ELTEX ESR-10 User Manual
ESR service routers
ESR-10, ESR-12V, ESR-12VF, ESR-14VF, ESR-20,
ESR-21, ESR-100, ESR-200, ESR-1000, ESR-1200,
ESR-1500, ESR-1700
User manual, Functionality description (29.10.2020)
Firmware version 1.12.0

Summary of Contents for ELTEX ESR-10

  • Page 1    ESR service routers ESR-10, ESR-12V, ESR-12VF, ESR-14VF, ESR-20, ESR-21, ESR-100, ESR-200, ESR-1000, ESR-1200, ESR-1500, ESR-1700 User manual, Functionality description (29.10.2020) Firmware version 1.12.0...
  • Page 2: Table Of Contents

    ESR service routers. ESR-Series. Functionality description. Version 1.12.0 Contents Introduction ........................... 10 Abstract ..........................10 Target Audience........................10 Notes and warnings......................10 Interface management ......................11 VLAN Configuration ......................11 2.1.1 Configuration algorithm ....................12 2.1.2 Configuration example 1. VLAN removal from the interface........13 2.1.3 Configuration example 2.
  • Page 3 2.10.3 Example of bridge configuration for VLAN ..............40 2.10.4 Configuration example of the second VLAN tag adding/removing ......41 2.11 Dual-Homing configuration ....................42 2.11.1 Configuration algorithm ....................42 2.11.2 Configuration example ....................42 2.12 Mirroring configuration (SPAN/RSPAN)................43 2.12.1 Configuration algorithm ....................44 2.12.2...
  • Page 4 4.1.1 Configuration algorithm ....................107 4.1.2 Configuration example ....................110 Advanced QoS........................111 4.2.1 Configuration algorithm ....................111 4.2.2 Configuration example ....................115 Routing management ......................118 Static routes configuration....................118 5.1.1 Configuration algorithm ....................118 5.1.2 Static routes configuration example ................
  • Page 5 5.9.1 Configuration algorithm ....................173 5.9.2 Configuration example ....................182 MPLS technology management..................184 LDP configuration ....................... 184 6.1.1 Configuration algorithm ....................185 6.1.2 Configuration example ....................186 Configuring session parameters in LDP................189 6.2.1 Algorithm for setting Hello holdtime and Hello interval in the global LDP configuration ........................
  • Page 6 Basic user rules configuration example ..............303 7.7.7 Extended user rules configuration algorithm............. 305 7.7.8 Extended user rules configuration example............... 305 Eltex Distribution Manager interaction configuration............306 7.8.1 Base configuration algorithm..................307 7.8.2 Configuration example: ....................310 Redundancy management ....................314 VRRP configuration......................
  • Page 7 VRRP tracking configuration ....................320 8.2.1 Configuration algorithm ....................320 8.2.2 Configuration example ....................322 Remote access configuration .................... 325 Configuring server for remote access to corporate network via PPTP protocol.... 325 9.1.1 Configuration algorithm ....................
  • Page 8 10.5.1 Configuration algorithm ....................370 10.5.2 HTTP proxy configuration example ................373 10.6 NTP configuration....................... 374 10.6.1 Configuration algorithm ....................374 10.6.2 Configuration example ....................376 Monitoring ........................... 379 11.1 Netflow configuration......................379 11.1.1 Configuration algorithm ....................
  • Page 9 13.3 Dial plan configuration algorithm ..................422 13.4 PBX server configuration algorithm................... 422 13.5 Registration trunk creation algorithm................424 13.6 VoIP configuration example....................424 13.7 Dial plan configuration example ..................427 13.8 FXO port configuration ....................... 429 Safe configuration recommendations................
  • Page 10: Introduction

    1 Introduction 1.1 Abstract Today, large-scale communication network development projects are becoming increasingly common. One of the main tasks in implementation of large multiservice networks is the creation of reliable high-performance transport network that will serve as a backbone in multilayer architecture of next-generation networks. ESR series firewalls could be used in large enterprise networks, SMB networks and operator's networks.
  • Page 11: Interface Management

    2 Interface management • VLAN Configuration • Configuration algorithm • Configuration example 1. VLAN removal from the interface • Configuration example 2. Enabling VLAN processing in tagged mode • Configuration example 3. Enabling VLAN processing in tagged and untagged modes •...
  • Page 12: Configuration Algorithm

    Set the combined mode of the physical interface (only for ESR-1000/1200/1500/1700): esr(config-if-gi)# mode hybrid. Set L2 interface operation mode (only for ESR-10/12V(F)/14VF/20/21/100/200; this mode is the default mode and is not displayed in the configuration): esr(config-if-gi)# switchport access. Only for ESR-10/12V(F)/14VF/20/21/100/200: esr(config-if-gi)#
  • Page 13: Configuration Example 1. Vlan Removal From The Interface

    allowed vlan add <VID> untagged, where <VID> – VLAN identifier, set in the range of [2..4094]. Enable the processing of Ethernet frames of all created VLANs on the interface (optionally; only for ESR-10/12V(F)/14VF/20/21/100/200): esr(config-if-gi)# switchport trunk allowed vlan auto-all. Only for ESR-1000/1200/1500/1700.
  • Page 14: Configuration Example 2. Enabling Vlan Processing In Tagged Mode

    2.1.3 Configuration example 2. Enabling VLAN processing in tagged mode Objective: Configure gi1/0/1 and gi1/0/2 ports for packet transmission and reception in VLAN 2, VLAN 64, VLAN 2000. Solution: Create VLAN 2, VLAN 64, VLAN 2000 on ESR-1000: esr-1000(config)# vlan 2,64,2000 Specify VLAN 2, VLAN 64, VLAN 2000 for gi1/0/1-2 port:...
  • Page 15: Lldp Configuration

    esr(config)# vlan 2,64,2000 Specify VLAN 2, VLAN 64, VLAN 2000 for gi1/0/1 port: esr(config)# interface gi1/0/1 esr(config-if-gi)# mode switchport esr(config-if-gi)# switchport forbidden default-vlan esr(config-if-gi)# switchport mode trunk esr(config-if-gi)# switchport trunk allowed vlan add 2,64,2000 Specify VLAN2 to gi1/0/2 port: esr(config)#...
  • Page 16: Configuration Example

    Set the system-description field which will be transmitted to LLDP TLV as the system-description (optionally): esr(config)# lldp system-description <DESCRIPTION>, where <DESCRIPTION> – system description, set by the string of up to 255 characters.
  • Page 17: Lldp Med Configuration

    esr(config)# interface gigabitethernet 1/0/1 esr(config-if-gi)# lldp receive esr(config-if-gi)# lldp transmit To view LLDP neighbors information, use the following command: esr# show lldp neighbors To view more detailed information on the certain interface neighbor, use the following command: esr# show lldp neighbors gigabitethernet 1/0/1 To view LLDP statistics, use the following command:...
  • Page 18: Voice Vlan Configuration Example

    Set the DSCP value (optional): esr(config-net-policy)# dscp <DSCP>, where <DSCP> – DSCP code value, takes values in the range of [0..63]. Set the CoS value (optional): esr(config-net-policy)# priority ..., where <COS> – priority value, takes the ...
  • Page 19: Sub-Interface Termination Configuration

    esr(config)# vlan 10,20 esr(config-vlan)# exit esr(config)# interface gigabitethernet 1/0/1 esr(config-if-gi)# mode switchport esr(config-if-gi)# switchport mode trunk esr(config-if-gi)# switchport trunk allowed vlan add 10,20 esr(config-if-gi)# exit Enable LLDP and MED capability in LLDP globally on the router: esr(config)# lldp enable esr(config)# lldp med fast-start enable Create and configure network policy in the way that VLAN ID 20 is specified for the voice application:...
  • Page 20: Configuration Algorithm

    2.5 Configuration algorithm. Create a sub-interface of a physical interface (possible if the physical interface is in routeport or hybrid mode): esr(config)# interface gigabitethernet ..., where <PORT> – physical interface number, <CH> – aggregated interface number.
  • Page 21: Sub-Interface Configuration Example

    Disable the Firewall features on the interface or enable the interface in the security zone (see Firewall configuration): esr(config-subif)# ip firewall disable or esr(config-subif)# security-zone <NAME>, where <NAME> – security zone name, set by...
  • Page 22: Q-In-Q Termination Configuration

    Solution: Create sub-interface for VLAN 828: esr(config)# interface gigabitethernet 1/0/1.828 Configure IP address from necessary subnet: esr(config)# interface gigabitethernet 1/0/1.828 esr(config-subif)# ip address 192.168.3.1/24 esr(config-subif)# exit In addition to assigning an IP address, you must either disable the firewall or configure the corresponding security zone on the sub-interface.
  • Page 23 Create Q-in-Q interface: esr(config)# interface gigabitethernet <PORT>.<S-VLAN>.<C-VLAN> or esr(config)# interface tengigabitethernet ..., where <PORT> – physical interface number, <CH> – aggregated interface number, <S-VLAN> – identifier of created S-VLAN, <C-VLAN> – identifier of created C-VLAN.
  • Page 24 Disable the Firewall features on the interface or enable the interface in the security zone (see Firewall configuration): esr(config-qinq-if)# ip firewall disable or esr(config-qinq-if)# security-zone <NAME>, where <NAME> – security zone name, set by...
  • Page 25: Q-In-Q Configuration Example

    2.6.2 Q-in-Q configuration example Objective: Configure the termination of subnet 192.168.1.1/24 combination C-VLAN: 741, S-VLAN: 828 on the physical interface gigabitethernet 1/0/1. Solution: Create sub-interface for S-VLAN: 828 esr(config)# interface gigabitethernet 1/0/1.828 esr(config-subif)# exit Create a Q-in-Q interface for the S-VLAN: 741 and configure the IP address from the required subnet.
  • Page 26 Set mobile network access point: esr(config-cellular-profile)# apn <NAME>, where <NAME> – mobile network access point, set by the string of up to 31 characters. Set the name of mobile network: esr(config-cellular- <NAME>...
  • Page 27 Set USB modem identifier allocated by the system (specified in item 2): esr(config-cellular-modem)# device <WORD>, where <WORD> – identifier of connected modem's USB port, set in the range of [1..12]. Set the previously established: esr(config-cellular- <ID>...
  • Page 28: Configuration Example

    For the full modem mobile network functionality, you must additionally configure the routing and NAT functionality. 2.7.2 Configuration example Objective: Configure connection to the Internet by using USB modem. Solution: For example, consider the connection to the cellular operator MTS. After modem connection, wait until the system detects the device.
  • Page 29: Ppp Through E1 Configuration

    2.8 PPP through E1 configuration PPP (Point-to-Point Protocol) is a point-to-point link layer protocol used to establish direct communication between two network nodes. It can provide connection authentication, encryption and data compression. To establish a PPP connection through the E1 stream, you must have a ToPGATE-SFP media converter in the ESR router.
  • Page 30 Set amount of timeslots: esr(config-if-gi)# switchport e1 timeslots <RANGE>, where <RANGE> – amount of timeslots. Use E1 as a single entity, without time slots (optional): esr(config-if-gi)# switchport e1 unframed. Configure E1: esr(config)# interface <SLOT>...
  • Page 31: Configuration Example

    Set MRU (Maximum Receive Unit) size for the interface (optionally): esr(config-e1)# ppp mru <MRU>, where <MRU> – MRU value. Enable MLPPP mode (optionally): esr(config-e1)# ppp multilink. Add the group to MLPPP (optionally): esr(config-e1)# ppp <GROUP-ID>...
  • Page 32: Mlppp Configuration

    esr(config)# interface 1/3/1 esr(config-e1)# security-zone trusted esr(config-e1)# ip address 10.77.0.1/24 esr(config-e1)# exit The configuration changes come into effect after applying the following commands: esr# commit Configuration has been successfully committed esr# confirm Configuration has been successfully confirmed 2.9 MLPPP Configuration Multilink PPP (MLPPP) is an aggregated channel that encompasses methods of traffic transition via multiple physical channels while having a single logical connection.
  • Page 33 Enable authentication override (optionally): esr(config-multilink)# ppp chap refuse. Specify the router name that is sent to a remote party for CHAP authentication: esr(config-multilink)# ppp chap ..., where <NAME> – router name, set by the string of up to 31 characters.
  • Page 34: Configuration Example

    Set the amount of attempts to send Terminate-Request packets before the session is aborted (optionally): esr(config-multilink)# ppp max-terminate <VALUE>, where <VALUE> – time in seconds, takes values of [1..255]. Default value: 2.
  • Page 35: Bridge Configuration

    Solution: Switch gigabitethernet 1/0/10 interface into E1 operation mode: esr# configure esr(config)# interface gigabitethernet 1/0/1 esr(config-if-gi)# switchport mode e1 esr(config-if-gi)# switchport e1 slot esr(config-if-gi)# exit esr(config)# interface gigabitethernet 1/0/2 esr(config-if-gi)# switchport mode e1 esr(config-if-gi)# switchport e1 slot esr(config-if-gi)# exit Configure MLPPP 3:...
  • Page 36: Configuration Algorithm

    Add a network bridge to the system and switch to its configuration mode: esr(config)# bridge <BRIDGE-ID>, where <BRIDGE-ID> – bridge identification number, takes values in the range of: for ESR-10/12V(F)/14VF – [1..50]; for ESR-20/21/100/200 – [1..250]; for ESR-1000/1200/1500/1700 – [1..500]. Enable network bridge: esr(config-bridge)# ...
  • Page 37 <MTU> (optionally; possible if only VLAN is included in the bridge), where <MTU> takes values in the range of: for ESR-10/12V(F)/14VF – [552..9600]; MTU above 1500 will be active only when using the "system jumbo-frames" command.
  • Page 38 Specify the time interval during which the statistics on the bridge load is averaged (optionally): esr(config-bridge)# load-average <TIME>, where <TIME> – interval in seconds, takes values of [5..150]. Default value: 5. Specify the network bridge MAC: esr(config-bridge)# <ADDR>...
  • Page 39: Example Of Bridge Configuration For Vlan And L2Tpv3 Tunnel

    2.10.2 Example of bridge configuration for VLAN and L2TPv3 tunnel Objective: Combine router interfaces related to LAN and L2TPv3 tunnel passing through the public network into a single L2 domain. For combining, use VLAN 333. Solution: Create VLAN 333: esr(config)# vlan...
  • Page 40: Example Of Bridge Configuration For Vlan

    2.10.3 Example of bridge configuration for VLAN Objective: Configure routing between VLAN 50 (10.0.50.0/24) and VLAN 60 (10.0.60.0/24). VLAN 50 should belong to 'LAN1', VLAN 60 – to 'LAN2', enable free traffic transmission between zones. Solution: Create VLAN 50, 60: esr(config)# vlan...
  • Page 41: Configuration Example Of The Second Vlan Tag Adding/Removing

    Create bridge 60, map VLAN 60, define IP address 10.0.60.1/24 and membership in 'LAN2' zone: esr(config)# bridge esr(config-bridge)# vlan esr(config-bridge)# ip address 10.0.60.1/24 esr(config-bridge)# security-zone LAN2 esr(config-bridge)# enable Create firewall rules that enable free traffic transmission between zones: esr(config)# security zone-pair LAN1 LAN2 esr(config-zone-pair)# rule esr(config-zone-pair-rule)# action permit...
  • Page 42: Dual-Homing Configuration

    Include the gigabitethernet 1/0/2.828 sub-interface in bridge 1. esr(config)# interface gigabitethernet 1/0/2.828 esr(config-subif)# bridge-group esr(config-subif)# exit When adding the second VLAN tag to an Ethernet frame, its size is increased by 4 bytes. MTU must be increased by 4 bytes or more on the gigabitethernet 1/0/2 router interface and on all equipment transmitting Q-in-Q frames.
  • Page 43: Mirroring Configuration (Span/Rspan)

    Solution: First, do the following: Create VLAN 50-55: esr(config)# vlan 50-55 You should disable STP for gigabitethernet 1/0/9 and gigabitethernet 1/0/10 interfaces, i.e. these protocols cannot operate simultaneously: esr(config)# interface gigabitethernet 1/0/9-10 esr(config-if-gi)# spanning-tree disable Add gigabitethernet 1/0/9 and gigabitethernet 1/0/10 interfaces into VLAN 50-55 in 'general' mode.
  • Page 44: Configuration Algorithm

    2.12.1 Configuration algorithm. Define VLAN over which the mirrored traffic will be transmitted (in case of using remote mirroring): esr(config)# port monitor remote vlan ..., where <VID> – VLAN ID, set in the range of [2..4094];
  • Page 45: Lacp Configuration

    Solution: First, do the following: • Create VLAN 50: • On gi 1/0/5 interface, add VLAN 50 in 'general' mode. Main configuration step: Specify VLAN that will be used for transmission of mirrored traffic: esr1000(config)# port monitor remote vlan For gi 1/0/5 interface, specify a port for mirroring: interface...
  • Page 46 Set the load balancing mechanism for channel aggregation groups: esr(config)# port-channel load-balance { src-dst-mac-ip | src-dst-mac | src-dst-... }, where src-dst-mac-ip – balancing mechanism is based on source and destination MAC addresses and IP addresses;...
  • Page 47 Set the Ethernet interface LACP priority: esr(config-if-gi)# lacp port-priority <PRIORITY>, where <PRIORITY> – priority, set in the range of [1..65535]. Default value: 1. Set the time interval during which: esr(config-subif)# <TIME>...
  • Page 48: Configuration Example

    2.13.2 Configuration example Objective: Configure aggregated link between ESR router and the switch. Solution: 1 First, do the following settings: For gi1/0/1, gi1/0/2 interfaces disable security zone with 'no security-zone' command. 2 Main configuration step: Create port-channel 2 interface: esr(config)# interface...
  • Page 49 Set the necessary serial interface parameters to communicate with the connected device (optional): esr(config-line-aux) databits <BITS>, where <BITS> – a number of data bits sent [7..8]. Default is "8". esr(config-line-aux) flowcontrol <FMODE>...
  • Page 50: Configuration Examples

    When using the device to be connected as a modem, set the serial interface to modem mode (optional): esr(config-line-aux)# modem inout. Note: cannot be used in conjunction with the «transport telnet port» command.
  • Page 51 Solution: Configure the first ESR-21 Configure negotiation parameters: esr-21-1(config)# line aux esr-21-1(config-line-aux)# flowcontrol hardware esr-21-1(config-line-aux)# exit esr-21-1(config)# Configure the required RS-232 interfaces: esr-21-1(config)# interface serial 1/0/2 esr-21-1(config-serial)# ip address 1.1.1.1/24 esr-21-1(config-serial)# exit esr-21-1(config)# Configure firewall for security zones: esr-21-1(config)# security zone xx esr-21-1(config-zone)# exit...
  • Page 52 Configure firewall for security zones: esr-21-2(config)# security zone xx esr-21-2(config-zone)# exit esr-21-2(config)# security zone-pair xx self esr-21-2(config-zone-pair)# rule esr-21-2(config-zone-pair-rule)# action permit esr-21-2(config-zone-pair-rule)# enable esr-21-2(config-zone-pair-rule)# exit esr-21-2(config-zone-pair)# exit esr-21-2(config)# Specify that the interfaces belong to the security zone: esr-21-2(config)# interface serial...
  • Page 53 The ESR-12vf with the following configuration is used as a PSTN emulation: dialplan pattern factory_test description "dialplan for factory test" pattern "S5, L5 (00[1-3]@{local} | [xABCD*#].S)" enable exit sip profile dialplan pattern "factory_test" enable proxy primary enable...
  • Page 54 Configure firewall for security zones: esr-21-1(config)# security zone xx esr-21-1(config-zone)# exit esr-21-1(config)# security zone-pair xx self esr-21-1(config-zone-pair)# rule esr-21-1(config-zone-pair-rule)# action permit esr-21-1(config-zone-pair-rule)# enable esr-21-1(config-zone-pair-rule)# exit esr-21-1(config-zone-pair)# exit esr-21-1(config)# Specify that the interfaces belong to the security zone: esr-21-1(config)# interface serial...
  • Page 55 Configure firewall for security zones: esr-21-2(config)# security zone xx esr-21-2(config-zone)# exit esr-21-2(config)# security zone-pair xx self esr-21-2(config-zone-pair)# rule esr-21-2(config-zone-pair-rule)# action permit esr-21-2(config-zone-pair-rule)# enable esr-21-2(config-zone-pair-rule)# exit esr-21-2(config-zone-pair)# exit esr-21-2(config)# Specify that the interfaces belong to the security zone: esr-21-2(config)# interface serial...
  • Page 56: Adapter Soldering Schemes

    Enable the use of the modem initialization string: esr-21-2(config)# interface serial 1/0/2 esr-21-2(config-serial)# dialer string modem-script answer_test esr-21-2(config-serial)# exit esr-21-2(config)# 2.14.3 Adapter soldering schemes RJ-45 <--> DB-25 pinout RJ-45 <--> RJ-45 pinout (rolled over cable)
  • Page 57: Tunneling Management

    GRE tunnel will be built. Create a GRE tunnel and switch to its configuration mode: esr(config)# tunnel gre <INDEX>, where <INDEX> – tunnel identifier, set in the range of: • for ESR-10/12V(F)/14VF – [1..10]; • for ESR-20/21/100/200 – [1..250]; • for ESR-1000/1200/1500/1700 – [1..500].
  • Page 58 Assign the broadcast domain for encapsulation in the tunnel's GRE packets (only in ethernet mode): esr(config-gre)# bridge-group <BRIDGE-ID>, where <BRIDGE-ID> – bridge identification number, takes values in the range of: • for ESR-10/12V(F)/14VF – [1..50]; • for ESR-20/21/100/200 – [1..250]; • for ESR-1000/1200/1500/1700 – [1..500]...
  • Page 59 (Maximum Transmission Unit) for the tunnel (optionally): <MTU>, where <MTU> – MTU value, takes values in the range of: • for ESR-10/12V(F)/14VF – [1280..9600]; • for ESR-20/21 – [1280..9500]; •... MTU above 1500 will be active only when using the "system jumbo-frames" command.
  • Page 60 Enable verification of the presence and consistency of checksum values in the headers of GRE packets being received (it is also necessary to enable calculation of the checksum on the remote side): esr(config-gre)# remote checksum
  • Page 61: Ip-Gre Tunnel Configuration Example

    Enable recording of the current tunnel usage statistics (optional): esr(config-gre)# history statistics. Enable the tunnel: esr(config-gre)# enable. It is also possible to configure the GRE tunnel: • QoS in basic or advanced mode (see section management);...
  • Page 62 Also, the tunnel should belong to the security zone in order to create rules that allow traffic to pass through the firewall. To define the tunnel inherence to a zone, use the following command: esr(config-gre)# security-zone untrusted Enable tunnel: esr(config-gre)# enable...
  • Page 63: Dmvpn Configuration

    esr# show tunnels counters gre To view the tunnel configuration, use the following command: esr# show tunnels configuration gre IPv4-over-IPv4 tunnel configuration is performed in the same manner. During tunnel creation, you should enable GRE protocol (47) in the firewall. 3.2 DMVPN configuration DMVPN (Dynamic Multipoint Virtual Private Network)–...
  • Page 64 Specify the time during which a record about this client will exist on the NHS (optional): esr(config-gre)# ip nhrp holding-time ..., where <TIME> – the time in seconds during which a record about this client will...
  • Page 65: Configuration Example

    Organize IP connectivity using the dynamic routing protocol. Other settings are the same as for the static GRE-tunnel (see section GRE-tunnel configuration) 3.2.2 Configuration example Objective: Organize DMVPN between company offices using mGRE tunnels, NHRP (Next Hop Resolution Protocol), Dynamic Routing Protocol (BGP), Ipsec.
  • Page 66 esr(config-gre)# local address 150.115.0.5 Specify MTU value: esr(config-gre)# mtu 1416 Specify ttl value: esr(config-gre)# ttl Specify IP address of GRE tunnel: esr(config-gre)# ip address 10.10.0.5/24 Switch the GRE tunnel into multipoint mode to be able to connect to multiple points: esr(config-gre)# multipoint Proceed to NHRP configuration.
  • Page 67 esr(config)# security ike gateway IKEGW esr(config-ike-gw)# ike-policy IKEPOLICY esr(config-ike-gw)# local address 150.115.0.5 esr(config-ike-gw)# local network 150.115.0.5/32 protocol gre esr(config-ike-gw)# remote address any esr(config-ike-gw)# remote network any esr(config-ike-gw)# mode policy-based esr(config-ike-gw)# exit esr(config)# security ipsec proposal IPSECPROP esr(config-ipsec-proposal)# encryption algorithm aes128 esr(config-ipsec-proposal)# exit esr(config)# security ipsec policy IPSECPOLICY...
  • Page 68 Specify the tunnel address of NHS: esr(config-gre)# ip nhrp nhs 10.10.0.5/24 Specify the tunnel address – real: esr(config-gre)# ip nhrp map 10.10.0.5 150.115.0.5 Configure the multicast to the NHRP server: esr(config)# ip nhrp multicast nhs Configure the BGP for spoke: esr(config)# router bgp 65008...
  • Page 69 esr(config)# security ike gateway IKEGW_SPOKE esr(config-ike-gw)# ike-policy IKEPOLICY esr(config-ike-gw)# local address 180.100.0.10 esr(config-ike-gw)# local network 180.100.0.10/32 protocol gre esr(config-ike-gw)# remote address any esr(config-ike-gw)# remote network any esr(config-ike-gw)# mode policy-based esr(config-ike-gw)# exit esr(config)# security ipsec proposal IPSECPROP esr(config-ipsec-proposal)# encryption algorithm aes128 esr(config-ipsec-proposal)# exit esr(config)# security ipsec policy IPSECPOLICY...
  • Page 70: L2Tpv3 Tunnel Configuration

    Create a L2TPv3 tunnel and switch to its configuration mode: esr(config)# tunnel l2tpv3 <INDEX>, where <INDEX> – tunnel identifier, set in the range of: · for ESR-10/12V(F)/14VF – [1..10]; · for ESR-20/21/100/200 – [1..250]; · for ESR-1000/1200/1500/1700 – [1..500]. Specify the description of the: esr(config-l2tpv3)# <DESCRIPTION>...
  • Page 71 Assign the broadcast domain for encapsulation in the tunnel's L2TPv3 packets: esr(config-l2tpv3)# bridge-group <BRIDGE-ID>, where <BRIDGE-ID> – bridge identification number, takes values in the range: • for ESR-10/12V(F)/14VF – [1..50]; • for ESR-20/21/100/200 – [1..250]; • for ESR-1000/1200/1500/1700 – [1..500]. Enable the tunnel.
  • Page 72: L2Tpv3 Tunnel Configuration Example

    Define the local cookie value to check the conformance of data being transmitted and session: esr(config-l2tpv3)# local cookie <COOKIE>, where <COOKIE> – COOKIE value, the parameter takes values of 8 or 16 characters in hexadecimal form.
  • Page 73 esr# configure esr(config)# tunnel l2tpv3 Specify local and remote gateways (IP addresses of WAN border interfaces): esr(config-l2tpv3)# local address 21.0.0.1 esr(config-l2tpv3)# remote address 183.0.0.10 Specify identifiers for session inside the tunnel for local and remote sides: esr(config-l2tpv3)# protocol udp esr(config-l2tpv3)# local port esr(config-l2tpv3)# remote port...
  • Page 74: Ipsec Vpn Configuration

    esr# show tunnels status l2tpv3
    To view sent and received packet counters, use the following command:
    esr# show tunnels counters l2tpv3
    To view the tunnel configuration, use the following command:
    esr# show tunnels configuration l2tpv3 ...
  • Page 75
    Description: Create an IKE profile and switch to its configuration mode.
    Command: esr(config)# security ike proposal <NAME>
    Keys: <NAME> – IKE protocol name, set by the string of up to 31 characters.
    Description: Specify the description of the ... Keys: <DESCRIPTION>...
  • Page 76
    Description: Bind IKE profile to IKE policy.
    Command: esr(config-ike-policy)# proposal <NAME>
    Keys: <NAME> – IKE protocol name, set by the string of up to 31 characters.
    Description: Specify authentication key (mandatory if pre-shared-key is ...).
    Command: esr(config-ike-policy)# pre-shared-...
    Keys: <TEXT> – string [1..64] ASCII characters.
  • Page 77
    Description: Create IPsec profile.
    Command: esr(config)# security ipsec proposal <NAME>
    Keys: <NAME> – IPsec protocol profile name, set by the string of up to 31 characters.
    Description: Specify IPsec authentication algorithm.
    Command: esr(config-ipsec-...
    Keys: <ALGORITHM> – authentication ...
  • Page 78
    Description: Create IPsec VPN policy and switch to its configuration mode.
    Command: esr(config)# security ipsec vpn <NAME>
    Keys: <NAME> – VPN name, set by the string of up to 31 characters.
    Description: Define the matching mode of data ... Keys: <MODE>...
  • Page 79: Route-Based Ipsec Vpn Configuration Example

    Description: Configure the start of IKE connection keys re-approval before the expiration of the lifetime (optionally).
    Command: esr(config-ipsec-vpn)# ike rekey margin { seconds ...
    Keys: <SEC> – time interval in seconds remaining before the connection release (set by the lifetime seconds ...
  • Page 80
    • R2 IP address – 180.100.0.1;
    IKE:
    • Diffie-Hellman group: 2;
    • encryption algorithm: AES 128 bit;
    • authentication algorithm: MD5.
    IPsec:
    • encryption algorithm: AES 128 bit;
    • authentication algorithm: MD5.
    Solution:
    R1 configuration
    Configure the external network interface and assign it to a security zone:...
  • Page 81
    Create a static route to the remote LAN. For each subnet located beyond the IPsec tunnel, specify a route via the VTI tunnel:
    esr(config)# ip route 192.0.2.0/24 tunnel vti
    Create IKE protocol profile. Select Diffie-Hellman group 2, AES 128 bit encryption algorithm and MD5 authentication algorithm in the profile.
  • Page 82
    Create IPsec VPN. For the VPN, specify IKE protocol gateway, IPsec tunnel policy, key exchange mode and connection establishment method. When all parameters are entered, enable the tunnel using the enable command.
    esr(config)# security ipsec vpn ipsec1
    esr(config-ipsec-vpn)# mode ike
    esr(config-ipsec-vpn)# ike establish-tunnel route
    esr(config-ipsec-vpn)# ike gateway ike_gw1...
  • Page 83
    Create IKE protocol policy. For the policy, specify the list of IKE protocol profiles that may be used for node and authentication key negotiation:
    esr(config)# security ike policy ike_pol1
    esr(config-ike-policy)# pre-shared-key hexadecimal 123FFF
    esr(config-ike-policy)# proposal ike_prop1
    esr(config-ike-policy)# exit
    Create IKE protocol gateway.
  • Page 84: Policy-Based Ipsec Vpn Configuration Algorithm

    To view the tunnel configuration, use the following command:
    esr# show security ipsec vpn configuration ipsec1
    In the firewall, you should enable the ESP and ISAKMP protocols (UDP port 500).
    3.4.3 Policy-based IPsec VPN configuration algorithm
    Step Description Command...
  • Page 85
    Description: Bind the policy to profile.
    Command: esr(config-ike-policy)# proposal <NAME>
    Keys: <NAME> – IKE protocol name, set by the string of up to 31 characters.
    Description: Specify authentication key.
    Command: esr(config-ike-policy)# pre-shared-...
    Keys: <TEXT> – string [1..64] ASCII characters.
  • Page 86
    Description: Set sender's IP subnets.
    Command: esr(config-ike-gw)# local network <ADDR/LEN> [ protocol { <TYPE> | <ID>...
    Keys: <ADDR/LEN> – subnet IP address and mask of a sender. The parameter is defined as AAA.BBB.CCC.DDD/EE where each part AAA-DDD takes values ...
  • Page 87
    Description: Specify IPsec encryption algorithm.
    Command: esr(config-ipsec-proposal)# encryption algorithm <ALGORITHM>
    Keys: <ALGORITHM> – encryption protocol, takes the following values: des, 3des, blowfish128, blowfish192, blowfish256, aes128, aes192, aes256, aes128ctr, aes192ctr, aes256ctr, camellia128, camellia192, camellia256.
  • Page 88
    Description: Set VPN activation mode.
    Command: esr(config-ipsec-vpn)# ike establish-tunnel <MODE>
    Keys: <MODE> – VPN activation mode:
    • by-request – connection is enabled by an opposing party;
    • route – connection is enabled when there is traffic routed to the tunnel;...
  • Page 89: Policy-Based Ipsec Vpn Configuration Example

    Description: Enable IPsec VPN.
    Command: esr(config-ipsec-vpn)# enable
    3.4.4 Policy-based IPsec VPN configuration example
    Objective: Configure an IPsec tunnel between R1 and R2.
    R1 IP address: 120.11.5.1;
    R2 IP address – 180.100.0.1;
    IKE:
    •...
  • Page 90
    esr(config)# security ike proposal ike_prop1
    esr(config-ike-proposal)# dh-group
    esr(config-ike-proposal)# authentication algorithm md5
    esr(config-ike-proposal)# encryption algorithm aes128
    esr(config-ike-proposal)# exit
    Create IKE protocol policy. For the policy, specify the list of IKE protocol profiles that may be used for node and authentication key negotiation:
    esr(config)# security ike policy ike_pol1
    esr(config-ike-policy)# pre-shared-key hexadecimal 123FFF...
  • Page 91
    esr(config)# security ipsec vpn ipsec1
    esr(config-ipsec-vpn)# mode ike
    esr(config-ipsec-vpn)# ike establish-tunnel immediate
    esr(config-ipsec-vpn)# ike gateway ike_gw1
    esr(config-ipsec-vpn)# ike ipsec-policy ipsec_pol1
    esr(config-ipsec-vpn)# enable
    esr(config-ipsec-vpn)# exit
    esr(config)# exit
    R2 configuration
    Configure the external network interface and assign it to a security zone:
    esr# configure
    esr(config)# interface...
  • Page 92: Remote Access Ipsec Vpn Configuration Algorithm

    Create a security parameters profile for the IPsec tunnel. For the profile, select Diffie-Hellman group 2, AES 128 bit encryption algorithm and MD5 authentication algorithm. Use the following parameters to secure the IPsec tunnel:
    esr(config)# security ipsec proposal ipsec_prop1
    esr(config-ipsec-proposal)# authentication algorithm md5
    esr(config-ipsec-proposal)# encryption algorithm aes128
    esr(config-ipsec-proposal)# exit...
  • Page 93
    Description: Create an IKE instance and switch to its configuration mode.
    Command: esr(config)# security ike proposal <NAME>
    Keys: <NAME> – IKE protocol name, set by the string of up to 31 characters.
    Description: Specify the description of the ... Keys: <DESCRIPTION>...
  • Page 94
    Description: Specify authentication key.
    Command: esr(config-ike-policy)# pre-shared-key ascii-text <TEXT>
    Keys: <TEXT> – string [1..64] ASCII characters.
    Description: Create an access profile.
    Command: esr(config)# access profile <NAME>
    Keys: <NAME> – access profile name, set by the string of up to 31 characters.
  • Page 95
    Description: Specify the interval between sending messages via the DPD mechanism (optionally).
    Command: esr(config-ike-gw)# dead-peer-detection interval <SEC>
    Keys: <SEC> – interval between sending messages via the DPD mechanism, takes values of [1..180] seconds. Default value: 2
    Description: Specify the time period of ... Command: esr(config-ike-gw)#...
  • Page 96
    Description: Set access profile for XAUTH parameters (only for server).
    Command: esr(config-ike-gw)# xauth access-profile <NAME>
    Keys: <NAME> – access profile name, set by the string of up to 31 characters.
    Description: Set access profile and login for ... Command: esr(config-ike-gw)# ... Keys: <NAME>...
  • Page 97
    Description: Specify the lifetime of the IPsec tunnel (optionally).
    Command: esr(config-ipsec-policy)# lifetime { seconds <SEC> | packets <PACKETS> | kilobytes <KB>...
    Keys: <SEC> – IPsec tunnel lifetime after which the re-approval is carried out. Takes values in the range of ...
  • Page 98
    Description: Bind IKE gateway to VPN.
    Command: esr(config-ipsec-vpn)# ike gateway <NAME>
    Keys: <NAME> – IKE gateway name, set by the string of up to 31 characters.
    Description: Set the time interval value in ... Command: esr(config-ipsec-... Keys: <TIME>...
  • Page 99: Remote Access Ipsec Vpn Configuration Example

    Description: Enable XAUTH clients reconnection mode with one login/password (server only) (optional).
    Command: esr(config-ipsec-vpn)# security ike session uniqueids <MODE>
    Keys: <MODE> – reconnect mode, may take the following values:
    no – established XAUTH connection will be deleted if an «INITIAL_CONTACT»...
  • Page 100
    • authentication algorithm: SHA1.
    IPsec:
    • encryption algorithm: 3DES;
    • authentication algorithm: SHA1.
    XAUTH:
    • login: client1;
    • password: password123.
    Solution:
    R1 configuration
    Configure the external network interface and assign it to a security zone:
    esr# configure
    esr(config)# security zone untrusted
    esr(config-zone)# exit...
  • Page 101
    esr(config)# access profile XAUTH
    esr(config-access-profile)# user client1
    esr(config-profile)# password ascii-text password123
    esr(config-profile)# exit
    esr(config-access-profile)# exit
    Create a pool of addresses from which IP addresses will be issued to IPsec VPN clients:
    esr-1000(config)# address-assignment pool CLIENT_POOL
    esr-1000(config-pool)# ip prefix 192.0.2.0/24
    esr-1000(config-pool)# exit...
  • Page 102
    Allow the ESP protocol and UDP ports 500, 4500 in the firewall configuration for establishing IPsec VPN:
    esr(config)# security zone-pair untrusted self
    esr(config-zone-pair)# rule
    esr(config-zone-pair-rule)# action permit
    esr(config-zone-pair-rule)# match protocol udp
    esr(config-zone-pair-rule)# match destination-port ISAKMP
    esr(config-zone-pair-rule)# enable
    esr(config-zone-pair-rule)# exit
    esr(config-zone-pair)#...
  • Page 103
    esr(config)# access profile XAUTH
    esr(config-access-profile)# user client1
    esr(config-profile)# password ascii-text password123
    esr(config-profile)# exit
    esr(config-access-profile)# exit
    Create a loopback interface for terminating the IP address received from the IPsec VPN server:
    esr(config)# interface loopback
    esr(config-loopback)# exit
    Create IKE protocol gateway.
  • Page 104: Tunnels Configuration

    esr(config)# security zone-pair untrusted self
    esr(config-zone-pair)# rule
    esr(config-zone-pair-rule)# action permit
    esr(config-zone-pair-rule)# match protocol udp
    esr(config-zone-pair-rule)# match destination-port ISAKMP
    esr(config-zone-pair-rule)# enable
    esr(config-zone-pair-rule)# exit
    esr(config-zone-pair)# rule
    esr(config-zone-pair-rule)# action permit
    esr(config-zone-pair-rule)# match protocol esp
    esr(config-zone-pair-rule)# enable
    esr(config-zone-pair-rule)# exit
    esr(config-zone-pair)# end
    To view the tunnel status, use the following command:...
  • Page 105: Configuration Example

    Keys: <MTU> ... (optionally; possible if only VLAN is included in the bridge).
    • for ESR-10/12V(F)/14VF – [1280..9600];
    • for ESR-20/21 – [1280..9500];...
    MTU above 1500 will be active only when using the "system jumbo-...
  • Page 106
    hostname esr
    ip vrf vrf_1
    exit
    ip vrf vrf_2
    exit
    interface gigabitethernet 1/0/1
    ip vrf forwarding vrf_1
    ip firewall disable
    ip address 10.0.0.1/24
    exit
    interface gigabitethernet 1/0/2
    ip vrf forwarding vrf_2
    ip firewall disable
    ip address 10.0.1.1/24
    exit...
  • Page 107: Qos Management

    4 QoS management
    • Basic QoS
    • Configuration algorithm
    • Configuration example
    • Advanced QoS
    • Configuration algorithm
    • Configuration example
    QoS (Quality of Service) is a technology that provides various traffic classes with various service priorities. QoS allows network applications to co-exist in a single network without altering the bandwidth of other applications.
  • Page 108
    Description: Set the match between DSCP code values of incoming packets and outgoing queues.
    Command: esr(config)# qos map dscp-queue <DSCP> to ...
    Keys: <DSCP> – service classifier in a packet IP header, takes values in the ...
  • Page 109
    Description: Set the number of the default queue to which all non-IP traffic falls in the trust mode for DSCP priorities.
    Command: esr(config)# qos queue default <QUEUE>
    Keys: <QUEUE> – queue identifier, takes values in the range of [1..8].
  • Page 110: Configuration Example

    Description: Set the incoming traffic rate limiting (if the outgoing rate limiting is required).
    Command: esr(config-if-gi)# rate-limit <BANDWIDTH> [BURST]
    Keys: <BANDWIDTH> – average traffic rate in Kbps, takes the value of [3000..10000000] for TengigabitEthernet interfaces and [64..1000000] for other interfaces and tunnels;...
  • Page 111: Advanced Qos

    esr(config)# interface gigabitethernet 1/0/5
    esr(config-if-gi)# qos enable
    esr(config-if-gi)# exit
    Enable QoS on the inbound interface from the WAN side:
    esr(config)# interface gigabitethernet 1/0/8
    esr(config-if-gi)# qos enable
    Limit the transfer rate to 60 Mbps for the 7th queue:
    esr(config-if)# traffic-shape queue 7 60000
    esr(config-if)# exit...
  • Page 112
    Description: Specify the DSCP code value which will be set in IP packets corresponding to the class being configured.
    Command: esr(config-class-map)# set dscp <DSCP>
    Keys: <DSCP> – DSCP code value, takes values in the range of [0..63].
  • Page 113
    Description: Include QoS policy in QoS class to create hierarchical QoS. The inserted policy must already be created.
    Command: esr(config-class-policy-map)# service-policy <NAME>
    Keys: <NAME> – policy name, set by the string of up to 31 characters.
  • Page 114
    Description: Specify the limited number of packets for a virtual queue (optionally).
    Command: esr(config-class-policy-map)# queue-limit <QUEUE-LIMIT>
    Keys: <QUEUE-LIMIT> – limited number of packets in a virtual queue, takes values in the range of [2..4096]. Default value: 127.
  • Page 115: Configuration Example

    Description: Enable TCP headers compression protocol for the certain class traffic (if required).
    Command: esr(config-class-policy-map)# compression header ip
    Description: Enable QoS on the interface/tunnel/network bridge.
    Command: esr(config-if-gi)# qos enable
    Description: Define the QoS policy on a configured ... Command: esr(config-if-gi)# ... Keys: <NAME>...
  • Page 116
    Solution:
    Configure access control lists for filtering by a subnet, proceed to global configuration mode:
    esr(config)# ip access-list extended fl1
    esr(config-acl)# rule
    esr(config-acl-rule)# action permit
    esr(config-acl-rule)# match protocol any
    esr(config-acl-rule)# match source-address 10.0.11.0 255.255.255.0
    esr(config-acl-rule)# match destination-address any
    esr(config-acl-rule)# enable
    esr(config-acl-rule)# exit...
  • Page 117
    For the rest of the traffic, configure a class with SFQ mode:
    esr(config-policy-map)# class class-default
    esr(config-class-policy-map)# mode sfq
    esr(config-class-policy-map)# fair-queue
    esr(config-class-policy-map)# exit
    esr(config-policy-map)# exit
    Enable QoS on the interfaces: the policy on the gi1/0/19 interface ingress for classification purposes and on the gi1/0/20 egress for applying restrictions and SFQ mode for the default class:
    esr(config)# interface...
  • Page 118: Routing Management

    5 Routing management
    • Static routes configuration
    • Configuration algorithm
    • Static routes configuration example
    • RIP configuration
    • Configuration algorithm
    • RIP configuration example
    • OSPF configuration
    • Configuration algorithm
    • OSPF configuration example
    •...
  • Page 119: Static Routes Configuration Example

    • <IF> – an IP interface name specified in the form described in Section Types and naming order of router interfaces;
    • <TUN> – the name of the tunnel is specified as described in section Types and naming order of router tunnels;...
  • Page 120
    Solution:
    Specify the device name for the R1 router:
    esr# hostname R1
    Specify the 192.168.1.1/24 address and the "LAN" zone for the gi1/0/1 interface. R1 will be connected to the 192.168.1.0/24 network via this interface:
    esr(config)# interface gi1/0/1...
  • Page 121: Rip Configuration

    Create a route for interaction with the Internet using the provider gateway as a nexthop (128.107.1.1):
    esr(config)# ip route 0.0.0.0/0 128.107.1.1
    Specify the device name for the R2 router:
    esr# hostname R2
    Specify the 10.0.0.1/8 address and the 'LAN' zone for the gi1/0/1 interface. R2 will be connected to the 10.0.0.0/8 network via this interface:
    esr(config)# interface...
  • Page 122
    Description: Configure RIP routing table capacity (optionally).
    Command: esr(config)# ip protocols rip max-routes <VALUE>
    Keys: <VALUE> – amount of RIP routes in the routing table, takes values in the range of [1..10000]; Default value: 10000.
  • Page 123
    Description: Specify the list of passwords for authentication via the md5 hashing algorithm (optionally).
    Command: esr(config-rip)# authentication key-chain <KEYCHAIN>
    Keys: <KEYCHAIN> – key list identifier, set by the string of up to 16 characters.
  • Page 124
    Command: esr(config-rip)# redistribute connected [ route-map <NAME> ]
    Keys: <NAME> – name of the route map that will be used for filtration and modification of advertised directly connected subnets, set by the string of up to 31 characters.
  • Page 125: Rip Configuration Example

    Description: Set the routes advertising mode via RIP (optionally).
    Command: esr(config-if-gi)# ip rip mode <MODE>
    Keys: <MODE> – routes advertising mode:
    • multicast – routes are advertised in multicast mode;
    • broadcast – routes are advertised in broadcast mode;...
  • Page 126: Ospf Configuration

    esr(config)# router rip
    Specify the networks to be advertised by the protocol: 115.0.0.0/24, 14.0.0.0/24 and 10.0.0.0/24:
    esr(config-rip)# network 115.0.0.0/24
    esr(config-rip)# network 14.0.0.0/24
    esr(config-rip)# network 10.0.0.0/24
    To advertise static routes by the protocol, execute the following command:
    esr(config-rip)# redistribute static
    Configure the timer responsible for routing information transmission:...
  • Page 127
    Command: ... protocols ospf max-routes <VALUE>
    Keys:
    • for ESR-1000/1200/1500/1700 – [1..500000];
    • for ESR-20/21/100/200 – [1..300000];
    • for ESR-10/12V(F)/14VF – [1..30000]
    Default value for the global mode:
    • for ESR-1000/1200/1500/1700 – (500000);
    • for ESR-20/21/100/200 – (300000);
    • for ESR-10/12V(F)/14VF –...
  • Page 128
    Description: Permit or deny the prefix lists.
    Command: esr(config-pl)# permit [ { object-group <OBJ-GROUP-NETWORK-NAME> | <ADDR/LEN> | <IPV6-ADDR/...
    Keys: <OBJ-GROUP-NETWORK-NAME> – IPv4/IPv6 addresses profile name, set by the string of up to 31 characters;...
  • Page 129
    Description: Add subnet filtration in incoming or outgoing updates (optionally).
    Command: esr(config-ospf)# prefix-list <PREFIX-LIST-NAME> { in | out }
    Keys: <PREFIX-LIST-NAME> – name of a subnet list being configured, set by the string of up to 31 characters.
  • Page 130
    Description: Enable subnet advertising.
    Command: esr(config-ospf-area)# network <ADDR/LEN>
    Keys: <ADDR/LEN> – subnet address, set in the following format: AAA.BBB.CCC.DDD/EE – network IP address with prefix mask, where AAA-DDD take values of [0..255] and EE takes values of [1..32].
  • Page 131
    Description: Enable the subnet summarization or hiding.
    Command: esr(config-ospf-area)# summary-address <ADDR/LEN> { advertise | not-advertise }
    Keys: <ADDR/LEN> – IP address and subnet mask, defined as AAA.BBB.CCC.DDD/EE where each part AAA-DDD takes values of [0..255] and EE takes values of [1..32];...
  • Page 132
    Description: Set the time interval in seconds after which the router re-sends a packet that has not received a ...
    Command: esr(config-ospf-vlink)# retransmit-interval <TIME>
    Keys: <TIME> – time in seconds, takes values of [1..65535].
  • Page 133
    Description: Enable virtual connection.
    Command: esr(config-ospf-vlink)# enable
    Description: Switch to the interface/tunnel/network bridge configuration mode.
    Command: esr(config)# interface <IF-TYPE><IF-NUM>
    Keys: <IF-TYPE> – interface type; <IF-NUM> – F/S/P – F frame (1), S –...
  • Page 134
    Description: Set the password for OSPF neighbor authentication when transmitting an unencrypted password.
    Command: esr(config-if-gi)# ip ospf authentication key ascii-text ...
    Keys: <CLEAR-TEXT> – password, set by the string of 8 to 16 characters;
  • Page 135
    Description: Set the static IP address of a neighbor to establish a relation in NBMA and P2MP (Point-to-MultiPoint) networks.
    Command: esr(config-if-gi)# ip ospf neighbor <IP> [ eligible ]
    Keys: <IP> – neighbor's IP address, defined as AAA.BBB.CCC.DDD where each part takes values of ...
  • Page 136: Ospf Configuration Example

    Description: Enable BFD protocol for OSPF protocol.
    Command: esr(config-if-gi)# ip ospf bfd-enable
    esr(config-if-gi)# ipv6 ospf bfd-enable
    5.3.2 OSPF configuration example
    Objective: Configure the OSPF protocol on the router in order to exchange routing information with neighbouring routers. The router should be in the area with identifier 1.1.1.1 and announce routes received via RIP.
  • Page 137: Ospf Stub Area Configuration Example

    esr(config-ospf)# enable
    esr(config-ospf)# exit
    Neighbouring routers are connected to the gi1/0/5 and gi1/0/15 interfaces. To establish neighbouring with other routers, map them to the OSPF process and the area. Next, enable OSPF routing for the interface.
    esr(config)# interface gigabitethernet...
  • Page 138: Virtual Link Configuration Example

    5.3.4 Virtual link configuration example
    Objective: Merge two backbone areas using a virtual link.
    Solution:
    A virtual link is a specialized connection that allows you to merge a split zone or connect a zone to the backbone zone through a third zone.
  • Page 139: Bgp Configuration

    esr# show ip route
    10.0.0.0/24 [150/20] via 10.0.1.1 on gi1/0/12, [ospf1 14:38:35] (0.0.0.2)
    10.0.1.0/24 [0/0] dev gi1/0/12, [direct 14:35:34]
    192.168.20.0/24 [0/0] dev lo1, [direct 14:32:58]
    192.168.10.0/24 [150/30] via 10.0.1.1 on gi1/0/12, [ospf1 14:39:54] (0.0.0.1)
    Since OSPF considers the virtual link as part of the area, R1 routes received from R3 are marked as intrazone and vice versa.
  • Page 140
    Command: esr(config-vrf)# ip protocols bgp max-routes <VALUE>
    esr(config-vrf)# ipv6 protocols bgp max-routes <VALUE>
    Keys: ... [1..3000000];
    • for ESR-20/21/100/200 – [1..2000000];
    • for ESR-10/12V(F)/14VF – [1..800000].
    The default value for the global routing table:
    • for ESR-1700 (5000000);...
  • Page 141
    3.1.2 Description: Create rule.
    Command: (config-route-map)# rule <ORDER>
    Keys: <ORDER> – rule number, takes values of [1..10000].
    3.1.3 Description: Define the list of subnets affected by the rule.
    Command: esr(config-route-map-rule)# match ip address { <ADDR/LEN>...
    Keys: <ADDR/LEN> – IP address and subnet mask, in the format of: ...
  • Page 142
    3.2.1 Description: If you select the prefix-list-based filtering method, create a list of IP networks that will be used to filter ...
    Command: esr(config)# ip prefix-list <NAME>
    Keys: <NAME> – name of a subnet list being configured, set by the string of up to 31 characters.
  • Page 143
    Description: Add BGP process to the system and switch to the BGP process parameters configuration mode.
    Command: esr(config)# router bgp <AS>
    Keys: <AS> – autonomous system number, takes values of [1..4294967295].
    Description: Set the router identifier.
  • Page 144
    Description: Enable BGP process.
    Command: esr(config-bgp)# enable
    Description: Define the type of configured routing information and switch to this configuration mode.
    Command: esr(config-bgp)# address-family { ipv4 ...
    Keys:
    • ipv4 – IPv4 family;
    • ipv6 – IPv6 family;
  • Page 145
    Command: esr(config-bgp-af)# redistribute bgp <AS> [ route-map <NAME> ]
    Keys: <AS> – autonomous system number, takes values of [1..4294967295].
    <NAME> – name of the route map that will be used for advertised BGP routes filtration and modification, set by the string of up to 31 characters.
  • Page 146
    Description: Set the time of minimum and maximum delay during which it is prohibited to establish a connection ...
    Command: esr(config-bgp-af)# timers error-wait <TIME1> ...
    Keys: <TIME1> – minimum delay time in seconds, takes values of [1..65535].
  • Page 147
    Description: Set the password for neighbour authentication (optionally).
    Command: esr(config-bgp-neighbor)# authentication key ascii-text { <CLEAR-TEXT> | encrypted <ENCRYPTED-...
    Keys: <CLEAR-TEXT> – password, set by the string of 8 to 16 characters;
    <ENCRYPTED-TEXT> – encrypted password of 8 to 16 bytes (from 16 to 32 characters) in hexadecimal...
  • Page 148
    Description: Set the mode in which private numbers of autonomous systems are removed from the AS Path of routes ...
    Command: esr(config-bgp-neighbor-af)# remove-private-as ...
    Keys:
    • all – remove all private AS numbers from the AS-path;
    •...
  • Page 149: Configuration Example

    5.4.2 Configuration example
    Objective: Configure BGP on the R3 router with the following parameters:
    • own subnets: 80.66.0.0/24, 80.66.16.0/24;
    • advertising of directly connected subnets;
    • own AS 2500;
    • first neighbour – subnet 219.0.0.0/30, own IP address 219.0.0.1, neighbour IP address 219.0.0.2, AS 2500;...
  • Page 150
    Configure the firewall to receive BGP traffic from the WAN security zone:
    esr-R3(config)# object-group service og_bgp
    esr-R3(config-object-group-service)# port-range
    esr-R3(config-object-group-service)# exit
    esr-R3(config)# security zone wan
    esr-R3(config-zone)# exit
    esr-R3(config)# security zone-pair wan self
    esr-R3(config-zone-pair)# rule
    esr-R3(config-zone-pair-rule)# match protocol tcp
    esr-R3(config-zone-pair-rule)# match destination-port og_bgp
    esr-R3(config-zone-pair-rule)# action permit...
  • Page 151: Bfd Configuration

    Enable IPv4 route exchange:
    esr-R3(config-bgp-neighbor)# address-family ipv4 unicast
    esr-R3(config-bgp-neighbor-af)# enable
    esr-R3(config-bgp-neighbor-af)# exit
    esr-R3(config-bgp-neighbor)# exit
    Create a neighbourhood with the R1 router via eBGP:
    esr-R3(config-bgp)# neighbor 185.0.0.2
    esr-R3(config-bgp-neighbor)# remote-as
    esr-R3(config-bgp-neighbor)# enable
    Enable the exchange of IPv4 routes, permitting the necessary routes for advertising by means of a previously prepared route-map:
    esr-R3(config-bgp-neighbor)# address-family ipv4 unicast
    esr-R3(config-bgp-neighbor-af)# route-map bgp-general out...
  • Page 152
    (optionally) ... [200..65535] for ESR-1000/1200/1500/1700 and [300..65535] for ESR-10/12V(F)/20/21/100/200
    By default:
    • 300 ms on ESR-10/12V(F)/14VF/20/21/100/200
    • 200 ms on ESR-1000/1200/1500/1700
    Description: Set the minimum interval after ... Command: esr(config)# ip bfd ... Keys: <TIMEOUT> – interval after which the...
  • Page 153
    ... message is sent to the neighbor.
    Description: ... On the interface (optionally)
    Command: ... bfd idle-tx-interval <TIMEOUT>
    Keys: <TIMEOUT> – interval after which the BFD packet should be sent, takes values in milliseconds in the range of [200..65535] for ESR-1000/1200/1500/1700 and [300..65535] for ESR-10/12V(F)/14VF/20/21/100/200. Default: 1 second...
  • Page 154: Configuration Example of BFD with BGP

    On the interface in the range of [200..65535] for (optionally) ESR-1000/1200/1500/1700 and [300..65535] for ESR-10/12V(F)/ 20/21/100/200 By default: • 300 ms on ESR-10/12V(F)/ 14VF/20/21/100/200 • 200 ms on ESR-1000/1200/1500/1700 Set the minimum interval after esr(config-if-gi)# ip <TIMEOUT> – interval after which the...
  • Page 155 Solution
    R1 configuration
    Preconfigure the Gi1/0/1 interface:
      esr(config)# interface gigabitethernet 1/0/1
      esr(config-if-gi)# ip firewall disable
      esr(config-if-gi)# ip address 10.0.0.1/24
    Configure eBGP with BFD:
      esr(config)# router bgp
      esr(config-bgp)# address-family ipv4
      esr(config-bgp-af)# neighbor 10.0.0.2
      esr(config-bgp-neighbor)# remote-as
      esr(config-bgp-neighbor)# update-source 10.0.0.1
      esr(config-bgp-neighbor)# bfd-enable...
  • Page 156: PBR Routing Policy Configuration

    5.6 PBR routing policy configuration
    5.6.1 Configuration algorithm of route-map for BGP
    Route-maps may serve as filters that process routing information when it is received from or sent to a neighbouring device. Processing may include filtering on various route criteria and setting attributes (MED, AS-PATH, community, LocalPreference, etc.) for the matching routes.
  • Page 157 Step / Description / Command / Keys:
    Description: BGP ExtendedCommunity attribute value for which the rule should work (optionally).
    Command: esr(config-route-map-rule)# match extcommunity <EXTCOMMUNITY-LIST>
    Keys: <EXTCOMMUNITY-LIST> – extcommunity list, defined as KIND:AS:N, KIND:AS:N, where KIND – extcommunity type: •...
  • Page 158 Step / Description / Command / Keys:
    Description: Set BGP MED attribute value in the route for which the rule should work (optionally).
    Command: esr(config-route-map-rule)# match metric <METRIC>
    Keys: <METRIC> – BGP MED attribute value, takes values in the range of...
  • Page 159 Step / Description / Command / Keys:
    Description: Set BGP ExtCommunity attribute value that will be specified in the route (optionally).
    Command: esr(config-route-map-rule)# action set extcommunity <EXTCOMMUNITY-LIST>
    Keys: <EXTCOMMUNITY-LIST> – extcommunity list, defined as KIND:AS:N, KIND:AS:N, where KIND – extcommunity type: •...
  • Page 160: Configuration Example 1. Route-Map for BGP

    Step / Description / Command / Keys:
    Description: Specify BGP Local Preference attribute value that will be set in the route (optionally).
    Command: esr(config-route-map-rule)# action set local-preference <PREFERENCE>
    Keys: <PREFERENCE> – BGP Local Preference attribute value, takes values in the range of [0..255]...
  • Page 161: Configuration Example 2. Route-Map for BGP

    Solution:
    Create a policy:
      esr# configure
      esr(config)# route-map from-as20
    Create rule 1:
      esr(config-route-map)# rule
    If AS PATH contains AS 20, assign community 20:2020 to it and exit:
      esr(config-route-map-rule)# match as-path contain
      esr(config-route-map-rule)# action set community 20:2020
      esr(config-route-map-rule)# exit
      esr(config-route-map)# exit...
  • Page 162: Route-Map Based on Access Control Lists (Policy-Based Routing) Configuration Algorithm

    Create rule:
      esr(config-route-map)# rule
    If community contains 2500:25, assign MED 240 and Origin EGP to it:
      esr(config-route-map-rule)# match community 2500:25
      esr(config-route-map-rule)# action set metric bgp
      esr(config-route-map-rule)# action set origin egp
      esr(config-route-map-rule)# exit
      esr(config-route-map)# exit
    In the AS 2500 BGP process, enter neighbour parameter configuration:
      esr(config)# router bgp 2500...
  • Page 163: Route-Map Based on Access Control Lists (Policy-Based Routing) Configuration Example

    Step / Description / Command / Keys:
    Description: Set Next-Hop for the packets that meet the requirements of the specified ACL (optionally).
    Command: esr(config-route-map-rule)# action set ip next-hop verify-availability <NEXTHOP>
    Keys: <NEXTHOP> – gateway IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255];...
  • Page 164 Solution:
    Create ACL:
      esr# configure
      esr(config)# ip access-list extended sub20
      esr(config-acl)# rule
      esr(config-acl-rule)# match source-address 10.0.20.0 255.255.255.0
      esr(config-acl-rule)# match destination-address any
      esr(config-acl-rule)# match protocol any
      esr(config-acl-rule)# action permit
      esr(config-acl-rule)# enable
      esr(config-acl-rule)# exit
      esr(config-acl)# exit
      esr(config)# ip access-list extended sub30
      esr(config-acl)# rule
      esr(config-acl-rule)# match source-address...
  • Page 165: VRF Lite Configuration

      esr(config-route-map-rule)# match ip access-group sub30
    Specify the nexthop for sub30 and exit:
      esr(config-route-map-rule)# action set ip next-hop verify-availability 80.16.0.23 10
      esr(config-route-map-rule)# action set ip next-hop verify-availability 184.45.0.150 30
      esr(config-route-map-rule)# exit
      esr(config-route-map)# exit
    Rule 2 should route traffic from the network 10.0.30.0/24 to address 80.16.0.23 and, if that gateway fails, to address 184.45.0.150.
  • Page 166: Configuration Example

    Command: esr(config-vrf)# ipv6 protocols <PROTOCOL> max-routes <VALUE>
    Keys: <VALUE> – number of routes in the routing table, takes values in the range of:
      OSPF: ESR-1000/1200/1500/1700 [1..500000], ESR-20/21/100/200 [1..300000], ESR-10/12V(F)/14VF [1..30000];
      BGP: ESR-1000/1200/1500/1700 [1..2800000], ESR-20/21/100/200 [1..1500000], ESR-10/12V(F)/14VF [1..800000].
      Default value: 0
    Enable and configure dynamic traffic ...
  • Page 167 Create a security zone:
      esr(config)# security zone vrf-sec
      esr(config-zone)# ip vrf forwarding bit
      esr(config-zone)# exit
    Create a rule for the pair of zones and allow all TCP/UDP traffic:
      esr(config)# security zone-pair vrf-sec vrf-sec
      esr(config-zone-pair)# rule
      esr(config-zone-rule)# match source-address any
      esr(config-zone-rule)# match destination-address any
      esr(config-zone-rule)# match protocol udp...
  • Page 168: MultiWAN Configuration

    5.8 MultiWAN configuration
    MultiWAN provides a fail-safe connection with redundant links from multiple providers and balances traffic between the redundant links.
    5.8.1 Configuration algorithm
    Step / Description / Command / Keys:
    Description: Configure the interfaces through which MultiWAN will operate: set IP addresses and specify the security zone.
  • Page 169 Step / Description / Command / Keys:
    Description: Specify the check target and switch to the target parameters configuration mode.
    Command: esr(config-target-list)# target <ID>
    Keys: <ID> – target identifier, set in the range of [1..50]. If the "all" parameter value is...
  • Page 170: Configuration Example

    Step / Description / Command / Keys:
    Description: Set a neighbour's IP address that will be indicated as one of the gateways in a static route created by the MultiWAN service.
    Command: esr(config-if-gi)# wan load-balance nexthop <IP>
    Keys: <IP> – destination IP address (gateway), defined as AAA.BBB.CCC.DDD where each part...
  • Page 171 Solution:
    First, do the following:
    • Configure zones for the te1/0/1 and te1/0/2 interfaces.
    • Specify IP addresses for the te1/0/1 and te1/0/2 interfaces.
    Main configuration step:
    Configure routing:
      esr(config)# ip route 108.16.0.0/28 wan load-balance rule
    Create a WAN rule:
      esr(config)# wan load-balance rule
    Specify the affected interfaces:...
  • Page 172: IS-IS Configuration

    Configure interfaces. In te1/0/1 interface configuration mode, specify the nexthop:
      esr(config)# interface tengigabitethernet 1/0/1
      esr(config-if)# wan load-balance nexthop 203.0.0.1
    In te1/0/1 interface configuration mode, specify the list of targets for the connection check:
      esr(config-if)# wan load-balance target-list google
    In te1/0/1 interface configuration mode, enable WAN mode and exit:
      esr(config-if)# wan load-balance enable
      esr(config-if)# exit...
  • Page 173: Configuration Algorithm

    5.9.1 Configuration algorithm
    Step / Description / Command / Keys:
    Description: Create an IS-IS process and switch to the parameters configuration mode of this process.
    Command: esr(config)# router isis <ID> [vrf <VRF>]
    Keys: <ID> – process number, takes values of [1..65535]; <VRF>...
  • Page 174 Step / Description / Command / Keys:
    Description: Set a list of keys for authentication (optional).
    Command: esr(config-isis)# authentication area key chain <KEYCHAIN>
    Keys: <KEYCHAIN> – key list identifier, set by a string of up to 16 characters.
    Description: Enable transmission of the router name to the LSP (optional).
    Command: esr(config-isis)#
  • Page 175 Step / Description / Command / Keys:
    Description: Set the update interval for own LSP (optional).
    Command: esr(config-isis)# lsp-refresh-interval { min | max } <TIME> [ <LEVEL> ]
    Keys: min – minimum update/generation interval; max – maximum update/generation interval; <TIME>...
  • Page 176 Step / Description / Command / Keys:
    Description: Enable advertising of routes received by alternative ...
    Command: esr(config-isis)# redistribute bgp <AS> [ route-map <NAME> ] [is-type <LEVEL>]
    Keys: <AS> – autonomous system number, takes values of [1..4294967295]; <NAME> – name of the route map that will be used for advertised...
  • Page 177 Step / Description / Command / Keys:
    Command: esr(config-isis)# redistribute isis <ID> <ROUTE-TYPE> [ route-map <NAME> ] [is-type <LEVEL>]
    Keys: <ID> – process number, takes values of [1..65535]; <ROUTE-TYPE> – route type: • level-1 – level 1 routes advertising;...
  • Page 178 Step / Description / Command / Keys:
    Command: esr(config-isis)# redistribute static [ route-map <NAME> ] [is-type <LEVEL>]
    Keys: <NAME> – name of the route map that will be used for advertised static routes filtration and modification, set by a string of up to 31 characters;...
  • Page 179 Step / Description / Command / Keys:
    Description: Enable the use of TLV#8 in hello packets (optional).
    Command: esr(config-if-gi)# isis hello-padding
    Description: Set the priority when selecting DIS (optional).
    Command: esr(config-if-gi)# isis priority <VALUE> [<LEVEL>]
    Keys: <VALUE> – number, may take values [0..127]; <LEVEL>...
  • Page 180 Step / Description / Command / Keys:
    Description: Set the multiplier for calculating and sending Hold Time (optional).
    Command: esr(config-if-gi)# isis hello-multiplier <VALUE> [<LEVEL>]
    Keys: <VALUE> – number, may take values [3..1000]; <LEVEL> – IS-IS protocol operation level: • level-1 – operate only on level •...
  • Page 181 Step / Description / Command / Keys:
    Description: Set the LSP retransmission interval in the PtP network (optional).
    Command: esr(config-if-gi)# isis lsp-retransmit-interval <TIME> [<LEVEL>]
    Keys: <TIME> – time in seconds, takes values of [1..65535]; <LEVEL> – IS-IS protocol operation level: •...
  • Page 182: Configuration Example

    5.9.2 Configuration example
    Objective: Configure the IS-IS protocol on the routers to exchange routing information with neighbours. Router ESR1 will be L1-only, ESR2 will be L1/L2, and ESR3 will be L2-only and located in another area.
    Solution: Pre-configure IP addresses on the interfaces according to the network structure shown in the figure.
  • Page 183 Proceed to the ESR2 router configuration:
      ESR2(config)# router isis
    Set the area number, the same as on ESR1, as well as a unique system identifier:
      ESR2(config-isis)# net 49.0001.2222.2222.2222.00
    Set the router to operate with a narrow metric on level 1 and with a wide metric on level 2, and enable this IS-IS process:
      ESR2(config-isis)# metric-style narrow level-1...
  • Page 184: MPLS Technology Management

    6 MPLS technology management
    • LDP configuration
    • Configuration algorithm
    • Configuration example
    • Configuring session parameters in LDP
    • Algorithm for setting Hello holdtime and Hello interval in the global LDP configuration
    •...
  • Page 185: Configuration Algorithm

    6.1.1 Configuration algorithm
    Step / Description / Command / Keys:
    Description: In the context of MPLS parameters configuration, specify the interfaces involved in the MPLS switching process.
    Keys: <IF> – an interface's name, specified in the form described
    Command: esr(config-mpls)# forwarding interface { <IF>...
  • Page 186: Configuration Example

    6.1.2 Configuration example
    Objective: Configure LDP communication between peers.
    Solution:
    1 ESR pre-configuration: First, IP addresses must be assigned to the interfaces, the firewall must be disabled and one of the interior routing protocols must be configured.
    ESR pre-configuration: ...
  • Page 187 ESR1 pre-configuration:
      hostname ESR1
      router ospf 1
        area 0.0.0.0
          enable
        exit
        enable
      exit
      interface gigabitethernet 1/0/1
        ip firewall disable
        ip address 10.10.10.2/30
        ip ospf instance 1
        ip ospf
      exit
      interface loopback 1
        ip address 4.4.4.4/32
        ip ospf instance 1
        ip ospf...
  • Page 188 3 Configuration on ESR1:
    ESR1
      ESR1# configure
      ESR1(config)# mpls
      ESR1(config-mpls)# forwarding interface gigabitethernet 1/0/1
      ESR1(config-mpls)# ldp
      ESR1(config-ldp)# router-id 4.4.4.4
      ESR1(config-ldp)# enable
      ESR1(config-ldp)# address-family ipv4
      ESR1(config-ldp-af-ipv4)# interface gigabitethernet 1/0/1
      ESR1(config-ldp-af-ipv4-if)# end
      ESR1#
    Check: Enter the following commands on one of the peers. The output will show the parameters of the neighbouring peer obtained from the multicast hello messages.
  • Page 189: Configuring Session Parameters in LDP

    6.2 Configuring session parameters in LDP
    By default, hello messages are sent with the following parameter values:
      Hello interval: 5 seconds
      Hold timer: 15 seconds
      Keepalive holdtime: 180 seconds
    The Hold timer is a negotiated parameter: the smaller of the two values is chosen. This example shows that after negotiation the ESR's Hold timer is 10 seconds.
  • Page 190
      ESR# show mpls ldp discovery detailed
      Local LDP ID: 4.4.4.4
      Discovery sources:
          Interfaces:
              gigabitethernet 1/0/4:
                  Hello interval: 5 seconds
                  Transport IP address: 4.4.4.4 ...
  • Page 191: Algorithm for Setting Hello Holdtime and Hello Interval in the Global LDP Configuration

      ESR# sh mpls ldp neighbor 1.1.1.1
      Peer LDP ID: 1.1.1.1; Local LDP ID 4.4.4.4
          State: Operational
          TCP connection: 1.1.1.1:646 - 4.4.4.4:56668
          Messages sent/received: 401/401
          Uptime: 02:00:24
          Peer holdtime: 55 ...
  • Page 192: Algorithm for Setting Keepalive Holdtime Parameter for the Specific Neighbor

    6.2.4 Algorithm for setting the Keepalive holdtime parameter for a specific neighbor
    Configure the LDP (see section LDP configuration).
    Step / Description / Command / Keys:
    Description: In the neighbor configuration mode, set the Keepalive holdtime parameter.
    Command: esr(config-ldp-neig)# keepalive <TIME>
    Keys: <TIME> – time in seconds in the range of [3..65535]...
  • Page 193: Configuring Session Parameters in Targeted-LDP

    To view the parameters of the established TCP session:
      ESR# sh mpls ldp neighbor 1.1.1.1
      Peer LDP ID: 1.1.1.1; Local LDP ID 4.4.4.4
      State: Operational
      TCP connection: 1.1.1.1:646 4.4.4.4:45414
      Messages sent/received: 15/15
      Uptime: 00:06:31
      Peer holdtime:
      Keepalive interval:
      LDP discovery sources:...
  • Page 194 Example output for the LDP process:
      ESR# sh running-config mpls
      mpls
        ldp
          router-id 1.1.1.1
          keepalive 160
          discovery targeted-hello holdtime 30
          discovery targeted-hello interval 10
          ...
  • Page 195: Algorithm for Setting Hello Holdtime, Hello Interval and Keepalive Holdtime for the LDP Process

      ESR# show mpls ldp discovery detailed
      Targeted hellos:
          1.1.1.1 -> 4.4.4.4:
              Hello interval: 15 seconds
              Transport IP address: 1.1.1.1
              LDP ID: 4.4.4.4
              Source IP address: 4.4.4.4
              Transport IP address: 4.4.4.4
              Hold time: 45 seconds
              Proposed hold time: 45/45 (local/peer) seconds
      ESR# show mpls ldp neighbor 4.4.4.4
      Peer LDP ID: 4.4.4.4;...
  • Page 196: Configuration Example

    Description: In the LDP neighbor configuration mode, set Keepalive holdtime.
    Command: esr(config-ldp-neig)# keepalive <TIME>
    Keys: <TIME> – time in seconds in the range of [3..65535]. Default value: 180
    6.3.3 Configuration example
    Objective: Override the hello holdtime (120 seconds) and hello interval (30 seconds) parameters for the entire targeted-LDP process.
  • Page 197: LDP Tag Filtering Configuration

    To view the parameters of the established TCP session:
      ESR# sh mpls ldp neighbor 4.4.4.4
      Peer LDP ID: 4.4.4.4; Local LDP ID 1.1.1.1
      State: Operational
      TCP connection: 4.4.4.4:34879 1.1.1.1:646
      Messages sent/received: 11/11
      Uptime: 00:01:05
      Peer holdtime:
      Keepalive interval:
      LDP discovery sources:...
  • Page 198: Configuration Example

    6.4.2 Configuration example
    Objective: Assign MPLS labels only to FEC 10.10.0.0/24.
    Solution: On ESR_A and ESR_B create an object-group ADV_LABELS of type network and add the subnet 10.10.0.0/24 to it. On ESR_B also add 192.168.2.0/24.
    ESR_A
      esr(config)# object-group network ADV_LABELS
      esr(config-object-group-network)# ip prefix...
  • Page 199: L2VPN Martini Mode Configuration

    And not assigned to 192.168.2.0/24:
      esr# sh mpls ldp bindings 192.168.2.0/24
      192.168.2.0/24:
          local label: --
          remote label: imp-null lsr: 172.16.0.1
    6.5 L2VPN Martini mode configuration
    L2VPN allows Ethernet frames to be transmitted through the MPLS domain. In this mode, allocation and distribution of tunnel labels is carried out by means of LDP.
  • Page 200 Step / Description / Command / Keys:
    Description: Specify the Attachment Circuit interface.
    Command: esr(config-l2vpn-p2p)# interface { <IF> | <TUN> }
    Keys: <IF> – an interface's name, specified in the form described in section Types and naming order of router interfaces; <TUN> – the name of the tunnel, specified as described in section Types and naming order of router...
  • Page 201: L2VPN VPWS Configuration Example

    If it is necessary to change the default settings for a targeted LDP session, see section Configuring session parameters in targeted-LDP.
    6.5.2 L2VPN VPWS configuration example
    Objective: Configure L2VPN so that the ge1/0/2.100 interface of the CE1 router and the ge1/0/2.100 interface of the CE2 router operate within the same broadcast domain.
  • Page 202 Configure the LDP protocol and enable neighbor detection on the interface towards PE2:
      PE1(config-mpls)# ldp
      PE1(config-ldp)# router-id 1.1.1.1
      PE1(config-ldp)# address-family ipv4
      PE1(config-ldp-af-ipv4)# interface gigabitethernet 1/0/1
      PE1(config-ldp-af-ipv4-if)# exit
      PE1(config-ldp-af-ipv4)# transport-address 1.1.1.1
      PE1(config-ldp-af-ipv4)# exit
      PE1(config-ldp)# enable
      PE1(config-ldp)# exit
    Create a pw-class on the basis of which the virtual channel (pw) will be created later.
  • Page 203 Configure the PE2 router in the same way as PE1:
      PE2# configure
      PE2(config)# interface gigabitethernet 1/0/4.100
      PE2(config-subif)# exit
      PE2(config)# interface gigabitethernet 1/0/1
      PE2(config-if-gi)# mtu 9600
      PE2(config-if-gi)# ip firewall disable
      PE2(config-if-gi)# exit
      PE2(config)# mpls
      PE2(config-mpls)# forwarding interface gigabitethernet...
  • Page 204: L2VPN VPLS Configuration Algorithm

    6.5.3 L2VPN VPLS configuration algorithm
    Step / Description / Command / Keys:
    Configure the LDP (see section LDP configuration).
    Create a network bridge in the system without specifying an IP address (see section Bridge configuration).
    Description: Create a pw-class in the system and ...
    Command: esr(config-l2vpn)# pw-class <WORD>...
  • Page 205: L2VPN VPLS Configuration Example

    Step / Description / Command / Keys:
    Description: Add a description for the pseudo-wire (optional).
    Command: esr(config-l2vpn-pw)# description <LINE>
    Keys: <LINE> — description, set by a string of [1..255] characters.
    Description: Set the pw-class for the pseudo-wire.
    Command: esr(config-l2vpn-pw)# pw-class <WORD>
    Keys: <WORD> — pw-class name...
  • Page 206
    • Enable Jumbo frames support with the "system jumbo-frames" command (the device must be rebooted for the changes to take effect);
    • Configure IP addresses on the interfaces according to the network structure shown in the figure above;
    •...
  • Page 207 Create a new l2vpn of vpls type and add pw to routers PE2 and PE3, taking the pw identifier equal to the VID for convenience (in this case 100):
      PE1(config-l2vpn)# vpls vpls1
      PE1(config-l2vpn-vpls)# bridge-group
      PE1(config-l2vpn-vpls)# pw 100 2.2.2.2
      PE1(config-l2vpn-pw)#...
  • Page 208
      PE2(config-ldp-af-ipv4)# exit
      PE2(config-ldp)# exit
      PE2(config-mpls)# l2vpn
      PE2(config-l2vpn)# pw-class for_vpls1
      PE2(config-l2vpn-pw-class)# exit
      PE2(config-l2vpn)# vpls vpls1
      PE2(config-l2vpn-vpls)# enable
      PE2(config-l2vpn-vpls)# bridge-group
      PE2(config-l2vpn-vpls)# pw 100 1.1.1.1
      PE2(config-l2vpn-pw)# pw-class for_vpls1
      PE2(config-l2vpn-pw)# enable
      PE2(config-l2vpn-pw)# exit
      PE2(config-l2vpn-vpls)# pw 100 3.3.3.3
      PE2(config-l2vpn-pw)# pw-class for_vpls1...
  • Page 209: L2VPN Kompella Mode Configuration

    Make sure that the LDP neighbourhood is established and display the virtual channel (pseudowire) status between PE1, PE2 and PE3:
      PE3# show mpls ldp neighbor
      Peer LDP ID: 1.1.1.1; Local LDP ID 3.3.3.3
      State: Operational
      TCP connection: 1.1.1.1:646...
  • Page 210 Step / Description / Command / Keys:
    Description: Add a bridge domain.
    Command: esr(config-l2vpn-vpls)# bridge-group <ID>
    Keys: <ID> — bridge domain identifier, specified in the range [1..250].
    Description: Switch to the autodiscovery bgp configuration context.
    Command: esr(config-l2vpn-vpls)# autodiscovery bgp
    Description: Specify the route distinguisher for the ...
    Command: esr(config-bgp)# rd <RD>...
  • Page 211 Step / Description / Command / Keys:
    Description: Specify the route target export for the given VPLS instance.
    Command: esr(config-bgp)# route-target export <RT>
    Keys: <RT> – Route-target value, specified in one of the following forms: • <ASN>:<nn> — where <ASN> may take values [1..65535], nn may take values [1..65535];...
  • Page 212: L2VPN VPLS Configuration Example

    6.6.2 L2VPN VPLS configuration example
    Objective: Configure the L2VPN service: all CE devices must work within the same broadcast domain.
    Solution:
    Prerequisites:
    • Enable Jumbo frames support with the "system jumbo-frames" command (the device must be rebooted for the changes to take effect);...
  • Page 213 First, configure the RR router:
    Pre-configuration
      hostname RR
      system jumbo-frames
      router ospf 1
        area 0.0.0.0
          enable
        exit
        enable
      exit
      interface gigabitethernet 1/0/2
        mtu 9500
        ip firewall disable
        ip address 10.30.0.2/30
        ip ospf instance 1
        ip ospf
      exit
      interface gigabitethernet 1/0/3...
  • Page 214 Configure the BGP Route Reflector for the address family l2vpn:
      RR(config)# router bgp 65500
      RR(config-bgp)# router-id 10.10.0.4
      RR(config-bgp)# neighbor 10.10.0.1
      RR(config-bgp-neighbor)# remote-as 65500
      RR(config-bgp-neighbor)# route-reflector-client
      RR(config-bgp-neighbor)# update-source 10.10.0.4
      RR(config-bgp-neighbor)# address-family l2vpn vpls
      RR(config-bgp-neighbor-af)# send-community extended
      RR(config-bgp-neighbor-af)# enable...
  • Page 215 Pre-configuration
        ip firewall disable
        ip address 10.20.0.1/30
        ip ospf instance 1
        ip ospf
      exit
      interface gigabitethernet 1/0/2
        mtu 9500
        ip firewall disable
        ip address 10.30.0.1/30
        ip ospf instance 1
        ip ospf
      exit
      interface gigabitethernet 1/0/3
        mtu 9500
        ip firewall disable
        ip address 10.22.0.1/30...
  • Page 216 BGP configuration:
      PE1(config)# router bgp 65500
      PE1(config-bgp)# router-id 10.10.0.1
      PE1(config-bgp)# neighbor 10.10.0.4
      PE1(config-bgp-neighbor)# remote-as 65500
      PE1(config-bgp-neighbor)# update-source 10.10.0.1
      PE1(config-bgp-neighbor)# address-family l2vpn vpls
      PE1(config-bgp-neighbor-af)# send-community extended
      PE1(config-bgp-neighbor-af)# enable
      PE1(config-bgp-neighbor-af)# exit
      PE1(config-bgp-neighbor)# enable
      PE1(config-bgp-neighbor)# exit
      PE1(config-bgp)# enable
      PE1(config-bgp)# exit...
  • Page 217 Pre-configuration
      interface gigabitethernet 1/0/1
        mtu 9500
        ip firewall disable
        ip address 10.20.0.2/30
        ip ospf instance 1
        ip ospf
      exit
      interface gigabitethernet 1/0/2
        mtu 9500
        ip firewall disable
        ip address 10.21.0.1/30
        ip ospf instance 1
        ip ospf
      exit
      interface gigabitethernet 1/0/3...
  • Page 218
      PE2(config)# router bgp 65500
      PE2(config-bgp)# router-id 10.10.0.2
      PE2(config-bgp)# neighbor 10.10.0.4
      PE2(config-bgp-neighbor)# remote-as 65500
      PE2(config-bgp-neighbor)# update-source 10.10.0.2
      PE2(config-bgp-neighbor)# address-family l2vpn vpls
      PE2(config-bgp-neighbor-af)# send-community extended
      PE2(config-bgp-neighbor-af)# enable
      PE2(config-bgp-neighbor-af)# exit
      PE2(config-bgp-neighbor)# enable
      PE2(config-bgp-neighbor)# exit
      PE2(config-bgp)# enable
      PE2(config-bgp)# exit
    Check that the session with RR is successfully established:
  • Page 219 Configuration of BGP on PE3:
    Pre-configuration
      hostname PE3
      system jumbo-frames
      router ospf 1
        area 0.0.0.0
          enable
        exit
        enable
      exit
      interface gigabitethernet 1/0/2
        mtu 9500
        ip firewall disable
        ip address 10.21.0.2/30
        ip ospf instance 1
        ip ospf
      exit
      interface gigabitethernet 1/0/3...
  • Page 220
      PE3(config)# router bgp 65500
      PE3(config-bgp)# router-id 10.10.0.3
      PE3(config-bgp)# neighbor 10.10.0.4
      PE3(config-bgp-neighbor)# remote-as 65500
      PE3(config-bgp-neighbor)# update-source 10.10.0.3
      PE3(config-bgp-neighbor)# address-family l2vpn vpls
      PE3(config-bgp-neighbor-af)# send-community extended
      PE3(config-bgp-neighbor-af)# enable
      PE3(config-bgp-neighbor-af)# exit
      PE3(config-bgp-neighbor)# enable
      PE3(config-bgp-neighbor)# exit
      PE3(config-bgp)# enable
      PE3(config-bgp)# exit
    Check that the BGP session is successfully established:
  • Page 221 Check that the interface is included in the bridge domain:
      PE1# sh interfaces bridge
      Bridges    Interfaces
      ---------- --------------------------------------------------------------
      bridge     gi1/0/4
      PE1# sh interfaces status bridge
      Interface 'bridge 1' status information:
      Description:
      Operational state:
      Administrative state: Up
      Supports broadcast:
      Supports multicast:...
  • Page 222 PE3:
      PE3(config)# bridge
      PE3(config-bridge)# enable
      PE3(config-bridge)# exit
      PE3(config)# interface gigabitethernet 1/0/4
      PE3(config-if-gi)# mode switchport
      PE3(config-if-gi)# bridge-group
      PE3# sh interfaces bridge
      Bridges    Interfaces
      ---------- --------------------------------------------------------------
      bridge     gi1/0/4
      PE3# sh interfaces status bridge
      Interface    Admin    Link    MAC address    Last change...
  • Page 223
      PE1(config-bgp)# rd 65500:100
      PE1(config-bgp)# route-target import 65500:100
      PE1(config-bgp)# route-target export 65500:100
      PE1(config-bgp)# ve id
      PE1(config-bgp)# vpn id
      PE1(config-bgp)# exit
      PE1(config-l2vpn-vpls)# enable
    After activating the service, check that the route information appeared in the l2vpn table and is advertised to the RR:
      PE1# sh ip bgp l2vpn vpls all
      Status codes: * - valid, >...
  • Page 224
      PE2(config-bgp)# route-target export 65500:100
      PE2(config-bgp)# route-target import 65500:100
      PE2(config-bgp)# vpn id
      PE2(config-bgp)# ve id
      PE2(config-bgp)# exit
      PE2(config-l2vpn-vpls)# enable
    Check that PE2 is advertising the route information to the RR:
      PE2# sh ip bgp l2vpn vpls all neighbor 10.10.0.4 advertise-routes...
  • Page 225 Check the service state:
      PE2# sh mpls l2vpn vpls l2vpn
      VPLS: l2vpn
        bridge 1:
          MTU: 1500
          Status: Up
        ACs:
          gigabitethernet 1/0/4:
            MTU: 1500
            Status: Up
        PWs:
          PW ID 2, Neighbor 10.10.0.1:
            MTU: 1500
            Last change: 00:21:33
            Status:...
  • Page 226 Check that PE3 is advertising the route information to the RR:
      PE3# sh ip bgp l2vpn vpls all neighbor 10.10.0.4 advertise-routes
      Origin codes: i - IGP, e - EGP, ? - incomplete
      Route Distinguisher    Next hop    Metric    LocPrf...
  • Page 227: L3VPN Configuration

    6.7 L3VPN configuration
    The L3VPN service combines distributed client IP networks and ensures traffic transfer between them within a single VRF.
    The current implementation of MP-BGP only supports VPN-IPv4 routes (AFI = 1, SAFI = 128).
    6.7.1 Configuration algorithm
    Step Description...
  • Page 228 Step / Description / Command / Keys:
    Description: Specify the route target import for the given VRF.
    Command: esr(config-vrf)# route-target import <RT>
    Keys: <RT> — Route-target value, specified in one of the following forms: • <ASN>:<nn> — where <ASN> may take values [1..65535], nn may take values [1..65535];...
  • Page 229: Configuration Example

    • ESR-1700 [1..5000000]; • ESR-1000/1200/1500 [1..3000000]; • ESR-20/21/100/200 [1..1500000]; • ESR-10/12V/12VF/14VF [1..800000]. • OSPF and IS-IS: • ESR-1000/1200/1500/1700 [1..500000]; • ESR-20/21/100/200 [1..300000]; • ESR-10/12V/12VF/14VF [1..30000]. In the context of address-family...
  • Page 230 Solution: 1. Configuring addressing and enabling IGP on the routers. ESR1: router ospf log-adjacency-changes router ospf router-id 1.1.1.1 area 0.0.0.0 enable exit enable exit interface loopback ip address 1.1.1.1/32 ip ospf instance ip ospf exit ...
  • Page 231 ESR2: router ospf log-adjacency-changes router ospf router-id 2.2.2.2 area 0.0.0.0 enable exit enable exit interface loopback ip address 2.2.2.2/32 ip ospf instance ip ospf exit interface gigabitethernet 1/0/1.10 ip firewall disable ip address 10.10.10.2/30 ip ospf instance...
  • Page 232 ESR3: router ospf log-adjacency-changes router ospf router-id 3.3.3.3 area 0.0.0.0 enable exit enable exit interface loopback ip address 3.3.3.3/32 ip ospf instance ip ospf exit interface gigabitethernet 1/0/1.20 ip firewall disable ip address 20.20.20.1/30 ip ospf instance...
  • Page 233 ESR4: router ospf log-adjacency-changes router ospf router-id 4.4.4.4 area 0.0.0.0 enable exit enable exit interface loopback ip address 4.4.4.4/32 ip ospf instance ip ospf exit interface gigabitethernet 1/0/1.40 ip firewall disable ip address 40.40.40.2/30 ip ospf instance...
  • Page 234 Make sure that the protocol is running on every router. ESR1# show ip ospf neighbors Router ID Pri State DTime Interface Router IP 2.2.2.2 128 Full/BDR 00:39 gi1/0/1.10 10.10.10.2 4.4.4.4 128 Full/BDR 00:32 gi1/0/1.40 40.40.40.2 ESR1# show ip ospf...
  • Page 235 ESR2: mpls address-family ipv4 transport-address 2.2.2.2 interface gigabitethernet 1/0/1.10 exit interface gigabitethernet 1/0/1.20 exit exit enable exit forwarding interface gigabitethernet 1/0/1.10 forwarding interface gigabitethernet 1/0/1.20 exit ESR3: mpls address-family ipv4 transport-address 3.3.3.3 interface gigabitethernet 1/0/1.20 exit...
  • Page 236 One of the following commands can be used to check LDP convergence: ESR1# show mpls ldp neighbor Peer LDP ID: 2.2.2.2; Local LDP ID 1.1.1.1 State: Operational TCP connection: 2.2.2.2:33933 - 1.1.1.1:646 Messages sent/received: 1059/1070 Uptime: 17:32:07 LDP discovery sources:...
  • Page 237 Configure iBGP between ESR1 and ESR3. Enable extended community sending on both devices. ESR1: ESR1(config)# router bgp log-neighbor-changes ESR1(config)# router bgp 65500 ESR1(config-bgp)# router-id 1.1.1.1 ESR1(config-bgp)# enable ESR1(config-bgp)# neighbor 3.3.3.3 ESR1(config-bgp-neighbor)# remote-as 65500 ESR1(config-bgp-neighbor)# update-source 1.1.1.1 ESR1(config-bgp-neighbor)# enable...
  • Page 238 4. PE-CE routing configuration. Customer1 advertises the subnet 10.100.0.0/24 via BGP (AS65505). Configure an eBGP session between CE_SiteA and By default, route advertising is prohibited for eBGP, so an allow rule must be configured; for iBGP, route advertising is allowed.
  • Page 239 ESR1: Configure the interface towards the CE. Also create a route-map in which the subnets allowed to be advertised are specified. ESR1: interface gigabitethernet 1/0/2 ip vrf forwarding Customer1 description "Customer1" ip firewall disable ip address 192.168.32.1/30 ...
  • Page 240 The following commands can be used to check the accepted and announced routes: ESR1# show ip bgp 65500 vrf Customer1 neighbors 192.168.32.2 advertise-routes Status codes: u - unicast, b - broadcast, m - multicast, a - anycast * - valid, >...
  • Page 241 Configure eBGP between ESR3 and CE_SiteB. CE_SiteB: router bgp 65505 router-id 192.168.32.6 neighbor 192.168.32.5 remote-as 65500 allow-local-as update-source 192.168.32.6 address-family ipv4 unicast route-map OUTPUT out enable exit enable exit address-family ipv4 unicast network 10.100.1.0/24 exit enable...
  • Page 242: Mpls Traffic Balancing

    Allow BGP routes to be transmitted to the peer. ESR3: route-map OUTPUT out enable exit enable exit Allow route forwarding from the VRF to VPNV4 for address-family IPv4. ESR3: address-family ipv4 unicast redistribute connected redistribute bgp 65500 exit...
  • Page 243: Configuration Example

    By default, lbd uses only the MPLS tags to calculate the hash and then distributes the load across the different CPUs. This behaviour is not always an advantage, especially when there are "large" homogeneous streams of MPLS traffic.
  • Page 244 (figure: no recoverable text)
  • Page 245 In LDP signaling, the transport mode is matched between the PEs during pseudowire creation, so it must be the same on both PEs. Consider the rules of traffic processing: 1. Ethernet (Raw) mode: • If the AC is a subinterface, the VLAN tag is removed before the frame is put into the bridge. Upon leaving the bridge, the VLAN tag is restored.
  • Page 246: Assignment Of Mtu When Operating With Mpls

    6.10 Assignment of MTU when operating with MPLS. It is very important to configure the MTU parameter correctly on the interfaces through which a packet is transmitted. This applies both to the establishment of the pseudowire and to the transmission of service traffic. First of all, the MTU value is involved in signaling when constructing a pseudowire, in both LDP signaling and BGP signaling.
  • Page 247 Consider the example: (figure: no recoverable text)
  • Page 248 For BGP signaling the MTU parameter can also be specified. BGP signaling, configuration of MTU for matching: PE1(config)# mpls PE1(config-mpls)# l2vpn PE1(config-l2vpn)# vpls l2vpn_MTU PE1(config-l2vpn-vpls)# autodiscovery bgp PE1(config-bgp)# mtu 1500 PE2# sh mpls l2vpn vpls l2vpn_MTU VPLS: l2vpn_MTU PWs:...
  • Page 249 *E.g., we have bridge domain 100, which includes interfaces gi1/0/1 with MTU value 2000 and gi1/0/2 with MTU value 3000.* CE3(config)# bridge CE3(config-bridge)# enable CE3(config-bridge)# exit CE3(config)# interface gigabitethernet 1/0/1 CE3(config-if-gi)# mtu 2000 CE3(config-if-gi)# bridge-group CE3(config-if-gi)# exit...
  • Page 250 Description: Operational state: Administrative state: Up Supports broadcast: Supports multicast: MTU: 2000 MAC address: a8:f9:4b:aa:11:00 Last change: minutes and seconds Mode: Routerport Consider the example of traffic passing through the L2VPN service. PE1 has the following MTU values on its interfaces: PE1# sh interfaces status Interface Admin...
  • Page 251 The behaviour is similar when passing traffic in the L3VPN service: (figure: no recoverable text) If CE1 sends a packet larger than the MTU of the interface facing the client (gi1/0/2) or of the interface towards the MPLS core (gi1/0/1), the packet will be discarded.
  • Page 252: Security Management

    Basic user rules configuration example • Extended user rules configuration algorithm • Extended user rules configuration example • Eltex Distribution Manager interaction configuration • Base configuration algorithm • Configuration example. 7.1 AAA configuration. AAA (Authentication, Authorization, Accounting) is used to describe access provisioning and control.
  • Page 253: Local Authentication Configuration Algorithm

    7.2 Local authentication configuration algorithm. Description: Set local as the authentication method. Command: esr(config)# aaa authentication login { default | <NAME> } <METHOD 1>... Keys: <NAME> – list name, set by the string of up to 31 characters. Authentication methods:...
  • Page 254 Description: Specify the number of failed authentication attempts to block the user login and the time of the lock. Command: esr(config)# aaa authentication attempts max-fail <COUNT>... Keys: <COUNT> – amount of failed authentication attempts after which a...
  • Page 255 Description: Set the minimum number of lower case letters in the local user password and ENABLE password. Command: esr(config)# security passwords lower-case <COUNT>... Keys: <COUNT> – minimum number of lower case letters in the local user...
  • Page 256: Aaa Configuration Algorithm Via Radius

    Description: Activate the user login authentication list. Command: esr(config-line-ssh)# login authentication <NAME>. Keys: <NAME> – list name, set by the string of up to 31 characters. Description: Activate the authentication list for user privilege elevation. Command: esr(config-line-ssh)# enable authentication <NAME>. Keys: <NAME> – list name, set by the string of up to 31 characters.
  • Page 257 Description: Specify the number of failed authentication attempts to block the user login and the time of the lock. Command: aaa authentication attempts max-fail <COUNT>... Keys: <COUNT> – amount of failed authentication attempts after which a...
  • Page 258 Description: Set radius as the authentication method. Command: esr(config)# aaa authentication login { default | <NAME> } <METHOD 1> [ <METHOD 2>... Keys: <NAME> – list name, set by the string of up to 31 characters. Authentication methods:...
  • Page 259: Aaa Configuration Algorithm Via Tacacs

    Description: Configure radius in the list of user session accounting methods (optional). Command: esr(config)# aaa accounting login start-stop <METHOD 1> [ <METHOD 2> ]. Keys: <METHOD> – accounting methods: • tacacs – session accounting by TACACS;...
  • Page 260 Description: Specify the number of failed authentication attempts to block the user login and the time of the lock. Command: aaa authentication attempts max-fail <COUNT>... Keys: <COUNT> – amount of failed authentication attempts after which a...
  • Page 261 Description: Set TACACS as the authentication method for user privilege elevation. Command: esr(config)# aaa authentication enable <NAME> <METHOD 1> [ <METHOD 2> ]. Keys: <NAME> – list name, set by the string of up to 31 characters; •...
  • Page 262: Aaa Configuration Algorithm Via Ldap

    Description: Activate the authentication list for user privilege elevation. Command: esr(config-line-console)# enable authentication <NAME>. Keys: <NAME> – list name, set by the string of up to 31 characters. Created in step 8. 7.2.3 AAA configuration algorithm via LDAP. Step Description...
  • Page 263 Description: Specify the interval after which the device assumes that the LDAP server has not found user entries. Command: esr(config)# ldap-server search timeout <SEC>. Keys: <SEC> – time interval in seconds, takes values of [0..30]...
  • Page 264 Description: Set the port number to communicate with the remote LDAP server (optional). Command: esr(config-ldap-server)# port <PORT>. Keys: <PORT> – number of the TCP port used to exchange data with a remote server, takes values of [1..65535]. Default value: 389 for LDAP server.
  • Page 265 Description: Set LDAP as the authentication method for user privilege elevation. Command: esr(config)# aaa authentication enable <NAME> <METHOD 1> [ <METHOD... Keys: <NAME> – list name, set by the string of up to 31 characters; •...
  • Page 266: Example Of Authentication Configuration Using Telnet Via Radius Server

    7.2.4 Example of authentication configuration using telnet via RADIUS server. Objective: Configure authentication for users connecting via Telnet and RADIUS (192.168.16.1/24). Solution: Configure the connection to the RADIUS server and specify the key (password): esr# configure esr(config)# radius-server host 192.168.16.1...
  • Page 267: Example Of Command Privilege Configuration

    <COMMAND-MODE> – command mode; <PRIV> – required command subtree privilege level, takes a value in the range of [1..15]; <COMMAND> – command subtree, set by the string of up to 255 characters. 7.3.2 Example of command privilege configuration. Objective: Transfer all interface information display commands to privilege level 10, except for the 'show interfaces bridges' command.
  • Page 268 Description: Enable protection against SYN flood attacks. Command: esr(config)# ip firewall screen dos-defense syn-flood { <NUM>... Keys: <NUM> – maximum amount of TCP packets with the SYN flag set per second, set in the range of...
  • Page 269 Description: Enable the blocking of TCP packets with the SYN and FIN flags set. Command: esr(config)# ip firewall screen spy-blocking syn-fin. Description: Enable the blocking of TCP packets with all flags set or with the set of flags FIN, PSH, URG. Command: esr(config)# ip firewall screen spy-blocking...
  • Page 270: Description Of Attack Protection Mechanisms

    Description: Enable more detailed message output about detected and blocked network attacks in the CLI. Command: esr(config)# logging firewall screen detailed. Description: Enable the mechanism of DoS attack detection and logging via CLI and syslog. Command: esr(config)# logging firewall screen dos-... Keys: <ATACK_TYPE> – DoS attack type, takes the following values: icmp-...
  • Page 271 Command: ip firewall screen dos-defense limit-session-source. Description: When the host's IP session table is overfilled, the host is unable to establish new sessions and drops the requests (this may happen during various DoS attacks: SYN flood, UDP flood, ICMP flood, etc.). The command enables a limit on the number of simultaneous sessions per source address, which mitigates DoS attacks.
  • Page 272 Command: ip firewall screen spy-blocking icmp-type time-exceeded. Description: The given command enables the blocking of all ICMP type 11 (time exceeded) packets, including the packets generated by the router itself. The protection prevents an attacker from learning the network topology and host availability. Command: ip firewall screen spy-blocking ip-sweep. Description: The given command enables protection against IP-sweep attacks.
  • Page 273: Configuration Example Of Logging And Protection Against Network Attacks

    Command: ip firewall screen suspicious-packets syn-fragment. Description: This command enables the blocking of fragmented TCP packets with the SYN flag. TCP packets with the SYN flag are usually small and there is no need to fragment them. The protection prevents the accumulation of fragmented packets in a buffer.
  • Page 274: Firewall Configuration

    esr(config)# security zone LAN esr(config-zone)# exit esr(config)# security zone WAN esr(config-zone)# exit esr(config)# security zone-pair LAN WAN esr(config-zone-pair)# rule esr(config-zone-pair-rule)# action permit esr(config-zone-pair-rule)# enable esr(config-zone-pair-rule)# ex esr(config-zone-pair)# exit esr(config)# security zone-pair WAN LAN esr(config-zone-pair)# rule esr(config-zone-pair-rule)# action permit esr(config-zone-pair-rule)# enable...
  • Page 275: Configuration Algorithm

    7.5.1 Configuration algorithm. Description: Create security zones. Command: esr(config)# security zone <zone-name1> esr(config)# security zone <zone-name2>. Keys: <zone-name> – up to 12 characters. Description: Specify a security zone description. Command: esr(config-zone)# description <description>. Keys: <description> – up to 255 characters.
  • Page 276 Description: Determine the ICMPv6 session lifetime after which it is considered outdated (optional). Command: esr(config)# ip firewall sessions icmpv6-timeout <TIME>. Keys: <TIME> – ICMP session lifetime, takes values in seconds [1..8553600]. Default value: 30 seconds.
  • Page 277 Description: Enable application-level session tracking for certain protocols (optional). Command: esr(config)# ip firewall sessions tracking. Keys: <PROTOCOL> – application-level protocol [ftp, h323, pptp, netbios-ns, tftp] whose sessions should be tracked. <OBJECT-GROUP-SERVICE> – sip session TCP/UDP ports'...
  • Page 278 Command: esr(config-object-group-network)# ip address-range <FROM-ADDR>-<TO-ADDR>. Keys: <FROM-ADDR> – range starting IP address; <TO-ADDR> – range ending IP address, optional parameter; if the parameter is not specified, a single IP address is set by the command. The addresses are defined as AAA.BBB.CCC.DDD where each part takes values of [0..255].
  • Page 279 Description: Specify the applications list description (optional). Command: esr(config-object-group-application)# description <description>. Keys: <description> – profile description, set by the string of up to 255 characters. Description: Add the necessary applications to the lists. Command: esr(config-object-... Keys: <APPLICATION> – specifies the...
  • Page 280 Command: esr(config-zone-rule)# match [not] protocol-id <protocol-id>. Keys: <protocol-id> – IP identification number, takes values of [0x00-0xFF]. Description: Specify the profile of transmitter IP addresses for which the rule should work (optional). Command: esr(config-zone-rule)# match [not] source-addresses... Keys: <OBJ-GROUP-NETWORK-NAME> – IP addresses profile name, set by the...
  • Page 281: Firewall Configuration Example

    Description: Set the filtration only for fragmented IP packets (optional, available only for zone-pair any self and zone-pair <zone-name> any). Command: esr(config-zone-pair-rule)# match [not] fragment. Description: Set the filtration only for IP packets including ip-option (optional, ... Command: esr(config-zone-pair-rule)# match [not] ip-...
  • Page 282 Configure the network interfaces and assign them to security zones: esr(config)# interface gi1/0/2 esr(config-if-gi)# ip address 192.168.12.2/24 esr(config-if-gi)# security-zone LAN esr(config-if-gi)# exit esr(config)# interface gi1/0/3 esr(config-if-gi)# ip address 192.168.23.2/24 esr(config-if-gi)# security-zone WAN esr(config-if-gi)# exit To define the rules for the security zones, create a 'LAN' address profile that includes the addresses which are allowed to access the WAN network, and a 'WAN' network address profile.
  • Page 283: Configuration Example Of Application Filtering (Dpi)

    The router always has a security zone named 'self'. When the traffic recipient is the router itself, i.e. the traffic is not transit, pass the 'self' zone as a parameter. Create a pair of zones for traffic coming from the 'WAN' zone into the 'self' zone.
  • Page 284 Objective: Block access to such resources as youtube, bittorrent and facebook. Solution: Create a security zone for each ESR network: esr# configure esr(config)# security zone LAN esr(config-zone)# exit esr(config)# security zone WAN esr(config-zone)# exit Configure the network interfaces and assign them to security zones: esr(config)# interface...
  • Page 285: Access List (Acl) Configuration

    To set the rules for traffic passing from the "WAN" zone to the "LAN" zone, create a zone pair and add a rule prohibiting the application traffic from passing and a rule allowing the rest of the traffic to pass. Rules are applied with the enable command: esr(config)# security zone-pair WAN LAN esr(config-zone-pair)# rule...
  • Page 286 Description: Specify the description of the configured access control list (optional). Command: esr(config-acl)# description <DESCRIPTION>. Keys: <DESCRIPTION> – access control list description, set by the string of up to 255 characters. Description: Create a rule and switch to its ... Command: esr(config-acl)# rule <ORDER>...
  • Page 287: Access List Configuration Example

    Description: Set the number of the sender TCP/UDP ports for which the rule should work (if the protocol is ... Command: esr(config-acl-rule)# match source-port { <PORT>... Keys: <PORT> – number of sender TCP/UDP port, takes values of [1..65535]. When...
  • Page 288: Ips/Ids Configuration

    esr# configure esr(config)# ip access-list extended white esr(config-acl)# rule esr(config-acl-rule)# action permit esr(config-acl-rule)# match source-address 192.168.20.0 255.255.255.0 esr(config-acl-rule)# enable esr(config-acl-rule)# exit esr(config-acl)# exit Apply the access list to the Gi1/0/19 interface for inbound traffic: esr(config)# interface gigabitethernet 1/0/19...
  • Page 289: Configuration Algorithm For Ips/Ids Rules Autoupdate From External Sources

    Description: Switch to the IPS/IDS configuration mode. Command: esr(config)# security Description: Assign the IPS/IDS security policy. Command: esr(config-ips)# policy <NAME>. Keys: <NAME> – security policy name, set by the string of up to 32 characters. Description: Use all ESR resources for IPS/IDS.
  • Page 290: Recommended Open Rule Update Source

    Description: Set the frequency of update checking (optional). Command: esr(config-ips-upgrade-user-server)# upgrade interval <HOURS>. Keys: <HOURS> – update interval in hours, from 1 to 240. Default value: 24 hours. 7.7.3 Recommended open rule update source. https://sslbl.abuse.ch/ – SSL Blacklist contains lists of 'bad' SSL certificates, i.e....
  • Page 291 https://rules.emergingthreats.net/open/suricata/rules/emerging-current_events.rules – Temporary rules awaiting possible inclusion in permanent rule lists. https://rules.emergingthreats.net/open/suricata/rules/emerging-dns.rules – These rules contain signatures of vulnerabilities in the DNS protocol, signs of the use of DNS by malware, and incorrect use of the DNS protocol.
  • Page 292 https://rules.emergingthreats.net/open/suricata/rules/emerging-policy.rules – These rules describe unwanted network activity (access to MySpace, Ebay). https://rules.emergingthreats.net/open/suricata/rules/emerging-poprules – These rules contain signatures of vulnerabilities in the POP3 protocol and signs of incorrect use of the POP3 protocol. https://rules.emergingthreats.net/open/suricata/rules/emerging-rpc.rules – These rules contain signatures of vulnerabilities in the RPC protocol and signs of incorrect use of the RPC protocol.
  • Page 293: Ips/Ids Configuration Example With Auto-Update Rules

    https://rules.emergingthreats.net/open/suricata/rules/emerging-worm.rules – These rules describe signs of network worm activity. 7.7.4 IPS/IDS configuration example with auto-update rules. Objective: Organize LAN protection with auto-updated rules from open sources. 192.168.1.0/24 – LAN. Solution: Create a profile of the LAN addresses which we will protect: esr(config)# object-group network LAN esr(config-object-group-network)# ip prefix 192.168.1.0/24...
  • Page 294: Basic User Rules Configuration Algorithm

    esr(config-ips)# auto-upgrade esr(config-auto-upgrade)# user-server ET-Open esr(config-ips-upgrade-user-server)# description «emerging threats open rules» esr(config-ips-upgrade-user-server)# url https://rules.emergingthreats.net/open/suricata-4.0/rules/ esr(config-ips-upgrade-user-server)# exit esr(config-auto-upgrade)# user-server Aggressive esr(config-ips-upgrade-user-server)# description «Etnetera aggressive IP blacklist» esr(config-ips-upgrade-user-server)# url https://security.etnetera.cz/feeds/etn_aggressive.rules esr(config-ips-upgrade-user-server)# upgrade interval esr(config-ips-upgrade-user-server)# exit esr(config-auto-upgrade)# user-server SSL-BlackList esr(config-ips-upgrade-user-server)# description «Abuse.ch SSL Blacklist»...
  • Page 295 Description: Specify the action of the given rule. Command: esr(config-ips-category-rule)# action { alert | reject | pass | drop }. Keys: • alert – traffic is allowed and the IPS/IDS service generates a message; •...
  • Page 296 Description: Set the profile of source TCP/UDP ports for which the rule should work. Command: esr(config-ips-category-rule)# source-port {any | <PORT> | object-group <OBJ-GR-... Keys: <PORT> – number of sender TCP/UDP port, takes values of [1..65535]. <OBJ_GR_NAME>...
  • Page 297 Description: Define the message that IPS/IDS will record to the log when this rule triggers. Command: esr(config-ips-category-rule)# meta log-message <MESSAGE>. Keys: <MESSAGE> – text message specified by a string of up to 129 characters.
  • Page 298 Description: Define the traffic classification that will be recorded to the log when this rule triggers. Command: esr(config-ips-category-rule)# meta classification-type { not-suspicious | ... Keys: • not-suspicious – not suspicious traffic; • unknown – unknown traffic; •...
  • Page 299 • network-scan – network scan was detected. • denial-of-service – denial of service attack was detected. • non-standard-protocol – custom protocol or event was detected. • protocol-command-decode – encryption attempt was detected.
  • Page 300 Description: Set the ICMP CODE value for which the rule should work. Command: esr(config-ips-category-rule)# ip icmp code <CODE>. Keys: <CODE> – ICMP CODE value, takes a value in the range [0..255]. Applicable only for protocol icmp value. Description: Comparison operator for ip icmp code. Command: esr(config-ips-...
  • Page 301 Description: Set the TCP Sequence-ID value for which the rule should work (optional). Command: esr(config-ips-category-rule)# ip tcp sequence-id <SEQ-ID>. Keys: <SEQ-ID> – TCP Sequence-ID value, takes a value in the range [0..4294967295]. Applicable only for protocol tcp value.
  • Page 302 Description: Do not distinguish between uppercase and lowercase letters in the description of packet contents. Only applicable in conjunction with the payload content command (optional). Command: esr(config-ips-category-rule)# payload no-case. Description: Set how many bytes from the ... Keys: <DEPTH>...
  • Page 303: Basic User Rules Configuration Example

    Description: Specify the time interval over which the threshold number of packets is considered. Command: esr(config-ips-category-rule)# threshold second <SECOND>. Keys: <SECOND> – time interval in seconds, takes values in the range of [1..65535].
  • Page 304 esr(config-ips-category)# rule esr(config-ips-category-rule)# description «Big ICMP DoS» Drop packets: esr(config-ips-category-rule)# action drop Configure the attack message: esr(config-ips-category-rule)# meta log-message «Big ICMP DoS» esr(config-ips-category-rule)# meta classification-type successful-dos Specify the protocol type for the rule: esr(config-ips-category-rule)# protocol icmp Since we specified the icmp protocol, we need to specify any as the port of the sender and recipient: esr(config-ips-category-rule)# source-port any esr(config-ips-category-rule)# destination-port any...
  • Page 305: Extended User Rules Configuration Algorithm

    esr(config-ips-category-rule)# threshold count 23040
    esr(config-ips-category-rule)# threshold second
    esr(config-ips-category-rule)# threshold track by-dst
    esr(config-ips-category-rule)# threshold type both
    7.7.7 Extended user rules configuration algorithm
    - Description: Specify a name and enter the ... Command: esr(config)# security ... Keys: <WORD>...
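The four threshold keywords above (count, second, track, type) decide when the rule fires, and that is where a detection engineer most often gets a rule wrong: "type both" raises one alert per interval, and only after the count is reached, whereas "limit" and "threshold" behave differently. The following model is an added example written for this page, not ELTEX code and not the engine running on the ESR; it reimplements the three threshold types over a constructed list of packets so the behaviour of each keyword can be checked before a rule is deployed, and it renders the same parameters in the Suricata-style syntax that the manual's extended-rule example uses. The packet dictionaries and addresses are constructed for the example; the rule parameters 23040/by-dst/both come from the page, the smaller count 5 / seconds 10 is only so the sample traffic triggers.

```python
"""Reference model of the ESR user-rule threshold keywords (count / second / track / type)."""
from dataclasses import dataclass


@dataclass
class Threshold:
    count: int                 # "threshold count": packets needed inside one interval
    seconds: int               # "threshold second": length of the interval
    track: str = "by-dst"      # "threshold track": by-dst or by-src
    type: str = "both"         # "threshold type": both, limit or threshold


def suricata_clause(th: Threshold) -> str:
    """Render the same parameters as the threshold keyword of a Suricata-style rule."""
    return "threshold: type %s, track %s, count %d, seconds %d;" % (
        th.type, th.track.replace("-", "_"), th.count, th.seconds)


class ThresholdTracker:
    """Fixed-window counter per tracked address (the window opens at the first packet seen)."""

    def __init__(self, th: Threshold, proto: str = "icmp"):
        self.th = th
        self.proto = proto
        self._state = {}   # key -> [window_start, packets_in_window, already_alerted]

    def observe(self, pkt: dict) -> bool:
        """Feed one packet (keys: ts, src, dst, proto); return True if it raises an alert."""
        if pkt["proto"] != self.proto:
            return False
        key = pkt["dst"] if self.th.track == "by-dst" else pkt["src"]
        st = self._state.get(key)
        if st is None or pkt["ts"] - st[0] >= self.th.seconds:
            st = [pkt["ts"], 0, False]          # start a new interval for this key
            self._state[key] = st
        st[1] += 1
        if self.th.type == "limit":             # at most 'count' alerts per interval
            return st[1] <= self.th.count
        if self.th.type == "threshold":         # one alert per 'count' packets
            return st[1] % self.th.count == 0
        # "both": a single alert per interval, and only once 'count' packets were seen
        if st[1] >= self.th.count and not st[2]:
            st[2] = True
            return True
        return False


def detect(events, th: Threshold, proto: str = "icmp"):
    """Run the tracker over a packet list (any order) and return (ts, src, dst) per alert."""
    tracker = ThresholdTracker(th, proto)
    alerts = []
    for pkt in sorted(events, key=lambda p: p["ts"]):
        if tracker.observe(pkt):
            alerts.append((pkt["ts"], pkt["src"], pkt["dst"]))
    return alerts


# Constructed sample traffic (not a capture): an 8-packet ICMP burst to 10.0.0.1 from eight
# different sources, three ICMP packets to 10.0.0.2, one TCP packet, and a second burst
# to 10.0.0.1 fifteen seconds later.
SAMPLE_EVENTS = (
    [{"ts": 0.1 * i, "src": "198.51.100.%d" % i, "dst": "10.0.0.1", "proto": "icmp"} for i in range(8)]
    + [{"ts": 1.0 + i, "src": "198.51.100.9", "dst": "10.0.0.2", "proto": "icmp"} for i in range(3)]
    + [{"ts": 2.0, "src": "198.51.100.9", "dst": "10.0.0.1", "proto": "tcp"}]
    + [{"ts": 15.0 + 0.1 * i, "src": "198.51.100.1", "dst": "10.0.0.1", "proto": "icmp"} for i in range(5)]
)

if __name__ == "__main__":
    rule = Threshold(count=5, seconds=10)           # small numbers so the sample triggers
    print(suricata_clause(Threshold(count=23040, seconds=30)))
    for ts, src, dst in detect(SAMPLE_EVENTS, rule):
        print("alert Big ICMP DoS at t=%.1f dst=%s (last src %s)" % (ts, dst, src))
```

With "type both" the first burst produces exactly one alert (at the fifth packet) and the later burst, which falls in a new interval, one more; "track by-src" against the same traffic produces one alert in total, because the first burst is spread over eight sources. That difference is the reason the page's rule tracks by destination: a distributed flood to one victim is what a per-source count misses.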
  • Page 306: Eltex Distribution Manager Interaction Configuration

    3, seconds 30; classtype:denial-of-service; sid: 10000002; rev:1; )
    7.8 Eltex Distribution Manager interaction configuration
    EDM (Eltex Distribution Manager) is a service for distributing licensed content to devices via commercial subscription. Using Kaspersky Lab's security infrastructure, including the Kaspersky Security Network cloud-based "collective intelligence"...
  • Page 307: Base Configuration Algorithm

    7.8.1 Base configuration algorithm
    - Description: Go to the content provider configuration. Command: esr(config)# content-provider
    - Description: Specify the EDM server IP address. Command: esr(config-content-provider)# host address <A.B.C.D | WORD | ... Keys: <IP-ADDR> – IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255];...
  • Page 308
    - Description: Enable service-ips on the interface. Command: esr(config)# interface gigabitethernet 1/0/X, then esr(config-if-gi)# service-ips enable
    - Description: Create the IPS/IDS security policy. Command: esr(config)# security WORD(1-31) ips policy WORD(1-31)
    - Description: Specify the IP address profile ... Command: esr(config-ips-policy)# ... Keys: <OBJ-GROUP-NETWORK-NAME>...
  • Page 309
    - Description: Connect the desired category. Command: esr(config-ips-vendor)# category WORD(1-64). Keys: Phishing URL Data Feed – Phishing URL data streams; Malicious URL Data Feed – Malicious URL data streams; Botnet C&C URL Data Feed – Botnet C&C URL data streams; Malicious Hash Data Feed –...
  • Page 310: Configuration Example

    Keys: <DEVICE_NAME> – usb://Partition_name:/ or mmc://Partition_name:/
    - Description: Enable IPS/IDS. Command: esr(config-ips)# enable
    7.8.2 Configuration example:
    Set the content-provider parameters: this is the address of the Eltex server. There must be network reachability between the content-provider server and the router.
  • Page 311
    content-provider
      host address edm.eltex-co.ru
      host port 8098
      upgrade interval
      storage-device mmc://TEST:/
      reboot immediately
      enable
    exit
    After rebooting the device, you can start configuring the IPS service. Specify the IP address profile that IPS/IDS will protect:...
  • Page 312
    category APTURLsDF
      rules action alert
      rules count 1000
      enable
    exit
    category BotnetCAndCURLsDF
      rules action alert
      rules count 1000
      enable
    exit
    category IPReputationDF
      rules action alert
      rules count 1000
      enable
    exit
    category IoTURLsDF
      rules action alert
      rules count 1000
      enable...
  • Page 313
    show security ips content-provider:
    esr-20# show security ips content-provider
    Server: content-provider
    Last MD5 of received files: c60bd0f10716d3f48e18f24828337135
    Next update: October 2020 00:37:06
    This command shows whether the content provider has downloaded rules from the EDM server (indicated by the presence of the MD5 checksum) and when the next update is scheduled for the device.
  • Page 314: Redundancy Management

    8 Redundancy management
    • VRRP configuration
      • Configuration algorithm
      • Configuration example 1
      • Configuration example 2
    • VRRP tracking configuration
      • Configuration algorithm
      • Configuration example
    8.1 VRRP configuration
    VRRP (Virtual Router Redundancy Protocol) is a network protocol designed to increase the availability of routers acting as a default gateway.
  • Page 315
    - Command: esr(config-if-gi)# ipv6 vrrp ip <IPV6-ADDR>. Keys: <IPV6-ADDR> – virtual IPv6 address, defined as X:X:X:X::X where each part takes values in hexadecimal format [0..FFFF]. You can specify up to 8 IPv6 addresses separated by commas.
  • Page 316
    - Description: Set the number of Gratuitous ARP messages that will be sent when the router switches to the Master ... Command: esr(config-if-gi)# vrrp timers garp repeat <COUNT>. Keys: <COUNT> – number of messages, takes values of [1..60]...
  • Page 317: Configuration Example 1

    - Description: Set the mode in which the VRRP IP address remains in the UP state regardless of the state of the interface itself (optional). Command: esr(config-if-gi)# vrrp force-up
    - Description: Specify the delay between the ... Command: esr(config-if-gi)# ... Keys: <TIME>...
  • Page 318: Configuration Example 2

    • configure a zone for the sub-interface;
    • specify an IP address for the sub-interface.
    Main configuration step:
    Configure router R1. Configure VRRP on the created sub-interface. Specify a unique VRRP identifier:
    R1(config)#interface 1/0/5.50
    R1(config-subif)# vrrp id
    Specify the virtual gateway IP address 192.168.1.1/24:
    R1(config-subif)# vrrp ip 192.168.1.1...
  • Page 319
    Main configuration step:
    Configure router R1. Configure VRRP for the 192.168.1.0/24 subnet on the created sub-interface. Specify a unique VRRP identifier:
    R1(config-sub)#interface 1/0/5.50
    R1(config-subif)# vrrp id
    Specify the virtual gateway IP address 192.168.1.1:
    R1(config-subif)# vrrp ip 192.168.1.1
    Specify the VRRP group identifier:
    R1(config-subif)# vrrp group...
  • Page 320: VRRP Tracking Configuration

    8.2 VRRP tracking configuration
    VRRP tracking is a mechanism that activates static routes depending on the VRRP state.
    8.2.1 Configuration algorithm
    - Description: Configure VRRP according to the section «VRRP configuration algorithm».
  • Page 321
    - Description: Create a static IP route to the specified subnet, indicating the tracking object. Command: esr(config)# ip route [vrf <VRF>] <SUBNET> ... Keys: <VRF> – VRF name, set by a string of up to 31 characters.
  • Page 322: Configuration Example

    Keys (continued): • prohibit – when this keyword is specified, packets to this subnet are dropped by the device and the sender receives ICMP Destination Unreachable (Communication administratively prohibited, code 13) in response;...
  • Page 323
    Initial configurations of the routers:
    1 R1 router
    hostname R1
    interface gigabitethernet 1/0/1
      switchport forbidden default-vlan
    exit
    interface gigabitethernet 1/0/1.741
      ip firewall disable
      ip address 192.168.0.2/24
      vrrp id
      vrrp ip 192.168.0.1/24
      vrrp
    exit
    interface gigabitethernet 1/0/2...
  • Page 324
    2 R2 router
    hostname R2
    interface gigabitethernet 1/0/1
      switchport forbidden default-vlan
    exit
    interface gigabitethernet 1/0/1.741
      ip firewall disable
      ip address 192.168.0.3/24
      vrrp id
      vrrp ip 192.168.0.1/24
      vrrp
    exit
    interface gigabitethernet 1/0/2
      switchport forbidden default-vlan
    exit
    interface gigabitethernet...
  • Page 325: Remote Access Configuration

    9 Remote access configuration
    • Configuring a server for remote access to the corporate network via the PPTP protocol
      • Configuration algorithm
      • Configuration example
    • Configuring a server for remote access to the corporate network via the L2TP protocol
    •...
  • Page 326
    - Description: Specify the IP address on which the PPTP server listens. Command: esr(config-pptp-server)# outside-address { object-group <OBJ-GROUP-NETWORK-NAME> ... Keys: <OBJ-GROUP-NETWORK-NAME> – name of the profile containing the IP address the PPTP server should listen on, set by a string of up to 31...
  • Page 327
    - Description: Allow the necessary authentication methods for remote users. Command: esr(config-pptp-server)# authentication method <METHOD>. Keys: <METHOD> – authentication method, possible values: [chap, mschap, mschap-v2, eap, pap]. By default only chap is allowed. Note that pap transmits the user password in clear text and should only be enabled where the path to the server is trusted.
    - Description: Specify the user name (when using ... Command: esr(config-pptp-... Keys: <NAME>...
  • Page 328: Configuration Example

    - Description: Define the list of WINS servers used by remote users (optional). Command: esr(config-pptp-server)# wins-servers object-group <OBJ-GROUP-NETWORK-NAME>. Keys: <OBJ-GROUP-NETWORK-NAME> – name of the IP address profile that includes the required WINS server addresses, set by a string of up to...
  • Page 329
    Solution:
    Create an address profile that contains the address the server listens on:
    esr# configure
    esr(config)# object-group network pptp_outside
    esr(config-object-group-network)# ip address-range 120.11.5.1
    esr(config-object-group-network)# exit
    Create an address profile that contains the local gateway address:
    esr(config)# object-group network pptp_local
    esr(config-object-group-network)# ip address-range 10.10.10.1...
  • Page 330: Configuring Server For Remote Access To Corporate Network Via L2TP Protocol

    Enable the PPTP server:
    esr(config-pptp)# enable
    When the new configuration is applied, the router listens on 120.11.5.1:1723.
    To view PPTP server session status, use the following command:
    esr# show remote-access status pptp server remote-workers
    To view PPTP server session counters, use the following command:
    esr# show remote-access counters pptp server remote-workers
    To clear PPTP server session counters, use the following command:...
  • Page 331
    - Description: Specify a description of the configured server (optional). Command: esr(config-l2tp-server)# description <DESCRIPTION>. Keys: <DESCRIPTION> – L2TP server description, set by a string of up to 255 characters.
    - Description: Specify the IP address on which the server listens ... Command: esr(config-l2tp-... Keys: <OBJ-GROUP-NETWORK-NAME>...
  • Page 332
    - Description: Select the L2TP client authentication mode. Command: esr(config-l2tp-server)# authentication mode { local | radius }. Keys: • local – user authentication against the local base; • radius – user authentication against the RADIUS server base. The router must be configured to interact with a RADIUS server, see section...
  • Page 333: Configuration Example

    - Description: Specify the pre-shared authentication key; it must be the same on both ends of the tunnel. Command: esr(config-l2tp-server)# ipsec authentication pre-shared-key ... Keys: <TEXT> – string of [1..64] ASCII characters; <HEX>...
  • Page 334
    For IPsec, the pre-shared key authentication method is used with key 'password'.
    Solution:
    First, do the following:
    • Configure the RADIUS server connection;
    • Configure zones for the te1/0/1 and gi1/0/1 interfaces;
    • Specify IP addresses for the te1/0/1 and gi1/0/1 interfaces.
    Create an address profile that contains the local gateway address:
    esr(config)# object-group network l2tp_local
    esr(config-object-group-network)# ip address-range...
  • Page 335: Configuring Server For Remote Access To Corporate Network Via OpenVPN Protocol

    Enable the L2TP server:
    esr(config-l2tp)# enable
    When the new configuration is applied, the router listens on IP address 120.11.5.1, port 1701.
    To view L2TP server session status, use the following command:
    esr# show remote-access status l2tp server remote-workers
    To view L2TP server session counters, use the following command:
    esr# show remote-access counters l2tp server remote-workers
    To clear L2TP server session counters, use the following command:...
  • Page 336
    - Description: Define the subnet from which IP addresses are leased to users (only for tunnel ip). Command: esr(config-openvpn-server)# network <ADDR/LEN>. Keys: <ADDR/LEN> – subnet address, set in the following format: AAA.BBB.CCC.DDD/EE – network IP address with prefix mask, where AAA-DDD take values of [0..255] and EE takes values of [1..32].
  • Page 337
    - Description: Specify certificates and keys. Command: esr(config-openvpn-server)# certificate <CERTIFICATE-TYPE> <NAME>. Keys: <CERTIFICATE-TYPE> – certificate or key type, may take the following values: • ca – Certificate Authority; • crl – Certificate Revocation List;...
  • Page 338
    - Description: Set the maximum number of simultaneous user sessions (optional). Command: esr(config-openvpn-server)# client-max <VALUE>. Keys: <VALUE> – maximum number of users, takes values of [1..65535].
    - Description: Enable compression of the data transmitted between clients and the OpenVPN server. Command: esr(config-openvpn-server)# compression ... Compression of data that mixes attacker-influenced and secret content leaks information through the compressed size (the VORACLE class of attacks against OpenVPN), which is why the OpenVPN project recommends leaving compression disabled.
  • Page 339: Configuration Example

    - Description: Define the list of WINS servers used by remote users (optional). Command: esr(config-openvpn-server)# wins-server <ADDR>. Keys: <ADDR> – WINS server IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255].
  • Page 340
    • Diffie-Hellman parameters and HMAC key for TLS
    • Configure a zone for the te1/0/1 interface
    • Specify an IP address for the te1/0/1 interface
    Import certificates and keys via TFTP (TFTP provides neither authentication nor encryption, so the server private key travels in clear text; do this only over an isolated management network and check the certificate fingerprints after import):
    esr# copy tftp://192.168.16.10:/ca.crt certificate:ca/ca.crt
    esr# copy tftp://192.168.16.10:/dh.pem certificate:dh/dh.pem
    esr# copy tftp://192.168.16.10:/server.key certificate:server-key/server.key
    esr# copy...
  • Page 341: Configuring Remote Access Client Via PPPoE

    esr# show remote-access status openvpn server AP
    To view OpenVPN server session counters, use the following command:
    esr# show remote-access counters openvpn server AP
    To clear OpenVPN server session counters, use the following command:
    esr# clear remote-access counters openvpn server AP
    To end the OpenVPN server session of user 'fedor', use one of the following commands:
    esr# clear remote-access session openvpn username fedor...
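Because the OpenVPN material above is fetched with `copy tftp://...`, nothing in that transfer proves the CA certificate that landed on the router is the one the PKI operator issued. The usual check is to compare its fingerprint with one obtained out of band (for instance the value `openssl x509 -noout -fingerprint -sha256` prints on the CA host). The script below is an added example for this page, not ELTEX code and not an ESR command: it extracts the DER body of every CERTIFICATE block in a PEM file, computes fingerprints in the colon-separated form OpenSSL prints, and compares them to an expected value regardless of case or colons. The PEM text it ships with is constructed from dummy bytes so the example runs offline; on a real file the DER is a genuine certificate and the fingerprint can be compared with the one obtained from the CA operator.

```python
"""Fingerprint the certificates in a PEM file and verify them against an expected value."""
import base64
import hashlib
import re

_CERT_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der(pem_text: str):
    """Return the DER bytes of every CERTIFICATE block; keys and DH parameters are ignored."""
    return [base64.b64decode("".join(m.group(1).split())) for m in _CERT_BLOCK.finditer(pem_text)]


def colon_fingerprint(der: bytes, algo: str = "sha256") -> str:
    """Fingerprint in the style of 'openssl x509 -fingerprint': upper-case hex pairs joined by ':'."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fp: str) -> str:
    """Strip colons, spaces and case so 'AB:CD', 'abcd' and 'AB CD' compare equal."""
    return re.sub(r"[^0-9a-f]", "", fp.lower())


def verify_pem(pem_text: str, expected: str, algo: str = "sha256") -> bool:
    """True if any certificate in pem_text has the expected fingerprint under algo."""
    want = normalize(expected)
    return any(normalize(colon_fingerprint(der, algo)) == want for der in pem_to_der(pem_text))


# Constructed sample: the "DER" is dummy bytes, not a real certificate, and the key block
# is there only to show that non-certificate blocks are skipped.
SAMPLE_DER = b"constructed dummy DER bytes, not a real certificate"
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(SAMPLE_DER).decode() + "\n"
    + "-----END CERTIFICATE-----\n"
    + "-----BEGIN RSA PRIVATE KEY-----\n"
    + base64.b64encode(b"dummy key material, also constructed").decode() + "\n"
    + "-----END RSA PRIVATE KEY-----\n"
)

if __name__ == "__main__":
    for der in pem_to_der(SAMPLE_PEM):
        print("SHA256 Fingerprint=" + colon_fingerprint(der, "sha256"))
        print("SHA1 Fingerprint=" + colon_fingerprint(der, "sha1"))
    # Replace the second argument with the fingerprint the CA operator gave you out of band.
    print("match:", verify_pem(SAMPLE_PEM, colon_fingerprint(SAMPLE_DER)))
```

Run it against the ca.crt that was served over TFTP (read the file into `verify_pem`) and against the fingerprint from the CA host; a mismatch means the file was altered or replaced in transit and the OpenVPN server must not be enabled with it. SHA-1 is provided only because older OpenSSL builds print it by default; compare SHA-256 values where possible.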
  • Page 342
    - Description: Specify the MTU size (Maximum Transmission Unit) for the PPPoE tunnel (optional). An MTU above 1500 takes effect only when the 'system jumbo-frames' command is used. Keys: <MTU> – MTU value, takes values in the range: • for ESR-10/12V(F)/14VF – [1280..9600]; • for ESR-20/21 – [1280..9500];...
  • Page 343: Configuration Example

    - Description: Change the number of failed data-link tests before the session is torn down (optional). Command: esr(config-pppoe)# ppp failure-count <NUM>. Keys: <NUM> – number of failed data-link tests, in the range [1..100]. Default value: 10.
    - Description: Change the time interval in seconds ... Command: esr(config-pppoe)# ppp...
  • Page 344: Configuring Remote Access Client Via PPTP

    esr# configure
    esr(config)# tunnel pppoe
    esr(config-pppoe)# ip firewall disable
    Specify the user name and password for the connection to the PPPoE server:
    esr(config-pppoe)# username tester password ascii-text password
    Specify the interface through which the PPPoE connection will be established:
    esr(config-pppoe)# interface gigabitethernet...
  • Page 345
    - Description: Specify the MTU size (Maximum Transmission Unit) for the tunnel (optional). Command: esr(config-pptp)# mtu <MTU>. Keys: <MTU> – MTU value, takes values in the range: • for ESR-10/12V(F)/14VF – [552..9600]; • for ESR-20/21 – [552..9500]; • for ESR-100/200/1000/1200/1500/1700 – [552..10000]. Default value: 1500.
    - Description: Specify the user and set a ... Command: esr(config-pptp)# ... Keys: <NAME>...
  • Page 346: Configuration Example

    - Description: Specify the time interval over which the tunnel load statistics are averaged (optional). Command: esr(config-pptp)# load-average <TIME>. Keys: <TIME> – interval in seconds, takes values of [5..150]. Default value: 5.
    - Description: Specify the authentication method ... Command: esr(config-pptp)# ... Keys: <METHOD>...
  • Page 347: Configuring Remote Access Client Via L2TP

    esr(config-pptp)# username ivan password ascii-text simplepass
    Specify the remote gateway:
    esr(config-pptp)# remote address 20.20.0.1
    Specify a security zone:
    esr(config-pptp)# security-zone VPN
    Enable the PPTP tunnel:
    esr(config-pptp)# enable
    To view the tunnel status, use the following command:
    esr# show tunnels status pptp
    To view sent and received packet counters, use the following command:
    esr# show tunnels counters pptp...
  • Page 348
    - Description: Specify a description of the configured tunnel (optional). Command: esr(config-l2tp)# description <DESCRIPTION>. Keys: <DESCRIPTION> – tunnel description, set by a string of up to 255 characters.
    - Description: Include the L2TP tunnel in a security ... Command: esr(config-l2tp)# ... Keys: <NAME>...
  • Page 349: Configuration Example

    - Description: Specify the MTU size (Maximum Transmission Unit) for the tunnel (optional). Command: esr(config-l2tp)# mtu <MTU>. Keys: <MTU> – MTU value, takes values in the range: • for ESR-10/12V(F)/14VF – [552..9600]; • for ESR-20/21 – [552..9500]; • for ESR-100/200/1000/1200/1500/1700 – [552..10000]. Default value: 1500.
    - Description: Ignore the default route via the given...
  • Page 350
    Solution:
    Create the L2TP tunnel:
    esr(config)# tunnel l2tp
    Specify the account (user ivan) used to connect to the server:
    esr(config-l2tp)# username ivan password ascii-text simplepass
    Specify the remote gateway:
    esr(config-l2tp)# remote address 20.20.0.1
    Specify a security zone:
    esr(config-l2tp)# security-zone VPN
    Specify the IPsec authentication method:
    esr(config-l2tp)# ipsec authentication method pre-shared-key...
  • Page 351
    esr# show tunnels configuration l2tp...
  • Page 352: Service Management

    10 Service management
    • DHCP server configuration
      • Configuration algorithm
      • Configuration example
    • Destination NAT configuration
      • Configuration algorithm
      • Destination NAT configuration example
    • Source NAT configuration
      • Configuration algorithm
      • Configuration example 1
    •...
  • Page 353
    - Description: Create a pool of DHCP server IPv4/IPv6 addresses and switch to its configuration mode. Command: esr(config)# ip dhcp-server pool <NAME>. Keys: <NAME> – IPv4/IPv6 server profile name, set by a string of up to 31 characters.
  • Page 354
    - Description: Add an IPv4/IPv6 address for a specific physical address to the address pool of the DHCP server being configured. Command: esr(config-dhcp-server)# address <ADDR> ... Keys: <ADDR> – client IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255];...
  • Page 355
    - Command: esr(config-ipv6-dhcp-server)# dns-server <IPV6-ADDR>. Keys: <IPV6-ADDR> – DNS server IPv6 address, defined as X:X:X:X::X where each part takes values in hexadecimal format [0..FFFF]. You can specify up to 8 IP addresses separated by commas.
  • Page 356: Configuration Example

    192.168.1.100-192.168.1.125
    esr(config-dhcp-server)# default-lease-time 1:00:00
    Configure the transfer of additional network parameters to clients:
    • default route: 192.168.1.1;
    • domain name: eltex.loc;
    • DNS server list: DNS1: 172.16.0.1, DNS2: 8.8.8.8.
    esr(config-dhcp-server)# domain-name "eltex.loc"
    esr(config-dhcp-server)# default-router 192.168.1.1
    esr(config-dhcp-server)# dns-server 172.16.0.1 8.8.8.8...
  • Page 357: Destination NAT Configuration

    esr(config)# interface gigabitethernet 1/0/1
    esr(config-if-gi)# security-zone trusted
    esr(config-if-gi)# ip address 192.168.1.1/24
    esr(config-if-gi)# exit
    To let DHCP messages reach the server, create the corresponding port profiles containing source port 68 and destination port 67 used by DHCP, and add a rule to the security policy that permits this UDP traffic:
    esr(config)# object-group service dhcp_server
    esr(config-object-group-service)# port-range...
  • Page 358: Configuration Algorithm

    10.2.1 Configuration algorithm
    - Description: Switch to the configuration mode of the destination address translation service. Command: esr(config)# nat destination
    - Description: Create a pool of IP addresses and/or TCP/UDP ports with a specific ... Command: esr(config-dnat)# pool <NAME>. Keys: <NAME> – NAT address pool name,...
  • Page 359
    - Description: Specify the services profile (tcp/udp ports) of the {sender | recipient} for which the rule should work. Command: esr(config-dnat-rule)# match [not] {source|destination}-... Keys: <PORT-SET-NAME> – port profile name, set by a string of up to 31 characters.
  • Page 360: Destination NAT Configuration Example

    10.2.2 Destination NAT configuration example
    Objective: Provide access from the public network, which belongs to the 'UNTRUST' zone, to a LAN server in the 'TRUST' zone. Server address in the LAN – 10.1.1.100. From outside the network the server should be reachable at address 1.2.3.4, port 80.
  • Page 361
    esr(config)# object-group network SERVER_IP
    esr(config-object-group-network)# ip address 10.1.1.100
    esr(config-object-group-network)# exit
    Proceed to DNAT configuration mode and create the destination address and port pool that will be used to translate packets arriving at address 1.2.3.4 from the external network.
    esr(config)# nat destination
    esr(config-dnat)# pool SERVER_POOL
    esr(config-dnat-pool)# ip address...
  • Page 362: Source NAT Configuration

    10.3 Source NAT configuration
    The Source NAT (SNAT) function substitutes the source address of packets transferred through the network gateway. When packets are transferred from the LAN into the public network, the source address is replaced with one of the gateway's public addresses.
  • Page 363
    - Description: Create a rule group with a specific name. Command: esr(config-snat)# ruleset <NAME>. Keys: <NAME> – rule group name, set by a string of up to 31 characters.
    - Description: Specify the VRF instance in which the ... Keys: <VRF>...
  • Page 364: Configuration Example 1

    - Description: Specify the type and code of the ICMP messages for which the rule should work (optional). Command: esr(config-snat-rule)# match [not] icmp {<ICMP_TYPE> <ICMP_CODE> ... Keys: <ICMP_TYPE> – ICMP message type, takes values of [0..255]. <ICMP_CODE>...
  • Page 365
    Solution:
    Begin the configuration by creating the security zones, configuring the network interfaces and assigning them to security zones. Create the 'TRUST' zone for the LAN and the 'UNTRUST' zone for the public network.
    esr# configure
    esr(config)# security zone UNTRUST
    esr(config-zone)# exit
    esr(config)# security zone TRUST
    esr(config-zone)# exit...
  • Page 366
    To pass traffic from the 'TRUST' zone into the 'UNTRUST' zone, create a zone pair and add rules permitting traffic in this direction. The rule additionally checks that the source address belongs to the 'LOCAL_NET' address range, so that only those hosts get access to the public network.
  • Page 367: Configuration Example 2

    10.3.3 Configuration example 2
    Objective: Configure access for users in LAN 21.12.2.0/24 to the public network using the Source NAT function without the firewall. Public network address range for SNAT: 200.10.0.100-200.10.0.249.
    Solution:
    Begin the configuration with the network interfaces and disable the firewall:
    esr(config)# interface gigabitethernet...
  • Page 368: Static NAT Configuration

    esr(config-snat)# ruleset SNAT
    esr(config-snat-ruleset)# to interface te1/0/1
    esr(config-snat-ruleset)# rule
    esr(config-snat-rule)# match source-address LOCAL_NET
    esr(config-snat-rule)# action source-nat pool TRANSLATE_ADDRESS
    esr(config-snat-rule)# enable
    esr(config-snat-rule)# exit
    esr(config-snat-ruleset)# exit
    For the router to answer ARP requests for addresses from the public pool, the ARP Proxy service must be enabled.
  • Page 369
    Solution:
    Begin the configuration with the network interfaces and disable the firewall:
    esr(config)# interface gigabitethernet 1/0/1
    esr(config-if-gi)# ip address 21.12.2.1/24
    esr(config-if-gi)# ip firewall disable
    esr(config-if-gi)# exit
    esr(config)# interface tengigabitethernet 1/0/1
    esr(config-if-te)# ip address 200.10.0.1/24
    esr(config-if-te)# ip firewall disable
    esr(config-if-te)# exit
    For the Static NAT configuration, create the 'LOCAL_NET' LAN address profile, which includes the local subnet, and...
  • Page 370: HTTP/HTTPS Traffic Proxying

    Configure the Static NAT service in SNAT configuration mode. In the ruleset attributes, specify that the rules apply only to packets sent to the public network through port te1/0/1. The rules check that the source address belongs to “LOCAL_NET”...
  • Page 371
    - Description: Choose the default action. Command: esr(config-profile)# default action {deny|permit|redirect} [redirect-url <URL>]. Keys: <URL> – address of the host to which requests will be sent.
    - Description: Specify a description (optional). Command: esr(config-profile)# description <description>. Keys: <description> – up to 255 characters...
  • Page 372
    - Description: Add the necessary services (tcp/udp ports) to the list. Command: esr(config-object-group-service)# port-range 3128-3135. Keys: the ESR proxy server uses the ports starting from the base port defined in step 10. The HTTP proxy uses ports from the base port up to base port + (number of CPUs of this ESR model) - 1...
  • Page 373: HTTP Proxy Configuration Example

    10.5.2 HTTP proxy configuration example
    Objective: Organize URL filtering for a number of addresses using a proxy.
    Solution:
    Create a set of URLs to filter by. Configure a proxy filter and specify the actions for the created set of URLs:
    esr# configure
    esr(config)# object-group url test1
    esr(config-object-group-url)# url...
  • Page 374: NTP Configuration

    esr(config)# object-group service proxy
    esr(config-object-group-service)# port-range 3128-3135
    esr(config-object-group-service)# exit
    Create a permissive inter-zone rule:
    esr(config)# security zone-pair LAN self
    esr(config-zone-pair)# rule
    esr(config-zone-pair-rule)# action permit
    esr(config-zone-pair-rule)# match protocol tcp
    esr(config-zone-pair-rule)# match destination-port proxy
    esr(config-zone-pair-rule)# enable
    esr(config-zone-pair-rule)# exit
    esr(config-zone-pair)# exit...
  • Page 375
    - Description: Set the minimum time interval between messages sent to the NTP server (optional). Command: esr(config-ntp)# minpoll <INTERVAL>. Keys: <INTERVAL> – exponent of the minimum poll interval; the interval in seconds is 2 raised to this power, takes values of [4..6] (16, 32 or 64 seconds).
  • Page 376: Configuration Example

    - Description: Specify the source IP address for NTP packets to all peers (optional). Command: esr(config)# ntp source address <ADDR>. Keys: <ADDR> – IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255].
    - Description: Set the current time and date. Command: esr# set date <TIME>...
  • Page 377
    Solution:
    First, do the following:
    • specify the security zone for the gi1/0/1 interface;
    • configure the IP address for the gi1/0/1 interface to provide IP connectivity to the NTP server.
    Example:
    security zone untrust
    exit
    object-group service NTP
      port-range...
  • Page 378
    esr# show ntp peers...
  • Page 379: Monitoring

    11 Monitoring
    • Netflow configuration
      • Configuration algorithm
      • Configuration example
    • sFlow configuration
      • Configuration algorithm
      • Configuration example
    • SNMP configuration
      • Configuration algorithm
      • Configuration example
    • Zabbix-agent/proxy configuration
      • Configuration algorithm
    •...
  • Page 380: Configuration Example

    - Description: Set the rate at which statistics are sent to the Netflow collector. Command: esr(config)# netflow refresh-rate <RATE>. Keys: <RATE> – statistics sending rate, set in packets/flow, takes values of [1..10000]. Default value: 10.
  • Page 381: sFlow Configuration

    • Assign IP addresses to the ports.
    2 Main configuration step:
    Specify the collector IP address:
    esr(config)# netflow collector 10.10.0.2
    Enable Netflow statistics export for the gi1/0/1 network interface:
    esr(config)# interface gigabitethernet 1/0/1
    esr(config-if-gi)# ip netflow export
    Enable Netflow on the router:
    esr(config)# netflow enable
    To view the Netflow statistics, use the following command:...
  • Page 382: Configuration Example

    Description: Create the sFlow collector and switch to its configuration mode. Command: esr(config)# sflow collector <ADDR>. Keys: <ADDR> – collector IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255].
    Description: Enable statistics sending to the sFlow server in the interface/... Command: esr(config-if-gi)# ip...
  • Page 383: SNMP Configuration

    esr(config)# interface gi1/0/1
    esr(config-if-gi)# security-zone UNTRUSTED
    esr(config-if-gi)# ip address 10.10.0.1/24
    esr(config-if-gi)# exit
    esr(config)# interface gi1/0/2-3
    esr(config-if-gi)# security-zone TRUSTED
    esr(config-if-gi)# exit
    esr(config)# interface gi1/0/2
    esr(config-if-gi)# ip address 192.168.1.5/24
    esr(config-if-gi)# exit
    esr(config)# interface gi1/0/3
    esr(config-if-gi)# ip address 192.168.3.5/24
    esr(config-if-gi)# exit
    Specify the collector IP address:...
  • Page 384

    Description: Specify the community for access via SNMPv2c. Command: esr(config)# snmp-server community <COMMUNITY> [ <TYPE> ] [ { <IP-ADDR> | <IPV6-ADDR>... Keys: <COMMUNITY> – community for the access via SNMP; <TYPE> – access level:...
  • Page 385

    Description: Specify user access level via SNMPv3. Command: esr(config-snmp-user)# access <TYPE>. Keys: <TYPE> – access level: ro – read-only access; rw – read and write access.
    Description: Specify user security mode via... Command: esr(config-snmp-user)#... Keys: <TYPE>...
  • Page 386

    Description: Specify the transmitted data encryption algorithm. Command: esr(config-snmp-user)# privacy algorithm <ALGORITHM>. Keys: <ALGORITHM> – encryption algorithm: aes128 – use AES-128 encryption algorithm; des – use DES encryption algorithm.
    Description: Set password for the transmitted... Command: esr(config-snmp-user)#... Keys: <CLEAR-TEXT>...
  • Page 387: Configuration Example

    Description: Allow different types of SNMP notifications to be sent. Command: esr(config)# snmp-server enable traps <TYPE>. Keys: <TYPE> – type of filtered messages. May take the following values: config, entry, entry-sensor, environment, envmon, files-operations, flash, flash-operations, interfaces, links, ports, screens,...
  • Page 388: Zabbix-Agent/Proxy Configuration

    Specify security mode:
    esr(snmp-user)# authentication access priv
    Specify authentication algorithm for SNMPv3 requests:
    esr(snmp-user)# authentication algorithm md5
    Set the password for SNMPv3 request authentication:
    esr(snmp-user)# authentication key ascii-text 123456789
    Specify the transmitted data encryption algorithm:
    esr(snmp-user)# privacy algorithm aes128
    Set password for the transmitted data encryption:
    esr(snmp-user)# privacy key ascii-text...
  • Page 389

    Description: Specify the host name (optional). For active mode, the name must match the host name on the Zabbix server. Command: esr(config-zabbix)# hostname <WORD>; esr(config-zabbix-proxy)# hostname. Keys: <WORD> – host name, set by the string of up to 255 characters.
  • Page 390: Zabbix-Agent Configuration Example

    Description: Allow access to the router (to the self zone) on TCP ports 10050, 10051 from the appropriate firewall security zone. See Firewall configuration.
    11.4.2 Zabbix-agent configuration example
    Objective: Configure the interaction between the agent and the server to execute remote commands from the server.
    Solution: In the context of the agent settings, specify the address of the Zabbix server and the address from which the server will interact:...
  • Page 391: Zabbix-Agent Configuration Example

    11.4.3 Zabbix-agent configuration example
    Create the host:...
  • Page 392

    Create the script (Administration -> Scripts -> Create Script). ESR routers support execution of the following privileged commands:
    • Ping: zabbix_get -s {HOST.CONN} -p 10050 -k "system.run[sudo ping -c 3 192.168.32.101]"
    The client (ESR) that receives this command from the server will execute the ping command to the specified host (in our example, 192.168.32.101) and return the result to the server.
  • Page 393

    • Fping in VRF: zabbix_get -s {HOST.CONN} -p 10050 -k "system.run[sudo netns-exec -n backup sudo fping 192.168.32.101]"
    • Traceroute: zabbix_get -s {HOST.CONN} -p 10050 -k "system.run[sudo traceroute 192.168.32.101]"
    The client (ESR) that receives this command from the server will execute the traceroute command to the specified host (in our example, 192.168.32.101) and return the result to the server.
  • Page 394: Syslog Configuration

    Iperf command execution example:
    It is also possible to execute commands that do not require privileges, such as snmpget, cat, pwd, wget and others. Example of the snmpget command execution:
    11.5 Syslog configuration
    Syslog (system log) –...
  • Page 395: Configuration Algorithm

    11.5.1 Configuration algorithm
    Description: Set the level of syslog messages that will be sent to the SNMP server in the form of snmp-trap. Command: esr(config)# syslog snmp <SEVERITY>. Keys: <SEVERITY> – message importance level, takes values (in order of...
  • Page 396

    Description: Enable the sending of syslog messages of a specified level of importance to a remote syslog... Command: esr(config)# syslog host <HOSTNAME>... Keys: <HOSTNAME> – syslog server name, set by the string of up to 31 characters. <ADDR>...
  • Page 397: Configuration Example

    11.5.2 Configuration example
    Objective: Configure message sending for the following system events:
    • failed user authentication;
    • changes to the configuration of logging system events;
    • start/stop of the system process;
    • changes to the user profile.
    ESR router IP address: 192.168.52.8, Syslog server IP address: 192.168.52.41.
  • Page 398: Integrity Check

    esr(config)# logging userinfo
    The configuration changes come into effect after applying the following commands:
    esr# commit
    Configuration has been successfully committed
    esr# confirm
    Configuration has been successfully confirmed
    View the current syslog configuration:
    esr# show syslog configuration
    View the syslog entries:
    esr# show syslog ESR...
  • Page 399: Configuration Process

    11.7.1 Configuration process
    Description: Switch to the configuration file backup mode. Command: esr(config)# archive.
    Description: Set router configuration backup type (optional). Command: esr(config-ahchive)# type <TYPE>. Keys: <TYPE> – type of the router configuration backup. Takes the following values:...
  • Page 400

    Solution: For remote configuration archiving to work, IP connectivity must be established between the router and the server, TFTP traffic must be permitted to pass through the network, and saving files on the server must be allowed.
  • Page 401: BRAS (Broadband Remote Access Server) Management

    12 BRAS (Broadband Remote Access Server) management
    • Configuration algorithm
    • Example of configuration with SoftWLC
    • Example of configuration without SoftWLC
    12.1 Configuration algorithm
    Description: Add RADIUS server to the list of used... Command: esr(config)# radius <IP-ADDR>...
  • Page 402

    Description: Set the password for authentication on the remote DAS server. Command: esr(config-das-server)# key ascii-text {<TEXT>|encrypted <ENCRYPTED-TEXT>}. Keys: <TEXT> – string of [8..16] ASCII characters; <ENCRYPTED-TEXT> – encrypted password, [8..16] bytes size, set by the string of [16..32]...
  • Page 403

    Description: Switch to the default service configuration mode. Command: esr(config-subscriber-control)# default-service.
    Description: Bind the specified QoS class to the default service. Command: esr(config-subscriber-default-service)#... Keys: <NAME> – name of the class being bound, set by the string of up to 31 characters.
  • Page 404

    Description: Enable user control on the interface. Command: esr(config-if-gi)# service-subscriber-control {any | object-group <NAME>}. Keys: <NAME> – IP addresses profile name, set by the string of up to 31 characters.
    Description: Enable iterative query of quota value when it expires for user services with... Command: esr(config-subscriber-control)# quota-...
  • Page 405

    Description: Define HTTP Proxy server port on the router (optional). Command: esr(config-subscriber-control)# ip proxy http redirect-port <PORT>. Keys: <PORT> – port number, set in the range of [1..65535].
    Description: Define destination TCP ports from... Command: esr(config-subscriber-... Keys: <NAME>...
  • Page 406: Example Of Configuration With SoftWLC

    Provide access to the Internet only to authorized users.
    Solution: The SoftWLC server keeps account data and tariff plan parameters. More detailed information on installing and configuring the SoftWLC server is available at the following links:
    https://docs.eltex-co.ru/display/doc/v1.16_SoftWLC – general SoftWLC article;
    https://docs.eltex-co.ru/pages/viewpage.action?pageId=58230784 – installation of SoftWLC from repositories.
  • Page 407

    Location parameter (see bridge 2 configuration). The module responsible for AAA operations is based on eltex-radius and is reachable at the SoftWLC IP address. The authentication and accounting port numbers in the example below are the SoftWLC default values.
  • Page 408

    esr(config)# object-group network server
    esr(config-object-group-network)# ip address-range 192.0.2.20
    esr(config-object-group-network)# exit
    esr(config)# das-server CoA
    esr(config-das-server)# key ascii-text password
    esr(config-das-server)# port 3799
    esr(config-das-server)# clients object-group server
    esr(config-das-server)# exit
    esr(config)# aaa das-profile CoA
    esr(config-aaa-das-profile)# das-server CoA
    esr(config-aaa-das-profile)# exit
    Traffic from the trusted zone is blocked before authentication, as well as DHCP and DNS requests.
  • Page 409

    Specify the web resources which are available without authorization:
    esr(config)# object-group url defaultservice
    esr(config-object-group-url)# url http://eltex.nsk.ru
    esr(config-object-group-url)# exit
    The URL filtering lists are kept on the SoftWLC server (if the addressing differs from the example, change only the IP address of the SoftWLC server and leave the rest of the URL unchanged):
    esr(config)# subscriber-control filters-server-url http://192.0.2.20:7070/Filters/file/...
  • Page 410

    esr(config)# security zone-pair trusted untrusted
    esr(config-zone-pair)# rule
    esr(config-zone-pair-rule)# action permit
    esr(config-zone-pair-rule)# match protocol any
    esr(config-zone-pair-rule)# match source-address any
    esr(config-zone-pair-rule)# match destination-address any
    esr(config-zone-pair-rule)# enable
    esr(config-zone-pair-rule)# exit
    esr(config-zone-pair)# exit
    esr(config)# security zone-pair dmz untrusted
    esr(config-zone-pair)# rule
    esr(config-zone-pair-rule)# action permit
    esr(config-zone-pair-rule)# match protocol any...
  • Page 411

    esr(config)# object-group service bras
    esr(config-object-group-service)# port-range 3129
    esr(config-object-group-service)# port-range 3128
    esr(config-object-group-service)# exit
    esr(config)# security zone-pair trusted self
    esr(config-zone-pair)# rule
    esr(config-zone-pair-rule)# action permit
    esr(config-zone-pair-rule)# match protocol tcp
    esr(config-zone-pair-rule)# match source-address any
    esr(config-zone-pair-rule)# match destination-address any
    esr(config-zone-pair-rule)# match source-port any
    esr(config-zone-pair-rule)# match destination-port bras
    esr(config-zone-pair-rule)# enable...
  • Page 412: Example Of Configuration Without SoftWLC

    12.3 Example of configuration without SoftWLC
    Objective: Configure BRAS without SoftWLC support.
    Given: Subnet with clients 10.10.0.0/16, subnet for working with FreeRADIUS server 192.168.1.1/24
    Solution:
    12.3.1 Step 1: RADIUS server configuration.
    For the FreeRADIUS server, you need to specify the subnet that can send the queries and add a user list. To do this, add the following to the users file in the directory with FreeRADIUS server configuration files:
    User profile: <MACADDR>...
  • Page 413: Step 2

    # Action that is applied to the traffic by ESR (permit, deny, redirect)
    Cisco-AVPair = "subscriber:filter-default-action=<ACTION>",
    # The ability of IP flows passing (enabled-uplink, enabled-downlink, enabled, disabled)
    Cisco-AVPair = "subscriber:flow-status=<STATUS>"
    Add the subnet in which ESR is located to the clients.conf file:
    client ESR {
    ipaddr = <SUBNET>...
  • Page 414

    esr(config)# sh licence
    Licence information
    -------------------
    Name:    Eltex
    Version:
    Type:    ESR-X
    S/N:     NP00000000
    MAC:     XX:XX:XX:XX:XX:XX
    Features:
      BRAS – Broadband Remote Access Server
    Configuration of parameters for the interaction with the RADIUS server:
    esr(config)# radius-server host 192.168.1.2...
  • Page 415

    esr(config)# ip access-list extended BYPASS
    esr(config-acl)# rule
    esr(config-acl-rule)# action permit
    esr(config-acl-rule)# match protocol udp
    esr(config-acl-rule)# match source-address any
    esr(config-acl-rule)# match destination-address any
    esr(config-acl-rule)# match source-port
    esr(config-acl-rule)# match destination-port
    esr(config-acl-rule)# enable
    esr(config-acl-rule)# exit
    esr(config-acl)# rule
    esr(config-acl-rule)# action permit...
  • Page 416

    Configuration of filtering by URL is obligatory. It is necessary to configure http-proxy filtering on the BRAS for non-authorised users:
    esr(config)# object-group url defaultserv
    esr(config-object-group-url)# url http://eltex.nsk.ru
    esr(config-object-group-url)# url http://ya.ru
    esr(config-object-group-url)# url https://ya.ru
    esr(config-object-group-url)# exit
    Configure and enable BRAS, defining the NAS IP as the address of the interface interacting with the RADIUS server...
  • Page 417

    esr(config)# bridge
    esr(config-bridge)# vlan
    esr(config-bridge)# ip firewall disable
    esr(config-bridge)# ip address 10.10.0.1/16
    esr(config-bridge)# ip helper-address 192.168.1.2
    esr(config-bridge)# service-subscriber-control any
    esr(config-bridge)# location USER
    esr(config-bridge)# protected-ports
    esr(config-bridge)# protected-ports exclude vlan
    esr(config-bridge)# enable
    esr(config-bridge)# exit
    Configure the port towards the SoftWLC server:
    esr(config)# interface gigabitethernet...
  • Page 418

    esr # sh subscriber-control sessions status
    Session id           User name  IP address  MAC address        Interface   Domain
    -------------------- ---------- ----------- ------------------ ----------- ------
    1729382256910270473  Bras_user  10.10.0.3   54:e1:ad:8f:37:35  gi1/0/3.10...
  • Page 419: VoIP Management

    13 VoIP management
    • SIP profile configuration algorithm
    • FXS/FXO ports configuration algorithm
    • Dial plan configuration algorithm
    • PBX server configuration algorithm
    • Registration trunk creation algorithm
    • VoIP configuration example
    • Dial plan configuration example
    •...
  • Page 420: FXS/FXO Ports Configuration Algorithm

    Description: Configure a registration server address. Command: esr(config-voip-sip-proxy)# ip address registration-server <IP>. Keys: <IP> – registration server IP address.
    Description: Configure a registration server port. Command: esr(config-voip-sip-proxy)# ip port registration-server <PORT>. Keys: <PORT> – number of the registration server UDP port, takes values of [1..65535].
  • Page 421

    Description: Configure a login for authentication. Command: esr(config-voice-port-fxs)# authentication name <LOGIN>. Keys: <LOGIN> – login for authentication, set by the string of up to 31 characters.
    Description: Configure a password for... Command: esr(config-voice-port-... Keys: <PASS>...
  • Page 422: Dial Plan Configuration Algorithm

    ESR service routers. ESR-Series. Functionality description. Version 1.12.0 Step Description Command Keys Number of the subscriber that will <PHONE> – phone number that esr(config-voice-port- receive calls from PSTN fxo)# hotline number calls are made to when using the ipt <PHONE> service, takes the value from 1 to “Hot/Warm line”...
  • Page 423

    Description: Applying a routing rule. Command: esr(config-pbx-rule)# enable.
    Description: Creating a SIP profile on a PBX server. Command: esr(config-pbx)# profile <PROFILE>. Keys: <PROFILE> – name of the SIP profile used by the PBX server, set by the string of up to 31 characters.
  • Page 424: Registration Trunk Creation Algorithm

    13.5 Registration trunk creation algorithm
    Description: PBX server configuration. Command: esr(config)# pbx.
    Description: Trunk creation. Command: esr(config-pbx)# register-server <name>. Keys: <name> – trunk name, set by the string of up to 31 characters.
    Description: Registration server address. Command: esr(config-pbx-reg-... Keys: <IP>...
  • Page 425

    esr(config)# sip profile
    Configure a primary SIP proxy server and registration server:
    esr(config-sip-profile)# proxy primary
    Configure the SIP proxy server address (use an embedded SIP server as the SIP proxy server):
    esr(config-voip-sip-proxy)# ip address proxy-server 192.0.2.5
    Configure a SIP proxy server port:
    esr(config-voip-sip-proxy)# ip port proxy-server...
  • Page 426

    esr(config-sip-profile)# sip-domain address sipdomain.com
    If it is necessary to use the SIP Domain for registration, use the following command:
    esr(config-sip-profile)# sip-domain registration enable
    In this configuration all calls will be directed to the SIP proxy server. If it is necessary to specify another direction for outgoing calls, perform the following:
    Create a numbering plan, see section Dial plan configuration...
  • Page 427: Dial Plan Configuration Example

    esr(config-voice-port-fxs)# exit
    13.7 Dial plan configuration example
    Objective: Configure a dial plan in such a manner that calls to local numbers (connected to the given ESR-12V) are switched locally and calls to all other directions go through the SIP proxy.
    Solution: Create a dial plan:
    esr(config)# dialplan pattern firstDialplan...
  • Page 428

    • Example 2: ([1-39]) – the example from the previous paragraph in another record format.
    The 'X' character corresponds to any digit from 0 to 9.
    • Example: (1XX) – any three-digit number starting with 1.
    '.' – the previous symbol repeated from 0 to infinity times.
  • Page 429: FXO Port Configuration

    • Example 4: (S0 <:82125551234>) – speed dial of the specified number, an analogue of the «Hotline» mode on other gateways.
    • Example 5: (S5 <:1000> | xxxx) – this dial plan allows dialling any number consisting of digits; if nothing is entered within 5 seconds, number 1000 is called (for instance, a secretary).
  • Page 430

    Disable prefix transmission:
    esr(config-voice-port-fxo)# no pstn transmit-prefix
    For outgoing calls to work, specify the following rule in the dial plan settings; it means that outgoing calls to numbers with prefix 9 are routed locally to the FXO set:
    9x.@{local}:5064
    This completes the baseline configuration of outgoing calls to the PSTN.
  • Page 431: Safe Configuration Recommendations

    14 Safe configuration recommendations
    • General recommendations
    • Event logging system configuration
      • Recommendations
      • Warnings
      • Configuration example
    • Password usage policy configuration
      • Recommendations
      • Configuration example
    • AAA policy configuration
      •...
  • Page 432: Recommendations

    14.2.1 Recommendations
    • It is recommended to configure the event message storage in a syslog file on the device and transfer these events to an external syslog server.
    • It is recommended to limit the size of the syslog file on the device.
    •...
  • Page 433: Recommendations

    14.3.1 Recommendations
    • It is recommended to always enable the default password change request for the admin user.
    • It is recommended to limit the lifetime of passwords and prohibit reusing at least the previous password.
  • Page 434: Recommendations

    14.4.1 Recommendations
    • It is recommended to use a role-based access model on the device.
    • It is recommended to use personal accounts to authenticate on the device.
    • It is recommended to enable logging of commands entered by the user.
    •...
  • Page 435: Remote Management Configuration

    esr(config)# username admin
    esr(config-user)# privilege 1
    esr(config-user)# exit
    Configure the connection to the two RADIUS servers, the primary 192.168.1.11 and the backup 192.168.2.12:
    esr(config)# radius-server host 192.168.1.11
    esr(config-radius-server)# key ascii-text encrypted 8CB5107EA7005AFF
    esr(config-radius-server)# priority
    esr(config-radius-server)# exit
    esr(config)# radius-server host 192.168.2.12...
  • Page 436: Configuration Example

    14.5.2 Configuration example
    Objective: Disable telnet. Generate new encryption keys. Use crypto-resistant algorithms.
    Solution: Disable remote telnet control:
    esr(config)# no ip telnet server
    Generate new encryption keys:
    esr-20(config)# crypto key generate dsa
    esr-20(config)# crypto key generate ecdsa
    esr-20(config)# crypto key generate ed25519...
  • Page 437: Configuration Example

    • It is recommended to always enable protection against TCP packets with incorrectly set flags.
    • It is recommended to always enable protection against fragmented TCP packets with the SYN flag set.
    • It is recommended to always enable protection against fragmented ICMP packets.
  • Page 438: Frequently Asked Questions

    15 FREQUENTLY ASKED QUESTIONS
    • Receiving of routes configured in a VRF via BGP and/or OSPF fails. The neighbourship is successfully established, but installation of the routes into the RIB is denied:
    %ROUTING-W-KERNEL: Can not install route. Reached the maximum number of BGP routes in the RIB
    Allocate RIB resources for the VRF (0 by default).
  • Page 439

    1/0/1
    • How to configure ip prefix-list 0.0.0.0/0? An example of prefix-list configuration is shown below. The configuration allows reception of the default route.
    esr(config)# ip prefix-list eltex
    esr(config-pl)# permit default-route
    • A problem with asymmetric traffic transmission occurs. In case of asymmetric routing, the firewall forbids "incorrect" ingress traffic (traffic which does not open a new connection and does not belong to any established connection) for security reasons.
  • Page 440: ESR Technical Support

    16 ESR technical support
    For technical assistance in issues related to operation of Eltex Ltd. equipment, please contact the Service Centre.
    Feedback form on the site: http://eltex-co.com/support/
    Servicedesk: https://servicedesk.eltex-co.ru/
    Visit the Eltex official website to get the relevant technical documentation and software, benefit from our...