
Avaya BSGX4e Operation Guide (NN47928-502)


Contents

Overview page ... 31
System > Overview > System Information panel ... 32
System > Overview > Shell panel ... 32
System > Overview > System Hardware panel ... 32
Services page ... 33
System > Services > Web Configuration panel ... 34
System > Services > Telnet Configuration panel ... 34
System > Services > SNTP Configuration panel ... 35
System > Services > SSH Configuration panel ... 35
System > Services > DNS Configuration panel ... 36
DNS server sources ... 37
Application scenario: DNS backup configuration ... 38
System > Services > Dynamic DNS Settings ... 39
Configuration ... 39
User accounts page ... 41
Technical reference ... 41
Default configuration ... 42
Passwords ... 43
Configuration ... 43
System > User Accounts > Users tab ... 43
System > User Accounts > Groups tab ... 45
See Figure 44 on page 193 for application scenario examples.

NOTE: A static ARL map assigns a priority to a specific MAC address / LAN port combination. That priority applies regardless of the priority settings made in this section. See Data > Switch > ARL on page 101.

Priority scheduling

After incoming traffic has been classified and sent to the priority queues, the scheduling method determines how those queues are emptied. You can set the BSGX4e to use one of two scheduling methods:

- Weighted Fair Queuing (WFQ): All queues are serviced according to the weight assigned to each queue. The weights of the four queues are HIGHESTQ 8, HIGHQ 4, LOWQ 2, LOWESTQ 1. For every 8 packets sent from the HIGHESTQ queue, 4 packets are sent from the HIGHQ queue, 2 packets from the LOWQ queue and 1 packet from the LOWESTQ queue. Every queue eventually receives service, but every queue can also experience delay.
- Fixed Queuing: All packets are serviced from the highest priority queue first, then the next lower priority queue is serviced, and so on. Lower priority queues can starve, because the traffic load from a higher priority queue can prevent lower priority queues from ever being serviced.

Appendix: Quality of service (QoS) overview

Figure 44: Layer 2 QoS application scenarios (panels: Classify by IEEE CoS bit value; Classify by port; VLANs spanning physical locations)
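The difference between the two scheduling methods is easiest to see by running both over the same backlog. The simulation below is an added example, not code from the Avaya/Nortel guide or the BSGX4e firmware: the queue names and the 8:4:2:1 weights come from the text, while the weighted round-robin realisation of those weights, the packet naming and the backlog fed in are assumptions made for this illustration.

```python
"""Simulate the two BSGX4e layer 2 scheduling methods described above.

Added illustration, not code from the Avaya/Nortel guide.  Queue names and
WFQ weights (HIGHESTQ 8, HIGHQ 4, LOWQ 2, LOWESTQ 1) are taken from the text;
the weighted round-robin realisation and the constructed backlog are
assumptions of this example.
"""
from collections import deque

QUEUES = ("HIGHESTQ", "HIGHQ", "LOWQ", "LOWESTQ")   # highest priority first
WFQ_WEIGHTS = {"HIGHESTQ": 8, "HIGHQ": 4, "LOWQ": 2, "LOWESTQ": 1}


def make_queues(backlog):
    """backlog maps queue name -> number of packets waiting (constructed input)."""
    return {q: deque(f"{q}-{i}" for i in range(backlog.get(q, 0))) for q in QUEUES}


def schedule_wfq(queues, budget):
    """Emit up to `budget` packets using the 8:4:2:1 weighted round robin.

    Each round visits the queues in priority order and takes at most
    WFQ_WEIGHTS[q] packets from each non-empty queue, so every backlogged
    queue is serviced within one round (no starvation), at the cost of delay.
    """
    sent = []
    while len(sent) < budget and any(queues[q] for q in QUEUES):
        for q in QUEUES:
            for _ in range(WFQ_WEIGHTS[q]):
                if not queues[q] or len(sent) >= budget:
                    break
                sent.append(queues[q].popleft())
    return sent


def schedule_fixed(queues, budget):
    """Emit up to `budget` packets, always draining the highest non-empty queue.

    A lower queue is reached only when every higher queue is empty, which is
    exactly the starvation the text warns about.
    """
    sent = []
    while len(sent) < budget:
        for q in QUEUES:
            if queues[q]:
                sent.append(queues[q].popleft())
                break
        else:
            break          # all queues empty
    return sent


def per_queue_counts(sent):
    """Count how many packets each queue got onto the wire."""
    counts = {q: 0 for q in QUEUES}
    for pkt in sent:
        counts[pkt.rsplit("-", 1)[0]] += 1
    return counts


if __name__ == "__main__":
    # Constructed load: every queue holds more than can be sent in one round.
    heavy = {q: 100 for q in QUEUES}
    print("WFQ  :", per_queue_counts(schedule_wfq(make_queues(heavy), 15)))
    print("Fixed:", per_queue_counts(schedule_fixed(make_queues(heavy), 15)))
```

With all four queues saturated, 15 transmit slots under WFQ split exactly 8/4/2/1, while fixed queuing hands all 15 to HIGHESTQ; LOWESTQ only transmits under fixed queuing when the three higher queues are empty.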
Interface choices: eth0 (BSGX4e NAT on by default), ppp n, vif n, vpn n.
NOTE: Do not select eth1 (LAN). This option is to be removed in future releases.
Status: Enable or disable NAT (on/off).

Security > NAT > Policy tab

This tab page defines the NAT policy type and the address and/or port to be translated. If NAT is enabled on an interface but no policy is defined, outbound LAN traffic has its source address translated to the defined WAN address. Fill in the fields as follows (ignore the "range to" fields; they are to be removed in the next release):

Id: The policy ID number. Enter a number, or use "new" to let the Web UI assign one.
Type: Select the type of policy to implement:
- static: Maps one public WAN address to one private LAN address.
- rport (redirect port): Maps the specified address and port of a private LAN address to a public WAN address.
- raddr (redirect address): Maps the specified private LAN address to a public WAN address and port.
Address: The address entered here depends on the policy type selected in the Type field; see Application scenarios on page 136. For redirect policies this is a private address; for static policies this is a public address.
Port: If policy type rport is selected, enter the port number on the address that was entered in the Address field.

Security > NAT > Public tab

This tab page i
This page has three tabs:
- Port tab: where you configure the LAN switch ports.
- Mirror tab: a diagnostic tool where you can mirror one port to another.
- Stats tab: displays port statistics.

Data > Switch > Ports tab

By default every port auto-negotiates speed and duplex mode, flow control is disabled and the port is enabled. You can modify each port's default configuration. A port can be manually configured for:
- a speed of 10Base-T or 100Base-T,
- a duplex mode of half or full duplex, and
- flow control, which provides back pressure (forced collision) in half duplex mode and pause frames in full duplex mode.

NOTE: Flow control must not be enabled if layer 2 QoS is enabled. See QoS page on page 98.

To modify a port's configuration, click the port number in the display to open the properties page, then click Modify to open the configuration page.

Port: Display only. The port being configured.
Speed: The speed and duplex mode:
- Auto: auto-negotiate speed and duplex mode (default)
- 10Half: 10Base-T, half duplex
- 10Full: 10Base-T, full duplex
- 100Half: 100Base-T, half duplex
- 100Full: 100Base-T, full duplex
Enabled: Port is enabled or disabled. Default is yes (enabled).
Flow Ctrl: When enabled, provides back pressure (forced collision) for ha
DNS1: IP address of a DNS server. This value is stored and is then applied as the user settings shown in Table 8.
DNS2: IP address of a DNS server to use if DNS1 is not available. This value is stored and is then applied as the user settings shown in Table 8.
Source: The source of the DNS relay's configuration. Your choices are:
- user: The last server or servers specified for the DNS1 and DNS2 parameters.
- auto: The actual source depends on the choice made here combined with the Source field of the DNS client (page 36).

The next table shows how the DNS client and DNS relay interact to determine the relay's configuration source.

Table 8: Sources for DNS relay configuration

  DNS Relay   DNS Client    Can DHCP/PPP   Did user provide       Source of DNS relay
  Source      Source        provide DNS?   DNS client config?     configuration
  ----------  ------------  -------------  ---------------------  ----------------------------
  user        any or null   -              -                      User settings in DNS Relay
  auto        dhcp or ppp   yes            -                      DHCP or PPP
  auto        dhcp or ppp   no             -                      User settings in DNS Relay
  auto        user          -              yes                    User settings in DNS Client
  auto        user          -              no                     User settings in DNS Relay
  auto        auto          yes            -                      DHCP or PPP
  auto        auto          no             yes                    User settings in DNS Client
  auto        auto          no             no                     User settings in DNS Relay

DNS Relay Sessions and Cache tabs

The Sessions tab shows the DNS sessions currently active in the BSGX4e. The Cache tab shows the history of DNS exchange
Example routing display (columns: Netmask, Gateway, Interface, Status, Type; the destination column is not recoverable here):
  0.0.0.0          172.16.0.1       eth0   Active   Dynamic
  255.0.0.0        127.0.0.1        lo0    Active   Dynamic
  255.255.0.0      172.16.13.149    eth0   Active   Dynamic
  255.255.255.0    192.168.1.1      eth1   Active   Dynamic

Dynamic routes are created automatically when IP interfaces are created or enabled. It is possible to delete dynamic routes, but this is not recommended.

Use the following procedure to create a static route:
1. Click New to open the configuration page.
2. Fill in the fields as follows:
   Destination: Destination IP address and mask for which the route applies. To add a default route to the table, specify the destination as 0.0.0.0 or enter the word "default".
   Gateway: IP address of the gateway. The gateway must be reachable from the BSGX4e. Do not use this field if you specified an interface.
   Interface: Output interface for the route. Do not use this field if you specified a gateway address.

Data > Routing > ARP

The Address Resolution Protocol (ARP) automatically maps IP addresses to hardware (Media Access Control, MAC) addresses. Use the ARP page to create an ARP table entry manually, to delete an entry, to flush the table of all entries, and to configure an ARP proxy.

NOTE: ARP traffic is essential for the maintenance of the ARP table. Therefore the manufacturer r
System > Services > SNTP Configuration panel

You can use the SNTP client to set the time in the BSGX4e automatically. The SNTP client is disabled by default, so the time must be set manually; use the Initial Setup Wizard to do so. Rather than using this client service, you can configure the BSGX4e as an SNTP relay; see Data > Relays > SNTP page on page 83 for the SNTP relay function. SNTP carries no authentication of the time source, and with Source set to auto or dhcp the server address itself is learned from the DHCP server on the WAN, so the time the unit stamps on its logs is only as trustworthy as that path.

Configure the following parameters to enable the SNTP client; click Update when finished.
Enabled: Enables or disables the SNTP client.
Source: Source of the SNTP server configuration (auto, dhcp or user):
- auto: From the DHCP server if possible, otherwise the last user-provided configuration. This is the default.
- dhcp: From the DHCP server. If the DHCP server cannot provide a configuration, the server address is set to 0.0.0.0.
- user: User-provided configuration.
Server 1: IP address or FQDN of an SNTP server.
Server 2: Optional backup IP address or FQDN of an SNTP server.
Server 3: Optional backup IP address or FQDN of an SNTP server.
Server 4: Optional backup IP address or FQDN of an SNTP server.
Gmt Offset: Time zone offset from Greenwich Mean Time (GMT) as <+/-hh:mm>, positive or negative hours and minutes. Default is 00:00.
Sync Interval: Interval in days for re-synchronization of the internal clock to the network time (external clock). Range is 1 to 31. Default is 7.

System > Serv
...address supplied by the DHCP client; domain name supplied by the DHCP client; Source: auto (dhcp).

The default configuration relies on the DHCP client to provide the DNS server addresses. The DHCP client is enabled by default on WAN interfaces that use a dynamic address. For WAN interfaces that use a static address the DHCP client is disabled and you must configure the DNS client manually. See the appropriate section in WAN on page 70 for specifics on WAN configuration.

The BSGX4e also includes a DNS relay feature that can be used to override the DNS client with a specific server address. For more information see Data > Relays > DNS page on page 78.

Configuration

The parameters can be set as follows; click Update when finished.

DNS1: Default is 0.0.0.0 with Source set to auto. Leave blank (0.0.0.0) if Source is set to auto, dhcp or ppp. Enter the IP address of the primary DNS server if Source is set to user.
NOTE: If Source is set to auto, you can enter an address here that is applied if a DHCP or PPP server cannot be found. See Application scenario: DNS backup configuration.
DNS2: A backup server to DNS1. The description for DNS1 also applies here.
Domain: Domain name for the unit. Enter a name if Source is set to user. This value is cleared if Source is set to auto, dhcp or ppp. The DNS client appends the domain to the host name before querying the DNS server. Example: If the specified name is ho
Out Traps: Total SNMP traps generated.
Silent Drops: Total number of inbound PDUs silently dropped.

SSL

This section describes configuring the Secure Sockets Layer (SSL). SSL provides a secure connection to any device contacting the BSGX4e on well-known TCP port 443. This applies primarily to the WAN interface but is also applicable to the LAN interface. Traffic over an SSL connection is encrypted and authenticated to prevent eavesdropping, tampering or forgery.

Figure 8: SSL configuration (System > SSL > Key tab of unit MyUnit, 192.168.1.1: Type rsa, Bits 1024, Status ok)

The BSGX4e has a private SSL key, a certificate signing request (CSR) and a certificate by default. You normally need to create a new key and accompanying certificate only if the security of the existing key has been compromised.

Application notes

The Web UI accommodates one key and one certificate. You cannot delete these in the Web UI. However, you can cause a new key or certificate to be generated by modifying the key or CSR profile:
- If you modify the key profile, a new key is generated and a new CSR is generated.
- If you modify the CSR profile, a new request is generated.
You can also del
(previous option, continued): IP address or domain name.
(routers option): A list of routers on the client's subnet. Enter multiple routers separated by commas, listed in order of preference.
tftp server name: IP address or text. Identifies a TFTP server. Supported by some DHCP clients and required by others.
time offset: Time format in hours and minutes (HH:MM) or in seconds (NNNN). The time offset from Coordinated Universal Time (UTC). Specify time east of UTC as positive and west as negative.
3. Click Update when finished.

System > DHCP Server > Host tab

The configuration parameters on this page are optional. Use them to reserve a specific IP address for a given MAC address and to assign an option group to that address. Click New to open the configuration page. You can modify existing host profiles by clicking the Id number on the display page. You can delete host profiles by activating the check box next to the profile on the display page, then clicking Delete. Fill in the fields as follows; click Update when finished.

Id: A unique identification number. Use "new" or enter a whole number.
MACAddress: The MAC address of the host.
IPAddress: The IP address to assign to this host. The address must be within the subnet defined for the interface.
OptionGroup: Choose an option group from the drop-down list. If you choose a different group than that assigned to the entire interf
SNMP uses a Management Information Base (MIB) database. The MIBs are described in IETF RFC 1213. SNMP traps are supported. The SNMP agent replies only to SNMP version 2c requests. Apart from the system group, which can be configured with write permission, all MIBs are read-only in this version.

The SNMP agent sends the following traps:
- coldStart: The BSGX4e has restarted.
- warmStart: The SNMP agent has restarted.
- linkUp: An interface has become active.
- linkDown: An interface has become inactive.
- authenticationFailure: SNMP authentication has failed, for example when the wrong community name is used.

SNMP traps are sent to port 162; this cannot be changed. Port 161, used by the SNMP agent, must be open in the firewall for SNMP clients to reach the agent. See SNMP security policy on page 127. Because the agent speaks only version 2c, the community name travels in clear text and is the only credential, so the firewall rule for port 161 should admit only the management stations.

Configuration

The SNMP agent is enabled by default but not configured. Traps are disabled by default and no community is configured.

System > SNMP > Agent tab

Click Modify to configure the SNMP agent.
Enabled: Enables the agent (boolean). The agent is initially enabled.
Port: Port on which the agent listens. The default is port 161.
range to: DO NOT USE. This field is removed in the next release.
SysLoc: SNMP system location (sysLocation MIB object): physical location of the hardware.
SysCon: SNMP system contact (sysContact MIB object): contact person for this har
...an SSL key is available. The PEMData field shows the actual CSR in the standard PEM format.

The PEMData field on the Certificates tab page displays the certificate. This can be the self-signed certificate generated by the SSL module, or a certificate signed by an external certificate authority.

System > SSL > Certificates tab

This page is where you designate the certificate as self-signed or import an external certificate. You must have generated a key and a CSR before using this page. If a new key and CSR have been generated, click Modify and then Update to reset this page to its default, which is a self-signed certificate generated by the SSL module.

The only parameter you can set on the configuration page (Modify button) is the Signed field. Your choices are self and NULL:
- The default is self, for a self-signed certificate.
- Select NULL if you have a certificate from an external certificate authority. The certificate must be in PEM format with no header before the BEGIN CERTIFICATE line. Copy the certificate text and paste it into the Certificate text box.
The certificate is checked to ensure it is in the correct PEM format. If the format is incorrect the certificate is rejected, an error message is displayed, and the Status field on the tab page shows "invalid certificate".

Upgrade

Figure 9: System > Upgrade page (System: Status, Overview, Services, Us
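The most common reason an imported certificate is rejected is the "no header before BEGIN CERTIFICATE" rule above: `openssl x509 -text` output, e-mail quoting and CA portals all put text in front of the PEM block. The checker below is an added example, not code from the Avaya/Nortel guide or the unit's SSL module; it reproduces the two format rules the text states (PEM framing, nothing before the BEGIN line) and adds one sanity check of its own, that the decoded body is a single complete DER SEQUENCE. It does not parse X.509 fields, so it will not tell you whether the certificate matches the unit's key; the stand-in DER blob in the sample is constructed and is not a real certificate. Note also that the 1024-bit RSA key shown in Figure 8 is below the 2048-bit minimum public CAs require today, so an externally signed certificate will usually need a new key profile first.

```python
"""Pre-check a certificate before pasting it into System > SSL > Certificates.

Added example, not code from the Avaya/Nortel guide.  Mirrors the format rules
given in the text (PEM block, no text before BEGIN CERTIFICATE) plus an outer
DER length check of this example's own; X.509 contents are not parsed.
"""
import base64
import binascii
import re

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"


def strip_preamble(text):
    """Drop anything before the BEGIN line and after the END line (for example the
    textual dump that `openssl x509 -text` prints), so the paste starts at the PEM block."""
    start = text.find(BEGIN)
    stop = text.find(END, start)
    if start < 0 or stop < 0:
        return text
    return text[start:stop + len(END)] + "\n"


def der_outer_length(der):
    """Parse the outer DER tag and length; return the total encoded length or None.
    Long-form lengths (0x81, 0x82, ...) are handled as real certificates use them."""
    if len(der) < 2 or der[0] != 0x30:       # 0x30 = SEQUENCE
        return None
    first = der[1]
    if first < 0x80:                          # short form
        return 2 + first
    n = first & 0x7F
    if n == 0 or n > 4 or len(der) < 2 + n:
        return None
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def check_pem_certificate(text):
    """Return (ok, reason).  ok is True only if the text satisfies the format rules."""
    lines = text.strip().splitlines()
    if not lines or lines[0].strip() != BEGIN:
        return False, "text before BEGIN CERTIFICATE line or missing header"
    if lines[-1].strip() != END:
        return False, "missing END CERTIFICATE line"
    body = "".join(line.strip() for line in lines[1:-1])
    if not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", body):
        return False, "body is not base64"
    try:
        der = base64.b64decode(body, validate=True)
    except binascii.Error:
        return False, "base64 decode failed"
    total = der_outer_length(der)
    if total is None:
        return False, "decoded data is not a DER SEQUENCE"
    if total != len(der):
        return False, f"DER length {total} does not match {len(der)} bytes decoded"
    return True, "ok"


# Constructed stand-in: a 5-byte DER SEQUENCE { INTEGER 5 }, not a real certificate.
FAKE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x05])
GOOD_PEM = BEGIN + "\n" + base64.b64encode(FAKE_DER).decode() + "\n" + END + "\n"
# What a paste of `openssl x509 -text` output looks like: text before the BEGIN line.
WITH_PREAMBLE = "Certificate:\n    Data:\n        Version: 3\n" + GOOD_PEM

if __name__ == "__main__":
    print(check_pem_certificate(WITH_PREAMBLE))                   # rejected, as the unit would
    print(check_pem_certificate(strip_preamble(WITH_PREAMBLE)))   # (True, 'ok')
```

Run the check on the exact text you intend to paste; if it reports a preamble, pass the text through `strip_preamble` first rather than editing by hand.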
- Any user account that specifies RADIUS or TACACS for remote authentication uses the password from the authentication server. If the server cannot be reached, the password defined in the BSGX4e user account is used instead; because of this fallback, the local password of such an account must be set with the same care as the server-side credential.
- Authentication records are mapped to users by their user account name. Every user account that specifies external authentication must have its own authentication record. Up to twenty authentication records can be referenced.
- Disabling an authentication record suspends authentication for the corresponding user account. This prevents logins by that account until either its authentication record is re-enabled or its authentication method (Auth field) is changed.
- Deleting a user account also deletes its authentication record.
- The clients are compatible with standard RADIUS or TACACS servers.
- TACACS encrypts the body of each packet with the shared key; RADIUS protects only the User-Password attribute and sends the other attributes in clear text. TACACS uses TCP port 49 for transport; RADIUS uses UDP ports 1812 and 1813.
- Client activity is reported in the system log (page 30).

Configuration

Perform the following steps to create a RADIUS or TACACS authentication record.
NOTE: A user account (page 43) must be configured for external authentication before the corresponding authentication record is created.

System > Radius

The Radius page displays existing authentication records and contains the buttons for adding a new record or
- besteffort: Best effort indicates no QoS processing. In this case traffic that exceeds the link rate is discarded.
Committed: Committed upstream bandwidth rate for this quality group, in bps. Do not specify a value if the QG field is BE. The minimum rate is 64000.
NOTE: The sum of the committed rates of all quality groups must not exceed 90% of the specified QoS link rate.
Burst: If Type is car, enter a bandwidth value in bps to allow this group to burst data above the committed rate. Typically the rate is set equal to the QoS link rate. Do not specify a value if the QG field is BE.
IPToS: IP ToS value to be written into each packet assigned to this quality group (decimal 0 to 255). Enter "no" if no ToS value is to be written. If supported by the upstream router, the ToS value can ask the router to minimize delay or cost, or to maximize throughput.
CoS: CoS value to be written into each packet assigned to this quality group (decimal 0 to 7). Enter "no" if no CoS value is to be written. If supported by the upstream router, the CoS value can tell the router that VLAN traffic is to be prioritized as defined by the IEEE 802.1p standard.
DownstreamQoS: Reserves incoming bandwidth for non-TCP traffic. Intended primarily for the voice and control quality groups. See page 118.

Using wizards

The Initial Setup wizard can configure the QoS with common default se
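The constraints above (no rates on a BE group, a 64000 bps floor, burst only for Type car, and the aggregate 90% rule) are easy to violate when several groups are edited separately, and the Web UI validates one page at a time. The validator below is an added example, not code from the Avaya/Nortel guide or the unit; the dict layout of a group, the QG codes other than BE, the Type value other than car and the sample link rate are assumptions made here, and the check that Burst lies between Committed and the link rate is this example's own reading of "burst above the committed rate", not a rule the guide states.

```python
"""Check BSGX4e quality-group definitions against the Group page constraints.

Added example, not code from the Avaya/Nortel guide.  Group dict layout, QG
codes other than BE, Type values other than car and the sample link rate are
assumptions of this example.
"""

MIN_COMMITTED_BPS = 64000          # "The minimum rate is 64000"
COMMITTED_SHARE_MAX = 0.90         # sum of committed rates <= 90% of QoS link rate


def check_group(g, link_rate):
    """Return a list of problems for one quality group (empty list means OK)."""
    problems = []
    name, qg, typ = g["name"], g["QG"], g.get("Type")
    committed, burst = g.get("Committed"), g.get("Burst")
    if qg == "BE":
        # Best effort: no QoS processing, so neither rate may be given.
        if committed is not None:
            problems.append(f"{name}: BE group must not specify Committed")
        if burst is not None:
            problems.append(f"{name}: BE group must not specify Burst")
    else:
        if committed is None:
            problems.append(f"{name}: Committed rate is required")
        elif committed < MIN_COMMITTED_BPS:
            problems.append(f"{name}: Committed {committed} bps below minimum {MIN_COMMITTED_BPS}")
        if burst is not None:
            if typ != "car":
                problems.append(f"{name}: Burst is only valid when Type is car")
            elif committed is not None and burst < committed:
                # Example's own sanity check: a burst rate below Committed cannot "burst above" it.
                problems.append(f"{name}: Burst {burst} bps below Committed {committed}")
            elif burst > link_rate:
                # Example's own sanity check: the text says Burst is typically the link rate.
                problems.append(f"{name}: Burst {burst} bps exceeds link rate {link_rate}")
    tos, cos = g.get("IPToS", "no"), g.get("CoS", "no")
    if tos != "no" and not 0 <= tos <= 255:
        problems.append(f"{name}: IPToS must be 0-255 or no")
    if cos != "no" and not 0 <= cos <= 7:
        problems.append(f"{name}: CoS must be 0-7 or no")
    return problems


def check_groups(groups, link_rate):
    """Validate every group, then the aggregate 90% committed-rate rule."""
    problems = []
    for g in groups:
        problems += check_group(g, link_rate)
    total = sum(g["Committed"] for g in groups
                if g["QG"] != "BE" and g.get("Committed") is not None)
    limit = COMMITTED_SHARE_MAX * link_rate
    if total > limit:
        problems.append(f"sum of committed rates {total} bps exceeds 90% of link rate ({limit:.0f} bps)")
    return problems


# Constructed example: a 1,000,000 bps QoS link with voice, control, data and BE groups.
# The QG codes VO/CO/DA are assumed labels, not values documented in the guide.
LINK_RATE = 1_000_000
SAMPLE_GROUPS = [
    {"name": "voice",   "QG": "VO", "Type": "car", "Committed": 400_000, "Burst": LINK_RATE, "IPToS": 184, "CoS": 5},
    {"name": "control", "QG": "CO", "Type": "car", "Committed": 64_000,  "Burst": LINK_RATE, "IPToS": "no", "CoS": 3},
    {"name": "data",    "QG": "DA", "Type": "car", "Committed": 500_000, "Burst": LINK_RATE},
    {"name": "default", "QG": "BE"},
]

if __name__ == "__main__":
    for p in check_groups(SAMPLE_GROUPS, LINK_RATE):
        print(p)      # every group is valid on its own, but together they commit 964000 bps
```

Each group in the sample passes on its own; only the aggregate check fails, which is exactly the case the per-page Web UI validation cannot catch.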
- synflood: SYN (synchronization) packets are repeatedly sent to every port on the server using fake source IP addresses. SYN flooding can result in denial of service.
- espflood: Encapsulating Security Payload (ESP) flood. An ESP flood sends bad IPsec traffic. Packets are discarded after the threshold rate limit is reached.
- unknownipprotoflood: Floods of IP protocols other than those listed specifically.
- stpflood: Spanning Tree Protocol (STP) flood. An STP flood sends bad STP packets. Packets are discarded after the threshold rate limit is reached.
- cdpflood: Cisco Discovery Protocol (CDP) flood. A CDP flood sends CDP packets at a high rate. Packets are discarded after the threshold rate limit is reached.
- unknowntypeflood: Floods targeting Ethernet types other than ARP, STP and CDP.

IDS flood settings

IDS uses a threshold value in packets per second to detect a flood attack. You can modify the thresholds for the protocols listed in this section. Change a threshold by clicking the name in the Protocol column of the display pane; when the properties page opens, click Modify. The following protocols can be modified:

  Protocol            Default threshold (packets/sec)
  dhcp                10
  dns                 20
  esp                 100
  ike                 100
  mgcp                255
  radius 1            100
  radius 2            100
  rip                 20
  sip                 255
  snmp                300
  sntp                10
  tftp                100
  unknown IP proto    500
  unknown por
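To see what "packets are discarded after the threshold rate limit is reached" means for a given threshold, the simulation below runs a constructed packet stream through per-protocol limits. It is an added example, not code from the Avaya/Nortel guide or the BSGX4e IDS: the default thresholds are the ones listed in the table, but the one-second fixed window used to count packets, the (protocol, timestamp) record format and the sample traffic are assumptions made here; the unit's actual counting algorithm is not described in the text.

```python
"""Per-protocol flood rate limiting with the BSGX4e IDS default thresholds.

Added example, not code from the Avaya/Nortel guide.  Thresholds come from the
IDS flood settings table; the one-second window, the record format and the
constructed traffic are assumptions of this example.
"""
import math

DEFAULT_THRESHOLDS = {          # packets per second, from the IDS flood settings table
    "dhcp": 10, "dns": 20, "esp": 100, "ike": 100, "mgcp": 255,
    "radius1": 100, "radius2": 100, "rip": 20, "sip": 255, "snmp": 300,
    "sntp": 10, "tftp": 100, "unknown_ip_proto": 500,
}


class FloodLimiter:
    """Count packets per protocol in one-second windows and discard the excess."""

    def __init__(self, thresholds=None):
        self.thresholds = dict(DEFAULT_THRESHOLDS if thresholds is None else thresholds)
        self._counts = {}          # (protocol, window) -> packets accepted so far
        self.events = []           # (protocol, window) pairs where a flood was detected

    def admit(self, protocol, timestamp):
        """Return True if the packet is forwarded, False if discarded."""
        limit = self.thresholds.get(protocol)
        if limit is None:
            return True            # protocol has no threshold: never limited
        key = (protocol, math.floor(timestamp))
        n = self._counts.get(key, 0)
        if n >= limit:
            if not self.events or self.events[-1] != key:
                self.events.append(key)   # record the flood once per window
            return False
        self._counts[key] = n + 1
        return True


def run_sample(packets, thresholds=None):
    """Feed (protocol, timestamp) records through the limiter; return a summary."""
    lim = FloodLimiter(thresholds)
    accepted = dropped = 0
    for proto, ts in packets:
        if lim.admit(proto, ts):
            accepted += 1
        else:
            dropped += 1
    return {"accepted": accepted, "dropped": dropped, "floods": list(lim.events)}


# Constructed sample: 25 DNS queries inside one second (over the 20/s default),
# 8 SNTP packets in the same second (under 10/s), and a burst of ICMP, which
# has no entry in the table and is therefore never limited here.
SAMPLE_TRAFFIC = (
    [("dns", 100.0 + i * 0.03) for i in range(25)]
    + [("sntp", 100.0 + i * 0.1) for i in range(8)]
    + [("icmp", 100.5)] * 50
)

if __name__ == "__main__":
    print(run_sample(SAMPLE_TRAFFIC))   # 5 DNS packets dropped, one dns flood event
```

Lowering a threshold below the legitimate rate (for instance dns at 20/s behind a busy LAN) discards real queries just as it discards the attack, so measure normal per-second peaks before tightening the defaults.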
System > User Accounts > Rights tab ... 46
DHCP Server ... 47
Functional characteristics ... 48
Configuration ... 48
System > DHCP Server > Pool tab ... 48
System > DHCP Server > Lease tab ... 49
System > DHCP Server > Option tab ... 49
System > DHCP Server > Host tab ... 52
System > DHCP Server > VendorClass tab ... 52
RADIUS and TACACS ... 53
Technical reference ... 53
Configuration ... 54
System > Radius ... 54
System > TACACS ... 55
SNMP ... 56
Configuration ... 57
System > SNMP > Agent tab ... 57
System > SNMP > Traps tab ... 57
System > SNMP > Community tab ... 57
System > SNMP > Statistics tab ... 58
SSL ... 59
Application notes ... 59
Configuration ... 60
System > SSL > Key tab ... 60
System > SSL > Cert Req tab ...
...page displays existing authentication records and contains the buttons for adding a new record or deleting an existing record.

To configure a TACACS authentication record, click New to open the configuration page. You can modify an existing record by clicking the User name on the display page. You can delete a record by activating the check box next to the profile on the display page, then clicking Delete. Fill in the fields as described here; click Update when finished.

User: The user account to which the authentication record applies. The user account must specify TACACS authentication.
Enabled: Enable or disable the TACACS client. The default is no (disabled).
Server: IP address or FQDN of the TACACS server that the client uses.
Key: Shared key for the client, as determined by the server. If the key includes a space character, enclose the entire value in double quotes.

SNMP

The BSGX4e contains an SNMP agent that allows remote monitoring. The BSGX4e cannot be configured through SNMP in the current version.

Figure 7: SNMP agent configuration (System > SNMP > Agent tab of unit MyUnit, 192.168.1.1: Enabled on; Port 161; SysDesc "BSGX4e HW 4.0.4 SW 2.1.0.00E 0113 Copyright Nortel Networks"; SysLoc "Fremont CA USA"; SysCon "Jane Manager"; SysName "Remote Mgr")
severity levels, 67

T
tagged VLAN, 103
technical support session, 64
Telnet, 34
TFTP relay, 80
ToS (type of service), 100, 192
traps, SNMP, 56

U
unit name, 31
untagged VLAN, 103
user accounts, 41, 43
User Agent: defined, 175; MGCP, 179; SIP, 176
user mode, 22

V
video, 113
virtual interface, 75
VLAN: address range, 73; configuration, 76; LAN ports, 103; number of, 76; QoS, 100, 191; tagged/untagged, 103; virtual interface, 75
VLSM (Variable Length Subnet Mask), 94
Voice Activity Detection, 177, 180
voice, identifying, 195
VoIP: analog devices, 175; gateway, 175
VPN (Virtual Private Network): configuration, 152; description, 147

W
WAN configuration, 70
web server, 34
Web UI: connecting to, 25; introduction, 21; login, 25
Weighted Fair Queuing (WFQ), 192
login problems, 25

M
MAC address: proxy ARP, 89; routing to, 86; static ARP, 88; switch by, 101
max call display, 29
maximum licensed calls, 168, 173
media streams, 161
message destinations, 66
message type and severity, 66
MGCP operational statistics, 174
MIB, 56
mirroring, 97
modem, 175, 177, 180
MOS (Mean Opinion Score), 107
MTU (max transmission unit), 71
Multicasting, 94
multi-line support (MLS), 177
multimedia, 113

N
NAPT (network address port translation), 132
NAT (Network Address Translation), 132
Network Address Translation (NAT): interfaces display, 134; policies, 133; policy configuration, 134; public address, 135
numbering plan, 181

O
Operations Pane, 24

P
packet fragment attacks, 141
packet size, see MTU
password, 43; authentication, 44, 45
PAT (port address translation), 132
permissions, 46
permissions, read/write, 42
Phone port, 162, 175
Phone port gateway, 171
phone, analog, 175
point-to-point tunnel, 147
policing, 194
port mirroring, 97
PPP link, 73; QoS, 121
PPTP, 139, 140
prioritize traffic, 194
priority queues, 191
proxy ARP, 89
PSTN, 162

Q
QoS: ARP, PPP, 121; call bandwidth, 198; control signal, 121, 167, 172; downstream, 118; initial config wizard, 115; Layer 2 and 3, 190; layer 2 LAN, 98; link WAN, 110, 111; media streams, 161; overview, 193; PPTP, 140; quality group, 112
quality class: defined, 194; setting, 114
quality group: associate with, 195; configure, 112; defaults, 116; defined, 1
RFC2833: Enable or disable RFC 2833 for DTMF. Default is yes. RFC 2833 provides out-of-band DTMF event reports. Distortion from compression and decompression can prevent recognition of pure DTMF tones; out-of-band DTMF sends the information in separate RTP packets.
Payload: If RFC 2833 is enabled, the RTP dynamic payload type can be specified. The payload code indicates the payload format per RFC 1889. Range is 96 to 127. Default is 101.
MLS: Disable this feature (off) or specify the method used to invoke a second line or to switch between lines when connected to a multi-line phone or PBX. Default is RFC3264.
- RFC2976: Out-of-band DTMF, signalled using the SIP INFO method.
- RFC3264: In-band DTMF, signals coded within the voice data packets.
If MLS and VAD are both enabled, VAD packets are not transmitted, but received VAD packets are processed.
MPT: If a modem is connected to the FXS port, enables modem pass-through and forces media to G.711 (echo cancellation). Default is off.
Fax: If a fax is connected to the FXS port, enables fax pass-through and either forces media to G.711 with echo cancellation (on) or enables re-negotiation of the codec with the remote party when a fax tone is detected (auto). Default is off.
VAD: Enables Voice Activity Detection (VAD, silence suppression). Default is no. Enabling VAD allows the unit to avoid sending silent RTP packets, thus conserving
System > SSL > Certificates tab ... 61
Upgrade ... 62
System > Upgrade ... 62
Configuration ... 63
System > Configuration > Save/Restore ... 63
Save ... 63
Restore ... 63
License ... 64
Logging information ... 64
System > Logging Info > Logging Destination panel ... 65
System > Logging Info > Counters Info panel ... 65
System > Logging Info > Logging Map panel ... 66
Logging modules ... 67
3 Data pages ... 69
WAN ... 70
Interfaces ... 70
Data > Interfaces > IP page ... 70
IP display panes ... 71
IP configuration ... 71
IP statistics ... 72
VLAN configuration ... 73
Data > Interfaces > PPP ... 73
PPP configuration summary ... 74
Configuring a PPP profile ... 74
Data > Interfaces > VLAN ... 75
Technical reference ... 76
Configuration overview ...
   Note the Interface designator listed on the display page; you need it in Step 3.

2. Configure the IKE pre-shared key (Security > IKE). The key must be identical on both peers:

   Field    Main office        Branch office
   Peer     194.23.7.34        195.178.11.11
   Key      x359QWa78b3112     x359QWa78b3112

3. Configure the vpn n interface as a WAN IP interface (Data > IP Interface):

   Value          Main office            Branch office
   Interface      vpn0 (from Step 1)     vpn0
   IP Addr/Mask   10.10.10.1/24          10.10.10.2/24
   MTU            1500 (default)         1500 (default)
   DHCP client    off (default)          off (default)
   Status         up (default)           up (default)
   Speed          auto (default)         auto (default)

4. Create firewall policies for:
   - LAN > vpn n: all traffic
   - WAN > BSGX4e: security associations (source IP of the peer, UDP dport 500)
   - WAN > BSGX4e: ESP traffic (source IP of the peer, ESP protocol)

   Security > Policy, main office:

   Field         Policy 1    Policy 2       Policy 3
   Index         new         new            new
   From          eth1        eth0           eth0
   To            vpn0        self           self
   Source IP     any         194.23.7.34    194.23.7.34
   (range to)    -           -              -
   Dest IP       any         any            any
   (range to)    -           -              -
   Source port   any         any            any
   (range to)    -           -              -
   Dest port     any         500            any
   (range to)    -           -              -
   Proto         any         udp            esp
   NAT           0           0              0
   QoS ToS       any         any            any
   Sequence      begin       begin          begin
   Action        allow       allow          allow

   Security > Policy, branch office:

   Field         Policy 1    Policy 2       Policy 3
   Index         new         new            new
   From          eth1        eth0           eth0
   To            vpn0        se
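The three main-office policies in Step 4 are narrow on purpose: IKE and ESP are accepted from the configured peer address only, and nothing else reaches the unit itself from the WAN. The model below evaluates sample packets against that policy set so the effect of each field can be checked before the rules go live. It is an added example, not the guide's own code or the unit's policy engine; the packet dict layout, the destination and LAN host addresses in the samples, and the "no-match" result for traffic no policy covers are assumptions made here (the text does not say how the unit treats unmatched traffic). The peer address, interfaces, ports and protocols are the ones in the table above.

```python
"""Model of the main-office firewall policies from the VPN procedure above.

Added example, not code from the Avaya/Nortel guide or the BSGX4e policy
engine.  Policy field values are taken from the Security > Policy table; the
packet layout, sample addresses and the 'no-match' outcome are assumptions of
this example.
"""

ANY = "any"
PEER = "194.23.7.34"     # remote IKE peer from the Security > IKE table (main office column)

# LAN -> vpn0 for everything; WAN -> self only for IKE (UDP 500) and ESP from the peer.
MAIN_OFFICE_POLICIES = [
    {"index": 1, "from": "eth1", "to": "vpn0", "src": ANY,  "dst": ANY, "sport": ANY, "dport": ANY, "proto": ANY,   "action": "allow"},
    {"index": 2, "from": "eth0", "to": "self", "src": PEER, "dst": ANY, "sport": ANY, "dport": 500, "proto": "udp", "action": "allow"},
    {"index": 3, "from": "eth0", "to": "self", "src": PEER, "dst": ANY, "sport": ANY, "dport": ANY, "proto": "esp", "action": "allow"},
]

MATCH_FIELDS = ("from", "to", "src", "dst", "sport", "dport", "proto")


def _field_matches(rule_value, packet_value):
    return rule_value == ANY or rule_value == packet_value


def match_policy(policies, packet):
    """Return the first policy (in sequence order) whose every field matches the
    packet, or None.  `packet` uses the same keys as a policy minus index/action;
    ESP carries no ports, so sport/dport are None for it."""
    for rule in policies:
        if all(_field_matches(rule[k], packet.get(k)) for k in MATCH_FIELDS):
            return rule
    return None


def decide(policies, packet):
    """'allow' or 'deny' from the matching policy, or 'no-match' if none applies."""
    rule = match_policy(policies, packet)
    return rule["action"] if rule else "no-match"


# Constructed packets.  198.51.100.1 stands in for the unit's own WAN address,
# 192.168.1.20 for a LAN host; 10.10.10.2 is the branch vpn0 address from Step 3.
IKE_FROM_PEER = {"from": "eth0", "to": "self", "src": PEER, "dst": "198.51.100.1", "sport": 500, "dport": 500, "proto": "udp"}
IKE_FROM_STRANGER = dict(IKE_FROM_PEER, src="203.0.113.9")
ESP_FROM_PEER = {"from": "eth0", "to": "self", "src": PEER, "dst": "198.51.100.1", "sport": None, "dport": None, "proto": "esp"}
LAN_TO_TUNNEL = {"from": "eth1", "to": "vpn0", "src": "192.168.1.20", "dst": "10.10.10.2", "sport": 40000, "dport": 80, "proto": "tcp"}
WAN_SSH_TO_UNIT = {"from": "eth0", "to": "self", "src": PEER, "dst": "198.51.100.1", "sport": 50000, "dport": 22, "proto": "tcp"}

if __name__ == "__main__":
    for label, pkt in [("IKE from peer", IKE_FROM_PEER), ("IKE from stranger", IKE_FROM_STRANGER),
                       ("ESP from peer", ESP_FROM_PEER), ("LAN to tunnel", LAN_TO_TUNNEL),
                       ("SSH from peer", WAN_SSH_TO_UNIT)]:
        print(f"{label:18} -> {decide(MAIN_OFFICE_POLICIES, pkt)}")
```

Note that the peer is identified by source address alone, which is all the firewall can see before IKE authenticates; the pre-shared key in Step 2 is what actually proves the peer's identity, so it should be long and random rather than a memorable string.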
Data > Switch > Mirror tab ... 97
Data > Switch > Stats tab ... 97
QoS page ... 98
Data > Switch > IEEE tab ... 100
Data > Switch > Port tab ... 100
Data > Switch > ToS tab ... 100
Data > Switch > Settings tab ... 100
Data > Switch > ARL ... 101
Technical reference ... 101
Configuration procedure ... 102
Clearing the table ... 102
Data > Switch > VLAN ... 103
Technical reference ... 103
Configuration procedure ... 104
4 Quality pages ... 105
Calls page ... 106
Quality > Calls > Quality tab ... 107
Quality > Calls > Alarms tab ... 107
Quality > Calls > Analyser tab ... 107
Link page ... 110
Quality > Link > Link tab ... 110
Quality > Link > Stats tab ... 111
Group page ... 112
Quality > Group > Group tab ... 112
Configuring a new quality group ... 114
Using wizards ...
Calls page

Quality > Calls > Quality tab

The Quality tab page is display only and appears as shown in Figure 31 when calls are active in the BSGX4e.

Terminology
EP ID, EP Name: Endpoint (LAN phone) identification number or name.
MOS LQ, MOS CQ, R Fact: Mean Opinion Score, Listening Quality; Mean Opinion Score, Conversation Quality; and R-Factor. These values depend on the codec used and on the level of traffic disruption (for example packet loss, delay and jitter). MOS is measured on a scale of 1 to 5; R-Factor is measured on a scale of 0 to 93.
RTP Rx: Number of RTP packets received from the source.
Loss: Packet loss rate, calculated as (number of packets not received + number of packets received but lost in the jitter buffer) / theoretical number of packets anticipated.
Codec: Codec used by the source. If the codec used is not supported by the Calls Analyser, it is not listed and no voice quality measurement is provided. The following voice codecs are supported by the BSGX4e:
- G.711 u-law (PCMU), 64 Kbps
- G.711 A-law (PCMA)
- G.726 ADPCM, 16/24/32 Kbps
- G.729 class (not 729D or 729E), 8 Kbps
- G.723 class, 5.3/6.3 Kbps

Quality > Calls > Alarms tab

The display on the Alarms page shows the number of alarms in three categories: low quality, excessive burst and excessive delay.

Quality > Calls > Analyser tab

The Analyser page shows the jitter buffer (JB) settings, alarm trigge
If the Phone port has been configured for MGCP, that configuration profile must be deleted before the port can be re-configured for SIP.

Configuration

In the display pane, click New to open the configuration page. If a User Agent has already been defined, click the Port identifier in the display to open the Properties page, then Modify to open the configuration page. To delete an entry, enable the check box next to the port number on the display page, then click Delete. Fill in the fields as follows; click Update when finished.

Port: Enter 1 for the port number. This is the only value accepted.
Name: Name for this User Agent profile.
UserID: User ID of the SIP account (required).
AuthID: Authentication ID of the SIP account.
Password: Authentication password of the SIP account.
Codec1: Most preferred codec and packet time: PCMU_10, PCMU_20, PCMA_10, PCMA_20, G729A_10, G729A_20 or NOTUSED. Default is PCMU_20.
Codec2: Second preferred codec and packet time (same choices as Codec1). Default is PCMA_20.
Codec3: Third preferred codec and packet time (same choices as Codec1). Default is G729A_20.
Codec4: Fourth preferred codec and packet time (same choices as Codec1). Default is NOTUSED.
Menu tree (continued): Pmon, CDP, Netflow, Agent, Filter, Stats, Calls (Current, History), Statistics (IP, TCP, UDP, ICMP).

Operations pane

The following links perform system operations for the current session:

- Log Out: Logs out the user and returns to the log-in screen. Unsaved configuration changes are kept unless the unit restarts.
- Save Changes: Saves configuration changes to nonvolatile memory. When configuration changes are pending, the Save Changes button turns red.
- Factory Defaults: Erases the current configuration stored in memory and restores the original default configuration of the unit.
- Reboot System: Logs out the user and restarts the BSGX4e with the configuration stored in memory. Unsaved configuration changes are discarded and the browser connection to the unit is lost.

Operation pane notes

Configuration changes: Any configuration change you make takes effect immediately when you click an Update or Apply button on the page. Those buttons do not store the change in nonvolatile memory, so unsaved changes are lost if the unit reboots. You must use the Save Changes button for permanent storage.

Reloading defaults: The Factory Defaults button erases any configuration changes you have made and saved into memory. It also resets the eth1 LAN interface to the default address of 192.168.1.1. Added user accounts are erased, leaving the two default a
Possible messages are:

Idle    The analog device is on hook.
OB (Outbound) Calling    The analog device is off hook or a phone number is being dialed.
OB (Outbound) Proceeding    The remote party is ringing.
IB (Inbound) Proceeding    The analog device is ringing.
Disconnecting    The remote party has disconnected.
Connected    The analog device is in communication.

Line 2    This field is populated when the multi-line support option (page 177) is enabled, which it is by default. The messages are the same as for Line 1.

MGCP page

The MGCP User Agent window has three tabbed pages:
- Configuration: parameters of the User Agent port
- Settings: MGCP protocol as it applies to the User Agent
- Status: operational status of the User Agent

Read the section introduction on page 175 for reference.

Voice > User Agent > MGCP > Configuration tab

This page configures the parameters for the User Agent port.

Prerequisites
- You must have an account with an MGCP service provider and have the MGCP session controller configured and operational.
- If the FXS port has been configured for SIP, that configuration profile must be deleted before the port can be re-configured for MGCP.

Configuration

In the display pane, click New to open the configuration page. If a User Agent has already been defined, click the Port identifier in the display to open the Properties page, then Modify to open the configuration page. To delete an en
RFC 4028. The default is 90 seconds. Applicable if SE Enable is yes.
On Hold Timer    Maximum interval (seconds) that the User Agent can be put on hold with no audio or music on hold. If the on-hold timer expires, the call is disconnected. The default is 180 seconds (3 minutes).
No Answer Timer    Maximum interval (seconds) that the User Agent can be ringing without being answered. If the no-answer timer expires, the call is rejected with an assigned reason of either ring timeout or, if the feature is enabled (page 181), call forwarding on no answer. The default is 60 seconds.
End of dial    Whether the hash character (#) indicates the end of the dialed digit string; if it does, the character is stripped from the digit string (yes/no). The default is yes.
Inter-Digit Timeout (secs)    Maximum time allowed (seconds) between the dialing of digits. The default is 3 seconds. When the inter-digit timer expires, the gateway assumes that the digit string is complete and interprets it according to its numbering plan. This timer does not apply to an emergency call: when the gateway receives the emergency number (911), the call is placed immediately.

Voice > User Agent > SIP > Status tab

This page displays the status of the SIP User Agent. The field entries are as follows:

RegStatus    Reports whether the User Agent is correctly registered with the SIP server.
Line 1
added, or modification of an existing account.
Access    Access methods allowed to this user:
  ssh    Secure Shell (SSH)
  Web    Web User Interface (Web UI)
  cli    Command Line Interface (CLI)
  telnet    Remote access through a Telnet session
  ftp    File Transfer Protocol (FTP)
  If you do not select any access methods, the access defined for the groups to which this user is assigned is used. Telnet and FTP carry credentials in cleartext; grant them only where SSH is not an option.
Auth    Internal or external password authentication:
  SHA    Internal authentication (default)
  RADIUS    External authentication (page 53)
  TACACS    External authentication (page 53)
  NOTE: For external authentication you must also configure an authentication client profile. Follow the RADIUS and TACACS page links above.
Group1    Assign the user account to a user group. Group1 is required; all other groups are optional. A user can be assigned to up to five groups. Review the section Rights on page 42 to determine the appropriate group.
Group2-5    Optional additional user groups to which the user account can be assigned. To remove a user from a group, select none for the group parameter.
Password    The password for the user account. The authentication method (Auth field) determines whether the password is authenticated internally by the BSGX4e or externally by a RADIUS or TACACS server. For external authentication you must also configure an authentication client profile; see the links in the Auth field above. You can leave this field
alive messages sent to the MGC server. Enter zero (0) to disable. Default is 0.
EP Timeout    Endpoint timeout interval in seconds. The default is 3600 seconds (one hour). See Endpoint Status Handling on page 174.
Max Calls    Call Admission Control: maximum number of MGCP calls allowed simultaneously. Default is 50. Change this default per your license agreement; the number of allowable calls is defined by your license (BSGX4e: 10 or 30 calls).
Signaling QoS Group    The QoS quality group that protects the MGCP signaling messages. The group must already have been created; see Quality > Group > Group tab on page 112. Select the appropriate group from the drop-down list.

Status tab

This tab page displays the operational status of the MGCP session controller. The fields are self-explanatory. The MGC Server Ready field indicates whether or not the server is active.

Calls tab

This tab page displays statistics on the current call traffic. The fields are mostly self-explanatory. When a call is active, the displayed data includes the A party and B party, the state (outbound or inbound), the protocol, the quality, and the start time and duration of the call.

Endpoints tab

This tab page displays the LAN endpoint devices registered through the MGCP session controller. The fields are mostly self-explanatory. CA Po
and call status on the Calls tab.

- Messages tab: The fields report error data, except for the following, which report normal packet traffic: WanMsgRecvCount, WanMsgProcCount, LanMsgRecvCount, LanMsgProcCount, TotalMsgRxCount, MsgPerSec.
- Calls tab: The section Total outbound calls from LAN applies to calls that originated from LAN endpoints. The section Total inbound calls from WAN applies to calls that originated from the MGCP server. A local call from one LAN endpoint to another is shown twice in the statistics: it is counted both as a LAN outbound call and as a WAN inbound call. This is the case when Direct Media is not enabled.

User agent

NOTE: The User Agent applies only to the BSGX4e.

The BSGX4e can act as a VoIP gateway, allowing analog devices to use either SIP or MGCP. In the BSGX4e this gateway is called a User Agent. The User Agent allows an analog device (phone, modem, or fax machine) to use VoIP as its communication medium. The analog device must be connected to the BSGX4e's Phone (FXS) port. The device connected to the Phone port can be a single analog device, or it can be a gateway device that in turn connects to multiple analog devices.

Dependencies

The SIP or MGCP session controller must be configured before the User Agent is enabled. See the section Session control on page 164. Only one configuration profile is allowed for the User Agent. Co
be protected from packet loss. This is accomplished by protecting them with a QoS quality group. You create a quality group for this feature (see Group page on page 112); the ARP/PPP page is where you assign these functions to that quality group.

Figure 36 ARP/PPP QoS page (Quality > ARP/PPP; tabs ARP and PPP; New, Modify)

For more discussion on control protocols under QoS, see the section Media and control signals on page 196.

NOTE: As an alternative to the manual process described in this section, you can use the Initial Setup Wizard to create a control quality group with the appropriate values and associations. This is described under Using wizards on page 115.

Configuration

This page is where you assign the ARP/PPP control signals to a quality group. However, you must first have created that quality group. The complete process to put control signals under QoS requires the following two steps:

1. Create a quality group as described under Quality > Group > Group tab on page 112. Use the following values:
   Name    <as desired>
   Link    eth0
   QG    A2
   Type    CAR
   Committed    64000
   Burst    200000
   IPToS    no
   COS    no
   DownstreamQoS    yes
2. On either the ARP tab or the PPP tab, click New to open the configuration page. Select the quality group na
blank if you are using external authentication. However, you can create a password here that can be used if the external server cannot be reached. Treat such a fallback password with the same care as an administrator password: it bypasses the central server whenever that server is unreachable.
Inherit    Whether or not the user account inherits access and authentication settings from the groups to which it belongs. Default is yes.
Enabled    Whether or not the user account is enabled. Default is yes.

System > User Accounts > Groups tab

With the Groups tab active on the User Accounts page, click New to create a profile. To modify an existing profile, click the profile name, then click Modify. To remove a group profile, select the check box next to the profile name, then click Delete.

Fill in the fields as follows; click Update when finished.

Name    Name of the new user group to be added, or of the existing user group to be modified.
Access    Access methods allowed to user accounts in this group. A user account uses these access values only if its own access values are not specified and the access values of any preceding groups in its group list are also not specified.
  ssh    Secure Shell
  Web    Web User Interface (Web UI)
  cli    Command Line Interface
  telnet    Telnet
  ftp    File Transfer Protocol
Authorization    Internal or external password authentication. A user account uses the authentication met
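The precedence rule in the Access description (on the Users tab and again here on the Groups tab) is easy to get wrong when an account belongs to several groups, because the first group in the account's list that specifies any Access wins outright; later groups are not merged in. The following is an added example, not Avaya's code, that encodes that rule so you can predict what an account will be allowed before saving it. The field names (Access, Group1..Group5, Inherit, Enabled, none) are the page's; the data structures, the handling of Inherit = no (no group lookup at all) and of a disabled account (no access) are this example's assumptions.

```python
"""Effective access for a BSGX4e user account (System > User Accounts).

Added example, not Avaya's code. Implements the rule stated on the Users and
Groups tabs: the account's own Access wins; otherwise the first group in
Group1..Group5 that specifies Access supplies it. Inherit/Enabled handling
is an assumption.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Iterable, List

ACCESS_METHODS = frozenset({"ssh", "web", "cli", "telnet", "ftp"})


def validate_access(methods: Iterable[str]) -> FrozenSet[str]:
    """Reject anything that is not one of the five access methods on the page."""
    wanted = frozenset(m.lower() for m in methods)
    bad = wanted - ACCESS_METHODS
    if bad:
        raise ValueError(f"unknown access method(s): {sorted(bad)}")
    return wanted


@dataclass
class Group:
    name: str
    access: FrozenSet[str] = frozenset()            # empty = "not specified"


@dataclass
class User:
    name: str
    access: FrozenSet[str] = frozenset()            # empty = "not specified"
    groups: List[str] = field(default_factory=list)  # Group1 first; "none" is skipped
    inherit: bool = True
    enabled: bool = True


def effective_access(user: User, groups: Dict[str, Group]) -> FrozenSet[str]:
    """Return the access methods the unit would grant this account."""
    if not user.enabled:
        return frozenset()
    if user.access:                      # the account's own values take precedence
        return user.access
    if not user.inherit:                 # assumption: no inheritance, nothing to fall back on
        return frozenset()
    if not user.groups or user.groups[0] == "none":
        raise ValueError(f"user {user.name}: Group1 is required")
    for gname in user.groups:            # Group1 .. Group5, in order
        if gname == "none":
            continue
        grp = groups.get(gname)
        if grp is None:
            raise KeyError(f"user {user.name} references missing group {gname}")
        if grp.access:                   # first group that specifies Access wins
            return grp.access
    return frozenset()                   # nobody specified anything


def can_use(user: User, groups: Dict[str, Group], method: str) -> bool:
    return method.lower() in effective_access(user, groups)


if __name__ == "__main__":
    # Constructed groups and account for illustration only.
    groups = {"admins": Group("admins", validate_access({"ssh", "web", "cli"})),
              "ops": Group("ops"),
              "readers": Group("readers", validate_access({"web"}))}
    print(sorted(effective_access(User("alice", groups=["ops", "readers"]), groups)))
```

Note that an account whose Group1 specifies only web never gains ssh from a later group, however privileged that group is; if you want the union, you have to set it on the account itself.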
deleting an existing record. Every authentication record that accesses the same RADIUS server must specify the same field values, except for the User and Secret fields.

To configure a RADIUS authentication record, click New to open the configuration page. You can modify an existing profile by clicking the User name on the display page. You can delete a profile by activating the check box next to the profile on the display page, then clicking Delete. Fill in the fields as described here; click Update when finished.

User    The user account to which the authentication record applies. The user account must specify RADIUS authentication.
Enabled    Enable or disable the RADIUS client. The default is no (disabled).
Automatic    Automatically binds the client to the interface specified in the Interface field. Select yes if DHCP is in use. The default is no (no binding).
Auth    FQDN or IP address of the RADIUS authentication server that the client uses.
Secret    Shared secret the client uses to authenticate itself to the server. RADIUS obscures only the user password with this secret; the rest of the exchange is cleartext. Use a long random value and reach the server only over a trusted path.
Bind    Binding IP address for the client: the IP address of the interface that the server references. Typically this is the IP address of the WAN interface. Specify this value only if DHCP is not in use.
Interface    Physical interface through which RADIUS communicates if the Automatic field is yes (eth0, WAN). To clear the parameter, specify none.

System > TACACS

The TACACS
System > IPsec > IKE > SA tab    152
(entry unreadable)    152
Configuration examples    152

6 Voice pages    159
Media    161
Voice > Media > Settings    161
(entry unreadable)    161
Voice > Media > (entry unreadable)    162
Voice > Media > Local Jitter Buffer    162
Settings tab    162
Stats tab    163
Session control    164
Voice > Session Control > SIP Servers    164
Configuration tab    165
Status tab    166
Voice > Session Control > SIP Control    167
Control tab    167
Status tab    169
Calls tab    169
Endpoints tab    169
Voice > Session Control > SIP Statistics    171
Voice > Session Control > SIP LAN Gateway    171
Voice > Session Control > MGCP Server    171
Configuration tab    172
Status tab    172
Voice > Session Control > MGCP Control    172
Control tab    172
Status tab
of the BSGX4e:
- The SIP domain must be the LAN IP address of the BSGX4e.
- The SIP proxy port must be the one configured as the LAN Rx port in the SIP session controller. See Control tab on page 167.
- No SIP outbound proxy is needed.
- NAT/firewall traversal must be disabled.

Configuration example

For a Cisco SIP phone 7960 (firmware POS3-07-5-00), the following configuration is required (interactive menu or text configuration file):

proxy_register    1 (enabled)
proxy1_address    LAN IP address of the BSGX4e
proxy1_port    LAN Rx port of the SIP session controller
outbound_proxy    <blank>
nat_enabled    0
domain    LAN IP address of the BSGX4e

IP address change

If the IP address of the BSGX4e changes, all SIP registrations expire and all VoIP services stop working. If this happens, you have two choices for remedy:
- Wait for the SIP server to finish its registration process, or
- Manually unregister and re-register your SIP phones.

To force the User Agent to re-register, disable and then re-enable it on the User Agent configuration pages (page 176 for the SIP User Agent, page 179 for the MGCP User Agent).

Voice > Session Control > SIP Statistics

This page shows cumulative operational statistics for SIP signaling control messages on the Messages tab and call status on the Calls tab.

- Messages tab: The fields report error data, except for the following, which report normal packet
one fragment overlaps the offset of another fragment. For example, if the offset of the first fragment is 0 and its length is 800, the offset of the second fragment must be 800. If it is less than 800, the second fragment overlaps the first. This condition might indicate an attack.
- fragoverrun: Triggers when a reassembled fragmented datagram exceeds the declared IP data length or the maximum datagram length. By definition no IP datagram can be larger than 65,535 bytes; systems that try to process larger datagrams can crash. This type of fragmented traffic can indicate a denial-of-service attempt.
- fragtooshort: Triggers when any IP fragment other than the final fragment is less than 400 bytes, indicating that the fragment is likely to be intentionally crafted. Small fragments can be used in DoS attacks or in an attempt to bypass security measures or detection.

Protection against all other anomalies is enabled by default and cannot be disabled. Table 25 lists the other anomalies.

Table 25 Packet anomaly attacks (columns IP, ICMP, TCP, RTP): Version, Length, Header, SSRC ID, fragmentation, TTL (Time to Live), Flags, Checksum, Length, Options

Security > IDS > Protection tab

This page enables or disables protection against flood attacks, scans, and spoofing. These threats can be used in denial-of-service attacks. All protection types are enabled by default. Thi
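The three fragment checks above (fragoverlap, fragoverrun, fragtooshort) are simple enough to state exactly, which is useful when you want to reproduce an IDS log entry from a capture or craft a regression test for the protection setting. The following is an added example, not Avaya's code or the BSGX4e's implementation: the three rules follow the page text (overlap = a fragment starting before the previous one ends, overrun = reassembled size beyond the declared or 65,535-byte maximum, too short = a non-final fragment under 400 bytes). Offsets are expressed in bytes as the page does, and the Fragment record and report format are assumptions.

```python
"""IP fragment anomaly checks of the kind Security > IDS describes.

Added example, not Avaya's code. Rules follow the page text; the fragment
representation (offsets in bytes, as on the page) is an assumption.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional

MAX_DATAGRAM = 65535        # RFC 791 upper bound on total IP datagram length
MIN_FRAGMENT = 400          # page's threshold for fragtooshort (non-final fragments)


@dataclass(frozen=True)
class Fragment:
    ident: int      # IP identification; identical for all pieces of one datagram
    offset: int     # byte offset of this piece's data within the datagram
    length: int     # bytes of IP payload carried by this fragment
    more: bool      # MF flag: True for every fragment except the last


def check_fragments(frags: Iterable[Fragment],
                    declared_len: Optional[int] = None) -> List[str]:
    """Return the IDS anomaly names triggered by one datagram's fragments."""
    pieces = sorted(frags, key=lambda f: f.offset)
    hits: List[str] = []
    if not pieces:
        return hits
    if len({f.ident for f in pieces}) != 1:
        raise ValueError("fragments of more than one datagram were passed together")

    # fragoverlap: a piece must start at or after the end of the previous one.
    end = 0
    for f in pieces:
        if f.offset < end:
            hits.append("fragoverlap")
            break
        end = f.offset + f.length

    # fragoverrun: reassembled size beyond the declared or absolute maximum.
    total = max(f.offset + f.length for f in pieces)
    limit = MAX_DATAGRAM if declared_len is None else min(declared_len, MAX_DATAGRAM)
    if total > limit:
        hits.append("fragoverrun")

    # fragtooshort: any non-final fragment smaller than 400 bytes.
    if any(f.more and f.length < MIN_FRAGMENT for f in pieces):
        hits.append("fragtooshort")
    return hits


if __name__ == "__main__":
    # Constructed fragment sets, not captured traffic.
    benign = [Fragment(1, 0, 800, True), Fragment(1, 800, 800, True),
              Fragment(1, 1600, 200, False)]
    teardrop = [Fragment(2, 0, 800, True), Fragment(2, 700, 800, False)]
    print(check_fragments(benign), check_fragments(teardrop))
```

A gap between fragments (offset greater than the previous end) is not flagged, since that is what an out-of-order or still-arriving datagram looks like; only a backwards offset is overlap.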
page, starting with sequence 1. Its treatment (acceptance or rejection) is determined by the first policy that the packet matches. Therefore the sequential order of firewall policies is important.

You can specify the sequential position of a policy. To do so, use the Sequence parameter on the configuration page to specify the beginning or end of the sequence, or a position within the sequence. Policy sequence numbers are always evenly spaced, so when a new policy is inserted within the sequence, policy sequence numbers might be reassigned. The following example demonstrates the process:

a. Assume that policies with sequence numbers 3 and 5 exist, and a new policy is to be inserted between them.
b. The command specifies 4 as the sequence number of the new policy.
c. However, the new policy is actually created as policy 5, and the existing policies are renumbered as 3 and 7. The new policy sequence (3, 5, 7) allows future policies to be inserted into the sequence.

Default security policies

This section describes the basic set of firewall security policies needed for the WAN interface. The following notes apply to the tables in this section:
- Parameters not shown in the table are populated with any or a null value.
- The From/To fields in the security policies use this terminology: eth0, ppp0 = WAN; eth1, vif n = LAN; self = BSGX4e.

Table 15 shows a summary of the de
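Because sequence numbers are reassigned on insert, scripts that refer to a policy by number can silently start pointing at a different rule. The following is an added example, not Avaya's code, that models the page's behaviour: the 3/5 insert-at-4 case producing 3, 5, 7, plus first-match evaluation so you can see a new rule being shadowed when it lands after a catch-all reject. The spacing of 2 and the choice to keep the first policy's number are assumptions drawn from the page's example; the Sequence keywords begin/end and the packet fields are this example's, and a packet that matches nothing is treated as rejected.

```python
"""Firewall policy ordering on the Security > Policy page.

Added example, not Avaya's code. Reproduces the renumbering the page
describes; STEP, the begin/end keywords and the packet shape are assumptions.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Union

STEP = 2                                    # assumption: spacing seen in the page's example
Packet = Dict[str, object]


@dataclass
class Policy:
    seq: int
    name: str
    action: str                             # "accept" or "reject"
    match: Callable[[Packet], bool]         # predicate over the packet's fields


def insert_policy(policies: List[Policy], name: str, action: str,
                  match: Callable[[Packet], bool],
                  sequence: Union[int, str]) -> List[Policy]:
    """Insert a policy at `sequence` ("begin", "end" or a number) and return the
    evenly renumbered list in evaluation order. Existing objects are not mutated."""
    if action not in ("accept", "reject"):
        raise ValueError(f"bad action {action!r}")
    ordered = sorted(policies, key=lambda p: p.seq)
    if sequence == "begin":
        pos = 0
    elif sequence == "end":
        pos = len(ordered)
    elif isinstance(sequence, int) and sequence >= 1:
        # The first existing policy numbered >= the request is pushed after the new one.
        pos = next((i for i, p in enumerate(ordered) if p.seq >= sequence), len(ordered))
    else:
        raise ValueError(f"bad sequence {sequence!r}")
    base = ordered[0].seq if ordered else 1         # assumption: keep the lowest number
    entries = [(p.name, p.action, p.match) for p in ordered]
    entries.insert(pos, (name, action, match))
    return [Policy(base + STEP * i, n, a, m) for i, (n, a, m) in enumerate(entries)]


def decide(policies: List[Policy], packet: Packet) -> str:
    """First policy (lowest sequence) whose predicate matches decides the packet."""
    for p in sorted(policies, key=lambda p: p.seq):
        if p.match(packet):
            return p.action
    return "reject"                                 # assumption: no match, drop


if __name__ == "__main__":
    # Constructed rule set: allow SSH, then reject everything else.
    rules = [Policy(3, "allow-ssh", "accept", lambda p: p["dport"] == 22),
             Policy(5, "deny-all", "reject", lambda p: True)]
    rip = lambda p: p["proto"] == "udp" and p["dport"] == 520   # RIP responses
    placed = insert_policy(rules, "allow-rip", "accept", rip, 4)
    print([(p.seq, p.name) for p in placed], decide(placed, {"proto": "udp", "dport": 520}))
```

The RIP rule is the one the Data > RIP page says you must add; inserting it with Sequence = end puts it after deny-all, where it never fires, which is the kind of mistake first-match ordering makes easy.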
page, click Modify and enter values as described below.

NOTE: The emergency numbers are set by the country code entered in the System > Overview > System Information panel (page 32). In this software release you cannot override these settings on the Modify page.

LCBMode    Local call backup mode: INT (Integrated Gateway for the Line/FXO port) or LGW (LAN Gateway for a SIP PSTN gateway on the LAN). Only one gateway can be configured. The default is INT.
ECPolice    Emergency call number for police. The default is 911.
ECFire    Emergency call number for fire. The default is 911.
ECAmbulance    Emergency call number for ambulance. The default is 911.
ECMisc    Emergency call number for other services. The default is 911.
OBAccess    Outbound access prefix digit, such as 9 in 9-555-1001. Applies only to hosted PBX service. The default is 9.
AreaCode    Area code of this installation, such as 408 in 408-555-1001.
COPrefix    Central office prefix of this installation, such as 555 in 408-555-1001.
ENLength    Extension number length, such as 4 for the last four digits in 408-555-1001. The default is 4.
ECthroughFXO    Force emergency calls (ECNumber) to be routed through the Line port or gateway in normal mode (that is, not in survival mode). A no setting routes emergency calls through VoIP when in normal mode. Default is yes.

Local call routing

The following example de
place emergency calls.
FIFO    First In, First Out: a queued method for storing and retrieving data.

Appendix 13 Glossary

FQDN    Fully Qualified Domain Name, consisting of host and domains, for example www.yahoo.com. The host is www, the second-level domain is yahoo, and the top-level domain is com.
FTP    File Transfer Protocol: an application-layer protocol that uses TCP and Telnet services to transfer data files between machines or hosts.
FXO    Foreign Exchange Office: provides an interface on a VoIP device to connect to a PSTN.
FXS    Foreign Exchange Station: device interface that connects to an analog device such as a POTS telephone or fax machine.
GoS    Guarantee of Service.
HTTP    Hypertext Transfer Protocol: protocol for transferring files on the Web.
HTTPS    HTTP over SSL: protocol enabling the secured transmission of Web pages.
ICMP    Internet Control Message Protocol: extension of the Internet Protocol (IP) used to generate message and control packets.
IDS    Intrusion Detection System: defends the device from attacks arriving from the WAN.
IKE    Internet Key Exchange: protocol used to negotiate the initial security association between gateways of a VPN tunnel.
IP    Internet Protocol: a packet-based protocol for delivering data across networks.
IPsec    Internet Protocol Security: protocol used to secure VPNs across an IP network.
LAN    Local Area Network.
LCR    Local Call Routing
quality group must be high enough to accommodate those spikes. Therefore, ensure that you have sufficient WAN bandwidth to create the needed high-bandwidth quality group. SIP video is discussed in Group page on page 112.

Call capacity

A common question is how many calls can be supported by a particular BSGX4e model with a given interface type. The call capacity varies with such factors as the interface, encapsulation, codec, and available bandwidth. Table 26 provides a call bandwidth value for the various interfaces of the BSGX4e and the most common codecs.

The available WAN bandwidth can be affected by numerous factors. You need to measure or estimate your effective bandwidth through the BSGX4e and, where applicable, through any modems, switches, or other devices immediately upstream from the BSGX4e. Remember that QoS is limited to 90% of the WAN link rate, and the quality group carrying the call also has a specific bandwidth limit. The calculations in the table include the packet header size for the various interfaces and encapsulation methods.

Table 26 Bandwidth for each call

Model    Interface (link type)    Encapsulation    CODEC    Call size (bps)
F200    Ethernet    Ethernet    G.729, 20 ms    39200
        Ethernet    Ethernet    G.729, 10 ms    70400
        Ethernet    Ethernet    G.711, 20 ms    95200
        Ethernet    Ethernet    G.711, 10 ms    126400
        Ethernet    VLAN    G.729, 20 ms    40800
        Ethernet    VLAN    G.729, 10 ms    73600
        Ethernet    VLAN    G.711
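The table's numbers can be derived rather than looked up, which lets you size a quality group for a codec or link type the table does not list. The following is an added example, not Avaya's code: the per-packet overhead is reconstructed from the table's own values (40 bytes of IP/UDP/RTP headers plus 38 bytes of Ethernet framing: 14-byte header, 4-byte FCS, 8-byte preamble and 12-byte inter-frame gap, with 4 more bytes for a VLAN tag), and the codec rates are G.729 at 8 kbit/s and G.711 at 64 kbit/s. That overhead reproduces all six values in the table exactly, but it is still an assumption about how Avaya computed them. The 90% QoS ceiling is the page's.

```python
"""Per-call bandwidth and call capacity (Appendix 12, Table 26).

Added example, not Avaya's code. Overhead bytes reconstructed from the
table's values (assumption); the 90% QoS ceiling is stated on the page.
"""
from typing import Dict

CODEC_KBPS: Dict[str, int] = {"G.729": 8, "G.711": 64}   # nominal codec bit rates
IP_UDP_RTP = 20 + 8 + 12                                  # bytes of headers per RTP packet
ETHERNET = 14 + 4 + 8 + 12                                # header + FCS + preamble + IFG
ENCAPSULATION: Dict[str, int] = {"Ethernet": ETHERNET, "VLAN": ETHERNET + 4}
QOS_SHARE = 0.9                                           # QoS limited to 90% of link rate


def payload_bytes(codec: str, ptime_ms: int) -> int:
    """Codec payload carried in one packet of `ptime_ms` milliseconds."""
    return CODEC_KBPS[codec] * 1000 * ptime_ms // 8 // 1000


def call_bps(codec: str, ptime_ms: int, encapsulation: str = "Ethernet") -> int:
    """Line rate of one call, headers and framing included (one direction)."""
    if 1000 % ptime_ms:
        raise ValueError("packet time must divide 1000 ms")
    frame = payload_bytes(codec, ptime_ms) + IP_UDP_RTP + ENCAPSULATION[encapsulation]
    packets_per_second = 1000 // ptime_ms
    return frame * 8 * packets_per_second


def max_calls(wan_bps: int, codec: str, ptime_ms: int,
              encapsulation: str = "Ethernet", group_bps: int = 0) -> int:
    """Calls that fit under the QoS ceiling (and under the quality group's own
    limit, if `group_bps` is given)."""
    budget = int(wan_bps * QOS_SHARE)
    if group_bps:
        budget = min(budget, group_bps)
    return budget // call_bps(codec, ptime_ms, encapsulation)


if __name__ == "__main__":
    for codec in ("G.729", "G.711"):
        for ptime in (20, 10):
            print(codec, ptime, "ms", call_bps(codec, ptime), call_bps(codec, ptime, "VLAN"))
    # Constructed 1 Mbit/s uplink: how many G.729 20 ms calls fit?
    print(max_calls(1_000_000, "G.729", 20))
```

Halving the packet time nearly doubles the bandwidth per call because the per-packet overhead (78 bytes) dwarfs a 10-byte G.729 payload; on a constrained uplink the 20 ms setting is the one to leave in place.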
reduces the load on hosts that do not support routing protocols.
- The BSGX4e is installed at the edge of the network and is intended to run NAT. Thus it only listens to RIP messages on its WAN interface or interfaces; it does not support RIP on its LAN interface.
- RIP requires a firewall security policy for incoming messages on port 520. CAUTION: An open port on the WAN interface can be a security risk. Restrict that policy to UDP port 520 from the addresses of your upstream routers rather than from any source.
- RIP broadcasts routing information to its neighboring routers and therefore consumes some bandwidth.

Configuration

The only parameters you can change are starting RIP and selecting the version. On the Daemon tab of the RIP page, click Modify to open the configuration page and change the settings as needed. The Routes tab displays the routes that the RIP daemon has stored.

NOTE: You must create a firewall policy to allow RIP responses into the BSGX4e. See RIP security policy on page 129.

Switch

The LAN switch in the BSGX4e implements a non-blocking switch fabric, enabling packet switching at wire speed over all ports. The switch provides four LAN ports, displayed as 0/1 through 0/4. The switch also has an uplink port, displayed as 0/0. This port is not configurable and is made visible only for diagnostic purposes. Port 0/0 connects the LAN switch to the processing functions of the BSGX4e. Within the BSGX4e, the switch passes traffic from LAN hosts to the LAN switch inte
select a vendor, the session controller formats call ID codes to operate with the switch's multi-line feature. The following softswitches are supported: Broadsoft, Sylantro, and Nortel CS 2000 (selected LG-Nortel phone models 6812 and 6830). Siemens and Other appear as options but are not currently supported; future versions may support Siemens and other vendors. In this release, forking is disabled by default if Siemens or Other is selected.
Enable Forking    Enable or disable forking support. If you select Sylantro as your switch type, you must enable forking. For all other switch types you must disable forking.

Multi-line forking

Multi-line forking is the capability to route an incoming SIP call to multiple phones with the same number at different locations. Examples of this scenario include an engineer with phones at an office desk and a lab station, an executive with multiple offices, or a receptionist who has desks in different locations. Multi-line forking routes an incoming call to all phone locations for these users. Many softswitch vendors offer this feature, but they all employ proprietary designs and implementations.

Forking is managed by the SIP server with which the BSGX4e communicates. The forking parameter should be enabled for those softswitches that specifically support SIP forking. Other softswitches may use a proprietary multi-line function that behaves the same as SIP forking. The forking parameter need not be enab
(SNTP source table, continued: Source entries auto and user for User settings in SNTP Client, User settings in SNTP Relay, and DHCP)

Sessions tab

This page shows the current SNTP sessions active in the BSGX4e.

Relays

Data > Relays > DHCP page

Figure 18 Relay DHCP page (Data > Relays > DHCP: Enabled yes, Server 198.172.54.10, Modify)

The DHCP relay proxies requests from devices on the BSGX4e LAN to a server located on the WAN. To the devices on the LAN the BSGX4e appears as a server; to the server on the WAN the BSGX4e appears as a client. For clarification:
- The BSGX4e has a DHCP client that obtains an IP address for the unit from an external DHCP server. This client is normally enabled on the WAN interface. Optionally, it can also be enabled on the LAN interface.
- The BSGX4e has a DHCP server to provide IP addresses to devices on the LAN. This server is enabled by default.

You must perform these tasks to make the DHCP relay functional:
1. Disable the DHCP server on the LAN interface (DHCP server on page 47).
2. Ensure the DHCP client is not enabled on the LAN interface (Data > Interfaces > IP page on page 70).
3. Disable NAT on the WAN interface (Security > NAT > Interfaces t
show logging internal

To avoid filling the log, which could itself cause a denial of service, IDS reports only one attack for every 04 attacks detected.

Voice ACL

The Access Control List (ACL) is a list of policy entries that determine which LAN endpoints are allowed to place and receive calls, for both SIP and MGCP devices. By default the ACL includes a policy that allows all LAN endpoints to place and receive calls. To deny an endpoint call access, a policy denying access must be added to the ACL.

Figure 40 Voice ACL page (Security > Voice ACL; columns Id, Seq, Epid, Platform, IP, MAC Address, Action, IDs, Software, DeviceId, Type, Stats; default entry: Seq 1, any, any, any, any, allow, Stats 0; New, Delete)

The fields in this display are explained in the configuration instructions below, except for the Stats field, which reports the number of times an endpoint has been matched to this policy.

When an endpoint attempts to place or receive a call, authentication is performed: information about the endpoint is compared with the policy entries in the ACL to determine whether the endpoint is given access. Information about the endpoint is provided by the session controller and, if available, by the Cisco Discovery Protocol (CDP). The session controller provides the MAC address, IP address, signaling type, and endpoint ID. The CDP can
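Since the default ACL is a single allow-all entry and entries are consulted in sequence, a deny entry only takes effect when it is sequenced before that default. The following is an added example, not Avaya's code, that evaluates an endpoint against an ACL the way the page describes: wildcard "any" fields, first match decides, the matched entry's Stats counter increments, and endpoint attributes come from the session controller (endpoint ID, IP, MAC, signaling type) with the platform supplied only when CDP data exists. The IP field accepting a CIDR network, the MAC separator normalisation, treating a missing CDP attribute as "no match" for a specific rule, and denying when no entry matches at all are assumptions; the endpoint names and addresses are constructed.

```python
"""Voice ACL evaluation (Security > Voice ACL).

Added example, not Avaya's code. Matching semantics follow the page;
CIDR support, MAC normalisation and the no-match default are assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class AclPolicy:
    seq: int
    action: str                      # "allow" or "deny"
    epid: str = "any"                # endpoint ID from the session controller
    platform: str = "any"            # from CDP, when the phone advertises it
    ip: str = "any"                  # single address or CIDR network
    mac: str = "any"
    sigtype: str = "any"             # "sip" or "mgcp"
    stats: int = 0                   # times an endpoint matched this entry


@dataclass
class Endpoint:
    epid: str
    ip: str
    mac: str
    sigtype: str
    platform: Optional[str] = None   # None when no CDP information is available


def _norm_mac(mac: str) -> str:
    return "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")


def _match_text(rule: str, value: Optional[str]) -> bool:
    if rule == "any":
        return True
    if value is None:                # specific rule, attribute unknown: cannot match
        return False
    return rule.lower() == value.lower()


def _match_ip(rule: str, addr: str) -> bool:
    if rule == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(rule, strict=False)


def _match_mac(rule: str, mac: str) -> bool:
    return rule == "any" or _norm_mac(rule) == _norm_mac(mac)


def evaluate(acl: List[AclPolicy], ep: Endpoint) -> str:
    """Return the action of the first entry (lowest Seq) matching the endpoint."""
    for p in sorted(acl, key=lambda p: p.seq):
        if (_match_text(p.epid, ep.epid) and _match_text(p.platform, ep.platform)
                and _match_ip(p.ip, ep.ip) and _match_mac(p.mac, ep.mac)
                and _match_text(p.sigtype, ep.sigtype)):
            p.stats += 1
            return p.action
    return "deny"                    # assumption: nothing matched (default entry removed)


if __name__ == "__main__":
    # Constructed ACL: block one MAC ahead of the page's default allow-all entry.
    acl = [AclPolicy(seq=1, action="deny", mac="00:11:22:33:44:55"),
           AclPolicy(seq=2, action="allow")]
    rogue = Endpoint("aaln/1", "192.168.1.20", "00-11-22-33-44-55", "mgcp")
    print(evaluate(acl, rogue), [p.stats for p in acl])
```

The same two entries in the opposite order let the rogue endpoint through, and the deny entry's Stats stays at 0, which is the quickest way to spot a mis-sequenced ACL on the page.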
store this as a user configuration. A warning message displays stating that the changes are applied when Source is user or auto user.
5. Click OK to return to the configuration page. Click Cancel to close the configuration page.

Since Source is left at auto, the user configuration is not activated unless a DHCP or PPP server cannot be located. When this occurs, the DNS Configuration panel displays the user-defined configuration:

DNS Configuration
DNS1    10.10.10.128
DNS2    20.20.20.52
Domain    myplace.com
Source    auto user

System > Services > Dynamic DNS Settings

Attention: Dynamic DNS is not yet supported.

The Dynamic DNS service allows a remote host on the Internet to stay connected to the BSGX4e WAN port. When the BSGX4e is configured with a dynamic IP address on its WAN port, remote hosts cannot stay connected as the address of the BSGX4e changes. Dynamic DNS allows the domain name data held in a name server to be updated in real time. This allows the BSGX4e, servers, and other network devices to use a dynamic IP address but still have a permanent domain name.

NOTE: To use this feature, open an account with a dynamic DNS service and register a host name alias for the BSGX4e with the service provider. Two dynamic DNS services have been qualified for use with the BSGX4e: dyndns.org and no-ip.com. Dynamic DNS is disabled by default.

Configu
the RIP message information to maintain the routes in the RIP table.

Functional characteristics include:
- Routing table entries can be dynamic (automatic) or static (manual). A dynamic ARP entry is automatically configured when an IP interface is created or enabled; it is deleted when the IP interface is removed or disabled. A static ARP entry is manually configured and must be manually deleted.
- Static routes cannot be modified after creation. You must delete the route and re-create it.
- The ARP table only maps IP addresses within the IP subnetwork assigned to the device.
- ARP runs over Ethernet only. It does not run on non-Ethernet interfaces such as PPP, frame relay, or VPN interfaces.
- Each packet contains a destination IP address. If the destination address is within the address range specified for a route, the route is applied to the packet. A default route does not specify a destination address range; instead, it applies to any packet to which no other route applies. The destination address of the default route is entered as 0.0.0.0.

Data > Routing > Routes Table

View dynamic routes and configure static routes in the routing table on this page.

Figure 19 Routing Table page (Data > Routing > Table; Destination entries 0.0.0.0, 127.0.0.0, 172.16.0.0, 192.168.1.0; Delete, New)
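The two rules above (a route applies when the destination falls in its range; the 0.0.0.0 default applies when nothing else does) leave one detail implicit: when two routes both cover an address, the more specific one wins. The following is an added example, not Avaya's code, that models the Routes Table with the four destinations shown in Figure 19, longest-prefix lookup, and the page's rule that a static route is deleted and re-created rather than modified. The prefix lengths (/0, /8, /16, /24), the gateway and interface values, and the duplicate-destination check are assumptions; the figure gives only the destination column.

```python
"""Routing table lookup as described on Data > Routing > Routes Table.

Added example, not Avaya's code. Destinations are the ones in Figure 19;
prefix lengths, gateways and interfaces are assumed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    destination: str        # network in CIDR form; "0.0.0.0/0" is the default route
    gateway: str
    interface: str
    static: bool = False


class RoutingTable:
    def __init__(self, routes: Optional[List[Route]] = None) -> None:
        self.routes: List[Route] = []
        for r in routes or []:
            self.add(r)

    def add(self, route: Route) -> None:
        """Add a route; the page says static routes are never modified in place,
        so a second route to the same destination is refused."""
        ipaddress.ip_network(route.destination, strict=True)   # rejects host bits set
        if any(r.destination == route.destination for r in self.routes):
            raise ValueError(f"route to {route.destination} exists; delete it first")
        self.routes.append(route)

    def delete(self, destination: str) -> None:
        remaining = [r for r in self.routes if r.destination != destination]
        if len(remaining) == len(self.routes):
            raise KeyError(destination)
        self.routes = remaining

    def lookup(self, dst: str) -> Optional[Route]:
        """Most specific route covering `dst`; the /0 default route only wins
        when no narrower route matches. None means the packet is unroutable."""
        addr = ipaddress.ip_address(dst)
        best, best_len = None, -1
        for r in self.routes:
            net = ipaddress.ip_network(r.destination)
            if addr in net and net.prefixlen > best_len:
                best, best_len = r, net.prefixlen
        return best


if __name__ == "__main__":
    table = RoutingTable([Route("0.0.0.0/0", "10.0.0.1", "eth0"),
                          Route("127.0.0.0/8", "0.0.0.0", "lo"),
                          Route("172.16.0.0/16", "0.0.0.0", "eth0"),
                          Route("192.168.1.0/24", "0.0.0.0", "eth1")])
    for dst in ("192.168.1.77", "172.16.9.9", "8.8.8.8"):
        print(dst, "->", table.lookup(dst))
```

Deleting the default route is the one change that silently turns previously routed traffic into unroutable traffic, which is worth checking with a lookup before you click Save Changes.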
the key. When key generation starts, the key used by the SSL server is deleted, and a new SSL connection cannot be created until a new key is available. When key generation completes, the key used by the SSL server is set to the newly generated key. New SSL connections can then be created.

To generate a new key, click the Modify button on the Keys tab page and change the Bits parameter (the only parameter you can modify). Modifying this profile causes a new key to be generated. Alternately, use the CLI command del ssl key rsa.

Type    Type of encryption. The BSGX4e uses only RSA.
Bits    Number of bits in the key: 512, 768, 1024, or 2048. Default is 1024. RSA keys of 512 and 768 bits can be factored with modest resources, and 1024-bit keys are no longer recommended; choose 2048 unless a client cannot handle it.

System > SSL > Cert Reqs tab

This page is where you can create a new Certificate Signing Request (CSR) if needed. A valid key must first be configured. A CSR exists by default; it is an X.509 certificate and is self-signed by the SSL module. To generate a new CSR, modify any of the parameters on this page. Alternately, you can delete the CSR with the CLI command del ssl csr x509, then come back to the Cert Reqs tab and click the Modify and Update buttons to regenerate the default profile. The fields on the CSR configuration page are self-explanatory. Because the default certificate is self-signed, each regeneration changes the fingerprint browsers see; verify the new fingerprint out of band before accepting it.

The Status field on the tab page displays the following:
no key    There is no SSL key.
waiting for key generator    The certificate request is being generated.
ok    Generation is complete.
the next available proxy server. When a higher-priority server becomes available, the session controller switches back to that server. If the current SIP proxy server goes down and no other server is available, the session controller repeatedly attempts to reconnect to the proxy server and resumes call service as soon as the server comes back up.

Inbound servers

The SIP session controller can accept inbound messages from additional SIP servers if those servers are configured in the server profile. A single IP address or a range of addresses can be specified for the IBServer1, IBServer2, and IBServer3 parameters. The firewall is automatically updated to accept SIP messages from the additional inbound servers. Keep these ranges as narrow as possible, since every address listed is granted SIP access through the firewall.

Status tab

The Status tab displays information for all SIP servers. The following status messages are also displayed:
Active: Yes    This server profile is in use.
Mode: DNS SRV    DNS locates the proxies.
Mode: Manual    The proxy servers are specified explicitly.
Proxy1: In use    This proxy is currently in use.
Proxy2: Ready    This proxy is available but is not currently in use.
Proxy3: Down    This proxy is not available but is in an active state.

Voice > Session Control > SIP Control

The Session Control page contains configuration and display tabs for processing VoIP control signals. The page has four tabs:
- Control: configuration parameters for contr
50. ...the opposite order as listed.

Configuration procedure, virtual interface: Perform the following procedure on the Data > Interfaces > VLAN page to create a virtual interface profile for a VLAN. Virtual interfaces are displayed as vif n, where n is 0 through 15. A VLAN cannot be configured on a PPP (pppn) WAN interface.
1. Click New to open the configuration page.
2. Fill in the fields. VID: Specify the VID that was created on the Switch VLAN page (see the NOTE above). This parameter is required. Interface: Physical Ethernet interface on which the virtual interface is configured: eth1 for the LAN interface (default), eth0 for the WAN interface. If eth0 is specified, the WAN port is automatically assigned to the VLAN. Status: Enables the virtual interface (on/off). Default is on. Comment: Optional comment. The comment can be up to 256 characters; if it contains spaces, enclose the string in quotation marks. Special CLI characters, such as <tab>, are not allowed.
3. Proceed to the Data > Interfaces > IP page (page 70) to assign an IP address to the VIF.
To modify an existing profile, click the profile's VID number to open the properties page, then Modify to open the configuration page. To delete a profile: a. Go to the Data > Interfaces > IP page (page 70) and delete the virtual interface (vif) that is associated with the VID to be deleted. The VID/VIF associ...
51. ...the telephone service that the device provides without the assistance of a VoIP call server on the WAN.
Media Access Control; a MAC address is a hardware address that uniquely identifies each network device.
Management Information Base; the hierarchical database used by the Simple Network Management Protocol (SNMP) to describe the particular device being monitored. MIB objects are identified using ASN.1 syntax.
Media Gateway Controller.
Media Gateway Control Protocol.
Network Access Server; a gateway device that acts as the single point of access to a resource. The device references an authentication server to determine if access is granted.
Network Address Translation, also known as Network Address Translator.
Network Time Protocol; see SNTP.
Pulse Code Modulation.
Protocol Monitoring tool available to trace incoming traffic.
Terms defined on this glossary page: PoE, POTS, PPP, PPPoE, PSTN, PVC, QoS, RADIUS, RIP, RTCP, RTP, SA, SC, SFC, SFTP, SHA, SIP, SIP UA, SLIC, SNMP, SNTP, SRV, SSH, SSL, SSP.
PoE: Power over Ethernet; transmission of DC power over an Ethernet cable by carrying power in the unused 4/5 and 7/8 wires. PoE allows devices to be installed at remote locations where there is no external power source.
POTS: Plain Old Telephone Service.
PPP: Point to Point Protocol; protocol used over serial lines to support Internet connections.
PPPoE: PPP protocol over Ethernet; used to connect the WAN interface of the device to a...
52. ...through the WAN or LAN ports. The server supports the HTTP and HTTPS (HTTP over SSL) protocols. The BSGX4e Web server is enabled by default and is configured to use the standard ports: 80 (HTTP) and 443 (HTTPS). The Web UI uses the HTTP port by default. You can disable the server or change the access ports with the Modify button. Click Update when finished. Firewall security policies must allow Web access from the WAN (eth0, ppp0, vif0) terminating in the BSGX4e (self). This requires access for TCP traffic being routed to ports 80 and 443. These security policies already exist by default. If you change the port configuration for the Web server, you must create new security policies.

System > Services > Telnet Configuration panel: Telnet allows access to the BSGX4e through a remote terminal session. This is required to access the CLI. The workstation connected to the BSGX4e (WAN or LAN) must have a Telnet client. The BSGX4e Telnet server is enabled by default and is configured to use the standard port 23. You can disable the server or change the port with the Modify button. Click Update when finished. A firewall security policy must allow Telnet access from the WAN terminating in the BSGX4e (self). This requires access for TCP traffic being routed to port 23. A security policy already exists by default. If you change the port configuration for the Telnet server, you must create a new security policy.
53. ...using an internal FTP client. Default is auto. Server: IP address or FQDN of the TFTP or FTP server. User: User name if downloading files by FTP. Password: Password if downloading files by FTP.

Files tab: All files that you want to cache have to be named specifically. This page is where you specify the files and where you view all existing cached files. The cache can list up to 50 files. To specify files for caching, click New on the Files tab page, fill in the fields as follows, and click Update when finished. To delete an entry, enable the check box next to the Index number on the display page, then click Delete. Index: Enter any number from 1 to 50 that is not already in use. Name: The exact name of the file to be cached.

Data > Relays > SNTP page. Figure 17: Relay SNTP page (screenshot of Data > Relay > SNTP Settings; sample values shown: Enabled on, Source user, Server www.SNTPserver.com, GMT 5 hours). The SNTP relay proxies requests from devices on the BSGX4e LAN to a server located on the WAN. To the devices on the LAN, the BSGX4e appears as a server; to the server on the WAN, the BSGX4e appears as a client. NOTE: To use SNTP relay, devices on the LAN must be configured either th...
54. Figure: System Status page (screenshot of the menu pane and display pane; shows the Current Calls gauge, the System panel with sample values Application (software version), IDS Attacks 458, DHCP Leases 0, Total Calls 750, Uptime 0y 0d 0h 11m 36s, Call Server winsip Connected, the CPU Util graph, the Call Quality History panel (average of last 30 calls), the Routing PPS (Packets Per Second) graph, and a System Log entry: 21:04:06 Firewall denied Id 0 Src 192.168.15.132:40712 Dst 192.168.15.160:14368 Proto UDP If 0). The system status page is display only; there are no configuration items. Descriptions of the panels in the display pane follow.

System > Status > Current Calls panel: This panel is a speedometer-type display that gives a visual indication of the current call load. You can change the scale of the display by setting the maximum calls parameter in the Session Controller, located under the Voice button in the Web UI. The default display is set for 50 calls. See the section Voice > Session Control > SIP Control on page 167 for configuration details. Perform the following steps to set the maximum call limit in either SIP or MGCP protocols: 1. Click the Voice button and navigate to the Session Control section in the menu pane. 2. ...
55. ...1-800-466-7835. Outside North America, go to the following web site to obtain the phone number for your region: www.nortel.com/callus.

Getting help from a specialist by using an Express Routing Code: To access some Nortel Technical Solutions Centers, you can use an Express Routing Code (ERC) to quickly route your call to a specialist in your Nortel product or service. To locate the ERC for your product or service, go to www.nortel.com/erc.

Getting help through a Nortel distributor or reseller: If you purchased a service contract for your Nortel product from a distributor or authorized reseller, contact the technical support staff for that distributor or reseller.

1 WEB UI INTRODUCTION: This chapter describes the layout, organization and navigation features of the BSGX4e Web User Interface (Web UI). The Web UI is a graphical, interactive interface accessible through a Web browser. It allows for interactive administration and monitoring of the BSGX4e functions and is accessed through either the HTTP or HTTPS protocol. For more information about remote Web access, see System > Services > Web Configuration panel on page 34. Use the Web UI to perform various configuration tasks on the BSGX4e. The following list demonstrates some of the common tasks: manage user accou...
56. Default configurations:
- The WAN port is pre-configured with an Ethernet (eth0) interface. NAT is enabled and provides global address translation for outbound sessions initiated from the LAN. The private LAN addresses are translated to the public address of the WAN port. A default firewall policy allows all traffic from LAN (eth1) to WAN (eth0). If you need a VLAN, PPP or VPN for the interface, you must manually configure it and apply NAT.
- Up to 16 NAT public IP addresses can be configured.
- NAT can create a public address that is outside the subnet of the WAN interface.
- The BSGX4e also supports an Application Layer Gateway (ALG), which enables FTP, TFTP or PPTP traffic through the firewall and NAT. See the section ALG on page 139.

Configuration: Configure a NAT profile if you need address and port translation more specific than the default configurations described above. Any such translation requires both a NAT profile and a firewall policy.

Configuration overview: Here are the three basic NAT configurations that you can implement, depending on the Type field on the NAT policy page.
- Inbound Address Translation: The NAT profile maps the private LAN address of the target device to the public address created in the profile. The firewall policy detects inbound traffic destined for the public address and applies the NAT policy to it. This translates the public address to the private add...
57. ...20. Table 14: Packet security processing, 124. Table 15: Default firewall policies, BSGX4e, 126. Table 16: Firewall policies for PPP, 127. Table 17: Firewall policies for VLAN, 127. Table 18: Firewall policies for SNMP, 128. Table 19: Firewall policies for DHCP relay, 128. Table 20: Firewall policies for VPN, 128. Table 21: Security policies for relay, 129. Table 22: Security policy for RIP, 129. Table 23: WAN subnet configuration, 135. Table 24: Protocols for which IDS attack protection applies, 141. Table 25: Packet anomaly attacks, 142. Table 26: Bandwidth for each call, 198.

ABOUT THIS GUIDE: This section provides information about the intended audience for this guide, how this guide is organized, typographical conventions, and how to get help. Introduction: This document describes the operation of the Web User Interface (Web UI) for the BSGX4e model. For a list of all BSGX4e technical documents, see Documentation on page 17. The BSGX4e device is deployed as customer premise equipment and provides a unified solution for voice and data services. BSGX4e is designed for use i...
58. ...20 ms: 96800. VLAN, G.711, 10 ms: 129600. PPPoE, G.729, 20 ms: 42400. PPPoE, G.729, 10 ms: 76800. PPPoE, G.711, 20 ms: 98400. PPPoE, G.711, 10 ms: 132800.

APPENDIX 13 GLOSSARY
3PCC: 3rd Party Call Control.
ACL: Access Control List; policies that determine which LAN endpoints can place and receive calls.
ADC: Analog Digital Converter.
ALG: Application Layer Gateway.
ARL: Address Resolution Logic.
ARP: Address Resolution Protocol; protocol to automatically map IP addresses to hardware (MAC) addresses.
CAC: Call Admission Control.
CDP: Cisco Discovery Protocol.
CLI: Command Line Interface.
CO: Central Office; refers to the connection to the PSTN.
DAC: Digital Analog Converter.
DHCP: Dynamic Host Configuration Protocol; used to assign and manage IP addresses for a network.
DNS: Domain Name Server.
DSP: Digital Signal Processor; a special purpose CPU that provides ultra fast instruction sequences, which are commonly used in math intensive signal processing.
EAC: Endpoint Access Control.
EP: Endpoint; port of a gateway or a phone.
ESH: Endpoint Status Handling; session controller feature that monitors status of LAN endpoints.
ESP: Encapsulated Security Payload; protocol that defines the encrypted packets sent through a VPN tunnel.
Failover: Backup system used to continue operations if the main device goes down. During a power interruption, an analog telephone connected to the device can...
FIFO
59. 3 DATA PAGES: This chapter describes the configuration and status pages available from the Data button on the button bar. The functional topics of the pages are listed in the menu pane of the Web UI window, as shown on the left here (menu items: WAN, Interfaces, VLAN, Relays, DHCP, Routing, Routes Table, Switch, Status, Port, QoS, ARL, VLAN). The Data pages consist of various status and statistics displays and configuration pages related to the WAN and LAN switch interfaces, relayed network services and traffic routing. The Data menu provides the following functions. WAN page (70): Configure the physical parameters of the WAN interface. Interfaces page (70): Configure the various interfaces that can be associated with the WAN and LAN ports. Relays page (78): Configure DNS, TFTP, SNTP and DHCP relays for LAN devices. Routing page (86): Display the ARP table, add static routes, configure proxy ARP, enable the RIP daemon. Switch page (95): Display LAN switch status, configure LAN ports, set up layer 2 QoS, map MAC addresses to ports, configure VLAN on the LAN switch.

WAN: This section is where you configure the BSGX4e network WAN interface. Your choices are: Ethernet (eth0, default), PPP (pppn), VLAN (vifn). The BSGX4e has an eth0 interface configured by default. To modify this interface or to add the other interface types, see the next section, Interfa...
60. ...5 to create the corresponding virtual interface. The VID associates the virtual interface with the VLAN. To modify an existing profile, click the profile's VID number to open the properties page, then Modify to open the configuration page. To delete a profile: a. Go to the Data > Interfaces > IP page (page 70) and delete the virtual interface (vif) that is associated with the VID to be deleted. The VID/VIF association is shown on the page in the next step. b. Go to Data > Interfaces > VLAN (page 75) and delete the VLAN profile associated with the VID. c. On the Data > Switch > VLAN page, enable the check box next to the VID number, then click Delete.

4 QUALITY PAGES: This chapter describes the configuration and status pages available from the Quality button on the button bar. The functional topics of the pages are listed in the menu pane of the Web UI window, as shown on the left here (menu items include Group, Downstream QoS, ARP PPP). The Quality pages consist of various status and statistics displays and configuration pages related to QoS and Downstream QoS. Introduction: The following list summarizes the configuration and status functions on the Quality menu. Calls page (106): Displays various data relating to call quality, call alarms and other performance data. Link page (110): Configures the QoS WAN link. Displays link perfo...
61. ...93; media and control signals, 196; media stream, 161; queues, 191.
R: RAM, 32; read/write permissions, 42; relay services, 78; reload configuration, 24; restore configuration, 63; R-Factor, 107; RIP (Routing Information Protocol), see routing; routing: dynamic and static, 86; intro, 86; RIP, 94; routing table, 87; routing engine, 30; RSA encrypted, 60; RTP ports range, 161; running time, 30, 32.
S: save changes, 24; scan protection, 144; secure gateway, 147; Secure Socket Layer, see SSL; security associations, 147; security policies: constraints, 12; create new, 13; defaults, 126; Initial Configuration Wizard, 127; sequence of, 125; WAN interfaces, 127; security packet processing, 124; server failover, 166; service code, 181; service interruption, 185; services defaults, 33; session controller, 164, 171, 195; severity levels (system log), 67; SIP: operational statistics, 171; server, 164; SIP Data, 113; SIP forking, 168; SIP video, 113; SNMP, 56; SNTP: client, 35; relay, 83; software image, 62; upgrade, 62; spoof attacks, 144; SSH server, 35; SSL: certificate, 61, 205; Certificate Signing Request, 61; intro, 59; key, 59, 60; static IP address, 25; statistics (cumulative): downstream QoS, 120; IP interface, 72; QoS link best effort, 111; quality groups, 116; statistics (instant): call quality, 107; quality groups, 117; status, system overview, 29; subnet, 135; survivability, 30; syslog, 65; system information, 31; system log, 64: destinations, 66; external server, 65...
62. ...A, as described in RFC 4308. It is configured with 3DES encryption and SHA authentication.

Configuration: In the display pane, click New to open the configuration page. Fill in the fields as shown below. Click Update when finished. To modify an existing proposal, click the Name in the display to open the Properties page, then Modify to open the configuration page. The pre-defined VPN-A proposal cannot be modified. To delete an entry, enable the check box next to the policy name on the display page, then click Delete. Name: Enter a unique name for this proposal. Encrypt: Enter an encryption algorithm. For the AES algorithm you can select a key size: 128, 192 or 256 bits. If you select AES without a key size, IPsec uses the smallest key size supported by both peers. Your options are 3DES, AES, AES128, AES192, AES256. The default is 3DES. Authentication: Specify an authentication method. Your options are MD5, SHA.

Security > IPSec > Parameters tab: Define the IPsec parameters for lifetimes of an IPsec security association and the Diffie-Hellman (DH) group to use for session key exchange. The BSGX4e has two pre-defined lifetime parameters. Lifetime: The initial value used for negotiations with the remote host. Maximum Lifetime: The maximum value the BSGX4e accepts during negotiations. Configuration: In the display pane, click Modify t...
63. Addr/Mask 192.168.100.1; MTU 1500 (default); DHCP Client off (default); Status up (default); Speed auto (default).
4. Enable NAT on the vpn0 interface. Security > NAT: Interface vpn1; Status on.
5. Create firewall policies for: LAN > vpn n (all traffic); WAN > BSGX4e for security associations (source IP, UDP dport 500); WAN > BSGX4e for ESP traffic (source IP, ESP prot); VPN > BSGX4e for ICMP protocol (ping).
Security > Policy:
Field        Policy 1  Policy 2        Policy 3        Policy 4
Index        new       new             new             new
From         eth1      eth0            eth0            vpn0
To           vpn0      self            self            self
Source IP    any       10.254.254.254  10.254.254.254  any
(range to)
Dest IP      any       any             any             any
(range to)
Source port  any       any             any             any
(range to)
Dest port    any       500             any             any
(range to)
Proto        any       udp             esp             icmp
NAT          0         0               0               0
QoS ToS      any       any             any             any
Sequence     begin     begin           begin           begin
Action       allow     allow           allow           allow
6. Create a route table entry for vpn0. Data > Routes Table: Destination 0.0.0.0; Gateway not required; Interface vpn0. NOTE: This route with Destination 0.0.0.0 sends all traffic on the tunnel unless the traffic has another explicit route. This also applies to VoIP traffic.

6 VOICE PAGES: This chapter describes configuring the vari...
64. ...Best Effort traffic on the WAN (eth0) link. Statistics for quality groups are on the Quality > Group page, discussed in the next section.

Group page: The Quality > Group page has three tabs. Group: Create and configure the quality groups used in QoS. Stats: Cumulative performance statistics for quality groups. Live: Instantaneous performance statistics for quality groups. Figure 34: Quality group page (screenshot of Quality > QoS Group; columns Name, Link, Class, Type, Committed, Burst, IPTOS, COS, DownstreamQoS; rows shown: appqos, eth0, C3, car, 64000, 400000, no, no, yes; control, eth0, A2, car, 64000, 200000, no, no, yes; voiceqos, eth0, A1, policed, 500000, 0, no, no, yes; Delete and New buttons).

Quality > Group > Group tab: The Group page is where you create and configure the quality groups used in QoS. A quality group guarantees bandwidth for the media assigned to it, and it designates a quality class, which assigns priority. The quality group also enables Downstream QoS, which is discussed on page 118. See also Appendix 12, Quality of service, for a summary of the overall QoS configuration procedure and for a technical description of the QoS implementation in the BSGX4e. Common or recommended quality groups are: VoIP: This is the most common use of QoS. You must create a quality group for the two...
65. ...Center, 18. Getting help from a specialist by using an Express Routing Code, 18. Getting help through a Nortel distributor or reseller, 19.
1 Web UI introduction, 21: Window Components, 22; Button bar, 22; Assistance icons, 22; Menu pane, 23; System button, 23; Data button, 23; Quality button, 23; Security button, 23; Voice button, 23; Monitor button, 23; Operations pane, 24; Display pane, 24; Usage Notes, 25; Browser Requirements, 25; Connecting to the BSGX4e, 25; Notes, 25; Entering numerical data, 26.
2 System pages, 27: Status page, 29; System > Status > Current Calls panel, 29; System > Status > System panel, 30; System > Status > Call Quality History panel, 30; System > Status > Routing PPS panel, 30; System > Status > System Log panel...
66. Configure the SIP or MGCP server. 3. Select that server on the SIP or MGCP control page. 4. Set the Max Calls field on the SIP or MGCP control page.

System > Status > System panel: This panel displays the information shown in the following table. Table 3: System > Status > System panel information. Application: The software version running in the unit. IDS attacks: The number of attempted attacks detected by the Intrusion Detection System. DHCP leases: The number of IP address leases issued when the BSGX4e functions as a DHCP server to LAN devices. Total calls: The cumulative number of calls processed by the BSGX4e during the indicated uptime. Uptime: Cumulative running time since the last bootup. Displayed in years (y), days (d), hours (h), minutes (m) and seconds (s). Call server: The call server (SIP or MGCP) currently configured and the operational status of the connection. Survivability status: If VoIP services are unreachable, the BSGX4e still provides service between IP phones on its LAN and can send some number of calls to the PSTN through the FXO port or an FXO gateway. Connected status: VoIP services are reachable. CPU Util: Graphical presentation of current CPU utilization.

System > Status > Call Quality History panel: Graphical display of call quality, based on the Mean Opinion Score averaged from the last 30 calls. System Sta...
67. ...DHCP has not assigned an IP address to eth0. Otherwise, the columns describe the DHCP lease for the IP address assigned.
- The Speed column reports the current negotiated speed for eth0: FULL100 (100 Mbps full duplex mode), HALF100 (100 Mbps half duplex mode), FULL10 (10 Mbps full duplex mode), HALF10 (10 Mbps half duplex mode).
- The Configured Speed column reports the speed setting in the eth0 configuration: either AUTONEG (auto-negotiation enabled) or a specific speed and duplex mode (FULL100, HALF100, FULL10 or HALF10).

IP configuration: To configure a new interface, click New to open the configuration page. Fill in the fields as shown below. Click Update when finished. To modify an existing interface, click the Inter designator in the display to open the Properties page, then Modify to open the configuration page. To delete an entry, enable the check box next to the Inter designator on the display page, then click Delete. CAUTION: Do not configure a PPP interface as an IP interface. The PPP profile (page 73) creates the ppp0 interface. Interface: Select the interface to be configured. This is applicable to eth n, vif n and vpn n interfaces. IP Addr: You can specify a static address/mask using dotted decimal or CIDR mask notation, for example 192.168.15.33 255.255.255.0 or 192.168.15.33/24. You must disable the DHCP client if you specify a static address on an interface. Virtual interfaces (vifn) and vpnn req...
68. DNS page: The DNS relay proxies requests, such as those required for Web browsing and email, from devices located on the BSGX4e LAN to a server located on the WAN. To a LAN device the BSGX4e appears to be a server; to the WAN server the BSGX4e appears to be a client. Figure 15: Relay DNS page (screenshot of Data > Relay > DNS Settings; sample values shown: Enabled off, DNS1 0.0.0.0, DNS2 0.0.0.0, Source auto). The BSGX4e maintains a cache of successful DNS exchanges. If a DNS request is already in the cache, the BSGX4e can reply to the request without referencing a DNS server. As described below, if the DNS relay configuration source is set to auto, the actual configuration used depends on the settings of the DNS client. See System > Services > DNS Configuration panel on page 36 for DNS client configuration. NOTE: To use DNS relay, devices on the LAN must be configured, either through DHCP server options (see page 49) or manually, with the IP address of the BSGX4e LAN as their DNS server. Settings tab: To configure the DNS relay, click Modify on the Settings tab page, fill in the fields as follows, and click Update when finished. Enabled: Yes to enable. Default is no. yes...
69. ...GX4e interface for which the server supplies addresses. Default is eth1 (LAN). Enabled (1): Enables or disables the DHCP server for the designated interface. Default is enabled. Subnet (1): The subnet that is to be served. Must be a subnet of the interface. Default is 192.168.1.0. Netmask (1): The netmask for the subnet. Default is 255.255.255.0. IP (1): The beginning address for the range of IP addresses that the server can assign to hosts. Must be within the BSGX4e's subnet. Default is 192.168.1.50. Range to (1): The ending address for the range of IP addresses. Default is 192.168.1.250. Broadcast: The broadcast address for the subnet. Default is 192.168.1.255. Lease: The length of the lease. Range is 1 to 7 days. Default is 7. Gateway: The network gateway address. Default is 192.168.1.1. OptionGroup: The name of an option group to be sent to the host. Default is none. (1) These fields are required. All remaining fields are populated with intelligent default values if left blank. These fields can be modified after initial creation.

System > DHCP Server > Lease tab: This is a display-only page that shows the current leases. The Expired field shows an asterisk if the current system time is greater than the end time of the lease. This indicates that the lease has expired. The BSGX4e can accommodate a maximum of 500 leases for all pools.

System > DHCP Server > Option tab: The Option page is where you create...
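The DHCP server fields above carry several consistency rules (the pool subnet must be a subnet of the interface, the IP and range-to addresses must be within that subnet, the lease must be 1 to 7 days). The following is an added example, not code from the guide or from the BSGX4e, that checks a pool definition against those rules before it is entered on the System > DHCP Server page. The DhcpPool class, validate_pool and default_pool are hypothetical helpers; the sample pool reproduces the documented defaults, and the checks that the range excludes the network/broadcast addresses and the gateway are additions beyond what the page states.

```python
"""Validate a DHCP pool against the constraints the guide states for the
System > DHCP Server page. Hypothetical helper, not part of the BSGX4e."""
import ipaddress
from dataclasses import dataclass


@dataclass
class DhcpPool:
    interface_subnet: str  # subnet configured on the serving interface, e.g. "192.168.1.0/24"
    subnet: str            # Subnet field
    netmask: str           # Netmask field
    ip_start: str          # IP field (first assignable address)
    ip_end: str            # Range to field (last assignable address)
    broadcast: str         # Broadcast field
    gateway: str           # Gateway field
    lease_days: int        # Lease field, documented range 1 to 7 days


def validate_pool(pool: DhcpPool) -> list[str]:
    """Return a list of problems found; an empty list means the pool is consistent."""
    problems: list[str] = []
    try:
        iface = ipaddress.ip_network(pool.interface_subnet, strict=False)
        # strict=True rejects a Subnet value with host bits set (e.g. 192.168.1.5/24)
        net = ipaddress.ip_network(f"{pool.subnet}/{pool.netmask}", strict=True)
        start = ipaddress.ip_address(pool.ip_start)
        end = ipaddress.ip_address(pool.ip_end)
        bcast = ipaddress.ip_address(pool.broadcast)
        gw = ipaddress.ip_address(pool.gateway)
    except ValueError as exc:
        return [f"malformed address field: {exc}"]

    # "Must be a subnet of the interface"
    if not net.subnet_of(iface):
        problems.append(f"Subnet {net} is not inside interface subnet {iface}")

    # "Must be within the BSGX4e's subnet": both ends of the assignable range
    for label, addr in (("IP", start), ("range to", end)):
        if addr not in net:
            problems.append(f"{label} {addr} is not inside subnet {net}")
    if start > end:
        problems.append(f"IP {start} is above range to {end}")

    # Added check: the network and broadcast addresses are never handed to hosts
    if start == net.network_address or end == net.broadcast_address:
        problems.append("Range must not include the network or broadcast address")

    if bcast != net.broadcast_address:
        problems.append(f"Broadcast {bcast} should be {net.broadcast_address} for {net}")

    if gw not in net:
        problems.append(f"Gateway {gw} is not inside subnet {net}")
    elif start <= gw <= end:
        # Added check: a gateway inside the pool could be leased to a host
        problems.append(f"Gateway {gw} lies inside the assignable range")

    # "Range is 1 7 days"
    if not 1 <= pool.lease_days <= 7:
        problems.append(f"Lease {pool.lease_days} days is outside the allowed 1 to 7")
    return problems


def default_pool() -> DhcpPool:
    """The documented defaults of the System > DHCP Server page (constructed sample)."""
    return DhcpPool("192.168.1.0/24", "192.168.1.0", "255.255.255.0",
                    "192.168.1.50", "192.168.1.250", "192.168.1.255",
                    "192.168.1.1", 7)


if __name__ == "__main__":
    print("defaults:", validate_pool(default_pool()) or "ok")
    broken = DhcpPool("192.168.1.0/24", "192.168.1.0", "255.255.255.0",
                      "192.168.1.50", "192.168.2.10", "192.168.1.255",
                      "192.168.1.1", 30)
    for problem in validate_pool(broken):
        print("broken:", problem)
```

Running the block prints "ok" for the documented defaults and two findings for the constructed broken pool (its range-to address lies outside 192.168.1.0/24 and its lease exceeds 7 days).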
70. ...HA DH768; 15: BLOWFISH, MD5, DH1024; 16: BLOWFISH, MD5, DH768.

Security > IKE > Policy tab: An IKE policy is a set of security parameters used when negotiating an IKE SA with a remote secure gateway. Sixteen predefined IKE policies are provided, offering every combination of encryption algorithm, hash digest and Diffie-Hellman group available. The IKE policies that the BSGX4e can accept or offer are listed in order of priority. NOTE: To negotiate an IKE SA, the remote gateway must have an IKE policy configured to match one of the local predefined IKE policies. This page is display only. You cannot add to or modify these policies.

Security > IKE > Preshared tab: This page is where you name the preshared key and identify the remote gateway with which the VPN is being established. An IKE preshared key record specifies the preshared key used to encrypt Internet Security Association and Key Management Protocol (ISAKMP) messages. An IKE preshared key record defines the key, similar to a password, used to authenticate a remote secure gateway. ISAKMP differs from other key exchange protocols in that it separates key exchange from security association management and key management exchanges. Every IKE SA negotiation refers to a preshared key record to get the key value shared with the peer, that is, the remote secure gateway. Usually each VPN has its own preshared key record. The same pr...
71. If you are planning to put the PPTP service under QoS management to give priority to VPN traffic, you must create a quality group and a new outbound firewall policy that associates that quality group. See the section Policy on page 125 for creating firewall policies. If you define the firewall policy to capture all PPTP traffic on its well-known port 1723, you capture both the signal and control traffic and route it to the quality group. If you want to prioritize only the control traffic, configure the firewall policy to capture the GRE protocol from any port.

IDS (140): The Intrusion Detection System (IDS) is designed for protection against attacks that are destined for the BSGX4e or its LAN network. The IDS is enabled by default, and it must remain enabled to sustain protection for your local network. Figure 39: IDS page (screenshot of Security > IDS > Anomaly; values shown: fragoverlap yes, fragoverrun yes, fragtooshort yes). IDS inspects all inbound and outbound network traffic and identifies patterns that can indicate system attacks. IDS identifies the following types of attacks.
- Packet anomaly: Protects the unit from abnormal packets that intend to crash the destination. Packet anomalies are configured using the fragoverlap, fragoverrun and fragtooshort commands. See Security > IDS > Anomaly tab on page 141.
- Scan protec...
72. ..., 173; Calls, 173; Endpoints tab, 173; Voice > Session Control > MGCP Statistics, 174.
User agent, 175: Dependencies, 175; SIP page, 176; Voice > User Agent > SIP > Configuration tab, 176; Voice > User Agent > SIP > Settings tab, 178; Voice > User Agent > SIP > Status tab, 179; MGCP pages, 179; Voice > User Agent > MGCP > Configuration tab, 179; Voice > User Agent > MGCP > Settings tab, 180; Voice > User Agent > MGCP > Status tab, 181; Voice > User Agent > Numbering Plan, 181; Configuration, 182; Configuration and application examples, 182.
Local Call routing, 185: Voice > Local Call Routing > Account tab, 185; Configuration, 186; Voice > Local Call Routing > Connection tab, 186; Voice > Local Call Routing > Settings tab, 186.
Appendix 12 Quality of service, 189: Conf...
73.
- Works with static or dynamic WAN IP address assignments, depending on the configuration. The more standard configurations, like that in Configuration example 1, can use a dynamic address. More specialized configurations, like that in Configuration example 2, require a static address.
- Automatically creates dynamic ARP route table entries and firewall security policies as needed. Deleting or disabling a proxy ARP removes the corresponding ARP route table entries and security policy.
- Serves as a proxy for a LAN device in the outbound direction. For the reverse traffic direction, the LAN device must be configured with the BSGX4e as its default gateway. A separate proxy must be configured for inbound and outbound traffic.
- User can create static firewall security policies for existing proxy ARP configuration profiles.
- A proxy can be established for a specific IP address.
- A maximum of 32 proxies can be configured.

Configuration. Terminology: eth0 (WAN interface), eth1 (LAN interface), vifn (virtual interface). In the display pane, click New to open the configuration page. Fill in the fields as shown below. Click Update when finished. To modify an existing entry, click its Id number in the display pane. To delete an existing entry, activate the check box next to the profile on the display page, then click Delete. To configure a new proxy ARP: 1. Navigate to the Data > Rou...
ARP and PPP functions when they contact their external devices. This quality group is associated with these functions on the ARP/PPP configuration page. In the Web UI this association can be viewed at:
- ARP/PPP control signal stream: Quality > ARP/PPP page on page 121

QoS defaults

If the wizard was used with the Default button, the pages under the Quality button in the Web UI display the settings in the following tables. These pages are where you can modify the default settings. Rates are in bits per second (the 64000 committed rate of the control group is the 64 Kbps minimum allocation described in the QoS appendix).

Table 11: QoS link rate defaults (BSGX4e)
Link              Upstream Rate   Downstream Rate
BSGX4e Ethernet   800000          1500000

Table 12: QoS group defaults (BSGX4e)
Name       Link   Quality Class   Policer Type   Committed Rate   Burst Rate   IPToS   COS   Downstream QoS
voiceqos   eth0   A1              strict         500000           0            no      no    yes
control    eth0   A2              CAR            64000            200000       no      no    yes

Quality > Group > Stats

You can view cumulative performance statistics for quality groups on the Stats tab of the Group page. The displayed statistics are as follows:
Packets in: Total number of packets offered to and received by the quality group.
Packets out: Total number of packets forwarded on the primary output. These packets were protected because they arrived within the committed rate.
Downgraded packets: Total number of packets downgraded and forwarded to the Best Effort quality group. This applies only to CAR policing and represen
Glossary (continued)

PPPoE access concentrator.
PSTN: Public Switched Telephone Network.
PVC: Permanent Virtual Circuit.
QoS: Quality of Service; techniques used to assure a given level of performance as measured by the transmission rate and error rates.
RADIUS: Remote Authentication Dial In User Service; a client/server protocol and software that enables remote authentication of users attempting to log in to the unit.
RIP: Routing Information Protocol; protocol for exchanging routing information within a network.
RTCP: Real Time Transport Control Protocol, or RTP Control Protocol.
RTP: Real Time Transport Protocol.
SA: Security Association; used by IKE and IPsec to determine how data is encrypted, decrypted and authenticated by the secure gateways.
Session Controller.
Stateful Flow Controller.
SFTP: Simple File Transfer Protocol; can be used to transfer software upgrades to the device.
Strong password hashing.
SIP: Session Initiation Protocol.
SIP UA: SIP User Agent.
SLIC: Subscriber Line Interface Circuit.
SNMP: Simple Network Management Protocol; protocol to monitor and control devices in a TCP/IP network.
SNTP: Simple Network Time Protocol; an adaptation of the Network Time Protocol (NTP) used to synchronize computer clocks in the Internet.
SRV: DNS record type used to locate services.
SSH: Secure Shell; protocol used to secure remote connections to the unit.
SSL: Secure Socket Layer; protocol used to secure remote connections to the unit.
SIP Signaling Proxy: SIP session controller feature that relays SIP messages between SIP endpoints and SIP server
Figure 23: Proxy ARP, subnet with firewall (recoverable parameters of the figure)

Parameters
From   To     Address
eth0   vif1   1.1.1.2 255.255.255.255
vif1   eth0   1.1.1.0 255.255.255.0
Proxy ARP: 1.1.1.0/24
WAN: eth0; LAN: eth1
vif0: VoIP VLAN, 192.168.3.0/24
vif1: Data VLAN, 192.168.2.0/24
(The physical network and logical network diagrams are not reproduced.)

Data > Routing > RIP

Figure 24: RIP page (Data > Routing > RIP > Daemon: RIP Daemon Started: no; Version: v2)

The BSGX4e performs dynamic routing by enabling RIP (Routing Information Protocol). RIP is a simple routing protocol that is part of the TCP/IP protocol suite. The BSGX4e supports RIP versions 1 and 2. The RIP daemon is disabled by default and must be started manually. When started, it listens for RIP messages on the WAN interface and uses that information to store routes in a table.

Because the daemon accepts route advertisements from the WAN side, start it only where the upstream routers are trusted: a RIP v1 message carries no authentication at all, so any host that can reach the WAN interface could inject routes.

Functional characteristics
- For RIP to be effective, all routers in the network must support RIP version 1 or version 2. Version 2 is recommended.
- RIP v2 supports the RIP v1 capabilities and also provides:
  - Variable Length Subnet Masks (VLSMs)
  - Support for next hop addresses, which allows route optimization in certain environments
  - Multicasting: multicasting instead of broadcasting
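To see what the RIP daemon is actually trusting when it listens on the WAN, the following added example (not code from the BSGX4e guide or from Nortel) decodes a RIP v1/v2 message per RFC 1058 / RFC 2453 and flags the cases a practitioner should check before such a message is allowed to change the routing table: v1 messages (no masks, no authentication), v2 responses with no authentication entry, cleartext simple-password authentication, and default-route advertisements. The messages produced by build_rip() are constructed test input, not captured device output.

```python
"""Added example, not from the BSGX4e guide: decode a RIP v1/v2 message the way the
RIP daemon would receive it on the WAN, and flag what a practitioner should check
before such a message is allowed to change the routing table. Wire format per
RFC 1058 (v1) and RFC 2453 (v2); the authentication entry per RFC 2453 4.1.
The messages built by build_rip() are constructed test input, not device output."""
import ipaddress
import struct

RIP_HEADER = struct.Struct("!BBH")        # command, version, must-be-zero
RIP_ENTRY = struct.Struct("!HH4s4s4sI")   # AFI, route tag, address, mask, next hop, metric
AFI_INET = 2
AFI_AUTH = 0xFFFF
AUTH_SIMPLE = 2                           # cleartext password (RFC 2453 4.1)
COMMANDS = {1: "request", 2: "response"}
INFINITY = 16                             # metric meaning "unreachable"


def classful_prefixlen(address: ipaddress.IPv4Address) -> int:
    """Mask a v1 receiver has to infer, since v1 entries carry none (RFC 1058 3.2)."""
    first_octet = int(address) >> 24
    if first_octet == 0:
        return 0          # 0.0.0.0 is the default route
    if first_octet < 128:
        return 8
    if first_octet < 192:
        return 16
    if first_octet < 224:
        return 24
    return 32


def parse_rip(payload: bytes) -> dict:
    """Return command, version, auth entry, routes and a list of warnings."""
    if len(payload) < RIP_HEADER.size:
        raise ValueError("truncated RIP header")
    command, version, _ = RIP_HEADER.unpack_from(payload, 0)
    msg = {"command": COMMANDS.get(command, f"unknown({command})"), "version": version,
           "auth": None, "routes": [], "warnings": []}
    warn = msg["warnings"].append
    if version == 1:
        warn("RIP v1: no subnet masks and no authentication; accept only from trusted routers")

    offset = RIP_HEADER.size
    first_entry = True
    while offset + RIP_ENTRY.size <= len(payload):
        afi, tag, addr, mask, nexthop, metric = RIP_ENTRY.unpack_from(payload, offset)
        offset += RIP_ENTRY.size
        if afi == AFI_AUTH and version == 2 and first_entry:
            # The authentication entry must be the first entry; its 16 data bytes
            # are the last 16 bytes of the entry (RFC 2453 4.1).
            msg["auth"] = {"type": tag, "data": payload[offset - 16:offset]}
            if tag == AUTH_SIMPLE:
                warn("simple-password authentication is cleartext on the wire; prefer keyed MD5")
            first_entry = False
            continue
        first_entry = False
        if afi != AFI_INET:
            warn(f"unsupported address family {afi}; entry ignored")
            continue
        if not 1 <= metric <= INFINITY:
            warn(f"invalid metric {metric}; entry ignored")
            continue
        address = ipaddress.IPv4Address(addr)
        if version == 1 or int.from_bytes(mask, "big") == 0:
            net = ipaddress.IPv4Network(f"{address}/{classful_prefixlen(address)}", strict=False)
        else:
            net = ipaddress.IPv4Network(f"{address}/{ipaddress.IPv4Address(mask)}", strict=False)
        if net.prefixlen == 0:
            warn("advertises a default route; verify the sender is the intended upstream")
        msg["routes"].append({"prefix": str(net), "next_hop": str(ipaddress.IPv4Address(nexthop)),
                              "metric": metric, "tag": tag})
    if version == 2 and msg["command"] == "response" and msg["auth"] is None:
        warn("RIP v2 response carries no authentication entry")
    return msg


def build_rip(version: int, routes, password=None) -> bytes:
    """Constructed test input: a RIP response. routes = [(prefix, next_hop, metric), ...]."""
    out = RIP_HEADER.pack(2, version, 0)
    if password is not None:
        out += struct.pack("!HH16s", AFI_AUTH, AUTH_SIMPLE, password.encode())
    for prefix, next_hop, metric in routes:
        net = ipaddress.IPv4Network(prefix)
        mask = net.netmask.packed if version == 2 else b"\0\0\0\0"
        hop = ipaddress.IPv4Address(next_hop).packed if version == 2 else b"\0\0\0\0"
        out += RIP_ENTRY.pack(AFI_INET, 0, net.network_address.packed, mask, hop, metric)
    return out


if __name__ == "__main__":
    sample = build_rip(2, [("192.168.2.0/24", "0.0.0.0", 1), ("0.0.0.0/0", "0.0.0.0", 3)],
                       password="s3cret")
    for key, value in parse_rip(sample).items():
        print(f"{key}: {value}")
```

The warnings are deliberately conservative: a v2 response without an authentication entry is not malformed, but on a WAN-facing listener it is the case you most want to notice, since the guide recommends v2 without saying anything about authentication.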
Contents (continued)

Security > NAT > Interfaces tab 134
Security > NAT > Policy tab 134
Security > NAT > Public tab 135
Application scenarios 136
ALG 139
Security > ALG page 139
QoS and PPTP 140
IDS 140
Security > IDS > Anomaly tab 141
Security > IDS > Protection tab 142
IDS flood attack 142
IDS flood settings 143
IDS scan 144
IDS spoof 144
Security > IDS > Attacks tab 145
Voice ACL 145
Configuration 146
IPSec, IKE and VPN 147
IPSec 147
Security > IPSec > Policy tab 147
Security > IPSec > Proposals tab 148
Security > IPSec > Parameters tab 149
Security > IPSec > SA tab 149
IKE 150
Security > IKE > Policy tab 150
Security > IKE > Preshared tab 150
Security > IKE > Parameters tab 151
Security
System > Overview page (recoverable items of the figure): Country: United States of America (US); Temp: Unsupported; Up time: 0y 8d 16h 51m 40s; Reset by: software reset; CPU, TEL, LAN, WAN indicators; System Hardware: Board Description: Mainboard ICAD40, 1 FXS, 1 FXO, 4-port switch, built-in Ethernet 100BaseTx.

System > Overview > System Information panel

The System Information panel shows various high-level system configuration items. Further detail for some of the items:
Bootcode Ver: Version of the bootloader program.
App Ver: System software version.
System Type: Model designation of this unit.
Memory: RAM, expressed as used/available.
Up time: Cumulative running time since the last bootup, displayed in years (y), days (d), hours (h), minutes (m) and seconds (s).
MAC 0: MAC address for the WAN interface.
MAC 1: MAC address for the LAN interface.

You can configure the following parameters with the Modify button; click Update when finished.
Unit name: The BSGX4e unit name displayed to the left of the button bar.
Country: The country of operation. Default is USA. This selection sets several parameters that affect the characteristics of an analog phone connected to the Phone port. See the paragraph below for more details.

NOTE: The drop-down list of names has a divider line. The BSGX4e is certified for operation in those countries above the line. In those countries listed below the line
User log-in page, enter the default log-in codes:
User name: admin
Password: PlsChgMe

These defaults are printed in this guide and are the same on every unit, so change the admin password on the User Accounts page before the BSGX4e is reachable from the WAN.

If you want to use the Initial Setup Wizard for the basic configuration tasks, select the Setup Wizard check box to immediately open the wizard. See the Initial Setup Guide on the Documentation CD for more information.

Notes
- Font size: You may have to adjust the font size in the browser. If the text appears to be overrunning its boundaries or overlapping other areas, decrease the text size. Use the command on the View menu or the keyboard shortcuts Ctrl + and Ctrl -.
- Log-in failure: If your log-in fails on a new unit, retry the log-in procedure to ensure you did not make a typing error. Also check whether your PC has a static IP address rather than using DHCP to obtain a dynamic address. If log-in fails after having configured the unit, likely causes are a VLAN assigned to the port to which your PC is connected, or the IP address of the LAN switch having been changed. Use the CLI connected to the serial port to view or change parameters to re-establish the Web UI connection.
- Connection failure: If you are working on more than one BSGX4e, you must clear the private data from the browser before connecting your PC to a different BSGX4e. The BSGX4e places cookies and browser history records into your browser, and these prevent you from successfully connecting to a new BSGX4e unit.
WEB UI Operation Guide
BSGX4e Business Services Gateway
NN47928 502
Software Release 2.1.1

Document Status: Standard
Document Version: 01.01
Document Number: NN47928 502
Date: July 2008

Copyright 2008 Nortel Networks. All Rights Reserved.

The information in this document is subject to change without notice. The statements, configurations, technical data and recommendations in this document are believed to be accurate and reliable, but are presented without express or implied warranty. Users must take full responsibility for their applications of any products specified in this document. The information in this document is proprietary to Nortel Networks.

Trademarks: Nortel, the Nortel logo and the Globemark are trademarks of Nortel Networks. Microsoft, MS, MS-DOS, Windows and Windows NT are trademarks of Microsoft Corporation. All other trademarks and registered trademarks are the property of their respective owners.

Contents

About this guide 15
Introduction 15
Intended audience 15
Organization 16
Text conventions 17
Documentation 17
How to get help 18
Getting help from the Nortel Web site 18
Getting help over the phone from a Nortel Solutions
tab on page 134. Create a security policy to allow traffic from the external DHCP server to the DHCP relay (DHCP relay security policy on page 128).
5. Configure the DHCP relay:
Enabled: Enable (yes) or disable (no) the DHCP relay. Default is no.
Server: IP address or FQDN of the external DHCP server.

Routing

This section describes the routing configuration options in the BSGX4e, which consist of a routing protocol table and an Address Resolution Protocol (ARP) table. When a network node sends data to an IP address on its subnet segment, it broadcasts an ARP request to resolve the IP address to an Ethernet MAC address.

Technical reference

The configuration topics in this section refer to three separate protocols that each maintain their own data structure. Each protocol is used for a separate purpose:
- ARP runs over Ethernet. It translates IP addresses to MAC addresses on Ethernet networks.
- Internet Protocol (IP) operates at a higher level to route IP packets to addresses on the Internet. It automatically records dynamic entries in a routing table to define routes to destination IP addresses. Static routes can also be configured.
- The Routing Information Protocol (RIP) uses a routing daemon. RIP is used in the BSGX4e only if the daemon is manually started. The daemon then listens for RIP messages on the WAN interface from other routers on the network. It uses
abled by default.

Data > Switch > IEEE tab

This classification type is used with VLANs and relies on the priority bits in the VLAN tag to indicate the priority. The priority bits need to be set by the LAN device that is part of the VLAN; use Table 10 above to determine the value to set, and see the network configuration examples in Figure 44 on page 193. This IEEE 802.1p priority notation is commonly called CoS (class of service): the three-bit priority field carried in the IEEE 802.1Q VLAN tag. Because the endpoint writes these bits itself, CoS classification trusts the LAN device; a host that tags its own traffic with the highest value lands in the highest-priority queue, so use port-based classification where the attached devices are not under your control.

If you need to change the BSGX4e priority queue associated with a bit value, perform these steps:
1. Click the bit value in the IEEE column to open the properties page.
2. Click Modify to open the configuration page.
3. Select the appropriate priority level from the Priority drop-down list and click Update.

Data > Switch > Port tab

This classification type assigns a priority queue to each LAN port, thereby classifying all traffic flowing through that port. Note in Table 10 that all ports are associated with the LOWESTQ queue by default. To change the association of a port, perform these steps:
1. Click the port in the Switch QoS Port column to open the properties page.
2. Click Modify to open the configuration page.
3. Select the appropriate priority level from the Priority drop-down list and click Update.

Data > Switch > ToS tab

This classification type uses the eight bi
absolute bandwidth rate. Traffic that exceeds the designated rate is discarded.
- CAR (committed access rate): a maximum committed absolute rate plus the ability to use available Best Effort (BE) bandwidth up to a designated limit. Traffic that exceeds the committed rate is queued and then bursts into any BE space available.

A quality group is then assigned to a quality class. A quality class defines a stream's sensitivity to latency and loss. That information is then used to prioritize and process traffic waiting in queue during times in which the WAN link is full.

Figure 46: QoS process flow (recoverable labels of the figure). LAN -> BSGX4e QoS processing -> WAN link. Stages: media stream sources identification; quality group assignment; quality class assignment, queuing priorities and policing; prioritized transmission over guaranteed bandwidth; routing to QoS bandwidth. Streams shown: video and other media, voice, data.

Functional characteristics

Functional characteristics of QoS include:
- The sum total of bandwidth allocated to all quality groups can be up to 90% of available WAN bandwidth.
- The minimum bandwidth allocation to any quality group is 64 Kbps.
- Bandwidth all
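The difference between the two policer types is easiest to see by running both against the same offered load. The following is an added example (not code from the BSGX4e guide or from Nortel) that models a quality group's policer per one-second tick: "strict" discards everything over the committed rate, "CAR" queues the excess and lets it leave as downgraded Best Effort traffic whenever BE headroom is free, capped by the burst rate. Everything beyond the guide's description is an assumption of this model: one-second ticks, byte accounting (rate / 8), an unbounded queue, and BE headroom supplied per tick instead of measured from a live link. The offered load at the bottom is constructed.

```python
"""Added example, not from the BSGX4e guide: a simplified per-second model of the two
policer types, 'strict' and 'CAR'. Assumptions (not statements from the guide):
one-second ticks, byte-sized accounting (rate / 8), an unbounded queue, and Best
Effort headroom supplied per tick."""
from collections import deque


def run_policer(kind, committed_bps, burst_bps, offered, be_free_bytes):
    """Simulate a quality group's policer.

    kind:          "strict" or "CAR" (the two policer types on the Group page)
    committed_bps: committed rate in bits per second
    burst_bps:     CAR only, burst rate in bits per second
    offered:       list of ticks, each a list of packet sizes in bytes
    be_free_bytes: unused Best Effort bytes available in each tick (CAR spill-over)
    Returns byte counters that mirror the Group > Stats page: protected ("Packets out"),
    downgraded (CAR only), dropped (strict only), and what is still queued at the end.
    """
    if kind not in ("strict", "CAR"):
        raise ValueError("kind must be 'strict' or 'CAR'")
    committed_bytes = committed_bps // 8
    burst_bytes = burst_bps // 8
    stats = {"protected": 0, "downgraded": 0, "dropped": 0, "queued": 0}
    backlog = deque()                                 # CAR: excess waiting for BE headroom
    for tick, packets in enumerate(offered):
        budget = committed_bytes                      # committed tokens refilled each tick
        pending = list(backlog) + list(packets)       # earlier excess is served first
        backlog.clear()
        for size in pending:
            if size <= budget:
                budget -= size
                stats["protected"] += size            # within the committed rate
            elif kind == "strict":
                stats["dropped"] += size              # strict: over the rate, discarded
            else:
                backlog.append(size)                  # CAR: over the rate, queued
        if kind == "CAR":
            # Queued excess bursts into whatever BE space is free this tick, capped by
            # the burst rate, and leaves as downgraded (Best Effort) traffic.
            spill = min(burst_bytes, be_free_bytes[tick] if tick < len(be_free_bytes) else 0)
            while backlog and backlog[0] <= spill:
                size = backlog.popleft()
                spill -= size
                stats["downgraded"] += size
    stats["queued"] = sum(backlog)
    return stats


# Constructed sample: 12000 bytes offered in one second against the control group's
# 64 kbit/s (8000 byte/s) commitment, then an idle second; 4000 bytes of BE headroom
# in the first second and none in the second.
OFFERED = [[3000, 3000, 3000, 3000], []]
BE_FREE = [4000, 0]

if __name__ == "__main__":
    print("strict:", run_policer("strict", 64000, 0, OFFERED, BE_FREE))
    print("CAR:   ", run_policer("CAR", 64000, 200000, OFFERED, BE_FREE))
```

With this load the strict policer forwards 6000 bytes and discards 6000; the CAR policer forwards the same 6000 as protected, downgrades 3000 into the free BE space, and carries the last 3000 into the next second's committed budget. The real device bounds its queue, which this model does not, so a sustained overload on a CAR group shows up as queued bytes here rather than as drops.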
ace. A VLAN can also be created on the Ethernet WAN interface (eth0) of the BSGX4e. A VLAN cannot be configured on a PPP (pppn) WAN interface. By default, no VLANs or virtual interfaces are configured.

A LAN port is configured as tagged or untagged when it is assigned to a VLAN. See Data > Switch > VLAN on page 103 for more details.

A VLAN on any interface restricts access by allowing only the subnet addresses defined by the VLAN. Thus, when a VLAN is activated on a LAN port, the LAN switch can no longer be accessed through that port. A VLAN can be created on the Ethernet WAN of the BSGX4e to establish trunking to a switch; in this configuration the WAN is accessible only by the trunk.

A VLAN requires firewall security policies to define which traffic to accept or reject.

Configuration overview

The complete VLAN configuration process requires the following steps:
1. Assign one or more LAN switch ports to the VLAN. Skip this step if you are creating a VLAN for the WAN of a BSGX4e. (Data > Switch > VLAN on page 103)
2. Create the virtual interface (vifn) profile for the VLAN and associate it to the physical interface.
3. Configure the virtual interface and assign an IP address to it. (VLAN configuration on page 73)
4. Create one or more firewall security policies so that the firewall allows traffic through the virtual interface. (VLAN security policies on page 127)

To delete a VLAN, delete the above configurations in
ace Pool tab page, this setting overrides the interface setting for this specific host.
Description: Optional text to help identify the host.

System > DHCP Server > VendorClass tab

The configuration parameters on this page are optional. Use them to assign an option group to a specific vendor class identifier of a LAN host. You can also specify an interface (physical or virtual) to further define the option group application; the option group is then applied only to the specified vendor class on the specified interface. The vendor class identifier is whatever the requesting host puts in its DHCP request and is not verified, so use this page to hand known device types their options, not as an access control.

Click New to open the configuration page. You can modify existing profiles by clicking the Id number on the display page. You can delete profiles by activating the check box next to the profile on the display page, then clicking Delete. Fill in the fields as follows; click Update when finished.
Id: A unique identification number. Use "new" or enter a whole number.
VendorClass: The vendor class of the host device. This data is in the vendor's documentation or on their Web site.
Interface: The interface (optional). Default is none.
OptionGroup: Choose an option group from the drop-down list. This assignment applies only to this vendor class. This setting overrides the interface setting for this vendor class.

RADIUS and TACACS

The BSGX4e includes both the Remote Authentication Dial In User Service (RADIUS) and Terminal Access Con
Figure 12: IP interface display pages 70
Figure 13: PPP interface page 73
Figure 14: VLAN interface page 75
Figure 15: Relay DNS page 78
Figure 16: Relay TFTP page 81
Figure 17: Relay SNTP page 83
Figure 18: Relay DHCP page 85
Figure 19: Routing Table page 87
Figure 20: ARP Table page 88
Figure 21: Proxy ARP page 89
Figure 22: Proxy ARP, general configuration example 91
Figure 23: Proxy ARP, subnet with firewall 93
Figure 24: RIP page 94
Figure 25: LAN status page 95
Figure 26: LAN ports page 96
Figure 27: LAN Port QoS page 98
Figure 28: Layer 2 QoS functionality 99
Figure 29: ARL page 101
Figure 30: VLAN LAN switch 103
Figure 31: Quality calls page 106
Figure 32: Calls analyzer flows 108
Figure 33: Quality link page 110
Figure 34: Quality group page 112
Figure 35: Downstream QoS page 119
Figure 36: ARP/PPP QoS page 121
Figure 37: NAT page 132
Figure 38: S
ality groups, see Downstream QoS page on page 118. This feature provides inbound bandwidth for VoIP payload and control streams that use UDP by limiting TCP traffic.

QoS overview

The BSGX4e Business Gateway uses QoS to manage the internal traffic contention that is created when LAN traffic coming into the unit from the four high-speed LAN ports exceeds the capacity of the internal routing engine or the uplink capacity of the WAN port. There are two points of traffic contention within the BSGX4e:
- Layer 2: Traffic coming into the four LAN ports creates up to a 400 Mbps flow that goes to a 100 Mbps router.
- Layer 3: Traffic from the router, plus other traffic processed by the BSGX4e such as VoIP flows from the session controller, is routed to the WAN, whose capacity is determined by your service contract.

The layer 2 and layer 3 QoS processes work independently of each other. Accordingly, this section discusses layer 2 and layer 3 QoS separately. During periods of low congestion, QoS does not significantly affect traffic. But when high traffic levels cause congestion, QoS guarantees quality of service for all QoS-managed applications, up to their bandwidth limits.

Quality of service, Layer 2

Traffic contention on the LAN side of the BSGX4e is caused by the four 100 Mbps LAN ports feeding a single 100 Mbps router. This contention is managed by routing traffic into four prior
Table 13: WAN encapsulation options (BSGX4e)
BSGX4e WAN encapsulation   Network device encapsulation
Ethernet                   pppoa vc
VLAN                       pppoa llc
PPPoE                      pppohdlc
                           fr
Terminology: LLC = Logical Link Control; VC MUX = Virtual Circuit Multiplexing.

Quality > Downstream QoS > Status tab

The status tab indicates whether or not Downstream QoS is enabled in a quality group. Note that you must configure the Downstream QoS link before you can enable this feature in a quality group.

Quality > Downstream QoS > Stats tab

The statistics tab page displays three categories of WAN link performance data:
- Protected group: Statistics for the quality traffic through the protected downstream bandwidth.
- Non-protected group, passed: Statistics for non-quality traffic that has passed through the unprotected downstream bandwidth.
- Non-protected group, dropped: Statistics for non-quality traffic that has been dropped in the unprotected downstream bandwidth.
The displayed statistics are self-explanatory.

ARP/PPP page

Both ARP (Address Resolution Protocol) and PPP (Point-to-Point Protocol) use a control signal to establish and maintain their traffic flow through the WAN port. If you are using either or both of these protocols, you can experience traffic stoppage if the control signal is interrupted at times of heavy traffic load through the WAN. Therefore these control signals must
and factory use. The destination server must have a UDP logger.
Syslog: Messages are sent in syslog format to the syslog logger specified in the System > Logging Info > Logging Destination panel on this page.
Internal: Messages are stored in an internal buffer of limited size, filled in FIFO order, but irretrievable after the unit restarts. The messages are displayed in the System > Status > System Log panel.
File: Messages are stored in an internal file of limited size, filled in FIFO order, and retrievable after the unit reboots. The contents are the same as the System Log display on the Status page. These logs are also saved in the compact flash in the cf0/usr/log directory. A directory is created for each day and includes one or several log files. Files can be exported to an external device using SFTP. Files can be viewed using the following Unix commands through a CLI terminal:

    BSGX4e> cd log
    BSGX4e> ls
    2008-01-09  2008-01-10
    BSGX4e> cd 2008-01-09
    BSGX4e> ls
    0  1
    BSGX4e> cat 1
    15:21:27 No need to upgrade ids hw for s/w version 2.1
    15:21:30 DHCPS: no vendor fixing
    15:21:30 Using system DNS
    (display continues)

Because the internal buffer is lost on restart and the file store is small and overwritten in FIFO order, configure an external syslog destination if you need the log for an incident investigation or for anything that must survive a reboot.

Logging modules

Table 5 describes the message severity levels and shows the default destinations.

Table 5: System message severity
Severity Level   Message Level   Description   Default Destination
0                Emergenc
and trigger alarms if quality falls below a given level.
WAN: Wide Area Network.
Web: Also known as the World Wide Web or www, the collection of sites accessible through the Internet.
Web browser: A client program that initiates requests to a Web server and displays the information that the server returns.

Index

Numerics
802.1p 191
911 185

A
access, user defaults 42
ACL (Access Control List) 145
alarms, call 106, 107
ALG (Application Layer Gateway) 139
analog device, connecting 162
ARL (Address Resolution Logic) 101
ARP: dynamic and static 86; interfaces 89; proxy ARP 89; QoS 121; table 88
attacks, IDS 140
authentication record, configure 54
authentication password 43
authorization password 44, 45

B
bandwidth: allocation 196; committed 11; in QoS 193
Best Effort 111
bootloader upgrade 62
browser font size 25
Button Bar 22

C
call bandwidth 198
call features 181
call load 29
calls, maximum licensed 168, 173
Certificate Signing Request 61
CLI command shell 32
codec, supported 107
codecs, user agent 175
command shell 32
configuration display 63
configuration file 63
control signal 167, 172
control signals 113
CoS (class of service) 100, 191
country 31
country of operation 32
current calls 29

D
default configuration 24
denial of service 142
DHCP: client 47, 71; relay 85; server 47
DHCP and DNS 48
DHCP client 72
DiffServ 192
Dire
at can be used to identify a data stream are destination IP, destination port, protocol and type of service (ToS) value. Also consider whether or not the protected traffic should have downstream QoS enabled, which provides bandwidth for incoming non-TCP traffic.

PPP interfaces

If you configure a PPP WAN interface, it needs security policies similar to the eth0 default policies shown above. If you use the Initial Setup Wizard for the PPP or frame relay interfaces, it creates these policies automatically. For any interface you configure manually, you must also create the needed firewall policies. Table 16 shows the policies created by the Initial Setup Wizard for a PPP interface. If you are performing a manual configuration, these are the policies you must create.

Table 16: Firewall policies for PPP
From   To     DPort   Protocol   Action
eth1   ppp0   any     any        allow
ppp0   self   161     UDP        allow
ppp0   self   22      TCP        allow
ppp0   self   80      TCP        allow
ppp0   self   443     TCP        allow

The last four policies make the unit's SNMP agent, SSH server and Web UI reachable from the PPP (WAN) side. If you do not manage the unit from the WAN, leave them out; if you do, keep the Web UI on 443 rather than 80, because port 80 carries the log-in in the clear.

VLAN security policies

VLANs are normally created on the eth1 LAN interface. To emulate the default security policies, you must create the policies shown in Table 17. See Data > Interfaces > VLAN on page 75 for reference.

Table 17: Firewall policies for VLAN
From   To     IP Address   DPort   Protocol
vifn   self   any          any     any
vifn   eth0   any          any     any
vifn   ppp0

SNMP security policy

As described in the section SNMP on page 56, the BSGX4e's SNMP agent requires a firewall policy to al
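To check what a policy table like Table 16 actually lets through before committing it to the unit, here is an added example (not code from the BSGX4e guide or from Nortel) that evaluates packets against the five PPP policies and lists which management services a WAN-facing interface is allowed to reach. Two things are assumptions, not statements from the guide: the first matching policy wins, and a packet that matches no policy is denied. The Policy and Packet types and the sample packets are constructed for this example.

```python
"""Added example, not from the BSGX4e guide: a small evaluator for firewall security
policies shaped like Table 16, plus a check listing the management ports a non-LAN
interface may reach. Assumptions (not from the guide): first matching policy wins,
and a packet matching no policy is denied."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    src: str      # ingress interface (eth0, eth1, ppp0, vifn ...)
    dst: str      # egress interface, or "self" for traffic addressed to the unit
    dport: str    # destination port number as a string, or "any"
    proto: str    # "TCP", "UDP" or "any"
    action: str   # "allow" or "deny"


@dataclass(frozen=True)
class Packet:
    in_iface: str
    out_iface: str   # "self" when the BSGX4e itself is the destination
    dport: int
    proto: str


# Table 16: the policies the Initial Setup Wizard creates for a PPP WAN interface.
PPP_POLICIES = [
    Policy("eth1", "ppp0", "any", "any", "allow"),   # LAN to WAN
    Policy("ppp0", "self", "161", "UDP", "allow"),   # SNMP agent
    Policy("ppp0", "self", "22", "TCP", "allow"),    # SSH
    Policy("ppp0", "self", "80", "TCP", "allow"),    # Web UI
    Policy("ppp0", "self", "443", "TCP", "allow"),   # Web UI over SSL
]

MANAGEMENT_PORTS = {22: "SSH", 23: "Telnet", 80: "HTTP", 161: "SNMP", 443: "HTTPS"}
LAN_IFACES = {"eth1"}


def matches(policy: Policy, pkt: Packet) -> bool:
    return (policy.src == pkt.in_iface
            and policy.dst == pkt.out_iface
            and policy.dport in ("any", str(pkt.dport))
            and policy.proto in ("any", pkt.proto))


def evaluate(policies, pkt: Packet, default: str = "deny") -> str:
    """First match wins; anything unmatched gets the default (assumed deny)."""
    for policy in policies:
        if matches(policy, pkt):
            return policy.action
    return default


def wan_management_exposure(policies):
    """Allow rules that let a non-LAN interface reach a management service on the
    unit itself. Each entry is a WAN-facing log-in surface to confirm you want."""
    exposed = []
    for p in policies:
        if p.action != "allow" or p.dst != "self" or p.src in LAN_IFACES:
            continue
        if p.dport == "any":
            exposed.append((p.src, "any", "all services"))
        elif int(p.dport) in MANAGEMENT_PORTS:
            exposed.append((p.src, int(p.dport), MANAGEMENT_PORTS[int(p.dport)]))
    return sorted(exposed, key=lambda e: (e[0], e[1] if isinstance(e[1], int) else -1))


def without_cleartext_management(policies):
    """Same table with the HTTP and Telnet allow rules towards the unit removed."""
    return [p for p in policies
            if not (p.dst == "self" and p.action == "allow" and p.dport in ("80", "23"))]


if __name__ == "__main__":
    # Constructed sample packets
    for pkt in (Packet("ppp0", "self", 22, "TCP"), Packet("ppp0", "self", 23, "TCP"),
                Packet("eth1", "ppp0", 53, "UDP"), Packet("ppp0", "eth1", 445, "TCP")):
        print(pkt, "->", evaluate(PPP_POLICIES, pkt))
    print("WAN-reachable management services:", wan_management_exposure(PPP_POLICIES))
```

Run against Table 16 the exposure check reports SSH, HTTP, SNMP and HTTPS on ppp0; a Telnet attempt is denied only because no policy mentions it, which is exactly why the default-deny assumption matters and should be confirmed on the unit before relying on it.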
ation is shown on the page in the next step.
b. Go to Data > Interfaces > VLAN on page 75 and delete the VLAN profile associated with the VID.
c. Go to Data > Switch > VLAN, enable the check box next to the VID number, then click Delete.

Relays

This section describes using the BSGX4e as a relay for devices on its LAN that request DNS, TFTP, SNTP or DHCP services. The BSGX4e acts as a proxy and forwards any such requests to the servers on the WAN specified by the services configurations. To a LAN device the BSGX4e appears to be a server; to the WAN server the BSGX4e appears to be a client. The DNS relay is enabled by default; all other relays are disabled.

Under the System button on the button bar, the BSGX4e can also be configured with a client for DNS and SNTP services and as a DHCP server. The BSGX4e clients get their DNS and SNTP data from servers on the WAN and then provide it for internal functions. The DHCP server is enabled by default to provide IP addresses to your LAN devices. See the sections Services page on page 33 and DHCP server on page 47 for more information.

For clarification, the BSGX4e also has a DHCP client on its WAN interface that obtains an IP address for the unit from a DHCP server. This client is enabled by default. See Data > Interfaces > IP page on page 70 to access this parameter.

Data > Relays >
ccounts: admin and user.

CAUTION: After configuring the BSGX4e for your site, export a configuration file and store it on a separate host so that you can retrieve the configuration if problems arise. See Configuration on page 63. Treat the exported file as sensitive, since it holds the unit's complete configuration, and store it where only administrators can read it.

Display pane

The display pane displays the Web pages as you click on functional buttons or menu links. These pages can be interactive configuration pages or informational status pages. The page in the display pane can be segmented into panels for different types of data.

Usage notes

This section provides helpful notes on using the Web UI.

Browser requirements

The BSGX4e has been tested with Microsoft Internet Explorer and Mozilla Firefox browsers. Internet Explorer must have the Adobe Shockwave Flash Object add-on; Firefox must have the Adobe Flash Player plugin. Use the browser's Manage Add-ons (Explorer) or Add-ons (Firefox) command to obtain the plugin.

Connecting to the BSGX4e

The basic BSGX4e installation and cabling is covered in the Quick Start Guide and the Installation Guide on the Documentation CD. The following steps instruct you on accessing the Web UI:
1. Connect a PC to one of the BSGX4e LAN ports, labeled 1 through 4 on the box.
2. Open a Web browser. The BSGX4e has been tested with Microsoft Internet Explorer and Mozilla Firefox.
3. Enter http://192.168.1.1 in the address bar of your browser.
4. On the
Interfaces

The Interfaces section is where you configure the WAN and LAN interface protocols. You can configure the following interfaces on the BSGX4e:

Table 6: WAN interfaces (BSGX4e)
IP over Ethernet    ethn
PPP over Ethernet   pppn
VLAN                vifn
IP over VPN         vpnn

Data > Interfaces > IP page

BSGX4e proprietary interface terminology: eth0 = WAN; eth1 = LAN.

This page is where you configure a WAN or LAN IP interface and view configuration data. The BSGX4e has an eth0 and an eth1 interface by default.

Figure 12: IP interface display pages (recoverable table of the figure)
Interface   IP Address      Mask            MTU    DHCP client   Lease obtained             Lease expires              MAC Address         VLAN
eth0        172.16.13.149   255.255.0.0     1500   on            FRI FEB 22 23:35:13 2008   SAT FEB 23 23:35:13 2008   00:15:93:00:02:CA   N/A
eth1        192.168.1.1     255.255.255.0   1500   off           N/A                        N/A                        00:15:93:00:02:CB   N/A
Speed/duplex shown: FULL100 AUTONEG

IP display pane

The display pane (Figure 12 above) shows the parameters of each WAN or LAN interface. This is also where you configure new interfaces and delete existing entries. Most of the fields are self-explanatory. Below are a few fields that need some explanation:
- The Lease obtained and Lease expires columns display N/A if DHCP is off or
control signal messages and call traffic.
- SIP LAN gateway (page 171): Configures the LAN for a gateway connection.
- User agent, BSGX4e (page 175):
  - SIP (page 176), MGCP (page 179): Configures the SIP or MGCP User Agent for analog devices.
  - Numbering plan (page 181): Configures the User Agent for number-based special features.
- Local call routing (page 185): Sets the emergency phone connection to a PSTN and establishes LAN-to-LAN calls when a VoIP server is not reachable.

Media

Voice > Media > Settings

This page configures various parameters for processing video and VoIP media streams, including associating the VoIP QoS quality group with the session controller. VoIP control signals are associated on the session controller settings page (page 167). You must create the quality groups before proceeding with this section; see Group page on page 112.

Configuration

There are technical notes below the table discussing direct media and the default video bandwidth. Click Modify to open the configuration page. The configuration parameters are as follows:
Direct media: Enables direct-media RTP connections between two endpoints on the BSGX4e LAN. Default is no.
RTP ports: Range of RTP ports to use (low/high range). The RTP range must contain at least 1000 values and must not overlap ports configured for existing services in the BSGX4e. Normally tw
Direct Media 161
DNS client: backup scenario 38; configuration 36
DNS relay: configure 79; current sessions 80; intro 78; source 80
DNS with DHCP 48
DNS configuration source 37
DNS, dynamic 39
Downstream QoS 118

E
emergency calls 185
encapsulation types 120
endpoint call access 145
endpoints 167, 172; configuring 169; LAN 169, 173
ESP (Encapsulating Security Payload) 147
Ethernet eth0 70

F
Factory Defaults 24, 203
failover, MGCP 171
failover, SIP 166
fax 175, 177, 180
firewall: security policies 125; session controller 164; timer 131
Fixed Queuing 192
flood attack 142
FXO port 162
FXS port 162, 175

G
gateway on Phone port 171
gateway, analog 175

Q (entries filed under "GoS" in the source)
QoS: defined 193; functional characteristics 195

H
hardware components 32

I
IDS: flood attack 142; packet anomalies 141; scan attacks 144; spoof attacks 144
IDS (Intrusion Detection System) 140
IKE (Internet Key Exchange): configuration 150; description 147; firewall policy 151
Initial Configuration Wizard 115
interface: display 70; Ethernet eth0 70
internal log 64
IP address, dynamic 47
IP ToS 114
IPsec: configuration 147; description 147

J
jitter buffer 162
jitter buffer settings 107

L
LAN switch: description 95; duplex mode 96; flow control 96; ports 96; QoS 98; speed 96; status 95
LAN-to-LAN calls 161, 185
LINE port 162
link rate 111
link QoS 110
local call routing 185
Log Out 24
log, system 64
login 25
ct technical support, it is important to provide both system information and hardware information about the unit. This information is displayed at System > Overview > System Information panel on page 32. The system internal log displays its most recent entries at System > Status > System Log panel on page 30.

The Logging Information page allows you to configure the destination of each message type based on severity level, and the network configuration for external destinations. It also displays logging statistics (Counters, Info).

System > Logging Info > Logging Destination panel

This panel is where you configure the external server to receive UDP and/or syslog messages. Log messages are compliant with the syslog protocol. The UDP section can also be configured to send raw UDP messages to a PC that is reachable from the BSGX4e. External logging is not configured by default. Click the Modify button to open the configuration page.

UDP Logger IP: For messages with UDP destination. NOTE: This is for customer support and factory use. The destination must be running a UDP logger.
UDP Logger Port: For messages with UDP destination. Port of the receiving UDP logger. Default is 2000.
Syslog IP: For messages with syslog destination. IP address of a receiving syslog logger.
Syslog Port: For messages with syslog destination. Port of a rec

Both destinations receive plain UDP datagrams with no encryption or sender authentication, so place the logger on a network segment you control, normally the LAN side, rather than sending logs across the WAN in the clear.
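On the receiving side, the syslog messages the Logging Destination panel sends need their PRI field decoded before they can be filed by severity or forwarded with a threshold, the same severity scale the Logging modules table uses. The following added example (not code from the BSGX4e guide or from Nortel) parses RFC 3164 lines into facility, severity, host, tag and message, treats a missing or out-of-range PRI the way RFC 3164 section 4.3.3 prescribes, and applies a severity threshold. It covers the File/Internal CLI excerpt above as well: the sample lines are constructed for this example, with message text echoing that excerpt, and are not captured device output.

```python
"""Added example, not from the BSGX4e guide: parse RFC 3164 syslog lines as a collector
receives them on the configured syslog port, recover facility and severity from the
PRI field, and apply a severity threshold. Sample lines are constructed."""
import re

SEVERITIES = ["emergency", "alert", "critical", "error", "warning", "notice", "info", "debug"]
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)
# RFC 3164 4.1.2: TIMESTAMP is "Mmm dd hh:mm:ss" (day padded with a space), then HOSTNAME,
# then the MSG part, which conventionally starts with TAG followed by ':'.
HEADER_RE = re.compile(r"^([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$", re.DOTALL)


def parse_syslog(line: str) -> dict:
    """Return facility, severity, host, tag and message for one syslog line.

    A missing PRI, or one above 191 (the largest valid value, local7.debug), is
    treated as <13> = user.notice, as RFC 3164 4.3.3 tells relays to do."""
    m = PRI_RE.match(line)
    if m and int(m.group(1)) <= 191:
        pri, rest = int(m.group(1)), m.group(2)
    else:
        pri, rest = 13, line
    h = HEADER_RE.match(rest)
    if h:
        timestamp, host, content = h.groups()
    else:
        timestamp, host, content = None, None, rest      # no valid header: keep the text
    tag, _, message = content.partition(":")
    if not message:                                       # no "tag:" prefix at all
        tag, message = "", content
    return {"facility": pri // 8, "severity": pri % 8, "severity_name": SEVERITIES[pri % 8],
            "timestamp": timestamp, "host": host, "tag": tag.strip(), "message": message.strip()}


def at_or_above(record: dict, threshold: str) -> bool:
    """True when the record is at least as severe as threshold (0 = emergency is most severe)."""
    return record["severity"] <= SEVERITIES.index(threshold)


def filter_lines(lines, threshold: str):
    """The records from lines that clear the threshold, in arrival order."""
    return [r for r in map(parse_syslog, lines) if at_or_above(r, threshold)]


# Constructed sample lines: <14> = user.info, <12> = user.warning, <130> = local0.critical.
SAMPLE = [
    "<14>Jan  9 15:21:27 BSGX4e system: No need to upgrade ids hw for s/w version 2.1",
    "<12>Jan  9 15:21:30 BSGX4e dhcps: no vendor fixing",
    "<130>Jan  9 15:21:30 BSGX4e ids: sample critical message",
    "garbled line with no PRI",
]

if __name__ == "__main__":
    for record in filter_lines(SAMPLE, "warning"):
        print(record["severity_name"], record["host"], record["tag"], record["message"])
```

Decoding PRI this way is what lets a collector keep the device's own severity instead of the default the relay would otherwise assign; the "garbled" line shows why the fallback matters, since a collector that rejects it loses the message entirely.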
98. d and authenticated by the secure gateways. When configured, the BSGX4e can function as a secure gateway. After IPsec SAs are established, the VPN becomes operational, using IPsec tunneling to secure IP traffic between LANs. Each IP packet sent between LANs is encrypted inside an Encapsulated Security Payload (ESP) packet during transmission between the secure gateways.

IPSec
IPsec provides data confidentiality, data integrity, and data authentication between peers. Configuration consists of creating a policy and a proposal and configuring operational parameters.

Figure 41: IPSec page (screenshot of the Security > IPSec > Policy tab; the IPSec Policies table has the columns Name, Gateway, Resolved IP Address, Local, Remote, Proposal, Interface, with Delete and New buttons)

Security > IPSec > Policy tab
An IPsec policy specifies the two secure networks that a VPN tunnel connects and the security parameters used to encrypt and decrypt traffic between the two networks. The creation of an IPsec policy also allows a VPN interface to be configured for the policy.

Configuration
In the display pane, click New to open the configuration page. Fill in the fields as shown below. Click Update when finished. If a policy has already been defined, click the Name in the display to open the Properties page, then Modif
99. d proxies it to an external server. To the LAN hosts, the BSGX4e appears to be the server. To the external server, the BSGX4e appears to be the requesting host. You must disable the DHCP server to use the DHCP relay. The relay is disabled by default.
- DHCP client (page 72): The DHCP client requests a dynamic address from an external server. The DHCP client can be enabled on either the WAN or LAN ports, but not both. It is most common on the WAN with interfaces that do not require a static IP address. The DHCP client can be enabled on the LAN if you have a DHCP server connected to the LAN.

Figure 6: DHCP Server pages (screenshot of System > DHCP Server > Pool; the DHCP Server Pool table has the columns Interface, Enabled, Subnet, Netmask, IP, Broadcast, Gateway, OptionGroup, with Delete and New buttons)

DHCP server
Functional characteristics
The DHCP server as implemented in the BSGX4e has the following characteristics:
- Supports one address range per LAN interface (eth1 or vifn). Up to four virtual interfaces (vif) can be configured on the LAN ports, one on each port.
- Address range must be within the subnet of the interface.
- Up to four servers can be configured, one on each interface con
100. decs: Up to four codecs can be configured. The order in which they are listed is the order in which negotiations are attempted. If you configure any codec as NOT USED, negotiation attempts stop at that point; codecs listed below this are ignored. The supported codecs are G.711 u-law (PCMU), G.711 a-law (PCMA), and G.729, all with 10 ms or 20 ms RTP packet interval. Currently, Fax (T.38) is not supported. The Phone (FXS) port must be properly configured for the User Agent to function. Setting the Country parameter configures the Phone port for the supported countries. See the section System > Overview > System Information panel on page 32 for the list of supported countries. CAUTION: Phone port manual configuration must be performed only by professional personnel with a technical understanding of these telephony parameters.

SIP page
The SIP User Agent window has three tabbed pages:
- Configuration: Parameters of the User Agent port
- Settings: Protocols and parameters of the User Agent
- Status: Operational status of the User Agent
Read the section introduction on page 175 for reference.

Voice > User Agent > SIP > Configuration tab
This page configures the parameters for the SIP User Agent. Prerequisites:
- You must have an account with a SIP service provider and have the account's user ID, authentication ID, and authentication password.
- If the
101. dex: new; Proto: any; From: eth0; NAT: 1; To: self; QoS: (blank); Source IP: any; ToS: any; range to: (blank); Dest IP: 172.108.134.210 (public); Sequence: begin; range to: (blank); Source port: any; Action: allow; Dest port: any.

2. Redirect port example
This example maps a Web server on the LAN to a port on the public WAN. A request sent from any public address on the WAN using port 12999 is forwarded to the Web server on the BSGX4e LAN.
a. On the Interfaces tab, click New, then select the interface and enable NAT. We use eth0 in this example.
b. On the Policy tab, click New to open the configuration page. Configure a policy that defines the policy type and identifies the Web server's private addresses and port to be translated: Id: new (for this example, we say that ID 2 is automatically assigned); Type: rport; Address: 10.0.1.101 (private address of Web server); Port: 80 (web port).
Move to the Security > Policy page and Static tab. Click New to open the configuration page. Configure a policy that maps the public WAN address/port to the appropriate NAT policy, which identifies the private addresses: Index: new; Proto: tcp; From: eth0; NAT: 2; To: self; QoS: (blank); Source IP: any; ToS: any; range to: (blank); Dest IP: any; Sequence: begin; range to: (blank); Source port: any; Action: allow; Dest port: 12999.

3. Static NAT example
This policy ma
102. dica 76
Configuration procedure: Virtual interface 77
Relays 78
Data > Relays > DNS page 78
Settings tab 79
Sessions and cache tabs 80
Data > Relays > TFTP page 80
Settings tab 82
Sessions tab 82
Cache tab 82
Files tab 83
Data > Relays > SNTP page 83
Settings tab 84
Sessions tab 84
Data > Relays > DHCP page 85
Routing 86
Technical reference 86
Data > Routing > Routes Table 87
Data > Routing > ARP 88
ARP Table tab 88
Proxy ARP tab 89
Data > Routing > RIP 94
Functional characteristics 94
Configuration 94
Switch 95
Data > Switch > Status page 95
Port page 96
Data > Switch > Ports tab 96
103. disabled DHCP enabled Ethernet eth PPP pppn VLAN vifn VPN vpnn
In addition to the DHCP client, the BSGX4e also has a DHCP server for the LAN (page 47) and a DHCP relay that proxies requests from the LAN to an external server (page 85). You can apply only one of these three services to any given interface; the other two must be disabled.

IP statistics
Each configured IP interface has a tabbed page that displays performance statistics. Access this page by clicking the Inter designator in the display pane, then click the Statistics tab.

VLAN configuration
As part of the VLAN configuration process, the Data > Interfaces > IP page is where you configure the virtual interface (vifn) as an IP interface. NOTE: You must have created the virtual interface before performing this task. See Data > Interfaces > VLAN on page 75 for VLAN process details.
Procedure: Follow the instructions under the IP configuration heading above.
- Select vifn from the Interface drop-down list on the configuration page.
- Assign an IP address.
- Create firewall security policies for the vifn interface. See VLAN security policies on page 127.

Data > Interfaces > PPP page
You can configure the BSGX4e to use a PPP link as its primary WAN interface. It is designated as PPPoE on the BSGX4e. After the PPP profile is created, you can view it as the pppn interface in the Data g
104. disconnects your line. Length: Expected length of this number entry. StripCount: Number of digits to strip off from the beginning of the number. Prepend: Digits to prepend to the beginning of the number.

Configuration and application examples
Phone number prepend: This example configures a numbering plan entry to prepend a zero (0) to every phone number of length nine (9) that begins with a one (1). For example, if the phone number dialed is 123456789, the phone number called by the SIP User Agent is 0123456789. Number: 1; Type: Number; Length: 9; Prepend: 0.

Do not disturb: This example configures two numbering plan entries to enable/disable use of the Do Not Disturb feature such that:
- To set Do Not Disturb for a phone, enter 78.
- To clear the Do Not Disturb state for a phone, enter 79.
Set Do Not Disturb: Number: 78; Type: Service; Feature: SDND (set do not disturb). Clear Do Not Disturb: Number: 79; Type: Service; Feature: CDND (clear do not disturb).

Forward all calls: This example configures two numbering plan entries to enable/disable use of the Call Forwarding feature such that:
- To forward all calls to another phone, the entry is 90 followed by the phone number and the hash character. For example, to forward calls to phone extension 4985, enter 904985#.
- To clear call forwarding for a phone, enter 91.
Set Forward All: Number: 90; Type: Service; Featu
105. dware. SysName: SNMP system name (sysName MIB) assigned by the administrator to this hardware. The display page contains a SysDesc field that is read-only. It reports basic hardware and software versions of the host that is running the BSGX4e.

System > SNMP > Traps tab
Click Modify to configure SNMP traps. Enabled: Enable/disable transmission of traps. Default is no (disabled). Comm: The community string to authenticate access. IP: IP address of the management station that receives traps. range to: DO NOT USE. This field is removed in the next release.

System > SNMP > Community tab
Click New to add an SNMP community. Community: The community string. Used to authenticate access permission. IP: IP address of the management station that sends SNMP requests. Access: Select read or read-write.

System > SNMP > Statistics tab
The statistics page is a read-only display of the SNMP agent performance. You can update the display with the Refresh button and delete accumulated statistics with the Clear button. Field definitions are as follows. Out Pkts: Total number of Out SNMP messages. In Pkts: Total number of In SNMP messages. In BadCommunityNames: Total number of In messages with an unknown community name. In BadVersions: Total number of In messages with an unsupported SNMP v
106. e, then Modify to open the configuration page. Profile: Default is 0 and cannot be changed. L2 Interface: Layer 2 interface name. Only one interface (eth0) is supported at this time. Active: Specify yes to activate the profile. Specify no to de-activate the profile. A profile must be activated to enable PPP link negotiation; the profile must be de-activated before it can be modified. The default is no. AuthProto: Authentication protocol (PAP, CHAP). The default is PAP. On the BSGX4e, a PPPoE interface also has MSCHAPV1 and MSCHAPV2 protocol options. SelfIP/Mask: Optional static IP address and subnet mask (1.2.3.4/8) for the pppn interface. Enter any if none is provided. Default is any. MTU: Maximum Transmission Unit (MTU) of the interface, 296-1492 bytes. The default is 1492 bytes. MRU: Maximum Receive Unit (MRU) of the interface, 296-1492 bytes. The default is 1492 bytes. RestartTime: Time interval before a request is re-sent, in milliseconds. The default is 3000 (3 seconds). ServiceName: Optional service name (up to 30 characters) to identify the profile. Username: Account user name (up to 64 characters) for logging in to the PPP access concentrator. Password: Account log-in password (up to 32 characters).

Data > Interfaces > VLAN
This section is where you assign the VLAN to an interface, thereby creating the virtual i
107. ecommends this traffic be protected from packet loss by placing it in a QoS quality group. See the section ARP PPP page on page 121 for configuration instructions.

ARP Table tab
Figure 20: ARP Table page (screenshot of Data > ARP > ARP Table; the table has the columns Host, MAC, Type, with Delete, New, and Flush buttons)
This tab page is where you create a static ARP entry for a known host by associating the host's IP address with its MAC address. Click New to open the configuration page. The fields are self-explanatory. Click Flush to delete all dynamic entries from the ARP table.

Proxy ARP tab
Figure 21: Proxy ARP page (screenshot of Data > ARP > Proxy ARP; the table has the columns Id, From, IP(s), Reply To, Enable, with Delete and New buttons)
Proxy ARP enables the BSGX4e to transparently connect hosts that belong to different networks without having to configure default gateways, routes, or other network parameters. This section describes the general proxy ARP configuration process. It al
108. ecurity ALG page 139

List of figures
Figure 39 IDS page 140
Figure 40 Voice ACL page 145
Figure 41 IPSec page 147
Figure 42 IKE page 150
Figure 43 Layer 2 QoS contention 191
Figure 44 Layer 2 QoS Application Scenarios 193
Figure 45 GoS Quality Class Matrix 194
Figure 46 GOS process 195

List of tables
Table 1 Web UI operation guide organization 16
Table 2 Text conventions 17
Table 3 System > Status > System panel information 30
Table 4 User rights permissions 42
Table 5 System message severity 67
Table 6 WAN interfaces 70
Table 7 DHCP client status by interface 72
Table 8 Sources for DNS relay configuration 80
Table 9 Sources for SNTP relay configuration 84
Table 10 Default priority classification settings 99
Table 11 QoS link rate defaults 116
Table 12 QoS groups defaults BSGX4e 116
Table 13 WAN encapsulation options 1
109. ed. ERROR: The hostname specified is not a fully qualified domain name. ERROR: The hostname specified does not exist or in not in this user account. ERROR: The hostname specified does not exist or not in this user account. ERROR: When talking to IP server. ERROR: The username and password pair do not match a real user.

Dynamic DNS Settings (screenshot of the panel; fields: Service, Enabled, User, Password, Host name, Period (minutes), ForceUpdatePeriod (days), Wildcard, Registered IP, Last update, Next forced update, Status; Modify button)

User accounts page
This page is where you manage the user account security features of the BSGX4e. The user accounts determine who can access the BSGX4e and what permissions they are granted.
Figure 5: User Accounts page (screenshot of System > User Accounts; the table has the columns Name, Access, Auth, Group1 to Group5, Password Inherit, Enabled, with Delete and New buttons)

Technical reference
This section contains technical descriptions and reference information.
Terminology: Terminology applicable to user accounts. Access: How you connect to the BSGX4e (Web, CLI, SSH, Telnet, FTP). Authorization: lo
110. ed out of the table. Static entries remain in the table until the table is manually flushed with the Clear button.

Prioritizing Traffic by MAC Address
You can prioritize specific LAN traffic with static ARL entries, but not with dynamic entries. Four priority queues are available: LOWESTQ, LOWQ, HIGHQ, and HIGHESTQ. See QoS page on page 98 for more discussion of priority queues. By specifying a priority queue when you map a destination MAC address to a port, all packets with that address/port combination are routed to the specified priority queue, regardless of the LAN QoS settings on the QoS page (page 98).

Aging Interval for Dynamic Entries
The aging interval determines when dynamic entries are flushed. The default is 304 seconds. This parameter can be changed with the CLI command config switch arl age xxxx, where xxxx is seconds. Range is 16 to 4080 seconds, in multiples of 16. Any number entered is rounded to the next multiple of 16. Received packets that match a static ARL table entry use the priority setting of that entry. This setting overrides all other layer 2 QoS settings (page 98) for the port, including port ToS and 802.1p. This feature cannot be disabled.

Configuration procedure
Perform the following steps to configure a static ARL table entry:
1. Click New in the ARL display page to open the configuration page.
2. Fill in the fields as follows. State: You must select Static. The Dynamic entry is n
111. eiving syslog logger. Default is 514. Syslog Facility: For messages with syslog destination. Syslog facility to use (localn, where n is 0-7).

System > Logging Info > Counters Info panel
These are read-only fields that display the following information. MsgQTxErrors: Number of errors when sending to a message queue. MsgQRxErrors: Number of errors when receiving from a message queue. LogTxCount: Number of messages sent. LogRxCount: Number of messages received. Errors: Number of generic errors from the logging system.

System > Logging Info > Logging Map panel
This page is where you configure each message type for one or more destinations, or no destination. As described in the next section, each functional module in the BSGX4e can be configured for which message types it sends. Message types are defined by severity level. Click the Modify button to open the configuration page. Each message type can be configured for the following destinations. Console: Messages are displayed on the RS-232 console. This applies whether or not you are logged in to the CLI. NOTE: Excessive messages to the console can prevent you from entering CLI commands. UDP: Messages are sent in raw UDP format to the UDP logger specified in the System > Logging Info > Logging Destination panel of this page. NOTE: This is for customer support
112. eld only if this security policy is used to identify a traffic stream for QoS management. See Quality > Group > Group tab on page 112. ToS: IP ToS tag value (decimal byte). This field is ignored if ToS is specified in firewall and NAT policies. This is used only if the preceding QoS parameter is configured. Sequence: Position of the new policy within the policy sequence (Begin, End, Position). If Position is specified, the index number specifies where the policy is inserted in the sequence. See Technical reference on page 125. Action: Indicates whether a packet matching the policy is accepted or rejected (allow, deny).

Dynamic tab
The firewall dynamically opens and closes ports for some data traffic. This page displays these dynamic policies. TCP-based applications such as Telnet and FTP, and HTTP applications, open connections to external servers which can be left idle for extended periods. Leaving a port open and idle creates a security risk. The BSGX4e has a firewall timer to terminate idle TCP and HTTP connections. The default settings are: TCP timer 7200 sec; HTTP timer 300 sec. You must use the CLI to change these settings. Use the command conf firewall tcp.

NAT
Network Address Translation (NAT) provides security by hiding the internal addresses of the LAN (private network) from the public Internet, and it provides economy by mapping mu
113. elds as follows and click Update when finished. Enabled: Enables the TFTP relay. Default is off. Server: IP address or FQDN of the external TFTP server. If using the DHCP client option, leave this field blank. DHCP: Enable to have the TFTP server address provided by the DHCP client on the WAN interface of the BSGX4e (on, off). Do not enable if you specified a server address for the Server parameter. Default is off. Allow: Types of TFTP messages to relay (get, all). Default is get. Sessions: Maximum number of concurrent TFTP sessions. This ensures that the CPU is not monopolized by TFTP packet relays. Default is 50.

Sessions tab
This page shows the current TFTP sessions active in the BSGX4e.

Cache tab
This page is where you enable and configure the caching feature. You must also specify which files to cache on the Files tab page. To configure caching, click Modify on the Cache tab page, fill in the fields as follows, and click Update when finished. Enabled: Enables TFTP file caching. Default is off. Size: Size of the file cache in MB (1-16). Default is 6 MB. Refresh: Cache refresh interval in minutes. Default is 240 minutes (4 hours). Download: Method for downloading files into the cache. auto: Files are saved to the cache while being downloaded by the TFTP relay function. tftp: Files are downloaded into the cache using an internal TFTP client. ftp: Files are downloaded into the cache
114. er Accounts, DHCP Server, Radius, TACACS, SNMP, SSL, Upgrade, Configuration, License, Logging Information, Logging Modules, Operations (System menu items shown in the screenshot)

Upgrade system image
(screenshot of System > Upgrade: the Software panel lists two image slots, slot 1 and slot 2, each with its image version and build date; a Bootloader Load File field with Browse and Upgrade buttons; and the Application image to boot from panel with Slot, Default, and Detail columns)

Use the Upgrade page to import new system software image files and bootloader files. You can store two image files and define which to use for booting the system. The manual configuration and user settings you made persist through an image upgrade. You acquire system update files at Nortel's support Web site.

System Upgrade
Perform the following steps to import a new software image:
1. Acquire the new image file and store it on the PC connected to the BSGX4e.
2. Use the Browse button to navigate to the file stored in Step 1.
3. In the upper panel, select the slot in which to load the new image. Normally this is the slot that is not currently in use. In the lower panel, the slot to boot from is automatically detected as the slot to which the new image was loaded. Click the Upgrade button. The importing process takes a few minutes. You are notified whe
115. ersion. In ASNParseErrs: Total number of In messages with ASN.1 BER errors. In BadCommunityUses: Total number of In messages with a disallowed operation. In NoSuchNames: Total number of In messages with noSuchName in error status field. In TooBigs: Total number of In messages with tooBig in error status field. In GenErrs: Total number of In messages with genErr in error status field. In ReadOnlys: Total number of In messages with readOnly in error status field. In TotalSetVars: Total number of Set Request PDUs processed successfully. In TotalReqVars: Total number of Get Request and Get Next PDUs. In GetNexts: Total number of Get Next PDUs. In GetRequests: Total number of Get Request PDUs. In GetResponses: Total number of Get Response PDUs. In SetRequests: Total number of Set Request PDUs. Out TooBigs: Total number of Out messages with tooBig in error status field. In Traps: Total number of SNMP Trap PDUs accepted and processed. Out GenErrs: Total number of Out messages with genErr in error status field. Out NoSuchNames: Total number of Out messages with noSuchName in error status field. Out GetNexts: Total SNMP Get Next PDUs generated. Out GetRequests: Total SNMP Get Request PDUs generated. Out GetResponses: Total SNMP Get Response PDUs generated. Out SetRequests: Total SNMP Set Request PDUs generated. Enable AuthenTraps: Permission to generate authentication failure traps (enabled 1, disabled
116. erview page (31): Listing of more detailed system data. Change the unit name and country. Set parameters of the command shell used for CLI.
- Services page (33): Enable and configure ports for HTTP(S) and telnet connections. Configure DNS, SNTP, and SSH services.
- User accounts page (41): Create and modify user accounts. Assign groups and privileges. Assign passwords.
- DHCP server page (47): The BSGX4e can provide DHCP service for devices connected to the LAN (eth1, vifn). Modify the default profile or create a new one.
- RADIUS page (53): Configure RADIUS authentication service.
- TACACS page (53): Configure TACACS authentication service.
- SNMP page (56): Configuration for remote monitoring of the system.
- SSL page (59): Configure key and certificates for SSL encryption.
- Upgrade page (62): Load software and bootloader upgrades. Switch between software configurations.
- Configuration page (63): Display current system configuration parameters. Export or import a configuration file.
- License page (64): Copyright statements from developers whose code is used in the Web UI.
- Logging information page (64): Configure message logging for which types of messages are sent to which destinations.
- Logging modules page (67): Configure modules (system functions) for which message types are logged.

Status page
Figure 2: Status page (screenshot)
117. eshared key value must be configured at the remote secure gateway. All IKE negotiations run over UDP on port 500. A firewall security policy must be configured to allow incoming UDP traffic to destination port 500 from the remote secure gateway. The BSGX4e does not support aggressive mode IKE negotiations; the remote secure gateway must be configured to use main mode. The peer can be specified by a fixed IP address or by a host name. The DNS server resolves a host name to its current IP address. The IPsec SAs negotiated are determined by the configuration of IPsec policies and IPsec proposals.

Configuration
In the display pane, click New to open the configuration page. Fill in the fields as shown below. Click Update when finished. To modify an existing proposal, click the Peer name in the display to open the Properties page, then Modify to open the configuration page. To delete an entry, enable the check box next to the policy name on the display page, then click Delete. Peer: Host name or IP address of the remote gateway peer. Enter an IP address or host name. Key: Name of the preshared key (up to 50 characters). The same preshared key must be configured at the remote gateway.

Security > IKE > Parameters tab
The IKE security association is re-negotiated when its lifetime expires; the shorter the lifetime, the more frequently the IKE SA is re-negotiated. Therefore, a shorter lifetime increases security. The BSGX4e has tw
118. ession control functions perform this sequence of tasks:
1. Configure access to one or more SIP/MGCP servers.
2. Configure the SIP/MGCP session controller.
3. Configure the SIP/MGCP user agent.
4. Configure any SIP/MGCP devices connected to the LAN ports.
NOTE: The firewall is automatically configured to allow traffic between the session controller and the SIP or MGCP servers.

Voice > Session Control > SIP Server
The SIP server configuration profile determines how the BSGX4e session controller accesses SIP proxy servers to provide VoIP service. This page has two tabs:
- Configuration: Server access configuration profile for the session controller
- Status: Displays all the servers, the server in use, and their operational status
A server profile can specify up to three SIP proxy servers, or it can specify no servers. If no server is explicitly specified, the session controller locates a SIP proxy server using the DNS service (page 36). The DNS service is disabled by default.

Configuration tab
Click New to open the configuration page. There are technical notes below the table discussing proxy servers and inbound servers. The configuration parameters for the SIP server profile are as follows. Name: Enter a name for the server profile being created. Domain: Registrar domain for registering SIP phones (FQDN, IP address). This parameter is required. Pr
119. ete the key, certificate request, and certificate with the Command Line Interface (CLI) console:
del ssl key rsa
del ssl csr x509
del ssl cert x509
Then the steps for a new SSL configuration are:
a. Generate a new SSL key with the default values. On the Keys tab, click Modify, then Update.
b. Generate a new SSL CSR. On the Cert Req tab, click Modify, then Update.
c. Generate or import the SSL certificate. On the Certificates tab, click Modify, then Update.
During the time that a profile is being regenerated, new SSL connections cannot be established. The Status field on the Keys page displays generating during the generation process and displays OK when the process completes. The Cert Reqs and Certificates tabs also have a status field.

Configuration
As explained above, the default SSL configuration is applicable in most situations. This section explains the configuration parameters in those situations where you need to regenerate a key or a certificate, or a key and a certificate. Any modification to the Keys or Cert Reqs profile causes regeneration.

System > SSL > Key tab
The BSGX4e has a private SSL key by default, which is randomly seeded, 1024-bit, and RSA encrypted. Normally, a new private key does not need to be generated unless the security of the existing key has been compromised. The process for generating a new key can take several minutes, depending on the size of
120. f spoof attacks. Therefore, by default, spoof protection is not needed on LAN interfaces.
- IDS assumes that a VPN secures its traffic from spoof attacks. VPN interfaces are trusted.
The default setting for each interface is: eth1 trusted; vpn trusted; eth0 untrusted; ppp untrusted; vif (WAN) untrusted; fr untrusted; vif (LAN) trusted. NOTE: Spoof detection for a VPN interface must always be set as trusted. You can change the trusted/untrusted setting of an interface by clicking its name in the IDS Spoofing > Interface column of the display pane. When the properties page opens, click Modify. This section displays all interfaces with a valid static or dynamic IP address. If an interface is not displayed, an address problem is indicated.

Security > IDS > Attacks tab
This is a display-only page that lists a count of the various attacks the IDS has detected. The Refresh button updates the statistics. The Clear button resets the counters to 0. NOTE: To protect itself from being overwhelmed by a denial of service attack, the IDS counter is limited to reporting 64 packets per second. Thus, the actual packet rate can be greater than the value reported by the IDS counter. Total IDS attacks are reported on the Web UI home page in the System pane. IDS also reports attacks as Warning entries in the system log. The log can be viewed on the Web UI home page or with the CLI command
121. fault policies for the BSGX4e.

Table 15: Default firewall policies, BSGX4e
Destination port | From | To | Protocols | Usage
22 | eth0 | self | TCP, UDP | SSH, SFTP
23 | eth0 | self | TCP | Telnet
80 | eth0 | self | TCP | HTTP
443 | eth0 | self | TCP | HTTPS (TLS/SSL)
any | eth1 | self | any |
any | eth1 | eth0 | any |

Additional security policies
This section describes additional policies that you must add for various features in the BSGX4e.

QoS quality groups
The BSGX4e applies QoS by assigning selected traffic streams to a quality group. VoIP traffic is assigned in the Media and Session Control sections; certain system control signals are assigned in the Quality section. For all other traffic that you want under QoS management, you must create a security policy. The configuration of that policy specifies how the traffic stream is detected (for example, by address or port) and the quality group to which it is assigned. As an example scenario, a commercial store has a point-of-sale credit card reader that must not experience significant delay. The card reader is known to the BSGX4e by address 10.10.10.120, port 7750. A quality group named credit was created for the card reader traffic. The security policy has the following configuration: From: <LAN interface>; To: <WAN interface>; Source IP: 10.10.10.120; Source port: 7750; QoS: credit. Other elements th
fication type from the Type drop-down list. Select the desired scheduling method from the Scheduling drop-down list. Click Update when finished.

Data > Switch > ARL

Address Resolution Logic (ARL) maps MAC addresses to specific LAN ports. This enables packets to be switched between ports based on the destination MAC address in the packet.

Figure 29 ARL page (Data > Switch > ARL). The configuration form has the fields State (description of entry), Mac (MAC address, shown as 00:14:D1:35:23:B7 in the figure), Priority (priority associated with this entry: LOWESTQ, LOWQ, HIGHQ, HIGHESTQ) and Ports (ports associated with this MAC address: MII, 1 to 4), with an Update button. Below it, the Switch ARL Table lists the current entries:

  Index   State     Mac                 Priority   Port
  1       Static    00:00:00:00:A5:6B   LOWQ       4
  2       Dynamic   00:14:D1:35:16:E9   N/A        3
  3       Dynamic   00:15:93:00:30:C7   N/A        MII

The table has Clear and New buttons.

Technical reference

Dynamic entries: A MAC address learning process automatically builds the ARL table as a forwarding database. The entries it creates are dynamic entries that are regularly flushed from the table at a given interval.

Static entries: You can add entries to the ARL table. The entries created are static entries; static entries are not ag
figured on the LAN ports.
- Up to 500 IP addresses can be configured on each server.
- Options can be enabled for each interface, vendor class or MAC address.
- Lease information is saved in non-volatile memory so it can be retrieved immediately after a restart.
- The DHCP server relies on DNS for name/address translation. It connects to a DNS server through the DNS client (page 36), which must be appropriately configured.
- The DHCP relay (page 78) and DHCP client (page 71) must both be disabled on eth1 to implement the DHCP server.

Configuration

Perform the following tasks to configure the DHCP server.

System > DHCP Server > Pool tab

The DHCP server pool is where you configure the network parameters and assign an option group. A DHCP pool is automatically created for the eth1 LAN interface when the BSGX4e is first initialized after bootup. IP addresses are leased from the address pool.

To create a new pool for a virtual (vif n) interface, click New to open the configuration page and fill in the fields as described below. To modify an existing pool, click eth1 or vif n in the display to open the properties page, then click Modify to open the configuration page. You can delete interface profiles by activating the check box next to the profile on the display page, then clicking Delete.

Fill in the fields as follows; click Update when finished.

interface 1 The BS
fines the local numbering plan as follows:

  Prefix for outbound calls (OBAccess)    9
  Area code                               408
  Central office prefix (COPrefix)        555
  Length of extension number (ENLength)   4

This configuration supports calls as follows:

  Number dialed   Action
  2210            Four-digit call, so only local accounts are checked.
  9411            Outbound prefix, so the number is interpreted as an outbound call for 411.
  95552210        Outbound prefix but also central office prefix, so only local accounts are checked for 2210.
  96872210        Outbound prefix but not central office prefix, so route 6872210 to the PSTN.
  914085552210    Central office prefix, so only local accounts are checked for 2210.

APPENDIX 12 QUALITY OF SERVICE

This appendix provides a technical description of the theory and application of QoS (Quality of Service) in the BSGX4e. QoS is a method to reserve bandwidth and establish transmission priorities for critical services during those times when your Internet link is at full capacity. The most common application of QoS in the BSGX4e is for VoIP, where it provides uninterrupted service.

Configuration summary

This summary describes the layer 3 QoS configuration process. The layer 2 configuration process is relatively simple and is covered in the section QoS page on page 98.

The QoS configuration process for SIP/MGCP de
g in security protocol (SHA, RADIUS, TACACS)
Rights   Operation permissions (read, write)

Default configuration

User interface with the BSGX4e is managed with user accounts, user groups and user rights. The BSGX4e is delivered with the following predefined configurations:
- Two user groups: one for administrators (admins) and one for other users (users). The admins user group is granted all access modes; the users user group is granted only Web and CLI access.
- Two user accounts: one for administrators (admin) and one for other users (user). The admin account belongs to both predefined user groups, admins and users; the user account belongs only to the users user group. Access passwords are controlled in the user accounts.
- Three rights identifiers: one for the admins user group (admin) and the other two for the users user group (useradv and userbasic). These identifiers are displayed on the Rights tab page. All rights are granted to admins; the two identifiers for the users user group grant read-only permission to some commands and read-write permission to other commands. See Table 4.

Each field on a Web UI page is a command parameter, and the Update button executes the command. A command acts on a configurable parameter referred to as an object. Each object has an authority setting of either Admins or Users, which works with the rights identifier to determine the perm
group. See Security > Policy > Static tab on page 130.

Configuring a new quality group

If you need to create a new quality group, click New in the Group tab page and fill in the fields as described below. Click Update when finished. To modify an existing group, click the Name in the display to open the properties page, then Modify to open the configuration page. To delete an entry, enable the check box next to the group name on the display page, then click Delete.

Name   Name of the quality group to be created.
Link   QoS link, which is the WAN link over which QoS transmits. This setting must be eth0.
QG     QoS quality class for setting priority: A1, A2, A3, B1, B2, B3, C1, C2, C3, BE. Default is A1. BE (best effort) specifies no QoS prioritizing. Up to 10 quality groups can be assigned to the same QoS class.
Type   Policing method: car, policed, besteffort. The default is policed.
       - policed: Strict policing at an absolute bandwidth rate. Traffic that exceeds the rate is discarded.
       - car (committed access rate): A committed absolute rate plus the ability to burst into available BE bandwidth up to the designated burst limit. Traffic that exceeds the committed rate is either burst into BE space or is discarded. Traffic that exceeds the burst rate is discarded.
groups, configure options and assign the options to groups. The option group can then be assigned to a specific interface, host or vendor class as needed.

A DHCP option contains information that is sent to a LAN client when it is assigned an IP address by the DHCP server. It typically describes a network configuration and various services that are available on the network.

Functional characteristics

The Group Option feature has the following characteristics:
- A group cannot be deleted if it is referenced by another configuration entry on the Pool or Host pages.
- A group cannot be renamed if it is referenced by another configuration entry on the Pool or Host pages.
- A group cannot be modified after being created. If you need to change the group option parameters, you must delete the option and create a new one.
- An option code can be assigned to different groups, with the same or a different value for each group.
- Multiple option codes can be assigned to the same group.
- A maximum of 32 groups can be created.

Configuration

The Option page is divided into DHCP Group and DHCP Option sections, as shown here. (Figure: the DHCP Group section, reading "No information available", with Delete and New buttons.)

Click New under the DHCP Group heading and enter a name for the new group.

DHCP Option

Click New under the DHCP Option heading and configure the parameters as follows:

Id   Enter a number. If you enter new, t
h of all quality groups cannot exceed 90% of the QoS link rate.

CAUTION: Do not enter a link rate that is higher than your actual bandwidth. If quality group bandwidth is configured based on this excessive rate, you can experience interrupted service from the applications under QoS management.

The BSGX4e supports just one QoS link, which is the WAN interface. This is designated as eth0 for the BSGX4e model. You cannot configure the QoS link on a virtual interface such as VPN or VLAN, or on PPP.

Configure the QoS link as follows:
1. Click New to open the configuration page.
2. The appropriate Interface normally displays by default. Select it from the drop-down list if necessary.
3. Enter the network connection rate in bits per second (bps) into the Max field. This is normally the uplink rate indicated by your network service provider. However, if your actual rate is significantly different than the indicated rate, use the actual rate. The eth0 link on the BSGX4e is limited at 100,000,000 bps.
4. Add a comment as desired. Click Update when finished.

(Figure: the Link page, QoS Link, "Configure the bandwidth of the specified interface", with a comment field for this link and the speed of the link, 64000 to 100000000 bps.)

Quality > Link > Stats tab

This tab page provides performance data on packet and byte traffic. The displayed data is self-explanatory. The display shows cumulative statistics for all
hat the client points to depends on a combination of configuration settings.
- The BSGX4e default configuration includes the DNS client Source set to auto. The DNS client looks for a server address first from a DHCP server, then from a PPP server, and finally from the last stored user-defined address. If no address can be found from any source, the displayed address is 0.0.0.0. The DHCP client on the WAN port is also enabled by default. The DHCP client searches for a DHCP server on the WAN for all interface types except PPP. With the DNS client Source set to auto, the DNS client obtains an address from the DHCP server found by the search. If none is found, the DNS client searches for a PPP server, which cannot be found if a PPP interface is not defined. The DNS client then looks for the last user-defined address.
- If a PPP interface has been configured on the WAN port, the DHCP client has to be disabled. The DNS client cannot contact the DHCP client, so it next attempts to get a DNS address from the PPP server. If the PPP server does not provide a DNS address, the DNS client looks for the last user-defined address. If no address can be found from any source, the displayed address is 0.0.0.0.
- If Source is set to dhcp, the DNS client relies on the DHCP client to obtain a server address, as in the preceding paragraphs. If the DHCP client fails to obtain an address, there are no further searches and the displayed address is 0.0.0.0.
- If Source is
he analog device is on hook.
OB (OutBound) Calling      The analog device is off hook or a phone number is being dialed.
OB (OutBound) Proceeding   The remote party is ringing.
IB (InBound) Proceeding    The analog device is ringing.
Disconnecting              The remote party is disconnected.
Connected                  The analog device is in communication.

Voice > User Agent > Numbering Plan

This feature applies only to a SIP User Agent, not an MGCP User Agent.

When an analog device such as a phone is connected to the Phone port, a numbering plan might be needed to make full use of the features of the device. The SIP User Agent uses a numbering plan to interpret any feature-related string entered from the analog device.

The numbering plan consists of a collection of entries, each defining how a specific string from an analog device is to be interpreted. Each string is categorized as either a phone number to be dialed or a service code to invoke a feature. The User Agent compares the string from the device to the entries in the numbering plan and translates it as needed before the string is sent to the SIP server.
- For phone numbers, the string of digits can be translated as follows:
  - Digits can be stripped from the beginning of the number.
  - Digits can be prepended to the beginning of the number.
- For service codes, the digits dialed are sent without modification. For the user to activate a service, he or she enters the defined number string and adds a hash cha
he configuration page. The configuration parameters are as follows:

Mode      Jitter buffer type: fixed, adaptive. Default is adaptive.
Maximum   Maximum delay (ms) introduced by the jitter buffer. Applicable only to adaptive mode. Default is 120 ms.
Nominal   Nominal delay (ms) introduced by the jitter buffer. Default is 40 ms.
Minimum   Minimum delay (ms) introduced by the jitter buffer. Applicable only to adaptive mode. Default is 20 ms.

Stats tab

The following statistics are available on the Stats page:

Port          1 (Phone, FXS), 2 (Line, FXO)
RxFrames      Number of packets received.
CurrJitter    Current average jitter detected.
CurrDelay     Current packet delay due to the jitter buffer (ms).
MinDelay      Minimum packet delay due to the jitter buffer (ms).
MaxDelay      Maximum packet delay due to the jitter buffer (ms).
Overflowed    Number of packets dropped due to overflow.
Underrun      Number of packets dropped due to underrun.
OutOfOrder    Number of packets out of sequential order.
Duplicated    Number of packets dropped due to duplication.
LateDropped   Number of packets dropped due to late arrival.

Session control

This section is where you configure SIP and MGCP servers, the session controller and the SIP LAN gateway, if needed. These pages also display SIP/MGCP statistics.

To configure either SIP or MGCP s
he group. The user can log in with either SHA or external password.

Users are allowed three log-in attempts. After that, the console is locked against all log-ins for 15 minutes or until the BSGX4e is power cycled. All invalid log-in attempts are recorded in the audit log.

The admin user can change the password on any user account that has internal authentication.

Configuration

Perform the following steps to create new or modify existing user accounts, groups and rights. You can create up to 20 user accounts and 10 user groups.

NOTE: If you are using RADIUS or TACACS authentication, read the section RADIUS and TACACS on page 53 before configuring a user account here.

System > User Accounts > Users tab

(Figure: System > User Accounts, Users tab, headed "You can create up to 20 user accounts", with columns Name, Password, Auth, Group1, Group2, Group3, Group5 and further group columns; the predefined user account is listed with web and cli access, SHA authentication and the users group.)

With the Users tab active on the User Accounts page, click New to create a profile. To modify an existing profile, click the profile name, then click Modify. To remove a user account, select the check box next to the account name, then click Delete. Note that you cannot remove the predefined admin and user accounts.

Fill in the fields as follows; click Update when finished.

Name   Log-in name of the new account being
he next sequential number is automatically assigned.
Group   Select the group name to which you are applying an option.
Code    Select the option code to apply to the selected group.
Value   Enter an appropriate value for the selected code:
  bootfile name         Text. Identifies a bootstrap file.
  domain name           Text. The domain name the client must use when resolving host names through a DNS.
  domain name servers   IP address. A list of DNS servers available to the client. Enter multiple servers separated by a comma. List the servers in order of preference. NOTE: Read the DNS entry under the Functional characteristics on page 48 for reference.
  ntp servers           IP address or domain name. A list of NTP time sync servers available to the client. Enter multiple servers separated by a comma. List the servers in order of preference.
  option 150            IP address. Proprietary DHCP option. Location of a TFTP server for proprietary terminals (Cisco, for example).
  option 151            IP address. Proprietary DHCP option. Location of a SIP server for proprietary terminals (Cisco, for example).
  option 160            IP address. Proprietary DHCP option. Location of a TFTP server for proprietary terminals (Polycom, for example).
  option 161            IP address. Proprietary DHCP option. Location of an FTP server for proprietary terminals (Polycom, for example).
  routers
hod specified here only if its own authentication method is not specified and the authentication method of any groups in its group list is also not specified.
  SHA      Internal authentication. Default.
  RADIUS   External authentication (page 53).
  TACACS   External authentication (page 53).
  For external authentication, you must also configure an authentication client profile. Follow the RADIUS and TACACS page links above.
Allow All   Whether or not users associated with this group are allowed all rights or held to only those defined on the Rights page. Default is no.

System > User Accounts > Rights

NOTE: The two permissions (Access mode allowed) are read and write. The execute permission is not used.

As explained in the section Rights on page 42, the permissions for any given command are defined by the combination of the rights identifier and the object name in the command's authority parameter. Each page in the Web UI is the equivalent of a command. The three predefined identifier profiles and the groups to which a user account is assigned determine the rights that a user has.

The default users, groups and rights cover all usage scenarios. If you create new user accounts, you can copy these default configurations to accomplish the access authorization and rights combination you desire.

With the Rights tab active on the User Accounts page, click Ne
ic (non-TCP) experiences only minimal packet loss and delay.

When you designate a QoS quality group as the downstream carrier, it does not apply the upstream QoS parameters to the downstream traffic. The function of the quality group in the downstream direction is to identify quality traffic, create the Classifier policy and process the stream through the downstream QoS queuing mechanism.

CAUTION: Enabling Downstream QoS in too many quality groups can result in excessive restriction of TCP traffic, causing unacceptable delays in affected applications.

Downstream QoS is recommended for VoIP applications and the ARP/PPP control signals. If you have other non-TCP applications for which you have created a quality group, they can also utilize Downstream QoS. However, depending on your bandwidth and level of Internet usage, having too many Downstream QoS quality groups can cause a noticeable reduction in the responsiveness of TCP-based applications.

Downstream QoS page

Figure 35 Downstream QoS page (Quality > Downstream QoS, with Link, Status and Stats tabs). The Link tab shows linerate 1000000 bps, encapsulation ethernet, and a Modify button.

Quality > Downstream QoS > Link tab

The Link tab is where you specify the downstream link rate and encapsulation type. The BSGX4e uses the encapsulation type to add overhead bandwidth to the downs
ices > SSH Configuration panel

The SSH server in the BSGX4e provides secure remote access to the BSGX4e client device over an insecure network such as the Internet. SSH version 2 is supported.

The BSGX4e SSH server is enabled by default. The default configuration is:

  Port                     22
  Host Keys                640-bit DSA
  Authentication Methods   keyboard, password and public key
  Services                 SSH and SFTP

You can disable the server or change the configuration parameters with the Modify button. Click Update when finished.

A firewall security policy must allow SSH access from the WAN terminating in the BSGX4e (self). This requires access for TCP traffic being routed to port 22. A security policy already exists by default. If you change the port configuration for the SSH server, you must create a new security policy.

A workstation connected to the BSGX4e's WAN or LAN must provide an SSH client such as PuTTY or SSH Secure Shell.

System > Services > DNS Configuration panel

The Domain Name Service (DNS) client in the BSGX4e sends requests to a DNS server on the WAN. A DNS request is used to obtain an IP address required by the BSGX4e, such as the IP address of a server that was specified by an FQDN. Two DNS servers can be configured, a primary server and a secondary. The DNS client is always active.

The default configuration of the DNS client is:

  DNS1   address supplied by DHCP client
  DNS2
iguration summary 189
SIP/MGCP Traffic 189
Other 190
QoS overview 190
Quality of service, Layer 2 191
Priority classification 191
Priority scheduling 192
Guarantee of service, Layer 3 193
Functional characteristics 195
Media and control signals 196
Managing other traffic 197
Call capacity 198
Appendix 13 Glossary 199
Index 203

LIST OF FIGURES

Figure 1 Components of the Web UI page 22
Figure 2 Status page 29
Figure 3 Overview page 31
Figure 4 Services page 33
Figure 5 User Accounts page 41
Figure 6 DHCP Server pages 47
Figure 7 SNMP agent configuration 56
Figure 8 SSL configuration 59
Figure 9 Upgrade system image 62
Figure 10 Configuration file Save/Restore 63
Figure 11 Logging information 64
Figure 12 IP Interf
ination IP   QoS
  eth0, ppp0, fr n, hdlc, atm   BSGX4e   <vpn IP address>   <quality group created for relays>

RIP security policy

The RIP routing daemon (see Data > Routing > RIP on page 94) listens for messages on port 520. Configure the security policy shown in Table 22 if you enabled RIP.

Table 22 Security policy for RIP

  From         To       DPort   Protocol
  eth0, ppp0   BSGX4e   520     UDP

Security > Policy page

This page is where you view existing policies and configure new ones. The page has two tabs, Static and Dynamic. Dynamic policies are those created automatically by applications running on the BSGX4e. Static policies are created manually or by the Initial Setup Wizard.

Security > Policy > Static tab

This page is where you create new security policies. As discussed above, some default policies exist, and the Initial Setup Wizard creates policies if PPP or frame relay encapsulation is selected. You must create policies manually for VPN and VLAN. Some specialized applications can require a unique security policy.

Perform the following process to create a new security policy. In the display pane, click New to open the configuration page. Fill in the fields as shown below. Click Update when finished. A security policy cannot be modified; you must delete the policy and create a new one with the modified parameters. To delete an entry, enable the check box next to the port n
introduction

Entering numerical data

The underlying architecture of the Web UI allows you to enter numerical data in decimal, hexadecimal or octal format. If you enter configuration data in hexadecimal or octal and then view the corresponding display page, you see the number has been converted to decimal. This can cause confusion for an ID field, where the number is used only to identify a record or profile. Nortel recommends that you use decimal numbers in these fields. The Web UI processes any number that begins with 0x as hexadecimal, and processes any number that begins with 0 as octal.

2 SYSTEM PAGES

(Lead figure: the System menu pane of the Web UI for MyUnit 192.168.1.1, listing Overview, Services, DHCP Server, Radius, SNMP, SSL, Upgrade, Configuration, License, Logging Information and Logging Modules.)

This chapter describes the configuration and status pages available from the System button on the button bar. The functional topics of the pages are listed in the menu pane of the Web UI window, as shown in the lead figure on the left. The System Status page is the home page of the Web UI and is the page that appears when you log in.

The following list provides an overview of the configuration and status functions on the System menu:
- Status (page 29): Graphical displays showing call load and other operational data. Software version and other system data are displayed. A system log viewer shows the latest log entries.
- Ov
ios.

Figure 28 Layer 2 QoS functionality. The BSGX4e LAN Switch Engine (100 Mbps): priority scheduling is performed by either Weighted Fair Queuing (with WFQ weights per queue) or Fixed Priority; incoming packets are classified by either port number, 802.1p tag bit value or ToS/DiffServ tag bit value.

The configuration process consists of configuring a priority classification type (IEEE, port or ToS) and a priority scheduling method (WFQ or fixed). See the section Quality of service, Layer 2 on page 191 for a technical reference on these items.

Layer 2 QoS is always operating, with the following default settings:
- Classification type: Port. See Table 10 below for the default settings of each type.
- Scheduling method: WFQ.

These settings treat all LAN traffic the same, effectively disabling layer 2 QoS. You must modify these settings to accomplish prioritizing of traffic.

Table 10 Default priority classification settings

  Priority queue   Port        IEEE bit value   ToS bit value
  LOWESTQ          All ports   1, 2             0-15
  LOWQ                         0, 3             16-31
  HIGHQ                        4, 5             32-47
  HIGHESTQ                     6, 7             48-63

Layer 2 QoS cannot operate if flow control is enabled on any LAN port. See Data > Switch > Ports tab on page 96 for flow control status. Flow control is dis
issions being granted. See the next section for more detail.

NOTE: This predefined user management configuration cannot be deleted or renamed.

Rights

Whether you have read or read-write permissions for each command is determined by the rights identifier, which assigns access modes based on a combination of the group and the object authority settings. Your user account determines to which group you belong, and the object authority is set at the factory. Table 4 demonstrates this principle.

Table 4 User rights permissions

  Log in   Identifier   Group    Object   Permissions
  admin    admin        admins   Admins   read, write
  user     useradv      users    Admins   read
  user     userbasic    users    Users    read, write

Passwords

Passwords are set in the User Account configuration page. You are advised to change the default passwords during setup of the BSGX4e. The default passwords are admin user admin user user netcat.

Password authentication can be internal (SHA) or external (RADIUS and TACACS). For external authentication, you must also configure the RADIUS or TACACS client (page 53) after configuring the user account.

You can have a situation where the user account is set for SHA authentication but the groups the user account belongs to are set for one of the external authentication servers. This does not create a conflict, even if the user account is configured to inherit the authorization properties from t
ity queues, which are labeled HIGHESTQ, HIGHQ, LOWQ and LOWESTQ. Figure 43 shows this contention and the priority queues.

Figure 43 Layer 2 QoS contention. The Routing Engine (100 Mbps) feeds the priority queues; priority scheduling is performed by either Weighted Fair Queuing or Fixed Priority; incoming packets are classified by either port number, 802.1p tag bit value or ToS/DiffServ tag bit value.

Priority classification

Incoming traffic is detected for a priority queue by setting the BSGX4e LAN switch to use one of the three following classification types. See QoS page on page 98 for the configuration process.
- Port number: Associate each BSGX4e LAN port with a priority queue.
- IEEE 802.1p bit value (CoS): Used with VLANs. Configure the LAN devices to set the appropriate 802.1p priority bit value for the desired priority level. The BSGX4e associates that value with a priority queue. This IEEE 802.1p priority notation is commonly called CoS (class of service). It is three bits in the User field of the ISL frame header.
- ToS (type of service) DiffServ bit: Configure the LAN devices to set the appropriate ToS priority bit value (8 bits in the IP header) for the desired priority level. The BSGX4e associates that value with a priority queue
led for those switches. Each phone registers with the BSGX4e session controller as a SIP endpoint. The endpoint is identified to a specific user by the phone number and the phone's IP address.

Any incoming SIP call for a given user is then routed by the SIP server to all of that user's registered endpoints with that phone number.

Forking also applies to an analog phone connected to the BSGX4e User Agent. The session controller registers the phone as an endpoint associated with a given user.

The maximum number of forked lines a user can have is determined by the configuration of the SIP server. If the number exceeds the limit of the server, new registration requests are declined.

Status tab

This tab page displays the operational status of the SIP session controller (SSC). The fields are self-explanatory. The SSC Server Ready field indicates whether or not the server is active.

Calls tab

This tab page displays statistics on the current call traffic. The fields are mostly self-explanatory. The section Total outbound calls from LAN applies to calls that originated from LAN endpoints. The section Total inbound calls from WAN applies to calls that originated from the SIP server. A local call from a LAN endpoint to another LAN endpoint is shown twice in the statistics: it is counted both as a LAN outbound call and as a WAN inbound call.

Endpoints tab

This tab page displays the LAN endp
lf-duplex mode and pause frames for full-duplex mode. Default is no (disabled).

Data > Switch > Mirror tab

This tab page configures port mirroring, which duplicates traffic from one port to another.

CAUTION: Port mirroring is intended for troubleshooting only. When finished, remove the mirroring configuration so that unit performance is not degraded.

Technical reference
- Mirroring can be configured either for outbound traffic or for both inbound and outbound traffic.
- Port mirroring applies to LAN ports only.
- The mirroring port and the port being mirrored should have the same speed.
- To stop mirroring, set the Direction parameter to none.

Configuration

In the display pane, click New to open the configuration page. Fill in the fields as shown below. Click Update when finished. To delete an entry, enable the check box next to the port number on the display page, then click Delete.

Port        Port whose traffic is mirrored: 0, 1, 2, 3, 4.
To          Destination port where the mirrored traffic goes: 1, 2, 3, 4. If mirroring is in progress, the default is the current destination port.
Direction   Direction of traffic to mirror: both, out, none. Default is both. Specify none to suspend mirroring.

Data > Switch > Stats tab

This tab page displays traffic statistics for each port.

QoS page

The LAN switch in the BSGX4e unit provides a layer 2 Quality of Se
lf   self

  Field         Policy 1   Policy 2        Policy 3
  Source IP     any        195.178.11.11   195.178.11.11
  Dest IP       any        any             any
  Source port   any        any             any
  Dest port     any        500             any
  Proto         any        udp             esp
  NAT           0          0               0
  QoS ToS       any        any             any
  Sequence      begin      begin           begin
  Action        allow      allow           allow

5. Create a route table entry for vpn0 (Data > Routes > Table).

                Main office      Branch office
  Destination   192.168.2.0/24   10.10.10.2/24
  Gateway       not required     not required
  Interface     vpn0             vpn0

BSGX4e to ISP example

This example shows a typical configuration for a VPN between two BSGX4es located at a main office and a branch office. You need the following network information to accomplish this task. The values shown are used in the example.
- Shared key value is x232skd24scefk3o.
- IP addresses used are as follows:
    BSGX4e               192.168.100.1
    ISP                  192.168.100.2
    VPN gateway at ISP   10.254.254.254

Configuration

1. Configure the IPSec policy (Security > IPSec).
     Name       Tunnel
     Gateway    10.254.254.254
     Local      192.168.100.1 (range to)
     Remote     192.168.100.2 (range to)
     Proposal   VPN
   Note the Interface designator shown on the display page. You need this in Step 3.
2. Configure the IKE pre-shared key (Security > IKE).
     Peer   10.254.254.254
     Key    x232skd24scefk3o
3. Configure the vpn n interface as a WAN IP interface (Data > IP > Interface).
     Interface   vpn1 (from Step 1)
     IP
…low SNMP client to reach the agent, create the policy shown in Table 18.

Table 18 Firewall policies for SNMP
From          To     IP Address   DPort   Protocol
eth0, ppp0    self   any          161     UDP

DHCP relay security policy
If you are using the DHCP relay rather than the default DHCP server for LAN devices, you must create the firewall policy defined in Table 19. See Data > Relays > DHCP page on page 85 for reference.

Table 19 Firewall policies for DHCP relay
From                        To     Source IP     SPort   DPort   Protocol
eth0, ppp0, vif n on WAN    eth1   DHCP server   67      67      UDP

VPN security policies
If you created a VPN, it needs firewall policies for certain protocols, plus a policy for all traffic from the LAN to the VPN WAN interface. The vpn-to-self policy is specifically for a VPN to your ISP. The other policies are for two private networks to connect. See VPN on page 152 for reference.

Table 20 Firewall policies for VPN
From    To     Source IP        DPort   Protocol
eth1    vpn0   any              any     any
eth0    self   remote gateway   500     UDP
eth0    self   remote gateway   any     ESP
vpn n   self   any              any     ICMP

Relay security policies
If you want to protect relay traffic (see Relays on page 78) with QoS, you must create a security policy (see Table 21) to identify the relay traffic and assign it to the designated quality group.

Table 21 Security policies for relay
From   To   Dest…
…lt is off.
Fax: If a fax is connected to the FXS port, enables fax pass-through and either forces media to G.711 with echo cancellation (on) or enables re-negotiation of the CODEC with the remote party when a fax tone is detected (auto). Default is off.
VAD: Enables Voice Activity Detection (VAD) silence suppression. Default is no. Enabling VAD allows the unit to avoid sending silent RTP packets, thus conserving resources. However, VAD can silence very low sounds, lowering voice quality. If MLS and VAD are both enabled, VAD packets are not transmitted, but received VAD packets are processed.
Up: Enables/disables the MGCP User Agent. Default is yes.

Voice > User Agent > MGCP > Settings tab

This page modifies the MGCP protocol as it applies to the User Agent. The MGCP protocol can be modified for inter-operability purposes within the MGCP environment. These settings do not apply to the Session Controller. Click Modify to open the configuration page. Fill in the fields as follows. Click Update when finished.

DomainFormat: MAC address is the only format supported in this release.
MasReTxNum: Maximum number of re-transmissions when a request does not get an answer. Default is 5.

Voice > User Agent > MGCP > Status tab

This page displays the status of the SIP User Agent. The LineStatus field entries are as follows:
Inactive: The port is not up.
Idle: T…
…ltiple private addresses or ports to one public address. The basic purpose of NAT, as applied in the BSGX4e, is to multiplex traffic from the internal network and present it to the Internet as if it was coming from a single IP address.

Figure 37 NAT page (Security > NAT > Interfaces; example entries: eth0 on, alias 0.0.0.0; vif0 on, alias 20.20.20.20)

Technical reference
- NAT is designed to provide security and utility to WAN interfaces. Applying NAT to a LAN interface is not contemplated in this document.
- NAPT (network address port translation) or PAT (port address translation) are common terms associated with NAT. The technical difference between NAPT/PAT and NAT is whether or not the port number in the IP header is translated. This document uses the term NAT to refer generically to all translation.
- In general, NAT is accomplished by configuring NAT policies and corresponding security policies.
- The BSGX4e provides three NAT policy types:
  - Static: A direct 1-to-1 translation of a private LAN address to a public address. Normally configured for sessions initiated on the LAN.
  - Redirect address: Translates addresses of incoming WAN-to-LAN traffic based on IP address.
  - Redirect port: Translates addresses of incoming WAN-to-LAN traffic based on address/port combination.
…me from Step 1 and click Update.

5 SECURITY PAGES

This chapter describes the configuration and status pages available from the Security button on the button bar. The functional topics of the pages are listed in the menu pane of the Web UI window, as shown here on the left (Policy, NAT, ALG, IDS, Voice ACL, IPSec, IKE). The Security pages consist of various status and statistics displays and configuration pages related to the firewall, intrusion detection and various network security technologies.

The following list summarizes the configuration and status functions on the Security menu:
- Policy page (125): Create static firewall security policies. View static and dynamic policies.
- NAT page (132): Configure Network Address Translation policies on the WAN interface for LAN address translation. Enabled by default on BSGX4e.
- ALG page (139): Enable/disable the Application Layer Gateway for FTP, TFTP and PPTP traffic. Enabled by default.
- IDS page (140): Enable/disable the Intrusion Detection System for protection against anomaly, flood, scan and spoof attacks. Enabled by default.
- Voice ACL page (145): Maintain the Access Control List to control which LAN endpoints are allowed to place and receive calls. A default policy exists to allow all endpoints.
- IPSec/IKE/VPN page (147): Create VPNs, which include configuring IPSec and IKE to establish…
…n it is finished and prompted to reboot the system.

Perform these steps to import a new bootloader file:
1. Acquire the bootloader file and store it on the PC connected to the BSGX4e.
2. Use the Browse button to navigate to the file stored in Step 1.
3. Click the Upgrade button. You are notified when it is finished.

Configuration

The Configuration page has two tabs:
- Text Based shows a display of the current user configurations. These are listed as CLI commands.
- Save/Restore is where you import and export a configuration file.

Figure 10 Configuration file Save/Restore (System > Configuration > Save/Restore: "Select a configuration file to restore", Load File with Browse and Restore controls, and Download configuration with a Download control)

Best practices
After performing any manual configurations, save the changes, export a configuration file and store it outside of the BSGX4e so that you can re-import the configuration in the event of an emergency recovery.

System > Configuration > Save/Restore

Save: To save a file with the current configuration settings, click the Download button. You are prompted to select the storage location on the PC connected to the BSGX4e.
Restore: Perform the following to restore a configuration using a sa…
…n small and medium-sized enterprises.

Intended audience
This document is designed for use by network managers, administrators and technicians who are responsible for the installation and operation of networking equipment in enterprise and service provider environments. Knowledge of telecommunication and internet protocol (IP) technologies is assumed.

Organization
The following table describes the organization and content of this Web User Interface (UI) Operation Guide.

Table 1 Web UI operation guide organization
Chapter                  Contents
1 Web UI introduction    Layout, organization and navigation features of the Web UI
2 System pages           Configuration and status pages available from the System button: network services, user accounts, LAN DHCP server, external authentications, SNMP, SSL, system upgrade, logging
3 Data pages             Configuration and status pages available from the Data button: IP interfaces, WAN interface options, network relay services, routing tables, ARP and RIP, LAN switch configurations, VLAN
4 Quality pages          Configuration and status pages available from the Quality button: Quality of Service (QoS) configuration
5 Security pages         Configuration and status pages available from the Security button: firewall policies, NAT, ALG, ACL, IPSec, IKE
6 Voice pages            Configuration and status pages available from the Voice button: QoS associations, FXS/FXO ports, Session c…
…nection: Displays existing local calls.
- Settings: Configuration parameters for the Line port.

The BSGX4e can provide backup PSTN phone service if VoIP service is unavailable. If there is power to the unit, local call routing (LCR) connects internal LAN-to-LAN calls, and it routes external calls to the LINE (FXO) port, where they are converted from IP to analog. The LINE port connects to a PSTN at the central office. A VoIP service interruption can happen if the WAN connection fails, the call server connection fails, or no call server is available. However, it is not considered a service interruption when a VoIP call cannot be placed due to lack of bandwidth.

- Local calls: In LCR mode, LAN VoIP phones and analog phones on the PHONE port of the 2xx series models can place and receive local calls, meaning LAN-to-LAN calls which do not go out to the WAN. Local calls are established through the BSGX4e acting as a VoIP server.
- External calls: Limited external call service is available through the LINE port when connected to a PSTN line to a central office. Only outgoing calls are supported. Only basic telephone services are supported.
- Emergency calls: All emergency calls (911 in North America) are routed by LCR to the LINE port. This is true whether or not VoIP service is available.

When VoIP call service resumes, external calls are automatically received and placed as before.

Voice > Local Call Routing > Account tab
Fo…
…nt with various settings to determine the optimal configuration.

- SIP data: Multimedia applications using SIP, such as whiteboards and data transfer clients, are placed into the appqos quality group. This is a special name that the session controller recognizes. You must manually create this group. Multimedia applications register with the session controller. The session controller detects the multimedia data streams and assigns them to the appqos quality group. This assignment is automatic, so a separate action is not needed to associate this quality group with the session controller.
- ARP/PPP: You are advised to place these control signals under QoS management. You must first create a control group, then assign the ARP/PPP signals to it. That assignment is performed on the ARP/PPP page (page 121). Note that the Initial Setup Wizard creates a control quality group for this purpose and performs the needed assignment.

The recommended configurations for the SIP data and ARP/PPP quality groups are:

Parameter    Value
QG           C3 (SIP Data Group), A2 (ARP/PPP Group)
Type         CAR
Committed    64000
Burst        200000
Downstream   Yes

QoS parameters not shown here can be left at their default values. If you need to create a quality group for traffic that is not detected by the session controller or does not have a configuration page in the Web UI, you must create a firewall policy to identify the data stream and assign it to the quality…
…nterface (VIF). This section also includes an overview of the entire VLAN (virtual LAN) configuration process. A VLAN is an independent network formed as a logical subcomponent of a physical network. Since a VLAN functions as a separate network, its traffic is isolated from traffic on other VLANs and traffic on the rest of the physical network.

Figure 14 VLAN interface page (Data > Interface > VLAN: VLAN Interfaces table with columns VID, Interface, Status, VIF, Comment; example entry eth1 on vif0. Data > Interface > IP: IP Interfaces table with columns IP Address, Mask, MTU, DHCP client, Lease obtained, Lease expires, MAC Address, Speed, Configured Speed; example entries eth0 172.16.13.149, MTU 1500, DHCP client on, FULL100 AUTONEG; eth1 192.168.1.1 / 255.255.255.0; vif0 1.1.1.1 / 255.255.255.0)

Technical reference
The VLAN function in the BSGX4e has the following characteristics:
- The BSGX4e supports IEEE 802.1Q, which allows up to 64 VLANs across the four LAN switch ports.
- Up to 16 virtual interfaces (vif0 to vif15) can be created on the Interface > IP configuration page.
- VLANs are integrated into the host IP stack as separate layer 2 Ethernet interfaces.
- A VLAN is most commonly created on the LAN (eth1) interf…
…nts and access levels; set up VoIP components and other voice-related parameters; establish VPN or VLAN configurations; configure network services such as DNS, DHCP, SNTP and SNMP; configure LAN and WAN ports; configure firewall, intrusion detection, IPsec and security policies; monitor performance; upgrade software.

The Web UI accesses most BSGX4e configuration parameters. However, you must use CLI commands for some variable settings. See the CLI Reference document.

Window components

This section describes the main components that are visible in the Web UI window.

Figure 1 Components of the Web UI page (callouts: Assistance icons, Button bar, Unit name and address, User mode, Menu pane, Display pane, Operations pane, Panel within the display pane; the example System Status page shows Current Calls, Total Calls, Uptime, Call Server, CPU Util and Routing PPS (packets per second))

Button bar: Each button represents a category of functions, which appear as links in the menu pane on the left side of the window. The Web UI is open when the System Status page appears.
Assistance icons: Assistance icons provide the following services.
Information: Provides produc…
…o open the configuration page. Fill in the fields as shown below. Click Update when finished.

Lifetime: The security association lifetime used for negotiations. The default is 28800 sec (8 hours).
Maximum lifetime: The maximum allowed security association lifetime. The default is 86400 sec (24 hours).
DH group: Diffie-Hellman group to use for session key exchange. Your options are dh1024, dh768, nopfs and auto. The default is auto, which provides for automatic negotiation. Use the value nopfs to disable perfect forward secrecy.

Security > IPSec > SA tab

This tab page displays negotiated security associations. You can clear the display with the Clear button.

IKE

The Internet Key Exchange (IKE) protocol provides utility services for IPSec. It defines how pairs of secure gateways negotiate IKE security associations (IKE SAs). The IKE SAs that the BSGX4e negotiates are determined by the configuration of IKE pre-shared keys and IKE parameters.

Figure 42 IKE page (Security > IKE > Policies)
Priority   Encryption   Hash   Group
1          3DES         SHA    DH1024
2          3DES         SHA    DH768
3          3DES         MD5    DH1024
4          3DES         MD5    DH768
5          AES          SHA    DH1024
6          AES          SHA    DH768
7          AES          MD5    DH1024
8          AES          MD5    DH768
9          DES          SHA    DH1024
10         DES          SHA    DH768
11         DES          MD5    DH1024
12         DES          MD5    DH768
13         BLOWFISH     SHA    DH1024
14         BLOWFISH     S…
…o ports in the range are used for each media connection, one for RTP and the other for RTCP. Default range is 13000 to 14999.
AudioQoS: QoS quality group to which the VoIP media is assigned. This group has to be created prior to this step. The Initial Setup Wizard creates a quality group named voiceqos for this purpose.
MaxConn: This field is for engineering use only. Do not change the existing value.
DefaultVideoBW: Sets the video quality group bandwidth for a given session when the SIP video application uses a codec that is not recognized by the BSGX4e. Default is 640000 bps.
Direct media: By default, media stream routes are established between each device endpoint and the BSGX4e. The BSGX4e then bridges them to establish the end-to-end communication path to the devices on the BSGX4e LAN. If Direct Media is enabled, media routes are established directly between two LAN endpoints for a BSGX4e LAN-to-LAN call.

Default video bandwidth
The DefaultVideoBW parameter allows you to specify a default video bandwidth when the video codec does not specify the required bandwidth for a session. This occurs when the Session Description Protocol (SDP) codec does not contain bandwidth data, or when the video application is using a codec not supported by the BSGX4e. See SIP video on page 113 for more discussion.

Voice > Media > Gain

The Gain page of the BSGX4e 2xx series models has tw…
…o pre-defined lifetime parameters:
- Lifetime: The initial value used for negotiations with the remote host.
- Maximum Lifetime: The maximum value the BSGX4e accepts during negotiations.

Configuration
In the display pane, click Modify to open the configuration page. Fill in the fields as shown below. Click Update when finished.

Lifetime: Specify the IKE SA lifetime for negotiations. The initial setting is 86400 sec (24 hours).
Maximum lifetime: Specify the maximum allowed IKE SA lifetime. The initial setting is 259200 sec (72 hours).

Security > IKE > SA tab

This tab page displays negotiated security associations. You can clear the display with the Clear button.

VPN

A VPN is a method of creating a secure private network over a shared, insecure public network. A VPN is established by creating all the security (IPsec and IKE), routing and firewall policies between the peer hosts. The IPSec policy contains the network information that connects the peers of the VPN. Up to 10 VPN tunnels can be created concurrently.

To send WAN traffic through the VPN tunnel, the traffic is routed out the IP interface assigned to the tunnel (vpn n). The traffic is encrypted before it is sent. The IP interface allows features such as the VoIP session controller and user agent to be used across the VPN.

The basic procedure to create a VPN is as follows:
1. Configure IPSec policy…
…o tabs, FXO Gain and FXS Gain. These settings modify the DSP gain for the PHONE (FXS) and LINE (FXO) ports. The BSGX4e 4xx models do not have a PHONE port, so they do not have an FXS Gain tab. Impedance can also be modified with the Command Line Interface.

The LINE port connects the BSGX4e to the PSTN and provides limited backup phone service if SIP or MGCP servers are not available, as well as 911 service. The PHONE port on the BSGX4e allows you to connect an analog device, such as a phone or fax, for conversion to IP transport. See Local call routing on page 185 for more details on backup and 911 service.

Each port has a Tx (transmit, DAC) and Rx (receive, ADC) setting. Negative numbers are allowed and are indicated with a dash. The Tx and Rx defaults for FXO are 0 dB, and for FXS they are 6 dB.

Voice > Media > Local Jitter Buffer

The jitter buffer adds a small delay to incoming packets in order to regularize the packet flow and reduce jitter. This page has two tabs:
- The Settings tab, for configuring the buffer, and
- The Stats tab, for monitoring performance.

The buffer length can be specified as fixed or adaptive. A fixed-length buffer has an absolute length; an adaptive buffer has a minimum and maximum limit within which it varies with traffic demand. When modifying the buffer length, increased length causes more delay and less loss; decreasing the length causes more loss and less delay.

Settings tab
Click Modify to open t…
…o where a BSGX4e has been inserted into an existing network that was using a firewall appliance for the WAN interface. The result of this configuration is that the firewall still functions as if connected directly to the Internet. In this configuration you cannot have VoIP devices connected to the LAN side of the firewall in the data VLAN (vif1). VoIP devices must be connected directly to the BSGX4e LAN.

Proxies
The two proxy routes needed for this scenario are as follows:

Field    Proxy 1 value   Proxy 2 value
Id       ID 3            ID 4
From     eth0            vif1
To       vif1            eth0
IP       1.1.1.2/32      1.1.1.0/24
Enable   yes             yes

Firewall security policy and QoS group
This configuration requires a firewall security policy for the incoming eth0 > vif1 traffic, which you must add manually. This example uses the default QoS quality group, control, to perform the downstream QoS functions. You must create this quality group if it was not already created by the Initial Setup Wizard. See Quality > Group > Group tab on page 112 for a detailed discussion.

On the Security > Policy page, create a new policy with the following parameter values and leave all other parameters at default values. See the section Policy on page 125 for general instructions on security policies.

From: eth0
To: vif1
DestIP: 1.1.1.2
QoS: control

Figure 23 Proxy ARP subnet with firewall
Proxy ARP…
…ocated to a quality group is guaranteed. This means bandwidth is taken from BE and reserved for the quality group as needed, per session, up to the specified limit. The amount of reserved bandwidth is determined for each session request, with the remaining guaranteed bandwidth left for BE traffic. Multiple media streams can be assigned to one quality group. Multiple quality groups can be assigned to one quality class.

Voice streams from IP phones are identified automatically by the session controller in the BSGX4e. An IP phone identifies itself by registering with the session controller when it is first connected to the unit. The quality group defined for VoIP is associated with the session controller. Other media streams managed by QoS must be manually configured to define how they are identified. This is accomplished by creating security policies, which have fields to identify a stream and associate it with a quality group. See Managing other traffic on page 197 for more discussion.

The QoS processing described here applies to outbound traffic. Downstream QoS can be enabled to accommodate inbound traffic. See the section Downstream QoS page on page 118 for details.

Media and control signals

Various devices and functions use both a media payload stream and a control signal stream. For a critical device or function, you protect the media stream by putting it…
…oints (devices registered through the SIP session controller). The fields are mostly self-explanatory.
Act Calls: Real-time count of currently active calls for the endpoint.
Reg Timeout: The number of seconds before the call registration expires. The initial value is taken from the Expires field of the SIP REGISTER method. The value is decremented each second.

Technical reference

Endpoint status handling
Endpoint status handling saves LAN endpoint information in non-volatile memory so it can be retrieved after a restart. This is done when the LAN endpoint is registered to the SIP server. This function is not configurable for the SIP session controller.

Configuring endpoints
This section provides guidelines to configure the SIP endpoints to be managed by the BSGX4e. For an endpoint to be able to place and receive calls, it must be:
- Allowed access by the Access Control List (ACL)
- Registered with the SIP server through the SIP session controller

These requirements also apply to the SIP User Agent (page 175), because the session controller handles it as an endpoint. However, unlike other endpoints, an ACL entry cannot be configured to disallow the User Agent.

Endpoints register with the SIP server through the session controller. To be able to be registered, the SIP endpoints must be configured as follows:
- SIP registration must be enabled.
- The SIP proxy must be the LAN IP address…
…ol signal processing and association of the QoS signaling quality group. QoS media streams are detected by the media settings (page 161).
- Status: SIP session controller operational status display.
- Calls: Display of call traffic through the session controller.
- Endpoints: LAN endpoints (devices registered through the SIP session controller).

Control tab
Configure the parameters for detecting VoIP control signals and routing them to the SIP server on this tab page. A server profile (page 164) must be configured before it can be specified for use by the session controller. Click Modify to open the configuration page. The configuration parameters for the SIP server profile are as follows:

Server: Select the name of the SIP server profile to be used from the drop-down list. This is the server configured on the SIP Server page (page 164).
Local Domain: Local domain for LAN endpoints. SIP messages that do not match the domain are discarded. Optional.
WAN Rx Port: Port on which to listen for SIP signaling messages from the WAN. Enter the port number or the beginning number of a range. Default is 5060.
(range to): Ending number of the WAN port range.
LAN Rx Port: Port on which to listen for SIP signaling messages from the LAN. Enter the port number or the beginning number of a range. Default is 5060.
(range to): Ending number of the LAN port range.
Timer T1: Minimum retransmission time interval (millisecond…
…ontroller, User agent, Local call routing
Appendix 12 Quality of service: A technical description of the theory and application of QoS
Appendix 13 Glossary: Glossary of industry and BSGX4e terminology
Index

Text conventions

This guide uses the text font conventions described in the following table.

Table 2 Text conventions
Font                  Purpose
NOTE                  Emphasizes information to improve product use
Caution               Indicates how to avoid equipment damage or faulty application
Warning               Issues warnings to avoid personal injury
italic                Shows book titles, special terms or emphasis
label                 Shows on-screen labels and commands
screen font           Shows screen font as displayed in a terminal and command option choices
bold screen font      Shows a command to enter exactly as written
italic screen font    Indicates a command variable that is replaced with a value
Cross reference       Indicates a hypertext link to another section or to a Web page
glossary              Indicates a hypertext link to the glossary entry that defines the marked term

Documentation

BSGX4e documentation is on the BSGX4e Series Documentation CD-ROM shipped with the unit. The following guides are available on the CD-ROM:
- BSGX4e Hardware Installation Guide
- BSGX4e Initial Configuration Guide
- BSGX4e Quick Start Guide
- BSGX4e Web UI Operation G…
…or to create firewall and NAT policies for the affected protocols. ALG is enabled by default for all three protocols. ALG works by creating dynamic holes in the firewall and changing IP addresses in application protocol headers. For reference:
- FTP (File Transfer Protocol) is commonly used to transfer files over the Internet.
- TFTP (Trivial File Transfer Protocol) is a simple version of the FTP protocol used to transfer files over the Internet.
- PPTP (Point-to-Point Tunneling Protocol) is a networking technology that supports multi-protocol virtual private networks (VPN), enabling remote users to access corporate networks securely across Microsoft computer networks and other point-to-point protocol (PPP) enabled networks.

Figure 38 Security ALG page (Security > ALG: FTP yes, PPTP yes, TFTP yes; Modify)

NOTE: NAT must be enabled on the WAN interface to apply ALG. NAT is enabled by default on the eth0 interface of the BSGX4e model. See NAT on page 132.

Security > ALG page

The ALG page is where you enable/disable ALG on the specified protocols. ALG is enabled by default for the three protocols. Click Modify to open the configuration page. Select no from the drop-down list to disable ALG for any of the protocols.

QoS and PPTP…
…ot valid.
MAC: The destination MAC address, in format xx:xx:xx:xx:xx:xx.
Priority: The priority queue to route all traffic for the destination address.
Ports: The LAN port or ports associated with this MAC address. Ports 1 to 4 are the LAN ports to which you connect your LAN devices.
NOTE: Do not map port 0 to an address. Port 0 is an internal port in the LAN switch and is made visible only for diagnostic purposes.
3. Click Update when finished.

Clearing the table
The Clear button flushes all entries, dynamic and static, from the table. The table rebuilds immediately after clearing, so new dynamic entries appear instantly.

Data > Switch > VLAN

This section describes the procedure for assigning the BSGX4e LAN ports to VLANs. This is the first part of the entire VLAN configuration process, which is detailed under Data > Interfaces > VLAN on page 75.

Figure 30 VLAN LAN switch (Data > Switch > VLAN: table with columns VID, VLAN Name, WAN, P1, P2, P3, P4; example entries VoIP VLAN and Data VLAN)

Technical reference
- A port is configured as tagged or untagged when it is assigned to the VLAN. VLANs handle packets as follows:
  - Untagged ports transmit untagged packets and tagged ports transmit tagged packets.
  - Untagged packets delivered to an untagged…
…ous settings for the SIP/MGCP servers and controllers, the User Agent, local call routing and other IP telephony-related settings. These pages are also where you associate the QoS quality groups with the SIP/MGCP servers and controllers. (Menu pane: Media: Settings, Gain, Local Jitter Buffer; Session Control: SIP Server, SIP Control, SIP Statistics, SIP LAN Gateway, MGCP Server, MGCP Control, MGCP Statistics; User Agent: SIP, MGCP, Numbering Plan; Local Call Routing: Account)

The following list provides an overview of the configuration and status functions on the Voice menu button:
- Media
  - Settings (page 161): Configures Direct Media, RTP ports and sets the maximum simultaneous calls. Identifies the VoIP media quality group and default video bandwidth.
  - Gain (page 162): Sets the transmit/receive gain for the Phone (FXS) and Line (FXO) ports.
  - Local jitter buffer (page 162): Configures the jitter buffer and displays statistics.
- Session controller (page 164)
  - SIP/MGCP server (page 164 / page 171): Creates a configuration profile for server access. Displays server status.
  - SIP/MGCP control (page 167 / page 172): Configures parameters of the session controller and associates the control signal quality group. Displays session controller status, active calls and registered endpoints.
  - SIP/MGCP statistics (page 171 / page 174): Displays cumulative operational statistics for…
…oxy1: First SIP proxy server, either a fully qualified domain name (FQDN) or an IP address. If no proxy server is specified, the session controller uses DNS to find its proxy servers.
Port1: Port number of the first proxy server. The default is 5060.
Proxy2: Optional second SIP proxy server (FQDN or IP address).
Port2: Port number of the second proxy server. The default is 5060.
Proxy3: Optional third SIP proxy server (FQDN or IP address).
Port3: Port number of the third proxy server. The default is 5060.
IBServer1: Optional additional inbound servers (single address or range). The firewall is automatically updated to allow the session control to receive SIP messages from these additional servers.
IBServer2: Optional additional inbound servers (single address or range).
IBServer3: Optional additional inbound servers (single address or range).
Retries: Number of retries before a SIP server is blacklisted. The default is 4 retries. Specifying 0 disables call server failover.
Blacklist: Blacklist timer in seconds. The default is 60 seconds (10 minutes).
Heartbeat: Indicates whether server heartbeat monitoring is enabled (yes/no). By checking for the server heartbeat, the session controller can determine whether the server is available. The default is yes. See caution note below.
HBTimer1: Time interval between heartbeat packets for active servers, in seconds. The defa…
…p 115
Quality > Group > … tab 116
Quality > Group > … tab 117
Downstream QoS page 118
Quality > Downstream QoS > Link tab 119
Quality > Downstream QoS > Status tab 120
Quality > Downstream QoS > Stats tab 120
ARP/PPP page 121
… 122
5 Security pages 123
Security overview 124
Policy page 125
Technical reference 125
Default security policies 126
Additional security policies 126
This section describes additional policies that you must add for various features in the BSGX4e 126
QoS quality groups 126
Relay security policies 129
RIP security policy 129
Security > Policy page 130
Security > Policy > Static tab 130
Dynamic tabs 131
NAT 132
Technical reference 132
Configuration 133
Security > NA…
page 147).
2. Configure the IKE pre-shared key (page 150).
3. Configure the vpn n interface as a WAN IP interface (page 70).
4. Create firewall policies (page 128) for:
   - LAN > vpn n, all traffic
   - WAN > BSGX4e for security associations (source IP, UDP port 500)
   - WAN > BSGX4e for ESP traffic (source IP, ESP protocol)
   - VPN > BSGX4e for tunneling to ISP
5. Create a route table entry for vpn n (page 86).

Configuration examples

The following examples show two common VPN scenarios:
- Office to office
- BSGX4e to ISP

Office to office example

This example shows a typical configuration for a VPN between two BSGX4es located at a main office and a branch office. This example can generally apply to a BSGX4e tunneling to any VPN-capable device on the WAN.

You need the following network information to accomplish this task. The values shown are used in the example.
- Shared key value: x359QWa78b3112
- Main office IP addresses: main office gateway 195.178.11.11; main office LAN subnet 192.168.1.0/24
- Branch office IP addresses: branch office gateway 194.23.7.34; branch office LAN subnet 192.168.2.0/24

Configuration

1. Configure the IPSec policy (Security > IPSec):

   Field               Main Office        Branch Office
   Name                Main               Branch
   Gateway             194.23.7.34        195.178.11.11
   Local (range to)    192.168.1.0/24     192.168.2.0/24
   Remote (range to)   192.168.2.0/24     192.168.1.0/24
   Proposal            VPN A              VPN
pe static                To eth0
             Address 172.100.10.20    Source IP 192.168.2.30; NAT 2
Profile 3    Policy tab: Type raddr   From eth0; To self
             Address 192.168.2.30     Dest IP 172.100.10.20; NAT 3

Application scenarios

The following examples demonstrate how to configure common NAT application scenarios. See the section Technical reference on page 132 for existing defaults.

1. Redirect address example

This example maps a private LAN address to a specific public WAN address. This policy allows incoming traffic from a specific public address on the WAN to a private address on the BSGX4e LAN.

a. On the Interfaces tab, click New, then select the interface and enable NAT. The example uses eth0.
b. On the Policy tab, click New to open the configuration page. Configure a policy that defines the policy type and identifies the private address to be translated:
   Id: new (for this example, the ID 1 is automatically assigned)
   Type: raddr
   Address: 10.0.1.120 (private)
   Port: any
c. On the Public tab, click New to open the configuration page. Enter a WAN IP address as the NAT public address. For this example, 172.108.134.210 is used.
d. Move to the Security > Policy page and Static tab. Click New to open the configuration page. Configure a policy that maps the public address to a NAT policy which identifies the private addresses. In
pecify three MGCP servers for failover purposes. The failover description on page 166 applies also to MGCP. However, unlike SIP, MGCP servers cannot be located by DNS.

Configuration tab

Click New to open the configuration page. The configuration parameters for the MGCP server profile are as follows:
Name: Name of the server profile to be created.
MGC1: First Media Gateway Controller, either a fully qualified domain name (FQDN) or an IP address.
Port1: Port number for mgc1. Default is 2727.
MGC2: Optional second Media Gateway Controller (FQDN or IP address).
Port2: Port number for mgc2. Default is 2727.
MGC3: Optional third Media Gateway Controller (FQDN or IP address).
Port3: Port number for mgc3. Default is 2727.
Retries: Number of retries before an MGC server is blacklisted. Entering 0 disables call server failover. Default is 5 retries.
Blacklist: Blacklist timer in seconds. Default is 600 seconds (10 minutes).

Status tab

The Status tab displays information for the active server profile. The following status messages are also displayed:
Active: Yes. This server profile is in use.
MGC1: In use. This server is currently in use.
MGC2: Ready. This server is available but is not currently in use.
MGC3: Down. This server is not available but is in an active state.

Voice > Session Control > MGCP Control

The Session Con
port are internally tagged with the VLAN ID to which the port belongs; this enables those packets to be switched.
- Untagged packets arriving at a tagged port are discarded; it is undetermined to which port to assign untagged packets.
- Tagged packets arriving at a port other than the VLAN port identified by the VLAN ID in the packets are dropped.
- IEEE 802.1p packets are considered untagged packets.
- A port can be assigned to more than one VLAN. However, only one of those ports can be configured as untagged; the others have to be tagged.
- You can create 64 VLANs on the LAN switch.
- A VLAN on any interface restricts access to only the subnet addresses defined by the VLAN. When a VLAN is activated on a LAN port, the LAN switch can no longer be accessed through that port.

Configuration procedure

The following procedure creates a VLAN ID, assigns a port to that VLAN, and configures the tagging characteristics of the port.
1. Click New to open the configuration page.
2. Fill in the fields as follows:
   VID: VLAN identification number (1 to 4094).
   VLAN name: Name or description of the VLAN. It can be up to 32 alphanumeric characters.
   P1, P2, P3 or P4: VLAN state of the LAN port: not a member of the VLAN (default), U (untagged port), or T (tagged port). If the VLAN is for the WAN, leave all ports with the default.
3. Proceed to Data > Interfaces > VLAN on page 7
provide Device ID, platform and software version.

Configuration

In the display pane, click New to open the configuration page. Fill in the fields as shown below. Click Update when finished. To delete an entry, enable the check box next to the Id number on the display page, then click Delete.
Id: Enter a numeric identifier of the policy, or enter new for auto-numbering.
MAC Address: MAC address of the endpoint, in xx:xx:xx:xx:xx:xx format.
EpId: Endpoint identifier in alphanumeric format.
Software: Software version of the endpoint.
Platform: Platform type of the endpoint.
DeviceID: Device ID of the endpoint.
Seq: Sequence number of the policy.
IP: IP address or range of addresses for the endpoints; the beginning address if entering a range of addresses.
range to: Ending IP address if entering a range of addresses.
Type: Signaling type of the endpoint (any, mgcp, sip).
Allow: Whether the device is allowed or denied call access. Default is allow.

IPSec, IKE and VPN

The BSGX4e supports Virtual Private Networks (VPNs) using the IP security (IPsec) protocol. An IPsec VPN serves as a point-to-point tunnel interface. See page 152 for the VPN configuration process. IPsec uses the Internet Key Exchange (IKE) protocol to set up its security associations (SAs). SAs determine how data is encrypted, decrypte
ps an address on the LAN to an address on the WAN for outgoing traffic. This configuration is the opposite of the redirect NAT examples above: here the public address is in the NAT policy and the private address is in the firewall policy.
a. On the Interfaces tab, click New, then select the interface and enable NAT. We use eth0 in this example.
b. On the Public tab, click New to open the configuration page. Enter a WAN IP address as the NAT public address. For this example, we use 172.168.134.65.
c. On the Policy tab, click New to open the configuration page. Configure a policy that defines the policy type and identifies the public address to be translated:
   Id: new (for this example, we say that ID 3 is automatically assigned)
   Type: static
   Address: 172.168.134.65 (public)
   Port: any
d. Move to the Security > Policy page and Static tab. Click New to open the configuration page. Configure a policy that maps the private LAN address to a NAT policy which identifies the public addresses:
   Index: new                         Proto: any
   From: eth1                         NAT: 3
   To: eth0                           QoS:
   Source IP: 10.0.1.103 (private)    ToS: any
   range to:                          Dest IP: any
   Sequence: begin                    range to:
   Source port: any                   Action: allow
   Dest port: any

ALG

The Application Layer Gateway (ALG) allows FTP, TFTP and PPTP through the firewall and NAT as trusted traffic. This precludes the need for an administrat
r    Committed 64000    Burst (Note 1)    Downstream QoS yes

Note 1: Set the burst rate to at least 200000 if you have a high-rate bandwidth. If your bandwidth is less than 200 Kbps, set the burst rate equal to your bandwidth rate.

- If you have only a few devices and functions under QoS (less than 10 IP phones in operation), you can assign the media and control signals to the same quality group. Since the control signal is small, it does not consume a significant amount of the quality group bandwidth. Also, since there is no Control quality group, the media group can be made 64 Kbps larger.

Managing other traffic

Any media stream can be placed under QoS management if the stream can be uniquely identified. For any given media stream to be processed by QoS, the BSGX4e must be able to distinguish that stream from all others, and it must be able to identify the type of communication it contains (voice, video or data). The BSGX4e automatically detects SIP voice and video streams by the SIP applications registering with the session controller, but a non-SIP video or data stream must be manually identified. This is accomplished by configuring a security policy (page 130) for the non-SIP stream, where you can identify it by any of several parameters and assign it to a quality group.

CAUTION: A video stream can have high spikes of bandwidth demand. The bandwidth allocated to a video
r local call routing, the BSGX4e needs to know the telephone numbers of the local endpoints. An LCR account provides that information when the user ID or endpoint ID does not, as is the case if those fields are alphabetic or alphanumeric. For example, when a SIP account is defined by a name string, the LCR account defines the telephone number of that account.

NOTE: LCR accounts are not required if the IDs of the LAN endpoints are numeric (not alphanumeric). If LCR accounts are not configured, VoIP phones with alphanumeric IDs can only receive calls from other VoIP phones that allow the entry of alphanumeric IDs. Other entities are not able to place calls to VoIP phones having alphanumeric IDs.

Configuration

In the display pane, click New to open the configuration page. Fill in the fields as shown below. Click Update when finished. To delete an entry, enable the check box next to the DN number on the display page, then click Delete.
DN: Phone number of the account. A 4-digit extension for local calls is acceptable.
Type: Signaling protocol used by the endpoint (SIP, MGCP).
ID: ID of the SIP or MGCP endpoint.

Voice > Local Call Routing > Connection tab

This tab page displays existing LCR connections.

Voice > Local Call Routing > Settings tab

This tab page configures various parameters that define how the LCR functions. To change parameter values on this
racter. For example, if the Do Not Disturb feature is defined to be 78, then the user enters 78 to activate the service.

NOTE: The SIP User Agent must be configured before the numbering plan is configured. See page 176.

Configuration

In the display pane, click New to open the configuration page. Fill in the fields as shown below. Click Update when finished. If a numbering plan has already been defined, click the Number in the display to open the Properties page, then Modify to open the configuration page. To delete an entry, enable the check box next to the Number in the display page, then click Delete.
Number: String translated by this entry. If Type is Number, this field denotes the beginning digits of the number to be translated.
Type: Indicates whether the entry is for a number or a service code (Number, Service).
Feature: If Type is Service, select one of the following service codes:
  None: No feature applied (default).
  SDND: Set Do Not Disturb. The SIP server marks the SIP gateway as busy.
  CDND: Clear Do Not Disturb.
  SFWA: Set Forward All calls.
  CFWA: Clear Forward All.
  SFWB: Set Forward on Busy.
  CFWB: Clear Forward on Busy.
  SFWNA (1): Set Forward No Answer. Forwards the call after the no-answer timer expires. The timer is set in the SIP User Agent page (page 178). Default is 60 sec.
  CFWNA: Clear Forward No Answer.
  BXFER: Blind Transfer. Transfers a call and
ration

Configure the BSGX4e dynamic DNS after opening an account with one of the qualified service providers. Click the Modify button in the display pane and fill in the fields as follows; click Update when finished.
Service: Select from the pull-down list the service with which you opened an account.
Enabled: Disabled by default. Select yes to enable.
User: The user name of the dynamic DNS account.
Password: The password of the dynamic DNS account.
Host name: Host name (user name plus domain) of the dynamic DNS account, user.domain.ext.
Period: Refresh period. Update with the current IP address if it does not match the registered IP address. Range is 10 to 1440 min. Default is 60.
ForcedUpdate: Forced refresh whether or not the IP address has changed, to avoid expiration of the host name. Range is 24 to 35 days. Default is 30.
Wildcard: When enabled, resolves *.domain.ext to the same IP address as domain.ext. Wildcards must be enabled on both the server and client. Choices are: nochg (use when wildcard is not enabled on the server; default), on (client enabled), off (client disabled).

When configured and enabled, the display panel appears similar to the Dynamic DNS Settings panel in the figure to the right. Most of the fields are self-explanatory. The Status field displays the following comments:
GOOD: GOOD. Additional nochg updates cause the hostname to become block
re

SFWA: Set Forward All

Clear Forward All:
  Number: 91
  Type: Service
  Feature: CFWA (Clear Forward All)

Forward no answer

This example configures two numbering plan entries to enable/disable use of the Call Forwarding No Answer feature, such that:
- To forward unanswered calls to another phone, the entry is 93 followed by the phone number and the hash (#) character. For example, to forward unanswered calls to phone extension 4985, enter 934985#.
- To clear unanswered call forwarding for a phone, enter 94.

Set forward no answer:
  Number: 93
  Type: Service
  Feature: SFWNA (Set Forward No Answer)

Clear forward no answer:
  Number: 94
  Type: Service
  Feature: CFWNA (Clear Forward No Answer)

Blind transfer

This example configures a numbering plan entry to enable the use of the blind transfer feature, such that the user can transfer an existing call to another number and disconnect from the call. The sequence of user actions to transfer a call to extension 4567 is:
1. A call is in progress.
2. Press the phone's Flash button.
3. Enter 224567.
4. Hang up.

Configure blind transfer:
  Number: 22
  Type: Service
  Feature: BXFER (blind transfer)

Local call routing

The Local Call Routing page has three tabs:
- Account: Create an account that identifies the dialing number of a phone on the LAN.
- Con
resources. However, VAD can silence very low sounds, lowering voice quality. If MLS and VAD are both enabled, VAD packets are not transmitted, but received VAD packets are processed.
Up: Enables/disables the SIP User Agent. Default is yes.

Voice > User Agent > SIP > Settings tab

This page modifies the SIP protocol as it applies to the User Agent. These settings do not apply to the Session Controller. Click Modify to open the configuration page. Fill in the fields as follows. Click Update when finished.
Timer T1: Minimum retransmission time interval (milliseconds) per RFC 3261. The default is 500 milliseconds.
Timer T2: Maximum retransmission time interval (milliseconds) per RFC 3261. The default is 4000 milliseconds.
Timer B: Timeout interval for INVITE transactions (milliseconds) per RFC 3261. The default is 32000 milliseconds.
RegExpire: Timeout interval for expiration of the endpoint registration (seconds). The default is 3600 seconds (1 hour).
SE Enable: Enables Session Expires support (see SE Timer and MIN SE Timer) per RFC 4028. The default is no.
SE Timer: Maximum session interval if no session refresh requests are received (seconds) per RFC 4028. If the timer expires, the session ends. The default is 1800 seconds (30 minutes). Applicable if SE Enable is yes.
MIN SE Timer: Minimum session interval that the User Agent can accept (seconds) per
ress.
- Inbound Port Translation: The NAT profile contains the private LAN address and port number of the target device. The firewall policy detects inbound traffic destined for a specific public address and port number and applies the NAT policy to it. This translates the public address and port number to the private address and port number.
- Outbound Address Translation: The NAT profile contains the public static WAN address. The firewall policy detects outbound traffic from a private LAN address and applies the NAT policy to it. This translates the private address to the public address.

The NAT page contains three tabs, as detailed below. On all tab pages:
- Click New to open the configuration page. Fill in the fields and click Update when finished.
- To delete an entry, enable the check box next to the entry on the display page, then click Delete.
- On the Interfaces tab, if an interface has already been defined, click the Interface name in the display to open the properties page, then Modify to open the configuration page.

Security > NAT > Interfaces tab

This tab page is where you enable NAT on the selected WAN interface. This page also displays any interfaces on which NAT has been configured. Click New to open the configuration page. Fill in the fields as follows:
Interface: Select the interface. All configured interfaces are available from the drop-down list.
rface eth1. Traffic destined for the Internet is then routed to the WAN interface. The switch also routes traffic from a host on one LAN port to a host on another LAN port. A functional LAN switch requires configuration of both the LAN ports (this section) and the eth1 LAN interface. The eth1 interface is configured by default. See Data > Interfaces > IP page on page 70 for the interface display.

Data > Switch > Status page

This page is a status display of the LAN port configurations.

Figure 25: LAN status page (screenshot of Data > Switch > Status on MyUnit 192.168.1.1, listing for each LAN port its state (up or DOWN), speed and duplex (100Full or 10Half) and flow control (None))

Clicking on the port number takes you to the same configuration page as the Data > Switch > Port tab.

Port page

This page is where you configure the BSGX4e LAN ports and view port-related statistics.

Figure 26: LAN ports page (screenshot of Data > Switch > Port on MyUnit 192.168.1.1, with columns Port, Speed, Enabled and Flow Ctrl; each port shows Speed Auto, Enabled yes/no and Flow Ctrl yes/no)
rmance data.
Group page (page 112): Configures quality groups, which guarantee bandwidth and manage priority for each flow under QoS (upstream). Displays performance data. Identifies which group is used for downstream QoS prioritizing.
Downstream QoS page (page 118): Activates a downstream QoS on the WAN link. Displays operational status and performance data.
ARP PPP page (page 121): Assigns ARP and PPP control traffic to a quality group.

Calls page

The Quality > Calls page has three tabs:
- Quality: Displays various quality statistics, including MOS scores, by endpoint ID number.
- Alarms: Displays statistics on quality, burst and delay alarms.
- Analyser: Configures voice quality monitoring, including alarms and thresholds.

Figure 31: Quality calls page (screenshot of Quality > Calls > Quality on MyUnit 192.168.1.1, listing for each endpoint the EP ID, EP Name, MOS CQ (values such as 4.18 and 4.16) and R Factor (values such as 92 and 91))
rough DHCP server options (see page 49) or manually to use the BSGX4e as their SNTP server.

Settings tab

To configure the DNS relay, click Modify on the Settings tab page, fill in the fields as follows, and click Update when finished.
Enabled: Yes to enable. Default is no.
Source: The source of the SNTP relay's configuration. Your choices here are: user (the last server specified for the Server parameter); auto (the actual source depends on the choice made here combined with the Source field of the SNTP client, page 35, even if it is disabled). Table 9 below shows how the SNTP client and SNTP relay interact to determine the relay's configuration source.
Server: IP address or FQDN of an external SNTP server. This value is stored but is used only when the Source parameter is user.
GMT: Local time offset from Greenwich Mean Time, in hours. Default is 0. Specify this offset only if the LAN devices cannot provide their own offset. If the devices can provide an appropriate offset, set this parameter to 0.

Table 9: Sources for SNTP relay configuration

SNTP Relay Source | SNTP Client Source | Can DHCP provide SNTP configuration? | Did user provide SNTP Relay configuration? | Source of SNTP Relay configuration
user | any or null | | | User settings in SNTP Relay
auto | DHCP | yes | | DHCP
auto | DHCP | | | User settings in SNTP Relay
auto | user | | | User
rs and threshold settings. Configure these parameters through the Modify button. Alarms are reported in the system log as INFORM messages. The internal system log is discussed in System Status > System Log panel on page 30.

The Calls Analyser simulates a jitter buffer to analyze VoIP media streams and report information such as packet loss, delay and jitter. Based on these parameters, it calculates R Factors and Mean Opinion Scores, updated in real time over the duration of calls, and displays the outcome on the Quality and Alarms tabs.

The Calls Analyser reports statistics for VoIP media streams that flow through the routing engine in the external-internal and internal-internal directions. Whether or not Direct Media is enabled also affects which flows are analyzed. As shown below in Figure 32, flows measured by the Calls Analyser are:
- External calls: Inbound flows from WAN to LAN and from WAN to User Agent.
- Local calls: Flows between LAN phones and flows from LAN to analog phones.

Note that flows between LAN phones are analyzed only if Direct Media is disabled. With Direct Media enabled, the session controller establishes RTP flows directly between two LAN phones; the Call Analyser cannot measure those direct flows. With Direct Media disabled, the routing engine bridges the RTP flows between LAN phones, and both flows can be measured by the Call Analyser. See Voice > Media > Setting
rt: Port to which call signals are sent, extracted from the last MGCP message received from the MGCP server including a Notified Entity.
Act Calls: Currently active calls for the endpoint. It is incremented each time the LAN endpoint places or receives a call. It is decremented when the call is torn down.
EP Timeout: Number of seconds before the registration expires. The initial value is taken from the EP timeout setting. The value is decremented each second.

Endpoint status handling

Endpoint status handling saves LAN endpoint information in non-volatile memory so it can be retrieved after a restart. This is done when the LAN endpoint is registered to the MGCP session controller. This function is not configurable for the MGCP session controller.

The session controller periodically checks the status of each LAN endpoint using the MGCP method AUEP. When a LAN endpoint answers, the endpoint timer (remaining active time) is reset. If the endpoint does not answer, the MGCP session controller marks it as down and rejects all calls terminating at that endpoint.

The only configurable value in Endpoint Status Handling is the value of the endpoint timer. The default timer value is 3600 seconds (one hour). This value can be changed by the EP Timeout parameter on the Control tab (page 172).

Voice > Session Control > MGCP Statistics

This page shows cumulative operational statistics for MGCP signaling control messages on the Messages tab
rvice (QoS) feature. This feature enables prioritization of network traffic coming into the BSGX4e through its LAN ports. See the relevant sections in the chapter 4 Quality pages (page 105) for layer 3 QoS. This page has four tabs:
- IEEE tab: maps IEEE 802.1p CoS bit values to priority queues.
- Port tab: sets a priority level applied to all traffic through the port.
- Setting tab: sets the prioritizing type and the scheduling method.
- ToS tab: maps the ToS/DiffServ values to priority queues.

Creating static Address Resolution Logic (ARL) maps with specified priorities overrides the priority settings in this section. See Data > Switch > ARL on page 101.

Figure 27: LAN Port QoS page (screenshot of Data > Switch > QoS > IEEE, mapping the eight CoS bit values, in order, to the queues LOWQ, LOWESTQ, LOWESTQ, LOWQ, HIGHQ, HIGHQ, HIGHESTQ, HIGHESTQ)

Since the BSGX4e has four LAN ports to send traffic to one WAN interface, the unit must prioritize the incoming LAN traffic to resolve contention. Layer 2 QoS ensures that higher-priority traffic is routed while lower-priority traffic could be delayed or discarded. This is accomplished by classifying traffic and routing it to one of four priority queues, as shown in Figure 28 below. See QoS overview on page 190 for a detailed discussion of QoS and diagrams showing specific application scenar
s

Data > Relays > TFTP page

The TFTP relay function proxies file requests between devices located on the BSGX4e LAN and a single server located on the WAN. To the devices on the LAN, the BSGX4e appears as a server; to the server on the WAN, the BSGX4e appears as a client.

Figure 16: Relays > TFTP page (screenshot of Data > Relays > TFTP on MyUnit 192.168.1.1, showing TFTP Settings: Enabled on, Server www.tftpserver.com, Allow all off, Sessions 50, and a Modify button)

You can cache frequently requested files. If the requested file is in the cache, the BSGX4e can reply to the request without contacting the server. File caching provides the following benefits:
- Avoiding unnecessary WAN bandwidth usage for frequently requested files, especially if there are several user devices such as VoIP phones.
- Improved scalability of VoIP service from a service provider, by reducing load on the central file servers that are used for provisioning user devices.

NOTE: To use TFTP relay, devices on the LAN must be configured, either through DHCP server options (see page 49) or manually, to use the BSGX4e as their TFTP server.

Settings tab

To configure the TFTP relay, click Modify on the Settings tab page, fill in the fi
Appendix 13: Glossary

Stateful: Maintains the last known or current status of an application.
TACACS+: Terminal Access Controller Access Control System Plus is a protocol that provides access control for routers, network access servers and other networked computing devices with one or more centralized servers. TACACS+ provides separate authentication, authorization and accounting services and uses the TCP protocol.
TCP: Transmission Control Protocol, packet-switching protocol used with the Internet Protocol (IP).
TDM: Time Division Multiplex.
Telnet: Protocol that provides remote terminal connection service.
TFTP: Trivial File Transfer Protocol.
UA: User Agent, also known as the integrated gateway; it is the device software that enables an analog device connected to an FXS port to place and receive calls.
UDP: User Datagram Protocol, a connectionless protocol that allows direct delivery and receipt of datagrams without acknowledgements or guarantee of delivery.
VLAN: Virtual LAN, a logical subcomponent of a physical network; functions as a separate network to isolate its traffic from the rest of the network.
VIF: Virtual interface, a virtual WAN interface created for VLANs.
VoIP: Voice over Internet Protocol.
VPM: Voice Processing Module.
VPN: Virtual Private Network, a means for secure communication across an insecure network such as the Internet.
VQM: Voice Quality Monitoring, tool to measure voice quality
WAN
Web
s. Default is 500 ms.
Timer T2: Maximum retransmission time interval (milliseconds). Default is 4000 ms.
Timer B: Timeout interval for INVITE transactions, in seconds. Default is 16 seconds.
Timer F: Timeout interval for non-INVITE transactions, in seconds. Default is 32 seconds.
Timer C: Timeout interval for proxy INVITE transactions, in seconds. Default is 180 seconds (3 minutes).
Max Calls (Call Admission Control): Maximum number of SIP calls allowed simultaneously. Default is 50. Change this default per your license agreement. The number of allowable calls is defined by your license agreement. Your choices are BSGX4e 10 or 30 calls. NOTE: This field also sets the display scale on the System Status page. See System > Status > Current Calls panel on page 29.
Signaling QoS Group: The QoS quality group for protection of the SIP signaling messages. The Initial Setup Wizard creates a quality group named voiceqos for this purpose. Select the appropriate group from the drop-down list.
Relay Unknown Content Types: Allow unknown content types to be relayed to the SIP server. Default is yes.
Switch Type: Vendor of the server that provides the forking function. BSGX4e interoperates with various softswitches that offer multi-line forking capabilities. These switches require special handling by the session controller. The details are described below. When you
s on page 161 for more discussion on Direct Media.

Figure 32: Calls analyzer flows (diagram distinguishing Calls Analyzed from Calls Not Analyzed among the analog phone, User Agent, LAN phones and internal flows)

Calls analyser configuration

Open the configuration page by clicking the Modify button. Change the default values as needed.
JB Type: Whether to emulate a static or adaptive jitter buffer (static, adaptive). Default is static.
JB Minimum: Minimum size of the simulated jitter buffer. Default is 10.
JB Maximum: Maximum size of the simulated jitter buffer. Default is 60.
JB Nominal: Nominal level of the simulated jitter buffer. Default is 30.
Roundtrip Delay: Estimate of round-trip delay if no RTCP records are detected, in milliseconds. Default is 60 milliseconds.
Quality: Enable alarms for low quality (R factor). Default is yes.
Burst: Enable alarms for excessive bursting. Default is yes.
Delay: Enable alarms for excessive delay. Default is yes.
R Quality: Alarm trigger for low quality (R Factor). Default is 60.
R Burst: Alarm trigger for excessive bursting. Default is 60.
Burst Min: Minimum alarm trigger for excessive bursting duration, in milliseconds. Default is 500 milliseconds.
Delay Max: Maximum alarm trigger for excessive delay, in milliseconds. Default is 450 milliseconds.
Min Quality Alert: Minimum duration until the low quali
s described below, the BSGX4e factory configuration has a basic set of firewall policies defined. Additionally, you are required or advised to create new policies for some of the features that you enable. The section Additional security policies provides those instructions.

Technical reference

The BSGX4e firewall is initially set to block all traffic by default. However, the BSGX4e model has a set of basic firewall policies configured by default for common applications that are normally allowed access from the Internet (see Table 15). These policies are defined as follows:
- Traffic from WAN to LAN is rejected.
- Traffic from LAN to WAN is allowed.
- Traffic from LAN to the BSGX4e is allowed.
- Web (HTTP, HTTPS), Telnet, FTP, SFTP and SSH traffic from the WAN terminating at the BSGX4e is allowed; all other WAN traffic to the unit is rejected.

If the Initial Setup Wizard is used to configure either BSGX4e model, it also creates a number of policies for PPP or frame relay WAN interfaces (see Table 16).

Observe these constraints when working with security policies:
- The firewall is always active. It cannot be disabled.
- Security policies cannot be edited. To change a policy, delete the policy and then re-create it with the desired changes.
- Up to 128 security policies can be created.

An incoming packet can match more than one security policy. The packet is compared to the policies in order of the sequence value (Seq) on the display
194. s tab page is divided into four sections:
- IDS flood activity: Use this section to enable/disable the different types of flood activity. All activities are enabled by default.
- IDS flood settings: Use this section to change the default threshold for certain protocols.
- IDS scan: Use this section to enable/disable certain protocols and to change their default timeout value.
- IDS spoof: Use this section to change the default trusted/untrusted classification of each interface.

IDS flood activity

The IDS detects floods targeted at protocols and services by using a threshold value to detect a flood attack. All protocol protection is enabled by default. You can disable a protocol flood detection by clicking the protocol flood name in the display pane. When the properties page opens, click Modify. The following protocol-based attacks are detected by the BSGX4e:
- udpflood: In a UDP flood, UDP packets are sent to inactive service ports; the receiver then replies with an ICMP Destination Unreachable packet. The flood results in denial of service due to sending out several ICMP packets.
- icmpflood: An ICMP flood sends over-sized or an excessive number of ICMP packets. This can crash the TCP/IP stack, causing the unit to stop responding to TCP/IP requests.
- arpflood: In an ARP flood, 250 ARP requests per second are accepted. Over this limit indicates a potential DoS attack
195. s where you assign public IP addresses to the WAN interface. Up to 16 addresses can be assigned. Fill in the fields as follows:
Address: The public address to be assigned to the WAN interface, or the beginning address when specifying a range.
range to: The ending address when specifying a range.
Interface: Select none (default) if the public address you entered is within the subnet range of the WAN. If you are creating a public subnet outside of the existing WAN subnet, select the WAN interface to which it applies. See also the WAN subnet section below. Note that eth1 is not a valid selection; this option is to be removed in future releases.

WAN subnet

A special application of NAT is where you are creating a public WAN address that is outside of the defined address range for the WAN. In this case you must create:
- A NAT public address profile
- An outbound static NAT profile and a related firewall policy
- An inbound redirect NAT profile and a related firewall policy

Table 23 shows the required configurations for an example where a device on the Internet at 172.100.10.20 must connect with a device on the BSGX4e LAN at 192.168.2.30. The BSGX4e WAN (eth0) has a static address of 172.150.12.100/22.

Table 23: WAN subnet configuration
NAT Profile | Firewall Policy
Profile 1, Interfaces tab: Enable NAT on eth0 | N/A
Profile 1, Public tab: Address 172.100.10.20, range to 172.100.10.35 |
Profile 2 | Policy tab: From eth1, Ty
196. set to ppp and a PPP interface is configured on the WAN port, the DNS client uses the PPP server to obtain an address. If the PPP server fails to provide an address, there are no further searches and the displayed address is 0.0.0.0.
- If Source is set to user, you must enter an address into the DNS1 field. The DNS client does not perform any further address searches.

Application scenario: DNS backup configuration

This example shows how a user configuration can be stored as a backup while using the auto (DHCP) or auto (PPP) configuration. If a DHCP or PPP server cannot provide a DNS address, the user configuration is automatically implemented by the DNS client.
1. The default configuration tries to auto-connect to a DHCP server, then a PPP server. The server provides the DNS addresses and the domain name.

(Screenshot: DNS Configuration panel showing DNS1 172.16.1.100, DNS2 172.16.1.101, Domain u4estech.com, Source auto dhcp; and the "Configure DNS parameters of the system" page showing DNS1 10.10.10.128, DNS2 20.20.20.52, with Source options: use USER, DHCP or PPP configuration, or let the client choose (AUTO).)

2. Click Modify to open the DNS configuration page. Enter a known DNS server address into the DNS1 field and a secondary server into DNS2 if desired. Leave the Source as auto. Click Update to
197. so includes an application scenario where a BSGX4e is inserted into an existing network that used a firewall/router/NAT appliance as its WAN interface. In this scenario the firewall becomes a device on a BSGX4e VLAN, thus creating a sub-network that is proxied to the Internet through the BSGX4e's WAN interface.

When a host on a network accessible to the BSGX4e's WAN port sends an ARP request through the BSGX4e to a device on its LAN, the BSGX4e responds to the request by supplying its own MAC address (the WAN port's MAC) as proxy for the LAN device. The sending host caches the BSGX4e's MAC address with the proxied device's IP address. All subsequent traffic between the hosts, sent as normal as if on the same subnet, is then routed by the BSGX4e.

A similar process occurs in the reverse direction. When a host on the BSGX4e's LAN sends an ARP request to a host on a remote network, the BSGX4e responds with the LAN's MAC address. The process then repeats as described in the preceding paragraph.

Technical reference
- Proxy ARP is applicable to both WAN and LAN interfaces. It can be enabled or disabled on each interface and works with VLANs on WAN or LAN interfaces.
NOTE: If you use a VLAN with proxy ARP, the VLAN must be created before the proxy is configured. See Data > Interfaces > VLAN on page 75.
- Can be established only from interfaces that use ARP, which are eth0, eth1 and vifn. Proxy ARP is not supported on PPP, VPN or FR interfaces
198. ss to establish a functioning PPP link as the WAN interface:
1. Disable the DHCP client on the eth0 WAN interface (page 71).
2. Create a PPP profile. This displays as the ppp0 IP interface (this section).
3. Create security policies for the ppp0 interface (page 127).
4. Enable NAT for the ppp0 interface (page 134).
5. Create a QoS group to protect the PPP control signal (ARP/PPP page on page 121).
NOTE: The Initial Setup Wizard performs all of these steps after completing the WAN, QoS and VoIP pages of the wizard.

To remove a PPP link, perform the above tasks in reverse order. However, do not delete the QoS group if it is also being used by ARP. Perform the following steps to delete the PPP profile created in Step 2:
1. De-activate the PPP profile:
   a. Open the PPP profile page by clicking the Profile number in the Interface > PPP display page.
   b. Click Modify to open the configuration page.
   c. Set the Active field to no and click Update. You return to the profile page.
2. Delete the profile:
   a. Enable the check box next to the profile number on the display page.
   b. Click Delete.

Configuring a PPP profile

Note that only one PPP profile can be configured. In the Data > Interfaces > PPP display pane, click New to open the configuration page. Fill in the fields as shown below. Click Update when finished. If a profile has already been defined, click the 0 in the Profile column in the display to open the Properties pag
199. st and the specified domain is domain.com, the query is for host.domain.com.
Source: Source of the DNS configuration profile (user, dhcp, ppp, auto). See the following paragraph for details. Default is auto.

The DNS client determines the DNS configuration to use based on the current value of its Source parameter:
user: The DNS client retrieves the latest address/domain entered by the user.
dhcp: The DNS client uses the address provided by an external DHCP server that was discovered by the BSGX4e's DHCP client. The DHCP client must be enabled on the interface where the DHCP server is located. If a DHCP server cannot provide an address, the DNS1 and DNS2 fields are set to 0.0.0.0.
ppp: The DNS client uses the DNS address provided by a PPP server on the WAN. A PPP interface must be active on the WAN port. If the PPP server cannot provide an address, the DNS1 and DNS2 fields are set to 0.0.0.0.
auto: The DNS client gets its configuration automatically. It first attempts to get the default configuration from a DHCP or PPP server. If that fails, it uses the latest user-defined configuration stored in memory. See the following section, DNS server sources, for more detail. The auto parameter displays in one of three variations indicating the source of DNS configuration in use: auto dhcp, auto ppp, auto user.

DNS server sources

Determining the DNS server on the WAN t
200. t > Interfaces > IP display.

Figure 13: PPP interface page (Data > PPP), showing the PPP Profiles table (columns Profile, Interface, L2Interface, Active, SelfIP, AuthProto, MRU, MTU, RestartTime, ServiceName, Username, Password, LinkStatus; row: profile 0, ppp0 on eth0, Active yes, SelfIP 0.0.0.0, PAP, MRU 1492, MTU 1492, RestartTime 3000, ServiceName PPP Serv, Username uname, status Activating) and the Data > Interface > IP table listing eth0 (10.10.10.10, mask 255.255.255.0, MAC 00:15:93:00:02:CA, HALF10/AUTONEG), eth1 (192.168.1.1, mask 255.255.255.0, MAC 00:15:93:00:02:CB) and ppp0 (0.0.0.0, MAC 00:15:93:00:02:CA).

PPP establishes the session between the BSGX4e and your service provider using its own Link Control Protocol. The BSGX4e's PPP client discovers and authenticates a PPP access concentrator and negotiates parameters, including an IP address, to establish the PPP link. The client supports a single PPP session and is compliant with RFC 1661 (PPP), RFC 2516 (PPPoE) and RFC 1662 (PPPoHDLC).

CAUTION: The PPP protocol uses a control signal to establish and maintain a connection over the WAN link. This signal is critical to sustaining traffic through the link and should be protected using QoS. See the section ARP/PPP page on page 121.

PPP configuration summary

You must perform the following proce
201. t 600.

IDS scan

IDS scan protection is activated for ICMP pings, UDP port and TCP SYN messages. A threshold value determines the number of messages sent that constitute an attack. When IDS detects a scan attack, it bans traffic for that protocol for the timeout interval. All scan types are enabled by default. You can disable a scan type or change the timeout value. Click the scan name on the page to open the properties page, then click Modify. The scan attacks monitored by the BSGX4e are:
- udpportscan: A port scan is a series of messages sent by a potential system intruder to determine which services the system includes. The services are each associated with a well-known port number. Port scanning suggests where the intruder can probe for weaknesses.
- tcpsynscan: A TCP SYN scan is a series of messages sent with the TCP SYN flag set.
- pingsweep: ICMP requests are sent to multiple hosts. A ping sweep locates network devices that are active and responding, and so can be targets for an attack.

IDS spoof

IDS spoof detection can be activated for all IP interfaces, as listed below. It classifies each as a trusted or untrusted interface. The basic assumptions of spoof detection are:
- IDS assumes that spoof attacks arrive from the WAN and by default assigns untrusted status to WAN interfaces.
- IDS assumes that LAN traffic is safe and the LAN is not a likely source o
202. t information by opening a new browser window and connecting to the Web page of the manufacturer.
Help: Displays an overview of the BSGX4e features and services.
User mode: Selects the desired user mode. S (Simple mode): field explanations are displayed in the Web UI pages. A (Advanced mode): field explanations are not provided.
Home: Returns the Web UI to its home page, which is the System Status page.

Menu pane

Click a link in the menu pane to load the corresponding configuration page in the display pane. The list of menus changes with each button on the button bar.
System button: System Status, Overview, Services, User Accounts, DHCP Server, Radius, TACACS, SNMP, SSL, Upgrade, Configuration, License, Logging Information, Logging Modules.
Security button: Security, Security Policy, NAT, ALG, IDS, Voice ACL, IPSec, IKE.
Data button: WAN; Interfaces (IP, PPP, VLAN); Relays (DNS, TFTP, SNTP, DHCP); Routing (Routes, Table, ARP, RIP); Switch (Status, Port, QoS, ARL, VLAN).
Voice button: Media (Settings, Gain, Local Jitter Buffer); Session Control (SIP Server, SIP Control, SIP Statistics, SIP LAN Gateway, MGCP Server, MGCP Control, MGCP Statistics); User Agent (SIP, MGCP); Numbering Plan; Local Call Routing; Account.
Quality button: Quality, Calls, Link, Group, Downstream QoS, ARP/PPP.
Monitor button: Monitor, Protocol
203. the BSGX4e is not certified for operation, but you can use it for activities such as lab tests and field trials.
NOTE: After changing the Country parameter, Save the change and Reboot the system to implement the change.

Countries have differing telephony standards, including ring tones, ring cadence and emergency numbers. The Country parameter loads country-specific default values into the unit. This affects Phone port parameters and LCR settings. See Voice > Local Call Routing > Settings tab on page 186. You can create ring tone patterns that override the country defaults using the CLI command conf voice fxs ring.

System > Overview > Shell panel

This panel displays the configurable characteristics of the command shell used for the CLI. You can configure the Width, Prompt and Timeout parameters with the Modify button. The configuration page is self-explanatory. Click Update when finished.

System > Overview > System Hardware panel

This pane displays the version levels of the main hardware components of the BSGX4e.

Services page

The services page is where you enable and configure various network services:
Web server: Enabled by default
Telnet server: Enabled by default
SNTP client: Disabled by default
SSH server: Enabled by default
DNS servers: Disabled by default
Dynamic DNS client: Disabled by default

Figure 4: Services page (menu pane showing User Accounts, DHCP Server, Radi
204. the security functions.

Security overview

The BSGX4e security features comprise the firewall, IDS and NAT/ALG. These security features process each incoming packet as follows:
1. Incoming packets are sorted by the information in the packet. The information used from layer 2, layer 3 and layer 4 is listed in Table 14.

Table 14: Packet security processing
Layer 2 (Data link): From interface; To interface
Layer 3 (Network): Source IP address; Destination IP address; IP ToS tag (for GoS quality treatment only)
Layer 4 (Transport): Protocol (ICMP, UDP, TCP, GRE or ESP); Source port; Destination port

2. The packet is then compared to the firewall security policies for its interface. If the packet matches a policy, the policy action determines if the packet is accepted or discarded.
3. If the firewall accepts a packet, the IDS checks if the packet format is normal (known as a sanity check). Abnormally formatted packets are discarded. IDS also checks whether the packet can be considered an attack and, if so, discards it. If the packet is valid, it is delivered to the destination interface.
4. If the packet is identified as valid, information in its header is modified by NAT/ALG to guard private IP information from public entities.

Policy

This page is where you configure new firewall security policies and view existing policies. A
205. ting > ARP page, Proxy ARP tab.
2. Click New to open the configuration page.
3. Fill in the fields:
Id: Enter new to create a new entry.
From/To: Select the interfaces that correspond to the direction of the traffic. If a VLAN has been configured, its virtual interface is in the drop-down list.
IP: The destination address and mask for which this proxy is being created (<address mask>).
Enable: To enable or disable this proxy function.
4. Click Update when finished.

Configuration example 1

The diagram in Figure 22 shows two proxies established, one in each direction, between a subnet on the WAN and a subnet on the BSGX4e LAN. The two proxies would be configured as follows:
Field | Value, Proxy 1 | Value, Proxy 2
Id | <ID 1> | <ID 2>
From | eth0 | eth1
To | eth1 | eth0
IP | 192.168.152.0/24 | 192.168.2.0/24
Enable | yes | yes

Figure 22: Proxy ARP general configuration example. Subnet A (192.168.2.0/24) sends an ARP request to 192.168.152.0; the BSGX4e responds to the request and proxies the traffic. Subnet B (192.168.152.0/24) sends an ARP request to 192.168.2.0; the BSGX4e responds to the request and proxies the traffic. Proxy ARP parameters: From Eth0, To Eth1, Address 192.168.152.0 255.255.255.0; From Eth1, To Eth0, Address 192.168.2.0 255.255.255.0.

Configuration example 2

The diagram in Figure 23 shows the scenari
206. tions; Locations trunked to a single port; Classify by ToS/DiffServ Bit Value; Guarantee of Service.)

Layer 3

The BSGX4e implements QoS through a patented process called GoS (Guarantee of Service), which applies to outbound (LAN > WAN) traffic. Rather than providing standard QoS, with its linear ranking of quality levels based on one quality factor, GoS provides quality groups that establish guaranteed bandwidth for QoS-managed applications, and it uses a matrix of ten quality classes that combine different levels of prioritizing based on latency (delay) and loss (discarded data) characteristics (see Figure 45). Loss and latency are used to calculate the most intelligent queuing priorities to achieve the highest quality transmission for all media types.

Figure 45: GoS Quality Class Matrix (latency and loss axes from MIN to MAX). Typically, voice media requires low latency and jitter, while video and data media require low loss. Quality class examples: A3 (high latency, low loss); C1 (low latency, high loss); BE (Best Effort, no prioritizing: highest latency, highest loss).

As shown in Figure 46, each type of media stream identified for GoS management is first assigned to a quality group. A quality group specifies the amount of bandwidth guaranteed for the media stream and applies the policing type. There are two types of policing:
- Strict: An
207. traffic: WanMsgRecvCount, WanMsgProcCount, LanMsgRecvCount, LanMsgProcCount, TotalMsgRxCount, MsgPerSec.
- Calls tab: The section Total outbound calls from LAN applies to calls that originated from LAN endpoints. The section Total inbound calls from WAN applies to calls that originated from the SIP server. A local call from a LAN endpoint to another LAN endpoint is shown twice in the statistics: it is counted both as a LAN outbound call and as a WAN inbound call. This is the case without Direct Media enabled.

Voice > Session Control > SIP LAN Gateway

If a gateway device is attached to the BSGX4e's LAN switch, an IP address is required for the gateway. An optional domain name can also be provided. Click Modify to access the configuration page.
Domain: Domain name for the SIP gateway.
IP Addr: IP address for the SIP gateway. Single address or beginning of range.
range to: Ending address of range.
port: Signaling Rx port for the SIP gateway. Single port or beginning of range. Default is 5060.
range to: Ending port of range.

Voice > Session Control > MGCP Server

The MGCP server configuration profile determines how the BSGX4e session controller accesses MGCP servers to provide VoIP service. This page has two tabs:
- Configuration: Server access configuration profile for the session controller.
- Status: Displays the server in use and its operational status.

The server profile allows you to s
208. traffic flows that comprise VoIP media and control signal. You must then associate this group with the session controller. The session controller detects the VoIP flows and assigns them to this quality group. Configure the session controller association on the following pages: the VoIP media is associated on the Web UI page Voice > Media > Settings (page 161); the VoIP control signal is associated on the Web UI page Voice > Session Control > SIP Control (page 167). Note that the Initial Setup Wizard creates a voiceqos quality group for this purpose and configures the needed associations.
- SIP video: Protecting a SIP video stream under QoS requires special considerations due to the characteristics of the stream. Video has a moderate average rate but experiences high peaks that can reach 3 Mbps.
  - Use only with high-bandwidth installations of at least 1.5 Mbps.
  - SIP video is detected by the session controller and assigned to a quality group named video. This is a special name that the session controller recognizes. You must create this quality group as described in this section.
  - Configure the video quality group with CAR policing to allow the peaks to burst into best-effort space. Note that this can cause discarded packets.
  - This configuration must be performed by technical personnel experienced with VoIP and QoS processing. This personnel can experime
209. tream link calculation.
NOTE: The network device directly upstream from the BSGX4e can affect overhead, as described in the next paragraph. Select an encapsulation type that accommodates this device.

The actual downstream bandwidth can be significantly affected by the router or other device that is immediately upstream from the BSGX4e. This device can add or remove encapsulation. For the BSGX4e to make the most accurate calculation, it needs to consider the effect of this device on overhead. Therefore the encapsulation field on this page offers an extended list of protocols to choose from. Table 13 below shows which encapsulation types are from the BSGX4e and which are to accommodate an upstream device.

Perform the following steps to configure downstream QoS:
1. On the Link tab page, click New to modify the link parameters.
2. Enter the WAN data rate in bps into the linerate field. Normally this is the downstream bandwidth indicated by your service provider.
3. Select a WAN link encapsulation method from the drop-down list. Normally this is the same encapsulation as was configured for the WAN (Data > WAN). However, if you are connecting to a device upstream that encapsulates (a frame relay modem, for example), then select that encapsulation type.

(Screenshot: Configure the profile of the downstream link; linerate 50000, the WAN interface line rate; encapsulation ethernet, that of the WAN interface.)

4. Qu
210. trol page contains configuration and display tabs for processing VoIP control signals. The page has four tabs:
- Control: Configuration parameters for control signal processing and association of the QoS signaling quality group. VoIP media streams are detected by the media settings page (page 161).
- Status: MGCP session controller operational status display.
- Calls: Display of call traffic through the session controller.
- Endpoints: LAN endpoints (devices) registered through the MGCP session controller.

Control tab

Configure the parameters for detecting VoIP control signals and routing them to the MGCP server on this tab page. A server profile (page 171) must be configured before it can be specified for use by the session controller. Click Modify to open the configuration page.
Server: Select the name of the MGCP server profile to be used from the drop-down list. This is the server configured on the MGCP Server page (page 171).
WAN Rx Port: Port on which to listen for MGCP signaling messages from the WAN. Enter the port number or the beginning number of a range. Default is 2427.
range to: Ending number of the WAN port range.
LAN Rx Port: Port on which to listen for MGCP signaling messages from the LAN. Enter the port number or the beginning number of a range. Default is 2727.
range to: Ending number of the LAN port range.
Keep Alive: Interval between keep
211. troller Access Control System Plus (TACACS) clients to establish external authentication security rather than using the default internal SHA method. To use either service, you must first establish an account on a RADIUS or TACACS server. That can be your company's server or a commercial service provider. These clients provide external password authentication by sending the log-in password to an external server for authentication. The default SHA uses authentication internal to the BSGX4e.

Technical reference

The process to establish RADIUS or TACACS authentication is as follows:
1. Establish an account on the RADIUS or TACACS server. The account information you receive must include the server address, user name, secret key and password.
2. Create a new user account or modify an existing account (see User accounts page on page 41). On the user account configuration page:
   - The user name must be the same as for the RADIUS or TACACS account.
   - Select RADIUS or TACACS for the authorization field.
   - The password field is optional, since the external account password is actually used for log-in. A password entered here is used as backup if the external server cannot be reached.
3. On the RADIUS or TACACS configuration pages:
   - Select the user for which the RADIUS or TACACS account was established.
   - Enter the RADIUS or TACACS server IP address and the secret key.

The authentication clients in the BSGX4e have the following characteristics:
212. try, enable the check box next to the port number on the display page, then click Delete.

Fill in the fields as follows. Click Update when finished.
Port: Number of the FXS port.
Name: Name for this User Agent profile.
UserID: Authentication information required by the MGCP server.
Codec1: Most preferred codec and packet time selection (PCMU_10, PCMU_20, PCMA_10, PCMA_20, G729A_10, G729A_20, NOTUSED). Default is PCMU_20.
Codec2: Second preferred codec and packet time selection (PCMU_10, PCMU_20, PCMA_10, PCMA_20, G729A_10, G729A_20, NOTUSED). Default is PCMA_20.
Codec3: Third preferred codec and packet time selection (PCMU_10, PCMU_20, PCMA_10, PCMA_20, G729A_10, G729A_20, NOTUSED). Default is G729A_20.
Codec4: Fourth preferred codec and packet time selection (PCMU_10, PCMU_20, PCMA_10, PCMA_20, G729A_10, G729A_20, NOTUSED). Default is NOTUSED.
RFC2833: Enable/disable RFC 2833 for DTMF. Default is yes. RFC 2833 provides out-of-band DTMF event reports. Distortion from compression and decompression can prevent recognition of pure DTMF tones. Out-of-band DTMF sends the information by separate RTP packets.
Payload: If RFC 2833 is enabled, the RTP dynamic payload type can be specified. Range is 96 to 127. Default is 101.
MPT: If a modem is connected to the FXS port, enables modem pass-through and forces media to G.711; echo cancellation Defau
213. ts in the Type of Service (ToS) field of the IP header to indicate priority. The priority bits value needs to be set in the LAN device. Use Table 10 above to determine the value to set. If you need to change the BSGX4e priority queue associated with a bit value, perform these steps:
1. Click the bit value in the Switch > QoS > ToS column to open the properties page.
2. Click Modify to open the configuration page.
3. Select the appropriate priority level from the Priority drop-down list and click Update.

Data > Switch > Settings tab

This tab is where you specify which classification type and scheduling method to use. The defaults are Port classification type and WFQ scheduling method. Classification types were described in the preceding sections. The scheduling methods are:
- WFQ (weighted fair queuing): All queues are serviced depending on the weight assigned to the queue.
- Fixed: All packets are serviced from the highest priority queue first, then the next lower priority queue is serviced, and so on.
See the section Priority scheduling on page 192 for more discussion.

NOTE: To guarantee uninterrupted service for a critical application such as VoIP, use fixed scheduling and assign that service to the HIGHESTQ queue.

To change the classification type or scheduling method, perform these steps:
1. Click Modify to open the configuration page.
2. Select the desired classi
214. ts packets that arrived above the committed rate but below the burst rate.
Packets dropped: Total number of packets dropped. Strict policing: packets dropped if traffic exceeds the committed rate. CAR policing: packets dropped if traffic exceeds the burst rate.
Bytes in: Byte count for the Packets in counter.
Bytes out: Byte count for the Packets out counter.
Bytes dropped: Byte count for the Packets dropped counter.
Bytes downgraded: Byte count for the Downgraded packets counter.

Quality > Group > Live

You can view instantaneous performance statistics (one-second interval) for quality groups on the Live tab of the Group page. The displayed statistics are as follows:
Input rate: Offered rate to the quality group.
Output rate: Overall output rate of the quality group, including protected and downgraded traffic.
Primary output rate: Output rate of the protected traffic.
Downgrade output rate: Output rate of downgraded (non-protected) traffic. This rate applies only to quality groups that use CAR.
Packet loss rate: Rate of packets dropped by the quality group. Strict policing: packets dropped if traffic exceeds the committed rate. CAR policing: packets dropped if traffic exceeds the burst rate.
Data loss rate: Packet loss rate translated to bytes per second.
Packet loss ratio: Ratio comparing total packets o
215. ts the unit from useless packets that intend to locate holes in the firewall. Protection is configured using the IDS scan commands udpportscan, tcpsynscan and pingsweep.
- Flood: Protects the unit from excess incoming packets that can overload the unit. Flood detection is configured using the udpflood, icmpflood, arpflood, synflood, espflood, unknowipprotoflood, stpflood, cdpflood and unknowntypeflood commands. The protection threshold can be changed for these protocols and services: DHCP, DNS, ESP, IKE, MGCP, RADIUS1, RADIUS2, RIP, SIP, SNMP, SNTP, TFTP, as well as unknown protocols or unknown ports. See IDS flood activity on page 142.
- Spoof: Protects the LAN network and the unit from intrusion. IDS spoof protection is applicable for all configured untrusted interfaces.

Table 24 lists the protocols that are inspected.

Table 24: Protocols for which IDS attack protection applies
Columns: Ethernet protocols (Unknown type, ARP, STP, CDP, other protocols); IP protocols (IP, UDP, TCP, ESP, ICMP, RTP). Marks per row as extracted (column positions not preserved):
Anomaly: XXX X
Flood: X X X X X X
Scan: X X X

Security > IDS > Anomaly tab

This page enables/disables protection against packet fragment anomaly attacks. All anomaly attack types are enabled by default. To disable an attack type, click the anomaly name on the Anomaly tab page. When the properties page opens, click the Modify button. The following attacks are detected:
- fragoverlap: The offset of
216. ttings. There is also a QoS wizard, where you must enter all data manually.

The Initial Setup wizard provides non-technical users with a simplified interface to configure the basic parameters in the BSGX4e that leave the unit in a functional state. For technical users, the wizard provides a convenient way to quickly configure basic features during installation and provides a general example of parameter settings.

Quality groups

On the QoS page of the Initial Setup wizard, the user can create the two quality groups deemed necessary for uninterrupted service of the BSGX4e's critical functions: one for VoIP devices (voiceqos) and one for ARP/PPP control signals (control). The user can click the Defaults button or manually enter the required data. The only inputs required by the wizard are:
- Upstream QoS link rate
- Downstream QoS link rate
- WAN encapsulation type
- Committed bandwidth for voice and control quality groups
All other QoS parameters are pre-configured by the wizard.

The voiceqos quality group processes both the VoIP media stream and the control signal stream. The wizard automatically associates both streams with the voiceqos quality group. In the Web UI these associations can be viewed at:
- VoIP media stream: Voice > Media > Settings on page 161
- VoIP control signal stream: Voice > Session Control > SIP Control on page 167

The control quality group processes the control signals when needed for the AR
217. tus > Routing PPS panel: Graphical display of data packet rate through the BSGX4e routing engine. The routing engine in the BSGX4e consists of the QoS quality groups, the routing table and NAT.

System Status > System Log panel: Displays the last 15 messages sent to the internal log. Each log entry begins with a letter in parentheses, which maps to the first letter of the severity level of the log entry, listed here in descending order of severity: Emergency, Alert, Critical, Error, Warning, Notice, Inform, Debug, Trace. See Logging information on page 64 for related information.

Overview page

The system overview page displays system information, and it contains the following configurable parameters:
- the unit name, displayed on the Web UI left of the button bar
- the country of operation, which affects telephony settings
- configuration of the CLI command shell

The panels in the display pane are described in the following sections.

Figure 3: Overview page (menu pane showing User Accounts, DHCP Server, Radius, TACACS, SNMP, SSL, Upgrade, Configuration, License, Logging Information, Logging Modules; Shell panel: Width 80, Prompt ICAD, Timeout 60 min; System Information panel: Unit Name MyUnit, Bootcode Ver 1.1.0.01, App Ver 2.1.0.00E.0053, System Type ICAD40, Memory 105/128 MB, MAC0 00:15:93:00:02:CA, MAC1 00:15:93:00:02:CB, Serial A628000058, Country
218. ...ty alarm is cleared. Default is 3 seconds.
Min Burst Alert Clear: Minimum duration until the excessive bursting alarm is cleared. Default is 3 seconds.
Min Delay Alert Clear: Minimum duration until the excessive delay alarm is cleared. Default is 3 seconds.

Link page
The Quality > Link page is where you specify the upstream bandwidth for the QoS link. This relates to the quality groups you configure for QoS in the section Group page on page 112, which is next. The total bandwidth of all quality groups cannot exceed 90% of the link rate. See also Appendix 12, Quality of service, for a technical description of the QoS implementation in the BSGX4e. This section relates to layer 3 QoS functions. See QoS page on page 98 for layer 2 QoS functions.
The Quality > Link page has two tabs:
- Link: Specify the bandwidth for the QoS network (WAN) link.
- Stats: Displays performance statistics for Best Effort traffic on the WAN link.
Figure 33: Quality link page (screenshot)

Quality > Link > Link tab
The QoS link is the upstream bandwidth of the BSGX4e. This value affects the quality groups that reserve bandwidth for your protected applications. The total reserved bandwidt...
219. ...uide
- BSGX4e CLI Reference Guide
The guides are provided in portable document format (PDF). The PDF files are also available on the Nortel Web site (www.nortel.com). To view PDF files, use Adobe Acrobat Reader 5.0 or newer from your workstation. If you do not have Adobe Acrobat Reader installed on your system, you can obtain it free from the Adobe Web site (www.adobe.com).

How to get help
This section explains how to get help for Nortel products and services.

Getting help from the Nortel Web site
The best way to get technical support for Nortel products is from the Nortel Technical Support Web site (www.nortel.com/support). This site provides quick access to software, documentation, bulletins, and tools to address issues with Nortel products. More specifically, the site enables you to:
- download software, documentation, and product bulletins
- search the Technical Support Web site and the Nortel Knowledge Base for answers to technical issues
- sign up for automatic notification of new software and documentation for Nortel equipment
- open and manage technical support cases

Getting help over the phone from a Nortel Solutions Center
If you do not find the information you require on the Nortel Technical Support Web site and have a Nortel support contract, you can also get help over the phone from a Nortel Solutions Center. In North America, call 1-800-4NORTEL...
220. ...uire a static address.
MTU: Maximum Transmission Unit (MTU) of the interface, in bytes. This sets the maximum packet size. Default is 1500 bytes.
DHCP client: Enable/disable the DHCP client (on/off). Default for eth0 is on; default for eth1 is off. The DHCP client is off by default when creating a new interface. See the DHCP client section below for more discussion. See the notes for the IP Addr/Mask field above.
Status: Whether the interface is enabled or disabled (up/down). Default is up.
Speed: Applicable only to the eth0 interface on the BSGX4e. Whether the speed and duplex mode for the interface is auto-negotiated or explicitly specified. For auto-negotiation, choose Auto (default). To specify speed and duplex mode, select 10Half (10 Mbps half duplex), 10Full (10 Mbps full duplex), 100Half (100 Mbps half duplex), or 100Full (100 Mbps full duplex).

DHCP client
The DHCP client obtains a dynamic address from an external server for the interface on which the client is enabled. The client can be enabled on either the WAN or the LAN interface, but not both. Enable the DHCP client on the LAN if you have a DHCP server on the LAN. The DHCP client is enabled on the WAN by default for the Ethernet interface of the BSGX4e, and it is disabled for all other interfaces. This information is summarized in Table 7.
Table 7: DHCP client status by interface
DHCP...
221. ...ult is 30 seconds.
HBTimer2: Time interval between heartbeat packets for temporarily unavailable servers, in seconds. The default is 15 seconds.
CAUTION: Ensure the Heartbeat parameter is enabled. The BSGX4e can operate in local call routing mode (page 185) after start-up. During start-up, if the session controller cannot connect with a SIP server because network connectivity is still setting up, the BSGX4e implements local call routing. Normal operation resumes only when the heartbeat monitor detects a signal from the SIP server.

Server failover
Server failover prevents VoIP service interruption by accessing backup proxy servers, if configured in the server profile. The session controller detects that the call server might be down if it:
- Cannot connect to the call server (WAN interface unplugged, no IP route, and so on)
- Does not receive SIP replies from it
When a proxy server might be down, the session controller attempts some number of retries before it marks the server as down. The server profile specifies the number of retries. If the proxy server is still unavailable after the retries, it is marked as down for the duration of the blacklist timer, which is set in the server profile. After the timer expires for a downed server, the session controller attempts to re-contact the downed server. While a SIP proxy server is marked as down, the session controller uses...
222. ...umber on the display page, then click Delete.
Fill in the configuration page fields as follows:
Index: Specify new if the new policy is to be at the beginning or end of the policy sequence; otherwise, specify a number to indicate where the policy is to be inserted in the sequence (see Technical reference above).
From: Interface from which the packet originated (self, eth0, eth1, ppp n, vif n, vpn n). Specify self for packets originating from the BSGX4e. See Additional security policies above for reference.
To: Interface to which the packet is destined (self, eth0, eth1, ppp n, vif n, vpn n). Specify self for packets destined for the BSGX4e. See Additional security policies above for reference.
Source IP: Source IP address. Default is any.
range to: Beginning address of a range.
Dest IP: Destination IP address. Default is any.
range to: Ending address of a range.
Source: Source port number. Default is any.
range to: Beginning port number of a range.
Dest: Destination port number. Default is any.
range to: Ending port number of a range.
Proto: Protocol specified in the packet (udp, tcp, icmp, esp, gre, any). Default is any.
NAT: ID number of the NAT profile to be referenced. Change this field only if this security policy is used with a NAT profile. See NAT on page 132. Default is 0.
QoS: Name of a QoS quality group. Change this fi...
223. ...under QoS management. But in many cases the media stream does not transmit if the control signal is interrupted, so the control signal must also be protected from packet loss by assigning it to a quality group. For any device or function where you want both media and control streams to be managed by QoS, you must decide if you want both streams to be in the same quality group or in separate quality groups.
NOTE: The Initial Setup Wizard creates a control quality group if the Default button on the QoS page is clicked. This quality group is designed for the control signals of the ARP and PPP protocols (see page 121). Control signals from other functions can also use this quality group.
These guidelines help you determine the most efficient use of QoS:
- The minimum bandwidth allocation to a quality group is 64 Kbps, but typically a control signal consists of a small data rate. If you put each control signal into its own quality group, you limit the number of quality groups you can create, since the sum of all bandwidth allocated to quality groups cannot exceed 90% of available bandwidth.
- One scheme is to create a Control quality group and assign all control signals to that group. This is practical when you have several devices and functions that use small control signals. As a general guideline, this scheme applies if you operate more than 10 IP phones. The recommended configuration for this quality group is: Link eth0, QG A2, Type ca...
224. ...us (Services page screenshot: Web Configuration, Telnet Configuration, DNS Configuration, SNTP Configuration, SSH Configuration and Dynamic DNS Settings panels)
Note that with some of these services (DNS, SNTP, DHCP), rather than having the BSGX4e act as the service client, you can configure it as a relay that forwards LAN requests to an external server. See the section Relays on page 78. The panels in the services page are described under the following headings.

System > Services > Web Configuration panel
The Web server allows remote administration of the BSGX4e using the Web UI, connected...
225. ...ut to total packets in.
Data loss ratio: Ratio comparing total bytes out to total bytes in.
Average packet size: Average packet size in bytes.

Downstream QoS page
Attention: Downstream QoS is not yet supported.
Downstream QoS manages WAN link inbound bandwidth to provide quality protection for specified incoming data streams. This is intended primarily to ensure adequate bandwidth for incoming VoIP and ARP/PPP control streams. It is applied by enabling the Downstream QoS field in a quality group.
Downstream QoS functions differently than the upstream QoS described in the preceding sections. Downstream processing is based on differentiating non-quality TCP traffic from quality non-TCP traffic. Incoming traffic is processed by the Routing Engine, with the Classifier as the first process. A quality group that has its Downstream QoS parameter set creates a policy in the Classifier. All traffic that does not match the quality group criteria is routed to a delaying queue. In practice, IP voice and control streams use non-TCP protocols. With these streams under Downstream QoS protection, the remaining traffic (mostly TCP) is queued. The delay resulting from queuing causes TCP traffic to limit itself, which leaves most of the bandwidth available for non-TCP traffic. By limiting the required bandwidth for non-quality TCP traffic, which is normally Web pages and email, quality traff...
226. ...ved configuration file:
1. Ensure the target configuration file is on the PC connected to the BSGX4e.
2. Click Browse and navigate to the configuration file.
3. Click the Restore button to import the configuration.
4. Reboot the system to implement the configuration.
Changes are saved automatically in this process.

License
This is a display page that lists the copyrights of other companies' products used in the BSGX4e.

Logging information
Figure 11: Logging information (screenshot; Logging Destination, Logging Map and Counters panels)
The BSGX4e logs event and error messages to various internal and external destinations. Most of these logs are intended to assist in troubleshooting during a technical support session and do not provide useful information for normal operations. If you need to conta...
227. ...vices is shorter than for other media types because these devices are automatically detected by the BSGX4e's session controller. All other traffic has to be manually identified. Therefore, two configuration summaries are provided.

SIP/MGCP traffic
The following list summarizes the configuration steps you must perform to make QoS functional:
1. Configure the WAN interface (Interfaces on page 70).
2. Configure the media settings, the SIP or MGCP server, and the User Agent (BSGX4e): Voice > Media > Settings on page 161, Session control on page 164, User agent on page 175.
3. Configure the QoS link (Link page on page 110).
4. Create quality groups (Group page on page 112).
5. Configure Downstream QoS if this feature is enabled in any quality group (Downstream QoS page on page 118).
6. Associate the quality groups with the session controller: Voice > Media > Settings on page 161, Voice > Session Control > SIP Control on page 167. Note the special group that applies to the ARP/PPP control signals (ARP/PPP page on page 121).

Other traffic
The configuration procedure for any other traffic stream to which you want to apply QoS is basically the same, except for Step 6. Rather than associating the quality group with the session controller, you must create a firewall policy and specify the quality group there. Be cautious about enabling Downstream QoS in too many qu...
228. ...w to create a profile.
To modify an existing profile, click the profile name, then click Modify. To remove an identifier, select the check box next to the identifier name, then click Delete. Note that you cannot remove the predefined admin, useradv, or useradv identifier.
Fill in the fields as follows; click Update when finished.
Identifier: Name for the new identifier profile.
Access mode: Permissions granted by this record. Select all that apply: read (view data), write (change parameter values). NOTE: execute is not used at this time.
Group name: Name of the user group granted rights by this profile.
Object name: Each object (command) has an authority field that is set to Admins or Users. Select the name that sets the desired permissions in conjunction with the user group that was selected:
Group   | Object | Permissions
admins  | Admins | read, write
users   | Admins | read
users   | Users  | read, write

DHCP server
The DHCP server in the BSGX4e provides dynamic IP addresses to hosts connected to its LAN ports. This service is enabled by default. Optionally, you can assign static addresses to LAN hosts. For clarification, the BSGX4e also includes two other DHCP features:
- DHCP relay (page 85): Rather than having the DHCP server provide addresses to LAN hosts, the relay service receives the host's DHCP request an...
229. ...y | Emergency operation error | Internal buffer
1 | Alert | Alert level operation error | Internal buffer
2 | Critical | Critical operation error | Internal buffer
3 | Error | Low level operation error | Internal buffer
4 | Warning | Warnings, such as a system attack | Internal buffer
5 | Notice | Notices | Internal buffer
6 | Inform | Informative messages | Internal buffer
7 | Debug | Debug messages, such as receipt of a SIP signaling packet | Not logged
8 | Trace | Trace messages | Not logged

Logging modules
This page lists the functional modules in the BSGX4e and shows which message types are mapped to that function. This page is intended to be used only for troubleshooting during a technical support session. You may be directed by the support technician to change the severity mapping or to change the destination mapping (previous section).
CAUTION: Do not change the severity mapping unless so directed by technical support personnel. Enabling the debug and trace messages degrades system performance.
To change the message mapping of any function:
1. Click the module name in the display panel to open the properties page.
2. Click the Modify button to open the configuration page.
3. Enable or disable the desired message types and click Update when finished.
NOTE: Changes are not persistent. Any changes you make are reverted to the default settings with the next reboot.

3 Data pages
230. ...y to open the configuration page. To delete an entry, enable the check box next to the policy name on the display page, then click Delete.
Name: Enter a unique name for this VPN.
Gateway: Enter the IP address of the remote secure gateway.
Local: Enter a local IP address secured by the VPN. Typically this is a sub-network of the BSGX4e LAN (192.168.1.0/24). Valid entries are addresses specified as a range or as a subnet (x.x.x.x/yy). If specifying a range, enter the beginning address.
range to: If specifying a range for the local IP, enter the ending address.
Remote: Enter a remote IP address secured by the VPN. Valid values are addresses specified as a range or as a subnet (x.x.x.x/yy). If specifying a range, enter the beginning address.
range to: If specifying a range for the local IP, enter the ending address.
Proposal: Enter the name of the IPsec proposal. The default value is VPN-A, which is a proposal pre-defined in the BSGX4e.

Security > IPSec > Proposals tab
An IPsec proposal is a set of security parameters used when negotiating an IPsec security association with a remote secure gateway. IPsec proposals are referenced by the IPsec policies. The initial BSGX4e configuration provides a predefined IPsec proposal named VPN-A. This predefined proposal conforms with the recommendations for a standard IPsec cryptographic suite called VPN...