Avaya 1000 Series Configuration Manual

Avaya Secure Router 1000 Series
Configuration Guide
9.4
NN47262-501, 02.01
December 2010

Summary of Contents for Avaya 1000 Series

  • Page 1 Avaya Secure Router 1000 Series Configuration Guide NN47262-501, 02.01 December 2010...
  • Page 2 While reasonable efforts have been made to ensure that the information in this document is complete and accurate at the time of printing, Avaya assumes no liability for any errors. Product provided by Avaya including the selection, arrangement and design of the content is owned either by Avaya or its licensors and is protected by copyright and other intellectual property laws including the...
  • Page 3: Table of Contents

    Chapter 5: Multiple IP Helper Addresses on VLAN ..... 31
    Chapter 6: TCP MSS Clamping ..... 33
    Chapter 7: IP MULTIPLEXING ..... 37
    IP Unnumbered Auto-Configuration ..... 37
    Configure the Secure Router 1000 Series at Site A ..... 39
    Configure the Secure Router 1000 Series at Site B ..... 39
    Chapter 8: DHCP Relay ..... 41
    Feature Overview ..... 41
    Functionality ..... 41
    ...
  • Page 4

    Layer Two Configurations: ..... 87
    MLPPP Configuration ..... 88
    Configure the SR1004 at Site 1 ..... 88
    PPP and MLPPP Configuration ..... 88
    Configure the SR3120 at the Main Site ..... 88
    HDLC Configuration ..... 88
    Configure the SR3120 at the Main Site ..... 89
    HDLC Errors ..... 89
    ...
  • Page 5

    Firewall behavior with invalid ACKs on TCP connections ..... 127
    Firewall ALG behavior ..... 128
    Chapter 24: IPSec EXAMPLES ..... 133
    Introduction to Security ..... 133
    Enabling Security Features ..... 133
    Securing Remote Access Using IPSec VPN ..... 134
    Access Methods ..... 135
    Remote Access: User Group ..... 135
    Remote Access: Mode Configuration ..... 135
    ...
  • Page 6

    Installing Licenses ..... 136
    Example 1: Securely Managing the Secure Router 1000 Series Over an IPSec Tunnel ..... 137
    Step 1: Configure a WAN bundle of network type untrusted ..... 138
    Step 2: Configure the Ethernet interface with trusted network type ..... 138
    Step 3: Display the crypto interfaces ..... 138
    Step 4: Add the route to the peer LAN ..... 139
    ...
  • Page 7

    Step 12: Display firewall policies in the Internet map in detail ..... 163
    Step 13: Configure firewall policies for a group of mobile users to allow access to the local LAN ..... 163
    Step 14: Display firewall policies in the corp map ..... 164
    ...
  • Page 8

    Configuring bundle uplink ..... 189
    Configuring bundle uplink pvc 100 ..... 189
    Configuring bundle uplink pvc 101 ..... 190
    Configuring bundle uplink pvc 102 ..... 190
    Configuring bundle uplink pvc 103 ..... 190
    Configuring interface ethernet 0/1 ..... 190
    Configuring snmp ..... 191
    Configuring IP routes ..... 191
    ...
  • Page 9

    Chapter 32: OSPF Routing Protocol ..... 209
    Configuring the host name ..... 209
    Configuring interface ethernet 0 ..... 209
    Configuring interface bundle Dallas ..... 210
    Configuring ospf ..... 210
    Configuring ospf interface parameters ..... 210
    Displaying neighbors ..... 210
    Displaying ospf routes ..... 211
    Displaying IP routes ..... 211
    OSPF NBMA over Ethernet ..... 211
    ...
  • Page 10

    Displaying All Configured RIP Interfaces ..... 241
    Chapter 36: Static Routing ..... 243
    Configure the Multilink Router A at Site A ..... 243
    Configure the Multilink Router B at site B ..... 244
    Chapter 37: VRRP enhancements ..... 245
    Chapter 38: Trunk Group/Failover ..... 249
    Configuration Details ..... 249
    ...
  • Page 11

    Configure inband VLAN forwarding table ..... 266
    Configure rate limiting for vlans ..... 267
    Configure SNMP ..... 267
    Chapter 42: WAN Interfaces ..... 269
    T1/E1 ..... 269
    Module Configuration ..... 269
    T1 ..... 269
    Bundle Configuration ..... 270
    Fractional T1 ..... 270
    T1 ..... 270
    Configure a T1 PPP Bundle ..... 270
    NxT1 ..... 271
    ...
  • Page 12

    Configuring an IBGP Session between an Avaya Router and a 3rd Party Router ..... 295
    Configuring an IBGP Multi-Hop Session between 2 Avaya Secure Routers ..... 297
    Configuring an IBGP Multi-Hop Session between an Avaya Router and a 3rd Party Router ..... 298
    Configuring EBGP Sessions ..... 299
    Configuring an EBGP Session between 2 Avaya Secure Routers ..... 299
    ...
  • Page 13

    Secure router configuration for BGP ..... 341
    Secure router configuration for OSPF ..... 342
    Secure router configuration for RIPv2 ..... 343
    Chapter 49: Management Configuration Guide ..... 345
    Simple Network Management Protocol ..... 345
    Enterprise MIBs ..... 345
    Standard MIBs ..... 349
    SNMP Applications Supported ..... 350
    ...
  • Page 15: Chapter 1: New in This Release

    • QOS Strict Priority Queuing (SPQ) on page 229
    • Capacity of QoS over Ethernet on page 231
    • VRRP enhancements on page 245
    • Independent VLAN Learning (IVL) Support on page 258
    ...
  • Page 16

    • Numbering Plan And Type Of Number for ISDN on page 285
    • Route tags for route redistribution on page 333
    • Packet Capture of VLAN Packet with Filter Rules on page 338
    ...
  • Page 17: Chapter 2: Preface

    Security, VLANs, VPN, WAN, and other key topics relevant to the configuration and operation of the Secure Router 1000 Series products. The Avaya Secure Router 1000 series includes the Secure Router 1004, Secure Router 1002, Secure Router 1001, and Secure Router 1001s models. In certain areas of this Configuration Guide when discussing features, the term SR1000 is utilized to refer to any of these models.
  • Page 18: Navigation

    • SNMP trap descriptions with default configurations
    Navigation
    Upon inserting the Avaya Secure Router Documentation CD into your CD-ROM drive, click a link to open a PDF version of the target document. If you do not have Adobe Acrobat (version 4.0, or later) or Acrobat Reader installed on your PC, click the Adobe button on the navigation...
  • Page 19: Customer Service

    Adobe Acrobat Reader installed on your system, you can obtain it free from the Adobe website: http://www.adobe.com.
    Customer service
    Visit the Avaya Web site to access the complete range of services and support that Avaya provides. Go to www.avaya.com or go to one of the pages listed in the following sections.
  • Page 20: Getting Help from a Distributor or Reseller

    Getting technical support from the Avaya Web site
    The easiest and most effective way to get technical support for Avaya products is from the Avaya Technical Support Web site at www.avaya.com/support.
  • Page 21: Chapter 3: Secure Router Basics

    Use the CLI to change the default settings.
    Enable Telnet Server
    After upgrading the Secure Router, the telnet server is disabled by default. To enable the telnet server, use the following command:
    SR/config> telnet_server
    ...
  • Page 22: Enable Web User Interface

    WAN ports. This key is different than the software upgrade key. To obtain a port upgrade key, contact your reseller or Avaya. You will be asked to provide the serial number, model number, and the number of ports that are currently active on your router.
  • Page 23: Daylight Saving Time Support

    Multiple SNTP Server support
    The Secure Router 1000 Series and 3120 provide support for the Multiple Simple Network Time Protocol (SNTP) Server feature. SNTP is a simple form of the Network Time Protocol (NTP), which is an internet protocol used for synchronization of computer clocks.
  • Page 24

    The number of retries the NTP server performs, in the range 1 to 5. Default is 3.
    <server>  The NTP server to use for updates.
    <timeout>  The maximum response time, in the range 10 to 7200. Default is 1024.
    ...
  • Page 25: Multiple Syslog Server Support

    Multiple Syslog Server support
    The Secure Router 1000 Series and 3120 provide support for multiple Syslog servers. A Syslog server monitors incoming Syslog messages on UDP ports and decodes them for logging purposes. In addition, several network devices can now be configured to generate Syslog messages.
  • Page 26: Top Command

    The banner.txt file is now supported on all platforms. The banner.txt file is displayed when logging into the router through telnet or SSH.
    ...
  • Page 27: Chapter 4: Source IP Enhancements

    The Secure Router 1000 Series and 3120 provide support for adding source address information to existing services. The services modified to accept a source address are:
    • File Transfer
    • QoS Historical Statistics
    • RADIUS
    • ...
  • Page 28

    Procedure steps
    1. To configure source addresses for a service, enter Configuration Mode.
       configure terminal
    2. Enter the snmp-server subtree.
       snmp-server
    3. Disable snmp server.
    ...
  • Page 29

    Use the following procedure to configure the Syslog server source address for all services.
    Procedure steps
    1. To configure source addresses for a service, enter Configuration Mode.
       configure terminal
    2. Enter the system logging subtree.
       system logging
    3. Enter the syslog subtree.
    ...
  • Page 30

    3. Enter the historical-stats subtree.
       historical-stats
    4. Configure the source address.
       source-address {<A.B.C.D> | <interface-name>}
    Table 8: Variable definitions
    Variable  Value
    <A.B.C.D>  Specify source address by IP address.
    <interface-name>  Specify source address by interface name.
    ...
  • Page 31: Chapter 5: Multiple IP Helper Addresses on VLAN

    The Secure Router 1000 Series and 3120 provide support for Multiple IP Helper. The Multiple IP Helper feature assists in broadcasting network traffic between client machines and servers residing on different subnets. There are situations in which a user may want to control which broadcast packets and protocols should be forwarded by the router.
  • Page 32

    • netbios-ns -- NetBIOS name service
    • netbios-ss -- NetBIOS session service
    • tftp -- Trivial File Transfer Protocol
    • time -- Time
    <subinterface>  The subinterface IP address.
    <type>  The type of encapsulation to apply.
    ...
  • Page 33: Chapter 6: TCP MSS Clamping

    <value>
    7. To exit the tunnel configuration mode, enter:
       exit
    Configuring Ethernet Interface
    1. To enter the configuration mode, enter:
       configure terminal
    2. To select the Ethernet interface, enter:
    ...
  • Page 34

    <value>
    6. To exit the Frame Relay PVC configuration mode, enter:
       exit
    7. To exit the Frame Relay configuration mode, enter:
       exit
    8. To exit the bundle configuration mode, enter:
       exit
    ...
  • Page 35

    <priority> <direction values {in|out}>
    4. To specify the tcp-mtu for the policy, enter:
       ip tcp-mss <value>
    5. To exit the firewall policy, enter:
       exit
    6. To exit the firewall configuration mode, enter:
       exit
    ...
  • Page 36 TCP MSS Clamping
  • Page 37: Chapter 7: IP Multiplexing

    Secure Routers on each side of the WAN connection. An IP multiplexing example is shown below; split subnet IP addressing is used in the example, with the WAN bundles running IP unnumbered.
    ...
  • Page 38

    • A 32-bit host route to router 2: 192.168.0.6 255.255.255.255 wan 1
    The two Secure Routers do not exchange information on manually configured IP routes, nor do they exchange information on any routes learned through auto-configuration with other Secure Routers.
    ...
  • Page 39: Configure the Secure Router 1000 Series at Site A

    Secure Router A would not install a network route to the remote Ethernet subnet since it would duplicate the Secure Router A Ethernet interface route.
    Configure the Secure Router 1000 Series at Site A
    SR> configure term
    SR/configure> interface ethernet 0
    SR/configure/interface/ethernet>...
  • Page 40 IP MULTIPLEXING
  • Page 41: Chapter 8: DHCP Relay

    The DHCP relay feature eliminates the need for a DHCP server on every LAN, because DHCP requests can be relayed to up to 4 DHCP servers on each ethernet interface, including subinterfaces. Avaya's implementation of DHCP relay is based on RFC 1532. BOOTP/DHCP messages are relayed (vs. forwarded) between the server and client.
  • Page 42: BOOTP Replies

    10.1.1.x addresses for packets from 192.168.20.1. However, there may be a limitation that the DHCP server does not allow configuration using IP addresses from a different subnet, although this is mentioned in the RFC.
    ...
  • Page 43: Command Line Interface

    Router/configure/interface/ethernet 0> dhcp-relay 20.1.1.2
    Router/configure/interface/ethernet 0> dhcp-relay 20.1.1.3
    Router/configure/interface/ethernet 0> dhcp-relay 20.1.1.4
    Disabling DHCP Relay
    Router/configure/interface/ethernet 0> no dhcp-relay 20.1.1.1
    Router/configure/interface/ethernet 0> no dhcp-relay 20.1.1.2
    Router/configure/interface/ethernet 0> no dhcp-relay 20.1.1.3
    Router/configure/interface/ethernet 0> no dhcp-relay 20.1.1.4
    ...
  • Page 44: Configuring the Gateway Address Field When NAT Is Enabled

    The following screen captures show the displayed results of issuing show commands relevant to DHCP relay, with and without gateway addresses configured.
    Figure 6: show dhcp_relay Command
    Figure 7: show dhcp_relay Command
    ...
  • Page 45: Displaying Statistics

    Displaying Statistics
    Figure 8: Displaying Ethernet Interface Statistics
    ...
  • Page 46: DHCP Limitations

    There are limitations when using DHCP relay on a Secure Router. DHCP can be enabled only on Ethernet interfaces (not on bundles). Finally, DHCP can be enabled in IP routing (static and dynamic) mode, but not in IP Mux mode.
    ...
  • Page 47: Chapter 9: DHCP Client on Ethernet Interfaces

    The Secure Router 1000 Series and 3120 provide support for Dynamic Host Configuration Protocol (DHCP) for IPv4 clients on Ethernet interfaces. A DHCP client obtains configuration parameters such as an IP address. Using DHCP, a client can contact a central DHCP server that is responsible for maintaining a list of IP addresses available to be assigned on one or more subnets.
  • Page 48

    The duration of the lease in the range 30 to 4294967.
    <hostname>  The hostname of the DHCP client.
    <interface>  The interface to work with.
    <interval>  The timeout interval, in seconds, for the DHCPv4 client negotiation process.
    ...
  • Page 49: Chapter 10: DHCP Server Configuration

    20.20.20.1
    d. Configure the DNS server address for the pool.
       config/term/ip/dhcps> pool floor3 dnsserver 10.19.25.130
    e. If applicable, exclude an address range or multiple address ranges within the address pool.
    ...
  • Page 50

    SR1000/config> show ip dhcps statistics
    Note: If the SR1000 fails/recovers, it does not keep track of the DHCP bindings which were assigned before the router failed.
    Below is another example of DHCP server configuration.
    ...
  • Page 51: Configuring the DHCP Server

    On the Secure Router, the DHCP server can understand Avaya-specific DHCP options used to configure Avaya IP Phones in full mode. When the IP phones are configured in full mode, they initiate a DHCP discover broadcast on the network to which they are attached. The Secure Router matches the IP Phone to the corresponding DHCP pool and returns all the DHCP options configured for that DHCP pool.
  • Page 52

    DHCP pool. The first call server entered is the primary call server. The svpserver option configures DHCP option 151.
    Example:
    R1/configure/ip/dhcps/pool x # callserver 10.10.10.10 port 4200 appserver 20.20.20.20 svpserver 30.30.30.30
    ...
  • Page 53

    Specifies the IP address of the TFTP server.
    server>  The maximum number of TFTP servers is 8. This parameter configures DHCP option 66 and option 150 (multiple TFTP servers).
    Example:
    R1/configure/ip/dhcps/pool x # tftpserver 10.10.10.30
    ...
  • Page 54 DHCP Server Configuration
  • Page 55: Chapter 11: Proxy DNS

    The Secure Router 1000 Series and 3120 provide support for Proxy DNS. Proxy DNS receives a request from a host, resolves the domain name through communication with the DNS server, and sends the response to the host. Proxy DNS is disabled by default.
  • Page 56

    7. Add a DNS cache entry via the CLI.
       add-cache <domain>
    Table 10: Variable definitions
    Variable  Value
    <A.B.C.D>  The primary name server address.
    <domain>  The domain to add to the proxy cache.
    ...
  • Page 57: Chapter 12: Configuring Authentication

    Configuring Authentication
    Users can configure a RADIUS profile on the SR1000 to authenticate users centrally using a RADIUS server. A sample topology outlining Secure Router 1000 Series authentication:
    ...
  • Page 58: Configure Secure Router 1000 Series Authentication

    Avaya/configure/aaa > radius
    Avaya/configure/aaa/radius > primary_server 10.1.1.2
    Primary Radius server configured.
    Avaya/configure/aaa/radius > secondary_server 10.1.1.3
    Secondary Radius server configured.
    Avaya/configure/aaa/radius > src_address 10.1.1.1
    Radius Client Source Address configured.
    Avaya/configure/aaa/radius > shared_key avaya
    ...
  • Page 59

    Avaya/configure/aaa > show aaa status
    Below is an example of configuring Radius authentication with FreeRadius Server and establishing user levels.
    conf t
    authentication login default radius/local
    authentication protocols default ascii
    enable
    ...
  • Page 60

    Auth-Type := Local, User-Password ="bones"
        Service-Type = Level3-User
    Sulu  Auth-Type := Local, User-Password ="helm"
        Service-Type = Level4-User
    • Dictionary file (/usr/local/share/freeradius/dictionary)
    Need to add in the different user levels
    #Avaya Dictionary:
    ...
  • Page 61: Support for Vendor Specific Attribute (VSA) on RADIUS Clients

    Secure Router Privilege Level
    1 Login
    2 Framed
    3 Callback Login
    4 Callback Framed
    5 Outbound
    6 Administrative
    7 NAS Prompt
    8 Authenticate Only
    9 Callback NAS Prompt
    10 Call Check
    11 Callback Administrative
    ...
  • Page 62 CONFIGURING AUTHENTICATION
  • Page 63: Chapter 13: Accounting under TACACS Support

    The Secure Router 1000 Series and 3120 provide support for Terminal Access Controller Access Control System (TACACS) accounting. This feature allows an administrator to audit user activity on a router at any date or time. TACACS accounting details what commands were issued by a particular user.
  • Page 64

    • start_stop - Start and Stop records are sent.
    start>
    • stop_only - Only Stop records are sent.
    • wait-start - Start and Stop records are sent, but service starts after acknowledgement.
    ...
  • Page 65: Chapter 14: Compressed RTP

    This example shows how to configure cRTP on the Secure Router 100x.
    SR1004/configure> interface bundle wan
    SR1004/configure/bundle wan> link t1 1
    SR1004/configure/bundle wan> encapsulation ppp
    SR1004/configure/bundle wan> ip address 5.5.5.1 24
    SR1004/configure/bundle wan> rtp
    ...
  • Page 66: Configuring cRTP Timeout

    • All the contexts on that bundle/interface are occupied by other rtp-streams.
    • The UDP destination port number is not even or it is not greater than 1024.
    • RTP version is not equal to 2.
    ...
  • Page 67: Configuring Interoperability with the Cisco 2800

    In this example, you must have a Secure Router on which the RTP and cRTP options are already configured.
    Cisco> enable
    Cisco> configure terminal
    Cisco(config)> interface serial0/1/0:0
    Cisco(config-if)> encapsulation ppp
    Cisco(config-if)> ip address 5.5.5.2 255.255.255.0
    Cisco(config-if)> ip rtp header-compression ietf-format
    Router(config-if)> ip rtp compression-connections 150
    ...
  • Page 68 Compressed RTP
  • Page 69: Chapter 15: DTE-to-DTE Multilink Frame Relay

    DLCI of 100 on both ends and an IP address in the 11.1.1.0/30 subnet. The AVC names and DLCI numbers can be different on each end if necessary. The frame switches are configured for DLCIs
    ...
  • Page 70 101, 102, and 103 on the respective T1s. In this example, the Secure Router 1000 Series configurations are almost identical. The primary difference is the IP address assigned to the AVC. The configuration for the left Secure Router 1000 Series is shown below.
  • Page 71: Chapter 16: IGMP Configuration Guide

    IP addresses (the EXCLUDE list) from which it does not want to receive traffic. This indicates that the host wants to receive traffic only from other sources whose IP addresses are not listed in the EXCLUDE list. To receive traffic from
    ...
  • Page 72: IGMP Commands
  • Page 73: IGMP Configuration Examples

    In the following example for interface ethernet 0, the Robustness is configured to be 3. The Last Member Query count is configured to be 5.
    Router/configure/ip/igmp/interface ethernet0> robustness 3
    Router/configure/ip/igmp/interface ethernet0> last-member-query-count 5
    Router/configure/ip/igmp/interface ethernet0> exit 3
    Router/configure>
    ...
  • Page 74: IGMP Snooping

    This creates excessive traffic on the network and affects network performance. IGMP Snooping allows routers to monitor network traffic and determine hosts that want to receive multicast traffic.
    ...
  • Page 75: CLI Configuration Commands

    To enable IGMP Snooping globally:
    Host/configure# igs
    Host/configure/igs# snooping-enable
    To disable IGMP Snooping globally:
    Host/configure# igs
    Host/configure/igs# no snooping-enable
    To enable IGMP Snooping on a VLAN:
    Host/configure# igs
    Host/configure/igs# vlan 10
    Host/configure/igs/vlan 10# snooping-enable
    ...
  • Page 76

    To configure the max response time on a VLAN:
    Host/configure# igs
    Host/configure/igs# vlan 10
    Host/configure/igs/vlan 10# max-response-time 150
    CLI Display commands
    This section describes the CLI commands used to display the IGMP Snooping configuration.
    ...
  • Page 77

    Host# show igs groups all
    Sample output:
    Groups:
    Vid  GroupIPAddress  Interface
    10   227.1.1.1       wan2
    10   227.1.1.1       ethernet0/1
    10   227.1.1.10      wan2
    To display multicast routers learned or configured for IGMP snooping:
    Host# show igs mrouters
    ...
  • Page 78

    To redirect debug messages to "/flash1/IgsDbg.txt" and to disable console printing of debug messages:
    Host# debug igs file-logging
    To disable file logging and enable console printing of debug messages:
    Host# no debug igs file-logging
    ...
  • Page 79

    To disable timer related debug messages:
    Host# no debug igs timer
    To enable all debug messages:
    Host# debug igs all
    To disable all debug messages:
    Host# no debug igs all
    ...
  • Page 80 IGMP CONFIGURATION GUIDE
  • Page 81: Chapter 17: IP Multiplexing Overview

    Forwarding traffic from different WAN links to separate routers on the LAN: Source Forwarding
    Forwarding all WAN traffic to a single router on the ...: Default IPMux Routes
    Forwarding to both LAN and WAN router: Specific IPMux Routes
    ...
  • Page 82: Proxy ARP and Packet Forwarding

    6. Forwarding Router 2 receives a packet on WAN2 and forwards it to directly connected router 2.
    7. The echo reply from router 2 to router 1 is returned in the same manner.
    ...
  • Page 83: Addressing in IP Multiplexing Networks

    • Split subnet
    • Secondary addressing
    Consider the following network, consisting of three remote sites. Two remote sites utilize Avaya equipment, while the third is a simple router/DSU combination. Five IP addressing schemes are provided below, all of which refer to the following network.
  • Page 84: Split Subnet

    This is similar to the single subnet scheme in that all four routers are in the same 28-bit subnet, but the Avaya products are on smaller, 30-bit subnets.
    Table 14: Split Subnet Addressing
    POP Router 192.1.1.1/28...
  • Page 85: Secondary Addressing: 30 Bit

    Table: Secondary Addressing (30 bit)
    200.1.1.2/30 199.1.1.2/29 199.1.1.10/29 wan3: 199.1.1.18/29
    Avaya 1 e0: 201.1.1.2/30 wan: 199.1.1.3/29
    Router 1: 201.1.1.1/30 primary, 199.1.1.4/29 secondary
    Avaya 2 e0: 202.1.1.2/30 wan1: 199.1.1.11/29
    Router 2: 202.1.1.1/30 primary, 199.1.1.12/29 secondary
    ...
  • Page 86: Pros and Cons of Different IP Addressing Schemes

    • OSPF – For Cisco-compatible and other routers, routing updates are sourced and detected only on primary addresses, therefore secondary addressing schemes are not usable.
    • BGP4 – Routing updates are fully functional over primary and secondary addresses.
    ...
  • Page 87: Chapter 18: PPP, MLPPP, and HDLC

    Site 2 connects to the main site over a single T1 link with PPP encapsulation. The Channelized T3 Router PPP parameters (for example, the maximum transmit and receive byte sizes) are adjusted to comply with the Site 1 router configuration.
    ...
  • Page 88: MLPPP Configuration

    SR>/configure/interface/bundle> encap ppp
    SR>/configure/interface/bundle> ppp mtu 100-250-1000 mru 100-250-1000
    SR>/configure/interface/bundle> ip addr 192.168.2.1 255.255.255.0
    SR>/configure/interface/bundle> exit
    HDLC Configuration
    HDLC encapsulation may be substituted for PPP between the main site and site 2
    ...
  • Page 89: Configure the SR3120 at the Main Site

    In release 8.0.1 and higher, the router sends an SNMP bundle link down trap when the link receives excessive HDLC errors. The following example shows a multilink PPP bundle on a Secure Router 1000 Series where bundle link E1 10 is having excessive HDLC errors.
    snmpTrapOID.0...
  • Page 90

    The show system configuration command is updated to show the current settings for both the hdlc_error and hdlc_link_deactivate commands. The output is displayed below for a Secure Router 1000 Series router:
    show system configuration
    ...
  • Page 91 HDLC Errors
  • Page 92 If the hdlc_link_deactivate command is not set, then when the link that has excessive HDLC errors becomes clean of errors it will recover framing and the link will come up. To unset hdlc_link_deactivate, enter the command no system hdlc_link_deactivate.
    ...
  • Page 93: Chapter 19: Dial Backup Via External Modem

    Chapter 19: Dial Backup via External Modem The Secure Router 1000 Series and 3120 provide support for Dial Backup, which enables redundancy for routes. Backup routes using PPP bundles created over a dialup connection will become active when a primary route goes down.
  • Page 94

    1. To configure dial backup, enter Configuration Mode.
       configure terminal
    2. Create a dialer.
       dialer <name>
    3. Configure async parameters.
       async
    4. Configure the async port.
       port <port>
    5. Configure the baud rate.
    ...
  • Page 95

    <at_string>
    18. Exit back a level.
        exit
    19. Configure the dialer idle-timeout interval.
        idle-timeout <timeout>
    20. Exit back a level.
        exit
    21. To attach to a bundle, create a bundle.
    ...
  • Page 96

    The idle timeout time, in the range 1 to 6000. Default is 180.
    <wait>  The length of time to wait for dial delay, in the range 1 to 255. Default is 50.
    ...
  • Page 97: Chapter 20: Ip Packet Filter List

    • The order in which you enter the filtering rules is important. As the Secure Router is evaluating each packet, the Avaya OS tests the packet against each rule statement sequentially. After a match is found, no more rule statements are checked. For example, if you create a rule statement that explicitly permits all traffic, all traffic is passed since no further rules are checked.
  • Page 98: Example 2

    SR> save local Example 3 Example 3 focuses on a filter list where the network administrator is specifically denying all traffic from a specific external network (197.100.200.0/24) access through the Secure Router.
  • Page 99: Ip Packet Filtering On Vlan Subinterfaces

    SR> save local IP Packet Filtering on VLAN subinterfaces The Secure Router 1000 Series and 3120 provide support for IP packet filtering over VLAN subinterfaces. IP packet filtering involves the use of Access Control Lists (ACL) to filter network traffic by permitting or blocking packets at a router’s interface.
  • Page 100 2. Select the access-list. ip access-list <listname> 3. Insert the rule at a specific line number in the access-list. insert <rule_lineno> <rule_action> <protocol> <source> <destination> [sport] [dport] [icmptype] [icmpcode] [precedence] [tos] [flags] [log] [expire]
  • Page 101 1. Display all access lists. show ip access-lists all 2. Display access list rules. show ip access-list-rules <all | [VLAN subinterface]> 3. Display access list statistics. show ip access-list-stats <VLAN subinterface>
  • Page 102 IP Packet Filter List Table 26: Variable definitions Variable Value <VLAN subinterface> A single subinterface name or a range of subinterfaces (specified as ethernet0.1-5, which means the range of subinterfaces from ethernet0.1 to ethernet0.5.)
  • Page 103: Chapter 21: Multilink Frame Relay Configuration

    Figure 14: Multilink Frame Relay with Three Sites Figure 17 provides greater detail, including the use of an SR3120 inside the cloud as a Frame Relay switching device, and SR3120 and Secure Router 1000 Series units at the CPE sites 1 and 2.
  • Page 104: Mfr Configuration

    T1s are up */ SR/configure/interface/bundle/fr> lmi ansi SR/configure/interface/bundle/fr/lmi> keepalive 8 SR/configure/interface/bundle/fr/lmi> exit SR/configure/interface/bundle/fr> pvc 16 /* pvc’s default cir set to 6144000 bps */ SR/configure/interface/bundle/fr/pvc> shaping cir 6144000 bcmax 6144000 bcmin 3072000...
  • Page 105: Configure The Secure Router 3120

    */ SR/configure/interface/bundle/fr> lmi ansi SR/configure/interface/bundle/fr/lmi> keepalive 10 SR/configure/interface/bundle/fr/lmi> exit SR/configure/interface/bundle/fr> pvc 31 /* pvc’s default cir set to 3072000 bps */ SR/configure/interface/bundle/fr/pvc> ip addr 10.0.2.1 255.255.255.252 SR/configure/interface/bundle/fr/pvc> enable SR/configure/interface/bundle/fr/pvc> exit
  • Page 106: Configure The Sr3120

    SR3120/configure/interface/bundle> link ct3 1 5-6 SR3120/configure/interface/bundle> description "3Mbps MFR to 1001" SR3120/configure/interface/bundle> encap fr SR3120/configure/interface/bundle> fr SR3120/configure/interface/bundle/fr> intf_type dce SR3120/configure/interface/bundle/fr> lmi ansi SR3120/configure/interface/bundle/fr/lmi> keepalive 10 SR3120/configure/interface/bundle/fr/lmi> exit SR3120/configure/interface/bundle/fr> pvc 31 SR3120/configure/interface/bundle/fr/pvc> exit 3
  • Page 107: Chapter 22: Network Address Translation

    Static NAT Static NAT also requires a public address from the upstream service provider. Individual PCs within a LAN are assigned RFC 1918 reserved IP addresses to enable access to other PCs...
  • Page 108: Configuration For Dynamic And Static Nat

    100.1.1.6 tcp port 25 is translated to 192.168.1.6 tcp port 25 and so on. Figure 16: Dynamic and Static NAT Configuration for Dynamic and Static NAT SR> configure terminal SR/configure> interface bundle Trenton SR/configure/interface/bundle Trenton> nat SR/configure/interface/bundle Trenton/nat> enable dynamic...
  • Page 109: Configuration For Mapping Ports

    81 of the web server at private address 192.168.1.6 is mapped to the same TCP port of the public address. Figure 17: Mapping Ports Configuration for Mapping Ports SR> configure terminal SR/configure> interface bundle Trenton SR/configure/interface/bundle Trenton> nat SR/configure/interface/bundle Trenton/nat> enable dynamic SR/configure/interface/bundle Trenton/nat> enable static...
  • Page 110: Reverse Nat

    LAN is using real Internet IP addresses. Figure 18: Reverse NAT page 110 illustrates how reverse NAT would be applied. Figure 18: Reverse NAT Configuration for Reverse NAT SR> configure terminal SR/configure> interface ethernet 0...
  • Page 111: Nat-Failover For Firewalls

    50.1.1.5). If the primary goes down, the traffic should go through the backup interface WAN2 (with PAT address 60.1.1.5). The PAT address is the address of the interface through which the traffic goes to the Internet. PAT allows multiple hosts to share the same IP address.
  • Page 112 (Ensure that the route to the Internet through the backup interface has a higher metric.) Router/configure > ip route 0.0.0.0 0 wan1 metric 1 ip route 0.0.0.0 0 wan2 metric 2 Router/configure >
  • Page 113: Chapter 23: Nat Configurations

    IP address. When traffic is sent to the public address listed in the static mapping, the Secure Router forwards the packets to the correct PC within the LAN, according to the mapping relationship established.
  • Page 114: Nat Configuration Examples

    Then add a policy with the source IP address range, and attach the NAT pool to the policy. Router/configure> firewall corp Router/configure/firewall corp> object Router/configure/firewall corp/object> nat-pool addresspoolDyna dynamic 60.1.1.1 60.1.1.2...
  • Page 115: Static Nat (One To One)

    Router/configure/firewall corp/policy 7 out> apply-object nat-pool addresspoolStat Router/configure/firewall corp/policy 7 out> exit 2 Router/configure> Port Address Translation (many to one) NAT allows multiple IP addresses to be mapped to one address.
  • Page 116: Cone Nat

    Router/configure/firewall corp/policy 2 out> exit 2 Router/configure> Cone NAT Network Address Translation (NAT) is used to map private addresses into public addresses through a NAT device. This is accomplished through address mangling and/or port mangling.
  • Page 117: Full Cone

    IP address and port. Unlike a full cone NAT, an external host (with IP address X) can send a packet to the internal host only if the internal host had previously sent a packet to IP address X.
  • Page 118: Port Restricted Cone

    • Public phone cannot call private phone Ensure the phones and call servers are using STUN or a STUN-like echo server for UNIStim.
  • Page 119: Nat Hairpinning

    ‘talk’ to each other on their apparent public IP addresses/ports. Hairpinning must be configured through the CLI using the following commands: configure/firewall global > hairpinning-SelfIp configure/firewall global > no hairpinning-SelfIp
  • Page 120: Troubleshooting Hairpinning Common Problems

    Ability to Enable/Disable Firewall ALGs All the firewall ALGs are enabled by default when the firewall is configured. It can become necessary to selectively disable ALGs in the firewall when applications fail due to...
  • Page 121 R1/configure/firewall global/algs > show firewall algs Firewall Algs Status ________________ _______ Enabled cuseeme Enabled Enabled Enabled gatekeeper Enabled h323 Enabled Enabled l2tp Enabled msgtcp Enabled msgudp Enabled Enabled mszone Enabled Enabled n2pe Enabled nntp Enabled...
  • Page 122 R1/configure/firewall global/algs > no ftp Firewall FTP Alg disabled R1/configure/firewall global/algs > no sip Firewall SIP Alg disabled R1/configure/firewall global/algs > show firewall algs Firewall Algs Status ________________ _______ Enabled cuseeme Enabled Enabled Disabled...
  • Page 123 Enabled Enabled l2tp Enabled msgtcp Enabled msgudp Enabled Enabled mszone Enabled Enabled n2pe Enabled nntp Enabled pcanywhere Enabled pptp Enabled Enabled rtsp554 Enabled rtsp7070 Enabled Disabled smtp Enabled Enabled tftp Enabled...
  • Page 124 R1/configure/firewall global/algs > show firewall algs Firewall Algs Status ________________ _______ Enabled cuseeme Enabled Enabled Disabled gatekeeper Enabled h323 Enabled Enabled l2tp Enabled msgtcp Enabled msgudp Enabled Enabled mszone Enabled Enabled n2pe Enabled nntp Enabled...
  • Page 125: Nat Acl Enhancements

    Enabled NAT ACL enhancements The Secure Router 1000 Series and 3120 provide support for NAT ACL enhancements. These enhancements add flexibility in configuring a network Access Control List. Access Control Lists are used to filter packets going to the global NAT subsystem. A separate ACL is allowed for static and dynamic address modules.
  • Page 126 7. Exit the access-list configuration to finish or create another. exit 8. Create an address pool. pool <poolname> 9. Specify the address pool range. Note that you can specify more than one range using the same command syntax.
  • Page 127: Firewall Behavior With Invalid Acks On Tcp Connections

    Use the following procedure to configure the reset-invalid-acks option. 1. Enter configuration mode: configure terminal 2. Specify global firewall configuration: firewall global 3. To disable the reset-invalid-acks option, enter: no reset-invalid-acks
  • Page 128: Firewall Alg Behavior

    This section describes firewall ALG behavior. Default behavior of firewall ALG With the Secure Router 1000 Series and 3120, firewall ALGs are disabled by default. To use the typical ALG set, a new CLI command (enable-typical) has been added. This command...
  • Page 129 Changes to the DNS ALG The Secure Router 1000 Series and 3120 provide support for DNS ALG. The DNS ALG is used when a DNS client on the untrusted side wants to access a DNS server behind a NAT on the trusted side.
  • Page 130 Net2Phone private SIP even in n2p protocol UDP Port 6801 Disabled clients pcanywhere Norton/ Symantec’s pcanywhere Rare use case protocol UDP Port 5632 Disabled version 5.0.0...
  • Page 131 Zone TCP Port 28801 Disabled Proxy transport system may not nntp Network News Transfer be reliable or Protocol TCP Port 119 Disabled stable netbios TCP Port 139 Disabled Rare use case...
  • Page 132 Number Setting aimudp AOL Instant Messenger UDP Port 5190 Enabled ike Internet Key Exchange Protocol UDP Port 500 Disabled ils2 Microsoft NetMeeting over LDAP Internet Location Server TCP Port 1002 Disabled...
  • Page 133: Chapter 24: Ipsec Examples

    The VPN Management license is enabled by default. However, this is not backwards compatible with earlier 8.x releases where the VPN Management license is disabled by default. To see the licenses available in this release, enter:...
  • Page 134: Securing Remote Access Using Ipsec Vpn

    In a typical IPSec remote access scenario, the mobile user has connectivity to the Internet and an IPSec VPN client loaded on their PC. The remote user connects to the Internet through their...
  • Page 135: Access Methods

    Avaya supports two types of IPSec remote access using VPNs. Remote Access: User Group One of the methods to achieve IPSec remote access in Avaya is the user group method. In this method, the administrator creates an IKE policy for a logical group of users such as a department in an organization.
  • Page 136: Installing Licenses

    • Basic VPN Management (vpn_mgmt) — allows users to manage a remote Secure Router. • Advanced VPN (advance_vpn) — allows users to manage remote LANs. To see the licenses available in this release, enter:...
  • Page 137: Example 1: Securely Managing The Secure Router 1000 Series Over An Ipsec Tunnel

    Example 1: Securely Managing the Secure Router 1000 Series Over an IPSec Tunnel To install the advanced VPN license and use all the security features available in this release, enter: /configure> system licenses advance_vpn Enter Security Upgrade License key: 024f3bc296b4ea7265...
  • Page 138: Step 1: Configure A Wan Bundle Of Network Type Untrusted

    Networks1/configure> interface ethernet 0 message: Configuring existing Ethernet interface Networks1/configure interface/ethernet 0> ip address 10.0.1.1 24 Networks1/configure/interface/ethernet 0> crypto trusted Networks1/configure/interface/ethernet 0> exit Step 3: Display the crypto interfaces Networks1> show crypto interfaces...
  • Page 139: Step 4: Add The Route To The Peer Lan

    Example 1: Securely Managing the Secure Router 1000 Series Over an IPSec Tunnel Interface Network Name Type --------- ------- ethernet0 trusted wan1 untrusted Step 4: Add the route to the peer LAN Networks1/configure> ip route 10.0.2.0 24 wan1 Step 5: Configure IKE to the peer gateway Networks1/configure>...
  • Page 140: Step 8: Configure The Ipsec Tunnel To The Remote Host

    IN to the name. Step 9: Display the IPSec policies Networks1> show crypto ipsec policy all Step 10: Display IPSec policies in detail Networks1> show crypto ipsec policy all detail
  • Page 141: Step 11: Configure Firewall Policies To Allow Ike Negotiation Through Untrusted Interface

    Example 1: Securely Managing the Secure Router 1000 Series Over an IPSec Tunnel Step 11: Configure firewall policies to allow IKE negotiation through untrusted interface Networks1/configure> firewall internet Networks1/configure/firewall internet> policy 1000 in service ike self Networks1/configure/firewall internet/policy 1000 in> exit Networks1/configure/firewall internet>...
  • Page 142: Step 15: Enable Snmp On The Networks1 Router

    Step 19: When the SNMP manager starts managing Networks1 from the Networks2 LAN, display the IKE and IPSec SA tables Networks1> show crypto ike sa all Networks1> show crypto ike sa all detail Networks1> show crypto ipsec sa all...
  • Page 143: Example 2: Joining Two Private Networks With An Ip Security Tunnel

    Step 1: Configure a WAN bundle of network type untrusted Networks1/configure/interface/bundle wan1> link t1 1 Networks1/configure/interface/bundle wan1> encapsulation ppp Networks1/configure/interface/bundle wan1> ip address 172.16.0.1 24 Networks1/configure/interface/bundle wan1> crypto untrusted Networks1/configure/interface/bundle wan1> exit
  • Page 144: Step 2: Configure The Ethernet Interface With Trusted Network Type

    Key String has to be configured by the user Networks1/configure/crypto/ike/policy Networks2 172.16.0.2> key secretkey Networks1/configure/crypto/ike/policy Networks2 172.16.0.2> proposal 1 Networks1/configure/crypto/ike/policy Networks2 172.16.0.2/proposal 1> encryption-algorithm 3des-cbc Networks1/configure/crypto/ike/policy Networks2 172.16.0.2/proposal 1> exit Networks1/configure/crypto/ike/policy Networks2 172.16.0.2> exit
  • Page 145: Step 6: Display The Ike Policies

    The inbound tunnel applies the name that you provide for the outbound tunnel and adds the prefix IN to the name. Step 9: Display IPSec policies Networks1> show crypto ipsec policy all
  • Page 146: Step 10: Display Ipsec Policies Detail

    Networks1> show firewall policy internet detail Step 14: Configure firewall policies to allow transit traffic from the remote LAN to the local LAN Networks1/configure> firewall corp Networks1/configure/firewall corp> policy 1000 in address 10.0.2.0 24...
  • Page 147: Step 15: Display Firewall Policies In The Corp Map

    Step 19: After transit traffic is passed through the tunnel, display the IKE and IPSec SA tables Networks1> show crypto ike sa all Networks1> show crypto ike sa all detail Networks1> show crypto ipsec sa all...
  • Page 148: Example 3: Joining Two Networks With An Ipsec Tunnel Using Multiple Ipsec Proposals

    Networks2 router offers only one proposal. As a result of quick mode negotiation, the two routers are expected to converge on a mutually acceptable proposal, which is the proposal "IPSec ESP with AES (256-bit) and HMAC-SHA1" in this example.
  • Page 149: Step 1: Configure A Wan Bundle Of Network Type Untrusted

    Configuring existing Ethernet interface Networks1/configure interface/ethernet 0> ip address 10.0.1.1 24 Networks1/configure/interface/ethernet 0> crypto trusted Networks1/configure/interface/ethernet 0> exit Step 3: Display the crypto interfaces Networks1> show crypto interfaces Interface Network Name Type...
  • Page 150: Step 4: Add The Route To The Peer Lan

    Networks1/configure/crypto/ike/policy Networks2 172.16.0.2> exit Step 6: Display the IKE policies Networks1> show crypto ike policy all Step 7: Display the IKE policies in detail Networks1> show crypto ike policy all detail
  • Page 151: Step 8: Configure Ipsec Tunnel To The Remote Host

    Step 10: Configure firewall policies to allow IKE negotiation through untrusted interface Networks1/configure> firewall internet Networks1/configure/firewall internet> policy 1000 in service ike self Networks1/configure/firewall internet/policy 1000 in> exit Networks1/configure/firewall internet> exit
  • Page 152: Step 11: Display Firewall Policies In The Internet Map

    Step 14: Display firewall policies in the corp map Networks1> show firewall policy corp Step 15: Display firewall policies in the corp map in detail Networks1> show firewall policy corp detail
  • Page 153: Step 16: Repeat Steps 1 -15 With Suitable Modifications On Networks2 Prior To Passing Bi-Directional Traffic

    In this example, the client needs to access the corporate private network 10.0.1.0/24 through the VPN tunnel. The security requirements are as follows: Example • Phase 1: 3DES with SHA1, Xauth (Radius PAP) • Phase 2: IPSec ESP tunnel with AES256 and HMAC-SHA1
  • Page 154: Step 1: Configure A Wan Bundle Of Network Type Untrusted

    Step 2: Configure the Ethernet interface with trusted network type Networks1/configure> interface ethernet 0 message: Configuring existing Ethernet interface Networks1/configure interface/ethernet 0> ip address 10.0.1.1 24 Networks1/configure/interface/ethernet 0> crypto trusted Networks1/configure/interface/ethernet 0> exit
  • Page 155: Step 3: Display The Crypto Interfaces

    Networks1/configure/crypto/dynamic/ike/policy sales/proposal 1> encryption-algorithm 3des-cbc Networks1/configure/crypto/dynamic/ike/policy sales/proposal 1> exit Networks1/configure/crypto/dynamic/ike/policy sales> client authentication radius pap Networks1/configure/crypto/dynamic/ike/policy sales> exit Networks1/configure/crypto/dynamic> Step 5: Display dynamic IKE policies Networks1> show crypto dynamic ike policy all
  • Page 156: Step 6: Display Dynamic Ike Policies In Detail

    Networks1/configure/crypto/dynamic/ipsec/policy sales> exit Networks1/configure/crypto/dynamic> Step 8: Display dynamic IPSec policies Networks1> show crypto dynamic ipsec policy all Step 9: Display dynamic IPSec policies in detail Networks1> show crypto dynamic ipsec policy all detail
  • Page 157: Step 10: Configure Radius Server (Applicable Only If Client Authentication Is Configured In Dynamic Ike Policy)

    Step 12: Display firewall policies in the Internet map Networks1> show firewall policy internet Step 13: Display firewall policies in the Internet map in detail Networks1> show firewall policy internet detail
  • Page 158: Step 14: Configure Firewall Policies For A Group Of Mobile Users To Allow Access To The Local Lan

    10.0.1.0 network Step 18: After passing traffic through the tunnel, display the list of clients logged onto the VPN server and the IKE and IPSec SA tables...
  • Page 159: Example 5: Configuring Ipsec Remote Access To Corporate Lan With Mode-Configuration Method

    IP address assigned by the Internet Service Provider as the source address. The security requirements are as follows: Example • Phase 1: 3DES with SHA1, Mode Configuration • Phase 2: IPSec ESP tunnel with AES256 and HMAC-SHA1
  • Page 160: Step 1: Configure A Wan Bundle Of Network Type Untrusted

    Step 2: Configure the Ethernet interface with trusted network type Networks1/configure> interface ethernet 0 message: Configuring existing Ethernet interface Networks1/configure interface/ethernet 0> ip address 10.0.1.1 24 Networks1/configure/interface/ethernet 0> crypto trusted Networks1/configure/interface/ethernet 0> exit
  • Page 161: Step 3: Display The Crypto Interfaces

    Networks1/configure/crypto/dynamic/ike/policy sales> client configuration Networks1/configure/crypto/dynamic/ike/policy sales/client/configuration> address-pool 1 20.1.1.100 20.1.1.150 Networks1/configure/crypto/dynamic/ike/policy sales/client/configuration> exit Networks1/configure/crypto/dynamic/ike/policy sales> exit Networks1/configure/crypto/dynamic> exit Step 5: Display dynamic IKE policies Networks1> show crypto dynamic ike policy all
  • Page 162: Step 6: Display Dynamic Ike Policies In Detail

    Networks1/configure/crypto/dynamic> exit Step 8: Display dynamic IPSec policies Networks1> show crypto dynamic ipsec policy all Step 9: Display dynamic IPSec policies in detail Networks1> show crypto dynamic ipsec policy all detail
  • Page 163: Step 10: Configure Firewall Policies To Allow Ike Negotiation Through Untrusted Interface

    Networks1/configure/firewall corp> policy 1000 in address 20.1.1.100 20.1.1.150 10.0.1.0 24 Networks1/configure/firewall corp/policy 1000 in> exit Note: The address range in this command typically matches the address range configured in the dynamic IKE policy (see Step 4).
  • Page 164: Step 14: Display Firewall Policies In The Corp Map

    Networks1> show crypto dynamic clients Networks1> show crypto ike sa all Networks1> show crypto ike sa all detail Networks1> show crypto ipsec sa all Networks1> show crypto ipsec sa all detail
  • Page 165: Ike Dead Peer Detection

    The ability to disable the anti-replay service is useful when using Diff-serv marking on an IPSec tunnel where you want to support voice traffic at a higher priority than data traffic. As the voice...
  • Page 166: Vpn-Only Mode

    Conversion procedure to VPN-only mode Host> file Host/file > Host/file > copy system.cfg firewall.cfg exit Host> conf t Host/configure > system security firewall-disable Host/configure> write mem Host/configure> exit Host> reboot
  • Page 167 Host/file > copy system.cfg vpnonly.cfg Host/file > copy firewall.cfg system.cfg Host/file > exit Host> conf t Host/configure > no system security firewall-disable Host/configure> exit Host> reboot Displaying the configuration Host > show system security
  • Page 168 IPSec EXAMPLES
  • Page 169: Chapter 25: Ipsec Appendix

    Chapter 25: IPSec APPENDIX This appendix provides information about IPSec supported protocols and modes, encryption algorithms and block sizes, and Avaya IPSec and IKE default values. IPSec Supported Protocols and Algorithms The following tables provide supported protocol and algorithm information.
  • Page 170: Avaya Ike And Ipsec Defaults

    Parameter Name Avaya Default Value Mode Main mode Perfect forward secrecy Disabled Hash algorithm SHA1 Encryption algorithm Authentication method PreShared DH Group Group 1 Lifetime 86400 seconds Response type Initiator and responder
  • Page 171: Ipsec Defaults

    Parameter Name Avaya Default Value Key management type Automatic Hash algorithm SHA1 Encryption algorithm 3DES Protocol Mode Tunnel Lifetime 3600 seconds Direction Position in SPD where policy added Perfect forward secrecy Disabled
  • Page 172 IPSec APPENDIX
  • Page 173: Chapter 26: Pki Certificate Support

    5. Enroll the certificate request. R1/configure/crypto> ca enroll ms2003 This command generates the certificate request in PEM format. 6. Import the router certificate. R1/configure/crypto/ca/import ms2003> router-certificate This command generates the certificate request in PEM format.
  • Page 174: Certificate Enrollment Using Scep

    5. Generate the certificate request, send it to the CA and import the certificate. Since the enrollment method here is SCEP, everything is done in a single command. R1/configure/crypto> ca enroll ms2003 Receive the router certificate from the CA server...
  • Page 175: Ike Negotiation With Dss

    2. Certificate validation can be done using CRLs or OCSP. OCSP supports real-time certificate validation. OCSP Configuration 1. Configure the OCSP Responder URL. R1/configure/crypto/ca/trustpoint ms2003> ocsp url http://192.168.114.3:2560/ 2. Enable OCSP R1/configure/crypto/ike/policy test1 11.1.1.1> ocsp OCSP enabled for this policy
  • Page 176: Crl Configuration

    All the certificates are saved in the Certificates.dat file and private keys are stored in the Keys.dat file. Since private keys need to be securely stored, they are stored in an encrypted format.
  • Page 177: Chapter 27: Configuring Gre

    The parameter may have any of the following values: vpn_mgmt -- Enable VPN Mgmt License advance_vpn -- Enable Advance VPN To install the advanced VPN license and use all the security features available in this release, enter: Avaya Secure Router 1000 Series Configuration Guide December 2010...
  • Page 178: Gre Configuration Examples

    1. Configure the interface. SR> configure terminal Router/configure> interface bundle wan1 Router/configure/interface/bundle wan1> link t1 1 Router/configure/interface/bundle wan1> encapsulation ppp Router/configure/interface/bundle wan1> ip address 192.168.94.220 255.255.255.0 Router/configure/interface/bundle wan1> exit 2. Configure the tunnel. Avaya Secure Router 1000 Series Configuration Guide December 2010...
  • Page 179 TTL: 30 Keepalive: disabled TOS: not set Path MTU discovery: disabled Key Value: not set Checksum: disabled Sequence Datagrams: disabled Tunnel Statistics: Bytes Rx 95112 Bytes Tx 60016 Packets Rx Packets Tx Avaya Secure Router 1000 Series Configuration Guide December 2010...
  • Page 180: Bridging Across Gre

    10.1.1.1 255.255.255.0 exit ethernet interface ethernet 1 ip address 192.168.3.1 255.255.255.0 vlan vlanid 10 exit vlan exit ethernet interface tunnel gre1 ip address 192.168.1.1 255.255.255.0 tunnel source 10.1.1.1 tunnel destination 10.1.1.2 Avaya Secure Router 1000 Series Configuration Guide December 2010...
  • Page 181: Configuring Gre Site To Site With Ipsec

    SR/configure> firewall corp SR/configure/firewall corp> policy 100 in self 5. Check the status of the tunnel by entering: SR> show ip interface tunnel t0 6. Validate the tunnel configuration by entering: Avaya Secure Router 1000 Series Configuration Guide December 2010...
  • Page 182: Configuring Gre Site To Site With Ipsec And Ospf

    IP cloud that does not have multicast capabilities. In such scenarios, the ability to configure PIM over GRE tunnels helps in transporting multicast packets (both control and data) across a non-Multicast aware IP cloud. Avaya Secure Router 1000 Series Configuration Guide December 2010...
  • Page 183: Router 1 Configuration

    Router 2 configuration Router 2/configure> interface tunnel t2 Router 2/configure/interface t2> ip address 100.45.167.2 255.255.255.0 Router 2/configure/interface t2> tunnel source 4.4.4.4 Router 2/configure/interface t2> tunnel destination 2.2.2.2 Router 2/configure/interface t2> exit tunnel ...
  • Page 184 Configuring GRE ...
  • Page 185: Chapter 28: Multipath Multicast

    HRW are not disruptive. RFC 2991 recommends using the HRW method to select the next-hop for multicast packet forwarding. For this reason, Avaya-only scenarios apply the HRW method as the default. This is similar to the Cisco Systems IPv6 multicast multipath implementation.
  • Page 186: Multipath Examples

    SR>show ip rpf <addr> <addr> - source or RP address When multipath is disabled, Avaya selects the next-hop address with the lowest IP address. For equal-cost routes the next-hops are stored in increasing (ascending) order of IP address. The show ip rpf command displays the selected path, based on the configured multipath method and the next-hops of the best route to the IP address passed.
  • Page 187: Chapter 29: Multilink Frame Relay

    Chapter 29: Multilink Frame Relay Frame Relay service providers can use Avaya products to offer multimegabit service of 3 to 24 Mb/s using standard T1 local loops. These services can be used for both Intranet and Internet applications. Depending on the needs of the customer, Avaya products can perform router functionality or be installed simply as a Multilink Frame Relay multiplexer in front of an existing router.
  • Page 188: Chicago - Secure Router Configuration

    1536000 bcmax 1536000 bcmin 1536000 be 1536000 Chicago-SR/configure/interface/bundle mad1/fr/pvc 100> exit 3 Configuring bundle lans1 Chicago-SR/configure> interface bundle lans1 Chicago-SR/configure/interface/bundle lans1> link ct3 1/1/2-6 Chicago-SR/configure/interface/bundle lans1> encapsulation fr Chicago-SR/configure/interface/bundle/lans1> fr Chicago-SR/configure/interface/bundle lans1/fr> intf_type dce ...
  • Page 189: Configuring Pvc 101

    Chicago-SR/configure> interface bundle uplink Chicago-SR/configure/interface/bundle uplink> link t3 1/2 Chicago-SR/configure/interface/bundle uplink> encapsulation fr Chicago-SR/configure/interface/bundle uplink> fr Chicago-SR/configure/interface/bundle uplink/fr> intf_type nni Configuring bundle uplink pvc 100 Chicago-SR/configure/interface/bundle uplink/fr> pvc 100 Chicago-SR/configure/interface/bundle uplink/fr> desc "madison-lansing" ...
  • Page 190: Configuring Bundle Uplink Pvc 101

    3072000 bcmin 3072000 be 6144000 Chicago-SR/configure/interface/bundle uplink/fr> exit 3 Configuring interface ethernet 0/1 Chicago-SR/configure> interface ethernet 0/1 Chicago-SR/configure/interface ethernet 0/1> speed 100 full_duplex Chicago-SR/configure/interface ethernet 0/1> ip address 10.1.1.2 255.255.255.0 Chicago-SR/configure/interface ethernet 0/1> exit ...
  • Page 191: Configuring Snmp

    101> ip addr 205.100.1.2 255.255.255.252 lans1-SR/configure/interface/bundle wan1/fr/pvc 101> policing cir 1536000 bc 1536000 be 6144000 lans1-SR/configure/interface/bundle wan1/fr/pvc 101> shaping cir 1536000 bcmax 1536000 bcmin 1536000 be 6144000 lans1-SR/configure/interface/bundle wan1/fr/pvc 101> exit ...
  • Page 192: Configuring Interface Bundle Wan1 Pvc 102

    205.1.3.0 255.255.255.0 205.1.1.134 1 lans1-SR/configure/ip> route 0.0.0.0 0.0.0.0 205.100.1.1 1 lans1-SR/configure/ip> exit Columbus - Secure Router Configuration SR> configure term SR/configure> hostname Columbus-Router Columbus-SR/configure> interface bundle dayt1 Columbus-SR/configure/interface/bundle dayt1> link ct3 1/1/1-3 ...
  • Page 193: Configuring Interface Bundle Dayt1 Pvc 104

    Columbus-SR/configure/interface bundle uplink/fr/pvc 104> desc "to internet " Columbus-SR/configure/interface bundle uplink/fr/pvc 104> switch 104 dayt1 Columbus-SR/configure/interface bundle uplink/fr/pvc 104> policing cir 1536000 bc 1536000 be 4608000 Columbus-SR/configure/interface bundle uplink/fr/pvc 104> shaping cir ...
  • Page 194: Configuring Interface Bundle Uplink Pvc 105

    Columbus-SR/configure/snmp> system_id col-Router Columbus-SR/configure/snmp> trap_host 10.2.1.1 public Columbus-SR/configure/snmp> exit Configuring IP routes Columbus-SR/configure> ip Columbus-SR/configure/ip> route 0.0.0.0 0.0.0.0 10.1.2.1 1 Columbus-SR/configure/ip> exit Columbus-SR/configure> Dayton - Secure Router Configuration SR> configure term SR/configure> hostname lans1-Router ...
  • Page 195: Configuring Interface Bundle Wan1

    104> shaping cir 3072000 bcmax 3072000 bcmin 3072000 be 4608000 lans1-SR/configure/interface/bundle wan1/fr/pvc 104> exit 3 Configuring interface ethernet 0/1 lans1-SR/configure> interface ethernet 0/1 lans1-SR/configure/interface ethernet 0/1> ip addr 205.1.3.1 255.255.255.0 lans1-SR/configure/interface ethernet 0/1> exit ...
  • Page 196: Configuring Frf.12

    (FRF.12) simultaneously on the same interface. DTE-DCE FRF.12 where DCE terminates the traffic Configure DTE-1: Example Configure a bundle: DTE-1/configure> interface bundle todce1 DTE-1/configure/interface todce1> link t1 1:1-2 DTE-1/configure/interface todce1> encap fr DTE-1/configure/interface todce1> fr ...
  • Page 197: Dte-Dte Frf.12 With An Fr Cloud In The Middle

    DTE-1/configure/interface todce1/fr/interleave> enable DTE-1/configure/interface todce1/fr/interleave> hiprio crpcnt 50 brpcnt DTE-1/configure/interface todce1/fr/interleave> exit 3 Configure DTE-2: Example Configure a bundle: DTE-1/configure> interface bundle todce2 DTE-1/configure/interface todce2> link t1 1:1-2 DTE-1/configure/interface todce2> encap fr ...
  • Page 198 DCE-1/configure/interface nnibundle> link t1 1:1-2 DCE-1/configure/interface nnibundle> encap fr DCE-1/configure/interface nnibundle> fr DCE-1/configure/interface nnibundle/fr> intf_type nni Configure the switched PVC 200: DCE-1/configure/interface nnibundle/fr> pvc 200 DCE-1/configure/interface nnibundle/fr/pvc 200>switch todte1:100 DCE-1/configure/interface nnibundle/fr/pvc 100>exit 3 ...
  • Page 199: Chapter 30: Ospf Routing Protocol - Frame Relay

    Chapter 30: OSPF Routing Protocol - Frame Relay The following example shows OSPF running between a Secure Router 1000 Series and a router over a serial T1 link with back-to-back Frame Relay. Figure 30: OSPF Over a Single T1 with Frame Relay Configuring the host name SR>...
  • Page 200: Configuring Interface Bundle Dallas

    Configuring interface ethernet 0 parameters SR/configure/router/ospf> interface ethernet0 area_id SR/configure/router/ospf/interface ethernet0> cost 10 SR/configure/router/ospf/interface ethernet0> exit 3 Displaying ospf parameters Execute show ip ospf int bundle to display interface-specific OSPF parameters. ...
  • Page 201: Chapter 31: Pim Quick Configuration

    PIM is protocol independent because it can leverage whichever unicast routing protocol is used to populate unicast routing table. There are two modes of PIM protocol – Dense mode (DM) and Sparse mode (SM). Avaya supports SM only. PIM-DM floods multicast traffic throughout the network initially and then generates prune messages as required.
  • Page 202 Configure CBSR period Router/configure/ip/pim/cbsr> period <time> Configure CBSR holdtime Router/configure/ip/pim/cbsr>holdtime <time> Configure CBSR priority Router/configure/ip/pim/cbsr>priority <value> RP commands Configure as candidate RP Router/configure/ip/pim>crp Configure as candidate RP address Router/configure/ip/pim/crp> address <A.B.C.D> ...
  • Page 203 Configure PIM interface as border of PIM domain wan1>boundary PIM SSM Configure the SSM range Router/configure/ip/pim> ssm-range <group-address> <group-mask> The show and debug PIM commands are: SR>show ip pim global Display PIM global configuration ...
  • Page 204: Pim Configuration Examples

    The following example enters the BSR mode. Router/configure/ip/pim> cbsr Router/configure/ip/pim/cbsr> The following command sets Ethernet1 as the BSR interface. Router/configure/ip/pim/cbsr> interface ethernet1 The following example sets the holdtime to 33 seconds. Router/configure/ip/pim/cbsr> holdtime 33 ...
  • Page 205 To configure the router such that the data from S addressed to G must exceed an average of 1024 KBytes per second before an SPT switch is initiated, enter: Router/configure/ip/pim> threshold-dr 1024 ...
  • Page 206 To set the time out of (S, G) entries at 5 times the mrt-period value, enter: Router/configure/ip/pim> mrt-spt-mult 5 To display PIM global configuration settings, enter: Router/configure> show ip pim global PIM: Enabled Mode: Sparse Timers: Hello Interval: 145 Hello Hold Time: 60 Hello Priority: 15 ...
  • Page 207 Router/configure> show ip pim neighbors Neighbor Interface Uptime Expires Hello Priority --------------- ------------- -------- ---------------- -------------- Router/configure> To display RP information, enter: Router/configure> show ip pim rp Group/Mask RP ------------------ --------------- 224.0.0.0/4 10.10.1.1 Router/configure> ...
  • Page 208 Candidate BSR Priority: 45 Candidate BSR Period: 30 Candidate BSR Hold Time: 2048 Candidate BSR Admin Scope: Disabled No BSR's Router/configure/ip/pim> To reset PIM counters, enter: SR> clear ip pim statistics ...
  • Page 209: Chapter 32: Ospf Routing Protocol

    Figure 31: Configuring OSPF Between a SR1001 and a Router Configuring the host name SR>configure terminal SR/configure/hostname SR Configuring interface ethernet 0 SR/configure> interface ethernet 0 SR/configure/interface/ethernet 0> ip address 10.10.10.1 24 SR/configure/interface/ethernet 0> exit ...
  • Page 210: Configuring Interface Bundle Dallas

    Execute show ip ospf neighbor list on the SR1001 to display the neighbor information. In this example, the state is in FULL adjacency with the router. Figure 32: show ip ospf neighbor list Command ...
  • Page 211: Displaying Ospf Routes

    Figure 33: show ip routes ospf Command The metric shows a value of 2. By default, Avaya assigns a cost value of 1 to all interfaces. The cost can be changed by entering it under the appropriate interface in the OSPF command tree structure.
  • Page 212 ATTEMPT message that indicates no recent information has been received from the neighbor and that a greater effort is to be made to contact that neighbor. To achieve this, up to four hello packets ...
  • Page 213: Router Ospf

    Variable Value <A.B.C.D> The IP address. <areaid> The OSPF area ID. <interface> The interface to work with. <interval> The poll interval. <type> The network type. <X.X.X.X> The router ID IP address. ...
  • Page 214 OSPF Routing Protocol ...
  • Page 215: Chapter 33: Qos Configuration

    Chapter 33: QOS Configuration Overview Avaya QoS ensures bandwidth guarantees throughout the Secure Router by implementing Random Early Detection (RED) to address congestion and Class Based Queuing (CBQ) to address traffic policing. This document discusses the CBQ features. Avaya's bandwidth management capability allows multiple agencies or customers to share access bandwidth on a WAN link in a controlled fashion to effectively and efficiently utilize available bandwidth.
  • Page 216: Definitions

    The classification type must be the same across a given level of traffic class. Note in Figure 1, that the classification type at the first level traffic class is the source IP address; for the second ...
  • Page 217: Configuration For The Example In Figure 1

    Figure 34: Assigning Classification Types Configuration for the example in Figure 1 Create bundle AppTest SR/configure> interface bundle AppTest SR/configure/interface/bundle AppTest> link t1 1 SR/configure/interface/bundle AppTest> encap ppp SR/configure/interface/bundle AppTest> ip addr 199.1.1.1 255.255.255.252 ...
  • Page 218: Create Traffic Classes

    SR/configure/interface/bundle AppTest/qos> enable SR/configure/interface/bundle AppTest/qos> exit 3 VLAN Identifiers Figure 2 illustrates the classification based on VLAN identifiers. Note that these classes are leaf classes and do not have child classes. ...
  • Page 219: Configuration For Figure 2

    Default root-out cr 1024 br 2048 SR/configure/interface/bundle VLANtest/qos> class JonesInc SR/configure/interface/bundle VLANtest/qos/class JonesInc> add_vlan_id 24 SR/configure/interface/bundle VLANtest/qos/class JonesInc> exit SR/configure/interface/bundle VLANtest/qos> class SmithInc SR/configure/interface/bundle VLANtest/qos/class SmithInc> add_vlan_id 25-29 SR/configure/interface/bundle VLANtest/qos/class SmithInc> exit ...
  • Page 220: Historical Statistics

    Traffic Policing versus Traffic Shaping Policing controls the traffic by dropping packets or marking down their priority when the configured rate is exceeded. Shaping controls the traffic by delaying packets using a queuing ...
  • Page 221: Need For Traffic Policing

    TOS or DSCP value, are not supported for now. We will not support additional parameters that Cisco Systems supports, like "extended burst" for CAR (committed access rate) and "excess burst" for policing. We feel they introduce more ...
  • Page 222: Configuring Traffic Policing

    "extended burst" parameter is needed to permit a large packet, by loaning tokens, when there are not enough tokens available at a given time for the entire packet. The Avaya policing algorithm allows for such "loaning of tokens" by default.
  • Page 223: Verifying Policing Status And Configuration

    CBQ-CR CBQ-BR Police Avg Out Avg In Packets Packets (kbps) (kbps) (kbps) (kbps) (kbps) Fwded Dropped +------------------+------+------+------+-------+-------+----------+---------- def-in 1100 999.7 999.7 1901.2 1999.6 1096 d1-def 998.9 998.9 d1-web 902.2 1000.6 R87> ...
  • Page 224: Limitations

    This section provides a typical example of using the monitor option to collect policy statistics, including step-by-step CLI configuration details. Configuration Steps: The following are the step-by-step CLI configuration details to achieve this configuration. Config term interface bundle wan ...
  • Page 225: Trusted Core Configuration

    10 br_percent 30 priority 2 add_class premium root-out cr_percent 30 br_percent 50 priority 3 add_class platinum root-out cr_percent 10 br_percent 50 priority 4 add_class gold root-out cr_percent 30 br_percent 50 ...
  • Page 226: Un-Trusted Access Configuration

    0 exit class enable cbq outbound exit Un-trusted Access Configuration This section provides a typical example of untrusted access configuration, including step-by-step CLI configuration details. Configuration Steps: ...
  • Page 227: Traffic Policing Configuration

    The following are the step-by-step CLI configuration details to achieve a traffic policing configuration: Config term interface ethernet 0 add_class Video root-in add_class DataVoice root-in add_class UDP1500 Video add_class FTP DataVoice add_class Allother DataVoice class Video exit class ...
  • Page 228: Burst Tolerance For Fr And Ppp

    The values can be configured in multiples of 5 ms. 1. Enter configuration mode: configuration terminal 2. Specify the PPP or FR WAN bundle to configure: interface bundle <wan> Specify the FR PVC to configure: ...
  • Page 229: Qos Strict Priority Queuing (Spq)

    QoS section of the interface tree. All the clear and show commands are equivalent for SPQ as for CBQ. Mapping a traffic class to an SPQ queue on Ethernet interface 1. To enter configuration mode, enter: ...
  • Page 230 2. To select the ethernet interface, enter: interface ethernet <port number, 0 or 1> 3. To specify qos chassis configuration, enter: 4. To enable SPQ, enter: enable spq output ...
  • Page 231: Capacity Of Qos Over Ethernet

    Capacity of QoS over Ethernet The SR 3120, 1004 and 1002 support QOS Buffering up to 50000 Kbs. SR 1001 and SR1001S support QOS Buffering up to 20000 Kbs ...
  • Page 232 QOS Configuration ...
  • Page 233: Chapter 34: Remote Access Vpn

    IP address of the client. Instead, the VPN server uses the identity of the VPN client to access the policies. Access Methods Avaya supports two types of IPSec remote access using VPNs. ...
  • Page 234: Remote Access: User Group

    Remote Access VPN Remote Access: User Group One of the methods to achieve IPSec remote access in Avaya is the user group method. In this method, the administrator creates an IKE policy for a logical group of users such as a department in an organization.
  • Page 235: Configuration Examples

    The SNMP response that is generated in Secure Router for a request from the management host is called self-generated traffic. The Avaya gateway provides a map called Self for self-generated traffic. This map is created automatically when the gateway comes up.
  • Page 236 1> encryption-algorithm 3des-cbc Router>1/configure/crypto/dynamic/ike/policy admin/proposal 1> client authentication radius pap To configure the IPSec policy for negotiating with a VPN client needing access to the security gateway: Router/configure/crypto/dynamic> ipsec policy admin user-group Router/configure/crypto/dynamic/ipsec/policy admin> ...
  • Page 237: Ipsec Remote Access Mode Configuration Group Method

    IP address assigned by the Internet Service Provider as the source address. The security requirements are as follows: 3DES with SHA1, Mode Config IPSec ESP tunnel with AES256 and HMAC-SHA1 ...
  • Page 238 Router>1/configure> crypto corp Router>1/configure/crypto> dynamic Router>1/configure/crypto/dynamic> ike policy IDCsales modecfg-group Router>1/configure/crypto/dynamic/ike/policy IDCsales> modeconfig-group Router>1/configure/crypto/dynamic/ike/policy IDCsales> local-address 172.16.0.1 To configure the user name (optional) for remote-id: Router>1/configure/crypto/dynamic/ike/policy IDCsales> remote-id email-id sampledata david@abc-corp.com ...
  • Page 239 To configure the IPSec policy for negotiating with VPN clients needing access to the corporate private network 10.0.1.0: Router>1/configure/crypto/dynamic> ipsec policy IDCsales Router>1/configure/crypto/dynamic/ipsec/policy IDCSales> match address 10.0.1.0 24 Router>1/configure/crypto/dynamic/ipsec/policy IDCSales> proposal 1 Router>1/configure/crypto/dynamic/ipsec/policy IDCSales/proposal 1> encryption-algorithm aes256-cbc ...
  • Page 240 Remote Access VPN ...
  • Page 241: Chapter 35: Routing Information Protocol

    Execute show ip rip global to display RIP configuration information. Figure 39: show ip rip global Command Displaying All Configured RIP Interfaces Execute show ip rip interface all to display information about all configured RIP interfaces. ...
  • Page 242 Routing Information Protocol Figure 40: show ip rip interface all Command ...
  • Page 243: Chapter 36: Static Routing

    Multilink_Router_A/configure/interface/ethernet> ip addr 200.1.1.2 24 Multilink_Router_A/configure/interface/ethernet> exit Multilink_Router_A/configure> interface bundle wan1 Multilink_Router_A/configure/interface/bundle> link t1 1 Multilink_Router_A/configure/interface/bundle> encap ppp Multilink_Router_A/configure/interface/bundle> ip addr 10.1.1.2 255.255.255.252 Multilink_Router_A/configure/interface/bundle> exit Multilink_Router_A/configure> ip route 0.0.0.0 0.0.0.0 10.1.1.1 1 ...
  • Page 244: Configure The Multilink Router B At Site B

    Multilink_Router_B/configure/interface/ethernet> ip addr 198.1.1.1 255.255.255.0 Multilink_Router_B/configure/interface/ethernet> exit Multilink_Router_B/configure> interface bundle wan 1 Multilink_Router_B/configure/interface/bundle> link t1 Multilink_Router_B/configure/interface/bundle> encap ppp Multilink_Router_B/configure/interface/bundle> ip addr 10.1.1.1 255.255.255.252 Multilink_Router_B/configure/interface/bundle> exit Multilink_Router_B/configure> ip route 200.1.1.0 255.255.255.0 10.1.1.2 1 ...
  • Page 245: Chapter 37: Vrrp Enhancements

    Chapter 37: VRRP enhancements The Secure Router 1000 Series and 3120 provide support for multiple VRRP enhancements. By design, VRRP eliminates a common point of failure present in static routing environments by specifying an election protocol to dynamically assign routing responsibility to a VRRP router on a LAN. VRRP is used to maintain availability at the IP address level.
  • Page 246 The IP address of the subinterface. <group> The VRRP group number, in the range 1 to 255. <interface> The interface to work with. <level> The priority level, in the range 1 to 254. ...
  • Page 247 • 0 - Gratuitous ARP • 1 - Active/Standby Mode • 2 - Promiscuous Mode <priority> The track priority. <type> The type of encapsulation to apply. <virtual IP> The virtual IP address to be used. ...
  • Page 248 VRRP enhancements ...
  • Page 249: Chapter 38: Trunk Group/Failover

    IP address is utilized for the failover path. • The Secure Router 1000 Series is configured for failover on E0. When E0 loses link connectivity, it will fail over to E1 and continue to pass traffic. When E0 recovers, traffic will be switched back.
  • Page 250: Configure The Wan Router For Failover Operation

    WAN Router/configure/interface/ethernet> ip address 199.1.1.1.6 255.255.255.252 WAN Router/configure/interface/ethernet> exit WAN Router/configure> interface bundle wan WAN Router/configure/interface/bundle> link t1 1 WAN Router/configure/interface/bundle> enc ppp WAN Router/configure/interface/bundle> ip address 10.1.1.1 255.255.255.252 WAN Router/configure/interface/bundle> exit ...
  • Page 251: Chapter 39: Vlan Tagging

    Baltimore uses frame relay and DC uses MLPPP.) Upgrading customer service by adding T1s to an Avaya product can be accomplished remotely (for example, at DC) after the T1 cable is connected. Thus, deploying a technician to reconfigure the unit is not necessary.
  • Page 252: Reston Configuration: Channelized T3 Router

    > The PVC uses a private address on the Reston end. reston/configure/interface/balt1/fr/pvc 100> ip addr 10.1.1.1 255.255.255.252 > The POP router is 205.1.1.1/30 reston/configure/interface/balt1/fr/pvc 100> ip source_forwarding 205.1.1.1 reston/configure/interface/balt1/fr/pvc 100> vlan reston/configure/interface/balt1/fr/pvc 100/vlan> vlanid ...
  • Page 253: Configure Interface Bundle Dc1

    1 reston/configure/ip> route 0.0.0.0 0.0.0.0 10.1.1.5 1 reston/configure/ip> exit > The above route summarizes the customer access subnets. DC configuration: Multilink T1 Router Multilink_T1> configure terminal Multilink_T1/configure> hostname dc1 dc1/configure> ...
  • Page 254: Configure Interface Ethernet 0

    The Ethernet interface must always have an IP address configured, or the interface will not function properly. If IP routing is not required, a dummy IP address must still be configured. ...
  • Page 255: Vlan Forwarding - Packets Are Already Tagged At The Ethernet Interface

    This example would be identical to the VLAN Forwarding example, except that only a single VLAN is supported on the Ethernet. interface ethernet 0 ip address 192.168.0.1 30 vlan vlanid 10 exit exit vlanfwd add vlanid 10 wan ...
  • Page 256: Q Vlan Routing - Packets Are Tagged And Ip Routed Per Vlan

    Each VLAN is fully routed as a subinterface. Note: All interfaces use the same Source MAC. The Ethernet switch used in the example must support Independent VLAN Learning of MAC addresses. ...
  • Page 257: Multinetting (Ip Subinterfaces) Configuration

    - add a dummy IP address on the interface - do not configure the vlan and vlanid on the Ethernet - add each ethernet interface / tag to the vlanfwd list ...
  • Page 258: Independent Vlan Learning (Ivl) Support

    VLAN tags. Packets are then switched on the outermost level of VLAN tags. However, the VLAN for management can only accept single-tagged packets. ...
  • Page 259: Chapter 40: Serial Interface

    (Layer 2). The bundle configuration examples demonstrate linking of physical interfaces (modules) to logical interfaces (bundles). Module configuration occurs within the configure module tree of the Avaya CLI, and bundle configuration occurs within the configure interface bundle tree.
  • Page 260: Hdlc

    (layer two) parameters. Configure a V.35 HDLC bundle Example SR/configure> interface bundle toRouter SR/configure/interface/bundle> link serial 1 SR/configure/interface/bundle> encap hdlc SR/configure/interface/bundle> exit x.21 Serial Configuration The following examples illustrate x.21 bundle configuration: ...
  • Page 261 Begin by adding WAN link(s) to this bundle and selecting encapsulation. SR/configure/interface/bundle MLPPP-B > link serial 1 SR/configure/interface/bundle MLPPP-B > link serial 2 SR/configure/interface/bundle MLPPP-B > encapsulation ppp SR/configure/interface/bundle MLPPP-B > ip address 192.168.100.101 SR> save local SR/configure/interface/bundle MLPPP-B > exit ...
  • Page 262: Troubleshooting The Serial Link

    • Verify port alarm states Use the command "show module alarm serial <slot>/<port>" DTR/DSR alarms cause link outages. • Verify bundle configuration and statistics Use the command "show interface bundle <bundlename>" ...
  • Page 263: Chapter 41: Vlan Forwarding With Qos

    POP. The Ethernet switch passes a VLAN trunk to the Secure Router 1000 Series that forwards traffic, based on the VLAN tags, from this interface to the multilink bundle. At the POP, tagged traffic is forwarded to a VLAN trunk port on the Ethernet switch. Routing between customer VLANs is provided by the POP router using subinterfaces on the Gigabit Ethernet VLAN trunk.
  • Page 264: Virtual Lan Domain

    10 Mb/s. Avaya provides QoS support to limit customer bandwidth using a committed rate and burst rate, ensuring that customers get consistent bandwidth performance as other customers are activated.
  • Page 265: Pop Configuration: Channelized T3 Router

    POP-SR3120/configure/vlanfwd > add vlanid 11-18 bldg1 POP-SR3120/configure/vlanfwd > management POP-SR3120/configure/vlanfwd/management> vlanid 4092 POP-SR3120/configure/vlanfwd/management> disable_ipfwd POP-SR3120/configure/vlanfwd/management> default_route 10.1.1.1 ethernet0 POP-SR3120/configure/vlanfwd/management> exit 2 Configure rate limiting for vlans POP-SR3120/configure> interface bundle bldg1 POP-SR3120/configure/interface bundle bldg1> no ...
  • Page 266: Bldg1 Configuration: Multilink T1 Router

    Configure inband VLAN forwarding table bldg1-SR/configure/interface> vlanfwd bldg1-SR/configure/interface/vlanfwd> add vlanid 4092 ethernet0 bldg1-SR/configure/interface/vlanfwd> add vlanid 4092 uplink bldg1-SR/configure/interface/vlanfwd> add vlanid 11-18 ethernet0 bldg1-SR/configure/interface/vlanfwd> add vlanid 11-18 uplink ...
  • Page 267: Configure Rate Limiting For Vlans

    18 cr 128 br 1024 bldg1-SR/configure/interface/bundle uplink> enable_cbq bldg1-SR/configure/interface/bundle uplink> exit Configure SNMP bldg1-SR/configure> snmp bldg1-SR/configure/snmp> community public ro bldg1-SR/configure/snmp> system_id bldg1-SR bldg1-SR/configure/snmp> trap_host 10.2.1.1 public bldg1-SR/configure/snmp> exit ...
  • Page 268 VLAN Forwarding with QOS ...
  • Page 269: Chapter 42: Wan Interfaces

    The following example configures the operational and descriptive parameters for T1 number 6. Configure T1 Parameters SR/configure> module t1 6 SR/configure/module/t1> circuitId X1234567890 SR/configure/module/t1> contactInfo George_Anderson SR/configure/module/t1> description T1_to_Troy SR/configure/module/t1> framing esf SR/configure/module/t1> linecode b8zs SR/configure/module/t1> clock_source line SR/configure/module/t1> exit ...
  • Page 270: Bundle Configuration

    The following example creates a 1536 Kbps T1 bundle utilizing T1 number 4. This bundle uses IP unnumbered. Configure a T1 PPP Bundle SR/configure> interface bundle demo2 SR/configure/interface/bundle> link t1 4 SR/configure/interface/bundle> encap ppp SR/configure/interface/bundle> ip unnumbered ethernet0 SR/configure/interface/bundle> exit...
  • Page 271: Nxt1

    A PPP bundle with two or more linked T1s uses the multilink protocol by definition. Configure an N x T1 MLPPP Bundle SR/configure> interface bundle demo3 SR/configure/interface/bundle> link t1 6-8 SR/configure/interface/bundle> encap ppp SR/configure/interface/bundle> ip addr 10.1.1.5 255.255.255.252 SR/configure/interface/bundle> exit...
  • Page 272 WAN Interfaces...
  • Page 273: Chapter 43: Backup Interface-Isdn

    & (ML) PPP negotiations are successful, data can be transmitted as on any other interface. Configuring ISDN as a 128Kbps Primary Interface The network topology map shown below is used for this configuration. To configure the ISDN interface as the primary 128Kbps interface:...
  • Page 274 Router1> show isdn interfaces ISDN Information: wan1 -------------------------- caller - answer1 - answer2 - called-number 384010 spid1 3840200001 spid2 - idle-timeout 5 minutes connect-delay 10 seconds keep-alive 10000 ms disconnect-cause 17...
  • Page 275 BRI channel 1 statistics : -------------------------- call not yet established D channel statistics-------------------- Bytes Rx: 3062 Frames Rx: 509 Error Frames Rx: 0 Bytes Tx: 2050 Frames Tx: 510 Fail Tx: 0...
  • Page 276: Isdn As Backup Interface

    • Link-drop feature (e.g., link errors might exceed the configured thresholds) Configuring ISDN as a 64Kbps Backup Interface The network topology map shown below is used for this configuration. To configure the ISDN interface as the primary 128Kbps interface:...
  • Page 277 Note: Spid configuration is optional for most switch types, but not for basic ni. 7. Verify the ISDN interfaces. Router1> show isdn interfaces ISDN Information: wan1 -------------------------- caller - answer1 -...
  • Page 278 Maximum Transfer Unit: 1500 bytes Mac Address: 00:50:52:b2:c8:05 10. Display the ISDN statistics. Router1> show isdn statistics BRI channel 0 statistics : -------------------------- call not yet established BRI channel 1 statistics...
  • Page 279: Isdn Enhancements

    This is a result of changes in the way ISDN is configured. • Only static routing is supported on the ISDN interface. Configuring Unnumbered IP over ISDN BRI Use the following procedure to configure unnumbered IP over ISDN BRI....
  • Page 280 <bundle_name> The bundle name, maximum 8 characters. <delay> The connect delay in seconds, in the range 1 to 60. <encap_type> The encapsulation protocol. Only PPP is supported. <interface> The interface name....
  • Page 281: Multiple Bri Bundles

    When the primary link is restored, the ISDN call is dropped and the traffic passes through the primary link as it did before. Use the following procedure to configure ISDN interface-based backup...
  • Page 282: Time Of Day Scheduling For Isdn

    ISDN call is not initiated. CLI Display The threshold for triggering the 2nd bundle can be configured using the following CLI. Host/configure >time-range <time-range name> NAME time-range - configure time-range SYNTAX time-range timeRangeName <cr>...
  • Page 283 Host/configure/interface/bundle bri/isdn > trigger-schedule ? NAME trigger-schedule - Configure time schedule for ISDN SYNTAX trigger-schedule timeRangeName <cr> DESCRIPTION timeRangeName -- Time Range name for ISDN time scheduling ( enter a word )...
  • Page 284: Filtering Idle Timeout With Isdn

    OSPF -- OSPF VRRP -- VRRP ICMP -- ICMP IGMP -- IGMP PIM -- PIM RIP -- RIP BGP -- BGP Host/configure/interface/bundle bri/isdn/filter > outgoing ? NAME outgoing - Configure outgoing filter...
  • Page 285: Numbering Plan And Type Of Number For Isdn

    <numplan> Specifies the numbering plan. The <numplan> parameter can have any of the following values: • unknown: Unknown plan • isdn: ISDN/Telephony Numbering plan (default) • reserved: Telephony Numbering plan...
  • Page 286 • unknown: Unknown type • international: International type (default) • national: National type • network: Network Specific type • subscriber: Subscriber type • abbreviated: Abbreviated type • reserved: Reserved value 5...
  • Page 287: Chapter 44: Ppp Over Ethernet Client

    • The PPPoE virtual access interface will be automatically configured in the Internet security zone. For transit traffic to flow from the trusted/corp side, the inbound interface needs to be configured as trusted....
  • Page 288: Sample Pppoe Configuration

    1001/configure> interface virtual-access towan2 1001/configure/interface/virtual-access towan2> ip negotiated 1001/configure/interface/virtual-access towan2> protocol pppoe client 1001/configure/interface/virtual-access towan2> pppoe ethernet 1 1001/configure/interface/virtual-access towan2> ppp authentication pap sent-username test password mypass 1001/configure> ip route 10.1.1.0 24 towan2 10...
  • Page 289: Ipsec Over Pppoe Between Two Secure Routers

    0 ip address 20.1.1.2 255.255.255.0 crypto untrusted exit # trusted/corporate n/w interface configuration interface ethernet 1 ip address 10.1.1.1 255.255.255.0 crypto trusted exit # PPPoE Client configuration interface virtual-access test...
  • Page 290: Peer Vpn Gateway Configuration

    10.10.0.0 255.255.0.0 10.1.1.0 255.255.255.0 exit policy exit crypto IPSec over PPPoE between Secure router and Cisco Note: In this example, the Secure Router is configured as a PPPoE client....
  • Page 291 32 exit policy exit crypto firewall global algs exit algs max-connection-limit self 2048 exit firewall firewall internet nterface ethernet0/2 pppoe1 policy 101 in permit self exit policy exit firewall firewall corp...
  • Page 292 0.0.0.0 0.0.0.0 Serial0/0/0:0 ip route 50.1.1.0 255.255.255.0 Serial0/0/0:0 ip http server no ip http secure-server access-list 108 permit ip 30.1.1.0 0.0.0.255 50.1.1.0 0.0.0.255...
  • Page 293: Chapter 45: Configuring Bgp Features

    They need not be directly connected to form a peer relationship. IBGP sessions need to be fully meshed for EBGP routes to be advertised to all peers in the autonomous system. Configuring an IBGP Session between 2 Avaya Secure Routers. CONFIGURATION OF Avaya1: interface bundle ToAvaya2...
  • Page 294: Show Ip Bgp Neighbors

    BgpInternal, which is the default group a neighbor is assigned to in an IBGP session. The connection state in the above output shows ESTABLISHED, which means the two Avaya routers have successfully formed an IBGP connection. Avaya1> show ip bgp summary Avaya2>...
  • Page 295: Configuring An Ibgp Session Between An Avaya Router And A 3Rd Party Router

    Configuring IBGP Sessions Configuring an IBGP Session between an Avaya Router and a 3rd Party Router. CONFIGURATION OF Avaya1: interface bundle To3rdPartyRouter link t1 4 encapsulation ppp ip address 30.30.30.1 255.255.255.0 exit router bgp 100 neighbor 30.30.30.3 100 exit CONFIGURATION OF 3RD PARTY ROUTER: interface Serial3/0 ip address 30.30.30.3 255.255.255.0...
  • Page 296 BgpInternal, which is the default group a neighbor is assigned to in an IBGP session. The connection state in the above output shows ESTABLISHED, which indicates the two Avaya routers have successfully formed an IBGP connection. Avaya1> show ip bgp summary The following 3rd party router output shows an internal link, which means neighbor 30.30.30.1...
  • Page 297: Configuring An Ibgp Multi-Hop Session Between 2 Avaya Secure Routers

    Configuring IBGP Sessions Configuring an IBGP Multi-Hop Session between 2 Avaya Secure Routers CONFIGURATION OF Avaya1: interface bundle ToAvaya2 link t1 4 encapsulation ppp ip address 40.40.40.1 255.255.255.0 exit interface loopback 1 ip address 60.60.60.1 255.255.255.255 exit ip route 60.60.60.2 255.255.255.255 40.40.40.2 1 router bgp 100 neighbor 60.60.60.2 100...
  • Page 298: Configuring An Ibgp Multi-Hop Session Between An Avaya Router And A 3Rd Party Router

    Avaya2/configure/router/bgp 100/neighbor 60.60.60.1 100> update_source 60.60.60.2 Examine the session status now: Avaya1> show ip bgp summary Avaya2> show ip bgp summary Configuring an IBGP Multi-Hop Session between an Avaya Router and a 3rd Party Router CONFIGURATION OF Avaya1 interface bundle To3rdPartyRouter...
  • Page 299: Configuring Ebgp Sessions

    60.60.60.1 update-source loopback 1 exit By adding update-source on Avaya and the 3rdPartyRouter we could establish an IBGP session between Avaya and 3rdPartyRouter. Show ip bgp summary on 3rdPartyRouter shows the State/PrefixRcd as 0, which would otherwise be Idle/Active.
  • Page 300: Configuring An Ebgp Session Between An Avaya Router And A 3Rd Party Router

    Connection state is ESTABLISHED Local host: 40.40.40.1, Local port: 179 Foreign host: 40.40.40.2, Foreign port: 1801 Avaya2> show ip bgp summary Configuring an EBGP Session between an Avaya Router and a 3rd Party Router CONFIGURATION OF Avaya1: interface bundle To3rdPartyRouter...
  • Page 301 BgpExternal, which is the default group a neighbor is assigned to in an EBGP session. The connection state in the above output shows ESTABLISHED, which means the Avaya and 3rdPartyRouter have successfully formed an EBGP connection. The following 3rdPartyRouter output shows an external link, which means neighbor 30.30.30.1 is an EBGP neighbor, and the BGP State shows it as ESTABLISHED.
  • Page 302: Configuring An Ebgp Multi-Hop Session Between An Avaya Router And A 3Rd Party Router

    Connection state is ESTAB, I/O status: 1, unread input bytes: 0 Local host: 30.30.30.3, Local port: 11048 Foreign host: 30.30.30.1, Foreign port: 179 Configuring an EBGP Multi-Hop Session between an Avaya Router and a 3rd Party Router CONFIGURATION OF Avaya1:...
  • Page 303 EBGP Multi-Hop session. The connection state in the above output shows ESTABLISHED, which means the Avaya and 3rdPartyRouter have successfully formed an EBGP connection.
  • Page 304: Configuring An Ebgp Multi-Hop Session Between 2 Avaya Secure Routers

    External BGP neighbor may be up to 255 hops away in the above output means that the remote neighbor is an EBGP-Multi-hop neighbor. EBGP peers over an unnumbered WAN interface need to be configured as EBGP MULTI-HOP only. Configuring an EBGP Multi-Hop Session between 2 Avaya Secure Routers CONFIGURATION OF Avaya1:...
  • Page 305 Maximum prefixes is set to 128000 (warning : 106240) Current number of prefixes from this neighbor is 0 External BGP neighbor may be multi hops away Received 1 messages (0 bytes), 0 notifications, 0...
  • Page 306: Clearing Bgp Sessions

    A BGP session needs to be cleared if there is any policy change or to bring up a peer which is already in the IDLE state. In the Avaya BGP implementation a BGP session can be cleared for a single peer, for all peers in a group together, or for all the peers on that particular unit.
  • Page 307: Configuring Advertising Routes To Bgp

    It runs a PATH calculation algorithm to select the best routes. The Avaya implementation provides different ways of advertising routes to other peers: redistribution of static, connected, OSPF and RIP routes.
  • Page 308: Announcing Connected Routes To Bgp

    100.1.1.0/24 to 3rdPartyRouter through redistribution. View the bgp table of 3rdPartyRouter to check the routes announced by Avaya1. 3rdPartyRouter>show ip bgp Announce the connected interface route 100.1.1.0 on to BGP...
  • Page 309: Announcing Ospf Routes To Bgp

    Avaya1 has an EBGP session with 3rdPartyRouter in ESTABLISHED state. Configure OSPF between Avaya1 and Avaya3 in OSPF area 0. Avaya1/configure> router routerid 100.1.1.3 Avaya1/configure> router ospf Avaya1/configure/router/ospf> int ethernet1 area 0...
  • Page 310 3rdPartyRouter>show ip bgp Pull back the announced route 150.1.1.0/24 Avaya1/config term>router bgp 100 Avaya1/config term/router bgp 100>no redistribute ospf Examine the bgp table of 3rdPartyRouter to see the routes. 3rdPartyRouter>show ip bgp...
  • Page 311: Announcing Rip Routes To Bgp

    View the bgp table of 3rdPartyRouter. 3rdPartyRouter>show ip bgp Announce the RIP learned routes from Avaya3 on to BGP. Avaya1/config term>router bgp 100 Avaya1/config term/router bgp 100>redistribute rip View the bgp table of 3rdPartyRouter now....
  • Page 312: Configuring Bgp Policies

    The policy can be configured to filter in/out routes, change PATH information, route attributes, communities, metric values etc. In Avaya's BGP Implementation the policy can be applied in different ways: • OutBound ROUTE_MAP Policy can only be applied to a Neighbor group. InBound Policy can only be applied to a neighbor directly.
  • Page 313 100 200 ? 18.1.1.0/24 20.1.1.1 20.1.1.1 100 200 ? 18.1.2.0/24 20.1.1.1 20.1.1.1 100 200 ? 18.1.3.0/24 20.1.1.1 20.1.1.1 100 200 ? 18.1.4.0/24 20.1.1.1 20.1.1.1 100 200 ? 18.1.5.0/24 20.1.1.1 20.1.1.1 100 200 ?...
  • Page 314: Route Aggregation

    Avaya1. Note the PATH information for that route: it says 100. Even though the routes 18.1.1.0 to 18.1.7.0 were originally advertised by 3rdPartyRouter, since Avaya1 is aggregating them, the source AS is now 100. Do a summary only on Avaya1. Avaya1/configure/router/bgp 100>aggregate_address 18.1.0.0 255.255.248.0 summary_only...
  • Page 315: Suppress Map

    AS is still 100 in this case. In order to know which AS routes were used to do this aggregation 18.1.0.0/21 specify the keyword as_set, telling Avaya to send the AS_SET information to other peers. Avaya1/configure/router/bgp 100> aggregate_address 18.1.0.0 255.255.248.0 summary_only as_set...
  • Page 316 The above command would apply a route-map on the more specific routes and permit what matches the ip access list 1. Then the routes that were permitted by the route map are...
  • Page 317: Attribute Map

    Orig Next Hop Next Hop Metric LocPrf Path 18.1.1.0/24 20.1.1.1 20.1.1.1 100 200 ? 18.1.2.0/24 20.1.1.1 20.1.1.1 100 200 ? 18.1.3.0/24 20.1.1.1 20.1.1.1 100 200 ? 18.1.4.0/24 20.1.1.1 20.1.1.1 100 i...
  • Page 318 100 200 ? 18.1.0.0/21 20.1.1.1 20.1.1.1 100 i 18.1.5.0/24 20.1.1.1 20.1.1.1 100 200 ? 18.1.6.0/24 20.1.1.1 20.1.1.1 100 200 ? 18.1.7.0/24 20.1.1.1 20.1.1.1 100 200 ? Avaya2 has received the aggregate address 18.1.0.0/21....
  • Page 319: Route Map

    Avaya2> show ip bgp community aa_nn 0:100 Avaya2> show ip bgp community number 100 The above output shows that 18.1.0.0/21 has a community value of 100 set to it. Avaya has two ways of displaying the communities. Either by just giving a community number value or in a x:x notation like 0:100.
  • Page 320 Avaya2 has not received any routes from Avaya1. The route map that we applied on Avaya1 should have filtered 18.1.1.0, 18.1.2.0 and 18.1.3.0. By default an implicit deny all gets added to the route_map....
  • Page 321 BGP route table, local router ID is 100.1.1.3 Status codes: * valid, > best, i - internal Origin codes: i - IGP, e - EGP, ? - incomplete Network Orig Next Hop Next Hop Metric LocPrf Path 18.1.0.0/21 20.1.1.1 20.1.1.1 100 i...
  • Page 322 BGP route table, local router ID is 100.1.1.3 Status codes: * valid, > best, i - internal Origin codes: i - IGP, e - EGP, ? - incomplete Network Orig Next Hop Next Hop Metric LocPrf Path 18.1.0.0/21 20.1.1.1 20.1.1.1 100 i...
  • Page 323: Community List Filters

    Avaya1> show ip bgp community number 13107300 BGP route table, local router ID is 30.30.30.1 Status codes: * valid, > best, i - internal Origin codes: i - IGP, e - EGP, ? - incomplete...
  • Page 324 Origin codes: i - IGP, e - EGP, ? - incomplete Network Next Hop Metric LocPrf Path 18.1.1.0/24 30.30.30.3 200 ? 18.1.5.0/24 30.30.30.3 200 ? 18.1.6.0/24 30.30.30.3 200 ? 18.1.7.0/24 30.30.30.3 200 ?...
  • Page 325 Origin codes: i - IGP, e - EGP, ? - incomplete Network Next Hop Metric LocPrf Path 15.1.2.0/24 30.30.30.3 200 ? 15.1.3.0/24 30.30.30.3 200 ? 18.1.1.0/24 30.30.30.3 200 ? 18.1.5.0/24 30.30.30.3 200 ? 18.1.6.0/24 30.30.30.3 200 ?...
  • Page 326: Distribute Lists

    BGP route table, local router ID is 30.30.30.1 Status codes: * valid, > best, i - internal Origin codes: i - IGP, e - EGP, ? - incomplete Network Next Hop Metric LocPrf Path 15.1.2.0/24 30.30.30.3 200 ? 15.1.3.0/24 30.30.30.3 200 ? 18.1.1.0/24 30.30.30.3 200 ?...
  • Page 327 200> Avaya1> show ip bgp table BGP route table, local router ID is 30.30.30.1 Status codes: * valid, > best, i - internal Origin codes: i - IGP, e - EGP, ? - incomplete...
  • Page 328 30.30.30.3 200 ? Policies applied on Avaya are dynamic; the user does not have to clear the BGP session for them to take effect. All the policies from Avaya1 and Avaya2 are removed. Avaya2 gets all the routes received from 3rdPartyRouter through Avaya1.
  • Page 329: Filter Lists

    A filter-list can be directly applied either to a neighbor INBOUND or a group OUTBOUND. Avaya2 has the following routes received from Avaya1. Avaya2> show ip bgp table...
  • Page 330: Configuring Peer Groups

    Avaya2> show ip bgp table Configuring Peer Groups Peer Groups are used in Avaya to apply common policies to a set of neighbors. OUTBOUND policies can only be applied to peer groups. INBOUND policies are neighbor based. In the Avaya BGP implementation the policy can be applied in different ways. Avaya supports 3 types of Peer Groups.
  • Page 331 Configuring Peer Groups By default Avaya assigns a particular neighbor in to one of the following 3 neighbor groups depending on their type: • IBGP Neighbor > BgpInternal • EBGP Neighbor > BgpExternal • EBGP Multi-Hop Neighbor > BgpExternal_Rt Other than the above 3 default groups, a user can also create user-defined groups and assign neighbors to it.
  • Page 332

    If any of the above parameters needs to be set for all or a set of neighbors, then it makes sense to put those policies under a group and assign those neighbors to that group. Applying OUTBOUND policies to a group gives better performance than applying them per peer....
  • Page 333: Chapter 46: Route Tags For Route Redistribution

    The following output shows the route_map command tree from which you can configure the match tag and set tag commands. configure/policy/route_map rmap1 10 > match ? as_path community source-protocol configure/policy/route_map rmap1 10 > set ? as_path community distance local_preference metric metric_type origin...
  • Page 334 Route tags for route redistribution...
  • Page 335: Chapter 47: Configuring Packet Capture

    PCAP is primarily a debug tool and should be used only in this fashion as it can generate a substantial amount of output and can use a substantial amount of system resources. Example Configuring Packet Capture SR/debug/pcap> capture cap1 SR/debug/pcap/capture cap1> attach ethernet 0 SR/debug/pcap/capture cap1> count 1000...
  • Page 336 Number of outbound packets captured : 0 Actual capture size : 14896 bytes IP Packet Filter Statistics =========================== Inbound Packets : Matched 135 Unmatched 0 Outbound Packets : Matched 0 Unmatched 0...
  • Page 337: Statistics For Dropped Packets Support

    • VLAN packets dropped due to QoS (classification errors, queuing errors) • VLAN packets dropped due to RED • VLAN Input/Output interface • VLAN errors such as unrecognized VLAN id, multiple dot1q encapsulations in the packet, • Internal (system) errors...
  • Page 338: Packet Capture Of Vlan Packet With Filter Rules

    This parameter applies to the outer VLAN tag. [<vlan>] Specifies the VLAN ID. This parameter applies to the outer VLAN tag. [<vlan2>] Specifies the inner VLAN ID for a double tagged frame....
  • Page 339 Maximum number of sessions allowed : 5 capture configuration session interface: buffer size total pkts name : committed : active : (Kb) : captured : ================================================================================ vlan10 yes no ethernet0/1 1024 0...
  • Page 340 Bytes Rx 5463 Bytes Tx 4521 Packets Rx 64 Packets Tx 64 Runts Rx 0 Collisions 0 Babbels Rx 0 Late Collisions 0 Err Packets Rx 0 Up/Down States (Phys) 0 Up/Down States (Admin) 0...
  • Page 341: Chapter 48: Secure Router Configuration For Dynamic Route Exchange Over Ipsec Tunnel Interoperability With Vpn Router

    0 ip address 10.10.10.1 24 crypto trusted exit interface ethernet 1 ip address 192.168.26.100 24 crypto untrusted exit interface tunnel toCes ip address 100.1.1.1 24 tunnel source 192.168.26.100 tunnel destination 192.168.27.100...
  • Page 342: Secure Router Configuration For Ospf

    Ip unnumbered ethernet1 ip mtu 1500 tunnel source 192.168.26.100 tunnel destination 192.168.27.100 tunnel mode ipip tunnel protection toCes Avaya crypto untrusted exit router ospf interface toCes area 0 exit...
  • Page 343: Secure Router Configuration For Ripv2

    192.168.27.0 24 192.168.26.101 router routerid 192.168.26.100 router rip interface toCes mode 2 exit firewall corp policy 101 in exit exit firewall internet policy 100 in self exit exit...
  • Page 344 Secure Router Configuration for Dynamic Route Exchange over IPSec Tunnel interoperability with VPN Router...
  • Page 345: Chapter 49: Management Configuration Guide

    • Be notified when a link comes up (ntSRlinkUpTrap) ntEnterpriseDataTasmanMgmtchassis.mib Use chassis.mib to manage the platform. ntEnterpriseDataTasmanMgmtconfig.mib Use config.mib to manage configuration data on the router, in memory, or on the network....
  • Page 346 (ntSRenvPowerSupply1UpNotification, ntSRenvPowerSupply2UpNotification). ntEnterpriseDataTasmanMgmtdsx-te3.mib This MIB manages T3/E3 interfaces. Use this MIB to • Be notified when an alarm is generated (ntSRdsxT3E3AlarmOnTrap) • Be notified when an alarm is turned off (ntSRdsxT3E3AlarmOffTrap)...
  • Page 347 This MIB does not contain any traps. nortel.mib This MIB manages internal MIB processes. It must be compiled before any other MIBs are compiled. This does not contain any traps....
  • Page 348 This MIB manages serial (v.35 type) interfaces. Use this MIB to: • Be notified when a serial interface alarm is on (ntSRserialIfAlarmOnTrap). • Be notified when a serial interface alarm is turned off (ntSRserialIfAlarmOffTrap)....
  • Page 349: Standard Mibs

    MIB objects for DS3 interface. This MIB does not contain any traps. rfc1643.mib MIB objects for Ethernet-like interface. This MIB does not contain any traps. rfc1657.mib This MIB manages specified BGP parameters. This MIB does not contain any traps....
  • Page 350: Snmp Applications Supported

    These SNMP v1 and v2 MIBs can be compiled and used with many popular SNMP managers including, but not limited to: • HP Openview • MRTG • SNMPvC • NetID • NetCool...