ELTEX ESR Series User Manual

Service routers

ESR series service routers
ESR-10, ESR-12V, ESR-12VF, ESR-14VF, ESR-20,
ESR-21, ESR-100, ESR-200, ESR-1000, ESR-1200,
ESR-1500, ESR-1511, ESR-3100, ESR-1700
User manual (29.06.2021)
Firmware version 1.13.0

Summary of Contents for ELTEX ESR Series

  • Page 2: Table Of Contents

    ESR-Series. User manual. Contents: Introduction (12); Abstract (12); Target Audience (12); Symbols (12); Notes and warnings (13); Product Description (14); Purpose (14); Functions (15); 2.2.1 Interface functions (15); 2.2.2 MAC table functions (15); 2.2.3 Second-layer functions of OSI model ...
  • Page 3 SFP transceiver installation and removal (71); 3.5.1 Transceiver installation (71); 3.5.2 Transceiver removal (72); Management interfaces (73); Command line interface (CLI) (73); Types and naming procedure of router interfaces (73); Types and naming procedure of router tunnels (77); Initial router configuration ...
  • Page 4 Interface management (98); VLAN Configuration (98); 8.1.1 Configuration algorithm (99); 8.1.2 Configuration example 1. VLAN removal from the interface (100); 8.1.3 Configuration example 2. Enabling VLAN processing in tagged mode (101); 8.1.4 Configuration example 3. Enabling VLAN processing in tagged and untagged modes ...
  • Page 5 8.11.2 Configuration example (134); 8.12 LACP configuration (135); 8.12.1 Configuration algorithm (135); 8.12.2 Configuration example (138); 8.13 AUX configuration (139); 8.13.1 Configuration algorithm (139); 8.13.2 Configuration examples (141); 8.13.3 Adapter soldering schemes (146); Tunneling management ...
  • Page 6 11.1 Routing information advertising policy (222); 11.1.1 RIP (222); 11.1.2 OSPF protocol (222); 11.1.3 IS-IS protocol (223); 11.1.4 iBGP protocol (224); 11.1.5 eBGP protocol (224); 11.2 Static routes configuration (225); 11.2.1 Configuration algorithm (225); 11.2.2 Static routes configuration example ...
  • Page 7 11.10.1 Configuration algorithm (285); 11.10.2 Configuration example (292); MPLS technology management (295); 12.1 LDP configuration (295); 12.1.1 Configuration algorithm (296); 12.1.2 Configuration example (297); 12.2 Configuring session parameters in LDP (300); 12.2.1 Algorithm for setting Hello holdtime and Hello interval in the global LDP configuration ...
  • Page 8 Basic user rules configuration example (422); 13.6.7 Extended user rules configuration algorithm (424); 13.6.8 Extended user rules configuration example (425); 13.7 Eltex Distribution Manager interaction configuration (426); 13.7.1 Basic configuration algorithm (426); 13.7.2 Configuration example (429); 13.8 Content filtering service configuration (432); 13.8.1 ...
  • Page 9 13.9.2 Configuration example (443); Redundancy management (445); 14.1 VRRP configuration (445); 14.1.1 Configuration algorithm (445); 14.1.2 Configuration example 1 (448); 14.1.3 Configuration example 2 (449); 14.2 VRRP tracking configuration (451); 14.2.1 Configuration algorithm ...
  • Page 10 16.3.2 Configuration example 1 (500); 16.3.3 Configuration example 2 (503); 16.4 Static NAT configuration (504); 16.4.1 Configuration algorithm (504); 16.4.2 Static NAT configuration example (504); 16.5 HTTP/HTTPS traffic proxying (506); 16.5.1 Configuration algorithm (506); 16.5.2 HTTP proxy configuration example ...
  • Page 11 VoIP management (559); 19.1 SIP profile configuration algorithm (559); 19.2 FXS/FXO ports configuration algorithm (560); 19.3 Dial plan configuration algorithm (562); 19.4 PBX server configuration algorithm (562); 19.5 Registration trunk creation algorithm (564); 19.6 VoIP configuration example (565); 19.7 Dial plan configuration example ...
  • Page 12: Introduction

    ESR series service routers can be used in large enterprise networks, SMB networks and operator networks. The devices provide high performance and bandwidth, and protect the data they transmit.
  • Page 13: Notes And Warnings

    1.4 Notes and warnings.  Notes contain important information, tips or recommendations on device operation and setup.  Warnings inform users about hazardous conditions which may cause injuries or device damage, and may lead to device malfunction or data loss. ...
  • Page 14: Product Description

    2.1 Purpose. ESR series devices are high-performance multi-purpose network routers. The device combines traditional network features with a multi-tier approach to routing security, and ensures robust protection of the corporate environment. The device has a built-in firewall that protects your organization's network environment and supports the latest data security, encryption, authentication and intrusion prevention features.
  • Page 15: Functions

    2.2 Functions. 2.2.1 Interface functions. Table 1 lists the interface functions of the device. Table 1 – Device interface functions: Cable connection polarity detection (Auto MDI/MDIX) – automatic cable type detection, crossed or straight. • MDI (Medium Dependent Interface – straight) – cable standard for connection of terminal devices;...
  • Page 16: Second-Layer Functions Of Osi Model

    2.2.3 Second-layer functions of OSI model. Table 3 lists second-layer (OSI Layer 2) functions and special aspects. Table 3 – Second-layer functions description (OSI Layer 2): VLAN support – VLAN (Virtual Local Area Network) is a solution used for splitting a network into separate segments at the L2 level.
  • Page 17 DHCP server – a DHCP server enables automation and centralization of the network device configuration process. A DHCP server hosted on the router provides a complete solution for local area network support. The DHCP server integrated into the router assigns IP addresses to network devices and transfers additional network settings, e.g.
  • Page 18: Traffic Tunnelling Functions

    2.2.5 Traffic tunnelling functions. Table 5 – Traffic tunnelling functions: Tunnelling protocols – tunnelling is a method of packet conversion during network transfer that involves replacing or modifying the packet's network header or adding a new one. It may be used to carry one transport protocol over another through a transit network, as well as to create secured connections in which the tunnelled data is encrypted.
  • Page 19: Network Security Functions

    Authentication – authentication is a user identity check procedure. Routers support the following authentication methods: • local – the local user database stored on the device is used for authentication; • group – the user database is located on an authentication server.
  • Page 20: Main Specifications

    2.3 Main specifications. Table 8 lists the main specifications of the router. Table 8 – Main Specifications. General parameters. Interfaces: ESR-1700 – 4 x Combo Ethernet 10/100/1000BASE-T/1000BASE-X, 8 x 10GBASE-R/1000BASE-X (SFP+/SFP), 2 x hard disk installation slots, 1 x Console RJ-45, 1 x OOB port, 2 x USB 2.0; ESR-3100 ...
  • Page 21 ESR-1500 – 4 x Combo Ethernet 10/100/1000BASE-T/1000BASE-X, 4 x Ethernet 10/100/1000BASE-T (RJ-45), 4 x 10GBASE-R/1000BASE-X (SFP+/SFP), 1 x Console RJ-45, 1 x OOB port, 2 x USB 2.0, 1 x SD card slot; ESR-1200 – 4 x Combo Ethernet 10/100/1000BASE-T/1000BASE-X, 12 x Ethernet 10/100/1000BASE-T (RJ-45), 8 x 10GBASE-R/1000BASE-X (SFP+/SFP), 1 x Console RJ-45 ...
  • Page 22 ESR-100 – 4 x Combo Ethernet 10/100/1000BASE-T/1000BASE-X, 1 x Console RJ-45, 1 x USB 3.0, 1 x USB 2.0, 1 x SD card slot; ESR-21 – 8 x Ethernet 10/100/1000BASE-T (RJ-45), 4 x 1000BASE-X (SFP), 3 x Serial port RS-232, 1 x Console RJ-45, 1 x USB 3.0, 1 x USB 2.0 ...
  • Page 23 ESR-12VF – 8 x Ethernet 10/100/1000BASE-T (RJ-45), 1 x 1000BASE-X (SFP), 1 x Console RJ-45, 3 x FXS, 1 x FXO, 2 x USB 2.0; ESR-12V – 8 x Ethernet 10/100/1000BASE-T (RJ-45), 1 x Console RJ-45, 3 x FXS, 1 x FXO, 2 x USB 2.0; ESR-10 ...
  • Page 24 ESR-200, ESR-100, ESR-21, ESR-20, ESR-14VF, ESR-12VF, ESR-10: 1000BASE-X SFP. Duplex or half-duplex interface modes: • duplex and half-duplex modes for electrical ports; • duplex mode for optical ports. Maximum bandwidth in L2 mode (hardware switching): ESR-1700 160 Gbps; ESR-1511 ESR-1500 ...
  • Page 25 Number of VPN tunnels: ESR-1700 ESR-3100 ESR-1511 ESR-1500 ESR-1200 ESR-1000 ESR-200 ESR-100 ESR-21 ESR-20 ESR-14VF ESR-12V(F) ESR-10. Quantity of static routes: ESR-1700 ESR-3100 ESR-1511 ESR-1500 ESR-1200 ESR-1000 ESR-200 ESR-100 ESR-21 ESR-20 ESR-14VF ESR-12V(F) ESR-10 ...
  • Page 26 Number of concurrent sessions: ESR-1700 512k ESR-3100 ESR-1511 ESR-1500 ESR-1200 ESR-1000 ESR-200 256k ESR-100 ESR-21 ESR-20 ESR-14VF ESR-12V(F) ESR-10. VLAN support: up to 4k active VLANs according to 802.1Q. Number of BGPv4/BGPv6 routes: ESR-1700 ESR-3100 ESR-1511 ESR-1500 ESR-1200 ESR-1000 ESR-200 ...
  • Page 27 Number of OSPFv2/OSPFv3/ISIS routes: ESR-1700 500k ESR-3100 ESR-1511 ESR-1500 ESR-1200 ESR-1000 ESR-200 300k ESR-100 ESR-21 ESR-20 ESR-14VF ESR-12V(F) ESR-10. Number of RIP/RIPng routes. MAC address table: ESR-1700 128k entries; ESR-1511 ESR-1500 ESR-1200 ESR-1000 16k entries; ESR-3100 2k bridge entries; ESR-200 ESR-100 ...
  • Page 28 FIB size: ESR-1700 3.0M; ESR-3100 1.7M; ESR-1511 ESR-1500 ESR-1200 ESR-1000 ESR-200 1.4M; ESR-100 ESR-21 ESR-20 ESR-14VF ESR-12V(F) ESR-10. VRF Lite L3 interfaces: ESR-1700 4000 ESR-3100 ESR-1500 ESR-1511 ESR-1200 ESR-1000 ESR-200 ESR-100 ESR-21 ESR-20 ESR-14VF ESR-12V(F) ESR-10 ...
  • Page 29 Compliance: IEEE 802.3 10BASE-T Ethernet; IEEE 802.3u 100BASE-T Fast Ethernet; IEEE 802.3ab 1000BASE-T Gigabit Ethernet; IEEE 802.3z Fiber Gigabit Ethernet; IEEE 802.3ba 40GBASE-SR4, 40GBASE-LR4; ANSI/IEEE 802.3 Speed autodetection; IEEE 802.3x Data flow control; IEEE 802.3ad LACP link aggregation; IEEE 802.1q VLAN virtual local networks; IEEE 802.1v; IEEE 802.3ac ...
  • Page 30 ESR-3100 AC: 100–240 V, 50–60 Hz; ESR-1511 DC: 36–72 V; ESR-1500 ESR-1200 power options: • single AC or DC power supply; • two AC or DC power supplies with hot swapping. ESR-1000 ESR-200 AC: 100–264 V, 50–60 Hz; ESR-100 ESR-21 ESR-20 ESR-14VF ...
  • Page 31 ESR-10. Weight: ESR-1700 12 kg max; ESR-3100 5 kg max; ESR-1511 7 kg max; ESR-1500 ESR-1200 5.5 kg max; ESR-1000 3.6 kg max; ESR-200 2.5 kg max; ESR-100 ESR-21 3.15 kg max; ESR-20 2 kg max; ESR-14VF 1 kg max; ESR-12V(F) ESR-10 ...
  • Page 32 ESR-14VF 267x43.6x160.5 mm; ESR-12V(F) ESR-10 185x32x118 mm. Operating temperature range: ESR-1700 -10 to +45 °C; ESR-3100 ESR-1511 ESR-1500 ESR-1200 ESR-1000 ESR-200 ESR-100 ESR-21 ESR-20 ESR-14VF 0 to +40 °C; ESR-12V(F) ESR-10. Storage temperature range: -40 to +70 °C. Operating relative humidity (non-condensing): up to 80%.
  • Page 33: Design

    2.4 Design. This section describes the design of the device: the front, rear and side panels, connectors, LED indicators and controls are depicted. The device has a metal housing available for 19” form-factor rack mounting; housing size is 1U. 2.4.1 ESR-1700 design. ESR-1700 front panel: the front panel layout is depicted in figure 1.
  • Page 34 № / Front panel element / Description: Flash – activity of exchange with data storage (SD card or USB Flash). Power – device power LED. Master – failover mode operation LED (not supported in the current version). Fan operation LED. Redundant power supply LED.
  • Page 35: Esr-3100 Design

    Table 10 – Rear panel connectors description (№ / Description): earth bonding point of the device; hot-swappable removable ventilation modules; main power supply; place for installation of a redundant power supply. ESR-1700 side panels: the side panel layout of ESR-1700 is depicted in figures 3 and 4. Figure 3 –...
  • Page 36 Table 11 – Description of connectors, LEDs and controls located on ESR-3100 front panel (№ / Front panel element / Description): Status – current device status LED. Alarm – alarm LED. VPN gateway operation mode LED. Flash – activity of exchange with data storage (SD card or USB Flash). Power – device power LED.
  • Page 37 ESR-3100 rear panel: the rear panel of ESR-3100 is depicted in the figure below. Figure 6 – ESR-3100 rear panel. Table 12 lists rear panel connectors of the router. Table 12 – Rear panel connectors description (№ / Description): main power supply.
  • Page 38: Esr-1511, Esr-1500 Design

    2.4.3 ESR-1511, ESR-1500 design. ESR-1511 front panel: the front panel layout is depicted in figure 9. Figure 9 – ESR-1511 front panel. Table 13 lists connectors, LEDs and controls located on the front panel of ESR-1511. Table 13 – Description of connectors, LEDs and controls located on ESR-1511 front panel (№ ...
  • Page 39 № / Front panel element / Description: Functional key that reboots the device and resets it to factory default configuration: • pressing the key for less than 10 seconds reboots the device; • pressing the key for more than 10 seconds resets the device to factory settings. Because a factory reset restores the factory configuration described in section 5, including its default accounts, physical access to this key should be controlled. USB2 – port for USB device connection.
  • Page 40 № / Front panel element / Description: Power – device power LED. Master – failover mode operation LED (not supported in the current version). Fan operation LED. Redundant power supply LED. Console – RS-232 console port for local management of the device. Ethernet port for router management.
  • Page 41 ESR-1511, ESR-1500 rear panel: the rear panel layout of ESR-1511 and ESR-1500 routers is depicted in figure 11. Figure 11 – ESR-1511, ESR-1500 rear panel. Table 15 lists rear panel connectors of the router. Table 15 – Rear panel connectors description (№ / Description ...
  • Page 42: Esr-1200, Esr-1000 Design

    2.4.4 ESR-1200, ESR-1000 design. ESR-1200 front panel: the front panel layout is depicted in figure 14. Figure 14 – ESR-1200 front panel. Table 16 lists connectors, LEDs and controls located on the front panel of ESR-1200. Table 16 – Description of connectors, LEDs and controls located on the front panel of ESR-1200 (№ ...
  • Page 43 № / Front panel element / Description: Master – indicator of failover modes operation. Fan operation LED. Redundant power supply LED. Functional key that reboots the device and resets it to factory default configuration: • pressing the key for less than 10 seconds reboots the device; • ...
  • Page 44 № / Front panel element / Description: Alarm – alarm LED. Active VPN sessions indicator. Flash – activity indicator of exchange with data storages (SD card or USB Flash). Power – device power LED. Master – indicator of failover modes operation. Fan operation LED. Redundant power supply LED.
  • Page 45: Design

    Table 18 – Rear panel connectors description (№ / Description): main power supply; place for installation of a redundant power supply; hot-swappable removable ventilation modules; earth bonding point of the device. ESR-1200, ESR-1000 side panels: the side panel layout of ESR-1200, ESR-1000 is depicted in Figures 17 and 18. Figure 17 –...
  • Page 46 Figure 20 – ESR-100 front panel. Table 19 lists connectors, LEDs and controls located on the front panel of ESR-100 and ESR-200 routers. Table 19 – Description of connectors, LEDs and controls located on ESR-200, ESR-100 front panel (№ ...
  • Page 47 Figure 21 – ESR-200, ESR-100 rear panel. Table 20 lists rear panel connectors of the router. Table 20 – Rear panel connectors description (№ / Description): earth bonding point of the device; ventilation module. ESR-100, ESR-200 side panels: the side panel layout of ESR-200, ESR-100 is depicted in Figures 22 and 23.
  • Page 48: Design

    2.4.6 ESR-21 design. The device has a metal housing available for 19” form-factor rack mounting; housing size is 1U. ESR-21 front panel: the front panel layout of ESR-21 is depicted in figure 24. Figure 24 – ESR-21 front panel. Table 21 lists connectors, LEDs and controls located on the ESR-21 front panel.
  • Page 49: Design

    № / Front panel element / Description: [1 .. 8] – 8 ports of Gigabit Ethernet 10/100/1000BASE-T (RJ-45); Optical Port – 4 ports of Gigabit Ethernet 10/100/1000BASE-X (SFP). ESR-21 rear panel: the rear panel layout of ESR-21 is depicted in figure 25. Figure 25 –...
  • Page 50 ESR-20 front panel: the front panel layout is depicted in figure 28. Figure 28 – ESR-20 front panel. Table 23 lists connectors, LEDs and controls located on the front panel of ESR-20. Table 23 – Description of connectors, LEDs and controls located on ESR-20 front panel (№ / Front panel element / Description ...
  • Page 51: Esr-12Vf, Esr-14Vf Design

    ESR-20 rear panel: the rear panel layout of ESR-20 is depicted in figure 29. Figure 29 – ESR-20 rear panel. Table 24 lists rear panel connectors of the router. Table 24 – Rear panel connectors description (№ / Description): earth bonding point of the device.
  • Page 52 Figure 32 – ESR-12VF, ESR-14VF front panel. Table 25 lists connectors, LEDs and controls located on the front panel of ESR-12VF and ESR-14VF routers. Table 25 – Description of connectors, LEDs and controls located on ESR-12VF, ESR-14VF front panel (№ ...
  • Page 53 ESR-14VF, ESR-12VF rear panel: the rear panel layout of ESR-12VF, ESR-14VF is depicted in figure 33. Figure 33 – ESR-12VF, ESR-14VF rear panel. Table 26 lists rear panel connectors of the router. Table 26 – Rear panel connectors description (№ ...
  • Page 54: Esr-12V Design

    ESR-12VF, ESR-14VF side panels: the side panel layout of ESR-12VF, ESR-14VF is depicted in Figures 34 and 35. Figure 34 – ESR-12VF, ESR-14VF left side panel. Figure 35 – ESR-12VF, ESR-14VF right side panel. Side panels of the device have air vents for heat removal. Do not block the air vents: this may cause the components to overheat, which may result in device malfunction.
  • Page 55 Table 27 – Description of connectors, LEDs and controls located on ESR-12V front panel (№ / Front panel element / Description): 220V AC – power supply. Power – device power LED. Console – RS-232 console port for local management of the device. Functional key that reboots the device and resets it to factory default configuration: - pressing the key for less than 10 seconds reboots the device.
  • Page 56: Design

    Table 28 – Rear panel connectors description (№ / Description): earth bonding point of the device. ESR-12V side panels: the side panel layout of ESR-12V is depicted in figures 38 and 39. Figure 38 – ESR-12V left side panel. Figure 39 –...
  • Page 57 № / Front panel element / Description: ON/OFF – power on/off button. 12V DC – connector for power adapter connection. Console – RS-232 console port for local management of the device. USB1, USB2 – USB connectors for connecting external USB devices. [1 .. 4] – 4 ports of Gigabit Ethernet –...
  • Page 58 Table 30 – Right panel connectors description (№ / Side panel element / Description): Functional key that reboots the device and resets it to factory default configuration: • pressing the key for less than 10 seconds reboots the device; • ...
  • Page 59: Light Indication

    № / Panel element / Description: the LED is not used. USB1, USB2 – external USB devices LED. [1 .. 4] – Ethernet ports LED. [5 .. 6] – optical interfaces LED. 2.4.11 Light Indication. ESR-1700, ESR-1511, ESR-1500, ESR-1200, ESR-1000 light indication: Gigabit Ethernet copper interface statuses are represented by two LEDs –...
  • Page 60 Table 32 – Light indication of copper interface status (SPEED indicator / LINK/ACT indicator / Ethernet interface state): not lit / not lit – the port is disabled or connection is not established; not lit / solid on – 10 Mbps or 100 Mbps connection is established; solid on / solid on – 1000 Mbps connection is established.
  • Page 61 Indicator name / Indicator function / Device state: Power – device power LED: green – device power is OK, main power supply (if installed) is operational; orange – main power supply failure, fault, or the primary network is missing. Device internal power supply failure. Master – indicator of failover modes operation.
  • Page 62 SPEED indicator / LINK/ACT indicator / Ethernet interface state: not lit / not lit – the port is disabled or connection is not established; not lit / solid on – 10 Mbps or 100 Mbps connection is established; solid on / solid on – 1000 Mbps connection is established; flashes – data transfer is in progress.
  • Page 63 SPEED indicator / LINK/ACT indicator / Ethernet interface state: not lit / not lit – the port is disabled or connection is not established; not lit / solid on – 10 Mbps or 100 Mbps connection is established; solid on / solid on – 1000 Mbps connection is established; flashes – data transfer is in progress.
  • Page 64 Indicator name / Indicator function / Device state: HA operation mode LED (not supported in the current version)
  • Page 65 ESR-12V(F) light indication: Gigabit Ethernet copper interface statuses are represented by two LEDs – green LINK/ACT LED and amber SPEED LED. Table 39 – Light indication of copper and SFP interface status (SPEED indicator / LINK/ACT indicator / Ethernet interface state): port is disabled or connection is not established; solid on ...
  • Page 66: Delivery Package

    ESR-10 light indication: Gigabit Ethernet copper interface statuses are represented by an amber SPEED LED. Table 41 – Light indication of copper interface status (SPEED indicator / Ethernet interface state): port is disabled or connection is not established; solid on – 1000 Mbps connection is established; flashes ...
  • Page 67 • Documentation (optional); • Informational leaflet. ESR-21 standard delivery package includes: • ESR-21 router; • Power cable; • 19” rack mounting kit; • Conformity certificate; • Documentation (optional); • Informational leaflet. ESR-100 standard delivery package includes: • ESR-100 router; ...
  • Page 68 ESR-3100 standard delivery package includes: • ESR-3100 router; • 19” rack mounting kit; • Conformity certificate; • Documentation (optional); • Informational leaflet. ESR-1700 standard delivery package includes: • ESR-1700 router; • 19” rack mounting kit; • Conformity certificate; • ...
  • Page 69: Installation And Connection

    3 Installation and connection • Support brackets mounting • Device rack installation • ESR-1000, ESR-1200, ESR-1500, ESR-1511, ESR-3100, ESR-1700 power module installation • Connection to Power Supply • SFP transceiver installation and removal • Transceiver installation • Transceiver removal. This section describes installation of the device into a rack and connection to a power supply.
  • Page 70: Esr-1000, Esr-1200, Esr-1500, Esr-1511, Esr-3100, Esr-1700 Power Module Installation

    Figure 51 – Device rack installation.  The device ventilation system uses a 'front-rear' layout. Vents are located on the front and side panels of the device; ventilation modules are located at the rear. Do not block air inlet and outlet vents, to avoid components overheating and subsequent device malfunction.
  • Page 71: Connection To Power Supply

    Figure 53 – Plug installation.  Power module fault indication may be caused not only by module failure, but also by the absence of the primary power supply. You can check the state of power modules by the indication on the front panel of the router (see Section Light indication) or by diagnostics available through the router management interfaces.
  • Page 72: Transceiver Removal

    Figure 55 – Installed SFP transceivers. 3.5.2 Transceiver removal: 1. Flip the module handle to unlock the latch. Figure 56 – Opening SFP transceiver latch. 2. Remove the module from the slot. Figure 57 – SFP transceivers removal...
  • Page 73: Management Interfaces

    4 Management interfaces • Command line interface (CLI) • Types and naming procedure of router interfaces • Types and naming procedure of router tunnels. You may use various management interfaces to control and monitor the device. To access the device, you may use a network connection via Telnet or SSH, or a direct connection via the RS-232 compliant console port. Telnet carries credentials and the whole session in clear text; prefer SSH or the console port for management.
  • Page 74 Interface type / Designation. Physical interfaces: the designation of a physical interface includes its type and identifier. The identifier of physical interfaces is <UNIT>/<SLOT>/<PORT>, where • <UNIT> – number of a device in a device group, • <SLOT> ...
  • Page 75 Sub-interfaces: the designation of a sub-interface is generated from the designation of the basic interface and the sub-interface identifier (VLAN), separated by a dot. Designation examples: • gigabitethernet 1/0/12.100 • tengigabitethernet 1/0/2.123 • fortygigabitethernet 1/0/2.1024 • port-channel 1.6 ...
  • Page 76 Logical interfaces: the designation of a logical interface is the interface sequence number. Designation examples: • loopback 4 • bridge 60 • service-port 1. Serial interfaces: the designation of a serial interface includes its type and identifier. The E1 interface identifier is <UNIT>/<SLOT>/<STREAM>, where •...
  • Page 77: Types And Naming Procedure Of Router Tunnels

    4.3 Types and naming procedure of router tunnels. Network tunnels of various types and purposes are used in router operation. The naming system allows you to address tunnels uniquely by their functional purpose. The following table contains the list of tunnel types.
  • Page 78: Initial Router Configuration

    5 Initial router configuration • ESR router factory settings • Description of factory settings • Router connection and configuration • Connection to the router • Ethernet LAN connection • RS-232 console port connection • Applying the configuration change •...
  • Page 79: Router Connection And Configuration

    To enable network access to the router on the first startup, the static IP address 192.168.1.1/24 is configured on the Bridge 1 interface. 5.2 Router connection and configuration. ESR series routers are intended to perform border gateway functions and to secure the user network when it is connected to public data networks. Basic router configuration should include: •...
  • Page 80: Applying The Configuration Change

    Ethernet LAN connection.  Upon the initial startup, the router starts with the factory configuration. The factory configuration is described in the ESR Router Factory Configuration section of this manual. Connect the network data cable (patch cord) to any port within the 'Trusted' zone and to the PC intended for management tasks.
  • Page 81: Basic Router Configuration

    Changing the password for the "admin" user. To ensure secure system access, change the password for the privileged 'admin' user.  The 'techsupport' account ('eltex' up to version 1.0.7) is required for service centre specialist remote access. The 'remote' account is used for RADIUS, TACACS+ and LDAP authentication.
  • Page 82 ESR-Series. User manual Example of commands, that allow you to create user 'fedor' with password '12345678' and privilege level 15 and create user 'ivan' with password 'password' and privilege level '1': esr# configure esr(config)# username fedor esr(config-user)# password 12345678 esr(config-user)# privilege esr(config-user)# exit esr(config)# username ivan esr(config-user)# password password...
  • Page 83 ESR-Series. User manual Configuration example for obtaining dynamic IP address from DHCP server on Gigabit Ethernet 1/0/10 interface: esr# configure esr(config)# interface gigabitethernet 1/0/10 esr(config-if)# ip address dhcp esr(config-if)# exit To ensure the correct IP address assigning for the interface, enter the following command when the configuration is applied: esr# show ip interfaces IP address...
  • Page 84 ESR-Series. User manual Use the following commands to create the allowing rule: esr# configure esr(config)# security zone-pair <source-zone> self esr(config-zone-pair)# rule <number> esr(config-zone-rule)# action permit esr(config-zone-rule)# match protocol tcp esr(config-zone-rule)# match source-address <network object-group> esr(config-zone-rule)# match destination-address <network object-group> esr(config-zone-rule)# match destination-port <service object-group> esr(config-zone-rule)# enable esr(config-zone-rule)# exit esr(config-zone-pair)# exit...
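    The steps on pages 81 to 84 (change the 'admin' password, create users with only the privilege they need, and permit management traffic from a named set of hosts into the router's own 'self' zone) combined into one worked CLI session. This is an added example, not a transcript from the manual: the 'trusted' zone, the username / password / privilege commands and the security zone-pair rule commands are the ones shown on the pages above, while the object-group network and object-group service commands that define the management hosts and the SSH port, their esr(config-object-group-...)# prompts, the names mgmt-hosts and mgmt-ssh, the 192.168.1.10-192.168.1.20 range (chosen to sit in the factory 192.168.1.0/24 network) and the commit / confirm apply step are assumptions about the ESR CLI that this page does not show; check them against the firewall and "Applying the configuration change" sections of the full manual before use.

```text
esr# configure
esr(config)# username admin
esr(config-user)# password Ch4nge-me-before-deploy!
esr(config-user)# exit
esr(config)# username oper
esr(config-user)# password Op3r-view-only!
esr(config-user)# privilege 1
esr(config-user)# exit
esr(config)# object-group network mgmt-hosts
esr(config-object-group-network)# ip address-range 192.168.1.10-192.168.1.20
esr(config-object-group-network)# exit
esr(config)# object-group service mgmt-ssh
esr(config-object-group-service)# port-range 22
esr(config-object-group-service)# exit
esr(config)# security zone-pair trusted self
esr(config-zone-pair)# rule 10
esr(config-zone-rule)# action permit
esr(config-zone-rule)# match protocol tcp
esr(config-zone-rule)# match source-address mgmt-hosts
esr(config-zone-rule)# match destination-port mgmt-ssh
esr(config-zone-rule)# enable
esr(config-zone-rule)# exit
esr(config-zone-pair)# exit
esr(config)# exit
esr# commit
esr# confirm
```

    The rule is deliberately narrow: TCP to port 22 only, from the listed hosts only, so a compromised workstation elsewhere in the trusted zone cannot reach the management plane; the manual's template also has a match destination-address line, which is omitted here because the 'self' zone is the router itself. Enter the commands from the console or from a host inside 192.168.1.10-20, and keep that session open until the change is confirmed, so that a mistake in the rule does not lock you out; the passwords shown are placeholders to be replaced with values that satisfy the password policy from section 7.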
  • Page 85: Firmware Update

    6 Firmware update • Updating firmware via system resources • Updating firmware via bootloader • Secondary bootloader update (U-Boot). 6.1 Updating firmware via system resources.  To update the firmware, use any of the following servers: TFTP, FTP, SCP. Router firmware files obtained from the manufacturer should be placed on the server. TFTP and FTP transfer the image (and FTP the credentials) in clear text; prefer SCP or SFTP where the server supports them.
  • Page 86 FTP: esr# copy ftp://[<user>[:<password>]@]<server>:/<file_name> system:firmware SCP: esr# copy scp://[<user>[:<password>]@]<server>://<folder>/<file_name> system:firmware SFTP: esr# copy sftp://[<user>[:<password>]@]<server>:/<file_name> system:firmware For example, let's update the basic firmware via SCP: esr# copy scp://adm:password123@192.168.16.168://home/tftp/firmware system:firmware To start the device with the new firmware version, you have to switch the active image. With the show bootvar command, locate the image number containing the updated firmware.
  • Page 87: Updating Firmware Via Bootloader
    esr# copy sftp://<server>:/<file_name> system:boot-2 6.2 Updating firmware via bootloader Router firmware may be updated via the bootloader as follows: When U-Boot finishes the router initialization, interrupt the device startup with the <Esc> key. Configuring PoE... distribution dest_threshold drop_timer Configuring POE in bypass mode NAE configuration done!
  • Page 88: Secondary Bootloader Update (U-Boot)
    Launch the firmware update procedure: BRCM.XLP316Lite Rev B0.u-boot# run tftp_update_image1 Using nae-0-3 device TFTP from server 10.100.100.1; our IP address is 10.100.100.2 Filename 'esr1000/firmware'. Load address: 0xa800000060000000 Loading: TftpStart:TftpTimeoutMsecs = 10000, TftpTimeoutCountMax = ################################################################# ################################################################# ################################################################# ######################### #################################### done Bytes transferred = 64453909...
  • Page 89 Firmware update procedure: When U-Boot finishes the router initialization, interrupt the device startup with the <Esc> key. Configuring PoE... distribution dest_threshold drop_timer Configuring POE in bypass mode NAE configuration done! initializing port 0, type 2. initializing port 1, type 2. SMC Endian Test:b81fb81f nae-0, nae-1...
  • Page 90 For version 1.5 and newer: BRCM.XLP316LiteRevB0.u-boot# run tftp_update_uboot Using nae-1 device TFTP from server 10.100.100.1; our IP address is 10.100.100.2 Filename 'esr1000/u-boot.bin'. Load address: 0xa800000078020000 Loading: ########################################################### done Bytes transferred = 852648 (d02a8 hex) SF: Detected MX25L12805D with page size 256, total 16777216 bytes 16384...
  • Page 91: Safe Configuration Recommendations
    7 Safe configuration recommendations • General recommendations • Event logging system configuration • Recommendations • Warnings • Configuration example • Password usage policy configuration • Recommendations • Configuration example • AAA policy configuration • Recommendations • Warnings •...
  • Page 92: Recommendations
    7.2.1 Recommendations • It is recommended to configure the event message storage in a syslog file on the device and transfer these events to an external syslog server. • It is recommended to limit the size of the syslog file on the device. •...
  • Page 93: Recommendations
    7.3.1 Recommendations • It is recommended to always enable the default password change request for the admin user. • It is recommended to limit the lifetime of passwords and prohibit reusing at least the previous password. • It is recommended to set the minimum password length requirement greater than 8 characters.
  • Page 94: Recommendations
    7.4.1 Recommendations • It is recommended to use a role-based access model on the device. • It is recommended to use personal accounts to authenticate on the device. • It is recommended to enable logging of commands entered by the user. •...
  • Page 95: Remote Management Configuration
    esr(config)# username admin esr(config-user)# privilege 1 esr(config-user)# exit Configure the connection to the two RADIUS servers, the primary 192.168.1.11 and the backup 192.168.2.12: esr(config)# radius-server host 192.168.1.11 esr(config-radius-server)# key ascii-text encrypted 8CB5107EA7005AFF esr(config-radius-server)# priority esr(config-radius-server)# exit esr(config)# radius-server host 192.168.2.12 esr(config-radius-server)# key ascii-text encrypted 8CB5107EA7005AFF esr(config-radius-server)# priority...
  • Page 96: Configuration Of Protection Against Network Attacks Mechanisms
    Disable telnet. Generate new encryption keys. Use cryptographically strong algorithms. Solution: Disable remote control via telnet: esr(config)# no ip telnet server Generate new encryption keys: esr-20(config)# crypto key generate dsa esr-20(config)# crypto key generate ecdsa esr-20(config)# crypto key generate ed25519 esr-20(config)# crypto key generate rsa esr-20(config)# crypto key generate rsa1 Disable outdated algorithms that are not cryptographically strong:...
  • Page 97: Configuration Example
    • It is recommended to always enable protection against unregistered IP protocols. • It is recommended to enable logging of the protection mechanism against network attacks. 7.6.2 Configuration example Objective: Configure the protection mechanism against network attacks in accordance with the recommendations. Solution: Enable protection against IP spoofing and logging of the protection mechanism: esr(config)# ip firewall screen spy-blocking spoofing...
  • Page 98: Interface Management
    8 Interface management • VLAN Configuration • Configuration algorithm • Configuration example 1. VLAN removal from the interface • Configuration example 2. Enabling VLAN processing in tagged mode • Configuration example 3. Enabling VLAN processing in tagged and untagged modes •...
  • Page 99: Configuration Algorithm
    8.1.1 Configuration algorithm Step Description Command Keys Create VLAN: esr(config)# vlan <VID>. <VID> – VLAN identifier, set in the range of [2..4094]. It is also possible to create multiple VLANs (comma-separated), a VLAN range (hyphen-separated), or a combined entry containing commas and hyphens.
  • Page 100: Configuration Example 1. Vlan Removal From The Interface
    Step Description Command Keys Configure the VLAN list on the interface in tagged mode: esr(config-if-gi)# switchport trunk allowed vlan add <VID> (for ESR-10/12V(F)/14VF/20/21/100/200/3100). <VID> – VLAN identifier, set in the range of [2..4094]. It is also possible to specify multiple VLANs (comma-separated) or a VLAN range (hyphen-separated).
  • Page 101: Configuration Example 2. Enabling Vlan Processing In Tagged Mode
    Solution: Remove VLAN 2 from the gi1/0/1 port: esr(config)# interface 1/0/1 esr(config-if-gi)# switchport general allowed vlan remove 2 untagged esr(config-if-gi)# no switchport general pvid 8.1.3 Configuration example 2. Enabling VLAN processing in tagged mode Objective: Configure the gi1/0/1 and gi1/0/2 ports for packet transmission and reception in VLAN 2, VLAN 64 and VLAN 2000. Solution: Create VLAN 2, VLAN 64 and VLAN 2000 on the ESR-1000: esr-1000(config)# vlan...
  • Page 102: Configuration Example 3. Enabling Vlan Processing In Tagged And Untagged Modes
    Specify VLAN 2, VLAN 64 and VLAN 2000 for the gi1/0/1-2 ports: esr-1000(config)# interface gi1/0/1 esr-1000(config-if-gi)# mode switchport esr-1000(config-if-gi)# switchport forbidden default-vlan esr-1000(config-if-gi)# switchport general allowed vlan add 2,64,2000 tagged 8.1.4 Configuration example 3. Enabling VLAN processing in tagged and untagged modes Objective: Configure the gi1/0/1 port for packet transmission and reception in VLAN 2, VLAN 64 and VLAN 2000 in trunk mode, and configure the gi1/0/2 port in access mode for VLAN 2 on the ESR-100/ESR-200.
  • Page 103: Configuration Algorithm
    8.2.1 Configuration algorithm Step Description Command Keys Enable LLDP on the router: esr(config)# lldp enable. Enable LLDPDU receiving and processing on the physical interface: esr(config-if-gi)# lldp receive. Enable LLDPDU transmission on the physical interface: esr(config-if-gi)# lldp transmit. Set the LLDPDU sending period: esr(config)# lldp timer <SEC>...
  • Page 104: Configuration Example
    8.2.2 Configuration example Objective: Organize LLDPDU exchange and processing between the ESR-1 and ESR-2 routers. Solution: R1 configuration Enable LLDP globally on the router: esr(config)# lldp enable Enable LLDPDU receiving and transmission on the gi 1/0/1 interface: esr(config)# interface gigabitethernet...
  • Page 105: Lldp Med Configuration
    8.3 LLDP MED configuration LLDP MED is an extension of the LLDP standard that allows network policies (VLAN ID, DSCP, priority) to be transmitted. 8.3.1 Configuration algorithm Step Description Command Keys Enable LLDP on the router: esr(config)# lldp enable. Enable LLDPDU transmission on the physical interface: esr(config-if-gi)# lldp transmit.
  • Page 106: Voice Vlan Configuration Example
    Step Description Command Keys Set the CoS value (optional): esr(config-net-policy)# priority <PRIORITY>. <COS> – priority value, takes the following values: • best-effort – COS0; • background – COS1; • excellent-effort – COS2; • critical-applications – COS3; • video – COS4; •...
  • Page 107: Sub-Interface Termination Configuration
    esr(config)# vlan 10,20 esr(config-vlan)# exit esr(config)# interface gigabitethernet 1/0/1 esr(config-if-gi)# mode switchport esr(config-if-gi)# switchport mode trunk esr(config-if-gi)# switchport trunk allowed vlan add 10,20 esr(config-if-gi)# exit Enable LLDP and the MED capability in LLDP globally on the router: esr(config)# lldp enable esr(config)# lldp med fast-start enable Create and configure a network policy so that VLAN ID 20 is specified for the voice application: esr(config)# network-policy VOICE_VLAN...
  • Page 108: Configuration Algorithm
    8.4.1 Configuration algorithm Step Description Command Keys Create a sub-interface of a physical interface (possible if the physical interface is in routeport or hybrid mode): esr(config)# interface gigabitethernet <PORT>.<S-VLAN>. <PORT> – physical interface number. <CH> – aggregated interface number.
  • Page 109 Step Description Command Keys esr(config-subif)# ip address dhcp. For advanced DHCP client operation features, see section DHCP Client management. Disable the firewall features on the interface or enable the interface in the security zone (see Firewall configuration): esr(config-subif)# ip firewall disable.
  • Page 110: Sub-Interface Configuration Example
    8.4.2 Sub-interface configuration example Objective: Configure subnet 192.168.3.1/24 in VLAN 828 on the physical interface gigabitethernet 1/0/1. Solution: Create a sub-interface for VLAN 828: esr(config)# interface gigabitethernet 1/0/1.828 Configure the IP address from the required subnet: esr(config)# interface gigabitethernet 1/0/1.828 esr(config-subif)# ip address 192.168.3.1/24 esr(config-subif)# exit...
  • Page 111 Step Description Command Keys Create a Q-in-Q interface: esr(config)# interface gigabitethernet <PORT>.<S-VLAN>.<C-VLAN> or esr(config)# interface tengigabitethernet <PORT>.<S-VLAN>.<C-VLAN>. <PORT> – physical interface number. <CH> – aggregated interface number. <S-VLAN> – identifier of the created S-VLAN. <C-VLAN> – identifier of the created C-VLAN.
  • Page 112 Step Description Command Keys esr(config-qinq-if)# ip address dhcp. For advanced DHCP client operation features, see section DHCP Client management. Disable the firewall features on the interface or enable the interface in the security zone (see Firewall configuration): esr(config-qinq-if)# ip firewall disable.
  • Page 113: Q-In-Q Configuration Example
    8.5.2 Q-in-Q configuration example Objective: Configure termination of subnet 192.168.1.1/24 for the C-VLAN 741 / S-VLAN 828 combination on the physical interface gigabitethernet 1/0/1.
  • Page 114: Usb Modems Configuration
    Solution: Create a sub-interface for S-VLAN 828: esr(config)# interface gigabitethernet 1/0/1.828 esr(config-subif)# exit Create a Q-in-Q interface for C-VLAN 741 and configure the IP address from the required subnet: esr(config)# interface gigabitethernet 1/0/1.828.741 esr(config-qinq-if)# ip address 192.168.1.1/24 esr(config-qinq-if)# exit
  • Page 115 Set the password of the mobile network user (if authentication by login/password is required by the cellular carrier): esr(config-user)# password ascii-text { <CLEAR-TEXT> | encrypted <ENCRYPTED-TEXT>... <CLEAR-TEXT> – unencrypted password, set by a string of [1..64] characters, may include...
  • Page 116 Set the SIM card unlock code (if necessary): esr(config-cellular-modem)# pin <WORD>. <WORD> – SIM card unlock code [4..8]. Only digits are allowed. Allow the use of any USB modem operation mode (optionally): esr(config-cellular-modem)# allowed-mode <MODE>. <MODE> – acceptable USB modem operation mode [2g, 3g, 4g].
  • Page 117: Configuration Example
    8.6.2 Configuration example Objective: Configure a connection to the Internet using a USB modem. Solution: As an example, consider a connection to the cellular operator MTS. After connecting the modem, wait until the system detects the device. Determine the device port that was assigned to the connected USB modem: esr# show cellular status modem Number...
  • Page 118: Configuration Algorithm
    To establish a PPP connection through the E1 stream, a ToPGATE-SFP media converter must be installed in the ESR router. 8.7.1 Configuration algorithm Step Description Command Keys Put the physical interface in switch mode: esr(config-if-gi)# mode switchport. Set the operation mode of the e1 interface: esr(config-if-gi)# switchport mode. Set the synchronization source...
  • Page 119 Step Description Command Keys Set the number of timeslots: esr(config-if-gi)# switchport e1 timeslots <RANGE>. <RANGE> – number of timeslots. Use E1 as a single entity, without timeslots (optional): esr(config-if-gi)# switchport e1 unframed. Configure E1: esr(config)# interface e1 1/ <SLOT>...
  • Page 120: Configuration Example
    Step Description Command Keys Set the MRU (Maximum Receive Unit) size for the interface (optionally): esr(config-e1)# ppp mru <MRU>. <MRU> – MRU value. Enable MLPPP mode (optionally): esr(config-e1)# ppp multilink. Add the group to MLPPP (optionally): esr(config-e1)# ppp multilink- <GROUP-ID>...
  • Page 121: Mlppp Configuration
    The configuration changes come into effect after applying the following commands: esr# commit Configuration has been successfully committed esr# confirm Configuration has been successfully confirmed 8.8 MLPPP Configuration Multilink PPP (MLPPP) is an aggregated channel: a set of methods for transmitting traffic over multiple physical channels as a single logical connection.
  • Page 122 Step Description Command Keys Specify the password that is sent with the router name to the remote party for CHAP authentication: esr(config-multilink)# ppp chap password ascii-text { <CLEAR-TEXT> | encrypted <ENCRYPTED-TEXT>... <CLEAR-TEXT> – unencrypted password, set by a string of [8..64] characters, may include...
  • Page 123: Configuration Example
    Step Description Command Keys Specify the time interval in seconds after which the router sends a keepalive message (optionally): esr(config-multilink)# ppp timeout keepalive <TIME>. <TIME> – time in seconds, takes values of [1..32767]. Default value: 10. Specify the time interval in seconds ... esr(config-multilink)# ppp timeout <TIME>...
  • Page 124: Bridge Configuration
    esr# configure esr(config)# interface gigabitethernet 1/0/1 esr(config-if-gi)# switchport mode e1 esr(config-if-gi)# switchport e1 slot esr(config-if-gi)# exit esr(config)# interface gigabitethernet 1/0/2 esr(config-if-gi)# switchport mode e1 esr(config-if-gi)# switchport e1 slot esr(config-if-gi)# exit Configure MLPPP 3: esr(config)# interface multilink 3 esr(config-multilink)# ip address 10.77.0.2/24 esr(config-multilink)# security-zone trusted esr(config-multilink)# exit...
  • Page 125 Step Description Command Keys Enable the network bridge: esr(config-bridge)# enable. Specify the VRF instance in which the given bridge will operate (optionally): esr(config-bridge)# ip vrf forwarding <VRF>. <VRF> – VRF name, set by a string of up to 31 characters. Specify the description of the configured network bridge: esr(config-bridge)# description <DESCRIPTION>...
  • Page 126 Step Description Command Keys Specify the IPv4/IPv6 address and subnet mask for the interface to be configured, or enable dynamic IP address obtaining: esr(config-bridge)# ip address <ADDR/LEN>. <ADDR/LEN> – IP address and subnet mask length, defined as AAA.BBB.CCC.DDD/EE where...
  • Page 127: Example Of Bridge Configuration For Vlan And L2Tpv3 Tunnel
    Step Description Command Keys Specify a network bridge MAC address different from the system one (optionally): esr(config-bridge)# mac-address <ADDR>. <ADDR> – network bridge MAC address, defined as XX:XX:XX:XX:XX:XX where each part takes the values of [00..FF]. Enable interface isolation mode on the ... esr(config-bridge)# protected- exclude vlan –...
  • Page 128 Solution: Create VLAN 333: esr(config)# vlan 333 esr(config-vlan)# exit Create the 'trusted' security zone: esr(config)# security-zone trusted esr(config-zone)# exit Add the gi1/0/11, gi1/0/12 interfaces to VLAN 333: esr(config)# interface gigabitethernet 1/0/11-12 esr(config-if)# mode switchport esr(config-if)# switchport general allowed vlan add 333 tagged...
  • Page 129: Example Of Bridge Configuration For Vlan
    Create bridge 333, map VLAN 333 to it and specify membership in the 'trusted' zone: esr(config)# bridge 333 esr(config-bridge)# vlan 333 esr(config-bridge)# security-zone trusted esr(config-bridge)# enable Specify the affiliation of the L2TPv3 tunnel to the bridge mapped to the LAN (for L2TPv3 tunnel configuration, see Section L2TPv3 tunnel configuration).
  • Page 130 Map VLAN 50 to the gi1/0/11, gi1/0/12 interfaces: esr(config)# interface gigabitethernet 1/0/11-12 esr(config-if-gi)# switchport general allowed vlan add 50 tagged Map VLAN 60 to the gi1/0/14 interface: esr(config)# interface gigabitethernet 1/0/14 esr(config-if-gi)# switchport general allowed vlan add 60 tagged Create bridge 50, map VLAN 50 to it, define IP address 10.0.50.1/24 and membership in the 'LAN1' zone: esr(config)# bridge 50 esr(config-bridge)# vlan 50 esr(config-bridge)# ip address...
  • Page 131: Configuration Example Of The Second Vlan Tag Adding/Removing
    8.9.4 Configuration example of the second VLAN tag adding/removing Objective: The gigabitethernet 1/0/1 interface receives Ethernet frames with various VLAN tags. They must be redirected to the gigabitethernet 1/0/2 interface with a second VLAN-ID 828 added. When Ethernet frames with VLAN-ID 828 arrive on gigabitethernet 1/0/2, this tag must be removed and the frames sent to the gigabitethernet 1/0/1 interface.
  • Page 132: Configuration Algorithm
    8.10.1 Configuration algorithm Step Description Command Keys Specify a redundant interface to which the switching will occur when the connection is lost on the primary one: esr(config-if-gi)# backup interface <IF> vlan <VID>. <IF> – interface to which the switching will occur. <VID>...
  • Page 133: Mirroring Configuration (Span/Rspan)
    Solution: First, do the following: Create VLANs 50-55: esr(config)# vlan 50-55 STP must be disabled on the gigabitethernet 1/0/9 and gigabitethernet 1/0/10 interfaces, since these protocols cannot operate simultaneously: esr(config)# interface gigabitethernet 1/0/9-10 esr(config-if-gi)# spanning-tree disable Add the gigabitethernet 1/0/9 and gigabitethernet 1/0/10 interfaces to VLANs 50-55 in 'general' mode: esr(config-if-gi)# switchport general allowed vlan add 50-55 esr(config-if-gi)# exit...
  • Page 134: Configuration Algorithm
    8.11.1 Configuration algorithm Step Description Command Keys Define the VLAN over which the mirrored traffic will be transmitted (in case of remote mirroring): esr(config)# port monitor remote vlan <VID> <DIRECTION>. <VID> – VLAN ID, set in the range of [2..4094];...
  • Page 135: Lacp Configuration
    Solution: First, do the following: • Create VLAN 50. • On the gi 1/0/5 interface, add VLAN 50 in 'general' mode. Main configuration step: Specify the VLAN that will be used for transmission of mirrored traffic: esr1000(config)# port monitor remote vlan 50 For the gi 1/0/5 interface, specify a port for mirroring: interface gigabitethernet...
  • Page 136 Step Description Command Keys Set the load balancing mechanism for channel aggregation groups: esr(config)# port-channel load-balance { src-dst-mac-ip | src-dst-mac | src-dst-ip | src-dst-mac-ip-port }. • src-dst-mac-ip – balancing mechanism is based on source and destination MAC addresses and IP addresses;...
  • Page 137 Step Description Command Keys Include a physical interface in the channel aggregation group, specifying the mode of the channel aggregation group formation: esr(config-if-gi)# channel-group <ID> mode <MODE>. <ID> – sequence number of the channel aggregation group, takes values of [1..12].
  • Page 138: Configuration Example
    Step Description Command Keys It is also possible to configure the aggregated interface: • IPv4/IPv6 addressing (see sections IP addressing configuration, IPv6 addressing configuration, DHCP client management); • Firewall (see section Firewall configuration); • QoS in basic or advanced mode (see section management);...
  • Page 139: Aux Configuration
    Add the gi1/0/1, gi1/0/2 physical interfaces to the created link aggregation group: esr(config)# interface gigabitethernet 1/0/1-2 esr(config-if-gi)# channel-group mode auto Further port-channel configuration is performed in the same way as for a regular physical interface. 8.13 AUX configuration For ESR-21. AUX configuration is used to specify parameters for interacting with external devices connected to the ESR via serial interfaces.
  • Page 140 Step Description Command Keys • odd – odd parity check; • even – even parity check; • none – parity bit is not set. Default is "none". <SPEED> – speed of the serial interface in bps. Takes the following values: •...
  • Page 141: Configuration Examples
    8.13.2 Configuration examples Objective 1: Configure IP communication between two ESRs over the serial port, using modems in leased line mode (automatic modem mode) connected to each other by a telephone cable. The modems must first be put into automatic connection setup mode.
  • Page 142 Configure the required RS-232 interfaces: esr-21-1(config)# interface serial 1/0/2 esr-21-1(config-serial)# ip address 1.1.1.1/24 esr-21-1(config-serial)# exit esr-21-1(config)# Configure firewall for security zones: esr-21-1(config)# security zone xx esr-21-1(config-zone)# exit esr-21-1(config)# security zone-pair xx self esr-21-1(config-zone-pair)# rule esr-21-1(config-zone-pair-rule)# action permit esr-21-1(config-zone-pair-rule)# enable esr-21-1(config-zone-pair-rule)# exit esr-21-1(config-zone-pair)# exit...
  • Page 143 Specify that the interfaces belong to the security zone: esr-21-2(config)# interface serial 1/0/2 esr-21-2(config-serial)# security-zone xx esr-21-2(config-serial)# exit esr-21-2(config)# Objective 2: Set up IP connectivity between two ESRs over a serial port, using dial-up modems and the Public Switched Telephone Network (PSTN). An ESR-12VF with the following configuration is used as the PSTN emulation: dialplan pattern factory_test...
  • Page 144 Configure the parameters for negotiation with the modem: esr-21-1(config)# line aux esr-21-1(config-line-aux)# flowcontrol hardware esr-21-1(config-line-aux)# modem inout esr-21-1(config-line-aux)# exit esr-21-1(config)# Configure the required RS-232 interfaces: esr-21-1(config)# interface serial 1/0/2 esr-21-1(config-serial)# ip address 1.1.1.1/24 esr-21-1(config-serial)# exit esr-21-1(config)# Configure firewall for security zones: esr-21-1(config)# security zone xx esr-21-1(config-zone)# exit esr-21-1(config)# security zone-pair xx self...
  • Page 145 Configure the required RS-232 interfaces: esr-21-2(config)# interface serial 1/0/2 esr-21-2(config-serial)# ip address 1.1.1.2/24 esr-21-2(config-serial)# exit esr-21-2(config)# Configure firewall for security zones: esr-21-2(config)# security zone xx esr-21-2(config-zone)# exit esr-21-2(config)# security zone-pair xx self esr-21-2(config-zone-pair)# rule esr-21-2(config-zone-pair-rule)# action permit esr-21-2(config-zone-pair-rule)# enable esr-21-2(config-zone-pair-rule)# exit esr-21-2(config-zone-pair)# exit...
  • Page 146: Adapter Soldering Schemes
    Create a chat script with additional modem initialization parameters for the second ESR-21: esr-21-2(config)# chat-script answer_test "ABORT 'BUSY' ABORT 'NO CARRIER' '' AT OK AT&F OK ATM0L0 RING ATAr CONNECT ''" esr-21-2(config)# Enable the use of the modem initialization string: esr-21-2(config)# interface serial...
  • Page 147: Tunneling Management
    9 Tunneling management • GRE tunnel configuration • Configuration algorithm • IP-GRE tunnel configuration example • DMVPN configuration • Configuration algorithm • Configuration example 1 • Configuration example 2 • L2TPv3 tunnel configuration • Configuration algorithm • L2TPv3 tunnel configuration example •...
  • Page 148 Step Description Command Keys Specify the description of the configured tunnel (optionally): esr(config-gre)# description <DESCRIPTION>. <DESCRIPTION> – tunnel description, set by a string of up to 255 characters. Set the local IP address for the tunnel: esr(config-gre)# local address <ADDR>...
  • Page 149 Step Description Command Keys Assign the broadcast domain for encapsulation in the tunnel's GRE packets (only in ethernet mode): esr(config-gre)# bridge-group <BRIDGE-ID>. <BRIDGE-ID> – bridge identification number, takes values in the range of: • for ESR-10/12V(F)/14VF – [1..50]; •...
  • Page 150 Step Description Command Keys Enable key transmission in the GRE tunnel header (according to RFC 2890) and set the key value; must be configured on both tunnel sides: esr(config-gre)# key <KEY>. <KEY> – key value, takes values in the range of [1..2000000].
  • Page 151: Ip-Gre Tunnel Configuration Example
    Step Description Command Keys Enable the mechanism of iterative IP address querying via DHCP on the specified interfaces when the GRE tunnel is disconnected by keepalive (optionally): esr(config-gre)# keepalive dhcp dependent-interface <IF>. <IF> – physical/logical interface on which IP address obtaining via DHCP is enabled. Specify the time interval between GRE...
  • Page 152 Solution: Pre-configure the interfaces on the routers for connection to the WAN and enable reception of GRE packets from the security zone in which the WAN-connected interfaces operate. Create GRE tunnel 10: esr(config)# tunnel gre 10 Specify the local and remote gateways (IP addresses of the WAN border interfaces): esr(config-gre)# local address 115.0.0.1 esr(config-gre)# remote address...
  • Page 153: Dmvpn Configuration
    Additionally, you may specify the following parameters for the GRE tunnel: • Enable GRE header checksum calculation and its inclusion into the packet with the encapsulated packet for outbound traffic: esr(config-gre)# local checksum • Enable the check for GRE checksum presence and validity for inbound traffic: esr(config-gre)# remote checksum •...
  • Page 154: Configuration Algorithm
    Hub tunnels. This means that branches can communicate with each other directly, without the need for traffic to pass through the Hub. To establish such a connection, clients (NHC) send their internal (tunnel) address and external (NBMA) address to the NHRP server (NHS) over an encrypted IPsec tunnel.
  • Page 155: Configuration Example 1
    Step Description Command Keys Define the destination of multicast traffic: esr(config-gre)# ip nhrp multicast { dynamic | nhs | <ADDR> }. • dynamic – send to all peers with which there is a connection; • nhs – send to all statically configured servers;...
  • Page 156 External IP address of Hub: 150.115.0.5; External IP address of Spoke-1: 180.100.0.10; External IP address of Spoke-2: 140.114.0.4. IPsec VPN parameters: IKE: • Diffie-Hellman group: 2; • encryption algorithm: AES128; • authentication algorithm: SHA1. IPSEC: •...
  • Page 157 Specify the TTL value: esr(config-gre)# ttl Specify the IP address of the GRE tunnel: esr(config-gre)# ip address 10.10.0.5/24 Switch the GRE tunnel into multipoint mode so that it can connect to multiple points: esr(config-gre)# multipoint Proceed to NHRP configuration. Configure multicast to dynamically learnt addresses: esr(config-gre)# ip nhrp multicast dynamic Configure the dynamic routing protocol for the Hub.
  • Page 158 esr(config)# security ipsec proposal IPSECPROP esr(config-ipsec-proposal)# encryption algorithm aes128 esr(config-ipsec-proposal)# exit esr(config)# security ipsec policy IPSECPOLICY esr(config-ipsec-policy)# proposal IPSECPROP esr(config-ipsec-policy)# exit esr(config)# security ipsec vpn IPSECVPN esr(config-ipsec-vpn)# mode ike esr(config-ipsec-vpn)# ike establish-tunnel route esr(config-ipsec-vpn)# ike gateway IKEGW esr(config-ipsec-vpn)# ike ipsec-policy IPSECPOLICY esr(config-ipsec-vpn)# enable Map IPsec to the GRE tunnel so that clients can establish an encrypted connection:...
  • Page 159 Specify the tunnel address of the NHS: esr(config-gre)# ip nhrp nhs 10.10.0.5/24 Map the NHS tunnel address to its real (NBMA) address: esr(config-gre)# ip nhrp map 10.10.0.5 150.115.0.5 Configure multicast to the NHRP server: esr(config)# ip nhrp multicast nhs Configure BGP for the spoke: esr(config)# router bgp 65008 esr(config-bgp)# address-family ipv4...
  • Page 160 esr(config)# security ike gateway IKEGW_SPOKE esr(config-ike-gw)# ike-policy IKEPOLICY esr(config-ike-gw)# local address 180.100.0.10 esr(config-ike-gw)# local network 180.100.0.10/32 protocol gre esr(config-ike-gw)# remote address any esr(config-ike-gw)# remote network any esr(config-ike-gw)# mode policy-based esr(config-ike-gw)# exit esr(config)# security ipsec proposal IPSECPROP esr(config-ipsec-proposal)# encryption algorithm aes128 esr(config-ipsec-proposal)# exit esr(config)# security ipsec policy IPSECPOLICY esr(config-ipsec-policy)# proposal IPSECPROP...
  • Page 161: Configuration Example 2
    You can clear NHRP records with the command: esr# clear ip nhrp 9.2.3 Configuration example 2 Objective: Organize DMVPN between company offices with the corresponding subnets LAN1 and LAN2, using mGRE tunnels, NHRP (Next Hop Resolution Protocol), a dynamic routing protocol (OSPF) and IPsec. In this example there is a HUB router and two branches.
  • Page 162 Solution: Hub configuration First, configure the OSPF protocol. esr(config)# router ospf log-adjacency-changes esr(config)# router ospf esr(config-ospf)# router-id 77.77.77.77 esr(config-ospf)# area 10.10.0.0 esr(config-ospf-area)# enable esr(config-ospf-area)# exit esr(config-ospf)# enable esr(config-ospf)# exit Configure the interface and specify its membership in a security zone. esr(config)# interface gigabitethernet...
  • Page 163 esr(config)# security ike policy ike_pol1 esr(config-ike-policy)# pre-shared-key ascii-text password esr(config-ike-policy)# proposal ike_prop1 esr(config-ike-policy)# exit esr(config)# security ike gateway ike_spoke esr(config-ike-gw)# ike-policy ike_pol1 esr(config-ike-gw)# local address 150.115.0.5 esr(config-ike-gw)# local network 150.115.0.5/32 protocol gre esr(config-ike-gw)# remote address any esr(config-ike-gw)# remote network any esr(config-ike-gw)# mode policy-based esr(config-ike-gw)# exit esr(config)# security ipsec proposal ipsec_prop1...
  • Page 164
    Configure the interface and specify its security zone membership.
    esr(config)# interface gigabitethernet 1/0/1
    esr(config-if-gi)# security-zone untrusted
    esr(config-if-gi)# ip address 180.100.0.10/30
    esr(config-if-gi)# exit
    Configure the GRE tunnel, define its security zone membership, configure OSPF on the GRE tunnel, configure NHRP, and enable the tunnel and NHRP with the enable command.
  • Page 165
    esr(config)# security ike gateway ike_spoke
    esr(config-ike-gw)# ike-policy ike_pol1
    esr(config-ike-gw)# local address 180.100.0.10
    esr(config-ike-gw)# local network 180.100.0.10/32 protocol gre
    esr(config-ike-gw)# remote address any
    esr(config-ike-gw)# remote network any
    esr(config-ike-gw)# mode policy-based
    esr(config-ike-gw)# exit
    esr(config)# security ike gateway ike_hub
    esr(config-ike-gw)# ike-policy ike_pol1
    esr(config-ike-gw)# local address 180.100.0.10
    esr(config-ike-gw)# local network...
  • Page 166: L2Tpv3 Tunnel Configuration

    To view the NHRP records status, use the following command.
    esr# show ip nhrp
    Additionally, in the security zone-pair untrusted self, the protocols for the GRE over IPsec tunnel must be allowed.
    esr(config)# security zone-pair untrusted self
    esr(config-zone-pair)# rule
    esr(config-zone-pair-rule)# action permit
    esr(config-zone-pair-rule)# match protocol gre...
  • Page 167
    Description: Specify the description of the configured tunnel (optionally).
    Command: esr(config-l2tpv3)# description <DESCRIPTION>
    Keys: <DESCRIPTION> – tunnel description, set by the string of up to 255 characters.
    Description: Set local IP address for tunnel installation.
    Command: esr(config-l2tpv3)# local address <ADDR>
    Keys: <ADDR> – gateway IP address,
  • Page 168: L2Tpv3 Tunnel Configuration Example

    Description: Specify MTU size (Maximum Transmission Unit) for the tunnels (optionally). MTU above 1500 will be active only when using the "system jumbo-frames" command.
    Command: esr(config-l2tpv3)# mtu <MTU>
    Keys: <MTU> – MTU value, takes values in the range of:
      • for ESR-10/12V(F)/14VF – [1280..9600];
  • Page 169
    Solution: Create L2TPv3 333 tunnel:
    esr# configure
    esr(config)# tunnel l2tpv3
    Specify local and remote gateways (IP addresses of WAN border interfaces):
    esr(config-l2tpv3)# local address 21.0.0.1
    esr(config-l2tpv3)# remote address 183.0.0.10...
  • Page 170
    Specify the type of encapsulating protocol and UDP port numbers:
    esr(config-l2tpv3)# protocol udp
    esr(config-l2tpv3)# local port
    esr(config-l2tpv3)# remote port
    Specify identifiers for the session inside the tunnel for the local and remote sides:
    esr(config-l2tpv3)# local session-id
    esr(config-l2tpv3)# remote session-id
    Define the membership of the L2TPv3 tunnel in a bridge that should be mapped to the remote office network (for bridge configuration, see Section Configuration example of bridge for VLAN and L2TPv3...
  • Page 171: Ipsec Vpn Configuration

    To view sent and received packet counters, use the following command:
    esr# show tunnels counters l2tpv3
    To view the tunnel configuration, use the following command:
    esr# show tunnels configuration l2tpv3
    Note: In addition to tunnel creation, you should enable UDP inbound traffic in the firewall with source port 519 and destination port 519.
  • Page 172
    Description: Specify the description of the configured IKE profile (optionally).
    Command: esr(config-ike-proposal)# description <DESCRIPTION>
    Keys: <DESCRIPTION> – tunnel description, set by the string of up to 255 characters.
    Description: Specify IKE authentication algorithm (optionally).
    Command: esr(config-ike-proposal)# authentication algorithm <ALGORITHM>
    Keys: <ALGORITHM> – authentication algorithm, takes...
  • Page 173
    Description: Bind IKE profile to IKE policy.
    Command: esr(config-ike-policy)# proposal <NAME>
    Keys: <NAME> – IKE protocol name, set by the string of up to 31 characters.
    Description: Specify authentication key (mandatory if pre-shared-key is selected as...
    Command: esr(config-ike-policy)# pre-shared-key ascii-text <TEXT>
    Keys: <TEXT> – string [1..64] ASCII...
  • Page 174
    Description: Specify the time period of response to DPD mechanism messages (optionally).
    Command: esr(config-ike-gw)# dead-peer-detection timeout <SEC>
    Keys: <SEC> – time interval of response to DPD mechanism messages, takes values of [1..180] seconds. Default value: 30 seconds.
    Description: Bind VTI tunnel to IKE gateway.
  • Page 175
    Description: Specify the lifetime of IPsec tunnel (optionally).
    Command: esr(config-ipsec-policy)# lifetime { seconds <SEC> | packets <PACKETS> | kilobytes <KB>...
    Keys: <SEC> – IPsec tunnel lifetime after which re-keying is carried out. Takes values in the...
  • Page 176
    Description: Set VPN activation mode.
    Command: esr(config-ipsec-vpn)# ike establish-tunnel <MODE>
    Keys: <MODE> – VPN activation mode:
      • by-request – connection is established by the remote party;
      • route – connection is established when there is traffic routed to the tunnel;...
  • Page 177: Route-Based Ipsec Vpn Configuration Example

    Description: Configure the start of IKE connection key re-keying before the expiration of the lifetime (optionally).
    Command: esr(config-ipsec-vpn)# ike rekey margin { seconds <SEC> | packets <PACKETS> | kilobytes <KB>...
    Keys: <SEC> – time interval in seconds remaining before the connection release (set by the...
  • Page 178
    Objective: Configure IPsec tunnel between R1 and R2.
      • R1 IP address: 120.11.5.1;
      • R2 IP address: 180.100.0.1;
    IKE:
      • Diffie-Hellman group: 2;
      • encryption algorithm: AES 128 bit;
      • authentication algorithm: MD5.
    IPsec:
      • encryption algorithm: AES 128 bit;
      •...
  • Page 179
    Create a static route to the remote LAN. For each subnet located beyond the IPsec tunnel, specify a route via VTI tunnel:
    esr(config)# ip route 192.0.2.0/24 tunnel vti
    Create IKE protocol profile. Select Diffie-Hellman group 2, AES 128 bit encryption algorithm and MD5 authentication algorithm in the profile.
  • Page 180
    Create IPsec VPN. For the VPN, specify IKE protocol gateway, IPsec tunnel policy, key exchange mode and connection establishment method. When all parameters are entered, enable the tunnel using the enable command.
    esr(config)# security ipsec vpn ipsec1
    esr(config-ipsec-vpn)# mode ike
    esr(config-ipsec-vpn)# ike establish-tunnel route
    esr(config-ipsec-vpn)# ike gateway ike_gw1
    esr(config-ipsec-vpn)# ike ipsec-policy ipsec_pol1...
  • Page 181
    Create IKE protocol policy. For the policy, specify the list of IKE protocol profiles that may be used for node and authentication key negotiation:
    esr(config)# security ike policy ike_pol1
    esr(config-ike-policy)# pre-shared-key hexadecimal 123FFF
    esr(config-ike-policy)# proposal ike_prop1
    esr(config-ike-policy)# exit
    Create IKE protocol gateway.
  • Page 182: Policy-Based Ipsec Vpn Configuration Algorithm

    To view the tunnel configuration, use the following command:
    esr# show security ipsec vpn configuration ipsec1
    Note: In the firewall, you should enable the ESP and ISAKMP protocols (UDP port 500).
    9.4.3 Policy-based IPsec VPN configuration algorithm
  • Page 183
    Description: Create an IKE policy and switch to its configuration mode.
    Command: esr(config)# security ike policy <NAME>
    Keys: <NAME> – IKE policy name, set by the string of up to 31 characters.
    Description: Specify the lifetime of IKE protocol...
    Command: esr(config-ike-proposal)# lifetime <SEC>...
  • Page 184
    Description: Specify the interval between sending messages via DPD mechanism (optionally).
    Command: esr(config-ike-gw)# dead-peer-detection interval <SEC>
    Keys: <SEC> – interval between sending messages via DPD mechanism, takes values of [1..180] seconds.
    Description: Specify the time period of response to...
    Command: esr(config-ike-gw)# dead-peer-...
    Keys: <SEC>...
  • Page 185
    Description: Set recipient's subnet IP address as well as IP and port.
    Command: esr(config-ike-gw)# remote network <ADDR/LEN> [ protocol { <TYPE> | <ID> } [ port <PORT>...
    Keys: <ADDR/LEN> – subnet IP address and mask of a sender. The parameter is defined as...
  • Page 186
    Description: Specify the lifetime of IPsec tunnel (optionally).
    Command: esr(config-ipsec-policy)# lifetime { seconds <SEC> | packets <PACKETS> | kilobytes <KB>...
    Keys: <SEC> – IPsec tunnel lifetime after which re-keying is carried out. Takes values in the...
  • Page 187
    Description: Bind IKE gateway to VPN.
    Command: esr(config-ipsec-vpn)# ike gateway <NAME>
    Keys: <NAME> – IKE gateway name, set by the string of up to 31 characters.
    Description: Set the time interval value in seconds...
    Command: esr(config-ipsec-vpn)# ike idle-...
    Keys: <TIME>...
  • Page 188: Policy-Based Ipsec Vpn Configuration Example

    9.4.4 Policy-based IPsec VPN configuration example
    Objective: Configure IPsec tunnel between R1 and R2.
      R1 IP address – 198.51.100.1;
      R2 IP address – 203.0.113.1;...
  • Page 189
    IKE:
      • Diffie-Hellman group: 2;
      • encryption algorithm: AES 128 bit;
      • authentication algorithm: MD5.
    IPsec:
      • encryption algorithm: AES 128 bit;
      • authentication algorithm: MD5.
    Solution: R1 configuration
    Configure the external network interface and specify its security zone membership:
    esr# configure
    esr(config)# interface...
  • Page 190
    Create IKE protocol gateway. For this profile, specify VTI tunnel, policy, protocol version and mode of traffic redirection into the tunnel.
    esr(config)# security ike gateway ike_gw1
    esr(config-ike-gw)# ike-policy ike_pol1
    esr(config-ike-gw)# local address 198.51.100.1
    esr(config-ike-gw)# local network 10.0.0.0/16
    esr(config-ike-gw)# remote address 203.0.113.1
    esr(config-ike-gw)# remote network...
  • Page 191
    To configure security zone rules, you should create an ISAKMP port profile:
    esr(config)# object-group service ISAKMP
    esr(config-addr-set)# port-range
    esr(config-addr-set)# exit
    Create IKE protocol profile. Select Diffie-Hellman group 2, AES 128 bit encryption algorithm and MD5 authentication algorithm in the profile. The given security parameters are used for IKE connection protection:
    esr(config)# security ike proposal ike_prop1
    esr(config-ike-proposal)# dh-group...
  • Page 192: Remote Access Ipsec Vpn Configuration Algorithm

    Create IPsec VPN. For the VPN, specify IKE protocol gateway, IPsec tunnel policy, key exchange mode and connection establishment method. When all parameters are entered, enable the tunnel using the enable command.
    esr(config)# security ipsec vpn ipsec1
    esr(config-ipsec-vpn)# mode ike
    esr(config-ipsec-vpn)# ike establish-tunnel immediate
    esr(config-ipsec-vpn)# ike gateway ike_gw1
    esr(config-ipsec-vpn)# ike ipsec-policy ipsec_pol1...
  • Page 193
    Description: Specify the IP address of the VTI tunnel local side (optional).
    Command: esr(config-vti)# ip address <ADDR/LEN>
    Keys: <ADDR/LEN> – IP address and prefix of a subnet, defined as AAA.BBB.CCC.DDD/EE where each part AAA-DDD takes values of [0..255] and EE takes values of [1..31].
  • Page 194
    Description: Create user name.
    Command: esr(config-access-profile)# user <LOGIN>
    Keys: <LOGIN> – login for client, set by the string of up to 31 characters.
    Description: Specify a password for a user.
    Command: esr(config-profile)# password ascii-text <TEXT>
    Keys: <TEXT> – string of [8..32] ASCII characters.
  • Page 195
    Description: Specify the interval between sending messages via DPD mechanism (optionally).
    Command: esr(config-ike-gw)# dead-peer-detection interval <SEC>
    Keys: <SEC> – interval between sending messages via DPD mechanism, takes values of [1..180] seconds. Default value: 2
    Description: Specify the time period of response to...
    Command: esr(config-ike-gw)# dead-peer-...
    Keys: <SEC>...
  • Page 196
    Description: Set the pool for dynamic allocation of IP addresses to clients (only for server).
    Command: esr(config-ike-gw)# remote network dynamic pool <NAME>
    Keys: <NAME> – destination addresses pool name, set by the string of up to 31 characters.
  • Page 197
    Description: Specify protocol (optionally).
    Command: esr(config-ipsec-proposal)# protocol <PROTOCOL>
    Keys: <PROTOCOL> – encapsulation protocol, takes the following values:
      • ah – this protocol performs only traffic authentication, data encryption is not performed;
      • esp – this protocol authenticates and encrypts traffic.
  • Page 198
    Description: Create IPsec VPN policy and switch to its configuration mode.
    Command: esr(config)# security ipsec vpn <NAME>
    Keys: <NAME> – VPN name, set by the string of up to 31 characters.
    Description: Define the matching mode of data...
    Command: esr(config-ipsec-vpn)# mode <MODE>...
  • Page 199
    Description: Disable key re-keying before the IKE connection is lost due to the timeout, the number of transmitted packets or bytes (optionally).
    Command: esr(config-ipsec-vpn)# ike rekey disable
    Keys: Default value: disabled.
    Description: Configure the start of IKE connection...
    Command: esr(config-ipsec-vpn)# ike rekey <SEC>...
  • Page 200
    Description: Enable XAUTH clients reconnection mode with one login/password (server only) (optional).
    Command: esr(config-ipsec-vpn)# security ike session uniqueids <MODE>
    Keys: <MODE> – reconnect mode, may take the following values:
      • no – established XAUTH connection will be deleted if an «INITIAL_CONTACT»...
  • Page 201: Remote Access Ipsec Vpn Configuration Example

    9.4.6 Remote Access IPsec VPN configuration example
    Objective: Configure Remote Access IPsec VPN between R1 and R2 using the second IPsec authentication factor, XAUTH. Configure router R1 as the IPsec VPN server, and router R2 as the IPsec VPN client.
    R2 IP address: 120.11.5.1;...
  • Page 202
    Create IKE protocol profile. Select Diffie-Hellman group 2, 3DES encryption algorithm and SHA1 authentication algorithm in the profile. The given security parameters are used for IKE connection protection:
    esr(config)# security ike proposal IKEPROP
    esr(config-ike-proposal)# dh-group
    esr(config-ike-proposal)# authentication algorithm sha1
    esr(config-ike-proposal)# encryption algorithm 3des
    esr(config-ike-proposal)# exit
    Create IKE protocol policy.
  • Page 203
    Create security parameters profile for IPsec tunnel. Specify 3DES encryption algorithm and SHA1 authentication algorithm in the profile. Use the following parameters to secure the IPsec tunnel:
    esr(config)# security ipsec proposal IPSECPROP
    esr(config-ipsec-proposal)# authentication algorithm sha1
    esr(config-ipsec-proposal)# encryption algorithm 3des
    esr(config-ipsec-proposal)# exit
    Create a policy for IPsec tunnel.
  • Page 204
    To configure security zone rules, you should create an ISAKMP port profile:
    esr(config)# object-group service ISAKMP
    esr(config-addr-set)# port-range 500,4500
    esr(config-addr-set)# exit
    Create IKE protocol profile. Select Diffie-Hellman group 2, 3DES encryption algorithm and SHA1 authentication algorithm in the profile. The given security parameters are used for IKE connection protection:
    esr(config)# security ike proposal IKEPROP
    esr(config-ike-proposal)# dh-group...
  • Page 205
    Create security parameters profile for IPsec tunnel. Specify 3DES encryption algorithm and SHA1 authentication algorithm in the profile. Use the following parameters to secure the IPsec tunnel:
    esr(config)# security ipsec proposal IPSECPROP
    esr(config-ipsec-proposal)# authentication algorithm md5
    esr(config-ipsec-proposal)# encryption algorithm aes128
    esr(config-ipsec-proposal)# exit
    Create a policy for IPsec tunnel.
  • Page 206: Tunnels Configuration

    9.5 LT tunnels configuration
    LT (Logical Tunnel) is a type of tunnel intended for transmission of routing information and traffic between different virtual routers (VRF Lite) configured on a router. An LT tunnel can be used to interconnect two or more VRFs subject to firewall restrictions.
  • Page 207: Configuration Example

    Description: Specify the MTU size of packets that can be passed by the bridge (optionally; possible only if a VLAN is included in the bridge).
    Command: esr(config-lt)# mtu <MTU>
    Keys: <MTU> – MTU value, takes values in the range of:
  • Page 208
    Solution: Create LT tunnels for each VRF, specifying IP addresses from one subnet:
    esr(config)# tunnel lt
    esr(config-lt)# ip vrf forwarding vrf_1
    esr(config-lt)# ip firewall disable
    esr(config-lt)# ip address 192.168.0.1/30
    esr(config-lt)# exit
    esr(config)# tunnel lt
    esr(config-lt)# ip vrf forwarding vrf_2
    esr(config-lt)# ip firewall disable
    esr(config-lt)# ip address 192.168.0.2/30...
  • Page 209: Qos Management

    10 QoS management
      • Basic QoS
        • Configuration algorithm
        • Configuration example
      • Advanced QoS
        • Configuration algorithm
        • Configuration example
    QoS (Quality of Service) is a technology that provides various traffic classes with various service priorities. QoS allows network applications to co-exist in a single network without altering the bandwidth of other applications.
  • Page 210
    Description: Set the match between DSCP code values of incoming packets and outgoing queues. The given match works for incoming...
    Command: esr(config)# qos map dscp-queue <DSCP> to <QUEUE>
    Keys: <DSCP> – service classifier in a packet IP header, takes values in the range of [0..63]; <QUEUE>...
  • Page 211
    Description: Set the number of the default queue into which all traffic except IP falls in the trust mode for DSCP priorities.
    Command: esr(config)# qos queue default <QUEUE>
    Keys: <QUEUE> – queue identifier, takes values in the range of [1..8].
  • Page 212: Configuration Example

    Description: Set the incoming traffic rate limiting (if the outgoing rate limiting is required).
    Command: esr(config-if-gi)# rate-limit <BANDWIDTH> [BURST]
    Keys: <BANDWIDTH> – average traffic rate in Kbps, takes the value of [3000..10000000] for TengigabitEthernet interfaces and [64..1000000] for other interfaces and tunnels;...
  • Page 213: Advanced Qos

    esr(config)# interface gigabitethernet 1/0/5
    esr(config-if-gi)# qos enable
    esr(config-if-gi)# exit
    Enable QoS on the WAN side interface for proper queue handling and bandwidth limitation:
    esr(config)# interface gigabitethernet 1/0/8
    esr(config-if-gi)# qos enable
    Limit transfer rate to 60 Mbps for the 7th queue:
    esr(config-if)# traffic-shape queue 7 60000
    esr(config-if)# exit...
  • Page 214
    Description: Specify the DSCP code value which will be set in IP packets corresponding to the class being configured (cannot be assigned simultaneously with IP Precedence and CoS fields).
    Command: esr(config-class-map)# set dscp <DSCP>
    Keys: <DSCP> – DSCP code value, takes values in the range of [0..63].
  • Page 215
    Description: Include QoS policy in QoS class to create hierarchical QoS. The inserted policy must already be created.
    Command: esr(config-class-policy-map)# service-policy <NAME>
    Keys: <NAME> – policy name, set by the string of up to 31 characters.
    Description: Set the committed outgoing bandwidth...
    Command: esr(config-class-policy-map)# ...
    Keys: <BANDWIDTH>...
  • Page 216
    Description: Specify the limit on the number of virtual queues (optionally).
    Command: esr(config-class-policy-map)# fair-queue <QUEUE-LIMIT>
    Keys: <QUEUE-LIMIT> – limit on the number of virtual queues, takes values in the range of [16..4096]. Default value: 16.
    Description: Specify the limit on the number of packets...
    Command: esr(config-class-policy-map)# ...
    Keys: <QUEUE-LIMIT>...
  • Page 217: Configuration Example

    Description: Specify GRED (Generalized Random Early Detection) parameters (if required).
    Command: esr(config-class-policy-map)# random-detect precedence <PRECEDENCE> <LIMIT> <MAX> <MIN> <PROBABILITY>
    Keys: <PRECEDENCE> – IP Precedence value [0..7]; <LIMIT> – limited size of a queue in bytes, takes values in the range of [1..1000000]; <MAX>...
  • Page 218
  • Page 219
    Solution: Configure access control lists for filtering by a subnet; proceed to global configuration mode:
    esr(config)# ip access-list extended fl1
    esr(config-acl)# rule
    esr(config-acl-rule)# action permit
    esr(config-acl-rule)# match protocol any
    esr(config-acl-rule)# match source-address 10.0.11.0 255.255.255.0
    esr(config-acl-rule)# match destination-address any
    esr(config-acl-rule)# enable
    esr(config-acl-rule)# exit
    esr(config-acl)# exit...
  • Page 220
    For the rest of the traffic, configure a class with SFQ mode:
    esr(config-policy-map)# class class-default
    esr(config-class-policy-map)# mode sfq
    esr(config-class-policy-map)# fair-queue
    esr(config-class-policy-map)# exit
    esr(config-policy-map)# exit
    Enable QoS on the interfaces: the policy on the gi 1/0/19 interface ingress for classification purposes and on gi1/0/20 egress for applying restrictions and SFQ mode for the default class:
    esr(config)# interface...
  • Page 221: Routing Management

    11 Routing management
      • Routing information advertising policy
        • OSPF protocol
        • IS-IS protocol
        • iBGP protocol
        • eBGP protocol
      • Static routes configuration
        • Configuration algorithm
        • Static routes configuration example
      • RIP Configuration
        • Configuration algorithm
        •...
  • Page 222: Routing Information Advertising Policy

    11.1 Routing information advertising policy
    11.1.1 RIP
    Import:
      Default policy: Route information reception is not limited.
      Advertising methods: Network, Redistribute.
      Filtering methods: Route-map — the last (implicit) rule denies anything that is not explicitly allowed by the previous rules.
      Filtering policy application levels: RIP process.
  • Page 223: Is-Is Protocol

    Export:
      Default policy: Information about interfaces with OSPF protocol enabled is advertised.
      Filtering methods: Route-map — the last (implicit) rule allows anything that is not explicitly denied by the previous rules. Prefix-list —...
  • Page 224: iBGP Protocol

    11.1.4 iBGP protocol
    Import:
      Default policy: Route information reception is not limited.
      Advertising methods: Network, Redistribute.
      Filtering methods: Route-map — the last (implicit) rule denies anything that is not explicitly allowed by the previous rules.
      Filtering policy application levels: address-family, peer-group, neighbor.
  • Page 225: Static Routes Configuration

    11.2 Static routes configuration
    Static routing is a type of routing in which routes are defined explicitly during the router configuration, without dynamic routing protocols.
    11.2.1 Configuration algorithm
    You can add a static route by using the following command in global configuration mode:
    esr(config)# ip route [ vrf <VRF>...
  • Page 226: Static Routes Configuration Example

      • <IF> – an IP interface name specified in the form described in Section Types and naming order of router interfaces;
      • blackhole – when specifying the command, the packets to this subnet will be dropped by the device without sending notifications to the sender;...
  • Page 227
    Specify the 192.168.100.1/30 address and the 'LAN' zone for the gi1/0/2 interface. R1 will be connected to the R2 device via the given interface for further traffic routing:
    esr(config)# interface gi1/0/2
    esr(config-if-gi)# security-zone LAN
    esr(config-if-gi)# ip address 192.168.100.1/30
    esr(config-if-gi)# exit
    Specify the 128.107.1.2/30 address and the "WAN"...
  • Page 228: Rip Configuration

    Create a default route by specifying the IP address of the R1 router gi1/0/2 interface (192.168.100.1) as the nexthop:
    esr(config)# ip route 0.0.0.0/0 192.168.100.1
    You can use the following command to check the routing table:
    esr# show ip route
    11.3 RIP Configuration
    RIP is a distance-vector dynamic routing protocol that uses hop count as a routing metric.
  • Page 229
    Description: Permit or deny the prefix lists.
    Command: esr(config-pl)# permit { object-group <OBJ-GROUP-NETWORK-NAME> | <ADDR/LEN> | <IPV6-ADDR/LEN> } [ { eq <LEN> | le...
    Keys: <OBJ-GROUP-NETWORK-NAME> – IP addresses profile name, set by the string of up to 31 characters;...
  • Page 230
    Description: Specify the list of passwords for authentication via md5 hashing algorithm (optionally).
    Command: esr(config-rip)# authentication key-chain <KEYCHAIN>
    Keys: <KEYCHAIN> – key list identifier, set by the string of up to 16 characters.
    Description: Disable routes advertising on the...
    Command: esr(config-rip)# passive-interface <IF>...
  • Page 231
    Description: Enable advertising of routes received in an alternative way (optionally).
    Command: esr(config-rip)# redistribute static [ route-map <NAME> ]
    Keys: <NAME> – name of the route map that will be used for filtering and modification of advertised static routes, set by the string of up to 31 characters.
  • Page 232
    Description: Switch to the interface/tunnel/network bridge configuration mode.
    Command: esr(config)# interface <IF-TYPE><IF-NUM>
    Keys: <IF-TYPE> – interface type; <IF-NUM> – F/S/P – F frame (1), S – slot (0), P – port.
    Command: esr(config)# tunnel <TUN-TYPE><TUN-NUM>...
    Keys: <TUN-TYPE> – tunnel type;...
  • Page 233: Rip Configuration Example

    11.3.2 RIP configuration example
    Objective: Configure RIP on the router in order to exchange routing information with neighbouring routers. The router should advertise static routes and subnets 115.0.0.0/24, 14.0.0.0/24, 10.0.0.0/24. Routes should be advertised every 25 seconds.
    Solution: Pre-configure IP addresses on interfaces according to the network structure shown in the figure.
  • Page 234
    Note: In addition to RIP protocol configuration, open UDP port 520 in the firewall.
  • Page 235: OSPF Configuration

    11.4 OSPF configuration
    OSPF is a dynamic routing protocol based on link-state technology and using the shortest path first (Dijkstra) algorithm.
    11.4.1 Configuration algorithm
    Description: Configure OSPF precedence for the main routing table (optionally).
    Command: esr(config)# ip protocols ospf
    Keys: <VALUE> – protocol
  • Page 236
    Description: Permit or deny the prefix lists.
    Command: esr(config-pl)# permit [ { object-group <OBJ-GROUP-NETWORK-NAME> | <ADDR/LEN> | <IPV6-ADDR/LEN> } ] [ { eq <LEN> | le...
    Keys: <OBJ-GROUP-NETWORK-NAME> – IPv4/IPv6 addresses profile name, set by the string of up to 31 characters;...
  • Page 237
    Description: Enable compatibility with RFC 1583 (optionally).
    Command: esr(config-ospf)# compatible rfc1583
    Command: esr(config-ipv6-ospf)# compatible rfc1583
    Description: Add subnet filtering in incoming or outgoing updates (optionally).
    Command: esr(config-ospf)# prefix-list <PREFIX-LIST-NAME> { in | out }
    Keys: <PREFIX-LIST-NAME> – name of a subnet list being configured, set by the string of up to 31 characters.
  • Page 238
    Description: Create OSPF area and switch to the area configuration mode.
    Command: esr(config-ospf)# area <AREA_ID>
    Command: esr(config-ipv6-ospf)# area <AREA_ID>
    Keys: <AREA_ID> – area identifier, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255].
    Description: Enable subnets advertising.
    Command: esr(config-ospf-area)# network <ADDR/LEN>...
  • Page 239
    Description: Enable the subnet summarization or hiding.
    Command: esr(config-ospf-area)# summary-address <ADDR/LEN> { advertise | not-advertise }
    Keys: <ADDR/LEN> – IP address and subnet mask, defined as AAA.BBB.CCC.DDD/EE where each part AAA-DDD takes values of [0..255] and EE takes values of [1..32];...
  • Page 240
    Description: Set the time interval in seconds after which the router re-sends a packet that has not received a delivery confirmation (for example, a DatabaseDescription...
    Command: esr(config-ospf-vlink)# restransmit-interval <TIME>
    Keys: <TIME> – time in seconds, takes values of [1..65535]. Default value: 5 seconds.
  • Page 241
    Description: Specify the list of passwords for authentication via md5 hashing algorithm.
    Command: esr(config-ospf-vlink)# authentication key chain <KEYCHAIN>
    Keys: <KEYCHAIN> – key list identifier, set by the string of up to 16 characters.
    Description: Enable virtual connection.
    Command: esr(config-ospf-vlink)# enable
    Description: Switch to the interface/tunnel/network...
    Command: esr(config)# interface <IF-...
  • Page 242
    Description: Specify OSPF authentication algorithm.
    Command: esr(config-if-gi)# ip ospf authentication algorithm <ALGORITHM>
    Keys: <ALGORITHM> – authentication algorithm:
      • cleartext – password, transmitted in clear text;
      • md5 – password is hashed by md5 algorithm.
    Description: Set the password for OSPF neighbor...
    Command: esr(config-if-gi)# ip ospf ...
    Keys: <CLEAR-TEXT>...
  • Page 243
    Description: Set the time interval during which the NBMA interface waits before sending a HELLO packet to a neighbor, even if the neighbor is idle.
    Command: esr(config-if-gi)# ip poll-interval <TIME>
    Keys: <TIME> – time in seconds, takes values of [1..65535].
  • Page 244: Ospf Configuration Example

    Command: esr(config-if-gi)# ipv6 ospf priority <VALUE>
    Description: Set the metric size on the interface or tunnel.
    Command: esr(config-if-gi)# ip ospf cost <VALUE>
    Command: esr(config-if-gi)# ipv6 ospf cost <VALUE>...
    Keys: <VALUE> – metric size, takes values of [0..32767]. Default value: 150.
  • Page 245: Ospf Stub Area Configuration Example

    esr(config-ospf)# area 1.1.1.1
    esr(config-ospf-area)# enable
    esr(config-ospf-area)# exit
    Enable advertising of the routing information from RIP:
    esr(config-ospf)# redistribute rip
    Enable the OSPF process:
    esr(config-ospf)# enable
    esr(config-ospf)# exit
    Neighbouring routers are connected to the gi1/0/5 and gi1/0/15 interfaces. To establish neighbour relationships with other routers, map these interfaces to the OSPF process and the area.
  • Page 246: Virtual Link Configuration Example

    For the R3 stub router, enable advertising of the routing information from RIP:
    esr(config-ospf)# redistribute rip
    11.4.4 Virtual link configuration example
    Objective: Merge two backbone areas using a virtual link.
    Solution: A virtual link is a specialized connection that allows you to merge a split area or connect an area to the backbone area through a third area.
  • Page 247: Bgp Configuration

    Consider the routing table on the R1 router:
    esr# show ip route
    10.0.0.0/24 [0/0] dev gi1/0/12, [direct 00:49:34]
    10.0.1.0/24 [150/20] via 10.0.0.1 on gi1/0/12, [ospf1 00:49:53] (0.0.0.3)
    192.168.20.0/24 [150/30] via 10.0.0.1 on gi1/0/12, [ospf1 00:50:15] (0.0.0.3)
    192.168.10.0/24 [0/0] dev lo1, [direct 21:32:01]
    Review the routing table on the R3 router:...
  • Page 248: Configuration Algorithm

    11.5.1 Configuration algorithm
    Note: To establish a BGP session it is necessary to allow TCP port 179 on the firewall.
    Description: Configure BGP precedence for the main routing table (optional).
    Command: esr(config)# ip protocols bgp
    Keys: <VALUE> – protocol
  • Page 249
    Step 3.1.1
    Description: If you select the route-map-based filtering method, create a list of rules that will be used to filter the advertised...
    Command: esr(config)# route-map <NAME>
    Keys: <NAME> – configured routing rule name, set by the string of up to 31 characters.
  • Page 250 Step Description Command Keys 3.1.3 Define the list of subnets affected by the rule: esr(config-route-map-rule)# match ip address { <ADDR/LEN> | object-group <OBJ-GRP-NETNAME> } [ { eq <LEN> | le <LEN> | ge <LEN 1> ...; <ADDR/LEN> – IP address and subnet mask, in the format of AAA.BBB.CCC.DDD/EE –...
  • Page 251 Step Description Command Keys 3.2.1 If you select the prefix-list-based filtering method, create a list of IP networks that will be used to filter routes: esr(config)# ip prefix-list <NAME>; <NAME> – name of a subnet list being configured, set by the string of up to 31 characters.
  • Page 252 Step Description Command Keys 3.2.2 Permit or deny prefixes in the list: esr(config-pl)# permit { <ADDR/LEN> | object-group <OBJ-GRP-NETNAME> } [ { eq <LEN> | le <LEN> ...; <ADDR/LEN> – IP address and subnet mask, in the format of...
  • Page 253 Step Description Command Keys Set the router identifier: esr(config-bgp)# router-id <ID>; <ID> – router identifier, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255]. Set the Route-Reflector identifier of the cluster to which the router BGP process belongs: esr(config-bgp)# cluster-id <ID>; <ID> – Route-Reflector cluster identifier, defined as...
  • Page 254 Step Description Command Keys Set a global password for authentication with neighbors (used in conjunction with «authentication …»): esr(config-bgp)# authentication key ascii-text { <CLEAR-TEXT> | encrypted <ENCRYPTED-TEXT> }; <CLEAR-TEXT> – password, set by the string of 8 to 16 characters;...
  • Page 255 Step Description Command Keys esr(config-bgp-af)# redistribute ospf <ID> <ROUTE-TYPE 1> [<ROUTE-TYPE 2>] [<ROUTE-TYPE 3>] [<ROUTE-TYPE 4>] [ route-map <NAME> ]; <ID> – process number, takes values of {1..65535}; <ROUTE-TYPE> – route type: • intra-area – OSPF process routes advertising within an area;...
  • Page 256 Step Description Command Keys Enable subnets advertising: esr(config-bgp-af)# network <ADDR/LEN>; <ADDR/LEN> – subnet address, set in one of the following formats: • AAA.BBB.CCC.DDD/EE – network IP address with prefix mask, where AAA-DDD take values of [0..255] and EE takes values of [1..32];...
  • Page 257 Step Description Command Keys Set the minimum and maximum delay during which it is prohibited to establish a connection in order to ...: esr(config-bgp-af)# timers error-wait <TIME1> <TIME2>; <TIME1> – minimum delay time in seconds, takes values of [1..65535].
  • Page 258 Step Description Command Keys Set the password for neighbour authentication (optional): esr(config-bgp-neighbor)# authentication key ascii-text { <CLEAR-TEXT> | encrypted <ENCRYPTED-TEXT> }; <CLEAR-TEXT> – password, set by the string of 8 to 16 characters; <ENCRYPTED-TEXT> – encrypted password of 8 to 16 bytes (from 16 to 32 characters) in hexadecimal format (0xYYYY ...) or...
  • Page 259: Configuration Example

    Step Description Command Keys Set the mode in which private autonomous system numbers are removed from the AS Path BGP attribute of routes before sending an update (in ...: esr(config-bgp-neighbor-af)# remove-private-as [ { all | nearest | replace } ]; all – remove all private AS numbers from AS-path; nearest –...
  • Page 260 esr-R3(config)# interface gigabitethernet 1/0/1 esr-R3(config-if-gi)# ip address 185.0.0.1/30 esr-R3(config-if-gi)# exit esr-R3(config)# interface gigabitethernet 1/0/2 esr-R3(config-if-gi)# ip address 219.0.0.1/30 esr-R3(config-if-gi)# exit esr-R3(config)# interface gigabitethernet 1/0/3 esr-R3(config-if-gi)# ip address 80.66.0.1/24 esr-R3(config-if-gi)# exit esr-R3(config)# interface gigabitethernet 1/0/4 esr-R3(config-if-gi)# ip address 80.66.16.1/24 esr-R3(config-if-gi)# exit...
  • Page 261 Configure the firewall to receive BGP traffic from the WAN security zone: esr-R3(config)# object-group service og_bgp esr-R3(config-object-group-service)# port-range esr-R3(config-object-group-service)# exit esr-R3(config)# security zone wan esr-R3(config-zone)# exit esr-R3(config)# security zone-pair wan self esr-R3(config-zone-pair)# rule esr-R3(config-zone-pair-rule)# match protocol tcp esr-R3(config-zone-pair-rule)# match destination-port og_bgp esr-R3(config-zone-pair-rule)# action permit esr-R3(config-zone-pair-rule)# enable...
  • Page 262: Bfd Configuration

    Enable IPv4 route exchange: esr-R3(config-bgp-neighbor)# address-family ipv4 unicast esr-R3(config-bgp-neighbor-af)# enable esr-R3(config-bgp-neighbor-af)# exit esr-R3(config-bgp-neighbor)# exit Create a neighbor relationship with the R1 router via eBGP: esr-R3(config-bgp)# neighbor 185.0.0.2 esr-R3(config-bgp-neighbor)# remote-as esr-R3(config-bgp-neighbor)# enable Enable the exchange of IPv4 routes, permitting only the necessary routes for advertising by means of the previously prepared route-map: esr-R3(config-bgp-neighbor)# address-family ipv4 unicast esr-R3(config-bgp-neighbor-af)# route-map bgp-general out...
  • Page 263 Step Description Command Keys Enable BFD for the BGP neighbor on the interface: esr(config-bgp-neighbor)# bfd-enable. Set the interval after which the BFD message is sent to the neighbor, globally: esr(config)# ip bfd idle-tx-interval <TIMEOUT>; <TIMEOUT> – interval after which the BFD packet should be sent, takes values in...
  • Page 264 Step Description Command Keys Set the minimum interval after which the BFD message is sent to the neighbor, globally (optional): esr(config)# ip bfd min-tx-interval <TIMEOUT>; <TIMEOUT> – interval after which the BFD message should be sent by the neighbor, takes values in milliseconds in the...
  • Page 265 Step Description Command Keys Set the interval after which the BFD message is sent to the neighbor, on the interface (optional): esr(config-if-gi)# ip bfd idle-tx-interval <TIMEOUT>; <TIMEOUT> – interval after which the BFD packet should be sent, takes values in milliseconds in the range of [200..65535] for...
  • Page 266: Configuration Example Of Bfd With Bgp

    Step Description Command Keys Set the number of dropped packets at which the BFD neighbor is considered to be unavailable, on the interface: esr(config-if-gi)# ip bfd multiplier <COUNT>; <COUNT> – number of dropped packets at which the neighbor is considered to be unavailable, takes values in the range of [1..100].
  • Page 267: Pbr Routing Policy Configuration

    esr(config)# interface gigabitethernet 1/0/1 esr(config-if-gi)# ip firewall disable esr(config-if-gi)# ip address 10.0.0.2/24 Configure eBGP with BFD: esr(config)# router bgp esr(config-bgp)# address-family ipv4 esr(config-bgp-af)# neighbor 10.0.0.1 esr(config-bgp-neighbor)# remote-as esr(config-bgp-neighbor)# update-source 10.0.0.2 esr(config-bgp-neighbor)# bfd-enable esr(config-bgp-neighbor)# enable esr(config-bgp-neighbor)# ex esr(config-bgp-af)# enable esr(config-bgp-af)# exit 11.7 PBR routing policy configuration 11.7.1 Configuration algorithm of Route-map for BGP...
  • Page 268 Description Command Keys Set the BGP AS-Path attribute value in the route for which the rule should work (optional): esr(config-route-map-rule)# match as-path [begin | end | contain] ...; <AS-PATH> – list of autonomous system numbers, defined as AS,AS,AS, takes values of [1..4294967295].
  • Page 269 Description Command Keys esr(config-route-map-rule)# match ipv6 next-hop object-group <OBJ-GROUP-NETWORK-NAME>. Set the profile that includes IP addresses of the router having advertised the route for which the ...: esr(config-route-map-rule)# match ip route-source ...; <OBJ-GROUP-NETWORK-NAME> – name of the IP addresses profile that includes...
  • Page 270 Description Command Keys Set the BGP AS-Path attribute value that will be added to the beginning of the AS-Path list (optional): esr(config-route-map-rule)# action set as-path ...; <AS-PATH> – list of autonomous system numbers that will be added to the current value in the...
  • Page 271 Description Command Keys Specify the Next-Hop value that will be set in the route received by BGP (optional): esr(config-route-map-rule)# action set ip next-hop { <NEXTHOP> | ...; <NEXTHOP> – gateway IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255];...
  • Page 272: Configuration Example 1. Route-Map For Bgp

    Description Command Keys Add filtration and modification of routes in the incoming or outgoing direction: esr(config-bgp-neighbor)# route-map <NAME> <DIRECTION>, esr(config-ipv6-bgp-neighbor)# route-map ...; <NAME> – name of the route map having been configured; <DIRECTION> – direction: • in – filtration and modification of received routes;...
  • Page 273: Configuration Example 2. Route-Map For Bgp

    esr(config-route-map-rule)# match as-path contain esr(config-route-map-rule)# action set community 20:2020 esr(config-route-map-rule)# exit esr(config-route-map)# exit In the AS 2500 BGP process, enter neighbour parameter configuration: esr(config)# router bgp 2500 esr(config-bgp)# address-family ipv4 esr(config-bgp-af)# neighbor 185.0.0.2 Map the policy to received routing information: esr(config-bgp-neighbor)# route-map from-as20 in 11.7.3 Configuration example 2.
  • Page 274: Route-Map Based On Access Control Lists (Policy-Based Routing) Configuration Algorithm

    In the AS 2500 BGP process, enter neighbour parameter configuration: esr(config)# router bgp 2500 esr(config-bgp)# address-family ipv4 esr(config-bgp-af)# neighbor 185.0.0.2 Map the policy to the routing information being advertised: esr(config-bgp-neighbor)# route-map to-as20 out esr(config-bgp-neighbor)# exit esr(config-bgp)# exit esr(config)# exit 11.7.4 Route-map based on access control lists (Policy-based routing) configuration algorithm Step Description...
  • Page 275: Route-Map Based On Access Control Lists (Policy-Based Routing) Configuration Example

    11.7.5 Route-map based on access control lists (Policy-based routing) configuration example Objective: Distribute traffic between Internet service providers based on user subnets. First, assign IP addresses to the interfaces. Route traffic from addresses 10.0.20.0/24 through ISP1 (184.45.0.150), and traffic from addresses 10.0.30.0/24 –...
  • Page 276: Vrf Lite Configuration

    esr(config-route-map)# rule Specify the ACL as a filter: esr(config-route-map-rule)# match ip access-group sub20 Specify the next-hop for sub20: esr(config-route-map-rule)# action set ip next-hop verify-availability 184.45.0.150 10 esr(config-route-map-rule)# action set ip next-hop verify-availability 80.16.0.23 30 esr(config-route-map-rule)# exit esr(config-route-map)# exit Rule 1 should route traffic from the network 10.0.20.0/24 to address 184.45.0.150 and, in case of its failure, to address 80.16.0.23.
  • Page 277: Configuration Algorithm

    11.8.1 Configuration algorithm Step Description Command Keys Create a VRF instance and switch to the VRF instance parameters configuration mode: esr(config)# ip vrf <VRF>; <VRF> – VRF instance name, set by the string of up to 31 characters. Assign the description of the ...: esr(config-vrf)# description <DESCRIPTION>...
  • Page 278: Configuration Example

    VRFs (if configuration is required). 11.8.2 Configuration example Objective: An ESR series router has 2 connected networks that should be isolated from other networks. Solution: Create the VRF: esr(config)# ip vrf bit esr(config-vrf)# exit Create a security zone:...
  • Page 279 esr(config)# security zone-pair vrf-sec vrf-sec esr(config-zone-pair)# rule esr(config-zone-rule)# match source-address any esr(config-zone-rule)# match destination-address any esr(config-zone-rule)# match protocol udp esr(config-zone-rule)# match source-port any esr(config-zone-rule)# match destination-port any esr(config-zone-rule)# action permit esr(config-zone-rule)# enable esr(config-zone-rule)# exit esr(config-zone-pair)# rule esr(config-zone-rule)# match source-address any esr(config-zone-rule)# match destination-address any esr(config-zone-rule)# match protocol tcp esr(config-zone-rule)# match source-port any...
  • Page 280: Multiwan Configuration

    Map the interfaces to the VRF, assign IP addresses and assign the interfaces to the security zone: esr(config)# interface gigabitethernet 1/0/7 esr(config-if-gi)# ip vrf forwarding bit esr(config-if-gi)# ip address 10.20.0.1/24 esr(config-if-gi)# security-zone vrf-sec esr(config-if-gi)# exit esr(config)# interface gigabitethernet 1/0/14.10 esr(config-subif)# ip vrf forwarding bit esr(config-subif)# ip address 10.30.0.1/16 esr(config-subif)# security-zone vrf-sec...
  • Page 281 Description Command Keys Specify the interfaces or tunnels that are gateways in the route created by the MultiWAN service: esr(config-wan-rule)# outbound { interface <IF> | tunnel <TUN> } [WEIGHT]; <IF> – interface name; <TUN> – tunnel name; [WEIGHT] – tunnel or interface weight, defined in the range of [1..255].
  • Page 282 Description Command Keys esr(config-wan-target)# ipv6 <IPV6-ADDR>; <IPV6-ADDR> – destination IPv6 address, defined as X:X:X:X::X where each part takes values in hexadecimal format [0..FFFF]. Enable the target check: esr(config-wan-target)# enable. The commands for items 14-17 should be applied on the interfaces/tunnels in MultiWAN. Enable WAN mode on the interface for the IPv4/IPv6 stack: esr(config-if-gi)# wan load-...
  • Page 283: Configuration Example

    Description Command Keys esr(config-if-gi)# ipv6 wan load-balance nexthop { <IPV6> }; <IPV6> – destination IPv6 address (gateway), defined as X:X:X:X::X where each part takes values in hexadecimal format [0..FFFF]. This command will be checking the IP ...: esr(config-if-gi)# wan load-... <NAME>...
  • Page 284 esr(config)# ip route 108.16.0.0/28 wan load-balance rule Create a WAN rule: esr(config)# wan load-balance rule Specify the affected interfaces: esr(config-wan-rule)# outbound interface tengigabitethernet 1/0/2 esr(config-wan-rule)# outbound interface tengigabitethernet 1/0/1 Enable the created balancing rule and exit the rule configuration mode: esr(config-wan-rule)# enable esr(config-wan-rule)# exit Create a list for the connection integrity check:...
  • Page 285: Is-Is Configuration

    esr(config)# interface tengigabitethernet 1/0/2 esr(config-if)# wan load-balance nexthop 65.6.0.1 In the te1/0/2 interface configuration mode, specify a list of targets for the connection check: esr(config-if)# wan load-balance target-list google In the te1/0/2 interface configuration mode, enable WAN mode and exit: esr(config-if)# wan load-balance enable esr(config-if)# exit To switch into redundancy mode, configure the following:...
  • Page 286 Description Command Keys Set the authentication algorithm for the L2 layer (optional): esr(config-isis)# authentication domain algorithm <ALGORITHM>; <ALGORITHM> – authentication algorithm: • cleartext – unencrypted password; • md5 – password is hashed by the md5 algorithm. Set the authentication password ...: esr(config-isis)# ... <CLEAR-TEXT>...
  • Page 287 Description Command Keys Set the type of metric to be used in the IS-IS process (optional): esr(config-isis)# metric-style { narrow | wide | transition } [<LEVEL>]; narrow — accepts and generates TLVs (on network reachability) of the old type; wide —...
  • Page 288 Description Command Keys Enable advertising of routes received in an alternative way (optional): esr(config-isis)# redistribute bgp <AS> [ route-map <NAME> ] [is-type <LEVEL>], esr(config-isis)# redistribute ...; <AS> – autonomous system number, takes values of [1..4294967295]; <NAME> – name of the route map that will be used for advertised routes filtration and modification, set by the string of up to 31...
  • Page 289 Description Command Keys esr(config-isis)# redistribute isis <ID> <ROUTE-TYPE> [ route-map <NAME> ] [is-type <LEVEL>]; <ID> – process number, takes values of [1..65535]; <ROUTE-TYPE> – route type: • level-1 – level 1 routes advertising; • level-2 – level 2 routes advertising; •...
  • Page 290 Description Command Keys Add subnets filtration in incoming or outgoing updates (optional): esr(config-isis)# prefix-list { ipv6 <LIST_NAME> | <LIST_NAME> } {in|out}; <LIST_NAME> – name of a subnet list being configured, set by the string of up to 31 characters.
  • Page 291 Description Command Keys Set the interval for sending hello packets (optional): esr(config-if-gi)# isis hello-interval <TIME> [<LEVEL>]; <TIME> – time in seconds, takes values of [1..65535]; <LEVEL> – IS-IS protocol operation level: • level-1 – operate only on level 1; •...
  • Page 292: Configuration Example

    Description Command Keys Set the authentication algorithm for the hello packets (optional): esr(config-if-gi)# isis authentication algorithm <ALGORITHM> [<LEVEL>]; <ALGORITHM> – authentication algorithm: • cleartext – unencrypted password; • md5 – password is hashed by the md5 algorithm; <LEVEL> – IS-IS protocol operation level: •...
  • Page 293 Solution: Pre-configure IP addresses on the interfaces according to the network structure shown in the figure. Proceed to the ESR1 router configuration. Create the IS-IS process with identifier 1 and proceed to the protocol configuration mode: ESR1(config)# router isis Set the area in which the router will operate and its system ID: ESR1(config-isis)# net 49.0001.1111.1111.1111.00 Configure the router to operate only on level 1 of the IS-IS protocol:...
  • Page 294 ESR2(config-if-gi)# isis instance ESR2(config-if-gi)# isis enable Proceed to the ESR3 router configuration. ESR3(config)# router isis ESR3(config-isis)# net 49.0002.3333.3333.3333.00 ESR3(config-isis)# is-type level-2 ESR3(config-isis)# metric-style wide level-2 ESR3(config-isis)# enable ESR3(config-if-gi)# isis instance ESR3(config-if-gi)# isis enable The neighborhood establishment can be viewed with the show isis neighbors command. Execute it on ESR2: ESR2# show isis neighbors IS-IS IS-IS Level...
  • Page 295: Mpls Technology Management

    12 MPLS technology management • LDP configuration • Configuration algorithm • Configuration example • Configuring session parameters in LDP • Algorithm for setting Hello holdtime and Hello interval in the global LDP configuration • Algorithm for setting Hello holdtime and Hello interval for address family •...
  • Page 296: Configuration Algorithm

    12.1.1 Configuration algorithm Step Description Command Keys In the context of MPLS parameters configuration, specify the interfaces involved in the MPLS switching process: esr(config-mpls)# forwarding interface { <IF> | <TUN> }; <IF> – an interface's name, specified in the form described in Section Types and naming order of router...
  • Page 297: Configuration Example

    Step Description Command Keys The following functionality is also available as part of the LDP configuration: • LDP tag filtering configuration (see section LDP tag filtering configuration) • LDP session parameters configuration (see section Configuring session parameters in LDP) •...
  • Page 298 ESR pre-configuration: hostname ESR router ospf area 0.0.0.0 enable exit enable exit interface gigabitethernet 1/0/1 ip firewall disable ip address 10.10.10.1/30 ip ospf instance ip ospf exit interface loopback ip address 1.1.1.1/32 ip ospf instance ip ospf exit ESR1 pre-configuration:...
  • Page 299 2 Configuration on ESR: ESR# config ESR(config)# mpls ESR(config-mpls)# forwarding interface gigabitethernet 1/0/1 ESR(config-mpls)# ldp ESR(config-ldp)# router-id 1.1.1.1 ESR(config-ldp)# enable ESR(config-ldp)# address-family ipv4 ESR(config-ldp-af-ipv4)# interface gigabitethernet 1/0/1 ESR(config-ldp-af-ipv4-if)# end ESR# 3 Configuration on ESR1: ESR1# configure ESR1(config)# mpls ESR1(config-mpls)# forwarding interface...
  • Page 300: Configuring Session Parameters In Ldp

    The LDP session should be in the "Operational" state. ESR1# show mpls ldp neighbor Peer LDP ID: 4.4.4.4; Local LDP ID 1.1.1.1 State: Operational TCP connection: 4.4.4.4:40245 1.1.1.1:646 Messages sent/received: 10/11 Uptime: 00:00:58 ...
  • Page 301 ESR routers allow flexible configuration of the Hello holdtime, Hello interval and Keepalive holdtime settings. Consider an example of configuring Hello holdtime for an LDP session: ESR# show run mpls mpls ldp router-id 4.4.4.4 ...
  • Page 302: Algorithm For Setting Hello Holdtime And Hello Interval In The Global Ldp Configuration

    For the TCP session, Keepalive holdtime is also a negotiated parameter, similar to the Hold timer. The Keepalive interval is calculated automatically and equals Keepalive holdtime/3. Keepalive holdtime can be set globally as well as for each neighbor; the timer set for a particular neighbor takes priority. ESR# show running-config mpls mpls ...
  • Page 303: Algorithm For Setting Keepalive Holdtime Parameter In The Global Ldp Configuration

    Step Description Command Keys In the LDP address family configuration mode, set Hello interval on the specified interface: esr(config-ldp-af-ipv4-if)# discovery hello interval <TIME>; <TIME> — time in the range of [3..65535] seconds. Default value: 5. 12.2.3 Algorithm for setting Keepalive holdtime parameter in the global LDP configuration Step Description Command...
  • Page 304 Solution: ESR(config)# mpls ESR(config-mpls)# ldp ESR(config-ldp)# discovery hello holdtime ESR(config-ldp)# discovery hello interval ESR(config-ldp)# neighbor 1.1.1.1 ESR(config-ldp-neig)# keepalive...
  • Page 305: Configuring Session Parameters In Targeted-Ldp

    Check: To view the hello parameters: ESR# sh mpls ldp discovery detailed Local LDP ID: 4.4.4.4 Discovery sources: Interfaces: gigabitethernet 1/0/4: Hello interval: seconds Transport IP address: 4.4.4.4 LDP ID: 1.1.1.1 Source IP address: 10.10.10.1 Transport IP address: 1.1.1.1 Hold time: seconds...
  • Page 306 Parameter targeted-LDP: Hold timer – 45 seconds; Keepalive holdtime – 180 seconds...
  • Page 307 Hold timer is a negotiated parameter — the smallest value is chosen. This example shows that after negotiation the ESR set 30 seconds: ESR1# sh mpls ldp discovery detailed Targeted hellos: 1.1.1.1 -> 4.4.4.4: Hello interval: seconds Transport IP address: 1.1.1.1 LDP ID:...
  • Page 308: Algorithm For Setting Hello Holdtime, Hello Interval And Keepalive Holdtime For The Ldp Process

    If parameters are set both for the LDP process and for a specific neighbor, the settings made for the neighbor take priority. ESR# sh running-config mpls mpls ldp router-id 1.1.1.1 keepalive discovery hello holdtime ...
  • Page 309: Algorithm For Setting Hello Holdtime, Hello Interval And Keepalive Holdtime For The Specific Neighbor

    In the LDP configuration mode, set Keepalive holdtime: esr(config-ldp)# keepalive <TIME>; <TIME> — time in the range of [3..65535] seconds. Default value: 180. 12.3.2 Algorithm for setting Hello holdtime, Hello interval and Keepalive holdtime for the specific neighbor Configure the LDP (see section LDP configuration). In the LDP neighbor...
  • Page 310: Ldp Tag Filtering Configuration

    ESR1# sh mpls ldp discovery detailed Targeted hellos: 1.1.1.1 -> 4.4.4.4: Hello interval: seconds Transport IP address: 1.1.1.1 LDP ID: 4.4.4.4 Source IP address: 4.4.4.4 Transport IP address: 4.4.4.4 Hold time: seconds Proposed hold time: 40/45 (local/peer) seconds To view the parameters of the established TCP session: ESR# sh mpls ldp neighbor 4.4.4.4...
  • Page 311: Configuration Example

    Step Description Command Keys Describe the subnets for which labels will be assigned: esr(config-object-group-network)# ip prefix <ADDR/LEN>; <ADDR/LEN> – IP address and subnet mask, defined as AAA.BBB.CCC.DDD/EE where each part AAA-DDD takes values of [0..255] and EE takes values of [1..32];...
  • Page 312: L2Vpn Martini Mode Configuration

    ESR_B esr(config)# object-group network ADV_LABELS esr(config-object-group-network)# ip prefix 10.10.0.1/32 esr(config-object-group-network)# ip prefix 10.10.0.2/32 Apply the created object-group on both routers: ESR_A and ESR_B esr(config)# mpls esr(config-mpls)# ldp esr(config-ldp)# advertise-labels ADV_LABELS Check: On ESR_B make sure that the tag is assigned to the appropriate prefixes: esr# sh mpls ldp bindings 10.10.0.1/32 10.10.0.1/32...
  • Page 313 Step Description Command Keys Create a pw-class in the system and switch to the pw-class configuration mode: esr(config-l2vpn)# pw-class <WORD>; <WORD> — pw-class name, [1..31] characters long. Add a description for the pw-class (optional): esr(config-l2vpn-pw-class)# ...; <LINE> – description. Set by...
  • Page 314: L2Vpn Vpws Configuration Example

    Step Description Command Keys Create a pseudo-wire and switch to its parameters configuration mode: esr(config-l2vpn-p2p)# pw <PW_ID> <LSR_ID>; <PW_ID> — pseudowire identifier, specified in the range [1..4294967295]; <LSR_ID> — identifier of the LSR to which the pseudo-wire is built, specified as AAA.BBB.CCC.DDD, where each part takes values [0..255]...
  • Page 315 On the PE1 router create a sub-interface on which traffic from CE1 will be received: PE1# configure PE1(config)# interface gigabitethernet 1/0/4.100 PE1(config-subif)# exit Set the MTU value on the interface towards PE2 to 9600 to avoid MTU overrun after encapsulating the MPLS header, and disable the firewall: PE1(config)# interface...
  • Page 316 PE1# commit PE1# confirm Configure the PE2 router in the same way as PE1: PE2# configure PE2(config)# interface gigabitethernet 1/0/4.100 PE2(config-subif)# exit PE2(config)# interface gigabitethernet 1/0/1 PE2(config-if-gi)# mtu 9600 PE2(config-if-gi)# ip firewall disable PE2(config-if-gi)# exit PE2(config)# mpls PE2(config-mpls)# forwarding interface gigabitethernet...
  • Page 317: L2Vpn Vpls Configuration Algorithm

    The LDP neighborhood is established and the pseudowire has moved to 'UP' status. The l2vpn p2p type configuration is now complete. 12.5.3 L2VPN VPLS configuration algorithm Step Description Command Keys Configure the LDP (see section LDP configuration). Create a network bridge in the system without specifying an IP address (see section Bridge configuration).
  • Page 318: L2Vpn Vpls Configuration Example

    Step Description Command Keys Create a pseudo-wire and switch to its parameters configuration mode: esr(config-l2vpn-vpls)# pw <PW_ID> <LSR_ID>; <PW_ID> — pseudowire identifier, specified in the range [1..4294967295]; <LSR_ID> — identifier of the LSR to which the pseudo-wire is built, specified as AAA.BBB.CCC.DDD, where each part takes values [0..255]...
  • Page 319 Solution: Pre-requisites: • Enable Jumbo frames support with the "system jumbo-frames" command (the device must be rebooted for the changes to take effect); • Configure IP addresses on the interfaces according to the network structure shown in the figure above; •...
  • Page 320 Allow packets with an MPLS header to be received on the interface towards the MPLS network (in this example, the interface towards PE2): PE1(config)# mpls PE1(config-mpls)# forwarding interface gigabitethernet 1/0/1 Configure the LDP protocol and enable neighbor detection on the interface towards PE2: PE1(config-mpls)# ldp PE1(config-ldp)# router-id 1.1.1.1...
  • Page 321 Configure the PE2 and PE3 routers in the same way as PE1: PE2# configure PE2(config)# bridge PE2(config-bridge)# enable PE2(config-bridge)# exit PE2(config)# interface gigabitethernet 1/0/4.100 PE2(config-subif)# bridge-group PE2(config-subif)# exit PE2(config)# interface gigabitethernet 1/0/2 PE2(config-if-gi)# mtu 9600 PE2(config-if-gi)# ip firewall disable PE2(config-if-gi)# exit PE2(config)# mpls PE2(config-mpls)# forwarding...
  • Page 322 PE3(config-ldp)# enable PE3(config-ldp)# router-id 3.3.3.3 PE3(config-ldp)# address-family ipv4 PE3(config-ldp-af-ipv4)# interface gigabitethernet 1/0/1 PE3(config-ldp-af-ipv4-if)# exit PE3(config-ldp-af-ipv4)# transport-address 3.3.3.3 PE3(config-ldp-af-ipv4)# exit PE3(config-ldp)# exit PE3(config-mpls)# l2vpn PE3(config-l2vpn)# pw-class for_vpls PE3(config-l2vpn-pw-class)# exit PE3(config-l2vpn)# vpls vpls1 PE3(config-l2vpn-vpls)# enable PE3(config-l2vpn-vpls)# bridge-group PE3(config-l2vpn-vpls)# pw 100 2.2.2.2 PE3(config-l2vpn-pw)# pw-class...
  • Page 323: L2Vpn Kompella Mode Configuration

    12.6 L2VPN Kompella mode configuration Unlike Martini mode, where all signaling is done by LDP, in this mode LDP handles only the transport labels. Autodiscovery (which LDP signaling does not provide) and the setup of the pseudowire connection are entrusted to BGP.
  • Page 324 Step Description Command Keys Specify the route target import for the given VPLS instance: esr(config-bgp)# route-target import <RT>; <RT> – Route-target value, specified in one of the following forms: • <ASN>:<nn> — where <ASN> may take values [1..65535], nn may take values [1..65535];...
  • Page 325: L2Vpn Vpls Configuration Example

    Step Description Command Keys Specify the MTU (optional): esr(config-bgp)# mtu <VALUE>; <VALUE> — MTU value [552..10000]. Enable ignoring of the encapsulation type (optional): esr(config-bgp)# ignore encapsulation-mismatch. Enable ignoring of MTU values (optional): esr(config-bgp)# ignore mtu-mismatch. In the context of the address-family l2vpn vpls BGP configuration, enable send-community extended: esr(config-bgp-neighbor-af)# ...
  • Page 326 First, configure the RR router: hostname RR system jumbo-frames router ospf area 0.0.0.0 enable exit enable exit interface gigabitethernet 1/0/2 9500 ip firewall disable ip address 10.30.0.2/30 ip ospf instance ip ospf exit interface gigabitethernet 1/0/3 9500...
  • Page 327 Configure the BGP Route Reflector for the address family l2vpn: RR(config)# router bgp 65500 RR(config-bgp)# router-id 10.10.0.4 RR(config-bgp)# neighbor 10.10.0.1 RR(config-bgp-neighbor)# remote-as 65500 RR(config-bgp-neighbor)# route-reflector-client RR(config-bgp-neighbor)# update-source 10.10.0.4 RR(config-bgp-neighbor)# address-family l2vpn vpls RR(config-bgp-neighbor-af)# send-community extended RR(config-bgp-neighbor-af)# enable RR(config-bgp-neighbor-af)# exit RR(config-bgp-neighbor)#...
  • Page 328 Pre-configuration ip firewall disable ip address 10.20.0.1/30 ip ospf instance ip ospf exit interface gigabitethernet 1/0/2 9500 ip firewall disable ip address 10.30.0.1/30 ip ospf instance ip ospf exit interface gigabitethernet 1/0/3 9500 ip firewall disable ip address 10.22.0.1/30 ip ospf instance ip ospf exit...
  • Page 329 BGP configuration: PE1(config)# router bgp 65500 PE1(config-bgp)# neighbor 10.10.0.4 PE1(config-bgp)# router-id 10.10.0.1 PE1(config-bgp-neighbor)# remote-as 65500 PE1(config-bgp-neighbor)# update-source 10.10.0.1 PE1(config-bgp-neighbor)# address-family l2vpn vpls PE1(config-bgp-neighbor-af)# send-community extended PE1(config-bgp-neighbor-af)# enable PE1(config-bgp-neighbor-af)# exit PE1(config-bgp-neighbor)# enable PE1(config-bgp-neighbor)# exit PE1(config-bgp)# enable PE1(config-bgp)# exit Check that the BGP session with the RR is successfully established: PE1# sh ip bgp neighbors BGP neighbor is...
  • Page 330 ESR-Series. User manual Pre-configuration interface gigabitethernet 1/0/1 9500 ip firewall disable ip address 10.20.0.2/30 ip ospf instance ip ospf exit interface gigabitethernet 1/0/2 9500 ip firewall disable ip address 10.21.0.1/30 ip ospf instance ip ospf exit interface gigabitethernet 1/0/3 9500 ip firewall disable ip address 10.31.0.1/30...
  • Page 331 ESR-Series. User manual PE2(config)# router bgp 65500 PE2(config-bgp)# router-id 10.10.0.2 PE2(config-bgp)# neighbor 10.10.0.4 PE2(config-bgp-neighbor)# remote-as 65500 PE2(config-bgp-neighbor)# update-source 10.10.0.2 PE2(config-bgp-neighbor)# address-family l2vpn vpls PE2(config-bgp-neighbor-af)# send-community extended PE2(config-bgp-neighbor-af)# enable PE2(config-bgp-neighbor-af)# exit PE2(config-bgp-neighbor)# enable PE2(config-bgp-neighbor)# exit PE2(config-bgp)# enable PE2(config-bgp)# exit Check that the session with RR is successfully established: PE2# sh ip bgp neighbors BGP neighbor is 10.10.0.4...
  • Page 332 ESR-Series. User manual Configuration of BGP on PE3: Pre-configuration hostname PE3   system jumbo-frames   router ospf area 0.0.0.0 enable exit enable exit   interface gigabitethernet 1/0/2 9500 ip firewall disable ip address 10.21.0.2/30 ip ospf instance ip ospf exit interface gigabitethernet 1/0/3...
  • Page 333 ESR-Series. User manual PE3(config)# router bgp 65500 PE3(config-bgp)# router-id 10.10.0.3 PE3(config-bgp)# neighbor 10.10.0.4 PE3(config-bgp-neighbor)# remote-as 65500 PE3(config-bgp-neighbor)# update-source 10.10.0.3 PE3(config-bgp-neighbor)# address-family l2vpn vpls PE3(config-bgp-neighbor-af)# send-community extended PE3(config-bgp-neighbor-af)# enable PE3(config-bgp-neighbor-af)# exit PE3(config-bgp-neighbor)# enable PE3(config-bgp-neighbor)# exit PE3(config-bgp)# enable PE3(config-bgp)# exit Check that the BGP session is successfully established: PE3# sh ip bgp neighbors BGP neighbor is 10.10.0.4...
  • Page 334 ESR-Series. User manual Check that the interface is included into the bridge domain: PE1# sh interfaces bridge Bridges Interfaces ---------- -------------------------------------------------------------- bridge gi1/0/4 PE1# sh interfaces status bridge Interface 'bridge 1' status information: Description: Operational state: Administrative state: Up Supports broadcast: Supports multicast: MTU: 1500...
  • Page 335 ESR-Series. User manual PE3(config)# bridge PE3(config-bridge)# enable PE3(config-bridge)# exit PE3(config)# interface gigabitethernet 1/0/4 PE3(config-if-gi)# mode switchport PE3(config-if-gi)# bridge-group PE3# sh interfaces bridge Bridges Interfaces ---------- -------------------------------------------------------------- bridge gi1/0/4 PE3# sh interfaces status bridge Interface Admin Link MAC address Last change Mode state state...
  • Page 336 ESR-Series. User manual Specify RD, RT, VE-ID, VPN-ID according to the network scheme and activate the service:  In some cases you can skip entering such parameters as RD and RT: if you specify only VPN ID, they will be formed as follows: <AS number> : <vpn-id>. For example, we have an AS 65550 autonomous system number, vpn-id is 10, then the following parameters will be generated: RD - 65550: 10.
  • Page 337 ESR-Series. User manual Proceed to the PE2 configuration: PE2(config-mpls)# l2vpn PE2(config-l2vpn)# vpls l2vpn PE2(config-l2vpn-vpls)# bridge-group PE2(config-l2vpn-vpls)# autodiscovery bgp PE2(config-bgp)# rd 65500:100 PE2(config-bgp)# route-target export 65500:100 PE2(config-bgp)# route-target import 65500:100 PE2(config-bgp)# vpn id PE2(config-bgp)# ve id PE2(config-bgp)# exit PE2(config-l2vpn-vpls)# enable Check that PE2 is advertising the route information on RR: PE2# sh ip bgp l2vpn vpls all neighbor 10.10.0.4...
  • Page 338 The calculated service labels can be viewed as follows: PE2# sh mpls l2vpn bindings Neighbor: 10.10.0.1, PW ID: 2, VE ID: Local label: Encapsulation Type: VPLS Control flags: 0x00 MTU: 1500 Remote label: Encapsulation Type: VPLS Control flags: 0x00 MTU:...
  • Page 339 ESR-Series. User manual Proceed to the PE3 configuration: PE3# config PE3(config)# mpls PE3(config-mpls)# l2vpn PE3(config-l2vpn)# vpls l2vpn PE3(config-l2vpn-vpls)# bridge-group PE3(config-l2vpn-vpls)# autodiscovery bgp PE3(config-bgp)# rd 65500:100 PE3(config-bgp)# route-target export 65500:100 PE3(config-bgp)# route-target import 65500:100 PE3(config-bgp)# ve id PE3(config-bgp)# vpn id PE3(config-bgp)# exit PE3(config-l2vpn-vpls)# enable Check the routing information in PE3: PE3# sh ip bgp l2vpn vpls all...
  • Page 340: L3Vpn Configuration

    ESR-Series. User manual Check that the pseudowire is built before both PEs and is in the "UP" status: PE3# sh mpls l2vpn vpls l2vpn VPLS: l2vpn bridge 1: MTU: 1500 Status: Up ACs: gigabitethernet 1/0/4: MTU: 1500 Status: Up PWs: PW ID 3, Neighbor 10.10.0.2: MTU: 1500...
  • Page 341: Configuration Algorithm

    ESR-Series. User manual 12.7.1 Configuration algorithm Step Description Command Keys Configure addressing and one of IGP on all P and PE routers Configure LDP transport tag distribution Create VRF esr(config)# ip vrf <VRF> <VRF> – VRF instance name, set by the string of up to 31 characters.
  • Page 342 ESR-Series. User manual Step Description Command Keys Specify route target import for the esr(config-vrf)# route-target import <RT> – Route-target value, given VRF <RT> specified in one of the following forms: • <ASN>:<nn> — where <ASN> may take values [1..65535], nn may take values [1..65535];...
  • Page 343: Configuration Example

    ESR-Series. User manual Step Description Command Keys Specify the allowed number of routes esr(config-vrf)# ip protocols <PROTOCOL> – protocol type, for this VRF <PROTOCOLS> max-routes may take following values: rip <VALUE> (only in global mode), ospf, isis, bgp; <VALUE> – amount of routes in the routing table, takes values in the range of: •...
  • Page 344 ESR-Series. User manual Solution: 1 Configuring addressing and enabling IGP on routers ESR1 router ospf log-adjacency-changes router ospf router-id 1.1.1.1 area 0.0.0.0 enable exit enable exit   interface loopback ip address 1.1.1.1/32 ip ospf instance ip ospf exit   interface gigabitethernet 1/0/1.10 ip firewall disable...
  • Page 345 ESR-Series. User manual ESR2 router ospf log-adjacency-changes router ospf router-id 2.2.2.2 area 0.0.0.0 enable exit enable exit   interface loopback ip address 2.2.2.2/32 ip ospf instance ip ospf exit   interface gigabitethernet 1/0/1.10 ip firewall disable ip address 10.10.10.2/30 ip ospf instance ip ospf exit  ...
  • Page 346 ESR-Series. User manual ESR3 router ospf log-adjacency-changes router ospf router-id 3.3.3.3 area 0.0.0.0 enable exit enable exit   interface loopback ip address 3.3.3.3/32 ip ospf instance ip ospf exit   interface gigabitethernet 1/0/1.20 ip firewall disable ip address 20.20.20.1/30 ip ospf instance ip ospf exit  ...
  • Page 347 ESR-Series. User manual ESR4 router ospf log-adjacency-changes router ospf router-id 4.4.4.4 area 0.0.0.0 enable exit enable exit   interface loopback ip address 4.4.4.4/32 ip ospf instance ip ospf exit   interface gigabitethernet 1/0/1.40 ip firewall disable ip address 40.40.40.2/30 ip ospf instance ip ospf exit  ...
  • Page 348 ESR-Series. User manual It is necessary to make sure that the protocol is running on every router. ESR1# show ip ospf neighbors     Router ID        Pri  State          DTime  Interface      Router IP ---------        ---  -----          -----  -------------  --------- 2.2.2.2          128  Full/BDR       00:39  gi1/0/1.10     10.10.10.2 4.4.4.4          128...
  • Page 349 ESR-Series. User manual ESR2 mpls address-family ipv4 transport-address 2.2.2.2 interface gigabitethernet 1/0/1.10 exit interface gigabitethernet 1/0/1.20 exit exit enable exit forwarding interface gigabitethernet 1/0/1.10 forwarding interface gigabitethernet 1/0/1.20 exit ESR3 mpls address-family ipv4 transport-address 3.3.3.3 interface gigabitethernet 1/0/1.20 exit interface gigabitethernet 1/0/1.30 exit...
  • Page 350 ESR-Series. User manual One of the following commands can be used to check the LDP convergence: ESR1# show mpls ldp neighbor Peer LDP ID: 2.2.2.2; Local LDP ID 1.1.1.1 State: Operational TCP connection: 2.2.2.2:33933 1.1.1.1:646 Messages sent/received: 1059/1070 Uptime: 17:32:07 LDP discovery sources: gigabitethernet 1/0/1.10...
  • Page 351 ESR-Series. User manual Configure iBGP between ESR1 and ESR3. Enable extended community sending on both devices. ESR1 ESR1(config)# router bgp log-neighbor-changes ESR1(config)# router bgp 65500 ESR1(config-bgp)# router-id 1.1.1.1 ESR1(config-bgp)# enable ESR1(config-bgp)# neighbor 3.3.3.3 ESR1(config-bgp-neighbor)# remote-as 65500 ESR1(config-bgp-neighbor)# update-source 1.1.1.1 ESR1(config-bgp-neighbor)# enable ESR1(config-bgp-neighbor)# address-family ipv4 unicast ESR1(config-bgp-neighbor-af)# enable ESR1(config-bgp-neighbor-af)# exit...
  • Page 352 4 PE-CE routing configuration. Customer1 advertises the 10.100.0.0/24 subnet over BGP (AS 65505). Configure an eBGP session between CE_SiteA and
    Note: by default, route advertising over eBGP is prohibited and an explicit permit rule must be configured; over iBGP, route advertising is allowed.
    CE_SiteA: configure the corresponding interfaces.
  • Page 353 ESR-Series. User manual ESR1 Configure interface to the CE direction. Also create a route-map in which we specify the subnets allowed to be advertised. ESR1 interface gigabitethernet 1/0/2 ip vrf forwarding Customer1 description "Customer1" ip firewall disable ip address 192.168.32.1/30  ...
  • Page 354 ESR-Series. User manual Allow forwarding routes from VRF to the VPNv4 unicast table ESR1 address-family ipv4 unicast redistribute connected redistribute bgp 65500 exit enable exit The following commands can be used to check the accepted and advertised routes: ESR1# show ip bgp 65500 vrf Customer1 neighbors 192.168.32.2...
  • Page 355 ESR-Series. User manual CE_SiteB Configure the corresponding interfaces. CE_SiteB interface gigabitethernet 1/0/2 ip firewall disable ip address 192.168.32.6/30 exit   interface loopback ip address 10.100.1.1/24 exit   route-map OUTPUT rule match ip address 10.100.1.0/24 action permit Configure eBGP between ESR3 and CE_SiteB. CE_SiteB router bgp 65505...
  • Page 356 ESR-Series. User manual Create a route-map in which we specify the subnets allowed to be advertised. ESR3 route-map OUTPUT rule action permit Configure eBGP between ESR3 and CE_SiteB. ESR3 router bgp 65500 vrf Customer1 router-id 192.168.32.5 neighbor 192.168.32.6 remote-as 65505 update-source 192.168.32.5 address-family ipv4 unicast...
  • Page 357: Mpls Traffic Balancing

    ESR-Series. User manual You can use one of the following commands to view the VPNv4 table: ESR1# show ip bgp vpnv4 unicast all Status codes: * - valid, > - best, i - internal, S - stale Origin codes: i - IGP, e - EGP, ? - incomplete  ...
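The L3VPN steps above (VRF, RD, route-target import/export, redistribution into the VPNv4 table) decide which customer routes land in which VRF. The following Python model is an added example, not ELTEX firmware code: it reproduces the selection rule that a VPNv4 route is installed into a VRF only if it carries at least one of the VRF's import route-targets, while the RD merely keeps identical prefixes of different customers apart in the VPNv4 table. The customer names, prefixes, next hops and the shared-services VRF are constructed for the illustration; the <AS>:<vpn-id> derivation of RD/RT is the one the manual describes.

```python
"""Route-target import/export between VRFs (added example, not ESR code)."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Set, Tuple


def default_rd_rt(asn: int, vpn_id: int) -> str:
    """With only 'vpn id' configured, RD and RT are derived as <AS>:<vpn-id>."""
    return f"{asn}:{vpn_id}"


@dataclass(frozen=True)
class Vpnv4Route:
    rd: str                      # route distinguisher, e.g. "65500:100"
    prefix: str
    next_hop: str                # PE loopback that carries the VPN label
    rts: FrozenSet[str]          # extended communities: route-target values


@dataclass
class Vrf:
    name: str
    rd: str
    rt_import: Set[str] = field(default_factory=set)
    rt_export: Set[str] = field(default_factory=set)


def export_from_vrf(vrf: Vrf, prefixes: List[str], next_hop: str) -> List[Vpnv4Route]:
    """Redistribution of VRF routes into 'address-family vpnv4 unicast':
    each route is stamped with the VRF's RD and its export route-targets."""
    return [Vpnv4Route(vrf.rd, p, next_hop, frozenset(vrf.rt_export)) for p in prefixes]


def vpnv4_table(*advertisements: List[Vpnv4Route]) -> Dict[Tuple[str, str], Vpnv4Route]:
    """The VPNv4 table ('show ip bgp vpnv4 unicast all') is keyed by (RD, prefix),
    so the same prefix from two customers coexists instead of being overwritten."""
    table: Dict[Tuple[str, str], Vpnv4Route] = {}
    for adv in advertisements:
        for route in adv:
            table[(route.rd, route.prefix)] = route
    return table


def import_into_vrf(vrf: Vrf, table: Dict[Tuple[str, str], Vpnv4Route]) -> Dict[str, str]:
    """Routes installed in the VRF: accepted if the route carries at least one of the
    VRF's import RTs. The RD is not consulted, which is why two VRFs may share
    prefixes but must never share an RT by accident. A single VRF table cannot hold
    two identical prefixes, so overlapping imports collapse to one entry here."""
    return {r.prefix: r.next_hop for r in table.values() if r.rts & vrf.rt_import}


def demo() -> Dict[str, Dict[str, str]]:
    asn = 65500
    # Constructed topology: two customers with overlapping address space, plus a
    # shared-services VRF whose routes only reach VRFs that import its RT 65500:1.
    c1 = Vrf("Customer1", default_rd_rt(asn, 100), {"65500:100"}, {"65500:100"})
    c2 = Vrf("Customer2", default_rd_rt(asn, 200), {"65500:200"}, {"65500:200"})
    shared = Vrf("Shared", "65500:1", {"65500:100", "65500:200"}, {"65500:1"})
    table = vpnv4_table(
        export_from_vrf(c1, ["10.100.0.0/24"], "1.1.1.1"),
        export_from_vrf(c2, ["10.100.0.0/24", "10.200.0.0/24"], "1.1.1.1"),
        export_from_vrf(shared, ["10.0.0.0/8"], "3.3.3.3"),
    )
    return {v.name: import_into_vrf(v, table) for v in (c1, c2, shared)}
```

Run demo() and note that neither customer sees 10.0.0.0/8: the shared VRF imports the customers' RTs, but the customers do not import 65500:1, so the hub-and-spoke relationship is one-way until their `route-target import` lists are extended.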
  • Page 358: Operation With The Bridge Domain Within Mpls

    ESR-Series. User manual Solution: ESR(config)# system cpu load-balance mpls passenger ip ESR(config)# system cpu load-balance mpls passenger ipoe-pw-without-cw 12.9 Operation with the bridge domain within MPLS To organize L2VPN service, you need to configure a bridge domain on the device, create the required AC, PW (LDP-signaling) and include all the necessary elements in this bridge domain.
  • Page 359 In BGP signaling, the bridge domain operates only in Ethernet mode. PE1# config PE1(config)# mpls PE1(config-mpls)# l2vpn PE1(config-l2vpn)# vpls MARTINI_br PE1(config-l2vpn-vpls)# transport-mode vlan   PE1# sh mpls l2vpn pseudowire Neighbor PW ID Sig Type Status --------------------------------------- ---------- --- ---------- ------ 10.10.0.2 LDP Eth Tagged Up ...
  • Page 360: Assignment Of Mtu When Operating With Mpls

    ESR-Series. User manual 2. Vlan (Tagged) mode: • If AC is a subinterface, the vlan tag is saved before putting it in the bridge. The vlan tag can be saved or overwritten depending on the configuration when you exit the bridge. •...
  • Page 361 LDP signaling. MTU configuration for matching: PE2(config)# mpls PE2(config-mpls)# l2vpn PE2(config-l2vpn)# pw-class MTU_example PE2(config-l2vpn-pw-class)# encapsulation mpls mtu 9000 PE2(config-l2vpn-pw-class)# exit PE2(config-mpls)# l2vpn PE2(config-l2vpn)# vpls MTU_Example_PW PE2(config-l2vpn-vpls)# pw 200 10.10.0.1 PE2(config-l2vpn-pw)# pw-class PE2(config-l2vpn-pw)# pw-class MTU_example   *Viewing the created pw-classes* PE2# sh mpls l2vpn pw-class...
  • Page 362 Consider the example: [diagram not reproduced]
  • Page 363 ESR-Series. User manual For BGP-signaling the MTU parameter can also be specified: BGP -signaling. Configuration of MTU for matching PE1(config)# mpls PE1(config-mpls)# l2vpn PE1(config-l2vpn)# vpls l2vpn_MTU PE1(config-l2vpn-vpls)# autodiscovery bgp PE1(config-bgp)# mtu 1500 PE2# sh mpls l2vpn vpls l2vpn_MTU VPLS: l2vpn_MTU PWs: PW ID 2, Neighbor 10.10.0.1: MTU:...
  • Page 364 ESR-Series. User manual * E.g., we have a bridge domain 100, which includes interfaces gi1/0/1 with MTU value 2000, and gi1/0/2 with MTU value 3000 CE3(config)# bridge CE3(config-bridge)# enable CE3(config-bridge)# exit CE3(config)# interface gigabitethernet 1/0/1 CE3(config-if-gi)# mtu 2000 CE3(config-if-gi)# bridge-group CE3(config-if-gi)# exit CE3(config)# interface...
  • Page 365 ESR-Series. User manual Description: Operational state: Administrative state: Up Supports broadcast: Supports multicast: MTU: 2000 MAC address: a8:f9:4b:aa:11:00 Last change: minutes and seconds Mode: Routerport Consider the example of traffic passing through the L2VPN service: PE1 has the following MTU values on the interfaces: PE1# sh interfaces status Interface Admin...
  • Page 366 The behavior is the same when traffic passes through the L3VPN service: if CE1 sends a packet larger than the MTU of the interface facing the client (gi1/0/2) or of the interface facing the MPLS core (gi1/0/1), the packet is discarded.
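The MTU rules spread over the preceding pages (bridge MTU follows the smallest member, signalled PW parameters must match unless `ignore mtu-mismatch` / `ignore encapsulation-mismatch` is set, oversized frames are discarded at the AC or the core-facing interface) are easier to reason about as one model. The block below is an added Python example, not ELTEX firmware code. The bridge with gi1/0/1 at 2000 and gi1/0/2 at 3000 is the manual's own case; the 4-byte-per-label overhead applied on the core side is my assumption, as are the frame sizes and interface MTUs used in the demo.

```python
"""MTU behaviour of an L2VPN service (added example, not ESR code)."""
from dataclasses import dataclass
from typing import Dict, Iterable


@dataclass(frozen=True)
class PwEnd:
    mtu: int
    encapsulation: str = "VPLS"   # as printed by 'show mpls l2vpn bindings'


def bridge_mtu(member_mtus: Iterable[int]) -> int:
    """A bridge domain inherits the smallest MTU among its member interfaces."""
    mtus = list(member_mtus)
    if not mtus:
        raise ValueError("bridge has no members")
    return min(mtus)


def pw_status(local: PwEnd, remote: PwEnd, *, ignore_mtu: bool = False,
              ignore_encap: bool = False) -> str:
    """Signalled PW parameters must agree at both ends unless the mismatch is ignored."""
    if local.encapsulation != remote.encapsulation and not ignore_encap:
        return "Down (encapsulation mismatch)"
    if local.mtu != remote.mtu and not ignore_mtu:
        return "Down (MTU mismatch)"
    return "Up"


def forward_frame(frame_len: int, ac_mtu: int, core_mtu: int, label_stack: int = 2) -> str:
    """Fate of a customer frame entering the AC and leaving towards the MPLS core.

    Assumption (not stated in the manual): each MPLS label adds 4 bytes, so the
    core-facing check uses the labelled size. With jumbo-frame core links (9500
    in the examples above) this never bites; with a 1500-byte core it does.
    """
    if frame_len > ac_mtu:
        return "discard (exceeds AC MTU)"
    if frame_len + 4 * label_stack > core_mtu:
        return "discard (exceeds core MTU)"
    return "forward"


def demo() -> Dict[str, object]:
    return {
        "bridge": bridge_mtu([2000, 3000]),                       # manual's example: 2000
        "pw_equal": pw_status(PwEnd(1500), PwEnd(1500)),
        "pw_mismatch": pw_status(PwEnd(1500), PwEnd(9000)),
        "pw_mismatch_ignored": pw_status(PwEnd(1500), PwEnd(9000), ignore_mtu=True),
        "jumbo_core": forward_frame(1500, ac_mtu=1500, core_mtu=9500),
        "tight_core": forward_frame(1500, ac_mtu=1500, core_mtu=1500),
        "oversized_ac": forward_frame(2500, ac_mtu=2000, core_mtu=9500),
    }
```

On the router the signalled value is what `encapsulation mpls mtu` (pw-class, LDP) or `mtu` under `autodiscovery bgp` sets, and `show mpls l2vpn bindings` shows both sides; if the pseudowire stays down with equal bridge MTUs, compare those signalled values first before reaching for `ignore mtu-mismatch`, which hides the problem rather than fixing it.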
  • Page 367: Security Management

    Basic user rules configuration algorithm • Basic user rules configuration example • Extended user rules configuration algorithm • Extended user rules configuration example • Eltex Distribution Manager interaction configuration • Basic configuration algorithm • Configuration example: • Content filtering service configuration •...
  • Page 368: Local Authentication Configuration Algorithm

    ESR-Series. User manual 13.1.1 Local authentication configuration algorithm Step Description Command Keys Set local as authentication method. esr(config)# aaa authentication <NAME> – list name, set by the login { default | <NAME> } string of up to 31 characters. <METHOD 1> [ <METHOD 2>...
  • Page 369 ESR-Series. User manual Step Description Command Keys Specify the number of failed esr(config)# aaa authentication <COUNT> – amount of failed authentication attempts to block the attempts max-fail <COUNT> authentication attempts after user login and time of the lock <TIME> which a user is blocked, takes (optional) the values of [1..65535];...
  • Page 370 ESR-Series. User manual Step Description Command Keys Set the minimum number of lower case esr(config)# security passwords <COUNT> – minimum number letters in the local user password and lower-case <COUNT> of lower case letters in the local ENABLE password (optional) user password and ENABLE password.
  • Page 371: Aaa Configuration Algorithm Via Radius

    ESR-Series. User manual Step Description Command Keys Switch to the corresponding terminal esr(config)# line console configuration mode esr(config)# line telnet esr(config)# line ssh Activate user login authentication list esr(config-line-ssh)# login <NAME> – list name, set by the authentication <NAME> string of up to 31 characters. Activate authentication list of user esr(config-line-ssh)# enable <NAME>...
  • Page 372 ESR-Series. User manual Step Description Command Keys Add RADIUS server to the list of used esr(config)# radius-server host <IP-ADDR> – RADIUS server IP servers and switch to its configuration { <IP-ADDR> | <IPV6-ADDR> } [ vrf address, defined as mode. <VRF>...
  • Page 373 ESR-Series. User manual Step Description Command Keys Set IPv4/IPv6 address that will be used esr(config-radius-server)# source- <ADDR> – source IP address, as source IPv4/IPv6 address in address { <ADDR> | <IPV6-ADDR> } defined as AAA.BBB.CCC.DDD transmitted RADIUS packets. where each part takes values of [0..255];...
  • Page 374 ESR-Series. User manual Step Description Command Keys Set the method for iterating over esr(config)# aaa authentication <MODE> –  options of iterating authentication methods (optional). mode <MODE> over methods: • chain – if the server returned FAIL, proceed to the following authentication method in the chain;...
  • Page 375: Aaa Configuration Algorithm Via Tacacs

    ESR-Series. User manual 13.1.3 AAA configuration algorithm via TACACS Step Description Command Keys Set the DSCP code global value for the esr(config)# tacacs-server dscp <DSCP> – DSCP code value, use in IP headers of TACACS server <DSCP> takes values in the range of egress packets (optional).
  • Page 376 ESR-Series. User manual Step Description Command Keys Set the port number to communicate esr(config-tacacs-server)# port <PORT> – number of TCP port with remote TACACS server (optional). <PORT> to exchange data with a remote server, takes values of [1..65535]. Default value: 49 for TACACS server.
  • Page 377 ESR-Series. User manual Step Description Command Keys Set the method for iterating over esr(config)# aaa authentication <MODE> –  options of iterating authentication methods (optional). mode <MODE> over methods: • chain – if the server returned FAIL, proceed to the following authentication method in the chain;...
  • Page 378: Aaa Configuration Algorithm Via Ldap

    ESR-Series. User manual 13.1.4 AAA configuration algorithm via LDAP Step Description Command Keys Specify basic DN (Distinguished name) esr(config)# ldap-server base-dn <NAME> – basic DN, set by the which will be used when searching for <NAME> string of up to 255 characters. users.
  • Page 379 ESR-Series. User manual Step Description Command Keys Specify the interval after which the esr(config)# ldap-server search <SEC> – time interval in device assumes that LDAP server has timeout <SEC> seconds, takes values of [0..30] not found users entries satisfying the search condition (optional).
  • Page 380 ESR-Series. User manual Step Description Command Keys Specify the number of failed aaa authentication attempts max- <COUNT> – amount of failed authentication attempts to block the fail <COUNT> <TIME> authentication attempts after user login and time of the lock which a user is blocked, takes (optional) the values of [1..65535];...
  • Page 381 ESR-Series. User manual Step Description Command Keys Set LDAP as authentication method. esr(config)# aaa authentication <NAME> – list name, set by the login { default | <NAME> } string of up to 31 characters. <METHOD 1> [ <METHOD 2> ] [ <METHOD 3>...
  • Page 382: Example Of Authentication Configuration Using Telnet Via Radius Server

    ESR-Series. User manual Step Description Command Keys Switch to the corresponding terminal esr(config)# line <TYPE> <TYPE> – console type: configuration mode. • console – local console; • ssh – secure remote console. Activate user login authentication list. esr(config-line-console)# login <NAME> – list name, set by the authentication <NAME>...
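The lockout step that appears in the RADIUS, TACACS and LDAP algorithms above (`aaa authentication attempts max-fail <COUNT> <TIME>`) and the local password policy (`security passwords lower-case <COUNT>`) are easy to misjudge operationally, so here is an added Python model of their behaviour. It is not ELTEX firmware code; the manual states only that <COUNT> failed attempts block the login for <TIME>, so the choices that attempts during the lock are rejected without evaluation and do not extend the lock are assumptions, as are the user name and timings in the demo.

```python
"""Failed-login lockout and password policy (added example, not ESR code)."""
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List


@dataclass
class _UserState:
    failures: int = 0
    locked_until: float = 0.0


@dataclass
class LoginGuard:
    max_fail: int                                   # <COUNT>, [1..65535]
    lock_time: float                                # <TIME> in seconds
    clock: Callable[[], float] = time.monotonic     # injectable so the test runs offline
    _users: Dict[str, _UserState] = field(default_factory=dict)

    def attempt(self, user: str, password_ok: bool) -> str:
        """Outcome of one login attempt: 'ok', 'fail' or 'locked'."""
        st = self._users.setdefault(user, _UserState())
        now = self.clock()
        if now < st.locked_until:
            # Assumption: attempts during the lock are rejected without being
            # evaluated and do not extend the lock.
            return "locked"
        if st.locked_until:
            st.failures, st.locked_until = 0, 0.0   # lock expired: start afresh
        if password_ok:
            st.failures = 0                          # a success clears the counter
            return "ok"
        st.failures += 1
        if st.failures >= self.max_fail:
            st.locked_until = now + self.lock_time
            return "locked"
        return "fail"


def password_meets_policy(password: str, min_lower: int) -> bool:
    """'security passwords lower-case <COUNT>': at least COUNT lower-case letters."""
    return sum(1 for ch in password if ch.islower()) >= min_lower


def demo() -> List[str]:
    now = [0.0]
    guard = LoginGuard(max_fail=3, lock_time=60, clock=lambda: now[0])
    # (password correct?, seconds to advance before the attempt)
    script = [(False, 0), (False, 0), (False, 0), (True, 0), (True, 61)]
    outcomes = []
    for ok, advance in script:
        now[0] += advance
        outcomes.append(guard.attempt("admin", ok))
    return outcomes
```

The fourth attempt in demo() is the one to remember: a correct password is still refused while the lock runs, which means anyone who can reach the Telnet or SSH line can lock the administrator out by guessing the user name. Keep console access under a separate `line console` login list so the lock on remote lines cannot strand you.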
  • Page 383: Command Privilege Configuration

    ESR-Series. User manual esr# show aaa authentication 13.2 Command privilege configuration Command privilege configuration is a flexible tool that allows you to assign baseline user privilege level (1–15) to a command set. In future, you may specify privilege level during user creation which will define a command set available to them.
  • Page 384 ESR-Series. User manual Step Description Command Keys Enable protection against land attacks. esr(config)# firewall screen dos- defense land Enable a limit on the number of packets esr(config)# ip firewall screen dos- <NUM> – limit number of IP sent per second per destination defense packets per second, set in the address...
  • Page 385 ESR-Series. User manual Step Description Command Keys Enable protection against port scan esr(config)# ip firewall screen spy- <threshold> – interval in attacks. blocking port-scan milliseconds during which the { <threshold> } [ <TIME> ] port scan attack will be recorded [1..1000000]. <TIME>...
  • Page 386: Description Of Attack Protection Mechanisms

    Step / Description / Command / Keys:
    • Enable more detailed CLI output about detected and blocked network attacks: esr(config)# logging firewall screen detailed
    • Enable detection and logging of DoS attacks via CLI, syslog and SNMP: esr(config)# logging firewall screen dos-defense <ATTACK_TYPE> – DoS attack type, takes the following...
  • Page 387 ESR-Series. User manual Command Description ip firewall screen dos-defense limit- When the host IP sessions table is overfilled, the host is unable to establish new session-destination sessions and it drops the requests (this may happen during various DoS attacks: SYN flood, UDP flood, ICMP flood, etc.). The command enables limiting the number of packets transmitted per second per destination address, which attenuates DoS attacks.
  • Page 388 Command / Description: ip firewall screen spy-blocking icmp-type source-quench – enables blocking of all ICMP type 4 (source quench) packets, including those generated by the router itself; this prevents an attacker from learning about the network topology and host availability. ip firewall screen spy-blocking icmp- – enables blocking of all ICMP type 11 (time...
  • Page 389: Configuration Example Of Logging And Protection Against Network Attacks

    ESR-Series. User manual Command Description ip firewall screen suspicious-packets The given command enables the blocking of ICMP packets more than 1024 large-icmp bytes. ip firewall screen suspicious-packets This command enables the blocking of fragmented TCP packets with the SYN syn-fragment flag.
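Two of the screen mechanisms described in this table are rate-and-window heuristics, and it is worth seeing exactly what they key on. The block below is an added Python example, not ELTEX firmware code: it runs a port-scan detector (`spy-blocking port-scan <threshold> [<TIME>]`, where <threshold> is the millisecond window in which ports are counted and <TIME> the block duration) and a per-destination packets-per-second ceiling (`dos-defense limit-session-destination <NUM>`) over constructed packet records. The manual does not say how many distinct ports make a scan, so the 10-port trigger is an assumption, as are the addresses, timings and the fixed one-second buckets used for the rate check.

```python
"""Firewall-screen heuristics over sample traffic (added example, not ESR code)."""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Tuple


@dataclass(frozen=True)
class Pkt:
    ts_ms: int       # arrival time in milliseconds
    src: str
    dst: str
    dport: int


class PortScanScreen:
    """'ip firewall screen spy-blocking port-scan <threshold> [<TIME>]'."""

    def __init__(self, threshold_ms: int, block_s: int, ports_to_trigger: int = 10):
        self.threshold_ms = threshold_ms            # window in which ports are counted
        self.block_ms = block_s * 1000              # how long the source is blocked
        self.ports_to_trigger = ports_to_trigger    # assumption: not stated in the manual
        self._hist: Dict[str, Deque[Tuple[int, int]]] = defaultdict(deque)
        self._blocked_until: Dict[str, int] = {}

    def check(self, p: Pkt) -> str:
        if p.ts_ms < self._blocked_until.get(p.src, -1):
            return "drop (blocked)"
        hist = self._hist[p.src]
        hist.append((p.ts_ms, p.dport))
        while hist and p.ts_ms - hist[0][0] > self.threshold_ms:   # slide the window
            hist.popleft()
        if len({port for _, port in hist}) >= self.ports_to_trigger:
            self._blocked_until[p.src] = p.ts_ms + self.block_ms
            hist.clear()
            return "drop (port scan)"
        return "pass"


class DestRateScreen:
    """'ip firewall screen dos-defense limit-session-destination <NUM>':
    packets per second per destination address, counted in fixed 1 s buckets."""

    def __init__(self, pps_limit: int):
        self.pps_limit = pps_limit
        self._count: Dict[Tuple[str, int], int] = defaultdict(int)

    def check(self, p: Pkt) -> str:
        key = (p.dst, p.ts_ms // 1000)
        self._count[key] += 1
        return "pass" if self._count[key] <= self.pps_limit else "drop (dst rate)"


def screen(pkts: List[Pkt], threshold_ms: int = 1000, block_s: int = 300,
           pps_limit: int = 20) -> List[str]:
    """Apply both screens in order; the first one that drops decides."""
    scan, rate = PortScanScreen(threshold_ms, block_s), DestRateScreen(pps_limit)
    verdicts = []
    for p in pkts:
        v = scan.check(p)
        verdicts.append(rate.check(p) if v == "pass" else v)
    return verdicts


def sample() -> List[Pkt]:
    """Constructed traffic: 10.0.0.99 sweeps ports 20..31 within 550 ms and comes back
    a minute later; 10.0.0.5 opens three ordinary HTTPS connections; 10.0.0.7 sends
    25 DNS packets to the same server inside one second."""
    sweep = [Pkt(50 * i, "10.0.0.99", "192.0.2.10", 20 + i) for i in range(12)]
    retry = [Pkt(60_000, "10.0.0.99", "192.0.2.10", 443)]
    normal = [Pkt(2_000 + i, "10.0.0.5", "192.0.2.10", 443) for i in range(3)]
    flood = [Pkt(5_000 + i, "10.0.0.7", "192.0.2.10", 53) for i in range(25)]
    return sweep + retry + normal + flood
```

The sweep is only recognised on its tenth distinct port, so the first nine probes reach the target: screens of this kind limit reconnaissance, they do not prevent it, and the block on the source is what actually stops the rest of the scan. The per-destination ceiling is blunt by design and will also drop legitimate traffic to a busy host once the limit is crossed, so size <NUM> from measured traffic rather than guessing.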
  • Page 390: Firewall Configuration

    ESR-Series. User manual esr(config)# security zone LAN esr(config-zone)# exit esr(config)# security zone WAN esr(config-zone)# exit esr(config)# security zone-pair LAN WAN esr(config-zone-pair)# rule esr(config-zone-pair-rule)# action permit esr(config-zone-pair-rule)# enable esr(config-zone-pair-rule)# ex esr(config-zone-pair)# exit esr(config)# security zone-pair WAN LAN esr(config-zone-pair)# rule esr(config-zone-pair-rule)# action permit esr(config-zone-pair-rule)# enable esr(config-zone-pair-rule)# exit esr(config-zone-pair)# exit...
  • Page 391: Configuration Algorithm

    ESR-Series. User manual 13.4.1 Configuration algorithm Step Description Command Keys Create security zones. esr(config)# security zone <zone- <zone-name> – up to 12 name1> characters. esr(config)# security zone <zone- name2> Specify a security zone description. esr(config-zone)# description <description> – up to 255 <description>...
  • Page 392 ESR-Series. User manual Step Description Command Keys Determine the size of outstanding esr(config)# ip firewall sessions <COUNT>  – table size, takes sessions table (optional). max-expect <COUNT> values of [1..8553600]. Default value: 256. Determine the size of trackable esr(config)# ip firewall sessions <COUNT> ...
  • Page 393 Step / Description / Command / Keys: Enable application-level session tracking for certain protocols (optional): esr(config)# ip firewall sessions tracking <PROTOCOL> – application-level protocol (ftp, h323, pptp, netbios-ns, tftp) whose sessions should be tracked; <OBJECT-GROUP-SERVICE> – TCP/UDP port profile name for SIP sessions, set by a string of up to 31 characters.
  • Page 394 ESR-Series. User manual Step Description Command Keys esr(config-object-group-network)# <FROM-ADDR> – range starting ip address-range IP address; <FROM-ADDR>-<TO-ADDR> <TO-ADDR> – range ending IP address, optional parameter; If the parameter is not specified, a single IP address is set by the command. The addresses are defined as AAA.BBB.CCC.DDD where each part takes values of [0..255].
  • Page 395 ESR-Series. User manual Step Description Command Keys Create applications lists which will be esr(config)# object-group <NAME> – application profile used in DPI mechanism. application <NAME> name, set by the string of up to 31 characters. Specify applications list description esr(config-object-group- <description>...
  • Page 396 ESR-Series. User manual Step Description Command Keys Set name or number of IP for which the esr(config-zone-rule)# match [not] <protocol-type> – protocol rule should work (optional). protocol <protocol-type> type, takes the following values: esp, icmp, ah, eigrp, ospf, igmp, ipip, tcp, pim, udp, vrrp, rdp, l2tp, gre.
  • Page 397: Firewall Configuration Example

    ESR-Series. User manual Step Description Command Keys Set the limitation under which the rule esr(config-zone-rule)# match [not] will only work for traffic modified by the destination-nat IP address and destination ports translation service. Set the maximum packet rate (optional, esr(config-zone-pair-rule)# rate- <rate-pps>...
  • Page 398 Solution: Create a security zone for each ESR network: esr# configure esr(config)# security zone LAN esr(config-zone)# exit esr(config)# security zone WAN esr(config-zone)# exit Configure the network interfaces and assign them to security zones: esr(config)# interface gi1/0/2 esr(config-if-gi)# ip address 192.168.12.2/24 esr(config-if-gi)# security-zone LAN esr(config-if-gi)# exit...
  • Page 399 ESR-Series. User manual For definition of rules for security zones, create 'LAN' address profile that includes addresses which are allowed to access WAN network and 'WAN' network address profile. esr(config)# object-group network WAN esr(config-object-group-network)# ip address-range 192.168.23.2 esr(config-object-group-network)# exit esr(config)# object-group network LAN esr(config-object-group-network)# ip address-range 192.168.12.2 esr(config-object-group-network)# exit...
  • Page 400: Configuration Example Of Application Filtering (Dpi)

    ESR-Series. User manual Router always has a security zone named 'self'. When the traffic recipient is the router itself, i.e. traffic is not transit, pass 'self' zone as a parameter. Create a pair of zones for traffic coming from 'WAN' zone into 'self' zone.
  • Page 401 Objective: Block access to resources such as YouTube, BitTorrent and Facebook. Solution: Create a security zone for each ESR network: esr# configure esr(config)# security zone LAN esr(config-zone)# exit esr(config)# security zone WAN esr(config-zone)# exit Configure the network interfaces and assign them to security zones: esr(config)# interface gi1/0/1...
  • Page 402: Access List (Acl) Configuration

    To set the rules for traffic passing from the "WAN" zone to the "LAN" zone, create a zone pair and add a rule that blocks the application traffic and a rule that allows the rest of the traffic. Rules take effect only after the enable command: esr(config)# security zone-pair WAN LAN esr(config-zone-pair)# rule...
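The firewall examples in 13.4 all reduce to one decision: classify a packet by the zone of its ingress interface and the zone of its egress interface (or the built-in 'self' zone when the router is the destination), then walk the rules of that zone pair in order and apply the first enabled rule that matches, with `match not` inverting a single criterion. The block below is an added Python model of that decision, not ELTEX firmware code. The drop-by-default for a missing zone pair or no matching rule, the interface-to-zone assignments, the ADMIN object group, the routes and the sample packets are assumptions of this example; the LAN/WAN/self zones and the 192.168.12.2 / 192.168.23.2 addresses follow the manual's example.

```python
"""Zone-based firewall decision (added example, not ESR code)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, Iterator, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    in_iface: str
    src: str
    dst: str
    proto: str                      # tcp, udp, icmp, ...
    dport: Optional[int] = None


@dataclass
class Rule:
    number: int
    action: str                                    # "permit" | "deny"
    enabled: bool = False                          # a rule acts only after 'enable'
    src_group: Optional[str] = None                # match source-address object-group <NAME>
    dst_group: Optional[str] = None                # match destination-address object-group <NAME>
    protocol: Optional[str] = None                 # match protocol <type>
    dports: Optional[Set[int]] = None              # match destination-port ...
    negated: Set[str] = field(default_factory=set) # criteria written as 'match not ...'


@dataclass
class ZoneFirewall:
    zone_of_iface: Dict[str, str]                  # 'security-zone <ZONE>' per interface
    routes: List[Tuple[str, str]]                  # (prefix, egress interface), longest match
    local_addrs: Set[str]                          # the router's own addresses -> zone 'self'
    groups: Dict[str, List[str]]                   # object-group network -> prefixes
    pairs: Dict[Tuple[str, str], List[Rule]] = field(default_factory=dict)

    def _in_group(self, name: str, addr: str) -> bool:
        a = ip_address(addr)
        return any(a in ip_network(p, strict=False) for p in self.groups[name])

    def _dest_zone(self, dst: str) -> Optional[str]:
        if dst in self.local_addrs:
            return "self"                           # traffic addressed to the router itself
        a, best = ip_address(dst), None
        for prefix, iface in self.routes:
            net = ip_network(prefix)
            if a in net and (best is None or net.prefixlen > best[0]):
                best = (net.prefixlen, iface)
        return self.zone_of_iface.get(best[1]) if best else None

    def _criteria(self, r: Rule, p: Packet) -> Iterator[Tuple[str, bool]]:
        if r.src_group is not None:
            yield "source-address", self._in_group(r.src_group, p.src)
        if r.dst_group is not None:
            yield "destination-address", self._in_group(r.dst_group, p.dst)
        if r.protocol is not None:
            yield "protocol", r.protocol == p.proto
        if r.dports is not None:
            yield "destination-port", p.dport in r.dports

    def _matches(self, r: Rule, p: Packet) -> bool:
        # every configured criterion must hold; 'match not' flips just that criterion
        return all(ok != (name in r.negated) for name, ok in self._criteria(r, p))

    def decide(self, p: Packet) -> str:
        src_zone, dst_zone = self.zone_of_iface.get(p.in_iface), self._dest_zone(p.dst)
        if src_zone is None or dst_zone is None:
            return "drop (interface not in a zone)"
        for r in sorted(self.pairs.get((src_zone, dst_zone), []), key=lambda r: r.number):
            if r.enabled and self._matches(r, p):
                return f"{r.action} (zone-pair {src_zone} {dst_zone} rule {r.number})"
        return f"drop (no rule in zone-pair {src_zone} {dst_zone})"   # assumed default


def demo() -> List[str]:
    fw = ZoneFirewall(
        zone_of_iface={"gi1/0/2": "LAN", "gi1/0/3": "WAN"},
        routes=[("0.0.0.0/0", "gi1/0/3"), ("192.168.12.0/24", "gi1/0/2")],
        local_addrs={"192.168.12.2", "192.168.23.2"},
        groups={"LAN": ["192.168.12.0/24"], "ADMIN": ["203.0.113.0/28"]},
        pairs={
            ("LAN", "WAN"): [Rule(1, "permit", True, src_group="LAN")],
            ("WAN", "self"): [
                Rule(10, "deny", True, src_group="ADMIN", negated={"source-address"}),
                Rule(20, "permit", True, protocol="tcp", dports={22}),
            ],
            ("WAN", "LAN"): [Rule(1, "permit")],    # configured but never 'enable'd
        },
    )
    return [fw.decide(p) for p in (
        Packet("gi1/0/2", "192.168.12.10", "198.51.100.7", "tcp", 443),  # LAN -> WAN
        Packet("gi1/0/3", "203.0.113.5", "192.168.23.2", "tcp", 22),    # admin SSH to router
        Packet("gi1/0/3", "198.51.100.9", "192.168.23.2", "tcp", 22),   # stranger SSH to router
        Packet("gi1/0/3", "198.51.100.9", "192.168.12.10", "tcp", 80),  # WAN -> LAN
    )]
```

The last packet is the case the manual's "Rules are applied with the enable command" remark is about: a permit rule that was typed but not enabled leaves the WAN-to-LAN pair empty, so the packet is dropped. The WAN-to-self pair shows the idiom for management access: a `match not source-address` deny ahead of the permit keeps SSH reachable only from the ADMIN group.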
  • Page 403: Configuration Algorithm

    ESR-Series. User manual 13.5.1 Configuration algorithm Step Description Command Keys Create access control list and switch to esr(config)# ip access-list <NAME> – access control list its configuration mode. extended <NAME> name, set by the string of up to 31 characters. Specify the description of a esr(config-acl)# description <DESCRIPTION>...
  • Page 404 ESR-Series. User manual Step Description Command Keys Set sender IP addresses for which the esr(config-acl-rule)# match <ADDR> – sender IP address, rule should work (optional). source-address { <ADDR> <MASK> defined as AAA.BBB.CCC.DDD | any } where each part takes values of [0..255];...
  • Page 405: Access List Configuration Example

    ESR-Series. User manual Step Description Command Keys Set VLAN ID for which the rule should esr(config-acl-rule)# match vlan <VID>  – VLAN ID, takes values work (optional). <VID> of [1..4094]. Activate a rule. esr(config-acl-rule)# enable Specify access control list for the esr(config-if-gi)# service-acl input <NAME>...
  • Page 406: Base Configuration Algorithm

    ESR-Series. User manual By default, ESR devices have a basic set of rules from EmergingThreats designed for testing and verifying system health. 13.6.1 Base configuration algorithm Step Description Command Keys Create IPS/IDS security policy. esr(config)# security ips policy <NAME> – security policy <NAME>...
  • Page 407: Configuration Algorithm For Ips/Ids Rules Autoupdate From External Sources

    ESR-Series. User manual 13.6.2 Configuration algorithm for IPS/IDS rules autoupdate from external sources Step Description Command Keys Switch to the autoupdate configuration esr(config-ips)# auto-upgrade mode Specify a name and enter the esr(config-ips-auto-upgrade)# <WORD> – server name, set by configuration mode of the user update user-server <WORD>...
  • Page 408 ESR-Series. User manual https:// These rules describe well-known botnets and control servers. Sources: rules.emergingthreats.net/ Shadowserver.org, Zeus Tracker, Palevo Tracker, Feodo Tracker, Ransomware open/suricata/rules/ Tracker. botcc.rules https:// These rules describe malicious hosts by the classification of the www.cinsarmy.com rules.emergingthreats.net/ project. open/suricata/rules/ ciarmy.rules https:// These rules describe well-known compromised and malicious hosts.
  • Page 409 ESR-Series. User manual https:// These rules contain DOS attack signatures. rules.emergingthreats.net/ open/suricata/rules/emerging- dos.rules https:// These rules contain exploit signatures. rules.emergingthreats.net/ open/suricata/rules/emerging- exploit.rules https:// These rules contain signatures of vulnerabilities in the FTP protocol, signs of rules.emergingthreats.net/ incorrect use of the FTP protocol. open/suricata/rules/emerging- ftp.rules https://...
  • Page 410 ESR-Series. User manual https:// These rules contain different vulnerabilities signatures. rules.emergingthreats.net/ open/suricata/rules/emerging- misc.rules https:// These rules contain malware signatures for mobile platforms. rules.emergingthreats.net/ open/suricata/rules/emerging- mobile_malware.rules https:// These rules contain signatures of vulnerabilities in the NetBIOS protocol, signs of rules.emergingthreats.net/ incorrect use of the NetBIOS protocol. open/suricata/rules/emerging- netbios.rules https://...
  • Page 411 ESR-Series. User manual https:// These rules contain signatures of vulnerabilities in the SMTP protocol, signs of rules.emergingthreats.net/ incorrect use of the SMTP protocol. open/suricata/rules/emerging- smtp.rules https:// These rules contain vulnerability signatures for SQL DBMS. rules.emergingthreats.net/ open/suricata/rules/emerging- sql.rules https:// These rules contain signatures of vulnerabilities in the telnet protocol, signs of rules.emergingthreats.net/ incorrect use of the telnet protocol.
  • Page 412: Ips/Ids Configuration Example With Auto-Update Rules

    https://rules.emergingthreats.net/open/suricata/rules/emerging-worm.rules – These rules describe signs of network worm activity.
    13.6.4 IPS/IDS configuration example with auto-update rules
    Objective: Organize LAN protection with auto-update rules from open sources.
    192.168.1.0/24 – LAN
    Solution: Create an address profile for the LAN that we will protect:
    esr(config)# object-group network LAN
    esr(config-object-group-network)# ip prefix 192.168.1.0/24...
  • Page 413
    Configure the DNS client on the ESR so that it can resolve the names of the IPS/IDS rule update sources:
    esr(config)# domain lookup enable
    esr(config)# domain name-server 8.8.8.8
    Create an IPS/IDS security policy:
    esr(config)# security ips policy OFFICE
    esr(config-ips-policy)# description "My Policy"
    esr(config-ips-policy)# protect network-group LAN
    Allow IPS/IDS operation on the bridge 1 LAN interface:
    esr(config)# bridge...
  • Page 414: Basic User Rules Configuration Algorithm

    13.6.5 Basic user rules configuration algorithm
    Description: Specify a name and enter the configuration mode of the set of user rules.
    Command: esr(config)# security ips-category user-defined <WORD>
    Keys: <WORD> – user rule set name, set by the string of up to 32 characters.
  • Page 415
    Description: Set sender IP addresses for which the rule should work.
    Command: esr(config-ips-category-rule)# source-address {ip <ADDR> | ip-prefix <ADDR/LEN> | object-group <OBJ_GR_NAME> | policy-object-group ...
    Keys: <ADDR> – sender IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255]; <ADDR/LEN>...
  • Page 416
    Description: Set destination IP addresses for which the rule should trigger.
    Command: esr(config-ips-category-rule)# destination-address {ip <ADDR> | ip-prefix <ADDR/LEN> | object-group <OBJ_GR_NAME> | policy-object-group { protect | external } | any }
    Keys: <ADDR> – recipient IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255]; <ADDR/LEN>...
  • Page 417
    Description: Define the traffic classification that will be recorded in the log when this rule triggers (optional).
    Command: esr(config-ips-category-rule)# meta classification-type { not-suspicious | unknown | bad-unknown | attempted-recon | ...
    Keys:
    • not-suspicious – not suspicious traffic;
    • unknown – unknown traffic.
  • Page 418
    • tcp-connection – TCP connection was detected.
    • trojan-activity – network Trojan was detected.
    • unusual-client-port-connection – the client used an unusual port.
    • network-scan – network scan was detected.
    • denial-of-service – denial of service attack was detected.
  • Page 419
    Description: Set the IP protocol number for which the rule should work (optional).
    Command: esr(config-ips-category-rule)# ip protocol-id <ID>
    Keys: <ID> – IP protocol identifier, takes values of [1..255]. Applicable only for the protocol any value.
    Description: Set the ICMP CODE value for which the rule ...
    Command: esr(config-ips-category-rule)# ip <CODE>...
  • Page 420
    Description: Set the TCP window-size value for which the rule should trigger (optional).
    Command: esr(config-ips-category-rule)# ip tcp window-size <SIZE>
    Keys: <SIZE> – TCP window-size value, takes a value in the range [0..65535]. Applicable only for the protocol tcp value.
    Description: Set HTTP protocol keywords for which ...
    Command: esr(config-ips-category-rule)# ip ...
    Keys: See the Suricata 4.X...
  • Page 421
    Description: Set the number of offset bytes from the beginning of the packet contents to check (optional).
    Command: esr(config-ips-category-rule)# payload offset <OFFSET>
    Keys: <OFFSET> – the number of offset bytes from the beginning of the packet contents, takes a value in the range [1 ..
  • Page 422: Basic User Rules Configuration Example

    Description: Specify the threshold handling method.
    Command: esr(config-ips-category-rule)# threshold type {threshold | limit | both }
    Keys:
    • threshold – display a message every time a threshold is reached.
    • limit – issue a message no more than <COUNT> times per time interval <SECOND>.
  • Page 423
    Specify the protocol type for the rule:
    esr(config-ips-category-rule)# protocol icmp
    Since we specified the icmp protocol, we need to specify any as the port of the sender and recipient:
    esr(config-ips-category-rule)# source-port any
    esr(config-ips-category-rule)# destination-port any
    We will indicate our server as the recipient address:
    esr(config-ips-category-rule)# destination-address ip 192.168.1.10
    An attacker can send packets from any address:...
  • Page 424: Extended User Rules Configuration Algorithm

    Set the traffic direction:
    esr(config-ips-category-rule)# direction one-way
    The rule will trigger on packets larger than 1024 bytes:
    esr(config-ips-category-rule)# payload data-size 1024
    esr(config-ips-category-rule)# payload data-size comparison-operator greater-than
    The rule will trigger if the load on the server exceeds 3 Mbps, while an attack message will be generated no more than once a minute:
    Mbps = 3145728...
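    The threshold handling methods listed on page 422 (threshold, limit, both with <COUNT> and <SECOND>) and the "no more than once a minute" behaviour of the rule example above can be hard to picture from the table alone. The following Python model is an added illustration written for this page; it is not ESR firmware or Suricata code. It re-creates the rule built in the example (ICMP to the protected server 192.168.1.10, payload strictly greater than 1024 bytes) and counts rule matches per time interval the way the table describes. The class and function names (Packet, Rule, ThresholdTracker, evaluate), the packet stream and the count/interval values are all constructed for the demonstration.

```python
"""Toy model of a user IPS rule and the three threshold handling methods.

Added illustration, not ESR firmware or Suricata code. It follows the rule built
in the manual's example (ICMP to 192.168.1.10, payload larger than 1024 bytes) and
the semantics the table gives for 'threshold type {threshold | limit | both}'
with <COUNT> and <SECOND>. Packets and count/interval values are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    ts: float          # arrival time in seconds (constructed)
    proto: str         # "icmp", "tcp", ...
    src: str
    dst: str
    payload_len: int   # payload bytes, compared against 'payload data-size'


@dataclass
class Rule:
    proto: str = "icmp"             # protocol icmp
    dst: str = "192.168.1.10"       # destination-address ip 192.168.1.10
    data_size: int = 1024           # payload data-size 1024, comparison-operator greater-than
    threshold_type: str = "limit"   # threshold type {threshold | limit | both}
    count: int = 1                  # <COUNT>
    seconds: float = 60.0           # <SECOND>


def matches(rule: Rule, pkt: Packet) -> bool:
    """Rule body: protocol, recipient address and the strict greater-than size check."""
    return (pkt.proto == rule.proto
            and pkt.dst == rule.dst
            and pkt.payload_len > rule.data_size)


class ThresholdTracker:
    """Decides, per matching packet, whether an attack message is emitted.

    threshold: a message every time <COUNT> matches accumulate in the interval.
    limit:     at most <COUNT> messages per interval, then silence until it ends.
    both:      one message per interval, and only once <COUNT> matches were seen.
    """

    def __init__(self, kind: str, count: int, seconds: float) -> None:
        if kind not in ("threshold", "limit", "both"):
            raise ValueError(f"unknown threshold type {kind!r}")
        self.kind, self.count, self.seconds = kind, count, seconds
        self.window_start: Optional[float] = None
        self.seen = 0      # matches in the current interval
        self.alerted = 0   # messages emitted in the current interval

    def event(self, now: float) -> bool:
        # start a new interval on the first match or once the old one has expired
        if self.window_start is None or now - self.window_start >= self.seconds:
            self.window_start, self.seen, self.alerted = now, 0, 0
        self.seen += 1
        if self.kind == "threshold":
            if self.seen >= self.count:
                self.seen = 0          # count the next <COUNT> matches afresh
                return True
            return False
        if self.kind == "limit":
            if self.alerted < self.count:
                self.alerted += 1
                return True
            return False
        # both: fire once per interval after <COUNT> matches
        if self.seen >= self.count and self.alerted == 0:
            self.alerted = 1
            return True
        return False


def evaluate(rule: Rule, traffic: List[Packet]) -> List[float]:
    """Return the timestamps at which the rule would produce an attack message."""
    tracker = ThresholdTracker(rule.threshold_type, rule.count, rule.seconds)
    alerts: List[float] = []
    for pkt in sorted(traffic, key=lambda p: p.ts):
        if matches(rule, pkt) and tracker.event(pkt.ts):
            alerts.append(pkt.ts)
    return alerts


# Constructed traffic: ten large ICMP packets one second apart, two packets that
# must not match (too small, wrong protocol) and a late packet in a new interval.
SAMPLE_TRAFFIC = [Packet(float(t), "icmp", "203.0.113.7", "192.168.1.10", 1400) for t in range(10)]
SAMPLE_TRAFFIC += [
    Packet(3.5, "icmp", "203.0.113.7", "192.168.1.10", 64),      # payload not > 1024
    Packet(4.5, "tcp", "203.0.113.7", "192.168.1.10", 1400),     # not ICMP
    Packet(70.0, "icmp", "198.51.100.9", "192.168.1.10", 2000),  # after the 60 s interval
]

if __name__ == "__main__":
    for kind, count in (("limit", 1), ("threshold", 3), ("both", 3)):
        rule = Rule(threshold_type=kind, count=count, seconds=60.0)
        print(f"{kind:9} count={count}: messages at t={evaluate(rule, SAMPLE_TRAFFIC)}")
```

    With the constructed stream, "limit 1 per 60 s" reports at t=0 and again at t=70 (a new interval), "threshold 3" reports on every third match (t=2, 5, 8), and "both 3" reports once at t=2 and stays silent for the rest of the interval, which is the behaviour to pick when a message per minute is all the operator wants to see.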
  • Page 425: Extended User Rules Configuration Example

    Description: Specify the rule text.
    Command: esr(config-ips-category-rule-advanced)# rule-text <LINE>
    Keys: <CONTENT> – text message in SNORT 2.X/Suricata 4.X format, specified by a string of up to 1024 characters. When writing rules, the symbol '' needs to be replaced with the symbol '
    Description: Activate a rule.
  • Page 426: Eltex Distribution Manager Interaction Configuration

    13.7 Eltex Distribution Manager interaction configuration
    EDM (Eltex Distribution Manager) is a service for distributing licensed content to devices via commercial subscription. Using Kaspersky Lab's security infrastructure, including the Kaspersky Security Network cloud-based "collective intelligence" with Kaspersky SafeStream II support, the ESR service router is able to detect malware in all types of traffic (web, email, P2P, instant messaging services, etc.).
  • Page 427
    Description: Set the port to connect to the EDM server.
    Command: esr (config-content-provider)# host port <PORT>
    Keys: <PORT> – number of sender TCP/UDP port, takes values of [1..65535].
    Description: Set the type and partition of the device ...
    Command: esr (config-content-provider)# storage-device <DEVICE>
    Keys: <DEVICE> – label and partition name on the ...
  • Page 428
    Description: Connect the desired category.
    Command: esr (config-ips-vendor)# category WORD(1-64)
    Keys: Phishing URL Data Feed – Phishing URL data streams; Malicious URL Data Feed – Malicious URL data streams; Botnet C&C URL Data Feed – Botnet C&C URL data streams; Malicious Hash Data Feed – ...
  • Page 429: Configuration Example

    Enable IPS/IDS.
    esr(config-ips)# enable
    13.7.2 Configuration example:
    Set the content-provider parameters – this is the address of the Eltex server. There must be network reachability between the content-provider server and the router.
    content-provider
     host address edm.eltex-co.ru
     host port...
  • Page 430
    interface gigabitethernet 1/0/1
     service-ips enable
    exit
    Configure security policy:
    security ips policy policy0
     protect network-group objectgroup0
     vendor kaspersky
      category MaliciousURLsDF
       rules action alert
       rules count
       enable
      exit
      category MobileBotnetCAndCDF
       rules action alert
       rules count 1000
       enable
      exit
      category APTIPDF
       rules action alert
       rules count...
  • Page 431
      category APTURLsDF
       rules action alert
       rules count 1000
       enable
      exit
      category BotnetCAndCURLsDF
       rules action alert
       rules count 1000
       enable
      exit
      category IPReputationDF
       rules action alert
       rules count 1000
       enable
      exit
      category IoTURLsDF
       rules action alert
       rules count 1000
       enable
      exit...
  • Page 432: Content Filtering Service Configuration

    show security ips content-provider:
    esr-20# show security ips content-provider
    Server: content-provider
    Last MD5 of received files: c60bd0f10716d3f48e18f24828337135
    Next update: October 2020 00:37:06
    With this command you can find out whether the content provider has downloaded rules from the EDM server (based on the presence of the MD5 checksum) and when the next update is scheduled for the device.
  • Page 433
    Description: Create IP address lists which will be used during filtration.
    Command: esr (config)# object-group network <WORD>
    esr (config-object-group-network)# ip prefix <ADDR/LEN>
    Keys: <WORD> – server name, set by the string of up to 32 characters. <ADDR/LEN>...
  • Page 434
    Description: Use all ESR resources for IPS/IDS (optional).
    Command: esr(config-ips)# perfomance max
    Keys: By default, half of the available processor cores are allocated for IPS/IDS.
    Description: Set an external drive for recording logs in EVE format (optional).
    Command: esr(config-ips)# logging storage-
    Keys: <DEVICE_NAME> – the name of ...
  • Page 435
    Description: Set the IP protocol to HTTP.
    Command: esr(config-ips-category-rule)# protocol http
    Description: Set sender IP addresses for which the rule should work.
    Command: esr(config-ips-category-rule)# source-address {ip <ADDR> | ip-prefix <ADDR/LEN> | ...
    Keys: <ADDR> – sender IP address, defined as AAA.BBB.CCC.DDD where each part takes values of ...
  • Page 436
    Description: Set destination IP addresses for which the rule should trigger.
    Command: esr(config-ips-category-rule)# destination-address {ip <ADDR> | ip-prefix <ADDR/LEN> | object-group <OBJ_GR_NAME> | policy-object-group { protect | external } | any }
    Keys: <ADDR> – recipient IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255]; <ADDR/LEN>...
  • Page 437: Content Filtering Rules Configuration Example

    Description: Assign a content filter category profile.
    Command: esr(config-ips-category-rule)# ip http content-filter <NAME>
    Keys: <NAME> – name of the content filtering profile, specified as a string of up to 31 characters. any – the rule will trigger for http sites of any category.
  • Page 438
    Configure the DNS client on the ESR so that it can resolve the names of the IPS/IDS rule update sources:
    esr(config)# domain lookup enable
    esr(config)# domain name-server 8.8.8.8
    Create an IPS/IDS security policy:
    esr(config)# security ips policy OFFICE
    esr(config-ips-policy)# description "My Policy"
    esr(config-ips-policy)# protect network-group LAN
    Allow IPS/IDS operation on the bridge gigabitethernet 1/0/2 interface:
    esr(config)#...
  • Page 439
    We will drop packets:
    esr(config-ips-category-rule)# action drop
    Configure the attack message:
    esr(config-ips-category-rule)# meta log-message «Corporate policy violation»
    Specify the protocol type for the rule:
    esr(config-ips-category-rule)# protocol http
    For http requests, the operating system uses a random value as the TCP sender port, so you must specify any:
    esr(config-ips-category-rule)# source-port any
    Port 80 is usually used as the TCP destination port for the http protocol, but Internet sites can also work on non-standard ports, so we specify any:...
  • Page 440: "Antispam" Service Configuration

    13.9 "Antispam" service configuration
    Mail antispam, or spam filter, is a program for detecting and filtering unwanted e-mail messages that can come through corporate mail servers and public e-mail services (spam, mail phishing, etc.). The main task of the "Antispam" service is to detect such unwanted emails while they are still being delivered to the recipient's mailbox.
  • Page 441
    Description: Set the marking type for e-mails that the "Antispam" service classifies as "Spam".
    Command: esr(config-antispam-profile)# mark-type <MARK-TYPE>
    Keys: <MARK-TYPE> – the marking type of an email categorized as "Spam". Possible values:
    • header – add the X-Spam header to email headers;...
  • Page 442
    Description: Set the description of the email domain (optional).
    Command: esr(config-mailserver-domain)# description <DESCRIPTION>
    Keys: <DESCRIPTION> – up to 255 characters.
    Description: Set the name of the email domain to be served.
    Command: esr(config-mailserver-domain)# mail domain <NAME>
    Keys: <NAME> – up to 63 characters.
  • Page 443: Configuration Example

    Solution: Ensure that the MX record for the domain eltex-co.ru points to the ESR IP address:
    esr@eltex:~$ dig +noall +answer eltex-co.ru MX
    eltex-co.ru. 3548 mail-gate.eltex-co.ru.
    esr@eltex:~$ dig +noall +answer mail-gate.eltex-co.ru A
    mail-gate.eltex-co.ru. 3453...
  • Page 444 Create a mail domain, which will be configured to process emails for the eltex-co.ru domain and retransmit such emails to the local mail server. Add the "Antispam" service profile created above to the configuration of...
  • Page 445: Redundancy Management

    14 Redundancy management
    • VRRP configuration
      • Configuration algorithm
      • Configuration example 1
      • Configuration example 2
    • VRRP tracking configuration
      • Configuration algorithm
      • Configuration example
    14.1 VRRP configuration
    VRRP (Virtual Router Redundancy Protocol) is a network protocol designed for increased availability of routers acting as a default gateway.
  • Page 446
    Command: esr(config-if-gi)# ipv6 vrrp ip <IPV6-ADDR>
    Keys: <IPV6-ADDR> – virtual IPv6 address, defined as X:X:X:X::X where each part takes values in hexadecimal format [0..FFFF]. You can specify up to 8 IPv6 addresses separated by commas.
    Description: Set the VRRP router identifier.
  • Page 447
    Description: Set the number of gratuitous ARP messages that will be sent when switching the router to the Master status (optional).
    Command: esr(config-if-gi)# vrrp timers garp repeat <COUNT>
    Keys: <COUNT> – number of messages, takes values of [1..60]. Default value: 5.
  • Page 448: Configuration Example 1

    Description: Specify VRRP version (optional).
    Command: esr(config-if-gi)# vrrp version <VERSION>
    Keys: <VERSION> – VRRP version: 2, ...
    Description: Set the mode in which the VRRP IP address remains in the UP status regardless of the status of the interface itself (optional).
    Command: esr(config-if-gi)# vrrp force-up
    Description: Specify the delay between the ...
    Command: esr(config-if-gi)# ipv6 vrrp timers...
  • Page 449: Configuration Example 2

    Solution: First, do the following:
    • create the corresponding sub-interface;
    • configure a zone for the sub-interface;
    • specify an IP address for the sub-interface.
    Main configuration step: Configure router R1. Configure VRRP in the created sub-interface. Specify a unique VRRP identifier:
    R1(config)#interface 1/0/5.50
    R1(config-subif)# vrrp id...
  • Page 450
    Solution: First, do the following:
    • create the corresponding sub-interfaces;
    • configure a zone for the sub-interfaces;
    • specify IP addresses for the sub-interfaces.
    Main configuration step: Configure router R1. Configure VRRP for the 192.168.1.0/24 subnet in the created sub-interface. Specify a unique VRRP identifier:
    R1(config-sub)#interface 1/0/5.50...
  • Page 451: VRRP Tracking Configuration

    Enable VRRP:
    R1(config-subif)# vrrp
    R1(config-subif)# exit
    Configure VRRP for the 192.168.20.0/24 subnet in the created sub-interface. Specify a unique VRRP identifier:
    R1(config-sub)#interface 1/0/6.60
    R1(config-subif)# vrrp id
    Specify virtual gateway IP address 192.168.1.20:
    R1(config-subif)# vrrp ip 192.168.20.1
    Specify VRRP group identifier:
    R1(config-subif)# vrrp group
    Enable VRRP:
    R1(config-subif)# vrrp...
  • Page 452
    Description: Enable Tracking object.
    Command: esr(config-tracking)#enable...
  • Page 453
    Description: Create a static IP route to the specified subnet indicating the Tracking object.
    Command: esr(config)# ip route [ vrf <VRF> ] <SUBNET> { <NEXTHOP> [ resolve ] ...
    Keys: <VRF> – VRF name, set by the string of up to 31 characters.
  • Page 454
    • unreachable – when this keyword is specified, packets to this subnet are dropped by the device and the sender receives ICMP Destination Unreachable (Host unreachable, code 1) in response;
    • prohibit – when this keyword is specified, packets to this subnet are dropped...
  • Page 455: Configuration Example

    14.2.2 Configuration example
    Objective: Virtual gateway 192.168.0.1/24 is organized for the 192.168.0.0/24 subnet using the VRRP protocol and routers R1 and R2. There is a link with a single subnet 192.168.1.0/30 between routers R1 and R2. Subnet 10.0.1.0/24 is terminated only on router R2.
  • Page 456
    2 R2 router
    hostname R2
    interface gigabitethernet 1/0/1
     switchport forbidden default-vlan
    exit
    interface gigabitethernet 1/0/1.741
     ip firewall disable
     ip address 192.168.0.3/24
     vrrp id
     vrrp ip 192.168.0.1/24
     vrrp
    exit
    interface gigabitethernet 1/0/2
     switchport forbidden default-vlan
    exit
    interface gigabitethernet 1/0/2.742
     ip firewall disable
     ip address...
  • Page 457: Remote Access Configuration

    15 Remote access configuration
    • Configuring server for remote access to corporate network via PPTP protocol
      • Configuration algorithm
      • Configuration example
    • Configuring server for remote access to corporate network via L2TP protocol
      • Configuration algorithm
      •...
  • Page 458
    Description: Specify the IP address that should be listened on by the PPTP server.
    Command: esr(config-pptp-server)# outside-address { object-group <OBJ-GROUP-NETWORK-NAME> | ip-address <ADDR> | interface { <IF>...
    Keys: <OBJ-GROUP-NETWORK-NAME> – name of the profile having the IP address that should be listened on by the PPTP server, set by the string of up to 31 ...
  • Page 459
    Description: Select PPTP clients authentication mode.
    Command: esr(config-pptp-server)# authentication mode { local | radius }
    Keys:
    • local – user authentication by local base.
    • radius – user authentication by RADIUS server base. The router must be configured to interact with a RADIUS server, see section AAA RADIUS...
  • Page 460: Configuration Example

    Description: Define the list of DNS servers that will be used by remote users (optional).
    Command: esr(config-pptp-server)# dns-servers object-group <OBJ-GROUP-NETWORK-NAME>
    Keys: <OBJ-GROUP-NETWORK-NAME> – name of the IP addresses profile that includes the required DNS server addresses, set by the string of up to 31 characters.
  • Page 461
    Solution: Create an address profile that contains the address to be listened on by the server:
    esr# configure
    esr(config)# object-group network pptp_outside
    esr(config-object-group-network)# ip address-range 120.11.5.1
    esr(config-object-group-network)# exit
    Create an address profile that contains the local gateway address:
    esr(config)# object-group network pptp_local
    esr(config-object-group-network)# ip address-range 10.10.10.1
    esr(config-object-group-network)# exit...
  • Page 462: Configuring Server For Remote Access To Corporate Network Via L2TP Protocol

    Enable PPTP server:
    esr(config-pptp)# enable
    When the new configuration is applied, the router will listen on 120.11.5.1:1723.
    To view PPTP server session status, use the following command:
    esr# show remote-access status pptp server remote-workers
    To view PPTP server session counters, use the following command:
    esr# show remote-access counters pptp server remote-workers
    To clear PPTP server session counters, use the following command:
    esr# clear remote-access counters pptp server remote-workers...
  • Page 463
    Description: Specify the description of the configured server (optional).
    Command: esr(config-l2tp-server)# description <DESCRIPTION>
    Keys: <DESCRIPTION> – L2TP server description, set by the string of up to 255 characters.
    Description: Specify the IP address that should be listened on by the L2TP server.
    Command: esr(config-l2tp-server)# outside-...
    Keys: <OBJ-GROUP-NETWORK-...
  • Page 464
    Description: Select L2TP clients authentication mode.
    Command: esr(config-l2tp-server)# authentication mode { local | radius }
    Keys:
    • local – user authentication by local base.
    • radius – user authentication by RADIUS server base. The router must be configured to interact with a RADIUS server, see section...
  • Page 465
    Description: Specify a shared secret authentication key that should be the same for both parties of the tunnel.
    Command: esr(config-l2tp-server)# ipsec authentication pre-shared-key { ascii-text { <TEXT> | encrypted <ENCRYPTED-TEXT>...
    Keys: <TEXT> – string of [1..64] ASCII characters;
  • Page 466: Configuration Example

    15.2.2 Configuration example
    Objective: Configure an L2TP server on a router for remote user connection to the LAN. Authentication is performed on a RADIUS server.
    • L2TP server address: 120.11.5.1;
    • Gateway inside the tunnel: 10.10.10.1;
    • RADIUS server address: 192.168.1.4;
    For IPsec, the key authentication method is used: key – 'password'.
  • Page 467
    Create an address profile that contains the local gateway address:
    esr(config)# object-group network l2tp_local
    esr(config-object-group-network)# ip address-range 10.10.10.1
    esr(config-object-group-network)# exit
    Create an address profile that contains DNS servers:
    esr(config)# object-group network pptp_dns
    esr(config-object-group-network)# ip address-range 8.8.8.8
    esr(config-object-group-network)# ip address-range 8.8.4.4
    esr(config-object-group-network)# exit
    Create an L2TP server and map the profiles listed above:
    esr(config)# remote-access l2tp remote-workers...
  • Page 468: Configuring Server For Remote Access To Corporate Network Via OpenVPN Protocol

    To clear L2TP server session counters, use the following command:
    esr# clear remote-access counters l2tp server remote-workers
    To end the L2TP server session for user 'fedor', use one of the following commands:
    esr# clear remote-access session l2tp username fedor
    esr# clear remote-access session l2tp server remote-workers username fedor
    To view the L2TP server configuration, use the following command:
    esr# show remote-access configuration l2tp remote-workers...
  • Page 469
    Description: Define the type of connection with a private network via the OpenVPN server.
    Command: esr(config-openvpn-server)# tunnel <TYPE>
    Keys: <TYPE> – encapsulation protocol, takes the following values:
    • ip – point-to-point connection;
    • ethernet – L2 domain connection.
    Description: Specify the IP addresses list from which ...
    Command: esr(config-openvpn-server)# ...
    Keys: <FROM-ADDR>...
  • Page 470
    Description: Define the additional parameters for a specified OpenVPN server user (when using a local base for user ...
    Command: esr(config-openvpn-server)# username <NAME>
    Keys: <NAME> – user name, set by the string of up to 31 characters.
  • Page 471
    Description: Enable the advertising of specified subnets; the gateway is the OpenVPN server IP address (optional).
    Command: esr(config-openvpn-server)# route <ADDR/LEN>
    Keys: <ADDR/LEN> – subnet address, set in the following format: AAA.BBB.CCC.DDD/EE – network IP address with prefix mask, where AAA-DDD take values of [0..255] and EE takes values of [1..32].
  • Page 472: Configuration Example

    Description: Change the authentication algorithm for OpenVPN clients (optional).
    Command: esr(config-openvpn-server)# authentication algorithm <ALGORITHM>
    Keys: <ALGORITHM> – authentication algorithm:
    • 8-128 bits key size: md4, rsa-md4, md5, rsa-md5, mdc2, rsa-mdc2
    • 8-160 bits key size: sha, sha1, rsa-sha, rsa-sha1, rsa-sha1-2, dsa, dsa-sha, dsa-sha1, dsa-sha1-old,...
  • Page 473
    • Specify IP address for te1/0/1 interface
    Import certificates and keys via tftp:
    esr# copy tftp://192.168.16.10:/ca.crt certificate:ca/ca.crt
    esr# copy tftp://192.168.16.10:/dh.pem certificate:dh/dh.pem
    esr# copy tftp://192.168.16.10:/server.key certificate:server-key/server.key
    esr# copy tftp://192.168.16.10:/server.crt certificate:server-crt/server.crt
    esr# copy tftp://192.168.16.10:/ta.key certificate:ta/ta.key
    Create an OpenVPN server and a subnet for its operation:
    esr(config)# remote-access openvpn AP
    esr(config-openvpn)# network 10.10.100.0/24...
  • Page 474: Configuring Remote Access Client Via PPPoE

    esr# show remote-access status openvpn server AP
    To view OpenVPN server session counters, use the following command:
    esr# show remote-access counters openvpn server AP
    To clear OpenVPN server session counters, use the following command:
    esr# clear remote-access counters openvpn server AP
    To end the OpenVPN server session for user 'fedor', use one of the following commands:
    esr# clear remote-access session openvpn username fedor
    esr# clear remote-access session openvpn server AP username fedor...
  • Page 475
    Description: Specify the interface through which the PPPoE connection will be established.
    Command: esr(config-pppoe)# interface <IF>
    Keys: <IF> – interface or interface group.
    Description: Specify the user name and password for connection to the PPPoE server.
    Command: esr(config-pppoe)# username ...
    Keys: <NAME> – user name, set by ...
  • Page 476: Configuration Example

    Description: Specify the MTU size (Maximum Transmission Unit) for the PPPoE tunnel. An MTU above 1500 will be active only when using the 'system jumbo-frames' ...
    Command: esr(config-pppoe)# mtu <MTU>
    Keys: <MTU> – MTU value, takes values in the range of:
    • for ESR-10/12V(F)/14VF – ...
  • Page 477
    • Accounts for connection – tester;
    • Account passwords – password;
    • The connection should be established from the gigabitethernet 1/0/7 interface.
    Solution: Pre-configure the PPPoE server with the accounts. Enter the PPPoE client configuration mode and disable the firewall:
    esr# configure
    esr(config)# tunnel pppoe
    esr(config-pppoe)# ip firewall disable...
  • Page 478: Configuring Remote Access Client Via PPTP

    Specify the interface through which the PPPoE connection will be established:
    esr(config-pppoe)# interface gigabitethernet 1/0/7
    esr(config-pppoe)# enable
    To view the tunnel status, use the following command:
    esr# show tunnels configuration pppoe
    To view PPPoE client session counters, use the following command:
    esr# show tunnels counters pppoe
    15.5 Configuring remote access client via PPTP
    PPTP (Point-to-Point Tunneling Protocol) is a point-to-point tunneling protocol that allows establishing secure...
  • Page 479
    Description: Specify the MTU size (Maximum Transmission Unit) for the tunnel (optional).
    Command: esr(config-pptp)# mtu <MTU>
    Keys: <MTU> – MTU value, takes values in the range of:
    • for ESR-10/12V(F)/14VF – [552..9600];
    • for ESR-20/21 – [552..9500];
    • ESR-100/200/1000/1200/1500/1511/1700 – ...
  • Page 480: Configuration Example

    Description: Enable recording of the current tunnel usage statistics (optional).
    Command: esr(config-pptp)# history statistics
    Description: Change the time interval in seconds after which the router sends a keepalive ...
    Command: esr(config-pptp)# ppp timeout keepalive <TIME>
    Keys: <TIME> – time in seconds, ...
  • Page 481: Configuring Remote Access Client Via L2TP

    Solution: Create a PPTP tunnel:
    esr(config)# tunnel pptp
    Specify the account (user ivan) to connect to the server:
    esr(config-pptp)# username ivan password ascii-text simplepass
    Specify the remote gateway:
    esr(config-pptp)# remote address 20.20.0.1
    Specify a security zone:
    esr(config-pptp)# security-zone VPN
    Enable the PPTP tunnel:
    esr(config-pptp)# enable
    To view the tunnel status, use the following command:...
  • Page 482: Configuration Algorithm

    15.6.1 Configuration algorithm
    Description: Create an L2TP tunnel and switch to its configuration mode.
    Command: esr(config)# tunnel l2tp <INDEX>
    Keys: <INDEX> – tunnel identifier, set in the range of [1..10].
    Description: Specify the VRF instance in which the given ...
    Command: esr(config-l2tp)# ip vrf forwarding <VRF>...
  • Page 483
    Description: Specify a shared secret authentication key that should be the same for both parties of the tunnel.
    Command: esr(config-l2tp)# ipsec authentication pre-shared-key { ascii-text { <TEXT> | encrypted <ENCRYPTED-TEXT>...
    Keys: <TEXT> – string of [1..64] ASCII characters;
  • Page 484: Configuration Example

    Description: Change the time interval in seconds after which the router sends a keepalive message (optional).
    Command: esr(config-l2tp)# ppp timeout keepalive <TIME>
    Keys: <TIME> – time in seconds, takes values of [1..32767]. Default value: 10.
    Description: Change the number of failed data-link ...
    Command: esr(config-l2tp)# ppp failure-count <NUM>...
  • Page 485
    Specify the remote gateway:
    esr(config-l2tp)# remote address 20.20.0.1
    Specify a security zone:
    esr(config-l2tp)# security-zone VPN
    Specify the IPsec authentication method:
    esr(config-l2tp)# ipsec authentication method pre-shared-key
    Specify the IPsec security key:
    esr(config-l2tp)# ipsec authentication pre-shared-key ascii-text password
    Enable the L2TP tunnel:
    esr(config-l2tp)# enable
    To view the tunnel status, use the following command:
    esr# show tunnels status l2tp...
  • Page 486: Service Management

    16 Service management
    • DHCP server configuration
      • Configuration algorithm
      • Configuration example
    • Destination NAT configuration
      • Configuration algorithm
      • Destination NAT configuration example
    • Source NAT configuration
      • Configuration algorithm
      • Configuration example 1
      • Configuration example 2
    •...
  • Page 487
    Description: Create a pool of DHCP server IPv4/IPv6 addresses and switch to its configuration mode.
    Command: esr(config)# ip dhcp-server pool <NAME> [vrf <VRF>]
    esr(config)# ipv6 dhcp-server pool ...
    Keys: <NAME> – IPv4/IPv6 server profile name, set by the string of up to 31 characters. <VRF>...
  • Page 488
    Description: Add an IPv4/IPv6 address for a specific physical address to the address pool of the configured DHCP server (optional).
    Command: esr(config-dhcp-server)# address <ADDR> {mac-address <MAC> | client-identifier <CI>}
    Keys: <ADDR> – client IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255];...
  • Page 489
    Description: Specify the DNS server IPv4/IPv6 addresses list. The list is transmitted to clients as part of DHCP option 6 (optional).
    Command: esr(config-dhcp-server)# dns-server <ADDR>
    Keys: <ADDR> – DNS server IP address, defined as AAA.BBB.CCC.DDD where each ...
  • Page 490: Configuration Example

    Description: Specify vendor-specific information (DHCP Option 43).
    Command: esr(config-dhcp-vendor-id)# vendor-specific-options <HEX>
    esr(config-ipv6-dhcp-vendor-id)# vendor-specific-options <HEX>
    Keys: <HEX> – vendor-specific information, specified in hexadecimal format up to 128 symbols.
    Description: Specify the NetBIOS server IP address (DHCP option 44) (optional).
    Command: esr(config-dhcp-server)# netbios-...
    Keys: <ADDR> – NetBIOS server IP ...
  • Page 491
    • default route: 192.168.1.1;
    • domain name: eltex.loc;
    • DNS server list: DNS1: 172.16.0.1, DNS2: 8.8.8.8.
    esr(config-dhcp-server)# domain-name "eltex.loc"
    esr(config-dhcp-server)# default-router 192.168.1.1
    esr(config-dhcp-server)# dns-server 172.16.0.1,8.8.8.8
    esr(config-dhcp-server)# exit
    To enable IP address distribution from the configured pool by the DHCP server, an IP interface that belongs to the same subnet as the pool addresses should be created on the router.
  • Page 492: Destination NAT Configuration

    To enable DHCP message transmission to the server, create the respective port profiles including source port 68 and destination port 67 used by DHCP and create the allowing rule in the security policy for UDP packet transmission:
    esr(config)# object-group service dhcp_server
    esr(config-object-group-service)# port-range...
  • Page 493: Configuration Algorithm

    ESR-Series. User manual 16.2.1 Configuration algorithm Step Description Command Keys Switch to the configuration mode of esr(config)# nat destination destination address translation service. Create a pool of IP addresses and/or esr(config-dnat)# pool <NAME> <NAME> – NAT addresses pool TCP/UDP ports with a specific name name, set by the string of up to (optionally).
• Page 494
    Specify the service profile (TCP/UDP ports) of the sender or recipient for which the rule should work (optional). Command: esr(config-dnat-rule)# match [not] {source|destination}-port <PORT-SET-NAME>. Keys: <PORT-SET-NAME> – port profile name, set by a string of up to 31 characters. The value "any" matches any source TCP/UDP port.
• Page 495: Destination Nat Configuration Example

    16.2.2 Destination NAT configuration example
    Objective: Provide access from the public network, which belongs to the 'UNTRUST' zone, to a LAN server in the 'TRUST' zone. Server address in the LAN: 10.1.1.100. The server must be reachable from outside at address 1.2.3.4, port 80.
• Page 496
    Solution: Create the 'UNTRUST' and 'TRUST' security zones. Assign the network interfaces being used to the zones and assign IP addresses to the interfaces at the same time.
    esr# configure
    esr(config)# security zone UNTRUST
    esr(config-zone)# exit
    esr(config)# security zone TRUST
    esr(config-zone)# exit
    esr(config)# interface gigabitethernet...
• Page 497: Source Nat Configuration

    esr(config-dnat)# ruleset DNAT
    esr(config-dnat-ruleset)# from zone UNTRUST
    esr(config-dnat-ruleset)# rule
    esr(config-dnat-rule)# match destination-address NET_UPLINK
    esr(config-dnat-rule)# match protocol tcp
    esr(config-dnat-rule)# match destination-port SRV_HTTP
    esr(config-dnat-rule)# action destination-nat pool SERVER_POOL
    esr(config-dnat-rule)# enable
    esr(config-dnat-rule)# exit
    esr(config-dnat-ruleset)# exit
    esr(config-dnat)# exit
    To pass traffic from the 'UNTRUST' zone into the 'TRUST' zone, create the respective zone pair. Only DNAT-translated traffic whose destination address matches the 'SERVER_IP' profile should be permitted: the zone-pair rule sees the packet after translation, so it must match the server's private address rather than the public address 1.2.3.4.
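As an added illustration (not from the manual or from Eltex) of why the zone-pair rule has to match 'SERVER_IP' rather than the public address: the toy model below applies destination NAT first and then evaluates the zone-pair policy on the translated packet, as the text describes. The zone names, addresses and port are the manual's; the routing table, packet fields and rule classes are assumptions made for the example, not ESR internals.

```python
"""Toy model of the order described above: destination NAT first, then the
zone-pair policy on the translated packet.  Added example, not Eltex code.
Zones, addresses and port are from the manual's DNAT example; the routing
table and rule classes are assumptions for illustration."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed routing table: destination prefix -> zone it is routed into.
ROUTES = {
    "10.1.1.0/24": "TRUST",
    "1.2.3.4/32": "self",      # the router's own public address
    "0.0.0.0/0": "UNTRUST",
}


def zone_for(dst: str) -> str:
    """Longest-prefix lookup of the zone a destination is forwarded into."""
    addr = ip_address(dst)
    best = max((n for n in ROUTES if addr in ip_network(n)),
               key=lambda n: ip_network(n).prefixlen)
    return ROUTES[best]


def in_net(addr: str, net: str) -> bool:
    return net == "any" or ip_address(addr) in ip_network(net, strict=False)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int
    from_zone: str


@dataclass(frozen=True)
class DnatRule:
    """Counterpart of the 'nat destination' rule: match the public address and
    port on packets arriving from a zone and rewrite the destination."""
    from_zone: str
    match_dst: str
    match_proto: str
    match_dport: int
    pool_address: str

    def apply(self, pkt: Packet) -> Packet:
        if (pkt.from_zone == self.from_zone and in_net(pkt.dst, self.match_dst)
                and pkt.proto == self.match_proto
                and pkt.dport == self.match_dport):
            return replace(pkt, dst=self.pool_address)
        return pkt


@dataclass(frozen=True)
class ZonePairRule:
    """Counterpart of a 'security zone-pair' rule, evaluated on the packet as
    it looks after DNAT; the destination zone comes from routing."""
    from_zone: str
    to_zone: str
    match_dst: str              # "any" or a prefix
    match_proto: str            # "any" or a protocol name
    match_dport: Optional[int]  # None matches any port
    action: str                 # "permit" or "deny"

    def matches(self, pkt: Packet) -> bool:
        return (pkt.from_zone == self.from_zone
                and zone_for(pkt.dst) == self.to_zone
                and in_net(pkt.dst, self.match_dst)
                and self.match_proto in ("any", pkt.proto)
                and self.match_dport in (None, pkt.dport))


def forward(pkt: Packet, dnat: List[DnatRule],
            policy: List[ZonePairRule]) -> Tuple[str, Packet]:
    """DNAT first, then first-match zone-pair policy with an implicit deny."""
    for rule in dnat:
        pkt = rule.apply(pkt)
    for rule in policy:
        if rule.matches(pkt):
            return rule.action, pkt
    return "deny", pkt


# The manual's rule: UNTRUST -> 1.2.3.4 tcp/80 is translated to 10.1.1.100.
DNAT = [DnatRule("UNTRUST", "1.2.3.4/32", "tcp", 80, "10.1.1.100")]
# Wrong: the permit is written against the public address, which the packet
# no longer carries when the zone-pair policy runs, so nothing gets through.
POLICY_PUBLIC = [ZonePairRule("UNTRUST", "TRUST", "1.2.3.4/32", "tcp", 80, "permit")]
# Right: match the translated address ('SERVER_IP' in the manual's example).
POLICY_SERVER_IP = [ZonePairRule("UNTRUST", "TRUST", "10.1.1.100/32", "tcp", 80, "permit")]


def demo() -> dict:
    web = Packet("198.51.100.7", "1.2.3.4", "tcp", 80, "UNTRUST")
    ssh = Packet("198.51.100.7", "1.2.3.4", "tcp", 22, "UNTRUST")
    return {
        "web_public_rule": forward(web, DNAT, POLICY_PUBLIC)[0],
        "web_server_ip_rule": forward(web, DNAT, POLICY_SERVER_IP)[0],
        "ssh_server_ip_rule": forward(ssh, DNAT, POLICY_SERVER_IP)[0],
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```

The third case shows the other half of the point: a packet the DNAT rule does not match keeps the public destination, is routed to the router itself, and therefore never reaches the UNTRUST-TRUST zone pair at all.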
• Page 498
    Create a pool of IP addresses and/or TCP/UDP ports with a specific name (optional). Command: esr(config-snat)# pool <NAME>. Keys: <NAME> – NAT address pool name, set by a string of up to 31 characters.
    Set the range of IP addresses which will ... Command: esr(config-snat-pool)# ip address-... Keys: <IP>...
• Page 499
    Set the ruleset scope: the rules apply only to traffic going to a certain zone or interface. Command: esr(config-snat-ruleset)# to { zone <NAME> | interface <IF> | tunnel <TUN> | default }. Keys: <NAME> – security zone name; <IF>...
• Page 500: Configuration Example 1

    Specify the action "translate source address and port" for traffic meeting the "match" conditions. Command: esr(config-snat-rule)# action source-nat { off | pool <NAME> | netmap <ADDR/... Keys: off – translation is disabled; pool <NAME>...
• Page 501
    Solution: Begin by creating the security zones, configuring the network interfaces and assigning them to zones. Create the 'TRUST' zone for the LAN and the 'UNTRUST' zone for the public network.
    esr# configure
    esr(config)# security zone UNTRUST
    esr(config-zone)# exit
    esr(config)# security zone TRUST
    esr(config-zone)# exit
    esr(config)#...
• Page 502
    To pass traffic from the 'TRUST' zone into the 'UNTRUST' zone, create a zone pair and add rules permitting traffic in this direction. In addition, the rule checks that the source address belongs to the 'LOCAL_NET' range, so that only that range gets access to the public network.
• Page 503: Configuration Example 2

    16.3.3 Configuration example 2
    Objective: Provide access for users in LAN 21.12.2.0/24 to the public network using Source NAT without the firewall. Public address range for SNAT: 200.10.0.100-200.10.0.249.
    Solution: Begin with network interface configuration and disabling the firewall (an interface with the firewall disabled gets no stateful filtering of the traffic passing through it):
    esr(config)# interface gigabitethernet...
• Page 504: Static Nat Configuration

    esr(config-snat)# ruleset SNAT
    esr(config-snat-ruleset)# to interface te1/0/1
    esr(config-snat-ruleset)# rule
    esr(config-snat-rule)# match source-address LOCAL_NET
    esr(config-snat-rule)# action source-nat pool TRANSLATE_ADDRESS
    esr(config-snat-rule)# enable
    esr(config-snat-rule)# exit
    esr(config-snat-ruleset)# exit
    For the router to respond to ARP requests for addresses from the public pool, enable the ARP Proxy service.
• Page 505
    Solution: Begin with network interface configuration and disabling the firewall:
    esr(config)# interface gigabitethernet 1/0/1
    esr(config-if-gi)# ip address 21.12.2.1/24
    esr(config-if-gi)# ip firewall disable
    esr(config-if-gi)# exit
    esr(config)# interface tengigabitethernet 1/0/1
    esr(config-if-te)# ip address 200.10.0.1/24
    esr(config-if-te)# ip firewall disable
    esr(config-if-te)# exit
    For Static NAT, create the 'LOCAL_NET' LAN address profile containing the local subnet, and the 'PUBLIC_POOL' public network address profile.
• Page 506: Http/Https Traffic Proxying

    Configure the Static NAT service in SNAT configuration mode. In the ruleset attributes, specify that the rules apply only to packets sent to the public network through port te1/0/1. The rules check that the source address belongs to 'LOCAL_NET' and the destination address belongs to 'PUBLIC_POOL'...
• Page 507
    Create a proxy profile. Command: esr(config)# ip http profile <NAME>. Keys: <NAME> – profile name.
    Choose the default action. Command: esr(config-profile)# default action {deny|permit|redirect} [redirect-url <URL>]. Keys: <URL> – address of the host to which requests will be redirected.
    Specify a description (optional).
• Page 508
    Add the necessary services (TCP/UDP ports) to the list. Command: esr(config-object-group-service)# port-range 3128-3135. The ESR proxy uses the ports starting from the base port defined in step 10: the HTTP proxy listens on ports from the base port to base port + (number of CPUs of this ESR model) - 1...
• Page 509: Http Proxy Configuration Example

    If the Firewall function on the ESR is not explicitly disabled, you must create a permit rule for the self zone.
    16.5.2 HTTP proxy configuration example
    Objective: Organise URL filtering for a number of addresses using a proxy.
    Solution: Create a set of URLs to filter by.
• Page 510: Configuration Algorithm

    Create a profile:
    esr(config)# ip http profile list1
    esr(config-profile)# default action permit
    esr(config-profile)# urls local test1 action redirect redirect-url http://test.loc
    esr(config-profile)# exit
    Enable proxying on the interface with profile 'list1':
    esr(config)# interface 1/0/1
    esr(config-if)# ip http proxy list1
    esr(config-if)# ip https proxy list1
    If the Firewall is in use, create permit rules for it. For example, the ESR-20 has 4 CPUs, so with base port 3128 the proxy occupies ports 3128-3131...
• Page 511
    Set the authentication key (optional). Command: esr(config-ntp)# key <ID>. Keys: <ID> – key identifier, in the range [1..255].
    Set the maximum interval between messages sent to the NTP server. Command: esr(config-ntp)# maxpoll <INTERVAL>. Keys: <INTERVAL> – maximum value of the poll...
• Page 512: Configuration Example

    Set the DSCP value used in the IP headers of NTP server egress packets (optional). Command: esr(config)# ntp dscp <DSCP>. Keys: <DSCP> – DSCP value in the range [0..63]. Default value: 46.
    Enable query-only mode that limits ... Command: esr(config)# ntp object-... Keys: <NAME>...
• Page 513
    First, do the following:
    • specify the security zone for the gi1/0/1 interface;
    • configure the IP address of the gi1/0/1 interface to provide IP connectivity to the NTP server.
    Example:
    security zone untrust
    exit
    object-group service NTP
    port-range
    exit
    interface...
• Page 514
    esr# show ntp peers...
• Page 515: Monitoring

    17 Monitoring
    • Netflow configuration
      • Configuration algorithm
      • Configuration example
    • sFlow configuration
      • Configuration algorithm
      • Configuration example
    • SNMP configuration
      • Configuration algorithm
      • Configuration example
    • Zabbix-agent/proxy configuration
      • Configuration algorithm
      • Zabbix-agent configuration example
    • ...
• Page 516: Configuration Example

    Set the rate at which statistics are sent to the Netflow collector. Command: esr(config)# netflow refresh-rate <RATE>. Keys: <RATE> – statistics sending rate in packets/flow, takes values [1..10000]. Default value: 10.
    Enable Netflow on the router.
• Page 517: Sflow Configuration

    2 Main configuration step:
    Specify the collector IP address:
    esr(config)# netflow collector 10.10.0.2
    Enable Netflow statistics export for the gi1/0/1 network interface:
    esr(config)# interface gigabitethernet 1/0/1
    esr(config-if-gi)# ip netflow export
    Enable Netflow on the router:
    esr(config)# netflow enable
    To view Netflow statistics, use the following command:
    esr# show netflow statistics
    Netflow configuration for traffic accounting between zones is performed by analogy with the sFlow configuration;...
• Page 518: Configuration Example

    Create the sFlow collector and switch to its configuration mode. Command: esr(config)# sflow collector <ADDR>. Keys: <ADDR> – collector IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255].
    Enable statistics sending to the sFlow server in interface/tunnel/bridge configuration mode. Command: esr(config-if-gi)# ip sflow export.
• Page 519
    esr(config)# interface gi1/0/1
    esr(config-if-gi)# security-zone UNTRUSTED
    esr(config-if-gi)# ip address 10.10.0.1/24
    esr(config-if-gi)# exit
    esr(config)# interface gi1/0/2-3
    esr(config-if-gi)# security-zone TRUSTED
    esr(config-if-gi)# exit
    esr(config)# interface gi1/0/2
    esr(config-if-gi)# ip address 192.168.1.5/24
    esr(config-if-gi)# exit
    esr(config)# interface gi1/0/3
    esr(config-if-gi)# ip address 192.168.3.5/24
    esr(config-if-gi)# exit
    Specify the collector IP address:
    esr(config)# sflow collector 192.168.1.8...
• Page 520: Snmp Configuration

    Enable sFlow statistics export for all traffic matched by 'rule1' in the TRUSTED-UNTRUSTED direction:
    esr(config)# security zone-pair TRUSTED UNTRUSTED
    esr(config-zone-pair)# rule
    esr(config-zone-pair-rule)# action sflow-sample
    esr(config-zone-pair-rule)# match protocol any
    esr(config-zone-pair-rule)# match source-address any
    esr(config-zone-pair-rule)# match destination-address any
    esr(config-zone-pair-rule)# enable
    Enable sFlow on the router:
    esr(config)# sflow enable
    sFlow configuration for traffic accounting from an interface is performed by analogy with...
• Page 521
    Specify the community for access via SNMPv2c. Command: esr(config)# snmp-server community <COMMUNITY> [<TYPE>] [{<IP-ADDR> | <IPV6-ADDR>}] [client-list <OBJ-GROUP-NETWORK-NAME>... Keys: <COMMUNITY> – community for access via SNMP; <TYPE> – access level:... Note that an SNMPv2c community is sent in cleartext and is the only credential, so restrict the accepted sources with the address or client-list arguments.
• Page 522
    Create an SNMPv3 user. Command: esr(config)# snmp-server user <NAME>. Keys: <NAME> – user name, set by a string of up to 31 characters.
    Set the value of the SNMP variable containing information on the device location. Command: esr(config)# snmp-server location <LOCATION>. Keys: <LOCATION> – information...
• Page 523
    Enable filtering and set the profile of IP addresses from which SNMPv3 packets with the given SNMPv3 user name are accepted. Command: esr(config-snmp-user)# client-list <NAME>. Keys: <NAME> – name of a previously created network object-group, specified as a string of...
• Page 524: Configuration Example

    Enable transmission of SNMP notifications to the specified IP address and switch to SNMP notification configuration mode. Command: esr(config)# snmp-server host {<IP-ADDR> | <IPV6-ADDR>} [vrf <VRF>]. Keys: <IP-ADDR> – IP address defined as AAA.BBB.CCC.DDD where each part takes values of...
• Page 525
    Solution: First, do the following:
    • specify the zone for the gi1/0/1 interface;
    • configure the IP address of the gi1/0/1 interface.
    Main configuration step:
    Enable the SNMP server:
    esr(config)# snmp-server
    Create an SNMPv3 user:
    esr(config)# snmp-server user admin...
• Page 526: Zabbix-Agent/Proxy Configuration

    Specify the security mode:
    esr(snmp-user)# authentication access priv
    Specify the authentication algorithm for SNMPv3 requests:
    esr(snmp-user)# authentication algorithm md5
    Set the password for SNMPv3 request authentication:
    esr(snmp-user)# authentication key ascii-text 123456789
    Specify the encryption algorithm for transmitted data:
    esr(snmp-user)# privacy algorithm aes128
    Set the password for encryption of transmitted data:
    esr(snmp-user)# privacy key ascii-text 123456789...
    The MD5 algorithm and the nine-digit key reused for both authentication and privacy are placeholders for the example; in production use a stronger authentication algorithm where the firmware offers one, and long, distinct keys for authentication and privacy.
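Added example (not from the manual or from Eltex) of what the two `ascii-text` keys above become on the wire side: the standard USM password-to-key and key-localisation steps from RFC 3414 Appendix A. The password 'maplesyrup' and the engine ID ending in 02 are the RFC's published test vectors, used here to check the implementation; a real ESR's snmpEngineID is device-specific and not given in the manual, so the keys computed for the manual's password 123456789 are illustrative only.

```python
"""Added example (not Eltex code): how the SNMPv3 'ascii-text' keys configured
above turn into the keys the USM actually uses.  Implements the RFC 3414
Appendix A password-to-key algorithm and key localisation with the agent's
snmpEngineID.  'maplesyrup' and the engine ID 00..02 are the RFC's published
test vectors; a real ESR's engine ID is device-specific and not in the manual."""
import hashlib

ONE_MEBIBYTE = 1_048_576
RFC3414_ENGINE_ID = bytes.fromhex("000000000000000000000002")


def password_to_ku(password: str, hashname: str) -> bytes:
    """RFC 3414 A.2: hash the password repeated to exactly 1,048,576 octets."""
    pw = password.encode("ascii")
    if not pw:
        raise ValueError("empty password")
    stream = (pw * (ONE_MEBIBYTE // len(pw) + 1))[:ONE_MEBIBYTE]
    return hashlib.new(hashname, stream).digest()


def localize(ku: bytes, engine_id: bytes, hashname: str) -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku).  The same password gives a different
    key on every agent, which is why a key recovered from one device does not
    work against another."""
    return hashlib.new(hashname, ku + engine_id + ku).digest()


def localized_key(password: str, engine_id: bytes, hashname: str = "md5") -> bytes:
    return localize(password_to_ku(password, hashname), engine_id, hashname)


def rfc3414_vectors() -> dict:
    """Appendix A.3 results for 'maplesyrup' (MD5 and SHA-1), as hex."""
    return {
        "md5": localized_key("maplesyrup", RFC3414_ENGINE_ID, "md5").hex(),
        "sha1": localized_key("maplesyrup", RFC3414_ENGINE_ID, "sha1").hex(),
    }


def manual_example_keys(engine_id: bytes = RFC3414_ENGINE_ID):
    """The manual's settings: md5 authentication and aes128 privacy, both with
    the password 123456789.  The privacy key is derived with the authentication
    hash (RFC 3826), so with one shared password it is simply the first 16
    octets of the authentication key: whoever recovers one has the other."""
    auth_key = localized_key("123456789", engine_id, "md5")
    priv_key = localized_key("123456789", engine_id, "md5")[:16]  # AES-128 key
    return auth_key, priv_key


if __name__ == "__main__":
    for name, key in rfc3414_vectors().items():
        print(f"{name}: {key}")
    auth, priv = manual_example_keys()
    print("auth:", auth.hex())
    print("priv:", priv.hex(), "(prefix of auth)" if auth[:16] == priv else "")
```

The 1 MiB repetition step is the only work factor in the scheme, so a short numeric password such as the one in the example is cheap to brute-force offline from a single captured authenticated message once the engine ID (which travels in cleartext) is known.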
• Page 527
    Specify the host name (optional). Command: esr(config-zabbix)# hostname <WORD>; esr(config-zabbix-proxy)# hostname <WORD>. Keys: <WORD> – host name, set by a string of up to 255 characters. For active mode, the name must match the host name configured on the Zabbix server.
  • Page 528: Zabbix-Agent Configuration Example

    ESR-Series. User manual Step Description Command Keys Specify the processing time for remote esr(config-zabbix)# timeout <TIME> – timeout, takes value commands (optionally). <TIME> in seconds [1..30]. esr(config-zabbix-proxy)# timeout Default value: 3. It is <TIME> recommended to set the maximum value since some commands may take longer than the default.
• Page 529: Zabbix-Server Configuration Example

    esr(config-zabbix)# timeout
    esr(config-zabbix)# enable
    17.4.3 Zabbix-server configuration example
    Create the host:...
• Page 530
    Create the script (Administration -> Scripts -> Create Script). ESR routers support execution of the following privileged commands:
    • Ping:
    zabbix_get -s {HOST.CONN} -p 10050 -k "system.run[sudo ping -c 3 192.168.32.101]"
    The client (ESR) that receives this command from the server runs ping to the specified host (192.168.32.101 in this example) and returns the result to the server. Because system.run lets the server execute commands on the router, the firewall rule that admits Zabbix traffic to the agent port (TCP 10050) should accept it only from the Zabbix server.
• Page 531
    • Fping in a VRF:
    zabbix_get -s {HOST.CONN} -p 10050 -k "system.run[sudo netns-exec -n backup sudo fping 192.168.32.101]"
    • Traceroute:
    zabbix_get -s {HOST.CONN} -p 10050 -k "system.run[sudo traceroute 192.168.32.101]"
    The client (ESR) that receives this command from the server runs traceroute to the specified host (192.168.32.101 in this example) and returns the result to the server.
• Page 532: Syslog Configuration

    Iperf command execution example (shown as a screenshot in the manual).
    It is also possible to execute commands that do not require privileges, such as snmpget, cat, pwd, wget and others.
    Example of snmpget command execution (shown as a screenshot in the manual).
    17.5 Syslog configuration
    Syslog (system log) is a standard for sending and recording messages about events occurring in the system; it is used in IP networks.
• Page 533: Configuration Algorithm

    17.5.1 Configuration algorithm
    Set the level of syslog messages that will be sent to the SNMP server as SNMP traps. Command: esr(config)# syslog snmp <SEVERITY>. Keys: <SEVERITY> – message importance level, takes values (in order of decreasing importance): ...
    Set the level of syslog messages that...
• Page 534
    Set the maximum number of files kept during rotation (optional). Command: esr(config)# syslog max-files <NUM>. Keys: <NUM> – maximum number of files, takes values [1..1000].
    Enable sending of syslog messages ... Command: esr(config)# syslog host <HOSTNAME>...
• Page 535: Configuration Example

    Enable logging of changes to user settings (optional). Command: esr(config)# logging userinfo.
    17.5.2 Configuration example
    Objective: Configure message sending for the following system events:
    • failed user authentication;
    • changes to the logging system configuration;
    • ...
• Page 536: Integrity Check

    Enable logging of failed authentication attempts:
    esr(config)# logging login on-failure
    Enable logging of syslog configuration changes:
    esr(config)# logging syslog configuration
    Enable logging of system process start/stop:
    esr(config)# logging service start-stop
    Enable logging of changes to user profiles:
    esr(config)# logging userinfo
    The configuration changes take effect after the following commands are applied:
    esr# commit...
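Added example (not from the manual or from Eltex) of what a collector can do with the messages the configuration above makes the router send: parse BSD-syslog lines and raise an alert when one source address produces a burst of failed logins. The manual does not show the ESR's message texts, so the sample lines are constructed in RFC 3164 layout with invented wording; only the two regular expressions need adapting to the real format.

```python
"""Added example (not Eltex code): detection logic for the 'logging login
on-failure' events enabled above.  The ESR's message texts are not given in
the manual, so the sample lines are constructed in RFC 3164 layout with
invented wording; adapt the regular expressions to the real format."""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Optional

# <PRI>Mmm dd hh:mm:ss host tag: message   (RFC 3164 layout)
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<tag>[^:]+): (?P<msg>.*)$")
# Constructed wording for the failed-login event.
FAILED_LOGIN_RE = re.compile(
    r"login failed for user '(?P<user>[^']+)' from (?P<src>\d+(?:\.\d+){3})")

# Constructed sample, not real ESR output.  PRI 84 = authpriv(10)*8 + warning(4).
SAMPLE_LOG = [
    "<84>Jun 29 10:00:01 esr-1 AUTH: login failed for user 'admin' from 203.0.113.9",
    "<84>Jun 29 10:00:05 esr-1 AUTH: login failed for user 'admin' from 203.0.113.9",
    "<84>Jun 29 10:00:12 esr-1 AUTH: login failed for user 'root' from 203.0.113.9",
    "<86>Jun 29 10:00:20 esr-1 AUTH: login succeeded for user 'oper' from 192.168.1.20",
    "<84>Jun 29 10:00:31 esr-1 AUTH: login failed for user 'oper' from 198.51.100.5",
    "<86>Jun 29 10:01:02 esr-1 CONFIG: syslog configuration changed by user 'oper'",
    "<84>Jun 29 10:02:30 esr-1 AUTH: login failed for user 'admin' from 203.0.113.9",
]


def parse(line: str, year: int = 2021) -> Optional[dict]:
    """Split one BSD-syslog line; None for anything that does not match."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    pri = int(m["pri"])
    ts = datetime.strptime(f"{m['ts']} {year}", "%b %d %H:%M:%S %Y")
    return {"facility": pri >> 3, "severity": pri & 7, "ts": ts,
            "host": m["host"], "tag": m["tag"], "msg": m["msg"]}


def failed_logins_by_source(lines: List[str], window_seconds: int = 60) -> Dict[str, int]:
    """For each source IP, the largest number of failures inside any sliding
    window of window_seconds.  A burst trips the threshold; a slow trickle
    spread over minutes does not."""
    stamps: Dict[str, List[datetime]] = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        m = FAILED_LOGIN_RE.search(rec["msg"])
        if m:
            stamps[m["src"]].append(rec["ts"])
    peaks: Dict[str, int] = {}
    for src, times in stamps.items():
        times.sort()
        best = start = 0
        for end, t in enumerate(times):
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        peaks[src] = best
    return peaks


def bruteforce_sources(lines: List[str], threshold: int = 3,
                       window_seconds: int = 60) -> List[str]:
    """Source addresses that reached `threshold` failures within one window."""
    peaks = failed_logins_by_source(lines, window_seconds)
    return sorted(src for src, n in peaks.items() if n >= threshold)


if __name__ == "__main__":
    print("failures per source:", failed_logins_by_source(SAMPLE_LOG))
    print("brute-force suspects:", bruteforce_sources(SAMPLE_LOG))
```

The fourth failure from 203.0.113.9 arrives more than a minute after the third, so it does not extend the burst; the sliding window is what keeps a handful of genuine typos over a working day from paging anyone.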
• Page 537: Configuration Example

    17.6.2 Configuration example
    Objective: Check file system integrity.
    Solution: Run the integrity check:
    esr# verify filesystem
    Filesystem Successfully Verified
    17.7 Router configuration file archiving
    ESR routers can copy the configuration file locally and/or to a remote location, by timer or when the configuration is applied.
• Page 538: Configuration Example

    Set the period for automatic configuration backup (optional, relevant only for auto mode). Command: esr(config-archive)# time-period <TIME>. Keys: <TIME> – period of automatic configuration backup in minutes, takes values [1..35791394]. Default value: 720 minutes.
    Set the maximum number of locally ... Command: esr(config-archive)# count-backup...
• Page 539
    Set local and remote configuration backup mode:
    esr(config)# type both
    Configure the path for remote configuration backups and the maximum number of local backups:
    esr(config-archive)# path tftp://172.16.252.77:/esr-example/esr-example.cfg
    esr(config-archive)# count-backup
    Set the interval for configuration backup when there are no changes:
    esr(config-archive)# time-period 1440
    Enable archiving of the router configuration by timer and upon successful configuration change:...
    Note that TFTP provides neither authentication nor encryption, and the archived configuration carries credentials (for example RADIUS/DAS keys and SNMP keys), so the backup path should stay on a management network that untrusted hosts cannot reach.
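Added example (not from the manual or from Eltex) of two things worth doing with the archived configurations the commands above produce: diff consecutive backups to flag security-relevant changes, and redact the key material a backup carries before it travels over TFTP. The two sample configurations are constructed from command syntax shown in this manual; the 'rw' community type and the SENSITIVE patterns are assumptions for the example.

```python
"""Added example (not Eltex code): review consecutive configuration backups
for security-relevant changes, and redact secrets before a copy leaves the
device over an unauthenticated, unencrypted channel such as TFTP.  Sample
configurations are constructed from syntax shown in the manual; the 'rw'
community type and the SENSITIVE patterns are assumptions."""
import difflib
import re
from typing import List, Tuple

SENSITIVE = re.compile(
    r"\b(key ascii-text|snmp-server community|password|authentication key|privacy key)\b")
# 'key ascii-text <value>' and 'key ascii-text encrypted <value>' both hide their last token.
SECRET_VALUE = re.compile(r"(ascii-text(?: encrypted)?) \S+")

CONFIG_BEFORE = """\
hostname esr
snmp-server
snmp-server user admin
  authentication access priv
  authentication algorithm md5
  authentication key ascii-text 123456789
interface gigabitethernet 1/0/1
  security-zone TRUST
  ip address 192.168.1.1/24
das-server CoA
  key ascii-text encrypted 8CB5107EA7005AFF
"""

CONFIG_AFTER = """\
hostname esr
snmp-server
snmp-server community public rw
snmp-server user admin
  authentication access priv
  authentication algorithm md5
  authentication key ascii-text 123456789
interface gigabitethernet 1/0/1
  security-zone TRUST
  ip address 192.168.1.1/24
  ip firewall disable
das-server CoA
  key ascii-text encrypted 8CB5107EA7005AFF
"""


def _lines(text: str) -> List[str]:
    return [ln.rstrip() for ln in text.splitlines() if ln.strip()]


def config_diff(old: str, new: str) -> Tuple[List[str], List[str]]:
    """(added, removed) configuration lines, whitespace-trimmed."""
    added, removed = [], []
    for d in difflib.ndiff(_lines(old), _lines(new)):
        if d.startswith("+ "):
            added.append(d[2:].strip())
        elif d.startswith("- "):
            removed.append(d[2:].strip())
    return added, removed


def review(old: str, new: str) -> List[Tuple[str, str]]:
    """Findings a change-review job would raise for the two backups."""
    added, removed = config_diff(old, new)
    findings = []
    for ln in added:
        if SENSITIVE.search(ln):
            findings.append(("credential added", ln))
        if ln == "ip firewall disable":
            findings.append(("firewall disabled", ln))
    for ln in removed:
        if SENSITIVE.search(ln):
            findings.append(("credential removed", ln))
    return findings


def redact(text: str) -> str:
    """Mask key material so a copy can be shared or stored off-box."""
    return SECRET_VALUE.sub(r"\1 <redacted>", text)


if __name__ == "__main__":
    for kind, line in review(CONFIG_BEFORE, CONFIG_AFTER):
        print(f"{kind}: {line}")
    print(redact(CONFIG_AFTER))
```

Redaction masks the value after `ascii-text`, whether or not it is prefixed with `encrypted`: the manual's `encrypted` form is a reversible device-side encoding, not a hash, so it needs the same handling as a cleartext key.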
• Page 540: Bras (Broadband Remote Access Server) Management

    18 BRAS (Broadband Remote Access Server) management
    • Configuration algorithm
    • Example of configuration with SoftWLC
    • Example of configuration without SoftWLC
    18.1 Configuration algorithm
    Add a RADIUS server to the list of used ... Command: esr(config)# radius-server host <IP-ADDR>...
• Page 541
    Set the password for authentication on the remote DAS server. Command: esr(config-das-server)# key ascii-text {<TEXT> | encrypted <ENCRYPTED-TEXT>}. Keys: <TEXT> – string of [8..16] ASCII characters; <ENCRYPTED-TEXT> – encrypted password of [8..16] bytes, set by a string of [16..32] characters.
• Page 542
    Bind the specified QoS class to the default service. Command: esr(config-subscriber-default-service)# class-map <NAME>. Keys: <NAME> – name of the class being bound, set by a string of up to 31 characters.
    Specify the name of the URL list that will ... Command: esr(config-subscriber-default-... Keys: <LOCAL-NAME>...
• Page 543
    Enable session authentication by IP address (optional). Command: esr(config-subscriber-control)# session ip-authentication.
    Enable transparent transmission of backup traffic for BRAS (optional). Command: esr(config-subscriber-control)# backup traffic-processing transparent.
    Specify the interval after which currently unused URL lists will be ... Command: esr(config)# subscriber-control unused-filters-remove-delay ... Keys: <DELAY> – time interval in seconds, takes values of...
• Page 544: Example Of Configuration With Softwlc

    Enable application control on the interface (optional). Command: esr(config-if-gi)# subscriber-control application-filter <NAME>. Keys: <NAME> – application profile name, set by a string of up to 31 characters.
    Set/clear the upper bound of BRAS ... Command: esr(config-subscriber-control)# ... Keys: <Threshold>...
• Page 545
    Create three security zones according to the network structure:
    esr# configure
    esr(config)# security zone trusted
    esr(config-zone)# exit
    esr(config)# security zone untrusted
    esr(config-zone)# exit
    esr(config)# security zone dmz
    esr(config-zone)# exit
    Configure the public port parameters and assign its default gateway:
    esr(config)# interface gigabitethernet...
• Page 546
    Location parameter (see bridge 2 configuration). The module responsible for AAA operations is based on eltex-radius and is reachable at the SoftWLC IP address. The authentication and accounting port numbers in the example below are the SoftWLC defaults.
• Page 547
    Specify access parameters for the DAS server (RADIUS Dynamic Authorization, i.e. the CoA/Disconnect peer on UDP port 3799):
    esr(config)# object-group network server
    esr(config-object-group-network)# ip address-range 192.0.2.20
    esr(config-object-group-network)# exit
    esr(config)# das-server CoA
    esr(config-das-server)# key ascii-text password
    esr(config-das-server)# port 3799
    esr(config-das-server)# clients object-group server
    esr(config-das-server)# exit
    esr(config)# aaa das-profile CoA
    esr(config-aaa-das-profile)# das-server CoA
    esr(config-aaa-das-profile)# exit...
    The key 'password' is a placeholder. A peer holding this key can disconnect or re-authorise subscriber sessions, so use a real secret and keep the 'clients' restriction to the SoftWLC address, as the example does.
• Page 548
    Specify web resources that are available without authorisation:
    esr(config)# object-group url defaultservice
    esr(config-object-group-url)# url http://eltex.nsk.ru
    esr(config-object-group-url)# exit
    The URL filtering lists are kept on the SoftWLC server (change only the SoftWLC server IP address if your addressing differs from the example; leave the rest of the URL unchanged):
    esr(config)# subscriber-control filters-server-url http://192.0.2.20:7070/Filters/file/...
• Page 549
    Configure rules for transitions between security zones:
    esr(config)# object-group service telnet
    esr(config-object-group-service)# port-range
    esr(config-object-group-service)# exit
    esr(config)# object-group service ssh
    esr(config-object-group-service)# port-range
    esr(config-object-group-service)# exit
    esr(config)# object-group service dhcp_server
    esr(config-object-group-service)# port-range
    esr(config-object-group-service)# exit
    esr(config)# object-group service dhcp_client
    esr(config-object-group-service)# port-range
    esr(config-object-group-service)# exit
    esr(config)# object-group service ntp
    esr(config-object-group-service)#...
• Page 550
    Enable access to the Internet from the trusted and dmz zones:
    esr(config)# security zone-pair trusted untrusted
    esr(config-zone-pair)# rule
    esr(config-zone-pair-rule)# action permit
    esr(config-zone-pair-rule)# match protocol any
    esr(config-zone-pair-rule)# match source-address any
    esr(config-zone-pair-rule)# match destination-address any
    esr(config-zone-pair-rule)# enable
    esr(config-zone-pair-rule)# exit
    esr(config-zone-pair)# exit
    esr(config)# security zone-pair dmz untrusted
    esr(config-zone-pair)# rule
    esr(config-zone-pair-rule)# action permit...
• Page 551
    Enable ICMP transmission to the device. For BRAS operation, open the web proxying ports TCP 3129/3128 (NetPortDiscovery port / Active API Server port):
    esr(config)# object-group service bras
    esr(config-object-group-service)# port-range 3129
    esr(config-object-group-service)# port-range 3128
    esr(config-object-group-service)# exit
    esr(config)# security zone-pair trusted self
    esr(config-zone-pair)#...
• Page 552: Example Of Configuration Without Softwlc

    Configure SNAT for the gigabitethernet 1/0/1 port:
    esr(config)# nat source
    esr(config-snat)# ruleset inet
    esr(config-snat-ruleset)# to interface gigabitethernet 1/0/1
    esr(config-snat-ruleset)# rule
    esr(config-snat-rule)# match source-address any
    esr(config-snat-rule)# action source-nat interface
    esr(config-snat-rule)# enable
    esr(config-snat-rule)# end
    18.3 Example of configuration without SoftWLC
    Objective: Configure BRAS without SoftWLC support.
• Page 553
    # Service name for a session (A – the service is enabled, N – the service is disabled)
    Cisco-Account-Info = "{A|N}<SERVICE_NAME>"
    Service profile:
    <SERVICE_NAME> Cleartext-Password := <MACADDR>
    # Matches the class-map name in the ESR settings
    Cisco-AVPair = "subscriber:traffic-class=<CLASS_MAP>",
    # Action the ESR applies to the traffic (permit, deny, redirect)
    Cisco-AVPair = "subscriber:filter-default-action=<ACTION>",
    # Whether IP flows are passed (enabled-uplink, enabled-downlink, enabled, disabled)
    Cisco-AVPair =...
• Page 554
    Step 2: ESR configuration. BRAS functionality requires the BRAS licence:
    esr(config)# sh licence
    Licence information
    -------------------
    Name:    Eltex
    Version:
    Type:    ESR-X
    S/N:     NP00000000
    MAC:     XX:XX:XX:XX:XX:XX
    Features:
      BRAS – Broadband Remote Access Server
    Configure the parameters for interaction with the RADIUS server:
    esr(config)# radius-server host 192.168.1.2...
• Page 555
    Specify the DAS server parameters:
    esr(config)# das-server das
    esr(config-das-server)# key ascii-text encrypted 8CB5107EA7005AFF
    esr(config-das-server)# exit
    esr(config)# aaa das-profile bras_das
    esr(config-aaa-das-profile)# das-server das
    esr(config-aaa-das-profile)# exit
    esr(config)# vlan
    esr(config-vlan)# exit
    Then create the rules for redirecting to the portal and passing traffic to the Internet:
    esr(config)# ip access-list extended BYPASS
    esr(config-acl)# rule...
• Page 556
    URL filtering configuration is mandatory: configure HTTP proxy filtering on the BRAS for unauthorised users:
    esr(config)# object-group url defaultserv
    esr(config-object-group-url)# url http://eltex.nsk.ru
    esr(config-object-group-url)# url http://ya.ru
    esr(config-object-group-url)# url https://ya.ru
    esr(config-object-group-url)# exit
    Configure and enable BRAS, defining the NAS IP as the address of the interface that communicates with the RADIUS server...
• Page 557
    Apply the following settings on the interfaces that require BRAS operation (at least one interface is required for a successful start):
    esr(config)# bridge
    esr(config-bridge)# vlan
    esr(config-bridge)# ip firewall disable
    esr(config-bridge)# ip address 10.10.0.1/16
    esr(config-bridge)# ip helper-address 192.168.1.2
    esr(config-bridge)# service-subscriber-control any
    esr(config-bridge)# location USER
    esr(config-bridge)# protected-ports...
• Page 558
    To view information and statistics on subscriber control sessions, use the following command:
    esr# sh subscriber-control sessions status
    Session id            User name        IP address       MAC address        Interface  Domain
    --------------------  ---------------  ---------------  -----------------
    1729382256910270473   Bras_user        10.10.0.3        54:e1:ad:8f:37:35...
• Page 559: Voip Management

    19 VoIP management
    • SIP profile configuration algorithm
    • FXS/FXO ports configuration algorithm
    • Dial plan configuration algorithm
    • PBX server configuration algorithm
    • Registration trunk creation algorithm
    • VoIP configuration example
    • Dial plan configuration example
    • ...
• Page 560: Fxs/Fxo Ports Configuration Algorithm

    Configure the registration server address. Command: esr(config-voip-sip-proxy)# ip address registration-server <IP>. Keys: <IP> – registration server IP address.
    Configure the registration server port. Command: esr(config-voip-sip-proxy)# ip port registration-server <PORT>. Keys: <PORT> – registration server UDP port number, takes values [1..65535].
• Page 561
    Select the SIP profile for a certain port. Command: esr(config-voice-port-fxs)# profile sip <PROFILE>. Keys: <PROFILE> – SIP profile number, a digit from 1 to 5.
    Configure the login for authentication. Command: esr(config-voice-port-fxs)# ... Keys: <LOGIN>...
• Page 562: Dial Plan Configuration Algorithm

    Number of the subscriber that will receive calls from the PSTN when the "Hot/Warm line" service is used. Command: esr(config-voice-port-fxo)# hotline number ipt <PHONE>. Keys: <PHONE> – phone number that calls are made to when the service is used, takes values from 1 to 50...
• Page 563
    Create a pattern in a routing rule. Command: esr(config-pbx-rule)# pattern <REGEXP>. Keys: <REGEXP> – regular expression specifying the routing rule, set by a string of up to 256 characters. The rules for writing regular expressions are described in section Dial plan configuration example.
• Page 564: Registration Trunk Creation Algorithm

    Create a password for the subscriber (optional). Command: esr(config-pbx-user)# password <password>. Keys: <password> – password the user will use for authentication, set by a string of up to 16 characters.
    Use of the SIP profile for the ... Command: esr(config-pbx-user)# profile <SIPPROFILE>...
• Page 565: Voip Configuration Example

    Select the transport protocol (optional). Command: esr(config-pbx-reg-server)# protocol {tcp | udp}. The default is udp.
    Activate the trunk. Command: esr(config-pbx-reg-server)# enable.
    19.6 VoIP configuration example
    Objective: Connect analogue telephones and fax modems to the IP network via the ESR router. The SIP server located on the ESR functions as proxy server and registration server.
• Page 566
    Configure the primary SIP proxy server and registration server:
    esr(config-sip-profile)# proxy primary
    Configure the SIP proxy server address (the embedded SIP server is used as the SIP proxy):
    esr(config-voip-sip-proxy)# ip address proxy-server 192.0.2.5
    Configure the SIP proxy server port:
    esr(config-voip-sip-proxy)# ip port proxy-server 5080
    If the standard port 5060 is used, it does not need to be specified.
• Page 567
    If a SIP domain must be used for registration, use the following command:
    esr(config-sip-profile)# sip-domain registration enable
    In this configuration all calls are directed to the SIP proxy server. To route outgoing calls elsewhere, do the following: create a numbering plan, see section Dial plan configuration...
• Page 568: Dial Plan Configuration Example

    19.7 Dial plan configuration example
    Objective: Configure a dial plan so that calls to local numbers (connected to the given ESR-12V) are switched locally and calls to all other destinations go through the SIP proxy.
    Solution: Create a dial plan:
    esr(config)# dialplan pattern firstDialplan...
• Page 569
    «+» – repeat the previous character from 1 to an unlimited number of times;
    {a,b} – repeat the previous character from a to b times;
    {a,} – repeat the previous character a or more times;
    {,b} – ...
• Page 570: Fxo Port Configuration

    ...signal will be returned. Also a set of three-digit numbers starting with "1", whose INVITE will be sent to IP address 10.110.60.51, port 5060, will be returned.
    • Example 7: (S3 *xx#|#xx#|#xx#|*xx*x+#) – management and use of VAS (value-added services).
    Local calls inside the device may be required in some cases.
• Page 571
    Assign the SIP profile to the FXO port:
    esr(config-voice-port-fxo)# profile sip
    Enable number transmission to the PSTN:
    esr(config-voice-port-fxo)# pstn transmit-number
    Disable prefix transmission:
    esr(config-voice-port-fxo)# no pstn transmit-prefix
    For outgoing calls to work, add the following rule to the dial plan; it routes outgoing calls to numbers with prefix 9 locally to the FXO port:
    9x.@{local}:5064
    This completes the baseline configuration of outgoing calls to the PSTN.
• Page 572: Frequently Asked Questions

    20 FREQUENTLY ASKED QUESTIONS
    20.1 Routes configured in a VRF are not received via BGP and/or OSPF. The neighbour relationship is established, but installing the routes into the RIB is denied:
    %ROUTING-W-KERNEL: Can not install route. Reached the maximum number of BGP routes in the RIB
    Allocate RIB resources for the VRF (0 by default).
• Page 573: How To Clear Esr Configuration Completely And Reset It To Factory Default

    1/0/1
    20.8 How to configure ip-prefix-list 0.0.0.0/0?
    An example prefix-list configuration is shown below. The configuration allows the default route to be received:
    esr(config)# ip prefix-list eltex
    esr(config-pl)# permit default-route
    20.9 Problem with asymmetric traffic transmission
    In case of asymmetric routing, the Firewall drops "incorrect" ingress traffic (packets that do not open a new connection and do not belong to any established connection) for security reasons.
• Page 574: How To Save The Local Copy Of The Router Configuration

    The Firewall should be disabled on the ingress interface (which also removes stateful filtering for all traffic entering through it, not just the asymmetric flows):
    esr(config-if-gi)# ip firewall disable
    20.10 How to save a local copy of the router configuration?
    To copy the current running or candidate configuration on the router itself, use the copy command specifying "system:running-config"...
• Page 575: Esr Technical Support

    21 ESR technical support
    For technical assistance with Eltex Ltd. equipment, please contact the Service Centre.
    Feedback form on the website: http://eltex-co.com/support/
    Servicedesk: https://servicedesk.eltex-co.ru/
    Visit the official Eltex website for the relevant technical documentation and software, and benefit from our...
