ESR series service routers
ESR-10, ESR-12V, ESR-12VF, ESR-14VF, ESR-15V, ESR-20, ESR-21,
ESR-30, ESR-100, ESR-200, ESR-1000, ESR-1200, ESR-1500, ESR-1700,
ESR-1511, ESR-3100, ESR-3200
User manual
Firmware version 1.18.1

Summary of Contents for ELTEX ESR-15V

  • Page 2: Table Of Contents

    ESR series service routers. ESR-Series. User manual
    Contents
    Introduction ......................... 12
    Abstract .......................... 12
    Target Audience ....................... 12
    Symbols .......................... 12
    Notes and warnings ...................... 13
    Product description ...................... 14
    Purpose .......................... 14
    Functions .......................... 15
    2.2.1 Interface functions ....................... 15
    2.2.2 MAC table functions .................... 15
    2.2.3 Second-layer functions of OSI model ................. 16
    2.2.4 Third-layer functions of OSI model ................
  • Page 3
    Connection to Power Supply ................... 84
    SFP transceiver installation and removal ............... 85
    3.5.1 Transceiver installation .................... 85
    3.5.2 Transceiver removal .................... 85
    Management interfaces ..................... 86
    Command line interface (CLI) .................. 86
    Types and naming procedure of router interfaces ............ 87
    Types and naming procedure of router tunnels ............. 90
    Initial router configuration ....................
  • Page 4
    Interface management ..................... 111
    VLAN Configuration ....................... 112
    8.1.1 Configuration algorithm .................... 112
    8.1.2 Configuration example 1. VLAN removal from the interface ........ 114
    8.1.3 Configuration example 2. Enabling VLAN processing in tagged mode .... 114
    8.1.4 Configuration example 3.
  • Page 5
    8.11.2 Configuration example .................... 150
    8.12 Mirroring configuration (SPAN/RSPAN) ............... 151
    8.12.1 Configuration algorithm .................... 151
    8.12.2 Configuration example .................... 152
    8.13 LACP configuration ...................... 153
    8.13.1 Configuration algorithm .................... 153
    8.13.2 Configuration example .................... 155
    8.14 AUX configuration ...................... 156
    8.14.1 Configuration algorithm ....................
  • Page 6
    10.2.1 Configuration algorithm .................... 229
    10.2.2 Configuration example .................... 235
    Routing management ....................... 237
    11.1 Routing information advertising policy ................. 238
    11.1.1 RIP .......................... 238
    11.1.2 OSPF protocol ...................... 238
    11.1.3 IS-IS protocol ...................... 239
    11.1.4 iBGP protocol ...................... 240
    11.1.5 eBGP protocol ......................
  • Page 7
    11.8.2 Configuration example .................... 297
    11.9 MultiWAN configuration .................... 298
    11.9.1 Configuration algorithm .................... 298
    11.9.2 Configuration example .................... 301
    11.10 IS-IS configuration ...................... 303
    11.10.1 Configuration algorithm .................... 303
    11.10.2 Configuration example .................... 310
    MPLS technology management .................. 312
    12.1 LDP configuration ...................... 313
    12.1.1...
  • Page 8
    12.8 MPLS traffic balancing .................... 374
    12.8.1 Configuration example .................... 375
    12.9 Operation with the bridge domain within MPLS ............ 376
    12.10 Assignment of MTU when operating with MPLS ............ 378
    12.11 Inter-AS Option A ...................... 384
    12.11.1 L2VPN ......................... 384
    12.11.2 L3VPN .........................
  • Page 9
    Basic user rules configuration example .............. 494
    13.6.7 Extended user rules configuration algorithm ............ 495
    13.6.8 Extended user rules configuration example ............. 496
    13.7 Eltex Distribution Manager interaction configuration .......... 496
    13.7.1 Basic configuration algorithm ................... 497
    13.7.2 Configuration example .................... 501
    13.8 Content filtering service configuration ................. 503
    13.8.1...
  • Page 10
    15.4 Configuring remote access client via PPPoE ............... 554
    15.4.1 Configuration algorithm .................... 554
    15.4.2 Configuration example .................... 556
    15.5 Configuring remote access client via PPTP .............. 557
    15.5.1 Configuration algorithm .................... 557
    15.5.2 Configuration example .................... 559
    15.6 Configuring remote access client via L2TP .............. 560
    15.6.1...
  • Page 11
    17.3.2 Configuration example .................... 601
    17.4 Zabbix-agent/proxy configuration ................ 602
    17.4.1 Configuration algorithm .................... 602
    17.4.2 Zabbix-agent configuration example ................ 604
    17.4.3 Zabbix-server configuration example ............... 605
    17.5 Syslog configuration ...................... 608
    17.5.1 Configuration algorithm .................... 608
    17.5.2 Configuration example ....................
  • Page 12: Introduction

    1 Introduction • Abstract • Target Audience • Symbols • Notes and warnings 1.1 Abstract Today, large-scale communication network development projects are becoming increasingly common. One of the main tasks in the implementation of large multiservice networks is the creation of a reliable, high-performance transport network that will serve as the backbone in the multilayer architecture of next-generation networks.
  • Page 13: Notes And Warnings

    1.4 Notes and warnings Notes contain important information, tips or recommendations on device operation and setup. Warnings inform users about hazardous conditions which may cause injuries or device damage and may lead to the device malfunctioning or data loss. ...
  • Page 14: Product Description

    2 Product description • Purpose • Functions • Interface functions • MAC table functions • Second-layer functions of OSI model • Third-layer functions of OSI model • Traffic tunneling functions • Management and configuration functions •...
  • Page 15: Functions

    2.2 Functions 2.2.1 Interface functions Table 1 lists interface functions of the device. Table 1 – Device interface functions Cable connection polarity detection: Automatic cable type detection, crossover or straight-through cable (Auto MDI/MDIX).
  • Page 16: Second-Layer Functions Of Osi Model

    2.2.3 Second-layer functions of OSI model Table 3 lists second-layer functions and special aspects (OSI Layer 2). Table 3 – Second-layer functions description (OSI Layer 2) VLAN support: VLAN (Virtual Local Area Network) is a solution used for splitting a network into separate segments at the L2 level.
  • Page 17 DHCP server: A DHCP server enables automation and centralization of the network device configuration process. A DHCP server running on the router provides a complete solution for local area network support. The DHCP server integrated into the router assigns IP addresses to network devices and transfers additional network settings, e.g.
  • Page 18: Traffic Tunneling Functions

    2.2.5 Traffic tunneling functions Table 5 – Traffic tunneling functions Tunneling protocols: Tunneling is a method of converting packets during their transfer across the network that involves replacing or modifying the packet's network header, or adding a new one.
  • Page 19: Network Security Functions

    SSH Server / Telnet Server: SSH and Telnet server features allow you to establish a connection to the device and perform device management. Automatic configuration restore: The device features an automatic configuration restore system designed to prevent loss of remote access after reconfiguration. If the configuration change is not confirmed within the specified time, the configuration is rolled back to the last known state.
  • Page 20: Main Specifications

    2.3 Main specifications Table 8 lists main specifications of the router. Table 8 – Main specifications General parameters Interfaces ESR-3200 12 × 1000BASE-X/10GBASE-R/25GBASE-R 1 × Console RS-232 (RJ-45) 1 × OOB port 1 × USB 2.0 1 ×...
  • Page 21 ESR-1500 4 × Combo Ethernet 10/100/1000BASE-T/1000BASE-X 4 × Ethernet 10/100/1000BASE-T (RJ-45) 4 × 10GBASE-R/1000BASE-X (SFP+/SFP) 1 × Console RS-232 (RJ-45) 1 × OOB port 2 × USB 2.0 1 × SD card slot ESR-1200 4 ×...
  • Page 22 ESR-100 4 × Combo Ethernet 10/100/1000BASE-T/1000BASE-X 1 × Console RS-232 (RJ-45) 1 × USB 3.0 1 × USB 2.0 1 × SD card slot ESR-30 4 × Ethernet 10/100/1000BASE-T (RJ-45) 2 × 10GBASE-R/1000BASE-X (SFP+/SFP) 1 ×...
  • Page 23 ESR-14VF 8 × Ethernet 10/100/1000BASE-T (RJ-45) 1 × 1000BASE-X (SFP) 1 × Console RS-232 (RJ-45) 4 × FXS 2 × USB 2.0 ESR-12VF 8 × Ethernet 10/100/1000BASE-T (RJ-45) 1 × 1000BASE-X (SFP) 1 × Console RS-232 (RJ-45) 3 ×...
  • Page 24 ESR-1700 1000BASE-X SFP ESR-3100 10GBASE-R SFP+ ESR-1500 ESR-1200 ESR-1000 ESR-30 ESR-200 1000BASE-X SFP ESR-100 ESR-21 ESR-20 ESR-15 ESR-14VF ESR-12VF ESR-10 ESR-15 1000BASE-R SFP+ Duplex or half-duplex interface modes • duplex and half-duplex modes for electric ports •...
  • Page 25 ESR-3100 • electrical interfaces 10/100/1000Mbps • optical interfaces 1/10Gbps ESR-1700 ESR-1500 ESR-1200 ESR-1000 ESR-200 • electrical interfaces 10/100/1000Mbps • optical interfaces 1Gbps ESR-100 ESR-21 ESR-20 ESR-15 ESR-14VF ESR-12V(F) ESR-10 Number of VPN tunnels ESR-3200 ESR-3100 ESR-1700 ESR-1511...
  • Page 26 ESR-15 ESR-14VF ESR-12V(F) ESR-10 Number of static routes ESR-3200 ESR-3100 ESR-1700 ESR-1511 ESR-1500 ESR-1200 ESR-1000 ESR-200 ESR-100 ESR-30 ESR-21 ESR-20 ESR-15 ESR-14VF ESR-12V(F) ESR-10 Number of concurrent sessions ESR-3200 512k ESR-3100 ESR-1700 ESR-1511 ESR-1500 ESR-1200 ESR-1000...
  • Page 27 ESR-200 256k ESR-100 ESR-30 ESR-21 ESR-20 ESR-15 ESR-14VF ESR-12V(F) ESR-10 VLAN support up to 4k active VLANs according to 802.1Q Number of BGPv4/BGPv6 routes ESR-3200 ESR-3100 ESR-1700 ESR-1511 ESR-1500 ESR-1200 ESR-1000 ESR-200 2.5M ESR-100 ESR-30 ESR-21 ESR-20...
  • Page 28 Number of OSPFv2/OSPFv3/IS-IS routes ESR-3200 500k ESR-3100 ESR-1700 ESR-1511 ESR-1500 ESR-1200 ESR-1000 ESR-200 300k ESR-100 ESR-30 ESR-21 ESR-20 ESR-15 ESR-14VF ESR-12V(F) ESR-10 Number of RIP/RIPng routes ESR-3200 ESR-3100 ESR-1700 ESR-1511 ESR-1500 ESR-1200 ESR-1000 ESR-200 ESR-100 ESR-30 ESR-21...
  • Page 29 ESR-15 ESR-14VF ESR-12V(F) ESR-10 MAC address table ESR-1700 128k entries ESR-1511 ESR-1500 ESR-1200 ESR-3200 16k entries ESR-1000 ESR-3100 2k bridge entries ESR-200 ESR-100 ESR-30 ESR-21 ESR-20 ESR-15 ESR-14VF ESR-12V(F) ESR-10 FIB size ESR-1700 3.0M ESR-3200 1.7M ESR-3100...
  • Page 30 ESR-200 1.4M ESR-100 ESR-30 ESR-21 ESR-20 ESR-15 800k ESR-14VF ESR-12V(F) ESR-10 VRF Lite L3 interfaces ESR-3200 4000 ESR-3100 ESR-1700 ESR-1500 ESR-1511 ESR-1200 ESR-1000 ESR-200 ESR-100 ESR-30 ESR-21 ESR-20 ESR-15 ESR-14VF ESR-12V(F) ESR-10...
  • Page 31 Compliance IEEE 802.3 10BASE-T Ethernet IEEE 802.3u 100BASE-T Fast Ethernet IEEE 802.3ab 1000BASE-T Gigabit Ethernet IEEE 802.3z Fiber Gigabit Ethernet IEEE 802.3ba 40GBASE-SR4, 40GBASE-LR4 ANSI/IEEE 802.3 Speed autodetection IEEE 802.3x Data flow control IEEE 802.3ad LACP link aggregation IEEE 802.1q VLAN virtual local networks IEEE 802.1v IEEE 802.3ac...
  • Page 32 ESR-3200 AC: 100–240 V, 50–60 Hz ESR-3100 DC: 36–72 V ESR-1511 Power options: ESR-1500 • single AC or DC power supply; • two AC or DC power supplies with hot swapping. ESR-1200 ESR-1000 ESR-200 AC: 100–264 V, 50–60 Hz ESR-100 ESR-30 ESR-21...
  • Page 33 ESR-20 25 W ESR-15 18 W ESR-14VF 22 W ESR-12V(F) ESR-10 Weight ESR-3200 5 kg ESR-3100 4.34 kg ESR-1700 12 kg ESR-1511 7 kg ESR-1500 ESR-1200 5.5 kg ESR-1000 3.6 kg ESR-200 2.5 kg ESR-100 ESR-30 1.8 kg...
  • Page 34 ESR-1511 430 × 44 × 425 mm ESR-1500 ESR-1200 430 × 44 × 352 mm ESR-1000 ESR-200 310 × 44 × 240 mm ESR-100 ESR-21 430 × 44 × 225 mm ESR-30 267 × 44 × 212 mm ESR-20 ESR-15 230 ×...
  • Page 35 ESR-15 0 to +40 °C ESR-14VF ESR-12V(F) ESR-10 Storage temperature range -40 to +70 °C Operation relative humidity (non-condensing) up to 80 % Storage relative humidity (non-condensing) from 10 to 95 % Lifetime at least 15 years...
  • Page 36: Design

    2.4 Design This section describes the design of the device: the front, rear and side panels of the device, its connectors, LED indicators and controls are depicted. The device has a metal-enclosed design for 1U 19" racks; housing size is 1U. 2.4.1 ESR-3200 design ESR-3200 front panel The front panel layout is depicted in Figure 1.
  • Page 37 № Front panel element Description Ethernet port for router management. Console Console port RS-232 (RJ-45) for local management of the device. microSD microSD-card port. USB1 USB 2.0 port for USB devices connection. [1 .. 12] Slots for installing 25G SFP28/10G SFP+/1G SFP transceivers.
  • Page 38: Esr-3100 Design

    ESR-3200 side panels The side panel layout of ESR-3200 is depicted in figures 3 and 4. Figure 3 – ESR-3200 right side panel Figure 4 – ESR-3200 left side panel Side panels of the device have air vents for heat removal. Do not block air vents. This may cause the components to overheat, which may result in device malfunction.
  • Page 39 № Front panel element Description Power Device power LED. Master Failover mode operation LED (is not supported in the current version). Fan operation LED. Redundant power supply LED. Functional key that reboots the device and resets it to factory default configuration: •...
  • Page 40: Esr-1700 Design

    Table 12 – Rear panel connectors description № Description Main power supply. Earth bonding point of the device. Hot-swappable removable ventilation modules. Place for installation of a redundant power supply. ESR-3100 side panels The side panel layout of ESR-3100 is depicted in figures 7 and 8. Figure 7 –...
  • Page 41 Table 13 lists connectors, LEDs and controls located on the front panel of ESR-1700. Table 13 – Description of ESR-1700 connectors, LEDs and front panel controls № Front panel element Description HDD1 Connector for HDD installation. HDD2 Connector for HDD installation.
  • Page 42 ESR-1700 rear panel The rear panel of ESR-1700 is shown in the picture below. Figure 10 – ESR-1700 rear panel Table 14 lists rear panel connectors of the router. Table 14 – Rear panel connectors description №...
  • Page 43: Esr-1511, Esr-1510 Design

    2.4.4 ESR-1511, ESR-1510 design ESR-1511 front panel The front panel layout is depicted in figure 9. Figure 13 – ESR-1511 front panel Table 15 lists connectors, LEDs and controls located on the front panel of ESR-1511. Table 15 –...
  • Page 44 № Front panel element Description Functional key that reboots the device and resets it to factory default configuration: • Pressing the key for less than 10 seconds reboots the device; • Pressing the key for more than 10 seconds resets the terminal to factory settings. USB2 Port for USB device connection.
  • Page 45 № Front panel element Description Power Device power LED. Master Failover mode operation LED (is not supported in the current version). Fan operation LED. Redundant power supply LED. Console Console port RS-232 for local management of the device. Ethernet port for router management.
  • Page 46 ESR-1511, ESR-1500 rear panel The rear panel layout of ESR-1511 and ESR-1500 routers is depicted in figure 15. Figure 15 – ESR-1511, ESR-1500 rear panel Table 17 lists rear panel connectors of the router. Table 17 –...
  • Page 47: Esr-1200, Esr-1000 Design

    2.4.5 ESR-1200, ESR-1000 design ESR-1200 front panel The front panel layout is depicted in figure 18. Figure 18 – ESR-1200 front panel Table 18 lists connectors, LEDs and controls located on the front panel of ESR-1200. Table 18 –...
  • Page 48 № Front panel element Description Master Indicator of failover modes operation. Fan operation LED. Redundant power supply LED. Functional key that reboots the device and resets it to factory default configuration: • Pressing the key for less than 10 seconds reboots the device; •...
  • Page 49 № Front panel element Description Alarm Alarm LED. Active VPN sessions indicator. Flash Activity indicator of exchange with data storages (SD-card or USB Flash). Power Device power LED. Master Indicator of failover modes operation. Fan operation LED.
  • Page 50: Design

    Table 20 – Rear panel connectors description № Description Main power supply. Place for installation of a redundant power supply. Hot-swappable removable ventilation modules. Earth bonding point of the device. ESR-1200, ESR-1000 side panels The side panel layout of ESR-1200, ESR-1000 is depicted in Figures 21 and 22.
  • Page 51 Figure 24 – ESR-100 front panel Table 21 lists connectors, LEDs and controls located on the front panel of ESR-100 and ESR-200 routers. Table 21 – Description of connectors, LEDs and controls located on ESR-200, ESR-100 front panel №...
  • Page 52 ESR-200, ESR-100 rear panel The rear panel layout of ESR-200 and ESR-100 routers is depicted in figure 25. Figure 25 – ESR-200, ESR-100 rear panel Table 22 lists rear panel connectors of the router. Table 22 –...
  • Page 53: Design

    2.4.7 ESR-21 design The device has a metal-enclosed design for 1U 19" racks. ESR-21 front panel The front panel layout of ESR-21 is depicted in figure 28. Figure 28 – ESR-21 front panel Table 23 lists sizes, LEDs and controls located on ESR-21 front panel. Table 23 –...
  • Page 54 № Front panel element Description [1 .. 8] 8 ports of Gigabit Ethernet 10/100/1000BASE-T (RJ-45) Optical Port 4 ports of Gigabit Ethernet 10/100/1000BASE-X (SFP) ESR-21 rear panel The rear panel layout of ESR-21 is depicted in figure 29. Figure 29 –...
  • Page 55: Design

    2.4.8 ESR-30, ESR-20 design The device has a metal-enclosed design for 1U 19" racks. ESR-30 front panel The front panel layout is depicted in figure 32. Figure 32 – ESR-20 front panel Table 25 lists connectors, LEDs and controls located on the front panel of ESR-30. Table 25 –...
  • Page 56 № Front panel element Description [1 .. 4] 4 ports of 10/100/1000BASE-T. 1, 2 2 ports of 10GBASE-R (SFP+)/1000BASE-X. ESR-20 front panel The front panel layout is depicted in figure 33. Figure 33 – ESR-20 front panel Table 26 lists connectors, LEDs and controls located on the front panel of ESR-20.
  • Page 57 № Front panel element Description 1, 2 2 ports of Gigabit Ethernet 10/100/1000BASE-T (RJ-45). [1 .. 4] 2 Combo ports of Ethernet 10/100/1000BASE-X/10/100/1000BASE-T. ESR-20, ESR-30 rear panel The rear panel layout of ESR-20 and ESR-30 is depicted in figure 34. Figure 34 –...
  • Page 58: Design

    2.4.9 ESR-15 design The device has a metal-enclosed design for 1U 19" racks. ESR-15 front panel The front panel layout is depicted in figure 37. Figure 37 – ESR-15 front panel Table 28 lists connectors, LEDs and controls located on the front panel of ESR-15 router. Table 28 –...
  • Page 59 ESR-15 top panel The top panel layout of ESR-10 is depicted in figure 38. Table 29 lists LEDs located on ESR-15 top panel. Table 29 – Description of front panel LEDs № Top panel element Description Power Device power and operation status LED...
  • Page 60: Esr-14Vf, Esr-12Vf Design

    2.4.10 ESR-14VF, ESR-12VF design The device has a metal-enclosed design for 1U 19" racks. ESR-14VF, ESR-12VF front panel The front panel layout is depicted in figure 39. Figure 39 – ESR-14VF, ESR-12VF front panel Table 30 lists connectors, LEDs and controls located on the front panel of ESR-14VF and ESR-12VF routers.
  • Page 61 № Front panel element Description FXS 1, FXS 2, FXS 3: 4 connectors for internal subscriber terminals (for ESR-14VF). [1 .. 8] 8 ports of Gigabit Ethernet 10/100/1000BASE-T (RJ-45). Optical Port 1 port of Gigabit Ethernet 100/1000BASE-X (SFP). Optical interfaces LED.
  • Page 62: Esr-12V Design

    ESR-12VF, ESR-14VF side panels The side panel layout of ESR-12VF, ESR-14VF is depicted in Figures 41 and 42. Figure 41 – ESR-12VF, ESR-14VF left side panel Figure 42 – ESR-12VF, ESR-14VF right side panel Side panels of the device have air vents for heat removal.
  • Page 63 Table 32 – Description of connectors, LEDs and controls located on ESR-12V front panel № Front panel element Description 220V AC Power supply. Power Device power LED. Console Console port RS-232 (RJ-45) for local management of the device. Functional key that reboots the device and resets it to factory default configuration: - pressing the key for less than 10 seconds reboots the device.
  • Page 64: Design

    Table 33 – Rear panel connectors description № Description Earth bonding point of the device. ESR-12V side panels The side panel layout of ESR-12V is depicted in figures 45 and 46. Figure 45 – ESR-12V left side panel Figure 46 –...
  • Page 65 Table 34 – Description of connectors, LEDs and controls located on ESR-10 rear panel № Front panel element Description ON/OFF Power on/off button. 12V DC Connector for power adapter connection. Console Console port RS-232 (RJ-45) for local management of the device. USB1, USB2 2 USB connectors for connecting external USB devices.
  • Page 66 ESR-10 top panel The top panel layout of ESR-10 is depicted in figure 49. Figure 49 – ESR-10 top panel Table 36 lists LEDs located on ESR-10 top panel. Table 36 – Description of front panel LEDs № Top panel element Description...
  • Page 67: Light Indication

    2.4.13 Light Indication ESR-1700, ESR-1200, ESR-1000 light indication Gigabit Ethernet copper interface statuses are represented by two LEDs – green LINK/ACT LED and amber SPEED LED. Location of the copper interface LEDs is depicted in figure 50. SFP interface status is represented by two LEDs –...
  • Page 68 Table 37 – Light indication of copper interface status SPEED indicator is lit LINK/ACT indicator is lit Ethernet interface state The port is disabled or connection is not established. Solid on 10Mbps or 100Mbps connection is established. Solid on Solid on 1000Mbps connection is established.
  • Page 69 Indicator name Indicator function LED State Device State Power Device power LED. Green Device power is normal. Main power supply, if installed, is operational. Orange Main power supply failure, fault, or the primary network is missing.
  • Page 70 Figure 53 – Location of optical interface indicators Table 40 – Light indication of copper interfaces status SPEED indicator is lit LINK/ACT indicator is lit Ethernet interface state The port is disabled or connection is not established. Solid on 10 Mbps or 100 Mbps connection is established.
  • Page 71 Indicator name Indicator function LED State Device State Alarm Device alarm presence and level indicator. Active VPN sessions indicator. Flash Activity indicator of exchange with data storages: SD-card or USB Flash. Orange Read/write operation execution with 'copy' command.
  • Page 72 ESR-200/ESR-100 light indication Gigabit Ethernet copper interface and SFP interface statuses are represented by two LEDs – green LINK/ACT LED and amber SPEED LED. Location of the copper interface LEDs is depicted in figure 50. SFP interface status is depicted in figure 54.
  • Page 73 Indicator name Indicator function LED State Device State Power Device power LED. Green Device power is OK. Main power supply, if installed, is operational. Main power supply failure, fault, or the primary network is missing.
  • Page 74 Figure 56 – Location of RJ-45 connector indicators The following table lists description of system indicator statuses and meanings. Table 46 – Status of system indicators Indicator name Indicator function LED State Device State Power Device power LED.
  • Page 75 ESR-30 light indication Gigabit Ethernet copper interface statuses are represented by two LEDs – green LINK/ACT LED and amber SPEED LED. Table 47 – Light indication of copper and SFP interfaces status SPEED indicator is lit LINK/ACT indicator is lit Ethernet interface state The port is disabled or connection is not...
  • Page 76 Indicator name Indicator function LED State Device State Status Current device status LED. Green Device is in normal operation state. Flashes green Device is booting up the software. Alarm Alarm LED. HA operation mode LED (not supported in the current version) ESR-15 light indication Gigabit Ethernet copper interfaces statuses are represented by amber SPEED LED.
  • Page 77 Indicator name Indicator function LED State Device State No devices connected or connectivity issues. ESR-12V(F) light indication Gigabit Ethernet copper interface statuses are represented by two LEDs – green LINK/ACT LED and amber SPEED LED. Table 51 –...
  • Page 78 Indicator name Indicator function LED State Device State Device internal power supply failure. ESR-10 light indication Gigabit Ethernet copper interfaces statuses are represented by amber SPEED LED. Table 53 – Light indication of copper interface status SPEED indicator is lit Ethernet interface state Port is disabled or connection is not established...
  • Page 79: Delivery Package

    2.5 Delivery package ESR-10 standard delivery package includes: • ESR-10 router; • 220 VAC/12 VDC, 1.5 A power adapter; • Conformity certificate; • Documentation (optional). ESR-12V standard delivery package includes: • ESR-12V router; • Power cable;...
  • Page 80 ESR-30 standard delivery package includes: • ESR-21 router; • Power cable; • Console cable; • 19” rack mounting kit; • Conformity certificate; • Documentation (optional). ESR-100 standard delivery package includes: • ESR-100 router; • Power cable;...
  • Page 81 ESR-1700 standard delivery package includes: • ESR-1700 router; • Console cable; • 19” rack mounting kit; • Conformity certificate; • Documentation (optional). ESR-3100 standard delivery package includes: • ESR-3100 router; • Console cable; • 19”...
  • Page 82: Installation And Connection

    3 Installation and connection • Support brackets mounting • Device rack installation • ESR-1000, ESR-1200, ESR-1500, ESR-1511, ESR-1700, ESR-3100, ESR-3200 power module installation • Connection to Power Supply • SFP transceiver installation and removal • Transceiver installation •...
  • Page 83: Device Rack Installation

    3.2 Device rack installation To install the device into the rack: Attach the device to the vertical guides of the rack. Align the mounting holes in the support bracket with the corresponding holes in the rack guides. Use holes at the same level on both sides of the guides to ensure the device is installed horizontally.
  • Page 84: Esr-1000, Esr-1200, Esr-1500, Esr-1511, Esr-1700, Esr-3100, Esr-3200 Power Module Installation

    3.3 ESR-1000, ESR-1200, ESR-1500, ESR-1511, ESR-1700, ESR-3100, ESR-3200 power module installation ESR-1000/1200/1500/1511/1700/3100/3200 routers can operate with one or two power modules. Installing the second power module is necessary when the device operates under strict reliability requirements. Electrically, both power module installation places are identical.
  • Page 85: Sfp Transceiver Installation And Removal

    3.5 SFP transceiver installation and removal Optical modules can be installed when the terminal is turned on or off. 3.5.1 Transceiver installation 1. Insert the top SFP module into a slot with its open side down, and the bottom SFP module with its open side Figure 65 –...
  • Page 86: Management Interfaces

    4 Management interfaces • Command line interface (CLI) • Types and naming procedure of router interfaces • Types and naming procedure of router tunnels To control and monitor the device, various management interfaces can be used. To access the device, you may use network connection via Telnet or SSH as well as direct connection via RS-232 compliant console port.
  • Page 87: Types And Naming Procedure Of Router Interfaces

    4.2 Types and naming procedure of router interfaces Network interfaces of various types and purposes are used for the router operation. The naming system allows you to uniquely address the interfaces by their functional purpose and location in the system. The following table contains the list of interface types.
  • Page 88 Interface type Designation Sub-interfaces Designation of sub-interface is generated from the designation of basic interface and sub-interface identifier (VLAN) separated by a dot. Designation examples: • gigabitethernet 1/0/12.100 • tengigabitethernet 1/0/2.123 • fortygigabitethernet 1/0/2.1024 •...
  • Page 89 Interface type Designation Serial interfaces Designation of serial interface includes its type and identifier. Serial interfaces identifier is as follows: <UNIT>/<SLOT>/ <STREAM>, where • <UNIT> – number of a device in a device group [1..1], •...
  • Page 90: Types And Naming Procedure Of Router Tunnels

    4.3 Types and naming procedure of router tunnels Network tunnels of various types and purposes are used for the router operation. The naming system allows you to uniquely address the tunnels by their functional purpose. The following table contains the list of tunnel types.
  • Page 91: Initial Router Configuration

    5 Initial router configuration • ESR router factory configuration • Description of factory settings • Router connection and configuration • Connection to the router • Ethernet LAN connection • RS-232 console port connection • Applying the configuration change •...
  • Page 92: Router Connection And Configuration

    • for ESR-30: GigabitEthernet 1/0/3-4; • for ESR-100: GigabitEthernet 1/0/2-4; • for ESR-200: GigabitEthernet 1/0/2-8; • for ESR-1000: GigabitEthernet 1/0/2-24; • for ESR-1200: GigabitEthernet 1/0/2-16, TengigabitEthernet 1/0/3-8; • for ESR-1500: GigabitEthernet 1/0/2-8, TengigabitEthernet 1/0/3-4; •...
  • Page 93: Connection To The Router

    Advanced settings depend on the requirements of the specific device application pattern and may be easily added or modified with the existing management interfaces. 5.2.1 Connection to the router There are several device connection options: Ethernet LAN connection ...
  • Page 94: Basic Router Configuration

    Changing password for 'admin' user To ensure secure system access, you should change the password for the privileged 'admin' user. The 'techsupport' account ('eltex' up to version 1.0.7) is required for remote access by service centre specialists. The 'remote' account is used for RADIUS, TACACS+ and LDAP authentication.
  • Page 95 Privilege levels 1–9 allow accessing the device and viewing its operation status, but device configuration is disabled. Privilege levels 10–14 allow both access to the device and configuration of the majority of its functions. Privilege level 15 allows both access to the device and configuration of all its functions.
  • Page 96 esr# show ip interfaces IP address Interface Type ------------------- --------------------------------- ------- 192.168.16.144/24 gigabitethernet 1/0/2.150 static Providers may use dynamically assigned addresses in their network. If there is a DHCP server in the network, you can obtain the IP address via DHCP. Configuration example for obtaining a dynamic IP address from a DHCP server on the Gigabit Ethernet 1/0/10 interface: esr# configure...
  • Page 97 esr# configure esr(config)# object-group network clients esr(config-addr-set)# ip address-range 132.16.0.5-132.16.0.10 esr(config-addr-set)# exit esr(config)# object-group network gateway esr(config-addr-set)# ip address-range 40.13.1.22 esr(config-addr-set)# exit esr(config)# object-group service ssh esr(config-port-set)# port-range esr(config-port-set)# exit esr(config)# security zone-pair untrusted self esr(config-zone-pair)# rule esr(config-zone-rule)# action permit esr(config-zone-rule)# match protocol tcp...
  • Page 98: Firmware Update

    6 Firmware update • Updating firmware via system resources • Updating firmware via bootloader • Secondary bootloader update (U-Boot) 6.1 Updating firmware via system resources To update the firmware, use any of the following servers: TFTP, FTP, SCP. Router firmware files obtained from the manufacturer should be placed on the server.
  • Page 99 Example of updating the main firmware via SCP: esr# copy scp://adm:password123@192.168.16.168://home/tftp/firmware system:firmware To start the device with the new firmware version, switch the active image. Using the show bootvar command, locate the number of the image containing the updated firmware. esr# show bootvar Image Version...
  • Page 100: Updating Firmware Via Bootloader

    6.2 Updating firmware via bootloader Router firmware may be updated via the bootloader as follows: When U-Boot finishes the router initialization, break the device startup with the <Esc> key. Configuring PoE... distribution dest_threshold drop_timer Configuring POE in bypass mode NAE configuration done! initializing port 0, type 2.
  • Page 101: Secondary Bootloader Update (U-Boot)

    Launch firmware update procedure: BRCM.XLP316Lite Rev B0.u-boot# run tftp_update_image1 Using nae-0-3 device TFTP from server 10.100.100.1; our IP address is 10.100.100.2 Filename 'esr1000/firmware'. Load address: 0xa800000060000000 Loading: TftpStart:TftpTimeoutMsecs = 10000, TftpTimeoutCountMax = ################################################################# ################################################################# ################################################################# ######################### ####################################...
  • Page 102 Firmware update procedure: When U-Boot finishes the router initialization, break the device startup with the <Esc> key. Configuring PoE... distribution dest_threshold drop_timer Configuring POE in bypass mode NAE configuration done! initializing port 0, type 2. initializing port 1, type 2.
  • Page 103 For version 1.5 and newer: BRCM.XLP316LiteRevB0.u-boot# run tftp_update_uboot Using nae-1 device TFTP from server 10.100.100.1; our IP address is 10.100.100.2 Filename 'esr1000/u-boot.bin'. Load address: 0xa800000078020000 Loading: ########################################################### done Bytes transferred = 852648 (d02a8 hex) SF: Detected MX25L12805D with page size 256, total 16777216 bytes...
  • Page 104: Safe Configuration Recommendations

    7 Safe configuration recommendations • General recommendations • Event logging system configuration • Recommendations • Warnings • Configuration example • Password usage policy configuration • Recommendations • Configuration example • AAA policy configuration • Recommendations •...
  • Page 105: Recommendations

    7.2.1 Recommendations • It is recommended to configure the event message storage in a syslog file on the device and transfer these events to an external syslog server. • It is recommended to limit the size of the syslog file on the device. •...
  • Page 106: Recommendations

    7.3.1 Recommendations • It is recommended to always enable the default password change request for the admin user. • It is recommended to limit the lifetime of passwords and prohibit reusing at least the previous password.
  • Page 107: Warnings

    • It is recommended to enable logging of commands entered by the user. • It is recommended to use several authentication methods for logging in to devices via console, remote login to devices and privilege escalation. A combination of RADIUS/TACACS/LDAP authentication and local authentication is considered optimal.
  • Page 108: Remote Management Configuration

    esr(config)# radius-server host 192.168.1.11 esr(config-radius-server)# key ascii-text encrypted 8CB5107EA7005AFF esr(config-radius-server)# priority esr(config-radius-server)# exit esr(config)# radius-server host 192.168.2.12 esr(config-radius-server)# key ascii-text encrypted 8CB5107EA7005AFF esr(config-radius-server)# priority esr(config-radius-server)# exit Configure AAA policy: esr(config)# aaa authentication login CONSOLE radius local esr(config)# aaa authentication login SSH radius ...
  • Page 109: Configuration Of Protection Against Network Attacks Mechanisms

    Disable outdated and cryptographically weak algorithms: esr(config)# ip ssh server esr(config)# ip ssh authentication algorithm md5 disable esr(config)# ip ssh authentication algorithm md5-96 disable esr(config)# ip ssh authentication algorithm ripemd160 disable esr(config)# ip ssh authentication algorithm sha1 disable esr(config)# ip ssh authentication algorithm sha1-96 disable...
  • Page 110: Configuration Example

    7.6.2 Configuration example Objective: Configure the protection mechanism against network attacks in accordance with the recommendations. Solution: Enable protection against IP spoofing and logging of the protection mechanism: esr(config)# ip firewall screen spy-blocking spoofing esr(config)# logging firewall screen spy-blocking spoofing Enable protection against TCP packets with incorrectly set flags and logging of the protection mechanism: esr(config)# ip firewall screen spy-blocking syn-fin...
  • Page 111: Interface Management

    8 Interface management • VLAN Configuration • Configuration algorithm • Configuration example 1. VLAN removal from the interface • Configuration example 2. Enabling VLAN processing in tagged mode • Configuration example 3. Enabling VLAN processing in tagged and untagged modes •...
  • Page 112: Vlan Configuration

    8.1 VLAN Configuration VLAN (Virtual Local Area Network) is a logical (virtual) local area network that represents a group of devices which communicate at the data link layer regardless of their physical location. VLAN operation is based on the use of additional Ethernet header fields according to the 802.1Q standard.
  • Page 113 Step Description Command Keys esr(config-gi)# switchport Only for general ESR-1000/1200/1500/1511/1700. This mode is the default mode and is not displayed in the configuration. Configure VLAN list on the esr(config-if-gi)# switchport Only for ESR-10/12V(F)/14VF/ interface in tagged mode. trunk allowed vlan add <VID>...
  • Page 114: Configuration Example 1. Vlan Removal From The Interface

    8.1.2 Configuration example 1. VLAN removal from the interface Objective: On the basis of the factory configuration, remove gi1/0/1 port from VLAN 2. Solution: Remove VLAN2 from gi1/0/1 port: esr(config)# interface 1/0/1 esr(config-if-gi)# switchport general allowed vlan remove untagged esr(config-if-gi)# no switchport general pvid 8.1.3 Configuration example 2.
  • Page 115: Configuration Example 3. Enabling Vlan Processing In Tagged And Untagged Modes

    Specify VLAN 2, VLAN 64, VLAN 2000 for the gi1/0/1-2 ports: esr-1000(config)# interface gi1/0/1 esr-1000(config-if-gi)# mode switchport esr-1000(config-if-gi)# switchport forbidden default-vlan esr-1000(config-if-gi)# switchport general allowed vlan add 2,64,2000 tagged 8.1.4 Configuration example 3. Enabling VLAN processing in tagged and untagged modes Objective: Configure the gi1/0/1 port for packet transmission and reception in VLAN 2, VLAN 64, VLAN 2000 in trunk mode, and configure the gi1/0/2 port in access mode for VLAN 2 on ESR-100/ESR-200.
  • Page 116: Lldp Configuration

    8.2 LLDP configuration Link Layer Discovery Protocol (LLDP) is a data link layer protocol that allows network equipment to announce its existence to the other devices on a local network, to send them its parameters, and to receive similar information from them.
  • Page 117: Configuration Example

    Step Description Command Keys Set the system-name field which will esr(config)# lldp system-name <NAME> – system name, set by be transmitted to LLDP TLV as the <NAME> the string of up to 255 system-name (optional). characters.
  • Page 118: Lldp Med Configuration

    To view LLDP statistics, use the following command: esr# show lldp statistics 8.3 LLDP MED configuration LLDP MED is an extension of the LLDP standard that allows network policies (VLAN ID, DSCP, priority) to be transmitted. 8.3.1 Configuration algorithm Step Description Command...
  • Page 119: Voice Vlan Configuration Example

    Step Description Command Keys Set the CoS value (optional). esr(config-net-policy)# <COS> – priority value, takes priority <PRIORITY> the following values: • best-effort – COS0; • background – COS1; • excellent-effort – COS2; • critical-applications – COS3;...
  • Page 120: Sub-Interface Termination Configuration

    Solution: First create VLAN 10 and 20 and configure the gi 1/0/1 interface in the trunk mode: esr(config)# vlan 10,20 esr(config-vlan)# exit esr(config)# interface gigabitethernet 1/0/1 esr(config-if-gi)# mode switchport esr(config-if-gi)# switchport mode trunk esr(config-if-gi)# switchport trunk allowed vlan add 10,20 esr(config-if-gi)# exit Enable LLDP and MED capability in LLDP globally on the router:...
  • Page 121: Configuration Algorithm

    8.4.1 Configuration algorithm Step Description Command Keys Create a sub-interface of a physical esr(config)# interface <PORT> – physical interface interface (possible if the physical gigabitethernet <PORT>.<S-VLAN> number. interface is in routeport or hybrid mode). <CH>...
  • Page 122 Step Description Command Keys esr(config-subif)# ip address dhcp For advanced DHCP client operation features, see section DHCP Client management. Disable the Firewall features on the esr(config-subif)# ip firewall interface or enable the interface in the disable security zone (see Firewall...
  • Page 123: Sub-Interface Configuration Example

    8.4.2 Sub-interface configuration example Objective: Configure subnet 192.168.3.1/24 in VLAN: 828 on the physical interface gigabitethernet 1/0/1. Solution: Create sub-interface for VLAN: 828 esr(config)# interface gigabitethernet 1/0/1.828 Configure an IP address from the required subnet. esr(config)# interface gigabitethernet 1/0/1.828...
  • Page 124 Step Description Command Keys Create Q-in-Q interface. esr(config)# interface <PORT> – physical interface gigabitethernet <PORT>.<S- number. VLAN>.<C-VLAN> <CH> – aggregated interface number. esr(config)# interface <S-VLAN> – identifier of tengigabitethernet <PORT>.<S- created S-VLAN. VLAN>.<C-VLAN> <C-VLAN> – identifier of created C-VLAN.
  • Page 125 Step Description Command Keys esr(config-qinq-if)# ip address For advanced DHCP client dhcp operation features, see section DHCP Client management. Disable the Firewall features on the esr(config-qinq-if)# ip firewall interface or enable the interface in the disable security zone (see Firewall...
  • Page 126: Q-In-Q Configuration Example

    8.5.2 Q-in-Q configuration example Objective: Configure the termination of subnet 192.168.1.1/24 combination C-VLAN: 741, S-VLAN: 828 on the physical interface gigabitethernet 1/0/1. Solution: Create sub-interface for S-VLAN: 828 esr(config)# interface gigabitethernet 1/0/1.828 esr(config-subif)# exit Create a Q-in-Q interface for the S-VLAN: 741 and configure the IP address from the required subnet.
  • Page 127 Step Description Command Keys Set mobile network access point esr(config-cellular-profile)# apn <NAME> – mobile network <NAME> access point, set by the string of up to 31 characters. Set the name of mobile network user (if esr(config-cellular-profile)# user <NAME>...
  • Page 128 Step Description Command Keys Set USB modem identifier allocated by esr(config-cellular-modem)# <WORD> – identifier of the system (specified in item 2). device <WORD> connected modem’s USB port, set in the range of [1..12]. Set the previously established esr(config-cellular-modem)# <ID>...
  • Page 129: Configuration Example

    Step Description Command Keys It is also possible to configure a cellular network modem: • QoS in basic or advanced mode (see section management); • proxy (see section HTTP/HTTPS traffic proxying); • traffic monitoring (see sections Netflow configuration and sFlow configuration);...
  • Page 130: Stp/Rstp Configuration

    Set the corresponding parameter profile and activate the modem: esr(config-cellular-modem)# profile esr(config-cellular-modem)# enable 8.7 STP/RSTP configuration Spanning Tree Protocol is a network protocol that reduces an Ethernet network with redundant links to a loop-free tree topology. Network devices exchange configuration messages using frames of a special format and selectively enable and disable transmission on ports.
  • Page 131 Step Description Command Keys Set STP priority. esr(config)# spanning-tree <PRIORITY> – priority, specified in priority <PRIORITY> the range with increments of 4096 [0..61440]. Default value: 32768. Switch to interface/tunnel/network esr(config)# interface <IF- <IF-TYPE> – interface type; bridge configuration mode.
  • Page 132: Configuration Example

    Step Description Command Keys Set the path value determination esr(config-if-gi)# spanning-tree <COST> – path cost in the range method. cost [1..20000000]. Default value: 4. Allow this port to be set as root. esr(config-if-gi)# spanning-tree guard root Set the RSTP protocol to the esr(config-if-gi)# spanning-tree...
  • Page 133: Ppp Through E1 Configuration

    Set STP as default: esr-20(config)# spanning-tree mode stp Set spanning tree lifetime to 15 seconds and network listening and learning interval to 10 seconds: esr-20(config)# spanning-tree max-age esr-20(config)# spanning-tree forward-time Show spanning-tree active command output: esr-20# show spanning-tree active Protocol version: STP Root ID: [32768]...
  • Page 134 Step Description Command Keys Set the operation mode of the E1 esr(config-if-gi)# switchport mode interface. Set the synchronization source esr(config-if-gi)# switchport e1 <SOURCE> – synchronization (optional). clock source <SOURCE> source: • Internal (default) – synchronize with an internal source;...
  • Page 135 Step Description Command Keys Specify IPv4 and network mask for the esr(config-e1)# ip address <ADDR/ <ADDR/LEN> – IP address configured interface. LEN> network mask length specified as AAA.BBB.CCC.DDD/EE, where each AAA – DDD part takes values [0..255] and EE takes values [1..32].
  • Page 136: Configuration Example

    Step Description Command Keys Set the amount of attempts to send esr(config-e1)# ppp max- <VALUE> – number of retries. Terminate-Request packets before the terminate <VALUE> session is aborted (optional). Set MRU (Maximum Receive Unit) size esr(config-e1)# ppp mru <MRU>...
  • Page 137 Configure the physical interface gigabitethernet 1/0/3, in which TOPGATE-WAN-E1 is installed: • Set the MTU to 1510 or more; • Switch the interface to the e1 operation mode; • Specify channel e1 – 0; • Specify the e1 channel range from 1 to 8.
  • Page 138: Mlppp Configuration

    Information about the state of e1 can be obtained using the following command: esr# show interfaces status e1 1/0/1 Interface 'e1 1/0/1' status information: Description: Operational state: Administrative state: Up Track ID: Supports broadcast: Supports multicast: MTU: 1492...
  • Page 139 Step Description Command Keys Specify the router name that is sent to a esr(config-multilink)# ppp chap <NAME> – router name, set by remote party for CHAP authentication. hostname <NAME> the string of up to 31 characters Specify the password that is sent with esr(config-multilink)# ppp chap...
  • Page 140: Configuration Example

    Step Description Command Keys Set MRU (Maximum Receive Unit) size esr(config-multilink)# ppp mru <MRU> – MRU value, takes for the interface. <MRU> values in the range of [128..1485]. Default value: 1500. Specify the time interval in seconds esr(config-multilink)# ppp timeout <TIME>...
  • Page 141 Solution: First, configure system jumbo-frames, save changes to the configuration and reboot the router: esr# configure esr(config)# system jumbo-frames esr(config)# exit esr# commit esr# confirm esr# reload system Do you really want to reload system ? (y/N): y Configure the gigabitethernet 1/0/3-4 physical interfaces that have TOPGATE-WAN-E1 installed.
  • Page 142: Bridge Configuration

    Information about the state of the multilink interface can be obtained using the following command: esr# show interfaces status multilink Interface 'mu1' status information: Description: Operational state: Administrative state: Up Track ID: Supports broadcast: Supports multicast: MTU: 1492...
  • Page 143 Step Description Command Keys Connect sub interface, qinq interface, esr(config-if-gi)# bridge-group <BRIDGE-ID> – bridge L2GRE tunnel or L2TPv3 tunnel with the <BRIDGE-ID> identification number, takes network bridge. Connected interfaces/ values in the range of: tunnels and network bridges esr(config-if-l2tpv3)# bridge-group automatically become participants of...
  • Page 144 Step Description Command Keys esr(config-bridge)# ipv6 address <IPV6-ADDR/LEN> – IP address <IPV6-ADDR/LEN> and prefix of a subnet, defined as X:X:X:X::X/EE where each X part takes values in hexadecimal format [0..FFFF] and EE takes values of [1..128]. For advanced IPv6 addressing features see section IPv6...
  • Page 145: Example Of Bridge Configuration For Vlan And L2Tpv3 Tunnel

    Step Description Command Keys Enable interface isolation mode on the esr(config-bridge)# protected- exclude vlan – when specifying bridge. ports [ exclude vlan ] the given key, VLAN (connected In this mode, the traffic exchange with bridge) is excluded from between members of the network the isolated interfaces list.
  • Page 146 Solution: Create VLAN 333: esr(config)# vlan esr(config-vlan)# exit Create 'trusted' security zone: esr(config)# security-zone trusted esr(config-zone)# exit Add gi1/0/11, gi1/0/12 interfaces to VLAN 333: esr(config)# interface gigabitethernet 1/0/11-12 esr(config-if)# mode switchport esr(config-if)# switchport general allowed vlan add tagged Create bridge 333, map VLAN 333 to it and specify membership in 'trusted' zone: esr(config)# bridge...
  • Page 147: Example Of Bridge Configuration For Vlan

    8.10.3 Example of bridge configuration for VLAN Objective: Configure routing between VLAN 50 (10.0.50.0/24) and VLAN 60 (10.0.60.0/24). VLAN 50 should belong to 'LAN1', VLAN 60 – to 'LAN2', enable free traffic transmission between zones. Solution: Create VLAN 50, 60: esr(config)# vlan...
  • Page 148: Configuration Example Of The Second Vlan Tag Adding/Removing

    Create bridge 60, map VLAN 60, define IP address 10.0.60.1/24 and membership in 'LAN2' zone: esr(config)# bridge esr(config-bridge)# vlan esr(config-bridge)# ip address 10.0.60.1/24 esr(config-bridge)# security-zone LAN2 esr(config-bridge)# enable Create firewall rules that enable free traffic transmission between zones: esr(config)# security zone-pair LAN1 LAN2 esr(config-zone-pair)# rule esr(config-zone-pair-rule)# action permit...
  • Page 149: Dual-Homing Configuration

    esr(config)# interface gigabitethernet 1/0/2.828 esr(config-subif)# bridge-group esr(config-subif)# exit When adding the second VLAN tag to an Ethernet frame, its size is increased by 4 bytes. MTU must be increased by 4 bytes or more on the gigabitethernet 1/0/2 router interface and on all equipment transmitting Q-in-Q frames.
  • Page 150: Configuration Example

    8.11.2 Configuration example Objective: Establish redundancy of the ESR router L2 connections for VLAN 50-55 using SW1 and SW2 devices. Solution: First, do the following: Create VLAN 50-55: esr(config)# vlan 50-55 Disable STP on the gigabitethernet 1/0/9 and gigabitethernet 1/0/10 interfaces, since STP and dual-homing cannot operate simultaneously: esr(config)# interface...
  • Page 151: Mirroring Configuration (Span/Rspan)

    8.12 Mirroring configuration (SPAN/RSPAN) In the current firmware version the RSPAN functionality is supported only by ESR-1000/1200/1500/1511/1700 routers. Traffic mirroring is a feature of the router that allows for redirection of traffic from a specific port of the router to another port of the same router (local mirroring) or to a remote device (remote mirroring).
  • Page 152: Configuration Example

    8.12.2 Configuration example Objective: Establish remote mirroring of traffic through VLAN 50 from the gi1/0/11 interface to be sent to a server for processing purposes. Solution: First, do the following: • Create VLAN 50: • On the gi 1/0/5 interface, add VLAN 50 in 'general' mode. Main configuration step: Specify the VLAN that will be used for transmission of mirrored traffic: esr1000(config)# port monitor remote vlan...
  • Page 153: Lacp Configuration

    8.13 LACP configuration LACP is a link aggregation protocol that allows multiple physical links to be combined into a single logical link. Aggregation increases both the bandwidth and the resilience of the communication link. 8.13.1 Configuration algorithm Step Description Command...
  • Page 154 Step Description Command Keys Include a physical interface in the esr(config-if-gi)# channel-group <ID> – sequence number of a channel aggregation group specifying <ID> mode <MODE> channel aggregation group, the mode of the channel aggregation takes values of [1..12].
  • Page 155: Configuration Example

    Step Description Command Keys It is also possible to configure the aggregated interface: • IPv4/IPv6 addressing (see sections IP addressing configuration, IPv6 addressing configuration DHCP client management); • Firewall (see section Firewall configuration); • QoS in basic or advanced mode (see section management);...
  • Page 156: Aux Configuration

    Add gi1/0/1, gi1/0/2 physical interfaces into the created link aggregation group: esr(config)# interface gigabitethernet 1/0/1-2 esr(config-if-gi)# channel-group mode auto Further port-channel configuration is performed by analogy to the common physical interface. 8.14 AUX configuration ...
  • Page 157 Step Description Command Keys Set the necessary serial interface esr(config-line-aux) databits <BITS> – a number of data bits sent parameters to communicate with the <BITS> [7..8]. connected device (optional). esr(config-line-aux) Default is '8'. These parameters are usually specified flowcontrol <FMODE>...
  • Page 158: Configuration Examples

    Step Description Command Keys When using the device to be connected esr(config-line- as a modem, set the serial interface to aux)# modem inout modem mode (optional). Note: cannot be used in conjunction with the «transport telnet port» command.
  • Page 159 Configure the required RS-232 interfaces: esr-21-1(config)# interface serial 1/0/2 esr-21-1(config-serial)# ip address 1.1.1.1/24 esr-21-1(config-serial)# exit esr-21-1(config)# Configure firewall for security zones: esr-21-1(config)# security zone xx esr-21-1(config-zone)# exit esr-21-1(config)# security zone-pair xx self esr-21-1(config-zone-pair)# rule esr-21-1(config-zone-pair-rule)# action permit esr-21-1(config-zone-pair-rule)# enable esr-21-1(config-zone-pair-rule)# exit...
  • Page 160 Specify that the interfaces belong to the security zone: esr-21-2(config)# interface serial 1/0/2 esr-21-2(config-serial)# security-zone xx esr-21-2(config-serial)# exit esr-21-2(config)# Objective 2: Set up IP connectivity between two ESRs on a Serial port, using Dial-Up modems and the Public Switched Telephone Network (PSTN).
  • Page 161 Solution: Configure the first ESR-21 Configure the parameters for negotiation with the modem: esr-21-1(config)# line aux esr-21-1(config-line-aux)# flowcontrol hardware esr-21-1(config-line-aux)# modem inout esr-21-1(config-line-aux)# exit esr-21-1(config)# Configure the required RS-232 interfaces: esr-21-1(config)# interface serial 1/0/2 esr-21-1(config-serial)# ip address 1.1.1.1/24 esr-21-1(config-serial)# exit...
  • Page 162 Configure the required RS-232 interfaces: esr-21-2(config)# interface serial 1/0/2 esr-21-2(config-serial)# ip address 1.1.1.2/24 esr-21-2(config-serial)# exit esr-21-2(config)# Configure firewall for security zones: esr-21-2(config)# security zone xx esr-21-2(config-zone)# exit esr-21-2(config)# security zone-pair xx self esr-21-2(config-zone-pair)# rule esr-21-2(config-zone-pair-rule)# action permit esr-21-2(config-zone-pair-rule)# enable esr-21-2(config-zone-pair-rule)# exit...
  • Page 163: Adapter Soldering Schemes

    Create a line with additional modem initialization parameters for the second ESR-21:
    esr-21-2(config)# chat-script answer_test "ABORT 'BUSY' ABORT 'NO CARRIER' '' AT OK AT&F OK ATM0L0 RING ATAr CONNECT ''"
    esr-21-2(config)#
    Enable the use of the modem initialization string:
    esr-21-2(config)# interface serial...
  • Page 164: Tunneling Management

    9 Tunneling management
    • GRE tunnel configuration
      • Configuration algorithm
      • IP-GRE tunnel configuration example
    • DMVPN configuration
      • Configuration algorithm
      • Configuration example 1
      • Configuration example 2
    • L2TPv3 tunnel configuration
      • Configuration algorithm
      • ...
  • Page 165
    Step: Specify the VRF instance in which the given GRE tunnel will operate (optional).
    Command: esr(config-gre)# ip vrf forwarding <VRF>
    Keys: <VRF> – VRF name, set by a string of up to 31 characters.
  • Page 166
    Step: Assign the broadcast domain for encapsulation in the tunnel's GRE packets (only in ethernet mode).
    Command: esr(config-gre)# bridge-group <BRIDGE-ID>
    Keys: <BRIDGE-ID> – bridge identification number, takes values in the range of:
    • for ESR-10/12V(F)/14VF/15 – ...
  • Page 167
    Step: Enable key transmitting in the GRE tunnel header (according to RFC 2890) and set the key value. Configured only on ...
    Command: esr(config-gre)# key <KEY>
    Keys: <KEY> – KEY value, takes values in the range of [1..2000000].
  • Page 168: IP-GRE Tunnel Configuration Example

    Step: Enable the mechanism of iterative IP address query via DHCP on the specified interfaces when the GRE tunnel is disconnected via keepalive (optional).
    Command: esr(config-gre)# keepalive dhcp dependent-interface <IF>
    Keys: <IF> – physical/logical interface on which obtaining an IP address via DHCP is enabled.
  • Page 169
    Solution: Pre-configure the interfaces on the routers for the connection with the WAN and enable reception of GRE packets from the security zone in which the WAN-connected interfaces operate.
    Create GRE 10 tunnel:
    esr(config)# tunnel gre
    Specify the local and remote gateways (IP addresses of the WAN border interfaces):
    esr(config-gre)# local address 115.0.0.1
    esr(config-gre)# remote address...
  • Page 170: DMVPN Configuration

    • Specify a unique identifier:
      esr(config-gre)# key 15808
    • Specify DSCP, MTU, TTL values:
      esr(config-gre)# dscp
      esr(config-gre)# mtu 1426
      esr(config-gre)# ttl
    • Enable and configure the keepalive mechanism:
      esr(config-gre)# keepalive enable
      esr(config-gre)# keepalive timeout <TIME>
      esr(config-gre)# keepalive retries <VALUE>...
  • Page 171: Configuration Algorithm

    9.2.1 Configuration algorithm
    Step: Check the availability of 'external' IP addresses located on physical interfaces.
    Step: Prepare IPsec tunnels for use with dynamic GRE tunnels.
    Command: See section Policy-based IPsec configuration.
    Step: Create a GRE tunnel and switch to its ...
    Command: esr(config)# tunnel gre <INDEX>...
  • Page 172: Configuration Example 1

    Step: Define the destination of multicast traffic.
    Command: esr(config-gre)# ip nhrp multicast { dynamic | nhs | <ADDR> }
    Keys:
    • dynamic — send to all peers with which there is a connection;
    • ...
  • Page 173
    External IP address of Hub — 150.115.0.5;
    External IP address of Spoke-1 — 180.100.0.10;
    External IP address of Spoke-2 — 140.114.0.4.
    IPsec VPN parameters:
    IKE:
    • Diffie-Hellman group: 2;
    • encryption algorithm: AES128;
    • authentication algorithm: SHA1.
  • Page 174
    Proceed to NHRP configuration. Configure multicast to dynamically learnt addresses:
    esr(config-gre)# ip nhrp multicast dynamic
    Configure the dynamic routing protocol for the Hub. In our example, this will be BGP:
    esr(config)# router bgp 65005
    esr(config-bgp)# address-family ipv4
    esr(config-bgp-af)# neighbor 10.10.0.8...
  • Page 175
    esr(config)# security ipsec vpn IPSECVPN
    esr(config-ipsec-vpn)# mode ike
    esr(config-ipsec-vpn)# ike establish-tunnel route
    esr(config-ipsec-vpn)# ike gateway IKEGW
    esr(config-ipsec-vpn)# ike ipsec-policy IPSECPOLICY
    esr(config-ipsec-vpn)# enable
    Map IPsec to the GRE tunnel so that clients can establish an encrypted connection:
    esr(config-gre)# ip nhrp ipsec IPSECVPN dynamic
    Enable NHRP and the tunnel:
    esr(config-gre)# ip nhrp enable...
  • Page 176
    Configure IPsec. When creating the IKE protocol gateway for the NHS, specify particular destination addresses. When creating an IKE gateway for an NHC, the destination address will be any:
    esr(config)# security ike proposal IKEPROP
    esr(config-ike-proposal)# encryption algorithm aes128
    esr(config-ike-proposal)# dh-group
    esr(config-ike-proposal)# exit
    esr(config)# security ike policy IKEPOLICY...
  • Page 177
    esr(config)# security ipsec vpn IPSECVPN_SPOKE
    esr(config-ipsec-vpn)# mode ike
    esr(config-ipsec-vpn)# ike establish-tunnel route
    esr(config-ipsec-vpn)# ike gateway IKEGW_SPOKE
    esr(config-ipsec-vpn)# ike ipsec-policy IPSECPOLICY
    esr(config-ipsec-vpn)# enable
    Map IPsec to the GRE tunnel, in order to be able to establish an encrypted connection with the server and with the other network clients:
    esr(config-gre)# ip nhrp ipsec IPSECVPN_HUB static...
  • Page 178: Configuration Example 2

    9.2.3 Configuration example 2
    Objective: Organize DMVPN between company offices with the corresponding subnets LAN1 and LAN2, using mGRE tunnels, NHRP (Next Hop Resolution Protocol), a dynamic routing protocol (OSPF) and IPsec. In our example there is a HUB router and two branches.
  • Page 179
    Solution:
    HUB configuration:
    First, configure the OSPF protocol:
    esr(config)# router ospf log-adjacency-changes
    esr(config)# router ospf
    esr(config-ospf)# router-id 77.77.77.77
    esr(config-ospf)# area 10.10.0.0
    esr(config-ospf-area)# enable
    esr(config-ospf-area)# exit
    esr(config-ospf)# enable
    esr(config-ospf)# exit
    Configure the interface and assign it to a security zone:
    esr(config)# interface gigabitethernet...
  • Page 180
    esr(config)# security ike policy ike_pol1
    esr(config-ike-policy)# pre-shared-key ascii-text password
    esr(config-ike-policy)# proposal ike_prop1
    esr(config-ike-policy)# exit
    esr(config)# security ike gateway ike_spoke
    esr(config-ike-gw)# ike-policy ike_pol1
    esr(config-ike-gw)# local address 150.115.0.5
    esr(config-ike-gw)# local network 150.115.0.5/32 protocol gre
    esr(config-ike-gw)# remote address any
    esr(config-ike-gw)# remote network any
    esr(config-ike-gw)# mode policy-based
    esr(config-ike-gw)# exit...
  • Page 181
    2. SPOKE configuration:
    First, configure the OSPF protocol, advertising the LAN1 subnet:
    esr(config)# router ospf log-adjacency-changes
    esr(config)# router ospf
    esr(config-ospf)# router-id 1.1.1.1
    esr(config-ospf)# area 10.10.0.0
    esr(config-ospf-area)# network 192.168.1.0/24
    esr(config-ospf-area)# enable
    esr(config-ospf-area)# exit
    esr(config-ospf)# enable
    esr(config-ospf)# exit
    Configure the interface and assign it to a security zone:...
  • Page 182
    esr(config)# security ike policy ike_pol1
    esr(config-ike-policy)# pre-shared-key ascii-text password
    esr(config-ike-policy)# proposal ike_prop1
    esr(config-ike-policy)# exit
    esr(config)# security ike gateway ike_spoke
    esr(config-ike-gw)# ike-policy ike_pol1
    esr(config-ike-gw)# local address 180.100.0.10
    esr(config-ike-gw)# local network 180.100.0.10/32 protocol gre
    esr(config-ike-gw)# remote address any
    esr(config-ike-gw)# remote network any
    esr(config-ike-gw)# mode policy-based
    esr(config-ike-gw)# exit...
  • Page 183
    Map IPsec to the GRE tunnel, in order to be able to establish an encrypted connection with the server and with the other network clients:
    esr(config)# tunnel gre
    esr(config-gre)# ip nhrp ipsec ipsec_hub static
    esr(config-gre)# ip nhrp ipsec ipsec_spoke dynamic
    esr(config-gre)# exit
    To view the status of the NHRP records, use the following command.
  • Page 184: L2TPv3 Tunnel Configuration

    9.3 L2TPv3 tunnel configuration
    L2TPv3 (Layer 2 Tunnelling Protocol Version 3) is a protocol used for tunneling OSI Layer 2 frames between two IP nodes. IP or UDP is used as the encapsulation protocol. L2TPv3 may be used as an alternative to MPLS P2P L2VPN (VLL) for establishing L2 VPNs.
  • Page 185
    Step: Set the remote session identifier.
    Command: esr(config-l2tpv3)# remote session-id <SESSION-ID>
    Keys: <SESSION-ID> – session identifier, takes values in the range of [1..200000].
    Step: Define the local UDP port (if UDP was selected as the encapsulation method).
    Command: esr(config-l2tpv3)# local port <UDP>
    Keys: <UDP> – UDP port number in ...
  • Page 186: L2TPv3 Tunnel Configuration Example

    Step: Enable recording of the current tunnel usage statistics (optional).
    Command: esr(config-subif)# history statistics
    It is also possible to configure for the L2TPv3 tunnel:
    • QoS in basic or advanced mode (see section QoS management);
    • BRAS functionality (see section BRAS (Broadband Remote Access Server) management).
  • Page 187
    Assign the L2TPv3 tunnel to the bridge that should be mapped to the remote office network (for bridge configuration, see Section Configuration example of bridge for VLAN and L2TPv3 tunnel):
    esr(config-l2tpv3)# bridge-group
    Enable the previously created tunnel and exit:
    esr(config-l2tpv3)# enable
    esr(config-l2tpv3)# exit
    Create a sub-interface for switching the traffic coming from the tunnel into the LAN with VLAN id 333:...
  • Page 188: IPsec VPN Configuration

    9.4 IPsec VPN configuration
    IPsec is a set of protocols that provides security services for data transferred over IP. This set of protocols provides identity validation (authentication), IP packet integrity checking and encryption, and also includes protocols for secure key exchange over the Internet.
  • Page 189
    Step: Specify the IKE encryption algorithm (optional).
    Command: esr(config-ike-proposal)# encryption algorithm <ALGORITHM>
    Keys: <ALGORITHM> – encryption protocol, takes the following values: des, 3des, blowfish128, blowfish192, blowfish256, aes128, aes192, aes256, aes128ctr, aes192ctr, aes256ctr, camellia128, camellia192, camellia256. Default value: 3des.
  • Page 190
    Step: Bind the IKE policy to the IKE gateway.
    Command: esr(config-ike-gw)# ike-policy <NAME>
    Keys: <NAME> – IKE protocol policy name, set by a string of up to 31 characters.
    Step: Specify the IKE version (optional).
    Command: esr(config-ike-gw)# version <version>...
  • Page 191
    Step: Specify the IPsec authentication algorithm (optional).
    Command: esr(config-ipsec-proposal)# authentication algorithm <ALGORITHM>
    Keys: <ALGORITHM> – authentication algorithm, takes values of: md5, sha1, sha2-256, sha2-384, sha2-512. Default value: sha1.
    Step: Specify the IPsec encryption algorithm (route).
    Command: esr(config-ipsec-proposal)# encryption ...
    Keys: <ALGORITHM> – encryption ...
  • Page 192
    Step: Create the IPsec VPN policy and switch to its configuration mode.
    Command: esr(config)# security ipsec vpn <NAME>
    Keys: <NAME> – VPN name, set by a string of up to 31 characters.
    Step: Define the matching mode of data ...
    Command: esr(config-ipsec-vpn)# mode <MODE>...
  • Page 193
    Step: Configure the margin before expiration of the lifetime at which IKE connection key renegotiation starts (optional).
    Command: esr(config-ipsec-vpn)# ike rekey margin { seconds <SEC> | packets <PACKETS>...
    Keys: <SEC> – time interval in seconds remaining before the ...
  • Page 194: Route-Based IPsec VPN Configuration Example

    9.4.2 Route-based IPsec VPN configuration example
    Objective: Configure an IPsec tunnel between R1 and R2.
    • R1 IP address: 120.11.5.1;
    • R2 IP address: 180.100.0.1.
    IKE:
    • Diffie-Hellman group: 2;
    • encryption algorithm: AES 128 bit;
    • ...
  • Page 195
    Create a static route to the remote LAN. For each subnet located beyond the IPsec tunnel, specify a route via the VTI tunnel:
    esr(config)# ip route 192.0.2.0/24 tunnel vti
    Create the IKE protocol profile. Select Diffie-Hellman group 2, the AES 128 bit encryption algorithm and the MD5 authentication algorithm in the profile.
  • Page 196
    Create the IPsec VPN. For the VPN, specify the IKE protocol gateway, the IPsec tunnel policy, the key exchange mode and the connection establishment method. When all parameters are entered, enable the tunnel using the enable command.
    esr(config)# security ipsec vpn ipsec1
    esr(config-ipsec-vpn)# mode ike
    esr(config-ipsec-vpn)# ike establish-tunnel route
    esr(config-ipsec-vpn)# ike gateway ike_gw1...
  • Page 197
    Create the IKE protocol policy. For the policy, specify the list of IKE protocol profiles that may be used for node and authentication key negotiation:
    esr(config)# security ike policy ike_pol1
    esr(config-ike-policy)# pre-shared-key hexadecimal 123FFF
    esr(config-ike-policy)# proposal ike_prop1
    esr(config-ike-policy)# exit
    Create the IKE protocol gateway.
  • Page 198: Policy-Based IPsec VPN Configuration Algorithm

    To view the tunnel configuration, use the following command:
    esr# show security ipsec vpn configuration ipsec1
    Enable the ESP and ISAKMP protocols (UDP port 500) in the firewall.
    9.4.3 Policy-based IPsec VPN configuration algorithm
    Step Description Command...
  • Page 199
    Step: Specify the lifetime of the IKE protocol connection (optional).
    Command: esr(config-ike-proposal)# lifetime seconds <SEC>
    Keys: <SEC> – time interval, takes values of [4..86400] seconds.
    Step: Bind the policy to the profile.
    Command: esr(config-ike-policy)# proposal <NAME>
    Keys: <NAME> – IKE protocol name, ...
  • Page 200
    Step: Specify the response timeout for DPD mechanism messages (optional).
    Command: esr(config-ike-gw)# dead-peer-detection timeout <SEC>
    Keys: <SEC> – time interval of response to DPD mechanism messages, takes values of [1..180] seconds.
    Step: Specify the IKE version (optional).
  • Page 201
    Step: Create the IPsec profile.
    Command: esr(config)# security ipsec proposal <NAME>
    Keys: <NAME> – IPsec protocol profile name, set by a string of up to 31 characters.
    Step: Specify the IPsec authentication algorithm.
    Command: esr(config-ipsec-proposal)# authentication algorithm <ALGORITHM>
    Keys: <ALGORITHM> – authentication algorithm, takes ...
  • Page 202
    Step: Create the IPsec VPN policy and switch to its configuration mode.
    Command: esr(config)# security ipsec vpn <NAME>
    Keys: <NAME> – VPN name, set by a string of up to 31 characters.
    Step: Define the matching mode of data ...
    Command: esr(config-ipsec-vpn)# mode <MODE>...
  • Page 203: Policy-Based IPsec VPN Configuration Example

    Step: Configure the margin before expiration of the lifetime at which IKE connection key renegotiation starts (optional).
    Command: esr(config-ipsec-vpn)# ike rekey margin { seconds <SEC> | packets <PACKETS>...
    Keys: <SEC> – time interval in seconds remaining before the ...
  • Page 204
    IKE:
    • Diffie-Hellman group: 2;
    • encryption algorithm: AES 128 bit;
    • authentication algorithm: MD5.
    IPSEC:
    • encryption algorithm: AES 128 bit;
    • authentication algorithm: MD5.
    Solution:
    R1 configuration
    Configure the external network interface and assign it to a security zone:
    esr# configure
    esr(config)# interface...
  • Page 205
    Create the IKE protocol gateway. For this profile, specify the VTI tunnel, the policy, the protocol version and the mode of traffic redirection into the tunnel.
    esr(config)# security ike gateway ike_gw1
    esr(config-ike-gw)# ike-policy ike_pol1
    esr(config-ike-gw)# local address 198.51.100.1
    esr(config-ike-gw)# local network 10.0.0.0/16
    esr(config-ike-gw)# remote address 203.0.113.1...
  • Page 206
    To configure the security zone rules, create the ISAKMP port profile:
    esr(config)# object-group service ISAKMP
    esr(config-addr-set)# port-range
    esr(config-addr-set)# exit
    Create the IKE protocol profile. Select Diffie-Hellman group 2, the AES 128 bit encryption algorithm and the MD5 authentication algorithm in the profile. The given security parameters are used for IKE connection protection:
    esr(config)# security ike proposal ike_prop1
    esr(config-ike-proposal)# dh-group...
  • Page 207: Remote Access IPsec VPN Configuration Algorithm

    Create the IPsec VPN. For the VPN, specify the IKE protocol gateway, the IPsec tunnel policy, the key exchange mode and the connection establishment method. When all parameters are entered, enable the tunnel using the enable command:
    esr(config)# security ipsec vpn ipsec1
    esr(config-ipsec-vpn)# mode ike
    esr(config-ipsec-vpn)# ike establish-tunnel route
    esr(config-ipsec-vpn)# ike gateway ike_gw1...
  • Page 208
    Step: Specify the IP address of the local side of the VTI tunnel (optional).
    Command: esr(config-vti)# ip address <ADDR/LEN>
    Keys: <ADDR/LEN> – IP address and prefix of a subnet, defined as AAA.BBB.CCC.DDD/EE where each part AAA-DDD takes values of [0..255] and EE takes values of [1..31].
  • Page 209
    Step: Specify a password for a user.
    Command: esr(config-profile)# password ascii-text <TEXT>
    Keys: <TEXT> – string of [8..32] ASCII characters.
    Step: Create a destination address pool (only for the server).
    Command: esr(config)# address-assignment pool <NAME>
    Keys: <NAME> – destination addresses ...
  • Page 210
    Step: Specify the response timeout for DPD mechanism messages (optional).
    Command: esr(config-ike-gw)# dead-peer-detection timeout <SEC>
    Keys: <SEC> – time interval of response to DPD mechanism messages, takes values of [1..180] seconds. Default value: 30
    Step: Specify the IKE version (optional).
  • Page 211
    Step: Set the access profile for XAUTH parameters (only for the server).
    Command: esr(config-ike-gw)# xauth access-profile <NAME>
    Keys: <NAME> – access profile name, set by a string of up to 31 characters.
    Step: Set the access profile and login for ...
    Command: esr(config-ike-gw)# xauth <NAME>...
  • Page 212
    Step: Configuration config-ipsec-proposal
    Command: esr(config)# security ipsec policy <NAME>
    Keys: <NAME> – IPsec policy name, set by a string of up to 31 characters.
    Step: Bind the policy to the profile.
    Command: esr(config-ipsec-policy)# proposal <NAME>
    Keys: <NAME> – IPsec protocol profile ...
  • Page 213
    Step: Set the VPN activation mode.
    Command: esr(config-ipsec-vpn)# ike establish-tunnel <MODE>
    Keys: <MODE> – VPN activation mode:
    • by-request – the connection is activated by the opposite side, available for the server;
    • route – the connection is activated when traffic routed to the tunnel appears;
    • ...
  • Page 214
    Step: Set the level of random spread for the margin seconds, margin packets and margin kilobytes values (optional).
    Command: esr(config-ipsec-vpn)# ike rekey randomization <VALUE>
    Keys: <VALUE> – maximum ratio of value spread, takes values of [1..100]. Default value: 100
    Step: Describe the VPN (route).
  • Page 215: Remote Access IPsec VPN Configuration Example

    9.4.6 Remote Access IPsec VPN configuration example
    Objective: Configure a Remote Access IPsec VPN between R1 and R2 using the second IPsec authentication factor, XAUTH. Configure router R1 as the IPsec VPN server and router R2 as the IPsec VPN client.
    R2 IP address: 120.11.5.1;...
  • Page 216
    Create the IKE protocol profile. Select Diffie-Hellman group 2, the 3DES encryption algorithm and the SHA1 authentication algorithm in the profile. The given security parameters are used for IKE connection protection:
    esr(config)# security ike proposal IKEPROP
    esr(config-ike-proposal)# dh-group
    esr(config-ike-proposal)# authentication algorithm sha1
    esr(config-ike-proposal)# encryption algorithm 3des
    esr(config-ike-proposal)# exit...
  • Page 217
    Create the security parameters profile for the IPsec tunnel. Specify the 3DES encryption algorithm and the SHA1 authentication algorithm in the profile. Use the following parameters to secure the IPsec tunnel:
    esr(config)# security ipsec proposal IPSECPROP
    esr(config-ipsec-proposal)# authentication algorithm sha1
    esr(config-ipsec-proposal)# encryption algorithm 3des
    esr(config-ipsec-proposal)# exit
    Create a policy for the IPsec tunnel.
  • Page 218
    To configure the security zone rules, create the ISAKMP port profile:
    esr(config)# object-group service ISAKMP
    esr(config-addr-set)# port-range 500,4500
    esr(config-addr-set)# exit
    Create the IKE protocol profile. Select Diffie-Hellman group 2, the 3DES encryption algorithm and the SHA1 authentication algorithm in the profile. The given security parameters are used for IKE connection protection:
    esr(config)# security ike proposal IKEPROP
    esr(config-ike-proposal)# dh-group...
  • Page 219
    Create the security parameters profile for the IPsec tunnel. Specify the 3DES encryption algorithm and the SHA1 authentication algorithm in the profile. Use the following parameters to secure the IPsec tunnel:
    esr(config)# security ipsec proposal IPSECPROP
    esr(config-ipsec-proposal)# authentication algorithm md5
    esr(config-ipsec-proposal)# encryption algorithm aes128
    esr(config-ipsec-proposal)# exit
    Create a policy for the IPsec tunnel.
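    As an added example (not code from the manual or from Eltex), the following Python checker reads proposal configuration in the CLI transcript form used on pages 216 to 219 and reports the settings a security reviewer would question against the algorithm lists on pages 189 and 191. The device defaults it applies (3des for IKE encryption, sha1 for IPsec authentication) are the manual's stated defaults; the weak/legacy classification is this example's own policy, and the sample transcript is constructed, not a real device capture.

```python
"""Audit ESR-style 'security ike/ipsec proposal' transcripts for weak settings.

Added example, not from the Eltex manual. Parses lines such as
    esr(config)# security ike proposal IKEPROP
    esr(config-ike-proposal)# encryption algorithm 3des
and flags algorithm choices against a review policy defined below.
"""
import re
from dataclasses import dataclass, field

# Defaults stated in the manual: IKE encryption 3des, IPsec authentication sha1.
DEFAULTS = {"ike": {"encryption": "3des"}, "ipsec": {"authentication": "sha1"}}

# Review policy of this example (an assumption, not the vendor's guidance).
POLICY = {
    "encryption": {"des": "weak", "3des": "weak", "blowfish128": "weak",
                   "blowfish192": "weak", "blowfish256": "weak"},
    "authentication": {"md5": "weak", "sha1": "legacy"},
    "dh-group": {"1": "weak", "2": "weak", "5": "legacy"},
}

# Matches "hostname(mode)# command ..." prompts like esr(config-ike-proposal)#
PROMPT_RE = re.compile(r"^\S+\((?P<mode>[^)]*)\)#\s*(?P<cmd>.*)$")


@dataclass
class Proposal:
    kind: str                                     # "ike" or "ipsec"
    name: str
    settings: dict = field(default_factory=dict)  # value None = not readable


def parse_proposals(transcript: str) -> list:
    """Collect ike/ipsec proposals from an ESR-style CLI transcript."""
    proposals, current = [], None
    for raw in transcript.splitlines():
        m = PROMPT_RE.match(raw.strip())
        if not m:
            continue                      # prose between commands is skipped
        mode, cmd = m.group("mode"), m.group("cmd").split()
        if (mode == "config" and len(cmd) >= 4 and cmd[0] == "security"
                and cmd[1] in DEFAULTS and cmd[2] == "proposal"):
            current = Proposal(kind=cmd[1], name=cmd[3])
            proposals.append(current)
        elif current and mode == f"config-{current.kind}-proposal":
            if cmd[:1] == ["exit"]:
                current = None
            elif len(cmd) >= 2 and cmd[1] == "algorithm":
                # "encryption algorithm aes128" / "authentication algorithm sha1"
                current.settings[cmd[0]] = cmd[2] if len(cmd) > 2 else None
            elif cmd[:1] == ["dh-group"]:
                current.settings["dh-group"] = cmd[1] if len(cmd) > 1 else None
        else:
            current = None                # some other configuration mode
    return proposals


def audit(proposals: list) -> list:
    """Return (proposal name, severity, message) tuples for settings to review."""
    findings = []
    for p in proposals:
        effective = dict(p.settings)
        for key, default in DEFAULTS[p.kind].items():
            if key not in effective:      # unset: the device default applies
                effective[key] = default
                findings.append((p.name, "info",
                                 f"{key} not set; device default {default} applies"))
        if p.kind == "ike" and "dh-group" not in effective:
            findings.append((p.name, "info", "dh-group not set in transcript"))
        for key, value in effective.items():
            if value is None:             # command present but value unreadable
                findings.append((p.name, "info", f"{key} value missing"))
                continue
            severity = POLICY.get(key, {}).get(value)
            if severity:
                findings.append((p.name, severity, f"{severity} {key} {value}"))
    return findings


# Constructed sample modelled on the manual's examples (not a real capture).
SAMPLE = """\
esr(config)# security ike proposal IKEPROP
esr(config-ike-proposal)# dh-group 2
esr(config-ike-proposal)# authentication algorithm sha1
esr(config-ike-proposal)# encryption algorithm 3des
esr(config-ike-proposal)# exit
esr(config)# security ipsec proposal IPSECPROP
esr(config-ipsec-proposal)# authentication algorithm md5
esr(config-ipsec-proposal)# encryption algorithm aes128
esr(config-ipsec-proposal)# exit
esr(config)# security ipsec proposal IPSEC_DEFAULTS
esr(config-ipsec-proposal)# encryption algorithm aes256
esr(config-ipsec-proposal)# exit
esr(config)# security ike policy IKEPOLICY
esr(config-ike-policy)# proposal IKEPROP
esr(config-ike-policy)# exit
"""

if __name__ == "__main__":
    for name, severity, msg in audit(parse_proposals(SAMPLE)):
        print(f"[{severity}] {name}: {msg}")
```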
  • Page 220: DPD Configuration Example (Dead Peer Detection)

    9.4.7 DPD configuration example (Dead Peer Detection)
    Objective: Configure Dead Peer Detection on R1 for the policy-based IPsec VPN between R1 and R2. The initial configuration can be taken from the Policy-based IPsec VPN configuration example.
    Solution: On R1, in the IKE protocol gateway, specify the following: DPD operation mode – restart, polling interval –...
  • Page 221: Tunnels Configuration

    esr# show security ipsec vpn status
    Name      Local host      Remote host     Initiator spi        Responder spi        State
    --------- --------------- --------------- -------------------- -------------------- -----------
    ipsec1    198.51.100.1    203.0.113.1     0x7a77a25a55853255   0xb62fd04f2db43d08   Established
    2037-10-30T07:52:53+00:00 %CLI-I-CMD: user admin from console input: show security ipsec vpn status
    esr# show security ipsec vpn status...
  • Page 222
    Step: For each LT tunnel, specify the IP address used for packet routing. For interacting LT tunnels, the IP addresses should be located in one IP subnet.
    Command: esr(config-lt)# ip address <ADDR/LEN>
    Keys: <ADDR/LEN> – IP address and prefix of a subnet, defined as AAA.BBB.CCC.DDD/EE where ...
  • Page 223: Configuration Example

    9.5.2 Configuration example
    Objective: Organize interaction between hosts terminated in two VRFs, vrf_1 and vrf_2.
    Initial configuration:
    hostname esr
    ip vrf vrf_1
    exit
    ip vrf vrf_2
    exit
    interface gigabitethernet 1/0/1
    ip vrf forwarding vrf_1
    ip firewall disable
    ip address 10.0.0.1/24
    ...
  • Page 224
    If no dynamic routing protocol is configured in the VRFs, specify static routes for each VRF:
    esr(config)# ip route vrf vrf_1 0.0.0.0/0 192.168.0.2
    esr(config)# ip route vrf vrf_2 0.0.0.0/0 192.168.0.1
    ...
  • Page 225: QoS Management

    10 QoS management
    • Basic QoS
      • Configuration algorithm
      • Configuration example
    • Advanced QoS
      • Configuration algorithm
      • Configuration example
    QoS (Quality of Service) is a technology that provides various traffic classes with various service priorities. QoS allows network applications to co-exist in a single network without altering the bandwidth of other applications.
  • Page 226
    Step: Set the mapping between the DSCP code values of incoming packets and the outgoing queues.
    Command: esr(config)# qos map dscp-queue <DSCP> to <QUEUE>
    Keys: <DSCP> – service classifier in a packet IP header, takes values in the range of [0..63]; ...
  • Page 227
    Step: Set the number of priority queues. The remaining queues are weighted (optional).
    Command: esr(config)# priority-queue out num-of-queues <VALUE>
    Keys: <VALUE> – number of queues, takes values of [0..8], where:
    • 0 – all queues take part in WRR (WRR – ...
  • Page 228: Configuration Example

    Step: Set the incoming traffic rate limiting (if the outgoing rate limiting is required).
    Command: esr(config-if-gi)# rate-limit <BANDWIDTH> [BURST]
    Keys: <BANDWIDTH> – average traffic rate in Kbps, takes the value of [3000..10000000] for TengigabitEthernet interfaces and [64..1000000] for other interfaces and tunnels; ...
  • Page 229: Advanced QoS

    Enable QoS on the incoming interface to correctly classify traffic and direct it to the appropriate queue on the LAN side:
    esr(config)# interface gigabitethernet 1/0/5
    esr(config-if-gi)# qos enable
    esr(config-if-gi)# exit
    Enable QoS on the WAN side interface for proper queue handling and bandwidth limitation:
    esr(config)# interface gigabitethernet...
  • Page 230
    Step: Specify the DSCP code value which will be set in IP packets corresponding to the class being configured (cannot be ...
    Command: esr(config-class-map)# set dscp <DSCP>
    Keys: <DSCP> – DSCP code value, takes values in the range of [0..63].
  • Page 231
    Step: Enable automatic bandwidth allocation between classes without bandwidth configuration, including the default class (if required).
    Command: esr(config-policy-map)# shape auto-distribution
    Step: Include the specified QoS class in the policy and switch to the class ...
    Command: esr(config-policy-map)# class <NAME>
    Keys: <NAME> – name of the class ...
  • Page 232
    Step: Specify the class operation mode (optional).
    Command: esr(config-class-policy-map)# mode <MODE>
    Keys: <MODE> – class mode:
    • fifo – FIFO mode (First In, First Out);
    • gred – GRED mode (Generalized RED);
    • red – RED mode (Random Early Detection);
    • ...
  • Page 233
    Step: Specify RED (Random Early Detection) parameters (if required).
    Command: esr(config-class-policy-map)# random-detect <LIMIT> <MIN> <MAX> <APS> <APS-NUM> <PROBABILITY>...
    Keys: <LIMIT> – limited size of a queue in bytes, takes values in the range of [1..1000000]; ...
  • Page 234
    Step: Specify GRED (Generalized Random Early Detection) parameters (if required).
    Command: esr(config-class-policy-map)# random-detect queue <QUEUE-NUM> [ dscp <DSCP> | precedence <IPP> ] <LIMIT> <MIN> <MAX> <APS>...
    Keys: <QUEUE-NUM> – queue number [1..16]; <DSCP> – DSCP code value, takes values in the range of ...
  • Page 235: Configuration Example

    Step: Apply the QoS policy on a configured interface/tunnel/network bridge to classify input and prioritize output ...
    Command: esr(config-if-gi)# service-policy { input | output } <NAME>
    Keys: <NAME> – QoS policy name, set by a string of up to 31 characters.
  • Page 236
    Create classes fl1 and fl2, specify the respective access control lists and configure labelling:
    esr(config)# class-map fl1
    esr(config-class-map)# set dscp
    esr(config-class-map)# match access-group fl1
    esr(config-class-map)# exit
    esr(config)# class-map fl2
    esr(config-class-map)# set dscp
    esr(config-class-map)# match access-group fl2
    esr(config-class-map)# exit
    Create the policy and define the general bandwidth limits:
    esr(config)# policy-map fl...
  • Page 237: Routing Management

    11 Routing management
    • Routing information advertising policy
      • OSPF protocol
      • IS-IS protocol
      • iBGP protocol
      • eBGP protocol
    • Static routes configuration
      • Configuration algorithm
      • Static routes configuration example
    • RIP configuration
      • ...
  • Page 238: Routing Information Advertising Policy

    11.1 Routing information advertising policy
    11.1.1 RIP
    Import:
    • Default policy: route information reception is not limited.
    • Advertising methods: Network, Redistribute.
    • Filtering methods: Route-map — the last (implicit) rule denies anything that is not explicitly allowed by the previous rules.
    • Filtering policy application levels: RIP process.
  • Page 239: IS-IS Protocol

    Export:
    • Default policy: information about interfaces with the OSPF protocol enabled is advertised.
    • Filtering methods: Route-map — the last (implicit) rule allows anything that is not explicitly denied by the previous rules.
  • Page 240: iBGP Protocol

    11.1.4 iBGP protocol
    Import:
    • Default policy: route information reception is not limited.
    • Advertising methods: Network, Redistribute.
    • Filtering methods: Route-map — the last (implicit) rule denies anything that is not explicitly allowed by the previous ...
    • Filtering policy application levels: address-family, peer-group, neighbor...
  • Page 241: Static Routes Configuration

    11.2 Static routes configuration
    Static routing is a type of routing in which routes are defined explicitly during router configuration, without dynamic routing protocols.
    11.2.1 Configuration algorithm
    You can add a static route by using the following command in global configuration mode:
    esr(config)# ip route [ vrf <VRF>...
  • Page 242: Static Routes Configuration Example

    • <IF> – an IP interface name specified in the form described in Section Types and naming order of router interfaces;
    • blackhole – when this keyword is specified, packets to this subnet are dropped by the device without sending any notification to the sender;...
  • Page 243 Specify the 192.168.100.1/30 address and the 'LAN' zone for the gi1/0/2 interface. R1 will be connected to the R2 device via this interface for further traffic routing: esr(config)# interface gi1/0/2 esr(config-if-gi)# security-zone LAN esr(config-if-gi)# ip address 192.168.100.1/30 esr(config-if-gi)# exit Specify the 128.107.1.2/30 address and the 'WAN' zone for the gi1/0/3 interface.
  • Page 244: Rip Configuration

    Create a default route by specifying the IP address of the R1 router gi1/0/2 interface (192.168.100.1) as the nexthop: esr(config)# ip route 0.0.0.0/0 192.168.100.1 To check the routing table, the following command can be used: esr# show ip route 11.3 RIP configuration. RIP is a distance-vector dynamic routing protocol that uses hop count as a routing metric.
  • Page 245 Permit or deny the prefixes lists: esr(config-pl)# permit { object-group <OBJ-GROUP-NETWORK-NAME> | <ADDR/LEN> | <IPV6-ADDR/LEN>...; <OBJ-GROUP-NETWORK-NAME> – IP addresses profile name, set by the string of up to...
  • Page 246 Disable routes advertising on the interfaces/tunnels/bridge where it is not necessary (optional): esr(config-rip)# passive-interface { <IF> | <TUN> }; <IF> – interface and identifier; <TUN> – tunnel name and number. Set time interval after which the ...: esr(config-rip)# timers update <TIME>...
  • Page 247 esr(config-rip)# redistribute connected [ route-map <NAME> ]; <NAME> – name of the route map that will be used for filtration and modification of advertised directly connected subnets, set by the string of up to 31 characters.
  • Page 248 esr(config)# bridge <BR-NUM>; <BR-NUM> – bridge number. Set RIP routes metric value on the interface (optional): esr(config-if-gi)# ip rip metric <VALUE>; <VALUE> – metric size, takes values of [0..32767]. Default value: 5. Set the routes advertising mode via RIP: esr(config-if-gi)# ip rip mode <MODE>...
  • Page 249: Rip Configuration Example

    11.3.2 RIP configuration example. Objective: Configure RIP on the router in order to exchange routing information with neighboring routers. The router should advertise static routes and the subnets 115.0.0.0/24, 14.0.0.0/24, 10.0.0.0/24. Routes should be advertised every 25 seconds.
  • Page 250: OSPF Configuration

    11.4 OSPF configuration. OSPF is a dynamic link-state routing protocol that uses Dijkstra's shortest path first algorithm. 11.4.1 Configuration algorithm. Configure OSPF precedence for the ...: esr(config)# ip protocols ospf <VALUE>...
  • Page 251 Permit or deny the prefixes lists (optional): esr(config-pl)# permit [ { object-group <OBJ-GROUP-NETWORK-NAME> | <ADDR/LEN> | <IPV6-ADDR/LEN>...; <OBJ-GROUP-NETWORK-NAME> – IPv4/IPv6 addresses profile name, set by the string...
  • Page 252 Define OSPF process routes precedence: esr(config-ospf)# preference <VALUE>, esr(config-ipv6-ospf)# preference <VALUE>; <VALUE> – OSPF process routes precedence, takes values in the range of [1..255]. Define maximum number of equivalent ...: esr(config-ospf)# maximum-path <PATHS>...
  • Page 253 esr(config-ospf)# redistribute bgp <AS> [ route-map <NAME> ], esr(config-ipv6-ospf)# redistribute bgp <AS> [ route-map <NAME> ]; <AS> – autonomous system number, takes values of [1..4294967295]; <NAME> – name of the route map that will be used for advertised BGP routes filtration and modification, set by the...
  • Page 254 Specify the area type (optional): esr(config-ospf-area)# area-type <TYPE> [ no-summary ], esr(config-ipv6-ospf-area)# area-type <TYPE> [ no-summary ]; <TYPE> – area type: • stub – sets stub value (stub area); no-summary – the keyword in conjunction with the 'stub' parameter forms a 'totally stubby'...
  • Page 255 esr(config-ipv6-ospf-area)# summary-address <IPV6-ADDR/LEN> { advertise | not-advertise }; <IPV6-ADDR/LEN> – IPv6 address and mask of a subnet, defined as X:X:X:X::X/EE where each X part takes values in hexadecimal format [0..FFFF] and EE takes values of [1..128];...
  • Page 256 Set the time interval in seconds after which the router selects the DR in the network (optional): esr(config-ospf-vlink)# wait-interval <TIME>, esr(config-ipv6-ospf-vlink)# wait-interval <TIME>...; <TIME> – time in seconds, takes values of [1..65535]. Default value: 40 seconds.
  • Page 257 esr(config-if-gi)# ipv6 ospf instance <ID>. Define the interface membership in a specific OSPF process area: esr(config-if-gi)# ip ospf area <AREA_ID>; <AREA_ID> – area identifier, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255].
  • Page 258 Set the time interval in seconds after which the router re-sends a packet that has not received a delivery confirmation (for example, a DatabaseDescription...): esr(config-if-gi)# ip ospf retransmit-interval <TIME>; <TIME> – time in seconds, takes values of [1..65535]. Default value: 5 seconds.
  • Page 259 Define the network type for OSPF neighborhood establishment (optional): esr(config-if-gi)# ip ospf network <TYPE>, esr(config-if-gi)# ipv6 ospf network <TYPE>...; <TYPE> – network type: • broadcast – broadcast connection type; • non-broadcast – NBMA...
  • Page 260: Ospf Configuration Example

    11.4.2 OSPF configuration example. Objective: Configure the OSPF protocol on the router in order to exchange routing information with neighboring routers. The router should be in the area with identifier 1.1.1.1 and announce routes received via RIP. Solution: Pre-configure IP addresses on interfaces according to the network structure shown in the figure above.
  • Page 261: Ospf Stub Area Configuration Example

    esr(config)# interface gigabitethernet 1/0/15 esr(config-if-gi)# ip ospf instance esr(config-if-gi)# ip ospf area 1.1.1.1 esr(config-if-gi)# ip ospf esr(config-if-gi)# exit esr(config)# exit 11.4.3 OSPF stub area configuration example. Objective: Change the 1.1.1.1 area type; the area should be stub. Solution: Pre-configure the OSPF protocol and IP addresses on interfaces according to the network structure shown in the figure above.
  • Page 262 Create and enable a virtual link with the identifier 0.0.0.3: esr(config-ospf-area)# virtual-link 0.0.0.3 esr(config-ospf-vlink)# enable For the R3 router, proceed to 1.1.1.1 area configuration mode: esr(config-ospf)# area 1.1.1.1 Create and enable a virtual link with the identifier 0.0.0.1: esr(config-ospf-area)# virtual-link 0.0.0.1 esr(config-ospf-vlink)# enable...
  • Page 263: Bgp Configuration

    11.5 BGP configuration. BGP is designed to exchange subnet reachability information among autonomous systems (AS), i.e. groups of routers under a single technical administration that use an interdomain routing protocol to define packet delivery routes to other ASes. The transmitted information includes the list of ASes reachable through this system.
  • Page 264 Enable ECMP and define the maximum amount of equal routes to a destination point: esr(config)# router bgp maximum-paths <VALUE>; <VALUE> – amount of valid equal routes to the target, takes...
  • Page 265 Define the list of subnets affected by the rule: esr(config-route-map-rule)# match ip address { <ADDR/LEN> | object-group <OBJ-GRP-NETNAME> } [ { eq <LEN>...; <ADDR/LEN> – IP address and subnet mask, in the format of...
  • Page 266 If the prefix-list-based filtering method is selected, create a list of IP networks that will be used to filter the advertised ...: esr(config)# ip prefix-list <NAME>; <NAME> – name of the subnet list being configured, set by the string of up to 31 characters.
  • Page 267 Permit or deny the prefixes lists: esr(config-pl)# permit { <ADDR/LEN> | object-group <OBJ-GRP-NETNAME> } [ { eq <LEN> | le <LEN>...; <ADDR/LEN> – IP address and subnet mask, in the format of...
  • Page 268 Add a BGP process to the system and switch to the BGP process parameters configuration mode: esr(config)# router bgp <AS>; <AS> – autonomous system number, takes values of [1..4294967295]. Set the router identifier: esr(config-bgp)# router-id { <ID>...
  • Page 269 Define the global algorithm of neighbor authentication (if necessary): esr(config-bgp)# authentication algorithm <ALGORITHM>; <ALGORITHM> – encryption algorithm: • md5 – password is encrypted by the md5 algorithm. Default value: encryption is not used.
  • Page 270 esr(config-bgp-af)# redistribute ospf <ID> <ROUTE-TYPE 1> [<ROUTE-TYPE 2>] [<ROUTE-TYPE 3>] [<ROUTE-TYPE 4>] [ route-map <NAME> ]; <ID> – process number, takes values of {1..65535}; <ROUTE-TYPE> – route type: • intra-area – OSPF process routes advertising within a zone;...
  • Page 271 Exit global BGP process route information advertisement configuration mode: esr(config-bgp-af)# exit. Add a BGP neighbor and switch to the BGP process parameters configuration mode: esr(config-bgp)# neighbor <ADDR>|<IPV6-ADDR>; <ADDR> – neighbor's IP address, defined as...
  • Page 272 Set the IP/IPv6 router address that will be used as the source IP/IPv6 address in transmitted BGP route information updates (optional): esr(config-bgp-neighbor)# update-source { <ADDR> | <IPV6-ADDR> }; <ADDR> – source IP address, defined as AAA.BBB.CCC.DDD where each part takes values of...
  • Page 273 Define the type of routing information configured for the neighbor and switch to this configuration mode: esr(config-bgp-neighbor)# address-family { ipv4 | ipv6 | vpnv4 } unicast; ipv4 – IPv4 family; ipv6 – IPv6 family; vpnv4 – VPNv4 family.
  • Page 274: Configuration Example

    When configuring iBGP, it is common to have multiple BGP neighbors with the same parameters within a single BGP process. To avoid configuration redundancy, it is recommended to use a BGP peer-group, in which the common parameters are described once and peer-group membership is simply referenced in each BGP neighbor configuration.
  • Page 275 Configure the firewall to receive BGP traffic from the WAN security zone: esr-R3(config)# object-group service og_bgp esr-R3(config-object-group-service)# port-range esr-R3(config-object-group-service)# exit esr-R3(config)# security zone wan esr-R3(config-zone)# exit esr-R3(config)# security zone-pair wan self esr-R3(config-zone-pair)# rule esr-R3(config-zone-pair-rule)# match protocol tcp esr-R3(config-zone-pair-rule)# match destination-port og_bgp esr-R3(config-zone-pair-rule)# action permit esr-R3(config-zone-pair-rule)# enable...
  • Page 276: Bgp Best Route Selection Policy

    Enable IPv4 route exchange: esr-R3(config-bgp-neighbor)# address-family ipv4 unicast esr-R3(config-bgp-neighbor-af)# enable esr-R3(config-bgp-neighbor-af)# exit esr-R3(config-bgp-neighbor)# exit Create a neighborhood with the R1 router via eBGP: esr-R3(config-bgp)# neighbor 185.0.0.2 esr-R3(config-bgp-neighbor)# remote-as esr-R3(config-bgp-neighbor)# enable Enable the exchange of IPv4 routes, permitting the necessary routes for advertising by means of a previously prepared route-map: esr-R3(config-bgp-neighbor)# address-family ipv4 unicast esr-R3(config-bgp-neighbor-af)# route-map bgp-general out...
  • Page 277 For VPNv4 routes, selection of the best route is as follows. First, the best route is chosen within its RD. Then, within the VRF into which the route is imported according to its RT. First of all, the next-hop of the route is checked. If there is a connected route to the next-hop, it is considered available.
  • Page 278: Bfd Configuration

    ESR series service routers. ESR-Series. User manual In the output of routing information for a particular prefix, the best route will be marked as 'Best': ESR# show bgp ipv4 unicast 192.0.2.0/24 192.0.2.0/24 100.64.28.1 gi1/0/1.2800 [bgp65514 2022-05-22] (65041i) Administrative Distance: Type: unicast Origin: AS PATH: 65054 65055 65056 65077 65098 65059...
  • Page 279 Example of establishing an iBGP neighborhood and enabling BFD for it: ESR# show running-config routing bgp router bgp 65516 neighbor 10.100.0.2 remote-as 65515 update-source 10.100.0.1 bfd-enable enable exit enable exit ESR# show bfd neighbors 10.100.0.2 Neighbor address: 10.100.0.2 Local address:...
  • Page 280: Timers Configuration

    Both devices have to be configured. After the session is re-established, its mode will change to multi-hop: esr-200# sh bfd neighbors 10.100.0.2 Neighbor address: 10.100.0.2 Local address: 10.100.0.1 Interface: Remote discriminator: 3751534121 Local discriminator: 1670865501 State: Session type: Control Session mode:...
  • Page 281: Configuration Algorithm

    Locally configured timers, remote side timers, as well as the calculated timers, can be viewed as follows: esr-200# sh bfd neighbors 10.100.0.2 Neighbor address: 10.100.0.2 Local address: 10.100.0.1 Interface: Remote discriminator: 3751534121 Local discriminator: 1670865501 State: Session type: Control...
  • Page 282 Set the minimum interval after which the neighbor should generate a BFD message. Globally (optional): esr(config)# ip bfd min-rx-interval <TIMEOUT>; <TIMEOUT> – interval after which the BFD message should be sent by the neighbor, takes...
  • Page 283 Enable BFD operation with the specified IP address: esr(config)# ip bfd neighbor <ADDR> [ { interface <IF> | tunnel <TUN> } ] [local-address <ADDR>...; <ADDR> – gateway IP address, defined as AAA.BBB.CCC.DDD where each part takes values of...
  • Page 284 Set the minimum interval after which the neighbor should generate a BFD message. On the interface (optional): esr(config-if-gi)# ip bfd min-rx-interval <TIMEOUT>; <TIMEOUT> – interval after which the BFD message should be sent by the neighbor, takes values in milliseconds in the range of [200..65535] for...
  • Page 285: Bfd With Bgp Configuration Example

    11.6.3 BFD with BGP configuration example. Objective: Configure eBGP between ESR R1 and R2 and enable BFD. Solution: R1 configuration. Preconfigure the Gi1/0/1 interface: esr(config)# interface gigabitethernet 1/0/1 esr(config-if-gi)# ip firewall disable esr(config-if-gi)# ip address 10.0.0.1/24 Configure eBGP with BFD: esr(config)# router bgp...
  • Page 286: Pbr Routing Policy Configuration

    11.7 PBR routing policy configuration. 11.7.1 Configuration algorithm of Route-map for BGP. Route-maps may serve as filters processing routing information when it is received from or sent to the neighboring device. Processing may include filtering based on various route criteria and setting attributes (MED, AS-PATH, community, LocalPreference, etc.) for the respective routes.
  • Page 287 esr(config-route-map-rule)# match ipv6 address object-group <OBJ-GROUP-NETWORK-NAME>. Set the IP addresses profile that includes the BGP Next-Hop attribute value in the route for which the ...: esr(config-route-map-rule)# match ip next-hop object-group <OBJ-...; <OBJ-GROUP-NETWORK-NAME> – name of the IP addresses profile that includes destination subnets prefixes, set by the...
  • Page 288 Set the RIP Tag attribute value in the route for which the rule should work: esr(config-route-map-rule)# match tag rip <TAG>; <TAG> – RIP Tag attribute value, takes values in the range of [0..65535].
  • Page 289 Specify the Next-Hop value that will be set in the route received by BGP (optional): esr(config-route-map-rule)# action set ip next-hop ...; <NEXTHOP> – gateway IP address, defined as AAA.BBB.CCC.DDD where each part...
  • Page 290: Configuration Example 1. Route-Map For Bgp

    11.7.2 Configuration example 1. Route-map for BGP. Objective: Assign a community to routing information coming from AS 20. First, do the following: • Configure BGP with AS2500 on the ESR router; • Establish neighboring with AS20. Solution: Create a policy: esr# configure...
  • Page 291: Configuration Example 2. Route-Map For Bgp

    11.7.3 Configuration example 2. Route-map for BGP. Objective: For all transmitted routing information (from community 2500:25), assign MED equal to 240 and define EGP as the routing information source. First: Configure BGP with AS2500 on the ESR. Solution: Create a policy: esr(config)# route-map to-as20...
  • Page 292: Route-Map Based On Access Control Lists (Policy-Based Routing) Configuration Example

    Create a route map rule: esr(config-route-map)# rule <ORDER>; <ORDER> – rule number, takes values of [1..10000]. Specify the action that should be applied to routing information: esr(config-route-map-rule)# action <ACT>...; <ACT> – allocated action:...
  • Page 293 capability), and if one of the connections goes down, redirect all the traffic from the malfunctioning connection to the operational one. Solution: Create an ACL: esr# configure esr(config)# ip access-list extended sub20 esr(config-acl)# rule esr(config-acl-rule)# match source-address 10.0.20.0 255.255.255.0 esr(config-acl-rule)# match destination-address any esr(config-acl-rule)# match protocol any...
  • Page 294 Create rule 2: esr(config-route-map)# rule Specify the ACL as a filter: esr(config-route-map-rule)# match ip access-group sub30 Specify the nexthop for sub30 and exit: esr(config-route-map-rule)# action set ip next-hop verify-availability 80.16.0.23 10 esr(config-route-map-rule)# action set ip next-hop verify-availability 184.45.0.150 30 esr(config-route-map-rule)# exit esr(config-route-map)# exit...
  • Page 295: Vrf Configuration

    11.8 VRF configuration. VRF (Virtual Routing and Forwarding) is a technology designed to isolate routing information that belongs to different classes (e.g., routes of a specific client). 11.8.1 Configuration algorithm. Create a VRF instance and switch to the ...: esr(config)# ip vrf <VRF>...
  • Page 296 Set the capacity of routing tables in the configured VRF for IPv4/IPv6 (optional): esr(config-vrf)# ip protocols <PROTOCOL> max-routes <VALUE>, esr(config-vrf)# ipv6 protocols ...; <PROTOCOL> – protocol type, takes the following values: ospf, bgp; <VALUE>...
  • Page 297: Configuration Example

    11.8.2 Configuration example. Objective: The ESR series router has 2 connected networks that should be isolated from other networks. Solution: Create a VRF: esr(config)# ip vrf bit esr(config-vrf)# exit Create a security zone: esr(config)# security zone vrf-sec esr(config-zone)# ip vrf forwarding bit esr(config-zone)# exit Create a rule for the pair of zones and allow all TCP/UDP traffic:...
  • Page 298: Multiwan Configuration

    Map the interfaces to the VRF, assign IP addresses, and assign the interfaces to the security zone: esr(config)# interface gigabitethernet 1/0/7 esr(config-if-gi)# ip vrf forwarding bit esr(config-if-gi)# ip address 10.20.0.1/24 esr(config-if-gi)# security-zone vrf-sec esr(config-if-gi)# exit esr(config)# interface gigabitethernet 1/0/14.10 esr(config-subif)# ip vrf forwarding bit esr(config-subif)# ip address...
  • Page 299 Specify interfaces or tunnels which are gateways in the route created by the MultiWAN service: esr(config-wan-rule)# outbound { interface <IF> | tunnel <TUN> } [WEIGHT]; <IF> – interface name; <TUN> – tunnel name; [WEIGHT] –...
  • Page 300 esr(config-wan-target)# ipv6 address <IPV6-ADDR>; <IPV6-ADDR> – destination IPv6 address, defined as X:X:X:X::X where each part takes values in hexadecimal format [0..FFFF]. Enable target check: esr(config-wan-target)# enable. Commands for items 14–17 should be applied on interfaces/tunnels in MultiWAN. Enable WAN mode on the interface for the IPv4/IPv6 stack: esr(config-if-gi)# wan load-...
  • Page 301: Configuration Example

    esr(config-if-gi)# ipv6 wan load-balance nexthop { <IPV6> }; <IPV6> – destination IPv6 address (gateway), defined as X:X:X:X::X where each part takes values in hexadecimal format [0..FFFF]. This command will be checking the IP ...: esr(config-if-gi)# wan load-...; <NAME>...
  • Page 302 Create a WAN rule: esr(config)# wan load-balance rule Specify the affected interfaces: esr(config-wan-rule)# outbound interface tengigabitethernet 1/0/2 esr(config-wan-rule)# outbound interface tengigabitethernet 1/0/1 Enable the created balancing rule and exit the rule configuration mode: esr(config-wan-rule)# enable esr(config-wan-rule)# exit Create a list for the connection integrity check: esr(config)# wan load-balance target-list google Create an integrity check target:...
  • Page 303: Is-Is Configuration

    In te1/0/2 interface configuration mode, enable WAN mode and exit: esr(config-if)# wan load-balance enable esr(config-if)# exit To switch into redundancy mode, configure the following: Proceed to WAN rule configuration mode: esr(config)# wan load-balance rule The MultiWAN function may also work in redundancy mode, when traffic is directed to the active interface with the highest weight.
  • Page 304 Set a list of keys for authentication (optional): esr(config-isis)# authentication domain key chain <KEYCHAIN>; <KEYCHAIN> – key list identifier, set by the string of up to 16 characters. Select the authentication ...: esr(config-isis)# ...; <ALGORITHM>...
  • Page 305 Enable IS-IS operation with IPv4 and/or IPv6 addresses (optional): esr(config-isis)# address-family { ipv4 | ipv6 }; ipv4 – IPv4 family; ipv6 – IPv6 family. Set the update interval for own ...: esr(config-isis)# lsp-refresh-...; min –...
  • Page 306 esr(config-isis)# redistribute ospf <ID> <ROUTE-TYPE> [ route-map <NAME> ] [is-type <LEVEL>], esr(config-isis)# redistribute ipv6 ospf <ID>...; <ID> – process number, takes values of [1..65535]; <ROUTE-TYPE> – route type: • intra-area – OSPF process routes advertising within a zone;...
  • Page 307 esr(config-isis)# redistribute static [ route-map <NAME> ] [is-type <LEVEL>]; <NAME> – name of the route map that will be used for advertised static routes filtration and modification, set by the string of up to 31 characters;...
  • Page 308 Set the metric value for the interface (optional): esr(config-if-gi)# isis metric <VALUE> [<LEVEL>]; <VALUE> – number, may take values [1..16777215]; <LEVEL> – IS-IS protocol operation level: • level-1 – operate only on level 1; •...
  • Page 309 Set the interval between LSP transmissions on the broadcast network (optional): esr(config-if-gi)# isis lsp-interval <TIME> [<LEVEL>]; <TIME> – time in milliseconds, takes values of [1..10000]; <LEVEL> – IS-IS protocol operation level: •...
  • Page 310: Configuration Example

    11.10.2 Configuration example. Objective: Configure the IS-IS protocol on the routers to exchange routing information with neighbors. Router ESR1 will be L1-only, ESR2 will be L1/L2, and ESR3 will be L2-only and will also be in another area. Solution: Pre-configure IP addresses on interfaces according to the network structure shown in the figure above.
  • Page 311 Set the area number, the same as on ESR1, as well as a unique system identifier: ESR2(config-isis)# net 49.0001.2222.2222.2222.00 Set the router to operate with a narrow metric on level 1 and with a wide metric on level 2, and enable this IS-IS process: ESR2(config-isis)# metric-style narrow level-1...
  • Page 312: Mpls Technology Management

    12 MPLS technology management • LDP configuration • Configuration algorithm • Configuration example • Configuring session parameters in LDP • Algorithm for setting Hello holdtime and Hello interval in the global LDP configuration • Algorithm for setting Hello holdtime and Hello interval for address family •...
  • Page 313: Ldp Configuration

    12.1 LDP configuration. LDP is a label (tag) distribution protocol. To discover neighbors, hello messages are sent to the multicast address 224.0.0.2. When exchanging hello messages, routers learn each other's transport addresses. The router with the higher transport address initiates the TCP session.
  • Page 314: Configuration Example

    Enable the LDP process: esr(config-ldp)# enable. Enable explicit-null functionality (optional): esr(config-ldp)# egress-label-type explicit-null. In the LDP neighbor configuration mode, set the password with the ...: esr(config-ldp-neig)# password {<TEXT>...; <CLEAR-TEXT> – password, sets...
  • Page 315 ESR pre-configuration: hostname ESR router ospf area 0.0.0.0 enable exit enable exit interface gigabitethernet 1/0/1 ip firewall disable ip address 10.10.10.1/30 ip ospf instance ip ospf exit interface loopback ip address 1.1.1.1/32 ip ospf instance ip ospf exit...
  • Page 316 Configuration on ESR: ESR# config ESR(config)# mpls ESR(config-mpls)# forwarding interface gigabitethernet 1/0/1 ESR(config-mpls)# ldp ESR(config-ldp)# router-id 1.1.1.1 ESR(config-ldp)# enable ESR(config-ldp)# address-family ipv4 ESR(config-ldp-af-ipv4)# interface gigabitethernet 1/0/1 ESR(config-ldp-af-ipv4-if)# end ESR# Configuration on ESR1: ESR1# configure ESR1(config)# mpls ESR1(config-mpls)# forwarding interface...
  • Page 317: Configuring Session Parameters In Ldp

    The LDP session should be in the 'Operational' state. ESR1# show mpls ldp neighbor Peer LDP ID: 4.4.4.4; Local LDP ID 1.1.1.1 State: Operational TCP connection: 4.4.4.4:40245 1.1.1.1:646 Messages sent/received: 10/11...
  • Page 318 ESR routers have the ability to flexibly configure the Hello holdtime, Hello interval and Keepalive holdtime settings. Example of configuring Hello holdtime for an LDP session: ESR# show run mpls mpls ldp router-id 4.4.4.4...
  • Page 319: Algorithm For Setting Hello Holdtime And Hello Interval In The Global Ldp Configuration

    ESR# show running-config mpls mpls ldp router-id 4.4.4.4 keepalive 30 // set in the global LDP configuration neighbor 1.1.1.1 keepalive 55 // set for the neighbor with the 1.1.1.1 address...
  • Page 320: Algorithm For Setting Keepalive Holdtime Parameter In The Global Ldp Configuration

    In the LDP address family configuration mode, set the Hello interval on the specified interface: esr(config-ldp-af-ipv4-if)# discovery hello interval <TIME>; <TIME> – time in the range of [3..65535] seconds. Default value: 5. 12.2.3 Algorithm for setting the Keepalive holdtime parameter in the global LDP configuration. Step Description...
  • Page 321 Solution: ESR(config)# mpls ESR(config-mpls)# ldp ESR(config-ldp)# discovery hello holdtime ESR(config-ldp)# discovery hello interval ESR(config-ldp)# neighbor 1.1.1.1 ESR(config-ldp-neig)# keepalive Check: To view the hello parameters: ESR# sh mpls ldp discovery detailed Local LDP ID: 4.4.4.4 Discovery sources: Interfaces: gigabitethernet 1/0/4: Hello interval:...
  • Page 322: Configuring Session Parameters In Targeted-Ldp

    12.3 Configuring session parameters in targeted-LDP. By default, the targeted LDP session uses the following values: Hello interval – 5 seconds; Hold timer – 45 seconds; Keepalive holdtime – 180 seconds. Hold timer is a negotiated parameter: the smallest value is chosen. This example shows that, after negotiation, the ESR set 30 seconds: ESR1# sh mpls ldp discovery detailed...
  • Page 323 Example output for the LDP process: ESR# sh running-config mpls mpls ldp router-id 1.1.1.1 keepalive discovery targeted-hello holdtime discovery targeted-hello interval...
  • Page 324: Algorithm For Setting Hello Holdtime, Hello Interval And Keepalive Holdtime For The Ldp Process

    ESR# show mpls ldp discovery detailed Targeted hellos: 1.1.1.1 -> 4.4.4.4: Hello interval: seconds Transport IP address: 1.1.1.1 LDP ID: 4.4.4.4 Source IP address: 4.4.4.4 Transport IP address: 4.4.4.4 Hold time: seconds Proposed hold time: 45/45 (local/peer) seconds ...
  • Page 325: Configuration Example

    In the LDP neighbor configuration mode, set Hello interval. | esr(config-ldp-neig)# discovery targeted-hello interval <TIME> | <TIME> — time in the range of [1..65535] seconds. Default value: 5. In the LDP neighbor configuration mode, set keepalive | esr(config-ldp-neig)# keepalive <TIME> | <TIME> — time in the range of [3..65535] seconds....
  • Page 326: Ldp Tag Filtering Configuration

    To view parameters of the established TCP session: ESR# sh mpls ldp neighbor 4.4.4.4 Peer LDP ID: 4.4.4.4; Local LDP ID 1.1.1.1 State: Operational TCP connection: 4.4.4.4:34879 1.1.1.1:646 Messages sent/received: 11/11 Uptime: 00:01:05 Peer holdtime: Keepalive interval: LDP discovery sources: 1.1.1.1...
  • Page 327: Configuration Example

    This functionality is supported for IPv4. 12.4.2 Configuration example Objective: Assign MPLS tags only to FEC 10.10.0.2/32 and 10.10.0.1/32. Solution: On ESR_A and ESR_B create an object-group ADV_LABELS type network and add to it the prefixes 10.10.0.1/32 and 10.10.0.2/32 respectively.
  • Page 328: L2Vpn Martini Mode Configuration

    And not assigned to 192.168.2.0/24: esr# sh mpls ldp bindings 192.168.2.0/24 esr# 12.5 L2VPN Martini mode configuration L2VPN allows Ethernet frames to be transmitted through the MPLS domain. In this mode, allocation and distribution of tunnel labels is carried out by means of LDP. The L2VPN implementation can be divided into two cases: P2P —...
  • Page 329 Step | Description | Command | Keys. Specify Attached Circuit interface. | esr(config-l2vpn-p2p)# interface { <IF> | <TUN> } | <IF> – an interface's name, specified in the form described in Section Types and naming order of router interfaces; <TUN>...
  • Page 330: L2Vpn Vpws Configuration Example

    12.5.2 L2VPN VPWS configuration example Objective: Configure l2vpn so that ge1/0/2.100 interface of the CE1 router and ge1/0/2.100 interface of the CE2 router operate within the same broadcast domain. Solution: Pre-requisite: • Enable Jumbo frames support with the 'system jumbo-frames' command (the device must be rebooted for the changes to take effect);...
  • Page 331 Create a pw-class on the basis of which the virtual channel (pw) will be created later. Since, in this example, the default parameters will be applied to pw, it will be sufficient to specify the class name: PE1(config-mpls)# l2vpn PE1(config-l2vpn)# pw-class...
  • Page 332 Configure the PE2 router in the same way as PE1: PE2# configure PE2(config)# interface gigabitethernet 1/0/4.100 PE2(config-subif)# exit PE2(config)# interface gigabitethernet 1/0/1 PE2(config-if-gi)# mtu 9600 PE2(config-if-gi)# ip firewall disable PE2(config-if-gi)# exit PE2(config)# mpls PE2(config-mpls)# forwarding interface gigabitethernet 1/0/1...
  • Page 333: L2Vpn Vpls Configuration Algorithm

    12.5.3 L2VPN VPLS configuration algorithm Step | Description | Command | Keys. Configure the LDP (see section configuration). Create a network bridge in the system without specifying an IP address (see section Bridge configuration). Create pw-class in the system and esr(config-l2vpn)# pw-class <WORD>...
  • Page 334: L2Vpn Vpls Configuration Example

    Step | Description | Command | Keys. Create a pseudo-wire and switch to its parameters configuration mode | esr(config-l2vpn-vpls)# pw <PW_ID> <LSR_ID> | <PW_ID> — pseudowire identifier, specified in the range [1..4294967295]. <LSR_ID> — identifier of LSR to which pseudo-wire is built, specified as AAA.BBB.CCC.DDD, where each part takes values [0..255].
  • Page 335 Solution: Pre-requisite: • Enable Jumbo frames support with the 'system jumbo-frames' command (the device must be rebooted for the changes to take effect); • Configure IP addresses on interfaces according to the network structure shown in the figure above; •...
  • Page 336 Allow packets with an MPLS header to be received on the interface towards the MPLS network (in this example, the interface towards PE2): PE1(config)# mpls PE1(config-mpls)# forwarding interface gigabitethernet 1/0/1 Configure the LDP protocol and enable neighbor detection on the interface towards PE2: PE1(config-mpls)# ldp PE1(config-ldp)# router-id 1.1.1.1...
  • Page 337 Configure PE2 and PE3 routers in the same way as PE1: PE2# configure PE2(config)# bridge PE2(config-bridge)# enable PE2(config-bridge)# exit PE2(config)# interface gigabitethernet 1/0/4.100 PE2(config-subif)# bridge-group PE2(config-subif)# exit PE2(config)# interface gigabitethernet 1/0/2 PE2(config-if-gi)# mtu 9600 PE2(config-if-gi)# ip firewall disable PE2(config-if-gi)# exit PE2(config)# mpls...
  • Page 338 PE3(config-ldp)# enable PE3(config-ldp)# router-id 3.3.3.3 PE3(config-ldp)# address-family ipv4 PE3(config-ldp-af-ipv4)# interface gigabitethernet 1/0/1 PE3(config-ldp-af-ipv4-if)# exit PE3(config-ldp-af-ipv4)# transport-address 3.3.3.3 PE3(config-ldp-af-ipv4)# exit PE3(config-ldp)# exit PE3(config-mpls)# l2vpn PE3(config-l2vpn)# pw-class for_vpls PE3(config-l2vpn-pw-class)# exit PE3(config-l2vpn)# vpls vpls1 PE3(config-l2vpn-vpls)# enable PE3(config-l2vpn-vpls)# bridge-group PE3(config-l2vpn-vpls)# pw 100 2.2.2.2 PE3(config-l2vpn-pw)#...
  • Page 339: L2Vpn Kompella Mode Configuration

    12.6 L2VPN Kompella mode configuration Unlike Martini mode, where all signaling is done by LDP, in this mode LDP operates only with transport labels. Autodiscovery (not typical of LDP signaling) and the construction of pseudowire connections are entrusted to BGP.
  • Page 340 Step | Description | Command | Keys. Specify route target import for the given VPLS instance. | esr(config-bgp)# route-target import <RT> | <RT> – Route-target value, specified in one of the following forms: • <ASN>:<nn> — where <ASN> may take values [1..65535], nn may take values [1..65535];...
  • Page 341: L2Vpn Vpls Configuration Example

    Step | Description | Command | Keys. Enable ignoring encapsulation type (optional). | esr(config-bgp)# ignore encapsulation-mismatch. Enable ignoring MTU values (optional). | esr(config-bgp)# ignore mtu-mismatch. In the context of address-family l2vpn vpls BGP configuration, enable extended attribute transfer. | esr(config-bgp-neighbor-af)# send-community extended
  • Page 342 Configure the RR router: hostname RR system jumbo-frames router ospf area 0.0.0.0 enable exit enable exit interface gigabitethernet 1/0/2 9500 ip firewall disable ip address 10.30.0.2/30 ip ospf instance ip ospf exit interface gigabitethernet...
  • Page 343 Configure the BGP Route Reflector for the address family l2vpn: RR(config)# router bgp 65500 RR(config-bgp)# router-id 10.10.0.4 RR(config-bgp)# neighbor 10.10.0.1 RR(config-bgp-neighbor)# remote-as 65500 RR(config-bgp-neighbor)# route-reflector-client RR(config-bgp-neighbor)# update-source 10.10.0.4 RR(config-bgp-neighbor)# address-family l2vpn vpls RR(config-bgp-neighbor-af)# send-community extended RR(config-bgp-neighbor-af)# enable RR(config-bgp-neighbor-af)#...
  • Page 344 Pre-configuration ip firewall disable ip address 10.20.0.1/30 ip ospf instance ip ospf exit interface gigabitethernet 1/0/2 9500 ip firewall disable ip address 10.30.0.1/30 ip ospf instance ip ospf exit interface gigabitethernet 1/0/3 9500 ip firewall disable ip address 10.22.0.1/30 ip ospf instance...
  • Page 345 BGP configuration: PE1(config)# router bgp 65500 PE1(config-bgp)# neighbor 10.10.0.4 PE1(config-bgp)# router-id 10.10.0.1 PE1(config-bgp-neighbor)# remote-as 65500 PE1(config-bgp-neighbor)# update-source 10.10.0.1 PE1(config-bgp-neighbor)# address-family l2vpn vpls PE1(config-bgp-neighbor-af)# send-community extended PE1(config-bgp-neighbor-af)# enable PE1(config-bgp-neighbor-af)# exit PE1(config-bgp-neighbor)# enable PE1(config-bgp-neighbor)# exit PE1(config-bgp)# enable PE1(config-bgp)# exit Check that the BGP session with RR is successfully established:...
  • Page 346 Pre-configuration interface gigabitethernet 1/0/1 9500 ip firewall disable ip address 10.20.0.2/30 ip ospf instance ip ospf exit interface gigabitethernet 1/0/2 9500 ip firewall disable ip address 10.21.0.1/30 ip ospf instance ip ospf exit interface gigabitethernet 1/0/3 9500...
  • Page 347 PE2(config)# router bgp 65500 PE2(config-bgp)# router-id 10.10.0.2 PE2(config-bgp)# neighbor 10.10.0.4 PE2(config-bgp-neighbor)# remote-as 65500 PE2(config-bgp-neighbor)# update-source 10.10.0.2 PE2(config-bgp-neighbor)# address-family l2vpn vpls PE2(config-bgp-neighbor-af)# send-community extended PE2(config-bgp-neighbor-af)# enable PE2(config-bgp-neighbor-af)# exit PE2(config-bgp-neighbor)# enable PE2(config-bgp-neighbor)# exit PE2(config-bgp)# enable PE2(config-bgp)# exit Check that the session with RR is successfully established: PE2# show bgp neighbors BGP neighbor is...
  • Page 348 Configuration of BGP on PE3: Pre-configuration hostname PE3 system jumbo-frames router ospf area 0.0.0.0 enable exit enable exit interface gigabitethernet 1/0/2 9500 ip firewall disable ip address 10.21.0.2/30 ip ospf instance ip ospf exit interface...
  • Page 349 PE3(config)# router bgp 65500 PE3(config-bgp)# router-id 10.10.0.3 PE3(config-bgp)# neighbor 10.10.0.4 PE3(config-bgp-neighbor)# remote-as 65500 PE3(config-bgp-neighbor)# update-source 10.10.0.3 PE3(config-bgp-neighbor)# address-family l2vpn vpls PE3(config-bgp-neighbor-af)# send-community extended PE3(config-bgp-neighbor-af)# enable PE3(config-bgp-neighbor-af)# exit PE3(config-bgp-neighbor)# enable PE3(config-bgp-neighbor)# exit PE3(config-bgp)# enable PE3(config-bgp)# exit Check that the BGP session is successfully established: PE3# show bgp neighbors BGP neighbor is...
  • Page 350 Check that the interface is included into the bridge domain: PE1# show interfaces bridge Bridges Interfaces ---------- -------------------------------------------------------------- bridge gi1/0/4 PE1# sh interfaces status bridge Interface 'bridge 1' status information: Description: Operational state: Administrative state: Up Supports broadcast: Supports multicast: MTU:...
  • Page 351 PE3# show interfaces bridge Bridges Interfaces ---------- -------------------------------------------------------------- bridge gi1/0/4 PE3# sh interfaces status bridge Interface Admin Link MAC address Last change Mode state state ------------------ ----- ----- ------ ------------------ ------------------------- ---------- bridge 1500 a8:f9:4b:ac:df:f0 minute and seconds...
  • Page 352 Specify RD, RT, VE-ID, VPN-ID according to the network scheme and activate the service: In some cases entering such parameters as RD and RT can be skipped: if only VPN ID is specified, they will be formed as follows: <AS number>...
  • Page 353 Proceed to the PE2 configuration: PE2(config-mpls)# l2vpn PE2(config-l2vpn)# vpls l2vpn PE2(config-l2vpn-vpls)# bridge-group PE2(config-l2vpn-vpls)# autodiscovery bgp PE2(config-bgp)# rd 65500:100 PE2(config-bgp)# route-target export 65500:100 PE2(config-bgp)# route-target import 65500:100 PE2(config-bgp)# vpn id PE2(config-bgp)# ve id PE2(config-bgp)# exit PE2(config-l2vpn-vpls)# enable Check that PE2 is advertising the route information on RR: PE2# show ip bgp l2vpn vpls all...
  • Page 354 The calculated service marks can be viewed as follows: PE2# show mpls l2vpn bindings Neighbor: 10.10.0.1, PW ID: 2, VE ID: Local label: Encasulation Type: VPLS Control flags: 0x00 MTU: 1500 Remote label: Encasulation Type: VPLS Control flags: 0x00...
  • Page 355 Proceed to the PE3 configuration: PE3# config PE3(config)# mpls PE3(config-mpls)# l2vpn PE3(config-l2vpn)# vpls l2vpn PE3(config-l2vpn-vpls)# bridge-group PE3(config-l2vpn-vpls)# autodiscovery bgp PE3(config-bgp)# rd 65500:100 PE3(config-bgp)# route-target export 65500:100 PE3(config-bgp)# route-target import 65500:100 PE3(config-bgp)# ve id PE3(config-bgp)# vpn id PE3(config-bgp)# exit PE3(config-l2vpn-vpls)# enable Check the routing information in PE3:...
  • Page 356: L3Vpn Configuration

    Check that the pseudowire is built to both PEs and is in the 'UP' status: PE3# show mpls l2vpn vpls l2vpn VPLS: l2vpn bridge 1: MTU: 1500 Status: Up ACs: gigabitethernet 1/0/4: MTU: 1500 Status: Up PWs: PW ID 3, Neighbor 10.10.0.2:...
  • Page 357: Configuration Algorithm

    12.7.1 Configuration algorithm Step | Description | Command | Keys. Configure addressing and one of the IGPs on all P and PE routers. Configure LDP transport tag distribution. Create VRF. | esr(config)# ip vrf <VRF> | <VRF> – VRF instance name, set by a string of up to 31 characters.
  • Page 358 Step | Description | Command | Keys. Specify route target import for the given VRF. | esr(config-vrf)# route-target import <RT> | <RT> – Route-target value, specified in one of the following forms: • <ASN>:<nn> — where <ASN> may take values [1..65535], nn may take values [1..65535];...
  • Page 359: Configuration Example

    Step | Description | Command | Keys. Specify the allowed number of routes for this VRF. | esr(config-vrf)# ip protocols <PROTOCOLS> max-routes <VALUE> | <PROTOCOL> – protocol type, may take following values: rip (only in global mode), ospf, isis, bgp;...
  • Page 360 Solution: Configuring addressing and enabling IGP on P/PE routers: ESR1 ESR1(config)# router ospf log-adjacency-changes ESR1(config)# router ospf ESR1(config-ospf)# router-id 1.1.1.1 ESR1(config-ospf)# area 0.0.0.0 ESR1(config-ospf-area)# enable ESR1(config-ospf-area)# exit ESR1(config-ospf)# enable ESR1(config-ospf)# exit ESR1(config)# ESR1(config)# interface loopback ESR1(config-loopback)# ip address...
  • Page 361 ESR2 ESR2(config)# router ospf log-adjacency-changes ESR2(config)# router ospf ESR2(config-ospf)# router-id 2.2.2.2 ESR2(config-ospf)# area 0.0.0.0 ESR2(config-ospf-area)# enable ESR2(config-ospf-area)# exit ESR2(config-ospf)# enable ESR2(config-ospf)# exit ESR2(config)# ESR2(config)# interface loopback ESR2(config-loopback)# ip address 2.2.2.2/32 ESR2(config-loopback)# ip ospf instance ESR2(config-loopback)# ip ospf ESR2(config-loopback)# exit ESR2(config)#...
  • Page 362 ESR3 ESR3(config)# router ospf log-adjacency-changes ESR3(config)# router ospf ESR3(config-ospf)# router-id 3.3.3.3 ESR3(config-ospf)# area 0.0.0.0 ESR3(config-ospf-area)# enable ESR3(config-ospf-area)# exit ESR3(config-ospf)# enable ESR3(config-ospf)# exit ESR3(config)# ESR3(config)# interface loopback ESR3(config-loopback)# ip address 3.3.3.3/32 ESR3(config-loopback)# ip ospf instance ESR3(config-loopback)# ip ospf ESR3(config-loopback)# exit ESR3(config)#...
  • Page 363 ESR4 ESR4(config)# router ospf log-adjacency-changes ESR4(config)# router ospf ESR4(config-ospf)# router-id 4.4.4.4 ESR4(config-ospf)# area 0.0.0.0 ESR4(config-ospf-area)# enable ESR4(config-ospf-area)# exit ESR4(config-ospf)# enable ESR4(config-ospf)# exit ESR4(config)# ESR4(config)# interface loopback ESR4(config-loopback)# ip address 4.4.4.4/32 ESR4(config-loopback)# ip ospf instance ESR4(config-loopback)# ip ospf ESR4(config-loopback)# exit ESR4(config)#...
  • Page 364 It is necessary to make sure that the OSPF protocol is running on each router: ESR1# show ip ospf neighbors Router ID Pri State DTime Interface Router IP --------- --- ----- ----- ------------- --------- 2.2.2.2 128 Full/BDR 00:39 gi1/0/1.10 10.10.10.2...
  • Page 365 ESR2 ESR2# config ESR2(config)# mpls ESR2(config-mpls)# ldp ESR2(config-ldp)# address-family ipv4 ESR2(config-ldp-af-ipv4)# transport-address 2.2.2.2 ESR2(config-ldp-af-ipv4)# interface gigabitethernet 1/0/1.10 ESR2(config-ldp-af-ipv4-if)# exit ESR2(config-ldp-af-ipv4)# interface gigabitethernet 1/0/1.20 ESR2(config-ldp-af-ipv4-if)# exit ESR2(config-ldp-af-ipv4)# exit ESR2(config-ldp)# enable ESR2(config-ldp)# exit ESR2(config-mpls)# forwarding interface gigabitethernet 1/0/1.10 ESR2(config-mpls)# forwarding...
  • Page 366 ESR4 ESR4# config ESR4(config)# mpls ESR4(config-mpls)# ldp ESR4(config-ldp)# address-family ipv4 ESR4(config-ldp-af-ipv4)# transport-address 4.4.4.4 ESR4(config-ldp-af-ipv4)# interface gigabitethernet 1/0/1.30 ESR4(config-ldp-af-ipv4-if)# exit ESR4(config-ldp-af-ipv4)# interface gigabitethernet 1/0/1.40 ESR4(config-ldp-af-ipv4-if)# exit ESR4(config-ldp-af-ipv4)# exit ESR4(config-ldp)# enable ESR4(config-ldp)# exit ESR4(config-mpls)# forwarding interface gigabitethernet 1/0/1.30 ESR4(config-mpls)# forwarding...
  • Page 367 One of the following commands can be used to check the LDP convergence: ESR1# show mpls ldp neighbor Peer LDP ID: 2.2.2.2; Local LDP ID 1.1.1.1 State: Operational TCP connection: 2.2.2.2:33933 1.1.1.1:646 Messages sent/received: 1059/1070 Uptime: 17:32:07...
  • Page 368 ESR3 ESR3(config)# ip vrf Customer1 ESR3(config-vrf)# ip protocols bgp max-routes 1000 ESR3(config-vrf)# rd 65500:100 ESR3(config-vrf)# route-target export 65500:100 ESR3(config-vrf)# route-target import 65500:100 ESR3(config-vrf)# exit ESR3(config)# interface gigabitethernet 1/0/2 ESR3(config-if-gi)# ip vrf forwarding Customer1 ESR3(config-if-gi)# description "Customer1"...
  • Page 369 ESR3 ESR3(config)# router bgp log-neighbor-changes ESR3(config)# router bgp 65500 ESR3(config-bgp)# router-id 3.3.3.3 ESR3(config-bgp)# enable ESR3(config-bgp)# neighbor 1.1.1.1 ESR3(config-bgp-neighbor)# remote-as 65500 ESR3(config-bgp-neighbor)# update-source 3.3.3.3 ESR3(config-bgp-neighbor)# enable ESR3(config-bgp-neighbor)# address-family vpnv4 unicast ESR3(config-bgp-neighbor-af)# send-community extended ESR3(config-bgp-neighbor-af)# enable ESR3(config-bgp-neighbor-af)# exit ESR3(config-bgp-neighbor)# exit ESR3(config-bgp)# exit...
  • Page 370 Configuration on the CE-SiteA router: CE_SiteA CE-SiteA(config)# interface gigabitethernet 1/0/2 CE-SiteA(config-if-gi)# ip firewall disable CE-SiteA(config-if-gi)# ip address 192.168.32.2/30 CE-SiteA(config-if-gi)# exit CE-SiteA(config)# interface loopback CE-SiteA(config-loopback)# ip address 10.100.0.1/24 CE-SiteA(config-loopback)# exit CE-SiteA(config)# route-map OUTPUT CE-SiteA(config-route-map)# rule CE-SiteA(config-route-map-rule)# match ip address 10.100.0.0/24 CE-SiteA(config-route-map-rule)# action permit...
  • Page 371 Create eBGP session with CE_SiteA and allow routes transmission to the BGP peer: ESR1 ESR1(config)# router bgp 65500 ESR1(config-bgp)# vrf Customer1 ESR1(config-bgp-vrf)# router-id 192.168.32.1 ESR1(config-bgp-vrf)# neighbor 192.168.32.2 ESR1(config-bgp-vrf-neighbor)# remote-as 65505 ESR1(config-bgp-vrf-neighbor)# update-source 192.168.32.1 ESR1(config-bgp-vrf-neighbor)# address-family ipv4 unicast ESR1(config-bgp-neighbor-af-vrf)# route-map OUTPUT out ESR1(config-bgp-neighbor-af-vrf)# enable ESR1(config-bgp-neighbor-af-vrf)# exit...
  • Page 372 The following commands can be used to check the accepted and advertised routes: ESR1# show bgp vpnv4 unicast vrf Customer1 neighbors 192.168.32.2 advertise-routes Status codes: u - unicast, b - broadcast, m - multicast, a - anycast * - valid, >...
  • Page 373 CE_SiteB Perform similar steps between ESR3 and CE_SiteB routers. Configure the corresponding interfaces and create eBGP session between ESR3 and CE_SiteB: CE_SiteB CE-SiteB(config)# interface gigabitethernet 1/0/2 CE-SiteB(config-if-gi)# ip firewall disable CE-SiteB(config-if-gi)# ip address 192.168.32.6/30 CE-SiteB(config-if-gi)# exit CE-SiteB(config)# CE-SiteB(config)#...
  • Page 374: Mpls Traffic Balancing

    ESR3 router bgp 65500 ESR3(config)# router bgp 65500 ESR3(config-bgp)# vrf Customer1 ESR3(config-bgp-vrf)# router-id 192.168.32.5 ESR3(config-bgp-vrf)# neighbor 192.168.32.6 ESR3(config-bgp-vrf-neighbor)# remote-as 65505 ESR3(config-bgp-vrf-neighbor)# update-source 192.168.32.5 ESR3(config-bgp-vrf-neighbor)# address-family ipv4 unicast ESR3(config-bgp-neighbor-af-vrf)# route-map OUTPUT out ESR3(config-bgp-neighbor-af-vrf)# enable ESR3(config-bgp-neighbor-af-vrf)# exit ESR3(config-bgp-vrf-neighbor)# enable ESR3(config-bgp-vrf-neighbor)# exit ESR3(config-bgp-vrf)# address-family ipv4 unicast...
  • Page 375: Configuration Example

    By default, lbd uses only MPLS tags to calculate the hash and then distribute the load to the different CPUs. This behavior is not always an advantage, especially when there are 'large' homogeneous streams of MPLS traffic.
  • Page 376: Operation With The Bridge Domain Within Mpls

    Solution: ESR(config)# system cpu load-balance mpls passenger ip ESR(config)# system cpu load-balance mpls passenger ipoe-pw-without-cw 12.9 Operation with the bridge domain within MPLS To organize L2VPN service, configure a bridge domain on the device, create the required AC, PW (LDP-signaling) and link all the necessary elements with this bridge domain.
  • Page 377 In BGP signaling, the bridge domain operates only in Ethernet mode. PE1# config PE1(config)# mpls PE1(config-mpls)# l2vpn PE1(config-l2vpn)# vpls MARTINI_br PE1(config-l2vpn-vpls)# transport-mode vlan PE1# sh mpls l2vpn pseudowire Neighbor PW ID Sig Type Status --------------------------------------- ---------- --- ---------- ------ 10.10.0.2...
  • Page 378: Assignment Of Mtu When Operating With Mpls

    2. Vlan (Tagged) mode: • If AC is a subinterface, the vlan tag is saved before putting it in the bridge. The vlan tag can be saved or overwritten depending on the configuration when you exit the bridge. •...
  • Page 379 In LDP-signaling, the MTU is set as part of the pw-class setting: LDP-signaling. Configuration of MTU for matching PE2(config)# mpls PE2(config-mpls)# l2vpn PE2(config-l2vpn)# pw-class MTU_example PE2(config-l2vpn-pw-class)# encapsulation mpls mtu 9000 PE2(config-l2vpn-pw-class)# exit PE2(config-mpls)# l2vpn PE2(config-l2vpn)# vpls MTU_Example_PW PE2(config-l2vpn-vpls)# pw 200 10.10.0.1...
  • Page 380
  • Page 381 For BGP-signaling, the MTU is specified as part of the l2vpn service configuration: BGP-signaling. Configuration of MTU for matching PE1(config)# mpls PE1(config-mpls)# l2vpn PE1(config-l2vpn)# vpls l2vpn_MTU PE1(config-l2vpn-vpls)# autodiscovery bgp PE1(config-bgp)# mtu 1500 PE2# sh mpls l2vpn vpls l2vpn_MTU VPLS: l2vpn_MTU PWs:...
  • Page 382 * E.g., we have a bridge domain 100, which includes interfaces gi1/0/1 with MTU value 2000, and gi1/0/2 with MTU value 3000 CE3(config)# bridge CE3(config-bridge)# enable CE3(config-bridge)# exit CE3(config)# interface gigabitethernet 1/0/1 CE3(config-if-gi)# mtu 2000 CE3(config-if-gi)# bridge-group CE3(config-if-gi)# exit...
  • Page 383 Description: Operational state: Administrative state: Up Supports broadcast: Supports multicast: MTU: 2000 MAC address: a8:f9:4b:aa:11:00 Last change: minutes and seconds Mode: Routerport Consider the example of traffic passing through the L2VPN service: PE1 has the following MTU values on the interfaces: PE1# sh interfaces status Interface Admin...
  • Page 384: Inter-As Option A

    Similar behavior when passing traffic in the L3VPN service: If CE1 sends a packet with a higher MTU than on the interface facing the client (gi1/0/2) or towards the mpls-core (gi1/0/1), the packet will be discarded. 12.11 Inter-AS Option A This section provides examples of configuration based on the construction of l3vpn and l2vpn services. The main feature of inter-AS Option A is the absence of mpls-tags in traffic when transferring between ASBRs.
  • Page 385 CE configuration: CE1 ESR# config ESR(config)# hostname CE1 ESR(config)# interface gigabitethernet 1/0/1.100 ESR(config-if-gi)# ip firewall disable ESR(config-if-gi)# ip address 192.168.1.1/24 ESR(config-if-gi)# ESR(config-if-gi)# conf CE2 ESR# config ESR(config)# hostname CE2 ESR(config)# interface gigabitethernet 1/0/1.200 ESR(config-if-gi)# ip firewall disable ESR(config-if-gi)# ip address 192.168.2.1/24 ESR(config-if-gi)#...
  • Page 386 ESR(config)# hostname PE1 ESR(config)# system jumbo-frames ESR(config)# router bgp log-neighbor-changes ESR(config)# router bgp 65500 ESR(config-bgp)# neighbor 10.10.1.2 ESR(config-bgp-neighbor)# remote-as 65500 ESR(config-bgp-neighbor)# update-source 10.10.1.1 ESR(config-bgp-neighbor)# address-family l2vpn vpls ESR(config-bgp-neighbor-af)# send-community extended ESR(config-bgp-neighbor-af)# enable ESR(config-bgp-neighbor-af)# exit ESR(config-bgp-neighbor)# enable ESR(config-bgp-neighbor)#...
  • Page 387 ESR(config-ldp-af-ipv4)# exit ESR(config-ldp)# enable ESR(config-ldp)# exit ESR(config-mpls)# l2vpn ESR(config-l2vpn)# vpls CE1 ESR(config-l2vpn-vpls)# bridge-group ESR(config-l2vpn-vpls)# autodiscovery bgp ESR(config-bgp)# vpn id ESR(config-bgp)# ve id ESR(config-bgp)# 65500:1 ESR(config-bgp)# route-target export 65500:1 ESR(config-bgp)# route-target import 65500:1 ESR(config-bgp)# exit ESR(config-l2vpn-vpls)# enable ESR(config-l2vpn-vpls)#...
  • Page 388 ESR(config)# hostname ESR ESR(config)# system jumbo-frames ESR(config)# ESR(config)# router bgp log-neighbor-changes ESR(config)# router bgp 65500 ESR(config-bgp)# router-id 10.11.1.1 ESR(config-bgp)# neighbor 10.11.1.2 ESR(config-bgp-neighbor)# remote-as 65500 ESR(config-bgp-neighbor)# update-source 10.11.1.1 ESR(config-bgp-neighbor)# address-family l2vpn vpls ESR(config-bgp-neighbor-af)# send-community extended ESR(config-bgp-neighbor-af)# enable ESR(config-bgp-neighbor-af)#...
  • Page 389 ESR(config-ldp-af-ipv4)# interface gigabitethernet 1/0/2 ESR(config-ldp-af-ipv4-if)# exit ESR(config-ldp-af-ipv4)# exit ESR(config-ldp)# enable ESR(config-ldp)# exit ESR(config-mpls)# l2vpn ESR(config-l2vpn)# vpls CE1 ESR(config-l2vpn-vpls)# bridge-group ESR(config-l2vpn-vpls)# autodiscovery bgp ESR(config-bgp)# vpn id ESR(config-bgp)# ve id ESR(config-bgp)# 65500:1 ESR(config-bgp)# route-target export 65500:1 ESR(config-bgp)# route-target import...
  • Page 390 ASBR1 ESR(config)# hostname ASBR1 ESR(config)# ESR(config)# system jumbo-frames ESR(config)# ESR(config)# vlan 100,200 ESR(config-vlan)# exit ESR(config)# ESR(config)# router bgp 65500 ESR(config-bgp)# router-id 10.10.1.2 ESR(config-bgp)# neighbor 10.10.1.1 ESR(config-bgp-neighbor)# remote-as 65500 ESR(config-bgp-neighbor)# update-source 10.10.1.2 ESR(config-bgp-neighbor)# address-family l2vpn vpls ESR(config-bgp-neighbor-af)# send-community extended ESR(config-bgp-neighbor-af)#...
  • Page 391 ESR(config-loopback)# ip ospf ESR(config-loopback)# exit ESR(config)# mpls ESR(config-mpls)# ESR(config-ldp)# router-id 10.10.1.2 ESR(config-ldp)# address-family ipv4 ESR(config-ldp-af-ipv4)# interface gigabitethernet 1/0/2 ESR(config-ldp-af-ipv4-if)# exit ESR(config-ldp-af-ipv4)# exit ESR(config-ldp)# enable ESR(config-ldp)# exit ESR(config-mpls)# l2vpn ESR(config-l2vpn)# vpls CE1 ESR(config-l2vpn-vpls)# bridge-group ESR(config-l2vpn-vpls)# autodiscovery bgp ESR(config-bgp)# vpn id...
  • Page 392 ASBR2 ESR(config)# hostname ASBR2 ESR(config)# ESR(config)# system jumbo-frames ESR(config)# ESR(config)# vlan 100,200 ESR(config-vlan)# exit ESR(config)# ESR(config)# router bgp 65500 ESR(config-bgp)# router-id 10.10.1.2 ESR(config-bgp)# neighbor 10.10.1.1 ESR(config-bgp-neighbor)# remote-as 65500 ESR(config-bgp-neighbor)# update-source 10.10.1.2 ESR(config-bgp-neighbor)# address-family l2vpn vpls ESR(config-bgp-neighbor-af)# send-community extended ESR(config-bgp-neighbor-af)#...
  • Page 393 ESR(config-loopback)# ip ospf ESR(config-loopback)# exit ESR(config)# mpls ESR(config-mpls)# ESR(config-ldp)# router-id 10.10.1.2 ESR(config-ldp)# address-family ipv4 ESR(config-ldp-af-ipv4)# interface gigabitethernet 1/0/2 ESR(config-ldp-af-ipv4-if)# exit ESR(config-ldp-af-ipv4)# exit ESR(config-ldp)# enable ESR(config-ldp)# exit ESR(config-mpls)# l2vpn ESR(config-l2vpn)# vpls CE1 ESR(config-l2vpn-vpls)# bridge-group ESR(config-l2vpn-vpls)# autodiscovery bgp ESR(config-bgp)# vpn id...
  • Page 394 Check label assignment, service status, and network availability between CEs: Labels information ASBR2# sh bgp l2vpn vpls all Status codes: * - valid, > - best, i - internal, S - stale Origin codes: i - IGP, e - EGP, ? - incomplete ...
  • Page 395: L3Vpn

    Checking network availability CE1# ping 192.168.1.2 detailed PING 192.168.1.2 (192.168.1.2) bytes of data. bytes from 192.168.1.2: icmp_seq=1 ttl=0 time=1.08 bytes from 192.168.1.2: icmp_seq=2 ttl=0 time=1.06 bytes from 192.168.1.2: icmp_seq=3 ttl=0 time=1.01 bytes from 192.168.1.2: icmp_seq=4 ttl=0 time=0.971 bytes from 192.168.1.2: icmp_seq=5 ttl=0 time=0.972...
  • Page 396 Configure CE: CE1 ESR(config)# hostname CE1 ESR(config)# ESR(config)# route-map BGP ESR(config-route-map)# rule ESR(config-route-map-rule)# exit ESR(config-route-map)# exit ESR(config)# router bgp 65501 ESR(config-bgp)# neighbor 192.168.1.2 ESR(config-bgp-neighbor)# remote-as 65500 ESR(config-bgp-neighbor)# address-family ipv4 unicast ESR(config-bgp-neighbor-af)# route-map BGP out ESR(config-bgp-neighbor-af)# enable ESR(config-bgp-neighbor-af)#...
  • Page 397 CE2 ESR(config)# hostname CE2 ESR(config)# ESR(config)# route-map BGP ESR(config-route-map)# rule ESR(config-route-map-rule)# exit ESR(config-route-map)# exit ESR(config)# router bgp 65501 ESR(config-bgp)# neighbor 192.168.2.2 ESR(config-bgp-neighbor)# remote-as 65500 ESR(config-bgp-neighbor)# address-family ipv4 unicast ESR(config-bgp-neighbor-af)# route-map BGP out ESR(config-bgp-neighbor-af)# enable ESR(config-bgp-neighbor-af)# exit ESR(config-bgp-neighbor)#...
  • Page 398 CE3 ESR(config)# hostname CE3 ESR(config)# ESR(config)# route-map BGP ESR(config-route-map)# rule ESR(config-route-map-rule)# exit ESR(config-route-map)# exit ESR(config)# router bgp 65501 ESR(config-bgp)# neighbor 192.168.3.2 ESR(config-bgp-neighbor)# remote-as 65500 ESR(config-bgp-neighbor)# address-family ipv4 unicast ESR(config-bgp-neighbor-af)# route-map BGP out ESR(config-bgp-neighbor-af)# enable ESR(config-bgp-neighbor-af)# exit ESR(config-bgp-neighbor)#...
  • Page 399 CE4 ESR(config)# hostname CE4 ESR(config)# ESR(config)# route-map BGP ESR(config-route-map)# rule ESR(config-route-map-rule)# exit ESR(config-route-map)# exit ESR(config)# router bgp 65501 ESR(config-bgp)# neighbor 192.168.4.2 ESR(config-bgp-neighbor)# remote-as 65500 ESR(config-bgp-neighbor)# address-family ipv4 unicast ESR(config-bgp-neighbor-af)# route-map BGP out ESR(config-bgp-neighbor-af)# enable ESR(config-bgp-neighbor-af)# exit ESR(config-bgp-neighbor)#...
  • Page 400 ESR(config)# hostname PE1 ESR(config)# ESR(config)# ip vrf CE1 ESR(config-vrf)# ip protocols bgp max-routes ESR(config-vrf)# 65500:1 ESR(config-vrf)# route-target export 65500:1 ESR(config-vrf)# route-target import 65500:1 ESR(config-vrf)# exit ESR(config)# ip vrf CE2 ESR(config-vrf)# ip protocols bgp max-routes ESR(config-vrf)# 65500:2 ESR(config-vrf)#...
  • Page 401 ESR(config-bgp-vrf)# address-family ipv4 unicast ESR(config-bgp-vrf-af)# redistribute bgp 65500 route-map BGP ESR(config-bgp-vrf-af)# exit ESR(config-bgp-vrf)# enable ESR(config-bgp-vrf)# exit ESR(config-bgp)# exit ESR(config)# ESR(config)# router ospf ESR(config-ospf)# area 0.0.0.0 ESR(config-ospf-area)# enable ESR(config-ospf-area)# exit ESR(config-ospf)# enable ESR(config-ospf)# exit ESR(config)# ESR(config)# interface gigabitethernet...
  • Page 402 ESR(config)# hostname PE2 ESR(config)# ESR(config)# ip vrf CE1 ESR(config-vrf)# ip protocols bgp max-routes ESR(config-vrf)# 65500:1 ESR(config-vrf)# route-target export 65500:1 ESR(config-vrf)# route-target import 65500:1 ESR(config-vrf)# exit ESR(config)# ip vrf CE2 ESR(config-vrf)# ip protocols bgp max-routes ESR(config-vrf)# 65500:2 ESR(config-vrf)#...
  • Page 403 ESR(config-bgp-vrf-neighbor)# exit ESR(config-bgp-vrf)# address-family ipv4 unicast ESR(config-bgp-vrf-af)# redistribute bgp 65500 route-map BGP ESR(config-bgp-vrf-af)# exit ESR(config-bgp-vrf)# enable ESR(config-bgp-vrf)# exit ESR(config-bgp)# exit ESR(config)# ESR(config)# router ospf ESR(config-ospf)# area 0.0.0.0 ESR(config-ospf-area)# enable ESR(config-ospf-area)# exit ESR(config-ospf)# enable ESR(config-ospf)# exit ESR(config)# ESR(config)# interface...
  • Page 404 ASBR1 ESR(config)# hostname ASBR1 ESR(config)# ESR(config)# ip vrf CE1 ESR(config-vrf)# ip protocols ospf max-routes ESR(config-vrf)# 65500:1 ESR(config-vrf)# route-target export 65500:1 ESR(config-vrf)# route-target import 65500:1 ESR(config-vrf)# exit ESR(config)# ip vrf CE2 ESR(config-vrf)# ip protocols ospf max-routes ESR(config-vrf)# 65500:2 ESR(config-vrf)#...
  • Page 405 ESR(config-ospf)# enable ESR(config-ospf)# exit ESR(config)# router ospf vrf CE2 ESR(config-ospf)# area 0.0.0.0 ESR(config-ospf-area)# enable ESR(config-ospf-area)# exit ESR(config-ospf)# enable ESR(config-ospf)# exit ESR(config)# ESR(config)# bridge ESR(config-bridge)# ip vrf forwarding CE1 ESR(config-bridge)# vlan ESR(config-bridge)# ip firewall disable ESR(config-bridge)# ip address 172.16.32.1/30...
  • Page 406 ESR(config-mpls)# forwarding interface gigabitethernet 1/0/2 ESR(config-mpls)# exit ESR(config)# ESR(config)# conf...
  • Page 407 ASBR2 ESR(config)# hostname ASBR2 ESR(config)# ESR(config)# ip vrf CE1 ESR(config-vrf)# ip protocols ospf max-routes ESR(config-vrf)# 65500:1 ESR(config-vrf)# route-target export 65500:1 ESR(config-vrf)# route-target import 65500:1 ESR(config-vrf)# exit ESR(config)# ip vrf CE2 ESR(config-vrf)# ip protocols ospf max-routes ESR(config-vrf)# 65500:2 ESR(config-vrf)#...
  • Page 408 ESR(config-ospf)# enable ESR(config-ospf)# exit ESR(config)# router ospf vrf CE2 ESR(config-ospf)# redistribute bgp 65500 ESR(config-ospf)# area 0.0.0.0 ESR(config-ospf-area)# enable ESR(config-ospf-area)# exit ESR(config-ospf)# enable ESR(config-ospf)# exit ESR(config)# ESR(config)# bridge ESR(config-bridge)# ip vrf forwarding CE1 ESR(config-bridge)# vlan ESR(config-bridge)# ip firewall disable ESR(config-bridge)#...
  • Page 409: Inter-As Option B

    ESR(config-ldp)# exit ESR(config-mpls)# forwarding interface gigabitethernet 1/0/2 ESR(config-mpls)# exit ESR(config)# ESR(config)# conf Configuration is completed. Check distribution of routing information and network availability of nodes: PE1# sh bgp vpnv4 unicast all Status codes: * - valid, > - best, i - internal, S - stale Origin codes: i - IGP, e - EGP, ? - incomplete  ...
  • Page 410: L3Vpn

    12.12.1 L3VPN Configure CE: CE1 ESR(config)# hostname CE1 ESR(config)# ESR(config)# route-map BGP ESR(config-route-map)# rule ESR(config-route-map-rule)# exit ESR(config-route-map)# exit ESR(config)# router bgp 65501 ESR(config-bgp)# neighbor 192.168.1.2 ESR(config-bgp-neighbor)# remote-as 65500 ESR(config-bgp-neighbor)# address-family ipv4 unicast ESR(config-bgp-neighbor-af)# route-map BGP out ESR(config-bgp-neighbor-af)# enable ESR(config-bgp-neighbor-af)#...
  • Page 411 ESR(config)# hostname CE2 ESR(config)# ESR(config)# route-map BGP ESR(config-route-map)# rule ESR(config-route-map-rule)# exit ESR(config-route-map)# exit ESR(config)# router bgp 65501 ESR(config-bgp)# neighbor 192.168.2.2 ESR(config-bgp-neighbor)# remote-as 65500 ESR(config-bgp-neighbor)# address-family ipv4 unicast ESR(config-bgp-neighbor-af)# route-map BGP out ESR(config-bgp-neighbor-af)# enable ESR(config-bgp-neighbor-af)# exit ESR(config-bgp-neighbor)# enable...
  • Page 412 ESR(config)# hostname CE3 ESR(config)# ESR(config)# route-map BGP ESR(config-route-map)# rule ESR(config-route-map-rule)# exit ESR(config-route-map)# exit ESR(config)# router bgp 65501 ESR(config-bgp)# neighbor 192.168.3.2 ESR(config-bgp-neighbor)# remote-as 65500 ESR(config-bgp-neighbor)# address-family ipv4 unicast ESR(config-bgp-neighbor-af)# route-map BGP out ESR(config-bgp-neighbor-af)# enable ESR(config-bgp-neighbor-af)# exit ESR(config-bgp-neighbor)# enable...
  • Page 413 ESR(config)# hostname CE4 ESR(config)# ESR(config)# route-map BGP ESR(config-route-map)# rule ESR(config-route-map-rule)# exit ESR(config-route-map)# exit ESR(config)# router bgp 65501 ESR(config-bgp)# neighbor 192.168.4.2 ESR(config-bgp-neighbor)# remote-as 65500 ESR(config-bgp-neighbor)# address-family ipv4 unicast ESR(config-bgp-neighbor-af)# route-map BGP out ESR(config-bgp-neighbor-af)# enable ESR(config-bgp-neighbor-af)# exit ESR(config-bgp-neighbor)# enable...
  • Page 414 PE1(config)# hostname PE1 PE1(config)# PE1(config)# ip vrf CE1 PE1(config-vrf)# ip protocols bgp max-routes PE1(config-vrf)# rd 65501:1 PE1(config-vrf)# route-target export 65501:1 PE1(config-vrf)# route-target import 65501:1 PE1(config-vrf)# exit PE1(config)# ip vrf CE2 PE1(config-vrf)# ip protocols bgp max-routes PE1(config-vrf)# rd 65501:2 PE1(config-vrf)# route-target export...
  • Page 415 PE1(config-bgp-vrf-af)# redistribute bgp 65501 route-map BGP_OUT PE1(config-bgp-vrf-af)# exit PE1(config-bgp-vrf)# enable PE1(config-bgp-vrf)# exit PE1(config-bgp)# exit PE1(config)# PE1(config)# router ospf PE1(config-ospf)# area 0.0.0.0 PE1(config-ospf-area)# enable PE1(config-ospf-area)# exit PE1(config-ospf)# enable PE1(config-ospf)# exit PE1(config)# PE1(config)# interface gigabitethernet 1/0/1.100 PE1(config-subif)# ip vrf forwarding CE1 PE1(config-subif)# description "to CE1"...
  • Page 416 PE2(config)# hostname PE2 PE2(config)# PE2(config)# ip vrf CE1 PE2(config-vrf)# ip protocols bgp max-routes PE2(config-vrf)# 65501:1 PE2(config-vrf)# route-target export 65501:1 PE2(config-vrf)# route-target import 65501:1 PE2(config-vrf)# exit PE2(config)# ip vrf CE2 PE2(config-vrf)# ip protocols bgp max-routes PE2(config-vrf)# 65501:2 PE2(config-vrf)#...
  • Page 417 PE2(config-bgp-vrf-af)# redistribute bgp 65500 route-map BGP_OUT PE2(config-bgp-vrf-af)# exit PE2(config-bgp-vrf)# enable PE2(config-bgp-vrf)# exit PE2(config-bgp)# exit PE2(config)# PE2(config)# router ospf PE2(config-ospf)# router-id 10.11.1.1 PE2(config-ospf)# area 0.0.0.0 PE2(config-ospf-area)# enable PE2(config-ospf-area)# exit PE2(config-ospf)# enable PE2(config-ospf)# exit PE2(config)# PE2(config)# interface gigabitethernet 1/0/1.100...
  • Page 418 ASBR1 ASBR1(config)# hostname ASBR1 ASBR1(config)# ASBR1(config)# system jumbo-frames ASBR1(config)# ASBR1(config)# route-map VPNv4 ASBR1(config-route-map)# rule ASBR1(config-route-map-rule)# exit ASBR1(config-route-map)# exit ASBR1(config)# router bgp 65501 ASBR1(config-bgp)# router-id 10.10.1.2 ASBR1(config-bgp)# neighbor 10.10.1.1 ASBR1(config-bgp-neighbor)# remote-as 65501 ASBR1(config-bgp-neighbor)# update-source 10.10.1.2 ASBR1(config-bgp-neighbor)# address-family vpnv4 unicast ASBR1(config-bgp-neighbor-af)#...
  • Page 419 ASBR1(config-loopback)# exit ASBR1(config)# mpls ASBR1(config-mpls)# ASBR1(config-ldp)# router-id 10.10.1.2 ASBR1(config-ldp)# address-family ipv4 ASBR1(config-ldp-af-ipv4)# interface gigabitethernet 1/0/2 ASBR1(config-ldp-af-ipv4-if)# exit ASBR1(config-ldp-af-ipv4)# exit ASBR1(config-ldp)# enable ASBR1(config-ldp)# exit ASBR1(config-mpls)# forwarding interface gigabitethernet 1/0/1 ASBR1(config-mpls)# forwarding interface gigabitethernet 1/0/2 ASBR1(config-mpls)# exit ASBR1(config)# ASBR1(config)# conf...
  • Page 420 ASBR2 ASBR2(config)# hostname ASBR2 ASBR2(config)# ASBR2(config)# system jumbo-frames ASBR2(config)# ASBR2(config)# route-map VPNv4 ASBR2(config-route-map)# rule ASBR2(config-route-map-rule)# exit ASBR2(config-route-map)# exit ASBR2(config)# router bgp 65500 ASBR2(config-bgp)# router-id 10.11.1.2 ASBR2(config-bgp)# neighbor 10.101.0.2 ASBR2(config-bgp-neighbor)# remote-as 65501 ASBR2(config-bgp-neighbor)# address-family vpnv4 unicast ASBR2(config-bgp-neighbor-af)# route-map VPNv4 out ASBR2(config-bgp-neighbor-af)#...
  • Page 421 ASBR2(config-loopback)# ip ospf ASBR2(config-loopback)# exit ASBR2(config)# mpls ASBR2(config-mpls)# ASBR2(config-ldp)# router-id 10.11.1.2 ASBR2(config-ldp)# address-family ipv4 ASBR2(config-ldp-af-ipv4)# interface gigabitethernet 1/0/2 ASBR2(config-ldp-af-ipv4-if)# exit ASBR2(config-ldp-af-ipv4)# exit ASBR2(config-ldp)# enable ASBR2(config-ldp)# exit ASBR2(config-mpls)# forwarding interface gigabitethernet 1/0/1 ASBR2(config-mpls)# forwarding interface gigabitethernet 1/0/2 ASBR2(config-mpls)# exit...
  • Page 422 PE1# sh bgp vpnv4 unicast all Status codes: * - valid, > - best, i - internal, S - stale Origin codes: i - IGP, e - EGP, ? - incomplete   Codes Route Distinguisher IP Prefix Next hop Metric...
  • Page 423: Mpls Over Gre

    *> 65501:2 10.104.0.1/32 65513 *> 65501:1 10.103.0.1/32 65512 *>i 65501:2 10.101.0.1/32 10.11.1.2 65501 65511 *>i 65501:1 10.100.0.1/32 10.11.1.2 65501 65510   CE4# ping 10.104.0.1 source ip 10.101.0.1 detailed PING 10.104.0.1 (10.104.0.1) from 10.101.0.1 bytes of data. bytes from 10.104.0.1: icmp_seq=1 ttl=0 time=2.25 bytes from 10.104.0.1:...
  • Page 424 Configure CE1 and CE2: hostname CE1   interface gigabitethernet 1/0/2 ip firewall disable ip address 10.100.0.1/24 exit hostname CE2   interface gigabitethernet 1/0/2 ip firewall disable ip address 10.100.0.2/24 exit Configure ESR1 and ESR2:...
  • Page 425 ESR1 ESR1(config)# hostname ESR1 ESR1(config)# ESR1(config)# system cpu load-balance mpls passenger ip ESR1(config)# system cpu load-balance mpls passenger ipoe-pw-without-cw ESR1(config)# security zone trusted ESR1(config-zone)# exit ESR1(config)# security zone untrusted ESR1(config-zone)# exit ESR1(config)# ESR1(config)# router ospf ESR1(config-ospf)# area 0.0.0.0...
  • Page 426 ESR1(config-l2vpn-p2p)# interface gigabitethernet 1/0/2 ESR1(config-l2vpn-p2p)# 100 10.100.0.2 ESR1(config-l2vpn-pw)# pw-class VPWS ESR1(config-l2vpn-pw)# enable ESR1(config-l2vpn-pw)# exit ESR1(config-l2vpn-p2p)# enable ESR1(config-l2vpn-p2p)# exit ESR1(config-l2vpn)# exit ESR1(config-mpls)# forwarding interface ESR1(config-mpls)# exit ESR1(config)# security zone-pair untrusted self ESR1(config-zone-pair)# rule ESR1(config-zone-pair-rule)# action permit ESR1(config-zone-pair-rule)# match protocol gre ESR1(config-zone-pair-rule)#...
  • Page 427 ESR2 ESR2(config)# hostname ESR2 ESR2(config)# ESR2(config)# system cpu load-balance mpls passenger ip ESR2(config)# system cpu load-balance mpls passenger ipoe-pw-without-cw ESR2(config)# security zone trusted ESR2(config-zone)# exit ESR2(config)# security zone untrusted ESR2(config-zone)# exit ESR2(config)# ESR2(config)# router ospf ESR2(config-ospf)# area 0.0.0.0...
  • Page 428 ESR2(config-l2vpn-p2p)# interface gigabitethernet 1/0/2 ESR2(config-l2vpn-p2p)# 100 10.100.0.1 ESR2(config-l2vpn-pw)# pw-class VPWS ESR2(config-l2vpn-pw)# enable ESR2(config-l2vpn-pw)# exit ESR2(config-l2vpn-p2p)# enable ESR2(config-l2vpn-p2p)# exit ESR2(config-l2vpn)# exit ESR2(config-mpls)# forwarding interface ESR2(config-mpls)# exit ESR2(config)# security zone-pair untrusted self ESR2(config-zone-pair)# rule ESR2(config-zone-pair-rule)# action deny ESR2(config-zone-pair-rule)# match protocol gre ESR2(config-zone-pair-rule)#...
  • Page 429 Configuration is complete. Check the service state and nodes availability: *Tunnel configuration* ESR2# sh tunnels configuration gre State: Enabled Description: Mode: Bridge group: VRF: Local address: 192.0.2.2 Remote address: 192.0.2.1 Calculates checksums outgoing GRE packets: Requires that all input GRE packets were checksum: No key: TTL:...
  • Page 430: L3Vpn

    12.13.2 L3VPN  When configuring MTU on a tunnel, consider the following: • At least one mpls label will be present when passing through the tunnel. Accounting should include all labels in the stack, for example, explicit null or entropy label; ...
  • Page 431 CE1(config)# hostname CE1 CE1(config)# CE1(config)# route-map BGP_OUT CE1(config-route-map)# rule CE1(config-route-map-rule)# exit CE1(config-route-map)# exit CE1(config)# router bgp 65501 CE1(config-bgp)# neighbor 10.10.0.2 CE1(config-bgp-neighbor)# remote-as 65500 CE1(config-bgp-neighbor)# address-family ipv4 unicast CE1(config-bgp-neighbor-af)# route-map BGP_OUT out CE1(config-bgp-neighbor-af)# enable CE1(config-bgp-neighbor-af)# exit CE1(config-bgp-neighbor)# enable...
  • Page 432 CE2(config)# hostname CE2 CE2(config)# CE2(config)# route-map BGP_OUT CE2(config-route-map)# rule CE2(config-route-map-rule)# exit CE2(config-route-map)# exit CE2(config)# router bgp 65502 CE2(config-bgp)# neighbor 10.10.0.5 CE2(config-bgp-neighbor)# remote-as 65500 CE2(config-bgp-neighbor)# address-family ipv4 unicast CE2(config-bgp-neighbor-af)# route-map BGP_OUT out CE2(config-bgp-neighbor-af)# enable CE2(config-bgp-neighbor-af)# exit CE2(config-bgp-neighbor)# enable...
  • Page 433 ESR1 ESR1(config)# hostname ESR1 ESR1(config)# ESR1(config)# ip vrf l3vpn_service ESR1(config-vrf)# ip protocols bgp max-routes ESR1(config-vrf)# 65500:1 ESR1(config-vrf)# route-target export 65500:1 ESR1(config-vrf)# route-target import 65500:1 ESR1(config-vrf)# exit ESR1(config)# ESR1(config)# ESR1(config)# system cpu load-balance mpls passenger ip ESR1(config)# security zone untrusted ESR1(config-zone)# exit ESR1(config)# security zone trusted...
  • Page 434 ESR1(config)# interface gigabitethernet 1/0/1 ESR1(config-if-gi)# security-zone untrusted ESR1(config-if-gi)# ip address 192.0.2.1/30 ESR1(config-if-gi)# exit ESR1(config)# interface gigabitethernet 1/0/2 ESR1(config-if-gi)# ip vrf forwarding l3vpn_service ESR1(config-if-gi)# description "from CE1" ESR1(config-if-gi)# ip firewall disable ESR1(config-if-gi)# ip address 10.10.0.2/30 ESR1(config-if-gi)# exit ESR1(config)# interface...
  • Page 435 ESR2(config)# hostname ESR2 ESR2(config)# ESR2(config)# ip vrf l3vpn_service ESR2(config-vrf)# ip protocols bgp max-routes ESR2(config-vrf)# 65500:1 ESR2(config-vrf)# route-target export 65500:1 ESR2(config-vrf)# route-target import 65500:1 ESR2(config-vrf)# exit ESR2(config)# ESR2(config)# ESR2(config)# system cpu load-balance mpls passenger ip ESR2(config)# security zone untrusted ESR2(config-zone)# exit ESR2(config)# security zone trusted...
  • Page 436 ESR2(config-if-gi)# ip address 192.0.2.2/30 ESR2(config-if-gi)# exit ESR2(config)# interface gigabitethernet 1/0/2 ESR2(config-if-gi)# ip vrf forwarding l3vpn_service ESR2(config-if-gi)# description "from CE2" ESR2(config-if-gi)# ip firewall disable ESR2(config-if-gi)# ip address 10.10.0.5/30 ESR2(config-if-gi)# exit ESR2(config)# interface loopback ESR2(config-loopback)# ip address 10.12.0.2/32 ESR2(config-loopback)# ip ospf instance...
  • Page 437 *GRE tunnel configuration* ESR2# sh tunnels configuration Tunnel State Description ---------------- -------- ------------------------------ Enabled   ESR2# sh tunnels configuration gre State: Enabled Description: Mode: Bridge group: VRF: Local address: 192.0.2.2 Remote address: 192.0.2.1 Calculates checksums outgoing GRE packets: Requires that all input GRE packets were checksum: No key:...
  • Page 438 imp-null 10.12.0.1/32 10.11.0.1   *Availability of nodes in the network* CE2# ping 10.100.0.1 source ip 10.101.0.1 detailed PING 10.100.0.1 (10.100.0.1) from 10.101.0.1 bytes of data. bytes from 10.100.0.1: icmp_seq=1 ttl=0 time=1.32 bytes from 10.100.0.1: icmp_seq=2 ttl=0 time=1.12 bytes from 10.100.0.1: icmp_seq=3 ttl=0 time=1.14...
  • Page 439: Security Management

    Basic user rules configuration algorithm • Basic user rules configuration example • Extended user rules configuration algorithm • Extended user rules configuration example • Eltex Distribution Manager interaction configuration • Basic configuration algorithm • Configuration example • Content filtering service configuration •...
  • Page 440: Local Authentication Configuration Algorithm

    13.1.1 Local authentication configuration algorithm Step Description Command Keys Set local as authentication esr(config)# aaa authentication <NAME> – list name, set by the method. login { default | <NAME> } string of up to 31 characters. <METHOD 1>...
  • Page 441 Step Description Command Keys Specify the number of failed esr(config)# aaa authentication <COUNT> – amount of failed authentication attempts to block attempts max-fail <COUNT> authentication attempts after which the user login and time of the <TIME>...
  • Page 442 Step Description Command Keys Set the minimum number of esr(config)# security passwords <COUNT> – minimum number of lower case letters in the local lower-case <COUNT> lower case letters in the local user user password and ENABLE password and ENABLE password.
  • Page 443: Aaa Configuration Algorithm Via Radius

    Step Description Command Keys Switch to the corresponding esr(config)# line console terminal configuration mode esr(config)# line telnet esr(config)# line ssh Activate user login authentication esr(config-line-ssh)# login <NAME> – list name, set by the list authentication <NAME>...
  • Page 444 Step Description Command Keys Add RADIUS server to the list of esr(config)# radius-server host <IP-ADDR> – RADIUS server IP used servers and switch to its { <IP-ADDR> | <IPV6-ADDR> } [ vrf address, defined as configuration mode.
  • Page 445 Step Description Command Keys Set IPv4/IPv6 address that will esr(config-radius-server)# <ADDR> – source IP address, be used as source IPv4/IPv6 source-address { <ADDR> | defined as AAA.BBB.CCC.DDD where address in transmitted RADIUS <IPV6-ADDR> } each part takes values of [0..255];...
  • Page 446: Aaa Configuration Algorithm Via Tacacs

    Step Description Command Keys Specify authentication methods esr(config)# aaa authentication <MODE> –  options of iterating over to be tried in case of failure mode <MODE> methods: (optional). • chain – if the server returned FAIL, proceed to the following authentication method in the chain;...
  • Page 447 Step Description Command Keys Add TACACS server to the list of esr(config)# tacacs-server host <IP-ADDR> – TACACS server IP used servers and switch to its { <IP-ADDR> | <IPV6-ADDR> } [ vrf address, defined as configuration mode.
  • Page 448 Step Description Command Keys Specify the interface or tunnel of esr(config-tacacs-server)# <IF> – interface specified in form the router whose IPv4/IPv6 source-interface { <IF> | <TUN> } given in the Types and naming address will be used as the procedure of router interfaces source IPv4/IPv6 address in section...
  • Page 449: Aaa Configuration Algorithm Via Ldap

    Step Description Command Keys Switch to the corresponding esr(config)# line <TYPE> <TYPE> – console type: terminal configuration mode. • console – local console; • ssh – secure remote console. Activate user login esr(config-line-console)# login <NAME>...
  • Page 450 Step Description Command Keys Specify the user search scope in esr(config)# ldap-server search <SCOPE> – user search scope on LDAP server tree (optional). scope <SCOPE> LDAP server, takes the following values: • onelevel – search through the objects on the level following a basic DN tree in LDAP server tree;...
  • Page 451 Step Description Command Keys Specify the number of failed aaa authentication attempts max- <COUNT> – amount of failed authentication attempts to block fail <COUNT> <TIME> authentication attempts after which the user login and time of the lock a user is blocked, takes the values (optional) of [1..65535];...
  • Page 452 Step Description Command Keys Set LDAP as authentication esr(config)# aaa authentication <NAME> – list name, set by the method. login { default | <NAME> } string of up to 31 characters. <METHOD 1> [ <METHOD 2> ] [ <METHOD 3>...
  • Page 453: Example Of Authentication Configuration Using Telnet Via Radius Server

    Step Description Command Keys Activate authentication list of esr(config-line-console)# enable <NAME> – list name, set by the user privileges elevation. authentication <NAME> string of up to 31 characters. Created in step 15. 13.1.5 Example of authentication configuration using telnet via RADIUS server Objective: Configure authentication for users connected via Telnet and RADIUS (192.168.16.1/24).
  • Page 454: Configuration Algorithm

    13.2.1 Configuration algorithm To change minimum privilege level required for CLI command execution, use the following command: esr(config)# privilege <COMMAND-MODE> level <PRIV><COMMAND> <COMMAND-MODE> – command mode; <PRIV> – required command subtree privilege level, takes value in the range of [1..15]; <COMMAND>...
  • Page 455 Step Description Command Keys Enable protection against SYN flood esr(config)# ip firewall screen <NUM> – maximum amount of attacks. dos-defense TCP packets with the set SYN flag syn-flood { <NUM> } [src-dst] per second, set in the range of [1..10000].
  • Page 456 Step Description Command Keys Enable blocking of TCP packets, with esr(config)# ip firewall screen all flags or with the set of flags: FIN, spy-blocking tcp-all-flag PSH, URG. The given command provides the protection against XMAS attack.
  • Page 457: Description Of Attack Protection Mechanisms

    Step Description Command Keys Enable mechanism of espionage esr(config)# logging firewall <ATTACK_TYPE> – espionage activity detection and logging via CLI, screen spy-blocking activity type, takes the following syslog and SNMP. { <ATTACK_TYPE> | icmp-type values: fin-no-ack, ip-sweep, port- <ICMP_TYPE>...
  • Page 458 Command Description ip firewall screen dos-defense syn- This command enables the protection against SYN flood attacks. When the flood protection is enabled, the amount of TCP packets with the SYN flag set per second for one destination address is limited. The attack leads to the host reboot and its failure due to the necessity to process each TCP SYN packet and the attempts to establish a TCP session.
  • Page 459 Command Description ip firewall screen spy-blocking ip- This command enables the protection against IP-sweep attacks. When the sweep protection is enabled, if more than 10 ICMP queries from one source arrive within the specified interval, the first 10 queries are dropped by the router and 11th with the following ones are discarded for the remaining interval time.
  • Page 460: Configuration Example Of Logging And Protection Against Network Attacks

    Command Description ip firewall screen suspicious-packets The given command enables the blocking of fragmented UDP packets. udp-fragment ip firewall screen suspicious-packets The given command enables the blocking of packets, with the protocol ID unknown-protocols contained in IP header equal to 137 and more.
  • Page 461: Firewall Configuration

    ESR series service routers. ESR-Series. User manual Enable protection against land, syn-flood, ICMP flood attacks: esr(config)# ip firewall screen dos-defense land esr(config)# ip firewall screen dos-defense syn-flood src-dst esr(config)# ip firewall screen dos-defense icmp-threshold Configure logging of detected attacks: esr(config)# firewall logging screen dos-defense land esr(config)# firewall logging screen dos-defense syn-flood esr(config)# firewall logging screen dos-defense icmp-threshold Configure SNMP server to which the traps will be sent:...
  • Page 462 ESR series service routers. ESR-Series. User manual Step Description Command Keys Disable filtration of packets for which it esr(config)# ip firewall sessions was not possible to determine allow-unknown belonging to any known connection and which are not the beginning of a new connection (optional, may reduce the performance).
  • Page 463 ESR series service routers. ESR-Series. User manual Step Description Command Keys Determine the lifetime of TCP session esr(config)# ip firewall sessions <TIME> – lifetime of TCP in 'connection is being established' tcp-connect-timeout <TIME> session in 'connection is being state after which it is considered to be established' state, takes values outdated (optional).
  • Page 464 ESR series service routers. ESR-Series. User manual Step Description Command Keys Determine the lifetime of UDP session esr(config)# ip firewall sessions <TIME> – lifetime of UDP in 'connection is confirmed' state after udp-assured-timeout <TIME> session in 'connection is which it is considered to be outdated confirmed' state, takes values (optional).
  • Page 465 ESR series service routers. ESR-Series. User manual Step Description Command Keys esr(config-object-group-network)# <FROM-ADDR> – range starting ipv6 address-range IPv6 address; <FROM-ADDR>-<TO-ADDR> <TO-ADDR> – range ending IPv6 address, optional parameter. If the parameter is not specified, a single IPv6 address is set by the command.
  • Page 466 ESR series service routers. ESR-Series. User manual Step Description Command Keys Disable Firewall functions on the esr(config-if-gi)# ip firewall disable network interface (physical, logical, E1/ Multilink and connected), remote- access server (l2tp, openvpn, pptp) or tunnels (gre, ip4ip4, l2tp, lt, pppoe, pptp) (optional).
  • Page 467 ESR series service routers. ESR-Series. User manual Step Description Command Keys Specify the profile of transmitter IP esr(config-zone-rule)# match [not] <OBJ-GROUP-NETWORK- addresses for which the rule should source-address <OBJ-GROUP- NAME> – IP addresses profile work (optional). NETWORK-NAME> name, set by the string of up to 31 characters.
  • Page 468
    Description: Set the filtration only for IP packets including ip-option (optional, available only for zone-pair any self and zone-pair <zone-name> any).
    Command: esr(config-zone-pair-rule)# match [not] ip-option
    Description: Create an interzone interaction rule.
    Command: esr(config-zone-rule)# enable
    Description: Enable filtering and session tracking while packets are transmitted...
    Command: esr(config-bridge)# ports firewall mode
  • Page 469: Firewall Configuration Example

    13.4.2 Firewall configuration example
    Objective: Enable message passage via ICMP between R1, R2 and the ESR router.
    Solution: Create a security zone for each ESR network:
    esr# configure
    esr(config)# security zone LAN
    esr(config-zone)# exit
    esr(config)# security zone WAN
    esr(config-zone)# exit
    Configure network interfaces and assign them to security zones:
    esr(config)#...
  • Page 470
    To define rules for the security zones, create the 'LAN' address profile, which includes the addresses allowed to access the WAN network, and the 'WAN' network address profile.
    esr(config)# object-group network WAN
    esr(config-object-group-network)# ip address-range 192.168.23.2
    esr(config-object-group-network)# exit
    esr(config)# object-group network LAN
    esr(config-object-group-network)# ip address-range...
  • Page 471: Configuration Example Of Application Filtering (DPI)

    The router always has a security zone named 'self'. When the traffic recipient is the router itself, i.e. the traffic is not transit, pass the 'self' zone as a parameter. Create a pair of zones for traffic coming from the 'WAN' zone into the 'self' zone.
  • Page 472
    Solution: Create a security zone for each ESR network:
    esr# configure
    esr(config)# security zone LAN
    esr(config-zone)# exit
    esr(config)# security zone WAN
    esr(config-zone)# exit
    Configure network interfaces and assign them to security zones:
    esr(config)# interface gi1/0/1
    esr(config-if-gi)# ip address...
  • Page 473
    To set the rules for traffic passing from the 'WAN' zone to the 'LAN' zone, create a zone pair and add a rule prohibiting the application traffic flow and a rule allowing all other traffic to pass. Rules are applied with the enable command:
    esr(config)# security zone-pair WAN LAN
    esr(config-zone-pair)# rule...
  • Page 474: Access List (ACL) Configuration

    13.5 Access list (ACL) configuration
    An Access Control List (ACL) is a list of rules defining traffic transmission through the interface.
    13.5.1 Configuration algorithm
    Description: Create access control list and ...
    Command: esr(config)# ip access-list <NAME>...
  • Page 475
    Description: Set sender IP addresses for which the rule should work (optional).
    Command: esr(config-acl-rule)# match source-address { <ADDR> <MASK> | any }
    Keys: <ADDR> – sender IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255]; <MASK>...
  • Page 476: Access List Configuration Example

    Description: Set VLAN ID for which the rule should work (optional).
    Command: esr(config-acl-rule)# match vlan <VID>
    Keys: <VID> – VLAN ID, takes values of [1..4094].
    Description: Activate a rule.
    Command: esr(config-acl-rule)# enable
    Description: Specify access control list for the ...
    Command: esr(config-if-gi)# service-acl <NAME>...
  • Page 477: IPS/IDS Configuration

    13.6 IPS/IDS configuration
    The function is activated only under the license.
    IPS/IDS (Intrusion Prevention System/Intrusion Detection System) is a network and computer security software system that detects intrusions or security breaches and automatically protects against them. The system is based on signature traffic analysis.
  • Page 478: Configuration Algorithm For IPS/IDS Rules Autoupdate From External Sources

    Description: Set remote server parameters for sending IPS/IDS service statistics in EVE format (elasticsearch).
    Command: esr(config-ips)# logging remote-server { <ADDR> | <IPV6-ADDR>...
    Keys: <ADDR> – sender IP address, defined as AAA.BBB.CCC.DDD where each ...
  • Page 479: Recommended Open Rule Update Source

    Description: Specify a name and enter the configuration mode of the user update server.
    Command: esr(config-ips-auto-upgrade)# user-server <WORD>
    Keys: <WORD> – server name, set by the string of up to 32 characters.
    Description: Specify the description of the user ...
    Command: esr(config-ips-upgrade-user-...
    Keys: <DESCRIPTION>...
  • Page 480
    https://rules.emergingthreats.net/open/suricata/rules/botcc.rules – These rules describe well-known botnets and control servers. Sources: Shadowserver.org, Zeus Tracker, Palevo Tracker, Feodo Tracker, Ransomware Tracker.
    https://rules.emergingthreats.net/ ... – These rules describe malicious hosts by the classification of the www.cinsarmy.com project.
  • Page 481
    https://rules.emergingthreats.net/open/suricata/rules/emerging-dos.rules – These rules contain DOS attack signatures.
    https://rules.emergingthreats.net/open/suricata/rules/emerging-exploit.rules – These rules contain exploit signatures.
    https://rules.emergingthreats.net/open/suricata/rules/emerging-ftp.rules – These rules contain signatures of vulnerabilities in the FTP protocol and signs of incorrect use of the FTP protocol.
    https://...
  • Page 482
    https://rules.emergingthreats.net/open/suricata/rules/emerging-misc.rules – These rules contain different vulnerabilities signatures.
    https://rules.emergingthreats.net/open/suricata/rules/emerging-mobile_malware.rules – These rules contain malware signatures for mobile platforms.
    https://rules.emergingthreats.net/ ... – These rules contain signatures of vulnerabilities in the NetBIOS protocol and signs of incorrect use of the NetBIOS protocol.
  • Page 483
    https://rules.emergingthreats.net/open/suricata/rules/emerging-smtp.rules – These rules contain signatures of vulnerabilities in the SMTP protocol and signs of incorrect use of the SMTP protocol.
    https://rules.emergingthreats.net/open/suricata/rules/emerging-sql.rules – These rules contain vulnerability signatures for SQL DBMS.
    https://rules.emergingthreats.net/... – These rules contain signatures of vulnerabilities in the Telnet protocol and signs of ...
  • Page 484: IPS/IDS Configuration Example With Rules Autoupdate

    https://rules.emergingthreats.net/open/suricata/rules/emerging-worm.rules – These rules describe signs of network worm activity.
    13.6.4 IPS/IDS configuration example with rules autoupdate
    Objective: Organize LAN protection with autoupdate of rules from open sources.
    192.168.1.0/24 – LAN
    Solution: Create a profile of protected LAN addresses:
    esr(config)# object-group network LAN
    esr(config-object-group-network)# ip prefix 192.168.1.0/24...
  • Page 485: Basic User Rules Configuration Algorithm

    The device will be used only as a security gateway, so allocate all available resources to the IPS/IDS service:
    esr(config-ips)# perfomance max
    Configure autoupdate of rules from the EmergingThreats.net, etnetera.cz and Abuse.ch sites:
    esr(config-ips)# auto-upgrade
    esr(config-auto-upgrade)# user-server ET-Open
    esr(config-ips-upgrade-user-server)# description "emerging threats open rules"...
  • Page 486
    Description: Specify the action of the given rule.
    Command: esr(config-ips-category-rule)# action { alert | reject | pass | drop }
    Keys: • alert – traffic is allowed and the IPS/IDS service generates a message; • reject – ...
  • Page 487
    Description: Set the profile of sender TCP/UDP ports for which the rule should work.
    Command: esr(config-ips-category-rule)# source-port {any | <PORT> | object-group <OBJ-GR-NAME>...
    Keys: <PORT> – number of sender TCP/UDP port, takes values of ...
  • Page 488
    Description: Set traffic direction for which the rule should trigger.
    Command: esr(config-ips-category-rule)# direction { one-way | round-trip }
    Keys: • one-way – traffic is transmitted in one direction; • round-trip – traffic is transmitted in both directions.
  • Page 489
    Description: Define the traffic classification which will be recorded to the log when this rule triggers (optional).
    Command: esr(config-ips-category-rule)# meta classification-type { not-suspicious | unknown | bad- ...
    Keys: • not-suspicious – not suspicious traffic; • ...
  • Page 490
    Keys (continued):
    • unusual-client-port-connection – the client used an unusual port.
    • network-scan – network scan was detected.
    • denial-of-service – denial of service attack was detected.
    • non-standard-protocol – custom protocol or event was detected.
  • Page 491
    Command: esr(config-ips-category-rule)# ip icmp code comparison-operator { greater-than | less-than }
    Keys: Comparison operator for ip icmp code value: • greater-than – greater than; • less-than – less than.
    Description: Set ICMP ID value for which the rule ...
    Command: esr(config-ips-category-rule)# ip ...
    Keys: <ID>...
  • Page 492
    Description: Set HTTP protocol keywords for which the rule will trigger (optional).
    Command: esr(config-ips-category-rule)# ip http { accept | accept-enc | accept-lang | client-body | ...
    Keys: See the Suricata 4.X documentation for the meaning of the keywords.
  • Page 493
    Command: esr(config-ips-category-rule)# payload data-size comparison-operator { greater-than | less-than }
    Keys: Comparison operator for payload data-size value: • greater-than – greater than; • less-than – less than.
    Description: Specify the threshold number of ...
    Command: esr(config-ips-category-rule)# ...
    Keys: <COUNT>...
  • Page 494: Basic User Rules Configuration Example

    13.6.6 Basic user rules configuration example
    Objective: Write a rule to protect a server with IP 192.168.1.10 from a DOS attack by large ICMP packets.
    Solution: Create a set of user rules:
    esr(config)# security ips-category user-defined USER
    Create a rule to protect against the attack:
    esr(config-ips-category)# rule
    esr(config-ips-category-rule)# description...
  • Page 495: Extended User Rules Configuration Algorithm

    Set traffic direction:
    esr(config-ips-category-rule)# direction one-way
    The rule will trigger on packets larger than 1024 bytes:
    esr(config-ips-category-rule)# payload data-size 1024
    esr(config-ips-category-rule)# payload data-size comparison-operator greater-than
    The rule will trigger if the load on the server exceeds 3 Mbps, while an attack message will be generated not more than once a minute: Mbps = 3145728...
  • Page 496: Extended User Rules Configuration Example

    3, seconds 30; classtype:denial-of-service; sid: 10000002; rev:1; )'
    13.7 Eltex Distribution Manager interaction configuration
    EDM (Eltex Distribution Manager) is a service for distributing licensed content to devices via commercial subscription. Using Kaspersky Lab's security infrastructure, including the Kaspersky Security Network cloud-based...
  • Page 497: Basic Configuration Algorithm

    in all types of traffic (web, email, P2P, instant messaging services, etc.). As a result, users are protected from the most dangerous cyber threats, including zero-day threats, encryption programs, infected sites and other types.
    IPS on ESR devices can use the following sets of rules provided by Kaspersky SafeStream II:
    • ...
  • Page 498
    Description: Set the time to reboot the device after receiving the certificate.
    Command: esr (config-content-provider)# reboot immediately | [time <HH:MM:SS>]
    Keys: Restart the device after receiving the certificate. time <HH:MM:SS> – the time at which ESR will reboot <hours:minutes:seconds>.
  • Page 499
    Description: Connect the required category.
    Command: esr (config-ips-vendor)# category WORD(1-64)
    Keys: Phishing URL Data Feed – Phishing URL data streams; Malicious URL Data Feed – Malicious URL data streams; Botnet C&C URL Data Feed – Botnet C&C URL data streams; Malicious Hash Data Feed – ...
  • Page 500
    Description: Set the number of downloadable rules.
    Command: esr (config-ips-vendor-category)# rules count <number>
    Keys: <number>
    Description: Enable category.
    Command: enable
    Description: Switch to the IPS/IDS configuration mode.
    Command: esr (config)# security ips
    Description: Assign IPS/IDS security ...
    Command: esr(config-ips)# policy <NAME>
    Keys: <NAME>...
  • Page 501: Configuration Example

    Description: Enable IPS/IDS.
    Command: esr(config-ips)# enable
    13.7.2 Configuration example
    Set the content-provider parameters; this is the address of the Eltex server. There must be network reachability between the content-provider server and the router.
    content-provider
    host address edm.eltex-co.ru
    host port...
  • Page 502
    category APTURLsDF
    rules action alert
    rules count 1000
    enable
    exit
    category BotnetCAndCURLsDF
    rules action alert
    rules count 1000
    enable
    exit
    category IPReputationDF
    rules action alert
    rules count 1000
    enable
    exit
    category IoTURLsDF
    rules action alert
    rules count 1000
    enable...
  • Page 503: Content Filtering Service Configuration

    The following command can be used to view information about downloaded content for IPS/IDS: show security ips content-provider
    esr-20# show security ips content-provider
    Server: content-provider
    Last MD5 of received files: c60bd0f10716d3f48e18f24828337135
    Next update: October 2020 00:37:06
    With this command you can find out whether the content provider has downloaded rules from the EDM server (based on the presence of the md5 checksum) and when the next update is scheduled for the device.
  • Page 504
    Description: Specify policy description (optional).
    Command: esr(config-ips-policy)# description <DESCRIPTION>
    Keys: <DESCRIPTION> – description, set by the string of up to 255 characters.
    Description: Create IP addresses lists which will be used during filtration.
    Command: esr (config)# object-group ...
    Keys: <WORD> – server name, set by the ...
  • Page 505
    Description: Use all ESR resources for IPS/IDS (optional).
    Command: esr(config-ips)# perfomance ...
    Keys: By default, half of the available processor cores are allocated for IPS/IDS.
    Description: Set remote server parameters ...
    Command: esr(config-ips)# logging remote-...
    Keys: <ADDR>...
  • Page 506
    Description: Define a description of a set of user rules (optional).
    Command: esr(config-ips-category)# description <DESCRIPTION>
    Keys: <DESCRIPTION> – description, set by the string of up to 255 characters.
    Description: Create a rule and switch to its ...
    Command: esr(config-ips-category)# rule <ORDER> ...
  • Page 507
    Description: Set the profile of source TCP/UDP ports for which the rule should work.
    Command: esr(config-ips-category-rule)# source-port {any | <PORT> | object-group <OBJ-GR-NAME>...
    Keys: <PORT> – number of sender TCP/UDP port, takes values of [1..65535].
  • Page 508: Content Filtering Rules Configuration Example

    Description: Define the message that IPS/IDS will record to the log when this rule triggers.
    Command: esr(config-ips-category-rule)# meta log-message <MESSAGE>
    Keys: <MESSAGE> – text message specified by a string of up to 129 characters.
    Description: Assign a content filter category ...
    Command: esr(config-ips-category-rule)# ip ...
    Keys: <NAME>...
  • Page 509
    Allow IPS/IDS operation on the bridge gigabitethernet 1/0/2 interface:
    esr(config)# interface gigabitethernet 1/0/2
    esr(config-if-gi)# service-ips inline
    Configure IPS/IDS parameters:
    esr(config)# security ips
    esr(config-ips)# policy OFFICE
    esr(config-ips)# enable
    The device will be used only as a security gateway, so allocate all available resources to the IPS/IDS service:
    esr(config-ips)# perfomance max
    Create a content filtering profile for the selected categories:
    esr(config)# object-group content-filter Black...
  • Page 510
    The TCP destination port for HTTP is usually 80, but Internet sites can also work on non-standard ports, so we specify any:
    esr(config-ips-category-rule)# destination-port any
    The recipient's address can be any site on the Internet:
    esr(config-ips-category-rule)# destination-address any
    Requests to the sites are sent from our local network:
    esr(config-ips-category-rule)# source-address policy-object-group protect...
  • Page 511: Antispam Service Configuration

    13.9 Antispam service configuration
    The function is activated only under the license.
    A mail antispam or spam filter is a program for detecting and filtering unwanted e-mail messages that can come through corporate mail servers and public e-mail services (spam, mail phishing, etc.). The main task of the Antispam service is to detect such unwanted emails while they are still being delivered to the recipient's mailbox.
  • Page 512
    Description: Create Antispam service profile.
    Command: esr(config)# security antispam profile <NAME>
    Keys: <NAME> – up to 31 characters.
    Description: Set the description of the Antispam service profile (optional).
    Command: esr(config-antispam-profile)# description <DESCRIPTION>
    Keys: <DESCRIPTION> – up to 255 characters.
  • Page 513
    Description: Enable a rule in the Antispam service profile (optional).
    Command: esr(config-antispam-profile-rule)# enable
    Description: Create mail domain.
    Command: esr(config)# mailserver domain <DOMAIN-NAME>
    Keys: <DOMAIN-NAME> – up to 31 characters.
    Description: Set the description of the email ...
    Command: esr(config-mailserver-domain)# ...
    Keys: <DESCRIPTION>...
  • Page 514: Configuration Example

    Configure the Antispam service on the ESR to work as an SMTP proxy that analyzes e-mail addressed to the mail server located in the enterprise network and serving the eltex-co.ru domain.
    Solution: Ensure that the MX record for the domain eltex-co.ru points to the ESR IP address:
    esr@eltex:~$ dig +noall +answer eltex-co.ru MX
    eltex-co.ru.
  • Page 515 Create a mail domain that will be configured to process emails for the eltex-co.ru domain and retransmit them to the local mail server. Add the Antispam service profile created above to the configuration of the...
  • Page 516: Redundancy Management

    14 Redundancy management
    • VRRP configuration
      • Configuration algorithm
      • Configuration example 1
      • Configuration example 2
    • Tracking configuration
      • Configuration algorithm
      • Configuration example
    • Firewall/NAT failover configuration
      • Configuration algorithm
      • Configuration example
    • ...
  • Page 517
    Description: Set virtual IP address of the VRRP router.
    Command: esr(config-if-gi)# vrrp ip <ADDR/LEN>
    Keys: <ADDR/LEN> – virtual IP address, defined as AAA.BBB.CCC.DDD/EE where each part AAA-DDD takes values of [0..255] and EE takes values of [1..32].
  • Page 518
    Command: esr(config-if-gi)# ipv6 vrrp timers advertise <TIME>
    Description: Set the interval after which Gratuitous ARP messages are sent when switching the router to the Master status (optional).
    Command: esr(config-if-gi)# vrrp timers garp delay <TIME>
    Keys: <TIME> – time in seconds, takes values of [1..60].
  • Page 519
    Description: Specify authentication algorithm (optional).
    Command: esr(config-if-gi)# vrrp authentication algorithm <ALGORITHM>
    Keys: <ALGORITHM> – authentication algorithm: • cleartext – password, transmitted in clear text; • md5 – password is hashed by the md5 algorithm.
    Description: Specify VRRP version (optional).
  • Page 520: Configuration Example 1

    14.1.2 Configuration example 1
    Objective: Establish a LAN virtual gateway in VLAN 50 using VRRP. IP address 192.168.1.1 is used as the local virtual gateway.
    Solution: First, do the following:
    • create the corresponding sub-interface;
    • ...
  • Page 521: Configuration Example 2

    14.1.3 Configuration example 2
    Objective: Establish virtual gateways for the 192.168.20.0/24 subnet in VLAN 50 and 192.168.1.0/24 in VLAN 60 using VRRP with the Master sync feature. To do this, group the VRRP processes. IP addresses 192.168.1.1 and 192.168.20.1 are used as virtual gateways.
  • Page 522: Tracking Configuration

    Enable VRRP:
    R1(config-subif)# vrrp
    R1(config-subif)# exit
    Configure VRRP for the 192.168.20.0/24 subnet in the created sub-interface. Specify a unique VRRP identifier:
    R1(config-sub)#interface 1/0/6.60
    R1(config-subif)# vrrp id
    Specify virtual gateway IP address 192.168.1.20:
    R1(config-subif)# vrrp ip 192.168.20.1
    Specify VRRP group identifier:
    R1(config-subif)# vrrp group
    Enable VRRP:...
  • Page 523
    Description: Set a rule for tracking VRRP/SLA processes, based on which the Tracking object will switch to the active state.
    Command: esr(config-track)# track vrrp id <VRID> state [not] { master | ...
    Keys: <VRID> – trackable VRRP router identifier, takes values in the range of ...
  • Page 524
    Description: Add the ability to manage a static IP route to the specified subnet (optional).
    Command: esr(config)# ip route [ vrf <VRF> ] <SUBNET> ...
    Keys: <VRF> – VRF name, set by the string of up to 31 characters.
  • Page 525
    Keys: • prohibit – when specifying the command, the packets to this subnet will be dropped by the device, and the sender will receive in response ICMP Destination unreachable (Communication administratively prohibited, code 13);...
  • Page 526: Configuration Example

    Description: Add the ability to control the BGP AS-Path attribute that will be added to the front of the AS-Path list ...
    Command: esr(config-route-map-rule)# action set as-path prepend <AS-PATH>...
    Keys: <AS-PATH> – list of autonomous system numbers to be added to the ...
  • Page 527
    Initial configurations of the routers:
    R1 router
    hostname R1
    interface gigabitethernet 1/0/1
    switchport forbidden default-vlan
    exit
    interface gigabitethernet 1/0/1.741
    ip firewall disable
    ip address 192.168.0.2/24
    vrrp id
    vrrp ip 192.168.0.1/24
    vrrp
    exit
    interface gigabitethernet 1/0/2
    switchport forbidden default-vlan
    exit...
  • Page 528: Firewall/NAT Failover Configuration

    Solution: No changes are needed on router R2, since subnet 10.0.1.0/24 is terminated on it, and as soon as router R2 is the VRRP master, packets will be transmitted to the corresponding interface. As soon as R1 becomes the VRRP master, a route must be created for packets with a destination IP address in network 10.0.1.0/24.
  • Page 529
    Description: Set the UDP port number of the Firewall session reservation service through which information is exchanged when working in unicast ...
    Command: ip firewall failover port <PORT>
    Keys: <PORT> – port number of the Firewall session reservation service, specified in range [1..65535].
  • Page 530: Configuration Example

    14.3.2 Configuration example
    Objective: Configure firewall session reservation for a VRRP group in unicast mode. It is necessary to organize redundancy for two subnets using the VRRP protocol and to synchronize the VRRP processes on the routers.
    Main configuration steps: Configure VRRP processes on the routers.
  • Page 531 To ensure that the VRRP process states on a router are synchronized (master, backup), as well as to synchronize their sessions using firewall failover, it is necessary to configure them to belong to the same VRRP group.
  • Page 532
    Additionally, the following protocols must be allowed in the security zone-pair trusted self:
    master(config)# security zone-pair trusted self
    master(config-zone-pair)# rule
    master(config-zone-pair-rule)# action permit
    master(config-zone-pair-rule)# match protocol vrrp
    master(config-zone-pair-rule)# enable
    master(config-zone-pair-rule)# exit
    master(config-zone-pair)# rule
    master(config-zone-pair-rule)# action permit
    master(config-zone-pair-rule)# match protocol udp
    master(config-zone-pair-rule)# match destination-port failover
    master(config-zone-pair-rule)# enable...
  • Page 533: DHCP Failover Configuration

    Configure the ESR-2 router (backup). Configure interfaces:
    backup(config)# interface gigabitethernet 1/0/1
    backup(config-if-gi)# security-zone trusted
    backup(config-if-gi)# ip address 192.0.2.2/24
    backup(config-if-gi)# vrrp id
    backup(config-if-gi)# vrrp ip 192.0.2.1/24
    backup(config-if-gi)# vrrp priority
    backup(config-if-gi)# vrrp group
    backup(config-if-gi)# vrrp
    backup(config-if-gi)# exit
    backup(config)# interface gigabitethernet 1/0/2...
  • Page 534: Configuration Example

    Description: Select DHCP failover operation mode.
    Command: mode { active-active | active-standby }
    Keys: active-active – operating mode with two active routers; active-standby – operating mode with one active router and one standby router.
  • Page 535
    Main configuration steps:
    Configure VRRP processes on the routers. Use vrrp priority 20 for the master and vrrp priority 10 for the backup.
    Configure DHCP failover in Active-Standby mode.
    Configure a security zone for the VRRP, UDP and TCP protocols.
    Solution: Configure the ESR-1 router (master).
  • Page 536
    Configure DHCP failover. For DHCP failover it is necessary to configure the following parameters: mode, local-address, remote-address, and the VRRP group the router belongs to.
    master(config)# ip dhcp-server pool LAN
    master(config-dhcp-server)# network 192.0.2.0/24
    master(config-dhcp-server)# address-range 192.0.2.10-192.0.2.20
    master(config-dhcp-server)# exit
    master(config)# ip dhcp-server
    master(config)# ip dhcp-server failover
    master(config-dhcp-server-failover)# mode active-standby...
  • Page 537
    View the status of Firewall session reservations using the following command:
    master# show ip dhcp server failover
    VRF:
    State: Successful
    View the status of device redundancy systems using the following command:
    master# show high-availability state
    AP Tunnels:
    State: Disabled...
  • Page 538
    Configure DHCP failover:
    backup(config)# ip dhcp-server pool LAN
    backup(config-dhcp-server)# network 192.0.2.0/24
    backup(config-dhcp-server)# address-range 192.0.2.10-192.0.2.20
    backup(config-dhcp-server)# exit
    backup(config)# ip dhcp-server
    backup(config)# ip dhcp-server failover
    backup(config-dhcp-server-failover)# mode active-standby
    backup(config-dhcp-server-failover)# local-address 203.0.113.2
    backup(config-dhcp-server-failover)# remote-address 203.0.113.1
    backup(config-dhcp-server-failover)# vrrp-group
    backup(config-dhcp-server-failover)# enable
    backup(config-dhcp-server-failover)# exit
    Configuration of the security zone is similar to the configuration of the security zone for the ESR-1 (master) router.
  • Page 539: Remote Access Configuration

    15 Remote access configuration
    • Configuring server for remote access to corporate network via PPTP protocol
      • Configuration algorithm
      • Configuration example
    • Configuring server for remote access to corporate network via L2TP protocol
    • ...
  • Page 540
    Description: Specify the IP address on which the PPTP server should listen.
    Command: esr(config-pptp-server)# outside-address { object-group <OBJ-GROUP-NETWORK-NAME> | ip-address <ADDR>...
    Keys: <OBJ-GROUP-NETWORK-NAME> – name of the profile containing the IP address the PPTP server should listen on, set by the string of ...
  • Page 541
    Description: Allow the necessary authentication methods for remote users.
    Command: esr(config-pptp-server)# authentication method <METHOD>
    Keys: <METHOD> – authentication method, possible values: [chap, mschap, mschap-v2, eap, pap]. By default only chap is allowed.
    Description: Specify user name (when using local ...
    Command: esr(config-pptp-server) <NAME>...
  • Page 542: Configuration Example

    15.1.2 Configuration example
    Objective: Configure a PPTP server on the router.
    • PPTP server address: 120.11.5.1;
    • Gateway inside the tunnel for connecting clients: 10.10.10.1;
    • IP address pool for lease: 10.10.10.5-10.10.10.25;
    • DNS servers: 8.8.8.8, 8.8.8.4;
    • ...
  • Page 543
    Create the PPTP server and map the profiles listed above:
    esr(config)# remote-access pptp remote-workers
    esr(config-pptp)# local-address object-group pptp_local
    esr(config-pptp)# remote-address object-group pptp_remote
    esr(config-pptp)# outside-address object-group pptp_outside
    esr(config-pptp)# dns-servers object-group pptp_dns
    Select the authentication method for PPTP server users:
    esr(config-pptp)# authentication mode local
    Specify the security zone that user sessions will be related to:
    esr(config-pptp)# security-zone VPN...
  • Page 544: Configuring Server For Remote Access To Corporate Network Via L2TP Protocol

    To view the PPTP server configuration, use the following command:
    esr# show remote-access configuration pptp remote-workers
    In addition to creating the PPTP server, open TCP port 1723, used for connection handling, and enable the GRE protocol (47) for the tunnel traffic in the firewall.
    15.2 Configuring server for remote access to corporate network via L2TP protocol
    L2TP (Layer 2 Tunneling Protocol) is a sophisticated tunneling protocol used to support ...
  • Page 545
    Description: Specify the IP address of the local gateway or disable firewall for the PPTP server.
    Command: esr(config-l2tp-server)# local-address { object-group <OBJ-GROUP-NETWORK-NAME>...
    Keys: <OBJ-GROUP-NETWORK-NAME> – name of the IP addresses profile that includes the local gateway IP address, ...
  • Page 546
    Description: Specify user password (when using local authentication base).
    Command: esr(config-l2tp-user) password ascii-text { <PASSWORD> | encrypted <PASSWORD> }
    Keys: <PASSWORD> – user password, set by the string of up to 32 characters.
    Description: Enable user (when using local authentication base).
    Command: esr(config-l2tp-user) enable
  • Page 547: Configuration Example

    Description: Define the list of DNS servers that will be used by remote users (optional). Command: esr(config-l2tp-server)# dns-servers object-group <OBJ-GROUP-NETWORK-NAME> Keys: <OBJ-GROUP-NETWORK-NAME> – name of the IP addresses profile that includes the required DNS servers ...
  • Page 548 Create address profile that contains DNS servers: esr(config)# object-group network pptp_dns esr(config-object-group-network)# ip address-range 8.8.8.8 esr(config-object-group-network)# ip address-range 8.8.4.4 esr(config-object-group-network)# exit Create L2TP server and map profiles listed above: esr(config)# remote-access l2tp remote-workers esr(config-l2tp)# local-address ip-address 10.10.10.1 esr(config-l2tp)# remote-address address-range 10.10.10.5-10.10.10.15...
  • Page 549: Configuring Server For Remote Access To Corporate Network Via Openvpn Protocol

    To view the L2TP server configuration, use the following command: esr# show remote-access configuration l2tp remote-workers Note: in addition to creating the L2TP server, open UDP ports 500, 1701 and 4500, used for connection handling, and permit ESP (protocol 50) and GRE (protocol 47) for the tunnel traffic in the firewall. 15.3 Configuring server for remote access to corporate network via OpenVPN protocol OpenVPN is a sophisticated SSL-based tool that implements Virtual Private Networks (VPN), enables remote access and solves many different tasks related to data transmission security.
  • Page 550 Description: Specify the list of IP addresses from which dynamic IP addresses are leased to remote users in L2 mode by the OpenVPN server (only for tunnel ... Command: esr(config-openvpn-server)# address-range <FROM-ADDR>-<TO-ADDR> Keys: <FROM-ADDR> – range starting IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255];...
  • Page 551 Description: Define a static IP address for the specified OpenVPN server user. Command: esr(config-openvpn-user)# ip address <ADDR> Keys: <ADDR> – address set in the following format: AAA.BBB.CCC.DDD – IP address of the subnet where AAA-DDD are set to [0..255].
  • Page 552: Configuration Example

    Description: Set the time interval after which the connection with the opposing party is checked (optional). Command: esr(config-openvpn-server)# timers keepalive <TIME> Keys: <TIME> – time in seconds, takes values of [1..65535]. Default value: 10. Description: Allow multiple users with the same certificate to connect to the... Command: esr(config-openvpn-server)# ...
  • Page 553 Solution: First, do the following: • Prepare certificates and keys: • CA certificate; • OpenVPN server key and certificate; • Diffie-Hellman and HMAC key for TLS. • Configure zone for te1/0/1 interface; • Specify IP address for te1/0/1 interface. Import certificates and keys via TFTP: esr# copy tftp://192.168.16.10:/ca.crt certificate:ca/ca.crt...
  • Page 554: Configuring Remote Access Client Via Pppoe

    Enable OpenVPN server: esr(config-openvpn)# enable When the new configuration is applied, the router will listen on port 1194 (used by default). To view OpenVPN server session status, use the following command: esr# show remote-access status openvpn server AP To view OpenVPN server session counters, use the following command: esr# show remote-access counters openvpn server AP To clear OpenVPN server session counters, use the following command:...
  • Page 555 Description: Specify the name of the VRF instance that will use the PPPoE client (optional). Command: esr(config-pppoe)# ip vrf forwarding <VRF> Keys: <VRF> – VRF name, set by a string of up to 31 characters.
  • Page 556: Configuration Example

    Description: Change the number of failed data-link tests before breaking the session (optional). Command: esr(config-pppoe)# ppp failure-count <NUM> Keys: <NUM> – the number of failed data-link tests, specified in the range [1..100]. Default value: 10.
  • Page 557: Configuring Remote Access Client Via Pptp

    Solution: Pre-configure PPPoE server with the accounts. Enter the PPPoE client configuration mode and disable the firewall: esr# configure esr(config)# tunnel pppoe esr(config-pppoe)# ip firewall disable Specify user name and password for connection to PPPoE server: esr(config-pppoe)# username tester password ascii-text password Specify the interface through which the PPPoE connection will be established: esr(config-pppoe)#...
  • Page 558 Description: Include the PPTP tunnel in a security zone and configure interaction rules between zones, or disable the firewall (see section ... Command: esr(config-pptp)# security-zone <NAME>; esr(config-pptp)# ip firewall ... Keys: <NAME> – security zone name, set by a string of up to 31 characters.
  • Page 559: Configuration Example

    Description: Specify authentication method (optional). Command: esr(config-pptp)# authentication method <METHOD> Keys: <METHOD> – authentication method, possible values: chap, mschap, mschap-v2, eap, pap. Default value: chap. Description: Enable recording of the current tunnel usage statistics (optional). Command: esr(config-pptp)# history statistics Description: Change the time interval in ... Command: esr(config-pptp)# ppp timeout...
  • Page 560: Configuring Remote Access Client Via L2Tp

    Solution: Create PPTP tunnel: esr(config)# tunnel pptp Specify the account (Ivan user) to connect to the server: esr(config-pptp)# username ivan password ascii-text simplepass Specify the remote gateway: esr(config-pptp)# remote address 20.20.0.1 Specify a security zone: esr(config-pptp)# security-zone VPN Enable PPTP tunnel: esr(config-pptp)# enable...
  • Page 561: Configuration Algorithm

    15.6.1 Configuration algorithm Description: Create an L2TP tunnel and switch to its configuration mode. Command: esr(config)# tunnel l2tp <INDEX> Keys: <INDEX> – tunnel identifier, set in the range of [1..10]. Description: Specify VRF instance, in which the ... Command: esr(config-l2tp)# ip vrf <VRF>...
  • Page 562 Description: Specify a shared secret authentication key that should be the same for both parties of the tunnel. Command: esr(config-l2tp)# ipsec authentication pre-shared-key { ascii-text { <TEXT> | encrypted <ENCRYPTED-TEXT>... Keys: <TEXT> – string of [1..64] ASCII characters;
  • Page 563: Configuration Example

    Description: Specify authentication method (optional). Command: esr(config-l2tp)# authentication method <METHOD> Keys: <METHOD> – authentication method, possible values: chap, mschap, mschap-v2, eap, pap. Default value: chap. Description: Specify the time interval during which ... Command: esr(config-l2tp)# load-average <TIME>...
  • Page 564 Specify the account (Ivan user) to connect to the server: esr(config-l2tp)# username ivan password ascii-text simplepass Specify the remote gateway: esr(config-l2tp)# remote address 20.20.0.1 Specify a security zone: esr(config-l2tp)# security-zone VPN Specify IPsec authentication method: esr(config-l2tp)# ipsec authentication method pre-shared-key Specify IPsec security key: esr(config-l2tp)# ipsec authentication pre-shared-key ascii-text password...
  • Page 565: Service Management

    16 Service management • DHCP server configuration • Configuration algorithm • Configuration example • Destination NAT configuration • Configuration algorithm • Destination NAT configuration example • Source NAT configuration • Configuration algorithm • Configuration example 1 •...
  • Page 566 Description: Create a pool of DHCP server IPv4/IPv6 addresses and switch to its configuration mode. Command: esr(config)# ip dhcp-server pool <NAME> [vrf <VRF>] Keys: <NAME> – IPv4/IPv6 server profile name, set by a string of up to 31 characters.
  • Page 567 Description: Add an IPv4/IPv6 address for a specific physical address to the address pool of the configurable ... Command: esr(config-dhcp-server)# address <ADDR> {mac-address <MAC> | client-... Keys: <ADDR> – client IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255];...
  • Page 568 Command: esr(config-ipv6-dhcp-server)# dns-server <IPV6-ADDR> Keys: <IPV6-ADDR> – DNS server IPv6 address, defined as X:X:X:X::X where each part takes values in hexadecimal format [0..FFFF]. Up to 8 IP addresses can be specified, separated by commas. Description: Specify maximum IP addresses ... Command: esr(config-dhcp-server)# max-... Keys: <TIME>...
  • Page 569: Configuration Example

    192.168.1.0/24 esr(config-dhcp-server)# address-range 192.168.1.100-192.168.1.125 esr(config-dhcp-server)# default-lease-time 1:00:00 Configure transfer of additional network parameters to clients: • default route: 192.168.1.1; • domain name: eltex.loc; • DNS server list: DNS1: 172.16.0.1, DNS2: 8.8.8.8. esr(config-dhcp-server)# domain-name "eltex.loc" esr(config-dhcp-server)# default-router 192.168.1.1 esr(config-dhcp-server)# dns-server 172.16.0.1,8.8.8.8...
  • Page 570 To enable DHCP message transmission to the server, create the respective port profiles including source port 68 and destination port 67 used by DHCP and create the allowing rule in the security policy for UDP packet transmission: esr(config)# object-group service dhcp_server esr(config-object-group-service)# port-range...
  • Page 571: Destination Nat Configuration

    16.2 Destination NAT configuration The Destination NAT (DNAT) function translates the destination IP address of packets forwarded through the network gateway. DNAT is used to redirect traffic arriving at a specific 'virtual' address in a public network to a 'real' server in the LAN located behind the network gateway.
  • Page 572 Description: Specify the profile of IP addresses {sender | recipient} for which the rule should work. Command: esr(config-dnat-rule)# match [not] {source|destination}-address <OBJ-GROUP-NETWORK-NAME>... Keys: <OBJ-GROUP-NETWORK-NAME> – IP addresses profile name, set by a string of up to 31 characters.
  • Page 573: Destination Nat Configuration Example

    Description: Enable application layer session tracking for the FTP, SIP, H323, netbios-ns and PPTP protocols (optional). Command: esr(config)# ip firewall sessions tracking {<PROTOCOL> | sip [ port ... Keys: all – enables application layer session tracking for all available protocols; <PROTOCOL>...
  • Page 574 Solution: Create 'UNTRUST' and 'TRUST' security zones. Assign the network interfaces in use to the zones and, at the same time, assign IP addresses to the interfaces. esr# configure esr(config)# security zone UNTRUST esr(config-zone)# exit esr(config)# security zone TRUST esr(config-zone)# exit esr(config)# interface...
  • Page 575: Source Nat Configuration

    esr(config-dnat)# ruleset DNAT esr(config-dnat-ruleset)# from zone UNTRUST esr(config-dnat-ruleset)# rule esr(config-dnat-rule)# match destination-address NET_UPLINK esr(config-dnat-rule)# match protocol tcp esr(config-dnat-rule)# match destination-port SRV_HTTP esr(config-dnat-rule)# action destination-nat pool SERVER_POOL esr(config-dnat-rule)# enable esr(config-dnat-rule)# exit esr(config-dnat-ruleset)# exit esr(config-dnat)# exit To transfer the traffic coming from 'UNTRUST' zone into 'TRUST' zone, create the respective pair of zones.
  • Page 576 Description: Create a pool of IP addresses and/or TCP/UDP ports with a specific name (optional). Command: esr(config-snat)# pool <NAME> Keys: <NAME> – NAT addresses pool name, set by a string of up to 31 characters.
  • Page 577 Description: Set the rule group scope. The rules will be applied only to traffic coming to a certain zone or interface. Command: esr(config-snat-ruleset)# to { zone <NAME> | interface <IF>... Keys: <NAME> – isolation zone name;
  • Page 578 Description: Specify the action 'translation of source address and port' for the traffic meeting the requirements of ... Command: esr(config-snat-rule)# action source-nat { off | pool <NAME> | netmap pool <NAME>... Keys: off – translation is disabled;
  • Page 579: Configuration Example 1

    Note: when the 'not' key is used, the rule applies to values that are not included in the specified profile. Note: each 'match' command may contain the 'not' key; when it is used, packets that do not meet the given requirement fall under the rule.
  • Page 580 To transfer traffic from 'TRUST' zone into 'UNTRUST' zone, create a pair of zones and add rules allowing traffic transfer in this direction. Additionally, a check is in place to ensure that the source address belongs to the 'LOCAL_NET' address range, in order to limit access to the public network.
  • Page 581: Configuration Example 2

    16.3.3 Configuration example 2 Objective: Configure access for users in LAN 21.12.2.0/24 to public network using Source NAT function without the firewall. Public network address range for SNAT 200.10.0.100-200.10.0.249. Solution: Begin configuration with network interface configuration and disabling the firewall: esr(config)# interface gigabitethernet...
  • Page 582: Static Nat Configuration

    The second step is to create the SNAT rule set. In the set attributes, specify that the rules apply only to packets transferred to the public network through the te1/0/1 port. The rules include a check which ensures that the source address belongs to the 'LOCAL_NET' pool: esr(config-snat)# ruleset SNAT esr(config-snat-ruleset)# to...
  • Page 583 Solution: Begin configuration with network interface configuration and disabling the firewall: esr(config)# interface gigabitethernet 1/0/1 esr(config-if-gi)# ip address 21.12.2.1/24 esr(config-if-gi)# ip firewall disable esr(config-if-gi)# exit esr(config)# interface tengigabitethernet 1/0/1 esr(config-if-te)# ip address 200.10.0.1/24 esr(config-if-te)# ip firewall disable esr(config-if-te)# exit For Static NAT configuration, create the 'LOCAL_NET' LAN address profile, which includes the local subnet, and the 'PUBLIC_POOL' public network address profile.
  • Page 584: Http/Https Traffic Proxying

    So that the router can respond to ARP requests for addresses from the 'PROXY' translation pool, launch the ARP Proxy service. The ARP Proxy service is configured on the interface whose IP address belongs to the 'PROXY' address profile subnet: esr(config)# interface...
  • Page 585 Description: Specify the remote server from which the necessary URL lists are taken (optional). Command: esr(config)# ip http proxy server-url <URL> Keys: <URL> – server address where remote URL lists will be taken from. Description: Specify a listening port for ... Command: esr(config)# ip http proxy listen-... Keys: <OBJ_GROUP_NAME>...
  • Page 586 Description: Create an interzone interaction rule set. Command: esr(config)# security zone-pair <src-zone-name1> self Keys: <src-zone-name> – security zone in which the interfaces with the ip http proxy or ip https proxy function are located. self –...
  • Page 587: Http Proxy Configuration Example

    16.5.2 HTTP proxy configuration example Objective: Organize URL filtering for a number of addresses using a proxy. Solution: Create a set of URLs to filter by. Configure a proxy filter and specify the actions for the created set of URLs: esr# configure esr(config)# object-group url test1 esr(config-object-group-url)# url...
  • Page 588: Ntp Configuration

    Create a permissive interzonal interaction rule: esr(config)# security zone-pair LAN self esr(config-zone-pair)# rule esr(config-zone-pair-rule)# action permit esr(config-zone-pair-rule)# match protocol tcp esr(config-zone-pair-rule)# match destination-port proxy esr(config-zone-pair-rule)# enable esr(config-zone-pair-rule)# exit esr(config-zone-pair)# exit 16.6 NTP configuration NTP (Network Time Protocol) is a network protocol for synchronizing the internal clocks of equipment over IP networks; it runs over UDP, takes transmission delays into account and uses algorithms that achieve high-precision time synchronization.
  • Page 589 Description: Mark this NTP server as preferred (optional). Command: esr(config-ntp)# prefer Description: Define a list of trusted IP addresses with which NTP packets ... Command: esr(config)# ntp access-addresses <NAME>... Keys: <NAME> – IP addresses profile name, set by ...
  • Page 590: Configuration Example

    Description: Set the current time and date manually (optional). Command: esr# set date <TIME> [<DAY> <MONTH> [ <YEAR> ] ] Keys: <TIME> – system timer, defined as HH:MM:SS, where: • HH – hours, takes the value of [0..23]; •...
  • Page 591 Solution: First, do the following: • specify security zone for gi1/0/1 interface; • configure the IP address for the gi1/0/1 interface to provide IP connectivity to the NTP server. Example: security zone untrust exit object-group service NTP port-range...
  • Page 592: Monitoring

    17 Monitoring • Netflow configuration • Configuration algorithm • Configuration example • sFlow configuration • Configuration algorithm • Configuration example • SNMP configuration • Configuration algorithm • Configuration example • Zabbix-agent/proxy configuration • Configuration algorithm •...
  • Page 593 Description: Set the interval after which the information on active sessions is exported to the collector. Command: esr(config)# netflow active-timeout <TIMEOUT> Keys: <TIMEOUT> – delay before sending active sessions information, set in seconds, takes the value of [5..36000].
  • Page 594: Configuration Example

    17.1.2 Configuration example Objective: Establish accounting for traffic from gi1/0/1 interface to be sent to the server via gi1/0/8 interface for processing purposes. Solution: First, configure addressing on interfaces. Main configuration step: Specify collector IP address: esr(config)# netflow collector 10.10.0.2 Enable netflow statistics export collection for gi1/0/1 network interface:...
  • Page 595: Sflow Configuration

    17.2 sFlow configuration sFlow is a standard for monitoring computer networks, wireless networks and network devices, designed for traffic accounting and analysis. 17.2.1 Configuration algorithm Description: Set the rate of sending the ... Command: esr(config)# sflow sampling-rate <RATE>...
  • Page 596: Configuration Example

    17.2.2 Configuration example Objective: Establish accounting for traffic between 'trusted' and 'untrusted' zones. Solution: Create two security zones for ESR networks: esr# configure esr(config)# security zone TRUSTED esr(config-zone)# exit esr(config)# security zone UNTRUSTED esr(config-zone)# exit Configure network interfaces and assign them to security zones: esr(config)# interface...
  • Page 597: Snmp Configuration

    Enable sFlow protocol statistics export for all traffic within 'rule1' for TRUSTED-UNTRUSTED direction: esr(config)# security zone-pair TRUSTED UNTRUSTED esr(config-zone-pair)# rule esr(config-zone-pair-rule)# action sflow-sample esr(config-zone-pair-rule)# match protocol any esr(config-zone-pair-rule)# match source-address any esr(config-zone-pair-rule)# match destination-address any esr(config-zone-pair-rule)# enable Enable sFlow on the router: esr(config)# sflow enable...
  • Page 598 Description: Specify the community for access via SNMPv2c. Command: esr(config)# snmp-server community <COMMUNITY> [ <TYPE> ] [ { <IP-ADDR> | <IPV6-ADDR> } ] [ client-list <OBJ-GROUP-NETWORK-NAME>... Keys: <COMMUNITY> – community for the access via SNMP; <TYPE> – access level: ...
  • Page 599 Description: Set the SNMP value that contains the information on the device location. Command: esr(config)# snmp-server location <LOCATION> Keys: <LOCATION> – information about equipment location, set by a string of up to 255 characters. Description: Specify user access level via ... Command: esr(config-snmp-user)# access <TYPE>...
  • Page 600 Command: esr(config-snmp-user)# ipv6 address <ADDR> Keys: <IPV6-ADDR> – client IPv6 address, defined as X:X:X:X::X where each part takes values in hexadecimal format [0..FFFF]. Description: Enable SNMPv3 user. Command: esr(config-snmp-user)# enable Keys: Default value: process is disabled. Description: Specify the transmitted data ... Command: esr(config-snmp-user)# privacy ... Keys: <ALGORITHM>...
  • Page 601: Configuration Example

    Description: Allow different types of SNMP notifications to be sent. Command: esr(config)# snmp-server enable traps <TYPE> Keys: <TYPE> – type of filtered messages. May take the following values: config, entry, entry-sensor, environment, envmon, files-operations, flash, flash-operations, interfaces, links, ports, screens, snmp, syslog.
  • Page 602: Zabbix-Agent/Proxy Configuration

    Specify security mode: esr(snmp-user)# authentication access priv Specify authentication algorithm for SNMPv3 requests: esr(snmp-user)# authentication algorithm md5 Set the password for SNMPv3 request authentication: esr(snmp-user)# authentication key ascii-text 123456789 Specify the transmitted data encryption algorithm: esr(snmp-user)# privacy algorithm aes128 Set password for the transmitted data encryption: esr(snmp-user)# privacy key ascii-text...
  • Page 603 Description: Specify the host name (optional). Command: esr(config-zabbix)# hostname <WORD>; esr(config-zabbix-proxy)# hostname <WORD>... Keys: <WORD> – host name, set by a string of up to 255 characters. For active mode, the name must match the host name on the Zabbix server.
  • Page 604: Zabbix-Agent Configuration Example

    Description: Specify the processing time for remote commands (optional). Command: esr(config-zabbix)# timeout <TIME>; esr(config-zabbix-proxy)# timeout <TIME> Keys: <TIME> – timeout, takes value in seconds [1..30]. Default value: 3. It is recommended to set the maximum value since some commands may take longer than the default.
  • Page 605: Zabbix-Server Configuration Example

    Set the execution time of the remote commands, and activate the agent's functionality: esr(config-zabbix)# timeout esr(config-zabbix)# enable 17.4.3 Zabbix-server configuration example Create the host:...
  • Page 606 Create the script (Administration -> Scripts -> Create Script): ESR routers support execution of the following privileged commands: • Ping zabbix_get -s {HOST.CONN} -p 10050 -k "system.run[ sudo ping -c 3 192.168.32.101]" The client (ESR) that received this command from the server will execute the ping command to the specified host (in our example, 192.168.32.101) and return the result to the server.
  • Page 607 • Traceroute zabbix_get -s {HOST.CONN} -p 10050 -k "system.run[ sudo traceroute 192.168.32.101]" The client (ESR) that received this command from the server will execute the traceroute command to the specified host (in our example, 192.168.32.101) and return the result to the server. •...
  • Page 608: Syslog Configuration

    Example of the snmpget command execution: 17.5 Syslog configuration Syslog (System Log) is a standard for sending and logging messages about events occurring in the system; it is used in networks operating over IP. 17.5.1 Configuration algorithm Step Description Command...
  • Page 609 Description: Set the severity for messages that will be sent to the SNMP server. Command: esr(config)# syslog snmp <SEVERITY> Keys: <SEVERITY> – message importance level, takes the following values (in order of decreasing importance): •...
  • Page 610 Description: Set the severity for messages that will be saved to the local syslog file (optional). Command: esr(config-syslog-file)# severity <SEVERITY> Keys: <SEVERITY> – described in point 3. Description: Set maximum size of the log file ... Command: esr(config)# syslog ... Keys: <SIZE>...
  • Page 611 Description: Specify the transport protocol for packet transmission to the remote syslog server (optional). Command: esr(config-syslog-host)# transport { tcp | ... Keys: <VRF> – VRF instance name, set by a string of up to 31 characters, for which ...
  • Page 612: Configuration Example

    17.5.2 Configuration example Objective: Configure message sending for the following system events: • failed user authentication; • changes to the configuration of logging system events; • start/stop of the system process; • changes are made to the user profile. ESR router IP address: 192.168.52.8, Syslog server IP address: 192.168.52.41.
  • Page 613: Integrity Check

    The configuration changes come into effect after applying the following commands: esr# commit Configuration has been successfully committed esr# confirm Configuration has been successfully confirmed View the current syslog configuration: esr# show syslog configuration View the syslog entries: esr# show syslog ESR 17.6 Integrity check...
  • Page 614: Configuration Process

    17.7.1 Configuration process Description: Switch to the configuration file backup mode. Command: esr(config)# archive Description: Set router configuration backup type (optional). Command: esr(config-archive)# type <TYPE> Keys: <TYPE> – type of the router configuration backup. Takes the following values: •...
  • Page 615 Solution: For successful operation of remote configuration archiving, IP connectivity should be established between the router and the server, and permissions for the passage of TFTP traffic over the network and for saving files on the server should be configured.
  • Page 616: Bras (Broadband Remote Access Server) Management

    18 BRAS (Broadband Remote Access Server) management • Configuration algorithm • Example of configuration with SoftWLC • Example of configuration without SoftWLC 18.1 Configuration algorithm Description: Add RADIUS server to the list of used ... Command: esr(config)# radius-server ... Keys: <IP-ADDR>...
  • Page 617 Description: Create AAA DAS profile. Command: esr(config)# aaa das-profile <NAME> Keys: <NAME> – DAS profile name, set by a string of up to 31 characters. Description: Specify DAS server in DAS profile. Command: esr(config-aaa-das-profile)# das-server <NAME>... Keys: <NAME> – DAS server name, set by ...
  • Page 618 Description: Specify the name of the URL list that will be used to filter HTTP/HTTPS traffic of non-authenticated users. Command: esr(config-subscriber-default-service)# filter-name ... Keys: <LOCAL-NAME> – URL profile name, set by a string of up to 31 characters.
  • Page 619 Description: Enable transparent transmission of backup traffic for BRAS (optional). Command: esr(config-subscriber-control)# backup traffic-processing transparent Description: Specify the interval after which currently unused URL lists will be ... Command: esr(config)# subscriber-control unused-filters-... Keys: <DELAY> – time interval in seconds, takes values of [10800..86400].
  • Page 620: Example Of Configuration With Softwlc

    Description: Enable the application control on the interface (optional). Command: esr(config-if-gi)# subscriber-control application-filter <NAME> Keys: <NAME> – application profile name, set by a string of up to 31 characters. Description: Set/clear the upper bound of BRAS ... Command: esr(config-subscriber-... Keys: <Threshold>...
  • Page 621 Location parameter (see bridge 2 configuration). The module which is responsible for AAA operations is based on eltex-radius and available by SoftWLC IP address. Numbers of ports for authentication and accounting in the example below are the default values for...
  • Page 622 Define parameters for interaction with the module: esr(config)# radius-server host 192.0.2.20 esr(config-radius-server)# key ascii-text password esr(config-radius-server)# auth-port 31812 esr(config-radius-server)# acct-port 31813 esr(config-radius-server)# exit Create AAA profile: esr(config)# aaa radius-profile RADIUS esr(config-aaa-radius-profile)# radius-server host 192.0.2.20 esr(config-aaa-radius-profile)# exit Specify access parameters to the DAS (Direct-attached storage) server:...
  • Page 623 Specify web resources which are available without authorization: esr(config)# object-group url defaultservice esr(config-object-group-url)# url http://eltex.nsk.ru esr(config-object-group-url)# exit The URL filtering lists are kept on SoftWLC server (change only IP address of SoftWLC server, if addressing is different from the example. Leave the rest of URL without changes): esr(config)# subscriber-control filters-server-url http://192.0.2.20:7070/Filters/file/...
  • Page 624 Configure rules for transition between security zones: esr(config)# object-group service telnet esr(config-object-group-service)# port-range esr(config-object-group-service)# exit esr(config)# object-group service ssh esr(config-object-group-service)# port-range esr(config-object-group-service)# exit esr(config)# object-group service dhcp_server esr(config-object-group-service)# port-range esr(config-object-group-service)# exit esr(config)# object-group service dhcp_client esr(config-object-group-service)# port-range esr(config-object-group-service)# exit...
  • Page 625 Enable DHCP transmitting from trusted to dmz: esr(config)# security zone-pair trusted dmz esr(config-zone-pair)# rule esr(config-zone-pair-rule)# action permit esr(config-zone-pair-rule)# match protocol udp esr(config-zone-pair-rule)# match source-address any esr(config-zone-pair-rule)# match destination-address any esr(config-zone-pair-rule)# match source-port dhcp_client esr(config-zone-pair-rule)# match destination-port dhcp_server esr(config-zone-pair-rule)# enable esr(config-zone-pair-rule)# exit...
  • Page 626: Example of configuration without SoftWLC

    Activate DHCP relay:
      esr(config)# ip dhcp-relay
    Configure SNAT for port gigabitethernet 1/0/1:
      esr(config)# nat source
      esr(config-snat)# ruleset inet
      esr(config-snat-ruleset)# to interface gigabitethernet 1/0/1
      esr(config-snat-ruleset)# rule
      esr(config-snat-rule)# match source-address any
      esr(config-snat-rule)# action source-nat interface
      esr(config-snat-rule)# enable
      esr(config-snat-rule)# end
    18.3 Example of configuration without SoftWLC
    Objective:...
  • Page 627 Service name for a session (A – the service is enabled, N – the service is disabled):
      Cisco-Account-Info = "{A|N}<SERVICE_NAME>"
    Service profile:
      <SERVICE_NAME> Cleartext-Password := <MACADDR>
    (A MAC address is not a secret: it is visible on the wire and trivially spoofed, so it must not be relied on as an authenticator of the subscriber.)
    Matches a class-map name in the ESR settings:
      Cisco-AVPair = "subscriber:traffic-class=<CLASS_MAP>"
    Action that the ESR applies to the traffic (permit, deny, redirect):
      Cisco-AVPair = "subscriber:filter-default-action=<ACTION>"
    Whether IP flows may pass (enabled-uplink, enabled-downlink, enabled, disabled):...
  • Page 628 Step 2: ESR configuration. BRAS functionality requires the BRAS licence:
      esr(config)# sh licence
      Licence information
      -------------------
      Name:    Eltex
      Version:
      Type:    ESR-X
      S/N:     NP00000000
      MAC:     XX:XX:XX:XX:XX:XX
      Features:
        BRAS – Broadband Remote Access Server
    Configure the parameters for interaction with the RADIUS server:
      esr(config)# radius-server host 192.168.1.2...
  • Page 629 Then create rules for redirecting to the portal and for passing traffic to the Internet:
      esr(config)# ip access-list extended BYPASS
      esr(config-acl)# rule
      esr(config-acl-rule)# action permit
      esr(config-acl-rule)# match protocol udp
      esr(config-acl-rule)# match source-address any
      esr(config-acl-rule)# match destination-address any
      esr(config-acl-rule)# match source-port
      esr(config-acl-rule)#...
  • Page 630 URL filtering must be configured. Configure http-proxy filtering on the BRAS for unauthorised users:
      esr(config)# object-group url defaultserv
      esr(config-object-group-url)# url http://eltex.nsk.ru
      esr(config-object-group-url)# url http://ya.ru
      esr(config-object-group-url)# url https://ya.ru
      esr(config-object-group-url)# exit
    Configure and enable BRAS, setting the NAS IP to the address of the interface that communicates with the RADIUS server...
  • Page 631 Apply the following settings on each interface that must run BRAS (at least one interface is required for a successful start). Note that ip firewall disable switches the zone firewall off for traffic on this bridge; subscriber traffic is then policed only by the BRAS rules:
      esr(config)# bridge
      esr(config-bridge)# vlan
      esr(config-bridge)# ip firewall disable
      esr(config-bridge)# ip address 10.10.0.1/16
      esr(config-bridge)# ip helper-address 192.168.1.2
      esr(config-bridge)# service-subscriber-control any
      esr(config-bridge)# location USER...
  • Page 632 To view information and statistics on subscriber control sessions, use the following command:
      esr# sh subscriber-control sessions status
      Session id           User name       IP address      MAC address       Interface Domain
      -------------------- --------------- --------------- -----------------
      1729382256910270473...
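    The attribute grammar above (Cisco-Account-Info with an A/N prefix, Cisco-AVPair "subscriber:" pairs) is small enough to be worth parsing and validating before a BRAS ever sees it, e.g. when generating or reviewing RADIUS profiles. The following is an added example, not code from the Eltex manual or the ESR firmware; the Access-Accept attribute list is constructed, and only the three attribute forms shown on this page are implemented (the attribute carrying the flow values is cut off in this excerpt and is therefore left out).

```python
"""Parse and validate the per-subscriber RADIUS attributes documented for ESR BRAS.

Added example, not Eltex code.  Grammar implemented (from the manual):
  Cisco-Account-Info = "{A|N}<SERVICE_NAME>"           A = enabled, N = disabled
  Cisco-AVPair       = "subscriber:traffic-class=<CLASS_MAP>"
  Cisco-AVPair       = "subscriber:filter-default-action=<ACTION>"  permit|deny|redirect
"""
import re

VALID_ACTIONS = {"permit", "deny", "redirect"}

# Constructed sample: attribute/value pairs as a RADIUS client library would hand them over.
SAMPLE_ACCEPT = [
    ("Cisco-Account-Info", "Ainternet"),
    ("Cisco-Account-Info", "Nblocked"),
    ("Cisco-AVPair", "subscriber:traffic-class=CLASS_INET"),
    ("Cisco-AVPair", "subscriber:filter-default-action=permit"),
]

ACCOUNT_INFO_RE = re.compile(r"^([AN])(.+)$")


def parse_account_info(value):
    """'Ainternet' -> ('internet', True); 'Nblocked' -> ('blocked', False)."""
    m = ACCOUNT_INFO_RE.match(value)
    if not m:
        raise ValueError(f"malformed Cisco-Account-Info: {value!r}")
    return m.group(2), m.group(1) == "A"


def parse_avpair(value):
    """'subscriber:key=val' -> ('key', 'val'); any other prefix is rejected."""
    prefix, sep, rest = value.partition(":")
    if prefix != "subscriber" or not sep or "=" not in rest:
        raise ValueError(f"unexpected Cisco-AVPair: {value!r}")
    key, _, val = rest.partition("=")
    return key, val


def parse_access_accept(attrs):
    """Return {'services': {name: enabled}, 'avpairs': {key: val}} after validation."""
    result = {"services": {}, "avpairs": {}}
    for attr, value in attrs:
        if attr == "Cisco-Account-Info":
            name, enabled = parse_account_info(value)
            result["services"][name] = enabled
        elif attr == "Cisco-AVPair":
            key, val = parse_avpair(value)
            if key == "filter-default-action" and val not in VALID_ACTIONS:
                raise ValueError(
                    f"filter-default-action must be one of {sorted(VALID_ACTIONS)}, got {val!r}")
            if key in result["avpairs"]:
                raise ValueError(f"duplicate subscriber:{key}")
            result["avpairs"][key] = val
        # other attributes (Framed-IP-Address, Session-Timeout, ...) are not validated here
    return result


def enabled_services(parsed):
    """Names of the services the Access-Accept switches on, sorted."""
    return sorted(n for n, on in parsed["services"].items() if on)


if __name__ == "__main__":
    parsed = parse_access_accept(SAMPLE_ACCEPT)
    print(parsed)
    print("enabled services:", enabled_services(parsed))
```

    Rejecting an unknown filter-default-action up front matters because a typo in a RADIUS profile otherwise surfaces only as a subscriber silently getting the BRAS default behaviour.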
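    The zone-pair rules (pages 624-625), the walled-garden URL groups (pages 623 and 630) and the ip firewall disable line on the subscriber bridge (page 631) are the settings a reviewer of such a configuration checks first. The script below is an added example, not code from the Eltex manual or the ESR firmware: it reads a configuration in the command forms shown on these pages and reports permit any->any rules with no port match, interfaces with the firewall switched off, and plaintext-HTTP entries reachable before authentication. The configuration it parses is constructed for the example; only its first zone-pair reproduces the manual's DHCP rule, and the rule and bridge numbers are assumed.

```python
"""Audit an ESR-style firewall/BRAS configuration for settings a reviewer should question.

Added example, not Eltex code.  Only these command forms are recognised:
security zone-pair / rule / action / match / enable, bridge|interface / ip firewall disable,
object-group url / url.  Everything else is ignored; nesting is tracked via 'exit'.
"""

SAMPLE_CONFIG = """\
security zone-pair trusted dmz
  rule 1
    action permit
    match protocol udp
    match source-address any
    match destination-address any
    match source-port dhcp_client
    match destination-port dhcp_server
    enable
  exit
exit
security zone-pair untrusted trusted
  rule 1
    action permit
    match source-address any
    match destination-address any
    enable
  exit
exit
bridge 2
  ip firewall disable
  ip address 10.10.0.1/16
exit
object-group url defaultservice
  url http://eltex.nsk.ru
  url https://ya.ru
exit
"""


def parse_config(text):
    """Build a small model of the config: zone pairs with rules, interfaces, URL groups."""
    cfg = {"zone_pairs": [], "interfaces": {}, "url_groups": {}}
    ctx = []                                   # stack of (kind, object) for the current nesting
    for raw in text.splitlines():
        words = raw.split()
        if not words:
            continue
        if words == ["exit"]:
            if ctx:
                ctx.pop()
            continue
        cur = ctx[-1] if ctx else (None, None)
        if words[:2] == ["security", "zone-pair"] and len(words) == 4:
            zp = {"src": words[2], "dst": words[3], "rules": []}
            cfg["zone_pairs"].append(zp)
            ctx.append(("zone-pair", zp))
        elif words[0] == "rule" and cur[0] == "zone-pair":
            rule = {"id": words[1] if len(words) > 1 else "?", "action": None,
                    "match": {}, "enabled": False}
            cur[1]["rules"].append(rule)
            ctx.append(("rule", rule))
        elif cur[0] == "rule":
            if words[0] == "action" and len(words) > 1:
                cur[1]["action"] = words[1]
            elif words[0] == "match" and len(words) > 2:
                cur[1]["match"][words[1]] = " ".join(words[2:])
            elif words == ["enable"]:
                cur[1]["enabled"] = True
        elif words[0] in ("bridge", "interface"):
            iface = {"firewall_disabled": False}
            cfg["interfaces"][" ".join(words)] = iface
            ctx.append(("iface", iface))
        elif cur[0] == "iface" and words == ["ip", "firewall", "disable"]:
            cur[1]["firewall_disabled"] = True
        elif words[:2] == ["object-group", "url"] and len(words) == 3:
            urls = []
            cfg["url_groups"][words[2]] = urls
            ctx.append(("urls", urls))
        elif cur[0] == "urls" and words[0] == "url" and len(words) == 2:
            cur[1].append(words[1])
    return cfg


def audit(cfg):
    """Return one finding string per questionable setting."""
    findings = []
    for zp in cfg["zone_pairs"]:
        for r in zp["rules"]:
            m = r["match"]
            wide_open = (r["enabled"] and r["action"] == "permit"
                         and m.get("source-address") == "any"
                         and m.get("destination-address") == "any"
                         and "source-port" not in m and "destination-port" not in m)
            if wide_open:
                findings.append(f"zone-pair {zp['src']}->{zp['dst']} rule {r['id']}: "
                                "permit any->any without a port match")
    for name, iface in cfg["interfaces"].items():
        if iface["firewall_disabled"]:
            findings.append(f"{name}: ip firewall disable, stateful inspection is off "
                            "for traffic on this interface")
    for group, urls in cfg["url_groups"].items():
        for u in urls:
            if u.startswith("http://"):
                findings.append(f"object-group url {group}: {u} is reachable before "
                                "authentication over plaintext HTTP")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_config(SAMPLE_CONFIG)):
        print("WARN", finding)
```

    The DHCP rule passes because it is pinned to a protocol and to both port object-groups; the second zone-pair is flagged because an enabled permit with any/any addresses and no port match admits everything from untrusted into trusted. Run it against show running-config output saved to a file to get the same checks on a live router.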
  • Page 633: VoIP management

    19 VoIP management
      • SIP profile configuration algorithm
      • FXS/FXO ports configuration algorithm
      • Dial plan configuration algorithm
      • PBX server configuration algorithm
      • Registration trunk creation algorithm
      • VoIP configuration example
      • Dial plan configuration example
      •...
  • Page 634: FXS/FXO ports configuration algorithm

    Step/Description: Configure a registration server address.
      Command: esr(config-voip-sip-proxy)# ip address registration-server <IP>
      Keys: <IP> – registration server IP address.
    Step/Description: Configure a registration server port.
      Command: esr(config-voip-sip-proxy)# ip port registration-server <PORT>
      Keys: <PORT> – registration server UDP port number, takes values of [1..65535].
  • Page 635 Step/Description: Configure a login for authentication.
      Command: esr(config-voice-port-fxs)# authentication name <LOGIN>
      Keys: <LOGIN> – login for authentication, set by a string of up to 31 characters.
    Step/Description: Configure a password for authentication.
      Command: esr(config-voice-port-fxs)# authentication password <PASS>
      Keys: <PASS> – authentication password, set by...
  • Page 636: Dial Plan Configuration Algorithm

    19.3 Dial plan configuration algorithm
    Step/Description: Create a dial plan.
      Command: esr(config)# dialplan pattern <DNAME>
      Keys: <DNAME> – name of the dial plan, set by a string of up to 31 characters.
    Step/Description: Add dial rules.
      Command: esr(config-dial-ruleset)# <REGEXP>...
  • Page 637: Registration Trunk Creation Algorithm

    Step/Description: Select a codec supported by a SIP profile.
      Command: esr(config-pbx-profile)# codec allow { G711A(alaw) | G711U(ulaw) | G722 | G726 }
    Step/Description: Select SIP profile type.
      Command: esr(config-pbx-profile)# { peer | user | friend }
      Keys: • peer – incoming and outgoing client calls are allowed without authorization.
  • Page 638: VoIP configuration example

    Step/Description: Configure registration server port.
      Command: esr(config-pbx-reg-server)# ip port <PORT>
      Keys: <PORT> – registration server UDP port number, takes values of [1..65535]. If the standard port 5060 is used, you do not need to specify it.
    Step/Description: Specify the authentication name.
  • Page 639 Configure the SIP proxy server address (use the embedded SIP server as SIP proxy server):
      esr(config-voip-sip-proxy)# ip address proxy-server 192.0.2.5
    Configure the SIP proxy server port:
      esr(config-voip-sip-proxy)# ip port proxy-server 5080
    If the standard port 5060 is used, there is no need to specify it. If registration is required, perform the following steps:
    Configure the registration server address (use the embedded SIP server as registration server):
      esr(config-voip-sip-proxy)# ip address registration-server...
  • Page 640 In this configuration all calls are directed to the SIP proxy server. If another direction is required for outgoing calls, do the following: create a numbering plan, see section Dial plan configuration example.
  • Page 641: Dial Plan Configuration Example

    19.7 Dial plan configuration example
    Objective: configure a dial plan so that calls to local numbers (connected to the given ESR-12V) are switched locally and calls to all other directions go through the SIP proxy.
    Solution: create a dial plan:
      esr(config)# dialplan pattern firstDialplan...
  • Page 642 {a,b} – the previous character repeated from a to b times;
    {a,} – the previous character repeated a or more times;
    {,b} – the previous character repeated b or fewer times.
    •...
  • Page 643: Fxo Port Configuration

    will be returned. Also the set of three-digit numbers starting with '1' will be returned; their INVITE will be sent to IP address 10.110.60.51, port 5060.
    • Example 7: (S3 *xx#|#xx#|#xx#|*xx*x+#) – management and the use of VAS. Local calls inside the device may be required in some cases.
  • Page 644: Example of VoIP configuration for FXS ports registration on external SIP server

    This completes the baseline configuration of outgoing calls to the PSTN. To call a PSTN number, dial the callee number with the specified prefix (the phone number set on the FXO port). To receive calls from the PSTN, select the subscriber that will receive all calls from the PSTN; let it be the subscriber with number 305.
  • Page 645: Example of VoIP configuration on internal PBX server

    Configure the FXS ports. Specify the number, the parameters for authentication on the external server and the SIP profile:
      esr(config)# interface voice-port
      esr(config-voice-port-fxs)# sip user phone 6101
      esr(config-voice-port-fxs)# authentication name as-phone
      esr(config-voice-port-fxs)# authentication password password
      esr(config-voice-port-fxs)# profile sip
      esr(config-voice-port-fxs)# exit
      esr(config)# interface voice-port...
  • Page 646 The structure of the 'pattern' regular expression is described in the section Dial plan configuration example.
    Configure the routing context for the FXO port (example dial plan that forwards calls to 5200-5202):
      esr(config-pbx)# ruleset FXO
      esr(config-pbx-ruleset)# rule
      esr(config-pbx-rule)# pattern '_X.,1,Dial(SIP/5200&SIP/5201&SIP/5202)'...
  • Page 647 Configure subscribers on the PBX server:
      esr(config-pbx)# user 5200
      esr(config-pbx-user)# profile fxs_ports
      esr(config-pbx-user)# exit
      esr(config-pbx)# user 5201
      esr(config-pbx-user)# profile fxs_ports
      esr(config-pbx-user)# exit
      esr(config-pbx)# user 5202
      esr(config-pbx-user)# profile fxs_ports
      esr(config-pbx-user)# exit
      esr(config-pbx)# user
      esr(config-pbx-user)# profile fxo_ports
      esr(config-pbx-user)# exit
      esr(config-pbx)#
    Enable the PBX server:...
  • Page 648: Frequently Asked Questions

    20 Frequently asked questions
    Routes configured in a VRF are not received via BGP and/or OSPF. The neighbour adjacency is established, but installation of the routes into the RIB is refused:
      %ROUTING-W-KERNEL: Can not install route. Reached the maximum number of BGP routes in the RIB
    Allocate RIB resources for the VRF (0 by default).
  • Page 649 1/0/1
    How do I configure ip prefix-list 0.0.0.0/0? An example prefix-list configuration is shown below; it permits reception of the default route:
      esr(config)# ip prefix-list eltex
      esr(config-pl)# permit default-route
    A problem with asymmetric traffic forwarding occurs. With asymmetric routing the firewall, for security reasons, drops 'incorrect' ingress traffic, i.e. packets that neither open a new connection nor belong to an established one (for example a reply whose request left through another path).
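    The asymmetric-routing FAQ item above describes a generic property of stateful inspection: a firewall that never saw the SYN has no session to match the SYN-ACK against and drops it. The following is an added example, not Eltex code or a model of the ESR implementation; it is a minimal connection tracker with constructed addresses that shows the same flow accepted when both directions pass the firewall and dropped when only the reply does.

```python
"""Why asymmetric routing makes a stateful firewall drop legitimate traffic.

Added example, not Eltex code: a minimal connection tracker modelling the FAQ's rule
(ingress packets that neither open a new connection nor belong to an established one are
dropped).  Packets and addresses below are constructed for the example.
"""
from collections import namedtuple

Pkt = namedtuple("Pkt", "src sport dst dport flags")  # flags: 'S' SYN, 'SA' SYN-ACK, 'A' ACK


class StatefulFirewall:
    def __init__(self):
        self.sessions = set()          # direction-independent endpoint-pair keys

    @staticmethod
    def key(p):
        """Same key for both directions of one TCP connection."""
        return frozenset([(p.src, p.sport), (p.dst, p.dport)])

    def inspect(self, p):
        """Return the verdict for one packet and update the session table."""
        k = self.key(p)
        if k in self.sessions:
            return "ACCEPT established"
        if p.flags == "S":             # only a SYN may create a session
            self.sessions.add(k)
            return "ACCEPT new"
        return "DROP no session"       # e.g. SYN-ACK for a SYN this firewall never saw


CLIENT = ("10.10.0.23", 40000)        # constructed subscriber behind the firewall
SERVER = ("198.51.100.7", 443)        # constructed Internet host


def symmetric_flow():
    """Both directions traverse the firewall: the whole handshake is accepted."""
    fw = StatefulFirewall()
    syn = Pkt(*CLIENT, *SERVER, "S")
    synack = Pkt(*SERVER, *CLIENT, "SA")
    ack = Pkt(*CLIENT, *SERVER, "A")
    return [fw.inspect(p) for p in (syn, synack, ack)]


def asymmetric_flow():
    """The SYN left via another router; only the server's reply reaches this firewall."""
    fw = StatefulFirewall()
    synack = Pkt(*SERVER, *CLIENT, "SA")
    return [fw.inspect(synack)]


if __name__ == "__main__":
    print("symmetric :", symmetric_flow())
    print("asymmetric:", asymmetric_flow())
```

    The drop is not a misconfiguration of the rule set but a consequence of the return path bypassing the device that holds the state, so the fix is to make the forward and return paths traverse the same firewall rather than to loosen the rules.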
  • Page 650 Service Center of the company: http://www.eltex-co.com/support   You are welcome to visit Eltex official website to get the relevant technical documentation and software, to use our knowledge base or consult a Service Center Specialist in our technical forum. http://www.eltex-co.com/ http://www.eltex-co.com/support/downloads/...
