1 1 11 frDlcmiRowStatus 1 3 6...

Page 800: ...13 frCircuitThroughput 1 3 6 1 2 1 10 32 2 1 14 frCircuitMulticast 1 3 6 1 2 1 10 32 2 1 15 frCircuitType 1 3 6 1 2 1 10 32 2 1 16 frCircuitDiscards 1 3 6 1 2 1 10 32 2 1 17 frCircuitReceivedDEs 1 3 6 1 2 1 10 32 2 1 18 frCircuitSentDEs 1 3 6 1 2 1 10 32 2 1 19 frCircuitLogicalIfIndex 1 3 6 1 2 1 10 32 2 1 20 frCircuitRowStatus 1 3 6 1 2 1 10 32 2 1 21 frErrIfIndex 1 3 6 1 2 1 10 32 3 1 1 frErrTyp...

Page 801: ...1 2 1 4 5 ipForwDatagrams 1 3 6 1 2 1 4 6 ipInUnknownProtos 1 3 6 1 2 1 4 7 ipInDiscards 1 3 6 1 2 1 4 8 ipInDelivers 1 3 6 1 2 1 4 9 ipOutRequests 1 3 6 1 2 1 4 10 ipOutDiscards 1 3 6 1 2 1 4 11 ipOutNoRoutes 1 3 6 1 2 1 4 12 ipReasmTimeout 1 3 6 1 2 1 4 13 ipReasmReqds 1 3 6 1 2 1 4 14 ipReasmOKs 1 3 6 1 2 1 4 15 ipReasmFails 1 3 6 1 2 1 4 16 ipFragOKs 1 3 6 1 2 1 4 17 ipFragFails 1 3 6 1 2 1 4 ...

Page 802: ...oMediaType 1 3 6 1 2 1 4 22 1 4 ipRoutingDiscards 1 3 6 1 2 1 4 23 Object OID 2 of 2 Object OID genOpModuleId 1 3 6 1 4 1 1751 2 53 1 2 1 1 genOpIndex 1 3 6 1 4 1 1751 2 53 1 2 1 2 genOpRunningState 1 3 6 1 4 1 1751 2 53 1 2 1 3 genOpSourceIndex 1 3 6 1 4 1 1751 2 53 1 2 1 4 genOpDestIndex 1 3 6 1 4 1 1751 2 53 1 2 1 5 genOpServerIP 1 3 6 1 4 1 1751 2 53 1 2 1 6 genOpUserName 1 3 6 1 4 1 1751 2 53...

Page 803: ...9 genOpFileSystemType 1 3 6 1 4 1 1751 2 53 1 2 1 20 genOpReportSpecificFlags 1 3 6 1 4 1 1751 2 53 1 2 1 21 genOpOctetsReceived 1 3 6 1 4 1 1751 2 53 1 2 1 22 genAppFileId 1 3 6 1 4 1 1751 2 53 2 1 1 1 genAppFileName 1 3 6 1 4 1 1751 2 53 2 1 1 2 genAppFileType 1 3 6 1 4 1 1751 2 53 2 1 1 3 genAppFileDescription 1 3 6 1 4 1 1751 2 53 2 1 1 4 genAppFileSize 1 3 6 1 4 1 1751 2 53 2 1 1 5 genAppFile...

Page 804: ...nkStatusLocalMRU 1 3 6 1 2 1 10 23 1 1 1 1 6 pppLinkStatusRemoteMRU 1 3 6 1 2 1 10 23 1 1 1 1 7 pppLinkStatusLocalToPeerACCMap 1 3 6 1 2 1 10 23 1 1 1 1 8 pppLinkStatusPeerToLocalACCMap 1 3 6 1 2 1 10 23 1 1 1 1 9 pppLinkStatusLocalToRemoteACCompression 1 3 6 1 2 1 10 23 1 1 1 1 12 pppLinkStatusRemoteToLocalACCompression 1 3 6 1 2 1 10 23 1 1 1 1 13 pppLinkStatusTransmitFcsSize 1 3 6 1 2 1 10 23 1...

Page 805: ... 2 2 1 1 5 ifTableXtndDescription 1 3 6 1 4 1 6889 2 1 6 2 2 1 1 6 ifTableXtndKeepAlive 1 3 6 1 4 1 6889 2 1 6 2 2 1 1 7 ifTableXtndMtu 1 3 6 1 4 1 6889 2 1 6 2 2 1 1 8 ifTableXtndInvertTxClock 1 3 6 1 4 1 6889 2 1 6 2 2 1 1 9 ifTableXtndDTELoopback 1 3 6 1 4 1 6889 2 1 6 2 2 1 1 10 ifTableXtndIgnoreDCD 1 3 6 1 4 1 6889 2 1 6 2 2 1 1 11 ifTableXtndIdleChars 1 3 6 1 4 1 6889 2 1 6 2 2 1 1 12 ifTabl...

Page 806: ...2 1 6 2 2 1 1 28 ifTableXtndReliability 1 3 6 1 4 1 6889 2 1 6 2 2 1 1 29 ifTableXtndCacBBL 1 3 6 1 4 1 6889 2 1 6 2 2 1 1 31 ifTableXtndCacPriority 1 3 6 1 4 1 6889 2 1 6 2 2 1 1 32 ifTableXtndCacifStatus 1 3 6 1 4 1 6889 2 1 6 2 2 1 1 33 frDlcmiXtndIndex 1 3 6 1 4 1 6889 2 1 6 2 4 1 1 1 frDlcmiXtndLMIAutoSense 1 3 6 1 4 1 6889 2 1 6 2 4 1 1 2 frStaticCircuitSubIfIndex 1 3 6 1 4 1 6889 2 1 6 2 4 ...

Page 807: ... 1 1 6 sysServices 1 3 6 1 2 1 1 7 snmpInPkts 1 3 6 1 2 1 11 1 snmpInBadVersions 1 3 6 1 2 1 11 3 snmpInBadCommunityNames 1 3 6 1 2 1 11 4 snmpInBadCommunityUses 1 3 6 1 2 1 11 5 snmpInASNParseErrs 1 3 6 1 2 1 11 6 snmpEnableAuthenTraps 1 3 6 1 2 1 11 30 snmpOutPkts 1 3 6 1 2 1 11 2 snmpInTooBigs 1 3 6 1 2 1 11 8 snmpInNoSuchNames 1 3 6 1 2 1 11 9 snmpInBadValues 1 3 6 1 2 1 11 10 snmpInReadOnlys ...

Page 808: ...1 19 snmpOutTooBigs 1 3 6 1 2 1 11 20 snmpOutNoSuchNames 1 3 6 1 2 1 11 21 snmpOutBadValues 1 3 6 1 2 1 11 22 snmpOutGenErrs 1 3 6 1 2 1 11 24 snmpOutGetRequests 1 3 6 1 2 1 11 25 snmpOutGetNexts 1 3 6 1 2 1 11 26 snmpOutSetRequests 1 3 6 1 2 1 11 27 snmpOutGetResponses 1 3 6 1 2 1 11 28 snmpOutTraps 1 3 6 1 2 1 11 29 Object OID 2 of 2 Object OID ospfRouterId 1 3 6 1 2 1 14 1 1 ospfAdminStat 1 3 6...

Page 809: ...1 2 ospfImportAsExtern 1 3 6 1 2 1 14 2 1 3 ospfSpfRuns 1 3 6 1 2 1 14 2 1 4 ospfAreaBdrRtrCount 1 3 6 1 2 1 14 2 1 5 ospfAsBdrRtrCount 1 3 6 1 2 1 14 2 1 6 ospfAreaLsaCount 1 3 6 1 2 1 14 2 1 7 ospfAreaLsaCksumSum 1 3 6 1 2 1 14 2 1 8 ospfAreaSummary 1 3 6 1 2 1 14 2 1 9 ospfAreaStatus 1 3 6 1 2 1 14 2 1 10 ospfLsdbAreaId 1 3 6 1 2 1 14 4 1 1 ospfLsdbType 1 3 6 1 2 1 14 4 1 2 ospfLsdbLsid 1 3 6 1...

Page 810: ...7 1 10 ospfIfPollInterval 1 3 6 1 2 1 14 7 1 11 ospfIfState 1 3 6 1 2 1 14 7 1 12 ospfIfDesignatedRouter 1 3 6 1 2 1 14 7 1 13 ospfIfBackupDesignatedRouter 1 3 6 1 2 1 14 7 1 14 ospfIfEvents 1 3 6 1 2 1 14 7 1 15 ospfIfAuthKey 1 3 6 1 2 1 14 7 1 16 ospfIfStatus 1 3 6 1 2 1 14 7 1 17 ospfIfMulticastForwarding 1 3 6 1 2 1 14 7 1 18 ospfIfDemand 1 3 6 1 2 1 14 7 1 19 ospfIfAuthType 1 3 6 1 2 1 14 7 1...

Page 811: ...6 1 2 1 14 10 1 7 ospfNbrLsRetransQLen 1 3 6 1 2 1 14 10 1 8 ospfNbmaNbrStatus 1 3 6 1 2 1 14 10 1 9 ospfNbmaNbrPermanence 1 3 6 1 2 1 14 10 1 10 ospfNbrHelloSuppressed 1 3 6 1 2 1 14 10 1 11 ospfExtLsdbType 1 3 6 1 2 1 14 12 1 1 ospfExtLsdbLsid 1 3 6 1 2 1 14 12 1 2 ospfExtLsdbRouterId 1 3 6 1 2 1 14 12 1 3 ospfExtLsdbSequence 1 3 6 1 2 1 14 12 1 4 ospfExtLsdbAge 1 3 6 1 2 1 14 12 1 5 ospfExtLsdb...

Page 812: ...hod 1 3 6 1 2 1 10 131 1 1 2 1 3 tunnelConfigID 1 3 6 1 2 1 10 131 1 1 2 1 4 tunnelConfigStatus 1 3 6 1 2 1 10 131 1 1 2 1 5 ipTunnelIfIndex 1 3 6 1 4 1 81 31 8 1 1 1 ipTunnelIfChecksum 1 3 6 1 4 1 81 31 8 1 1 2 ipTunnelIfKey 1 3 6 1 4 1 81 31 8 1 1 3 ipTunnelIfkeyMode 1 3 6 1 4 1 81 31 8 1 1 4 ipTunnelIfAgingTimer 1 3 6 1 4 1 81 31 8 1 1 5 ipTunnelIfMTUDiscovery 1 3 6 1 4 1 81 31 8 1 1 6 ipTunnel...

Page 813: ...g Service logins 54 Auto Fallback in SLS 131 autoneg 217 Auto negotiation Fast Ethernet port 217 flowcontrol advertisement 213 port speed 214 Autonomous System Boundary Router 537 Avaya Communication Manager accessing 49 configuring for SLS 147 functions 49 Avaya IW accessing 44 administrator login configuring 45 configuration using 44 description 44 laptop configuration for 44 Avaya Services auth...

Page 814: ...06 analog test 481 484 area 537 540 arp 526 528 arp timeout 528 async mode interactive 262 263 async mode terminal 262 263 async modem init string 259 262 263 async reset modem 259 262 263 async limit string 261 async reset modem 261 authentication 634 autoneg 217 backup config usb 117 123 backup delay 289 290 291 backup interface 290 291 298 299 304 313 bandwidth 275 276 537 539 bc out 338 339 be...

Page 815: ...file scp 114 461 465 copy capture file tftp 461 466 copy capture file usb 113 114 461 466 copy cdr file ftp 113 114 copy cdr file scp 114 copy cdr file usb 113 114 copy dhcp binding ftp 113 114 copy dhcp binding scp 114 copy dhcp binding usb 113 114 copy file usb 113 copy ftp announcement file 376 378 copy ftp auth file 54 56 59 copy ftp EW_archive 110 115 copy ftp license file 556 copy ftp module...

Page 816: ...ble 296 312 dialer string 295 304 312 dialer wait for ipcp 296 312 dial pattern 174 197 202 dir 115 123 127 disable link encryption 726 disconnect ssh 61 62 distribution list 532 distribution list 533 535 dns server 517 522 domain name 517 522 dos classification 85 ds1 173 202 dscp access control list 659 object tracking 321 336 packet sniffing 451 466 policy based routing 680 policy lists 650 QoS...

Page 817: ...ck 220 223 ip dhcp ping packets 518 522 ip dhcp ping timeout 518 522 ip dhcp pool 516 ip dhcp pools 522 ip dhcp server 516 524 ip directed broadcast 524 525 ip distribution access default action 532 534 ip distribution access list 532 534 ip distribution access list cookie 534 ip distribution access list copy 534 ip distribution access list name 534 ip distribution access list owner 534 ip domain ...

Page 818: ...3 local address 567 635 login authentication 57 login authentication inactivity period 52 53 login authentication local craft password 57 60 login authentication lockout 52 53 57 60 login authentication min password digit chars 51 53 login authentication min password length 51 53 login authentication min password lower chars 51 53 login authentication min password special chars 51 53 login authenti...

Page 819: ...ce 446 rtp stat thresholds 411 446 rtp stat service 411 rtp test port 471 475 rtr 321 336 rtr schedule 323 336 running config startup config 36 safe removal usb 124 scheduler 471 475 self identity 563 633 server name 518 523 session 97 98 session mgc 461 set associated signaling 196 205 set attendant 176 204 set balance 483 485 set bearer capability bri 186 200 set bearer capability ds1 184 202 se...

Page 820: ...99 204 set max ip registrations 174 204 set max length 198 202 set mediaserver 97 98 set mgc list 94 96 98 set min length 198 202 set mss notification rate 83 set name bri 185 201 set name ds1 181 203 set name station 180 206 set name trunk group 193 207 set numbering format 195 207 set password 180 206 set peer 564 565 633 634 set peer group 566 set peer group 634 set pfs 560 632 set pim lockout ...

Page 821: ...4 set spantree tx hold count 398 set spantree version 394 398 set spid a 186 201 set spid b 186 201 set supervision 192 208 set swhook flash 180 206 set sync interface 683 685 set sync source 683 685 set sync switching 684 685 set system contact 91 set system location 91 set system name 91 set tac 189 208 set tei assignment 186 201 set terminal recovery password 76 77 set tgnum 198 202 set transfo...

Page 822: ...stribution access lists 536 show ip domain 103 105 show ip domain statistics 103 105 show ip icmp 530 show ip interface 287 show ip interface brief 492 show ip interfaces 288 show ip next hop list all 674 show ip ospf 538 540 show ip ospf database 538 540 show ip ospf interface 538 540 730 show ip ospf neighbor 538 540 show ip ospf protocols 540 show ip pbr list 673 681 show ip protocols 536 539 s...

Page 823: ...ls 200 show snmp 82 361 363 365 415 show snmp engineID 365 show snmp group 365 366 show snmp retries 365 366 show snmp timeout 365 366 show snmp user 365 366 728 show snmp userToGroup 365 show snmp usertogroup 366 show snmp view 364 366 show spantree 395 399 show startup config 287 show station 205 show sync timing 685 show system 93 106 108 116 124 show tcp syn cookies 81 show temp 106 108 show t...

Page 824: ...124 MGC list 94 modem 259 primary management interface 90 RTCP 245 RTP 245 running configuration 36 saving configuration changes 36 startup 287 startup configuration 36 switching 379 using Avaya IW 44 using GIW 47 using GUI applications 34 35 using the CLI 35 WAN ethernet port 216 Configuration file CLI commands 126 Console device configuring console port for use with 262 configuring console port ...

Page 825: ...8 overview 514 typical application 515 Diagnosing and monitoring the network 403 Dial On Demand Routing DDR 292 Dialer interface activating with object tracking 300 as backup for Loopback interface 293 as backup for WAN interface 292 assigning access control list to 304 assigning to Console port 304 authentication method 297 CHAP authentication 297 CLI commands 312 configuring 295 configuring as b...

Page 826: ...g duplex type 213 configuring link negotiation protocol 214 configuring switch port 213 connecting devices to 211 212 list of 211 212 port redundancy 386 setting flowcontrol advertisements 213 WAN Ethernet port see WAN Ethernet port ETR CLI commands 353 deactivating 352 description 351 displaying status 353 in SLS mode 143 LED 351 manual activation 352 setting state 352 trunk to port latchings 351...

Page 827: ...ssembly 547 Frame relay 265 displaying configuration 287 enabling traffic shaping 338 Frame relay encapsulation CLI commands 285 down status 290 encapsulation types 283 establishing Layer 3 interface 497 IETF 283 illustration 267 non IETF 283 supported features 337 supported on Serial interfaces 266 489 Frame relay traffic shaping CLI commands 339 configuring within map classes 337 description 337...

Page 828: ...9 phase 2 549 Ingress Access Control List 665 Ingress QoS List 665 Integrated analog testing CLI commands 484 displaying corrections 483 displaying test results 482 healing trunks 483 overview 479 profiles clearing 482 profiles configuring 481 profiles displaying 482 test cancelling 482 test launching 482 test lines 480 types of tests 479 Interface configuration CLI commands 490 Interface status C...

Page 829: ...d TLVs 225 verify advertisements 226 LMI parameters 283 Load balancing ECMP 537 VRRP 542 Local Management Interface see LMI parameters 283 Log file see Logging Logging CLI commands 242 configuring log file 233 configuring session log 235 configuring Syslog server 230 copying the Syslog file 233 default severity levels 238 defining filters 237 deleting log file 233 deleting Syslog server 231 Dialer...

Page 830: ... 1x protocol 65 Ethernet ports 212 MM316 media module 802 1x protocol 65 Ethernet ports 212 MM340 media module configuring 269 E1 T1 WAN interface 488 MM342 media module configuring 274 USP WAN interface 488 Modem configuring 259 configuring console port for use with 264 configuring console port to detect 262 configuring type on console port 262 connecting to Console port 43 connecting to S8300 Se...

Page 831: ... OSPF Autonomous System Boundary Router 537 P Packet sniffing analyzing capture file 462 analyzing captured packets 459 applying a capture list 456 applying rules to an address range 451 applying rules to packets with DSCP values 451 applying rules to packets with ip protocols 451 capture list examples 455 clearing the capture buffer 457 CLI commands 465 configuring 448 creating capture list 449 d...

Page 832: ...evices 347 Point to Multi Point topology 268 Point to Point frame relay 265 268 Poison reverse 532 533 Policy access control lists 637 attaching policy list to interface at IACL 643 attaching policy lists to an interface 642 attaching QoS list to interface at ingress QoS list 643 changing DSCP table entries 655 configuring composite operations 653 copy list 641 create access control list 640 creat...

Page 833: ...ng information 387 enabling 387 secondary port activation 387 setting redundancy intervals 387 switchback 387 Ports alternate 392 analog line 351 assigning static VLANs 382 auto negotiation mode 214 backup 392 CCA 688 692 696 700 704 classification 399 configuring administrative state 213 configuring E1 port 269 configuring name 214 configuring speed 214 configuring T1 port 269 configuring VLAN ta...

Page 834: ...equisites 294 serving multiple branch offices 294 Recovery password 76 CLI commands 77 Remote Access Server see RAS Remote services logins 54 Restoring the gateway via the gateway USB port 118 RIP advertising static routes 496 authentication type 533 CLI commands 534 compared to OSPF 536 configuration 533 default metric 541 description 530 distribution access lists 532 enabling 534 learning defaul...

Page 835: ...CP 245 RTP configuring 245 overview 406 statistics application functionality 407 viewing configuration thresholds 409 RTP header compression see Header compression RTP session data 406 RTP statistics CLI commands 445 RTP statistics application configuration and output examples 432 configuring 408 configuring additional trap destinations 415 configuring fault and clear traps 416 configuring QoS tra...

Page 836: ...172 IP stations data 162 ISDN BRI trunks data 168 signaling groups data 168 system parameters data 170 provisioning data 134 states 136 registered 136 setup 136 teardown 137 unregistered 136 supported functionality 132 up conversion to release 4 0 208 SNMP adding an OID to a view 364 agent manager communication methods 355 changing user parameters 358 configuration examples 368 configuring traps 3...

Page 837: ...d balancing 496 Low Preference 496 permanent 498 redistributing to RIP and OSPF 541 removing 499 types 496 via interface 497 Survivability auto fallback to primary MGC 94 configuring the MGC list 94 connection preserving migration 94 ELS 93 enhanced local survivability see ELS 93 MGC list 93 modem dial backup 94 options 93 overview 93 setting reset times 96 SLS see SLS Switch connecting to fixed r...

Page 838: ...01 705 assigning IP address 34 changing the ip peer address 260 263 CLI commands 261 configuring for modem use 42 connecting modem 42 default parameters 259 description 259 disconnecting USB sessions 260 displaying USB modem interface parameters 260 enabling 259 resetting 259 resetting the USB modem 259 setting authentication method 260 setting ip address 259 setting PPP timeout disconnects 260 se...

Page 839: ...inuous channel 585 coordinating with the VPN peer 557 crypto list assigning to an interface 572 configuring 567 deactivating 569 overview 552 crypto map configuring 565 overview 552 failover mechanisms 605 introduction 549 ISAKMP policies configuring 558 overview 552 license file 556 logging 575 maintenance 573 modem dial backup and 292 NAT Traversal 570 object tracking for failover 330 peer confi...

Page 840: ...86 CLI commands 288 WAN endpoint device connecting to fixed router port 211 212 WAN Ethernet port backup interfaces 217 binding interface to object tracker 217 configuring 216 traffic shaping 216 WAN Ethernet ports CLI commands 217 Weighted Fair VoIP Queuing 254 265 292 WFVQ CLI commands 255 WFVQ see Weighted Fair VoIP Queuing Z zeroize 742 ...
