ESR service routers. ESR-Series. Functionality description. Version 1.12.0, page 415

esr(config)# ip access-list extended BYPASS
esr(config-acl)# rule 1
esr(config-acl-rule)# action permit
esr(config-acl-rule)# match protocol udp
esr(config-acl-rule)# match source-address any
esr(config-acl-rule)# match destination-address any
esr(config-acl-rule)# match source-port 68
esr(config-acl-rule)# match destination-port 67
esr(config-acl-rule)# enable
esr(config-acl-rule)# exit
esr(config-acl)# rule 2
esr(config-acl-rule)# action permit
esr(config-acl-rule)# match protocol udp
esr(config-acl-rule)# match source-address any
esr(config-acl-rule)# match destination-address any
esr(config-acl-rule)# match source-port any
esr(config-acl-rule)# match destination-port 53
esr(config-acl-rule)# enable
esr(config-acl-rule)# exit
esr(config)# ip access-list extended INTERNET
esr(config-acl)# rule 1
esr(config-acl-rule)# action permit
esr(config-acl-rule)# match protocol any
esr(config-acl-rule)# match source-address any
esr(config-acl-rule)# match destination-address any
esr(config-acl-rule)# enable
esr(config-acl-rule)# exit
esr(config)# ip access-list extended WELCOME
esr(config-acl)# rule 10
esr(config-acl-rule)# action permit
esr(config-acl-rule)# match protocol tcp
esr(config-acl-rule)# match source-address any
esr(config-acl-rule)# match destination-address any
esr(config-acl-rule)# match source-port any
esr(config-acl-rule)# match destination-port 443
esr(config-acl-rule)# enable
esr(config-acl-rule)# exit
esr(config-acl)# rule 20
esr(config-acl-rule)# action permit
esr(config-acl-rule)# match protocol tcp
esr(config-acl-rule)# match source-address any
esr(config-acl-rule)# match destination-address any
esr(config-acl-rule)# match source-port any
esr(config-acl-rule)# match destination-port 8443
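The listing above defines three extended ACLs but never states, on this page, what each one actually lets through for a given flow. The following Python script is an added example (not code from the Eltex manual, and not an ESR feature): it parses a transcript in the CLI format shown above and evaluates constructed sample flows against the BYPASS ACL and WELCOME rule 10, so the effect of "source-port 68 / destination-port 67" (DHCP client to server) and "destination-port 53" (DNS to any resolver) can be checked offline. The function names parse_acls, evaluate and decisions, the packet dicts, and the sample addresses are mine. The evaluation semantics are assumptions not given on this page: rules are tried in ascending number order, the first rule that has been enabled and whose match clauses all fit decides, a rule that was never enabled is skipped, and a flow that matches nothing returns None rather than a guessed default action.

```python
"""ESR-style extended ACL parser and first-match evaluator (added example; not
code from the Eltex manual). Assumed, since this page does not state it: rules
are tried in ascending number order, the first enabled rule whose clauses all
fit decides, rules never enabled are skipped, and no match yields None."""
import re
from typing import Optional

# Constructed transcript of the BYPASS ACL and WELCOME rule 10 from the page,
# with the numbers re-joined to their commands.
TRANSCRIPT = """\
esr(config)# ip access-list extended BYPASS
esr(config-acl)# rule 1
esr(config-acl-rule)# action permit
esr(config-acl-rule)# match protocol udp
esr(config-acl-rule)# match source-address any
esr(config-acl-rule)# match destination-address any
esr(config-acl-rule)# match source-port 68
esr(config-acl-rule)# match destination-port 67
esr(config-acl-rule)# enable
esr(config-acl-rule)# exit
esr(config-acl)# rule 2
esr(config-acl-rule)# action permit
esr(config-acl-rule)# match protocol udp
esr(config-acl-rule)# match source-address any
esr(config-acl-rule)# match destination-address any
esr(config-acl-rule)# match source-port any
esr(config-acl-rule)# match destination-port 53
esr(config-acl-rule)# enable
esr(config-acl-rule)# exit
esr(config)# ip access-list extended WELCOME
esr(config-acl)# rule 10
esr(config-acl-rule)# action permit
esr(config-acl-rule)# match protocol tcp
esr(config-acl-rule)# match source-address any
esr(config-acl-rule)# match destination-address any
esr(config-acl-rule)# match source-port any
esr(config-acl-rule)# match destination-port 443
esr(config-acl-rule)# enable
esr(config-acl-rule)# exit
"""

PROMPT = re.compile(r"^\S*\(config[^)]*\)#\s*(.*)$")
# CLI match keyword -> key in the packet dicts below
FIELDS = {"protocol": "proto", "source-address": "src", "destination-address": "dst",
          "source-port": "sport", "destination-port": "dport"}


def parse_acls(transcript: str) -> dict:
    """Map ACL name -> list of rule dicts sorted by rule number."""
    acls, rules, rule = {}, None, None
    for line in transcript.splitlines():
        m = PROMPT.match(line.strip())
        words = m.group(1).split() if m else []
        if words[:3] == ["ip", "access-list", "extended"]:
            rules = acls.setdefault(words[3], [])
        elif words[:1] == ["rule"]:
            rule = {"number": int(words[1]), "action": None, "enabled": False, "match": {}}
            rules.append(rule)
        elif words[:1] == ["action"]:
            rule["action"] = words[1]
        elif words[:1] == ["match"]:
            rule["match"][words[1]] = words[2]
        elif words[:1] == ["enable"]:
            rule["enabled"] = True
        # "exit" only moves the CLI context; nothing to record
    for lst in acls.values():
        lst.sort(key=lambda r: r["number"])
    return acls


def evaluate(rules: list, pkt: dict) -> Optional[str]:
    """Action of the first enabled rule whose every match clause fits pkt."""
    for rule in rules:
        if rule["enabled"] and all(
            pat == "any" or str(pkt[FIELDS[key]]) == pat
            for key, pat in rule["match"].items()
        ):
            return rule["action"]
    return None


ACLS = parse_acls(TRANSCRIPT)

# Constructed flows (not captured traffic) from a client that has not authenticated.
PACKETS = {
    "dhcp": dict(proto="udp", src="0.0.0.0", dst="255.255.255.255", sport=68, dport=67),
    "dns": dict(proto="udp", src="10.0.0.5", dst="198.51.100.53", sport=51234, dport=53),
    "http": dict(proto="tcp", src="10.0.0.5", dst="198.51.100.80", sport=40000, dport=80),
    "https": dict(proto="tcp", src="10.0.0.5", dst="198.51.100.80", sport=40001, dport=443),
}


def decisions(acl_name: str) -> dict:
    """Verdict per sample flow for one ACL: 'permit', 'deny' or None (no match)."""
    return {name: evaluate(ACLS[acl_name], pkt) for name, pkt in PACKETS.items()}


if __name__ == "__main__":
    for name in ACLS:
        print(name, decisions(name))
```

Running it shows that BYPASS permits only the DHCP client-to-server exchange and DNS, while HTTP and HTTPS match nothing in it, and that WELCOME rule 10 permits only TCP/443. Two points worth checking on a real deployment: the page does not show the default action for flows that match no rule, so do not infer it from this model; and a BYPASS rule that allows UDP/53 to "destination-address any" lets an unauthenticated client reach arbitrary external resolvers, which is a well-known DNS-tunnelling channel. A common hardening is to narrow that rule's destination-address to the resolver the clients are expected to use, and the evaluator above can be re-run with such a change to confirm the intended flows still pass.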

ESR service routers ESR-10, ESR-12V, ESR-12VF, ESR-14VF, ESR-20, ESR-21, ESR-100, ESR-200, ESR-1000, ESR-1200, ESR-1500, ESR-1700. User manual, Functionality description, 29.10.2020, firmware version 1.12.0.

Page 2: ...2 3 LLDP MED configuration 17 2 3 1 Configuration algorithm 17 2 3 2 Voice VLAN configuration example 18 2 4 Sub interface termination configuration 19 2 5 Configuration algorithm 20 2 5 1 Sub interface configuration example 21 2 6 Q in Q termination configuration 22 2 6 1 Configuration algorithm 22 2 6 2 Q in Q configuration example 25 2 7 USB modems configuration 25 2 7 1 USB modems configuratio...

Page 3: ...neling management 57 3 1 GRE tunnel configuration 57 3 1 1 Configuration algorithm 57 3 1 2 IP GRE tunnel configuration example 61 3 2 DMVPN configuration 63 3 2 1 Configuration algorithm 63 3 2 2 Configuration example 65 3 3 L2TPv3 tunnel configuration 70 3 3 1 Configuration algorithm 70 3 3 2 L2TPv3 tunnel configuration example 72 3 4 IPsec VPN configuration 74 3 4 1 Route based IPsec VPN config...

Page 4: ...figuration example 138 5 4 BGP configuration 139 5 4 1 Configuration algorithm 139 5 4 2 Configuration example 149 5 5 BFD configuration 151 5 5 1 Configuration algorithm 151 5 5 2 Configuration example of BFD with BGP 154 5 6 PBR routing policy configuration 156 5 6 1 Configuration algorithm of Route map for BGP 156 5 6 2 Configuration example 1 Route map for BGP 160 5 6 3 Configuration example 2...

Page 5: ...hm for setting Hello holdtime Hello interval and Keepalive holdtime for the LDP process 195 6 3 2 Algorithm for setting Hello holdtime Hello interval and Keepalive holdtime for the specific neighbor 195 6 3 3 Configuration example 196 6 4 LDP tag filtering configuration 197 6 4 1 Configuration algorithm 197 6 4 2 Configuration example 198 6 5 L2VPN Martini mode configuration 199 6 5 1 L2VPN VPWS c...

Page 6: ...ation algorithm 275 7 5 2 Firewall configuration example 281 7 5 3 Configuration example of application filtering DPI 283 7 6 Access list ACL configuration 285 7 6 1 Configuration algorithm 285 7 6 2 Access list configuration example 287 7 7 IPS IDS configuration 288 7 7 1 Base configuration algorithm 288 7 7 2 Configuration algorithm for IPS IDS rules autoupdate from external sources 289 7 7 3 Re...

Page 7: ...ing remote access client via PPPoE 341 9 4 1 Configuration algorithm 341 9 4 2 Configuration example 343 9 5 Configuring remote access client via PPTP 344 9 5 1 Configuration algorithm 344 9 5 2 Configuration example 346 9 6 Configuring remote access client via L2TP 347 9 6 1 Configuration algorithm 347 9 6 2 Configuration example 349 10 Service management 352 10 1 DHCP server configuration 352 10...

Page 8: ...y configuration 388 11 4 1 Configuration algorithm 388 11 4 2 Zabbix agent configuration example 390 11 4 3 Zabbix agent configuration example 391 11 5 Syslog configuration 394 11 5 1 Configuration algorithm 395 11 5 2 Configuration example 397 11 6 Integrity check 398 11 6 1 Configuration process 398 11 6 2 Configuration example 398 11 7 Router configuration file archiving 398 11 7 1 Configuratio...

Page 9: ...tem configuration 431 14 2 1 Recommendations 432 14 2 2 Warnings 432 14 2 3 Configuration example 432 14 3 Password usage policy configuration 432 14 3 1 Recommendations 433 14 3 2 Configuration example 433 14 4 AAA policy configuration 433 14 4 1 Recommendations 434 14 4 2 Warnings 434 14 4 3 Configuration example 434 14 5 Remote management configuration 435 14 5 1 Recommendations 435 14 5 2 Conf...

Page 10: ... data This manual provides descriptions algorithms and examples of how to configure the ESR series service router functionality hereafter referred to as the router or device 1 2 Target Audience This user manual is intended for technical personnel that performs device installation configuration and monitoring via command line interface CLI as well as the system maintenance and firmware update proce...

Page 11: ...PP Configuration Configuration algorithm Configuration example Bridge configuration Configuration algorithm Example of bridge configuration for VLAN and L2TPv3 tunnel Example of bridge configuration for VLAN Configuration example of the second VLAN tag adding removing Dual Homing configuration Configuration algorithm Configuration example Mirroring configuration SPAN RSPAN Configuration algorithm ...

Page 12: ... optional esr config if gi no switchport forbidden default vlan 5 Set L2 interface operation mode esr config if gi mode switchport 6 Set the combined mode of the physical interface esr config if gi mode hybrid Only for ESR 1000 1200 1500 1700 7 Set L2 interface operation mode esr config if gi switchport access Only for ESR 10 12V F 14VF 20 21 100 200 This mode is the default mode and is not displa...

Page 13: ...witchport general allowed vlan add VID untagged For ESR 1000 1200 1500 1700 VID VLAN identifier set in the range of 2 4094 10 Enable the processing of Ethernet frames of all created VLANs on the interface optionally esr config if gi switchport trunk allowed vlan auto all Only for ESR 10 12V F 14VF 20 21 100 200 esr config if gi switchport general allowed vlan auto all Only for ESR 1000 1200 1500 1...

Page 14: ... 64 VLAN 2000 for gi1 0 1 2 port esr 1000 config interface gi1 0 1 esr 1000 config if gi mode switchport esr 1000 config if gi switchport forbidden default vlan esr 1000 config if gi switchport general allowed vlan add 2 64 2000 tagged 2 1 4 Configuration example 3 Enabling VLAN processing in tagged and untagged modes Objective Configure gi1 0 1 ports for packet transmission and reception in VLAN ...

Page 15: ...ell as to receive similar information 2 2 1 Configuration algorithm Step Description Command Keys 1 Enable LLDP on the router esr config lldp enable 2 Enable the LLDPDU receiving and proceeding on the physical interface esr config if gi lldp receive 3 Enable LLDPDU transmission on the physical interface esr config if gi lldp transmit 8 Set the LLDPDU sending period optionally esr config lldp timer...

Page 16: ... system name optionally esr config lldp system name NAME NAME system name set by the string of up to 255 characters By default coincides with the specified hostname 2 2 2 Configuration example Objective Organize the LLDPDU exchange and proceeding between ESR 1 and ESR 2 routers Solution R1 configuration Enable LLDP globally on the router esr config lldp enable Enable the receiving and transmission...

Page 17: ...lows to transmit network policies VLAN ID DSCP priority 2 3 1 Configuration algorithm Step Description Command Keys 1 Enable LLDP on the router esr config lldp enable 2 Enable LLDPDU transmission on the physical interface esr config if gi lldp transmit 3 Enable MED LLDP enhancement on the router esr config lldp med fast start enable 4 Create network policy esr config network policy NAME NAME netwo...

Page 18: ...e subscriber device will send Ethernet frames of the specified application in a tagged form 9 Set a network policy on the interface esr config if gi lldp network policy NAME NAME network policy name set by the string of up to 31 characters 2 3 2 Voice VLAN configuration example Voice VLAN VLAN ID in receiving of which an IP phone switches to the trunk mode with the specified VLAN ID for VoIP traff...

Page 19: ...xit Configure LLDP on the interface and set a network policy esr config interface gigabitethernet 1 0 1 esr config if gi lldp transmit esr config if gi lldp receive esr config if gi lldp network policy VOICE_VLAN esr config if gi exit 2 4 Sub interface termination configuration To terminate Ethernet frames of a certain VLAN on a specific physical interface you need to create a sub interface with t...

Page 20: ...ptionally esr config subif ip vrf forwarding VRF VRF VRF name set by the string of up to 31 characters 4 Specify the IPv4 IPv6 address and subnet mask for the interface to be configured or enable IP address obtain dynamically esr config subif ip address ADDR LEN ADDR LEN IP address and subnet mask length defined as AAA BBB CCC DDD EE where each part AAA DDD takes values of 0 255 and EE takes value...

Page 21: ...mitionUnit size MTU above 1500 will be active only when using the system jumbo frames command optional esr config subif mtu MTU MTU MTU value in bytes Default value 1500 9 Enable recording of the current interface usage statistics optional esr config subif history statistics 10 Override the MSS Maximum segment size field in incoming TCP packets optional esr config subif ip tcp adjust mss MSS esr c...

Page 22: ...ader which is comes before C VLAN is an Outer Tag also known as S VLAN Service VLAN Using of double tags in Ethernet frames is describing by 802 1ad protocol 2 6 1 Configuration algorithm Step Description Command Keys 1 Create a sub interface of a physical interface possible if the physical interface is in routeport or hybrid mode esr config interface gigabitethernet PORT S VLAN or interface tengi...

Page 23: ...esr config qinq if ip vrf forwarding VRF VRF VRF name set by the string of up to 31 characters 5 Specify the IPv4 IPv6 address and subnet mask for the interface to be configured or enable IP address obtain dynamically esr config qinq if ip address ADDR LEN ADDR LEN IP address and subnet mask length defined as AAA BBB CCC DDD EE where each part AAA DDD takes values of 0 255 and EE takes values of 1...

Page 24: ...e of the entry update varies from 0 5 1 5 TIME 9 Change MTU MaximumTransmitionUnit size MTU above 1500 will be active only when using the system jumbo frames command optionally esr config subif mtu MTU MTU MTU value in bytes Default value 1500 10 Enable recording of the current interface usage statistics optional esr config subif history statistics 11 Override the MSS Maximum segment size field in...

Page 25: ...USB modems you may use USB hubs Up to 10 USB modems can be configured in the system at the same time 2 7 1 USB modems configuration algorithm Step Description Command Keys 1 After USB modem connection wail until the system detects the connected device 2 Define which number of the device is allocated to the connected USB modem esr show cellulars status modem The connected device identifier will be ...

Page 26: ...g user enable 9 Set the dial up number for connection to the mobile network esr config cellular profile number WORD WORD dial up number for connection to a mobile network set by the string of up to 15 characters 10 Set the method of user authentication in the mobile network optional esr config cellular profile allowed auth TYPE TYPE method of user authentication in a mobile network none PAP CHAP M...

Page 27: ... value takes values in the range of 128 16383 Default value 1500 20 Change the maximum size of processed MTU MaximumTransmissionUnit packets MTU above 1500 will be active only when using the system jumbo frames command optional esr config cellular modem mtu MTU MTU MTU value in bytes Default value 1500 21 Set the preferable USB modem operation mode in the mobile network optional esr config cellula...

Page 28: ... APN or any other necessary address Below you can see the example of connection to MTS APN esr config cellular profile apn internet mts ru If necessary create user name password dial up number and authentication number esr config cellular profile user mts esr config ppp user password ascii text mts esr config cellular profile number 99 esr config cellular profile allowed auth PAP Proceed to config...

Page 29: ...ock source SOURCE SOURCE synchronization source Internal default synchronize with an internal source line synchronize with a linear signal 4 Specify MTU Maximum Transmition Unit size for physical interfaces esr config if gi mtu MTU MTU MTU value for E1 and Multilink interfaces may take values in the range of 128 1500 5 Specify frame check hash algorithm optionally esr config if gi switchport e1 cr...

Page 30: ...s 15 Enable authentication override optionally esr config e1 ppp chap refuse 16 Set authentication username optionally esr config e1 ppp chap username NAME NAME user name 17 Allow any non null IP address to be accepted as a local IP address from the neighbour optionally esr config e1 ppp ipcp accept address 18 Set IP address that is sent to a remote party for the further allocation optionally esr ...

Page 31: ...e interval after which the router sends a keepalive message optionally esr config e1 ppp timeout retry TIME TIME time in seconds 2 8 2 Configuration example Objective Configure PPP connection to the opposite side with IP address 10 77 0 1 24 via ToPGARE SFP using 1 8 channel slots for data transmission the clock source is the opposite side Solution Switch gigabitethernet 1 0 3 interface on which T...

Page 32: ...on algorithm Step Description Command Keys 1 Configure aggregation group esr config interface multilink IF IF interface name 2 Specify the description of configured aggregation group optionally esr config multilink description DESCRIPTION DESCRIPTION aggregation group description set by the string of up to 255 characters 3 Specify the time interval during which the statistics on the aggregation gr...

Page 33: ...nt to a remote party for the further allocation esr config multilink ppp iccp remote address ADDR ADDR IP address of a remote gateway 11 Specify a user for remote party authentication and switch to the specified user configuration mode esr config multilink chap username NAME NAME user name set by the string of up to 31 characters 12 Set encrypted or unencrypted password for a specific user to auth...

Page 34: ...onds after which the router sends a keepalive message optionally esr config multilink ppp timeout retry TIME TIME time in seconds takes values of 1 255 Default value 3 19 Specify the maximum packet size for MLPP interface esr config multilink mrru MRRU MRRU maximum size of a received packet for MLPP interface takes value in the range of 1500 10000 20 Bind e1 port to the physical interface esr conf...

Page 35: ...ltilink security zone trusted esr config multilink exit esr config exit Enable interface e1 1 0 1 interface e1 1 0 2 into MLPPP 3 aggregation group esr config interface e1 1 0 1 esr config e1 ppp multilink esr config e1 ppp multilink group 3 esr config e1 exit esr config interface e1 1 0 2 esr config е1 ppp multilink esr config е1 ppp multilink group 3 esr config е1 exit 2 10 Bridge configuration ...

Page 36: ...lly esr config bridge description DESCRIPTION DESCRIPTION network bridge description set by the string of up to 255 characters 5 Connect sub interface qinq interface L2GRE tunnel or L2TPv3 tunnel with the network bridge Connected interfaces tunnels and network bridges automatically become participants of the shared L2 domain optionally esr config if gi bridge group BRIDGE ID esr config if l2tpv3 b...

Page 37: ...kes values of 1 32 For advanced IPv4 addressing features see section IP addressing configuration esr config bridge ipv6 address IPV6 ADDR LEN IPV6 ADDR LEN IP address and prefix of a subnet defined as X X X X X EE where each X part takes values in hexadecimal format 0 FFFF and EE takes values of 1 128 For advanced IPv6 addressing features see section IPv6 addressing configuration You can specify s...

Page 38: ...1 Prohibit unknown unicast traffic switching when a destination MAC address is not included in the switching table in the given bridge Optionally relevant only for ESR 1000 1200 1500 1700 esr config bridge unknown unicast forwarding disable 12 Set the lifetime of IPv4 IPv6 entries in the ARP table studied on the given bridge optionally esr config bridge ip arp reachable time TIME or esr config bri...

Page 39: ...1 0 11 gi1 0 12 interfaces to VLAN 333 esr config interface gigabitethernet 1 0 11 12 esr config if mode switchport esr config if switchport general allowed vlan add 333 tagged Create bridge 333 map VLAN 333 to it and specify membership in trusted zone esr config bridge 333 esr config bridge vlan 333 esr config bridge security zone trusted esr config bridge enable Specify the affilation of L2TPv3 ...

Page 40: ...rity zone LAN1 esr config zone exit esr config security zone LAN2 esr config zone exit Map VLAN 50 to gi1 0 11 gi1 0 12 interfaces esr config interface gigabitethernet 1 0 11 12 esr config if gi switchport general allowed vlan add 50 tagged Map VLAN 60 to gi1 0 14 interface esr config interface gigabitethernet 1 0 14 esr config if gi switchport general allowed vlan add 60 tagged Create bridge 50 m...

Page 41: ...r config zone pair rule enable esr config zone pair rule exit esr config zone pair exit esr config exit To view an interface membership in a bridge use the following command esr show interfaces bridge 2 10 4 Configuration example of the second VLAN tag adding removing Objective The gigabitethernet 1 0 1 interface receives Ethernet frames with various VLAN tags It is necessary to redirect them to t...

Page 42: ...ies with the same MAC address that will be sent to an active interface when switching optionally esr config backup interface mac duplicate COUNT COUNT amount of packets copies takes values of 1 4 3 Specify the number of packets per second that will be sent to an active interface when switching optionally esr config backup interfacemac per second COUNT COUNT amount of MAC addresses per second takes...

Page 43: ...l allowed vlan add 50 55 esr config if gi exit Main configuration step Make gigabitethernet 1 0 10 redundant for gigabitethernet 1 0 9 esr config interface gigabitethernet 1 0 9 esr config if gi backup interface gigabitethernet 1 0 10 vlan 50 55 To view information on redundant interfaces use the following command esr show interfaces backup 2 12 Mirroring configuration SPAN RSPAN Traffic mirroring...

Page 44: ...mirroring mode in case of using remote mirroring esr config port monitor remote 3 Define the mode of the port transmitting mirrored traffic optional esr config port monitor mode MODE MODE mode network combined data transfer and mirroring default monitor only mirroring only 4 Enable mirroring in the interface configuration mode esr config if gi port monitor interface IF DIRECTION IF interface from ...

Page 45: ...hernet 1 0 5 еsr1000 config if gi port monitor interface gigabitethernet 1 0 11 For gi 1 0 5 interface specify the remote mirroring mode еsr1000 config if gi port monitor remote 2 13 LACP configuration LACP is a link aggregation protocol that allows multiple physical links to be combined into a single logical link This process allows to increase the communication link bandwidth and robustness 2 13...

Page 46: ... long long long timeout short short timeout Default value long 4 Create and switch to the aggregated interface configuration mode esr config interface port channel ID ID sequence number of a channel aggregation group takes values of 1 12 5 Configure the required parameters of aggregated channel 6 Switch to the physical interface configuration mode esr config interface IF TYPE IF NUM IF TYPE interf...

Page 47: ...ystem jumbo frames command optional esr config subif mtu MTU MTU MTU value in bytes Default value 1500 12 Enable recording of the current interface usage statistics optional esr config subif history statistics 13 Override the MSS Maximum segment size field in incoming TCP packets optional esr config subif ip tcp adjust mss MSS esr config subif ipv6 tcp adjust mss MSS MSS MSS value takes values in ...

Page 48: ... 1 gi1 0 2 physical interfaces into the created link aggregation group esr config interface gigabitethernet 1 0 1 2 esr config if gi channel group 2 mode auto Further port channel configuration is performed by analogy to the common physical interface 2 14 AUX configuration AUX configuration is used to specify parameters for interacting with external devices connected via serial interfaces to the E...

Page 49: ...mber of data bits sent 7 8 Default is 8 FMODE data flow control mode Takes the following values software sowtware flow control hardware hardware flow control disabled flow control disabled Default is disabled PMODE parity bit setting mode Takes the following values odd a check for oddness even a check for evenness none parity bit is not set Default is none SPEED a speed of a serial interface in bp...

Page 50: ...TCP port number to be used as the TCP port number to connect to the ESR via telnet optional Note cannot be used in conjunction with the modem inout command esr config line aux transport telnet port PORT PORT TCP port number for console server mode Takes values in the range of 1 65535 2 14 2 Configuration examples Objective 1 Configure IP communication between two ESRs on the serial port using mode...

Page 51: ...urity zone pair xx self esr 21 1 config zone pair rule 1 esr 21 1 config zone pair rule action permit esr 21 1 config zone pair rule enable esr 21 1 config zone pair rule exit esr 21 1 config zone pair exit esr 21 1 config Specify that the interfaces belong to the security zone esr 21 1 config interface serial 1 0 2 esr 21 1 config serial security zone xx esr 21 1 config serial exit esr 21 1 confi...

Page 52: ...zone pair rule action permit esr 21 2 config zone pair rule enable esr 21 2 config zone pair rule exit esr 21 2 config zone pair exit esr 21 2 config Specify that the interfaces belong to the security zone esr 21 2 config interface serial 1 0 2 esr 21 2 config serial security zone xx esr 21 2 config serial exit esr 21 2 config Objective 2 Set up IP connectivity between two ESRs on a Serial port us...

Page 53: ...interface voice port 1 sip user phone 001 profile sip 1 exit interface voice port 2 sip user phone 002 profile sip 1 caller id mode fsk bell exit Solution Configure the first ESR 21 Configure the parameters for negotiation with the modem esr 21 1 config line aux 2 esr 21 1 config line aux flowcontrol hardware esr 21 1 config line aux modem inout esr 21 1 config line aux exit esr 21 1 config Config...

Page 54: ... config interface serial 1 0 2 esr 21 1 config serial security zone xx esr 21 1 config serial exit esr 21 1 config Enable dialing by number esr 21 1 config interface serial 1 0 2 esr 21 1 config serial dialer string 002 esr 21 1 config serial dialer esr 21 1 config serial exit esr 21 1 config Configure the second ESR 21 Configure negotiation parameters esr 21 2 config line aux 2 esr 21 2 config li...

Page 55: ...al modem settings for Objective 2 for modem 1 enable the 22bis protocol disable the speakers on both modems Solution Create a line with additional modem initialization parameters for the first ESR 21 where AT N1 enable 22bis on modem mode ATM0L0 disable modem speaker esr 21 1 config chat script dial_test ABORT BUSY ABORT NO CARRIER ABORT ERROR AT OK AT F OK AT N14 OK ATM0L0 OK ATD T CONNECT esr 21...

Page 56: ...e the use of the modem initialization string esr 21 2 config interface serial 1 0 2 esr 21 2 config serial dialer string 000 modem script answer_test esr 21 2 config serial exit esr 21 2 config 2 14 3 Adapter soldering schemes RJ 45 DB 25 pinout RJ 45 RJ 45 pinout rolled over cable ...

Page 57: ...on is a network packet tunneling protocol Its main purpose is to encapsulate packets of the OSI model network layer into IP packets GRE may be used for VPN establishment on 3rd level of OSI model In ESR router implemented static unmanageable GRE tunnels i e tunnels are created manually via configuration on local and remote hosts Tunnel parameters for each side should be mutually agreeable otherwis...

Page 58: ... part takes values of 0 255 7 Specify the GRE tunnel encapsulation mode esr config gre mode MODE MODE GRE tunnel encapsulation mode ip encapsulation of IP in GRE ethernet encapsulation of Ethernet frames in GRE Default value ip 8 Set the IP address of a tunnel local side only in ip mode esr config gre ip address ADDR LEN ADDR LEN IP address and prefix of a subnet defined as AAA BBB CCC DDD EE wher...

Page 59: ...000 Default value 1500 12 Specify the TTL lifetime for tunnel packets optionally esr config gre ttl TTL TTL TTL value takes values in the range of 1 255 Default value Inherited from encapsulated packet 13 Specify DSCP for the use in IP header of encapsulated packet optionally esr config gre dscp DSCP DSCP DSCP code value takes values in the range of 0 63 Default value inherited from encapsulated p...

Page 60: ...ess ADDR ADDR IP address to check GRE tunnel capability 21 Change the time interval during which the statistics on the tunnel load is averaged optional esr config gre load average TIME TIME interval in seconds takes values of 5 150 Default value 5 22 Enable sending snmp trap about tunnel enabling disabling esr config gre snmp init trap 23 Enable the mechanism of IP addresses iterative query using ...

Page 61: ...e Access Server management 3 1 2 IP GRE tunnel configuration example Objective Establish L3 VPN for company offices using IP network with GRE protocol for traffic tunneling IP address 115 0 0 1 is used as a local gateway for the tunnel IP address 114 0 0 10 is used as a remote gateway for the tunnel IP address of the tunnel at the local side is 25 0 0 1 24 Solution Pre configure interfaces on the ...

Page 62: ...ner regardless of their GRE tunnel existence and settings validity Optionally you may specify the following parameters for GRE tunnel Enable GRE header checksum calculation and inclusion into a packet with encapsulated packet for outbound traffic esr config gre local checksum Enable check for GRE checksum presence and validity for inbound traffic esr config gre remote checksum Specify a unique ide...

Page 63: ...uch a connection clients NHC over an encrypted IPsec tunnel send their internal tunnel address and external NBMA address to the NHRP server NHS When a client wants to connect to another NHC it sends a request to the server to find out its external address Having received a response from the server the client can now independently establish a connection to the remote branch 3 2 1 Configuration algo...

Page 64: ...R IP address defined as AAA BBB CCC DDD where each part takes values of 0 255 8 Define the destination of multicast traffic esr config gre ip nhrp multicast dynamic nhs ADDR dynamic send to all peers with which there is a connection nhs send to all static configured servers ADDR send to specifically configured server defined as AAA BBB CCC DDD where each part takes values of 0 255 9 Enable the abi...

Page 65: ...namic Routing Protocol BGP Ipsec In our example we will have a HUB router and two branches The HUB is the DMVPN server NHS and the branches are DMVPN clients NHC External IP addres of Hub 150 115 0 5 External IP address of Spoke 1 180 100 0 10 External IP address of Spoke 2 140 114 0 4 IPsec VPN parameters IKE Diffie Hellman group 2 encryption algorithm AES128 authentication algorithm SHA1 IPsec e...

Page 66: ...our example this will be BGP esr config router bgp 65005 esr config bgp address family ipv4 esr config bgp af neighbor 10 10 0 8 esr config bgp neighbor remote as 65008 esr config bgp neighbor enable esr config bgp neighbor exit esr config bgp af neighbor 10 10 0 4 esr config bgp neighbor remote as 65004 esr config bgp neighbor enable esr config bgp neighbor exit esr config bgp af enable Configure...

Page 67: ...licy exit esr config security ipsec vpn IPSECVPN esr config ipsec vpn mode ike esr config ipsec vpn ike establish tunnel route esr config ipsec vpn ike gateway IKEGW esr config ipsec vpn ike ipsec policy IPSECPOLICY esr config ipsec vpn enable Map IPsec to the GRE tunnel so that clients can establish an encrypted connection esr config gre ip nhrp ipsec IPSECVPN dynamic Enable NHRP and the tunnel e...

Page 68: ...y for NHS specify particular destination addresses When creating an IKE gateway for NHC the destination address will be any esr config security ike proposal IKEPROP esr config ike proposal encryption algorithm aes128 esr config ike proposal dh group 2 esr config ike proposal exit esr config security ike policy IKEPOLICY esr config ike policy pre shared key ascii text encrypted 8CB5107EA7005AFF esr...

Page 69: ...urity ipsec vpn IPSECVPN_HUB esr config ipsec vpn mode ike esr config ipsec vpn ike establish tunnel route esr config ipsec vpn ike gateway IKEGW_HUB esr config ipsec vpn ike ipsec policy IPSECPOLICY esr config ipsec vpn enable esr config security ipsec vpn IPSECVPN_SPOKE esr config ipsec vpn mode ike esr config ipsec vpn ike establish tunnel route esr config ipsec vpn ike gateway IKEGW_SPOKE esr ...

Page 70: ...he partner 3 3 1 Configuration algorithm Step Description Command Keys 1 Configure L3 interface from which a L2TPv3 tunnel will be built 2 Create a L2TPv3 tunnel and switch to its configuration mode esr config tunnel l2tpv3 INDEX INDEX tunnel identifier set in the range of for ESR 10 12V F 14VF 1 10 for ESR 20 21 100 200 1 250 for ESR 1000 1200 1500 1700 1 500 3 Specify the description of the conf...

Page 71: ... local port UDP UDP UDP port number in the range of 1 65535 10 Define remote UDP port if UDP was selected as encapsulation method esr config l2tpv3 remote port UDP UDP UDP port number in the range of 1 65535 11 Assign the broadcast domain for encapsulation in the tunnel s L2TPV3 packets esr config l2tpv3 bridge group BRIDGE ID BRIDGE ID bridge identification number takes values in the range of for...

Page 72: ...of 5 150 Default value 5 17 Enable recording of the current tunnel usage statistics optional esr config subif history statistics It is also possible to configure the L2TPv3 tunnel QoS in basic or advanced mode see section QoS management BRAS functionality see section BRAS Broadband Remote Access Server management 3 3 2 L2TPv3 tunnel configuration example Objective Establish L2 VPN for company offi...

Page 73: ...t esr config l2tpv3 enable esr config l2tpv3 exit Create sub interface for switching of traffic coming from the tunnel into LAN with VLAN id 333 esr config interface gi 1 0 2 333 Define the inherence of sub interface to a bridge that should be mapped to LAN for bridge configuration see Section Configuration of PPP via E1 esr config subif bridge group 333 esr config subif exit When settings are app...

Page 74: ...de: esr(config)# tunnel vti TUN. TUN: device tunnel name. 2. Specify the local IP address of the VTI tunnel: esr(config-vti)# local address ADDR. ADDR: IP address of a local gateway. 3. Specify the remote IP address of the VTI tunnel: esr(config-vti)# remote address ADDR. ADDR: IP address of a remote gateway. 4. Specify the IP address of the VTI tunnel local side: esr(config-vti)# ip address ADDR/LEN. ADDR/LEN: IP address ...

Page 75: ...the following values: des, 3des, blowfish128, blowfish192, blowfish256, aes128, aes192, aes256, aes128ctr, aes192ctr, aes256ctr, camellia128, camellia192, camellia256. Default value: 3des. 11. Define the Diffie-Hellman group number (optional): esr(config-ike-proposal)# dh-group DH-GROUP. DH-GROUP: Diffie-Hellman group number, takes values of 1, 2, 5, 14, 15, 16, 17, 18. Default value: 1. 12. Specify the IKE authentication mode (optional) ...

Page 76: ...nfig-ike-gw)# version VERSION. VERSION: IKE protocol version, v1-only or v2-only. Default value: v1-only. 20. Set the route-based mode: esr(config-ike-gw)# mode route-based. 21. Specify the action for DPD (optional): esr(config-ike-gw)# dead-peer-detection action MODE. MODE: DPD operation mode: restart (the connection restarts), clear (the connection stops), hold (the connection holds), none (the mechanism is disabled, no action is taken). De...

Page 77: ...rotocol for IPsec (optional): esr(config-ipsec-proposal)# protocol PROTOCOL. PROTOCOL: encapsulation protocol, takes the following values. Default value: esp. 29. Create an IPsec policy and switch to its configuration mode: esr(config)# security ipsec policy NAME. NAME: IPsec policy name, set by a string of up to 31 characters. 30. Bind the IPsec profile to the IPsec policy: esr(config-ipsec-policy)# proposal NAME. NAME: IPse...

Page 78: ...in the range of 0..63. Default value: 63. 36. Set the VPN activation mode: esr(config-ipsec-vpn)# ike establish-tunnel MODE. MODE: VPN activation mode: by-request (the connection is enabled by the opposing party), route (the connection is enabled when there is traffic routed to the tunnel), immediate (the tunnel is enabled automatically after applying the configuration). 37. Bind the IKE gateway to the IPsec VPN: esr(config-ipsec-vpn)# ike gate...

Page 79: ...e the connection release set by the lifetime kilobytes command. Takes values in the range of 4..86400. Default value: keys re-approval before the expiration of time, 540 seconds before; keys re-approval before the expiration of traffic volume and amount of packets, disabled. 41. Set the level of random spread for the margin seconds, margin packets and margin kilobytes values (optional): esr(config-ipsec-vpn)# ike rekey randomizati...

Page 80: ...ace gi 1/0/1; esr(config-if-gi)# ip address 180.100.0.1/24; esr(config-if-gi)# security-zone untrusted; esr(config-if-gi)# exit. Create a VTI tunnel. Traffic will be routed via the VTI into the IPsec tunnel. Specify the IP addresses of the WAN border interfaces as the local and remote gateways: esr(config)# tunnel vti 1; esr(config-vti)# local address 180.100.0.1; esr(config-vti)# remote address 120.11.5.1; esr(config-vti)# enable; esr(config-...

Page 81: ...y hexadecimal 123FFF; esr(config-ike-policy)# proposal ike_prop1; esr(config-ike-policy)# exit. Create the IKE protocol gateway. For this profile specify the VTI tunnel, policy, protocol version and mode of traffic redirection into the tunnel: esr(config)# security ike gateway ike_gw1; esr(config-ike-gw)# ike-policy ike_pol1; esr(config-ike-gw)# mode route-based; esr(config-ike-gw)# bind-interface vti 1; esr(config-ike-gw)# versi...

Page 82: ...a VTI into the IPsec tunnel. Specify the IP addresses of the WAN border interfaces as the local and remote gateways: esr(config)# tunnel vti 1; esr(config-vti)# remote address 180.100.0.1; esr(config-vti)# local address 120.11.5.1; esr(config-vti)# enable; esr(config-vti)# exit. To configure security zone rules you should create the ISAKMP port profile: esr(config)# object-group service ISAKMP; esr(config-object-group-service)# port-range...

Page 83: ...entication algorithm. Use the following parameters to secure the IPsec tunnel: esr(config)# security ipsec proposal ipsec_prop1; esr(config-ipsec-proposal)# authentication-algorithm md5; esr(config-ipsec-proposal)# encryption-algorithm aes128; esr(config-ipsec-proposal)# exit. Create a policy for the IPsec tunnel. For the policy specify the list of IPsec tunnel profiles that may be used for node negotiation: esr(config)# s...

Page 84: ...oposal)# encryption-algorithm ALGORITHM. ALGORITHM: encryption protocol, takes the following values: des, 3des, blowfish128, blowfish192, blowfish256, aes128, aes192, aes256, aes128ctr, aes192ctr, aes256ctr, camellia128, camellia192, camellia256. 5. Define the Diffie-Hellman group number: esr(config-ike-proposal)# dh-group DH-GROUP. DH-GROUP: Diffie-Hellman group number, takes values of 1, 2, 5, 14, 15, 16, 17, 18. 6. Specify the authen...

Page 85: ...w)# mode MODE. MODE: mode of traffic redirection into the tunnel, takes the following values: policy-based (traffic is redirected based on the subnets specified in the policies), route-based (traffic is redirected based on routes whose gateway is a tunnel interface). 15. Specify the action for DPD (optional): esr(config-ike-gw)# dead-peer-detection action MODE. MODE: DPD operation mode: restart (the connection restarts), c...

Page 86: ...IPsec tunnel remote gateway: esr(config-ike-gw)# remote address ADDR. ADDR: IP address of a remote gateway. 22. Set the recipient's subnet IP address as well as IP and port: esr(config-ike-gw)# remote network ADDR/LEN protocol TYPE ID port PORT. ADDR/LEN: subnet IP address and mask of a sender. The parameter is defined as AAA.BBB.CCC.DDD/EE where each part AAA-DDD takes values of 0..255 and EE takes values of 1..32 ...

Page 87: ...f the IPsec tunnel (optional): esr(config-ipsec-policy)# lifetime seconds SEC packets PACKETS kilobytes KB. SEC: IPsec tunnel lifetime after which the re-approval is carried out. Takes values in the range of 1140..86400 seconds. PACKETS: number of packets after the transmission of which the IPsec tunnel re-approval is carried out. Takes values in the range of 4..86400. KB: traffic amount after the transmission of which th...

Page 88: ...r of transmitted packets or bytes (optional): esr(config-ipsec-vpn)# ike rekey disable. 38. Configure the start of IKE connection keys re-approval before the expiration of the lifetime (optional): esr(config-ipsec-vpn)# ike rekey margin seconds SEC packets PACKETS kilobytes KB. SEC: time interval in seconds remaining before the connection release set by the lifetime seconds command. Takes values in the range ...

Page 89: ...ution. R1 configuration. Configure the external network interface and identify its inherence to a security zone: esr# configure; esr(config)# interface gigabitethernet 1/0/1; esr(config-if-gi)# ip address 120.11.5.1/24; esr(config-if-gi)# security-zone untrusted; esr(config-if-gi)# exit. To configure security zone rules you should create the ISAKMP port profile: esr(config)# object-group service ISAKMP; esr(config-object-gro...

Page 90: ...100.0.1; esr(config-ike-gw)# local network 10.0.0.0/16; esr(config-ike-gw)# remote address 120.11.5.1; esr(config-ike-gw)# remote network 192.0.2.0/24; esr(config-ike-gw)# mode policy-based; esr(config-ike-gw)# exit. Create the security parameters profile for the IPsec tunnel. For the profile select Diffie-Hellman group 2, the AES 128-bit encryption algorithm and the MD5 authentication algorithm. Use the following parameters to sec...

Page 91: ...on algorithm in the profile. The given security parameters are used for IKE connection protection: esr(config)# security ike proposal ike_prop1; esr(config-ike-proposal)# dh-group 2; esr(config-ike-proposal)# authentication-algorithm md5; esr(config-ike-proposal)# encryption-algorithm aes128; esr(config-ike-proposal)# exit; esr(config)#. Create the IKE protocol policy. For the policy specify the list of IKE protocol profi...

Page 92: ...le the tunnel using the enable command: esr(config)# security ipsec vpn ipsec1; esr(config-ipsec-vpn)# mode ike; esr(config-ipsec-vpn)# ike establish-tunnel immediate; esr(config-ipsec-vpn)# ike gateway ike_gw1; esr(config-ipsec-vpn)# ike ipsec-policy ipsec_pol1; esr(config-ipsec-vpn)# enable; esr(config-ipsec-vpn)# exit; esr(config)# exit. To view the tunnel status use the following command: esr# show security ipsec vpn status...

Page 93: ...AAA-DDD takes values of 0..255 and EE takes values of 1..31. 5. Define the Diffie-Hellman group number (optional): esr(config-ike-proposal)# dh-group DH-GROUP. DH-GROUP: Diffie-Hellman group number, takes values of 1, 2, 5, 14, 15, 16, 17, 18. Default value: 1. 6. Create an IKE profile policy and switch to its configuration mode: esr(config)# security ike policy NAME. NAME: IKE policy name, set by a string of up to 31 charact...

Page 94: ...cters. 16. Set the subnet from which IP addresses will be issued to clients (server only): esr(config-pool)# ip prefix ADDR/LEN. ADDR/LEN: address and prefix of the subnet. 17. Create an IKE gateway and switch to its configuration mode: esr(config)# security ike gateway NAME. NAME: IKE protocol gateway name, set by a string of up to 31 characters. 18. Bind the IKE policy: esr(config-ike-gw)# ike-policy NAME. NAME: IKE protocol poli...

Page 95: ...er. The parameter is defined as AAA.BBB.CCC.DDD/EE where each part AAA-DDD takes values of 0..255 and EE takes values of 1..32. TYPE: protocol type, takes the following values: esp, icmp, ah, eigrp, ospf, igmp, ipip, tcp, pim, udp, vrrp, rdp, l2tp, gre. ID: IP identification number, takes values of 0x00..0xFF. PORT: TCP/UDP port, takes values of 1..65535. 25. Specify the IP address of the IPsec tunnel local gateway: esr(config-ike-...

Page 96: ...et by a string of up to 31 characters. 33. Specify the IPsec authentication algorithm (optional): esr(config-ipsec-proposal)# authentication-algorithm ALGORITHM. ALGORITHM: authentication algorithm, takes values of md5, sha1, sha2-256, sha2-384, sha2-512. Default value: sha1. 34. Specify the IPsec encryption algorithm (optional): esr(config-ipsec-proposal)# encryption-algorithm ALGORITHM. ALGORITHM: encryption protocol, take...

Page 97: ...ig)# security ipsec vpn NAME. NAME: VPN name, set by a string of up to 31 characters. 40. Define the matching mode of data required for VPN enabling: esr(config-ipsec-vpn)# mode MODE. MODE: VPN operation mode, takes the following values: ike, manual. 41. Bind the IPsec policy to the VPN: esr(config-ipsec-vpn)# ike ipsec-policy NAME. NAME: IPsec policy name, set by a string of up to 31 characters. 42. Set the DSCP value for th...

Page 98: ...y: esr(config-ipsec-vpn)# ike rekey margin seconds SEC packets PACKETS kilobytes KB. SEC: time interval in seconds remaining before the connection release set by the lifetime seconds command. Takes values in the range of 4..86400. Default value: 540. PACKETS: number of packets remaining before the connection release set by the lifetime packets command. Takes values in the range of 4..86400. Default value: disabled...

Page 99: ...ed XAUTH connection will be withheld. A new IP address will be assigned to the new XAUTH connection. The INITIAL_CONTACT notification will be ignored anyway. replace: the established XAUTH connection will be deleted. The previously used IP address will be used for the new XAUTH connection. keep: the established XAUTH connection will be withheld. A new XAUTH connection will be rejected. 3.4.6 Remote Access IPsec VP...

Page 100: ...oup-service)# exit. Create the IKE protocol profile. Select Diffie-Hellman group 2, the 3DES encryption algorithm and the SHA1 authentication algorithm in the profile. The given security parameters are used for IKE connection protection: esr(config)# security ike proposal IKEPROP; esr(config-ike-proposal)# dh-group 2; esr(config-ike-proposal)# authentication-algorithm sha1; esr(config-ike-proposal)# encryption-algorithm 3des; e...

Page 101: ...etection action clear; esr(config-ike-gw)# mode policy-based; esr(config-ike-gw)# xauth access-profile XAUTH; esr(config-ike-gw)# exit. Create the security parameters profile for the IPsec tunnel. Specify the 3DES encryption algorithm and the SHA1 authentication algorithm in the profile. Use the following parameters to secure the IPsec tunnel: esr(config)# security ipsec proposal IPSECPROP; esr(config-ipsec-proposal)# authentication-a...

Page 102: ...ity zone rules you should create the ISAKMP port profile: esr(config)# object-group service ISAKMP; esr(config-addr-set)# port-range 500,4500; esr(config-addr-set)# exit. Create the IKE protocol profile. Select Diffie-Hellman group 2, the 3DES encryption algorithm and the SHA1 authentication algorithm in the profile. The given security parameters are used for IKE connection protection: esr(config)# security ike proposal IKEPROP...

Page 103: ...sr(config-ike-gw)# exit. Create the security parameters profile for the IPsec tunnel. Specify the 3DES encryption algorithm and the SHA1 authentication algorithm in the profile. Use the following parameters to secure the IPsec tunnel: esr(config)# security ipsec proposal IPSECPROP; esr(config-ipsec-proposal)# authentication-algorithm md5; esr(config-ipsec-proposal)# encryption-algorithm aes128; esr(config-ipsec-proposal)# exit. Create...

Page 104: ...unnels dedicated for the transmission of routing information and traffic between different virtual routers (VRF Lite) configured on a router. An LT tunnel might be used for organizing interaction between two or more VRFs using firewall restrictions. 3.5.1 Configuration algorithm. Step | Description | Command | Keys. 1. Create LT tunnels for each of the existing VRFs: esr(config)# tunnel lt ID. ID: tunnel identifier, set in ...

Page 105: ...nnels: esr(config-lt)# enable. 8. For each VRF configure the required routing protocols via the LT tunnel. 9. Specify the time interval over which the statistics on the tunnel load are averaged (optional): esr(config-lt)# load-average TIME. TIME: interval in seconds, takes values of 5..150. Default value: 5. 10. Specify the size of MTU packets that can be passed by the bridge (optional, possible only if a VLAN is included i...

Page 106: ...disable; esr(config-lt)# ip address 192.168.0.1/30; esr(config-lt)# exit; esr(config)# tunnel lt 2; esr(config-lt)# ip vrf forwarding vrf_2; esr(config-lt)# ip firewall disable; esr(config-lt)# ip address 192.168.0.2/30; esr(config-lt)# exit. For each LT tunnel designate the LT tunnel from the VRF with which the link must be established, and activate them: esr(config)# tunnel lt 1; esr(config-lt)# peer lt 2; esr(config-lt)# enable; esr...

Page 107: ...enabled on the interface through which traffic arrives. 4.1.1 Configuration algorithm. Step | Description | Command | Keys. 1. Enable QoS on the interface/tunnel/network bridge. If a QoS policy is not assigned on the interface, the interface operates in BasicQoS mode: esr(config-if-gi)# qos enable. 2. Set the trust mode for 802.1p and DSCP code values in incoming packets (optional): esr(config)# qos trust MODE. MODE: t...

Page 108: ...f incoming packets and outgoing queues. The given match works for incoming interfaces/tunnels/bridges on which QoS is enabled (optional): esr(config)# qos map cos-queue COS to QUEUE. COS: service classifier in the 802.1q packet tag, takes values in the range of 0..7. QUEUE: queue identifier, takes values in the range of 1..8. Default values: CoS 0 to queue 1, CoS 1 to queue 2, CoS 2 to queue 3, CoS 3 to queue 4, CoS 4 to queue 5, CoS 5...

Page 109: ...ng the queue number. Default value: 8. 9. Define the weights for the corresponding weighted queues: esr(config)# qos wrr-queue QUEUE bandwidth WEIGHT. QUEUE: queue identifier, takes values in the range of 1..8. WEIGHT: weight value, takes values in the range of 1..255. The default value is weight 1 for all queues. 10. Set the outgoing traffic rate limit for a certain queue or for the interface in total. The command is relevant ...

Page 110: ...Default value: disabled. 4.1.2 Configuration example. Objective: Configure the following restrictions on the gigabitethernet 1/0/8 interface: transfer DSCP 22 traffic into the 8th (priority) queue, DSCP 14 traffic into the 7th (weighted) queue, and limit the transfer rate to 60 Mbps for the 7th queue. Solution: In order to make the 8th queue a priority queue and the 2nd to 8th queues weighted ones, limit the quantity of priority queues to 1: es...

Page 111: ...n ESR routers classification of incoming traffic is possible on both incoming and outgoing interfaces. Step | Description | Command | Keys. 1. Create access lists to define the traffic to which advanced QoS should be applied. See Section Access list (ACL) configuration. 2. Create a QoS class and switch to the class parameters configuration mode: esr(config)# class-map NAME. NAME: name of the class being created, se...

Page 112: ...lue, takes values of 0..7. 8. Create a QoS policy and switch to the policy parameters configuration mode: esr(config)# policy-map NAME. NAME: name of the policy being created, set by a string of up to 31 characters. 9. Specify the QoS policy description (optional): esr(config-policy-map)# description DESCRIPTION. DESCRIPTION: up to 255 characters. 10. Set the committed outgoing bandwidth for the po...

Page 113: ...s operation mode (optional): esr(config-class-policy-map)# mode MODE. MODE: class mode: fifo (FIFO mode, First In First Out), gred (GRED mode, Generalized RED), red (RED mode, Random Early Detection), sfq (SFQ mode, the SFQ queue allocates flow-based packet transmission). Default value: FIFO. 17. Specify the class priority in the WRR process, if required: esr(config-class-policy-map)# priority class PRIORITY. PRIORITY: priority of the cla...

Page 114: ...f 1..1000000. MIN: minimum size of a queue in bytes, takes values in the range of 1..1000000. PROBABILITY: probability of packet drop, takes values of 0..100. When specifying the values the following rules should be fulfilled: MAX 2 MIN, LIMIT 3 MAX. 22. Specify GRED (Generalized Random Early Detection) parameters, if required: esr(config-class-policy-map)# random-detect precedence PRECEDENCE LIMIT MAX MIN PROBABILITY...

Page 115: ...ig-if-gi)# qos enable. 25. Define the QoS policy on a configured interface/tunnel/network bridge to classify input and prioritize output traffic: esr(config-if-gi)# service-policy {input | output} NAME. NAME: QoS policy name, set by a string of up to 31 characters. 4.2.2 Configuration example. Objective: Classify incoming traffic by subnet (10.0.11.0/24, 10.0.12.0/24), label it with DSCP 38 and 42 and segregate by a...

Page 116: ...0 255.255.255.0; esr(config-acl-rule)# match destination-address any; esr(config-acl-rule)# enable; esr(config-acl-rule)# exit; esr(config-acl)# exit. Create classes fl1 and fl2, specify the respective access control lists and configure labelling: esr(config)# class-map fl1; esr(config-class-map)# set dscp 38; esr(config-class-map)# match access-group fl1; esr(config-class-map)# exit; esr(config)# class-map fl2; esr(config-class-...

Page 117: ...e interfaces: the policy on the gi 1/0/19 interface ingress for classification purposes and on gi1/0/20 egress for applying restrictions, and SFQ mode for the default class: esr(config)# interface gigabitethernet 1/0/19; esr(config-if-gi)# qos enable; esr(config-if-gi)# service-policy input fl; esr(config-if-gi)# exit; esr(config)# interface gigabitethernet 1/0/20; esr(config-if-gi)# qos enable; esr(config-if-gi)# service-policy outpu...

Page 118: ...tion example. VRF Lite configuration: Configuration algorithm; Configuration example. MultiWAN configuration: Configuration algorithm; Configuration example. IS-IS configuration: Configuration algorithm; Configuration example. 5.1 Static routes configuration. Static routing is a type of routing in which routes are defined explicitly during the router configuration, without dynamic routing protocols. 5.1.1 Conf...

Page 119: ...EE: IPv6 address and mask of a subnet defined as X:X:X:X::X/EE where each X part takes values in hexadecimal format 0..FFFF and EE takes values of 1..128. IPV6-ADDR: client IPv6 address defined as X:X:X:X::X where each part takes values in hexadecimal format 0..FFFF. resolve: when specifying the given parameter, the gateway IPv6 address will be recursively calculated through the routing table. If the recursive ca...

Page 120: ...zone for the gi1/0/2 interface. R1 will be connected to the R2 device via the given interface for further traffic routing: esr(config)# interface gi1/0/2; esr(config-if-gi)# security-zone LAN; esr(config-if-gi)# ip address 192.168.100.1/30; esr(config-if-gi)# exit. Specify the 128.107.1.2/30 address and the WAN zone for the gi1/0/3 interface. The R1 interface will be connected to the Internet via this interface: esr(con...

Page 121: ...g)# interface gi1/0/2; esr(config-if-gi)# security-zone LAN; esr(config-if-gi)# ip address 192.168.100.2/30; esr(config-if-gi)# exit. Create a default route by specifying the IP address of the R1 router gi1/0/2 interface (192.168.100.1) as the nexthop: esr(config)# ip route 0.0.0.0/0 192.168.100.1. You can use the following command to check the routing table: esr# show ip route. 5.2 RIP configuration. RIP is a distance-vecto...

Page 122: ...en specifying the command, the prefix length must match the specified one; le: when specifying the command, the prefix length must be less than or match the specified one; ge: when specifying the command, the prefix length must be more than or match the specified one; default-route: default route filtration. esr(config-pl)# deny object-group OBJ-GROUP-NETWORK-NAME | ADDR/LEN | IPV6-ADDR/LEN eq LEN | le LEN | ge LEN l...

Page 123: ...ult value: 180 seconds. 13. Set the time interval after which the route removal is carried out (optional): esr(config-rip)# timers flush TIME. TIME: time in seconds, takes values of 1..65535. When setting the value consider the following rule: timers invalid 60. Default value: 240 seconds. 14. Enable subnet advertising: esr(config-rip)# network ADDR/LEN. ADDR/LEN: subnet address, set in the following format AAA.BBB.CCC.DD...

Page 124: ...tes advertising. NAME: name of the route map that will be used for advertised OSPF routes filtration and modification, set by a string of up to 31 characters. esr(config-rip)# redistribute bgp AS route-map NAME. AS: autonomous system number, takes values of 1..4294967295. NAME: name of the route map that will be used for advertised BGP routes filtration and modification, set by a string of up to 31 charac...

Page 125: ...p rip neighbor ADDR. ADDR: IP address defined as AAA.BBB.CCC.DDD where each part takes values of 0..255. 21. Enable subnet summarization (optional): esr(config-if-gi)# ip rip summary-address ADDR/LEN. ADDR/LEN: IP address and subnet mask defined as AAA.BBB.CCC.DDD/EE where each part AAA-DDD takes values of 0..255 and EE takes values of 1..32. 5.2.2 RIP configuration example. Objective: Configure RIP on the route...

Page 126: ...timers update 25. When all required settings are done, enable the protocol: esr(config-rip)# enable. To view the RIP routing table use the following command: esr# show ip rip. 5.3 OSPF configuration. OSPF is a dynamic routing protocol based on link-state technology and using the shortest path first (Dijkstra) algorithm. 5.3.1 Configuration algorithm. Step | Description | Command | Keys. 1. Configure OSPF precedence for th...

Page 127: ...or the global mode: 500000 for ESR-1000/1200/1500/1700, 300000 for ESR-20/21/100/200, 30000 for ESR-10/12V(F)/14VF. Default value for VRF: 0. esr(config)# ipv6 protocols ospf max-routes VALUE. 3. Enable the output of OSPF neighbor state information (optional): esr(config)# router ospf log-adjacency-changes; esr(config)# ipv6 router ospf log-adjacency-changes. 4. Create IP subnet lists that will be used for further ...

Page 128: ...config-pl)# deny object-group OBJ-GROUP-NETWORK-NAME | ADDR/LEN | IPV6-ADDR/LEN eq LEN | le LEN | ge LEN le LEN. 6. Add the OSPF process to the system and switch to the OSPF process parameters configuration mode: esr(config)# router ospf ID vrf VRF. ID: stand-alone system number, takes values of 1..65535. VRF: VRF instance name, set by a string of up to 31 characters, within which the routing protocol will operate. esr(con...

Page 129: ...te-map NAME. NAME: name of the route map that will be used for filtration and modification of advertised directly connected subnets, set by a string of up to 31 characters. esr(config-ipv6-ospf)# redistribute connected route-map NAME. esr(config-ospf)# redistribute rip route-map NAME. NAME: name of the route map that will be used for advertised RIP routes filtration and modification, set by a string of up...

Page 130: ...F and EE takes values of 1..128. 16. Specify the area type: esr(config-ospf-area)# area-type TYPE [no-summary]. TYPE: area type: stub (sets the stub value, stub area; the no-summary command in conjunction with the stub parameter forms the totally stubby area, in which only the default route is used to transfer information outside the area), nssa (sets the nssa value, NSSA area; the no-summary command in conjunction with the nssa parameter for...

Page 131: ...ress IPV6-ADDR/LEN advertise | not-advertise. IPV6-ADDR/LEN: IPv6 address and mask of a subnet defined as X:X:X:X::X/EE where each X part takes values in hexadecimal format 0..FFFF and EE takes values of 1..128. advertise: when specifying the command, a total subnet will be advertised instead of the subnets included in the specified subnet. not-advertise: the subnets included in the specified subnet will not be a...

Page 132: ...n seconds, takes values of 1..65535. Default value: 40 seconds. esr(config-ipv6-ospf-vlink)# dead-interval TIME. 24. Set the time interval in seconds after which the router selects the DR in the network: esr(config-ospf-vlink)# wait-interval TIME. TIME: time in seconds, takes values of 1..65535. Default value: 40 seconds. esr(config-ipv6-ospf-vlink)# wait-interval TIME. 25. Define the authentication algorithm: esr(config-ospf-vl...

Page 133: ...alues of 1..65535. esr(config-if-gi)# ipv6 ospf instance ID. 31. Define the interface inherence to a specific OSPF process area: esr(config-if-gi)# ip ospf area AREA_ID. AREA_ID: area identifier defined as AAA.BBB.CCC.DDD where each part takes values of 0..255. esr(config-if-gi)# ipv6 ospf area AREA_ID. 32. Enable routing via OSPF on the interface: esr(config-if-gi)# ip ospf; esr(config-if-gi)# ipv6 ospf. 33. Enable t...

Page 134: ...s after which the router re-sends a packet that has not received a delivery confirmation (for example a DatabaseDescription packet or LinkStateRequest packets): esr(config-if-gi)# ip ospf retransmit-interval TIME. TIME: time in seconds, takes values of 1..65535. Default value: 5 seconds. esr(config-if-gi)# ipv6 ospf retransmit-interval TIME. 39. Set the time interval in seconds after which the router sends the ...

Page 135: ...in the DR selection process in NBMA networks. The interface priority should be greater than zero. 43. Define the network type for OSPF neighborhood establishment: esr(config-if-gi)# ip ospf network TYPE. TYPE: network type: broadcast (broadcast connection type), non-broadcast (NBMA connection type), point-to-multipoint (point-to-multipoint connection type), point-to-multipoint non-broadcast (point-to-multipoint NBMA co...

Page 136: ...h neighbouring routers. The router should be in the area with identifier 1.1.1.1 and announce routes received via RIP. Solution: Pre-configure IP addresses on interfaces according to the network structure shown in the figure. Create the OSPF process with identifier 10 and proceed to the OSPF protocol configuration mode: esr(config)# router ospf 10. Create and enable the required area: esr(config-ospf)# area 1.1.1.1; esr(confi...

Page 137: ...nterface gigabitethernet 1/0/15; esr(config-if-gi)# ip ospf instance 10; esr(config-if-gi)# ip ospf area 1.1.1.1; esr(config-if-gi)# ip ospf; esr(config-if-gi)# exit; esr(config)# exit. 5.3.3 OSPF stub area configuration example. Objective: Change the 1.1.1.1 area type: the area should be stub. The stub router should advertise routes received via RIP. Solution: Pre-configure the OSPF protocol and IP addresses on interfaces according t...

Page 138: ...area configuration mode: esr(config-ospf)# area 1.1.1.1. Create and enable the virtual link with the identifier 0.0.0.3: esr(config-ospf-area)# virtual-link 0.0.0.3; esr(config-ospf-vlink)# enable. For the R3 router proceed to the 1.1.1.1 area configuration mode: esr(config-ospf)# area 1.1.1.1. Create and enable the virtual link with the identifier 0.0.0.1: esr(config-ospf-area)# virtual-link 0.0.0.1; esr(config-ospf-vlink)# enable. R...

Page 139: ...5.4 BGP configuration. The BGP protocol is designed to exchange subnet reachability information among autonomous systems (AS), i.e. router groups united under a single technical control that use an interdomain routing protocol for defining packet delivery routes to other ASes. The transmitted information includes the list of ASes that are accessible through this system. Selection of the optimal routes is based on effect...

Page 140: ...x-routes VALUE; esr(config-vrf)# ip protocols bgp max-routes VALUE; esr(config-vrf)# ipv6 protocols bgp max-routes VALUE. 3. Enable the output of BGP neighbor state information (optional): esr(config)# router bgp log-neighbor-changes; esr(config)# ipv6 router bgp log-neighbor-changes. 4. Enable ECMP and define the maximum amount of equal routes to a destination point: esr(config-bgp)# maximum-paths VALUE. VALUE: ...

Page 141: ...s of 1..128. OBJ-GRP-NETNAME: IP addresses profile name, set by a string of up to 31 characters. LEN, LEN-1, LEN-2: prefix length, may take values of 1..32 in prefix IP lists for IPv4 and 1..128 for IPv6. eq: when specifying the command, the prefix length must match the specified one; le: when specifying the command, the prefix length must be less than or match the specified one; ge: when specifying the command, the p...

Page 142: ...X part takes values in hexadecimal format 0..FFFF and EE takes values of 1..128. OBJ-GRP-NETNAME: IP addresses profile name, set by a string of up to 31 characters. LEN, LEN-1, LEN-2: prefix length, may take values of 1..32 in prefix IP lists for IPv4 and 1..128 for IPv6. eq: when specifying the command, the prefix length must match the specified one; le: when specifying the command, the prefix length must be less ...

Page 143: ...ds, takes values of 1..65535. Default value: 60 seconds. 9. Set the time interval after which the opposing party is considered to be unavailable (optional): esr(config-bgp-af)# timers holdtime TIME. TIME: time in seconds, takes values of 1..65535. Default value: 180 seconds. 10. Set the minimum and maximum delay during which it is prohibited to establish a connection, in order to prevent frequent disconnections (o...

Page 144: ...f the route map that will be used for filtration and modification of advertised directly connected subnets, set by a string of up to 31 characters. esr(config-bgp-af)# redistribute rip route-map NAME. NAME: name of the route map that will be used for advertised RIP routes filtration and modification, set by a string of up to 31 characters. esr(config-bgp-af)# redistribute ospf ID ROUTE-TYPE-1 ROUTE-TYPE...

Page 145: ...rmation advertisement configuration mode: esr(config-bgp-af)# exit. 18. Add a BGP neighbor and switch to the BGP process parameters configuration mode: esr(config-bgp)# neighbor ADDR | IPV6-ADDR. ADDR: neighbor's IP address defined as AAA.BBB.CCC.DDD where each part takes values of 0..255. IPV6-ADDR: client IPv6 address defined as X:X:X:X::X where each part takes values in hexadecimal format 0..FFFF. 19. Specify the neigh...

Page 146: ...ctor-client. 26. Set the IP/IPv6 router address that will be used as the source IP/IPv6 address in transmitted BGP route information updates (optional): esr(config-bgp-neighbor)# update-source ADDR | IPV6-ADDR. ADDR: source IP address defined as AAA.BBB.CCC.DDD where each part takes values of 0..255. IPV6-ADDR: source IPv6 address defined as X:X:X:X::X where each part takes values in hexadecimal format 0..FFFF. 27. Enabl...

Page 147: ...mode is selected, add subnet filtering in incoming or outgoing updates. Mandatory when configuring eBGP for subnet advertisement: esr(config-bgp-neighbor-af)# prefix-list PREFIX-LIST-NAME in | out. PREFIX-LIST-NAME: name of the subnet list being configured, set by a string of up to 31 characters. in: incoming routes filtering; out: outgoing routes filtering. 34. Set the mode in which the default route is always s...

Page 148: ...ath; nearest: replace the nearest private AS in the AS path with a nearby public AS; replace: replace all private AS numbers with the number of the current BGP process. Default value: all. 38. Enable routing information exchange: esr(config-bgp-neighbor-af)# enable. It often happens, especially when configuring iBGP, that in one bgp process you need to configure several bgp neighbors with the same parameters. To ...

Page 149: ...uring subnet 185.0.0.0/30, proprietary IP address 185.0.0.1, neighbour IP address 185.0.0.2, AS20. Solution: Configure the required network interfaces: esr-R3(config)# interface gigabitethernet 1/0/1; esr-R3(config-if-gi)# ip address 185.0.0.1/30; esr-R3(config-if-gi)# exit; esr-R3(config)# interface gigabitethernet 1/0/2; esr-R3(config-if-gi)# ip address 219.0.0.1/30; esr-R3(config-if-gi)# exit; esr-R3(config)# interface giga...

Page 150: ...security-zone wan; esr-R3(config-if-gi)# exit; esr-R3(config)# interface gigabitethernet 1/0/2; esr-R3(config-if-gi)# security-zone wan; esr-R3(config-if-gi)# exit. Create a route map which will be used later when configuring/enabling advertising to routers from another AS: esr-R3(config)# route-map bgp-general; esr-R3(config-route-map)# rule 1; esr-R3(config-route-map-rule)# match ip address 80.66.0.0/24; esr-R3(confi...

Page 151: ...onfig bgp neighbor af route map bgp general out esr R3 config bgp neighbor af enable esr R3 config bgp neighbor af exit esr R3 config bgp neighbor exit Enable protocol operation esr R3 config bgp enable esr R3 config bgp exit To view BGP peers information use the following command esr show ip bgp 2500 neighbors To view BGP routing table use the following command esr show ip bgp 5 5 BFD configurati...

Page 152: ...imum interval after which the neighbor should generate BFD message Globally optionally esr config ip bfd min rx interval TIMEOUT TIMEOUT interval after which the BFD message should be sent by the neighbor takes values in milliseconds in the range of 200 65535 for ESR 1000 1200 1500 1700 and 300 65535 for ESR 10 12V F 20 21 100 200 By default 300 ms on ESR 10 12V F 14VF 20 21 100 200 200 ms on ESR ...

Page 153: ...CCC DDD where each part takes values of 0 255 IF interface or interface group TUN tunnel type and number VRF VRF name set by the string of up to 31 characters multihop key for setting TTL 255 for BFD mechanism operation through the routed network 9 Switch BFD session to the passive mode so that BFD messages will not be sent until the messages from BFD neighbor are received Globally optional esr co...

Page 154: ...nterval TIMEOUT TIMEOUT interval after which the BFD message should be sent by the neighbor takes values in milliseconds in the range of 200 65535 for ESR 1000 1200 1500 1700 and 300 65535 for ESR 10 12V F 20 21 100 200 By default 300 ms on ESR 10 12V F 14VF 20 21 100 200 200 ms on ESR 1000 1200 1500 1700 13 Set the amount of dropped packets at which the BFD neighbor is considered to be unavailabl...

Page 155: ... 0 1 esr config bgp neighbor bfd enable esr config bgp neighbor enable esr config bgp neighbor ex esr config bgp af enable esr config bgp af exit R2 configuration Preconfigure Gi1 0 1 interface esr config interface gigabitethernet 1 0 1 esr config if gi ip firewall disable esr config if gi ip address 10 0 0 2 24 Configure eBGP with BFD esr config router bgp 200 esr config bgp address family ipv4 e...

Page 156: ... ORDER ORDER rule number takes values of 1 10000 3 Specify the action that should be applied for routing information esr config route map rule action ACT ACT allocated action permit routing information reception or advertising is permitted deny denied 4 Set BGP AS Path attribute value in the route for which the rule should work optionally esr config route map rule match as path begin end contain AS...

Page 157: ...resses profile that includes BGP Next Hop attribute value in the route for which the rule should work optionally esr config route map rule match ip next hop object group OBJ GROUP NETWORK NAME OBJ GROUP NETWORK NAME name of the IP addresses profile that includes destination subnets prefixes set by the string of up to 31 characters esr config route map rule match ipv6 next hop object group OBJ GROUP...

Page 158: ...range of 0 4294967295 15 Set RIP Tag attribute value in the route for which the rule should work esr config route map rule match tag rip TAG RIP RIP Tag attribute value takes values in the range of 0 65535 16 Set BGP AS Path attribute value that will be added to the beginning of AS Path list optionally esr config route map rule action set as path prepend AS PATH track TRACK ID AS PATH stand alone ...

Page 159: ...6 address defined as X X X X X where each part takes values in hexadecimal format 0 FFFF 20 Specify Next Hop value that will be set in the route received by BGP optionally esr config route map rule action set ip next hop NEXTHOP blackhole unreachable prohibit NEXTHOP gateway IP address defined as AAA BBB CCC DDD where each part takes values of 0 255 blackhole packets to this subnet will be removed...

Page 160: ...ute is learnt in another way 23 Specify BGP MED value that will be set in the route optionally esr config route map rule action set metric bgp METRIC METRIC BGP MED attribute value takes values in the range of 0 4294967295 24 Add filtration and modification of routes in incoming or outgoing directions esr config bgp neighbor route map NAME DIRECTION NAME name of the route map having been configure...

Page 161: ...te map rule exit esr config route map exit In AS 2500 BGP process enter neighbour parameter configuration esr config router bgp 2500 esr config bgp address family ipv4 esr config bgp af neighbor 185 0 0 2 Map the policy to routing information esr config bgp neighbor route map from as20 in 5 6 3 Configuration example 2 Route map for BGP Objective For the whole transmitted routing information from c...

Page 162: ...te map to as20 out esr config bgp neighbor exit esr config bgp exit esr config exit 5 6 4 Route map based on access control lists Policy based routing configuration algorithm Step Description Command Keys 1 Create a route map for IP routes filtration and modification esr config route map NAME NAME route map name set by the string of up to 31 characters 2 Create a route map rule esr config route ...

Page 163: ...ig if gi ip policy route map NAME NAME configured routing policy name set by the string of up to 31 characters 5 6 5 Route map based on access control lists Policy based routing configuration example Objective Distribute traffic between Internet service providers based on user subnets First assign IP address to interfaces Route traffic from addresses 10 0 20 0 24 through ISP1 184 45 0 150 and traf...

Page 164: ...config acl rule match protocol any esr config acl rule action permit esr config acl rule enable esr config acl rule exit esr config acl exit Create a policy esr config route map PBR Create rule 1 esr config route map rule 1 Specify ACL as a filter esr config route map rule match ip access group sub20 Specify nexthop for sub20 esr config route map rule action set ip next hop verify availability 184...

Page 165: ...rics values Proceed to TE 1 0 1 interface esr config interface tengigabitethernet 1 0 1 Map the policy to the respective interface esr config if te ip policy route map PBR 5 7 VRF Lite configuration VRF Virtual Routing and Forwarding is a technology designed for isolation of routing information that belongs to different classes e g routes of a specific client 5 7 1 Configuration algorithm Step Descri...

Page 166: ... routes VALUE 4 Enable and configure dynamic traffic routing protocols Static OSPF BGP IS IS in VRF instance optional See the related sections Static routes configuration OSPF configuration and BGP configuration 5 In the configuration mode of physical logical interface tunnel DNAT SNAT rule DAS server or SNMPv3 user specify the name of VRF instance for which the mode will be used optionally esr co...

Page 167: ...any esr config zone rule match destination address any esr config zone rule match protocol tcp esr config zone rule match source port any esr config zone rule match destination port any esr config zone rule action permit esr config zone rule enable esr config zone rule exit Create interface mapping assign IP addresses specify membership in a security zone esr config interface gigabitethernet 1 0...

Page 168: ... 50 4 Specify interfaces or tunnels which are gateways in the route created by MultiWAN service esr config wan rule outbound interface IF tunnel TUN WEIGHT IF interface name TUN tunnel name WEIGHT tunnel or interface weight defined in the range of 1 255 If the value is equal to 2 then 2 times more traffic will be transmitted via the given interface than via the interface with the default value A route w...

Page 169: ...ation IPv6 address defined as X X X X X where each part takes values in hexadecimal format 0 FFFF 13 Enable the target check esr config wan target enable Commands for 14 17 items should be applied on interfaces tunnels in MultiWAN 14 Enable WAN mode on the interface for IPv4 IPv6 stack esr config if gi wan load balance enable esr config if gi ipv6 wan load balance enable 15 Set the amount of ineff...

Page 170: ...ddress gateway defined as X X X X X where each part takes values in hexadecimal format 0 FFFF 18 This command checks the IP addresses from the integrity check list If all default or at least one using the check all key of the tested hosts is unavailable the gateway is considered unavailable esr config if gi wan load balance target list check all NAME NAME run check on the basis of a certain...

Page 171: ...faces esr config wan rule outbound interface tengigabitethernet 1 0 2 esr config wan rule outbound interface tengigabitethernet 1 0 1 Enable the created balancing rule and exit the rule configuration mode esr config wan rule enable esr config wan rule exit Create a list for the connection integrity check esr config wan load balance target list google Create integrity check target esr config target...

Page 172: ...r connection check esr config if wan load balance target list google In te1 0 2 interface configuration mode enable WAN mode and exit esr config if wan load balance enable esr config if exit To switch into redundancy mode configure the following Proceed to WAN rule configuration mode esr config wan load balance rule 1 MultiWAN function may also work in redundancy mode when traffic is directed to t...

Page 173: ...on password for the L2 layer optional esr config isis authentication domain key ascii text CLEAR TEXT encrypted ENCRYPTED TEXT CLEAR TEXT password set by the string of 8 characters ENCRYPTED TEXT encrypted password of 8 bytes 16 characters in hexadecimal format 0xYYYY or YYYY 6 Set a list of keys for authentication optional esr config isis authentication domain key chain KEYCHAIN KEYCHAIN key list...

Page 174: ...2 only operate only on level 2 12 Set the type of metric to be used in the IS IS process optional esr config isis metric style narrow wide transition LEVEL narrow accepts and generates TLVs on network reachability of the old type wide accepts and generates TLVs on network reachability of the new type transition accepts and generates TLVs on network reachability of the new and old type LEVEL IS IS ...

Page 175: ...n level level 1 operate only on level 1 level 2 only operate only on level 2 16 Set the lifetime of own LSP optional esr config isis max lsp lifetime TIME LEVEL TIME time in seconds takes values of 1 65535 LEVEL IS IS protocol operation level level 1 operate only on level 1 level 2 only operate only on level 2 17 Set a timeout before the next SPF calculation optional esr config isis spf timeout TI...

Page 176: ...nfig isis redistribute ipv6 bgp AS route map NAME is type LEVEL esr config isis redistribute ospf ID ROUTE TYPE route map NAME is type LEVEL ID process number takes values of 1 65535 ROUTE TYPE route type intra area OSPF process routes advertising within a zone inter area OSPF process routes advertising between zones external1 OSPF format 1 external routes advertising external2 OSPF format 2 exter...

Page 177: ...ween zones NAME name of the route map that will be used for advertised IS IS routes filtration and modification set by the string of up to 31 characters LEVEL IS IS protocol operation level level 1 operate only on level 1 level 2 only operate only on level 2 esr config isis redistribute rip route map NAME is type LEVEL NAME name of the route map that will be used for advertised RIP routes filtrati...

Page 178: ...LEVEL IS IS protocol operation level level 1 operate only on level 1 level 2 only operate only on level 2 19 Add subnets filtering in incoming or outgoing updates optional esr config isis prefix list ipv6 LIST_NAME LIST_NAME in out LIST NAME name of a subnet list being configured set by the string of up to 31 characters in incoming routes filtration out advertised routes filtration 20 Add subnets ...

Page 179: ... metric VALUE LEVEL VALUE number may take values 1 16777215 LEVEL IS IS protocol operation level level 1 operate only on level 1 level 2 only operate only on level 2 26 Set the routing level on the interface at which the current IS IS process will run optional esr config if gi isis circuit type LEVEL LEVEL IS IS protocol operation level level 1 operate only on level 1 level 1 2 operate on leve...

Page 180: ...al esr config if gi isis csnp interval TIME LEVEL TIME time in seconds takes values of 1 65535 LEVEL IS IS protocol operation level level 1 operate only on level 1 level 2 only operate only on level 2 31 Set the interval for generating and sending PSNP optional esr config if gi isis psnp interval TIME LEVEL TIME time in seconds takes values of 1 65535 LEVEL IS IS protocol operation level level 1 o...

Page 181: ...orithm LEVEL IS IS protocol operation level level 1 operate only on level 1 level 2 only operate only on level 2 35 Set the password for hello packet authentication optionally esr config if gi isis authentication key ascii text CLEAR TEXT encrypted ENCRYPTED TEXT LEVEL CLEAR TEXT password set by the string of 8 characters ENCRYPTED TEXT encrypted password of 8 bytes 16 characters in hexadecimal fo...

Page 182: ...protocol configuration mode ESR1 config router isis 1 Set the number of the zone in which the router will operate and its system ID ESR1 config isis net 49 0001 1111 1111 1111 00 Configure the router to operate only on the first layer of the IS IS protocol ESR1 config isis is type level 1 Set the operation of the router with a narrow metric on the first level ESR1 config isis metric style narrow l...

Page 183: ...nfiguration will be the same on both interfaces ESR2 config if gi isis instance 2 ESR2 config if gi isis enable Proceed to the ESR3 router configuration ESR3 config router isis 3 ESR3 config isis net 49 0002 3333 3333 3333 00 ESR3 config isis is type level 2 ESR3 config isis metric style wide level 2 ESR3 config isis enable ESR3 config if gi isis instance 3 ESR3 config if gi isis enable The neighb...

Page 184: ...ation algorithm L2VPN VPWS configuration example L2VPN VPLS configuration algorithm L2VPN VPLS configuration example L2VPN Kompella mode configuration L2VPN VPLS configuration algorithm L2VPN VPLS configuration example L3VPN configuration Configuration algorithm Configuration example MPLS traffic balancing Configuration example Operation with the bridge domain within MPLS Assignment of MTU when op...

Page 185: ... 0 255 3 In the context of the address family ipv4 settings specify interfaces for enabling LDP process esr config ldp af ipv4 interface IF TUN IF an interface s name specified in the form described in Section Types and naming order of router interfaces TUN the name of the tunnel is specified as described in section Types and naming order of router tunnels 4 Enable LDP process esr config ldp enabl...

Page 186: ...resses must be assigned to the interfaces the firewall must be disabled and one of the internal routing protocols must be configured ESR pre configuration hostname ESR router ospf 1 area 0 0 0 0 enable exit enable exit interface gigabitethernet 1 0 1 ip firewall disable ip address 10 10 10 1 30 ip ospf instance 1 ip ospf exit interface loopback 1 ip address 1 1 1 1 32 ip ospf instance 1 ip ospf ex...

Page 187: ...dp ESR config ldp router id 1 1 1 1 ESR config ldp enable ESR config ldp address family ipv4 ESR config ldp af ipv4 interface gigabitethernet 1 0 1 ESR config ldp af ipv4 if end ESR hostname ESR1 router ospf 1 area 0 0 0 0 enable exit enable exit interface gigabitethernet 1 0 1 ip firewall disable ip address 10 10 10 2 30 ip ospf instance 1 ip ospf exit interface loopback 1 ip address 4 4 4 4 32 i...

Page 188: ...tput will show the parameters of the neighboring peer obtained from the multicast hello messages The LDP session should be in the Operational state ESR show mpls ldp discovery detailed Local LDP ID 1 1 1 1 Discovery sources Interfaces gigabitethernet 1 0 1 Hello interval 5 seconds Transport IP address 1 1 1 1 LDP ID 4 4 4 4 Source IP address 10 10 10 2 Transport IP address 4 4 4 4 Hold time 15 sec...

Page 189: ...nterval and Keepalive holdtime settings Let s consider an example of configuring Hello holdtime for an LDP session If the Hello Holdtime and Hello Interval parameters are not specified the default values are used If parameters are specified the priority of values for address family will be higher than for globally configured values ESR sh mpls ldp discovery detailed Local LDP ID 4 4 4 4 Discovery ...

Page 190: ...overy sources Interfaces gigabitethernet 1 0 4 Hello interval 5 seconds Transport IP address 4 4 4 4 LDP ID 1 1 1 1 Source IP address 10 10 10 1 Transport IP address 1 1 1 1 Hold time 15 seconds Proposed hold time 60 15 local peer seconds ESR show running config mpls mpls ldp router id 4 4 4 4 discovery hello holdtime 50 discovery hello interval 10 address family ipv4 interface gigabitethernet 1 0...

Page 191: ...configuration mode set Hello holdtime on the specified interface esr config ldp af ipv4 if discovery hello holdtime TIME TIME Time in seconds in the range of 3 65535 Default value 15 3 In the LDP address family configuration mode set Hello interval on the specified interface esr config ldp af ipv4 if discovery hello interval TIME TIME Time in seconds in the range of 3 65535 Default value 5 6 2 3 A...

Page 192: ... and hello interval 10 seconds parameters for the entire LDP process For the neighbor with address 1 1 1 1 set the Keepalive holdtime to 150 seconds Solution ESR ESR config mpls ESR config mpls ldp ESR config ldp discovery hello holdtime 40 ESR config ldp discovery hello interval 10 ESR config ldp neighbor 1 1 1 1 ESR config ldp neig keepalive 150 Check To view hello parameters ESR ESR sh mpls ldp...

Page 193: ...seconds Keepalive holdtime 180 seconds Hold timer is a matching parameter the smallest is chosen This example shows that the ESR after matching set 30 seconds If after matching the Hello interval is greater than the Hold timer then the Hello interval will be equal to Hold timer 3 ESR routers have the possibility to flexibly configure Hello holdtime Hello interval and Keepalive holdtime parameters ...

Page 194: ... 1 1 1 1 keepalive 160 discovery targeted hello holdtime 30 discovery targeted hello interval 10 exit exit ESR sh running config mpls mpls ldp router id 1 1 1 1 neighbor 4 4 4 4 keepalive 160 targeted discovery targeted hello holdtime 30 discovery targeted hello interval 45 exit exit exit ESR sh running config mpls mpls ldp router id 1 1 1 1 keepalive 160 discovery hello holdtime 90 discovery targ...

Page 195: ... Keepalive holdtime for the specific neighbor 1 Configure the LDP see section LDP configuration 2 In the LDP neighbor configuration mode set Hello holdtime esr config ldp neig discovery targeted hello holdtime TIME TIME Time in seconds in the range of 3 65535 Default value 45 3 In the LDP neighbor configuration mode set Hello interval esr config ldp neig discovery targeted hello interval TIME TIME Ti...

Page 196: ...or with address 4 4 4 4 set the Keepalive holdtime to 150 seconds Solution ESR ESR config mpls ESR config mpls ldp ESR config ldp discovery targeted hello holdtime 40 ESR config ldp discovery targeted hello interval 10 ESR config ldp neighbor 4 4 4 4 ESR config ldp neig keepalive 150 Check To view hello parameters of the targeted LDP session ESR ESR1 sh mpls ldp discovery detailed Targeted hellos ...

Page 197: ...1 Configure the LDP see section LDP configuration 2 Create network type object group esr config object group network NAME NAME name of a subnet list being configured set by the string of up to 31 characters 3 Describe the subnets for which labels will be assigned esr config object group network ip prefix ADDR LEN ADDR LEN IP address and subnet mask defined as AAA BBB CCC DDD EE where each part AAA...

Page 198: ...LS esr config object group network ip prefix 10 10 0 0 24 ESR_B esr config object group network ADV_LABELS esr config object group network ip prefix 10 10 0 0 24 esr config object group network ip prefix 192 168 2 0 24 Apply the created object group on both routers ESR_A and ESR_B esr config mpls esr config ldp ldp esr config ldp advertise labels ADV_LABELS Check On ESR_B make sure that the label is...

Page 199: ...Keys 1 Configure the LDP see section LDP configuration 2 Create pw class in the system and switch to the pw class configuration mode esr config l2vpn pw class WORD WORD pw class name 1 31 characters long 3 Add a description for pw class optional esr config l2vpn pw class description LINE LINE Description set by the string of 1 255 characters 4 Set the MTU value for the pseudo wire included in...

Page 200: ...default value ethernet 10 Create a pseudo wire and switch to its parameters configuration mode esr config l2vpn p2p pw PW_ID LSR_ID PW_ID pseudowire identifier set as a number in the range 1 4294967295 LSR_ID identifier of the LSR to which the pseudo wire is built set as AAA BBB CCC DDD where each part takes values of 0 255 11 Add a description for pseudo wire optional esr conf...

Page 201: ...ddresses on interfaces according to the network structure shown in the figure above Organize the exchange of routes between PE1 and PE2 using IGP OSPF IS IS RIP On the PE1 router create a sub interface from which traffic from CE1 will be received PE1 configure PE1 config interface gigabitethernet 1 0 4 100 PE1 config subif exit Set the MTU value on the interface towards PE2 to 9600 to avoid MTU ov...

Page 202: ...he virtual channel pw will be created later Since in this example the default parameters will be applied to pw it will be sufficient to specify the class name PE1 config mpls l2vpn PE1 config l2vpn pw class for_p2p_VLAN100 PE1 config l2vpn pw class exit Create a new l2vpn of type p2p and add pw to router PE3 take the pw identifier as VID for convenience in this case 100 PE1 config l2vpn p2p to_PE2...

Page 203: ...pls l2vpn PE2 config l2vpn pw class for_p2p_VLAN100 PE2 config l2vpn pw class exit PE2 config l2vpn p2p to_PE1_VLAN100 PE2 config l2vpn p2p interface gigabitethernet 1 0 4 100 PE2 config l2vpn p2p pw 100 1 1 1 1 PE2 config l2vpn pw pw class for_p2p_VLAN100 PE2 config l2vpn pw enable PE2 config l2vpn pw exit PE2 config l2vpn p2p enable PE2 config l2vpn p2p end PE2 commit PE2 confirm Make sure that ...

Page 204: ... optional esr config l2vpn pw class encapsulation mpls status tlv disable Default value status tlv enable 7 Create vpls domain in the system and switch to the vpls domain configuration mode esr config l2vpn vpls NAME NAME name of the p2p service set by the string of up to 31 characters 8 Enable vpls tunnel esr config l2vpn vpls enable 9 Add bridge domain esr config l2vpn vpls bridge group ID ID br...

Page 205: ... is the same as the LSR_ID esr config l2vpn pw neighbor address ADDR ADDR router IP address defined as AAA BBB CCC DDD where each part takes values of 0 255 15 Enable pseudo wire esr config l2vpn pw enable 16 If the topology of the VPLS domain to be created requires more than one pseudo wire repeat steps 10 to 14 17 If it is necessary to change the default settings for a targeted LDP session see s...

Page 206: ...irewall PE1 config interface gigabitethernet 1 0 1 PE1 config if gi mtu 9600 PE1 config if gi ip firewall disable PE1 config if gi exit Allow packets with an mpls header to be received on the interface towards the mpls network in this example the interface towards PE2 PE1 config mpls PE1 config mpls forwarding interface gigabitethernet 1 0 1 Configure the LDP protocol and enable neighbor detection...

Page 207: ...irm Configure PE2 and PE3 routers in the same way as PE1 PE2 configure PE2 config bridge 10 PE2 config bridge enable PE2 config bridge exit PE2 config interface gigabitethernet 1 0 4 100 PE2 config subif bridge group 10 PE2 config subif exit PE2 config interface gigabitethernet 1 0 2 PE2 config if gi mtu 9600 PE2 config if gi ip firewall disable PE2 config if gi exit PE2 config mpls PE2 config mpl...

Page 208: ...face gigabitethernet 1 0 1 PE3 config if gi mtu 9600 PE3 config if gi ip firewall disable PE3 config if gi exit PE3 config mpls PE3 config mpls forwarding interface gigabitethernet 1 0 1 PE3 config mpls exit PE3 config mpls PE3 config mpls ldp PE3 config ldp enable PE3 config ldp router id 3 3 3 3 PE3 config ldp address family ipv4 PE3 config ldp af ipv4 interface gigabitethernet 1 0 1 PE3 config ...

Page 209: ... 1 100 Ethernet Up 2 2 2 2 100 Ethernet Up The LDP neighborhood is established pseudowire has moved to UP status The l2vpn configuration is now complete 6 6 L2VPN Kompella mode configuration Unlike Martini mode where all operation is done by the LDP in this mode the LDP only operates with transport labels Autodetection not typical of LDP signaling and the construction of a pseudowire connectio...

Page 210: ...rms ASN nn where ASN may take values 1 65535 nn may take values 1 65535 ADDR nn where ADDR specified as AAA BBB CCC DDD EE AAA DDD may take values 0 255 nn may take values 1 65535 4ASN nn where 4ASN may take values 1 4294967295 nn may take values 1 65535 8 Specify route target import for the given VPLS instance esr config bgp route target import RT RT Route target value specified in one of the fol...

Page 211: ... 1 65535 10 Specify ve id esr config bgp ve id ID ID VPLS instance identifier specified in the range 1 16384 11 Specify vpn id esr config bgp vpn id ID ID VPN identifier specified in the range 1 4294967295 12 Specify ve range optional esr config bgp ve range RANGE RANGE range of VPLS border device identifiers 8 100 13 Specify mtu optional esr config bgp mtu VALUE VALUE MTU value 552 10000 14 Enabl...

Page 212: ...ust work within the same broadcast domain Solution Pre requisite Enable Jumbo frames support with the system jumbo frames command the device must be rebooted for the changes to take effect Configure IP addresses on interfaces according to the network structure shown in the figure above Organize the exchange of routes between PE1 PE2 PE3 and RR using IGP OSPF IS IS ...

Page 213: ...dress 10 30 0 2 30 ip ospf instance 1 ip ospf exit interface gigabitethernet 1 0 3 mtu 9500 ip firewall disable ip address 10 31 0 2 30 ip ospf instance 1 ip ospf exit interface loopback 1 ip address 10 10 0 4 32 ip ospf instance 1 ip ospf exit mpls ldp router id 10 10 0 4 address family ipv4 interface gigabitethernet 1 0 2 exit interface gigabitethernet 1 0 3 exit exit enable exit forwarding inte...

Page 214: ...or route reflector client RR config bgp neighbor update source 10 10 0 4 RR config bgp neighbor address family l2vpn vpls RR config bgp neighbor af send community extended RR config bgp neighbor af enable RR config bgp neighbor af exit RR config bgp neighbor enable RR config bgp neighbor exit RR config bgp neighbor 10 10 0 3 RR config bgp neighbor remote as 65500 RR config bgp neighbor route refle...

Page 215: ... gigabitethernet 1 0 3 mtu 9500 ip firewall disable ip address 10 22 0 1 30 ip ospf instance 1 ip ospf exit interface loopback 1 ip address 10 10 0 1 32 ip ospf instance 1 ip ospf exit mpls ldp router id 10 10 0 1 address family ipv4 interface gigabitethernet 1 0 1 exit interface gigabitethernet 1 0 2 exit interface gigabitethernet 1 0 3 exit exit enable exit forwarding interface gigabitethernet 1...

Page 216: ...p neighbor af exit PE1 config bgp neighbor enable PE1 config bgp neighbor exit PE1 config bgp enable PE1 config bgp exit Check that the BGP session with RR is successfully established Configuration of BGP on PE2 PE1 sh ip bgp neighbors BGP neighbor is 10 10 0 4 BGP state Established Neighbor address 10 10 0 4 Neighbor AS 65500 Neighbor ID 10 10 0 4 Neighbor caps refresh enhanced refresh restart aw...

Page 217: ...ip ospf exit interface gigabitethernet 1 0 3 mtu 9500 ip firewall disable ip address 10 31 0 1 30 ip ospf instance 1 ip ospf exit interface loopback 1 ip address 10 10 0 2 32 ip ospf instance 1 ip ospf exit mpls ldp router id 10 10 0 2 address family ipv4 interface gigabitethernet 1 0 1 exit interface gigabitethernet 1 0 2 exit interface gigabitethernet 1 0 3 exit exit enable exit forwarding inter...

Page 218: ...ty extended PE2 config bgp neighbor af enable PE2 config bgp neighbor af exit PE2 config bgp neighbor enable PE2 config bgp neighbor exit PE2 config bgp enable PE2 config bgp exit Check that the session with RR is successfully established PE2 sh ip bgp neighbors BGP neighbor is 10 10 0 4 BGP state Established Neighbor address 10 10 0 4 Neighbor AS 65500 Neighbor ID 10 10 0 4 Neighbor caps refresh ...

Page 219: ...ress 10 21 0 2 30 ip ospf instance 1 ip ospf exit interface gigabitethernet 1 0 3 mtu 9500 ip firewall disable ip address 10 22 0 2 30 ip ospf instance 1 ip ospf exit interface loopback 1 ip address 10 10 0 3 24 ip ospf instance 1 ip ospf exit mpls ldp router id 10 10 0 3 address family ipv4 interface gigabitethernet 1 0 2 exit interface gigabitethernet 1 0 3 exit exit enable exit forwarding inter...

Page 220: ...enable PE3 config bgp exit Check that the BGP session is successfully established The next step is to create a bridge domain on each PE router and include an interface Attachment circuit AC that looks towards CE PE1 PE1 config bridge 1 PE1 config bridge enable PE1 config bridge exit PE1 config interface gigabitethernet 1 0 4 PE1 config if gi mode switchport PE1 config if gi bridge group 1 PE3 sh i...

Page 221: ...0 MAC address a8 f9 4b ac 4d 15 Last change 4 minutes and 22 seconds Mode Routerport PE2 PE2 config bridge 1 PE2 config bridge enable PE2 config bridge exit PE2 config interface gigabitethernet 1 0 4 PE2 config if gi mode switchport PE2 config if gi bridge group 1 PE2 sh interfaces bridge 1 Bridges Interfaces bridge 1 gi1 0 4 PE2 sh interfaces status bridge 1 Interface bridge 1 status information ...

Page 222: ... state Up Administrative state Up Supports broadcast Yes Supports multicast Yes MTU 1500 MAC address a8 f9 4b ac df f0 Last change 1 minute and 24 seconds Mode Routerport Next perform the VPLS configuration PE1 Switch to the L2VPN configuration context and include the previously created bridge domain PE1 config mpls PE1 config mpls l2vpn PE1 config l2vpn vpls l2vpn PE1 config l2vpn vpls bridge gro...

Page 223: ...eight Path 65500 100 1 1 10 PE1 sh ip bgp l2vpn vpls all neighbor 10 10 0 4 advertise routes Origin codes i IGP e EGP incomplete Route Distinguisher VID VBO VBS Next hop Metric LocPrf Path 65500 100 1 1 10 10 10 0 1 100 i Detailed output of the advertised route PE1 sh ip bgp l2vpn vpls all neighbor 10 10 0 4 advertise routes ve id 1 block offset 1 BGP routing table entry for 65500 100 VE ID 1 VE Bl...

Page 224: ...10 10 0 2 100 i In the l2vpn table you can see its routes as well as routes from PE1 PE2 sh ip bgp l2vpn vpls all Status codes valid best i internal S stale Origin codes i IGP e EGP incomplete Codes Route Distinguisher VID VBO VBS Next hop Metric LocPrf Weight Path 65500 100 2 1 10 i 65500 100 1 1 10 10 10 0 1 100 0 i The calculated service labels can be viewed as follows 1 PE2 sh mpls l2vpn bindin...

Page 225: ...3 config l2vpn vpls bridge group 1 PE3 config l2vpn vpls autodiscovery bgp PE3 config bgp rd 65500 100 PE3 config bgp route target export 65500 100 PE3 config bgp route target import 65500 100 PE3 config bgp ve id 3 PE3 config bgp vpn id 3 PE3 config bgp exit PE3 config l2vpn vpls enable Check the routing information in PE3 PE3 sh ip bgp l2vpn vpls all Status codes valid best i internal S stale Or...

Page 226: ...ighbor 10 10 0 1 MTU 1500 Last change 00 06 08 Status Up Check the network availability of client equipment CE CE3 ping 192 168 0 1 PING 192 168 0 1 192 168 0 1 56 84 bytes of data 192 168 0 1 ping statistics 5 packets transmitted 5 received 0 packet loss time 4004ms rtt min avg max mdev 0 173 0 208 0 290 0 045 ms CE3 ping 192 168 0 2 PING 192 168 0 2 192 168 0 2 56 84 bytes of data 192 168 0 2 pi...

Page 227: ... distribution 3 Create VRF esr config ip vrf VRF VRF VRF instance name set by the string of up to 31 characters 4 Specify route distinguisher for the given VRF esr config vrf rd RD RD Route distinguisher value specified in one of the following forms ASN nn where ASN may take values 1 65535 nn may take values 1 65535 ADDR nn where ADDR specified as AAA BBB CCC DDD EE AAA DDD may take values 0 255 n...

Page 228: ...as AAA BBB CCC DDD EE AAA DDD may take values 0 255 nn may take values 1 65535 4ASN nn where 4ASN may take values 1 4294967295 nn may take values 1 65535 6 Specify route target export for the given VRF esr config vrf route target export RT RT Route target value specified in one of the following forms ASN nn where ASN may take values 1 65535 nn may take values 1 65535 ADDR nn where ADDR specified a...

Page 229: ...000 1200 150 0 1700 1 500000 ESR 20 21 100 200 1 300000 ESR 10 12V 12VF 14VF 1 30000 8 In the context of address family VPNv4 BGP configuration enable extended attribute transfer esr config bgp neighbor af send community extended 6 7 2 Configuration example Objective Configure L3VPN based on MPLS technology between ESR1 and ESR3 The final result of the configuration is the appearance of connectivi...

Page 230: ...er ospf 1 router id 1 1 1 1 area 0 0 0 0 enable exit enable exit interface loopback 1 ip address 1 1 1 1 32 ip ospf instance 1 ip ospf exit interface gigabitethernet 1 0 1 10 ip firewall disable ip address 10 10 10 1 30 ip ospf instance 1 ip ospf exit interface gigabitethernet 1 0 1 40 ip firewall disable ip address 40 40 40 1 30 ip ospf instance 1 ip ospf exit system jumbo frames ...

Page 231: ...a 0 0 0 0 enable exit enable exit interface loopback 1 ip address 2 2 2 2 32 ip ospf instance 1 ip ospf exit interface gigabitethernet 1 0 1 10 ip firewall disable ip address 10 10 10 2 30 ip ospf instance 1 ip ospf exit interface gigabitethernet 1 0 1 20 ip firewall disable ip address 20 20 20 2 30 ip ospf instance 1 ip ospf exit system jumbo frames ...

Page 232: ...a 0 0 0 0 enable exit enable exit interface loopback 1 ip address 3 3 3 3 32 ip ospf instance 1 ip ospf exit interface gigabitethernet 1 0 1 20 ip firewall disable ip address 20 20 20 1 30 ip ospf instance 1 ip ospf exit interface gigabitethernet 1 0 1 30 ip firewall disable ip address 30 30 30 1 30 ip ospf instance 1 ip ospf exit system jumbo frames ...

Page 233: ...a 0 0 0 0 enable exit enable exit interface loopback 1 ip address 4 4 4 4 32 ip ospf instance 1 ip ospf exit interface gigabitethernet 1 0 1 40 ip firewall disable ip address 40 40 40 2 30 ip ospf instance 1 ip ospf exit interface gigabitethernet 1 0 1 30 ip firewall disable ip address 30 30 30 2 30 ip ospf instance 1 ip ospf exit system jumbo frames ...

Page 234: ...Router IP 2 2 2 2 128 Full BDR 00 39 gi1 0 1 10 10 10 10 2 4 4 4 4 128 Full BDR 00 32 gi1 0 1 40 40 40 40 2 ESR1 show ip ospf O 40 40 40 0 30 150 10 dev gi1 0 1 40 ospf1 1970 01 08 1 1 1 1 O 30 30 30 0 30 150 20 via 40 40 40 2 on gi1 0 1 40 ospf1 1970 01 08 3 3 3 3 O 1 1 1 1 32 150 0 dev lo1 ospf1 1970 01 08 1 1 1 1 O 4 4 4 4 32 150 10 via 40 40 40 2 on gi1 0 1 40 ospf1 1970 01 08 4 4 4 4 O 20 20 ...

Page 235: ...0 1 20 exit ESR3 mpls ldp address family ipv4 transport address 3 3 3 3 interface gigabitethernet 1 0 1 20 exit interface gigabitethernet 1 0 1 30 exit exit enable exit forwarding interface gigabitethernet 1 0 1 20 forwarding interface gigabitethernet 1 0 1 30 exit ESR4 mpls ldp address family ipv4 transport address 4 4 4 4 interface gigabitethernet 1 0 1 30 exit interface gigabitethernet 1 0 1 40...

Page 236: ... ESR3 config vrf ip protocols bgp max routes 1000 ESR3 config vrf rd 65500 100 ESR3 config vrf route target export 65500 100 ESR3 config vrf route target import 65500 100 ESR3 config vrf exit ESR1 show mpls ldp neighbor Peer LDP ID 2 2 2 2 Local LDP ID 1 1 1 1 State Operational TCP connection 2 2 2 2 33933 1 1 1 1 646 Messages sent received 1059 1070 Uptime 17 32 07 LDP discovery sources gigabitet...

Page 237: ...R3 config router bgp 65500 ESR3 config bgp router id 3 3 3 3 ESR3 config bgp enable ESR3 config bgp neighbor 1 1 1 1 ESR3 config bgp neighbor remote as 65500 ESR3 config bgp neighbor update source 3 3 3 3 ESR3 config bgp neighbor enable ESR3 config bgp neighbor address family ipv4 unicast ESR3 config bgp neighbor af enable ESR3 config bgp neighbor af exit ESR3 config bgp neighbor address family vp...

Page 238: ...s 192 168 32 2 30 exit interface loopback 1 ip address 10 100 0 1 24 exit route map OUTPUT rule 1 match ip address 10 100 0 0 24 action permit Configure eBGP between ESR1 and CE_SiteA CE_SiteA router bgp log neighbor changes router bgp 65505 router id 192 168 32 1 neighbor 192 168 32 1 remote as 65500 allow local as 1 update source 192 168 32 2 address family ipv4 unicast route map OUTPUT out enab...

Page 239: ...s 192 168 32 1 30 Create a route map route map OUTPUT rule 1 action permit Configure eBGP between ESR1 and CE_SiteA ESR1 router bgp 65500 vrf Customer1 router id 192 168 32 1 neighbor 192 168 32 2 remote as 65505 update source 192 168 32 1 address family ipv4 unicast Allow BGP routes to be transmitted to the peer ESR1 route map OUTPUT out enable exit enable exit Allow forwarding routes from VRF to ...

Page 240: ...ddress 192 168 32 6 30 exit interface loopback 1 ip address 10 100 1 1 24 exit route map OUTPUT rule 1 match ip address 10 100 1 0 24 action permit ESR1 show ip bgp 65500 vrf Customer1 neighbors 192 168 32 2 advertise routes Status codes u unicast b broadcast m multicast a anycast valid best Origin codes i IGP e EGP incomplete Network Next Hop Metric LocPrf Weight Path u 10 100 1 0 24 192 168 32 1...

Page 241: ...ipv4 unicast network 10 100 1 0 24 exit enable ESR3 Configure interface to the CE direction ESR3 interface gigabitethernet 1 0 2 ip vrf forwarding Customer1 description Customer1 ip firewall disable ip address 192 168 32 5 30 Create a route map in which we specify the subnets allowed to be advertised ESR3 route map OUTPUT rule 1 action permit Configure eBGP between ESR3 and CE_SiteB ESR3 router bg...

Page 242: ...S traffic balancing. ESR routers have a multi-core architecture. One of the first links in processing incoming traffic is the load balancer daemon (lbd), which performs two main functions: 1. Distributes the load evenly among all router CPUs. 2. Detects abnormal situations with high load on some CPUs and redistributes processing from these CPUs to less loaded ones. ESR1 show ip bgp vpnv4 unicast all Status ...

Page 243: ...ration with the bridge domain within MPLS. To organize an L2VPN service you need to configure a bridge domain on the device, create the required AC and PW (LDP signaling), and include all the necessary elements in this bridge domain. cpu load balance mpls passenger ip: enables the possibility to look beyond the MPLS header to find the IP header and add ip src and ip dst to the hash calculation. cpu load balance ...

Page 244: ...Switching takes into account the DST MAC in the frames but does not take into account the VLAN tags present on the frames; thus switching within a bridge domain is not VLAN-aware. The bridge domain can operate in two transport modes: ethernet or vlan. Transport mode sets the rules for handling traffic to and from the bridge domain. In LDP signaling, ethernet mode (Raw mode, type 5) is used by default. A tra...

Page 245: ...d in the bridge domain, so the vlan tag (vlan id 100) from incoming traffic will be removed before being placed in Pseudowire 10 and, respectively, restored when traffic goes to the AC side. On the other side, the AC on PE2 is an interface, which means that traffic will pass through without modification in either direction. 2. Vlan (Tagged) mode. If the AC is a subinterface, the vlan tag is saved before putting it in the br...

Page 246: ...2 config mpls l2vpn PE2 config l2vpn pw class MTU_example PE2 config l2vpn pw class encapsulation mpls mtu 9000 PE2 config l2vpn pw class exit PE2 config mpls l2vpn PE2 config l2vpn vpls MTU_Example_PW PE2 config l2vpn vpls pw 200 10 10 0 1 PE2 config l2vpn pw pw class PE2 config l2vpn pw pw class MTU_example View created pw class PE2 sh mpls l2vpn pw class PW class Neighbor PW ID Status Status tl...

Page 247: ...Consider the example. In the figure above, PE1 raises two pseudowires: Pseudowire 10 to PE2 and Pseudowire 20 to PE3 respectively. For signaling with PE2 the MTU will be set to 2000 (pw class TO_PE2); for PE3 the MTU will be 3000 (pw class TO_PE3). ...

Page 248: ...he pseudowire will be DOWN (Reason: MTU mismatch). PE1 config l2vpn vpls l2vpn_MTU PE1 config l2vpn vpls autodiscovery bgp PE1 config bgp mtu 2000 PE2 sh mpls l2vpn vpls l2vpn_MTU PWs PW ID 2 Neighbor 10 10 0 1 MTU 2000 Last change 00 00 10 Status Down Reason MTU mismatch. By default the bridge domain has an MTU of 1500 bytes. It is worth noting that the bridge domain automatically selects the lowest MTU va...

Page 249: ...come the lowest MTU bridge 100 1500 The lowest MTU value MTU gi1 0 1 2000 MTU gi1 0 2 3000 CE3 sh interfaces bridge Bridges Interfaces bridge 100 gi1 0 1 2 CE3 sh interfaces status bridge 100 Interface bridge 100 status information Description Operational state UP Administrative state Up Supports broadcast Yes Supports multicast Yes MTU 1500 MAC address a8 f9 4b aa 11 00 Last change 1 minute and 4...

Page 250: ...c 4d 16 5 hours 25 minutes and 2 Routerport seconds gi1 0 2 Up Up 1500 a8 f9 4b ac 4d 17 4 days 4 hours 49 Switchport minutes and 40 seconds gi1 0 3 Up Up 1800 a8 f9 4b ac 4d 18 4 days 1 hour 49 Switchport minutes and 38 seconds bridge 2 Up Up 1500 a8 f9 4b ac 4d 15 1 day 1 hour 27 minutes Routerport and 28 seconds CE1 sends packets of 1500 bytes CE2 sends packets of 1800 bytes respectively Since ...

Page 251: ...Similar behavior occurs when passing traffic in the L3VPN service: if CE1 sends a packet with a higher MTU than on the interface facing the client (gi1/0/2) or towards the MPLS core (gi1/0/1), the packet will be discarded. ...

Page 252: ...ithm Access list configuration example IPS IDS configuration Base configuration algorithm Configuration algorithm for IPS IDS rules autoupdate from external sources Recommended open rule update source IPS IDS configuration example with auto update rules Basic user rules configuration algorithm Basic user rules configuration example Extended user rules configuration algorithm Extended user rules co...

Page 253: ...privileges elevation esr config aaa authentication enable NAME METHOD 1 METHOD 2 METHOD 3 METHOD 4 NAME list name set by the string of up to 31 characters Authentication methods local authentication by local user base tacacs authentication by TACACS server list radius authentication by RADIUS server list ldap authentication by LDAP server list 3 Set the method for iterating over authentication met...

Page 254: ...e range of 1 15 Default value 0 7 Set the lifetime of local user password optional esr config security passwords lifetime TIME TIME password lifetime in days Takes values in the range of 1 365 Default The lifetime of local user password is unlimited 8 Set a limit on the minimum length of local user password and ENABLE password optional esr config security passwords min length NUM NUM minimum numbe...

Page 255: ...mber of digits in the password Takes values in the range of 0 128 Default value 0 14 Set the minimum number of special characters in the local user password and ENABLE password optional esr config security passwords special case COUNT COUNT minimum number of special characters in the password Takes values in the range of 0 128 Default value 0 15 Add user in the local database and switch to the use...

Page 256: ... dscp DSCP DSCP DSCP code value takes values in the range of 0 63 Default value 63 2 Set the global number of iterative queries to the last active RADIUS server optional esr config radius server retransmit COUNT COUNT amount of iterative requests to RADIUS server takes values of 1 10 Default value 1 3 Set the global value of the interval after which the router assumes that the RADIUS server is not...

Page 257: ...6 bytes size set by the string of 16 32 characters 7 Prioritize the use of a remote RADIUS server optional esr config radius server priority PRIORITY PRIORITY remote server priority takes values in the range of 1 65535 The lower value the higher the priority of server is Default value 1 8 Set the interval after which the router assumes that the RADIUS server is not available optional esr config ra...

Page 258: ...r config aaa authentication enable NAME METHOD 1 METHOD 2 METHOD 3 METHOD 4 NAME list name set by the string of up to 31 characters default default list name METHOD authentication methods enable authentication by enable passwords tacacs authentication by TACACS radius authentication by RADIUS ldap authentication by LDAP 12 Set the method for iterating over authentication methods optional esr confi...

Page 259: ...ng of up to 31 characters Created in step 9 7 2 2 AAA configuration algorithm via TACACS Step Description Command Keys 1 Set the DSCP code global value for the use in IP headers of TACACS server egress packets optional esr config tacacs server dscp DSCP DSCP DSCP code value takes values in the range of 0 63 Default value 63 2 Set the global value of the interval after which the router assumes that...

Page 260: ...ASCII characters ENCRYPTED TEXT encrypted password 8 16 bytes size set by the string of 16 32 characters 6 Set the port number to communicate with remote TACACS server optional esr config tacacs server port PORT PORT number of TCP port to exchange data with a remote server takes values of 1 65535 Default value 49 for TACACS server 7 Prioritize the use of a remote TACACS server optional esr config ...

Page 261: ...following authentication method in the chain break if the server returned FAIL abandon authentication attempts If the server is unavailable continue authentication attempts by the following methods in the chain Default value chain 11 Configure the list of CLI commands accounting methods optional esr config aaa accounting commands stop only tacacs 12 Configure tacacs in the list of user session acc...

Page 262: ...ig ldap server bind authenticate root dn NAME NAME DN of a user with administration rights set by the string of up to 255 characters 4 Specify the password of a user with administrator rights under which authorization will take place on the LDAP server when searching for users esr config ldap server bind authenticate root password ascii text TEXT encrypted ENCRYPTED TEXT TEXT string 8 16 ASCII cha...

Page 263: ...ame set by the string of up to 127 characters Default value priv lvl 10 Set the DSCP code global value for the use in IP headers of LDAP server egress packets optional esr config ldap server dscp DSCP DSCP DSCP code value takes values in the range of 0 63 Default value 63 11 Add LDAP server to the list of used servers and switch to its configuration mode esr config ldap server host IP ADDR IPV6 AD...

Page 264: ...rver is Default value 1 15 Set IPv4 IPv6 address that will be used as source IPv4 IPv6 address in transmitted LDAP packets esr config ldap server source address ADDR IPV6 ADDR ADDR source IP address defined as AAA BBB CCC DDD where each part takes values of 0 255 IPV6 ADDR source IPv6 address defined as X X X X X where each part takes values in hexadecimal format 0 FFFF 16 Set LDAP as authenticati...

Page 265: ...s of iterating over methods chain if the server returned FAIL proceed to the following authentication method in the chain break if the server returned FAIL abandon authentication attempts If the server is unavailable continue authentication attempts by the following methods in the chain Default value chain 19 Switch to the corresponding terminal configuration mode esr config line TYPE TYPE console...

Page 266: ...esr config line telnet exit esr config exit. To view the information on RADIUS server connection settings, use the following command: esr show aaa radius servers. To view the authentication profiles, use the following command: esr show aaa authentication. 7.3 Command privilege configuration. Command privilege configuration is a flexible tool that allows you to assign a baseline user privilege level (1 15) to...

Page 267: ...level 10 show interfaces 7 4 Configuration of logging and protection against network attacks 7 4 1 Configuration algorithm Step Description Command Keys 1 Enable protection against ICMP flood attacks esr config ip firewall screen dos defense icmp threshold NUM NUM amount of ICMP packets per second set in the range of 1 10000 2 Enable protection against land attacks esr config firewall screen dos d...

Page 268: ...nuke 8 Enable the blocking of TCP packets with the FIN flag set and the ACK flag not set esr config ip firewall screen spy blocking fin no ack 9 Enable the blocking of various type ICMP packets esr config ip firewall screen spy blocking icmp type TYPE ICMP type may take the following values destination unreachable echo request reserved source quench time exceeded 10 Enable the protection against I...

Page 269: ...kets icmp fragment 17 Enable the blocking of fragmented IP packets esr config ip firewall screen suspicious packets ip fragment 18 Enable the blocking of ICMP packets more than 1024 bytes esr config ip firewall screen suspicious packets icmp fragment 19 Enable the blocking of fragmented TCP packets with the SYN flag esr config ip firewall screen suspicious packets syn fragment 20 Enable the blocki...

Page 270: ...pecialized packets; type takes the following values: icmp fragment, ip fragment, large icmp, syn fragment, udp fragment, unknown protocols. 7.4.2 Description of attack protection mechanisms. Command / Description. ip firewall screen dos defense icmp threshold: the given command enables the protection against ICMP flood attacks. When the protection is enabled, the amount of all types of ICMP packets per second for o...

Page 271: ...flag set and 139 destination port are blocked. The attack leads to the failure of older Windows versions (up to Windows 95). ip firewall screen spy blocking fin no ack: the given command enables the blocking of TCP packets with the FIN flag set and the ACK flag not set. These packets are specialized, and it is possible to determine a victim's operating system by the response. ip firewall screen spy blocking i...

Page 272: ...given command enables the protection against IP spoofing attacks. When the protection is enabled, the router checks packets for matching the source address against routing table entries, and in case of mismatch the packet is dropped. For example, if a packet with source address 10.0.0.1/24 arrives at the Gi1/0/1 interface and the given subnet is located behind the Gi1/0/2 interface in the routing table, it i...

Page 273: ...e given command enables the blocking of fragmented UDP packets. ip firewall screen suspicious packets unknown protocols: the given command enables the blocking of packets with the protocol ID contained in the IP header equal to 137 or more. 7.4.3 Configuration example of logging and protection against network attacks. Objective: protect LAN and ESR router from land, syn flood, ICMP flood network attacks and...

Page 274: ...fig if gi security zone WAN esr config if gi ip address 10 0 0 1 24 esr config if gi exit Enable the protection against land syn flood ICMP flood attacks esr config ip firewall screen dos defense land esr config ip firewall screen dos defense syn flood 100 src dst esr config ip firewall screen dos defense icmp threshold 100 Configure the logging of detected attacks esr config ip firewall logging s...

Page 275: ...5 Disable filtration of packets for which it was not possible to determine belonging to any known connection and which are not the beginning of a new connection optional may reduce the performance esr config ip firewall sessions allow unknown 6 Select firewall operation mode optional esr config ip firewall mode MODE MODE firewall operation mode may take the following values stateful stateless Defa...

Page 276: ...cp connect timeout TIME TIME lifetime of TCP session in connection is being established state takes values in seconds 1 8553600 Default value 60 seconds 13 Determine the lifetime of TCP session in connection is being closed state after which it is considered to be outdated optional esr config ip firewall sessions tcp disconnect timeout TIME TIME lifetime of TCP session in connection is being close...

Page 277: ... ip firewall sessions udp assured timeout TIME TIME lifetime of UDP session in connection is confirmed state takes values in seconds 1 8553600 Default value 180 seconds 18 Determine the lifetime of UDP session in connection is not confirmed state after which it is considered to be outdated esr config ip firewall sessions udp wait timeout TIME TIME lifetime of UDP session in connection is not confi...

Page 278: ...dress optional parameter If the parameter is not specified a single IPv6 address is set by the command The addresses are defined as X X X X X where each part takes values in hexadecimal format 0 FFFF 22 Create services lists which will be used during filtration esr config object group service obj group name obj group name service profile name set by the string of up to 31 characters 23 Specify ser...

Page 279: ...erver l2tp openvpn pptp or tunnels gre ip4ip4 l2tp lt pppoe pptp optional esr config if gi ip firewall disable 29 Create an interzone interaction rule set esr config security zone pair src zone name1 dst zone name2 src zone name up to 12 characters dst zone name up to 12 characters 30 Create an interzone interaction rule set esr config zone pair rule rule number rule number 1 10000 31 Specify rule...

Page 280: ...38 Set TCP UDP ports profile for which the rule should work if the protocol is specified esr config zone rule match not source port PORT SET NAME PORT SET NAME set by the string of up to 31 characters When specifying the any value the rule will work for any sender recipient TCP UDP port 39 Set the destination TCP UDP ports profile for which the rule should work if the protocol is specified esr con...

Page 281: ...g mode while packets are transmitted between participants of one Bridge group (optional; available only for ESR 1000, 1200, 1500, 1700): esr config bridge ports firewall enable. 1 When using the not key, the rule will work for values which are not included in a specified profile. Each match command may contain the not key. When using the key, packets that do not meet the given requirement will fall under the rule. Yo...

Page 282: ...ct group network WAN_GATEWAY esr config object group network ip address range 192 168 23 3 esr config object group network exit To transfer traffic from LAN zone into WAN zone create a pair of zones and add a rule allowing ICMP traffic transfer from R1 to R2 Rules are applied with the enable command esr config security zone pair LAN WAN esr config zone pair rule 1 esr config zone pair rule action ...

Page 283: ...outer could response to the ICMP requests from LAN zone add a rule allowing ICMP traffic transfer from R1 to ESR esr config security zone pair LAN self esr config zone pair rule 1 esr config zone pair rule action permit esr config zone pair rule match protocol icmp esr config zone pair rule match destination address LAN esr config zone pair rule match source address LAN_GATEWAY esr config zone pai...

Page 284: ...fig interface gi1 0 1 esr config if gi ip address 10 0 0 1 24 esr config if gi security zone WAN esr config if gi exit esr config interface gi1 0 2 esr config if te ip address 192 168 0 1 24 esr config if te security zone LAN esr config if te exit To configure security zones rules you should create profile of the applications that should be blocked esr config object group application APP esr confi...

Page 285: ...f zones and add a rule allowing all traffic to pass Rules are applied with the enable command esr config security zone pair LAN WAN esr config zone pair rule 1 esr config zone pair rule action permit esr config zone pair rule enable esr config zone pair rule exit esr config zone pair pair exit To view port membership in zones use the following command esr show security zone To view zone pairs and ...

Page 286: ...tch protocol id ID ID IP identification number takes values of 0x00 0xFF 6 Set sender IP addresses for which the rule should work optional esr config acl rule match source address ADDR MASK any ADDR sender IP address defined as AAA BBB CCC DDD where each part takes values of 0 255 MASK IP address mask defined as AAA BBB CCC DDD where each part takes values of 0 255 Mask bits set to zero specify IP...

Page 287: ...uld work optional Cannot be used with IP Precedence esr config acl rule match dscp DSCP DSCP DSCP code value takes values in the range of 0 63 14 Set IP Precedence code for which the rule should work optional Cannot be used with DSCP esr config acl rule match ip precedence IPP IPP IP Precedence code value takes values in the range of 0 7 15 Set VLAN ID for which the rule should work optional esr...

Page 288: ...les. ESR devices allow you to download current rules from open sources on the Internet or from a corporate server. Using the CLI you can also create your own specific rules. By default, ESR devices have a basic set of rules from EmergingThreats designed for testing and verifying system health. 7.7.1 Base configuration algorithm. Step / Description / Command / Keys. 1 Create IPS IDS security policy esr config s...

Page 289: ...f gi service ips enable 7 7 2 Configuration algorithm for IPS IDS rules autoupdate from external sources Step Description Command Keys 1 Switch to the autoupdate configuration mode esr config ips auto upgrade 2 Specify a name and enter the configuration mode of the user update server esr config ips auto upgrade user server WORD WORD server name set by the string of up to 32 characters 3 Specify th...

Page 290: ...ese rules describe well-known botnets and control servers. Sources: Shadowserver.org, Zeus Tracker, Palevo Tracker, Feodo Tracker, Ransomware Tracker. https://rules.emergingthreats.net/open/suricata/rules/ciarmy.rules: these rules describe malicious hosts by the classification of the www.cinsarmy.com project. https://rules.emergingthreats.net/open/suricata/rules/compromised.rules: these rules describe well-know...

Page 291: ...ps://rules.emergingthreats.net/open/suricata/rules/emerging-icmp_info.rules: these rules contain signatures of ICMP information messages. https://rules.emergingthreats.net/open/suricata/rules/emerging-imap.rules: these rules contain signatures of vulnerabilities in the IMAP protocol and signs of incorrect use of the IMAP protocol. https://rules.emergingthreats.net/open/suricata/rules/emerging-inappropriate.rule...

Page 292: ... of the SMTP protocol. https://rules.emergingthreats.net/open/suricata/rules/emerging-sql.rules: these rules contain vulnerability signatures for SQL DBMS. https://rules.emergingthreats.net/open/suricata/rules/emerging-telnet.rules: these rules contain signatures of vulnerabilities in the telnet protocol and signs of incorrect use of the telnet protocol. https://rules.emergingthreats.net/open/suricata/rules/emer...

Page 293: ...the ESR to allow the names of the IPS IDS rule update sources esr config domain lookup enable esr config domain name server 8 8 8 8 Create IPS IDS security policy esr config security ips policy OFFICE esr config ips policy description My Policy esr config ips policy protect network group LAN Allow IPS IDS operation on the bridge 1 LAN interface esr config bridge 1 esr config bridge service ips ena...

Page 294: ... user server upgrade interval 4 esr config ips upgrade user server exit esr config auto upgrade user server C2 Botnet esr config ips upgrade user server description Abuse ch Botnet C2 IP Blacklist esr config ips upgrade user server url https sslbl abuse ch blacklist sslipblacklist rules esr config ips upgrade user server upgrade interval 4 esr config ips upgrade user server exit 7 7 5 Basic user r...

Page 295: ...L PROTOCOL take values any ip icmp http tcp udp When specifying the any value the rule will work for any protocols 7 Set sender IP addresses for which the rule should work esr config ips category rule source address ip ADDR ip prefix ADDR LEN object group OBJ_GR_NAME policy object group protect external any ADDR sender IP address defined as AAA BBB CCC DDD where each part takes values of 0 255 ADD...

Page 296: ...ach part AAA DDD takes values of 0 255 and LEN takes values of 1 32 OBJ_GR_NAME name of IP addresses profile that contains recipient IP address set by the string of up to 31 characters protect sets recipient addresses protect addresses defined in IPS IDS policy external sets external addresses defined in IPS IDS policy as recipient addresses When specifying the any value the rule will work for any...

Page 297: ...Step / Description / Command / Keys. 12 Define the message that IPS IDS will record to the log when this rule triggers: esr config ips category rule meta log message MESSAGE. MESSAGE: text message specified by a string of up to 129 characters. ...

Page 298: ...empt not suspicious not suspicious traffic unknown unknown traffic bad unknown potentially bad traffic attempted recon information leak attempt successful recon limited information leak successful recon largescale large scale information leak attempted dos denial of service attempt successful dos denial of service attempted user attempt to obtain user privileges unsuccessful user unsuccessful atte...

Page 299: ...CMP event inappropriate content inappropriate content was detected policy violation potential breach of corporate privacy default login attempt login attempt using a standard login password 14 Set DSCP code value for which the rule should work optional esr config ips category rule ip dscp DSCP DSCP DSCP code value takes values in the range of 0 63 15 Set the packet lifetime TTL value for which the...

Page 300: ... 19 Set ICMP Sequence ID value for which the rule should work Applicable only for protocol icmp value optional esr config ips category rule ip icmp sequence id SEQ ID SEQ ID ICMP Sequence ID value takes a value in the range 0 4294967295 20 Set ICMP TYPE value for which the rule should work Applicable only for protocol icmp value optional esr config ips category rule ip icmp type TYPE TYPE ICMP TYP...

Page 301: ...ang client body connection content type cookie file data header header names host method protocol referer request line response line server body start start code start msg uri user agent See the Suricata 4 X documentation for the meaning of the keywords https suricata readthedocs io en suricata 4 1 4 rules http keywords html 25 Set HTTP protocol URI LEN keyword value for which the rule will trigge...

Page 302: ...es from the beginning of the contents of the packet to check Only applicable in conjunction with the payload content command optional esr config ips category rule payload offset OFFSET OFFSET the number of offset bytes from the beginning of the packet contents takes a value in the range 1 65535 By default it is checked from the beginning of the content 30 Set the size of the contents of packets fo...

Page 303: ...ets with the same IP recipient 34 Specify threshold handling method esr config ips category rule threshold type threshold limit both threshold display a message every time a threshold is reached limit issue a message no more than COUNT times per time interval SECOND both threshold and limit combination A message will be generated if during the SECOND time interval there were COUNT or more packets ...

Page 304: ...le source port any esr config ips category rule destination port any We will indicate our server as the recipient address esr config ips category rule destination address ip 192 168 1 10 Attacker can send packets from any address esr config ips category rule source address any Set traffic direction esr config ips category rule direction one way The rule will trigger on packets larger than 1024 byt...

Page 305: ...ription set by the string of up to 255 characters 3 Create extended rule and switch to its configuration mode esr config ips category rule advanced SID SID rule number takes values of 1 4294967295 4 Specify the rule description optional esr config ips category rule advanced description DESCRIPTION DESCRIPTION description set by the string of up to 255 characters 5 Specify the given rule force esr ...

Page 306: ...ption programs infected sites and other types IPS on ESR devices can use the following sets of rules provided by Kaspersky SafeStream II IP address Reputation Data a set of IP addresses with contextual information that reports suspicious and malicious hosts URLs of malicious links a set of URLs corresponding to dangerous links and websites URLs of phishing links a set of URLs recognized by Kaspers...

Page 307: ...ontent provider storage device DEVICE DEVICE label and partition name on the external storage in the format of usb Partion_name mmc Partion_name 5 Set the time to reboot the device after receiving the certificate esr config content provider reboot immediately time HH MM SS Restart the device after receiving the certificate time HH MM SS The time at which esr will reboot hours minutes seconds 6 Ena...

Page 308: ...ice ips enable 11 Create IPS IDS security policy esr config security ips policy WORD 1 31 WORD 1 31 12 Specify the IP address profile that IPS IDS will protect esr config ips policy protect network group OBJ GROUP NETWORK_NAME OBJ GROUP NETWORK NAME protected IP addresses profile name set by the string of up to 32 characters 13 Enter the vendor configuration section esr config ips policy vendor ka...

Page 309: ...ous Hash Data Feed Malicious Hashes data streams Mobile Malicious Hash Data Feed mobile Malicious Hashes data streams IP Reputation Data Feed IP address data streams Mobile Botnet Data Feed mobile Botnet data streams P SMS Trojan Data Feed P SMS Trojan data stream Ransomware URL Data Feed Ransomware URL data stream Botnet C C URL Exact Data Feed Botnet C C URL Exact data stream Phishing URL Exact ...

Page 310: ...e number of downloadable rules esr config ips vendor category rules count number number 17 Enable category enable 18 Switch to the IPS IDS configuration mode esr config security ips 19 Assign IPS IDS security policy esr config ips policy NAME NAME security policy name set by the string of up to 32 characters 20 Use all ESR resources for IPS IDS optional esr config ips perfomance max 21 Set USB dri...

Page 311: ... profile that IPS IDS will protect object group network objectgroup0 ip prefix 192 168 30 0 24 exit Enable IPS on the interface interface gigabitethernet 1 0 1 service ips enable exit Configure security policy security ips policy policy0 protect network group objectgroup0 vendor kaspersky category MaliciousURLsDF rules action alert rules count 100 enable exit category MobileBotnetCAndCDF rules act...

Page 312: ...ry MaliciousHashDF rules action alert rules count 1 enable exit category MobileMaliciousHashDF rules action alert rules count 1 enable exit category PSMSTrojanDF rules action alert rules count 1 enable exit category PhishingURLsDF rules action alert rules count 1000 enable exit category RansomwareURLsDF rules action alert rules count 1000 enable exit exit exit Assign an IPS policy to the service a...

Page 313: ...his command you can find out if the content provider has downloaded rules from the EDM server based on the presence of the md5 checksum and when the next update is scheduled for the device show security ips counters esr 20 show security ips counters TCP flows processed 191 Alerts generated 0 Blocked by ips engine 7 Accepted by ips engine 51483 Shows the traffic passed through IPS IDS and the actio...

Page 314: ...tion Command Keys 1 Switch to the interface tunnel network bridge configuration mode for which it is necessary to configure VRRP esr config interface IF TYPE IF NUM IF TYPE interface type IF NUM F S P F frame 1 S slot 0 P port esr config tunnel TUN TYPE TUN NUM TUN TYPE tunnel type TUN NUM tunnel number esr config bridge BR NUM BR NUM bridge number 2 Configure the required parameters on the interf...

Page 315: ...ocesses there is a change of master then in another process the roles will also be changed esr config if gi vrrp group GRID GRID VRRP router group identifier takes values in the range of 1 32 esr config if gi ipv6 vrrp group GRID 8 Set the IP address that will be used as a source IP address for VRRP messages esr config if gi vrrp source ip IP ADDR sender IP address defined as AAA BBB CCC DDD where...

Page 316: ...uter would try to take the Master role from the current lower priority Master router esr config if gi vrrp preemption disable esr config if gi ipv6 vrrp preemption disable 15 Set the time interval after which the higher priority Backup route will try to take the Master role from the current lower priority Master router esr config if gi vrrp preemption delay TIME TIME timeout takes value in seconds...

Page 317: ...or ipv6 vrrp in MASTER status esr config if gi ipv6 vrrp timers nd refresh TIME TIME time in seconds takes values of 1 65535 Default value 5 22 Specify the amount of ND messages sent in the update period for ipv6 vrrp in MASTER status esr config if gi ipv6 vrrp timers nd refresh repeat NUM NUM amount takes values of 1 60 Default value 0 23 Specify the amount of ND packets sendings after setting ip...

Page 318: ...192 168 1 1 24 R1 config subif vrrp ip 192 168 1 1 Enable VRRP R1 config subif vrrp R1 config subif exit Configure R2 in the same manner 8 1 3 Configuration example 2 Objective Establish virtual gateways for 192 168 20 0 24 subnet in VLAN 50 and 192 168 1 0 24 in VLAN 60 using VRRP with Master sync feature To do this you have to group VRRP processes IP addresses 192 168 1 1 and 192 168 20 1 are us...

Page 319: ...P group identifier R1 config subif vrrp group 5 Enable VRRP R1 config subif vrrp R1 config subif exit Configure VRRP for 192 168 20 0 24 subnet in the created sub interface Specify unique VRRP identifier R1 config sub interface gi 1 0 6 60 R1 config subif vrrp id 20 Specify virtual gateway IP address 192 168 1 20 R1 config subif vrrp ip 192 168 20 1 Specify VRRP group identifier R1 config subif vr...

Page 320: ... VRRP according to the section VRRP configuration algorithm 2 Add Tracking object to the system and switch to the Tracking object parameters configuration mode esr config tracking ID ID Tracking object number takes values of 1 60 3 Specify a rule for keeping track of VRRP process status esr config tracking vrrp VRID not state master backup fault VRID trackable VRRP router identifier takes values i...

Page 321: ... AAA BBB CCC DDD where each part takes values of 0 255 resolve when specifying this parameter gateway IP address will be recursively calculated through the routing table If the recursive calculation fails to find a gateway from a directly connected subnet then this route will not be installed into the system IF an IP interface name specified in the form described in Section Types and naming order ...

Page 322: ...ess where each part takes values of 0 255 7 The interval at which pings are sent esr config bridge vrrp track ip seconds seconds time interval in seconds 3 60 Default value is 10 8 The number of pings that are sent when monitoring a remote address esr config bridge vrrp track ip packets packets packets number of packets to be sent 1 5 Default value 5 8 2 2 Configuration example Objective Virtual g...

Page 323: ...ce gigabitethernet 1 0 1 switchport forbidden default vlan exit interface gigabitethernet 1 0 1 741 ip firewall disable ip address 192 168 0 2 24 vrrp id 10 vrrp ip 192 168 0 1 24 vrrp exit interface gigabitethernet 1 0 2 switchport forbidden default vlan exit interface gigabitethernet 1 0 2 742 ip firewall disable ip address 192 168 1 1 30 exit ...

Page 324: ...ewall disable ip address 10 0 1 1 24 exit Solution There is no need for any changes on router R2 since subnet 10 0 1 0 24 is terminated on it and as soon as router R2 is vrrp master packets will be transmitted to the corresponding interface As soon as R1 becomes vrrp master a route must be created for packets with destination IP address from network 10 0 1 0 24 Create tracking object with corresponding c...

Page 325: ...onfiguration example 9 1 Configuring server for remote access to corporate network via PPTP protocol PPTP Point to Point Tunneling Protocol is a point to point tunneling protocol that allows a computer to establish secure connection with a server by creating a special tunnel in a common unsecured network PPTP encapsulates PPP frames into IP packets for transmission via global IP network e g the In...

Page 326: ...y IP address set by the string of up to 31 characters ADDR range starting IP address defined as AAA BBB CCC DDD where each part takes values of 0 255 5 Specify IP addresses list from which dynamic IP addresses are leased to remote users by PPTP esr config pptp server remote address object group OBJ GROUP NETWORK NAME address range FROM ADDR TO ADDR OBJ GROUP NETWORK NAME name of the IP addresses p...

Page 327: ...nteraction rules between zones or disable firewall see section Firewall configuration esr config pptp server security zone NAME NAME security zone name set by the string of up to 31 characters 12 Enable server esr config pptp server enable 13 Specify outgoing packets DSCP priority optionally esr config pptp server dscp DSCP DSCP outgoing packets dscp priority 0 63 14 Enable MPPE encryption for PPT...

Page 328: ...J GROUP NETWORK NAME OBJ GROUP NETWORK NAME name of the IP addresses profile that includes required WINS servers addresses set by the string of up to 31 characters 9 1 2 Configuration example Objective Configure PPTP server on a router PPTP server address 120 11 5 1 Gateway inside the tunnel for connecting clients 10 10 10 1 IP address pool for lease 10 10 10 5 10 10 10 25 DNS servers 8 8 8 8 8 8 ...

Page 329: ...0 10 25 esr config object group network exit Create PPTP server and map profiles listed above esr config remote access pptp remote workers esr config pptp local address object group pptp_local esr config pptp remote address object group pptp_remote esr config pptp outside address object group pptp_outside esr config pptp dns servers object group pptp_dns Select authentication method for PPTP serve...

Page 330: ...llowing command esr show remote access configuration pptp remote workers 9 2 Configuring server for remote access to corporate network via L2TP protocol L2TP Layer 2 Tunneling Protocol is a sophisticated tunneling protocol used to support virtual private networks L2TP encapsulates PPP frames into IP packets for transmission via global IP network e g the Internet L2TP may be used for tunnel establi...

Page 331: ...ber 4 Specify the IP address of the local gateway or disable firewall for the PPTP server esr config l2tp server local address object group OBJ GROUP NETWORK NAME ip address ADDR OBJ GROUP NETWORK NAME name of the IP addresses profile that includes local gateway IP address set by the string of up to 31 characters ADDR range starting IP address defined as AAA BBB CCC DDD where each part takes value...

Page 332: ...chap is allowed 8 Include the L2TP server in a security zone and configure interaction rules between zones see section Firewall configuration esr config l2tp server security zone NAME NAME security zone name set by the string of up to 31 characters 9 Specify user name when using local authentication base esr config l2tp server username NAME NAME user name set by the string of up to 12 characters 1...

Page 333: ...ssionUnit for the server optionally MTU above 1500 will be active only when using the system jumbo frames command esr config l2tp server mtu MTU MTU MTU value takes values in the range of 1280 1500 Default value 1500 17 Define the list of DNS servers that will be used by remote users optionally esr config l2tp server dns servers object group OBJ GROUP NETWORK NAME OBJ GROUP NETWORK NAME name of th...

Page 334: ...ork ip address range 8 8 8 8 esr config object group network ip address range 8 8 4 4 esr config object group network exit Create L2TP server and map profiles listed above esr config remote access l2tp remote workers esr config l2tp local address ip address 10 10 10 1 esr config l2tp remote address address range 10 10 10 5 10 10 10 15 esr config l2tp outside address ip address 120 11 5 1 esr confi...

Page 335: ...ame fedor To view L2TP server configuration use the following command esr show remote access configuration l2tp remote workers 9 3 Configuring server for remote access to corporate network via OpenVPN protocol OpenVPN is a sophisticated tool based on SSL that implements Virtual Private Networks VPN enables remote access and solves many different tasks related to data transmission security 9 3 1 Co...

Page 336: ...agrams 5 Define type of connection with a private network via OpenVPN server esr config openvpn server tunnel TYPE TYPE encapsulation protocol takes the following values ip point to point connection ethernet L2 domain connection 6 Specify IP addresses list from which dynamic IP addresses are leased to remote users in L2 mode by OpenVPN server only for tunnel ethernet esr config openvpn server addr...

Page 337: ...l configuration esr config openvpn server security zone NAME NAME security zone name set by the string of up to 31 characters 11 Define the additional parameters for a specified OpenVPN server user when using a local base for user authentication esr config openvpn server username NAME NAME user name set by the string of up to 31 characters 12 Define a subnet for the specified user of the OpenVPN s...

Page 338: ...default route advertising for OpenVPN connections which leads to the replacement of the default route on the client side optionally esr config openvpn server redirect gateway 21 Enable the advertising of specified subnets the gateway is OpenVPN server IP address optionally esr config openvpn server route ADDR LEN ADDR LEN subnet address set in the following format AAA BBB CCC DDD EE network IP add...

Page 339: ...128 bits key size md4 rsa md4 md5 rsa md5 mdc2 rsa mdc2 8 160 bits key size sha sha1 rsa sha rsa sha1 rsa sha1 2 dsa dsa sha dsa sha1 dsa sha1 old ripemd160 rsa ripemd160 ecdsa with sha1 8 224 bits key size sha 224 rsa sha 224 8 256 bits key size sha 256 rsa sha 256 8 384 bits key size sha 384 rsa sha 384 8 512 bits key size sha 512 rsa sha 512 whirlpool Default value sha 9 3 2 Configuration examp...

Page 340: ...rotocol esr config openvpn tunnel ip esr config openvpn protocol tcp Announce LAN subnets that will be available via OpenVPN connection and define DNS server esr config route 10 10 0 0 20 esr config openvpn dns server 10 10 1 1 Specify previously imported certificates and keys that will be used with OpenVPN server esr config openvpn certificate ca ca crt esr config openvpn certificate dh dh pem es...

Page 341: ...e or a point to point connection that is used to transmit IP packets and also works with PPP features This allows applying conventional PPP oriented software to configure the connection that uses not serial communication link but packet oriented network for example Ethernet to organize a classical connection with login and password for Internet connections In addition IP address on the opposite si...

Page 342: ...AME security zone name set by the string of up to 31 characters 7 Enable a configured profile esr config pppoe enable 8 Specify authentication method optionally esr config pppoe authentication method METHOD METHOD authentication method possible values chap mschap mschap v2 eap pap Default value chap 9 Enable the opt out of receiving the default route from PPPoE server optionally esr config pppoe i...

Page 343: ...ts optional esr config pppoe ip tcp adjust mss MSS MSS MSS value takes values in the range of 500 1460 Default value 1460 15 Enable recording of the current tunnel usage statistics optional esr config pppoe history statistics It is also possible to configure the PPPoE client QoS in basic or advanced mode see section QoS management proxy see section HTTP HTTPS traffic proxying Traffic monitoring se...

Page 344: ...point tunneling protocol that allows establishing secure connection with a server by creating a special tunnel in a common unsecured network PPTP encapsulates PPP frames into IP packets for transmission via global IP network e g the Internet PPTP may be used for tunnel establishment between two local area networks PPTP uses an additional TCP connection for tunnel handling 9 5 1 Configuration algor...

Page 345: ... value takes values in the range of for ESR 10 12V F 14VF 552 9600 for ESR 20 21 552 9500 for ESR 100 200 1000 1200 1500 1700 552 10000 Default value 1500 7 Specify the user and set an encrypted or unencrypted password to authenticate the remote party esr config pptp username NAME password ascii text WORD encrypted HEX NAME user name set by the string of up to 31 characters WORD unencrypted passw...

Page 346: ...ge statistics optional esr config pptp history statistics 14 Change the time interval in seconds after which the router sends a keepalive message optional esr config pptp ppp timeout keepalive TIME TIME time in seconds takes values of 1 32767 Default value 10 15 Change the number of failed data link tests before breaking the session optional esr config pptp ppp failure count NUM NUM the number of ...

Page 347: ...eling Protocol is a sophisticated tunneling protocol used to support virtual private networks L2TP encapsulates PPP frames into IP packets for transmission via global IP network e g the Internet L2TP may be used for tunnel establishment between two local area networks L2TP uses an additional UDP connection for tunnel handling L2TP protocol does not provide data encryption therefore it is usually c...

Page 348: ...uthenticate the remote party esr config l2tp username NAME password ascii text WORD encrypted HEX NAME user name set by the string of up to 31 characters WORD unencrypted password set by the string of 8 64 characters may include 0 9a fA F characters HEX encrypted password set by the string of 16 128 characters 7 Select a key authentication method for IKE connection esr config l2tp ipsec authentica...

Page 349: ...e time interval during which the statistics on the tunnel load is averaged optionally esr config l2tp load average TIME TIME interval in seconds takes values of 5 150 Default value 5 14 Change the time interval in seconds after which the router sends a keepalive message optional esr config l2tp ppp timeout keepalive TIME TIME time in seconds takes values of 1 32767 Default value 10 15 Change the n...

Page 350: ... security zone esr config l2tp security zone VPN Specify ipsec authentication method esr config l2tp ipsec authentication method pre shared key Specify ipsec security key esr config l2tp ipsec authentication pre shared key ascii text password Enable L2TP tunnel esr config l2tp enable To view the tunnel status use the following command esr show tunnels status l2tp To view sent and received packet c...

Page 351: ...esr show tunnels configuration l2tp ...

Page 352: ...server is able to send additional options to network devices for example default router IP address of the router used as default gateway domain name domain name which will be used by client while solving host names via domain name system DNS dns server list of domain name server addresses for the current network that should be known by the client Server addresses are listed in descending order of ...

Page 353: ...BBB CCC DDD EE where each part AAA DDD takes values of 0 255 and EE takes values of 1 32 esr config ipv6 dhcp server network IPV6 ADDR LEN IPV6 ADDR LEN IP address and prefix of a subnet defined as X X X X X EE where each X part takes values in hexadecimal format 0 FFFF and EE takes values of 1 128 5 Add IPv4 IPv6 addresses range to the address pool of configurable DHCP server esr config dhcp serv...

Page 354: ...ues in hexadecimal format 0 FFFF MAC MAC address of the client which will be given the IP address defined as XX XX XX XX XX XX where each part takes the values of 00 FF 7 Specify the list of default gateway IPv4 addresses which will be transmitted by DHCP server to clients through DHCP option 3 esr config dhcp server default router ADDR ADDR default gateway IP address defined as AAA BBB CCC DDD wh...

Page 355: ...rver max lease time TIME 11 Specify the lease time for which a client will be given IP address optionally This time will be used if a client did not request the certain lease time esr config dhcp server default lease time TIME TIME maximal IP address lease time sets in format DD HH MM where DD amount of days takes values of 0 364 HH amount of hours takes values of 0 23 MM amount of minutes takes t...

Page 356: ...ons Solution Create trusted security zone and determine the inherence of the network interfaces being used to zones esr configure esr config security zone trusted esr config zone exit Create address pool named Simple and add IP address range intended for server clients lease into this pool Specify parameters of the subnet that the pool belongs to and the lease time for addresses esr configure esr ...

Page 357: ... esr config zone rule match source port dhcp_client esr config zone rule match destination port dhcp_server esr config zone rule action permit esr config zone rule enable esr config zone rule exit esr config zone pair exit Enable server operation esr config ip dhcp server esr config exit To view the list of leased addresses use the following command esr show ip dhcp binding To view the configured ...

Page 358: ...name set by the string of up to 31 characters 6 Specify VRF instance in which the given rule group will operate optionally esr config dnat ruleset ip vrf forwarding VRF VRF VRF name set by the string of up to 31 characters 7 Set the rule group scope The rules will be applied only to traffic coming from a certain zone or interface esr config dnat ruleset from zone NAME interface IF tunnel TUN defau...

Page 359: ... icmp ICMP_TYPE ICMP_CODE TYPE NAME ICMP_TYPE ICMP message type takes values of 0 255 ICMP_CODE ICMP message code takes values of 0 255 Any value points at any message code TYPE NAME ICMP message type name 13 Specify the action translation of source address and port for the traffic meeting the requirements of match commands esr config dnat rule action destination nat off pool NAME netmap ADDR LEN...

Page 360: ... config security zone TRUST esr config zone exit esr config interface gigabitethernet 1 0 1 esr config if gi security zone TRUST esr config if gi ip address 10 1 1 1 25 esr config if gi exit esr config interface tengigabitethernet 1 0 1 esr config if te ip address 1 2 3 4 29 esr config if te security zone UNTRUST esr config if te exit Create IP address and port profiles required for configuration ...

Page 361: ...pplied with enable command esr config dnat ruleset DNAT esr config dnat ruleset from zone UNTRUST esr config dnat ruleset rule 1 esr config dnat rule match destination address NET_UPLINK esr config dnat rule match protocol tcp esr config dnat rule match destination port SRV_HTTP esr config dnat rule action destination nat pool SERVER_POOL esr config dnat rule enable esr config dnat rule exit esr c...

Page 362: ...ses pool name set by the string of up to 31 characters 3 Set the range of IP addresses which will replace a source IP address esr config snat pool ip address range IP ENDIP IP IP address of the beginning of the range defined as AAA BBB CCC DDD where each part takes values of 0 255 ENDIP IP address of the end of the range defined as AAA BBB CCC DDD where each part takes values of 0 255 If IP addres...

Page 363: ...r The rules are processed in ascending order esr config snat ruleset rule ORDER ORDER rule number takes values of 1 10000 11 Specify the profile of IP addresses sender recipient for which the rule should work esr config snat rule match not source destination address OBJ GROUP NETWORK NAME OBJ GROUP NETWORK NAME IP addresses profile name set by the string of up to 31 characters Any value points at ...

Page 364: ...k used during translation static option for static NAT organization The parameter is defined as AAA BBB CCC DDD EE where each part AAA DDD takes values of 0 255 and EE takes values of 1 32 interface FIRST_PORT LAST_PORT specify the translation to the interface IP address If the range of TCP UDP ports is additionally specified the translation will occur only for the sender TCP UDP ports included in...

Page 365: ...TRUST esr config if gi exit esr config interface tengigabitethernet 1 0 1 esr config if te ip address 100 0 0 99 24 esr config if te security zone UNTRUST esr config if te exit For SNAT function configuration and definition of rules for security zones create LOCAL_NET LAN address profile that includes addresses which are allowed to access the public network and PUBLIC_POOL public network address p...

Page 366: ...t attributes specify that the rules apply only to packets transferred to the public network into the UNTRUST zone Rules include a check which ensures that the data source address belongs to the LOCAL_NET pool esr config snat ruleset SNAT esr config snat ruleset to zone UNTRUST esr config snat ruleset rule 1 esr config snat rule match source address LOCAL_NET esr config snat rule action source nat pool ...

Page 367: ...dress profile that includes addresses which are allowed to access the public network and PUBLIC_POOL public network address profile esr config object group network LOCAL_NET esr config object group network ip address range 21 12 2 2 21 12 2 254 esr config object group network exit esr config object group network PUBLIC_POOL esr config object group network ip address range 200 10 0 100 200 10 0 249...

Page 368: ... 12 2 1 should be defined as a gateway address On the router you should create the route for public network Specify this route as a default using the following command esr config ip route 0 0 0 0 0 200 10 0 254 esr config exit 10 4 Static NAT configuration Static NAT static NAT sets a unique match between two addresses In other words when passing through the router the address is changed to anothe...

Page 369: ...e exit For Static NAT configuration create LOCAL_NET LAN address profile that includes local subnet and PUBLIC_POOL public network address profile esr config object group network LOCAL_NET esr config object group network ip prefix 21 12 2 0 24 esr config object group network exit esr config object group network PUBLIC_POOL esr config object group network ip prefix 200 10 0 0 24 esr config object g...

Page 370: ... requests for addresses from the PROXY translation pool you should launch ARP Proxy service ARP Proxy service is configured on the interface that IP address from PROXY address profile subnet belongs to esr config interface tengigabitethernet 1 0 1 esr config if te ip nat proxy arp PROXY To enable 200 10 0 0 24 network access for LAN devices they should be configured for routing 21 12 2 1 should be...

Page 371: ...ttp proxy listen ports OBJ_GROUP_NAME OBJ_GROUP_NAME port profile name set by string of up to 31 characters 9 Specify a listening port for proxying optional esr config ip https proxy listen ports OBJ_GROUP_NAME OBJ_GROUP_NAME port profile name set by string of up to 31 characters 10 Specify a base port for proxying optional esr config ip https proxy redirect port PORT PORT port number set in the r...

Page 372: ...for traffic entering the ESR itself 17 Create an interzone interaction rule set esr config zone pair rule rule number rule number 1 10000 18 Specify rule description optional esr config zone rule description description description up to 255 characters 19 Specify the given rule force esr config zone rule action action log action permit log activation key for logging of sessions established accordi...

Page 373: ... url https speedtest net esr config object group url url https www speedtest net esr config object group url exit Create a profile esr config ip http profile list1 esr config profile default action permit esr config profile urls local test1 action redirect redirect url http test loc esr config profile exit Enable proxying on the interface by profile list esr config interface gi 1 0 1 esr config if...

Page 374: ...o account transmission times and uses algorithms to achieve high precision time synchronization 10 6 1 Configuration algorithm Step Description Command Keys 1 Enable NTP esr config ntp enable 2 Set the IP address of the NTP server or NTP synchronization participant esr config ntp server peer IP IP destination IP address gateway defined as AAA BBB CCC DDD where each part takes values of 0 255 3 Set...

Page 375: ...inding profile 9 Specify the key binding profile name optional esr config ntp authentication key chain WORD WORD key binding profile name 10 Activate key based authentication for NTP optional esr config ntp authentication enable 11 Enable the mode of receiving broadcast messages from NTP servers for the global configuration and all existing VRFs optional esr config ntp broadcast client enable 12 S...

Page 376: ...l esr set date TIME DAY MONTH YEAR TIME system timer defined as HH MM SS where HH hours takes the value of 0 23 MM minutes takes the value of 0 59 SS seconds takes the value of 0 59 DAY day of the month takes values of 1 31 MONTH month takes the following values January February March April May June July August September October November December YEAR year takes values of 2001 2037 10 6 2 Configur...

Page 377: ...sr config ntp end esr commit esr confirm Command to view the current configuration of the NTP protocol esr show ntp configuration Command to view the current state of NTP servers peers First do the following specify security zone for gi1 0 1 interface configure the IP address for the gi1 0 1 interface to provide IP connectivity to the NTP server Example security zone untrust exit object group serv...

Page 378: ...esr show ntp peers ...

Page 379: ...network protocol designed for traffic accounting and analysis Netflow allows transmitting traffic information source and destination address port quantity of information from the network equipment sensor to the collector Common server may serve as a collector 11 1 1 Configuration algorithm Step Description Command Keys 1 Specify Netflow protocol version esr config netflow version VERSION VERSION N...

Page 380: ...ollector IP address defined as AAA BBB CCC DDD where each part takes values of 0 255 7 Set the Netflow service port on the statistics collection server esr config netflow host port PORT PORT UDP port number in the range of 1 65535 Default value 2055 8 Enable statistics sending to the Netflow server in the interface tunnel network bridge configuration mode esr config if gi ip netflow export 11 1 2 ...

Page 381: ...n 11 2 sFlow configuration sFlow is a computer network wireless network and network device monitoring standard designed for traffic accounting and analysis 11 2 1 Configuration algorithm Step Description Command Keys 1 Set the rate of sending the unchanged user traffic packets to sFlow collector esr config sflow sampling rate RATE RATE rate of sending the user traffic packets to the collector take...

Page 382: ... Enable statistics sending to the sFlow server in the interface tunnel network bridge configuration mode esr config if gi ip sflow export 11 2 2 Configuration example Objective Establish accounting for traffic between trusted and untrusted zones Solution Create two security zones for ESR networks esr configure esr config security zone TRUSTED esr config zone exit esr config security zone UNTRUSTED...

Page 383: ...STED direction esr config security zone pair TRUSTED UNTRUSTED esr config zone pair rule 1 esr config zone pair rule action sflow sample esr config zone pair rule match protocol any esr config zone pair rule match source address any esr config zone pair rule match destination address any esr config zone pair rule enable Enable sFlow on the router esr config sflow enable sFlow configuration for tra...

Page 384: ...is community takes the values v1 or v2c VIEW NAME SNMP view profile name set by the string of up to 31 characters VRF VRF instance name set by the string of up to 31 characters for which access will be granted 3 Set the value of SNMP variable that contains contact information esr config snmp server contact CONTACT CONTACT contact information set by a string of up to 255 characters 4 Set the DSCP...

Page 385: ... TEXT password set by the string of 8 to 16 characters encrypted when specifying a command an encrypted password is set ENCRYPTED TEXT encrypted password of 8 to 16 bytes from 16 to 32 characters in hexadecimal format 0xYYYY or YYYY 12 Enable filtration and set the profile of IP addresses from which SNMPv3 packets with the given SNMPv3 user name can be received esr config snmp user client list NAM...

Page 386: ...ermitting or denying the access to one or another OID for user esr config snmp user view VIEW NAME VIEW NAME name of SNMP view profile on which based access to OID set by the string up to 31 characters 17 Enable SNMP notifications transmission to the specified IP address and switch to SNMP notifications configuration mode esr config snmp server host IP ADDR IPV6 ADDR vrf VRF IP ADDR IP address def...

Page 387: ...nce guide Version 1 12 0 20 Create the snmp view profile permitting or denying the access to one or another OID for community SNMPv2 and user SNMPv3 esr config snmp server enable traps TYPE VIEW NAME SNMP view profile name set by the string of up to 31 characters 11 3 2 Configuration example Objective Configure SNMPv3 server with authentication and data encryption for admin user ESR router IP addr...

Page 388: ...nmp user enable Define receiver server of Trap PDU messages esr config snmp server host 192 168 52 41 11 4 Zabbix agent proxy configuration Zabbix agent agent designed to monitor the device as well as execute remote commands from the Zabbix server The agent can operate in two modes passive and active To operate in passive mode by default you need an allow rule in the firewall tcp protocol port 100...

Page 389: ...ent proxy optional esr config zabbix port PORT esr config zabbix proxy port PORT PORT port that will be listened by zabbix agent proxy may take values in the range of 1 65535 Default value 10050 6 Allow remote commands execution by zabbix agent proxy when using active mode esr config zabbix remote commands esr config zabbix proxy remote commands 7 Specify the address from which the server will int...

Page 390: ...server Solution In the context of the agent settings specify the address of the zabbix server and the address from which the server will interact esr config zabbix server 192 168 32 101 esr config zabbix source address 192 168 39 170 To activate the active mode specify hostname active server and also enable the execution of remote commands esr config zabbix hostname ESR agent esr config zabbix act...

Page 391: ...11 4 3 Zabbix agent configuration example Create the host ...

Page 392: ...result to the server Using the c key with the number of packets in the test is mandatory Without this key the ping command will not stop on its own and the test will not be considered complete Ping in VRF zabbix_get s HOST CONN p 10050 k system run sudo netns exec n backup sudo ping 192 168 32 101 c 5 W 2 The command above will be executed in the specified VRF with backup name Fping zabbix_get s H...

Page 393: ...ackup sudo traceroute 192 168 32 179 Iperf zabbix_get s HOST CONN p 10050 k system run sudo iperf c 192 168 32 101 u b 100K i 1 t 600 The client ESR that received this command from the server will execute iperf command to the specified server in our example up to 192 168 32 101 and return the result to the server Iperf in VRF zabbix_get s HOST CONN p 10050 k system run sudo netns exec n backup sud...

Page 394: ...is also possible to execute commands that do not require privileges such as snmpget cat pwd wget and others Example of the snmpget command execution 11 5 Syslog configuration Syslog system log standard for sending and registering messages about events occurring in the system is used in networks operating over IP ...

Page 395: ...y configure the system none disables the output of syslog messages to the console 2 Set the level of syslog messages that will be displayed during remote connections Telnet SSH optionally esr config syslog monitor SEVERITY 3 Enable the process of logging user commands entered to the local syslog server optionally esr config syslog cli commands 4 Enable the saving of syslog messages of a specified ...

Page 396: ...tion Syslog configuration example TRANSPORT data transfer protocol optional parameter takes values TCP data transmission is carried out by TCP UDP data transmission is carried out by UDP PORT number of TCP UDP port optional parameter takes values of 1 65535 default value is 514 8 Enable debugging output during device boot optionally esr config syslog reload debugging 9 Enable message enumeration o...

Page 397: ...n First do the following Specify zone for gi1 0 1 interface Configure IP address for gi1 0 1 interface Main configuration step Create a file on the router for syslog the level of messages for logging info esr config syslog file ESR info Specify the IP address and parameters of the remote Syslog server esr config syslog host SERVER 192 168 17 30 info udp 514 Set the logging of failed authentication...

Page 398: ...ow syslog ESR 11 6 Integrity check Integrity check involves checking the integrity of stored executable files 11 6 1 Configuration process Step Description Command Keys 1 Launch system integrity check esr verify filesystem detailed detailed detailed information output to the console 11 6 2 Configuration example Objective Check file system integrity Solution Launch integrity check esr verify filesy...

Page 399: ...path PATH PATH defines the protocol server address location and prefix of the file name on the server 6 Set a period of time for automatic configuration backup optional relevant only for auto mode esr config archive time period TIME TIME periodicity of automatic redundancy of the configuration takes the value in minutes 1 35791394 Default value 720 minutes 7 Set the maximum number of locally saved...

Page 400: ...s esr config archive path tftp 172 16 252 77 esr example esr example cfg esr config archive count backup 30 Set the interval for the configuration backup if there are no changes esr config archive time period 1440 Enable archiving of router configuration by timer and upon successful configuration change esr config archive auto esr config archive by commit After applying this configuration once a d...

Page 401: ...VRF VRF instance name set by the string of up to 31 characters 2 Set the password for authentication on remote RADIUS server esr config radius server key ascii text TEXT encrypted ENCRYPTED TEXT TEXT string of 8 16 ASCII characters ENCRYPTED TEXT encrypted password 8 16 bytes size set by the string of 16 32 characters 3 Create AAA profile esr config aaa radius profile NAME NAME server profile name...

Page 402: ...fig subscriber control aaa das profile NAME NAME DAS profile name set by the string of up to 31 characters 11 Select RADIUS server profile to obtain the user service parameters esr config subscriber control aaa services radius profile NAME NAME RADIUS server profile name set by the string of up to 31 characters 12 Select RADIUS server profile to obtain the user session parameters esr config subscr...

Page 403: ...ets whose URL is included in the list of URL assigned by the filter name command esr config subscriber default service filter action ACT ACT allocated action permit traffic transfer is permitted deny traffic transfer is denied redirect URL redirect to the specified URL will be carried out set by the string of up to 255 characters 20 Specify the actions that should be applied for HTTP HTTPS packets...

Page 404: ... the interval after which currently unused URL lists will be removed optional esr config subscriber control unused filters remove delay DELAY DELAY time interval in seconds takes values of 10800 86400 28 Specify the interval after which if a user has not sent any packets the session is considered to be outdated and is removed from the device optional esr config subscriber default service session t...

Page 405: ...onfig subscriber control ip proxy source address ADDR ADDR source IP address defined as AAA BBB CCC DDD where each part takes values of 0 255 35 Specify URL address of the server providing lists of traffic filtration applications optional esr config subscriber control apps server url URL URL reference address set by the string from 8 to 255 characters 36 Enable the application control on the inter...

Page 406: ...oftWLC from repositories The BRAS license is obligatory for router after its activation you can start device configuring Create 3 security zones according to the network structure depicted in esr configure esr config security zone trusted esr config zone exit esr config security zone untrusted esr config zone exit esr config security zone dmz esr config zone exit Configure public port parameters a...

Page 407: ... config if gi service policy dynamic downstream esr config if gi exit The module which is responsible for AAA operations is based on eltex radius and available by SoftWLC IP address Numbers of ports for authentication and accounting in the example below are the default values for SoftWLC Define parameters for interaction with the module esr config radius server host 192 0 2 20 esr config radius se...

Page 408: ... esr config acl rule match destination port 67 esr config acl rule enable esr config acl rule exit esr config acl rule 11 esr config acl rule action permit esr config acl rule match protocol udp esr config acl rule match source address any esr config acl rule match destination address any esr config acl rule match source port any esr config acl rule match destination port 53 esr config acl rule en...

Page 409: ...trol default service esr config subscriber default service class map INTERNET esr config subscriber default service filter name local defaultservice esr config subscriber default service filter action permit esr config subscriber default service default action redirect http 192 0 2 20 8080 eltex_portal esr config subscriber default service session timeout 3600 esr config subscriber default service...

Page 410: ...ity zone pair dmz trusted esr config zone pair rule 10 esr config zone pair rule action permit esr config zone pair rule match protocol any esr config zone pair rule match source address any esr config zone pair rule match destination address any esr config zone pair rule enable esr config zone pair rule exit esr config zone pair exit Enable DHCP transmitting from trusted to dmz esr config securit...

Page 411: ...e pair rule exit esr config zone pair rule exit esr config security zone pair dmz self esr config zone pair rule 20 esr config zone pair rule action permit esr config zone pair rule match protocol icmp esr config zone pair rule match source address any esr config zone pair rule match destination address any esr config zone pair rule enable esr config zone pair rule exit esr config zone pair rule e...

Page 412: ...o do this add the following to the users file in the directory with FreeRADIUS server configuration files User profile MACADDR Cleartext Password MACADDR User name User Name USER_NAME Maximum session lifetime Session Timeout SECONDS Maximum session lifetime when the system is idle Idle Timeout SECONDS Session statistics update time Acct Interim Interval SECONDS Service name for a session A the ser...

Page 413: ...lients conf file client BRAS ipaddr 192 168 1 1 secret password Add the following strings to the users file specify a client MAC address instead of MAC 54 E1 AD 8F 37 35 Cleartext Password 54 E1 AD 8F 37 35 User Name Bras_user Session Timeout 259200 Idle Timeout 259200 Cisco AVPair subscriber policer rate in 1000 Cisco AVPair subscriber policer rate out 1000 Cisco AVPair subscriber policer burst i...

Page 414: ...exit Create AAA profile esr config aaa radius profile bras_radius esr config aaa radius profile radius server host 192 168 1 2 esr config aaa radius profile exit esr config aaa radius profile bras_radius_servers esr config aaa radius profile radius server host 192 168 1 2 esr config aaa radius profile exit Specify parameters for the DAS server esr config das server das esr config das server key as...

Page 415: ...nfig acl rule exit esr config ip access list extended INTERNET esr config acl rule 1 esr config acl rule action permit esr config acl rule match protocol any esr config acl rule match source address any esr config acl rule match destination address any esr config acl rule enable esr config acl rule exit esr config ip access list extended WELCOME esr config acl rule 10 esr config acl rule action pe...

Page 416: ...a ru esr config object group url url https ya ru esr config object group url exit Configure and enable BRAS define NAS IP as address of the interface interacting with RADIUS server gigabitethernet 1 0 2 in the example esr config subscriber control esr config subscriber control aaa das profile bras_das esr config subscriber control aaa sessions radius profile bras_radius esr config subscriber contr...

Page 417: ...0 esr config subif bridge group 10 esr config subif ip firewall disable esr config subif exit Configure SNAT for gigabitethernet 1 0 2 port esr config nat source esr config snat ruleset factory esr config snat ruleset to interface gigabitethernet 1 0 2 esr config snat ruleset rule 10 esr config snat rule description replace source ip by outgoing interface ip address esr config snat rule match prot...

Page 418: ...esr sh subscriber control sessions status Session id User name IP address MAC address Interface Domain 1729382256910270473 Bras_user 10 10 0 3 54 e1 ad 8f 37 35 gi1 0 3 10 ...

Page 419: ...a digit from 1 to 5 2 Configure a primary SIP proxy server and registration server esr config sip profile proxy primary 3 Configure a SIP proxy server esr config voip sip proxy ip address proxy server IP IP proxy server IP address 4 Configure a SIP proxy server port esr config voip sip proxy ip port proxy server PORT PORT number of proxy server UDP port takes values of 1 65535 If standard 5060 por...

Page 420: ... SIP profile number set in the form of a digit from 1 to 5 14 Assign a dial plan to the current SIP profile esr config sip profile dialplan pattern DNAME DNAME name of the dial plan set by the string of up to 31 characters 15 Enable SIP profile esr config sip profile enable 13 2 FXS FXO ports configuration algorithm Step Description Command Keys 1 Switch to the FXO FXS ports configuration mode esr...

Page 421: ...t from which and to which the FXO set will send and receive SIP messages esr config voice port fxo sip port PORT PORT UDP port number 10 Assign the user name matched with the port esr config voice port fxo sip user display name LOGIN LOGIN user name displayed in the Display Name field set by the string of up to 31 characters 11 Configure a login for authentication esr config voice port fxo authent...

Page 422: ... the string of up to 1024 characters The rules for creating regular expressions are described in section Dial plan configuration example 3 Enable the dial plan esr config dial ruleset enable 13 4 PBX server configuration algorithm Step Description Command Keys 1 PBX server configuration esr config pbx 2 Enable PBX server esr config pbx enable 3 Create a routing plan esr config pbx ruleset rule_nam...

Page 423: ... a NAT interaction policy optional esr config pbx profile nat comedia force port both comedia send media stream to PBX port regardless of SDP instructions force port use rport even if it is not present both combines comedia and force port 11 Selecting a SIP profile routing plan esr config pbx profile ruleset NAME NAME name of the routing plan set by the string of up to 31 characters 12 Create a su...

Page 424: ...specify it 5 Specify the authentication name esr config pbx reg server username user user username for this trunk on the upstream domain set by the string of up to 31 characters 6 Specify the authentication password esr config pbx reg server authentication password password user password for this trunk on the upstream domain set by the string of up to 16 characters 7 The use of SIP profile for the...

Page 425: ...s use an embedded SIP server as registration server esr config voip sip proxy ip address registration server 192 0 2 5 Configure a registration server port esr config voip sip proxy ip port registration server 5080 If standard 5060 port is used you do not need to specify it Enable registration esr config voip sip proxy registration Enable proxy server and registration server esr config voip sip pr...

Page 426: ... 1 esr config sip profile dialplan pattern firstDialplan This completes the configuration of a dial plan for SIP profile Enable SIP profile esr 12v config sip profile enable This completes the baseline configuration of SIP profile esr config sip profile exit The next step is to configure subscriber ports esr config interface voice port 1 Specify a subscriber number esr config voice port fxs sip us...

Page 427: ...3 numbers will be switched locally xABCD S calls to all other numbers will be directed to SIP proxy Enable the dial plan esr config dial ruleset enable Dial plan configuration is finished esr config dial ruleset exit Regular expression structure Sxx Lxx where xx random values of S and L timers dialplan limits The basis is designators for dialled digits sequence to be written Dialed digits sequence...

Page 428: ...a sequence of digits Example 8 770 after digit 8 a continuous tone will output when dialing number 8770 Number dialing deny If at the end of pattern add symbol the dialing of numbers corresponding to the template will be blocked Example 8 10X xxxxxxx 8 xxx xxxxxxx expression allows dialing only intercity numbers and exclude international calls Replacement of number dialing timers values Timers val...

Page 429: ...dically changed it is convenient to use the reserved word local as the server address which means sending the corresponding sequence of digits to the device s own address Example 123 local call on number 123 will be locally processed within the device 13 8 FXO port configuration Objective Add the ability to make a call to PSTN subscriber through the ESR 12V FXO port Solution Enable FXO port esr co...

Page 430: ...the FXO set 9x local 5064 This completes the baseline configuration of outgoing calls to PSTN To make a call to PSTN you should dial the callee number with the specified prefix FXO set phone number To receive calls from PSTN you should select the subscriber that will receive all calls from PSTN let it be a subscriber with number 305 Enable the Hostline PSTN to IP service esr config voice port fxo ...

Page 431: ...to always disable unused physical interfaces with the shutdown The command is described in detail in the Interface monitoring and configuration section of the CLI Command Reference It is recommended to always set the system clock to synchronize with trusted network time sources NTP The NTP setup algorithm is described in the NTP configuration section of this manual For detailed information on the ...

Page 432: ...ice failure 14 2 3 Configuration example Objective Configure the storage of event messages of info level and higher in a syslog file on the device and configure transmission of these events to an external syslog server Limit the file size to 512kb Enable rotation of 3 files Enable syslog message enumeration Solution Configure the storage of syslog messages in the file esr config syslog file tmpsys...

Page 433: ...rcase letters at least 4 digits and at least 2 special characters The password must contain all 4 types of characters Solution Enable the default password reset request for admin user esr config security passwords default expered Set the password lifetime to 30 days and prohibit the use of the previous 12 passwords esr config security passwords lifetime 30 esr config security passwords history 12 ...

Page 434: ...on The no password command for the admin user also does not remove the admin user s password but resets it to its default value After applying this command the admin user password is no longer displayed in the configuration and becomes password Attention You must have a user with privilege level 15 or an ENABLE password configured before you can set the admin user to downgrade privileges 14 4 3 Co...

Page 435: ...de break esr config line console esr config line console login authentication CONSOLE esr config line console exit esr config line ssh esr config line ssh login authentication SSH esr config line ssh exit Configure logging esr config logging userinfo esr config logging aaa esr config syslog cli commands 14 5 Remote management configuration For more information on remote access configuration comman...

Page 436: ...nfig ip ssh encryption algorithm aes192ctr disable esr config ip ssh encryption algorithm arcfour disable esr config ip ssh encryption algorithm arcfour128 disable esr config ip ssh encryption algorithm arcfour256 disable esr config ip ssh encryption algorithm blowfish disable esr config ip ssh encryption algorithm cast128 disable esr config ip ssh key exchange algorithm dh group exchange sha1 dis...

Page 437: ... incorrectly set flags and logging of the protection mechanism esr config ip firewall screen spy blocking syn fin esr config logging firewall screen spy blocking syn fin esr config ip firewall screen spy blocking fin no ack esr config logging firewall screen spy blocking fin no ack esr config ip firewall screen spy blocking tcp no flag esr config logging firewall screen spy blocking tcp no flag es...

Page 438: ...ions 1 hour in example esr config ip firewall sessions tcp estabilished timeout 3600 Firewall was disabled on interface ip firewall disable However access for active sessions from the port was not closed according to security zone pair rules after including this interface to security zone removing from ip firewall disable configuration and applying changes Changes in Firewall configuration will be...

Page 439: ...ronous traffic transmission is occurred In case of asynchronous routing Firewall will forbid incorrect ingress traffic which does not open new connection and does not belong any established connection for security reasons Allowing rule in Firewall does not solve the problem Firewall should be disabled on the ingress interface esr config if gi ip firewall disable How to save the local copy of the r...

Page 440: ...o com support Servicedesk https servicedesk eltex co ru Visit Eltex official website to get the relevant technical documentation and software benefit from our knowledge base send us online request or consult a Service Centre Specialist in our technical forum Official website http eltex co com Technical forum http eltex co ru forum Knowledge base https docs eltex co ru display EKB Eltex Knowledge Ba...