ESR Series Routers Operation Manual

 

On R1, enter the configuration mode of the transit area 1.1.1.1:

esr(config-ospf)# area 1.1.1.1

Create a virtual link to the router with router ID 0.0.0.3 (R3) and enable it:

esr(config-ospf-area)# virtual-link 0.0.0.3
esr(config-ospf-vlink)# enable

On R3, enter the configuration mode of the same transit area 1.1.1.1:

esr(config-ospf)# area 1.1.1.1

Create a virtual link to the router with router ID 0.0.0.1 (R1) and enable it:

esr(config-ospf-area)# virtual-link 0.0.0.1
esr(config-ospf-vlink)# enable

Configuration changes will take effect when the configuration is applied:

esr# commit
Configuration has been successfully committed
esr# confirm
Configuration has been successfully confirmed

Review the routing table on R1:

esr# show ip route

C     * 10.0.0.0/24        [0/0]   dev gi1/0/12,                   [direct 00:49:34]  
O     * 10.0.1.0/24        [150/20] via 10.0.0.1 on gi1/0/12,      [ospf1 00:49:53]  (0.0.0.3) 
O     * 192.168.20.0/24    [150/30] via 10.0.0.1 on gi1/0/12,      [ospf1 00:50:15]  (0.0.0.3) 
C     * 192.168.10.0/24    [0/0]   dev lo1,                        [direct 21:32:01] 

Review the routing table on R3:

esr# show ip route

O     * 10.0.0.0/24        [150/20] via 10.0.1.1 on gi1/0/12,      [ospf1 14:38:35]  (0.0.0.2) 
C     * 10.0.1.0/24        [0/0]   dev gi1/0/12,                   [direct 14:35:34]  
C     * 192.168.20.0/24    [0/0]   dev lo1,                        [direct 14:32:58]  
O     * 192.168.10.0/24    [150/30] via 10.0.1.1 on gi1/0/12,      [ospf1 14:39:54]  (0.0.0.1) 

Because OSPF treats a virtual link as an unnumbered point-to-point link belonging to the backbone area, the routes R1 receives from R3 are installed as intra-area routes (code O) rather than inter-area routes, and vice versa. The router ID in parentheses at the end of each OSPF entry is the advertising router; for the prefixes R3 originates it is the virtual-link peer 0.0.0.3.
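As an added check that is not part of the original manual: the following Python script parses the `show ip route` output printed above (the two tables are embedded as sample data copied from this page) and verifies, from each router's point of view, that the prefixes originated by the virtual-link peer are installed as intra-area OSPF routes (code O, as the manual states) advertised by the peer's router ID. The line format is inferred from the four-line excerpts on this page only, so the regular expression and the field names (`ad`, `metric`, `rid`) are assumptions, as are the helper names `parse_route_table` and `check_virtual_link`.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# One line of ESR `show ip route` output as printed in the manual, e.g.:
#   O     * 10.0.1.0/24   [150/20] via 10.0.0.1 on gi1/0/12,  [ospf1 00:49:53]  (0.0.0.3)
#   C     * 10.0.0.0/24   [0/0]    dev gi1/0/12,              [direct 00:49:34]
# Assumption: the format is inferred from these excerpts only; the route code is a
# single uppercase token and the trailing "(x.x.x.x)" is the advertising router ID.
ROUTE_RE = re.compile(
    r"^(?P<code>[A-Z]+)\s+(?P<active>\*)?\s*"
    r"(?P<prefix>\d{1,3}(?:\.\d{1,3}){3}/\d{1,2})\s+"
    r"\[(?P<ad>\d+)/(?P<metric>\d+)\]\s+"
    r"(?:via\s+(?P<via>\d{1,3}(?:\.\d{1,3}){3})\s+on\s+|dev\s+)"
    r"(?P<iface>[^,\s]+),\s+"
    r"\[(?P<proto>\S+)\s+(?P<uptime>[\d:]+)\]"
    r"(?:\s+\((?P<rid>\d{1,3}(?:\.\d{1,3}){3})\))?$"
)


@dataclass(frozen=True)
class Route:
    code: str           # protocol code column: O = OSPF intra-area, C = connected
    active: bool        # "*" flag: route is installed in the forwarding table
    prefix: str
    ad: int             # administrative distance
    metric: int
    via: Optional[str]  # next hop; None for directly connected routes
    iface: str
    proto: str          # e.g. "ospf1", "direct"
    uptime: str
    rid: Optional[str]  # advertising OSPF router ID; None when not shown


def parse_route_table(text: str) -> List[Route]:
    """Parse `show ip route` output; lines that do not look like routes are skipped."""
    routes = []
    for raw in text.splitlines():
        m = ROUTE_RE.match(raw.strip())
        if not m:
            continue
        g = m.groupdict()
        routes.append(Route(
            code=g["code"], active=g["active"] == "*", prefix=g["prefix"],
            ad=int(g["ad"]), metric=int(g["metric"]), via=g["via"],
            iface=g["iface"], proto=g["proto"], uptime=g["uptime"], rid=g["rid"],
        ))
    return routes


def check_virtual_link(routes: List[Route], peer_rid: str, peer_prefixes: List[str]) -> List[str]:
    """Return a list of problems; empty when the virtual link looks healthy.

    Over a working virtual link the peer's prefixes appear as intra-area OSPF
    routes ("O", not inter-area) whose advertising router ID is the peer itself.
    """
    problems = []
    by_prefix = {r.prefix: r for r in routes if r.active}
    for prefix in peer_prefixes:
        r = by_prefix.get(prefix)
        if r is None:
            problems.append(f"{prefix}: missing")
        elif not r.proto.startswith("ospf"):
            problems.append(f"{prefix}: not learned via OSPF ({r.proto})")
        elif r.code != "O":
            problems.append(f"{prefix}: not intra-area (code {r.code})")
        elif r.rid != peer_rid:
            problems.append(f"{prefix}: advertised by {r.rid}, expected {peer_rid}")
    return problems


# Sample input: the two routing tables shown earlier on this page.
R1_SHOW_IP_ROUTE = """
C     * 10.0.0.0/24        [0/0]   dev gi1/0/12,                   [direct 00:49:34]
O     * 10.0.1.0/24        [150/20] via 10.0.0.1 on gi1/0/12,      [ospf1 00:49:53]  (0.0.0.3)
O     * 192.168.20.0/24    [150/30] via 10.0.0.1 on gi1/0/12,      [ospf1 00:50:15]  (0.0.0.3)
C     * 192.168.10.0/24    [0/0]   dev lo1,                        [direct 21:32:01]
"""
R3_SHOW_IP_ROUTE = """
O     * 10.0.0.0/24        [150/20] via 10.0.1.1 on gi1/0/12,      [ospf1 14:38:35]  (0.0.0.2)
C     * 10.0.1.0/24        [0/0]   dev gi1/0/12,                   [direct 14:35:34]
C     * 192.168.20.0/24    [0/0]   dev lo1,                        [direct 14:32:58]
O     * 192.168.10.0/24    [150/30] via 10.0.1.1 on gi1/0/12,      [ospf1 14:39:54]  (0.0.0.1)
"""

if __name__ == "__main__":
    r1 = parse_route_table(R1_SHOW_IP_ROUTE)
    r3 = parse_route_table(R3_SHOW_IP_ROUTE)
    # R1's virtual-link peer is R3 (router ID 0.0.0.3), which originates 192.168.20.0/24.
    print("R1:", check_virtual_link(r1, "0.0.0.3", ["192.168.20.0/24"]) or "virtual link OK")
    # R3's virtual-link peer is R1 (router ID 0.0.0.1), which originates 192.168.10.0/24.
    print("R3:", check_virtual_link(r3, "0.0.0.1", ["192.168.10.0/24"]) or "virtual link OK")
```

Run it against a freshly captured `show ip route` instead of the embedded sample to confirm the link after a change; a prefix reported as "advertised by" another router ID (as 10.0.0.0/24 on R3 is, coming from R2, 0.0.0.2) is reachable through the transit area but is not evidence that the virtual link itself is up.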

To view the OSPF neighbours, use the following command:

esr# show ip ospf neighbors 10

To view the OSPF routing table, use the following command:

esr# show ip ospf 10

In addition to the OSPF configuration, the firewall must permit OSPF traffic. OSPF does not use TCP or UDP ports; its packets are carried directly in IP as protocol number 89, so allow IP protocol 89 between the security zone of each OSPF interface and the self zone. Virtual-link packets are unicast between the two endpoints across the transit area, so the firewall policy of every router on that path (here R2) must also forward protocol 89. Finally, each end of the virtual link is identified by the neighbour's router ID, so the router IDs of R1 and R3 must not change; otherwise the link configured above stops matching.

7.15 BGP configuration

BGP is designed to exchange network reachability information between autonomous systems (AS), i.e. groups of routers under a single technical administration that use an interdomain routing protocol to determine how packets reach other ASes. Each advertised prefix carries the list of ASes through which it is reachable (the AS path). Selection of the best route is driven by the routing policies in force for the network.

Summary of Contents for ESR-100

Page 1: ...ESR Series Routers ESR 100 ESR 200 ESR 1000 ESR 1200 Operation Manual Firmware Ver 1 2 0 ...

Page 2: ...nfiguration Edited chapters 7 15 PBR routing policy configuration 7 19 Configuring remote access to corporate network via PPTP protocol Version 1 5 06 08 2015 Added description for ESR 100 ESR 200 Added chapters 2 4 2 ESR 100 ESR 200 design Edited chapters 2 4 Design 2 5 Delivery package 3 Installation and connection 7 1 VLAN configuration 7 6 Source NAT configuration 7 16 L2TPv3 tunnel configurat...

Page 3: ... via PPTP protocol 6 14 Configuring remote access to corporate network via L2TP IPsec protocol 7 1 Updating firmware via system resources 7 2 Updating firmware via bootloader Version 1 2 02 12 2014 Added chapters 6 6 Bridge configuration 6 7 RIP configuration 6 8 OSPF configuration 6 9 BGP configuration 6 10 L3 tunnel GRE configuration 6 11 L2TPv3 tunnel L2TPv3 configuration Version 1 1 03 06 2014...

Page 4: ...ction to Power Supply 24 3 5 SFP transceiver installation and removal 25 4 MANAGEMENT INTERFACES 26 4 1 Command line interface CLI 26 5 INITIAL ROUTER CONFIGURATION 27 5 1 ESR router factory settings 27 5 2 Router connection and configuration 28 5 2 1 Connection to the router 28 5 2 2 Basic router configuration 29 6 FIRMWARE UPDATE 33 6 1 Updating firmware via system resources 33 6 2 Updating firm...

Page 5: ...o corporate network via PPTP protocol 78 7 22Configuring remote access to corporate network via L2TP IPsec protocol 80 7 23Configuring remote access to corporate network via OpenVPN protocol 82 7 24Dual Homing Configuration 83 7 25QoS configuration 84 7 25 1 Basic QoS 85 7 25 2 Extended QoS 86 7 26Mirroring configuration 88 7 27Netflow configuration 89 7 28sFlow configuration 90 7 29LACP configura...

Page 6: ...ce and firmware update procedures Qualified technical personnel should be familiar with the operation basics of TCP IP protocol stacks and Ethernet networks design concepts 1 3 Symbols Symbol Description Calibri italic Variables and parameters that should be replaced with the appropriate word or string are written in Calibri Italic Semibold font Notes and warnings are written in semibold font Semi...

Page 7: ... Auto MDI MDIX Automatic cable type detection crossed or straight MDI Media Dependent Interface straight cable standard for connection of terminal devices MDIX Media Dependent Interface with Crossover crossed cable standard for connection of hubs and switches Backpressure routing support Back pressure The backpressure routing method is utilized in half duplex connections for management of data str...

Page 8: ...t further as a broadcast packet within L2 segment of the network 2 2 3 Second layer functions of OSI model Table 2 3 lists second layer functions and special aspects OSI Layer 2 Table 2 3 Second layer functions description OSI Layer 2 VLAN support VLAN Virtual Local Area Network is a solution used for splitting a network into separate segments on L2 level VLAN utilization allows to increase the op...

Page 9: ...a rule this method is used for obtaining network settings of a public network operator WAN DHCP server DHCP server enables automation and centralization of the network device configuration process DHCP server allocated on a router allows for a complete solution for the local area network support DHCP server integrated into the router assigns IP addresses to network devices and transfers additional...

Page 10: ...management is performed locally via serial port RS 232 or remotely via Telnet SSH Console command line interface CLI is the industrial standard CLI interpreter contains the list of commands and keywords that will help the user and reduce the amount of input data Syslog Syslog protocol is designed for transmission of system event messages and event logging Network utilities ping traceroute ping and...

Page 11: ... 100 Broadcom XLP104 Interfaces ESR 1200 12 x Ethernet 10 100 1000Base T 4 x Ethernet 10 100 1000Base T 1000Base X Combo 8 x 10GBase R 1000Base X SFP SFP ESR 1000 24 x Ethernet 10 100 1000Base T 2 x 10G Base Base R 1000Base X SFP SFP ESR 200 x Ethernet 10 100 1000Base T 1000 Base X Combo 4 x Ethernet 10 100 1000Base T ESR 100 x Ethernet 10 100 1000Base T 1000 Base X Combo Types of optical transcei...

Page 12: ...3ae IEEE 802 1D IEEE 802 1w IEEE 802 1s Control Local control CLI Remote control TELNET SSH Physical specifications and ambient conditions Power supply ESR 1200 ESR 1000 AC 220V 20 50Hz DC 36 72V Power options Single AC or DC power supply Two AC or DC power supplies with hot swapping ESR 100 ESR 200 AC 220V 20 50Hz Maximum power consumption ESR 1200 85W ESR 1000 75W ESR 100 20W ESR 200 25W Weight ...

Page 13: ...f ESR 1200 Front panel element Description 1 SD SD card connector 2 USB1 USB device port 3 USB2 USB device port 4 1 12 12 x Gigabit Ethernet 10 100 1000Base T RJ 45 ports 5 Combo Ports 4 x Gigabit Ethernet 10 100 1000Base X SFP ports 6 XG1 XG8 10G SFP 1G SFP transceiver installation slots 7 Status Indicator of device s current state Alarm indicator of alarm existence and emergency level HA НА oper...

Page 14: ...nabled devices connection port 4 XG1 XG2 10G SFP 1G SFP transceivers installation slots 5 1 24 24 x Gigabit Ethernet 10 100 1000 Base T RJ 45 ports 6 Status Current device status indicator Alarm Device alarm presence and level indicator VPN Active VPN sessions indicator Flash Data storage activity indicator SD card or USB Flash Power Device power indicator Master Device failover mode operation ind...

Page 15: ...ition 3 Removable ventilation modules with hot swapping 4 Earth bonding point of the device 2 4 1 4 Side panels of the device Fig 2 4 The right side panel of ESR 1000 ESR 1200 routers Fig 2 5 The left side panel of ESR 1000 ESR 1200 routers Side panels of the device have air vents for heat removal Do not block air vents This may cause components overheating which may result in terminal malfunction...

Page 16: ...cription 1 SD SD memory card installation slot 2 USB1 USB2 2 x USB enabled devices connection port 3 1 4 4 x Gigabit Ethernet 10 100 1000 Base T RJ 45 ports 4 Combo Ports 4 x Gigabit Ethernet 10 100 1000 Base X SFP ports 5 Power Device power indicator Status Current device status indicator Alarm Device alarm presence and level indicator Fan Fan alarm indicator 6 F Functional key that reboots the d...

Page 17: ...ar panel connectors of the router Table 2 13 Description of rear panel connectors of the router No Description 1 Earth bonding point of the device 2 Ventilation module 2 4 2 3 ESR 100 ESR 200 side panels Fig 2 9 The right side panel of ESR 100 and ESR 200 routers Fig 2 10 The left side panel of ESR 100 and ESR200 routers 1 The figure shows the router delivery package with a single AC power supply ...

Page 18: ...ation of RJ 45 port indicators Fig 2 12 Location of optical interface indicators Table 2 14 Light indication of copper interface status SPEED indicator is lit LINK ACT indicator is lit Ethernet interface state Off Off Port is disabled or connection is not established Off Solid on 10Mbps or 100Mbps connection is established Solid on Solid on 1000Mbps connection is established X Flashes Data transfe...

Page 19: ...installed is operational Orange Main power supply failure or fault or the primary main is missing Off Device internal power supply failure Master Device failover mode operation indicator Fan Cooling fan status Off All fans are operational Red One or more fans has failed Possible cause of failure at least one of the fans has stopped or is working at lower rpm RPS Backup power supply operation mode ...

Page 20: ...Orange Device is booting up the software Alarm Device alarm presence and level indicator 1 Power Device power indicator Green Device power is OK Main power supply if installed is operational Orange Main power supply failure or fault or the primary main is missing Off Device internal power supply failure Fan Cooling fan status Off All fans are operational Red One or more fans has failed Possible ca...

Page 21: ... kit Documentation ESR 1200 standard delivery package includes ESR 1200 router power cable Console port connection cable RJ 45 DB9F 19 rack mounting kit Documentation Power module PM 160 220 12 or PM 75 48 12 may be included in the ESR 1000 delivery package on the customer s request SFP SFP transceivers may be included in the delivery package on the customer s request ...

Page 22: ... package includes support brackets for rack installation and mounting screws to fix the device case on the brackets To install the support brackets Fig 3 1 Support brackets mounting 1 Align four mounting holes in the support bracket with the corresponding holes in the side panel of the device 2 Use a screwdriver to screw the support bracket to the case 3 Repeat steps 1 and 2 for the second support...

Page 23: ...e holes of the same level on both sides of the guides to ensure the device horizontal installation 3 Use a screwdriver to screw the router to the rack Fig 3 2 Device rack installation Device ventilation system is implemented using front rear layout Vents are located on the front and side panels of the device ventilation modules are located at the rear Do not block air inlet and outlet vents to avo...

Page 24: ... absence of the primary power supply You can check the state of power modules by the indication on the front panel of the router see Section 2 4 3 or by diagnostics available through the router management interfaces 3 4 Connection to Power Supply 1 Ground the case of the device prior to connecting it to the power supply An insulated multiconductor wire should be used for earthing The device ground...

Page 25: ...a slot with its open side down and the bottom SFP module with its open side up Fig 3 5 SFP transceiver installation 2 Push the module into the device housing until the it is secured with a clicking sound Fig 3 6 Installed SFP transceivers Transceiver removal 1 Flip the module handle to unlock the latch Fig 3 7 Opening the Latch of SFP Transceivers 2 Remove the module from the slot Fig 3 8 SFP tran...

Page 26: ...ed there are unified configuration operating principles When modifying and applying the configuration you should follow the specific sequence described herein that is intended to protect the device from misconfiguration 4 1 Command line interface CLI Command Line Interface CLI allows to perform the device management and monitor its operation and status You will require the PC application supportin...

Page 27: ...or ESR 1000 and ESR 1200 GigabitEthernet1 0 1 TengigabitEthernet1 0 1 TengigabitEthernet1 0 2 Zone interfaces are grouped into a single L2 segment via Bridge 2 network bridge 2 Trusted zone is meant for a local area network LAN connection In this zone the following ports are open Telnet and SSH ports for remote access ICMP ports for router availability test DHCP ports for clients obtaining IP addr...

Page 28: ... networks Basic router configuration should include Assigning IP addresses static or dynamic to the interfaces that participate in data routing Creation of security zones and distribution of interfaces between these zones Creation of policies governing data transfer through these zones Configuration of services that accompany the data routing NAT Firewall etc Advanced settings depend on the requir...

Page 29: ...ncludes the following steps Changing password for admin user Creation of new users Assigning device name Hostname Setting parameters for public network connection in accordance with the provider requirements Configuring remote connection to router Applying basic settings 5 2 2 1 Changing password for admin user To ensure the secure system access you should change the password for the privileged ad...

Page 30: ...esr config user privilege 15 esr config user exit esr config username ivan esr config user password password esr config user privilege 1 esr config user exit 5 2 2 3 Assigning device name To assign the device name use the following commands esr configure esr config hostname new name When a new configuration is applied command prompt will change to the value specified by new name parameter 5 2 2 4 ...

Page 31: ...ote access to the router may be established via Telnet or SSH from the trusted zone To enable remote access to the router from other zones e g from the public network you should create the respective rules in the firewall When configuring access to the router rules should be created for the following pair of zones source zone zone that the remote access will originate from self zone which includes...

Page 32: ...s gateway esr config zone rule match source port any esr config zone rule match destination port ssh esr config zone rule enable esr config zone rule exit esr config zone pair exit 5 2 2 6 Applying basic settings To apply performed router configuration changes you should enter the following commands from the root section of the command interface esr commit esr confirm If during configuration devic...

Page 33: ... into account the server inherence to the router security zones 3 Connect to the router locally via Console port or remotely via Telnet or SSH Check the server availability for the router using ping command on the router If the server is not available check the router settings and the status of the server network interfaces 4 To update the router firmware enter the following command Specify IP add...

Page 34: ... file_name system boot FTP esr copy ftp server file_name system boot SCP esr copy scp user password server folder file_name system boot 6 2 Updating firmware via bootloader Router firmware may be updated via the bootloader as follows 1 When U Boot finishes the router initialization break the device startup with the Esc key Configuring PoE distribution 1 dest_threshold 0xa drop_timer 0x0 Configurin...

Page 35: ... update a new file of the secondary bootloader is saved to the flash To view the current version of the load file operating on the device execute version command in U Boot CLI Also the version is displayed during the router startup BRCM XLP316Lite Rev B0 u boot version BRCM XLP U Boot 1 1 0 47 29 11 2016 19 00 24 Firmware update procedure 1 When U Boot finishes the router initialization break the ...

Page 36: ...r version Using nae 1 device TFTP from server 10 100 100 1 our IP address is 10 100 100 2 Filename esr1000 u boot bin Load address 0xa800000078020000 Loading done Bytes transferred 852648 d02a8 hex SF Detected MX25L12805D with page size 256 total 16777216 bytes 16384 KiB MX25L12805D at 0 0 is now current device 6 Reboot the router BRCM XLP316Lite Rev B0 u boot reset ...

Page 37: ...sr 1000 config interface gi 1 0 1 esr 1000 config if gi switchport general allowed vlan remove 2 untagged esr 1000 config if gi no switchport general pvid Configuration changes will take effect when the configuration is applied esr 1000 commit Configuration has been successfully committed esr 1000 confirm Configuration has been successfully confirmed Objective 2 Configure gi1 0 1 and gi1 0 2 ports...

Page 38: ...trunk mode configure gi1 0 2 port in access mode for VLAN 2 on ESR 100 ESR 200 Fig 7 3 Network structure Solution Create VLAN 2 VLAN 64 VLAN 2000 on ESR 100 ESR 200 esr config vlan 2 64 2000 Specify VLAN 2 VLAN 64 VLAN 2000 for gi1 0 1 port esr config interface gi1 0 1 esr config if gi switchport forbidden default vlan esr config if gi switchport mode trunk esr config if gi switchport trunk allowe...

Page 39: ...Create QinQ subinterface for C VLAN 741 esr config interface gigabitethernet 1 0 1 828 741 esr config qinq if ip address 192 168 1 1 24 esr config qinq if exit Configuration changes will take effect when the configuration is applied esr 1000 commit Configuration has been successfully committed esr 1000 confirm Configuration has been successfully confirmed Besides assigning IP address it is necessa...

Page 40: ...server connection settings use the following command esr show aaa radius servers To view the authentication profiles use the following command esr show aaa authentication 7 4 Command privilege configuration Command privilege configuration is a flexible tool that allows you to assign baseline user privilege level 1 15 to a command set In future you may specify privilege level during user creation w...

Page 41: ...zone Define IP address pool from 192 168 1 0 24 subnet for distribution to clients Define address lease time equal to 1 day Configure transmission of the default route domain name and DNS server addresses to clients using DHCP options Solution Create trusted security zone and define the inherence of the network interfaces being used to zones esr configure esr config security zone trusted esr confi...

Page 42: ...ject group service port range 68 esr config object group service exit esr config security zone pair trusted self esr config zone pair rule 30 esr config zone rule match protocol udp esr config zone rule match source address any esr config zone rule match destination address any esr config zone rule match source port dhcp_client esr config zone rule match destination port dhcp_server esr config zon...

Page 43: ...sed to zones Assign IP addresses to interfaces simultaneously esr configure esr config security zone UNTRUST esr config zone exit esr config security zone TRUST esr config zone exit esr config interface gigabitethernet 1 0 1 esr config if gi security zone TRUST esr config if gi ip address 10 1 1 1 25 esr config if gi exit esr config interface tengigabitethernet 1 0 1 esr config if te ip address 1 ...

Page 44: ... rule match protocol tcp esr config dnat rule match destination port SERV_HTTP esr config dnat rule action destination nat pool SERVER_POOL esr config dnat rule enable esr config dnat rule exit esr config dnat ruleset exit esr config dnat exit To transfer the traffic coming from UNTRUST zone into TRUST zone create the respective pair of zones Only DNAT translated traffic with the destination addre...

Page 45: ... zones configuration of network interfaces and their inherence to security zones Create TRUST zone for LAN and UNTRUST zone for public network esr configure esr config security zone UNTRUST esr config zone exit esr config security zone TRUST esr config zone exit esr config interface gigabitethernet 1 0 1 esr config if gi ip address 10 1 2 1 24 esr config if gi security zone TRUST esr config if gi ...

Page 46: ...de a check which ensures that data source address belongs to LOCAL_NET pool esr config snat ruleset SNAT esr config snat ruleset to zone UNTRUST esr config snat ruleset rule 1 esr config snat rule match source address LOCAL_NET esr config snat rule match destination address any esr config snat rule match destination port any esr config snat rule action source nat pool TRANSLATE_ADDRESS esr config ...

Page 47: ... range 21 12 2 2 21 12 2 254 esr config object group network exit esr config object group network PUBLIC_POOL esr config object group network ip address range 200 10 0 100 200 10 0 249 esr config object group network exit Configure SNAT service First step is to create public network address pool for use with SNAT esr config nat source esr config snat pool TRANSLATE_ADDRESS esr config snat pool ip ...

Page 48: ...fect when commit command is executed esr commit Configuration has been successfully committed esr confirm Configuration has been successfully confirmed 7 8 Firewall configuration Firewall is a package of hardware or software tools that allows for control and filtering of transmitted network packets in accordance with the defined rules Objective Enable message exchange via ICMP between PC1 PC2 and ...

Page 49: ...ne into LAN zone create a pair of zones and add a rule allowing ICMP traffic transfer from PC2 to PC1 Rules are applied with enable command esr config security zone pair WAN LAN esr config zone pair rule 1 esr config zone rule action permit esr config zone rule match protocol icmp esr config zone rule match destination address LAN esr config zone rule match source address WAN esr config zone rule ...

Page 50: ...e following commands esr show ip firewall sessions 7 9 Access list ACL configuration Access Control List or ACL is a list that contains rules defining traffic transmission through the interface Objective Allow traffic transmission from 192 168 20 0 24 subnet only Solution Configure access control list for filtering by a subnet esr configure esr config ip access list extended white esr config acl r...

Page 51: ...et access Traffic within LAN should be routed within LAN zone traffic from the Internet should belong to WAN zone Fig 7 8 Network structure Solution Define the device name for R1 router esr hostname R1 esr config do commit R1 config do confirm For gi1 0 1 interface specify 192 168 1 1 24 address and LAN zone R1 will be connected to 192 168 1 0 24 network through this interface R1 config interface ...

Page 52: ...ine the device name for R2 router esr hostname R2 esr config do commit R2 config do confirm For gi1 0 1 interface specify 10 0 0 1 8 address and LAN zone R2 will be connected to 10 0 0 0 8 network through this interface R2 config interface gi1 0 1 R2 config if gi security zone LAN R2 config if gi ip address 10 0 0 1 8 R2 config if gi exit For gi1 0 2 interface specify 192 168 100 2 30 address and ...

Page 53: ...1 0 10 esr config if gi description MXE esr config if gi switchport mode e1 esr config if gi switchport e1 slot 0 esr config if gi exit Enable interface e1 1 0 1 interface e1 1 0 4 into MLPPP 3 aggregation group esr config interface e1 1 0 1 esr config e1 ppp multilink esr config e1 ppp multilink group 3 esr config e1 exit esr config interface e1 1 0 4 esr config е1 ppp multilink esr config е1 ppp...

Page 54: ... 7 10 Network structure Solution Create VLAN 333 esr config vlan 333 esr config vlan exit Create trusted security zone esr config security zone trusted esr config zone exit Add gi1 0 11 gi1 0 12 interfaces to VLAN 333 esr config interface gigabitethernet 1 0 11 12 esr config if switchport general allowed vlan add 333 tagged Create bridge 333 map VLAN 333 to it and specify membership in trusted zon...

Page 55: ...lowed vlan add 50 tagged Map VLAN 60 to gi1 0 14 interface esr config interface gigabitethernet 1 0 14 esr config if gi switchport general allowed vlan add 60 tagged Create bridge 50 map VLAN 50 define IP address 10 0 50 1 24 and membership in LAN1 zone esr config bridge 50 esr config bridge vlan 50 esr config bridge ip address 10 0 50 1 24 esr config bridge security zone LAN1 esr config bridge en...

Page 56: ...ed esr commit Configuration has been successfully committed esr confirm Configuration has been successfully confirmed esr To view an interface membership in a bridge use the following command esr show interfaces bridge 7 13 RIP configuration RIP is a distance vector dynamic routing protocol that uses hop count as a routing metric The maximum count of hops allowed for RIP is 15 By default each RIP ...

Page 57: ...e done enable the protocol esr config rip enable Configuration changes will take effect when the configuration is applied esr commit Configuration has been successfully committed esr confirm Configuration has been successfully confirmed esr To view the RIP routing table use the following command esr show ip rip In addition to RIP protocol configuration open UDP port 520 in the firewall 7 14 OSPF c...

Page 58: ...ion from RIP esr config ospf redistribute rip Enable OSPF process esr config ospf enable esr config ospf exit Neighbouring routers are connected to gi1 0 5 and gi1 0 15 interfaces To establish the neighbouring with other routers map them to OSPF process and the area Next enable OSPF routing for the interface esr config interface gigabitethernet 1 0 5 esr config if gi ip ospf instance 10 esr config...

Page 59: ...mmand in the configuration mode esr config ospf area area type stub For R3 stub router enable announcement of the routing information from RIP esr config ospf redistribute rip Configuration changes will take effect when commit command is executed esr commit Configuration has been successfully committed esr confirm Configuration has been successfully confirmed Objective 3 Merge two backbone areas u...

Page 60: ...0 0 3 C 192 168 10 0 24 0 0 dev lo1 direct 21 32 01 Review the routing table on R3 router esr show ip route O 10 0 0 0 24 150 20 via 10 0 1 1 on gi1 0 12 ospf1 14 38 35 0 0 0 2 C 10 0 1 0 24 0 0 dev gi1 0 12 direct 14 35 34 C 192 168 20 0 24 0 0 dev lo1 direct 14 32 58 O 192 168 10 0 24 150 30 via 10 0 1 1 on gi1 0 12 ospf1 14 39 54 0 0 0 1 Since OSPF considers virtual link as the part of the area...

Page 61: ...onfig if gi exit esr config interface gigabitethernet 1 0 2 esr config if gi ip address 219 0 0 1 30 esr config if gi exit esr config interface gigabitethernet 1 0 3 esr config if gi ip address 80 66 0 1 24 esr config if gi exit esr config interface gigabitethernet 1 0 4 esr config if gi ip address 80 66 16 1 24 esr config if gi exit Create BGP process for AS 2500 and enter process parameters conf...

Page 62: ...sr config bgp af exit esr config exit Configuration changes will take effect when the configuration is applied esr commit Configuration has been successfully committed esr confirm Configuration has been successfully confirmed esr To view BGP peer information use the following command esr show ip bgp 2500 neighbors To view BGP routing table use the following command esr show ip bgp You should open ...

Page 63: ...L Fig 7 17 Network structure Objective 1 Assign community for routing information coming from AS 20 First do the following Configure BGP with AS 2500 on ESR router Establish neighbouring with AS20 Solution Create a policy esr configure esr config route map from as20 Create rule 1 esr config route map rule 1 If AS PATH contains AS 20 assign community 20 2020 to it and exit esr config route map rule...

Page 64: ...nfig route map rule match community 2500 25 esr config route map rule action set metric 240 esr config route map rule action set origin egp esr config route map rule exit esr config route map exit In AS 2500 BGP process enter neighbour parameter configuration esr config router bgp 2500 esr config bgp neighbor 185 0 0 2 Map the policy to the routing information being announced esr config bgp neighb...

Page 65: ...rational one Solution Create ACL esr configure esr config ip access list extended sub20 esr config acl rule 1 esr config acl rule match source address 10 0 20 0 255 255 255 0 esr config acl rule match destination address any esr config acl rule match protocol any esr config acl rule action permit esr config acl rule enable esr config acl rule exit esr config acl exit esr config ip access list exte...

Page 66: ...ify ACL as a filter esr config route map rule match ip access group sub30 Specify nexthop for sub30 and exit esr config route map rule action set ip next hop verify availability 80 16 0 23 10 esr config route map rule action set ip next hop verify availability 184 45 0 150 30 esr config route map rule exit esr config route map exit Rule 2 should provide traffic routing from the network 10 0 30 0 2...

Page 67: ...ay for the tunnel IP address 114 0 0 10 is used as a remote gateway for the tunnel IP address of the tunnel at the local side is 25 0 0 1 24 Fig 7 19 Network structure Solution Create GRE 10 tunnel esr config tunnel gre 10 Specify local and remote gateway IP addresses of WAN border interfaces esr config gre local address 115 0 0 1 esr config gre remote address 114 0 0 10 Specify tunnel IP address ...

Page 68: ...acket for outbound traffic esr config gre local checksum Enable check for GRE checksum presence and validity for inbound traffic esr config gre remote checksum Specify a unique identifier esr config gre key 15808 Specify DSCP MTU TTL values esr config gre dscp 44 esr config gre mtu 1426 esr config gre ttl 18 To view the tunnel status use the following command esr show tunnels status gre 10 To view...

Page 69: ...t number at the local side and port number at the partner s side is 519 IP address 21 0 0 1 is used as a local gateway for the tunnel IP address 183 0 0 10 is used as a remote gateway for the tunnel Tunnel identifier at the local side equals 2 at the partner s side 3 Session identifier inside the tunnel equals 100 at the partner s side 200 Forward traffic into the tunnel from the bridge with ident...

Page 70: ...ssfully confirmed When settings are applied traffic will be encapsulated into the tunnel and sent to the partner regardless of their L2TPv3 tunnel existence and settings validity Tunnel settings for the remote office should mirror local ones IP address 183 0 0 10 should be used as a local gateway IP address 21 0 0 1 should be used as a remote gateway Encapsulation protocol port number at the local...

Page 71: ...cryption algorithm AES 128 bit authentication algorithm MD5 7 19 1 Route based IPsec VPN configuration Solution 1 R1 configuration Configure external network interface and identify its inherence to a security zone esr configure esr config interface gi 1 0 1 esr config if gi ip address 180 100 0 1 24 esr config if gi security zone untrusted esr config if gi exit Create VTI tunnel Traffic will be ro...

Page 72: ...rection into the tunnel esr config security ike gateway ike_gw1 esr config ike gw ike policy ike_pol1 esr config ike gw mode route based esr config ike gw bind interface vti 1 esr config ike gw version v2 only esr config ike gw exit Create security parameters profile for IPsec tunnel For the profile select AES 128 bit encryption algorithm MD5 authentication algorithm Use the following parameters t...

Page 73: ... route 10 0 0 0 16 tunnel vti 1 Create IKE protocol profile In the profile select Diffie Hellman group 2 AES 128 bit encryption algorithm MD5 authentication algorithm Use the following parameters to secure IKE connection esr config security ike proposal ike_prop1 esr config ike proposal dh group 2 esr config ike proposal authentication algorithm md5 esr config ike proposal encryption algorithm aes...

Page 74: ... config security ipsec vpn ipsec1 esr config ipsec vpn mode ike esr config ipsec vpn ike establish tunnel immediate esr config ipsec vpn ike gateway ike_gw1 esr config ipsec vpn ike ipsec policy ipsec_pol1 esr config ipsec vpn enable esr config ipsec vpn exit esr config exit To view the tunnel status use the following command esr show security ipsec vpn status ipsec1 To view the tunnel configurati...

Page 75: ... ike gw remote network 192 0 2 0 24 esr config ike gw mode policy based esr config ike gw exit Create security parameters profile for IPsec tunnel For the profile select AES 128 bit encryption algorithm MD5 authentication algorithm Use the following parameters to secure IPsec tunnel esr config security ipsec proposal ipsec_prop1 esr config ipsec proposal authentication algorithm md5 esr config ips...

Page 76: ... Create IKE protocol gateway In this profile specify VTI tunnel policy version of protocol and traffic to tunnel redirection mode esr config security ike gateway ike_gw1 esr config ike gw ike policy ike_pol1 esr config ike gw remote address 180 100 0 1 esr config ike gw remote network 10 0 0 0 16 esr config ike gw local address 120 11 5 1 esr config ike gw local network 192 0 2 0 24 esr config ike...

Page 77: ...traffic between different virtual routers VRF Lite configured on a router An LT tunnel might be used to organize interaction between two or more VRFs under firewall restrictions Objective Organize interaction between hosts terminated in two VRFs vrf_1 and vrf_2 Initial configuration hostname esr ip vrf vrf_1 exit ip vrf vrf_2 exit interface gigabitethernet 1 0 1 ip vrf forwarding vrf_1 Ip firew...

Page 78: ...nt to Point Tunneling Protocol is a point to point tunnelling protocol that allows a computer to establish a secure connection with a server by creating a special tunnel in a common unsecured network PPTP encapsulates PPP frames into IP packets for transmission via a global IP network e g the Internet PPTP may be used for tunnel establishment between two local area networks PPTP uses an additional TCP...

Page 79: ...p_local esr config pptp remote address object group pptp_remote esr config pptp outside address object group pptp_outside esr config pptp dns servers object group pptp_dns Select authentication method for PPTP server users esr config pptp authentication mode local Specify security zone that user sessions will be related to esr config pptp security zone VPN Create PPTP users Ivan and Fedor for PPTP...

Page 80: ... L2TP may be used for tunnel establishment between two local area networks L2TP uses an additional UDP connection for tunnel handling L2TP protocol does not provide data encryption therefore it is usually combined with an IPsec protocol group that provides security on a packet level Objective Configure L2TP server on a router for remote user connection to LAN Authentication is performed on RADIUS ...

Page 81: ...config l2tp ipsec authentication pre shared key ascii text password Enable L2TP server esr config l2tp enable When a new configuration is applied the router will listen to IP address 120 11 5 1 and port 1701 To view L2TP server session status use the following command esr show remote access status l2tp server remote workers To view L2TP server session counters use the following command esr show re...

Page 82: ...TLS Configure zone for te1 0 1 interface Specify IP address for te1 0 1 interface Import certificates and keys via tftp esr copy tftp 192 168 16 10 ca crt certificate ca ca crt esr copy tftp 192 168 16 10 dh pem certificate dh dh pem esr copy tftp 192 168 16 10 server key certificate server key server key esr copy tftp 192 168 16 10 server crt certificate server crt server crt esr copy tftp 192 16...

Page 83: ... show remote access status openvpn server AP To view OpenVPN server session counters use the following command esr show remote access counters openvpn server AP To clear OpenVPN server session counters use the following command esr clear remote access counters openvpn server AP To end OpenVPN server session for user fedor use one of the following commands esr clear remote access session openvpn us...

Page 84: ...l allowed vlan add 50 55 esr 1000 config if gi exit 2 Main configuration step Make gigabitethernet 1 0 10 redundant for gigabitethernet 1 0 9 esr 1000 config interface gigabitethernet 1 0 9 esr 1000 config if gi backup interface gigabitethernet 1 0 10 vlan 50 55 Configuration changes will take effect when the configuration is applied esr 1000 commit Configuration has been successfully committed es...

Page 85: ...ueue 22 to 8 Redirect DSCP 14 traffic into 7th weighted queue esr config qos map dscp queue 14 to 7 Enable QoS on the inbound interface from LAN side esr config interface gigabitethernet 1 0 5 esr config if gi qos enable esr config if gi exit Enable QoS on the inbound interface from WAN side esr config interface gigabitethernet 1 0 8 esr config if gi qos enable Limit transfer rate to 60Mbps for 7t...

Page 86: ... acl exit esr config ip access list extended fl2 esr config acl rule 1 esr config acl rule action permit esr config acl rule match protocol any esr config acl rule match source address 10 0 12 0 255 255 255 0 esr config acl rule match destination address any esr config acl rule enable esr config acl rule exit esr config acl exit Create classes fl1 and fl2 specify the respective access control list...

Page 87: ...ce ingress for classification purposes and gi1 0 20 egress for applying restrictions and SFQ mode for default class esr config interface gigabitethernet 1 0 19 esr config if gi qos enable esr config if gi service policy input fl esr config if gi exit esr config interface gigabitethernet 1 0 20 esr config if gi qos enable esr config if gi service policy output fl esr config if gi exit Configuration...

Page 88: ...add VLAN 50 in general mode Main configuration step Specify VLAN that will be used for transmission of mirrored traffic esr1000 config port monitor remote vlan 50 For gi 1 0 5 interface specify a port for mirroring esr1000 config interface gigabitethernet 1 0 5 esr1000 config if gi port monitor interface gigabitethernet 1 0 11 For gi 1 0 5 interface specify remote mirroring mode esr1000 config if ...

Page 89: ...h ip firewall disable command Assign IP address to ports Main configuration step Specify collector IP address esr config netflow collector 10 10 0 2 Enable netflow statistics export collection for gi1 0 1 network interface esr config interface gigabitethernet 1 0 1 esr config if gi ip netflow export Enable netflow on the router esr config netflow enable Configuration changes will take effect when ...

Page 90: ...erence to security zones esr config interface gi1 0 1 esr config if gi security zone UNTRUSTED esr config if gi ip address 10 10 0 1 24 esr config if gi exit esr config interface gi1 0 2 3 esr config if gi security zone TRUSTED esr config if gi exit esr config interface gi1 0 2 esr config if gi ip address 192 168 1 5 24 esr config if gi exit esr config interface gi1 0 3 esr config if gi ip address...

Page 91: ...7 29 LACP configuration LACP is a link aggregation protocol that allows multiple physical links to be combined into a single logical link This increases the communication link bandwidth and robustness Objective Configure an aggregated link between the ESR router and the switch Fig 7 31 Network structure Solution First configure the following For gi1 0 1 gi1 0 2 interfaces disable securit...

Page 92: ... default gateway for computers in the network Objective 1 Establish LAN virtual gateway in VLAN 50 using VRRP IP address 192 168 1 1 is used as a local virtual gateway Fig 7 32 Network structure Solution First do the following Create the respective sub interface Configure zone for sub interface Specify IP address for sub interface Main configuration step Configure R1 router Configure VRRP in the c...

Page 93: ...92 168 1 1 and 192 168 20 1 are used as virtual gateways Fig 7 33 Network structure Solution First do the following Create the respective sub interfaces Configure zone for sub interfaces Specify IP addresses for sub interfaces Main configuration step Configure R1 router Configure VRRP for 192 168 1 0 24 subnet in the created sub interface Specify unique VRRP identifier R1 config sub interface gi 1...

Page 94: ...s been successfully confirmed Configure R2 in the same manner In addition to tunnel creation you should enable VRRP protocol 112 in the firewall 7 31 VRRP tracking configuration VRRP tracking is a mechanism which allows activating static routes depending on VRRP state Objective Virtual gateway 192 168 0 1 24 is organized for 192 168 0 0 24 subnet using VRRP protocol and routers R1 and R2 There is ...

Page 95: ...wall disable ip address 192 168 0 2 24 vrrp ip 192 168 0 1 24 vrrp exit interface gigabitethernet 1 0 2 switchport forbidden default vlan exit interface gigabitethernet 1 0 2 742 ip firewall disable ip address 192 168 1 1 30 exit Router R2 hostname R2 interface gigabitethernet 1 0 1 switchport forbidden default vlan exit interface gigabitethernet 1 0 1 741 ip firewall disable ip address 192 168 0 ...

Page 96: ...te for packets must be created with destination IP address from network 10 0 1 0 24 Create tracking object with corresponding condition R1 config tracking 1 R1 config tracking vrrp 10 state master R1 config tracking enable R1 config tracking exit Create a static route to subnet 10 0 1 0 24 through 192 168 1 2 which will be active when the tracking 1 condition is satisfied R1 config ip route 10 0 1 0 2...

Page 97: ...e rule match protocol tcp esr config zone rule match source port any esr config zone rule match destination port any esr config zone rule action permit esr config zone rule enable esr config zone rule exit Create interface mapping assign IP addresses specify an inherence to a security zone esr config interface gigabitethernet 1 0 7 esr config if gi ip vrf forwarding bit esr config if gi ip address...

Page 98: ...nfigure zones for te1 0 1 and te1 0 2 interfaces Specify IP addresses for te1 0 1 and te1 0 2 interfaces Main configuration step Configure routing esr config ip route 108 16 0 0 28 wan load balance rule 1 Create WAN rule esr config wan load balance rule 1 Specify affected interfaces esr config wan rule outbound interface tengigabitethernet 1 0 2 esr config wan rule outbound interface tengigabiteth...

Page 99: ...esr config if wan load balance nexthop 65 6 0 1 In te1 0 1 interface configuration mode specify a list of targets for link check esr config if wan load balance target list google In te1 0 2 interface configuration mode enable WAN mode and exit esr config if wan load balance enable esr config if exit Configuration changes will take effect when the configuration is applied esr commit Configuration h...

Page 100: ...o the following Specify zone for gi1 0 1 interface Configure IP address for ge1 0 1 interfaces Main configuration step Enable SNMP server esr config snmp server Create SNMPv3 user esr config snmp server user admin Specify security mode esr snmp user authentication access priv Specify authentication algorithm for SNMPv3 requests esr snmp user authentication algorithm md5 Define password for SNMPv3 ...

Page 101: ...ed information on installation and configuring SoftWLC server using following links http kcs eltex nsk ru articles 960 general article of SoftWLC http kcs eltex nsk ru articles 474 SoftWLC installation from repositories The BRAS license is obligatory for the router after its activation you can start configuring the device Create 3 security zones according to the network structure depicted in Fig 7 3 esr c...

Page 102: ...Selection of the tariff plan depends on the Location parameter see bridge 2 configuration The module that controls AAA operations is based on eltex radius and is available at the SoftWLC IP address The port numbers for authentication and accounting in the example below are the default values for SoftWLC Define parameters for interaction with the module esr config radius server host 192 0 2 20 esr config radiu...

Page 103: ...tch protocol any esr config acl rule match source address any esr config acl rule match destination address any esr config acl rule enable esr config acl rule exit esr config acl exit esr config ip access list extended INTERNET esr config acl rule 10 esr config acl rule action permit esr config acl rule match protocol any esr config acl rule match source address any esr config acl rule match desti...

Page 104: ...oup service exit Enable access to the Internet from trusted and dmz zones esr config security zone pair trusted untrusted esr config zone pair rule 10 esr config zone pair rule action permit esr config zone pair rule match protocol any esr config zone pair rule match source address any esr config zone pair rule match destination address any esr config zone pair rule enable esr config zone pair rul...

Page 105: ...match source address any esr config zone pair rule match destination address any esr config zone pair rule enable esr config zone pair rule exit esr config zone pair rule exit esr config security zone pair dmz self esr config zone pair rule 20 esr config zone pair rule action permit esr config zone pair rule match protocol icmp esr config zone pair rule match source address any esr config zone pai...

Page 106: ...esr commit Configuration has been successfully committed esr confirm Configuration has been successfully confirmed ...

Page 107: ...ption is configured on the SSH client for instance the Connection section for the PuTTY client It is possible to set the timeout for closing inactive TCP sessions 1 hour in the example esr config ip firewall sessions tcp estabilished timeout 3600 The firewall was disabled on an interface However access for active sessions from the port was not closed according to security zone pair rules after including this interface to securi...

Page 108: ...g traffic through CLI interfaces is implemented on ESR series routers A packet sniffer is launched by the monitor command How to configure ip prefix list 0 0 0 0 0 An example of prefix list configuration is shown below The configuration allows reception of the default route esr config ip prefix list eltex esr config pl permit default route A problem of asynchronous traffic transmission occurs In case of asy...

Page 109: ...020 Tel 7 383 274 47 87 7 383 272 83 31 E mail techsupp eltex nsk ru Visit Eltex official website to get the relevant technical documentation and software benefit from our knowledge base send us online request or consult a Service Centre Specialist in our technical forum http www eltex nsk ru en support downloads http www eltex nsk ru en search http www eltex nsk ru en support knowledge ...
