520-0051-01 BCP - Basic DDoS Configuration For SIP Access Environments

BCP - Basic DDoS
Configuration for SIP

Access Environments
Revision History
Version
520-0051-00
520-0051-01
Author
Patrick Manor
Pawel Borucki
Description of Changes
Initial Release
Update for DDoS2 (S-CX6.3.0F2)
Date Revision
Completed
01-24-2011
12-21-2011
Copyright 2010 Acme Packet, Inc. All Rights Reserved.
Status of this memo

Acme Packet Best Current Practices are working documents of the Professional Services department of
Acme Packet, Inc. Note that other groups may also distribute working documents as Best Current Practices.
Best Current Practices are working documents valid until explicitly deprecated, and may be updated,
replaced or deprecated by other documents at any time. It is recommended to use Best Current Practice as
reference material as well as to cite them in other works in progress.
Abstract
The use of the RFC 2119 keywords is an attempt to assign the correct requirement levels ("MUST",
"SHOULD", "MAY", etc.).
Distributed Denial of Service (DDoS) attacks are a legitimate threat to Voice over IP (VoIP) networks and
may severely impact the stability and performance of unprotected VoIP networks. These attacks may or may
not be malicious, however they should not affect the operation of current trusted users adversely.
This document outlines basic DDoS configuration techniques to be employed on the Acme Packet Session
Director (SD) for SIP Access environments. These configuration techniques will reduce the impact of these
attacks and help maintain a high level of service for legitimate, trusted users. The scope of this document is
limited to basic configuration and does not attempt to provide a complete solution for all DDoS attacks, which
require more advanced configuration.
Best Current Practices should be used when either (a) deploying a new SD, or (b) updating existing
configuration implemented before this document was available. When in conflict with Customer
requirements or desires, the Customers preference SHOULD take precedence.
Applicability
This document is applicable to NN3000 and NN4000 (S-C6.2.0 & above) Session Directors. The DDoS2
feature set is applicable to NN3820 and NN4500 (S-CX6.3.0F2 & above) Session Directors.
Best Current Practice
Basic DDoS Configuration for SIP Access Environments
Dec 2011
Contents
1
Introduction ............................................................................................................................................... 4
1.1
OVERVIEW ...........................................................................................................................................................4
1.2
INTENDED AUDIENCE ...........................................................................................................................................4
2 Approach ................................................................................................................................................... 5
2.1
GENERAL APPROACH ...........................................................................................................................................5
3 Test Environment ...................................................................................................................................... 6
3.1
TEST NETWORK....................................................................................................................................................6
4 Test Methodology ..................................................................................................................................... 7
4.1
MAXIMUM SIGNALING BANDWIDTH (MAX-SIGNALING-BANDWIDTH) ..................................................................7
4.2
MAX AND MIN UNTRUSTED SIGNALING PERCENTAGES (MAX-UNTRUSTED-SIGNALING MIN-UNTRUSTEDSIGNALING) ...................................................................................................................................................................... 7
4.3
MAXIMUM SIGNALING THRESHOLD (MAX-SIGNALING-THRESHOLD) ...................................................................7
4.4
BACKGROUND TRAFFIC........................................................................................................................................8
4.5
DDOS ATTACKS...................................................................................................................................................8
5 Design Goals ............................................................................................................................................. 9
5.1
CONFIGURATION GOALS ......................................................................................................................................9
5.2
CONFIGURATION NON-GOALS: .............................................................................................................................9
5.3
INHERENT CONFIGURATION BENEFITS .................................................................................................................9
6 Configuration Parameters ...................................................................................................................... 10
6.1
DDOS CONFIGURATION PARAMETER DESCRIPTIONS ......................................................................................... 10
6.1.1
Media Manager ......................................................................................................................................... 10
6.1.2
Realm Configuration ................................................................................................................................. 11
6.1.3
SIP Interface .............................................................................................................................................. 11
6.1.4
DDoS-2 for software release S-CX6.3.0F2 ............................................................................................... 11
Software release S-CX6.3.0F2 introduces DDoS-2 for platforms: SD 3820, SD 4500 CPU-1, SD 4500 CPU-2. .... 11
6.2
DDOS CONFIGURATION PARAMETER RESULTS ................................................................................................. 13
6.2.1
NN 4250 64k CAM 1Gb memory w/single copper GigE ........................................................................... 13
6.2.2
NN 4250 256k CAM 2Gb memory w/single copper GigE ......................................................................... 14
6.2.3
NN 4500 CPU-1 256k CAM 3Gb memory w/copper GigE........................................................................ 15
6.2.4
NN 4500 CPU-2 256k CAM 3Gb memory w/copper GigE........................................................................ 16
6.2.5
NN 3820 128k CAM 3Gb memory copper single GigE .......................................................................... 17
7 Observations/Limitations ....................................................................................................................... 18
8 Normative References ............................................................................................................................ 19
9 Authors Address .................................................................................................................................... 20
10
Disclaimer ............................................................................................................................................ 21
11
Full Copyright Statement .................................................................................................................... 22
12
Appendix A - NN 3820 PBRB Sample Configuration ....................................................................... 23
13
Appendix B - NN 3820 SSNHTN Sample Configuration................................................................... 33
14
Appendix C - NN 3820 SNB Sample Configuration .......................................................................... 44
15
Appendix D - Subscriber and Traffic Information for Background Traffic .................................... 57
Acronyms and Definitions

DDoS:
Distributed Denial of Service
SD:
Acme Packet Net-Net Session Director
PBRB:
SD Policy Based Realm Bridging SIP Access Model
SNB:
SD SIP NAT Bridge SIP Access Model
SSNHTN:
SD Single SIP NAT Hosted in Trusted Network SIP Access Model
VoIP:
Voice over IP
520-0051-01
Acme Packet Proprietary and Confidential
Page 2 of 57
GULP:
Internal Acme Tool to create SIP flooding and spoofing attacks
HA:
High Availability
BCP:
Best Current Practices
CHT:
Call Hold Time
CPS:
Calls/second
520-0051-01
Dec 2011
Page 3 of 57
Dec 2011
Introduction
1.1
Overview
This document is designed to provide a basic framework for DDoS configuration in SIP Access environments
for NN3000 and NN4000 series platforms. The configuration outlined herein is a collection of minimum
requirements for each access Session Director deployment, focused on reducing the impact of a DDoS
attack on a Session Director without further customized DDoS protection. The scope of this document is
limited to providing a minimum set of configuration settings to enable basic protection. The contents herein
cannot be considered advanced or customer specific in any way. Where appropriate, limitations of this
protection will be addressed throughout the course of this document. This document will not go into any
detail pertaining to the underlying SIP Access configurations.
All base configurations used during testing were created according to Best Current Practices.
Configuration guides are available for download from the Acme Packet Customer Support Portal
(https://support.acmepacket.com). Please contact your Acme Packet Systems Engineer for Best Current
Practice (BCP) documentation.
1.2
Intended Audience
This document is intended for use by Acme Packet Systems Engineers, third party Systems Integrators, and
end users of the Session Director. It assumes that the reader is familiar with basic operations of the Session
Director, and has attended the following training course(s) (or has equivalent experience):
EDU-CAB-C-CLI: Net-Net 3000/4000 Configuration Basics
EDU-ADV-OE: Net-Net Advanced Configuration
520-0051-01
Page 4 of 57
Dec 2011
Approach
2.1
General Approach
This document is designed to provide minimal DDoS settings for several SIP access configuration models
across current platforms supported by software release S-C(X)6.2.0 and S-CX6.3.0F2.
SD Access Configuration Models:
PBRB
SNB
SSNHTN
Policy Based Realm Bridging Model

SIP NAT Bridge Model
Single SIP NAT Hosted in Trusted Network Model
Best Current Practices [2] configurations for these models were used as base configurations for this
document.
Supported SD platforms:
Platform
NN 4250
NN 4250
NN 4500 (CPU1)
NN 4500 (CPU2)
NN 3820
CAM
64K
256K
256K
256K
128K
Memory
1Gb
2Gb
3Gb
3Gb
3Gb
Throughout the testing, bandwidth limitation parameters located in the media-manager configuration object
were modified to achieve the desired outcome. The testing methodology used for each
platform/configuration combination included application of a GULP generated severe DDoS attack to
compliment a defined level of trusted background traffic consisting of SIP Registrations and calls generated
from the EXFO protocol simulation tool.
Its important to remind the consumers of this document that the parameters defined herein are those
suggested to preserve the integrity of the Session Director.
520-0051-01
Page 5 of 57
3.1
Dec 2011
Test Environment
Test Network
Below is the test network used for testing. The SIP Access environment consists of SDs configured for High
Availability. A Linux server running OPENSIPS software operates as the registrar in the core network and
requires authentication on all SIP Registrations.
Real SIP endpoints are located in the access and core realms to verify real calls can be completed during a
DDoS attack.
520-0051-01
Page 6 of 57
Dec 2011
Test Methodology
The chosen test methodology aims to determine the maximum signaling bandwidth required per platform to
keep the CPU usage below 90%. Additionally, tests are performed to determine max and min untrusted
signaling percentages. Throughout the testing, parameters from the media-manager configuration object are
modified to limit the amount of traffic entering the SD to a point where no more than 89% of CPU resources
are consumed.
4.1
Maximum Signaling Bandwidth (max-signaling-bandwidth)
The maximum signaling bandwidth (max-signaling-bandwidth) is calculated per platform by sending SIP
OPTIONS packets with the max-forwards header set to 0. The SD will process this packet and response
with a 483 Too Many Hops. This method is used to remain consistent with Denial of Service Configuration
Guidelines BCP [1].
max-signaling-bandwidth = OPTIONS/sec * Bytes/OPTIONS
4.2
Max and Min Untrusted Signaling Percentages (max-untrusted-signaling min-untrusted-signaling)
With the max-signaling-bandwidth parameter set to the calculated value, the max-untrusted-signaling
and min-untrusted-signaling parameters in the media-manager configuration are modified until the defined
background traffic and applied DDoS attack consume approximately 89% of CPU resources. For purposes
of this document CPU consumption under the threshold of 89% is considered to be within an acceptable
range. The max-untrusted-signaling parameter is determined first by trial and error to find the maximum
setting acceptable. Following this, various min-untrusted-signaling parameter settings are exercised to
verify the CPU resources consumed remain under 89%. The highest acceptable min-untrusted-signaling
setting for each platform is listed in the results in Section 6.2, however lower min-untrusted-signaling
settings could safely be used.
4.3
Maximum Signaling Threshold (max-signaling-threshold)
The maximum-signaling-threshold value is defined as part of the realm-configuration object and governs
the number of SIP signaling messages which can be received from a given source during the period of time
defined in the tolerance-window (30 second default window). Once a trusted source exceeds this threshold it
will be demoted to the untrusted queue. Provisioning this provides further protection to the Session Director
by allowing it to remove a violating endpoint from the trusted queue, effectively preserving the integrity of that
queue for non-violating trusted sources.
Due to the nature of this setting, it is recommended each network administrator define a value based on
network usage. In absence of customized network analysis, it is recommended a value no less than 4000 be
used along with a defined tolerance-window of 30 seconds. As defined, a value of 4,000 was chosen with
the intention that it not affect those trusted users who are behaving properly or otherwise as expected under
520-0051-01
Page 7 of 57
Dec 2011
normal circumstances. In the event of either endpoint malfunction or malicious attack, this value will easily
be exceeded resulting in demotion to the offending source. Once exceeded, the violating source is noted in
both acmelog and log.sipd.
For example:
acmelog/log.sipd:
Dec 15 01:04:20.986 sipd@S-SBC: MINOR SigAddr[access:197.168.176.148:0=low:NONE]
ttl=86400 exceeded message threshold of 5
Dec 15 01:04:20.986 sipd@S-SBC: MINOR
recent(28): msgs=6 errs=0 adm fail=0
Dec 15 01:04:20.987 sipd@S-SBC: MINOR
lifetime: msgs=6 errs=0 adm fail=0
4.4
Background Traffic
The baseline of trusted traffic consists of SIP Registrations and calls and produces a total SD CPU Utilization
of 55% for all tests. This level of traffic was used to maintain consistency with the methodology used in the
Denial of Service Configuration Guidelines BCP [1]. This percentage of background trusted traffic was used
across all platform/configuration model combinations.
To create this traffic, the EXFO protocol simulation tool registers a group of access endpoints with unique IP
addresses to the SD and another group of core endpoints directly to the Registrar in the core network. Calls
are then initiated from the access endpoints to the core endpoints. Examples of actual subscriber and
background traffic information used for each test scenario is described in Appendix D
4.5
DDoS Attacks
DDoS attacks were generated from a PC running the Acme Packet tool GULP. GULP is located on the
direct subnet of the SIP interface of the access realm. The DDoS attack applied for this testing is a SIP
Register flood which creates a flood from approximately 1000 untrusted endpoints at line rate.
520-0051-01
Page 8 of 57
Dec 2011
Design Goals
5.1
Configuration Goals
Provide a calculated maximum signaling bandwidth for all SD platforms supported by software
release S-C(X)6.2.0 and S-CX6.3.0F2
Provide a design that requires minimal configuration and provides the most protection without
adversely affecting current trusted users.
No subscribers will be denied under the scope of this testing.
Provide protection against malicious and non-malicious SIP flooding attacks which will allow
unaffected service to trusted users.
Provide a mechanism for demotion based on a pre-determined allowance of SIP signaling messages
defined in the realm-configuration object element: maximum-signaling-threshold
Real trusted SIP endpoints can make calls during the DDoS attack.
5.2
Configuration non-goals:
It is a non-goal to provide a solution to all customer access environments. This document provides
base configuration for customers that do not wish to make advanced DDoS configurations, but wish
to have increased protection to what is currently provided.
It is a non-goal to define advanced DDoS configurations.
5.3
Inherent Configuration Benefits
Provide some protection against a SIP Register Avalanche conditions by throttling the registration
rate allowed
520-0051-01
Page 9 of 57
Dec 2011
Configuration Parameters
The following sections will discuss those DDoS parameter pertinent to the scope of this document. Its
important to note: the parameters used to satisfy the requirements and scope of this document cannot be
considered to be exhaustive. The parameters used are those which will be modified for this basic
configuration. These parameters are in three configuration areas: Media Manager, Realm Configuration, and
SIP Interface.
6.1
6.1.1
DDoS Configuration Parameter Descriptions

Media Manager
The following media-manager parameters are calculated for each test scenario.
Parameter
max-signaling-bandwidth
Value
The maximum bandwidth that the SD can
withstand (bytes/sec)
This is calculated as defined in the Test Methodology section above.
Parameter
max-untrusted-signaling
min-untrusted-signaling
Value
Maximum percentage of untrusted traffic
allowed (%)
Minimum percentage of untrusted traffic allowed
(%)
These parameters are set to values that do not allow a SIP Register flood attack to increase the total
CPU utilization percentage to over 89%. The background trusted traffic must not be adversely
affected.
The recommended values for these media-manager parameters for each test scenario are listed
later in section 6.2.
The following are Media Manager parameters that have platform specific defaults. For this document, these
defaults will be used and are indicated in the platform results later in section 6.2. These parameters are not
applicable for software release S-CX6.3.0F2.
Parameter
min-media-allocation
min-trusted-allocation
deny-allocation
520-0051-01
Page 10 of 57
6.1.2
Dec 2011
Realm Configuration
The following realm-config parameters are used in the basic DDoS configuration. Only the bold values
are changes from the default configuration
Parameter
access-control-trust-level
invalid-signal-threshold
average-rate-limit
maximum-signal-threshold
untrusted-signal-threshold
6.1.3
Access Realm
Core Realm
medium
1
high
0
0
0
0
4000
0
SIP Interface
The following sip-interface->sip-ports parameter should be used for access environments.
Parameter
allow-anonymous
6.1.4
Access Realm
Core Realm
registered
all
DDoS-2 for software release S-CX6.3.0F2
Software release S-CX6.3.0F2 introduces DDoS-2 for platforms: SD 3820, SD 4500 CPU-1, SD 4500 CPU2.
DDoS-2 increases the number of trusted endpoints to a maximum of 250K for SD 4500 and 125K for SD
3820.
It also increases the number of denied endpoints to a maximum 32K for SD 4500 and 16K for SD 3820.
In the new design, instead of providing a dedicated Traffic Manager flow for each endpoint, it provides 1024
TM-flows for each physical interface. A group of endpoints share one of the TM-flows.
Dynamic trusted endpoints are stored in the HASH table. Dynamic denied endpoints are stored in the CAM
table.
6.1.4.1
show commands
The command show acl info provides information about present usage of the HASH table.
show acl info
Access Control List Statistics:
|
# of entries |
% utilization
|
Reserved Entry Count
----------------------------------------------------------------------Denied
|
0
0.0%
32000
Trusted
|
3
0.0%
8000
Media
|
2
0.0%
64000
Untrusted
|
1
0.1%
2000
Dynamic Trusted |
4800
1.9%
250000
INTFC
|
2
----------------------------------------------------------------------Total CAM space used = 8 of 126976 (99.99% free)
Total HASH-table space used = 4800 of 250000 (98.08% free)
---------------------------------------------------------------------
520-0051-01
Page 11 of 57
Dec 2011
The command show acl all presents endpoints allocation per TM-flow. In the example below we can see 5
endpoints per TM-flow:
trusted entries:
intf:vlan Source-IP/mask
port/mask Destination-IP/mask
recv
drop
0/0:0
0.0.0.0
177.1.1.100
0
1/0:0
0.0.0.0
188.1.1.200
0
1/0:0
0.0.0.0
188.1.1.200
333676 0
dynamic trusted entries sharing IFD 0x1e600:
0/0:0
14.0.2.130
177.1.1.100
0
0/0:0
14.0.10.130
177.1.1.100
0/0:0
14.0.18.130
177.1.1.100
0/0:0
14.0.26.130
177.1.1.100
0/0:0
14.0.34.130
177.1.1.100
0/0:0
14.0.2.132
177.1.1.100
0
0/0:0
14.0.10.132
177.1.1.100
0/0:0
14.0.18.132
177.1.1.100
0/0:0
14.0.26.132
177.1.1.100
0/0:0
14.0.34.132
177.1.1.100
0/0:0
14.0.2.134
177.1.1.100
0
0/0:0
14.0.10.134
177.1.1.100
0/0:0
14.0.18.134
177.1.1.100
0/0:0
14.0.26.134
177.1.1.100
0/0:0
14.0.34.134
177.1.1.100
520-0051-01
port/mask prot type
index
ICMP static
65537
ICMP static
65539
5060
UDP
static
65541
5060
UDP
dynamic 132096 2
5060
5060
5060
5060
UDP
UDP
UDP
UDP
dynamic
dynamic
dynamic
dynamic
5060
UDP
dynamic 132097 2
5060
5060
5060
5060
UDP
UDP
UDP
UDP
dynamic
dynamic
dynamic
dynamic
5060
UDP
dynamic 132098 2
5060
5060
5060
5060
UDP
UDP
UDP
UDP
dynamic
dynamic
dynamic
dynamic
133120
134144
135168
136192
133121
134145
135169
136193
133122
134146
135170
136194
Page 12 of 57
6.2
Dec 2011
DDOS Configuration Parameter Results
Below are the recommended parameter setting for each platform and Access Model. The non-default values
are in bold.
6.2.1
NN 4250 64k CAM 1Gb memory w/single copper GigE

Platform
CAM
64K
Memory
1Gb
Software Release
Configuration Model
NN 4250
S-C6.2.0m4
PBRB
SSNHTN
SNB
media-manager
703040
options/s
2080
bytes/option
338
8
7
7
6
30
tolerance-window
32000
1000
deny-allocation
1000
realm-config (access)
medium
0
average-rate-limit
1
4000
0
realm-config (core)
high
average-rate-limit
520-0051-01
7
6
Page 13 of 57
6.2.2
Dec 2011
Platform
CAM
256K
Memory
2Gb
Software Release
Configuration Model
NN 4250
S-C6.2.0m4
PBRB
SSNHTN
SNB
media-manager
703040
options/s
2080
bytes/option
338
9
8
7
6
30
tolerance-window
32000
60000
deny-allocation
32000
medium
0
average-rate-limit
1
4000
0
realm-config (core)
high
average-rate-limit
520-0051-01
7
6
Page 14 of 57
6.2.3
Dec 2011
NN 4500 CPU-1 256k CAM 3Gb memory w/copper GigE
Platform
NN 4500 CPU-1
CAM
Memory
Software Release
Configuration Model
256K
3Gb
S-CX6.2.0m4 and
S-CX6.3.0f2
PBRB
SSNHTN
SNB
media-manager
1152580
options/s
3410
bytes/option
338
14
13
12
11
11
10
30
tolerance-window
min-media-allocation (only S-C6.2.0)
32000
min-trusted-allocation (only S-C6.2.0)
60000
deny-allocation (only S-C6.2.0)
32000
medium
average-rate-limit
1
4000
realm-config (core)
high
average-rate-limit
520-0051-01
Page 15 of 57
6.2.4
Dec 2011
NN 4500 CPU-2 256k CAM 3Gb memory w/copper GigE
Platform
NN 4500 CPU-2
CAM
Memory
Software Release
Configuration Model
256K
3Gb
S-CX6.2.0m4 and
S-CX6.3.0f2
PBRB
SSNHTN
SNB
media-manager
1767740
options/s
5230
bytes/option
338
15
14
13
12
12
11
30
tolerance-window
min-media-allocation (only S-CX6.2.0)
32000
min-trusted-allocation (only S-CX6.2.0)
60000
deny-allocation (only S-CX6.2.0)
32000
Medium
average-rate-limit
1
4000
realm-config (core)
High
average-rate-limit
520-0051-01
Page 16 of 57
6.2.5
Dec 2011
NN 3820 128k CAM 3Gb memory copper single GigE
Platform
NN 3820
CAM
Memory
Software Release
Configuration Model
128K
3Gb
S-CX6.2.0m4 and
S-CX6.3.0f2
PBRB
SSNHTN
SNB
media-manager
1041040
options/s
3080
bytes/option
338
11
10
10
9
10
9
30
tolerance-window
min-media-allocation (only S-CX6.2.0)
2000
min-trusted-allocation (only S-CX6.2.0)
4000
deny-allocation (only S-CX6.2.0)
32000
Medium
average-rate-limit
1
4000
realm-config (core)
High
average-rate-limit
520-0051-01
Page 17 of 57
Dec 2011
Observations/Limitations
The settings outlined in this document are beneficial when facing malicious or non-malicious flood attacks,
such as a REGISTER avalanche following a network outage. By limiting the amount of untrusted traffic to
the SD, the registration rate allowed will be throttled and the SD will not be overrun by the high rate of
registrations. However, there is an opportunity cost between the level of protection against a DDoS flood
attack and the convergence time for this type of avalanche condition. For example, raising the percentage of
untrusted bandwidth allowed will inevitably allow more untrusted traffic to traverse the SD, and minimize the
convergence time. The opportunity cost here is higher CPU usage during the flood, a result of higher
demand on the processor due to the increased level of registrations its required to process.
Additionally, when set as an option in the sip-configuration, reg-overload-protect requires the SD
temporarily promote a registering endpoint upon receipt of a 401/407 response from the real registrar. This
temporary promotion is in advance of the real and final promotion, which takes place following the 200 OK
response to a REGISTER request containing authentication credentials. During a registration avalanche
from untrusted sources, temporary promotion based on the initial REGISTER request sent from a specific
source helps minimize the amount of time it will take to promote the collective untrusted sources, to trusted
sources, effectively restoring service in the event of an outage as quickly as possible. This is also referred to
as: minimizing the convergence time. The addition of any SIP option relevant to DDoS, including regoverload-protect, would require additional testing. For customers with specific convergence requirements,
additional research must be conducted to arrive at an appropriate DDoS configuration prior to deployment.
A limitation of the configuration parameters described in this document is the handling of SIP message
spoofing. When a trusted user is spoofed" by another user or a defective trusted user sends many SIP
messages, the CPU utilization of the SD may spike to 100%. One safe-guard implemented as part of this
document is the establishment of a setting for maximum-signaling-threshold, defined in the realmconfiguration object. When set, this provides an entry level amount of protection by removing a violating
source from the trusted queue once the defined threshold is exceeded. To further handle this scenario, there
are additional advanced DDoS configurations that can be set. For example: if the desired outcome is to deny
violating sources from the hardware level, the access-control-trust-level should be set to low in the
realm-configuration object. This also requires the configuration of the untrusted-signal-threshold to
properly demote offending untrusted users to the deny list. This configuration does not fall into the scope of
this document and as a result has been omitted.
The DDoS configuration recommendations in this document are meant as a general baseline to help protect
the SD from DDoS. For more complete protection, DDoS configurations should be determined by the
examining the applicable environment and customizing based on the environment driven traffic flows and
load levels.
520-0051-01
Page 18 of 57
Dec 2011
Normative References
[1] Acme Packet, BCP Denial of Service Configuration Guidelines, 520-0015-00, Jul 2006.
[2] Acme Packet, BCP SIP Access Configuration on the 4000 Series Net-Net Session Directors, 520-000506, Oct 2011.
520-0051-01
Page 19 of 57
Dec 2011
Authors Address
Patrick Manor & Pawel Borucki

Acme Packet, Inc.
100 Crosby Dr
Bedford, MA 01730
email: pmanor@acmepacket.com or pborucki@acmepacket.com
520-0051-01
Page 20 of 57
10
Dec 2011
Disclaimer
The content in this document is for informational purposes only and is subject to change by Acme Packet
without notice. While reasonable efforts have been made in the preparation of this publication to assure its
accuracy, Acme Packet assumes no liability resulting from technical or editorial errors or omissions, or for
any damages resulting from the use of this information. Unless specifically included in a written agreement
with Acme Packet, Acme Packet has no obligation to develop or deliver any future release or upgrade or any
feature, enhancement or function.
520-0051-01
Page 21 of 57
11
Dec 2011
Full Copyright Statement
Copyright @ Acme Packet (2011). All rights reserved. Acme Packet, Session-Aware Networking, Net-Net
and related marks are trademarks of Acme Packet. All other brand names are trademarks or registered
trademarks of their respective companies.
This document and translations of it may be copied and furnished to others, and derivative works that
comment on or otherwise explain it or assist in its implantation may be prepared, copied, published and
distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice,
disclaimer, and this paragraph are included on all such copies and derivative works. However, this document
itself may not be modified in any way, such as by removing the copyright notice or references to Acme
Packet or other referenced organizations, except as needed for the purpose of developing open standards.
The limited permission granted above are perpetual and will not be revoked by Acme Packet or its
successors or assigns.
This document and the information contained herein is provided on an AS IS basis and ACME PACKET
DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY
WARRANTY THAT THE USE FO THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR
ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
520-0051-01
Page 22 of 57
12
Dec 2011
Appendix A - NN 3820 PBRB Sample Configuration
local-policy
from-address
*
to-address
*
source-realm
description
activate-time
deactivate-time
state
policy-priority
last-modified-by
last-modified-date
policy-attribute
next-hop
realm
action
terminate-recursion
carrier
start-time
end-time
days-of-week
cost
app-protocol
state
methods
media-profiles
lookup
next-key
eloc-str-lkup
eloc-str-match
media-manager
state
latching
flow-time-limit
initial-guard-timer
subsq-guard-timer
tcp-flow-time-limit
tcp-initial-guard-timer
tcp-subsq-guard-timer
tcp-number-of-ports-per-flow
hnt-rtcp
algd-log-level
mbcd-log-level
red-flow-port
red-mgcp-port
red-max-trans
red-sync-start-time
red-sync-comp-time
media-policing
app-signaling-bandwidth
tolerance-window
rtcp-rate-limit
trap-on-demote-to-deny
syslog-on-demote-to-deny
deny-allocation
anonymous-sdp
arp-msg-bandwidth
520-0051-01
access
Route all access traffic to core softswitch
N/A
N/A
enabled
none
admin@console
2010-10-23 02:50:22
172.16.124.61
core
none
disabled
0000
2400
U-S
0
SIP
enabled
single
disabled
enabled
enabled
86400
300
300
86400
300
300
2
disabled
NOTICE
NOTICE
1985
1986
10000
5000
1000
enabled
1041040
11
10
0
30
0
disabled
disabled
2000
4000
32000
disabled
32000
Page 23 of 57
Dec 2011
fragment-msg-bandwidth
0
rfc2833-timestamp
disabled
default-2833-duration
100
rfc2833-end-pkts-only-for-non-sig enabled
translate-non-rfc2833-event
disabled
media-supervision-traps
disabled
dnsalg-server-failover
disabled
last-modified-by
admin@console
last-modified-date
2010-11-08 15:08:49
network-interface
name
M00
sub-port-id
0
description
slot 0, port 0 vlan 0 serving realm access
hostname
ip-address
197.168.11.100
pri-utility-addr
197.168.11.101
sec-utility-addr
197.168.11.102
netmask
255.255.255.0
gateway
197.168.11.1
sec-gateway
gw-heartbeat
state
disabled
heartbeat
0
retry-count
0
retry-timeout
1
health-score
0
dns-ip-primary
dns-ip-backup1
dns-ip-backup2
dns-domain
dns-timeout
11
hip-ip-list
ftp-address
icmp-address
snmp-address
telnet-address
ssh-address
last-modified-by
admin@console
last-modified-date
2010-09-08 14:15:40
network-interface
name
M10
sub-port-id
0
description
slot 1, port 0 serving realm core
hostname
ip-address
192.168.12.100
pri-utility-addr
192.168.12.101
sec-utility-addr
192.168.12.102
netmask
255.255.255.0
gateway
192.168.12.1
sec-gateway
gw-heartbeat
state
disabled
heartbeat
0
retry-count
0
retry-timeout
1
health-score
0
dns-ip-primary
dns-ip-backup1
dns-ip-backup2
dns-domain
dns-timeout
11
hip-ip-list
ftp-address
icmp-address
snmp-address
telnet-address
ssh-address
last-modified-by
admin@console
last-modified-date
2010-10-23 02:43:39
network-interface
name
wancom1
sub-port-id
0
520-0051-01
Page 24 of 57

description
hostname
ip-address
pri-utility-addr
sec-utility-addr
netmask
gateway
sec-gateway
gw-heartbeat
state
heartbeat
retry-count
retry-timeout
health-score
dns-ip-primary
dns-ip-backup1
dns-ip-backup2
dns-domain
dns-timeout
hip-ip-list
ftp-address
icmp-address
snmp-address
telnet-address
ssh-address
last-modified-by
last-modified-date
network-interface
name
sub-port-id
description
hostname
ip-address
pri-utility-addr
sec-utility-addr
netmask
gateway
sec-gateway
gw-heartbeat
state
heartbeat
retry-count
retry-timeout
health-score
dns-ip-primary
dns-ip-backup1
dns-ip-backup2
dns-domain
dns-timeout
hip-ip-list
ftp-address
icmp-address
snmp-address
telnet-address
ssh-address
last-modified-by
last-modified-date
phy-interface
name
operation-type
port
slot
virtual-mac
admin-state
auto-negotiation
duplex-mode
speed
overload-protection
last-modified-by
last-modified-date
phy-interface
name
520-0051-01
Dec 2011
169.254.1.1
169.254.1.2
255.255.255.252
disabled
0
0
1
0
11
admin@172.41.1.61
2010-06-29 07:10:21
wancom2
0
169.254.2.1
169.254.2.2
255.255.255.252
disabled
0
0
1
0
11
admin@172.41.1.61
2010-06-29 07:10:43
M00
Media
0
0
00:08:25:01:3f:de
enabled
enabled
FULL
1000
disabled
admin@console
2010-06-29 09:04:30
M10
Page 25 of 57
operation-type
port
slot
virtual-mac
admin-state
auto-negotiation
duplex-mode
speed
overload-protection
last-modified-by
last-modified-date
phy-interface
name
operation-type
port
slot
virtual-mac
wancom-health-score
overload-protection
last-modified-by
last-modified-date
phy-interface
name
operation-type
port
slot
virtual-mac
wancom-health-score
overload-protection
last-modified-by
last-modified-date
realm-config
identifier
description
addr-prefix
network-interfaces
Media
0
1
00:08:25:01:3f:df
enabled
enabled
FULL
1000
disabled
admin@console
2010-06-29 09:04:44
wancom1
Control
1
0
8
disabled
admin@172.41.1.61
2010-06-29 08:07:10
wancom2
Control
2
0
9
disabled
admin@172.41.1.61
2010-06-29 08:07:49
access
Serving all access endpoints
0.0.0.0
mm-in-realm
mm-in-network
mm-same-ip
mm-in-system
bw-cac-non-mm
msm-release
qos-enable
generate-UDP-checksum
max-bandwidth
fallback-bandwidth
max-priority-bandwidth
max-latency
max-jitter
max-packet-loss
observ-window-size
parent-realm
dns-realm
media-policy
media-sec-policy
in-translationid
out-translationid
in-manipulationid
out-manipulationid
manipulation-string
manipulation-pattern
class-profile
average-rate-limit
nat-trust-threshold
deny-period
cac-failure-threshold
untrust-cac-failure-threshold
520-0051-01
Dec 2011
M00:0
disabled
enabled
enabled
enabled
disabled
disabled
disabled
disabled
0
0
0
0
0
0
0
0
medium
1
4000
0
0
30
0
0
Page 26 of 57
ext-policy-svr
diam-e2-address-realm
symmetric-latching
pai-strip
trunk-context
early-media-allow
enforcement-profile
additional-prefixes
restricted-latching
restriction-mask
accounting-enable
user-cac-mode
user-cac-bandwidth
user-cac-sessions
icmp-detect-multiplier
icmp-advertisement-interval
icmp-target-ip
monthly-minutes
net-management-control
delay-media-update
refer-call-transfer
dyn-refer-term
codec-policy
codec-manip-in-realm
constraint-name
call-recording-server-id
xnq-state
hairpin-id
stun-enable
stun-server-ip
stun-server-port
stun-changed-ip
stun-changed-port
match-media-profiles
qos-constraint
sip-profile
sip-isup-profile
block-rtcp
hide-egress-media-update
last-modified-by
last-modified-date
realm-config
identifier
description
addr-prefix
network-interfaces
mm-in-realm
mm-in-network
mm-same-ip
mm-in-system
bw-cac-non-mm
msm-release
qos-enable
max-bandwidth
fallback-bandwidth
max-latency
max-jitter
max-packet-loss
observ-window-size
parent-realm
dns-realm
media-policy
media-sec-policy
in-translationid
out-translationid
in-manipulationid
out-manipulationid
manipulation-string
520-0051-01
Dec 2011
disabled
disabled
none
32
enabled
none
0
0
0
0
0
disabled
disabled
disabled
disabled
disabled
xnq-unknown
0
disabled
0.0.0.0
3478
0.0.0.0
3479
disabled
disabled
admin@console
2010-10-22 23:41:13
core
Softswitch resides in this realm
0.0.0.0
M10:0
disabled
enabled
enabled
enabled
disabled
disabled
disabled
disabled
0
0
0
0
0
0
0
Page 27 of 57
class-profile
average-rate-limit
nat-trust-threshold
deny-period
ext-policy-svr
symmetric-latching
pai-strip
trunk-context
early-media-allow
enforcement-profile
additional-prefixes
restricted-latching
restriction-mask
accounting-enable
user-cac-mode
user-cac-bandwidth
user-cac-sessions
icmp-target-ip
monthly-minutes
delay-media-update
refer-call-transfer
dyn-refer-term
codec-policy
constraint-name
xnq-state
hairpin-id
stun-enable
stun-server-ip
stun-server-port
stun-changed-ip
stun-changed-port
qos-constraint
sip-profile
sip-isup-profile
block-rtcp
last-modified-by
last-modified-date
redundancy-config
state
log-level
health-threshold
emergency-threshold
port
advertisement-time
percent-drift
initial-time
becoming-standby-time
becoming-active-time
cfg-port
cfg-max-trans
cfg-sync-start-time
cfg-sync-comp-time
gateway-heartbeat-interval
gateway-heartbeat-retry
gateway-heartbeat-timeout
gateway-heartbeat-health
media-if-peercheck-time
peer
520-0051-01
Dec 2011
0
high
0
0
0
0
30
0
0
disabled
disabled
none
32
enabled
none
0
0
0
0
0
disabled
disabled
disabled
disabled
disabled
xnq-unknown
0
disabled
0.0.0.0
3478
0.0.0.0
3479
disabled
disabled
admin@172.41.1.64
2010-08-09 12:11:13
enabled
INFO
75
50
9090
500
210
1250
180000
100
1987
10000
5000
1000
0
0
1
0
0
Page 28 of 57
name
state
type
destination
address
network-interface
destination
address
network-interface
Dec 2011
DDOS-SD1
enabled
Primary
169.254.1.1:9090
wancom1:0
169.254.2.1:9090
wancom2:0
peer
name
DDOS-SD2
state
enabled
type
Secondary
destination
address
169.254.1.2:9090
network-interface
wancom1:0
destination
address
169.254.2.2:9090
network-interface
wancom2:0
last-modified-by
admin@172.41.1.61
last-modified-date
2010-06-29 07:13:54
sip-config
state
enabled
operation-mode
dialog
dialog-transparency
enabled
home-realm-id
core
egress-realm-id
nat-mode
None
registrar-domain
*
registrar-host
*
registrar-port
5060
register-service-route
always
init-timer
500
max-timer
4000
trans-expire
32
invite-expire
180
inactive-dynamic-conn
32
enforcement-profile
pac-method
pac-interval
10
pac-strategy
PropDist
pac-load-weight
1
pac-session-weight
1
pac-route-weight
1
pac-callid-lifetime
600
pac-user-lifetime
3600
red-sip-port
1988
red-max-trans
10000
red-sync-start-time
5000
red-sync-comp-time
1000
add-reason-header
disabled
sip-message-len
4096
enum-sag-match
disabled
extra-method-stats
disabled
rph-feature
disabled
nsep-user-sessions-rate
0
nsep-sa-sessions-rate
0
registration-cache-limit
0
register-use-to-for-lp
disabled
options
max-udp-length=0
refer-src-routing
disabled
add-ucid-header
disabled
proxy-sub-events
pass-gruu-contact
disabled
sag-lookup-on-redirect
disabled
set-disconnect-time-on-bye
disabled
last-modified-by
admin@172.41.1.61
last-modified-date
2010-06-28 15:07:36
sip-interface
state
enabled
realm-id
access
description
IP+Port all access UAs signal to sip port
520-0051-01
Page 29 of 57
sip-port
address
port
transport-protocol
tls-profile
allow-anonymous
ims-aka-profile
carriers
trans-expire
invite-expire
max-redirect-contacts
proxy-mode
redirect-action
contact-mode
nat-traversal
nat-interval
tcp-nat-interval
registration-caching
min-reg-expire
registration-interval
route-to-registrar
secured-network
teluri-scheme
uri-fqdn-domain
trust-mode
max-nat-interval
nat-int-increment
nat-test-increment
sip-dynamic-hnt
stop-recurse
port-map-start
port-map-end
in-manipulationid
out-manipulationid
manipulation-string
sip-ims-feature
operator-identifier
anonymous-priority
max-incoming-conns
per-src-ip-max-incoming-conns
inactive-conn-timeout
untrusted-conn-timeout
network-id
ext-policy-server
default-location-string
charging-vector-mode
charging-function-address-mode
ccf-address
ecf-address
term-tgrp-mode
implicit-service-route
rfc2833-payload
rfc2833-mode
constraint-name
response-map
local-response-map
ims-aka-feature
enforcement-profile
route-unauthorized-calls
tcp-keepalive
add-sdp-invite
add-sdp-profiles
sip-profile
sip-isup-profile
last-modified-by
last-modified-date
sip-interface
state
realm-id
description
sip-port
520-0051-01
Dec 2011
197.168.11.100
5060
UDP
registered
0
0
0
none
always
45
90
enabled
30
3600
enabled
disabled
disabled
all
3600
10
30
disabled
401,407
0
0
disabled
none
0
0
0
0
pass
pass
none
disabled
101
transparent
disabled
none
disabled
admin@console
2010-10-22 03:34:09
enabled
core
Interface to core softswitch
Page 30 of 57
address
port
transport-protocol
tls-profile
allow-anonymous
ims-aka-profile
carriers
trans-expire
invite-expire
proxy-mode
redirect-action
contact-mode
nat-traversal
nat-interval
tcp-nat-interval
min-reg-expire
route-to-registrar
secured-network
teluri-scheme
uri-fqdn-domain
trust-mode
max-nat-interval
nat-int-increment
nat-test-increment
sip-dynamic-hnt
stop-recurse
port-map-start
port-map-end
in-manipulationid
out-manipulationid
manipulation-string
sip-ims-feature
operator-identifier
anonymous-priority
max-incoming-conns
network-id
ext-policy-server
ccf-address
ecf-address
term-tgrp-mode
rfc2833-payload
rfc2833-mode
constraint-name
response-map
local-response-map
ims-aka-feature
enforcement-profile
tcp-keepalive
add-sdp-invite
add-sdp-profiles
sip-profile
sip-isup-profile
last-modified-by
last-modified-date
steering-pool
ip-address
start-port
end-port
realm-id
network-interface
520-0051-01
Dec 2011
192.168.12.100
5060
UDP
all
0
0
0
none
none
30
90
disabled
300
3600
disabled
disabled
disabled
all
3600
10
30
disabled
401,407
0
0
disabled
none
0
0
0
0
pass
pass
none
disabled
101
transparent
disabled
none
disabled
admin@172.41.1.61
2010-06-28 15:10:43
197.168.11.100
49152
65535
access
Page 31 of 57
Dec 2011
last-modified-by
admin@console
last-modified-date
2010-09-07 19:33:29
steering-pool
ip-address
192.168.12.100
start-port
49152
end-port
65535
realm-id
core
network-interface
last-modified-by
admin@172.41.1.61
last-modified-date
2010-06-28 15:11:15
system-config
hostname
SD1.acmelab.com
description
Policy Based Realm Bridging
location
acmelab.com
mib-system-contact
Acme-SE
mib-system-name
SD1
mib-system-location
acmelab.com
snmp-enabled
enabled
enable-snmp-auth-traps
disabled
enable-snmp-syslog-notify
disabled
enable-snmp-monitor-traps
disabled
enable-env-monitor-traps
disabled
snmp-syslog-his-table-length
1
snmp-syslog-level
WARNING
system-log-level
WARNING
process-log-level
NOTICE
process-log-ip-address
0.0.0.0
process-log-port
0
collect
sample-interval
5
push-interval
15
boot-state
disabled
start-time
now
end-time
never
red-collect-state
disabled
red-max-trans
1000
red-sync-start-time
5000
red-sync-comp-time
1000
push-success-trap-state
disabled
call-trace
disabled
internal-trace
disabled
log-filter
all
default-gateway
172.41.0.1
restart
enabled
exceptions
telnet-timeout
0
console-timeout
0
remote-control
enabled
cli-audit-trail
enabled
link-redundancy-state
disabled
source-routing
disabled
cli-more
disabled
terminal-height
24
debug-timeout
0
trap-event-lifetime
0
default-v6-gateway
::
ipv6-support
disabled
cleanup-time-of-day
00:00
last-modified-by
admin@172.41.1.61
520-0051-01
Page 32 of 57
13
Dec 2011
Appendix B - NN 3820 SSNHTN Sample Configuration
local-policy
from-address
*
to-address
*
source-realm
description
activate-time
deactivate-time
state
policy-priority
last-modified-by
last-modified-date
policy-attribute
next-hop
realm
action
terminate-recursion
carrier
start-time
end-time
days-of-week
cost
app-protocol
state
methods
media-profiles
lookup
next-key
eloc-str-lkup
eloc-str-match
media-manager
state
latching
flow-time-limit
initial-guard-timer
subsq-guard-timer
tcp-flow-time-limit
hnt-rtcp
algd-log-level
mbcd-log-level
red-flow-port
red-mgcp-port
red-max-trans
red-sync-start-time
red-sync-comp-time
media-policing
tolerance-window
rtcp-rate-limit
deny-allocation
anonymous-sdp
arp-msg-bandwidth
520-0051-01
access
Route all access traffic to core Softswitch
N/A
N/A
enabled
none
admin@console
2010-10-26 02:36:14
172.16.124.61
core
none
disabled
0000
2400
U-S
0
SIP
enabled
single
disabled
enabled
enabled
86400
300
300
86400
300
300
2
disabled
NOTICE
NOTICE
1985
1986
10000
5000
1000
enabled
1041040
10
9
0
30
0
disabled
disabled
2000
4000
32000
disabled
32000
Page 33 of 57
Dec 2011
0
rfc2833-timestamp
disabled
100
disabled
disabled
disabled
last-modified-by
admin@console
last-modified-date
2010-11-05 19:49:25
network-interface
name
M00
sub-port-id
0
description
hostname
ip-address
197.168.11.100
pri-utility-addr
197.168.11.101
sec-utility-addr
197.168.11.102
netmask
255.255.255.0
gateway
197.168.11.1
sec-gateway
gw-heartbeat
state
disabled
heartbeat
0
retry-count
0
retry-timeout
1
health-score
0
dns-ip-primary
dns-ip-backup1
dns-ip-backup2
dns-domain
dns-timeout
11
hip-ip-list
ftp-address
icmp-address
snmp-address
telnet-address
ssh-address
last-modified-by
admin@console
last-modified-date
2010-09-08 14:15:40
network-interface
name
M10
sub-port-id
0
description
hostname
ip-address
192.168.12.100
pri-utility-addr
192.168.12.101
sec-utility-addr
192.168.12.102
netmask
255.255.255.0
gateway
192.168.12.1
sec-gateway
gw-heartbeat
state
disabled
heartbeat
0
retry-count
0
retry-timeout
1
health-score
0
dns-ip-primary
dns-ip-backup1
dns-ip-backup2
dns-domain
dns-timeout
11
hip-ip-list
ftp-address
icmp-address
snmp-address
telnet-address
ssh-address
last-modified-by
admin@console
last-modified-date
2010-10-26 02:38:11
network-interface
name
wancom1
sub-port-id
0
520-0051-01
Page 34 of 57

description
hostname
ip-address
pri-utility-addr
sec-utility-addr
netmask
gateway
sec-gateway
gw-heartbeat
state
heartbeat
retry-count
retry-timeout
health-score
dns-ip-primary
dns-ip-backup1
dns-ip-backup2
dns-domain
dns-timeout
hip-ip-list
ftp-address
icmp-address
snmp-address
telnet-address
ssh-address
last-modified-by
last-modified-date
network-interface
name
sub-port-id
description
hostname
ip-address
pri-utility-addr
sec-utility-addr
netmask
gateway
sec-gateway
gw-heartbeat
state
heartbeat
retry-count
retry-timeout
health-score
dns-ip-primary
dns-ip-backup1
dns-ip-backup2
dns-domain
dns-timeout
hip-ip-list
ftp-address
icmp-address
snmp-address
telnet-address
ssh-address
last-modified-by
last-modified-date
phy-interface
name
operation-type
port
slot
virtual-mac
admin-state
auto-negotiation
duplex-mode
speed
overload-protection
last-modified-by
last-modified-date
phy-interface
name
520-0051-01
Dec 2011
169.254.1.1
169.254.1.2
255.255.255.252
disabled
0
0
1
0
11
admin@172.41.1.61
2010-06-29 07:10:21
wancom2
0
169.254.2.1
169.254.2.2
255.255.255.252
disabled
0
0
1
0
11
admin@172.41.1.61
2010-06-29 07:10:43
M00
Media
0
0
00:08:25:01:3f:de
enabled
enabled
FULL
1000
disabled
admin@console
2010-06-29 09:04:30
M10
Page 35 of 57
operation-type
port
slot
virtual-mac
admin-state
auto-negotiation
duplex-mode
speed
overload-protection
last-modified-by
last-modified-date
phy-interface
name
operation-type
port
slot
virtual-mac
wancom-health-score
overload-protection
last-modified-by
last-modified-date
phy-interface
name
operation-type
port
slot
virtual-mac
wancom-health-score
overload-protection
last-modified-by
last-modified-date
realm-config
identifier
description
addr-prefix
network-interfaces
Media
0
1
00:08:25:01:3f:df
enabled
enabled
FULL
1000
disabled
admin@console
2010-06-29 09:04:44
wancom1
Control
1
0
8
disabled
admin@172.41.1.61
2010-06-29 08:07:10
wancom2
Control
2
0
9
disabled
admin@172.41.1.61
2010-06-29 08:07:49
access
0.0.0.0
mm-in-realm
mm-in-network
mm-same-ip
mm-in-system
bw-cac-non-mm
msm-release
qos-enable
max-bandwidth
fallback-bandwidth
max-latency
max-jitter
max-packet-loss
observ-window-size
parent-realm
dns-realm
media-policy
media-sec-policy
in-translationid
out-translationid
in-manipulationid
out-manipulationid
manipulation-string
class-profile
average-rate-limit
nat-trust-threshold
deny-period
520-0051-01
Dec 2011
M00:0
disabled
enabled
enabled
enabled
disabled
disabled
disabled
disabled
0
0
0
0
0
0
0
0
medium
1
0
0
0
30
0
0
Page 36 of 57
ext-policy-svr
symmetric-latching
pai-strip
trunk-context
early-media-allow
enforcement-profile
additional-prefixes
restricted-latching
restriction-mask
accounting-enable
user-cac-mode
user-cac-bandwidth
user-cac-sessions
icmp-target-ip
monthly-minutes
delay-media-update
refer-call-transfer
dyn-refer-term
codec-policy
constraint-name
xnq-state
hairpin-id
stun-enable
stun-server-ip
stun-server-port
stun-changed-ip
stun-changed-port
qos-constraint
sip-profile
sip-isup-profile
block-rtcp
last-modified-by
last-modified-date
realm-config
identifier
description
addr-prefix
network-interfaces
mm-in-realm
mm-in-network
mm-same-ip
mm-in-system
bw-cac-non-mm
msm-release
qos-enable
max-bandwidth
fallback-bandwidth
max-latency
max-jitter
max-packet-loss
observ-window-size
parent-realm
dns-realm
media-policy
media-sec-policy
in-translationid
out-translationid
in-manipulationid
out-manipulationid
manipulation-string
520-0051-01
Dec 2011
disabled
disabled
none
32
enabled
none
0
0
0
0
0
disabled
disabled
disabled
disabled
disabled
xnq-unknown
0
disabled
0.0.0.0
3478
0.0.0.0
3479
disabled
disabled
admin@console
2010-10-26 02:34:06
core
0.0.0.0
M10:0
disabled
enabled
enabled
enabled
disabled
disabled
disabled
disabled
0
0
0
0
0
0
0
Page 37 of 57
class-profile
average-rate-limit
nat-trust-threshold
deny-period
ext-policy-svr
symmetric-latching
pai-strip
trunk-context
early-media-allow
enforcement-profile
additional-prefixes
restricted-latching
restriction-mask
accounting-enable
user-cac-mode
user-cac-bandwidth
user-cac-sessions
icmp-target-ip
monthly-minutes
delay-media-update
refer-call-transfer
dyn-refer-term
codec-policy
constraint-name
xnq-state
hairpin-id
stun-enable
stun-server-ip
stun-server-port
stun-changed-ip
stun-changed-port
qos-constraint
sip-profile
sip-isup-profile
block-rtcp
last-modified-by
last-modified-date
redundancy-config
state
log-level
health-threshold
emergency-threshold
port
advertisement-time
percent-drift
initial-time
cfg-port
cfg-max-trans
cfg-sync-start-time
cfg-sync-comp-time
peer
520-0051-01
Dec 2011
0
high
0
0
0
0
30
0
0
disabled
disabled
none
32
enabled
none
0
0
0
0
0
disabled
disabled
disabled
disabled
disabled
xnq-unknown
0
disabled
0.0.0.0
3478
0.0.0.0
3479
disabled
disabled
admin@172.41.1.64
2010-08-09 12:11:13
enabled
INFO
75
50
9090
500
210
1250
180000
100
1987
10000
5000
1000
0
0
1
0
0
Page 38 of 57
name
state
type
destination
address
network-interface
destination
address
network-interface
Dec 2011
DDOS-SD1
enabled
Primary
169.254.1.1:9090
wancom1:0
169.254.2.1:9090
wancom2:0
peer
name
DDOS-SD2
state
enabled
type
Secondary
destination
address
169.254.1.2:9090
network-interface
wancom1:0
destination
address
169.254.2.2:9090
network-interface
wancom2:0
last-modified-by
admin@172.41.1.61
last-modified-date
2010-06-29 07:13:54
sip-config
state
enabled
operation-mode
dialog
dialog-transparency
enabled
home-realm-id
core
egress-realm-id
nat-mode
Public
registrar-domain
*
registrar-host
*
registrar-port
5060
always
init-timer
500
max-timer
4000
trans-expire
32
invite-expire
180
32
enforcement-profile
pac-method
pac-interval
10
pac-strategy
PropDist
pac-load-weight
1
pac-session-weight
1
pac-route-weight
1
pac-callid-lifetime
600
pac-user-lifetime
3600
red-sip-port
1988
red-max-trans
10000
red-sync-start-time
5000
red-sync-comp-time
1000
add-reason-header
disabled
sip-message-len
4096
enum-sag-match
disabled
extra-method-stats
disabled
rph-feature
disabled
0
0
0
disabled
options
max-udp-length=0
refer-src-routing
disabled
add-ucid-header
disabled
proxy-sub-events
pass-gruu-contact
disabled
disabled
disabled
last-modified-by
admin@console
last-modified-date
2010-10-14 15:41:59
sip-interface
state
enabled
realm-id
access
description
520-0051-01
Page 39 of 57
sip-port
address
port
transport-protocol
tls-profile
allow-anonymous
ims-aka-profile
carriers
trans-expire
invite-expire
proxy-mode
redirect-action
contact-mode
nat-traversal
nat-interval
tcp-nat-interval
min-reg-expire
route-to-registrar
secured-network
teluri-scheme
uri-fqdn-domain
trust-mode
max-nat-interval
nat-int-increment
nat-test-increment
sip-dynamic-hnt
stop-recurse
port-map-start
port-map-end
in-manipulationid
out-manipulationid
manipulation-string
sip-ims-feature
operator-identifier
anonymous-priority
max-incoming-conns
network-id
ext-policy-server
ccf-address
ecf-address
term-tgrp-mode
rfc2833-payload
rfc2833-mode
constraint-name
response-map
local-response-map
ims-aka-feature
enforcement-profile
tcp-keepalive
add-sdp-invite
add-sdp-profiles
sip-profile
sip-isup-profile
last-modified-by
last-modified-date
sip-interface
state
realm-id
description
sip-port
520-0051-01
Dec 2011
197.168.11.100
5060
UDP
registered
0
0
0
none
always
45
90
enabled
30
3600
enabled
disabled
disabled
all
3600
10
30
disabled
401,407
0
0
disabled
none
0
0
0
0
pass
pass
none
disabled
101
transparent
disabled
none
disabled
admin@console
2010-10-26 02:58:13
enabled
core
Page 40 of 57
address
port
transport-protocol
tls-profile
allow-anonymous
ims-aka-profile
carriers
trans-expire
invite-expire
proxy-mode
redirect-action
contact-mode
nat-traversal
nat-interval
tcp-nat-interval
min-reg-expire
route-to-registrar
secured-network
teluri-scheme
uri-fqdn-domain
trust-mode
max-nat-interval
nat-int-increment
nat-test-increment
sip-dynamic-hnt
stop-recurse
port-map-start
port-map-end
in-manipulationid
out-manipulationid
manipulation-string
sip-ims-feature
operator-identifier
anonymous-priority
max-incoming-conns
network-id
ext-policy-server
ccf-address
ecf-address
term-tgrp-mode
rfc2833-payload
rfc2833-mode
constraint-name
response-map
local-response-map
ims-aka-feature
enforcement-profile
tcp-keepalive
add-sdp-invite
add-sdp-profiles
sip-profile
sip-isup-profile
last-modified-by
last-modified-date
Dec 2011
192.168.12.100
5060
UDP
all
0
0
0
none
none
30
90
disabled
300
3600
disabled
disabled
disabled
all
3600
10
30
disabled
401,407
0
0
disabled
none
0
0
0
0
pass
pass
none
disabled
101
transparent
disabled
none
disabled
admin@172.41.1.61
2010-06-28 15:10:43
sip-nat
realm-id
domain-suffix
ext-proxy-address
ext-proxy-port
ext-address
520-0051-01
access
.access.com
1.1.1.1
5060
197.168.11.100
Page 41 of 57

home-address
home-proxy-address
home-proxy-port
route-home-proxy
address-prefix
tunnel-redirect
use-url-parameter
parameter-name
user-nat-tag
host-nat-tag
headers
Dec 2011
192.168.12.105
172.16.124.61
5060
disabled
*
disabled
none
-accessACCESSCall-ID Contact f From i Join m r
Record-Route Refer-To Replaces Reply-To
Route t To v Via
admin@console
2010-10-26 02:36:45
last-modified-by
last-modified-date
steering-pool
ip-address
197.168.11.100
start-port
49152
end-port
65535
realm-id
access
network-interface
last-modified-by
admin@console
last-modified-date
2010-09-07 19:33:29
steering-pool
ip-address
192.168.12.100
start-port
49152
end-port
65535
realm-id
core
network-interface
last-modified-by
admin@172.41.1.61
last-modified-date
2010-06-28 15:11:15
system-config
hostname
SD1.acmelab.com
description
Single NAT homed in Trusted Network
location
acmelab.com
mib-system-contact
Acme-SE
mib-system-name
SD1
mib-system-location
acmelab.com
snmp-enabled
enabled
disabled
disabled
disabled
disabled
1
snmp-syslog-level
WARNING
system-log-level
WARNING
process-log-level
NOTICE
0.0.0.0
process-log-port
0
collect
sample-interval
5
push-interval
15
boot-state
disabled
start-time
now
end-time
never
red-collect-state
disabled
red-max-trans
1000
red-sync-start-time
5000
red-sync-comp-time
1000
disabled
call-trace
disabled
internal-trace
disabled
log-filter
all
default-gateway
172.41.0.1
restart
enabled
exceptions
telnet-timeout
0
console-timeout
0
remote-control
enabled
cli-audit-trail
enabled
disabled
source-routing
disabled
520-0051-01
Page 42 of 57

cli-more
terminal-height
debug-timeout
trap-event-lifetime
default-v6-gateway
ipv6-support
cleanup-time-of-day
last-modified-by
last-modified-date
520-0051-01
Dec 2011
disabled
24
0
0
::
disabled
00:00
admin@console
2010-10-26 02:37:32
Page 43 of 57
14
Dec 2011
Appendix C - NN 3820 SNB Sample Configuration
media-manager
state
enabled
latching
enabled
flow-time-limit
86400
initial-guard-timer
300
subsq-guard-timer
300
tcp-flow-time-limit
86400
300
300
2
hnt-rtcp
disabled
algd-log-level
NOTICE
mbcd-log-level
NOTICE
red-flow-port
1985
red-mgcp-port
1986
red-max-trans
10000
red-sync-start-time
5000
red-sync-comp-time
1000
media-policing
enabled
1041040
10
9
0
tolerance-window
30
rtcp-rate-limit
0
disabled
disabled
2000
4000
deny-allocation
32000
anonymous-sdp
disabled
arp-msg-bandwidth
32000
0
rfc2833-timestamp
disabled
100
disabled
disabled
disabled
last-modified-by
admin@console
last-modified-date
2010-11-05 18:14:11
network-interface
name
M00
sub-port-id
0
description
hostname
ip-address
197.168.11.100
pri-utility-addr
197.168.11.101
sec-utility-addr
197.168.11.102
netmask
255.255.255.0
gateway
197.168.11.1
sec-gateway
gw-heartbeat
state
disabled
heartbeat
0
retry-count
0
retry-timeout
1
health-score
0
dns-ip-primary
dns-ip-backup1
dns-ip-backup2
dns-domain
dns-timeout
11
hip-ip-list
520-0051-01
Page 44 of 57

ftp-address
icmp-address
snmp-address
telnet-address
ssh-address
last-modified-by
last-modified-date
network-interface
name
sub-port-id
description
hostname
ip-address
pri-utility-addr
sec-utility-addr
netmask
gateway
sec-gateway
gw-heartbeat
state
heartbeat
retry-count
retry-timeout
health-score
dns-ip-primary
dns-ip-backup1
dns-ip-backup2
dns-domain
dns-timeout
hip-ip-list
ftp-address
icmp-address
snmp-address
telnet-address
ssh-address
last-modified-by
last-modified-date
network-interface
name
sub-port-id
description
hostname
ip-address
pri-utility-addr
sec-utility-addr
netmask
gateway
sec-gateway
gw-heartbeat
state
heartbeat
retry-count
retry-timeout
health-score
dns-ip-primary
dns-ip-backup1
dns-ip-backup2
dns-domain
dns-timeout
hip-ip-list
ftp-address
icmp-address
snmp-address
telnet-address
ssh-address
last-modified-by
last-modified-date
network-interface
name
sub-port-id
description
hostname
520-0051-01
Dec 2011
admin@console
2010-09-08 14:15:40
M10
0
192.168.12.100
192.168.12.101
192.168.12.102
255.255.255.0
192.168.12.1
disabled
0
0
1
0
11
admin@console
2010-10-27 03:59:38
wancom1
0
169.254.1.1
169.254.1.2
255.255.255.252
disabled
0
0
1
0
11
admin@172.41.1.61
2010-06-29 07:10:21
wancom2
0
Page 45 of 57

ip-address
pri-utility-addr
sec-utility-addr
netmask
gateway
sec-gateway
gw-heartbeat
state
heartbeat
retry-count
retry-timeout
health-score
dns-ip-primary
dns-ip-backup1
dns-ip-backup2
dns-domain
dns-timeout
hip-ip-list
ftp-address
icmp-address
snmp-address
telnet-address
ssh-address
last-modified-by
last-modified-date
phy-interface
name
operation-type
port
slot
virtual-mac
admin-state
auto-negotiation
duplex-mode
speed
overload-protection
last-modified-by
last-modified-date
phy-interface
name
operation-type
port
slot
virtual-mac
admin-state
auto-negotiation
duplex-mode
speed
overload-protection
last-modified-by
last-modified-date
phy-interface
name
operation-type
port
slot
virtual-mac
wancom-health-score
overload-protection
last-modified-by
last-modified-date
phy-interface
name
operation-type
port
slot
virtual-mac
wancom-health-score
overload-protection
last-modified-by
last-modified-date
realm-config
520-0051-01
Dec 2011
169.254.2.1
169.254.2.2
255.255.255.252
disabled
0
0
1
0
11
admin@172.41.1.61
2010-06-29 07:10:43
M00
Media
0
0
00:08:25:01:3f:de
enabled
enabled
FULL
1000
disabled
admin@console
2010-06-29 09:04:30
M10
Media
0
1
00:08:25:01:3f:df
enabled
enabled
FULL
1000
disabled
admin@console
2010-06-29 09:04:44
wancom1
Control
1
0
8
disabled
admin@172.41.1.61
2010-06-29 08:07:10
wancom2
Control
2
0
9
disabled
admin@172.41.1.61
2010-06-29 08:07:49
Page 46 of 57
identifier
description
addr-prefix
network-interfaces
access
0.0.0.0
mm-in-realm
mm-in-network
mm-same-ip
mm-in-system
bw-cac-non-mm
msm-release
qos-enable
max-bandwidth
fallback-bandwidth
max-latency
max-jitter
max-packet-loss
observ-window-size
parent-realm
dns-realm
media-policy
media-sec-policy
in-translationid
out-translationid
in-manipulationid
out-manipulationid
manipulation-string
class-profile
average-rate-limit
nat-trust-threshold
deny-period
ext-policy-svr
symmetric-latching
pai-strip
trunk-context
early-media-allow
enforcement-profile
additional-prefixes
restricted-latching
restriction-mask
accounting-enable
user-cac-mode
user-cac-bandwidth
user-cac-sessions
icmp-target-ip
monthly-minutes
delay-media-update
refer-call-transfer
dyn-refer-term
codec-policy
constraint-name
xnq-state
hairpin-id
stun-enable
stun-server-ip
stun-server-port
stun-changed-ip
520-0051-01
Dec 2011
M00:0
disabled
enabled
enabled
enabled
disabled
disabled
disabled
disabled
0
0
0
0
0
0
0
0
medium
1
0
0
0
30
0
0
disabled
disabled
none
32
enabled
none
0
0
0
0
0
disabled
disabled
disabled
disabled
disabled
xnq-unknown
0
disabled
0.0.0.0
3478
0.0.0.0
Page 47 of 57
stun-changed-port
qos-constraint
sip-profile
sip-isup-profile
block-rtcp
last-modified-by
last-modified-date
realm-config
identifier
description
addr-prefix
network-interfaces
mm-in-realm
mm-in-network
mm-same-ip
mm-in-system
bw-cac-non-mm
msm-release
qos-enable
max-bandwidth
fallback-bandwidth
max-latency
max-jitter
max-packet-loss
observ-window-size
parent-realm
dns-realm
media-policy
media-sec-policy
in-translationid
out-translationid
in-manipulationid
out-manipulationid
manipulation-string
class-profile
average-rate-limit
nat-trust-threshold
deny-period
ext-policy-svr
symmetric-latching
pai-strip
trunk-context
early-media-allow
enforcement-profile
additional-prefixes
restricted-latching
restriction-mask
accounting-enable
user-cac-mode
user-cac-bandwidth
user-cac-sessions
icmp-target-ip
monthly-minutes
delay-media-update
refer-call-transfer
dyn-refer-term
520-0051-01
Dec 2011
3479
disabled
disabled
admin@console
2010-10-27 04:01:09
core
0.0.0.0
M10:0
disabled
enabled
enabled
enabled
disabled
disabled
disabled
disabled
0
0
0
0
0
0
0
0
high
0
0
0
0
30
0
0
disabled
disabled
none
32
enabled
none
0
0
0
0
0
disabled
disabled
disabled
disabled
Page 48 of 57
codec-policy
constraint-name
xnq-state
hairpin-id
stun-enable
stun-server-ip
stun-server-port
stun-changed-ip
stun-changed-port
qos-constraint
sip-profile
sip-isup-profile
block-rtcp
last-modified-by
last-modified-date
realm-config
identifier
description
addr-prefix
network-interfaces
mm-in-realm
mm-in-network
mm-same-ip
mm-in-system
bw-cac-non-mm
msm-release
qos-enable
max-bandwidth
fallback-bandwidth
max-latency
max-jitter
max-packet-loss
observ-window-size
parent-realm
dns-realm
media-policy
media-sec-policy
in-translationid
out-translationid
in-manipulationid
out-manipulationid
manipulation-string
class-profile
average-rate-limit
nat-trust-threshold
deny-period
ext-policy-svr
symmetric-latching
pai-strip
trunk-context
early-media-allow
enforcement-profile
additional-prefixes
restricted-latching
restriction-mask
accounting-enable
user-cac-mode
520-0051-01
Dec 2011
disabled
xnq-unknown
0
disabled
0.0.0.0
3478
0.0.0.0
3479
disabled
disabled
admin@172.41.1.64
2010-08-09 12:11:13
acme
Internal home realm
127.0.0.0/8
lo0:0
disabled
enabled
enabled
enabled
disabled
disabled
disabled
disabled
0
0
0
0
0
0
0
0
none
0
0
0
0
30
0
0
disabled
disabled
none
32
enabled
none
Page 49 of 57
Dec 2011
user-cac-bandwidth
0
user-cac-sessions
0
0
0
icmp-target-ip
monthly-minutes
0
disabled
delay-media-update
disabled
refer-call-transfer
disabled
dyn-refer-term
disabled
codec-policy
disabled
constraint-name
xnq-state
xnq-unknown
hairpin-id
0
stun-enable
disabled
stun-server-ip
0.0.0.0
stun-server-port
3478
stun-changed-ip
0.0.0.0
stun-changed-port
3479
qos-constraint
sip-profile
sip-isup-profile
block-rtcp
disabled
disabled
last-modified-by
admin@console
last-modified-date
2010-10-14 14:34:57
redundancy-config
state
enabled
log-level
INFO
health-threshold
75
emergency-threshold
50
port
9090
advertisement-time
500
percent-drift
210
initial-time
1250
180000
100
cfg-port
1987
cfg-max-trans
10000
cfg-sync-start-time
5000
cfg-sync-comp-time
1000
0
0
1
0
0
peer
name
DDOS-SD1
state
enabled
type
Primary
destination
address
169.254.1.1:9090
network-interface
wancom1:0
destination
address
169.254.2.1:9090
network-interface
wancom2:0
peer
name
DDOS-SD2
state
enabled
type
Secondary
destination
address
169.254.1.2:9090
network-interface
wancom1:0
destination
address
169.254.2.2:9090
network-interface
wancom2:0
last-modified-by
admin@172.41.1.61
last-modified-date
2010-06-29 07:13:54
sip-config
520-0051-01
Page 50 of 57
state
operation-mode
dialog-transparency
home-realm-id
egress-realm-id
nat-mode
registrar-domain
registrar-host
registrar-port
init-timer
max-timer
trans-expire
invite-expire
enforcement-profile
pac-method
pac-interval
pac-strategy
pac-load-weight
pac-session-weight
pac-route-weight
pac-callid-lifetime
pac-user-lifetime
red-sip-port
red-max-trans
red-sync-start-time
red-sync-comp-time
add-reason-header
sip-message-len
enum-sag-match
extra-method-stats
rph-feature
options
refer-src-routing
add-ucid-header
proxy-sub-events
pass-gruu-contact
last-modified-by
last-modified-date
sip-interface
state
realm-id
description
sip-port
address
port
transport-protocol
tls-profile
allow-anonymous
ims-aka-profile
carriers
trans-expire
invite-expire
proxy-mode
redirect-action
contact-mode
nat-traversal
nat-interval
tcp-nat-interval
min-reg-expire
route-to-registrar
secured-network
520-0051-01
Dec 2011
enabled
dialog
enabled
acme
Public
*
*
5060
always
500
4000
32
180
32
10
PropDist
1
1
1
600
3600
1988
10000
5000
1000
disabled
4096
disabled
disabled
disabled
0
0
0
disabled
max-udp-length=0
disabled
disabled
disabled
disabled
disabled
admin@console
2010-10-14 14:35:41
enabled
access
197.168.11.100
5060
UDP
registered
0
0
0
none
always
45
90
enabled
30
3600
enabled
disabled
Page 51 of 57
teluri-scheme
uri-fqdn-domain
trust-mode
max-nat-interval
nat-int-increment
nat-test-increment
sip-dynamic-hnt
stop-recurse
port-map-start
port-map-end
in-manipulationid
out-manipulationid
manipulation-string
sip-ims-feature
operator-identifier
anonymous-priority
max-incoming-conns
network-id
ext-policy-server
ccf-address
ecf-address
term-tgrp-mode
rfc2833-payload
rfc2833-mode
constraint-name
response-map
local-response-map
ims-aka-feature
enforcement-profile
tcp-keepalive
add-sdp-invite
add-sdp-profiles
sip-profile
sip-isup-profile
last-modified-by
last-modified-date
sip-interface
state
realm-id
description
sip-port
address
port
transport-protocol
tls-profile
allow-anonymous
ims-aka-profile
carriers
trans-expire
invite-expire
proxy-mode
redirect-action
contact-mode
nat-traversal
nat-interval
tcp-nat-interval
min-reg-expire
route-to-registrar
secured-network
teluri-scheme
520-0051-01
Dec 2011
disabled
all
3600
10
30
disabled
401,407
0
0
disabled
none
0
0
0
0
pass
pass
none
disabled
101
transparent
disabled
none
disabled
admin@console
2010-10-27 04:01:32
enabled
core
192.168.12.100
5060
UDP
all
0
0
0
none
none
30
90
disabled
300
3600
disabled
disabled
disabled
Page 52 of 57
uri-fqdn-domain
trust-mode
max-nat-interval
nat-int-increment
nat-test-increment
sip-dynamic-hnt
stop-recurse
port-map-start
port-map-end
in-manipulationid
out-manipulationid
manipulation-string
sip-ims-feature
operator-identifier
anonymous-priority
max-incoming-conns
network-id
ext-policy-server
ccf-address
ecf-address
term-tgrp-mode
rfc2833-payload
rfc2833-mode
constraint-name
response-map
local-response-map
ims-aka-feature
enforcement-profile
tcp-keepalive
add-sdp-invite
add-sdp-profiles
sip-profile
sip-isup-profile
last-modified-by
last-modified-date
sip-interface
state
realm-id
description
sip-port
address
port
transport-protocol
tls-profile
allow-anonymous
ims-aka-profile
carriers
trans-expire
invite-expire
proxy-mode
redirect-action
contact-mode
nat-traversal
nat-interval
tcp-nat-interval
min-reg-expire
route-to-registrar
secured-network
teluri-scheme
uri-fqdn-domain
520-0051-01
Dec 2011
all
3600
10
30
disabled
401,407
0
0
disabled
none
0
0
0
0
pass
pass
none
disabled
101
transparent
disabled
none
disabled
admin@172.41.1.61
2010-06-28 15:10:43
enabled
acme
127.255.255.254
5060
UDP
all
0
0
0
none
none
30
90
disabled
300
3600
disabled
disabled
disabled
Page 53 of 57
trust-mode
max-nat-interval
nat-int-increment
nat-test-increment
sip-dynamic-hnt
stop-recurse
port-map-start
port-map-end
in-manipulationid
out-manipulationid
manipulation-string
sip-ims-feature
operator-identifier
anonymous-priority
max-incoming-conns
network-id
ext-policy-server
ccf-address
ecf-address
term-tgrp-mode
rfc2833-payload
rfc2833-mode
constraint-name
response-map
local-response-map
ims-aka-feature
enforcement-profile
tcp-keepalive
add-sdp-invite
add-sdp-profiles
sip-profile
sip-isup-profile
last-modified-by
last-modified-date
Dec 2011
all
3600
10
30
disabled
401,407
0
0
disabled
none
0
0
0
0
pass
pass
none
disabled
101
transparent
disabled
none
disabled
admin@console
2010-10-14 14:37:20
sip-nat
realm-id
domain-suffix
ext-proxy-address
ext-proxy-port
ext-address
home-address
home-proxy-address
home-proxy-port
route-home-proxy
address-prefix
tunnel-redirect
use-url-parameter
parameter-name
user-nat-tag
host-nat-tag
headers
last-modified-by
last-modified-date
access
.access.com
1.1.1.1
5060
197.168.11.100
127.0.0.100
127.0.0.101
5060
enabled
*
disabled
none
-accessACCESSCall-ID Contact f From i Join m r
Route t To v Via
admin@console
2010-10-14 14:40:27
sip-nat
realm-id
domain-suffix
ext-proxy-address
ext-proxy-port
ext-address
home-address
home-proxy-address
520-0051-01
core
.core.com
172.16.124.61
5060
192.168.12.100
127.0.0.101
Page 54 of 57

home-proxy-port
route-home-proxy
address-prefix
tunnel-redirect
use-url-parameter
parameter-name
user-nat-tag
host-nat-tag
headers
Dec 2011
5060
enabled
*
disabled
none
-coreCORECall-ID Contact f From i Join m r
Route t To v Via
admin@console
2010-10-27 03:59:10
last-modified-by
last-modified-date
steering-pool
ip-address
197.168.11.100
start-port
49152
end-port
65535
realm-id
access
network-interface
last-modified-by
admin@console
last-modified-date
2010-09-07 19:33:29
steering-pool
ip-address
192.168.12.100
start-port
49152
end-port
65535
realm-id
core
network-interface
last-modified-by
admin@172.41.1.61
last-modified-date
2010-06-28 15:11:15
system-config
hostname
SD1.acmelab.com
description
SIP NAT Bridge
location
acmelab.com
mib-system-contact
Acme-SE
mib-system-name
SD1
mib-system-location
acmelab.com
snmp-enabled
enabled
disabled
disabled
disabled
disabled
1
snmp-syslog-level
WARNING
system-log-level
WARNING
process-log-level
NOTICE
0.0.0.0
process-log-port
0
collect
sample-interval
5
push-interval
15
boot-state
disabled
start-time
now
end-time
never
red-collect-state
disabled
red-max-trans
1000
red-sync-start-time
5000
red-sync-comp-time
1000
disabled
call-trace
disabled
internal-trace
disabled
log-filter
all
default-gateway
172.41.0.1
restart
enabled
exceptions
telnet-timeout
0
console-timeout
0
remote-control
enabled
cli-audit-trail
enabled
disabled
source-routing
disabled
cli-more
disabled
terminal-height
24
520-0051-01
Page 55 of 57

debug-timeout
trap-event-lifetime
default-v6-gateway
ipv6-support
cleanup-time-of-day
last-modified-by
last-modified-date
520-0051-01
Dec 2011
0
0
::
disabled
00:00
admin@console
2010-10-14 14:38:12
Page 56 of 57
15
Dec 2011
Appendix D - Subscriber and Traffic Information for Background Traffic
For all platform/model combinations below, a varying rate of registration was used to create 7-10% of overall
CPU usage. Several techniques were used. For example, for the first test case below, a 10 reg/sec
registration rate with all endpoint registrations being forwarded through the SD to the registrar, and a 90
reg/sec registration rate with only local refreshes produce roughly the same CPU utilization. Below are calls
per second implemented on top of these registration baselines.
Model
PBRB
SSNHTN
SNB

Access
Core
Call/Sec
CHT (sec)
Concurrent Sessions
4800
4800
25
60
1500
4800
4800
23
60
1380
4800
4800
21
60
1260
Model
PBRB
SSNHTN
SNB

Access
Core
Call/Sec
CHT (sec)
Concurrent Sessions
4800
4800
25
60
1500
4800
4800
23
60
1380
4800
4800
21
60
1260
Model
PBRB
SSNHTN
SNB
NN 4500 CPU-1 256k CAM 3Gb Memory w/copper GigE

Access
Core
Call/Sec
CHT (sec)
Concurrent Sessions
4800
4800
60
60
3600
4800
4800
56
60
3360
4800
4800
50
60
3000
Model
PBRB
SSNHTN
SNB
NN 4500 CPU-2 256k CAM 3Gb Memory w/copper GigE

Access
Core
Call/Sec
CHT (sec)
Concurrent Sessions
9600
9600
102
60
6120
9600
9600
95
60
5700
9600
9600
80
60
4800
Model
PBRB
SSNHTN
SNB
NN 3820 128k CAM 3Gb Memory copper single GigE

Access
Core
Call/Sec
CHT (sec)
Concurrent Sessions
4800
4800
44
60
2640
4800
4800
40
60
2400
4800
4800
37
60
2220
SD Configuration note:
The registration-interval for the SIP Interface in the access realm was configured for 480 to
allow for level of registration traffic that was reasonably consistent. It was also set to this value to
make the initial registration time feasible for starting new tests.
520-0051-01
Page 57 of 57

520-0051-01 BCP - Basic DDoS Configuration For SIP Access Environments

Hochgeladen von

Dokumentinformationen

Originaltitel

Copyright

Verfügbare Formate

Dieses Dokument teilen

Dokument teilen oder einbetten

Freigabeoptionen

Stufen Sie dieses Dokument als nützlich ein?

Sind diese Inhalte unangemessen?

Copyright:

Verfügbare Formate

520-0051-01 BCP - Basic DDoS Configuration For SIP Access Environments

Hochgeladen von

Copyright:

Verfügbare Formate

BCP - Basic DDoS

Configuration for SIP

Copyright 2010 Acme Packet, Inc. All Rights Reserved.

Status of this memo

Best Current Practice

Basic DDoS Configuration for SIP Access Environments

Acronyms and Definitions

Distributed Denial of Service

Acme Packet Net-Net Session Director

SD Policy Based Realm Bridging SIP Access Model

SD SIP NAT Bridge SIP Access Model

SD Single SIP NAT Hosted in Trusted Network SIP Access Model

Acme Packet Proprietary and Confidential

Best Current Practice

Basic DDoS Configuration for SIP Access Environments

Internal Acme Tool to create SIP flooding and spoofing attacks

Best Current Practices

Call Hold Time

Acme Packet Proprietary and Confidential

Best Current Practice

Basic DDoS Configuration for SIP Access Environments

EDU-CAB-C-CLI: Net-Net 3000/4000 Configuration Basics

EDU-ADV-OE: Net-Net Advanced Configuration

Acme Packet Proprietary and Confidential

Best Current Practice

Basic DDoS Configuration for SIP Access Environments

Policy Based Realm Bridging Model

Acme Packet Proprietary and Confidential

Best Current Practice

Basic DDoS Configuration for SIP Access Environments

Acme Packet Proprietary and Confidential

Best Current Practice

Basic DDoS Configuration for SIP Access Environments

Maximum Signaling Bandwidth (max-signaling-bandwidth)

Max and Min Untrusted Signaling Percentages (max-untrusted-signaling min-untrusted-signaling)

Maximum Signaling Threshold (max-signaling-threshold)

Acme Packet Proprietary and Confidential

Best Current Practice

Basic DDoS Configuration for SIP Access Environments

Acme Packet Proprietary and Confidential

Best Current Practice

Basic DDoS Configuration for SIP Access Environments

No subscribers will be denied under the scope of this testing.

It is a non-goal to define advanced DDoS configurations.

Inherent Configuration Benefits

Acme Packet Proprietary and Confidential

Best Current Practice

Basic DDoS Configuration for SIP Access Environments

DDoS Configuration Parameter Descriptions

This is calculated as defined in the Test Methodology section above.

Acme Packet Proprietary and Confidential

Best Current Practice

Basic DDoS Configuration for SIP Access Environments

The following sip-interface->sip-ports parameter should be used for access environments.

DDoS-2 for software release S-CX6.3.0F2

Acme Packet Proprietary and Confidential

Best Current Practice

Basic DDoS Configuration for SIP Access Environments

Acme Packet Proprietary and Confidential

port/mask prot type

Best Current Practice

Basic DDoS Configuration for SIP Access Environments

DDOS Configuration Parameter Results