Table of Contents

MULTISERVICE INTEGRATED SERVICE ADAPTER GUIDE
Preface
About This Guide
Audience
List of Technical Publications
Searching for Information
To search for specific information in this guide
To search for specific information in multiple documents
Technical Support
ISA Hardware
In This Section
MS-ISA Overview
MS-ISM Overview
Application Assurance Hardware Features
AA System Support
Host IOM Support for AA on MS-ISA
Application Assurance
In This Section
Application Assurance (AA) Overview
Application Assurance: Inline Policy Enforcement
AA Integration in Subscriber Edge Gateways
Fixed Residential Broadband Services
Dual-Stack Lite – DS-Lite
6to4/6RD
Wireless LAN Gateway Broadband Services
Application-Aware Business VPN Services
SeGW Firewall Service
OAM Traffic Protection
S1-MME Traffic Protection
S1-U GTP Traffic Protection
Application Assurance System Architecture
AA ISA Resource Configuration
AA ISA Groups
AA Group Partitions
Bypass Modes
Redundancy
No AA ISA Group Redundancy
Failure to Fabric
N+1 AA ISA Card Warm Redundancy
ISA Load Balancing
Asymmetry Removal
Asymmetry Removal Overview
Failure Modes
AARP Peered Node/Instance Configuration
Multi-Chassis Control Link (MC-CTL)
Multi-Chassis Datapath Shunts
Subscriber to Network Direction
Network to Subscriber Direction
AARP Operational States
ISA Overload Detection
AA Packet Processing
Divert of Traffic and Subscribers
Services and AA Subscribers
Spoke SDPs
Transit AA Subs
Transit AA-Sub App-Profile
Transit IP Policy and Transit Prefix Policy
static-remote-aa-sub Command
Static Transit AA-Sub Provisionings
DHCP Transit IP AA-Subs at DHCP Relay Node
RADIUS Transit AA-Subs
Seen-IP RADIUS Notification
Transit AA-Sub Persistence
Policers for Transit AA-Subs
ISA Host IOM for Transit Subs
AA Subscriber Application Service Definition
Application Profile
Application Profile Map
Application Service Options (ASOs)
ASO Overrides
AA-Sub Scale Mode
Application Identification
Application Assurance Identification Components
Protocol Signatures
Custom Protocols
Protocol Shutdown
Supported Protocol Signatures
Application Groups
Charging Groups
Applications
Application Filters
HTTP
HTTP Protocol
HTTP Session Persistency
HTTP Proxy Support
AA IP Prefix Lists
Statistics and Accounting
Per-AA-Subscriber Special Study
System Aspects
Application Assurance XML Volume Statistics and Accounting
AA Partition Traffic Type Statistics
Configurable AA-Subscriber Statistics Collection
AA-Performance Record for ISA Load
AA Partition Traffic Type Statistics
RADIUS Accounting AA Records
AA GX Based Usage Monitoring
Supported AVPs
Cflowd AA Records
TCP Application Performance
Volume Statistics
Comprehensive Statistics
Audio/Video (A/V) Application Performance
Application QoS Policy (AQP)
AQP Match Criteria
AQP Actions
Application Assurance Policers
Time of Day Policing Adjustments
Application Assurance HTTP Redirect
AA HTTP Policy Redirect
AA HTTP 404 Redirect
ICAP - Large Scale Category based URL Filtering
Local URL-List Filtering
URL-List Update
HTTP/HTTPS
HTTP Header Enrichment
HTTP In Browser Notification
Notification Interval
Success Verification
HTTP Notification Example
HTTP Notification Customization through Radius VSA
AA Mirroring to Offline Processing
Application Assurance Firewall
Stateful/Stateless Packet Filtering and Inspection with Application-Level Gateway (ALG) Support
Denial Of Service (DOS) Protection
Policy Partitioned AA FW
Configuring AA FW
AA FW Logging
SeGW Firewall Protection
OAM traffic Firewall
S1-MME (SCTP) Firewall
SCTP PPID Filtering
S1-U GTP Traffic Protection
Service Monitoring and Debugging
CPU Utilization
CLI Batch: Begin, Commit and Abort Commands
Configuring Application Assurance with CLI
Provisioning AA ISA MDA
Configuring an AA ISA Group
Configuring Watermark Parameters
Configuring a Group Policy
Beginning and Committing a Policy Configuration
Aborting a Policy Configuration
Configuring an IP Prefix List
Configuring AA Session Filters
Configuring an Application Group
Configuring an Application
Configuring an Application Filter
Configuring an Application Profile
Configuring Suppressible App-Profile with SRRP
Configuring Application Service Options
Configuring a Policer
Configuring an Application QoS Policy
Configuring an Application and DNS IP Cache for URL Content Charging Strengthening
Configuring an HTTP Error Redirect
Configuring HTTP Header Enrichment
Configuring an HTTP Redirect Policy
Configuring a Captive Redirect HTTP Redirect Policy
Configuring ICAP URL Filtering
Configuring Local URL-List Filtering
Configuring HTTP Notification
Configuring AA Volume Accounting and Statistics
Configuring Cflowd Collector
Configuring AA Volume, TCP and RTP Performance Reporting
Application Assurance Command Reference
Hardware Commands
Admin Commands
ISA Commands
Application Assurance Commands
Persistence Commands
Show Commands
Tools Commands
Clear Commands
Debug Commands
Application Assurance Commands
Generic Commands
Hardware Commands
Application Assurance Commands
Group Commands
ISA Commands
Application Assurance Group Commands
Show Commands
Tools Commands
Clear Commands
Debug Commands
IP Tunnels
In This Section
IP Tunnels Overview
Tunnel ISAs
Public Tunnel SAPs
Private Tunnel SAPs
IP Interface Configuration
GRE and IP-IP Tunnel Configuration
IP Fragmentation and Reassembly for IP Tunnels
Operational Conditions
QoS Interactions
OAM Interactions
Redundancy
Statistics Collection
Security
GRE Tunnel Multicast Support
IPv6 over IPv4 GRE Tunnel
IKEv2
IKEv2 TS-List
SHA2 Support
X.509v3 Certificate Overview
SROS X.509v3 Certificate Support
Local Storage
CA-Profile
CA Chain Computation
Certificate Enrollment
Certificate Revocation Check
Certificate/CRL Expiration Warning
Certificate/CRL/Key Cache
Auto CRL Update
Using Certificates For IPSec Tunnel Authentication
Trust-Anchor-Profile
Cert-Profile
Cert-Profile/trust-anchor-profile versus cert/trust-anchor
Certificate Management Protocol Version 2 (CMPv2)
OCSP
Video Wholesale Example
Multi-Chassis IPSec Redundancy Overview
Architecture
MC-IPSec Mastership Protocol (MIMP)
MIMP Protocol States
Election Logic
Protection Status
Other Details
Routing
Routing in Public Service
Routing in Private Services
Other Details About Shunting
MC-IPSec Aware VRRP
Synchronization
Automatic CHILD_SA Rekey
Responder Only
IPSec Deployment Requirements
IKEv2 Remote-Access Tunnel
IKEv2 Remote Access Tunnel – RADIUS-Based PSK/Certificate Authentication
IKEv2 Remote-Access Tunnel – EAP Authentication
IKEv2 Remote-Access Tunnel – Authentication without RADIUS
IKEv2 Remote-Access Tunnel – Address Assignment
IPv6 IPSec Support
IPv6 as Payload
IPv6 as Payload: Static LAN-to-LAN Tunnel
IPv6 as Payload: Dynamic LAN-to-LAN Tunnel
IPv6 as Payload: Remote-Access Tunnel
IPv6 as Encapsulation
Configuring IPSec with CLI
Provisioning a Tunnel ISA
Configuring a Tunnel Group
Configuring Router Interfaces for IPSec
Configuring IPSec Parameters
Configuring IPSec in Services
Configuring X.509v3 Certificate Parameters
Configuring MC-IPSec
Configuring MIMP
Configuring Multi-Chassis Synchronization
Configuring Routing for MC-IPSec
Configuring and Using CMPv2
Configuring OCSP
Configuring IKEv2 Remote-Access Tunnel
Configuring IKEv2 Remote-Access Tunnel with Local Address Assignment
IP Tunnel Command Reference
Configuration Commands
Hardware Commands
ISA Commands
IPSec Commands
Service Configuration Commands
IES Commands
VPRN Commands
IPSec Mastership Election Commands
Related Commands
CMPv2 Commands
Auto-Update Commands
Show Commands
Debug Commands
Tools Commands
Generic Commands
Hardware Commands
ISA Commands
Certificate Profile Commands
Internet Key Exchange (IKE) Commands
IPSec Configuration Commands
Interface SAP Tunnel Commands
IPSec Mastership Election Commands
IPSec RADIUS Commands
CMPv2 Commands
Auto-Update Command Descriptions
Show Commands
Debug Commands
Tools Commands
Video Services
In This Section
Video Services
Video Groups
Video SAP
Video Interface
Multicast Information Policies
Duplicate Stream Protection
Duplicate Stream Selection
Stream Identification
Initial Sequence Identification
Packet Selection
Clock Recovery
Playout
Loss of Transport
Video Quality Monitoring
VoIP/Video/Teleconferencing Performance Measurements
Mean Opinion Score (MOS) Performance Measurements Solution Architecture
Retransmission and Fast Channel Change
RET and FCC Overview
Retransmission
Fast Channel Change (FCC)
Retransmission Client
Retransmission Server
Fast Channel Change Server
Logging and Accounting for RET and FCC
RET Server Session Stats
RET and FCC Server Concurrency
Prerequisites and Restrictions
Multi-Service ISA Support in the IOM-3 for Video Services
Prioritization Mechanism for RET vs. FCC
RET Features
Statistics ALU SQM MIB Additions
RET Server Multicast Tuning Parameters
FCC Features
FCC Hybrid Mode Support
Ad Insertion
Local/Zoned Ad Insertion
Transport Stream Ad Splicing
Ad Zones
Local/Zoned ADI Prerequisites and Restrictions
Configuring Video Service Components with CLI
Video Services Overview
Configuring an ISA-MS Module
Configuring a Video Group
Configuring a Video SAP and Video Interface in a Service
Basic Multicast Information Policy Configuration
Sample Configurations
Configuring RET/FCC Video Components with CLI
Configuring RET/FCC Video Features in the CLI
Configuring the RET Client
Configuring the RET Server
Configuring the FCC Server
Logging and Accounting Collection for Video Statistics
Configuring ADI Components with CLI
Configuring ADI in CLI
Configuring the RET Client
Configuring a Video Group
Configuring NTP
Configuring Channel Parameters
Configuring Service Entities
Video Command Reference
IP-TV Command Hierarchies
Hardware Commands
Video Group Commands
Video Policy Video Commands
Bundle and Channel Commands
Service Video Interface Commands
VPLS Commands
IES Commands
VPRN Commands
Show Commands
Clear Commands
Debug Commands
Video Services Commands
Generic Commands
Show Commands
Clear Commands
Debug Commands
Network Address Translation
In This Chapter
Terminology
Network Address Translation (NAT) Overview
Principles of NAT
Application Compatibility
NAT Point-to-Point Tunneling Protocol (PPTP) Application Layer Gateway (ALG)
PPTP Protocol
Supported Control Messages
GRE Tunnel
PPTP ALG Operation
Multiple Sessions Initiated From the Same PPTP Client Node
Selection of Call IDs in NAT
Large Scale NAT
Port Range Blocks
Reserved Ports and Priority Sessions
Preventing Port Block Starvation
Dynamic Port Block Starvation in LSN
Dynamic Port Block Reservation
Timeouts
Watermarks
One-to-One (1:1) NAT
Static 1:1 NAT
Protocol Agnostic Behavior
Modification of Parameters in Static 1:1 NAT
Load Distribution over ISAs in Static 1:1 NAT
NAT-Policy Selection
Mapping Timeout
Logging
Restrictions
ICMP
L2-Aware NAT
Port Control Protocol (PCP)
DS-Lite and NAT64 Fragmentation
Overview
IPv6 Fragmentation in DS-Lite
NAT64
NAT Logging
Syslog/SNMP/Local-File Logging
Filtering LSN Events to System Memory
NAT Logging to a Local File
SNMP Trap Logging
NAT Syslog
LSN RADIUS Logging
RADIUS Logging and L2-Aware NAT
LSN and L2-Aware NAT Flow Logging
Large Scale NAT44 Flow Logging Configuration Example
NAT Stateless Dual-Homing
Configuration Considerations
Troubleshooting Commands
Deterministic NAT
Overview
Supported Deterministic NAT Flavors
Number of Subscribers per Outside IP and per Pool
Referencing a Pool
Outside Pool Configuration
Mapping Rules and the map Command in Deterministic LSN44
Hashing Considerations in Deterministic LSN44
Distribution of Outside IP Addresses Across MS-ISAs in an MS-ISA NA Group
Sharing of Deterministic NAT Pools
Simultaneous support of dynamic and deterministic NAT
Selecting Traffic for NAT
Inverse Mappings
MIB approach
Off-line Approach to Obtain Deterministic Mappings
Logging
Deterministic DS-Lite
Hashing Considerations in DS-Lite
Order of Configuration Steps in Deterministic DS-Lite
Enhanced Statistics in NAT — Histogram
Configuration
NAT – Multiple NAT Policies per Inside Routing Context
Restrictions
Multiple NAT Policies Per Inside Routing Context
Routing Approach for NAT Diversion
Filter-Based Approach
Multiple NAT Policies with DS-Lite and NAT64
Default NAT Policy
Scaling Considerations
Multiple NAT Policies and SPF Configuration Considerations
Multiple NAT Policies and Forwarding Considerations
Logging
ISA Feature Interactions
MS-ISA Use with Service Mirrors
LNS, Application Assurance and NAT
Subscriber Aware Large Scale NAT44
Universal Plug and Play Internet Gateway Device Service
Configuring UPnP IGD Service
2. Create a upnp-policy:
3. Configure the upnp-policy as created in Step 2 in the subscriber profile:
NAT ISA (Intra-Chassis) Redundancy
Active-Active ISA Redundancy Model
Start-up Conditions
Recovery
Adding Additional ISAs in the ISA Group
Configuring NAT
ISA Redundancy
NAT Layer 2-Aware Configurations
Large Scale NAT Configuration
NAT Configuration Examples
NAT Command Reference
Command Hierarchies
ISA Configuration Commands
NAT Service Configuration Commands
NAT Subscriber Management Commands
NAT Router Configuration Commands
NAT Admin Configuration Commands
Tools Commands
Show Commands
Clear Commands
Tools Commands
Filter Commands
Network Address Translation Configuration Commands
Generic Commands
ISA Configuration Commands
NAT Configuration Commands
NAT Service Configuration Commands
IPFlow Information Export Protocol Commands
AAA Policy Commands
NAT Subscriber Management Commands
L2TP Network Server
In This Chapter
Subscriber agg-rate-limit on LNS
LNS Reassembly
Overview
Reassembly Function
Load Sharing Between the ISAs
Inter-chassis ISA Redundancy
MLPPPoE, MLPPP(oE)oA with LFI on LNS
Terminology
LNS MLPPPoX
MLPPP Encapsulation
MLPPPoX Negotiation
Enabling MLPPPoX
Link Fragmentation and Interleaving (LFI)
MLPPPoX Fragmentation, MRRU and MRU Considerations
LFI Functionality Implemented in LNS
Last Mile QoS Awareness in the LNS
BB-ISA Processing
LNS-LAC Link
AN-RG Link
Home Link
Optimum Fragment Size Calculation by LNS
Encapsulation Based Fragment Size
Fragment size based on the max transmission delay
Selection of the Optimum Fragment Length
Upstream Traffic Considerations
Multiple Links MLPPPoX With No Interleaving
MLPPPoX Session Support
Session Load Balancing Across Multiple BB-ISAs
BB-ISA Hashing Considerations
Last Mile Rate and Encapsulation Parameters
Link Failure Detection
CoA Support
Accounting
Filters and Mirroring
PTA Considerations
QoS Considerations
Dual-Pass
Traffic Prioritization in LFI
Shaping Based on the Last Mile Wire Rates
Downstream Bandwidth Management on Egress Port
Sub/Sla-Profile Considerations
Example of MLPPPoX Session Setup Flow
Other Considerations
Configuration Notes
L2TP Network Server Command Reference
ISA Commands
MLPPP on LNS Commands
L2TP Network Server Commands
Generic Commands
LNS Commands
Network Address Translation (NAT) Commands
MLPPP on LNS Commands
Threat Management Service
In This Section
TMS Service Introduction
Configuration Guidelines and Example
TMS Image Location
Configuration Example For TMS Interfaces on the SR OS
tms-interface "mda-1-1" create
    address 20.folk.43/32
    description "tms-1-1"
    port 1/1
    password "password=arbor zone-secret=admin"
exit
exit
configure router
    interface "itfToArborCP"
        address 10.12.0.1/24
        port 3/2/4
    exit
exit
configure router policy-options
    policy-statement "exporttmsgrt"
        entry 1
            from
                protocol vpn-leak
            exit
            action accept
            exit
        exit
        entry 2
            from
                protocol tms
            exit
            action accept
            exit
        exit
    exit
exit
Dynamic Control of IP Filter Entries
Threat Management Service Command Reference
Card Commands
MDA Commands
TMS Commands
Policy Commands
Show Commands
Threat Management Service Commands
Generic Commands
Card Commands
MDA Commands
Threat Management Service Interface Commands
Policy Commands
TMS-Related Show Commands
Clear Commands
Debug Commands
Appendix A: Common CLI Command Descriptions
In This Chapter
Common Service Commands