Administration of the Avaya G350 Media Gateway - Avaya Support


downloads.avaya.com
13.07.2015 Views

Configuring policy

Editing and creating rules

To create or edit a policy rule, you must enter the context of the rule. If the rule already exists, you can edit the rule from the rule context. If the rule does not exist, entering the rule context creates the rule.

To enter a rule context:

1. Enter the context of the list in which you want to create or edit a rule.
2. Type the command ip-rule, followed by the number of the rule you want to create or edit. For example, to create rule 1, type ip-rule 1.

To view the existing rules in a list, enter the list's context and type ip show-rule. Each list starts with a default rule. Each new rule has the same default parameters as the default rule. The default rule appears as follows:

    Index Protocol IP                   Wildcard        Port         Operation
    ----- -------- --- ---------------- --------------- ------------ ----
    Deflt Any      Src Any                              Any          Permit
                   Dst Any                              Any

This rule permits all packets.

Rule criteria

This section describes the rule criteria you can define and includes the following topics:

● IP protocol — instructions on how to define the protocol to which the rule applies
● Source and destination IP address — instructions on how to define the source and destination IP addresses to which the rule applies
● Source and destination port range — instructions on how to define the source and destination port ranges to which the rule applies
● ICMP type and code — instructions on how to define packet matching by ICMP type or code
● TCP Establish bit (access control lists only) — instructions on how to define packet matching for TCP packets by whether the ack bit is turned on

IP protocol

To specify the IP protocol to which the rule applies, use the ip-protocol command, followed by the name of an IP protocol. If you want the rule to apply to all protocols, use any with the command. If you want the rule to apply to all protocols except for one, use the no form of the command, followed by the name of the protocol to which you do not want the rule to apply.

Defining rules

The following command specifies the UDP protocol for rule 1 in QoS list 401:

    G350-001(QoS 401/rule 1)# ip-protocol udp

The following command specifies any IP protocol except IGMP for rule 3 in access control list 302:

    G350-001(ACL 302/ip rule 3)# no ip-protocol igmp

Source and destination IP address

To specify a range of source and destination IP addresses to which the rule applies, use the commands source-ip and destination-ip, followed by the IP range criteria. The IP range criteria can be any of the following:

● a range — type two IP addresses to set a range of IP addresses to which the rule applies
● a single address — type host, followed by an IP address, to set a single IP address to which the rule applies.
● wildcard — type host, followed by an IP address using wildcards, to set a range of IP addresses to which the rule applies
● any — type any to apply the rule to all IP addresses

Use the no form of the appropriate command to specify that the rule does not apply to the IP address or addresses defined by the command.

The following command specifies a source IP address of 10.10.10.20 for rule 1 in access control list 301:

    G350-001(ACL 301/ip rule 1)# source-ip host 10.10.10.20

The following command allows any destination IP address for rule 3 in QoS list 404:

    G350-001(QoS 404/rule 3)# destination-ip any

The following command specifies a source IP address in the range 10.10.0.0 through 10.10.255.255 for rule 1 in access control list 301:

    G350-001(ACL 301/ip rule 1)# source-ip 10.10.0.0 0.0.255.255

The following command specifies a source IP address outside the range 64.236.24.0 through 64.236.24.255 for rule 7 in access control list 308:

    G350-001(ACL 308/ip rule 7)# no source-ip 64.236.24.0 0.0.0.255

The following command specifies a source IP address in the range 64.*.24.* for rule 6 in access control list 350:

    G350-001(ACL 350/ip rule 6)# source-ip 64.*.24.*

Issue 3 January 2005
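An added example, not part of the Avaya manual: a Python model of how the source-ip and destination-ip criteria above select addresses, for checking what a rule covers before it is applied. It assumes, from the page's examples, that the second address is a wildcard mask whose set bits are ignored and that * leaves a whole octet unchecked; the function names are hypothetical.

```python
import ipaddress

FULL = 0xFFFFFFFF

def parse_criteria(args, negate=False):
    """Parse the arguments of source-ip / destination-ip.

    Returns (value, care, negate): an address matches when it equals `value`
    on every bit set in `care`. negate=True models the `no` form.
    """
    tokens = args.split()
    if tokens == ["any"]:
        return 0, 0, negate                      # no bit is compared
    if tokens[:1] == ["host"]:
        tokens = tokens[1:]
        if len(tokens) != 1:
            raise ValueError("host takes exactly one address")
    if len(tokens) == 2:                         # address + wildcard mask
        care = ~int(ipaddress.IPv4Address(tokens[1])) & FULL
        return int(ipaddress.IPv4Address(tokens[0])) & care, care, negate
    octets = tokens[0].split(".") if len(tokens) == 1 else []
    if len(octets) != 4:
        raise ValueError(f"unrecognised IP range criteria: {args!r}")
    value = care = 0
    for octet in octets:                         # "*" leaves the octet unchecked
        value, care = value << 8, care << 8
        if octet != "*":
            number = int(octet)
            if not 0 <= number <= 255:
                raise ValueError(f"bad octet in {args!r}")
            value, care = value | number, care | 0xFF
    return value, care, negate

def matches(criteria, address):
    """True if the rule criteria apply to `address` (dotted-quad string)."""
    value, care, negate = criteria
    hit = ((int(ipaddress.IPv4Address(address)) ^ value) & care) == 0
    return hit != negate

def matched_count(criteria):
    """Number of IPv4 addresses the criteria apply to."""
    _, care, negate = criteria
    inside = 1 << bin(~care & FULL).count("1")
    return (1 << 32) - inside if negate else inside
```

The 64.*.24.* form covers 65536 addresses but not a contiguous block: 64.1.25.9 lies numerically between 64.0.24.0 and 64.255.24.255 and is not matched.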

