
ESR series service routers

ESR-10, ESR-12V, ESR-12VF, ESR-14VF, ESR-20, 
ESR-21, ESR-100, ESR-200, ESR-1000, ESR-1200, 
ESR-1500, ESR-1511, ESR-3100, ESR-1700

User manual (29.06.2021)

Firmware version 1.13.0

Summary of Contents for ESR Series


Page 2: ...2.2.7 Network security functions 19; 2.3 Main specifications 20; 2.4 Design 33; 2.4.1 ESR-1700 design 33; 2.4.2 ESR-3100 design 35; 2.4.3 ESR-1511, ESR-1500 design 38; 2.4.4 ESR-1200, ESR-1000 design 42; 2.4.5 ESR-200, ESR-100 design 45; 2.4.6 ESR-21 design 48; 2.4.7 ESR-20 design 49; 2.4.8 ESR-12VF, ESR-14VF design 51; 2.4.9 ESR-12V design 54; 2.4.10 ESR-10 design 56; 2.4.11 Light indication 59; 2.5 Delivery packa...

Page 3: ...n 81; 6 Firmware update 85; 6.1 Updating firmware via system resources 85; 6.2 Updating firmware via bootloader 87; 6.3 Secondary bootloader update (U-Boot) 88; 7 Safe configuration recommendations 91; 7.1 General recommendations 91; 7.2 Event logging system configuration 91; 7.2.1 Recommendations 92; 7.2.2 Warnings 92; 7.2.3 Configuration example 92; 7.3 Password usage policy configuration 92; 7.3.1 Recommenda...

Page 4: ...e 110; 8.5 Q-in-Q termination configuration 110; 8.5.1 Configuration algorithm 110; 8.5.2 Q-in-Q configuration example 113; 8.6 USB modems configuration 114; 8.6.1 USB modems configuration algorithm 114; 8.6.2 Configuration example 117; 8.7 PPP through E1 configuration 117; 8.7.1 Configuration algorithm 118; 8.7.2 Configuration example 120; 8.8 MLPPP configuration 121; 8.8.1 Configuration algorithm 121; 8.8.2...

Page 5: ...uration 166; 9.3.1 Configuration algorithm 166; 9.3.2 L2TPv3 tunnel configuration example 168; 9.4 IPsec VPN configuration 171; 9.4.1 Route-based IPsec VPN configuration algorithm 171; 9.4.2 Route-based IPsec VPN configuration example 177; 9.4.3 Policy-based IPsec VPN configuration algorithm 182; 9.4.4 Policy-based IPsec VPN configuration example 188; 9.4.5 Remote Access IPsec VPN configuration algorithm ...

Page 6: ...iguration 247; 11.5.1 Configuration algorithm 248; 11.5.2 Configuration example 259; 11.6 BFD configuration 262; 11.6.1 Configuration algorithm 262; 11.6.2 Configuration example of BFD with BGP 266; 11.7 PBR routing policy configuration 267; 11.7.1 Configuration algorithm of Route-map for BGP 267; 11.7.2 Configuration example 1: Route-map for BGP 272; 11.7.3 Configuration example 2: Route-map for BGP 273; 11...

Page 7: ...me, Hello interval and Keepalive holdtime for the LDP process 308; 12.3.2 Algorithm for setting Hello holdtime, Hello interval and Keepalive holdtime for the specific neighbor 309; 12.3.3 Configuration example 309; 12.4 LDP tag filtering configuration 310; 12.4.1 Configuration algorithm 310; 12.4.2 Configuration example 311; 12.5 L2VPN Martini mode configuration 312; 12.5.1 L2VPN VPWS configuration algorit...

Page 8: ...13.4.3 Configuration example of application filtering (DPI) 400; 13.5 Access list (ACL) configuration 402; 13.5.1 Configuration algorithm 403; 13.5.2 Access list configuration example 405; 13.6 IPS/IDS configuration 405; 13.6.1 Base configuration algorithm 406; 13.6.2 Configuration algorithm for IPS/IDS rules autoupdate from external sources 407; 13.6.3 Recommended open rule update source 407; 13.6.4 IPS/IDS...

Page 9: ...tion example 466; 15.3 Configuring server for remote access to corporate network via OpenVPN protocol 468; 15.3.1 Configuration algorithm 468; 15.3.2 Configuration example 472; 15.4 Configuring remote access client via PPPoE 474; 15.4.1 Configuration algorithm 474; 15.4.2 Configuration example 476; 15.5 Configuring remote access client via PPTP 478; 15.5.1 Configuration algorithm 478; 15.5.2 Configuration ...

Page 10: ...2.2 Configuration example 518; 17.3 SNMP configuration 520; 17.3.1 Configuration algorithm 520; 17.3.2 Configuration example 524; 17.4 Zabbix agent/proxy configuration 526; 17.4.1 Configuration algorithm 526; 17.4.2 Zabbix agent configuration example 528; 17.4.3 Zabbix server configuration example 529; 17.5 Syslog configuration 532; 17.5.1 Configuration algorithm 533; 17.5.2 Configuration example 535; 17.6 I...

Page 11: ...tes in the RIB 572; 20.2 SSH/Telnet sessions which go through the ESR router are closing 572; 20.3 Firewall was disabled on an interface (ip firewall disable); however, access for active sessions from the port was not closed according to the security zone-pair rules after including this interface in a security zone (removing it from the "ip firewall disable" configuration) and applying the changes 572; 20.4 LACP does not launch on ...

Page 12: ...t the router or the device. 1.2 Target audience. This user manual is intended for technical personnel who perform device installation, configuration and monitoring via the command line interface (CLI), as well as system maintenance and firmware update procedures. Qualified technical personnel should be familiar with the operation basics of TCP/IP protocol stacks and Ethernet network design concepts. 1...

Page 13: ...information, tips or recommendations on device operation and setup. Warnings inform users about hazardous conditions which may cause injuries or device damage and may lead to device malfunction or data loss. Information notes contain information on the use of the device ...

Page 14: ...sign; ESR-10 design; Light indication; Delivery package. 2.1 Purpose. ESR series devices are high-performance, multi-purpose network routers. The device combines traditional network features with a complex multi-tier approach to routing security and ensures robust protection of the corporate environment. The device has a built-in firewall that enables protection of your and your organization's network environment and suppo...

Page 15: ...on. Link aggregation allows increasing the communication link bandwidth and robustness. The router supports static and dynamic link aggregation; for dynamic aggregation, link group management is performed via the LACP protocol. 2.2.2 MAC table functions. Table 2 lists MAC address processing functions of the device. Table 2: MAC address processing functions. MAC table: the MAC address table sets the correspondence betw...

Page 16: ...nt firmware version this functionality is supported only by the ESR-1000 router. 2.2.4 Third-layer functions of the OSI model. Table 4 lists third-layer functions (OSI Layer 3). Table 4: Third-layer functions description (OSI Layer 3). Static IP routes: the router administrator can add or remove static entries into/from the routing table. Dynamic routing: with dynamic routing protocols the device will be able to e...

Page 17: ...ain. NAT (Network Address Translation): network address translation is a mechanism that translates IP addresses and port numbers of transit packets. The NAT function allows minimizing the number of IP addresses used, through translation of multiple internal network IP addresses into a single external public IP address. NAT conceals the internal structure of the local area network and helps to enhance its security, though it is not a substitute for the firewall's zone-pair rules. Ro...

Page 18: ...guration functions. Table 6: Basic management and configuration functions. Configuration file download and upload: device parameters are saved into the configuration file, which contains configuration data for the specific device ports as well as for the whole system. The following protocols may be used for file transfers: TFTP, FTP and SCP. Command line interface (CLI): CLI management is performed locally via...

Page 19: ...loss after re-configuration. If the configuration change is not confirmed within the specified time, the configuration is rolled back to the last known state. 2.2.7 Network security functions. Table 7 lists network security functions of the device. Table 7: Network security functions. Security zones: all router interfaces are distributed among security zones. For each zone pair you can set the rules that determi...

Page 20: ...BASE-X SFP+/SFP; 2 x hard disk installation slot; 1 x Console (RJ-45); 1 x OOB port; 2 x USB 2.0. ESR-3100: 8 x Combo Ethernet 10/100/1000BASE-T / 1000BASE-X; 8 x 10GBASE-R / 1000BASE-X SFP+/SFP; 1 x Console (RJ-45); 2 x USB 3.0; 1 x SD card slot. ESR-1511: 4 x Combo Ethernet 10/100/1000BASE-T / 1000BASE-X; 4 x Ethernet 10/100/1000BASE-T (RJ-45); 4 x 10GBASE-R / 1000BASE-X SFP+/SFP; 2 x 40GBASE-X QSFP+; 1 x Console (RJ-45); 1 x OOB p...

Page 21: ...Ethernet 10/100/1000BASE-T / 1000BASE-X; 12 x Ethernet 10/100/1000BASE-T (RJ-45); 8 x 10GBASE-R / 1000BASE-X SFP+/SFP; 1 x Console (RJ-45); 2 x USB 2.0; 1 x SD card slot. ESR-1000: 24 x Ethernet 10/100/1000BASE-T (RJ-45); 2 x 10GBASE-R / 1000BASE-X SFP+/SFP; 1 x Console (RJ-45); 2 x USB 2.0; 1 x SD card slot. ESR-200: 4 x Combo Ethernet 10/100/1000BASE-T / 1000BASE-X; 4 x Ethernet 10/100/1000BASE-T (RJ-45); 1 x Console (RJ-45); 1 x US...

Page 22: ...000BASE-T (RJ-45); 4 x 1000BASE-X SFP; 3 x serial port RS-232; 1 x Console (RJ-45); 1 x USB 3.0; 1 x USB 2.0; 1 x SD card slot. ESR-20: 2 x Combo Ethernet 10/100/1000BASE-T / 1000BASE-X; 2 x Ethernet 10/100/1000BASE-T (RJ-45); 1 x Console (RJ-45); 1 x USB 3.0; 1 x USB 2.0; 1 x SD card slot. ESR-14VF: 8 x Ethernet 10/100/1000BASE-T (RJ-45); 1 x 1000BASE-X SFP; 1 x Console (RJ-45); 4 x FXS; 2 x USB 2.0 ...

Page 23: ...SR-12V: 8 x Ethernet 10/100/1000BASE-T (RJ-45); 1 x Console (RJ-45); 3 x FXS; 1 x FXO; 2 x USB 2.0. ESR-10: 4 x Ethernet 10/100/1000BASE-T (RJ-45); 2 x 1000BASE-X SFP; 1 x Console (RJ-45); 2 x USB 2.0. Types of optical transceivers: ESR-1511: 1000BASE-X SFP, 10GBASE-R SFP+, 40GBASE-X QSFP+; ESR-1700, ESR-3100, ESR-1500, ESR-1200, ESR-1000: 1000BASE-X SFP, 10GBASE-R SFP+ ...

Page 24: ...width in L2 mode (hardware switching): ESR-1700, ESR-1511, ESR-1500, ESR-1200: 160 Gbps; ESR-1000: 88 Gbps. Data transfer rate: ESR-1511: electrical interfaces 10/100/1000 Mbps, optical interfaces 1/10/40 Gbps; ESR-1700, ESR-3100, ESR-1500, ESR-1200, ESR-1000: electrical interfaces 10/100/1000 Mbps, optical interfaces 1/10 Gbps; ESR-200, ESR-100, ESR-21, ESR-20, ESR-14VF, ESR-12V(F), ESR-10: electrical interfaces 10/100/1000 Mbps...

Page 25: ...0, ESR-3100, ESR-1511, ESR-1500, ESR-1200, ESR-1000: 500; ESR-200, ESR-100, ESR-21, ESR-20: 250; ESR-14VF, ESR-12V(F), ESR-10: 10. Quantity of static routes: ESR-1700, ESR-3100, ESR-1511, ESR-1500, ESR-1200, ESR-1000, ESR-200, ESR-100, ESR-21, ESR-20: 11k; ESR-14VF, ESR-12V(F), ESR-10: 1k ...

Page 26: ...0, ESR-1200, ESR-1000: 512k; ESR-200, ESR-100, ESR-21, ESR-20: 256k; ESR-14VF, ESR-12V(F), ESR-10: 4k. VLAN support: up to 4k active VLANs according to 802.1Q. Number of BGPv4/BGPv6 routes: ESR-1700, ESR-3100, ESR-1511, ESR-1500, ESR-1200, ESR-1000: 5M; ESR-200, ESR-100, ESR-21, ESR-20: 2.5M; ESR-14VF, ESR-12V(F), ESR-10: 1M ...

Page 27: ...1500, ESR-1200, ESR-1000: 500k; ESR-200, ESR-100, ESR-21, ESR-20: 300k; ESR-14VF, ESR-12V(F), ESR-10: 30k. Number of RIP/RIPng routes: 10k. MAC address table: ESR-1700, ESR-1511, ESR-1500, ESR-1200: 128k entries; ESR-1000: 16k entries; ESR-3100, ESR-200, ESR-100, ESR-21, ESR-20, ESR-14VF, ESR-12V(F), ESR-10: 2k bridge entries ...

Page 28: ...3100, ESR-1511, ESR-1500, ESR-1200, ESR-1000: 1.7M; ESR-200, ESR-100, ESR-21, ESR-20: 1.4M; ESR-14VF, ESR-12V(F), ESR-10: 1M. VRF Lite: 32. L3 interfaces: ESR-1700, ESR-3100, ESR-1500, ESR-1511, ESR-1200, ESR-1000, ESR-200, ESR-100, ESR-21, ESR-20: 4000; ESR-14VF, ESR-12V(F), ESR-10: 200 ...

Page 29: ...d autodetection; IEEE 802.3x data flow control; IEEE 802.3ad LACP link aggregation; IEEE 802.1Q VLAN (virtual local networks); IEEE 802.1v; IEEE 802.3ac; IEEE 802.3ae; IEEE 802.1D; IEEE 802.1w; IEEE 802.1s. Control: local control via CLI; remote control via TELNET, SSH. Physical specifications and ambient conditions. Power supply: ESR-1700: AC 176-264 V, 50/60 Hz; DC 36-72 V. Power options: single AC or DC power supply; two AC o...

Page 30: ...y two AC or DC power supplies with hot swapping. ESR-200, ESR-100, ESR-21, ESR-20, ESR-14VF, ESR-12V(F): AC 100-264 V, 50/60 Hz; ESR-10: 220 V / 12 V, 1.5 A DC power adapter. Maximum power consumption: ESR-1700: 250 W; ESR-3100: 123 W; ESR-1511: 128 W; ESR-1500: 125 W; ESR-1200: 85 W; ESR-1000: 75 W; ESR-200: 25 W; ESR-100: 20 W; ESR-21: 32 W; ESR-20: 25 W; ESR-14VF, ESR-12V(F): 22 W ...

Page 31: ...00: 5.5 kg max; ESR-1000: 3.6 kg max; ESR-200, ESR-100: 2.5 kg max; ESR-21: 3.15 kg max; ESR-20: 2 kg max; ESR-14VF, ESR-12V(F), ESR-10: 1 kg max. Dimensions (WxHxD): ESR-1700: 440x88x490 mm; ESR-3100, ESR-1511, ESR-1500: 430x44x425 mm; ESR-1200, ESR-1000: 430x44x352 mm; ESR-200, ESR-100: 310x44x240 mm; ESR-21: 430x44x225 mm; ESR-20: 267x44x212 mm ...

Page 32: ...range: ESR-1700, ESR-3100, ESR-1511, ESR-1500, ESR-1200, ESR-1000, ESR-200, ESR-100, ESR-21, ESR-20: 10 to 45 °C; ESR-14VF, ESR-12V(F), ESR-10: 0 to 40 °C. Storage temperature range: -40 to +70 °C. Operating relative humidity (non-condensing): up to 80 %. Storage relative humidity (non-condensing): from 10 to 95 %. Lifetime: at least 15 years ...

Page 33: ...el. Table 9 lists connectors, LEDs and controls located on the front panel of ESR-1700. Table 9: Description of ESR-1700 connectors, LEDs and front panel controls (front panel element: description). 1 HDD1: connector for HDD installation. 2 HDD2: connector for HDD installation. 3 USB1: port for USB device connection. 4 USB2: port for USB device connection. 5 Combo ports 1-4: 4 ports of Gigabit Ethernet 10/100/1000B...

Page 34: ...onal key that reboots the device and resets it to factory default configuration: pressing the key for less than 10 seconds reboots the device; pressing the key for more than 10 seconds resets the device to factory settings. 9 Console: console port (RS-232) for local management of the device. 10 OOB: Ethernet port for router management. ESR-1700 rear panel. The rear panel of ESR-1700 is shown in the pictur...

Page 35: ...and 4. Figure 3: ESR-1700 right side panel. Figure 4: ESR-1700 left side panel. The side panels of the device have air vents for heat removal. Do not block the air vents: this may cause the components to overheat, which may result in device malfunction. For recommendations on device installation see section Installation and connection. 2.4.2 ESR-3100 design. ESR-3100 front panel. The front panel layout is depicted i...

Page 36: ...ent version. Fan: fan operation LED. RPS: redundant power supply LED. 2 F: functional key that reboots the device and resets it to factory default configuration: pressing the key for less than 10 seconds reboots the device; pressing the key for more than 10 seconds resets the device to factory settings. 3 Console: console port (RS-232) for local management of the device. 4 SD: SD card connector. 5 USB1: USB 3.0...

Page 37: ...hot-swappable removable ventilation modules. 4, 5: place for installation of a redundant power supply. ESR-3100 side panels. The side panel layout of ESR-3100 is depicted in figures 7 and 8. Figure 7: ESR-3100 right side panel. Figure 8: ESR-3100 left side panel. The side panels of the device have air vents for heat removal. Do not block the air vents: this may cause the components to overheat, which may result in de...

Page 38: ...el element: description. 1 Status: current device status LED; Alarm: alarm LED; VPN: VPN gateway operation mode LED (not supported in the current version); Flash: activity of exchange with data storage (SD card or USB flash); Power: device power LED; Master: failover mode operation LED (not supported in the current version); Fan: fan operation LED; RPS: redundant power supply LED. 2 Console: console port (RS-232) for ...

Page 39: ...gabit Ethernet 10/100/1000BASE-X SFP. 10 XG1-XG4: slots for 10G SFP+ / 1G SFP transceivers. 11 XLG1-XLG2: slots for 40G QSFP+ transceivers. ESR-1500 front panel. The front panel layout is depicted in figure 10. Figure 10: ESR-1500 front panel. Table 14 lists connectors, LEDs and controls located on the front panel of ESR-1500. Table 14: Description of ESR-1500 connectors, LEDs and front panel controls. Front panel ...

Page 40: ...anagement. 4 SD: SD card connector. 5 USB1: port for USB device connection. 6 F: functional key that reboots the device and resets it to factory default configuration: pressing the key for less than 10 seconds reboots the device; pressing the key for more than 10 seconds resets the device to factory settings. 7 USB2: port for USB device connection. 8 Ethernet: 4 ports of Ethernet 10/100/1000BASE-T. 9 Combo p...

Page 41: ...3 Hot-swappable removable ventilation modules. 4 Place for installation of a redundant power supply. ESR-1511/ESR-1500 side panels. The side panel layout of ESR-1511/ESR-1500 is depicted in figures 12 and 13. Figure 12: ESR-1511/ESR-1500 right side panel. Figure 13: ESR-1511/ESR-1500 left side panel. The side panels of the device have air vents for heat removal. Do not block the air vents: this may cause the compon...

Page 42: ...nel of ESR-1200 (front panel element: description). 1 SD: SD card connector. 2 USB1: port for USB device connection. 3 USB2: port for USB device connection. 4 1-12: 12 ports of Gigabit Ethernet 10/100/1000BASE-T (RJ-45). 5 Combo ports: 4 ports of Gigabit Ethernet 10/100/1000BASE-X SFP. 6 XG1-XG8: slots for installation of 10G SFP+ / 1G SFP transceivers. 7 Status: current device status LED; Alarm: alarm LED; HA: HA operatio...

Page 43: ...s. 9 Console: console port (RS-232) for local management of the device. ESR-1000 front panel. The front panel layout is depicted in figure 15. Figure 15: ESR-1000 front panel. Table 17 lists connectors, LEDs and controls located on the ESR-1000 front panel. Table 17: Description of connectors, LEDs and controls located on the ESR-1000 front panel (front panel element: description). 1 SD: SD card connector. 2 USB1: port for USB device co...

Page 44: ...key that reboots the device and resets it to factory default configuration: pressing the key for less than 10 seconds reboots the device; pressing the key for more than 10 seconds resets the device to factory settings. 8 Console: console port (RS-232) for local management of the device. ESR-1200/1000 rear panel. The rear panel of ESR-1000 is depicted in the figure below. Figure 16: ESR-1000 rear panel. Tab...

Page 45: ...and 18. Figure 17: ESR-1200/1000 right side panel. Figure 18: ESR-1200/1000 left side panel. The side panels of the device have air vents for heat removal. Do not block the air vents: this may cause the components to overheat, which may result in device malfunction. For recommendations on device installation see section Installation and connection. 2.4.5 ESR-200/ESR-100 design. ESR-100/ESR-200 front panel. The front ...

Page 46: ...RJ-45. 4 Combo ports: 4 ports of Gigabit Ethernet 10/100/1000BASE-X SFP. 5 Power: device power LED; Status: current device status LED; Alarm: alarm LED; Fan: fan operation LED. 6 F: functional key that reboots the device and resets it to factory default configuration: pressing the key for less than 10 seconds reboots the device; pressing the key for more than 10 seconds resets the device to factory settings. 7...

Page 47: ...uter. Table 20: Rear panel connectors description. 1 Earth bonding point of the device. 2 Ventilation module. ESR-100/ESR-200 side panels. The side panel layout of ESR-200/ESR-100 is depicted in figures 22 and 23. Figure 22: ESR-100 and ESR-200 right side panel. Figure 23: ESR-100 and ESR-200 left side panel ...

Page 48: ...ower supply. 2 Power: device power LED; Status: device status LED; Alarm: device alarm presence and level LED; HA: HA operation mode LED (not supported in the current version). 3 F: functional key that reboots the device and resets it to factory default configuration: pressing the key for less than 10 seconds reboots the device; pressing the key for more than 10 seconds resets the device to factory default c...

Page 49: ...s description. 1 Earth bonding point of the device. ESR-21 side panels. The side panel layout of ESR-21 is depicted in figures 26 and 27. Figure 26: ESR-21 left side panel. Figure 27: ESR-21 right side panel. The side panels of the device have air vents for heat removal. Do not block the air vents: this may cause the components to overheat, which may result in device malfunction. For recommendations on de...

Page 50: ...ration mode LED (not supported in the current version). 3 F: functional key that reboots the device and resets it to factory default configuration: pressing the key for less than 10 seconds reboots the device; pressing the key for more than 10 seconds resets the device to factory default configuration. 4 Console: console port for local management of the device. 5 SD: SD card connector. 6 USB1: USB 2.0 conn...

Page 51: ...d in figures 30 and 31. Figure 30: ESR-20 left side panel. Figure 31: ESR-20 right side panel. The side panels of the device have air vents for heat removal. Do not block the air vents: this may cause the components to overheat, which may result in device malfunction. For recommendations on device installation see section Installation and connection. 2.4.8 ESR-12VF/ESR-14VF design. The device has a metal housing ava...

Page 52: ...tion: pressing the key for less than 10 seconds reboots the device; pressing the key for more than 10 seconds resets the device to factory default configuration. 5 USB1, USB2: 2 USB connectors for connecting external USB devices. 6 FXO: PSTN external subscriber line LED; 1, 2, 3: internal subscriber terminal LEDs. 7 FXO 1: FXO connector for connection of a PSTN external subscriber line (only for ESR-12VF). 8 FXS 1, FXS...

Page 53: ...nel. The rear panel layout of ESR-12VF/ESR-14VF is depicted in figure 33. Figure 33: ESR-12VF/ESR-14VF rear panel. Table 26 lists rear panel connectors of the router. Table 26: Rear panel connectors description. 1 Earth bonding point of the device ...

Page 54: ...not block the air vents: this may cause the components to overheat, which may result in device malfunction. For recommendations on device installation see section Installation and connection. 2.4.9 ESR-12V design. The device has a metal housing available for 19" rack mounting; housing size is 1U. ESR-12V front panel. The front panel layout is depicted in figure 36. Figure 36: ESR-12V front panel. Table ...

Page 55: ...ts the device; pressing the key for more than 10 seconds resets the device to factory default configuration. 5 USB1, USB2: 2 USB connectors for connecting external USB devices. 6 FXO: PSTN external subscriber line LED; 1, 2, 3: internal subscriber terminal LEDs. 7 FXO 1: FXO connector for connection of a PSTN external subscriber line. 8 FXS 1, FXS 2, FXS 3: 3 connectors for internal subscriber terminals. 9 1-8: 8 ports ...

Page 56: ...air vents for heat removal. Do not block the air vents: this may cause the components to overheat, which may result in device malfunction. For recommendations on device installation see section Installation and connection. 2.4.10 ESR-10 design. ESR-10 rear panel. The rear panel layout of the device is depicted in figure 40. Figure 40: ESR-10 rear panel. Table 29 lists connectors, LEDs and controls located on th...

Page 57: ...local management of the device. 4 USB1, USB2: 2 USB connectors for connecting external USB devices. 5 1-4: 4 ports of Gigabit Ethernet 10/100/1000BASE-T (RJ-45). 6 Optical ports: 2 ports of Gigabit Ethernet 100/1000BASE-X SFP. ESR-10 side panels. The side panel layout of ESR-10 is depicted in figure 41. Figure 41: ESR-10 side panel. Table 30 lists right panel controls of the router ...

Page 58: ...key for less than 10 seconds reboots the device; pressing the key for more than 10 seconds resets the device to factory default configuration. ESR-10 top panel. The top panel layout of ESR-10 is depicted in figure 42. Figure 42: ESR-10 top panel. Table 31 lists LEDs located on the ESR-10 top panel. Table 31: Description of top panel LEDs (top panel element: description). 1 Power: device power and operation stat...

Page 59: ...light indication. Gigabit Ethernet copper interface statuses are represented by two LEDs: a green LINK/ACT LED and an amber SPEED LED. The location of the copper interface LEDs is depicted in figure 43. SFP interface status is represented by two LEDs, RX/ACT and TX/ACT, depicted in figure 44. For the meaning of the light indication see Tables 32 and 33 respectively. Figure 43: Location of RJ-45 connector indicators. Figure 44: ...

Page 60: ...hernet interface state. Off, Off: the port is disabled or the connection is not established. Solid on, Solid on: connection established. Flashes, X: data reception in progress. X, Flashes: data transfer in progress. The following table lists system indicator statuses and their meanings. Table 34: Status of system indicators (indicator name, indicator function, LED state, device state). Status: current device s...

Page 61: ...one of the fans has stopped or is working at lower rpm. RPS: backup power supply operation mode; Green: backup power supply is installed and operational; Off: backup power supply is not installed; Red: backup power supply is missing or failed. ESR-200/ESR-100 light indication. Gigabit Ethernet copper interface and SFP interface statuses are represented by two LEDs: a green LINK/ACT LED and an amber SPEED LED. Loca...

Page 62: ...rmal operation state; Orange: device is booting the software. Alarm: device alarm presence and level indicator (1). Power: device power LED; Green: device power is OK, main power supply (if installed) is operational; Orange: main power supply failure/fault or the primary network is missing; Off: device internal power supply failure. Fan: cooling fan status; Off: all fans are operational; Red: one or more fans have fail...

Page 63: ...rs. Figure 47: Location of RJ-45 connector indicators. The following table lists system indicator statuses and their meanings. Table 38: Status of system indicators (indicator name, indicator function, LED state, device state). Power: device power LED; Green: device power is OK, main power supply (if installed) is operational, the main software is loaded; Red: the main software is not loaded; Off: device int...

Page 64: ...Indicator name, indicator function, LED state, device state: HA: HA operation mode LED (not supported in the current version) ...

Page 65: ...established. Solid on, Solid on: 1000 Mbps connection is established. X, Flashes: data transfer in progress. Figure 48: Location of SFP connector indicators (only for ESR-12VF/ESR-14VF). Figure 49: Location of RJ-45 connector indicators. The following table lists system indicator statuses and their meanings. Table 40: Status of system indicators (indicator name, indicator function, LED state, device state)...

Page 66: ...adapter; conformity certificate; documentation (optional); informational leaflet. ESR-12V standard delivery package includes: ESR-12V router; power cable; 19" rack mounting kit; conformity certificate; documentation (optional); informational leaflet. ESR-12VF standard delivery package includes: ESR-12VF router; power cable; 19" rack mounting kit; conformity certificate; documentation (optional); informational leaflet. ESR...

Page 67: ...ing kit; conformity certificate; documentation (optional); informational leaflet. ESR-1000 standard delivery package includes: ESR-1000 router; 19" rack mounting kit; conformity certificate; documentation (optional); informational leaflet. ESR-1200 standard delivery package includes: ESR-1200 router; 19" rack mounting kit; conformity certificate; documentation (optional); informational leaflet. ESR-1500 standard delivery...

Page 68: ...ation (optional); informational leaflet. Power module PM160-220/12 or PM100-48/12 may be included in the ESR-1000/ESR-1200 delivery package on the customer's request. Power module PM160-220/12 may be included in the ESR-1500/ESR-1511/ESR-3100 delivery package on the customer's request. Power module PM350-220/12 or PM350-48/12 may be included in the ESR-1700 delivery package on the customer's reques...

Page 69: ...nd mounting screws to fix the device case on the brackets. To install the support brackets (Figure 50: Support brackets mounting): 1. Align the four mounting holes in the support bracket with the corresponding holes in the side panel of the device. 2. Use a screwdriver to screw the support bracket to the case. 3. Repeat steps 1 and 2 for the second support bracket. 3.2 Device rack installation. To install the device to...

Page 70: ...ice operation the power module can be in the main or the reserve slot. For information on priority see the tables "Description of connectors, LEDs and controls located on the router". Power modules can be inserted and removed without powering the device off: when an additional power module is inserted or removed, the router continues operation without reboot. Figure 52: Power module installation. Device ventilation syste...

Page 71: ...evice. Depending on the delivery package, the device can be powered from an AC or DC electrical network. To connect the device to an AC power supply, use the cable from the delivery package. To connect the device to a DC power supply, use wires with a minimum cross-section of 1 mm². Turn the device on and check the front panel LEDs to make sure the device is in normal operating condition. 3.5 SFP transceiver ins...

Page 72: ...Figure 55: Installed SFP transceivers. 3.5.2 Transceiver removal. 1. Flip the module handle to unlock the latch (Figure 56: Opening SFP transceiver latch). 2. Remove the module from the slot (Figure 57: SFP transceivers removal) ...

Page 73: ...mand line interface security, all commands are divided into 2 categories: privileged and unprivileged. Privileged commands basically include configuration commands; unprivileged commands include monitoring commands. The system allows multiple users to connect to the device simultaneously. 4.2 Types and naming procedure of router interfaces. Network interfaces of various types and purposes are used for th...

Page 74: ...signation example: gigabitethernet 1/0/12. 10 Gbps ports: tengigabitethernet UNIT/SLOT/PORT. Designation example: tengigabitethernet 1/0/2. 40 Gbps ports: fortygigabitethernet UNIT/SLOT/PORT. Designation example: fortygigabitethernet 1/0/2. Channel aggregation groups: the designation of a channel aggregation group includes its type and identifier: port-channel CHANNEL_ID. Designation example: port-channel 6. It is permi...

Page 75: ...esignation examples: gigabitethernet 1/0/12.100.10; tengigabitethernet 1/0/2.45.12; fortygigabitethernet 1/0/2.408.507; port-channel 1.6.34. E1 interfaces: the designation of an E1 interface includes its type and identifier. The E1 interface identifier is as follows: UNIT/SLOT/STREAM, where UNIT is the number of a device in a device group, SLOT is the number of the device's E1 module and STREAM is the E1 flow sequence number. Designation example: e1...

Page 76: ...number: modem MODEM_NUM. Designation example: modem 1. FXS/FXO ports: the designation of FXS/FXO ports includes its type and sequence number: interface voice-port NUM. Designation example: voice-port 1. (1) The number of interfaces of each type depends on the router model. (2) The current firmware does not support device stacking; a device number in a unit (device group) can only take the value 1. (3) Some commands su...

Page 77: ...sequence number of a tunnel: gre GRE_ID. Designation example: gre 1. SoftGRE tunnel: the designation of a SoftGRE tunnel includes the type and sequence number of a tunnel and, optionally, a virtual interface VLAN ID: softgre GRE_ID[.VLAN]. Designation examples: softgre 1, softgre 1.10. IPv4 over IPv4 tunnel: the designation of an IPv4 over IPv4 tunnel includes the type and sequence number of a tunnel: ip4ip4 IPIP_ID. Designat...

Page 78: ...HCP ports are open in order to obtain a dynamic IP address from the provider. All incoming connections from this zone to the router are blocked. This security zone includes the following interfaces: for ESR-10/12V: GigabitEthernet 1/0/1; for ESR-12VF/ESR-14VF: GigabitEthernet 1/0/1, GigabitEthernet 1/0/9; for ESR-20: GigabitEthernet 1/0/1; for ESR-21: GigabitEthernet 1/0/1; for ESR-100/200: GigabitEthernet 1/0/1...

Page 79: ...self: TCP 22 (SSH), ICMP, UDP 67 (DHCP server), UDP 123 (NTP): enabled. Untrusted to self: UDP 68 (DHCP client): enabled. 5.2 Router connection and configuration. ESR series routers are intended to perform border gateway functions and to secure the user network when it is connected to public data networks. Basic router configuration should include: assigning IP addresses (static or dynamic) to the interfaces that participa...

Page 80: ...Console port to the computer's RS-232 port. Launch a terminal application (e.g. HyperTerminal or Minicom) and create a new connection; VT100 terminal emulation mode should be used. Specify the following settings for the RS-232 interface: data rate 115200 bps; data bits 8; parity none; stop bits 1; flow control none. 5.2.2 Applying the configuration change. Any changes made in the configuration will take effect on...

Page 81: ...ce administration sessions. To change the admin password, use the following commands:
    esr# configure
    esr(config)# username admin
    esr(config-user)# password <new password>
    esr(config-user)# exit
Creation of new users. Use the following commands to create a new system user or to configure the username, password or privilege level:
    esr(config)# username <name>
    esr(config-user)# password <password>
    esr(config-user)# privilege <privil...

Page 82: ...blic network, you should assign the parameters defined by the network provider (default IP address, subnet mask and gateway address) to the device. Example of static IP address configuration commands for the Gigabit Ethernet 1/0/2.150 sub-interface used for obtaining access to the router via VLAN 150. Interface parameters: IP address: 192.168.16.144; Subnet mask: 255.255.255.0; Default gateway IP address: 192.168.16...

Page 83: ...nterfaces: IP address | Interface | Type: 192.168.11.5/25 | gigabitethernet 1/0/10 | DHCP. Configuring remote connection to the router. In the factory configuration, remote access to the router may be established via Telnet or SSH from the trusted zone. To enable remote access to the router from other zones (e.g. from the public network), you should create the respective rules in the firewall. When configuring access to...

Page 84: ...132.16.0.5-132.16.0.10 to connect to the router with IP address 40.13.1.22 via SSH: esr# configure; esr(config)# object-group network clients; esr(config-addr-set)# ip address-range 132.16.0.5-132.16.0.10; esr(config-addr-set)# exit; esr(config)# object-group network gateway; esr(config-addr-set)# ip address-range 40.13.1.22; esr(config-addr-set)# exit; esr(config)# object-group service ssh; esr(config-port-set)# port-rang...

Page 85: ...command. Specify the IP address of the server being used as <server>. For updates that utilize an FTP or SCP server, you should enter a username (<user> parameter) and a password (<password> parameter). Specify the name of the firmware file loaded onto the server as the <file_name> parameter; when using SCP, the full path must be given as the <folder> parameter. When the command is executed, the router will copy the file into its internal memo...

Page 86: ...0.7 build 141[f812808] date 18/02/2015 time 16:12:54, Not Active. Use the following command to select the image: esr# boot system image-1 | image-2. To update the secondary bootloader (U-Boot), enter the following command. Specify the IP address of the server being used as the <server> parameter. For updates that utilize an FTP or SCP server, you should enter a username (<user> parameter) and a password (<password> parameter). Specify the...

Page 87: ...e 0 nae 1. Skip Load SYS_UCORE for old 8xxB1/3xxB0 revision on default. Hit any key to stop autoboot: 2. Specify the TFTP server address: BRCM.XLP316Lite Rev B0.u-boot.# serverip 10.100.100.1. For version 1.5 and newer: BRCM.XLP316Lite Rev B0.u-boot.# serverip 10.100.100.1. Specify the router IP address: BRCM.XLP316Lite Rev B0.u-boot.# ipaddr 10.100.100.2. For version 1.5 and newer: BRCM.XLP316Lite Rev B0.u-boot.# ipaddr 10...

Page 88: ...at 0x7800000 (1895825408) complete: OK. NAND write: device 0 offset 0x1440000, size 0x6400000; 104857600 bytes written: OK. Set the downloaded firmware as the image to start the system and reboot the router: BRCM.XLP316Lite Rev B0.u-boot.# run set_bootpart_1. For version 1.5 and newer: BRCM.XLP316Lite Rev B0.u-boot.# boot_system image1; BRCM.XLP316Lite Rev B0.u-boot.# reset. 6.3 Secondary bootloader update (U-Boot). Seco...

Page 89: ...pecify the TFTP server address: BRCM.XLP316Lite Rev B0.u-boot.# setenv serverip 10.100.100.1. For version 1.5 and newer: BRCM.XLP316Lite Rev B0.u-boot.# serverip 10.100.100.2. Specify the router IP address: BRCM.XLP316Lite Rev B0.u-boot.# setenv ipaddr 10.100.100.2. For version 1.5 and newer: BRCM.XLP316Lite Rev B0.u-boot.# ipaddr 10.100.100.2. Specify the name of the bootloader file on the TFTP server: BRCM.XLP316Lite Rev...

Page 90: ...rom server 10.100.100.1; our IP address is 10.100.100.2. Filename 'esr1000-u-boot.bin'. Load address: 0xa800000078020000. Loading: done. Bytes transferred = 852648 (d02a8 hex). SF: Detected MX25L12805D with page size 256, total 16777216 bytes (16384 KiB). MX25L12805D at 0:0 is now current device. Reboot the router: BRCM.XLP316Lite Rev B0.u-boot.# reset ...

Page 91: ...physical interfaces with the shutdown command. The command is described in detail in the 'Interface monitoring and configuration' section of the CLI Command Reference. It is recommended to always set the system clock to synchronize with trusted network time sources (NTP). The NTP setup algorithm is described in the 'NTP configuration' section of this manual. For detailed information on the NTP configuration comman...

Page 92: ...ration example. Objective: configure the storage of event messages of info level and higher in a syslog file on the device and configure transmission of these events to an external syslog server. Limit the file size to 512 kB. Enable rotation of 3 files. Enable syslog message enumeration. Solution: configure the storage of syslog messages in the file: esr(config)# syslog file tmpsys:syslog/default info. Confi...

Page 93: ...igits and at least 2 special characters. The password must contain all 4 types of characters. Solution: enable the default password reset request for the admin user: esr(config)# security passwords default-expered. Set the password lifetime to 30 days and prohibit the use of the previous 12 passwords: esr(config)# security passwords lifetime 30; esr(config)# security passwords history 12. Set a limit to the passwo...

Page 94: ...d for the admin user also does not remove the admin user's password but resets it to its default value. After applying this command, the admin user password is no longer displayed in the configuration and becomes 'password'. Attention: you must have a user with privilege level 15 or an ENABLE password configured before you can set the admin user to downgrade privileges. 7.4.3 Configuration example. Object...

Page 95: ...line console; esr(config-line-console)# login authentication CONSOLE; esr(config-line-console)# exit; esr(config)# line ssh; esr(config-line-ssh)# login authentication SSH; esr(config-line-ssh)# exit. Configure logging: esr(config)# logging userinfo; esr(config)# logging aaa; esr(config)# syslog cli-commands. 7.5 Remote management configuration. For more information on remote access configuration commands, see 'SSH, Telnet access configuration' in th...

Page 96: ...isable; esr(config)# ip ssh encryption-algorithm blowfish disable; esr(config)# ip ssh encryption-algorithm cast128 disable; esr(config)# ip ssh key-exchange-algorithm dh-group-exchange-sha1 disable; esr(config)# ip ssh key-exchange-algorithm dh-group1-sha1 disable; esr(config)# ip ssh key-exchange-algorithm dh-group14-sha1 disable; esr(config)# ip ssh key-exchange-algorithm ecdh-sha2-nistp256 disable; esr(config)# ip...

Page 97: ...en spy-blocking fin-no-ack; esr(config)# logging firewall screen spy-blocking fin-no-ack; esr(config)# ip firewall screen spy-blocking tcp-no-flag; esr(config)# logging firewall screen spy-blocking tcp-no-flag; esr(config)# ip firewall screen spy-blocking tcp-all-flags; esr(config)# logging firewall screen spy-blocking tcp-all-flags. Enable protection against fragmented ICMP packets and logging of the protection mechanism: ...

Page 98: ...ration algorithm; Configuration example. Bridge configuration: Configuration algorithm; Example of bridge configuration for VLAN and L2TPv3 tunnel; Example of bridge configuration for VLAN; Configuration example of the second VLAN tag adding/removing. Dual-Homing configuration: Configuration algorithm; Configuration example. Mirroring configuration (SPAN/RSPAN): Configuration algorithm; Configuration example. LA...

Page 99: ...processing of incoming untagged Ethernet frames based on the default VLAN's switching table (VLAN ID 1) (optional): esr(config-if-gi)# no switchport forbidden default-vlan. 5. Set the L2 interface operation mode: esr(config-if-gi)# mode switchport. 6. Set the combined mode of the physical interface: esr(config-if-gi)# mode hybrid (only for ESR-1000/1200/1500/1511/1700). 7. Set the L2 interface operation mode: esr(config-if-gi)#...

Page 100: ...igure VLAN on the interface in tagged mode (optionally): esr(config-if-gi)# switchport trunk native-vlan <VID> (for ESR-10/12V(F)/14VF/20/21/100/200/3100; <VID>: VLAN identifier, set in the range of 2-4094); esr(config-if-gi)# switchport general allowed vlan add <VID> untagged (for ESR-1000/1200/1500/1511/1700; <VID>: VLAN identifier, set in the range of 2-4094). 10. Enable the processing of Ethernet frames of all created VL...

Page 101: ...owed vlan remove 2 untagged; esr(config-if-gi)# no switchport general pvid. 8.1.3 Configuration example 2: enabling VLAN processing in tagged mode. Objective: configure gi1/0/1 and gi1/0/2 ports for packet transmission and reception in VLAN 2, VLAN 64, VLAN 2000. Solution: create VLAN 2, VLAN 64, VLAN 2000 on ESR-1000: esr-1000(config)# vlan 2,64,2000 ...

Page 102: ...200. Solution: create VLAN 2, VLAN 64, VLAN 2000 on ESR-100/ESR-200: esr(config)# vlan 2,64,2000. Specify VLAN 2, VLAN 64, VLAN 2000 for the gi1/0/1 port: esr(config)# interface gi1/0/1; esr(config-if-gi)# mode switchport; esr(config-if-gi)# switchport forbidden default-vlan; esr(config-if-gi)# switchport mode trunk; esr(config-if-gi)# switchport trunk allowed vlan add 2,64,2000. Specify VLAN 2 for the gi1/0/2 port: esr(config)# inter...

Page 103: ...s values of 1-10. Default value: 4. 5. Set the IP address which will be transmitted in the LLDP TLV as the management address (optionally): esr(config)# lldp management-address <ADDR>. <ADDR>: IP address defined as AAA.BBB.CCC.DDD where each part takes values of 0-255. One of the existing addresses is set by default. 6. Set the system description field which will be transmitted in the LLDP TLV as the system description (optionally): esr(co...

Page 104: ...config-if-gi)# lldp transmit. R2 configuration: enable LLDP globally on the router: esr(config)# lldp enable. Enable the receiving and transmission of LLDPDU on the gi 1/0/1 interface: esr(config)# interface gigabitethernet 1/0/1; esr(config-if-gi)# lldp receive; esr(config-if-gi)# lldp transmit. To view LLDP neighbor information, use the following command: esr# show lldp neighbors. To view more detailed information...

Page 105: ...the router: esr(config)# lldp med fast-start enable. 4. Create a network policy: esr(config)# network-policy <NAME>. <NAME>: network policy name, set by a string of up to 31 characters. 5. Specify the application type: esr(config-net-policy)# application <APP_TYPE>. <APP_TYPE>: type of the application for which the network policy will be enabled. Takes the following values: voice, voice-signaling, guest-voice, guest-voice-signaling...

Page 106: ...ged form. 9. Set a network policy on the interface: esr(config-if-gi)# lldp network-policy <NAME>. <NAME>: network policy name, set by a string of up to 31 characters. 8.3.2 Voice VLAN configuration example. Voice VLAN: a VLAN ID on receiving which an IP phone switches to trunk mode with the specified VLAN ID for VoIP traffic reception and transmission. VLAN ID transmission is performed by the LLDP-MED enhance...

Page 107: ...e interface and set a network policy: esr(config)# interface gigabitethernet 1/0/1; esr(config-if-gi)# lldp transmit; esr(config-if-gi)# lldp receive; esr(config-if-gi)# lldp network-policy VOICE_VLAN; esr(config-if-gi)# exit. 8.4 Sub-interface termination configuration. To terminate Ethernet frames of a certain VLAN on a specific physical interface, you need to create a sub-interface with the number of the VLAN whose frames...

Page 108: ...iven sub-interface will operate (optionally): esr(config-subif)# ip vrf forwarding <VRF>. <VRF>: VRF name, set by a string of up to 31 characters. 4. Specify the IPv4/IPv6 address and subnet mask for the interface to be configured, or enable obtaining the IP address dynamically: esr(config-subif)# ip address <ADDR/LEN>. <ADDR/LEN>: IP address and subnet mask length, defined as AAA.BBB.CCC.DDD/EE where each part AAA-DDD takes v...

Page 109: ...100000000 milliseconds. The real time of the entry update varies from 0.5 to 1.5 <TIME>. 8. Change the MTU (Maximum Transmission Unit) size; an MTU above 1500 will be active only when using the 'system jumbo-frames' command (optional): esr(config-subif)# mtu <MTU>. <MTU>: MTU value in bytes. Default value: 1500. 9. Enable recording of the current interface usage statistics (optional): esr(config-subif)# history statistics. 10. Override the MSS...

Page 110: ...Tag, also known as C-VLAN (Customer VLAN); the 802.1q header which comes before the C-VLAN is an Outer Tag, also known as S-VLAN (Service VLAN). The use of double tags in Ethernet frames is described by the 802.1ad protocol. 8.5.1 Configuration algorithm. Step | Description | Command | Keys. 1. Create a sub-interface of a physical interface (possible if the physical interface is in routeport or hybrid mode): esr(config)# interfac...

Page 111: ...nterface will operate (optionally): esr(config-qinq-if)# ip vrf forwarding <VRF>. <VRF>: VRF name, set by a string of up to 31 characters. 5. Specify the IPv4/IPv6 address and subnet mask for the interface to be configured, or enable obtaining the IP address dynamically: esr(config-qinq-if)# ip address <ADDR/LEN>. <ADDR/LEN>: IP address and subnet mask length, defined as AAA.BBB.CCC.DDD/EE where each part AAA-DDD takes values...

Page 112: ...o 100000000 milliseconds. The real time of the entry update varies from 0.5 to 1.5 <TIME>. 9. Change the MTU (Maximum Transmission Unit) size; an MTU above 1500 will be active only when using the 'system jumbo-frames' command (optionally): esr(config-subif)# mtu <MTU>. <MTU>: MTU value in bytes. Default value: 1500. 10. Enable recording of the current interface usage statistics (optional): esr(config-subif)# history statistics. 11. Override the...

Page 113: ...8.5.2 Q-in-Q configuration example. Objective: configure the termination of subnet 192.168.1.1/24 with the combination C-VLAN 741, S-VLAN 828 on the physical interface gigabitethernet 1/0/1 ...

Page 114: ...ice is allocated to the connected USB modem: esr# show cellulars status modem. The connected device identifier will be specified in the 'USB port' field. 3. Create a parameter profile for the USB modem and switch to the profile configuration mode: esr(config)# cellular profile <ID>. <ID>: identifier of the USB modem parameter profile, set in the range of 1-10. 4. Specify the parameter profile description (optional): esr(config-cellular...

Page 115: ...e: PAP, CHAP, MSCHAP, MSCHAPv2, EAP. Default value: PAP. 11. Limit the possibility of the use of IP addresses in the mobile network: esr(config-cellular-profile)# ip version { ipv4 | ipv6 }. ipv4: IPv4 family; ipv6: IPv6 family. 12. Create the USB modem in the router configuration and switch to the modem configuration mode: esr(config)# cellular modem <ID>. <ID>: USB modem identifier, set in the range of 1-10. 13. Specify the modem description...

Page 116: ...bytes. Default value: 1500. 21. Set the preferable USB modem operation mode in the mobile network (optional): esr(config-cellular-modem)# preferred-mode <MODE>. <MODE>: preferable USB modem operation mode: 2g, 3g, 4g. 22. Disable the Firewall features on the interface or enable the interface in the security zone (see 'Firewall configuration'): esr(config-subif)# ip firewall disable; esr(config-subif)# security-zone <NAME>. <NAME>...

Page 117: ...TS APN: esr(config-cellular-profile)# apn internet.mts.ru. If necessary, create the user name, password, dial-up number and authentication method: esr(config-cellular-profile)# user mts; esr(config-ppp-user)# password ascii-text mts; esr(config-cellular-profile)# number *99#; esr(config-cellular-profile)# allowed-auth PAP. Proceed to configuring the USB modem and set the identifier corresponding to the device port that was...

Page 118: ...Specify the MTU (Maximum Transmission Unit) size for physical interfaces: esr(config-if-gi)# mtu <MTU>. <MTU>: MTU value for E1 and Multilink interfaces, may take values in the range of 128-1500. 5. Specify the frame check hash algorithm (optionally): esr(config-if-gi)# switchport e1 crc <FCS>. <FCS>: frame check sequence: 16 (default, FCS16), 32 (FCS32). 6. Set the check for transmission errors (optionally): esr(config-if-gi)# switchport e1 framin...

Page 119: ...on override (optionally): esr(config-e1)# ppp chap refuse. 16. Set the authentication username (optionally): esr(config-e1)# ppp chap username <NAME>. <NAME>: user name. 17. Allow any non-null IP address to be accepted as a local IP address from the neighbour (optionally): esr(config-e1)# ppp ipcp accept-address. 18. Set the IP address that is sent to the remote party for further allocation (optionally): esr(config-e1)# ppp ipcp remot...

Page 120: ...pp timeout retry <TIME>. <TIME>: time in seconds. 8.7.2 Configuration example. Objective: configure a PPP connection to the opposite side with IP address 10.77.0.1/24 via ToPGATE-SFP, using channel slots 1-8 for data transmission; the clock source is the opposite side. Solution: switch the gigabitethernet 1/0/3 interface, in which the ToPGATE-SFP is installed, into E1 operation mode: esr# configure; esr(config)# interface gigabiteth...

Page 121: ...cription <DESCRIPTION>. <DESCRIPTION>: aggregation group description, set by a string of up to 255 characters. 3. Specify the time interval over which the statistics on the aggregation group load are averaged (optionally): esr(config-multilink)# load-average <TIME>. <TIME>: interval in seconds, takes values of 5-150. Default value: 5. 4. Specify the MTU (Maximum Transmission Unit) size for the aggregation group (optionally). MT...

Page 122: ...ncrypted or unencrypted password for a specific user to authenticate the remote party: esr(config-ppp-user)# password { ascii-text <CLEAR-TEXT> | encrypted <ENCRYPTED-TEXT> }. <CLEAR-TEXT>: unencrypted password, set by a string of 8-64 characters, may include [0-9a-fA-F] characters. <ENCRYPTED-TEXT>: encrypted password, set by a string of 16-128 characters. 13. Set the number of attempts to send Configure-Request packe...

Page 123: ...ru <MRRU>. <MRRU>: maximum size of a received packet for the MLPPP interface, takes values in the range of 1500-10000. 20. Bind the e1 port to the physical interface: esr(config-if-gi)# switchport e1 <SLOT>. <SLOT>: slot identifier, takes values in the range of 0-3. 21. Put the physical port into SFP-e1 module operation mode: esr(config-if-gi)# switchport mode e1. 22. Enable MLPPP mode on the E1 interface: esr(config-e1)# ppp multilink. 23. I...

Page 124: ...multilink-group 3; esr(config-e1)# exit; esr(config)# interface e1 1/0/2; esr(config-e1)# ppp multilink; esr(config-e1)# ppp multilink-group 3; esr(config-e1)# exit. 8.9 Bridge configuration. A bridge is a method of connecting two Ethernet segments at the data link level without any higher-level protocols such as IP. Packet transmission is based on Ethernet addresses, not on IP addresses. Given that the transmission is...

Page 125: ...l2tpv3)# bridge-group <BRIDGE-ID>. <BRIDGE-ID>: bridge identification number, takes values in the range of: for ESR-10/12V(F)/14VF: 1-50; for ESR-20/21/100/200: 1-250; for ESR-1000/1200/1500/1511/1700/3100: 1-500. 6. Connect the current network bridge with a VLAN. All interfaces and L2 tunnels that are members of the assigned VLAN are automatically included in the network bridge and become members of the shared L2 do...

Page 126: ...6 addressing features, see section 'IPv6 addressing configuration'. You can specify several IPv4/IPv6 addresses separated by commas. Up to 8 IPv4/IPv6 addresses can be assigned to the interface. esr(config-bridge)# ip address dhcp. For advanced DHCP client operation features, see section 'DHCP Client management'. 9. Disable the Firewall features on the interface or enable the interface in the security zone (see...

Page 127: ...rwarding disable. 12. Set the lifetime of IPv4/IPv6 entries in the ARP table learned on the given bridge (optionally): esr(config-bridge)# ip arp reachable-time <TIME> or esr(config-bridge)# ipv6 nd reachable-time <TIME>. <TIME>: lifetime of dynamic MAC addresses in milliseconds. Allowed values are from 5000 to 100000000 milliseconds. The real time of the entry update varies from 0.5 to 1.5 <TIME>. It is also possible to conf...

Page 128: ...nfig-vlan)# exit. Create the trusted security zone: esr(config)# security zone trusted; esr(config-zone)# exit. Add the gi1/0/11, gi1/0/12 interfaces to VLAN 333: esr(config)# interface gigabitethernet 1/0/11-12; esr(config-if)# mode switchport; esr(config-if)# switchport general allowed vlan add 333 tagged ...

Page 129: ...ridge and tunnel identifiers should not match the VID, unlike in this example: esr(config)# tunnel l2tpv3 333; esr(config-l2tpv3)# bridge-group 333. 8.9.3 Example of bridge configuration for VLAN. Objective: configure routing between VLAN 50 (10.0.50.0/24) and VLAN 60 (10.0.60.0/24). VLAN 50 should belong to LAN1, VLAN 60 to LAN2; enable free traffic transmission between the zones. Solution: create VLAN 50, 60: esr(config)# vl...

Page 130: ...define IP address 10.0.60.1/24 and membership in the LAN2 zone: esr(config)# bridge 60; esr(config-bridge)# vlan 60; esr(config-bridge)# ip address 10.0.60.1/24; esr(config-bridge)# security-zone LAN2; esr(config-bridge)# enable. Create firewall rules that enable free traffic transmission between the zones: esr(config)# security zone-pair LAN1 LAN2; esr(config-zone-pair)# rule 1; esr(config-zone-pair-rule)# action permit; esr(conf...

Page 131: ...gabitethernet 1/0/1 interface in bridge 1: esr(config)# interface gigabitethernet 1/0/1; esr(config-if-gi)# bridge-group 1; esr(config-if-gi)# exit. Include the gigabitethernet 1/0/2.828 sub-interface in bridge 1: esr(config)# interface gigabitethernet 1/0/2.828; esr(config-subif)# bridge-group 1; esr(config-subif)# exit. 8.10 Dual-Homing configuration. Dual-Homing is a technology based on redundant links that creates...

Page 132: ...be sent to the active interface when switching (optionally): esr(config)# backup interface mac-duplicate <COUNT>. <COUNT>: number of packet copies, takes values of 1-4. 3. Specify the number of packets per second that will be sent to the active interface when switching (optionally): esr(config)# backup interface mac-per-second <COUNT>. <COUNT>: number of MAC addresses per second, takes values of 50-400. 4. Specify that it is ne...

Page 133: ...sr(config-if-gi)# exit. Main configuration step: make gigabitethernet 1/0/10 redundant for gigabitethernet 1/0/9: esr(config)# interface gigabitethernet 1/0/9; esr(config-if-gi)# backup interface gigabitethernet 1/0/10 vlan 50-55. To view information on redundant interfaces, use the following command: esr# show interfaces backup. 8.11 Mirroring configuration (SPAN/RSPAN). Traffic mirroring is a feature of the route...

Page 134: ...f using remote mirroring: esr(config)# port monitor remote. 3. Define the mode of the port transmitting mirrored traffic (optional): esr(config)# port monitor mode <MODE>. <MODE>: mode: network (combined data transfer and mirroring; default), monitor (mirroring only). 4. Enable mirroring in the interface configuration mode: esr(config-if-gi)# port monitor interface <IF> <DIRECTION>. <IF>: interface from which the frames will be...

Page 135: ...fig-if-gi)# port monitor interface gigabitethernet 1/0/11. For the gi 1/0/5 interface, specify the remote mirroring mode: esr1000(config-if-gi)# port monitor remote. 8.12 LACP configuration. LACP is a link aggregation protocol that allows multiple physical links to be combined into a single logical link. This allows the communication link bandwidth and robustness to be increased. 8.12.1 Configuration algorit...

Page 136: ...der and receiver; src-dst-mac-ip-port: the balancing mechanism is based on source and destination MAC address, IP address and port. 3. Set the LACP administration timeout: esr(config)# lacp timeout { short | long }. long: long timeout; short: short timeout. Default value: long. 4. Create and switch to the aggregated interface configuration mode: esr(config)# interface port-channel <ID>. <ID>: sequence number of a channel aggregation gr...

Page 137: ...average <TIME>. <TIME>: interval in seconds, takes values of 5-150. 10. Set the lifetime of IPv4/IPv6 entries in the ARP table learned on the given interface (optionally): esr(config-subif)# ip arp reachable-time <TIME> or esr(config-subif)# ipv6 nd reachable-time <TIME>. <TIME>: lifetime of dynamic MAC addresses in milliseconds. Allowed values are from 5000 to 100000000 milliseconds. The real time of the entry update varies f...

Page 138: ...ns 'Netflow configuration' and 'sFlow configuration'; routing protocols functionality, see section 'Routing management'; VRRP protocol, see section 'Redundancy management'; BRAS functionality, see section 'BRAS (Broadband Remote Access Server) management'; IDS/IPS functionality, see section 'IPS/IDS configuration'. 8.12.2 Configuration example. Objective: configure an aggregated link between the ESR router and the switch. Solutio...

Page 139: ...line aux <NUM>. <NUM>: number of a serial interface from the range 1-3. 2. Set the serial interface parameters necessary to communicate with the connected device (optional). These parameters are usually specified in the operation manual of the device to be connected. By default, the standard values will be used: esr(config-line-aux)# databits <BITS>; esr(config-line-aux)# flowcontrol <FMODE>; esr(config-line-aux)# parit...

Page 140: ...nterface description, set by a string of up to 255 characters. 4. When using the device to be connected as a modem, set the serial interface to modem mode (optional). Note: cannot be used in conjunction with the 'transport telnet port' command: esr(config-line-aux)# modem inout. 5. When using the ESR as a terminal server to control a connected device on the serial interface, set the TCP port number to be used a...

Page 141: ...ic modem mode, connected to each other by a telephone cable. Solution: configure the first ESR-21. Configure negotiation parameters: esr-21-1(config)# line aux 2; esr-21-1(config-line-aux)# flowcontrol hardware; esr-21-1(config-line-aux)# exit; esr-21-1(config)#. The modems should previously have been put into automatic connection setup mode. Modem compatibility verified: Modem Zyxel U-336E Plus ...

Page 142: ...config)# interface serial 1/0/2; esr-21-1(config-serial)# security-zone xx; esr-21-1(config-serial)# exit; esr-21-1(config)#. Configure the second ESR-21. Configure negotiation parameters: esr-21-2(config)# line aux 2; esr-21-2(config-line-aux)# flowcontrol hardware; esr-21-2(config-line-aux)# exit; esr-21-2(config)#. Configure the required RS-232 interfaces: esr-21-2(config)# interface serial 1/0/2; esr-21-2(config-serial)# ip...

Page 143: ...figuration is used as a PSTN emulation: dialplan pattern factory_test; description "dialplan for factory test"; pattern S5 L5 00 1 3 local xABCD S; enable; exit; sip profile 1; dialplan pattern factory_test; enable; proxy primary enable; ip address proxy-server 192.0.2.5; registration ip address registration-server 192.0.2.5; exit; exit; interface voice-port 1; sip user phone 001; profile sip 1; exit; interface voice...

Page 144: ...fig-zone-pair)# rule 1; esr-21-1(config-zone-pair-rule)# action permit; esr-21-1(config-zone-pair-rule)# enable; esr-21-1(config-zone-pair-rule)# exit; esr-21-1(config-zone-pair)# exit; esr-21-1(config)#. Specify that the interfaces belong to the security zone: esr-21-1(config)# interface serial 1/0/2; esr-21-1(config-serial)# security-zone xx; esr-21-1(config-serial)# exit; esr-21-1(config)#. Enable dialing by number: esr-21-1...

Page 145: ...the security zone: esr-21-2(config)# interface serial 1/0/2; esr-21-2(config-serial)# security-zone xx; esr-21-2(config-serial)# exit; esr-21-2(config)#. Objective 3: use additional modem settings for Objective 2: for modem 1, enable the V.22bis protocol; disable the speakers on both modems. Solution: create a line with additional modem initialization parameters for the first ESR-21, where AT N1: enable V.22bis on mod...

Page 146: ...Y ABORT "NO CARRIER" "" AT OK AT&F OK ATM0L0 RING ATA\r CONNECT; esr-21-2(config)#. Enable the use of the modem initialization string: esr-21-2(config)# interface serial 1/0/2; esr-21-2(config-serial)# dialer string 000 modem-script answer_test; esr-21-2(config-serial)# exit; esr-21-2(config)#. 8.13.3 Adapter soldering schemes. RJ-45 to DB-25 pinout; RJ-45 to RJ-45 pinout (rolled-over cable) ...

Page 147: ...packet tunneling protocol. Its main purpose is to encapsulate packets of the OSI model network layer into IP packets. GRE may be used for VPN establishment at layer 3 of the OSI model. The ESR router implements static, unmanaged GRE tunnels, i.e. tunnels are created manually via configuration on the local and remote hosts. Tunnel parameters on each side should be mutually consistent, otherwise transferred da...

Page 148: ...ss for tunnel establishment: esr(config-gre)# remote address <ADDR>. <ADDR>: gateway IP address defined as AAA.BBB.CCC.DDD where each part takes values of 0-255. 7. Specify the GRE tunnel encapsulation mode: esr(config-gre)# mode <MODE>. <MODE>: GRE tunnel encapsulation mode: ip (encapsulation of IP in GRE), ethernet (encapsulation of Ethernet frames in GRE). Default value: ip. 8. Set the IP address of the tunnel's local side, only...

Page 149: ...f up to 12 characters. esr(config-gre)# ip firewall disable. 11. Specify the MTU size (Maximum Transmission Unit) for the tunnel (optionally); an MTU above 1500 will be active only when using the 'system jumbo-frames' command: esr(config-gre)# mtu <MTU>. <MTU>: MTU value, takes values in the range of: for ESR-10/12V(F)/14VF: 1280-9600; for ESR-20/21: 1280-9500; for ESR-100/200/1000/1200/1500/1511/1700/3100: 1280-10000. Default value: 15...

Page 150: ...emote checksum. 17. Enable the check for tunnel remote gateway availability (optionally): esr(config-gre)# keepalive enable. 18. Change the timeout for keepalive packets from the opposing party (optional): esr(config-gre)# keepalive timeout <TIME>. <TIME>: time in seconds, takes values of 1-32767. Default value: 10. 19. Change the number of attempts to check the availability of the tunnel remote gateway (optionally): esr(config-gr...

Page 151: ...al: esr(config-gre)# ip tcp adjust-mss <MSS>. <MSS>: MSS value, takes values in the range of 500-1460. Default value: 1460. 26. Enable recording of the current tunnel usage statistics (optional): esr(config-gre)# history statistics. 27. Enable the tunnel: esr(config-gre)# enable. It is also possible to configure the GRE tunnel QoS in basic or advanced mode (see section 'QoS management'), proxy (see section 'HTTP/HTTPS traffic pr...

Page 152: ...ip address 25.0.0.1/24. The tunnel should also belong to a security zone in order to create rules that allow traffic to pass through the firewall. To define the tunnel's membership in a zone, use the following command: esr(config-gre)# security-zone untrusted. Enable the tunnel: esr(config-gre)# enable; esr(config-gre)# exit. Create a route to the partner's local area network on the router. Specify the previously created G...

Page 153: ...e tunnel status, use the following command: esr# show tunnels status gre 10. To view sent and received packet counters, use the following command: esr# show tunnels counters gre 10. To view the tunnel configuration, use the following command: esr# show tunnels configuration gre 10. IPv4-over-IPv4 tunnel configuration is performed in the same manner. 9.2 DMVPN configuration. DMVPN (Dynamic Multipoint Virtual Priv...

Page 154: ...guration mode: esr(config)# tunnel gre <INDEX>. <INDEX>: tunnel identifier. 3. Switch the GRE tunnel to multipoint mode: esr(config-gre)# multipoint. 4. Set an open password for NHRP packets (optional): esr(config-gre)# ip nhrp authentication <WORD>. <WORD>: unencrypted password, set by a string of 1-8 characters, may include [0-9a-fA-F] characters. 5. Specify the time during which a record about this client will exist on the N...

Page 155: ...ortcut. 11. Map an IPsec VPN to the mGRE tunnel (optionally): esr(config-gre)# ip nhrp ipsec <WORD> { static | dynamic }. <WORD>: VPN name, set by a string of up to 31 characters; static: static connection used for the connection to the NHS; dynamic: dynamically established connection configured for communication between NHCs. 12. Enable NHRP: esr(config-gre)# ip nhrp enable. 13. Organize IP connectivity using a dynamic routing protoco...

Page 156: ...s: IKE: Diffie-Hellman group 2, encryption algorithm AES128, authentication algorithm SHA1; IPsec: encryption algorithm AES128, authentication algorithm SHA1. Solution: Hub configuration. Create the GRE tunnel: esr# configure; esr(config)# tunnel gre 5. Specify the IP address of the interface bordering the ISP: esr(config-gre)# local address 150.115.0.5. Specify the MTU value: esr(config-gre)# mtu 1416 ...

Page 157: ...r)# exit; esr(config-bgp-af)# neighbor 10.10.0.4; esr(config-bgp-neighbor)# remote-as 65004; esr(config-bgp-neighbor)# enable; esr(config-bgp-neighbor)# exit; esr(config-bgp-af)# enable. Configure IPsec for the Hub: esr(config)# security ike proposal IKEPROP; esr(config-ike-proposal)# encryption algorithm aes128; esr(config-ike-proposal)# dh-group 2; esr(config-ike-proposal)# exit; esr(config)# security ike policy IKEPOLICY; esr(c...

Page 158: ...c-vpn-ike)# ipsec-policy IPSECPOLICY; esr(config-ipsec-vpn)# enable. Map IPsec to the GRE tunnel so that clients can establish an encrypted connection: esr(config-gre)# ip nhrp ipsec IPSECVPN dynamic. Enable NHRP and the tunnel: esr(config-gre)# ip nhrp enable; esr(config-gre)# enable. Spoke configuration: perform the standard DMVPN configuration on the tunnel: esr# configure; esr(config)# tunnel gre 8; esr(config-gr...

Page 159: ...ular destination addresses. When creating an IKE gateway for NHCs, the destination address will be 'any': esr(config)# security ike proposal IKEPROP; esr(config-ike-proposal)# encryption algorithm aes128; esr(config-ike-proposal)# dh-group 2; esr(config-ike-proposal)# exit; esr(config)# security ike policy IKEPOLICY; esr(config-ike-policy)# pre-shared-key ascii-text encrypted 8CB5107EA7005AFF; esr(config-ike-policy)# propo...

Page 160: ..._HUB esr config ipsec vpn mode ike esr config ipsec vpn ike establish tunnel route esr config ipsec vpn ike gateway IKEGW_HUB esr config ipsec vpn ike ipsec policy IPSECPOLICY esr config ipsec vpn enable esr config security ipsec vpn IPSECVPN_SPOKE esr config ipsec vpn mode ike esr config ipsec vpn ike establish tunnel route esr config ipsec vpn ike gateway IKEGW_SPOKE esr config ipsec vpn ike ips...

Page 161: ...d two branches The HUB is the DMVPN server NHS and the branches are DMVPN clients NHC When using the DMVPN scheme the hub must be a DR router Thus the routes of local subnets spoke 1 and spoke 2 will be relayed through the hub External IP address of Hub 150 115 0 5 External IP address of Spoke 1 180 100 0 10 External IP address of Spoke 2 140 114 0 4 IPsec VPN parameters IKE Diffie Hellman group 2 ...

Page 162: ... hub DR you must set the maximum priority esr config tunnel gre 1 esr config gre ttl 16 esr config gre mtu 1416 esr config gre multipoint esr config gre security zone untrusted esr config gre local address 150 115 0 5 esr config gre ip address 10 10 0 1 28 esr config gre ip ospf instance 1 esr config gre ip ospf area 10 10 0 0 esr config gre ip ospf priority 255 esr config gre ip ospf esr config g...

Page 163: ...t esr config security ipsec policy ipsec_pol1 esr config ipsec policy proposal ipsec_prop1 esr config ipsec policy exit esr config security ipsec vpn ipsec_spoke esr config ipsec vpn mode ike esr config ipsec vpn ike establish tunnel route esr config ipsec vpn ike gateway ike_spoke esr config ipsec vpn ike ipsec policy ipsec_pol1 esr config ipsec vpn enable esr config ipsec vpn exit Map IPsec to t...

Page 164: ... config gre ip ospf area 10 10 0 0 esr config gre ip ospf priority 0 esr config gre ip ospf esr config gre ip nhrp holding time 300 esr config gre ip nhrp map 10 10 0 1 150 115 0 5 esr config gre ip nhrp nhs 10 10 0 1 28 esr config gre ip nhrp multicast nhs esr config gre ip nhrp enable esr config gre enable esr config gre exit Create static routes for the subnets of the spoke interfaces 180 100 0...

Page 165: ...sal encryption algorithm aes128 esr config ipsec proposal pfs dh group 2 esr config ipsec proposal exit esr config security ipsec policy ipsec_pol1 esr config ipsec policy proposal ipsec_prop1 esr config ipsec policy exit esr config security ipsec vpn ipsec_spoke esr config ipsec vpn mode ike esr config ipsec vpn ike establish tunnel route esr config ipsec vpn ike gateway ike_spoke esr config ipse...

Page 166: ...config zone pair rule exit esr config zone pair exit 9 3 L2TPv3 tunnel configuration L2TPv3 Layer 2 Tunnelling Protocol Version 3 is a protocol used for tunneling of OSI Layer 2 packets between two IP nodes IP or UDP is used as an encapsulation protocol L2TPv3 may be used as an alternative to MPLS P2P L2VPN VLL for L2 VPN establishment ESR routers implement static unmanaged L2TPv3 t...

Page 167: ...P datagrams 7 Set local session identifier esr config l2tpv3 local session id SESSION ID SESSION ID session identifier takes values in the range of 1 200000 8 Set remote session identifier esr config l2tpv3 remote session id SESSION ID SESSION ID session identifier takes values in the range of 1 200000 9 Define local UDP port if UDP was selected as encapsulation method esr config l2tpv3 local port...

Page 168: ...interval during which the statistics on the tunnel load are averaged optionally esr config l2tpv3 load average TIME TIME interval in seconds takes values of 5 150 Default value 5 17 Enable recording of the current tunnel usage statistics optional esr config subif history statistics It is also possible to configure the L2TPv3 tunnel QoS in basic or advanced mode see section QoS management BRAS funct...

Page 169: ...lution Create L2TPv3 333 tunnel esr configure esr config tunnel l2tpv3 333 Specify local and remote gateways IP addresses of WAN border interfaces esr config l2tpv3 local address 21 0 0 1 esr config l2tpv3 remote address 183 0 0 10 ...

Page 170: ... id 333 esr config interface gi 1 0 2 333 Assign the sub interface to the bridge that should be mapped to LAN for bridge configuration see Section Configuration of PPP via E1 esr config subif bridge group 333 esr config subif exit When settings are applied traffic will be encapsulated into the tunnel and sent to the partner regardless of their L2TPv3 tunnel existence and settings validi...

Page 171: ...ddress ADDR ADDR IP address of a local gateway 3 Specify the remote IP address of the VTI tunnel esr config vti remote address ADDR ADDR IP address of a remote gateway 4 Specify the IP address of the VTI tunnel local side esr config vti ip address ADDR LEN ADDR LEN IP address and prefix of a subnet defined as AAA BBB CCC DDD EE where each part AAA DDD takes values of 0 255 and EE takes values of 1...

Page 172: ...r aes256ctr camellia128 camellia192 camellia256 Default value 3des 11 Define Diffie Hellman group number optionally esr config ike proposal dh group DH GROUP DH GROUP Diffie Hellman group number takes values of 1 2 5 14 15 16 17 18 Default value 1 12 Specify IKE authentication mode optionally esr config ike proposal authentication method METHOD METHOD key authentication method May take the followi...

Page 173: ...fig ike gw ike policy NAME NAME IKE protocol policy name set by the string of up to 31 characters 19 Specify IKE version optionally esr config ike gw version VERSION version IKE protocol version v1 only or v2 only Default value v1 only 20 Set the route based mode esr config ike gw mode route based 21 Specify the action for DPD optionally esr config ike gw dead peer detection action MODE MODE DPD o...

Page 174: ...es values of md5 sha1 sha2 256 sha2 384 sha2 512 Default value sha1 27 Specify IPsec encryption algorithm optionally esr config ipsec proposal encryption algorithm ALGORITHM ALGORITHM encryption protocol takes the following values des 3des blowfish128 blowfish192 blowfish256 aes128 aes192 aes256 aes128ctr aes192ctr aes256ctr camellia128 camellia192 camellia256 Default value 3des 28 Specify encapsu...

Page 175: ...e approval is carried out Takes values in the range of 4 86400 seconds Default value 28800 seconds 32 Create IPsec VPN policy and switch to its configuration mode esr config security ipsec vpn NAME NAME VPN name set by the string of up to 31 characters 33 Define the matching mode of data required for VPN enabling esr config ipsec vpn mode MODE MODE VPN operation mode 34 Bind IPsec policy to IPsec ...

Page 176: ...onfiguration 37 Bind IKE gateway to IPsec VPN esr config ipsec vpn ike gateway NAME NAME IKE gateway name set by the string of up to 31 characters 38 Set the time interval value in seconds after which the connection is closed if no packet has been received or sent via SA optionally esr config ipsec vpn ike idle time TIME TIME interval in seconds takes values of 4 86400 39 Disable key re approval b...

Page 177: ...emaining before the connection release set by the lifetimekilobytes command Takes values in the range of 4 86400 Default value Keys re approval before the expire of time 540 seconds before Keys re approval before the expire of traffic volume and amount of packets disabled 41 Set the level of margin seconds margin packets margin kilobytes values random spread optionally esr config ipsec vpn ike rek...

Page 178: ... config interface gi 1 0 1 esr config if gi ip address 180 100 0 1 24 esr config if gi security zone untrusted esr config if gi exit Create VTI tunnel Traffic will be routed via VTI into IPsec tunnel Specify IP addresses of WAN border interfaces as local and remote gateways esr config tunnel vti 1 esr config vti local address 180 100 0 1 esr config vti remote address 120 11 5 1 esr config vti enab...

Page 179: ... config ike policy proposal ike_prop1 esr config ike policy exit Create IKE protocol gateway For this profile specify VTI tunnel policy protocol version and mode of traffic redirection into the tunnel esr config security ike gateway ike_gw1 esr config ike gw ike policy ike_pol1 esr config ike gw mode route based esr config ike gw bind interface vti 1 esr config ike gw version v2 only esr config ik...

Page 180: ...Specify IP addresses of WAN border interfaces as local and remote gateways esr config tunnel vti 1 esr config vti remote address 180 100 0 1 esr config vti local address 120 11 5 1 esr config vti enable esr config vti exit To configure security zones rules you should create ISAKMP port profile esr config object group service ISAKMP esr config object group service port range 500 esr config object g...

Page 181: ... the following parameters to secure IPsec tunnel esr config security ipsec proposal ipsec_prop1 esr config ipsec proposal authentication algorithm md5 esr config ipsec proposal encryption algorithm aes128 esr config ipsec proposal exit Create a policy for IPsec tunnel For the policy specify the list of IPsec tunnel profiles that may be used for node negotiation esr config security ipsec policy ips...

Page 182: ...ORITHM authentication algorithm takes values of md5 sha1 sha2 256 sha2 384 sha2 512 4 Specify IKE encryption algorithm esr config ike proposal encryption algorithm ALGORITHM ALGORITHM encryption protocol takes the following values des 3des blowfish128 blowfish192 blowfish256 aes128 aes192 aes256 aes128ctr aes192ctr aes256ctr camellia128 camellia192 camellia256 5 Define Diffie Hellman group number ...

Page 183: ...ecurity ike gateway NAME NAME IKE protocol gateway name set by the string of up to 31 characters 12 Bind IKE policy esr config ike gw ike policy NAME NAME IKE protocol policy name set by the string of up to 31 characters 13 Specify IKE version optionally esr config ike gw version VERSION version IKE protocol version v1 only or v2 only 14 Set the mode of traffic redirection into the tunnel esr conf...

Page 184: ... protocol version v1 only or v2 only 19 Set sender s IP subnets esr config ike gw local network ADDR LEN protocol TYPE ID port PORT ADDR LEN subnet IP address and mask of a sender The parameter is defined as AAA BBB CCC DDD EE where each part AAA DDD takes values of 0 255 and EE takes values of 1 32 TYPE protocol type takes the following values esp icmp ah eigrp ospf igmp ipip tcp pim udp vrrp rdp...

Page 185: ...IPsec authentication algorithm esr config ipsec proposal authentication algorithm ALGORITHM ALGORITHM authentication algorithm takes values of md5 sha1 sha2 256 sha2 384 sha2 512 26 Specify IPsec encryption algorithm esr config ipsec proposal encryption algorithm ALGORITHM ALGORITHM encryption protocol takes the following values des 3des blowfish128 blowfish192 blowfish256 aes128 aes192 aes256 aes...
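The proposal steps on pages 172, 174, 182 and 185 list the permitted encryption, authentication and Diffie-Hellman values, and the manual's defaults when a line is omitted are 3des, sha1 and dh group 1; the worked examples on pages 179 to 190 select aes128, md5 and group 2. The following lint is an added example, not Eltex code: it parses ESR-style proposal blocks and reports choices a defender would want replaced before the tunnel goes into production. It assumes the hyphenated CLI spelling (encryption-algorithm, authentication-algorithm, dh-group, pfs dh-group), the sample configuration is constructed, and the "weak" sets are this example's own classification.

```python
"""Lint ESR-style IKE/IPsec proposals for weak algorithm choices.

Added example, not Eltex code. Assumes the hyphenated CLI form
(encryption-algorithm, authentication-algorithm, dh-group, pfs dh-group);
the manual's stated defaults are applied when a line is omitted.
"""
import re
from typing import Dict, List

# Algorithm values as listed in the manual's proposal steps; classification is this example's.
WEAK_ENCRYPTION = {"des", "3des", "blowfish128", "blowfish192", "blowfish256"}
WEAK_AUTH = {"md5", "sha1"}
WEAK_DH = {"1", "2", "5"}          # DH groups with a modulus below 2048 bits

# Defaults stated in the manual: encryption 3des, authentication sha1, IKE dh-group 1.
DEFAULTS = {"encryption": "3des", "authentication": "sha1"}
IKE_DEFAULT_DH = "1"

PROPOSAL_RE = re.compile(r"^security (ike|ipsec) proposal (\S+)$")
SETTING_RE = re.compile(
    r"^(?:(pfs) )?(encryption-algorithm|authentication-algorithm|dh-group) (\S+)$"
)


def parse_proposals(config: str) -> Dict[str, dict]:
    """Return {name: {"kind": "ike"|"ipsec", "settings": {...}}} from config text."""
    proposals: Dict[str, dict] = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = PROPOSAL_RE.match(line)
        if m:
            current = {"kind": m.group(1), "settings": {}}
            proposals[m.group(2)] = current
            continue
        if line == "exit":
            current = None
            continue
        m = SETTING_RE.match(line)
        if m and current is not None:
            pfs, key, value = m.groups()
            # "pfs dh-group N" (IPsec) is kept apart from the IKE "dh-group N"
            name = "pfs" if pfs else key.split("-")[0]
            current["settings"][name] = value
    return proposals


def lint_proposal(kind: str, settings: dict) -> List[str]:
    """List weak choices; an empty list means the proposal passed."""
    findings: List[str] = []

    def tag(key: str) -> str:
        return "" if key in settings else " (manual default)"

    enc = settings.get("encryption", DEFAULTS["encryption"])
    if enc in WEAK_ENCRYPTION:
        findings.append(f"encryption {enc}{tag('encryption')}")
    auth = settings.get("authentication", DEFAULTS["authentication"])
    if auth in WEAK_AUTH:
        findings.append(f"authentication {auth}{tag('authentication')}")
    if kind == "ike":
        dh = settings.get("dh", IKE_DEFAULT_DH)
        if dh in WEAK_DH:
            findings.append(f"dh-group {dh}{tag('dh')}")
    else:
        pfs = settings.get("pfs")
        if pfs is None:
            findings.append("no PFS (pfs dh-group not set)")
        elif pfs in WEAK_DH:
            findings.append(f"pfs dh-group {pfs}")
    return findings


def lint(config: str) -> Dict[str, List[str]]:
    """Map every proposal name in the config to its list of findings."""
    return {name: lint_proposal(p["kind"], p["settings"])
            for name, p in parse_proposals(config).items()}


# Constructed sample: the first pair mirrors the manual's examples (aes128, md5, group 2),
# the second pair shows a configuration the lint accepts.
SAMPLE_CONFIG = """
security ike proposal ike_prop1
  encryption-algorithm aes128
  dh-group 2
  authentication-algorithm md5
  exit
security ipsec proposal ipsec_prop1
  authentication-algorithm md5
  encryption-algorithm aes128
  exit
security ike proposal ike_prop2
  encryption-algorithm aes256
  dh-group 14
  authentication-algorithm sha2-256
  exit
security ipsec proposal ipsec_prop2
  encryption-algorithm aes256
  authentication-algorithm sha2-256
  pfs dh-group 14
  exit
"""

if __name__ == "__main__":
    for name, issues in lint(SAMPLE_CONFIG).items():
        print(name, "OK" if not issues else "; ".join(issues))
```

Run the file against a saved `show running-config` excerpt to get one line per proposal; the "(manual default)" tag marks findings that come from an omitted line rather than an explicit choice, which is the case most easily missed in review.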

Page 186: ...ation mode esr config security ipsecvpn NAME NAME VPN name set by the string of up to 31 characters 31 Define the matching mode of data required for VPN enabling esr config ipsec vpn mode MODE MODE VPN operation mode 32 Bind IPsec policy to VPN esr config ipsec vpn ike ipsec policy NAME NAME IPsec policy name set by the string of up to 31 characters 33 Set the DSCP value for the use in IP headers ...

Page 187: ...fig ipsec vpn ike rekey margin seconds SEC packets PACKETS kilobytes KB SEC time interval in seconds remaining before the connection release set by the lifetimeseconds command Takes values in the range of 4 86400 PACKETS number of packets remaining before the connection release set by the lifetimepackets command Takes values in the range of 4 86400 KB traffic volume in kilobytes remaining before t...

Page 188: ...ESR Series User manual 188 9 4 4 Policy based IPsec VPN configuration example Objective Configure IPsec tunnel between R1 and R2 R1 IP address 198 51 100 1 R2 IP address 203 0 113 1 ...

Page 189: ...oup service port range 500 esr config object group service exit Create IKE protocol profile Select Diffie Hellman group 2 AES 128 bit encryption algorithm and MD5 authentication algorithm in the profile The given security parameters are used for IKE connection protection esr config security ike proposal ike_prop1 esr config ike proposal dh group 2 esr config ike proposal authentication algorithm m...

Page 190: ...l encryption algorithm aes128 esr config ipsec proposal exit Create a policy for IPsec tunnel For the policy specify the list of IPsec tunnel profiles that may be used for node negotiation esr config security ipsec policy ipsec_pol1 esr config ipsec policy proposal ipsec_prop1 esr config ipsec policy exit Create IPsec VPN For VPN specify IKE protocol gateway IPsec tunnel policy key exchange mode a...

Page 191: ...ig ike policy exit Create IKE protocol gateway For this profile specify VTI tunnel policy protocol version and mode of traffic redirection into the tunnel esr config security ike gateway ike_gw1 esr config ike gw ike policy ike_pol1 esr config ike gw remote address 198 51 100 1 esr config ike gw remote network 10 0 0 0 16 esr config ike gw local address 203 0 113 1 esr config ike gw local network ...

Page 192: ...n which the IPsec VPN server is waiting for incoming connections and clients make temporary connections to the server to gain access to network resources An additional feature of RA IPsec VPN is the ability to use the second IPsec authentication factor Extended Authentication XAUTH where the second authentication factor is the login password pair for the IPsec VPN client Step Description Command ...

Page 193: ...cation mode esr config ike policy authentication method METHOD METHOD key authentication method May take the following values xauth psk key two factor authentication method using a login password pair and previously obtained encryption keys 8 Set the client mode only for client esr config ike policy authentication mode client 9 Specify the lifetime of IKE protocol connection optionally esr config ...

Page 194: ...he subnet 17 Create an IKE gateway and switch to its configuration mode esr config security ike gateway NAME NAME IKE protocol gateway name set by the string of up to 31 characters 18 Bind IKE policy esr config ike gw ike policy NAME NAME IKE protocol policy name set by the string of up to 31 characters 19 Set the mode of traffic redirection into the tunnel esr config ike gw mode MODE MODE mode of...

Page 195: ...of the source only for server esr config ike gw local network ADDR LEN protocol TYPE ID port PORT ADDR LEN subnet IP address and mask of a sender The parameter is defined as AAA BBB CCC DDD EE where each part AAA DDD takes values of 0 255 and EE takes values of 1 32 TYPE protocol type takes the following values esp icmp ah eigrp ospf igmp ipip tcp pim udp vrrp rdp l2tp gre ID IP identification num...

Page 196: ...p to 31 characters LOGIN login for client set by the string of up to 31 characters 31 Define a dedicated IP termination interface for building IPsec VPN only for client esr config ike gw assign interface loopback INDEX INDEX interface index takes values of 1 65535 32 Create IPsec profile esr config security ipsec proposal NAME NAME IPsec protocol profile name set by the string of up to 31 characte...

Page 197: ...policy to profile esr config ipsec policy proposal NAME NAME IPsec protocol profile name set by the string of up to 31 characters 38 Specify the lifetime of IPsec tunnel optionally esr config ipsec policy lifetime seconds SEC packets PACKETS kilobytes KB SEC IPsec tunnel lifetime after which the re approval is carried out Takes values in the range of 1140 86400 seconds Default value 540 PACKETS nu...

Page 198: ...SCP code value takes values in the range of 0 63 Default value 63 43 Set VPN activation mode esr config ipsec vpn ike establish tunnel MODE MODE VPN activation mode by request connection is activated by the opposite side available for the server route the connection is activated when traffic routed to the tunnel appears it is available for the server immediate tunnel is enabled automatically after...

Page 199: ...ge of 4 86400 Default value 540 PACKETS number of packets remaining before the connection release set by the lifetimepackets command Takes values in the range of 4 86400 Default value disabled KB traffic volume in kilobytes remaining before the connection release set by the lifetimekilobytes command May take values 4 86400 Default value disabled 48 Set the level of margin seconds margin packets ma...

Page 200: ...tiator of the connection, the previously used IP address will be assigned; otherwise the established XAUTH connection will be withheld and a new IP address will be assigned to the new XAUTH connection. never: the established XAUTH connection will be withheld and a new IP address will be assigned to the new XAUTH connection; the INITIAL_CONTACT notification will be ignored anyway. replace: the established XAUTH connectio...

Page 201: ...ion algorithm 3DES authentication algorithm SHA1 IPSEC encryption algorithm 3DES authentication algorithm SHA1 XAUTH login client1 password password123 Solution R1 configuration Configure the external network interface and assign it to a security zone esr configure esr config security zone untrusted esr config zone exit esr config interface gigabitethernet 1 0 1 esr config if gi security ...

Page 202: ...sword for the IPsec VPN client esr config access profile XAUTH esr config access profile user client1 esr config profile password ascii text password123 esr config profile exit esr config access profile exit Create a pool of addresses from which IPsec VPN clients will be issued IP addresses esr 1000 config address assignment pool CLIENT_POOL esr 1000 config pool ip prefix 192 0 2 0 24 esr 1000 c...

Page 203: ...config security ipsec IPSECVPN esr config ipsec vpn mode ike esr config ipsec vpn ike establish tunnel by request esr config ipsec vpn ike gateway IKEGW esr config ipsec vpn ike ipsec policy IPSECPOLICY esr config ipsec vpn enable esr config ipsec vpn exit Allow esp protocol and udp ports 500 4500 in the firewall configuration for establishing IPsec VPN esr config security zone pair untrusted self...

Page 204: ...tion method xauth psk key esr config ike policy authentication mode client esr config ike policy proposal IKEPROP esr config ike policy exit Create an access profile and set a username and password pair in it esr config access profile XAUTH esr config access profile user client1 esr config profile password ascii text password123 esr config profile exit esr config access profile exit Create a lo...

Page 205: ... config ipsec vpn mode ike esr config ipsec vpn ike establish tunnel immediate esr config ipsec vpn ike gateway IKEGW esr config ipsec vpn ike ipsec policy IPSECPOLICY esr config ipsec vpn enable esr config ipsec vpn exit Allow esp protocol and udp ports 500 4500 in the firewall configuration for establishing IPsec VPN esr config security zone pair untrusted self esr config zone pair rule 1 esr co...

Page 206: ...aracters 4 Include each LT tunnel in a security zone and configure interaction rules between zones or disable firewall for LT tunnel esr config lt security zone NAME NAME security zone name set by the string of up to 12 characters esr config lt ip firewall disable 5 For each LT tunnel set the opposite LT tunnel number in another VRF esr config lt peer lt ID ID tunnel identifier set in the range of...

Page 207: ... of for ESR 10 12V F 14VF 1280 9600 for ESR 20 21 1280 9500 for ESR 100 200 1000 1200 1500 1511 1700 3100 1280 10000 Default value 1500 9 5 2 Configuration example Objective Organize interaction between hosts terminated in two VRF vrf_1 and vrf_2 Initial configuration hostname esr ip vrf vrf_1 exit ip vrf vrf_2 exit interface gigabitethernet 1 0 1 ip vrf forwarding vrf_1 ip firewall disable ip add...

Page 208: ... disable esr config lt ip address 192 168 0 2 30 esr config lt exit For each LT tunnel designate the peer LT tunnel in the other VRF with which the link is to be established and activate them esr config tunnel lt 1 esr config lt peer lt 2 esr config lt enable esr config lt exit esr config tunnel lt 2 esr config lt peer lt 1 esr config lt enable esr config lt exit If no dynamic routing protocol is configured...

Page 209: ...e through which traffic arrives 10 1 1 Configuration algorithm Step Description Command Keys 1 Enable QoS on the interface tunnel network bridge If QoS policy is not assigned on the interface the interface operates in BasicQoS mode esr config if gi qos enable 2 Set the trust mode for 802 1p and DSCP codes values in incoming packets optionally esr config qos trust MODE MODE trust mode for 802 1p an...

Page 210: ...utgoing queues The given match works for incoming interfaces tunnels bridge on which QoS is enabled optionally esr config qos map cos queue COS to QUEUE COS service classifier in 802 1q packet tag takes values in the range of 0 7 QUEUE queue identifier takes values in the range of 1 8 Default values CoS 0 queue 1 CoS 1 queue 2 CoS 2 queue 3 CoS 3 queue 4 CoS 4 queue 5 CoS 5 queue 6 CoS 6 queue 7 C...

Page 211: ...ult value 8 9 Define the weights for corresponding weighted queues esr config qos wrr queue QUEUE bandwidth WEIGHT QUEUE queue identifier takes values in the range of 1 8 WEIGHT weight value takes values in the range of 1 255 The default value weight 1 for all queues 10 Set the outgoing traffic rate limiting for a certain queue or interface in total The command is relevant only for BasicQoS mode o...

Page 212: ... Configure the following restrictions on gigabitethernet 1 0 8 interface transfer DSCP 22 traffic into 8th priority queue DSCP 14 traffic into 7th weighted queue limit transfer rate to 60Mbps for 7th queue Solution In order to make 8th queue a priority queue and 2nd to 8th queues weighted ones limit the quantity of priority queues to 1 esr config priority queue out num of queues 1 Redirect DSCP 22...

Page 213: ...R routers classification of incoming traffic is possible on both incoming and outgoing interfaces Step Description Command Keys 1 Create access lists to define the traffic to which the advanced QoS should be applied See Section Access list ACL configuration 2 Create QoS class and switch to the class parameters configuration mode esr config class map NAME NAME name of the class being created set by...

Page 214: ... Create QoS policy and switch to the policy parameters configuration mode esr config policy map NAME esr config policy map NAME name of the policy being created set by the string of up to 31 characters 9 Specify QoS policy description optionally esr config policy map description description description up to 255 characters 10 Set the committed outgoing bandwidth for the policy in total esr config ...

Page 215: ... required esr config class policy map shape peak BANDWIDTH BURST 16 Specify class operation mode optionally esr config class policy map mode MODE MODE class mode fifo FIFO mode First In First Out gred GRED mode Generalized RED red RED mode Random Early Detection sfq SFQ mode SFQ queue allocates flow based packets transmission Default value FIFO 17 Specify the class priority in WRR process if requi...

Page 216: ...mited number of packets in a virtual queue takes values in the range of 2 4096 Default value 127 21 Specify RED Random Early Detection parameters if required esr config class policy map random detect LIMIT MAX MIN PROBABILITY LIMIT limited size of a queue in bytes takes values of in the range of 1 1000000 MAX maximum size of a queue in bytes takes value in the range of 1 1000000 MIN minimum size o...

Page 217: ...es the following rules should be fulfilled MAX 2 MIN LIMIT 3 MAX 23 Enable tcp headers compression protocol for the certain class traffic if required esr config class policy map compression header ip tcp 24 Enable QoS on the interface tunnel network bridge esr config if gi qos enable 25 Define the QoS policy on a configured interface tunnel network bridge to classify input and prioritize output tr...


Page 219: ...ig acl rule match destination address any esr config acl rule enable esr config acl rule exit esr config acl exit Create classes fl1 and fl2 specify the respective access control lists configure labelling esr config class map fl1 esr config class map set dscp 38 esr config class map match access group fl1 esr config class map exit esr config class map fl2 esr config class map set dscp 42 esr confi...

Page 220: ... 1 0 19 interface ingress for classification purposes and gi1 0 20 egress for applying restrictions and SFQ mode for default class esr config interface gigabitethernet 1 0 19 esr config if gi qos enable esr config if gi service policy input fl esr config if gi exit esr config interface gigabitethernet 1 0 20 esr config if gi qos enable esr config if gi service policy output fl esr config if gi exi...

Page 221: ...ion Configuration algorithm Configuration example BFD configuration Configuration algorithm Configuration example of BFD with BGP PBR routing policy configuration Configuration algorithm of Route map for BGP Configuration example 1 Route map for BGP Configuration example 2 Route map for BGP Route map based on access control lists Policy based routing configuration algorithm Route map based on acce...

Page 222: ...parate advertising commands the router does not send routing information Prefix list the last implicit rule allows anything that is not explicitly denied by the previous rules Prefix list the last implicit rule allows anything that is not explicitly denied by the previous rules 11 1 2 OSPF protocol in out Default policy Advertising methods Filtering methods Filtering policy application levels Impo...

Page 223: ... E2 E1 11 1 3 IS IS protocol in out Default policy Advertising methods Filtering methods Filtering policy application levels Import Route information reception is not limited Network Redistribute Route map the last implicit rule denies anything that is not explicitly allowed by the previous rules Prefix list the last implicit rule denies anything that is not explicitly allowed by the previous rule...

Page 224: ...evious rules Prefix list the last implicit rule denies anything that is not explicitly allowed by the previous rules 11 1 5 eBGP protocol in out Default policy Advertising methods Filtering methods Filtering policy application levels Import Route information reception is not limited Network Redistribute Route map the last implicit rule denies anything that is not explicitly allowed by the previous...
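The policy tables on pages 222 to 224 make one point that matters for route filtering: the implicit last rule of a prefix list differs by protocol, allowing anything not explicitly denied for RIP but denying anything not explicitly allowed for IS-IS and the BGP tables, so the same filter behaves differently depending on where it is applied. The evaluator below is an added example, not Eltex code, written to show that difference on constructed rules; the prefix keys mirror the manual's `eq`, `le` and `ge` (pages 229 and 236), while the exact matching semantics (no key means exact prefix length, `ge` alone extends to the maximum length) follow the common router convention and are an assumption here.

```python
"""Prefix-list evaluation with a protocol-dependent implicit last rule.

Added example, not Eltex code. Matching semantics for eq/ge/le are the
common router convention and are assumed; the implicit rules come from
the manual's policy tables (RIP permits by default, IS-IS and BGP deny).
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass
class PrefixRule:
    action: str                 # "permit" or "deny"
    prefix: str                 # "10.0.0.0/8", "2001:db8::/32", "0.0.0.0/0"
    eq: Optional[int] = None    # exact prefix length
    ge: Optional[int] = None    # minimum prefix length
    le: Optional[int] = None    # maximum prefix length


def rule_matches(rule: PrefixRule, net: Network) -> bool:
    """True when the candidate network falls under the rule prefix and its length qualifies."""
    base = ipaddress.ip_network(rule.prefix, strict=False)
    if base.version != net.version or not net.subnet_of(base):
        return False
    plen = net.prefixlen
    if rule.eq is not None:
        return plen == rule.eq
    lo = rule.ge if rule.ge is not None else base.prefixlen
    if rule.le is not None:
        hi = rule.le
    elif rule.ge is not None:
        hi = net.max_prefixlen      # "ge" alone: anything at least that long
    else:
        hi = base.prefixlen         # no ge/le: only the exact prefix
    return lo <= plen <= hi


# Implicit final rule per protocol, as stated in the manual's policy tables
# (the BGP entry follows the deny-by-default pattern of the page 224 tables).
IMPLICIT_RULE = {"rip": "permit", "isis": "deny", "bgp": "deny"}


def evaluate(rules: List[PrefixRule], prefix: str, protocol: str) -> str:
    """Return "permit" or "deny" for a prefix: first matching rule wins, else the implicit rule."""
    net = ipaddress.ip_network(prefix, strict=False)
    for rule in rules:
        if rule_matches(rule, net):
            return rule.action
    return IMPLICIT_RULE[protocol]


# Constructed filter: drop the default route, drop 10/8 and everything under it,
# accept only /24 networks from 192.168/16.
SAMPLE_RULES = [
    PrefixRule("deny", "0.0.0.0/0", eq=0),
    PrefixRule("deny", "10.0.0.0/8", le=32),
    PrefixRule("permit", "192.168.0.0/16", ge=24, le=24),
]

if __name__ == "__main__":
    for p in ["0.0.0.0/0", "10.1.0.0/16", "192.168.5.0/24", "192.168.0.0/16", "172.16.0.0/12"]:
        print(p, "rip:", evaluate(SAMPLE_RULES, p, "rip"), "bgp:", evaluate(SAMPLE_RULES, p, "bgp"))
```

The unmatched cases (192.168.0.0/16, 172.16.0.0/12) are the ones to watch: under RIP they are advertised, under IS-IS or BGP they are dropped, with no change to the rule text.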

Page 225: ... to a sender unreachable when specifying the command the packets to this subnet will be removed by the device a sender will receive in response ICMP Destination unreachable Host unreachable code 1 prohibit when specifying the command the packets to this subnet will be removed by the device a sender will receive in response ICMP Destination unreachable Communication administratively prohibited code...

Page 226: ...administratively prohibited code 13 METRIC route metric takes values of 0 255 bfd when specifying the given key the removal of static route in case of next hop unavailability is activated 11 2 2 Static routes configuration example Objective Configure Internet access for users in LAN 192 168 1 0 24 and 10 0 0 0 8 using the static routing On R1 device create gateway for Internet access Traffic withi...

Page 227: ... using R2 device as a gateway 192 168 100 2 esr config ip route 10 0 0 0 8 192 168 100 2 Create a route for interaction with the Internet using the provider gateway as a nexthop 128 107 1 1 esr config ip route 0 0 0 0 0 128 107 1 1 Specify the device name for R2 router esr hostname R2 Specify 10 0 0 1 8 address and the LAN zone for the gi1 0 1 interface R2 interface will be connected to 10 0 0 0 8...

Page 228: ...es at 3rd level of TCP IP stack via UDP port 520 11 3 1 Configuration algorithm Step Description Command Keys 1 Configure RIP precedence for the main routing table optionally esr config ip protocols rip preference VALUE VALUE protocol precedence takes values in the range of 1 255 Default value RIP 100 2 Configure RIP routing tables capacity optionally esr config ip protocols rip max routes VALUE V...

Page 229: ...r match the specified one default route default route filtration esr config pl deny object group OBJ GROUP NETWORK NAME ADDR LEN IPV6 ADDR LEN eq LEN le LEN ge LEN le LEN 5 Switch to the RIP process configuration mode esr config router rip esr config rip 6 Enable RIP esr config rip enable 7 Specify RIP authentication algorithm optionally esr config rip authentication algorithm cleartext md5 cleart...

Page 230: ...hout updating optionally esr config rip timers invalid TIME TIME time in seconds takes values of 1 65535 Default value 180 seconds 13 Set time interval after which the route removing is carried out optionally esr config rip timers flush TIME TIME time in seconds takes values of 1 65535 When setting the value consider the following rule timersinvalid 60 Default value 240 seconds 14 Enable subnets a...

Page 231: ...rs esr config rip redistribute ospf ID ROUTE TYPE route map NAME ID process number takes values of 1 65535 ROUTE TYPE route type intra area OSPF process routes advertising within a zone inter area OSPF process routes advertising between zones external1 OSPF format 1 external routes advertising external2 OSPF format 2 external routes advertising NAME name of the route map that will be used for adve...

Page 232: ...e via RIP optionally esr config if gi ip rip mode MODE MODE routes advertising mode multicast routes are advertised in multicast mode broadcast routes are advertised in broadcast mode unicast routes are advertised to the neighbours in unicast mode Default value multicast 20 Specify a neighbour s IP address for establishment of a relation in routes advertising unicast mode optionally esr config if ...

Page 233: ...witch to the RIP configuration mode esr config router rip Specify the networks to be advertised by protocol 115 0 0 0 24 14 0 0 0 24 and 10 0 0 0 24 esr config rip network 115 0 0 0 24 esr config rip network 14 0 0 0 24 esr config rip network 10 0 0 0 24 To advertise static routes by the protocol execute the following command esr config rip redistribute static Configure timer responsible for routing...

Page 234: ...In addition to RIP protocol configuration open UDP port 520 in the firewall ...

Page 235: ... routes in the routing table takes values in the range of for ESR 1000 1200 1500 1511 1700 3100 1 500000 for ESR 20 21 100 200 1 300000 for ESR 10 12V F 14VF 1 30000 Default value for the global mode for ESR 1000 1200 1500 1511 1700 3100 500000 for ESR 20 21 100 200 300000 for ESR 10 12V F 14VF 30000 Default value for VRF 0 esr config ipv6 protocols ospf max routes VALUE 3 Enable the output of OSP...

Page 236: ... than or match the specified one esr config pl deny object group OBJ GROUP NETWORK NAME ADDR LEN IPV6 ADDR LEN eq LEN le LEN ge LEN le LEN 6 Add OSPF process to the system and switch to the OSPF process parameters configuration mode esr config router ospf ID vrf VRF ID stand alone system number takes values of 1 65535 VRF VRF instance name set by the string of up to 31 characters within which the ...

Page 237: ...ation set by the string of up to 31 characters esr config ipv6 ospf redistribute static route map NAME esr config ospf redistribute connected route map NAME NAME name of the route map that will be used for filtration and modification of advertised directly connected subnets set by the string of up to 31 characters esr config ipv6 ospf redistribute connected route map NAME esr config ospf redistrib...

Page 238: ... defined as X X X X X EE where each X part takes values in hexadecimal format 0 FFFF and EE takes values of 1 128 16 Specify the area type esr config ospf area area type TYPE no summary TYPE area type stub sets stub value stub area no summary command in conjunction with the stub parameter forms the totally stubby area only the default route is used to transfer information outside the area nssa sets...

Page 239: ...ise not advertise IPV6 ADDR LEN IPv6 address and mask of a subnet defined as X X X X X EE where each X part takes values in hexadecimal format 0 FFFF and EE takes values of 1 128 advertise when specifying the command instead of the subnets included in a subnet specified a total subnet will be advertised not advertise the subnets included in a subnet specified will not be advertised 19 Enable OSPF ...

Page 240: ... the hello interval value esr config ospf vlink dead interval TIME TIME time in seconds takes values of 1 65535 Default value 40 seconds esr config ipv6 ospf vlink dead interval TIME 24 Set the time interval in seconds after which the router selects DR in the network esr config ospf vlink wait interval TIME TIME time in seconds takes values of 1 65535 Default value 40 seconds esr config ipv6 ospf ...

Page 241: ... config bridge BR NUM BR NUM bridge number 30 Define the interface tunnel network bridge membership in a specific OSPF process esr config if gi ip ospf instance ID ID process number takes values of 1 65535 esr config if gi ipv6 ospf instance ID 31 Define the interface membership in a specific OSPF process area esr config if gi ip ospf area AREA_ID AREA_ID area identifier defined as AAA BBB CCC DDD w...

Page 242: ... router selects DR in the network esr config if gi ip ospf wait interval TIME TIME time in seconds takes values of 1 65535 Default value 40 seconds esr config if gi ipv6 ospf wait interval TIME 38 Set the time interval in seconds after which the router re sends a packet that has not received a delivery confirmation for example a DatabaseDescription packet or LinkStateRequest packets esr config if ...

Page 243: ...er than zero esr config if gi ip ospf neighbor IP eligible IPV6 ADDR neighbor's IPv6 address defined as X X X X X where each part takes values in hexadecimal format 0 FFFF eligible optional parameter allows the device to take part in DR selection process in NBMA networks The interface priority should be greater than zero 43 Define the network type for OSPF neighborhood establishment esr config if ...

Page 244: ...ospf bfd enable esr config if gi ipv6 ospf bfd enable 11 4 2 OSPF configuration example Objective Configure OSPF protocol on the router in order to exchange the routing information with neighbouring routers The router should be in 1 1 1 1 identifier area and announce routes received via RIP Solution Pre configure IP addresses on interfaces according to the network structure shown in figure Create ...

Page 245: ...g if gi ip ospf instance 10 esr config if gi ip ospf area 1 1 1 1 esr config if gi ip ospf esr config if gi exit esr config interface gigabitethernet 1 0 15 esr config if gi ip ospf instance 10 esr config if gi ip ospf area 1 1 1 1 esr config if gi ip ospf esr config if gi exit esr config exit 11 4 3 OSPF stub area configuration example Objective Change 1 1 1 1 area type area should be stub Stub r...

Page 246: ... is configured between two Area Border Routers ABR Pre configure OSPF protocol and IP addresses on interfaces according to the network structure shown in figure For R1 router proceed to 1 1 1 1 area configuration mode esr config ospf area 1 1 1 1 Create and enable virtual link with the identifier 0 0 0 3 esr config ospf area virtual link 0 0 0 3 esr config ospf vlink enable For R3 router proceed t...

Page 247: ... 0 12 ospf1 14 39 54 0 0 0 1 Since OSPF considers virtual link as the part of the area R1 routes received from R3 are marked as an intrazone and vice versa To view the neighbors use the following command esr show ip ospf neighbors 10 To view OSPF routing table use the following command esr show ip ospf 10 11 5 BGP configuration BGP protocol is designed to exchange subnet reachability information a...

Page 248: ...able for ESR 1000 1200 1500 1511 1700 3100 5000000 for ESR 20 21 100 200 2500000 for ESR 10 12V 12VF 14VF 1000000 Default value for VRF 0 esr config ipv6 protocols bgp max routes VALUE esr config vrf ip protocols bgp max routes VALUE esr config vrf ipv6 protocols bgp max routes VALUE 3 Enable the output of BGP neighbor state information optional esr config router bgp log neighbor changes esr confi...

Page 249: ...ring method create a list of rules that will be used to filter the advertised and received IP routes in the future esr config route map NAME NAME configured routing rule name set by the string of up to 31 characters 3 1 2 Create rule config route map rule ORDER ORDER rule number takes values of 1 10000 ...

Page 250: ...ng of up to 31 characters LEN LEN 1 LEN 2 prefix length may take values 1 32 in prefix IP lists for IPv4 and 1 128 for IPv6 eq when specifying the command the prefix length must match the specified one le when specifying the command the prefix length must be less than or match the specified one ge when specifying the command the prefix length must be more than or match the specified one ge LEN 1 l...

Page 251: ...x list based filtering method create a list of IP networks that will be used to filter the advertised and received IP routes in the future esr config ip prefix list NAME NAME name of a subnet list being configured set by the string of up to 31 characters esr config ipv6 prefix list NAME ...

Page 252: ...cifying the command the prefix length must match the specified one le when specifying the command the prefix length must be less than or match the specified one ge when specifying the command the prefix length must be more than or match the specified one ge LEN 1 le LEN 2 When specifying a command the prefix length must be greater than or equal to LEN but less than or equal to LEN1 When using obje...

Page 253: ...ed Optional esr config bgp af timers keepalive TIME TIME time in seconds takes values of 1 65535 Default value 60 seconds 9 Set time interval after which the opposing party is considered to be unavailable Optional esr config bgp af timers holdtime TIME TIME time in seconds takes values of 1 65535 Default value 180 seconds 10 Set the time of minimum and maximum delay during which it is prohibited t...

Page 254: ... config bgp address family ipv4 ipv6 unicast ipv 4 IPv4 family ipv 6 IPv6 family 15 Enable route advertising by BGP process obtained alternatively if necessary esr config bgp af redistribute static route map NAME NAME name of the route map that will be used for advertised static routes filtration and modification set by the string of up to 31 characters esr config bgp af redistribute connected rou...

Page 255: ...vertising between zones external1 OSPF format 1 external routes advertising external2 OSPF format 2 external routes advertising NAME name of the route map that will be used for advertised OSPF routes filtration and modification set by the string of up to 31 characters esr config bgp af redistribute bgp AS route map NAME AS autonomous system number takes values of 1 4294967295 NAME name of the rou...

Page 256: ...nfig bgp neighbor ADDR IPV6 ADDR ADDR neighbor's IP address defined as AAA BBB CCC DDD where each part takes values of 0 255 IPV6 ADDR client IPv6 address defined as X X X X X where each part takes values in hexadecimal format 0 FFFF 19 Specify neighbor description optionally esr config bgp neighbor description DESCRIPTION DESCRIPTION neighbor description set by the string of up to 255 characters ...

Page 257: ...6 router address that will be used as source IP IPv6 address in transmitted BGP route information updates optionally esr config bgp neighbor update source ADDR IPV6 ADDR ADDR source IP address defined as AAA BBB CCC DDD where each part takes values of 0 255 IPV6 ADDR source IPv6 address defined as X X X X X where each part takes values in hexadecimal format 0 FFFF 27 Enable the mode in which the r...

Page 258: ...bnet filtering in incoming or outgoing updates Mandatory when configuring eBGP for subnet advertisement esr config bgp neighbor af prefix list PREFIX LIST NAME in out PREFIX LIST NAME name of a subnet list being configured set by the string of up to 31 characters in incoming routes filtering out outgoing routes filtering 34 Set the mode in which the default route is always sent to the BGP neighbor...

Page 259: ...often happens especially when configuring iBGP that in one bgp process you need to configure several bgp neighbor with the same parameters To avoid configuration redundancy it is recommended to use bgp peer group in which you can describe common parameters and it is easy to identify the bgp peer group membership in the bgp neighbor configuration 11 5 2 Configuration example Objective Configure BGP...

Page 260: ...sr R3 config interface gigabitethernet 1 0 2 esr R3 config if gi ip address 219 0 0 1 30 esr R3 config if gi exit esr R3 config interface gigabitethernet 1 0 3 esr R3 config if gi ip address 80 66 0 1 24 esr R3 config if gi exit esr R3 config interface gigabitethernet 1 0 4 esr R3 config if gi ip address 80 66 16 1 24 esr R3 config if gi exit ...

Page 261: ...nfig if gi exit esr R3 config interface gigabitethernet 1 0 2 esr R3 config if gi security zone wan esr R3 config if gi exit Create a route map which will be used later when configuring enabling advertising to routers from another AS esr R3 config route map bgp general esr R3 config route map rule 1 esr R3 config route map rule match ip address 80 66 0 0 24 esr R3 config route map rule match ip ad...

Page 262: ...te map bgp general out esr R3 config bgp neighbor af enable esr R3 config bgp neighbor af exit esr R3 config bgp neighbor exit Enable protocol operation esr R3 config bgp enable esr R3 config bgp exit To view BGP peers information use the following command esr show ip bgp 2500 neighbors To view BGP routing table use the following command esr show ip bgp 11 6 BFD configuration BFD Bidirectional For...

Page 263: ... and 300 65535 for ESR 10 12V F 14VF 20 21 100 200 By default 1 second 4 Enable the logging of BFD protocol state changes optionally esr config ip bfd log adjacency changes 5 Set the minimum interval after which the neighbor should generate BFD message Globally optionally esr config ip bfd min rx interval TIMEOUT TIMEOUT interval after which the BFD message should be sent by the neighbor takes val...

Page 264: ...able Globally esr config ip bfd multiplier COUNT COUNT amount of dropped packets at which the neighbor is considered to be unavailable takes values in the range of 1 100 Default 5 8 Put BFD mechanism with the specified IP address into operation esr config ip bfd neighbor ADDR interface IF tunnel TUN local address ADDR multihop vrf VRF ADDR gateway IP address defined as AAA BBB CCC DDD where each p...

Page 265: ...UT TIMEOUT interval after which the BFD message should be sent by the neighbor takes values in milliseconds in the range of 200 65535 for ESR 1000 1200 1500 1511 1700 3100 and 300 65535 for ESR 10 12V F 20 21 100 200 By default 300 ms on ESR 10 12V F 14VF 20 21 100 200 200 ms on ESR 1000 1200 1500 1511 1700 3100 12 Set the minimum interval after which the BFD message is sent to the neighbor On the...

Page 266: ...y esr config if gi ip bfd passive 11 6 2 Configuration example of BFD with BGP Objective Configure eBGP between ESR R1 and R2 and enable BFD Solution R1 configuration Preconfigure Gi1 0 1 interface esr config interface gigabitethernet 1 0 1 esr config if gi ip firewall disable esr config if gi ip address 10 0 0 1 24 Configure eBGP with BFD esr config router bgp 100 esr config bgp address family ip...

Page 267: ... filters processing routing information when it is received from or sent to the neighbouring device Processing may include filtering based on various route criteria and setting attributes MED AS PATH community LocalPreference etc for the respective routes Also Route map may assign routes based on access control lists ACL S t e p Description Command Keys 1 Create a route map for IP routes filtering...

Page 268: ...h the rule should work optionally esr config route map rule match extcommunity EXTCOMMUNITY LIST EXTCOMMUNITY LIST extcommunity list defined as KIND AS N KIND AS N where KIND extcommunity type rt Route Target ro Route Origin N extcommunity number takes values of 1 65535 7 Set IP addresses profile including destination subnet values in the route optionally esr config route map rule match ip address...

Page 269: ...which the rule should work optionally esr config route map rule match metric bgp METRIC METRIC BGP MED attribute value takes values in the range of 0 4294967295 1 2 Set OSPF Metric attribute value in the route for which the rule should work esr config route map rule match metric ospf TYPE METRIC TYPE OSPF Metric attribute type takes values type 1 and type 2 METRIC OSPF Metric attribute value takes...

Page 270: ...th the given community should not be advertised to other BGP neighbors no export routes transmitted with the given community should not be advertised to eBGP neighbors but can be advertised to external neighbors in the confederation 1 8 Set BGP ExtCommunity attribute value that will be specified in the route optionally esr config route map rule action set extcommunity EXTCOMMUNITY LIST EXTCOMMUNIT...

Page 271: ...on administratively prohibited code 13 esr config route map rule action set ipv6 next hop IPV6 NEXTHOP IPV6 ADDR gateway IPv6 address defined as X X X X X where each part takes values in hexadecimal format 0 FFFF 2 1 Specify BGP Local Preference attribute value that will be set in the route optionally esr config route map rule action set local preference PREFERENCE PREFERENCE BGP Local Preference ...

Page 272: ...outes out filtration and modification of advertised routes esr config ipv6 bgp neighbor route map NAME DIRECTION 11 7 2 Configuration example 1 Route map for BGP Objective Assign community for routing information coming from AS 20 First do the following Configure BGP with AS 2500 on ESR router Establish neighbouring with AS20 Solution Create a policy esr configure esr config route map from as20 Cr...

Page 273: ...e map from as20 in 11 7 3 Configuration example 2 Route map for BGP Objective For the whole transmitted routing information from community 2500 25 assign MED equal to 240 and define EGP routing information source First Configure BGP with AS 2500 on ESR Solution Create a policy esr config route map to as20 Create rule esr config route map rule 1 If community contains 2500 25 assign MED 240 and Orig...

Page 274: ...ER ORDER rule number takes values of 1 10000 3 Specify the action that should be applied for routing information esr config route map rule action ACT ACT allocated action permit routing information reception or advertising is permitted deny denied 4 Set ACL for which the rule should work optionally esr config route map rule match ip access group NAME NAME access control list name set by the string...

Page 275: ...o the operational one Solution Create ACL esr configure esr config ip access list extended sub20 esr config acl rule 1 esr config acl rule match source address 10 0 20 0 255 255 255 0 esr config acl rule match destination address any esr config acl rule match protocol any esr config acl rule action permit esr config acl rule enable esr config acl rule exit esr config acl exit esr config ip access ...

Page 276: ...lter esr config route map rule match ip access group sub30 Specify nexthop for sub30 and exit esr config route map rule action set ip next hop verify availability 80 16 0 23 10 esr config route map rule action set ip next hop verify availability 184 45 0 150 30 esr config route map rule exit esr config route map exit Rule 2 should provide traffic routing from the network 10 0 30 0 24 to address 80...

Page 277: ...on set by the string of up to 255 characters 3 Set the capacity of routing tables in configured VRF for IPv4 IPv6 optionally esr config vrf ip protocols PROTOCOL max routes VALUE PROTOCOL protocol type takes the following values ospf bgp VALUE amount of routes in the routing table takes values in the range of OSPF ESR 1000 1200 1500 1511 1700 3100 1 500000 ESR 20 21 100 200 1 300000 ESR 10 12V F 1...

Page 278: ...be used optionally esr config snat ruleset ip vrf forwarding VRF VRF VRF instance name set by the string of up to 31 characters 6 Configure LT tunnel to transmit traffic to global mode or to other VRFs if required See section LT tunnel configuration 11 8 2 Configuration example Objective ESR series router features 2 connected networks that should be isolated from other networks Solution Create VRF...

Page 279: ... esr config zone rule match destination port any esr config zone rule action permit esr config zone rule enable esr config zone rule exit esr config zone pair rule 2 esr config zone rule match source address any esr config zone rule match destination address any esr config zone rule match protocol tcp esr config zone rule match source port any esr config zone rule match destination port any esr co...

Page 280: ...g table use the following command esr show ip route vrf bit 11 9 MultiWAN configuration MultiWAN technology establishes a fail safe connection with redundancy of links from multiple providers and solves the problem involving traffic balancing between redundant links 11 9 1 Configuration algorithm Ste p Description Command Keys 1 Configure interfaces through which MultiWAN will operate set IP addre...

Page 281: ...ver 7 Enable wan rule esr config wan rule enable 8 Create a list of IP addresses to check the connection integrity and perform the switching to the list parameters configuration mode esr config wan load balance target list NAME NAME list name set by the string of up to 31 characters 9 Specify the check target and switch to the target parameters configuration mode esr config target list target ID I...

Page 282: ...in the range of 1 10 Default value 1 esr config if gi ipv6 wan load balance failure count VALUE 16 Set the amount of successful attempts to check the connection after which if successful the connection is considered to be active again optional esr config if gi wan load balance success count VALUE VALUE number of attempts takes values in the range of 1 10 Default value 1 esr config if gi ipv6 wan l...

Page 283: ...asis of a certain target list specified in item 7 check all run check on the basis of all targets in the list esr config if gi ipv6 wan load balance target list check all NAME 19 Write static routes through WAN esr config ip route SUBNET wan load balance rule ID METRIC ID identifier of the rule being created see item 2 METRIC route metric takes values of 0 255 esr config ipv6 route SUBNET wan load...

Page 284: ...e integrity check target esr config target list target 1 Specify address to be checked enable check for the specified address and exit esr config wan target ip address 8 8 8 8 esr config wan target enable esr config wan target exit Configure interfaces In te1 0 1 interface configuration mode specify nexthop esr config interface tengigabitethernet 1 0 1 esr config if wan load balance nexthop 203 0 ...

Page 285: ...fig wan rule failover 11 10 IS IS configuration IS IS ISO standardized dynamic routing protocol based on link state It provides fast convergence and excellent scalability makes economical use of network bandwidth and uses the Dijkstra Algorithm to calculate the best routes A distinctive feature of the IS IS protocol is to work on top of the data link layer of the OSI model so it is not bound to a...

Page 286: ...on algorithm for the L1 layer optional esr config isis authentication area algorithm ALGORITHM ALGORITHM authentication algorithm cleartext unencrypted password md5 password is hashed by md5 algorithm 8 Set the authentication password for the L1 layer optional esr config isis authentication area key ascii text CLEAR TEXT encrypted ENCRYPTED TEXT CLEAR TEXT password set by the string of 8 character...

Page 287: ...es optional esr config isis address family ipv4 ipv6 ipv4 IPv4 family ipv6 IPv6 family 1 5 Set the update interval for own LSP optional esr config isis lsp refresh interval min max TIME LEVEL min minimum update generation interval max maximum update generation interval TIME time in seconds takes values of 1 65535 LEVEL IS IS protocol operation level level 1 operate only on level 1 level 2 only ope...

Page 288: ... ipv6 bgp AS route map NAME is type LEVEL esr config isis redistribute ospf ID ROUTE TYPE route map NAME is type LEVEL ID process number takes values of 1 65535 ROUTE TYPE route type intra area OSPF process routes advertising within a zone inter area OSPF process routes advertising between zones external1 OSPF format 1 external routes advertising external2 OSPF format 2 external routes advertising...

Page 289: ...ute map that will be used for advertised RIP routes filtration and modification set by the string of up to 31 characters LEVEL IS IS protocol operation level level 1 operate only on level 1 level 2 only operate only on level 2 esr config isis redistribute static route map NAME is type LEVEL NAME name of the route map that will be used for advertised static routes filtration and modification set by...

Page 290: ...35 2 2 Enable the IS IS protocol on the interface esr config if gi isis enable 2 3 Enable the use of TLV 8 in hello packets optional esr config if gi isis hello padding 2 4 Set the priority when selecting DIS optional esr config if gi isis priority VALUE LEVEL VALUE number may take values 0 127 LEVEL IS IS protocol operation level level 1 operate only on level 1 level 2 only operate only on level ...

Page 291: ...rval TIME LEVEL TIME time in seconds takes values of 1 65535 LEVEL IS IS protocol operation level level 1 operate only on level 1 level 2 only operate only on level 2 3 1 Set the interval for generating and sending PSNP optional esr config if gi isis psnp interval TIME LEVEL TIME time in seconds takes values of 1 65535 LEVEL IS IS protocol operation level level 1 operate only on level 1 level 2 on...

Page 292: ...assword set by the string of 8 characters ENCRYPTED TEXT encrypted password of 8 bytes 16 characters in hexadecimal format 0xYYYY or YYYY LEVEL IS IS protocol operation level level 1 operate only on level 1 level 2 only operate only on level 2 3 6 Set the key list for hello packet authentication optionally esr config if gi isis authentication key chain KEYCHAIN LEVEL KEYCHAIN key list identifier s...

Page 293: ...Enable the IS IS process on the router ESR1 config isis enable Proceed to the interface configuration It is necessary to set the number of the IS IS process which will run on the interface and to enable the protocol itself to run on it ESR1 config if gi isis instance 1 ESR1 config if gi isis enable Proceed to the ESR2 router configuration ESR2 config router isis 2 Set the zone number the same as o...

Page 294: ... level 2 ESR3 config isis enable ESR3 config if gi isis instance 3 ESR3 config if gi isis enable The neighborhood establishment can be viewed with the show isis neighbors command Execute it on ESR2 ESR2 show isis neighbors IS IS 2 IS IS Level 1 Neighbors System ID Hostname Interface State Holdtime SNPA 1111 1111 1111 ESR1 gi1 0 2 Up 25 a8f9 4baa 1d42 IS IS Level 2 Neighbors System ID Hostname Inte...

Page 295: ...PWS configuration example L2VPN VPLS configuration algorithm L2VPN VPLS configuration example L2VPN Kompella mode configuration L2VPN VPLS configuration algorithm L2VPN VPLS configuration example L3VPN configuration Configuration algorithm Configuration example MPLS traffic balancing Configuration example Operation with the bridge domain within MPLS Assignment of MTU when operating with MPLS 12 1 ...

Page 296: ...necessary if router id is specified esr config ldp af ipv4 transport address ADDR ADDR defined as AAA BBB CCC DDD where each part takes values of 0 255 3 In the context of the address family ipv4 settings specify interfaces for enabling LDP process esr config ldp af ipv4 interface IF TUN IF an interface's name specified in the form described in Section Types and naming order of router interfaces T...

Page 297: ...ameters configuration see section Configuring session parameters in LDP t LDP session parameters configuration see section Configuring session parameters in targeted LDP 12 1 2 Configuration example Objective Configure LDP communication between peers Solution 1 ESR pre configuration First IP addresses must be assigned to the interfaces the firewall must be disabled and one of the internal routing ...

Page 298: ...0 1 30 ip ospf instance 1 ip ospf exit interface loopback 1 ip address 1 1 1 1 32 ip ospf instance 1 ip ospf exit ESR1 pre configuration hostname ESR1 router ospf 1 area 0 0 0 0 enable exit enable exit interface gigabitethernet 1 0 1 ip firewall disable ip address 10 10 10 2 30 ip ospf instance 1 ip ospf exit interface loopback 1 ip address 4 4 4 4 32 ip ospf instance 1 ip ospf exit ...

Page 299: ...SR1 config mpls ldp ESR1 config ldp router id 4 4 4 4 ESR1 config ldp enable ESR1 config ldp address family ipv4 ESR1 config ldp af ipv4 interface gigabitethernet 1 0 1 ESR1 config ldp af ipv4 if end ESR1 Check Enter the following commands at one of the peers The output will show the parameters of the neighboring peer obtained from the multicast hello messages ESR show mpls ldp discovery detailed ...

Page 300: ...interval 5 seconds Hold timer 15 seconds Keepalive holdtime 180 seconds Hold timer is a matching parameter the smallest is chosen This example shows that the ESR after matching the Hold timer is 10 seconds ESR sh mpls ldp discovery detailed Local LDP ID 4 4 4 4 Discovery sources Interfaces gigabitethernet 1 0 4 Hello interval 5 seconds Transport IP address 4 4 4 4 LDP ID 1 1 1 1 Source IP address ...

Page 301: ...obally configured values ESR show mpls ldp discovery detailed Local LDP ID 4 4 4 4 Discovery sources Interfaces gigabitethernet 1 0 4 Hello interval 5 seconds Transport IP address 4 4 4 4 LDP ID 1 1 1 1 Source IP address 10 10 10 1 Transport IP address 1 1 1 1 Hold time 15 seconds Proposed hold time 60 15 local peer seconds The parameters configured in address family can be configured for each ind...

Page 302: ...55 Keepalive interval 18 LDP discovery sources 12 2 1 Algorithm for setting Hello holdtime and Hello interval in the global LDP configuration Step Description Command Keys 1 Configure the LDP see section LDP configuration 2 In the LDP configuration mode set Hello holdtime esr config ldp discovery hello holdtime TIME TIME Time in seconds in the range of 3 65535 Default value 15 3 In the LDP configu...

Page 303: ...t the Keepalive parameter esr config ldp keepalive TIME TIME time in the range of 3 65535 seconds Default value 180 12 2 4 Algorithm for setting Keepalive holdtime parameter for the specific neighbor Step Description Command Keys 1 Configure the LDP see section LDP configuration 2 In the neighbor configuration mode set the Keepalive holdtime parameter esr config ldp neig keepalive TIME TIME time i...

Page 304: ...er manual 304 Solution ESR ESR config mpls ESR config mpls ldp ESR config ldp discovery hello holdtime 40 ESR config ldp discovery hello interval 10 ESR config ldp neighbor 1 1 1 1 ESR config ldp neig keepalive 150 ...

Page 305: ...seconds Proposed hold time 40 15 local peer seconds To view parameter of the established TCP session ESR ESR sh mpls ldp neighbor 1 1 1 1 Peer LDP ID 1 1 1 1 Local LDP ID 4 4 4 4 State Operational TCP connection 1 1 1 1 646 4 4 4 4 45414 Messages sent received 15 15 Uptime 00 06 31 Peer holdtime 150 Keepalive interval 50 LDP discovery sources 12 3 Configuring session parameters in targeted LDP By ...

Page 306: ...Parameter targeted LDP Hold timer 45 seconds Keepalive holdtime 180 seconds ...

Page 307: ...nterval will be equal to Hold timer 3 ESR routers have the possibility to flexibly configure Hello holdtime Hello interval and Keepalive holdtime parameters the parameters can be set for the entire LDP process as well as for the corresponding neighbor Example output for the LDP process ESR sh running config mpls mpls ldp router id 1 1 1 1 keepalive 160 discovery targeted hello holdtime 30 discover...

Page 308: ... 4 4 Hold time 45 seconds Proposed hold time 45 45 local peer seconds ESR show mpls ldp neighbor 4 4 4 4 Peer LDP ID 4 4 4 4 Local LDP ID 1 1 1 1 State Operational TCP connection 4 4 4 4 51861 1 1 1 1 646 Messages sent received 10 10 Uptime 00 00 09 Peer holdtime 140 Keepalive interval 46 LDP discovery sources 1 1 1 1 4 4 4 4 12 3 1 Algorithm for setting Hello holdtime Hello interval and Keepalive...

Page 309: ...ig ldp neig discovery targeted hello interval TIME TIME time in the range of 1 65535 seconds Default value 5 4 In the LDP neighbor configuration mode set Keepalive holdtime esr config ldp neig keepalive TIME TIME time in the range of 3 65535 seconds Default value 180 12 3 3 Configuration example Objective Override hello holdtime 120 seconds and hello interval 30 seconds parameters for the entire t...

Page 310: ...tion 4 4 4 4 34879 1 1 1 1 646 Messages sent received 11 11 Uptime 00 01 05 Peer holdtime 150 Keepalive interval 50 LDP discovery sources 1 1 1 1 4 4 4 4 Hello interval 10 seconds Holdtime 40 seconds 12 4 LDP tag filtering configuration By default routers allocate a separate label to each FEC There are scenarios when it is necessary to allocate MPLS tags only for certain FECs 12 4 1 Configuration ...

Page 311: ...racters 12 4 2 Configuration example Objective Assign MPLS tags only to FEC 10 10 0 2 32 and 10 10 0 1 32 Solution On ESR_A and ESR_B create an object group ADV_LABELS type network and add to it the prefixes 10 10 0 1 32 and 10 10 0 2 32 respectively ESR_A esr config object group network ADV_LABELS esr config object group network ip prefix 10 10 0 1 32 esr config object group network ip prefix 10 ...

Page 312: ...sr sh mpls ldp bindings 192 168 2 0 24 esr 12 5 L2VPN Martini mode configuration L2VPN allows you to organize ethernet frames transmission through the MPLS domain Allocation and distribution of tunnel labels in this mode is carried out by means of the LDP In the implementation of L2VPN can be divided into two cases P2P point to point tunnel VPLS point to multipoint tunnel In both cases a virtual c...

Page 313: ...us tlv disable Default value status tlv enable 6 Create p2p class in the system and switch to the p2p class configuration mode esr config l2vpn p2p NAME NAME name of the p2p service set by the string of up to 31 characters 7 Specify Attached Circuit interface esr config l2vpn p2p interface IF TUN IF an interface's name specified in the form described in Section Types and naming order of router int...

Page 314: ...bor address is the same as the LSR_ID esr config l2vpn pw neighbor address ADDR ADDR router IP address defined as AAA BBB CCC DDD where each part takes values of 0 255 14 Enable pseudo wire esr config l2vpn pw enable If it is necessary to change the default settings for a targeted LDP session see section Configuring session parameters in targeted LDP 12 5 2 L2VPN VPWS configuration example Objecti...

Page 315: ...nfig ldp router id 1 1 1 1 PE1 config ldp address family ipv4 PE1 config ldp af ipv4 interface gigabitethernet 1 0 1 PE1 config ldp af ipv4 if exit PE1 config ldp af ipv4 transport address 1 1 1 1 PE1 config ldp af ipv4 exit PE1 config ldp enable PE1 config ldp exit Create a pw class on the basis of which the virtual channel pw will be created later Since in this example the default parameters wil...

Page 316: ...fig ldp enable PE2 config ldp exit PE2 config mpls l2vpn PE2 config l2vpn pw class for_p2p_VLAN100 PE2 config l2vpn pw class exit PE2 config l2vpn p2p to_PE1_VLAN100 PE2 config l2vpn p2p interface gigabitethernet 1 0 4 100 PE2 config l2vpn p2p pw 100 1 1 1 1 PE2 config l2vpn pw pw class for_p2p_VLAN100 PE2 config l2vpn pw enable PE2 config l2vpn pw exit PE2 config l2vpn p2p enable PE2 config l2vpn...

Page 317: ...d in the pw class optional esr config l2vpn pw class encapsulation mpls mtu MTU MTU MTU value takes values in the range of 552 10000 Default value 1500 6 Disable status tlv messaging optional esr config l2vpn pw class encapsulation mpls status tlv disable Default value status tlv enable 7 Create VPLS domain in the system and switch to the VPLS domain configuration mode esr config l2vpn vpls NAME N...

Page 318: ... WORD WORD pw class name 1 31 characters long 14 Set the LSR address to which the pseudo wire is set Optional if the neighbor address is the same as the LSR_ID esr config l2vpn pw neighbor address ADDR ADDR router IP address defined as AAA BBB CCC DDD where each part takes values of 0 255 15 Enable pseudo wire esr config l2vpn pw enable 16 If the topology of the VPLS domain to be created requires ...

Page 319: ...PE1 create a bridge group and enable it PE1 configure PE1 config bridge 10 PE1 config bridge enable PE1 config bridge exit On the Interface to the CE1 side include it in the created bridge group PE1 config interface gigabitethernet 1 0 4 100 PE1 config subif bridge group 10 PE1 config subif exit Set the MTU value on the interface towards PE2 to 9600 to avoid MTU overrun after encapsulating the MPL...

Page 320: ... on the basis of which the virtual channels pw will be created later Since in this example the default parameters will be applied to pw it will be sufficient to specify the class name PE1 config mpls l2vpn PE1 config l2vpn pw class for_vpls1 PE1 config l2vpn pw class exit Create a new l2vpn of vpls type and add pw to routers PE2 and PE3 take the pw identifier as VID for convenience in this case 10...

Page 321: ...erface gigabitethernet 1 0 2 PE2 config ldp af ipv4 if exit PE2 config ldp af ipv4 exit PE2 config ldp exit PE2 config mpls l2vpn PE2 config l2vpn pw class for_vpls1 PE2 config l2vpn pw class exit PE2 config l2vpn vpls vpls1 PE2 config l2vpn vpls enable PE2 config l2vpn vpls bridge group 10 PE2 config l2vpn vpls pw 100 1 1 1 1 PE2 config l2vpn pw pw class for_vpls1 PE2 config l2vpn pw enable PE2 c...

Page 322: ...g l2vpn pw pw class for_vpls PE3 config l2vpn pw enable PE3 config l2vpn pw end PE3 commit PE3 confirm Make sure that the LDP neighbor relationship is established and display the virtual channel status pseudowire between PE1 PE2 and PE3 PE3 show mpls ldp neighbor Peer LDP ID 1 1 1 1 Local LDP ID 3 3 3 3 State Operational TCP connection 1 1 1 1 646 3 3 3 3 45979 Messages sent received 22 22 Uptime 00 13 16 ...

Page 323: ... domain configuration mode esr config l2vpn vpls NAME NAME name of the p2p service set by the string of up to 31 characters 4 Enable VPLS tunnel esr config l2vpn vpls enable 5 Add bridge domain esr config l2vpn vpls bridge group ID ID bridge domain identifier specified in the range 1 250 6 Switch to the autodiscovery bgp configuration context esr config l2vpn vpls autodiscovery bgp 7 Specify route...

Page 324: ...xport for the given VPLS instance esr config bgp route target export RT RT Route target value specified in one of the following forms ASN nn where ASN may take values 1 65535 nn may take values 1 65535 ADDR nn where ADDR specified as AAA BBB CCC DDD EE AAA DDD may take values 0 255 nn may take values 1 65535 4ASN nn where 4ASN may take values 1 4294967295 nn may take values 1 65535 10 Specify ve i...

Page 325: ...figuration enable extended attribute transfer esr config bgp neighbor af send community extended 12 6 2 L2VPN VPLS configuration example Objective Configure L2VPN service all CE devices must work within the same broadcast domain Solution Pre requisite Enable Jumbo frames support with the system jumbo frames command the device must be rebooted for the changes to take effect Configure IP addresses o...

Page 326: ...e 1 ip ospf exit interface gigabitethernet 1 0 3 mtu 9500 ip firewall disable ip address 10 31 0 2 30 ip ospf instance 1 ip ospf exit interface loopback 1 ip address 10 10 0 4 32 ip ospf instance 1 ip ospf exit mpls ldp router id 10 10 0 4 address family ipv4 interface gigabitethernet 1 0 2 exit interface gigabitethernet 1 0 3 exit exit enable exit forwarding interface gigabitethernet 1 0 2 forwar...

Page 327: ... RR config bgp neighbor update source 10 10 0 4 RR config bgp neighbor address family l2vpn vpls RR config bgp neighbor af send community extended RR config bgp neighbor af enable RR config bgp neighbor af exit RR config bgp neighbor enable RR config bgp neighbor exit RR config bgp neighbor 10 10 0 3 RR config bgp neighbor remote as 65500 RR config bgp neighbor route reflector client RR config bgp...

Page 328: ...tu 9500 ip firewall disable ip address 10 22 0 1 30 ip ospf instance 1 ip ospf exit interface loopback 1 ip address 10 10 0 1 32 ip ospf instance 1 ip ospf exit mpls ldp router id 10 10 0 1 address family ipv4 interface gigabitethernet 1 0 1 exit interface gigabitethernet 1 0 2 exit interface gigabitethernet 1 0 3 exit exit enable exit forwarding interface gigabitethernet 1 0 1 forwarding interfac...

Page 329: ...bgp neighbor enable PE1 config bgp neighbor exit PE1 config bgp enable PE1 config bgp exit Check that the BGP session with RR is successfully established PE1 sh ip bgp neighbors BGP neighbor is 10 10 0 4 BGP state Established Neighbor address 10 10 0 4 Neighbor AS 65500 Neighbor ID 10 10 0 4 Neighbor caps refresh enhanced refresh restart aware AS4 Session internal multihop AS4 Source address 10 10...

Page 330: ...gabitethernet 1 0 3 mtu 9500 ip firewall disable ip address 10 31 0 1 30 ip ospf instance 1 ip ospf exit interface loopback 1 ip address 10 10 0 2 32 ip ospf instance 1 ip ospf exit mpls ldp router id 10 10 0 2 address family ipv4 interface gigabitethernet 1 0 1 exit interface gigabitethernet 1 0 2 exit interface gigabitethernet 1 0 3 exit exit enable exit forwarding interface gigabitethernet 1 0 ...

Page 331: ...gp neighbor af enable PE2 config bgp neighbor af exit PE2 config bgp neighbor enable PE2 config bgp neighbor exit PE2 config bgp enable PE2 config bgp exit Check that the session with RR is successfully established PE2 sh ip bgp neighbors BGP neighbor is 10 10 0 4 BGP state Established Neighbor address 10 10 0 4 Neighbor AS 65500 Neighbor ID 10 10 0 4 Neighbor caps refresh enhanced refresh restart...

Page 332: ...f instance 1 ip ospf exit interface gigabitethernet 1 0 3 mtu 9500 ip firewall disable ip address 10 22 0 2 30 ip ospf instance 1 ip ospf exit interface loopback 1 ip address 10 10 0 3 24 ip ospf instance 1 ip ospf exit mpls ldp router id 10 10 0 3 address family ipv4 interface gigabitethernet 1 0 2 exit interface gigabitethernet 1 0 3 exit exit enable exit forwarding interface gigabitethernet 1 0...

Page 333: ...it Check that the BGP session is successfully established PE3 sh ip bgp neighbors BGP neighbor is 10 10 0 4 BGP state Established Neighbor address 10 10 0 4 Neighbor AS 65500 Neighbor ID 10 10 0 4 Neighbor caps refresh enhanced refresh restart aware AS4 Session internal multihop AS4 Source address 10 10 0 3 Weight 0 Hold timer 141 180 Keepalive timer 27 60 Uptime 77 s The next step is to create a ...

Page 334: ...4d 15 Last change 4 minutes and 22 seconds Mode Routerport PE2 PE2 config bridge 1 PE2 config bridge enable PE2 config bridge exit PE2 config interface gigabitethernet 1 0 4 PE2 config if gi mode switchport PE2 config if gi bridge group 1 PE2 sh interfaces bridge 1 Bridges Interfaces bridge 1 gi1 0 4 PE2 sh interfaces status bridge 1 Interface bridge 1 status information Description Operational st...

Page 335: ...ge 1 Up Up 1500 a8 f9 4b ac df f0 1 minute and 21 seconds Routerport PE3 sh interfaces status bridge 1 Interface bridge 1 status information Description Operational state Up Administrative state Up Supports broadcast Yes Supports multicast Yes MTU 1500 MAC address a8 f9 4b ac df f0 Last change 1 minute and 24 seconds Mode Routerport Next perform the VPLS configuration PE1 Switch to the L2VPN confi...

Page 336: ... 100 1 1 10 PE1 sh ip bgp l2vpn vpls all neighbor 10 10 0 4 advertise routes Origin codes i IGP e EGP incomplete Route Distinguisher VID VBO VBS Next hop Metric LocPrf Path 65500 100 1 1 10 10 10 0 1 100 i Detailed output of the advertised route PE1 sh ip bgp l2vpn vpls all neighbor 10 10 0 4 advertise routes ve id 1 block offset 1 BGP routing table entry for 65500 100 VE ID 1 VE Block Offset 1 VE ...

Page 337: ...onfig l2vpn vpls enable Check that PE2 is advertising the route information on RR PE2 sh ip bgp l2vpn vpls all neighbor 10 10 0 4 advertise routes Origin codes i IGP e EGP incomplete Route Distinguisher VID VBO VBS Next hop Metric LocPrf Path 65500 100 2 1 10 10 10 0 2 100 i In the l2vpn table you can see its routes as well as routes from PE1 PE2 sh ip bgp l2vpn vpls all Status codes valid best i ...

Page 338: ...t change 00 21 33 Status Up The calculated service marks can be viewed as follows 1 PE2 sh mpls l2vpn bindings Neighbor 10 10 0 1 PW ID 2 VE ID 1 Local label 45 Encasulation Type VPLS Control flags 0x00 MTU 1500 Remote label 87 Encasulation Type VPLS Control flags 0x00 MTU 1500 2 PE2 sh mpls forwarding table Local Outgoing Prefix Outgoing Next Hop label label or tunnel ID Interface 45 87 PW ID 2 1...

Page 339: ... exit PE3 config l2vpn vpls enable Check the routing information in PE3 PE3 sh ip bgp l2vpn vpls all Status codes valid best i internal S stale Origin codes i IGP e EGP incomplete Codes Route Distinguisher VID VBO VBS Next hop Metric LocPrf Weight Path 65500 100 3 1 10 i 65500 100 2 1 10 10 10 0 2 100 0 i i 65500 100 1 1 10 10 10 0 1 100 0 i Check that PE3 is advertising the route information on R...

Page 340: ...t min avg max mdev 0 173 0 208 0 290 0 045 ms CE3 ping 192 168 0 2 PING 192 168 0 2 192 168 0 2 56 84 bytes of data 192 168 0 2 ping statistics 5 packets transmitted 5 received 0 packet loss time 4004ms rtt min avg max mdev 0 158 0 204 0 255 0 032 ms PE3 sh mac address table bridge 1 VID MAC Address Interface Type a8 f9 4b aa 11 08 gigabitethernet 1 0 4 Dynamic a8 f9 4b aa 11 06 dypseudowire 3_10 ...

Page 341: ...tance name set by the string of up to 31 characters 4 Specify route distinguisher for the given VRF esr config vrf rd RD RD Route distinguisher value specified in one of the following forms ASN nn where ASN may take values 1 65535 nn may take values 1 65535 ADDR nn where ADDR specified as AAA BBB CCC DDD EE AAA DDD may take values 0 255 nn may take values 1 65535 4ASN nn where 4ASN may take values...

Page 342: ...A DDD may take values 0 255 nn may take values 1 65535 4ASN nn where 4ASN may take values 1 4294967295 nn may take values 1 65535 6 Specify route target export for the given VRF esr config vrf route target export RT RT route target value specified in one of the following forms ASN nn where ASN may take values 1 65535 nn may take values 1 65535 ADDR nn where ADDR specified as AAA BBB CCC DDD EE AAA...

Page 343: ...500000 ESR 20 21 100 200 1 300000 ESR 10 12V 12VF 14VF 1 30000 8 In the context of address family VPNv4 BGP configuration enable extended attribute transfer esr config bgp neighbor af send community extended 12 7 2 Configuration example Objective Configure L3VPN based on MPLS technology between ESR1 and ESR3 The final result of the configuration is the appearance of connectivity between nodes conn...

Page 344: ... 1 area 0 0 0 0 enable exit enable exit interface loopback 1 ip address 1 1 1 1 32 ip ospf instance 1 ip ospf exit interface gigabitethernet 1 0 1 10 ip firewall disable ip address 10 10 10 1 30 ip ospf instance 1 ip ospf exit interface gigabitethernet 1 0 1 40 ip firewall disable ip address 40 40 40 1 30 ip ospf instance 1 ip ospf exit system jumbo frames ...

Page 345: ...ble exit interface loopback 1 ip address 2 2 2 2 32 ip ospf instance 1 ip ospf exit interface gigabitethernet 1 0 1 10 ip firewall disable ip address 10 10 10 2 30 ip ospf instance 1 ip ospf exit interface gigabitethernet 1 0 1 20 ip firewall disable ip address 20 20 20 2 30 ip ospf instance 1 ip ospf exit system jumbo frames ...

Page 346: ...ble exit interface loopback 1 ip address 3 3 3 3 32 ip ospf instance 1 ip ospf exit interface gigabitethernet 1 0 1 20 ip firewall disable ip address 20 20 20 1 30 ip ospf instance 1 ip ospf exit interface gigabitethernet 1 0 1 30 ip firewall disable ip address 30 30 30 1 30 ip ospf instance 1 ip ospf exit system jumbo frames ...

Page 347: ...ble exit interface loopback 1 ip address 4 4 4 4 32 ip ospf instance 1 ip ospf exit interface gigabitethernet 1 0 1 40 ip firewall disable ip address 40 40 40 2 30 ip ospf instance 1 ip ospf exit interface gigabitethernet 1 0 1 30 ip firewall disable ip address 30 30 30 2 30 ip ospf instance 1 ip ospf exit system jumbo frames ...

Page 348: ...1970 01 0 8 1 1 1 1 O 4 4 4 4 32 150 10 via 40 40 40 2 on gi1 0 1 40 ospf1 1970 01 0 8 4 4 4 4 O 20 20 20 0 30 150 20 via 10 10 10 2 on gi1 0 1 10 ospf1 22 05 45 3 3 3 3 O 10 10 10 0 30 150 10 dev gi1 0 1 10 ospf1 22 05 33 1 1 1 1 O 3 3 3 3 32 150 20 multipath ospf1 22 05 45 3 3 3 3 via 40 40 40 2 on gi1 0 1 40 weight 1 O 2 2 2 2 32 150 10 via 10 10 10 2 on gi1 0 1 10 ospf1 22 05 45 2 2 2 2 2 LDP ...

Page 349: ...p address family ipv4 transport address 3 3 3 3 interface gigabitethernet 1 0 1 20 exit interface gigabitethernet 1 0 1 30 exit exit enable exit forwarding interface gigabitethernet 1 0 1 20 forwarding interface gigabitethernet 1 0 1 30 exit ESR4 mpls ldp address family ipv4 transport address 4 4 4 4 interface gigabitethernet 1 0 1 30 exit interface gigabitethernet 1 0 1 40 exit exit enable exit f...

Page 350: ...ery sources gigabitethernet 1 0 1 40 3 MP BGP configuration Create VRF on ESR1 and ESR3 respectively Specify RD rt export import in accordance with our scheme ESR1 ESR1 config ip vrf Customer1 ESR1 config vrf ip protocols bgp max routes 1000 ESR1 config vrf rd 65500 100 ESR1 config vrf route target import 65500 100 ESR1 config vrf route target export 65500 100 ESR3 ESR3 config ip vrf Customer1 ESR...

Page 351: ...00 ESR3 config bgp router id 3 3 3 3 ESR3 config bgp enable ESR3 config bgp neighbor 1 1 1 1 ESR3 config bgp neighbor remote as 65500 ESR3 config bgp neighbor update source 3 3 3 3 ESR3 config bgp neighbor enable ESR3 config bgp neighbor address family ipv4 unicast ESR3 config bgp neighbor af enable ESR3 config bgp neighbor af exit ESR3 config bgp neighbor address family vpnv4 unicast ESR3 config ...

Page 352: ...ace loopback 1 ip address 10 100 0 1 24 exit route map OUTPUT rule 1 match ip address 10 100 0 0 24 action permit exit exit Configure eBGP between ESR1 and CE_SiteA CE_SiteA router bgp log neighbor changes router bgp 65505 router id 192 168 32 1 neighbor 192 168 32 1 remote as 65500 allow local as 1 update source 192 168 32 2 address family ipv4 unicast route map OUTPUT out enable exit enable exit...

Page 353: ...tion Customer1 ip firewall disable ip address 192 168 32 1 30 Create a route map route map OUTPUT rule 1 action permit exit exit Configure eBGP between ESR1 and CE_SiteA ESR1 router bgp 65500 vrf Customer1 router id 192 168 32 1 neighbor 192 168 32 2 remote as 65505 update source 192 168 32 1 address family ipv4 unicast exit exit Allow BGP routes to be transmitted to the peer ESR1 route map OUTPUT ...

Page 354: ...incomplete Network Next Hop Metric LocPrf Weight Path u 10 100 1 0 24 192 168 32 1 100 65500 i u 192 168 32 4 30 192 168 32 1 100 65500 i Display the advertised routes for a specific peer The route information is displayed after the filtering is applied ESR1 show ip bgp 65500 vrf Customer1 neighbors 192 168 32 2 routes Status codes u unicast b broadcast m multicast a anycast valid best Origin code...

Page 355: ...t Configure eBGP between ESR3 and CE_SiteB CE_SiteB router bgp 65505 router id 192 168 32 6 neighbor 192 168 32 5 remote as 65500 allow local as 1 update source 192 168 32 6 address family ipv4 unicast route map OUTPUT out enable exit enable exit address family ipv4 unicast network 10 100 1 0 24 exit enable ESR3 Configure interface to the CE direction ESR3 interface gigabitethernet 1 0 2 ip vrf fo...

Page 356: ...r bgp 65500 vrf Customer1 router id 192 168 32 5 neighbor 192 168 32 6 remote as 65505 update source 192 168 32 5 address family ipv4 unicast Allow BGP routes to be transmitted to the peer ESR3 route map OUTPUT out enable exit enable exit Allow route forwarding from VRF to VPNV4 for address family IPv4 ESR3 address family ipv4 unicast redistribute connected redistribute bgp 65500 exit enable exit ...

Page 357: ...es processing from these CPUs to less loaded ones By default lbd uses only MPLS tags to calculate the hash and then distribute the load to the different CPUs This behavior is not always an advantage especially when there are large homogeneous streams of MPLS traffic Additional functionality can be included to add entropy to the hash 12 8 1 Configuration example Objective Enable L2VPN traffic balan...

Page 358: ...o the appropriate AC PW Frames with unknown DST MAC broadcast and multicast frames so called BUM traffic Broadcast Unknown unicast and Multicast will be sent to all elements of the bridge domain except for the element AC or PW through which the frame entered the bridge domain Switching takes into account the DST MAC in the frames but does not take into account the VLAN tags present on the frames thus switc...

Page 359: ...e vlan tag is restored If AC is an interface then tagged and untagged traffic flows in both directions without modification Suppose PE1 and PE2 are configured in ethernet mode Figure 2 On the PE1 side gigabitethernet 1 0 4 100 subinterface is included in the bridge domain so the vlan tag vlan id 100 from incoming traffic will be removed before being placed in Pseudowire 10 respectively restored wh...

Page 360: ... is very important to correctly configure the MTU parameter on the interfaces through which a packet is transmitted This is true for the installation of the pseudowire and for the transmission of service traffic First of all the MTU value is involved in signaling when constructing a pseudowire in both LDP signaling and BGP signaling In LDP signaling the MTU is set within the pw class setting For s...

Page 361: ...nfig l2vpn vpls MTU_Example_PW PE2 config l2vpn vpls pw 200 10 10 0 1 PE2 config l2vpn pw pw class PE2 config l2vpn pw pw class MTU_example View the created pw classes PE2 sh mpls l2vpn pw class PW class Neighbor PW ID Status Status tlv MTU MTU_example 10 10 0 1 200 Up Enable 9000 PE2 sh mpls l2vpn vpls MTU_Example_PW VPLS MTU_Example_PW PWs PW ID 2 Neighbor 10 10 0 1 MTU 9000 Last change 01 27...

Page 362: ...der the example In the figure above PE1 raises two pseudowires Pseudowire 10 to PE2 and Pseudowire 20 to PE3 respectively For signaling with PE2 the MTU will be set to 2000 pw class TO_PE2 for PE3 the MTU will be 3000 pw class TO_PE3 ...

Page 363: ...N Reason MTU mismatch PE1 config l2vpn vpls l2vpn_MTU PE1 config l2vpn vpls autodiscovery bgp PE1 config bgp mtu 2000 PE2 sh mpls l2vpn vpls l2vpn_MTU PWs PW ID 2 Neighbor 10 10 0 1 MTU 2000 Last change 00 00 10 Status Down Reason MTU mismatch By default the bridge domain has an MTU of 1500 bytes It is worth noting that bridge domain automatically selects the lowest MTU value based on its own MTU ...

Page 364: ...e 100 1500 The lowest MTU value MTU gi1 0 1 2000 MTU gi1 0 2 3000 CE3 sh interfaces bridge Bridges Interfaces bridge 100 gi1 0 1 2 CE3 sh interfaces status bridge 100 Interface bridge 100 status information Description Operational state UP Administrative state Up Supports broadcast Yes Supports multicast Yes MTU 1500 MAC address a8 f9 4b aa 11 00 Last change 1 minute and 46 seconds Mode Routerport...

Page 365: ...utes and 2 Routerport seconds gi1 0 2 Up Up 1500 a8 f9 4b ac 4d 17 4 days 4 hours 49 Switchport minutes and 40 seconds gi1 0 3 Up Up 1800 a8 f9 4b ac 4d 18 4 days 1 hour 49 Switchport minutes and 38 seconds bridge 2 Up Up 1500 a8 f9 4b ac 4d 15 1 day 1 hour 27 minutes Routerport and 28 seconds CE1 sends packets of 1500 bytes CE2 sends packets of 1800 bytes respectively Since the MTU of the bridge ...

Page 366: ...Similar behavior occurs when passing traffic in the L3VPN service If CE1 sends a packet larger than the MTU of the interface facing the client gi1 0 2 or towards the MPLS core gi1 0 1 the packet will be discarded ...

Page 367: ...s autoupdate from external sources Recommended open rule update source IPS IDS configuration example with auto update rules Basic user rules configuration algorithm Basic user rules configuration example Extended user rules configuration algorithm Extended user rules configuration example Eltex Distribution Manager interaction configuration Basic configuration algorithm Configuration example Conte...

Page 368: ...r config aaa authentication enable NAME METHOD 1 METHOD 2 METHOD 3 METHOD 4 NAME list name set by the string of up to 31 characters Authentication methods local authentication by local user base tacacs authentication by TACACS server list radius authentication by RADIUS server list ldap authentication by LDAP server list 3 Set the method for iterating over authentication methods optional esr confi...

Page 369: ...alue 0 7 Set the lifetime of local user password optional esr config security passwords lifetime TIME TIME password lifetime in days Takes values in the range of 1 365 Default The lifetime of local user password is unlimited 8 Set a limit on the minimum length of local user password and ENABLE password optional esr config security passwords min length NUM NUM minimum number of characters in the pa...

Page 370: ...ords numeric count COUNT COUNT minimum number of digits in the password Takes values in the range of 0 128 Default value 0 14 Set the minimum number of special characters in the local user password and ENABLE password optional esr config security passwords special case COUNT COUNT minimum number of special characters in the password Takes values in the range of 0 128 Default value 0 15 Add user in...

Page 371: ...imeout SEC SEC time interval in minutes takes values of 1 65535 13 1 2 AAA configuration algorithm via RADIUS Step Description Command Keys 1 Set the DSCP code global value for the use in IP headers of RADIUS server egress packets optional esr config radius server dscp DSCP DSCP DSCP code value takes values in the range of 0 63 Default value 63 2 Set the global number of iterative queries to the l...

Page 372: ...tication attempts after which a user is blocked takes the values of 1 65535 TIME user blocking time in seconds takes the values of 1 65535 Default value COUNT 5 TIME 300 6 Set the password for authentication on remote RADIUS server esr config radius server key ascii text TEXT encrypted ENCRYPTED TEXT TEXT string 8 16 ASCII characters ENCRYPTED TEXT encrypted password 8 16 bytes size set by the str...

Page 373: ...efault NAME METHOD 1 METHOD 2 METHOD 3 METHOD 4 NAME list name set by the string of up to 31 characters Authentication methods local authentication by local user base tacacs authentication by TACACS server list radius authentication by RADIUS server list ldap authentication by LDAP server list 11 Set radius as authentication method of user privileges elevation esr config aaa authentication enable ...

Page 374: ...the list of user session accounting methods optional esr config aaa accounting login start stop METHOD 1 METHOD 2 METHOD accounting methods tacacs session accounting by TACACS radius session accounting by RADIUS 14 Switch to the corresponding terminal configuration mode esr config line TYPE TYPE console type console local console ssh secure remote console 15 Activate user login authentication list...

Page 375: ...acs server IP ADDR TACACS server IP address defined as AAA BBB CCC DDD where each part takes values of 0 255 IPV6 ADDR TACACS server IPv6 address defined as X X X X X where each part takes values in hexadecimal format 0 FFFF VRF VRF instance name set by the string of up to 31 characters 4 Specify the number of failed authentication attempts to block the user login and time of the lock optional aaa...

Page 376: ...er the priority of server is Default value 1 8 Set IPv4 IPv6 address that will be used as source IPv4 IPv6 address in transmitted TACACS packets esr config tacacs server source address ADDR IPV6 ADDR ADDR source IP address defined as AAA BBB CCC DDD where each part takes values of 0 255 9 Set TACACS as authentication method of user privileges elevation esr config aaa authentication enable NAME MET...

Page 377: ...ccounting commands stop only tacacs 12 Configure tacacs in the list of user session accounting methods optional esr config aaa accounting login start stop METHOD 1 METHOD 2 METHOD accounting methods tacacs session accounting by TACACS radius session accounting by RADIUS 13 Switch to the corresponding terminal configuration mode esr config line TYPE TYPE console type console local console ssh secur...

Page 378: ... 4 Specify the password of a user with administrator rights under which authorization will take place on the LDAP server when searching for users esr config ldap server bind authenticate root password ascii text TEXT encrypted ENCRYPTED TEXT TEXT string 8 16 ASCII characters ENCRYPTED TEXT encrypted password 8 16 bytes size set by the string of 16 32 characters 5 Specify a class name of the object...

Page 379: ...me which is compared with the name of a desired user on LDAP server optional esr config ldap server privilege level attribute NAME NAME object attribute name set by the string of up to 127 characters Default value priv lvl 10 Set the DSCP code global value for the use in IP headers of LDAP server egress packets optional esr config ldap server dscp DSCP DSCP DSCP code value takes values in the rang...

Page 380: ...ort PORT PORT number of TCP port to exchange data with a remote server takes values of 1 65535 Default value 389 for LDAP server 14 Prioritize the use of a remote LDAP server optional esr config ldap server priority PRIORITY PRIORITY remote server priority takes values in the range of 1 65535 The lower value the higher the priority of server is Default value 1 15 Set IPv4 IPv6 address that will be...

Page 381: ...ation enable NAME METHOD 1 METHOD 2 METHOD 3 METHOD 4 NAME list name set by the string of up to 31 characters default default list name METHOD authentication methods enable authentication by enable passwords tacacs authentication by TACACS radius authentication by RADIUS ldap authentication by LDAP 18 Set the method for iterating over authentication methods esr config aaa authentication mode MODE ...

Page 382: ...ration using telnet via RADIUS server Objective Configure authentication for users being connected via Telnet and RADIUS 192 168 16 1 24 Solution Configure connection to RADIUS server and specify the key password esr configure esr config radius server host 192 168 16 1 esr config radius server key ascii text encrypted 8CB5107EA7005AFF esr config radius server exit Create authentication profile esr...

Page 383: ...mode PRIV required command subtree privilege level takes value in the range of 1 15 COMMAND command subtree set by the string of up to 255 characters 13 2 2 Example of command privilege configuration Objective Transfer all interface information display commands to the privilege level 10 except for show interfaces bridges command Transfer show interfaces bridges command to the privilege level 3 Sol...

Page 384: ...cond set in the range of 1 10000 src dst limitation on the amount of TCP packets with the SYN flag set based on the source and destination addresses 6 Enable protection against UDP flood attacks esr config ip firewall screen dos defense udp threshold NUM NUM maximum amount of UDP packets per second set in the range of 1 10000 7 Enable protection against winnuke attacks esr config ip firewall scree...

Page 385: ... field esr config ip firewall screen spy blocking tcp no flag 16 Enable the blocking of fragmented ICMP packets esr config ip firewall screen suspicious packets icmp fragment 17 Enable the blocking of fragmented IP packets esr config ip firewall screen suspicious packets ip fragment 18 Enable the blocking of ICMP packets more than 1024 bytes esr config ip firewall screen suspicious packets icmp fr...

Page 386: ...26 Enable mechanism of specialized packets detection and logging via CLI syslog and SNMP esr config logging firewall screen suspicious packets PACKET_TYPE PACKET_TYPE non standard packets type takes the following values icmp fragment ip fragment large icmp syn fragment udp fragment unknown protocols 13 3 2 Description of attack protection mechanisms Command Description ip firewall screen dos defen...

Page 387: ... packets per second for one destination address is limited The attack leads to a host reboot or failure due to the massive UDP traffic ip firewall screen dos defense winnuke This command enables the protection against winnuke attacks When the protection is enabled TCP packets with the URG flag set and destination port 139 are blocked The attack leads to the older Windows versions up to 95 ve...

Page 388: ...at type are blocked for the second specified time interval TIME An attacker will not be able to scan the device open ports quickly ip firewall screen spy blocking spoofing The given command enables the protection against ip spoofing attacks When the protection is enabled the router checks packets for matching the source address and routing table entries and in case of mismatch the packet is droppe...

Page 389: ...en suspicious packets udp fragment The given command enables the blocking of fragmented UDP packets ip firewall screen suspicious packets unknown protocols The given command enables the blocking of packets whose protocol ID in the IP header is 137 or greater 13 3 3 Configuration example of logging and protection against network attacks Objective Protect LAN and ESR router from land sy...

Page 390: ...AN esr config if gi ip address 10 0 0 1 24 esr config if gi exit Enable the protection against land syn flood ICMP flood attacks esr config ip firewall screen dos defense land esr config ip firewall screen dos defense syn flood 100 src dst esr config ip firewall screen dos defense icmp threshold 100 Configure the logging of detected attacks esr config ip firewall logging screen dos defense land es...

Page 391: ...y reduce the performance esr config ip firewall sessions allow unknown 6 Select firewall operation mode optional The firewall by application list is possible only in stateless mode esr config ip firewall mode MODE MODE firewall operation mode may take the following values stateful stateless Default value stateful 7 Determine the session lifetime for unsupported protocols optional esr config ip fir...

Page 392: ...lue 60 seconds 13 Determine the lifetime of TCP session in connection is being closed state after which it is considered to be outdated optional esr config ip firewall sessions tcp disconnect timeout TIME TIME lifetime of TCP session in connection is being closed state takes values in seconds 1 8553600 Default value 30 seconds 14 Determine the lifetime of TCP session in connection is being establi...

Page 393: ... assured timeout TIME TIME lifetime of UDP session in connection is confirmed state takes values in seconds 1 8553600 Default value 180 seconds 18 Determine the lifetime of UDP session in connection is not confirmed state after which it is considered to be outdated esr config ip firewall sessions udp wait timeout TIME TIME lifetime of UDP session in connection is not confirmed state takes values i...

Page 394: ...OM ADDR range starting IPv6 address TO ADDR range ending IPv6 address optional parameter If the parameter is not specified a single IPv6 address is set by the command The addresses are defined as X X X X X where each part takes values in hexadecimal format 0 FFFF 22 Create services lists which will be used during filtration esr config object group service obj group name obj group name service prof...

Page 395: ...e pptp into security zones optional esr config if gi security zone zone name zone name up to 12 characters Disable Firewall functions on the network interface physical logical E1 Multilink and connected remote access server l2tp openvpn pptp or tunnels gre ip4ip4 l2tp lt pppoe pptp optional esr config if gi ip firewall disable 29 Create an interzone interaction rule set esr config security zone pa...

Page 396: ...dress OBJ GROUP NETWORK NAME 36 Set source MAC address for which the rule should work optional esr config zone rule match not source mac mac addr mac addr defined as XX XX XX XX XX XX where each part takes the values of 00 FF 37 Set sender MAC address for which the rule should work optional esr config zone rule match not destination mac mac addr 38 Set TCP UDP ports profile for which the rule shou...

Page 397: ...ion only for IP packets carrying IP options (optional; available only for zone-pair any self and zone-pair ZONE_NAME any): esr(config-zone-pair-rule)# match [not] ip-option. 45. Enable the interzone interaction rule: esr(config-zone-rule)# enable. 46. Enable filtering and session tracking for packets forwarded between members of one bridge group (optional; available only on ESR-1000/1200/1500/1511/1...

Page 398: ...zone WAN
esr(config-zone)# exit
Configure the network interfaces and assign each to its security zone:
esr(config)# interface gi1/0/2
esr(config-if-gi)# ip address 192.168.12.2/24
esr(config-if-gi)# security-zone LAN
esr(config-if-gi)# exit
esr(config)# interface gi1/0/3
esr(config-if-gi)# ip address 192.168.23.2/24
esr(config-if-gi)# security-zone WAN
esr(config-if-gi)# exit ...

Page 399: ...zones and add a rule allowing ICMP traffic from R1 to R2. A rule takes effect only after the enable command:
esr(config)# security zone-pair LAN WAN
esr(config-zone-pair)# rule 1
esr(config-zone-pair-rule)# action permit
esr(config-zone-pair-rule)# match protocol icmp
esr(config-zone-pair-rule)# match destination-address WAN_GATEWAY
esr(config-zone-pair-rule)# match source-address LAN_GATEWAY
esr(config-zone-p...

Page 400: ...he ICMP requests from the LAN zone, add a rule allowing ICMP traffic from R1 to the ESR itself (the self zone):
esr(config)# security zone-pair LAN self
esr(config-zone-pair)# rule 1
esr(config-zone-pair-rule)# action permit
esr(config-zone-pair-rule)# match protocol icmp
esr(config-zone-pair-rule)# match destination-address LAN
esr(config-zone-pair-rule)# match source-address LAN_GATEWAY
esr(config-zone-pair-rule)# enable
esr(config...

Page 401: ...config-if-gi)# security-zone WAN
esr(config-if-gi)# exit
esr(config)# interface gi1/0/2
esr(config-if-gi)# ip address 192.168.0.1/24
esr(config-if-gi)# security-zone LAN
esr(config-if-gi)# exit
Switch the ESR firewall to stateless mode. In this mode the firewall keeps no session state, so reply traffic is not admitted automatically and must be permitted by explicit rules in both directions:
esr(config)# ip firewall mode stateless
To build the security zone rules, first create a profile of the applications that should be blocked:
esr(config)# object-group applicat...

Page 402: ...prohibits the application traffic, and a second rule that allows all other traffic to pass. Rules are evaluated in ascending order of their numbers, so the deny rule carries the lower number. Rules take effect after the enable command:
esr(config)# security zone-pair LAN WAN
esr(config-zone-pair)# rule 1
esr(config-zone-pair-rule)# action deny
esr(config-zone-pair-rule)# match application APP
esr(config-zone-pair-rule)# enable
esr(config-zone-pair-rule)# exit
esr(config-zone-pair)# rule 2
esr(config-zone-pai...

Page 403: ...The router processes the rules in ascending order of their numbers: esr(config-acl)# rule ORDER, where ORDER is the rule number, 1 to 4094. 4. Specify the action applied to traffic that matches the rule: esr(config-acl-rule)# action ACT, where ACT is permit (traffic is forwarded) or deny (traffic is dropped). 5. Set the name of the protocol for which the rule should match (op...

Page 404: ...set to zero mark the MAC address bits that are excluded from the comparison. 9. Set the destination MAC addresses for which the rule should match (optional): esr(config-acl-rule)# match destination-mac ADDR WILDCARD. 10. Set the source TCP/UDP port for which the rule should match (applies when a protocol is specified): esr(config-acl-rule)# match source-port PORT | any, where PORT is the source TCP/UDP port number and takes valu...

Page 405: ...rule 1
esr(config-acl-rule)# action permit
esr(config-acl-rule)# match source-address 192.168.20.0 255.255.255.0
esr(config-acl-rule)# enable
esr(config-acl-rule)# exit
esr(config-acl)# exit
Apply the access list to interface gi1/0/19 for inbound traffic:
esr(config)# interface gigabitethernet 1/0/19
esr(config-if-gi)# service-acl input white
To view detailed information on an access control list, use the following ...
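How ordered match rules with mask-style address matching behave, shown as an added example in Python (not ESR firmware code and not from the manual): rules are tried in ascending order and the first match decides; bits set to zero in a mask or wildcard are excluded from the comparison, as the manual states for MAC wildcards and as the 255.255.255.0 mask above implies for IPv4; a packet that matches no rule falls through to a default action. The default deny, the TCP/23 stand-in for an "application", the OUI-only MAC rule and the packets are this example's assumptions, not values from the manual.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple


def ip_int(addr: str) -> int:
    return int(IPv4Address(addr))


def mac_int(mac: str) -> int:
    return int(mac.replace(":", ""), 16)


def masked_eq(value: int, pattern: int, mask: int) -> bool:
    # Bits set to zero in the mask/wildcard are excluded from the comparison.
    return (value & mask) == (pattern & mask)


@dataclass
class Rule:
    order: int
    action: str                                # "permit" or "deny"
    protocol: Optional[str] = None             # "tcp"/"udp"/"icmp"; None = any
    src_ip: Optional[Tuple[str, str]] = None   # (address, mask)
    dst_ip: Optional[Tuple[str, str]] = None   # (address, mask)
    src_mac: Optional[Tuple[str, str]] = None  # (address, wildcard)
    dst_port: Optional[int] = None             # meaningful only with tcp/udp
    enabled: bool = True

    def matches(self, pkt: dict) -> bool:
        if self.protocol and pkt["proto"] != self.protocol:
            return False
        if self.src_ip and not masked_eq(ip_int(pkt["src"]), ip_int(self.src_ip[0]), ip_int(self.src_ip[1])):
            return False
        if self.dst_ip and not masked_eq(ip_int(pkt["dst"]), ip_int(self.dst_ip[0]), ip_int(self.dst_ip[1])):
            return False
        if self.src_mac and not masked_eq(mac_int(pkt["smac"]), mac_int(self.src_mac[0]), mac_int(self.src_mac[1])):
            return False
        if self.dst_port is not None and pkt.get("dport") != self.dst_port:
            return False
        return True


def evaluate(rules: List[Rule], pkt: dict, default: str = "deny") -> Tuple[str, Optional[int]]:
    """First enabled rule in ascending order decides; returns (action, rule number)."""
    for rule in sorted(rules, key=lambda r: r.order):
        if rule.enabled and rule.matches(pkt):
            return rule.action, rule.order
    return default, None          # no rule matched: assumed implicit default


def pkt(src, dst, proto="tcp", dport=None, smac="00:11:22:33:44:55"):
    """Constructed packet summary (not captured traffic)."""
    return {"src": src, "dst": dst, "proto": proto, "dport": dport, "smac": smac}


# The 'white' ACL from the example: permit 192.168.20.0/24, everything else falls through.
WHITE = [Rule(1, "permit", src_ip=("192.168.20.0", "255.255.255.0"))]

# Deny one service before a permit-all (correct), and the same two rules misordered.
CORRECT = [Rule(1, "deny", protocol="tcp", dst_port=23), Rule(2, "permit")]
MISORDERED = [Rule(1, "permit"), Rule(2, "deny", protocol="tcp", dst_port=23)]

# Wildcard ff:ff:ff:00:00:00 compares only the vendor (OUI) part of the source MAC.
OUI_ONLY = [Rule(1, "permit", src_mac=("00:11:22:00:00:00", "ff:ff:ff:00:00:00"))]

if __name__ == "__main__":
    print(evaluate(WHITE, pkt("192.168.20.7", "10.0.0.1")))
    print(evaluate(WHITE, pkt("192.168.21.7", "10.0.0.1")))
    print(evaluate(CORRECT, pkt("192.168.20.7", "10.0.0.1", dport=23)))
    print(evaluate(MISORDERED, pkt("192.168.20.7", "10.0.0.1", dport=23)))
```

The MISORDERED list shows the failure mode of the deny-then-permit pattern from the zone-pair example: with the permit-all numbered first, the deny rule is never reached.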

Page 406: ...the string of up to 32 characters. 4. Specify the profile of IP addresses that are external to the IPS/IDS (optional): esr(config-ips-policy)# external-network-group OBJ_GROUP_NETWORK_NAME, where OBJ_GROUP_NETWORK_NAME is the external IP address profile name, a string of up to 32 characters. 5. Switch to the IPS/IDS configuration mode: esr(config)# security ips. 6. Assign the IPS/IDS security policy: esr(config-ips)# poli...

Page 407: ...le named classification.config (a directory on the server containing the rule files and/or the rule classifier file). 5. Set how often updates are checked (optional): esr(config-ips-upgrade-user-server)# upgrade-interval HOURS, where HOURS is the update interval in hours, 1 to 240, default 24 hours. 13.6.3 Recommended open rule update sources. Fetch rule feeds over HTTPS only: a rule set tampered with in transit would drive the drop and reject actions on the router. https://sslbl.abuse.ch (SSL Blacklist) contains lists of bad SSL certificates, i.e...

Page 408: ...of the www.spamhaus.org project.
https://rules.emergingthreats.net/open/suricata/rules/dshield.rules: describes malicious hosts according to the classification of the www.dshield.org project.
https://rules.emergingthreats.net/open/suricata/rules/emerging-activex.rules: signatures for the use of ActiveX content.
https://rules.emergingthreats.net/open/suricata/rules/emerging-attack_response.ru...

Page 409: ...cata/rules/emerging-icmp.rules: signatures of improper use of the ICMP protocol.
https://rules.emergingthreats.net/open/suricata/rules/emerging-icmp_info.rules: signatures of ICMP informational messages.
https://rules.emergingthreats.net/open/suricata/rules/emerging-imap.rules: signatures of IMAP protocol vulnerabilities and of improper u...

Page 410: ...e rules describe unwanted network activity (access to MySpace, eBay).
https://rules.emergingthreats.net/open/suricata/rules/emerging-pop3.rules: signatures of POP3 protocol vulnerabilities and of improper use of POP3.
https://rules.emergingthreats.net/open/suricata/rules/emerging-rpc.rules: signatures of RPC protocol vulnerabilities and of...

Page 411: ...col.
https://rules.emergingthreats.net/open/suricata/rules/emerging-trojan.rules: signatures of network activity of Trojans.
https://rules.emergingthreats.net/open/suricata/rules/emerging-user_agents.rules: signatures of suspicious and potentially dangerous HTTP clients, identified by the value of the User-Agent HTTP header.
https://rules.emergingthreats.net/open/suricata/rules/...

Page 412: ...13.6.4 IPS/IDS configuration example with auto-updated rules. Objective: protect the LAN 192.168.1.0/24 with rules auto-updated from open sources. Solution: create a profile for the LAN addresses to be protected:
esr(config)# object-group network LAN
esr(config-object-group-network)# ip prefix 192.168.1.0/24
esr(config-object-group-network)# exit ...

Page 413: ...s-upgrade-user-server)# description "emerging threats open rules"
esr(config-ips-upgrade-user-server)# url https://rules.emergingthreats.net/open/suricata-4.0/rules
esr(config-ips-upgrade-user-server)# exit
esr(config)# auto-upgrade user-server Aggressive
esr(config-ips-upgrade-user-server)# description "Etnetera aggressive IP blacklist"
esr(config-ips-upgrade-user-server)# url https://security.etnetera.cz/feeds/etn_...

Page 414: ...ption (optional): esr(config-ips-category-rule)# description DESCRIPTION, where DESCRIPTION is a string of up to 255 characters. 5. Specify the rule action: esr(config-ips-category-rule)# action alert | reject | pass | drop. alert: traffic is allowed and the IPS/IDS service generates a message; reject: traffic is blocked, and for TCP traffic a TCP RESET packet is sent to both the sender and the recipient, fo...

Page 415: ...ains the source IP address, a string of up to 31 characters; protect uses the protected addresses defined in the IPS/IDS policy as source addresses; external uses the external addresses defined in the IPS/IDS policy as source addresses. With the value any, the rule matches any source IP address. 8. Set the profile of source TCP/UDP ports for which the rule should match. For protocol icmp, sou...

Page 416: ...esses. With the value any, the rule matches any destination IP address. 10. Set the profile of destination TCP/UDP ports for which the rule should match. For protocol icmp, destination-port can only be any: esr(config-ips-category-rule)# destination-port any | PORT | object-group OBJ_GR_NAME, where PORT is the destination TCP/UDP port number, 1 to 65535, and OBJ_GR_NAME is the destination TCP/UDP port pro...

Page 417: ...propriate-content, policy-violation, default-login-attempt. Meanings: not-suspicious: not suspicious traffic; unknown: unknown traffic; bad-unknown: potentially bad traffic; attempted-recon: information leak attempt; successful-recon-limited: limited information leak; successful-recon-largescale: large-scale information leak; attempted-dos: denial-of-service attempt; successful-dos: denial of service; attempted-user: attempt to obtain...

Page 418: ...vulnerable web application; web-application-attack: attack on a web application; misc-activity: other activity; misc-attack: other attacks; icmp-event: generic ICMP event; inappropriate-content: inappropriate content was detected; policy-violation: potential corporate privacy violation; default-login-attempt: login attempt with a default login/password. 14. Set the DSCP value for which the rule should match (opti...

Page 419: ...rule should trigger (optional; applies only to protocol icmp): esr(config-ips-category-rule)# ip icmp sequence-id SEQ_ID, where SEQ_ID is the ICMP sequence ID and takes a value from 0 to 4294967295 (the sequence field in the ICMP echo header is itself 16 bits wide, so values above 65535 cannot match a real packet). 20. Set the ICMP TYPE value for which the rule should trigger (optional; applies only to protocol icmp): esr(config-ips-category-rule)# ip icmp type TYPE, where TYPE is the ICMP type and takes a value from 0 to 25...

Page 420: ...ocol http): esr(config-ips-category-rule)# ip http urilen LEN, where LEN takes values from 0 to 65535; esr(config-ips-category-rule)# ip http urilen comparison-operator greater-than | less-than sets the comparison operator for the ip http urilen value. 26. Set the packet payload content for which the rule will trigger (optional): esr(config-ips-c...

Page 421: ...ze comparison-operator greater-than | less-than sets the comparison operator for the payload-data-size value. 31. Specify the threshold number of packets at which the rule triggers (optional): esr(config-ips-category-rule)# threshold count COUNT, where COUNT is the number of packets, 1 to 65535. 32. Specify the time interval within which the threshold number of pa...

Page 422: ...sent only once during the SECONDS time interval. 35. Activate the rule: esr(config-ips-category-rule)# enable. 13.6.6 Basic user rules configuration example. Objective: write a rule that protects a server with IP 192.168.1.10 from a DoS attack using large ICMP packets. Solution: create a set of user rules:
esr(config)# security ips-category user-defined USER
Create the rule that protects against the attack:
esr(config-ips-categ...

Page 423: ...specify any as the source and destination port:
esr(config-ips-category-rule)# source-port any
esr(config-ips-category-rule)# destination-port any
Set our server as the destination address:
esr(config-ips-category-rule)# destination-address ip 192.168.1.10
The attacker can send packets from any address:
esr(config-ips-category-rule)# source-address any ...

Page 424: ...category-rule)# threshold track by-dst
esr(config-ips-category-rule)# threshold type both
13.6.7 Extended user rules configuration algorithm. 1. Specify a name and enter the configuration mode of the user rule set: esr(config)# security ips-category user-defined WORD, where WORD is the user rule set name, a string of up to 32 characters. 2. Define a description of the user rule set...
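How the threshold keywords of the basic user rule above decide when an alert is raised, as an added example in Python (not ESR firmware or Suricata code): threshold count and seconds define a per-key window, track by-src or by-dst chooses the key, and the type selects between alerting on every count-th packet (threshold), at most count times per window (limit), or once per window after count packets (both, as the example uses). The payload-size limit of 1000 bytes, the values count 10 and seconds 60, and the ICMP traffic are constructed assumptions; the manual's example does not give them.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Packet:
    ts: float     # seconds since the start of the constructed capture
    src: str
    dst: str
    proto: str
    dsize: int    # payload length in bytes


@dataclass
class ThresholdRule:
    proto: str
    dst: str                  # destination-address, or "any"
    dsize_gt: int             # payload-data-size with comparison-operator greater-than
    count: int                # threshold count
    seconds: int              # threshold seconds
    track: str = "by-dst"     # threshold track by-src | by-dst
    ttype: str = "both"       # threshold type threshold | limit | both
    windows: Dict[str, Tuple[float, int]] = field(default_factory=dict)

    def matches(self, p: Packet) -> bool:
        return (p.proto == self.proto
                and (self.dst == "any" or p.dst == self.dst)
                and p.dsize > self.dsize_gt)

    def observe(self, p: Packet) -> bool:
        """Feed one packet; return True when the rule generates an alert for it."""
        if not self.matches(p):
            return False
        key = p.src if self.track == "by-src" else p.dst
        start, n = self.windows.get(key, (None, 0))
        if start is None or p.ts - start >= self.seconds:
            start, n = p.ts, 0               # the window opens with this packet
        n += 1
        self.windows[key] = (start, n)
        if self.ttype == "limit":
            return n <= self.count           # at most count alerts per window
        if self.ttype == "threshold":
            return n % self.count == 0       # every count-th matching packet
        return n == self.count               # both: one alert per window, after count packets


def run(rule: ThresholdRule, packets: List[Packet]) -> List[Tuple[float, str]]:
    """Return (timestamp, tracked address) for every alert, in time order."""
    alerts = []
    for p in sorted(packets, key=lambda x: x.ts):
        if rule.observe(p):
            alerts.append((p.ts, p.src if rule.track == "by-src" else p.dst))
    return alerts


SERVER = "192.168.1.10"


def constructed_traffic() -> List[Packet]:
    """Constructed packets, not captured traffic."""
    pkts = []
    # Burst 1: 15 oversized pings in about 4 seconds, alternating two sources.
    for i in range(15):
        pkts.append(Packet(i * 0.3, f"10.0.0.{1 + i % 2}", SERVER, "icmp", 1400))
    # Ordinary 56-byte pings never satisfy dsize > 1000 and are never counted.
    for i in range(20):
        pkts.append(Packet(i * 0.5, "10.0.0.3", SERVER, "icmp", 56))
    # Burst 2 from a single source, after the 60-second window has expired.
    for i in range(12):
        pkts.append(Packet(70 + i * 0.2, "10.0.0.9", SERVER, "icmp", 1400))
    return pkts


def rule_from_example(track: str = "by-dst", ttype: str = "both") -> ThresholdRule:
    return ThresholdRule("icmp", SERVER, dsize_gt=1000, count=10, seconds=60,
                         track=track, ttype=ttype)


if __name__ == "__main__":
    for track, ttype in (("by-dst", "both"), ("by-src", "both"), ("by-dst", "limit")):
        print(track, ttype, len(run(rule_from_example(track, ttype), constructed_traffic())))
```

With track by-dst the first burst produces a single alert even though it comes from two sources, which is the right choice for protecting one server; with track by-src the same burst produces none, because neither source alone reaches ten packets.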

Page 425: ...cription "Slow Loris rule 1"
esr(config-ips-category-rule-advanced)# rule-text "alert tcp any any -> any 80 (msg:"Possible Slowloris Attack Detected"; flow:to_server,established; content:"X-a|3a|"; distance:0; pcre:"/\d\d\d\d/"; distance:0; content:"|0d 0a|"; sid:10000001;)"
Create another extended rule that works on a similar principle, to determine which rule is more effective:
esr(config-ips-category)# rule-advanced 2
esr(con...
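What the extended Slowloris rule above actually inspects, as an added example in Python (not ESR or Suricata code): the flow keywords restrict the check to established client-to-server data, and the content/pcre/content chain is matched relatively, each element being searched from the end of the previous match, which is what the distance:0 modifiers express. The HTTP flows are constructed; the example also shows that the signature keys on the "X-a:" header with a four-digit value, so a legitimate request carrying such a header also alerts.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Flow:
    to_server: bool      # flow:to_server
    established: bool    # flow:established
    payload: bytes       # reassembled client-side data


# The detection chain of the rule: "X-a:" then four digits then CRLF.
SLOWLORIS_CHAIN: List[Tuple[str, bytes]] = [
    ("content", b"X-a:"),       # content:"X-a|3a|"
    ("pcre", rb"\d\d\d\d"),     # pcre:"/\d\d\d\d/"
    ("content", b"\r\n"),       # content:"|0d 0a|"
]


def match_chain(payload: bytes, chain: List[Tuple[str, bytes]]) -> Optional[int]:
    """Return the offset just past the final match, or None if any step fails.

    Each step searches from the end of the previous match (relative matching),
    not from the beginning of the payload."""
    pos = 0
    for kind, pattern in chain:
        if kind == "content":
            idx = payload.find(pattern, pos)
            if idx < 0:
                return None
            pos = idx + len(pattern)
        else:
            m = re.compile(pattern).search(payload, pos)
            if m is None:
                return None
            pos = m.end()
    return pos


def slowloris_alert(flow: Flow) -> bool:
    """Apply the flow keywords first, then the content chain, as the rule does."""
    if not (flow.to_server and flow.established):
        return False
    return match_chain(flow.payload, SLOWLORIS_CHAIN) is not None


# Constructed flows (not captured traffic).
SLOWLORIS_PARTIAL = Flow(True, True,
    b"GET / HTTP/1.1\r\nHost: victim\r\nUser-Agent: Mozilla/4.0\r\n"
    b"Content-Length: 42\r\nX-a: 3819\r\n")           # header block never terminated
NORMAL_GET = Flow(True, True,
    b"GET /index.html HTTP/1.1\r\nHost: victim\r\nUser-Agent: curl/7.68\r\n\r\n")
SHORT_VALUE = Flow(True, True, b"X-a: 38\r\n")         # only two digits: pcre step fails
SERVER_SIDE = Flow(False, True, b"HTTP/1.1 200 OK\r\nX-a: 1234\r\n\r\n")  # wrong direction
CUSTOM_HEADER = Flow(True, True,
    b"GET / HTTP/1.1\r\nHost: victim\r\nX-a: 2020\r\n\r\n")  # complete request, still alerts

if __name__ == "__main__":
    for name, f in [("slowloris", SLOWLORIS_PARTIAL), ("normal", NORMAL_GET),
                    ("short", SHORT_VALUE), ("server", SERVER_SIDE), ("custom", CUSTOM_HEADER)]:
        print(name, slowloris_alert(f))
```

The CUSTOM_HEADER case is the reason the manual suggests writing a second rule on a similar principle and comparing: a content signature detects the tool's header, not the slow-request behaviour, so both its false-positive and its evasion surface are tied to that header.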

Page 426: ...of ransomware (encryptors): a set of ransomware URLs. Malicious object hashes: a set of file hashes covering the most dangerous and widespread as well as the newest malware. Malicious object hashes for mobile devices: a set of file hashes for detecting malicious objects that infect mobile devices. Botnet C&C URLs for mobile devices: a set of URLs with context information for identifying botnet...

Page 427: ...content-provider)# upgrade-interval, 1 to 240. 8. Specify a description (optional): esr(config-content-provider)# description LINE, where LINE is a string of 1 to 255 characters describing the server (edm in the example). 9. Create the IP address lists that will be used during filtering: esr(config)# object-group network WORD; esr(config-object-group-network)# ip prefix ADDR/LEN, where WORD is the list name, a string of up to 32 characters, and ADDR/LEN is a subnet written as AAA.BBB.CC...

Page 428: ...C&C URL exact data stream; Phishing URL Exact Data Feed: phishing URL exact data stream; Malicious URL Exact Data Feed: malicious URL exact data stream; IoT URL Data Feed: IoT URL data stream. 15. Specify the rule action: esr(config-ips-vendor-category)# rules action ACTION, where ACTION is drop | reject | alert | pass, the action applied to the packets: alert: traffic is allowed and the IPS/IDS service generates a message; reject: t...

Page 429: ...nd partition name on the external storage, in the format usb://Partition_name or mmc://Partition_name. 22. Enable IPS/IDS: esr(config-ips)# enable. 13.7.2 Configuration example. Set the content provider parameters (this is the address of the Eltex server; the router must have network reachability to the content provider server):
content-provider
  host address edm.eltex.co.ru
  host port 8098
  upgrade-interva...

Page 430: ...y policy:
security ips-policy policy0
  protect-network-group objectgroup0
  vendor kaspersky
    category MaliciousURLsDF
      rules action alert
      rules count 100
      enable
    exit
    category MobileBotnetCAndCDF
      rules action alert
      rules count 1000
      enable
    exit
    category APTIPDF
      rules action alert
      rules count 1000
      enable
    exit ...

Page 431: ...action alert
      rules count 1
      enable
    exit
    category MobileMaliciousHashDF
      rules action alert
      rules count 1
      enable
    exit
    category PSMSTrojanDF
      rules action alert
      rules count 1
      enable
    exit
    category PhishingURLsDF
      rules action alert
      rules count 1000
      enable
    exit
    category RansomwareURLsDF
      rules action alert
      rules count 1000
      enable
    exit
  exit
exit
Assign the IPS policy to the service and enable it:
security ip...

Page 432: ...to a particular category. The Kaspersky Lab database is used as the site category database: the ESR sends HTTPS requests to the Kaspersky Lab server https://ksn-vt.kaspersky-labs.com to determine a site's category, which means the names of the sites users request are disclosed to that external service. The content filtering service is built on the Intrusion Prevention System (IPS) and is configured as user IPS rules. 13.8.1 Basic configuration algorithm ...

Page 433: ...a content filter category profile: esr(config)# object-group content-filter NAME, where NAME is the content filtering profile name, a string of up to 31 characters. 9. Set the description of the content filter category profile (optional): esr(config-object-group-content-filter)# description DESCRIPTION, where DESCRIPTION is a string of up to 255 characters. 10. Set the content filtering cat...

Page 434: ...set of user rules (optional): esr(config-ips-category)# description DESCRIPTION, where DESCRIPTION is a string of up to 255 characters. 20. Create a rule and switch to its configuration mode: esr(config-ips-category)# rule ORDER, where ORDER is the rule number, 1 to 512. 21. Specify the rule description (optional): esr(config-ips-category-rule)# description DESCRIPTION, where DESCRIPTION is a st...

Page 435: ...values of 1 to 32; OBJ_GR_NAME is the name of the IP address profile that contains the source IP address, a string of up to 31 characters; protect uses the protected addresses defined in the IPS/IDS policy as source addresses; external uses the external addresses defined in the IPS/IDS policy as source addresses. With the value any, the rule matches any source IP address. 25. Set the profile of source TCP po...

Page 436: ...rule matches any destination IP address. 27. Set the profile of destination TCP ports for which the rule should trigger. Normally HTTP uses TCP port 80; where web servers run on non-standard ports, those ports have to be listed as well: esr(config-ips-category-rule)# destination-port any | PORT | object-group OBJ_GR_NAME, where PORT is the destination TCP/UDP port number, 1 to 6553...

Page 437: ...e: esr(config-ips-category-rule)# enable. 13.8.2 Content filtering rules configuration example. Objective: deny access from the local network 192.168.1.0/24 to HTTP sites in the categories adult content, casino, online betting and online lotteries. Solution: interfaces and firewall rules must already be configured on the device. Create a profile for the LAN addresses to be protected:
esr(config)# ...

Page 438: ...DATA
esr(config-ips)# policy OFFICE
esr(config-ips)# enable
The device will be used only as a security gateway, so allocate all available resources to the IPS/IDS service:
esr(config-ips)# perfomance max
Create a content filtering profile for the selected categories:
esr(config)# object-group content-filter Black
esr(config-object-group-content-filter)# vendor kaspersky-lab
esr(config-object-group-cf-kasper...

Page 439: ...Internet sites can also run on non-standard ports, so we specify any:
esr(config-ips-category-rule)# destination-port any
The destination address can be any site on the Internet:
esr(config-ips-category-rule)# destination-address any
Requests to the sites are sent from our local network:
esr(config-ips-category-rule)# source-address policy-object-group protect
Set the traffic direction:
esr(config-ips-categ...

Page 440: ...s during SMTP session pickup, analysis of the Unicode encodings present in the message text, and analysis of links in the message text for phishing. E-mails that fail most of these checks are discarded and do not reach the protected mail server. 13.9.1 Basic configuration algorithm. 1. Configure the router's network name: esr(config)# hostname NAME, where NAME is up to 64 cha...

Page 441: ...service profile (optional): esr(config-antispam-profile)# rule ORDER, where ORDER is the rule number, 1 to 100. 12. Set the description of the Antispam service profile rule (optional): esr(config-antispam-profile-rule)# description DESCRIPTION, where DESCRIPTION is up to 255 characters. 13. Specify the profile of sender IP addresses for which the rule should match (optional): esr(config-antispam-profile-rule)# sender-ip NAM...

Page 442: ...e-mail domain: esr(config-mailserver-domain)# enable. 23. Proceed to the mail server configuration: esr(config)# mailserver. 24. Set the name of the e-mail domain: esr(config-mailserver)# domain NAME, where NAME is up to 63 characters. 25. Specify the certificates and keys for TLS (optional): esr(config-mailserver)# tls keyfile TYPE NAME, where TYPE is the type of certificate or key file, possible values: ca (certificate authority), serv...

Page 443: ...P session (optional): esr(config-mailserver)# smtp vrfy enable. Note that VRFY lets any SMTP client check whether a mailbox exists, which helps address enumeration; leave it disabled unless it is required. 31. Enable the mail server: esr(config-mailserver)# enable. 13.9.2 Configuration example. Objective: configure the Antispam service on the ESR to act as an SMTP proxy that analyses e-mail addressed to the mail server in the enterprise network serving the eltex.co.ru domain. Solution: ensure that the MX record for the domain eltex.co.ru points to t...

Page 444: ...profile)# exit
Create a mail domain that will process e-mail for the eltex.co.ru domain and relay it to the local mail server. Attach the Antispam service profile created above to the mail domain so that mail in transit is analysed for spam:
esr(config-mailserver)# domain MainDomain
esr(config-mailserver-domain)# mail-domain eltex.co.ru
esr(config...

Page 445: ...tch to the configuration mode of the interface, tunnel or network bridge on which VRRP is to be configured: esr(config)# interface IF_TYPE IF_NUM, where IF_TYPE is the interface type and IF_NUM is F/S/P (F frame, 1; S slot, 0; P port); esr(config)# tunnel TUN_TYPE TUN_NUM, where TUN_TYPE is the tunnel type and TUN_NUM the tunnel number; esr(config)# bridge BR_NUM, where BR_NUM is the bridge number. 2. Configure the required parameters on the interface, tunnel or network brid...

Page 446: ...nother process, the roles are changed as well (optional): esr(config-if-gi)# vrrp group GRID; esr(config-if-gi)# ipv6 vrrp group GRID, where GRID is the VRRP router group identifier, 1 to 32. 8. Set the IP address used as the source address of VRRP messages (optional): esr(config-if-gi)# vrrp source-ip IP_ADDR, where IP_ADDR is written as AAA.BBB.CCC.DDD and each part takes values from 0 to ...

Page 447: ...ity Backup router tries to take the Master role from the current lower-priority Master (optional): esr(config-if-gi)# vrrp preemption disable; esr(config-if-gi)# ipv6 vrrp preemption disable. 15. Set the delay after which a higher-priority Backup router tries to take the Master role from the current lower-priority Master (optional): esr(config-if-gi)# vrrp preemption delay TIME ...

Page 448: ...the ND protocol information refresh period for IPv6 VRRP in the MASTER state (optional): esr(config-if-gi)# ipv6 vrrp timers nd-refresh TIME, where TIME is in seconds, 1 to 65535, default 5. 22. Specify the number of ND messages sent per refresh period for IPv6 VRRP in the MASTER state (optional): esr(config-if-gi)# ipv6 vrrp timers nd-refresh repeat NUM, where NUM is the count, 1 to 60, default ...

Page 449: ...0/5.50
R1(config-subif)# vrrp id 10
Specify the virtual gateway IP address 192.168.1.1/24:
R1(config-subif)# vrrp ip 192.168.1.1
Enable VRRP:
R1(config-subif)# vrrp
R1(config-subif)# exit
14.1.3 Configuration example 2. Objective: set up virtual gateways for subnet 192.168.20.0/24 in VLAN 50 and 192.168.1.0/24 in VLAN 60 using VRRP with the Master sync feature. To do this, the VRRP processes have to be grouped. IP address...

Page 450: ...ub-interfaces. Main configuration step: configure router R1. Configure VRRP for subnet 192.168.1.0/24 on the created sub-interface. Specify a unique VRRP identifier:
R1(config)# sub-interface gi 1/0/5.50
R1(config-subif)# vrrp id 10
Specify the virtual gateway IP address:
R1(config-subif)# vrrp ip 192.168.1.1
Specify the VRRP group identifier:
R1(config-subif)# vrrp group 5 ...

Page 451: ...racking configuration. VRRP tracking is a mechanism that activates static routes depending on the VRRP state. 14.2.1 Configuration algorithm. 1. Configure VRRP according to the section "VRRP configuration algorithm". 2. Add a tracking object to the system and switch to its configuration mode: esr(config)# tracking ID, where ID is the tracking object number and takes ...

Page 452: ...4. Enable the tracking object: esr(config-tracking)# enable ...

Page 453: ...55, and NN takes values of 1 to 32; NEXTHOP is the gateway IP address written as AAA.BBB.CCC.DDD, each part 0 to 255; resolve: with this parameter the gateway IP address is resolved recursively through the routing table, and if the recursive lookup does not find a gateway in a directly connected subnet, the route is not installed in the system; IF is the name of an IP interface...

Page 454: ...ng object identifier. If the route is bound to the tracking object, it appears in the system only once all conditions specified in the object are met. 6. Configure the IP address whose availability is checked with pings (ICMP must be allowed through the firewall): esr(config-bridge)# vrrp track ip AAA.BBB.CCC.DDD, where AAA.BBB.CCC.DDD is the host IP address and each part takes values from 0 to 255. 7. T...

Page 455: ...ate traffic from the PC is forwarded without any additional settings. When router R1 is in the VRRP Master state, an additional route to subnet 10.0.1.0/24 via 192.168.1.2 is required. Initial configurations of the routers. 1. Router R1:
hostname R1
interface gigabitethernet 1/0/1
  switchport forbidden default-vlan
exit
interface gigabitethernet 1/0/1.741
  ip firewall disable
  ip address 192.16...

Page 456: ...10.0.1.1/24
exit
Solution. No changes are needed on router R2: subnet 10.0.1.0/24 terminates on it, so while R2 is VRRP Master, packets are forwarded to the corresponding interface. When R1 becomes VRRP Master, a route for packets destined to network 10.0.1.0/24 must be installed. Create a tracking object with the corresponding condition:
R1(config)# track...
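How the VRRP knobs from the preceding sections interact with a tracking object, as an added example in Python (not ESR firmware code): priority decides the initial election, preemption disable keeps a lower-priority Master in place when the higher-priority router returns, preemption delay postpones the takeover, and a static route bound to a tracking object is installed only while its router is Master, as in the R1/R2 scenario above. The model steps one second at a time and treats Master-down detection as immediate (real VRRP waits about three advertisement intervals); the priorities 150/100 and the outage times are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class VrrpRouter:
    name: str
    priority: int
    preempt: bool = True          # "vrrp preemption disable" sets this to False
    preempt_delay: int = 0        # "vrrp preemption delay TIME", in seconds
    up: bool = False
    up_since: Optional[int] = None


def simulate(routers: List[VrrpRouter], events: Dict[int, List[Tuple[str, str]]],
             until: int, tracked: str):
    """One-second-step VRRP model.

    events maps a time to [(router name, "up"|"down"), ...]; tracked names the
    router whose static route is bound to a tracking object requiring Master.
    Returns ([(t, master name)], [(t, route installed)]), logged on each change."""
    by_name = {r.name: r for r in routers}
    master: Optional[VrrpRouter] = None
    master_log: List[Tuple[int, Optional[str]]] = []
    route_log: List[Tuple[int, bool]] = []
    for t in range(until + 1):
        for rname, ev in events.get(t, []):
            r = by_name[rname]
            r.up = ev == "up"
            r.up_since = t if r.up else None
        live = [r for r in routers if r.up]
        if master is None or not master.up:
            # (Re)election: the highest-priority live router becomes Master.
            master = max(live, key=lambda r: r.priority, default=None)
        else:
            for r in live:
                if (r.priority > master.priority and r.preempt
                        and t - r.up_since >= r.preempt_delay):
                    master = r        # higher-priority Backup takes over
        name = master.name if master else None
        if not master_log or master_log[-1][1] != name:
            master_log.append((t, name))
        installed = name == tracked   # tracking object: route only while Master
        if not route_log or route_log[-1][1] != installed:
            route_log.append((t, installed))
    return master_log, route_log


def scenario(preempt: bool = True, delay: int = 0):
    """Constructed scenario: R1 (priority 150) fails at t=10 and returns at t=40."""
    r1 = VrrpRouter("R1", priority=150, preempt=preempt, preempt_delay=delay)
    r2 = VrrpRouter("R2", priority=100)
    events = {0: [("R1", "up"), ("R2", "up")], 10: [("R1", "down")], 40: [("R1", "up")]}
    return simulate([r1, r2], events, until=90, tracked="R1")


if __name__ == "__main__":
    for args in [(True, 0), (True, 30), (False, 0)]:
        print(args, scenario(*args))
```

With preemption disabled the route on R1 is never re-installed after the outage, because R2 keeps the Master role; the preemption delay keeps R1 from flapping the route the instant it comes back, before its own uplinks have settled.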

Page 457: ...Configuring a server for remote access to the corporate network via PPTP. PPTP (Point-to-Point Tunneling Protocol) lets a computer establish a tunnelled connection to a server across a shared, untrusted network. PPTP encapsulates PPP frames in IP packets for transmission over a global IP network such as the Internet. Note that PPTP's MS-CHAP authentication and MPPE encryption have well-known weaknesses; for new deployments prefer L2TP over IPsec (section 15.2) or OpenVPN (section 15.3). PPTP may be used...

Page 458: ...TWORK_NAME | ip address ADDR, where OBJ_GROUP_NETWORK_NAME is the name of the IP address profile that includes the local gateway IP address, a string of up to 31 characters, and ADDR is the range starting IP address, written as AAA.BBB.CCC.DDD with each part from 0 to 255. 5. Specify the IP address list from which dynamic IP addresses are leased to remote PPTP users: esr(config-pptp-server)# remote-address object-g...

Page 459: ...password ascii-text PASSWORD | encrypted PASSWORD, where PASSWORD is the user password, a string of up to 32 characters. 10. Activate the user when local user authentication is used: esr(config-pptp-user)# enable. 11. Include the PPTP server in a security zone and configure interaction rules between zones, or disable the firewall (see section "Firewall configuration"): esr(config-pptp-server)# security-zone NAME, where NAME is the security zon...

Page 460: ...S servers that will be used by remote users (optional): esr(config-pptp-server)# wins-servers object-group OBJ_GROUP_NETWORK_NAME, where OBJ_GROUP_NETWORK_NAME is the name of the IP address profile that includes the required WINS server addresses, a string of up to 31 characters. 15.1.2 Configuration example. Objective: configure a PPTP server on the router. PPTP server address: 120.11.5.1; gateway inside the tunnel: ...

Page 461: ...group-network)# exit
Create the PPTP server and bind the profiles listed above:
esr(config)# remote-access pptp remote-workers
esr(config-pptp)# local-address object-group pptp_local
esr(config-pptp)# remote-address object-group pptp_remote
esr(config-pptp)# outside-address object-group pptp_outside
esr(config-pptp)# dns-servers object-group pptp_dns
Select the authentication method for PPTP server users:
esr(config-pptp)# a...

Page 462: ...remote-access configuration pptp remote-workers. 15.2 Configuring a server for remote access to the corporate network via L2TP. L2TP (Layer 2 Tunneling Protocol) is a tunneling protocol used to support virtual private networks. L2TP encapsulates PPP frames in IP packets for transmission over a global IP network such as the Internet. L2TP itself provides no confidentiality; on the ESR it is combined with IPsec, as the configuration example in this section shows. L2TP may be used to establish a tunnel between two local...

Page 463: ...ress of the local gateway, or disable the firewall for the L2TP server: esr(config-l2tp-server)# local-address object-group OBJ_GROUP_NETWORK_NAME | ip address ADDR, where OBJ_GROUP_NETWORK_NAME is the name of the IP address profile that includes the local gateway IP address, a string of up to 31 characters, and ADDR is the range starting IP address, written as AAA.BBB.CCC.DDD with each part from 0 to 255. 5. Specify the IP ...

Page 464: ...e the L2TP server in a security zone and configure interaction rules between zones (see section "Firewall configuration"): esr(config-l2tp-server)# security-zone NAME, where NAME is the security zone name, a string of up to 31 characters. 9. Specify the user name when the local authentication base is used: esr(config-l2tp-server)# username NAME, where NAME is the user name, a string of up to 12 characters. 10. Specify the user password ...

Page 465: ...nfig-l2tp-server)# dscp DSCP, where DSCP is the DSCP priority of outgoing packets, 0 to 63. 16. Specify the MTU (Maximum Transmission Unit) for the server (optional; an MTU above 1500 takes effect only when the system jumbo-frames command is used): esr(config-l2tp-server)# mtu MTU, where MTU takes values from 1280 to 1500, default 1500. 17. Define the list of DNS servers used by remote users (optional): es...

Page 466: ...formed on a RADIUS server. L2TP server address: 120.11.5.1; gateway inside the tunnel: 10.10.10.1; RADIUS server address: 192.168.1.4. IPsec uses pre-shared key authentication with the key "password" (an example value only; use a long random key in production). Solution. First: configure the RADIUS server connection; configure zones for the te1/0/1 and gi1/0/1 interfaces; specify IP addresses for the te1/0/1 and gi1/0/1 interfaces. ...

Page 467: ...10.15
esr(config-l2tp)# outside-address ip address 120.11.5.1
esr(config-l2tp)# dns-server object-group l2tp_dns
Select the authentication method for L2TP server users:
esr(config-l2tp)# authentication mode radius
Specify the security zone that user sessions will belong to:
esr(config-l2tp)# security-zone VPN
Specify the authentication method for IKE phase 1 and define the authentication key:
esr(config-l2tp)# ipsec a...

Page 468: ...ate an OpenVPN server profile: esr(config)# remote-access openvpn NAME, where NAME is the OpenVPN server profile name, a string of up to 31 characters. 2. Specify the description of the configured server (optional): esr(config-openvpn-server)# description DESCRIPTION, where DESCRIPTION is the OpenVPN server description, a string of up to 255 characters. 3. Define the subnet from which IP addresses are leased to users (only...

Page 469: ...ly for tunnel ethernet): esr(config-openvpn-server)# bridge-group BRIDGE_ID, where BRIDGE_ID is the bridge number. 8. Specify certificates and keys: esr(config-openvpn-server)# certificate CERTIFICATE_TYPE NAME, where CERTIFICATE_TYPE is the certificate or key type and may take the values ca (Certificate Authority), crl (Certificate Revocation List), dh (Diffie-Hellman parameters), server-crt (public server certificate), server-key (pr...

Page 470: ...openvpn-server)# enable. 15. Block data transmission between clients (optional): esr(config-openvpn-server)# client-isolation. 16. Set the maximum number of simultaneous user sessions (optional): esr(config-openvpn-server)# client-max VALUE, where VALUE is the maximum number of users, 1 to 65535. 17. Enable compression of data transmitted between clients and the OpenVPN server (optional; compressing traffic that carries attacker-influenced data leaks information about the plaintext, the VORACLE class of attacks, and the OpenVPN project recommends leaving compression disabled...

Page 471: ...lly): esr(config-openvpn-server)# timers holdtime TIME, where TIME is in seconds, 1 to 65535, default 120. 23. Set the interval at which the connection to the peer is checked (optional): esr(config-openvpn-server)# timers keepalive TIME, where TIME is in seconds, 1 to 65535, default 10. 24. Allow several users with the same certificate to connect to the OpenVPN server; note that a shared certificate removes per-client accountability and cannot be revoked for one compromised client without cutting off all the others...

Page 472: ...0 ecdsa-with-sha1; 224-bit digest: sha-224, rsa-sha-224; 256-bit digest: sha-256, rsa-sha-256; 384-bit digest: sha-384, rsa-sha-384; 512-bit digest: sha-512, rsa-sha-512; whirlpool. Default value: sha. 15.3.2 Configuration example. Objective: configure an OpenVPN server in L3 mode on the router for remote user connection to the LAN. OpenVPN server subnet: 10.10.100.0/24; mode: L3; authentication based on cer...

Page 473: ...ocol tcp
Advertise the LAN subnets that will be reachable over the OpenVPN connection and define the DNS server:
esr(config-openvpn)# route 10.10.0.0/20
esr(config-openvpn)# dns-server 10.10.1.1
Specify the previously imported certificates and keys to be used by the OpenVPN server:
esr(config-openvpn)# certificate ca ca.crt
esr(config-openvpn)# certificate dh dh.pem
esr(config-openvpn)# certificate server-key server.key
esr(config...

Page 474: ...nection used to carry IP packets that also provides PPP features. This allows conventional PPP-oriented software to set up a connection over a packet-oriented network such as Ethernet instead of a serial link, giving the classic login-and-password connection for Internet access. In addition, the IP address on the far side of the connection is assig...

Page 475: ...E tunnel in a security zone and configure interaction rules between zones see section Firewall configuration esr config pppoe security zone NAME NAME security zone name set by the string of up to 31 characters 7 Enable a configured profile esr config pppoe enable 8 Specify authentication method optionally esr config pppoe authentication method METHOD METHOD authentication method possible values ch...

Page 476: ...Default value 10 13 Change the time interval in seconds after which the router sends a keepalive message optional esr config pppoe ppp timeout keepalive TIME TIME time in seconds takes values of 1 32767 Default value 10 14 Override the MSS Maximum segment size field in incoming TCP packets optional esr config pppoe ip tcp adjust mss MSS MSS MSS value takes values in the range of 500 1460 Default v...

Page 477: ...ernet 1 0 7 interface Solution Pre configure PPPoE server with the accounts Enter the PPPoE client configuration mode and disable the firewall esr configure esr config tunnel pppoe 1 esr config pppoe ip firewall disable Specify user name and password for connection to PPPoE server esr config pppoe username tester password ascii text password ...

Page 478: ...or tunnel handling 15 5 1 Configuration algorithm Step Description Command Keys 1 Create a PPTP tunnel and switch to its configuration mode esr config tunnel pptp INDEX INDEX tunnel identifier set in the range of 1 10 2 Specify the description of the configured tunnel optionally esr config pptp description DESCRIPTION DESCRIPTION tunnel description set by the string of up to 255 characters 3 Speci...

Page 479: ...haracters may include 0 9a fA F characters HEX encrypted password set by the string of 16 128 characters 8 Enable the tunnel esr config pptp enable 9 Override the MSS Maximum segment size field in incoming TCP packets optional esr config pptp ip tcp adjust mss MSS MSS MSS value takes values in the range of 500 1460 Default value 1460 10 Ignore the default route via the given PPTP tunnel optionally...

Page 480: ...nfig pptp ppp timeout keepalive TIME TIME time in seconds takes values of 1 32767 Default value 10 15 Change the number of failed data link tests before breaking the session optional esr config pptp ppp failure count NUM NUM the number of failed data link tests specified in the range 1 100 Default value 10 15 5 2 Configuration example Objective Configure PPTP tunnel on a router PPTP server address...

Page 481: ...e the following command esr show tunnels counters pptp To view the tunnel configuration use the following command esr show tunnels configuration pptp 15 6 Configuring remote access client via L2TP L2TP Layer 2 Tunneling Protocol is a sophisticated tunneling protocol used to support virtual private networks L2TP encapsulates PPP frames into IP packets for transmission via global IP network e g the ...

Page 482: ...or disable firewall see section Firewall configuration esr config l2tp security zone NAME NAME security zone name set by the string of up to 31 characters esr config l2tp ip firewall disable 5 Set remote IP address for tunnel installation esr config l2tp remote address ADDR ADDR local gateway IP address defined as AAA BBB CCC DDD where each part takes values of 0 255 6 Specify the user and set an ...

Page 483: ... Enable the tunnel esr config l2tp enable 10 Specify MTU size MaximumTransmissionUnit for the tunnel optional esr config l2tp mtu MTU MTU MTU value takes values in the range of for ESR 10 12V F 14VF 552 9600 for ESR 20 21 552 9500 for ESR 100 200 1000 1200 1500 1511 1700 552 10000 for ESR 3100 552 9190 Default value 1500 11 Ignore the default route via the given L2TP tunnel optionally esr config l...

Page 484: ...ig l2tp ppp failure count NUM NUM the number of failed data link tests specified in the range 1 100 Default value 10 It is also possible to configure QoS in basic or advanced mode for the PPPoE client see section QoS management 15 6 2 Configuration example Objective Configure PPTP tunnel on a router PPTP server address 20 20 0 1 account for connection login ivan password simplepass Solution Create...

Page 485: ...d pre shared key Specify IPsec security key esr config l2tp ipsec authentication pre shared key ascii text password Enable L2TP tunnel esr config l2tp enable To view the tunnel status use the following command esr show tunnels status l2tp To view sent and received packet counters use the following command esr show tunnels counters l2tp To view the tunnel configuration use the following command esr...

Page 486: ...options to network devices for example default router IP address of the router used as default gateway domain name domain name which will be used by client while solving host names via domain name system DNS dns server list of domain name server addresses for the current network that should be known by the client Server addresses are listed in descending order of their preference 16 1 1 Configurat...

Page 487: ... part AAA DDD takes values of 0 255 and EE takes values of 1 32 esr config ipv6 dhcp server network IPV6 ADDR LEN IPV6 ADDR LEN IP address and prefix of a subnet defined as X X X X X EE where each X part takes values in hexadecimal format 0 FFFF and EE takes values of 1 128 5 Add IPv4 IPv6 addresses range to the address pool of configurable DHCP server esr config dhcp server address range FROM ADD...

Page 488: ...onfig ipv6 dhcp server address ADDR mac address MAC IPV6 ADDR client IPv6 address defined as X X X X X where each part takes values in hexadecimal format 0 FFFF MAC MAC address of the client which will be given the IP address defined as XX XX XX XX XX XX where each part takes the values of 00 FF 7 Specify the list of default gateway IPv4 addresses which will be transmitted by DHCP server to client...

Page 489: ...max lease time TIME TIME maximal IP address lease time sets in format DD HH MM where DD amount of days takes values of 0 364 HH amount of hours takes values of 0 23 MM amount of minutes takes the value of 0 59 Default value 1 day esr config ipv6 dhcp server max lease time TIME 11 Specify the lease time for which a client will be given IP address optionally This time will be used if a client did no...

Page 490: ...e Configure DHCP server operation in a local network that belongs to the trusted security zone Specify IP address pool from 192 168 1 0 24 subnet for distribution to clients Specify address lease time equal to 1 day Configure transmission of the default route domain name and DNS server addresses to clients using DHCP options Solution Create trusted security zone and determine the inherence of the ...

Page 491: ...68 1 1 esr config dhcp server dns server 172 16 0 1 8 8 8 8 esr config dhcp server exit To enable IP address distribution from the configurable pool by DHCP server IP interface should be created on the router that belongs to the same subnet as the pool addresses esr config interface gigabitethernet 1 0 1 esr config if gi security zone trusted esr config if gi ip address 192 168 1 1 24 esr config i...

Page 492: ...cp_server esr config zone rule action permit esr config zone rule enable esr config zone rule exit esr config zone pair exit Enable server operation esr config ip dhcp server esr config exit To view the list of leased addresses use the following command esr show ip dhcp binding To view the configured address pools use the following commands esr show ip dhcp server pool esr show ip dhcp server pool...

Page 493: ... up to 31 characters 6 Specify VRF instance in which the given rule group will operate optionally esr config dnat ruleset ip vrf forwarding VRF VRF VRF name set by the string of up to 31 characters 7 Set the rule group scope The rules will be applied only to traffic coming from a certain zone or interface esr config dnat ruleset from zone NAME interface IF tunnel TUN default NAME isolation zone na...

Page 494: ...E TYPE NAME ICMP_TYPE ICMP message type takes values of 0 255 ICMP_CODE ICMP message code takes values of 0 255 Any value points at any message code TYPE NAME ICMP message type name 13 Specify the action translation of source address and port for the traffic meeting the requirements of match commands esr config dnat rule action destination nat off pool NAME netmap ADDR LEN off translation is disab...

Page 495: ... configuration example Objective Establish access from the public network that belongs to the UNTRUST zone to LAN server in TRUST zone Server address in LAN 10 1 1 100 Server should be accessible from outside the network address 1 2 3 4 access port 80 ...

Page 496: ...r config object group network exit esr config object group service SRV_HTTP esr config object group service port 80 esr config object group service exit esr config object group network SERVER_IP esr config object group network ip address 10 1 1 100 esr config object group network exit Proceed to DNAT configuration mode and create destination address and port pool that will be used for translation ...

Page 497: ...r rule action permit esr config zone pair rule enable esr config zone pair rule exit esr config zone pair exit esr config exit Configuration changes will take effect when the configuration is applied esr show ip nat destination pools esr show ip nat destination rulesets esr show ip nat proxy arp esr show ip nat translations 16 3 Source NAT configuration Source NAT SNAT function substitutes source ...

Page 498: ... range of external TCP UDP ports which will replace a source TCP UDP port esr config snat pool ip port range PORT ENDPORT PORT TCP UDP port of the beginning of range takes values of 1 65535 ENDPORT TCP UDP port of the end of range takes values of 1 65535 If TCP UDP port of the end of the range is not specified only TCP UDP port of the beginning of the range is used as TCP UDP port for translation ...

Page 499: ... by the string of up to 31 characters Any value points at any source IP address 12 Specify the profile of IP addresses sender recipient for which the rule should work optionally esr config snat rule match not source destination port PORT SET NAME PORT SET NAME port profile name set by the string of up to 31 characters Any value points at any source TCP UDP port 13 Set name or number of IP for whic...

Page 500: ...2 interface FIRST_PORT LAST_PORT specify the translation to the interface IP address If the range of TCP UDP ports is additionally specified the translation will occur only for the sender TCP UDP ports included in the specified range 16 Activate a configured rule esr config snat rule enable 1 When using the not key the rule will work for values which are not included in a specified profile Each ma...

Page 501: ...xit esr config interface tengigabitethernet 1 0 1 esr config if te ip address 100 0 0 99 24 esr config if te security zone UNTRUST esr config if te exit For SNAT function configuration and definition of rules for security zones create LOCAL_NET LAN address profile that includes addresses which are allowed to access the public network and PUBLIC_POOL public network address profile esr config object...

Page 502: ... the rules are applying only to packets transferred to public network into the UNTRUST zone Rules include a check which ensures that data source address belongs to LOCAL_NET pool esr config snat ruleset SNAT esr config snat ruleset to zone UNTRUST esr config snat ruleset rule 1 esr config snat rule match source address LOCAL_NET esr config snat rule action source nat pool TRANSLATE_ADDRESS esr con...

Page 503: ...des addresses which are allowed to access the public network and PUBLIC_POOL public network address profile esr config object group network LOCAL_NET esr config object group network ip address range 21 12 2 2 21 12 2 254 esr config object group network exit esr config object group network PUBLIC_POOL esr config object group network ip address range 200 10 0 100 200 10 0 249 esr config object group...

Page 504: ... as a gateway address On the router you should create the route for public network Specify this route as a default using the following command esr config ip route 0 0 0 0 0 200 10 0 254 esr config exit 16 4 Static NAT configuration Static NAT static NAT sets a unique match between two addresses In other words when passing through the router the address is changed to another strictly specified one ...

Page 505: ...figuration create LOCAL_NET LAN address profile that includes local subnet and PUBLIC_POOL public network address profile esr config object group network LOCAL_NET esr config object group network ip prefix 21 12 2 0 24 esr config object group network exit esr config object group network PUBLIC_POOL esr config object group network ip prefix 200 10 0 0 24 esr config object group network exit The ran...

Page 506: ...e to the ARP requests for addresses from the PROXY translation pool you should launch ARP Proxy service ARP Proxy service is configured on the interface that IP address from PROXY address profile subnet belongs to esr config interface tengigabitethernet 1 0 1 esr config if te ip nat proxy arp PROXY To enable 200 10 0 0 24 network access for LAN devices they should be configured for routing 21 12 2...

Page 507: ... config ip http proxy listen ports OBJ_GROUP_NAME OBJ_GROUP_NAME port profile name set by string of up to 31 characters 9 Specify a listening port for proxying optional esr config ip https proxy listen ports OBJ_GROUP_NAME OBJ_GROUP_NAME port profile name set by string of up to 31 characters 10 Specify a base port for proxying optional esr config ip https proxy redirect port PORT PORT port number ...

Page 508: ...lf a predefined security zone for traffic entering the ESR itself 17 Create an interzone interaction rule set esr config zone pair rule rule number rule number 1 10000 18 Specify rule description optional esr config zone rule description description description up to 255 characters 19 Specify the given rule force esr config zone rule action action log action permit log activation key for logging o...

Page 509: ... for the created set of URLs esr configure esr config object group url test1 esr config object group url url http speedtest net esr config object group url url http www speedtest net esr config object group url url https speedtest net esr config object group url url https www speedtest net esr config object group url exit If the Firewall function on the ESR is not forcibly disabled you must create...

Page 510: ...roup service exit Create a permissive interzonal interaction rule esr config security zone pair LAN self esr config zone pair rule 50 esr config zone pair rule action permit esr config zone pair rule match protocol tcp esr config zone pair rule match destination port proxy esr config zone pair rule enable esr config zone pair rule exit esr config zone pair exit NTP Network Time Protocol network pr...

Page 511: ... seconds it is calculated by raising two to power that is specified by the command parameter takes the value of 4 6 Default value 6 26 64 seconds or 1 minutes 4 seconds 6 Mark this NTP server as preferred optional esr config ntp prefer 7 Define a list of trusted IP addresses with which ntp packets can be exchanged optional esr config ntp access addresses NAME NAME IP addresses profile name set by ...

Page 512: ...ofile name set by the string of up to 31 characters 15 Specify source IP addresses for NTP packets for all peers optional esr config ntp source address ADDR ADDR IP address defined as AAA BBB CCC DDD where each part takes values of 0 255 16 Set the current time and date manually optional esr set date TIME DAY MONTH YEAR TIME system timer defined as HH MM SS where HH hours takes the value of 0 23 M...

Page 513: ...esr confirm Command to view the current configuration of the NTP protocol esr show ntp configuration Command to view the current state of NTP servers peers First do the following specify security zone for gi1 0 1 interface configure the IP address for the gi1 0 1 interface to provide IP connectivity to the NTP server Example security zone untrust exit object group service NTP port range 123 exit i...

Page 514: ...esr show ntp peers ...

Page 515: ...d for traffic accounting and analysis Netflow allows transmitting traffic information source and destination address port quantity of information from the network equipment sensor to the collector Common server may serve as a collector 17 1 1 Configuration algorithm Step Description Command Keys 1 Specify Netflow protocol version esr config netflow version VERSION VERSION Netflow protocol version ...

Page 516: ... CCC DDD where each part takes values of 0 255 7 Set the Netflow service port on the statistics collection server esr config netflow host port PORT PORT UDP port number in the range of 1 65535 Default value 2055 8 Enable statistics sending to the Netflow server in the interface tunnel network bridge configuration mode esr config if gi ip netflow export 17 1 2 Configuration example Objective Establ...

Page 517: ...computer network wireless network and network device monitoring standard designed for traffic accounting and analysis 17 2 1 Configuration algorithm Step Description Command Keys 1 Set the rate of sending the unchanged user traffic packets to sFlow collector esr config sflow sampling rate RATE RATE rate of sending the user traffic packets to the collector takes the value of 1 10000000 If the rate ...

Page 518: ...ng to the sFlow server in the interface tunnel network bridge configuration mode esr config if gi ip sflow export 17 2 2 Configuration example Objective Establish accounting for traffic between trusted and untrusted zones Solution Create two security zones for ESR networks esr configure esr config security zone TRUSTED esr config zone exit esr config security zone UNTRUSTED esr config zone exit Co...

Page 519: ...i exit esr config interface gi1 0 2 3 esr config if gi security zone TRUSTED esr config if gi exit esr config interface gi1 0 2 esr config if gi ip address 192 168 1 5 24 esr config if gi exit esr config interface gi1 0 3 esr config if gi ip address 192 168 3 5 24 esr config if gi exit Specify collector IP address esr config sflow collector 192 168 1 8 ...

Page 520: ...destination address any esr config zone pair rule enable Enable sFlow on the router esr config sflow enable SFlow configuration for traffic accounting from the interface is performed by analogy to Netflow configuration 17 3 SNMP configuration SNMP Simple Network Management Protocol is a protocol designed for device management in IP networks featuring TCP UDP architecture SNMP provides management d...

Page 521: ... IP addresses from which snmp requests are processing set by the string of up to 31 characters VERSION the snmp version supported by this community takes the values v1 or v2c VIEW NAME SNMP view profile name set by the string of up to 31 characters VRF VRF instance name set by the string of up to 31 characters for which access will be granted 3 Set the value of SNMP variable that contains contact ...

Page 522: ...r config snmp user authentication access TYPE TYPE security mode auth used only for authentication priv both authentication and data encryption are used 10 Specify SNMPv3 queries authentication algorithm esr config snmp user authentication algorithm ALGORITHM ALGORITHM encryption algorithm md5 password is hashed by md5 algorithm sha1 password is encrypted by sha1 algorithm 11 Set the password for ...

Page 523: ... X X where each part takes values in hexadecimal format 0 FFFF 14 Enable SNMPv3 user esr config snmp user enable Default value process is disabled 15 Specify the transmitted data encryption algorithm esr config snmp user privacy algorithm ALGORITHM ALGORITHM encryption algorithm aes128 use AES 128 encryption algorithm des use DES encryption algorithm 16 Set password for the transmitted data encryp...

Page 524: ...mber in the range of 1 65535 Default value 162 19 Allow different types of SNMP notifications to be sent esr config snmp server enable traps TYPE TYPE type of filtered messages May take the following values config entry entry sensor environment envmon files operations flash flash operations interfaces links ports screens snmp syslog Additional parameters depend on the filter type See ESR Series CL...

Page 525: ...Solution First do the following Specify zone for gi1 0 1 interface Configure IP address for gi1 0 1 interface Main configuration step Enable SNMP server esr config snmp server Create SNMPv3 user esr config snmp server user admin ...

Page 526: ...eceiver server of Trap PDU messages esr config snmp server host 192 168 52 41 17 4 Zabbix agent proxy configuration Zabbix agent agent designed to monitor the device as well as execute remote commands from the Zabbix server The agent can operate in two modes passive and active To operate in passive mode by default you need an allow rule in the firewall tcp protocol port 10050 For active mode tcp p...

Page 527: ... ADDR PORT ADDR server IP address defined as AAA BBB CCC DDD where each part takes values of 0 255 PORT server port set in the range of 1 65535 Default value 10051 5 Specify the port that will be listened by the agent proxy optional esr config zabbix port PORT esr config zabbix proxy port PORT PORT port that will be listened by zabbix agent proxy may take values in the range of 1 65535 Default val...

Page 528: ...TCP ports 10050 10051 from the appropriate firewall security zone See Firewall configuration 17 4 2 Zabbix agent configuration example Objective Configure the interaction between the agent and the server to execute remote commands from the server Solution In the context of the agent settings specify the address of the Zabbix server and the address from which the server will interact esr config zab...

Page 529: ...esr config zabbix timeout 30 esr config zabbix enable 17 4 3 Zabbix server configuration example Create the host ...

Page 530: ...ng the c key with the number of packets in the test is mandatory Without this key the ping command will not stop on its own and the test will not be considered complete Ping in VRF zabbix_get s HOST CONN p 10050 k system run sudo netns exec n backup sudo ping 192 168 32 101 c 5 W 2 The command above will be executed in the specified VRF with backup name Fping zabbix_get s HOST CONN p 10050 k syste...

Page 531: ...2 168 32 179 Iperf zabbix_get s HOST CONN p 10050 k system run sudo iperf c 192 168 32 101 u b 100K i 1 t 600 The client ESR that received this command from the server will execute iperf command to the specified server in our example up to 192 168 32 101 and return the result to the server Iperf in VRF zabbix_get s HOST CONN p 10050 k system run sudo netns exec n backup sudo iperf c 192 168 32 101...

Page 532: ...te commands that do not require privileges such as snmpget cat pwd wget and others Example of the snmpget command execution 17 5 Syslog configuration Syslog system log standard for sending and registering messages about events occurring in the system is used in networks operating over IP ...

Page 533: ...ges provide the user with information to correctly configure the system none disables the output of syslog messages to the console 2 Set the level of syslog messages that will be displayed during remote connections Telnet SSH optionally esr config syslog monitor SEVERITY 3 Enable the process of logging user commands entered to the local syslog server optionally esr config syslog cli commands 4 Ena...

Page 534: ... 255 SEVERITY importance level of the message optional parameter possible values are given in section Syslog configuration example TRANSPORT data transfer protocol optional parameter takes values TCP data transmission is carried out by TCP UDP data transmission is carried out by UDP PORT number of TCP UDP port optional parameter takes values of 1 65535 default value is 514 8 Enable debugging outpu...

Page 535: ...m process changes are made to the user profile ESR router IP address 192 168 52 8 Syslog server IP address 192 168 52 41 Use default settings for sending messages UDP protocol port 514 Solution First do the following Specify zone for gi1 0 1 interface Configure IP address for gi1 0 1 interface 1 Main configuration step Create a file on the router for syslog the level of messages for logging info e...

Page 536: ...onfiguration changes come into effect after applying the following commands esr commit Configuration has been successfully committed esr confirm Configuration has been successfully confirmed View the current syslog configuration esr show syslog configuration View the syslog entries esr show syslog ESR 17 6 Integrity check Integrity check involves checking the integrity of stored executable files 1...

Page 537: ...le backup mode esr config archive 2 Set router configuration backup type optional esr config archive type TYPE TYPE type of the router configuration backup Takes the following values local remote both Default value remote 3 Enable timer configuration backup mode optional esr config archive auto 4 Enable configuration backup after each successful configuration application mode optional esr config a...

Page 538: ...figuration backups Takes values in the range of 1 100 Default value 1 17 7 2 Configuration example Objective Configure local and remote backup of the router configuration once a day and upon successful configuration change Remote copies should be sent to the tftp server 172 16 252 77 in the esr example subfolder The maximum number of local copies is 30 Solution For successful operation of remote c...

Page 539: ...e period 1440 Enable archiving of router configuration by timer and upon successful configuration change esr config archive auto esr config archive by commit After applying this configuration once a day and with each successful change of the router configuration a configuration file with the esr exampleYYYYMMDD_HHMMSS cfg name will be sent to the tftp server Also on the router itself in the flash ...

Page 540: ... by the string of up to 31 characters 2 Set the password for authentication on remote RADIUS server esr config radius server key ascii text TEXT encrypted ENCRYPTED TEXT TEXT string of 8 16 ASCII characters ENCRYPTED TEXT encrypted password 8 16 bytes size set by the string of 16 32 characters 3 Create AAA profile esr config aaa radius profile NAME NAME server profile name set by the string of up ...

Page 541: ...e string of up to 31 characters 11 Select RADIUS server profile to obtain the user service parameters esr config subscriber control aaa services radius profile NAME NAME RADIUS server profile name set by the string of up to 31 characters 12 Select RADIUS server profile to obtain the user session parameters esr config subscriber control aaa sessions radius profile NAME NAME RADIUS server profile na...

Page 542: ...ed URL will be carried out set by the string of up to 255 characters 20 Specify the actions that should be applied for HTTP HTTPS packets whose URL is not included in the list of URL assigned by the filter name command esr config subscriber default service default action ACT ACT allocated action permit traffic transfer is permitted deny traffic transfer is denied redirect URL redirect to the speci...

Page 543: ...ffic will be redirected to the router HTTP Proxy server optionally esr config subscriber control ip proxy http listen ports NAME NAME TCP UDP ports profile name set by the string of up to 31 characters 31 Define HTTP Proxy server port on the router optionally esr config subscriber control ip proxy http redirect port PORT PORT port number set in the range of 1 65535 32 Define destination TCP ports ...

Page 544: ...wer bound of BRAS sessions amount optionally esr config subscriber control thresholds sessions number low Threshold Threshold number of BRAS sessions 0 50000 for ESR 1700 0 10000 for ESR 1200 1000 1500 1511 3100 0 1000 for ESR 100 200 18 2 Example of configuration with SoftWLC Objective Provide access to the Internet only to authorized users Solution SoftWLC server keeps accounts data and tariff p...

Page 545: ...trusted esr config zone exit esr config security zone dmz esr config zone exit Configure public port parameters and assign its default gateway esr config interface gigabitethernet 1 0 1 esr config if gi security zone untrusted esr config if gi ip address 203 0 113 2 30 esr config if gi service policy dynamic upstream esr config if gi exit esr config ip route 0 0 0 0 0 203 0 113 1 ...

Page 546: ...nterface gigabitethernet 1 0 2 esr config if gi service policy dynamic downstream esr config if gi exit The module which is responsible for AAA operations is based on eltex radius and available by SoftWLC IP address Numbers of ports for authentication and accounting in the example below are the default values for SoftWLC Define parameters for interaction with the module esr config radius server ho...

Page 547: ...requests You need to configure allowing rules in order to pass DHCP and DNS requests esr config ip access list extended DHCP esr config acl rule 10 esr config acl rule action permit esr config acl rule match protocol udp esr config acl rule match source address any esr config acl rule match destination address any esr config acl rule match source port 68 esr config acl rule match destination port ...

Page 548: ...you need to change only IP address of SoftWLC server if addressing is different from the example Leave the rest of URL without changes esr config subscriber control filters server url http 192 0 2 20 7070 Filters file Configure and enable BRAS define NAS IP as address of the interface interacting with SoftWLC gigabitethernet 1 0 24 in the example esr config subscriber control esr config subscriber...

Page 549: ...ig object group service port range 22 esr config object group service exit esr config object group service dhcp_server esr config object group service port range 67 esr config object group service exit esr config object group service dhcp_client esr config object group service port range 68 esr config object group service exit esr config object group service ntp esr config object group service por...

Page 550: ...e enable esr config zone pair rule exit esr config zone pair exit esr config security zone pair dmz trusted esr config zone pair rule 10 esr config zone pair rule action permit esr config zone pair rule match protocol any esr config zone pair rule match source address any esr config zone pair rule match destination address any esr config zone pair rule enable esr config zone pair rule exit esr con...

Page 551: ...ir rule action permit esr config zone pair rule match protocol icmp esr config zone pair rule match source address any esr config zone pair rule match destination address any esr config zone pair rule enable esr config zone pair rule exit esr config zone pair rule exit esr config security zone pair dmz self esr config zone pair rule 20 esr config zone pair rule action permit esr config zone pair r...

Page 552: ...RAS without SoftWLC support Given Subnet with clients 10 10 0 0 16 subnet for working with FreeRADIUS server 192 168 1 1 24 Solution Step 1 RADIUS server configuration For FreeRADIUS server you need to specify the subnet that can send the queries and add a user list To do this add the following to the users file in the directory with FreeRADIUS server configuration files User profile MACADDR Clear...

Page 553: ...is applied to the traffic by ESR permit deny redirect Cisco AVPair subscriber filter default action ACTION The ability of IP flows passing enabled uplink enabled downlink enabled disabled Cisco AVPair subscriber flow status STATUS Add a subnet in which ESR is located to the clients conf file client ESR ipaddr SUBNET secret RADIUS_KEY In this case the RADIUS server configuration will be as follows ...

Page 554: ...Step 2 ESR configuration BRAS functional configuration requires the BRAS licence esr config do sh licence Licence information Name Eltex Version 1 0 Type ESR X S N NP00000000 MAC XX XX XX XX XX XX Features BRAS Broadband Remote Access Server Configuration of parameters for the interaction with RADIUS server esr config radius server host 192 168 1 2 esr config radius server key ascii text encrypted...

Page 555: ...config-acl-rule)# match destination-address any
esr(config-acl-rule)# match source-port any
esr(config-acl-rule)# match destination-port 53
esr(config-acl-rule)# enable
esr(config-acl-rule)# exit
esr(config)# ip access-list extended INTERNET
esr(config-acl)# rule 1
esr(config-acl-rule)# action permit
esr(config-acl-rule)# match protocol any
esr(config-acl-rule)# match source-address any
esr(config-acl-rule)# match des...

Page 556: ...k.ru
esr(config-object-group-url)# url http://ya.ru
esr(config-object-group-url)# url https://ya.ru
esr(config-object-group-url)# exit
Configure and enable BRAS; define the NAS IP as the address of the interface interacting with the RADIUS server (gigabitethernet 1/0/2 in the example):
esr(config)# subscriber-control
esr(config-subscriber-control)# aaa das-profile bras_das
esr(config-subscriber-control)# aaa sessions-radius-prof...

Page 557: ...esr(config-if-gi)# exit
Port towards the client:
esr(config)# interface gigabitethernet 1/0/3.10
esr(config-subif)# bridge-group 10
esr(config-subif)# ip firewall disable
esr(config-subif)# exit
Configure SNAT for the gigabitethernet 1/0/2 port:
esr(config)# nat source
esr(config-snat)# ruleset factory
esr(config-snat-ruleset)# to interface gigabitethernet 1/0/2
esr(config-snat-ruleset)# rule 10
esr(config-snat-rule)# desc...

Page 558: ...ation and statistics on the user control sessions, use the following command:
esr# sh subscriber-control sessions status
Session id            User name   IP address   MAC address         Interface    Domain
1729382256910270473   Bras_user   10.10.0.3    54:e1:ad:8f:37:35   gi1/0/3.10 ...

Page 559: ...figure a primary SIP proxy server and registration server
  esr(config-sip-profile)# proxy primary
3. Configure a SIP proxy server
  esr(config-voip-sip-proxy)# ip address proxy-server <IP>
  IP: proxy server IP address
4. Configure a SIP proxy server port
  esr(config-voip-sip-proxy)# ip port proxy-server <PORT>
  PORT: number of the proxy server UDP port, takes values of 1..65535. If the standard 5060 port is used, you do not need...

Page 560: ...nfigure a SIP profile
  esr(config)# sip profile <NUM>
  NUM: SIP profile number, set in the form of a digit from 1 to 5
14. Assign a dial plan to the current SIP profile
  esr(config-sip-profile)# dialplan pattern <DNAME>
  DNAME: name of the dial plan, set by a string of up to 31 characters
15. Enable SIP profile
  esr(config-sip-profile)# enable
19.2 FXS/FXO ports configuration algorithm
Step | Description | Command | Keys ...

Page 561: ...mber reserved for a telephone port
9. Specify the UDP port from which and to which the FXO set will send and receive SIP messages
  esr(config-voice-port-fxo)# sip port <PORT>
  PORT: UDP port number
10. Assign the user name matched with the port
  esr(config-voice-port-fxo)# sip user display-name <LOGIN>
  LOGIN: user name displayed in the Display Name field, set by a string of up to 31 characters
11. Configure a login ...

Page 562: ...Add dial rules
  esr(config-dial-ruleset)# pattern <REGEXP>
  REGEXP: regular expression specifying the dial plan, set by a string of up to 1024 characters. The rules for creating regular expressions are described in section "Dial plan configuration example".
3. Enable the dial plan
  esr(config-dial-ruleset)# enable
19.4 PBX server configuration algorithm
Step | Description | Command | Keys
1. PBX server configuration e...

Page 563: ...ig-pbx-profile)# codec allow G711A (alaw), G711U (ulaw), G722, G726
9. Selecting SIP profile type
  esr(config-pbx-profile)# client { peer | user | friend }
  peer: incoming and outgoing calls are allowed without authorisation; user: only incoming calls are allowed; friend: combines the peer and user profile types
10. Choosing a NAT interaction policy (optional)
  esr(config-pbx-profile)# nat { comedia | force-port | both }
  comedia: send media s...

Page 564: ...x-reg-server)# ip address <IP>
  IP: address of the server on which registration proceeds, takes values of an IP address or can be specified by a string of up to 31 characters
4. Registration server port configuration
  esr(config-pbx-reg-server)# ip port <PORT>
  PORT: number of the registration server UDP port, takes values of 1..65535. If the standard 5060 port is used, you do not need to specify it
5. Specify the authenti...

Page 565: ...{ tcp | udp }. The default is udp
9. Trunk activation
  esr(config-pbx-reg-server)# enable
19.6 VoIP configuration example
Objective: connect analogue telephones and fax modems to the IP network via the ESR router. The SIP server located on the ESR functions as proxy server and registration server.
Solution
Configure a SIP profile:
esr(config)# sip profile 1 ...

Page 566: ...eps
Configure the registration server address (use the embedded SIP server as registration server):
esr(config-voip-sip-proxy)# ip address registration-server 192.0.2.5
Configure a registration server port:
esr(config-voip-sip-proxy)# ip port registration-server 5080
If the standard 5060 port is used, you do not need to specify it.
Enable registration:
esr(config-voip-sip-proxy)# registration
Enable proxy server and re...

Page 567: ...tes the configuration of a dial plan for the SIP profile.
Enable SIP profile:
esr-12v(config-sip-profile)# enable
This completes the baseline configuration of the SIP profile:
esr(config-sip-profile)# exit
The next step is to configure subscriber ports:
esr(config)# interface voice-port 1
Specify a subscriber number:
esr(config-voice-port-fxs)# sip user phone 4101
Specify a displayed name:
esr(config-voice-port-fxs)# sip...

Page 568: ...t)# enable
Dial plan configuration is finished:
esr(config-dial-ruleset)# exit
Regular expression structure: Sxx, Lxx (...), where xx are random values of the S and L timers (dial plan limits). The basis is designators for the dialled digit sequence to be written. A sequence of digits is written by several designators: digits dialled from a phone keyboard (0, 1, 2, 3, ..., 9, * and #), and a bracketed sequence of digits corresponds to any bracketed cha...

Page 569: ...placement of number dialling timer values. Timer values can be assigned both to a whole dial plan and to a certain template. S is responsible for the Interdigit Short Timer setup and L for the Interdigit Long Timer. Timer values can be specified for all templates in a dial plan if the values are listed before the opening parenthesis. Example: S4 (8XXX) or S4, L8 (XXX). If these values are listed in one se...

Page 570: ...ss
Example: 123@local, a call on number 123 will be locally processed within the device.
19.8 FXO port configuration
Objective: add the ability to make a call to a PSTN subscriber through the ESR-12V FXO port.
Solution
Enable the FXO port:
esr(config)# interface voice-port 4
Specify the FXO port number (same as the PSTN access prefix):
esr(config-voice-port-fxo)# sip user phone 9
Specify the UDP port from which and to which the F...

Page 571: ...oing calls to numbers with prefix 9 are routed locally to the FXO set:
9x@local:5064
This completes the baseline configuration of outgoing calls to PSTN. To make a call to PSTN you should dial the callee number with the specified prefix (FXO set phone number).
To receive calls from PSTN you should select the subscriber that will receive all calls from PSTN; let it be a subscriber with number 305.
Enable...

Page 572: ...ured on the SSH client (for instance, section "Connection for PuTTY client").
It is possible to set the time to closing inactive TCP sessions (1 hour in the example):
esr(config)# ip firewall sessions tcp-estabilished-timeout 3600
20.3 Firewall was disabled on an interface (ip firewall disable). However, access for active sessions from the port was not closed according to the security zone-pair rules after including this interface...

Page 573: ...2:46:24 00:00 VLAN creating VLAN 100
20.7 Do the ESR series routers have features for traffic analysis?
The opportunity of analysing traffic through CLI interfaces is realized on ESR series routers. A packet sniffer is launched by the monitor command:
esr# monitor gigabitethernet 1/0/1
20.8 How to configure ip prefix-list 0.0.0.0/0?
An example of prefix-list configuration is shown below. The configuration allows r...

Page 574: ...specifying system:running-config or system:candidate-config as the copy source and the file in the flash:data section as the copy destination:
esr# copy system:candidate-config flash:data/temp.txt
Also it is possible to copy previously saved configuration files, automatically from the flash:backup section or manually from the flash:data section, to the candidate configuration:
esr# copy flash:data/temp...

Page 575: ...sk: https://servicedesk.eltex-co.ru
Visit the Eltex official website to get the relevant technical documentation and software, benefit from our knowledge base, send us an online request or consult a Service Centre specialist in our technical forum.
Official site: http://eltex-co.com
Technical forum: http://eltex-co.ru/forum
Knowledge base: https://docs.eltex-co.ru/display/EKB (Eltex Knowledge Base)
Download center: http://e...
