Administration of the Avaya G350 Media Gateway - Avaya Support
Configuring policy

Source and destination port range

To specify a range of source and destination ports to which the rule applies, use the following commands, followed by either port name or port number range criteria:

● tcp source-port — the rule applies to TCP packets from ports that match the defined criteria
● tcp destination-port — the rule applies to TCP packets to ports that match the defined criteria
● udp source-port — the rule applies to UDP packets from ports that match the defined criteria
● udp destination-port — the rule applies to UDP packets to ports that match the defined criteria

This command also sets the IP protocol parameter to TCP or UDP.

The port name or number range criteria can be any of the following:

● a range — type range, followed by two port numbers, to set a range of port numbers to which the rule applies
● equal — type eq, followed by a port name or number, to set a port name or port number to which the rule applies
● greater than — type gt, followed by a port name or port number, to apply the rule to all ports with a name or number greater than the specified name or number
● less than — type lt, followed by a port name or port number, to apply the rule to all ports with a name or number less than the specified name or number
● any — type any to apply the rule to all port names and port numbers

Use the no form of the appropriate command to specify that the rule does not apply to the ports defined by the command.

The following command specifies a source TCP port named telnet for rule 1 in access control list 301:

G350-001(ACL 301/ip rule 1)# tcp source-port eq telnet

The following command specifies any destination UDP port less than 1024 for rule 3 in QoS list 404:

G350-001(QoS 404/rule 3)# udp destination-port lt 1024

The following command specifies any destination TCP port in the range 5000 through 5010 for rule 1 in access control list 301:

G350-001(ACL 301/ip rule 1)# tcp destination-port range 5000 5010

The following command specifies any source TCP port except a port named http for rule 7 in access control list 304:

G350-001(ACL 304/ip rule 7)# no tcp source-port eq http

264 Administration of the Avaya G350 Media Gateway
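The port criteria described above can be checked offline before a rule is committed. The following Python example is added here for illustration and is not part of the Avaya manual or Avaya software: it parses the four port commands and tests packets against them. The function names, the packet dictionary layout and the small PORT_NAMES table are assumptions made for the example; the G350's own port name table is not reproduced on this page.

```python
import re

# Constructed subset of well-known port names (assumption for this example).
PORT_NAMES = {"telnet": 23, "smtp": 25, "domain": 53, "http": 80}

CMD = re.compile(
    r"^(?P<no>no\s+)?(?P<proto>tcp|udp)\s+(?P<side>source|destination)-port\s+"
    r"(?P<op>range|eq|gt|lt|any)(?P<args>(?:\s+\S+)*)$"
)

def port_number(token):
    """Resolve a port name or decimal string to an integer in 0..65535."""
    value = PORT_NAMES.get(token.lower())
    if value is None:
        if not token.isdigit():
            raise ValueError(f"unknown port name: {token}")
        value = int(token)
    if not 0 <= value <= 65535:
        raise ValueError(f"port out of range: {token}")
    return value

def parse_criterion(command):
    """Parse one port criterion command into a dict describing the match."""
    m = CMD.match(command.strip())
    if not m:
        raise ValueError(f"not a port criterion: {command!r}")
    op = m["op"]
    ports = [port_number(t) for t in m["args"].split()]
    expected = {"range": 2, "any": 0}.get(op, 1)
    if len(ports) != expected:
        raise ValueError(f"{op} takes {expected} port argument(s)")
    if op == "range" and ports[0] > ports[1]:
        raise ValueError("range start exceeds range end")
    return {"negate": bool(m["no"]), "proto": m["proto"], "side": m["side"],
            "op": op, "ports": ports}

def matches(criterion, packet):
    """True if packet (dict: proto, source, destination) meets the criterion."""
    if packet["proto"] != criterion["proto"]:
        return False  # the command also sets the rule's IP protocol
    port, p = packet[criterion["side"]], criterion["ports"]
    hit = {"any": lambda: True,
           "eq": lambda: port == p[0],
           "gt": lambda: port > p[0],   # strictly greater, as the text states
           "lt": lambda: port < p[0],   # strictly less
           "range": lambda: p[0] <= port <= p[1]}[criterion["op"]]()
    return hit != criterion["negate"]  # the no form inverts the port test only
```

Treating the no form as inverting only the port test while keeping the protocol follows the manual's own example, which describes no tcp source-port eq http as any source TCP port except http.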
Defining rules

ICMP type and code

To apply the rule to a specific type of ICMP packet, use the icmp command. This command sets the IP protocol parameter to ICMP, and specifies an ICMP type and code to which the rule applies. You can specify the ICMP type and code by integer or text string, as shown in the examples below. To apply the rule to all ICMP packets except the specified type and code, use the no form of this command.

The following command specifies an ICMP echo reply packet for rule 1 in QoS list 401:

G350-001(QoS 401/rule 1)# icmp Echo-Reply

The following command specifies any ICMP packet except type 1 code 2 for rule 5 in access control list 321:

G350-001(ACL 321/ip rule 5)# no icmp 1 2

TCP Establish bit (access control lists only)

Use the tcp established command to specify that the rule only applies to packets that are part of an established TCP session. Use the no form of this command to specify that the rule applies to all TCP packets. In either case, the command also sets the IP protocol parameter to TCP.

The following command specifies that rule 6 in access control list 301 only matches packets that are part of an established TCP session:

G350-001(ACL 301/ip rule 6)# tcp established

Operation

Use the operation command, followed by the name of a composite operation, to specify an operation for the G350 to perform on a packet when the packet matches the rule. For an explanation of composite operations, see Composite operations on page 266.

The operation field for access control lists has a default value of Permit. See Pre-configured composite operations for access control lists on page 266.

The operation field for QoS lists has a default value of Trust-DSCP-CoS. See Pre-configured composite operations for QoS lists on page 267.

The following command specifies that rule 4 in access control list 302 drops packets that match the rule, and causes the G350 to send a trap and reset the connection when the packet is dropped:

G350-001(ACL 304/ip rule 4)# operation Deny-Notify-Rst

Note: Composite operation names are case-sensitive.

Issue 3 January 2005 265