Manuals / Patton electronic / Communications / IP Phone

Patton electronic SmartNode 4110 Series manual About access control lists, What access lists do

Models: SmartNode 4110 Series

1 664

Download 664 pages 15.88 Kb

Page 254

SmartWare Software Configuration Guide	24 • Access control list configuration

Introduction

This chapter provides an overview of IP Access Control Lists and describes the tasks involved in conﬁguring them.

This chapter includes the following sections:

•About access control lists

•Access control list conﬁguration task list (see page 256)

•Examples (see page 266)

About access control lists

This section brieﬂy describes what access lists do, why and when you should conﬁgure access lists, and basic versus advanced access lists.

What access lists do

Access lists ﬁlter network trafﬁc by controlling whether routed packets are forwarded, dropped or blocked at the router's interfaces. Your router examines each packet to determine whether to forward or drop the packet, based on the criteria you speciﬁed within the access lists.

Access list criteria could be the source address of the trafﬁc, the destination address of the trafﬁc, the upper- layer protocol, or other information.

Note Sophisticated users can sometimes successfully evade or fool basic access lists because no authentication is required.

Why you should conﬁgure access lists

There are many reasons to conﬁgure access lists. For example, you can use access lists to restrict contents of routing updates, or to provide trafﬁc ﬂow control. But one of the most important reasons to conﬁgure access lists is to provide security for your network, and this is the reason explored in this chapter.

You should use access lists to provide a basic level of security for accessing your network. If you do not conﬁgure access lists on your router, all packets passing through the router could be allowed onto all parts of your network.

Introduction

254

Image 254

Patton electronic SmartNode 4110 Series manual About access control lists, What access lists do

Contents

SmartWare Release Patton Electronics Company, Inc Summary Table of Contents SmartWare Software Configuration Guide Table of Contents Command line interface CLI Copying configurations to and from a remote storage location IP context overview 11 NAT/NAPT configuration Serial port configuration PRI port configuration Isdn Overview Basic IP routing configuration Snmp configuration Dhcp configuration CS context overview VPN configuration CS interface configuration FXO interface configuration SIP interface configuration Table of Contents 524 45 H.323 gateway configuration Pstn profile configuration Location Service Terms and definitions List of Figures SmartWare Software Configuration Guide List of Tables Audience How to read this guideAbout this guide Structure About this guide About this guide General conventions PrecautionsTypographical conventions used in this document Garamond bold typeSmartWare Software Configuration GuideAbout this guide Patton support headquarters in the USA Service and supportMouse conventions Fax +1 253Patton Electronics Company Warranty coverageRMA numbers Chapter contents System overviewIntroduction VoIP Gateway Circuit SwitchSmartWare embedded software IP RouterApplications Carrier networksEnterprise networks WANLAN telephony Typical LAN telephony system with a SmartNode gatewayConﬁguration concepts Conﬁguration concept overview Example Contexts and GatewaysContext GatewayPorts and circuits Interfaces, Ports, and BindingsInterfaces BindingsProﬁles Proﬁles and Use commandsUse Commands Command line interface CLI Operator exec mode, the system prompt is displayed as Command modesCLI prompt Command completion Command editingCommand help Navigating the CLICommand history Command Editing ShortcutsAccessing the CLI Accessing the SmartWare CLI task list If desiredEnding a Telnet or console port session see Accessing via the console portConsole port procedure Using an alternate TCP listening port for the Telnet server Accessing via a Telnet sessionTelnet Procedure Disabling the Telnet serverSelecting a secure password Login displayConﬁguring operators and administrators Password encryptionFactory preset administrator account Creating an operator accountOpening a secure conﬁguration session over SSH Creating an administrator accountName and password password Nodecfg#copy running-conﬁg startup-conﬁgDisplaying account information Mode EnableDisplaying the CLI version Node# who Switching to another accountChecking identity and connected users Node whoUsed in operator execution mode Command index numbersAccessing the CLI Showing command default values Ending a Telnet or console port sessionSystem image handling System image handling Memory regions in SmartWare System image handling task list Local Persistent Volatile FlashShow version Displaying system image informationCopying system images from a network server to Flash memory Step Command Purpose Upgrading the software directly Here’s an example for conﬁguration provisioning Auto provisioning of ﬁrmware and conﬁgurationExplanation To use and debug provisioning Boot procedure Boot procedureIP Addresses in the Factory Conﬁguration Default Startup ConﬁgurationFactory conﬁguration Conﬁguration ﬁle handling Understanding conﬁguration ﬁles Configuration file handling Conﬁguration ﬁle handling task list Sample conﬁguration ﬁleCopying conﬁgurations within the local memory Local Memory RegionsName nvramtarget-name Node# copy nvram backup startup-conﬁgBackup already present in ﬂash memory Name into the local memoryCopying conﬁgurations to and from a remote storage location Remote memory regions for SmartWareNew-startupnvramstartup-conﬁg Displaying conﬁguration ﬁle informationNodecfg# copy tftp//ip-addressport Modifying the running conﬁguration at the CLI Node#reload Modifying the running conﬁguration ofﬂineNode#copy running-conﬁg tftp//node-ip Example Deleting a speciﬁed conﬁguration Example Modifying the running conﬁguration ofﬂineDeleting a speciﬁed conﬁguration Delete the conﬁguration named minimal explicitlyEncrypted Conﬁguration Download CLI copy command copy tftp//host/path conﬁg-ﬁleEncrypted ﬁle download Auto provisioningInstall a custom encryption key optional Use CasesUpload an encrypted conﬁguration ﬁle Encrypt a conﬁguration ﬁleDownload an encrypted conﬁguration ﬁle Basic system management Basic system management conﬁguration task list Node cfg#copy tftp//tftp-server/path/ﬁle Managing feature license keysDownloads the license key ﬁle and install Name licenses LicensesSetting system information Setting the system banner System banner with message to operatorsSetting time and date Display clock informationDetermining and deﬁning the active CLI version Display time since last restartConﬁguring the Web server De enRestarting the system Displaying the system logsUnit Controlling command executionDisplaying reports Ctrl-cterminate current command Ctrl-zsuspend active commandShow the currently running commands Bring job 0 to foregroundSome examples Timed execution of CLI commandMode System Displaying the checksum of a conﬁgurationName sys#no terminal idle-time Radius Client Conﬁguration AAA component Authentication procedure with a Radius server General AAA ConﬁgurationAuthentication proﬁle-name Nodecfg#proﬁle authentication nameNodepf-authname#server-timeout Nodecfg#show proﬁle authenticationRadius conﬁguration Conﬁguring Radius clients Example Conﬁgure the Radius clients as shown in ﬁgureConﬁguring Radius accounting Vendor109 Conﬁguring the Radius server Attributes in the Radius request messageConﬁguring the local database accounts Attributes in the Radius accept messagePassword Example Create an administrator and an operator accountWord password Base. The no form removes an existing accountStoring call logs with quality information IP context overview IP context and related elements IP context overview conﬁguration task list Creating and conﬁguring IP interfaces Planning your IP conﬁgurationConﬁguring physical ports IP interface related informationConﬁguring RIP Conﬁguring NaptConﬁguring static IP routing Conﬁguring access control lists Conﬁguring quality of service QoSIP interface conﬁguration Nodectx-iprouter#interface name IP interface conﬁguration task listCreating an IP interface Nodeif-ip name#Deleting an IP interface Name if-ip if-name# no napt Setting the IP address and netmaskConﬁguring a Napt DMZ interface InsideRouter advertisement broadcast message Icmp message processingIcmp redirect messages Example Deﬁning the MTU of the interface Nodeif-ipname#tcp adjust-mssDeﬁning the MTU and MSS of the interface MTU packet size value must be in the range fromConﬁguring an interface as a point-to-point link Displaying IP interface informationFlushing dynamic ARP entries Testing connections with the ping commandDisplaying dynamic ARP entries Processing gratuitous ARP requestsIP link supervision Mode Either operator or administrator executionBer timeout seconds Node#ping address numDebug connectivity Check connectivity of an IP linkShow IP link status Debug ARPTraceroute Example Debug ARP outputConﬁguring the Igmp Proxy Example Display the ARP informationNAT/NAPT conﬁguration Dynamic Napt Dynamic NAT Tftp because the SmartNode might become inaccessibleStatic Napt Static NAT Napt traversalNode cfg#proﬁle napt name NAT/NAPT conﬁguration task listCreating a Napt proﬁle OptionalOptional Ahespgreipv6 localip Conﬁguring a Napt DMZ hostDeﬁning Napt port ranges AH, ESP, GRE, or IPv6 respectively directed toName pf-napt pf-name# udp-handling symmetricaddress Preserving TCP/UDP port numbers in NaptDeﬁning the UDP Napt type Node cfg#context ip router Activate NAT/NAPTDisplaying NAT/NAPT conﬁguration information Node cfg#show proﬁle naptConﬁguring NAT static protocol entries Mode proﬁle napt pf-naptExample Display NAT/NAPT conﬁguration information Ethernet port conﬁguration Conﬁguring medium for an Ethernet port Entering the Ethernet port conﬁguration modeEthernet port conﬁguration task list Nodeprt-eth slot/port#encapsulation ip Conﬁguring Ethernet encapsulation type for an Ethernet portBinding an Ethernet port to an IP interface Conﬁgures the encapsulation type to IPMultiple IP addresses on Ethernet ports Nodeprt-eth slot/port#bind interface name routerConﬁguring a Vlan Nodevlanid#encapsulation ippppoemulti Nodeconﬁg#port ethernet slot portNodeprt-ethslot/port#vlan id Nodevlanid#bind interface name routerNodeprt-eth slot/port#cos rx-map layer Adding a receive mapping table entryExample Adding a receive mapping table entry Adding a transmit mapping table entry Closing an Ethernet portUsing the built-in Ethernet sniffer Nvramethernet-0-0-1.cap Following is an example of how the sniffer is normally usedNvramethernet-0-slot-port.cap Link scheduler conﬁguration Using trafﬁc classes Applying scheduling at the bottleneckPriority Weighted fair queuing WFQIntroduction to Scheduling ShapingBurst tolerant shaping or wfq HierarchySetting the modem rate Quick referencesLink scheduler conﬁguration task list Command cross referencePolicy-map policy-map Proﬁle service-policy Source trafﬁc-class classPacket classiﬁcation Enable statistics gathering seeDeﬁning the access control list proﬁle Creating an access control list Scenario with Web server regarded as a single source hostNodepf-acl name#permit ip host ip-address any trafﬁc-class Creating a service policy proﬁleNodecfg#proﬁle acl name Nodepf-acl name#permit ip any anyStructure of a Service-Policy Proﬁle Deﬁning fair queuing weight Specifying the handling of trafﬁc-classesDeﬁning the bit-rate Mode SourceSpecifying the type-of-service TOS ﬁeld Deﬁning absolute priorityNodesrc name#set ip tos value Specifying differentiated services codepoint Dscp markingSpecifying the precedence ﬁeld Nodesrc name#set ip precedence valueNodesrc name#set ip dscp value Deﬁnes the Class-Of-Service value applied to packets of forSpecifying layer 2 marking Value is from 0 toDiscarding Excess Load Quality of Service for routed RTP streamsDeﬁning random early detection Nodesrc name#random-detect burst-toleranceMode proﬁle service-policy/proﬁle Policy name in out Devoting the service policy proﬁle to an interfaceNodeif-ip if-name#use proﬁle service Displaying link scheduling proﬁle information Enable statistics gatheringDisplaying link arbitration status Optional Value Implication on Command Output Serial port conﬁguration Serial port conﬁguration task list Disabling an interfaceEnabling an interface Port Conﬁguring the serial encapsulation typeConﬁguring the hardware port protocol Conﬁguring the active clock edge Conﬁguring the baudrate Baudrate176 Frame Relay conﬁguration Frame Relay conﬁguration task list Conﬁguring Frame Relay encapsulationConﬁguring the LMI type Conﬁguring the keep-alive intervalNodepvc dlci#fragment size Enabling fragmentationBer to be used on the speciﬁed virtual circuit For this PVC only FRF.12 end-to-end fragmentationEntering Frame Relay PVC conﬁguration mode Conﬁguring the PVC encapsulation type Binding the Frame Relay PVC to IP interfaceMode PVC IP interface wan is bound to PVC 1 on port serial 0Enabling a Frame Relay PVC Disabling a Frame Relay PVCDebugging Frame Relay Displaying Frame Relay information Integrated service access 188 Conﬁgure the serial interface settings Check that the Frame Relay settings are correctExample 2 Frame Relay on e1t1 with a channel-group PRI port conﬁguration Terminology PRI port conﬁguration task listConﬁguring PRI port-type Enable/Disable PRI portPRI Debugging Conﬁguring PRI clock-modeAmi b8zs hdb3 Conﬁguring PRI framingName prt-e1t1 slot/port# linecode Name prt-e1t1 slot/port# framingConﬁguring PRI application mode E1T1 only Conﬁguring PRI line-build-out E1T1 in T1 mode onlyConﬁguring PRI used-connector E1T1 in E1 mode only Conﬁguring PRI LOS threshold E1T1 only Conﬁguring PRI Loopback detection E1T1 onlyDefault disabled Conﬁguring PRI encapsulationConﬁguring Channel-Group Timeslots Mode channel-group group-nameCreate a Channel-Group Conﬁguring Channel-Group EncapsulationMode hdlc Entering Hdlc Conﬁguration ModeMode channel-group group Conﬁguring Hdlc CRC-TypePRI Debugging Default no encapsulationConﬁguring Hdlc Encapsulation PRI Conﬁguration Examples Example 3 RBS with a channel-group Example 1 IsdnExample 2 RBS without a channel-group Example 4 Frame Relay without a channel-group Example 7 PPP with a channel-group Example 5 Framerelay with a channel-groupExample 6 PPP without a channel-group BRI port conﬁguration Conﬁguring BRI clock-mode Enable/Disable BRI portBRI port conﬁguration task list Conﬁguring BRI encapsulation Conﬁguring BRI Power-FeedFeed Default disabled Creating a channel groupTimeslots timeslots Default no timeslotsName ch-grp group-name#no Selects the timeslot to be used Name#show port bri BRI DebuggingName#no debug bri BRI Conﬁguration Examples Example 1 Isdn with auto clock/uni-side settingsExample 2 Isdn with manual clock/uni-side settings Example 3 Multi-Link PPP over two B-Channels Isdn Overview Isdn reference points Isdn reference pointsIsdn UNI Signaling Possible SmartNode port conﬁgurations215 Isdn Conﬁguration Concept Isdn LayeringIsdn conﬁguration Isdn conﬁguration task list Enter Q.921 conﬁguration modeMode base-mode Conﬁguring Q.921 parametersConﬁguring Q.921 encapsulation Mode q921Enter Q.931 conﬁguration mode Mode q931 Conﬁguring Q.931 parametersEtsi Nodeq931slot/port#signalling-ruleNodeq931slot/port#no signalling-rule Pss1oldFace if-name Conﬁguring Q.931 encapsulationDebugging Isdn Control interfaceNode#show port isdn slot port detail level Isdn Conﬁguration ExamplesExample being clock slave on uni network interface Example PRI Example QsigAssume the scenario as illustrated in ﬁgure RBS conﬁguration Conﬁguring RBS protocol Enter RBS conﬁguration modeRBS conﬁguration task list Debugging RBS Mode rbsConﬁguring RBS encapsulation Noderbs#no encapsulation cc-rbsRBS Conﬁguration Examples Example Conﬁguring RBS Ground Start on a E1T1 port229 DSL Port Conﬁguration Line Setup Conﬁguring PPPoEConﬁguration Summary Profile napt WANUsing PVC channels with PPPoE Setting up permanent virtual circuits PVCUsing PVC channels in bridged Ethernet mode PPPoE access Troubleshooting DSL ConnectionsDiagnostics Link StateBasic IP routing conﬁguration Static routing Basic IP routing conﬁguration task listRouting tables Policy routingNodecfg#context ip router Enters the IP router Context Displaying IP route information seeConﬁguring static IP routes Adds a static routeDeleting static IP routes Displaying IP route informationConﬁguring policy routing 0.0/0 172.16.32.2 StaticExamples Basic static IP routing exampleChanging the default UDP port range for RTP and Rtcp RIP conﬁguration Routing protocol RIP conﬁguration task list Enabling send RIPEnabling an interface to receive RIP Specifying the send RIP versionEnabling RIP learning Example Enabling RIP learn host and defaultSpecifying the receive RIP version Enabling RIP announcing Specifying the default route metric Enabling RIP auto summarizationEnabling RIP split-horizon processing Enabling the poison reverse algorithmEnabling holding down aged routes Setting the RIP route expiry3600 Default 180 seconds Nodeif-ipname#rip route-expiryDisplaying RIP conﬁguration of an IP interface Displaying global RIP information252 Access control list conﬁguration Why you should conﬁgure access lists About access control listsWhat access lists do When to conﬁgure access lists Features of access control listsAccess control list conﬁguration task list Mapping out the goals of the access control listNodepf-acl name#permit ip src src-wildcard any Where the syntax is Nodepf-acl name#deny icmp src src-wildcard Nodepf-acl name#permit icmp src src-wildcard anyType type type type code code cos group Any host src dest dest-wildcard any host destType type Where the syntax is as followingMsg name Code codePort lt port range from to cos group cos-rtp group Nodepf-acl name#permit tcp udp sctp src src-wildCard any host src eq port gt port lt port range Nodepf-acl name#deny tcp udp sctp src srcGt port Eq portLt port Range from toWhere the syntax is Debugging an access control list proﬁle Unbind an access control list proﬁle from an interfaceDisplaying an access control list proﬁle Control list profile shall be debugged Commands that have to be entered are listed below Denying a speciﬁc subnetSnmp conﬁguration Snmp basic components Snmp basic commandsSimple Network Management Protocol Snmp Network management framework Identiﬁcation of a SmartNode via SnmpSnmp management information base MIB Snmp conﬁguration task list Setting basic system informationSnmp tools 271 Setting access community information Example Setting the system group objectsRo rw Or read/write access Nodecfg#snmp host IP-address-of-SN security Setting allowed host informationSpecifying the default Snmp trap target Nodecfg#snmp target IP-address-of-SNUsing the AdventNet Snmp utilities Displaying Snmp related informationUsing the MibBrowser AdventNet MibBrowser Settings Button on the ToolbarUsing the TrapViewer AdventNet TrapViewer displaying received trapsGeneric Type TimeStampEnterprise Speciﬁc TypeStandard Snmp version 1 traps Snmp interface traps 281 Sntp client conﬁguration Sntp client conﬁguration task list Unicast anycast multicast Deﬁning Sntp client operating modeSelecting Sntp time servers Deﬁning Sntp local UDP port Example Disabling the Sntp client operation Enabling and disabling the Sntp clientExample Enabling the Sntp client operation Deﬁning Sntp client poll intervalName #show clock local Deﬁning Sntp client constant offset to GMTDeﬁning the Sntp client anycast address Displays the local time, UTC and the offset of the localNodecfg#sntp-client anycast-address ip Example Enabling the Sntp client root delay compensationEnabling and disabling local clock offset compensation Example Showing Sntp client related information Example Disabling the Sntp client root delay compensationShowing Sntp client related information Debugging Sntp client operationNist Internet time service Recommended public Sntp time servers291 Dhcp conﬁguration Dhcp configuration DHCP-server and DHCP-client are illustrated in ﬁgure Enable DHCP-client on an IP interfaceDHCP-client conﬁguration tasks Example Enable DHCP-client on an IP interface ‘conﬁgure’ conﬁguration modeRelease or renew a Dhcp lease manually advanced Mode AnyExample Enable Dhcp debug monitor Get debug output from DHCP-clientDHCP-server conﬁguration tasks Conﬁgure DHCP-server proﬁlesNodecfg#proﬁle dhcp-server name Nodepf-dhcpsname#no defaultNodepf-dhcpsname#no netbios Nodepf-dhcpsname#network ipNodepf-dhcpsname#no next-server Use DHCP-server proﬁles and enable the DHCP-serverNodepf-dhcpsname#no bootﬁle boot All ip-addressCheck DHCP-server conﬁguration and status Deﬁne the bootﬁle Option 67 for the DHCP-serverDeﬁne the Tftp server Option 66 for the DHCP-server Get debug output from the DHCP-server Conﬁgure DHCP-relay Create/Modify DHCP-Relay proﬁleEnable/Disable DHCP-Relay Agent DNS conﬁguration Server-ip-address DNS conﬁguration task listEnabling the DNS resolver DNS relay diagram Enabling the DNS relay307 DynDNS conﬁguration DynDNS conﬁguration task list Creating a DynDNS account Conﬁguring the DNS resolverWord Conﬁguring basic DynDNS settingsConﬁguring the DynDNS server Troubleshooting Conﬁguring advanced DynDNS settings optionalMode DynDNS Deﬁning a mail exchanger for your hostname312 PPP conﬁguration 314 Nodeif-ipname#point-to-point PPP conﬁguration task listCreating an IP interface for PPP Nodeif-ipname#ipaddress dhcp Nodeif-ipname# no tcp adjust-mssNodeif-ipname#ipaddress Nodeif-ipname# ipaddress ip-addressNodeif-ipname#use proﬁle napt name Disable interface IP address auto-conﬁguration from PPPCreating a PPP subscriber Nodecfg # subscriber ppp nameChap pap chappap Optional outboundinbound user passwordNodesubscrname# dial inout Nodesubscrname# no identiﬁcationTrigger forced reconnect of PPP sessions using a timer Conﬁguring a PPPoE sessionTor AC-Name Creating a PPP proﬁle Case authentication is requiredConﬁguring PPP over a Hdlc Link Optional ﬁleNodepf-pppname#mtu min min max DefaultNodecfg #no proﬁle ppp name Nodepf-pppname#mru min min maxConﬁguring the local and remote PPP Mrru Min max max defaultDefault Name pf-ppp proﬁle# mrru minDisplaying PPP conﬁguration information Example Display PPP subscriber conﬁguration informationExample Display a PPP proﬁle Debugging PPPNodecfg #show pppoe name Nodecfg #show ppp links levelNodecfg #show ppp networks level Nodecfg #show port interface nameExample Display PPP link information LCPExample Display PPP network protocol information Example Display PPPoE informationSample conﬁgurations Without authentication, encapsulation multi, with NaptWith authentication, encapsulation PPPoE PPP over Ethernet PPPoEPPP over a Hdlc Link Serial Port Without authentication, numbered interfaceWith authentication, unnumbered interface PPP over a Hdlc Link E1T1 PortPPP Dial-up over Isdn PPP DialerCreate a dialer Following command creates a new PPP dialer Mode context csDial-up and login information for a certain Create outbound destinationsConﬁgure recovery strategy Create inbound destinations CaseE164 Name if-dialerdialer#inboundName inboundprovider#local-e164 Name inboundprovider#remote-e164Example Dial-on demand feature Debug dialer functionalityDial-up Dial-up on demandDial-up nailed Dial if possible, and never drop Mode context ip/interfaceDial-up on monitor CS context overview CS context conﬁguration components CS context conﬁguration task list Planning the CS conﬁgurationRemote ofﬁce in an Enterprise network Conﬁguring general CS settings Conﬁguring the clock sourceMode Operator execution Debugging the clock sourceNode sys#clock-sourceslot-number port-number Conﬁguring call routingSelecting PCM law compression Reference clockCreating and conﬁguring CS interfaces Specify call routingConﬁguring dial tones Conﬁguring voice over IP parametersConﬁguring an H.323 VoIP connection Conﬁguring Isdn portsConﬁguring FXS ports Conﬁguring a SIP VoIP connectionActivating CS context conﬁguration Nodectx-csswitch#show call-router status detail Nodectx-csswitch#show call-router config detailNode ctx-csswitch#debug call-router detail level LevelSmartNode in an Enterprise network Planning the CS context CS ConﬁgurationConﬁguring call routing Conﬁguring general CS settingsFirst we set clock-source to Isdn port 2/3 354 We want to use this proﬁle on our H.323 interfaces Conﬁguring VoIP settingsBecause we need G.723 as codec we enable Dtmf relay Conﬁguring BRI portsActivating the CS context conﬁguration Next we conﬁgure call signalingConﬁguring an H.323 VoIP connection Finally, activate the gateway and CS context TAB-CALLED-NUMBERShowing the running conﬁguration Conﬁguration script for our application looks as follows359 360 361 VPN conﬁguration Authentication EncryptionKey management Transport and tunnel modesPermanent IKE Tunnels Example Create an IPsec transformation proﬁle VPN conﬁguration task listCreating an IPsec transformation proﬁle Creating an IPsec policy proﬁleProcedure To create an IPsec policy proﬁle Mode Conﬁgure Creating/modifying an outgoing ACL proﬁle for IPsec Conﬁguration of an IP interface and the IP router for IPsec Displaying IPsec conﬁguration informationDebugging IPsec Example Display IPsec transformation proﬁlesExample Display IPsec policy proﬁles Example IPsec Debug OutputCreating an Ipsec transform proﬁle Key management IKEMain differences between manual & IKE Ipsec conﬁgurations Creating an Isakmp transform proﬁle Icy shall be used for multiple peers in transport Creating an Isakmp Ipsec policy proﬁleShould be used. Do not specify a peer, if this pol Mode. The peer can either be an IP address or aPolicy matching Creating/modifying an outgoing ACL proﬁle for IpsecConﬁguration of an IP interface and the IP router for Ipsec Sample conﬁguration snippetDebug ike event Debug ike errorUse proﬁle acl WANOut out Performance considerations Encrypted Voice Performance considerationsEnabling RTP encryption support Mode Context ip /interface if-name IPsec tunnel, DES encryption SmartNode conﬁgurationCisco router conﬁguration 379 380 CS interface conﬁguration CS interface conﬁguration task list CS interfaces on the CS contextNodeif-typeif-name#exit Examples Create CS interfaces and delete anotherNodeif-typeif-name#… 384 Table table-name Service service-name Nodeif- typeif-name #exitConﬁguring the interface mapping tables And/or Table in table-nameThat shall be applied to all call properties Speciﬁed directionIncoming call passing an interface mapping table Conﬁguring the precall service tables Call passing an input and an output mapping tableSupplementary service invocation command Supplementary service invocation commandsNumber to command Repeat to add other special number mapIsdn interface conﬁguration Isdn interface conﬁguration task list Isdn interfaces on the CS contextNodeif-isdn if-name#no use proﬁle Conﬁguring Dtmf dialing optionalConﬁguring an alternate Pstn proﬁle optional Deﬁnes an alternate Pstn proﬁle to be used forConﬁguring call waiting optional Name if-isdn if-name# no call-waiting Disable call-waitingConﬁguring ringback tone on Isdn user-side interfaces Disabling call-waiting on Isdn DSS1 network interfacesConﬁguring date/time publishing to terminals optional Conﬁguring Call-Hold on Isdn interfacesEnabling Display Information Elements on Isdn Ports Sending the connected party number Colp optional Deﬁning the ‘network-type’ in Isdn interfacesHome Office Isdn Advice of Charge support 398 Nodeif-isdnif- name# aoc-d automatic If there is no tariff information from the network forAll calls If there is not charge information from the networkIsdn Network Interface connected to phones Isdn User Interface Connected to a PBX switch etcFollowing table shows an overview of the AOC variants NoChargeAvailableTransmit Direction Mode interface isdn interfaceIsdn DivertingLegInformation2 Facility Receive Direction500 Nodeif-isdn#caller-nameNodeif-isdn#caller-name early-alerting Nodeif-isdn#caller-name ignore Outgoing Isdn call. This feature is disabledBy default AbsenceFXS interface conﬁguration FXS interface conﬁguration task list Conﬁguring a subscriber number recommendedConﬁguring ﬂash hook processing optional Mode Interface FXSConﬁguring caller-ID presentation optional Nameif-fxsname#no subscriberConﬁguring ringing-cadence optional Conﬁguring the Message Waiting Indication feature for FXS Ing-indication stutter-dial-tone Through Stuttered Dial ToneMat bell Frequency-shift keyingMat etsi FXS supplementary services description Call hold Call transferCall waiting Default enabledCall hold TernDrop active call Call waiting reminder ringDrop passive call Call toggleNameif-fxsname#no drop-passive ConferencingCall park PatternFXO interface conﬁguration FXO interfaces on the CS context FXO services description Creating an FXO interfaceNodeif-fxo name # Nodectx-csswitch#interface fxo nameDeleting an FXO interface FXO interface conﬁguration task list FXO off-hook on caller IDNodeif-fxoif-name# Conﬁguring when the digits are dialed optionalNodectx-csswitch#interface fxo if-name Nodeif-fxo if-name#Figuration mode Nodeif-fxoif-name#dial-after dial-tone timeout secondsNodeif-fxo if-name# Nodeif-fxo if-name #ring-number countConﬁguring how to detect a call has disconnected optional Min min-time max max-timeNodeif-fxo if-name#no connect-signal Battery-reversal tax-pulseConﬁguring the destination of the call FXO Mute dialingFXO interface examples RBS interface conﬁguration Conﬁguring an alternate Pstn proﬁle RBS interface conﬁguration task listCreating/Deleting a RBS interface Name Face, the ‘no’ form deletes an existing oneConﬁguring an alternate Tone-Set proﬁle Mode Interface RBSConﬁguring additional disconnect signals Conﬁguring B-Channel allocation strategyConﬁguring number of Rings before Off-Hook Nodeif-rbsif-name#no dial-after dial- tone timeout secondsNode#no debug ccrbs datapath error signaling Conﬁguring ready to dial strategySelected interface Node#show ccrbs call if-name detail levelPrints information about ongoing calls on Node#show ccrbs interface if-name detailInterface conﬁguration Interface conﬁguration task list Binding the interface to an H.323 gateway Examples Deﬁne the IP address of the remote H.323 entityConﬁguring an alternate VoIP proﬁle optional Speciﬁes the information transfer capability to Conﬁguring CLIP/CLIR support optionalNode if- h323 if-name #itc rx 3k1 Node if- h323 if-name #itc tx 3k1Nameif-h323if-name#early-proceeding Enabling ‘early-proceeding’ on H.323 interfacesEnabling the early call connect optional Nameif-h323name#early-connectEnabling the early call disconnect optional Enabling the via address support optionalIng connection should be established Conﬁguring status inquiry settings optionalNodeif-h323if-name# remoteport port AOC-D Support for H.323 Nodeif-h323if-name# no aoc-d emit Mode context cs/interfce h.323 interface-nameNodeif-h323if-name# no aoc-d SIP interface conﬁguration SIP SIP interface conﬁguration task listNodeif-sipif-name# no bind context Binding the interface to a SIP gatewayConﬁgure a remote host Sip-gateway gw-nameNodeif-sipif-name# no remote host Using an alternate VoIP proﬁle OptionalConﬁguring a local host Optional Nodeif-sipif-name# no local hostNodeif-sipif-name#use proﬁle voip Using an alternate SIP proﬁle OptionalUsing an alternate Tone-Set proﬁle Optional Nodeif-sipif-name#use proﬁle sip proMapping call-control properties in SIP headers Conﬁguring early call connect / disconnect OptionalConﬁguring address translation Optional Header Mapping SIP headers to call-control propertiesConﬁguring Isdn Redirecting Number Tunneling Over SIP Updating caller address parameters SIP Diversion Header 450 SIP Refer Transmission & Isdn Explicit Call Transfer support 452 Accept AOC Over SIP OptionalName if-sip interface#no aoc-d Name if-sip interface#no aoc-d emitEnabling the session timer Optional Enabling the SIP penalty-box feature OptionalDefault zero-ip Conﬁgure the SIP hold method OptionalCall router conﬁguration Call router configuration 458 Direct call routing vs. advanced call routing Call router conﬁguration task list Map out the goals for the call routerConﬁgure general call router behavior Enable advanced call routing on circuit interfacesConﬁgure address completion timeout Digit-collection timeout timeout Example Conﬁgure address completion timeoutAddress-completion timeout timeout Digit-collection terminating-char charExample Conﬁgure number preﬁx Procedure To conﬁgure number preﬁx Mode Context CSConﬁgure number preﬁx for Isdn number types National-preﬁx preﬁxConﬁgure call routing tables Create a routing tableCalling-e164 Regular Expressions Example Called party number routing tableCalled party number routing table Symbol Description Digit Collection Digit Collection Variants Example Digit collection of any number Dialed Selected Description Number Entry Calling party number routing table Number type routing tableNumbering plan routing table Name routing table IP address routing tableSmith must be escaped with a backslash \, because Presentation Indicator Routing TableURI routing table Dot . means ‘any character’ in a regular expressionScreening Indicator Routing Table Information transfer capability routing table 478 Day of Week Routing Table Default Any other unhandled case Mode context csTime of day routing table Example Day of week routing tableDeleting routing tables Procedure To delete an entire routing tableNode ctx-cs switch #routing-table Resulting running-conﬁg isConﬁgure mapping tables Node ctx-cs switch #no routing-tableExample Remove an entire routing table Delete the routing table table-nameType Description Input-Type Description Output-Type Sets the display name of the called Mapping table examples Input-type to output-type table-name Example Called and calling party manipulation mapping tableTo E.164 Mapping Tables Away the input-type and output-type486 487 Custom SIP URIs from called-/calling-e164 properties Other mapping tablesEnter the mapping table from which you want to remove an Node ctx-cs switch #mapping-tableDeleting mapping tables Creating complex functions Procedure To delete an entire mapping table Mode Context CSExample Remove an entire mapping table Example Create a complex function Deleting complex functionsSending-Complete Example Remove an entire complex functionDigit collection & sending-complete behavior Ingress interfaceCall-Router 323123# YesTrue Egress Interface Mode context cs / interface sip Complete-indication clearCreating call services Creating a hunt group serviceHunt group service Cause cause Node ctx-cs switch #service huntCall dest-service service-name Call dest-interface interface-nameDefault Behavior Class Cause Hunt Description Group Service Normal EventNo-user-responding Drop original call Unavailable Service orResource Option NotImplemented Invalid MessageProtocol Error Interworking Creating a distribution group service Distribution group serviceDest-service service-name Node ctx-cs switch #service distribuNodesvc-huntservice-name# route call With the ﬁrst conﬁgured destinationsDistribution-Group Min-Concurrent setting Call-router ‘limiter’ servicePriority service ‘Limiter’ service diagramPriority service diagram CS Bridge service-‘VoIP Leased Line’ BridgeBridge services diagram Conﬁguring the service second-dialtone Conﬁguration ExampleDeleting call services Activate the call router conﬁgurationTest the call router conﬁguration Example Create and test a routing table516 Call routing example network 518 CS context and call router elements 520 Conﬁgure partial rerouting Mode context cs/service aaa Mode context cs/interface sipEnable push-back aaa service Call rerouteEnable push-back hunt group service Enable push-back bridge serviceEnable push-back distribution-group service Enable push-back limiter serviceSIP call-router services Entering conference-service conﬁguration mode SIP conference-serviceSIP conference-service conﬁguration task list Name ctx-csswitch#no service sipConﬁguring the conference server SIP location-serviceMode Service SIP conference Ference-server host-name portSIP location-service conﬁguration task list Entering SIP location-service conﬁguration modeConﬁguring multi-contact behavior Binding a location serviceConﬁguring the hunt timeout SecondsTone conﬁguration Tone-set proﬁles Tone conﬁguration task list Conﬁguring call-progress-tone proﬁlesProcedure To conﬁgure a tone-set proﬁle Mode Conﬁgure Conﬁgure tone-set proﬁlesFor which a tone indication can be provided Enable tone-set proﬁleProcedure To assign a tone-set proﬁle to a Pstn interface Node#show proﬁle call-progress-tone Show call-progress-tone and tone-set proﬁlesExample Show tone-set proﬁle Name Ciﬁc with name nameFollowing example shows how to display the tone-set proﬁle 536 FXS port conﬁguration Shutdown and enable FXS ports Netherlands Bind FXS ports to higher layer applicationsConﬁgure country-speciﬁc FXS port parameters Other FXS port parameters Mode IC voice in systemEnter FXS port conﬁguration mode Nodeconﬁg#port fxs slot portExample FXO port conﬁguration Shutdown and enable FXO ports Bind FXO ports to higher layer applicationsNodeconﬁg#port fxo slot port Conﬁgure country speciﬁc FXO port parametersOther FXO port parameters Nodeprt-fxo slot/ port#useEnter FXO port conﬁguration mode Gateway conﬁguration Gateway between IP and CS contexts Gateway conﬁguration task list Mode Gateway H.323Enable the gateway Binding the gateway to an IP interfaceConﬁgure registration authentication service RAS Optional Ery auto gkid Conﬁgure H.235 Security optionalNode gw-h323h323#gatekeeper-discov Procedure To enable H.235 security on H.323 gateway 235 conﬁgurationNode gw-h323h323#h235security master \getcryptopassword h235-password masWord h235-password encrypted Node gw-h323h323#h235security passSignaling message Default setting isCommand show h235-securityshows the current setting Detail debug-levelAdvanced conﬁguration options optional Enabling H.245 TunnelingNodegw-h323h323#h245-tunneling Enables H.245 tunneling Enabling the fastconnect procedureEnabling the early H.245 procedure Nodegw-h323h323#faststart Enables the fastconnect procedureNodegw-h323h323#call-signaling-port Conﬁguring the trafﬁc class for H.323 signalingSetting the response timeout Port Naling connectionsIstration Setting the connect timeoutNal gateway H323 status detail level Nodecfg#debug gateway h323 errorNodecfg#debug gateway h323 signaling Nodecfg#debug gateway h323 tpktchanContext SIP gateway overview Routing Architecture From-URI-Host equal Remote Request-URI-Host equal Local Enter conﬁguration modeContext SIP Gateway conﬁguration task list Creating a context SIP gatewayCreating a transport interface Mode Context SIP GatewayMode Transport Interface Conﬁguring the IP bindingEnabling/disabling the context SIP gateway Binding location servicesConﬁguring a spoofed contact address Show status information TroubleshootingDebug commands Node#show context sip-gateway gwConﬁguration Examples ExampleOutbound Authentication Inbound Authentication Outbound Registration 569 Inbound Registration B2B User Agent with Registered Clients 572 VoIP proﬁle conﬁguration VoIP profile configuration Nodecfg#profile voip name VoIP proﬁle conﬁguration task listCreating a VoIP proﬁle Nodepf-voip name#Conﬁgure codecs Procedure Insert a codec at a speciﬁc position in the list Mode Proﬁle VoIPProcedure Remove a codec from the list Mode Proﬁle VoIP Conﬁguring the Cisco versions of the G.726 codecs Mode VoIP nameConﬁguring the transparent-clearmode codec Conﬁguring RTP payload types DefaultrtpsignalingConﬁguring Dtmf relay Nodepf-voip pf-name#dtmf-relayConﬁguring Cisco NSE for Fax Conﬁguring RTP payload type for transparent-clearmodeConﬁguring RTP payload type for Cisco NSE Nodepf-voip name#rtp payload-type nseConﬁguring the dejitter buffer advanced Jitter and dejitter bufferProcedure Conﬁgure the dejitter buffer AdaptiveEnabling/disabling ﬁlters advanced Max-delayDejitter buffer is allowed to introduce. This setting Is valid for all modesConﬁguring Fax transmission Illustrates the difference between Fax relay and Fax bypassFax relay and Fax bypass Nodepf-voipname#fax dejitter Nodepf-voipname#fax transmisSion bypass g711alaw64k Nodepf-voipname# fax transmisCED retransmission Mode proﬁle voip proﬁle-nameVolume Retransmission numberMethod default v150-vbdnse Default default No-Signal RetransmissionMode proﬁle voip pf-name Fax bypass methodNodepf-voip name#modem trans Modem bypass methodConﬁguring modem transmission Mission bypass g711alaw64kConﬁguring the trafﬁc class for Voice and Fax data Conﬁguring IP-IP codec negotiationHome ofﬁce in an enterprise network Home ofﬁce in an enterprise networkDescription Show the conﬁgured proﬁle Home ofﬁce with faxSoft phone client gateway 595 Disable Dtmf relay Show the conﬁgured proﬁle Pstn proﬁle conﬁguration Pstn proﬁle conﬁguration task list Creating a Pstn proﬁleProcedure Conﬁgure voice output gain Conﬁguring the echo cancellerProcedure Disable echo cancellation Mode Proﬁle Pstn Conﬁguring output gain600 SIP proﬁle conﬁguration Mapping from a SIP disconnect cause Entering the conﬁguration mode for a SIP proﬁleSIP proﬁle conﬁguration task list Namecfg#no profile name nameMapping to a SIP redirection code Mapping to a SIP causeMapping from a SIP redirection reason Q931-cause to sip-causeAuthentication Service Authentication Service conﬁguration task list Creating an Authentication ServiceCreating credentials Conﬁguring the authentication protocolConﬁguring a Realm Location Service Adding a domain Location Service conﬁguration task listCreating a Location Service Domain ExamplesMode Identity Creating an identityBound Authentication outbound faceAlias Nodeauthout#authenticate authentica Mode Authentication outboundAuthentication inbound face Nodeauthout#authenticate indexNodeauthin#authenticate index Mode Authentication inboundNodeauthin#authenticate authentica Nodeauthin#no authenticate indexMode Registration outbound Registration outbound facePort strict-route Noderegout#proxy host portStrict-route Noderegout#proxy index down posiNodeidentityname# no registration Noderegin# no lifetime default secRegistration inbound face InboundNodecallout#proxy host port Mode Call outboundCall outbound face Nodecallout#proxy index hostCall inbound face Mode Call outboundMode Call inbound Creating an identity group Inheriting from an identity group to an identityConﬁguring the Message Waiting Indication feature for SIP SubscriptionMode Message inbound NotiﬁcationMode Message inbound Message Waiting Indication through Call-Control This conﬁguration example, inheritance is used VoIP debugging Debugging strategy Verifying IP connectivity Following command will disable the ﬁlter completelyFiltering debug monitor output Example Verify IP connectivityUnit#debug ccisdn signaling Debugging call signalingDebugging Isdn signaling Overview Isdn debug monitorsVerify an incoming call Line Verify an outgoing call630 Debug isdn event slot port all layer2 layer3 Isdn layer 2 and 3 can be veriﬁed using a show commandVerify Isdn layer 2 and 3 status Stops Debugging FXS SignalingOverview FXS debug monitors For most verbose outputState to RINGING, that means it has accepted the call Debugging H.323 Signaling Overview H.323 debug monitors635 636 637 Debugging SIP signaling Using SmartWare’s internal call generator Way dejitter Debugging voice dataNo debug media-gate Way control detail levelWay rtp Way switchWay error Way dspHow to submit trouble reports to Patton Check system logs643 Appendix a Terms and deﬁnitions SmartWare architecture terms and deﬁnitions Also releasePression Ory BufferPots Tftp Appendix B Mode summary Mode overview, 1 Mode Overview, 2 Mode Overview, 3 Appendix C Command summary Ebnf syntax Other New Conﬁguration CommandsShow command history Show helpAppendix D Internetworking terms & acronyms Abbreviations NumericDSS1 MSN SAR Appendix E Used IP ports & available voice Codecs Webserver Used IP portsTelnet Available voice codecs