Nortel SMC 2450 Command Reference Manual

Nortel SMC 2450 Multimedia Controller: Command Reference guide
Secure Multimedia Controller

Command Reference

Document Number: NN10300-091
Document Release: Standard 1.00
Date: May 2006
Copyright © 2006 Nortel Networks. All rights reserved.
Produced in Canada
The information in this document is subject to change without notice. The statements, configurations, technical data, and recommendations in this document are believed to be accurate and reliable, but are presented without express or implied warranty. Users must take full responsibility for their applications of any products specified in this document. The information in this document is proprietary to Nortel Networks.
Nortel, Nortel (Logo), the Globemark, SL-1, Meridian 1, and Succession are trademarks of Nortel Networks.


Summary of Contents for Nortel SMC 2450

  • Page 1: Command Reference
  • Page 3: Revision History

    Revision history May 2006 Standard 1.00. This document is a new NTP. It was created to support the Secure Multimedia Controller 2450. ...
  • Page 5: Table Of Contents

    How to get help; Getting help from the Nortel web site ...
  • Page 6 Configuration menu; System menu; Date and Time menu ...
  • Page 7 IP reassembly; Appendix B: Firewall limits (page 125) ...
  • Page 9: About This Document

    About this document This document is a global document. Contact your system supplier or your Nortel representative to verify that the hardware and software described are supported in your area. Subject This document describes Secure Multimedia Controller (SMC) 2450 system architecture, software and hardware requirements, components, and network connections.
  • Page 10: Intended Audience

    • Communication Server 1000E: Upgrade Procedures (553-3041-258) Intended audience This document is intended for individuals responsible for installation, configuration, administration, and maintenance of the SMC 2450. Conventions Terminology In this document, the following systems are referred to generically as system: •...
  • Page 11: Related Information

    Secure Multimedia Controller: Implementation guide (553-3001-225) • Secure Multimedia Controller: Planning and engineering guide (NN42320-200) Online To access Nortel documentation online, click the Technical Documentation link under Support & Training on the Nortel home page: www.nortel.com ...
  • Page 12 About this document CD-ROM To obtain Nortel documentation on CD-ROM, contact your Nortel customer representative. ...
  • Page 13: How To Get Help

    How to get help This chapter explains how to get help for Nortel products and services. Getting help from the Nortel web site The best way to get technical support for Nortel products is from the Nortel Technical Support web site: www.nortel.com/support This site provides quick access to software, documentation, bulletins, and tools to address issues with Nortel products.
  • Page 14: Getting Help From A Specialist By Using An Express Routing Code

    To access some Nortel Technical Solutions Centers, you can use an Express Routing Code (ERC) to quickly route your call to a specialist in your Nortel product or service. To locate the ERC for your product or service, go to: www.nortel.com/erc...
  • Page 15: Main Menu

    Main menu After you complete the initial Secure Multimedia Controller (SMC) system setup and perform a successful connection and logon, the Main menu of the command line interface (CLI) appears. For more information about the CLI and how to use it, see Secure Multimedia Controller: Implementation guide (553-3001-225).
  • Page 16 Table 1 Main menu commands Command Description diff Displays the pending configuration changes. Only pending changes made during your current administrator session are included. Pending changes made by other CLI or browser-based interface (BBI) administrator sessions are not included. validate Validates pending configuration changes made during your current administration session.
  • Page 17 Cancels all pending configuration changes made during your current administration session. The revert command does not affect: • applied changes • pending changes made by other CLI or BBI sessions ...
  • Page 18 Table 1 Main menu commands Command Description paste [<global key import password>] Restores a saved configuration dump file that includes encrypted private keys. When you create a configuration dump using the Dump command, you create a password to decrypt the private keys. When you enter the Paste command, you are prompted to supply the password.
  • Page 19: Information Menu

    Displays runtime information for all SMCs in the cluster. The runtime information includes: • CPU usage • hard disk usage • status of important applications such as Web server, SNMP, and Internet server • secure UNIStim proxy and firewall information ...
  • Page 20 Table 2 Information menu (/info) Command Description host Displays runtime information for the specified SMC host. The runtime information includes: • CPU usage • hard disk usage • status of important applications such as Web server, SNMP, and Internet server •...
  • Page 21 Description about Displays system information such as the product type and version of the running build. alarms Lists the alarms generated in the system. dump Displays the current configuration information available in the Information menu. ...
  • Page 22: Info_Host Menu

    Info_host menu The Info_host menu (/info/host) provides configuration, status, and statistics information about the host runtime, link, Ethernet, and syslog parameters. Table 3 identifies and describes the Info_host menu commands. Table 3 Info_host menu (/info/host) Command Description status Displays the runtime and application status for the specified host. <Host number>...
  • Page 23: Information_Net Menu

    The Route Information menu (/info/net/route) provides access to information about static routes. Table 5 identifies and describes the Route Information menu commands. Table 5 Route Information menu (/info/net/route) Command Description static Displays all static routes configured on the system. ...
  • Page 24: Vrrp Information Menu

    VRRP Information menu The VRRP Information menu (/info/net/vrrp) provides access to information about the status and configuration of VRRP. Table 6 identifies and describes the VRRP Information menu commands. Table 6 VRRP Information menu (/info/net/vrrp) Command Description status Displays the status for the VRRP Virtual Router ID (vrid). Displays the VRRP settings such as high availability (HA), VRRP advertisement interval, gratuitous ARP (GARP) delay interval, GARP broadcast interval, Advanced Failover Check (AFC), and Preferred Master...
  • Page 25: Administration Information Menu

    Displays the current SSH configuration settings: enabled or disabled. Displays the current BBI configuration settings such as status (enabled or disabled), service port number for HTTP and HTTPS, and certificate information for Secure Sockets Layer (SSL). ...
  • Page 26: Statistics Information Menu

    Statistics Information menu The Statistics Information menu (/info/stats) provides access to information about SMC statistics. Table 8 identifies and describes the Statistics Information menu commands. Table 8 Statistics Information menu (/info/stats) Command Description fwattack Displays historical statistics for approximately 130 firewall attacks against which the SMC provides protection.
  • Page 27 UsecProxy — number of clients that come in as secure but have an invalid fingerprint of the SMC Public Key — Number of clients that are deleted as a result of too many server retransmissions ...
  • Page 29: Configuration Menu

    SMC. For menu items, see “Network Configuration menu” on page Displays the Multimedia Security menu, which you can use to configure multimedia security on the SMC. For menu items, see “Multimedia Security menu” on page ...
  • Page 30 Table 9 Configuration menu (/cfg) Command ptcfg <SCP/SFTP/TFTP/FTP server> <server host name/IP address> <file name> Description Saves the current configuration, including private keys and certificates, to a file on the selected server. The information is saved in a plain-text file, and you can later restore the configuration by using the gtcfg command.
  • Page 31 The password phrase enables encryption. When restoring a configuration that includes secret information, use the global Paste command. Before pasting the configuration, you are prompted to reenter the password phrase. ...
  • Page 32: System Menu

    System menu Using the System menu (/cfg/sys), you can configure system-wide parameters. Table 10 identifies and describes the System menu commands. Table 10 System menu (/cfg/sys) Command Description time Configures the date, time, time zone, and Network Time Protocol (NTP). For menu items, see “Date and Time menu” on Changes Domain Name System (DNS) parameters.
  • Page 33: Date And Time Menu

    > time <HH:MM:SS> Sets the system time using a 24-hour clock format. Nortel recommends that you reboot the SMC after entering a time change that is greater than 1 minute. tzone Sets the system time zone. When entered without a parameter, you are prompted to select your time zone from a list of continents/oceans, countries, and regions.
  • Page 34 NTP menu Using the NTP menu (/cfg/sys/time/ntp), you can add or delete Network Time Protocol (NTP) servers that synchronize system time. Table 12 identifies and describes the NTP menu commands. Table 12 NTP menu (/cfg/sys/time/ntp) Command list del <index number> <NTP server IP address>...
  • Page 35: Dns Servers Menu

    Adds a new DNS server to the list at the specified index position. All existing items at the specified index number and higher are incremented by one position. Removes the DNS server from the specified index number and inserts it at the specified index number. ...
  • Page 36: Cluster Menu

    Cluster menu Using the Cluster menu (/cfg/sys/cluster), you can configure the SMC host IP address and cluster Management IP (MIP) address. Table 14 identifies and describes the Cluster menu commands. Table 14 Cluster menu (/cfg/sys/cluster) Command <Management IP address> host <cluster host number>...
  • Page 37 SMC in the cluster. Note 1: The license restriction applies only to secure UNIStim users. Note 2: Type cur within the Cluster Host screen to see the current license for the SMC. ...
  • Page 38 To increase the number of secure UNIStim users in an SMC cluster, you need to access the MAC address of each SMC device using this command and send the MAC address back to Nortel for license generation. hwplatform Displays the hardware platform model number.
  • Page 39: Access List Menu

    There is only one access list, which applies to all remote management features. By default, the management network is added to the access list. ...
  • Page 40 Requests for remote management access from any client whose IP address is not on the access list are dropped. You can ping the SMC host from an IP address not listed in the access list. When you add a client IP address to the access list, that client can access all enabled remote management features.
  • Page 41: Administrative Applications Menu

    For menu items, see “SSH Administration menu” on page You need to add an entry into the access list for the client before it can administer the SMC through SSH. See “Access List menu” on page ...
  • Page 42 Table 17 Administrative Application menu (/cfg/sys/adm) Command snmp audit auth Telnet Administration menu Using the Telnet Administration menu (/cfg/sys/adm/telnet), you can enable or disable remote Telnet access to the SMC CLI. By default, Telnet access is disabled. Note: Telnet is not a secure protocol. All data (including the password) between a Telnet client and the SMC is unencrypted and unauthenticated.
  • Page 43 The SMC uses iptables to implement access control to its management interfaces (SSH, Telnet, HTTP, and HTTPS). Iptables inspect packets above SMC-1 in the TCP/IP stack. The SMC can limit external access to internal system management software that uses sockets to communicate. ...
  • Page 44 Table 19 identifies and describes the SSH Administration menu commands. Table 19 SSH Administration menu (/cfg/sys/adm/ssh) Command sshkeys SSH Host Keys menu Using the SSH Host Keys menu (/cfg/sys/adm/ssh/sshkeys), you can generate and manage SSH host keys. Table 20 identifies and describes the SSH Administration menu commands. Table 20 SSH Administration menu (/cfg/sys/adm/ssh/sshkeys) Command...
  • Page 45 Configures BBI access using HTTP (non-secure). For menu items, see “HTTP Configuration menu” on Configures BBI access using HTTPS with Secure Sockets Layer (SSL). For security reasons, Nortel recommends that you use SSL with the BBI. For menu items, see “SSL Configuration menu” on page...
  • Page 46 BBI access using HTTPS. HTTPS uses Secure Sockets Layer (SSL) to provide server host authentication, encryption of management messages, and encryption of passwords for user authentication. For security reasons, Nortel recommends that you use SSL with the BBI. By default, SSL is disabled. ...
  • Page 47 Enables or disables SSL Version 2. sslv3 y | n Enables or disables SSL Version 3. certs Configures server certificates and external Certificate Authority certificates required for SSL. See “Certificate Management menu” on page 48 for menu items. ...
  • Page 48 Certificate Management menu Using the Certificate Management menu (/cfg/sys/adm/web/ssl/certs), you can add or remove server certificates and external Certificate Authority (CA) certificates required for SSL. Table 25 identifies and describes the Certificate Management menu commands. Table 25 Certificate Management menu (/cfg/sys/adm/web/ssl/certs) Command serv ...
  • Page 49 Adds a signed server certificate. After you enter this command, the system expects you to paste the PEM certificate into the CLI. When you finish pasting the certificate, add three periods (...) and press <Enter> to return to the CLI. ...
  • Page 50 CA Certificate Management menu Using the CA Certificate Management menu (/cfg/sys/adm/web/ssl/certs/ca), you can administer SSL external CA certificates. Table 27 identifies and describes the CA Certificate Management menu commands. Table 27 CA Certificate Management menu (/cfg/sys/adm/web/ssl/certs/ca) Command Description list Lists all configured CA certificates. Removes a CA certificate from the configuration.
  • Page 51 | n Enables or disables the automatic delivery of alarm messages to the SNMP trap hosts. Alarm messages indicate serious conditions that can require administrative action. ...
  • Page 52 Table 28 SNMP Administration menu (/cfg/sys/adm/snmp) Command Description rcomm Displays the current read community value. You can change the value. There is no restriction on the input string. The default read community value is Public. users Displays the SNMP Users menu, which you can use to list, add, and remove USM users.
  • Page 53 SNMP get requests, receive enabled trap event and alarm messages, or both. the user must enter for access. selected on the SNMP Administration menu (/cfg/sys/adm/snmp), you can encode SNMP traffic between the user and the SMC using the encryption string. ...
  • Page 54 Trap Hosts menu Using the Trap Hosts menu (/cfg/sys/adm/snmp/hosts), you can add, remove, or list hosts that receive SNMP event or alarm messages from the SMC cluster. Table 30 identifies and describes the Trap Hosts menu commands. Table 30 Trap Hosts menu (/cfg/sys/adm/snmp/hosts) Command list del <index number>...
  • Page 55 64 characters. Configures the name for the system. The name can have a maximum of 64 characters. Configures the name of the system location. The location can have a maximum of 64 characters. ...
  • Page 56 Advanced SNMP Settings menu Using the Advanced SNMP Settings menu (/cfg/sys/adm/snmp/adv), you can configure advanced SNMP options. Table 32 identifies and describes the Advanced SNMP Settings menu commands. Table 32 Advanced SNMP Settings menu Command Description trapsrcip Configures the source IP address for SNMP traps generated from the auto | unique | mip SMC: •...
  • Page 57 Note 3: To find audit entries in the RADIUS server log, define a suitable string in the RADIUS server dictionary (for example, Nortel-SMC-Audit-Trail) and map this string to the vendor type value. Note 4: If your RADIUS system uses another number for vendor...
  • Page 58 Table 33 Audit menu (/cfg/sys/adm/audit) Command RADIUS Audit Servers menu Using the RADIUS Audit Servers menu (/cfg/sys/adm/audit/servers), you can add, modify, and delete information about RADIUS audit servers. Table 34 identifies and describes the Radius Audit Servers menu commands. Table 34 Radius Audit Servers menu (/cfg/sys/adm/audit/servers) Command list...
  • Page 59 RADIUS server password. Moves a RADIUS audit server up or down in the list of configured servers. To view all servers currently added to the configuration, use the List command. ...
  • Page 60: Platform Logging Menu

    Table 36 identifies and describes the Radius Authentication Servers menu commands. Table 36 Radius Authentication Servers menu (/cfg/sys/adm/auth/servers) Command list add <IP address> <TCP port number> <shared secret> insert <index number to insert at> <IP address of RADIUS authentication server to add> move <index number to move>...
  • Page 61 Too many firewall logs can affect SMC performance. Nortel recommends you update the firewall log configuration to prevent this degradation in performance. For more information, see Secure Multimedia Controller: Planning and engineering (NN42320-200).
  • Page 62 Command Description debug y | n Enables or disables specialized debugging log messages. By default, this setting is disabled. Enable it only as directed by Nortel technical support. sourceip Specifies the source IP address for logs generated from the SMC.
  • Page 63 Adds a new firewall log to the list at the specified index position. All existing items at the specified index number and higher are incremented by one position. Removes the firewall log from the specified index number and inserts it at the specified index number. ...
  • Page 64 Firewall Log menu Using the Firewall Log menu (cfg/sys/log/firewall), you can remotely send firewall logs to an external system log server using the standard remote syslog port. Table 39 identifies and describes the Firewall Log menu commands. Table 39 Firewall Log menu Command addr Log Archiving menu...
  • Page 65 For menu items, see “Firewall Log menu” on page Displays the UNIStim Log menu, which you can use to configure UNIStim log parameters. For menu items, see “UNIStim Log menu” on page ...
  • Page 66 System Log menu Using the System Log menu (/cfg/sys/log/arch/syslog), you can configure system log parameters. The system logs contain information and errors generated during standard system operation. Table 41 identifies and describes the System Log menu commands. Table 41 System Log menu Command email <e-mail address>...
  • Page 67 Specifies the time interval for log rotation. The interval is specified in number of days and number of hours. Specifies the maximum size a log file can reach before triggering rotation. The size is specified in kilobytes. ...
  • Page 68: User Menu

    Table 43 identifies and describes the UNIStim Log menu commands. Table 43 UNIStim Log menu Command email <e-mail address> smtp <SMTP server IP address> int <days> <hours> size <max size (kb)> User menu Using the User menu (/cfg/sys/user), you can add, modify, delete, or list SMC user accounts, and change passwords.
  • Page 69 For menu items, see “User Edit menu” on Displays the SSH User menu, which provides options for administering SSH user access. For menu items, see “SSH User Admin menu” on page ...
  • Page 70 User Edit menu Using the User Edit menu (/cfg/sys/user/edit <user name>), you can change passwords and assign group privileges for the user account specified by the user name. Table 45 identifies and describes the User Edit menu commands. Table 45 User Edit menu (/cfg/sys/user/edit) Command password <admin password>...
  • Page 71 Enables the SSH account for the specified user name. Disables the SSH account for the specified user name. Deletes the SSH account. Groups menu Using the Groups menu (/cfg/sys/user/edit <user name>/groups), you can list, delete, or add groups. ...
  • Page 72: Network Configuration Menu

    Table 47 identifies and describes the Groups menu commands. Table 47 Groups menu (/cfg/sys/user/edit/groups) Command list del <Index number of entry to delete> add <Index number of entry to add> Network Configuration menu Using the Network Configuration menu (/cfg/net), you can configure ports, gateways, (PARP) Table 48 identifies and describes the Network Configuration menu...
  • Page 73 ARP (PARP) list or enable PARP support in the SMC. For menu items, see “Proxy ARP menu” on Note: Use this command for testing the SMC in a lab environment; not in production. ...
  • Page 74: Port Menu

    Port menu Using the Port menu (/cfg/net/port <port_name>), you can configure the port characteristics for a specified port. Table 49 identifies and describes the Port menu commands. Table 49 Port menu (/cfg/net/port) Command autoneg on | off speed <port speed> mode full | half Interface menu Using the Interface menu (/cfg/net/if), you can configure IP address interfaces...
  • Page 75 HA. VRRP ensures that if the active SMC host fails, the redundant SMC host takes over. In an HA configuration, configure each participating IP address interface separately for VRRP. For menu items, see “VRRP Interface menu” on page ...
  • Page 76 Table 50 Interface menu (/cfg/net/if) Command mgmt VRRP Interface menu Using the VRRP Interface menu (/cfg/net/if <interface number>/vrrp), you can configure redundant interfaces when two SMCs are present in a cluster. VRRP ensures that if the active host fails, the backup host takes over. The SMC interfaces (ip1 and ip2) form a virtual router.
  • Page 77: Routes Menu

    IP address and mask. Adds a new static route at a specific position (index number) in the index. Moves a static route from one position in the index to another. ...
  • Page 78 parameter values. Both SMC hosts in the cluster must have the same configuration. Table 53 identifies and describes the VRRP Settings menu commands. Table 53 VRRP Settings menu (/cfg/net/vrrp) Command Description ha y | n Enables or disables HA. Two hosts must be previously installed and configured before you can enable HA.
  • Page 79: Proxy Arp Menu

    Use Proxy ARP for testing the SMC in lab environments when IP address allocation is an issue. Do not use Proxy ARP in production; instead each interface should exist on its own subnet. IMPORTANT! ...
  • Page 80 Table 54 identifies and describes the Proxy ARP menu commands. Table 54 Proxy ARP menu (/cfg/net/parp) Command Description enable y | n Enables or disables Proxy ARP for the cluster. Proxy ARP is disabled by default. iface Specifies the interface to proxy ARP messages for a subnet on a different interface.
  • Page 81: Multimedia Security Menu

    You can consolidate frequently used services into a single service specification and then use it repeatedly in firewall rules. For menu items, see “Service menu” on page 100. ...
  • Page 82 Table 55 Multimedia Security menu (/cfg/smc) Command Description flow Displays the Flow Control menu, which you can use to specify the different flow parameters for SMC firewall rules. For menu items, see “Flow Control menu” on addzone Initiates the Addzone Wizard, which guides you through the steps to add a new security zone to the system.
  • Page 83: Security Zone Menu

    For example, if a packet matches two rules in the system, and the rule with the lower number allows the packet, and the rule with the higher number denies the packet, the packet is allowed. ...
  • Page 84 Table 56 identifies and describes the Security Zone menu commands. Table 56 Security Zone menu (/cfg/smc/) Command Description irule [rule_number] Displays the Inbound Access menu for the specified rule. For menu items, see “Inbound Access menu” on orule [rule_number] Displays the Outbound Access menu for the specified rule. For menu items, see “Outbound Access”...
  • Page 85: Inbound Access Menu

    Displays the Flow Control menu, which you can use to specify flow control for the specified rule. The flow control applies only to this individual rule and the traffic that maps to it. For menu items, see “Flow Control menu” on page ...
  • Page 86: Flow Control Menu

    CLI or BBI. The SMC firewall logs follow Webtrends Extended Log Format (WELF). The location of the log file is /logs/firewall.log. Note: Too many firewall logs can affect SMC performance. Nortel recommends you update the firewall log configuration to prevent this degradation in performance.
  • Page 87: Outbound Access

    Specifies the destination network for the traffic. service Details the protocol (TCP, UDP, ICMP) and ports for the traffic that matches this rule. If the service value is an asterisk (*), all types of traffic match this rule. ...
  • Page 88 Enables rule logging. The location of the log file is /logs/firewall.log. Note: Too many firewall logs can affect SMC performance. Nortel recommends you update the firewall log configuration to prevent this degradation in performance. For more information, see Secure Multimedia Controller: Planning and engineering (NN42320-200).
  • Page 89: Smc Settings Menu

    /logs/firewall.log. For menu items, see “Message Logging menu” on Note: Too many firewall logs can affect SMC performance. Nortel recommends you update the firewall log configuration to prevent this degradation in performance. For more information, see Secure Multimedia Controller: Planning and engineering (NN42320-200).
  • Page 90 SMC across all zones is 700 000. Traffic flowing between zones is counted as a concurrent connection within the intranet zone, so Nortel recommends that the zone have the highest maxconn value. The default value is 100000.
  • Page 91 Firewall logs can become quite large in high-traffic environments, slowing down the SMC and filling up disk space. Nortel recommends that you modify the firewall logging configuration appropriately if the log files are filling up too quickly.
  • Page 92 Enables verbose generation of log messages. By default, this parameter is disabled. Note: Too many firewall logs can affect SMC performance. Nortel recommends you update the firewall log configuration to prevent this degradation in performance. For more information, see Secure Multimedia Controller: Planning and engineering (NN42320-200).
  • Page 93 IP packets. ipopt Enables and disables logging of messages that are generated when attacks based on IP options occur. access Enables and disables logging of messages that are generated when a policy is accessed. ...
  • Page 94 Thresholds menu Using the Threshold menu (/cfg/smc/settings/log/threshold), you can set the message threshold to limit the number of repetitive messages sent to the remote firewall log server (/cfg/sys/log/firewall). Messages are repetitive if more than one message contains the same message ID, protocol, source IP address, destination IP address, source port, and destination port.
  • Page 95 Specifies the total message count allowed over the time period specified in the Period command. Note: Messages are counted; packets or bytes are not counted. period Specifies the time period over which messages are allowed. ...
  • Page 96 ALG menu Using the ALG menu (/cfg/smc/settings/alg), you can enable or disable application layer gateway support for a variety of protocols. Without ALG support, some of these protocols are unable to traverse the SMC. Table 65 identifies and describes the ALG menu commands. Table 65 ALG menu Command...
  • Page 97 Custom Timeout menu Command Description name Specifies a custom timeout name. proto Specifies the allowed protocol. port Specifies the service port number. timeout Specifies the service timeout in terms of seconds. delete Removes the custom timeout. ...
  • Page 98 Port Bypass menu Using the Port Bypass menu (/cfg/smc/settings/portbypass), you can identify a specific set of TCP ports for which you want the SMC’s stateful processing to bypass. You can add, modify, and delete the IP addresses for the TCP ports you want to bypass.
  • Page 99 You can configure up to a maximum of eight multicast groups along with their source and destination network. Table 70 identifies and describes the Multicast Bypass menu commands. Table 70 Multicast Bypass menu Command Description enable Enables the Multicast Bypass feature. ...
  • Page 100: Unistim Security Menu

    Table 70 Multicast Bypass menu Command Description disable Disables the Multicast Bypass feature. mcastlist Displays the Multicast List menu, which you can use to add, modify, or delete multicast group info to the mcastlist to bypass. For menu commands, see “Multicast List menu” on Multicast List menu Using the Multicast menu (/cfg/smc/settings/multicast/mcastlist), you can add, modify, and delete multicast groups, source network, and destination...
  • Page 101 For menu items, see “Keys menu”. Displays the Advanced menu, which you can use to apply advanced UNIStim features. See “Advanced menu”. Enables secure UNIStim. Disables secure UNIStim.
  • Page 102 Client menu Using the Client menu (/cfg/smc/unistim/client), you can segment clients and apply different policies to different clients as defined by the subnets. Table 73 identifies and describes the Client menu commands. Table 73 Client menu Command Description policy Displays the Policy menu. For menu items, see “Policy menu”. rule Displays the Rules menu.
  • Page 103 UNIStim server using a non-secure session, this parameter determines whether the SMC can upgrade the session to secure UNIStim. In some cases, a non-secure connection is not a problem; however, Nortel strongly recommends that you upgrade the policy to a secure session.
  • Page 104 Specifies the server type used for matching IP phone firmware. Currently, the choices are cs1k and mcs. For SMC 1.0, Nortel recommends that you use the default of cs1k because mcs does not officially support Secure UNIStim phone images.
  • Page 105 You can define how often the master and session keys are renewed during communication. Because UNIStim sessions can last for days or weeks, Nortel recommends that the session keys change every day for each connection and that the master keys update every few days.
  • Page 106 Table 77 identifies and describes the Rules menu commands. Table 77 Rules menu Command Description network Specifies the network to which this rule applies. policy Specifies the policy for these clients. Removes the client rule. Keys menu Using the Keys menu (cfg/smc/unistim/keys/), you can configure key handling and manipulation functionality.
  • Page 107 UNIStim phone if the primary keys on the SMC change. The current fingerprint on the IP phones must match the secondary key to enable the Auto command. Otherwise, you must manually enter the fingerprint on each IP phone.
  • Page 108 Apply the new key before you save it to disk and activate it. Displays the public key associated with the stored private key. priv Displays the private key so you can save the key to disk. Nortel highly recommends that you encrypt the private key. Displays the public key fingerprint.
  • Page 109 Table 81 identifies and describes the RSA Throttling menu commands. Table 81 RSA Throttling menu Command Description ena | dis Enables or disables throttling. RSA throttling is enabled by default.
  • Page 110: Smc Network Menu

    Table 81 RSA Throttling menu Command Description sessions Specifies the maximum number of new sessions from a single client that are created in a given period of time. interval Sets the interval measurement for new session creation. SMC Network menu Using the SMC Network menu (/cfg/smc/network), you can display the different networks used in configuring the SMC.
  • Page 111 Displays a listing of subnets that comprise this network. An IP address of 0.0.0.0 defaults to all subnets. Subnets are defined by a network address and a mask. comment Specifies a comment for the network.
  • Page 112: Service Menu

    Service menu Using the Service menu (/cfg/smc/service), you can display the different services used in configuring the SMC firewall rules. Services map to a protocol and a series of port ranges. You can consolidate frequently used services into a single service specification, and then use it repeatedly in firewall rules.
  • Page 113: Boot Menu

    After you reset the SMC to factory defaults, you can access the device only through a console terminal attached directly to the local serial port. You can then log on using the administration account (admin) and the default password (admin) to access the initial Setup utility.
  • Page 114: Software Management Menu

    Software Management menu Using the Software Management menu (/boot/software), you can load, activate, or remove SMC software upgrade packages. Table 85 identifies and describes the Software Management menu commands. Table 85 Software Management menu Command activate <software version> download <host name or IP address> <file name>...
  • Page 115: Software Patches Menu

    Downloads an SMC software patch (.RPM files) from an FTP server. When prompted, enter the host name or IP address of the FTP server, and then enter the file name of the software patch. Removes an installed software upgrade package.
  • Page 117: Maintenance Menu

    Use the Maintenance menu (/maint) to administer technical support dumps, back up and restore system configuration, and check the applied configuration. Generate diagnostics logs or statistics only at the request of Nortel technical support. Table 87 identifies and describes the Maintenance menu commands.
  • Page 118: Tech Support Dump Menu

    Tech Support Dump menu Using the Tech Support Dump menu (/maint/tsdump), you can create tech support dumps that you can copy to a disk or upload to an FTP server. Table 88 identifies and describes the Tech Support Dump menu commands. Table 88 Tech Support Dump menu Command...
  • Page 119: Unistim Connection Rate Menu

    “UNIStim Bandwidth Rate menu”. Description: Specifies the number of connections allowed per specified interval. If maxconn is set to 0, there is no limit. Specifies the interval in seconds.
  • Page 120: Unistim Packet Rate Menu

    UNIStim Packet Rate menu Using the UNIStim Packet Rate menu, you can specify the number of packets allowed over a specified interval. Table 89 identifies and describes the UNIStim Packet Rate menu commands. Table 91 UNIStim Packet Rate menu Command number interval UNIStim Bandwidth Rate menu...
  • Page 121: Appendix A: Selected Firewall Attacks

    Certain Web servers have no limit on the MIME headers that can be included in a client HTTP request. Due to this lack of limitation, an intruder can consume a lot of memory by sending large headers.
  • Page 122: Ftp Bounce

    FTP bounce When an attacker sends a Port command with an IP address and port number of another system, the server sends the data to that system. When you enable this check, the SMC checks if the data connection is to the same system as that of the control connection.
  • Page 123: Ip Spoofing

    Certain popular TCP/IP implementations cannot properly take care of all the datagram reassembly cases. If the attacker sends datagram fragments in a certain sequence to such hosts, the hosts perform unpredictably.
  • Page 125: Appendix B: Firewall Limits

    Output rules. Each zone input/output has a maximum of 1024 rules. 700,000 total connections, which you can distribute among the six primary zones: management, intranet, and the four multimedia security zones.